View Logs feature and encryption

Curious

Hello,

I have a question about these two things.
View Logs feature:
To what I understand this is for easier debugging etc. but I wonder if this is a some sort of view of native logging procedure that is on android in general, so that means inputs are mainly created by apps and system, the thing is... can there be logged any sensitive info, like pin, pwd, message etc.?
Also does it rotate or is there a way to erase it?

Encryption of data on disk:
Sorry if this was asked many times before, but lets say for a situation one want to sell, give out older device where GOS was installed, the standard factory reset acts as standard "safe data delete" or should one also rewrite a disk with know utils (like 0 or upload full storage space file etc. just to be sure). Also When factory reset or deleting secondary profile, data from security element are also safe deleted?

Thank you for clarification

ryrona

Curious the thing is... can there be logged any sensitive info, like pin, pwd, message etc.?

Apps can log whatever they want to the system log, including all of what you mentioned. In practice I have seen file names logged, which in itself can be very revealing depending on what files you have on your phone. I have also seen email addresses logged there. Notice that the system log is common for all user profiles, so it holds messages from apps running in all user profiles. Be careful with whom you share your system log.

Curious Also does it rotate or is there a way to erase it?

Yes, the system log is never written to disk, only kept in RAM. It is entirely erased during a device reboot.

Curious Sorry if this was asked many times before, but lets say for a situation one want to sell, give out older device where GOS was installed, the standard factory reset acts as standard "safe data delete" or should one also rewrite a disk with know utils (like 0 or upload full storage space file etc. just to be sure). Also When factory reset or deleting secondary profile, data from security element are also safe deleted?

A factory reset of the device will securely wipe all encryption keys, which will cryptographically destroy all user data on the phone, including all metadata. It should be impossible for even the most advanced forensics to recover any information about files, apps or activity on the phone after that. Only information related to SIM cards will remain, such as phone numbers.

Writing big zero files or filler files to the disk is uneffective for data erasure. That method worked a long time ago when we had magnetic hard drives in computers, but that method is not effective at all to erase data on flash based storage such as USB memories, SSD/NVMEs or the storage found in mobile devices such as mobile phones, since such files does not actually cause any overwriting of data due to how wear leveling, transparent compression and so on works on flash based controllers. A factory reset is the way to securely erase all data.

Deleting a single user profile will cause the file content and file name encryption key for that user profile to be securely wiped. This will make it impossible for someone to read file content and file names for any file or app data from that profile after it has been deleted. However, metadata such as file counts, file sizes, timestamps and folder structure will remain until the whole device is factory reset, since there is only a single metadata encryption key for the whole device.

Curious

@ryrona Greetings, I hope I am not bothering you, but I found your thread about this topic and that you did some auditing . Can you please help me to clarify this?

Curious

ryrona Thank you for clarification.

Well but about that logs, like a View Logs feature that was added and it is accessible to see, that this is not somewhat hidden or locket by something.

Also out of curiosity, if lets say the malware or something gets on phone itself, it could read those logs and if there are any sensitive data, that means issue, but I am not sure if this is possible since RAM is way protected by GOS mechanism and hardening no?

So in general case no matter this View feature for logs to be displayed to user, this means that any app on any system iteration of AOSP can write stuff there and it could be accessed?

I mean I am really glad that there is an auto-restart feature then but if this is on any devices common, then well scary stuff.

ryrona

Curious Also out of curiosity, if lets say the malware or something gets on phone itself, it could read those logs and if there are any sensitive data, that means issue, but I am not sure if this is possible since RAM is way protected by GOS mechanism and hardening no?

Apps cannot read the system log, no matter how malicious they might be. Other users than the owner user also cannot read the system log. But if there is an app sandbox escape vulnerability or driver vulnerability or similar that an hacker is able to exploit, they can possibly get elevated privileges on your device and read the system log. It is usually a good idea to clear the system log by rebooting the device after having done sensitive things in a separate user profile, rather than merely locking that user profile.

