• General
  • Does using GrapheneOS make you "stand out"?

Apps can know you are using GrapheneOS. Does limiting what surveillance capitalism can scoop from your mobile use by using GrapheneOS unintentionally make you "interesting" to other actors, similarly to Tor use? I don't know if Snowden endorsing the OS was necessarily good, if you know what I mean. In what ways does using GrapheneOS make you "stand out"? How can it be mitigated?

    Was wondering about this myself, would second the request for input. I suppose any app that's installed has to know a fair amount about the device such as storage space, android version, memory, etc. But do they actually search for and make a distinction between GrapheneOS & other custom software like LineageOS or CalyxOS? Or would they just query the attestation level and leave it at that? Maybe too broad a question here, but still curious.

    Wouldn't GOS appear to anybody else as an AOSP device?

    Such2938

    From https://grapheneos.org/faq#non-hardware-identifiers

    Apps can detect that they're being run on GrapheneOS via the privacy and security features placing further restrictions on them and hardening them against further exploitation.

    Secure application spawning, from what I understand, is one thing that can help determine a device is running GrapheneOS https://grapheneos.org/features#closed-device-identifier-leaks

    Our secure application spawning system primarily exists to significantly improve protection against exploitation. However, it also improves privacy. On a device without our secure application spawning system, the secrets used for probabilistic exploit mitigations such as ASLR are usable as device identifiers persisting until reboot. This is an easy way to identify the device from apps in different profiles. It's a minor bonus of the feature and there are still plenty of side channels to identify devices across apps, but it fixes most of the known direct identifier leaks.

    Also, I guess there are other things that app devs can use to determine whether a device is running GrapheneOS. Like, just a simple package scan to see if GOS apps are already installed, i.e. Apps, Auditor. Vanadium would be a big one for people with Vanadium having its own package name (for many the package name is still the same as regular Chromium, this change was part of the 2022110400 release renaming from org.chromium.chrome to app.vanadium.browser). Vanadium is only available on GrapheneOS. They can also check if sensors are returning zeroed everything.

    Those are just the things I can think of off the top of my head.

      Our secure application spawning system primarily exists to significantly improve protection against exploitation. However, it also improves privacy. On a device without our secure application spawning system, the secrets used for probabilistic exploit mitigations such as ASLR are usable as device identifiers persisting until reboot. This is an easy way to identify the device from apps in different profiles. It's a minor bonus of the feature and there are still plenty of side channels to identify devices across apps, but it fixes most of the known direct identifier leaks.

      This doesn't read like a section on how secure app spawning makes it easier for apps in a profile to know they're being ran on GrapheneOS, it's talking about closing ways of identifying the device from apps in different profiles, which the secure app spawning feature does.

      That said, if an app really wants to know if it's being used on GrapheneOS, it definitely can.

        matchboxbananasynergy

        Agreed. I was just suggesting that this is just one feature that is available on GrapheneOS that can be used to help determine the phone is running GrapheneOS. Maybe not enough evidence to prove it's definitely GrapheneOS, though.

        Like here's how I see it:

        This results in every app sharing the same initial memory content and layout, including sharing secrets that are meant to be randomized for each process.

        It cripples these security features since every app has the values for every other app and the values don't change for fresh app processes until reboot.

        My thinking is that on regular Android with the Zygote model, apps "share secrets that are meant to be randomized". So, if an app went through the trouble of checking these secrets, then they'd be able to determine a phone is using the zygote spawning model if the app has the same secrets each time it's launched. Or, if for example Meta checked this with Facebook and Instagram, the secrets are the same for both apps until reboot.

        Apps would know the phone hasn't been rebooted since they can receive a boot completed broadcast.

        However, if the secrets do change every time the app is launched, they can determine that the phone isn't using the zygote spawning model.

        that said, I don't actually know how an app would get access to these secrets. I could be wrong, and happy to learn more about this if I am :)

        And I realize that this thread is about "standing out." I kind of got excited and started to talk about ways to fingerprint GOS users... My bad.

        Also, to be clear, I'm not calling this stuff out as a "bad thing." Secure app spawning is obviously beneficial.

        unwat Are there any plans to mitigate this? It would be nice if permissions that can´t be turned off in mainstream Android distributions, like sensors, could be spoofed somehow. Same with those GOS apps not found elsewhere.

