Ability to install/replace privileged system apps for user freedom

electron777

With the new dystopia of so-called "trusted computing" modern software is designed to cryptograpically lock users out of accessing the files on their devices or installing patches of their own in the name of security. I am not the kind of person to say that these technologies are inherently evil, and I understand that one of the goals of GrapheneOS is to attempt to maximize the benefits of these security measures while bringing some of the control back to the user.
With that, I think it would be a great idea to create a mechanism to allow the safe installation of apps with system-level privilege as well as allow them to be swapped out or patched by the user. As I understand it, right now this can't be done for a few reasons, including signature conflicts and downgrade protection. I understand the potential security implications of this, but it could be an optional developer mode feature where you could add approved signing certificates for these types of apps (I haven't fully thought this out yet).
Some example use cases:

App developers have exclusive control over their users' data in the /data partition. I want to be able to install a file manager that can read and modify this data. (Not sure if this is possible with priv-app permissions, but it would be nice to be able to swap out the file manager anyway)
I used to use JamesDSP, but it requires root access to work. This is extremely insecure. What if instead, we could develop a new app to replace android's AudioFX equalizer that includes JamesDSP, rather than the hacky way of using root
There are several low level APIs that can only be accessed by system apps or through proprietary wrappers. One such API is for eSIMs. Allowing access to these APIs would make it easier for developers to build open source replacements on real off-the-shelf hardware, e.g. https://gitea.angry.im/PeterCxy/OpenEUICC

Any thoughts on this? I'm not trying to downplay the complexity of adding such a feature, but it seems like a much better solution than people rooting their phones

Dumdum

electron777 Could users not just do this by building their own GrapheneOS?

Fay_Wilmont

electron777 I guess you just can't have that kind of freedom without sacrificing some of the security. Although I agree with the spirit of your proposal: give us the tools to securely implement changes to the OS, without us needing to become an OS developer.

Mobile OSes are all about taking control away from the user. Maybe because most users don't know what they are doing and are easily coerced into doing something stupid. Maybe because it's a business model protecting someone else's revenue.

Hell, I wasn't aware of the security implications of unlocking a bootloader and rooting an OS when I first did it! Not even in the slightest. The only thing I knew was I was getting rid of those annoying ads everywhere, which was a REAL concern to me.

Luckily that doesn't require rooting anymore these days. But still, why can't we access app's files and edit their databases? Why are they allowed to keep our data hostage? Why can't we grant or deny an app any permission we want? Why aren't we able to remove the spyware that comes preloaded on our devices? How come Meta gets to run code on my device with system app privileges but I don't? Why is rooting or jailbreaking even a thing? What happened to elevated privileges, to the administrator or root account we know from desktop OSes?

Mobile OSes are like dictatorial regimes, taking away our freedoms in the name of security and protecting us from criminals. The sad reality is that most users and their data must be protected, with so much scammers/malware around and devices always connected to the internet. Maybe it's real difficult—or even impossible—to achieve that while also giving power users a level of access that fits their skill level and risk tolerance.

But it's undeniable that profit is also a factor. Don't tell me having Meta services run as a privileged system app and the owner of the phone not being able to disable or uninstall it is good for security. Don't tell me not being able to deny an app internet access is good for security. Luckily these are some things GrapheneOS fixes, as they actually are about security, without making compromises for year-over-year growth.

I do wish they—or any custom Android firmware—would add a proper way to backup and restore app data. At any time, not just when first setting up a user. And in an open, accessible format too, so we actually own our data. Of course that creates new attack surface, if only for social engineering attacks. There's always a trade-off to be made between security and usability. But it's sad the only choice we currently have is to just burn a gaping hole in the security model—i.e. root the OS—to achieve it. And that most "custom ROM" users and developers seem fine with that. “Just install Magisk if you want that functionality...”

There is room in the custom firmware scene or mobile OS space for a security conscious approach to giving power users what they want. Android and iOS are aimed at the tech illiterate masses. The rest of us are left with hacks like rooting/jailbreaking and exploiting developer and device management features. Which get criticized a lot in security circles, but as long as there are no viable alternatives, is that really fair?

rjo12

My thoughts - it would be a gaping security hole - on an equal footing with rooting your device - so I'd be quite surprised if GOS ever provided a means for a user to simply install system apps.