Curious

ryrona Great point, thank you. Btw do you know of any auditing reports about GOS similar to your?
I would like to audit stuff myself but this area and ecosystem is out of my scope, so I have to seek information from folks who has right expertise. Sadly there is no any official report on that term, but I also know it would probably has not much value since development is in constant move and so that would only audit snapshot and by the time it is done, the version could be in way more diff.
It is truly interesting how many new stuff can one learn about this topics. (Like not general concepts, but in more detailed way)

Not gonna lie I am still little scared about using GOS as daily driver, but in current times of AI and features and permissions that nobody asked for etc. I think it is a must have, I really like the minimalism of it and control it provides.

ryrona

Curious Btw do you know of any auditing reports about GOS similar to your?

I cannot think of any. But there are many who are reporting security issues they find, at least to the bug tracker, and some of these reports clearly show the author is actively auditing, not just discovering by chance.

I like to suggest learning to use Wireshark to those interested in learning to audit network traffic, and to learn poking around in the file system using command line tools for those interested in learning to look for traces of activity left on the device. Whether for computers or phones. It takes a while to learn, and is a pretty steep learning curve, but eventually you will be able to audit a lot by yourself, if interested.

Curious

ryrona Yea, was trying to do these on desktop on phone? That is kinda diff level for me, I mean I can try, but... idk it all starting to feel like it is so much hassle, if you know what I mean...

Sorry for offtopic:
Anyway may I ask why did you chose GOS and what makes you and how much do you trust the project and people around it?

You know don't get me wrong about this, I really love the fact that it is minimalistic, extra security features etc. patching, talented team, other staff members around community etc.

But this kinda my first experience ever with non-stock OS on phone. And to be fair, I would say that I use smartphone out of necessity, general usage as browsing, music, sometimes photo stuff, but... I would even use a dumb phone for calls but the problem is that smartphone is needed for so many auth apps and methods, like...

and the issue that is currently on the market right now is that AI is forced into everything... I belive that this kind of stuff should not be on smartphone for personal usage, but that is my take only. And GOS is clean of that nad does what it is supposed to do in minimal way possible.
The project is great, everybody is saying that, but you know I do not know those people, I do not know their background (people who give reviews and dev team itself) and I am not able to audit stuff by myself, so... I am like in position: "Trust me bro" and I am not saying that big techy corps are better at this, but who is accountable if something?

I tried to find opinion from security experts or devs, or people who are into this stuff in my circle, but find only a few answers that were not too clear or people do not know the project at all.

de0u

Curious I tried to find opinion from security experts or devs, or people who are into this stuff in my circle, but find only a few answers that were not too clear or people do not know the project at all.

FWIW... https://x.com/Snowden/status/1588472045960327168 (or https://nitter.net/Snowden/status/1588472045960327168)

Also maybe ask some of your security friends to wade through this thread: https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation

Edit: And/or ask your security friends to review:

ryrona

Curious Anyway may I ask why did you chose GOS and what makes you and how much do you trust the project and people around it?

I didn't use to trust smartphones at all. I had an iPhone, but pretty much only used it for digital ID and bus tickets. Nothing private at all ever touched that device.

But I wanted a portable media player, that had strong disk encryption, and no connectivity at all. I decided on getting a Linux phone. I bought a Pinephone and installed Mobian on it. It has strong LUKS2 encryption which hides all data including metadata, since all Linux distributions do, and the Pinephone had hardware switches, so I could just disable the cellular and the Wifi modules. I didn't care much for the reputation of either Pinephone nor Mobian, as it would only be used offline.

But things never turn out as one expects. I ended up installing a Matrix client on the phone, and soon I discovered just how convenient and helpful it is to keep in touch with both friends and activism initiatives I am in by having a phone. Rather than checking for messages once a day, I now had a phone LED that would flash as soon as there was a message to me. So I started using the Pinephone as an online device instead, always turned on, and it was never used as a media player.

But I felt very uneasy about it. The Mobian project weren't good at all in getting out kernel updates or Wifi firmware updates, sometimes lagging behind by half a year, and kept talking about how they might need to drop support for the Pinephone entirely, because it was too hard for them to maintain at all, even ignoring security issues. Furthermore, the Matrix client was written in C++, and as I used it for activism, the likelihood of being hacked is very real. I also wouldn't know what internet facing apps might attempt to read my files. So I didn't dare having any sensitive files on the phone at all. For internet usage, I just didn't feel I had any control at all.