        -Y'all, would the ability to pass as any other Android phone be as desirable as it seems? If we're all onboard about the need for privacy, seems to me that being a GOS user is quite a fingerprint.

          Such2938 Y'all, would the ability to pass as any other Android phone be as desirable as it seems? If we're all onboard about the need for privacy, seems to me that being a GOS user is quite a fingerprint.

          If I have to pick between two options

          1. running GrapheneOS and benefit from better security and privacy, but could be fingerprinted as a GOS user
          2. running Stock and fitting in, but I don't have anything listed here: https://grapheneos.org/features

          I'd pick option 1 any day. Because what can anyone learn about us based on our phone's operating system, really? Lots of different kinds of people have GrapheneOS on their phones.

          Such2938 Are there any plans to mitigate this? It would be nice if permissions that can´t be turned off in mainstream Android distributions, like sensors, could be spoofed somehow. Same with those GOS apps not found elsewhere.

          Yes. There are always plans to improve the privacy and security of GrapheneOS users. The issue tracker (enhancement tag) is a good source of info about what they're planning on doing. Also, there's stuff about reducing the ability to fingerprint on the website here https://grapheneos.org/faq#non-hardware-identifiers.

            unwat Lots of different kinds of people have GrapheneOS on their phones.

            This assertion means nothing with respect to identifying a specific user. A GOS user is in a much smaller population compared to Android (with behaviours that can be guessed from being a member of the GOS population). Other observable traits can be used as next stage filters. For example, what are the number of GOS users in a geographically identifiable IP address block?

            Various studies have shown that it is often quite easy to denanoymize a person.

            See en.wikipedia.org/wiki/Data_re-identification and specifically, this paper:

            Hardesty, Larry. "How hard is it to 'de-anonymize' cellphone data?". MIT news. Retrieved 14 January 2015.
            https://news.mit.edu/2013/how-hard-it-de-anonymize-cellphone-data

              ve3jlg

              Your links are about de-anonymization. Being a "GrapheneOS user" would only come into play if the anonymous datasets include that data. I don't know if they do or not, but if they do, you're right, GrapheneOS has a smaller userbase, so if that data is there, it's easier to de-anonymize us.

              Same can be said about other "de-Googled" OSs, so GrapheneOS isn't unique in this regard.

              But thanks for calling me out. That one thing I wrote was kind of dumb and an oversimplification of what was really going on in my head. Not sure if you noticed, but I sometimes write too much. I'm trying to be more concise but I keep failing at that.

              De-anonymization is a statistics game. The less data we leak, the harder it is to de-anonymize or fingerprint us.

              GrapheneOS has already taken steps to reduce apps' ability to get data from us and will continue to do so in the future. As GrapheneOS improves, companies trying to harvest our data will get less data from the OS. It's also up to us to reduce the amount of data we willingly share.

              So I'd rather be IDed as a GrapheneOS user than one who runs an OS that "blends in," but also leaks data. As GrapheneOS improves anti-fingerprinting features, we're only going to benefit, even if we can be detected as GrapheneOS users.

              22 days later

              Apps can easily determine the specific device model and specific OS build. It's a given and there's fundamentally no way to fake it. They can see the system properties and all the code/data that's accessible to them. This is OS specific. They can see the signing keys for system components accessible to them, which indicates the specific OS and device model due to device-specific keys being used for important security reasons including avoiding components on one device being valid on another as out-of-band updates along with key rotation tied to device lifecycle. They can determine the specific OS build in multiple ways too. Trying to hide system properties, etc. is fruitless. They can still determine it.

              If apps want, they can use hardware-based attestation to check the device model and determine the OS through checking if it's in the green boot state or yellow boot state, and then checking the signing key for the yellow boot state. They can't know for sure what's being used in orange boot state but they'd know the device is unlocked and could refuse to allow using their services in that case. There are many ways to determine all of this without hardware-based attestation.

              The only way to avoid apps determining this is to run them inside a VM which they can identify as a specific kind of VM with a specific OS build for that VM. If the VM / VM OS was shared between multiple operating systems, they couldn't easily determine the host OS. That's not a realistic approach. Realistically, the VM OS will vary based on OS and will be built and signed by the OS provider like the rest of the OS.

              This simply isn't something possible to change. If you want to appear to be using the stock Pixel OS, you have to use the stock Pixel OS. There is no alternative.