Being able to install arbitrary apps with system privileges would be an easy way to totally undermine security of your device - all that would be needed is you installing one malicious app with elevated privileges (and the easier it is to do that, the more likely that someone will be tricked into doing it). It would break the "chain of trust" that is central to GOS, and attestation using its Auditor app.

Personally, with GOS, I've yet to find any need to root the device. GOS is different from most OEM variants of Android, and Android-based ROMs, in that the few system apps are carefully selected with security and privacy in mind. The most I've had to do is disable some of the included apps, and install replacements that I prefer - but that's a long way from any need to root the device.

dc32f0cfe84def651e0e

rjo12 Personally, with GOS, I've yet to find any need to root the device.

I wish GOS supported full and unrestricted user level access to the /data partition. Thus making it possible to fully back up the userspace and change apps' context.

Titan_M2

dc32f0cfe84def651e0e Backing up user data can be implemented by a first party backup system without exposing raw access to apps. In regards with the ability to modify /data, again you can build your own modified version, probably easiest way is to enable adb root.

rjo12

dc32f0cfe84def651e0e Personally, I don't want user-level access to my data partition. But you can set up your own build if you must have that (and be willing to accept/manage whatever security compromises you make).

I keep my GOS setup simple enough that manual means of backup (e.g. from apps that allow exporting their data, and periodically copying their exported data manually to a personal NAS) are sufficient for my purposes. That said, I do keep Seedvault backups - but that's because of interest (and hope) in seeing how it evolves as a backup/recovery solution, rather than (for now) relying on it.

schklom

Titan_M2 > Backing up user data can be implemented by a first party backup system without exposing raw access to apps

A lot of apps disallow saving data to system backups for no valid reason, e.g. Signal and Whatsapp prefer to backup on their own. I think even adb cannot enforce backing up user data. Root or system privilege is the only method for them.

ryrona

My own personal wishlist:

Being able to capture network dumps (PCAP dumps) from arbitrary network interface, so I can later analyze them using Wireshark on my computer. This would make me audit for leaks and for misconduct by apps way more, including in more realistic real world use-cases, which could benefit both my own security and privacy a lot, but by extension also those of other GrapheneOS users. Today, I would need to make a userdebug build to be able to do this, but then I cannot audit my actual real system, and reinstalling my phone including going to the authorities to get a new digital ID issued to me every time makes this not very practical. That a privileged app shipped by GrapheneOS (possibly just "adb shell") can capture network traffic does not seem like a security or privacy issue at all to me. User installed apps still wouldn't be able to do it. And if someone who has taken my device physically does it, that likely will not give them any information at all useful to them, except for what apps might be running in a secondary user profile they haven't been able to unlock, but this information is supposedly available to them anyway.
Being able to have read access to all data on the device file system, including to private app data. This way I would be able to better learn what kind of data apps store on my device about me. This would also have made it far easier to verify files goes back to rest when a user profile is locked. I discovered this was not the case for the private space only because I made a userdebug build. Again, being able to audit the system is beneficial both for my own and all ours security and privacy, and it would still only be a privileged app or possibly "adb shell" that is able to do this. There are security risks here though. Someone who has taken my device plus my passphrase would now be able to read out private app data including database files, and including from user profiles that are still locked (but running). This could reveal information about past activity and activity in other user profiles. But as I understand, Seedvault is already compromising this security and privacy partially, and the real solution to keeping data protected is to have it at rest.

Though, I don't think the GrapheneOS developers will ever implement these abilities to audit the real live system, even if it would have benefits for the security and privacy of everyone. They seem to be feeling very strongly about not removing any security feature implemented by AOSP at all, and the above restrictions on ability to monitor data traffic and read files are implemented by AOSP.

Titan_M2

schklom A lot of apps disallow saving data to system backups for no valid reason, e.g. Signal and Whatsapp prefer to backup on their own

GrapheneOS can easily override that flag and backup anyway, unless the app is using hardware-backed keys in which case you can't do it even with root.

schklom

Titan_M2 https://github.com/seedvault-app/seedvault/wiki/FAQ

Android gives apps the option to opt-out of the system backup. Many privacy respecting apps used this option to prevent user data ending up on Google servers. Unfortunately, this also affects encrypted backups done via Seedvault as the opt-out is enforced by the system.

You could ask Graphene devs to patch Android in order to let system backups ignore the opt-out option. But as Android currently is, apps have the decision power.

More info on why ignoring the flag is not a great idea in general: https://github.com/seedvault-app/seedvault/issues/165