So I went looking for another solution, and found recommendations on GrapheneOS running on Pixels. However, this time around, security and trust was very important for me, but unfortunately, no security project I already trust vouched for or recommended GrapheneOS at all. So I felt a bit left alone in trying to find trust in GrapheneOS. My idea was that I would do security domain isolation, keeping all my activism activity separate from my usage of the device as a media player separate from my usage of the phone for digital ID and bus tickets. So if either domain gets compromised, the hacker will not be able to obtain any information from the other domains. I already use QubesOS, so I know how an ideal implementation of security domain isolation would look like. And reading up on GrapheneOS, the sandboxing of file permissions and internet permissions on the one hand, and no IPC between user profiles on the other hand, seem to enable something that looks like an acceptable albeit not ideal implementation of security domain isolation. And GrapheneOS also seemed to be very serious about getting kernel updates and firmware updates out very soon, including general hardening.

So it really came down to GrapheneOS seemingly having the security features I would need.

But trust is hard, so I ended up auditing GrapheneOS using wireshark and root shell access too before finally choosing to trust GrapheneOS for my use cases. At that point, I had a pretty good idea of what kind of security weaknesses is in GrapheneOS. I have also reported some issues myself, and some of those have been solved by the GrapheneOS team now, showing they take reported security issues seriously. They also plan to solve the remaining ones, but cannot promise any time plan since way harder to do.

I think, after having used an operating system for a while, one tend to get a pretty good idea of what strengths and weaknesses that operating system has, especially if one actively follow discussions, the bug ticket tracker, and audit things oneself. But even before that, having a clear picture of what security features one need oneself could guide one in making an initial choice.

I am still keeping my eyes open for a mobile phone operating system that implements strong security domain isolation similar to QubesOS, but unlike QubesOS, where each domain can be put at rest independently from each other in case my phone gets taken while turned on. That would be ideal for me.

Curious

de0u FWIW... https://x.com/Snowden/status/1588472045960327168 (or https://nitter.net/Snowden/status/1588472045960327168)

Well if you asked me for any details about this person, I would say you I have almost no idea who he is sadly, but I did my small research and I kinda get it, but... I generally don't know him.

Well I asked, but sadly, they seem not interested...or it is kinda out of their scope, like there are not many who are in field of Mobile OSes and whole problematic around it.

de0u

Curious Well if you asked me for any details about this person, I would say you I have almost no idea who he is sadly, but I did my small research and I kinda get it, but... I generally don't know him.

Two avenues:

Video: Citizen four
Book: Permanent Record

Curious Well I asked, but sadly, they seem not interested...or it is kinda out of their scope, like there are not many who are in field of Mobile OSes and whole problematic around it.

Maybe make more friends? 🙂

Security is complicated, so if you want some you'll need to figure out some mixture of how it works and whom to trust for opinions. Be aware that there is a fair amount of snake oil being sold, including in some YouTube videos. Meanwhile, I have thought well of the few Naomi Brockwell (NBTV) videos I have watched.

Curious

ryrona Thank your for clarification, obviously average person from nowhere has diff needs and goals in phone security and privacy compare to others.
I am also playing with idea that I would go Apple just to have firm ground as average Joe with some extra specific treats and better compatibility to future proof for apps I really need (not relaying on good will of bank app dev if they keep them friendly for alternative non-mainstream OSes).

But I mean even that would be a improvement compare to past where I was using non-pixel android phone with some sw tweaks and tons of bloat.

Another big bug of Apple for me is that it is so hard to like integrate it into "ecosystem" that is not Apple centric and also the fact that well their specs on HW are top quality but... the equation paying more for less is kinda big there.

Another thing that is big + for me for GOS is that it has no AI at all, I mean even today if you need to use mainstream OS on phone the better one is Apple since their AI is not so good and they maybe gaslighting that they will be processing stuff on your device, but at minimal some option is better than nothing.

Btw I found this one:
https://www.youtube.com/watch?v=4hTv_D0wKEs

Guy here is obviously biased on Apple ecosystem, sure, but... he mentioned that some app even tho he denied network access it still pinged home somehow (seeing it on their NextDNS) @GrapheneOS any idea what could be cause of it?
Also his point about apps talking to each others at background well... we also have sandbox no? So this should not be possible right?