Beginner questions

polygraph

You used an OS with abandoned and vulnerable drivers from a
decade ago, and now you are suspicious of Google's firmware?

This is a disjunct mixed with argumentum ad logicam.

We used what we could afford. The other option was to use stock Android on the same old devices which would be far worse.

As for:

and now you are suspicious of Google's firmware?

I am asking what I would like to know based on what is already known, e.g.

https://iverify.io/press-releases/iverify-discovers-severe-android-vulnerability-impacting-millions-of-devices-around-the-world

"Furthermore, users cannot remove this app because it is part of the firmware image, and Google does not allow end-users to alter the firmware image for security reasons."

In that sense, I see nothing unhealthy in questioning and distrusting what is hidden.

de0u

polygraph https://iverify.io/press-releases/iverify-discovers-severe-android-vulnerability-impacting-millions-of-devices-around-the-world

https://discuss.grapheneos.org/d/14993-debunking-fake-stock-pixel-os-vulnerability-from-an-edr-company

polygraph

Watermelon

Thank you for these answers!

Ultimately, no software can protect against malicious hardware.

Which is exactly the reason my question.

In the linked thread, I am reading:

"To this point, there is no evidence from traffic logs and similar that there are any unexpected connections to Google servers whatsoever. So, even if Google had implemented some kind of evil backdoor, they apparently don't make use of it."

which implies traffic log analysis but no details were provided. That however addresses potential spyware only and in a partial way - a potential spyware may not be transmitting data all the time. It may be saving it locally and sending it only e.g. once a month, or on Christmas.

Additionally that says nothing about non-spyware malware, e.g. malware that could destroy data, without necessarily transmitting anything. Or one that can brick the device totally.

I have first-hand information for similar things that electronics manufacturers deliberately do with some modules inside TVs, so they get "damaged" not long after the warranty expires. Then one must use their "certified repair services" or buy a new TV.

I hope that clarifies what I mean.

No software can protect you against physical tampering.

Right. So, how does one replace the battery?

Firstly, Vanadium activates a form of site isolation (sandboxing) that's stricter than the one used in Chromium/Google Chrome even on desktop.

Well, perhaps my specific example was not quite appropriate as it opens the direction to the huge subject of browsers, but since you mention Vanadium:

Is Vanadium based on ungoogled-chromium? Or is it ungoogled in a similar way?

I am concerned that because it is Chrome-based effective usage of uBlock Origin is practically impossible which seems to me a cons in regards to privacy.

Secondly, its very apparent to me as a user how much the GrapheneOS team cares about quick and good patching of security vulnerabilities [...]

I am not questioning that at all. I am rather interested whether Graphene has additional protections, independent of traditional patches.

and some of these tricks could harm the security of your device

From what I have read, SIM toolkit acquires and communicates user data and is a potential door to mischief by MNOs. That's why I have removed it from our Replicant phones and they work fine without it. From your words I understand that is not possible to do on Graphene, right?

Once again, thank you for answering some of my questions!
I hope someone can answer the remaining ones:

3
7
8 (first part)
9-12

de0u

polygraph I have first-hand information for similar things that electronics manufacturers deliberately do with some modules inside TVs, so they get "damaged" not long after the warranty expires. Then one must use their "certified repair services" or buy a new TV.

The forum moderators have expressed distaste for conspiracy allegations without support. Obviously some conspiracies do exist, but the number of possible evidence-free allegations is high enough that hosting them would reduce the tactfulness of the forum quite a bit.

fernlike

polygraph I hope someone can answer the remaining ones:

3
7
8 (first part)
9-12

/3. Unknown, wait and see.

/8. As far as I know it does not. I had to send in my P8 for a display replacement (through Google) and I did not reset it to stock beforehand. They will factory reset your phone anyway as part of the repair. But see this thread on the topic.

/10. No real difference really as far as I know. In general newer is better since it will get updates longer.
/11. See point 10, but maybe/potentially this.
/12. See point 3, but probably slightly worse initially.

de0u

polygraph How does one replace the battery?

I believe iFixit sells Pixel batteries and provides directions. For example: https://www.ifixit.com/Guide/Google+Pixel+8+Battery+Replacement/166180

de0u

polygraph From what I have read, SIM toolkit acquires and communicates user data and is a potential door to mischief by MNOs. That's why I have removed it from our Replicant phones and they work fine without it.

These days many carriers work without it (and, I believe, many don't use it). But some might still require it.

The GrapheneOS project provides build instructions for those who wish to do private builds.

polygraph

de0u

OT/
I cannot provide verifiable evidence. I know what I said from a certified technician who fixes such dysfunctional TV modules every day and he did not benefit financially from sharing this info (he actually fixed our TV for free). His words: "They deliberately make them like this, so they get damaged about the warranty time". His recommendation was "don't buy high-end models, buy cheaper ones".
/OT

de0u

https://discuss.grapheneos.org/d/14993-debunking-fake-stock-pixel-os-vulnerability-from-an-edr-company

Thank you for sharing this. I understand the particular case is obviously not a stable basis for conclusions. That however does not make proprietary components trusted per se, especially without analysis or reverse engineering. We also have the history of the 'non-evil' company + so much other evidence (otherwise we wouldn't need to replace the stock Android).

de0u

The GrapheneOS project provides build instructions for those who wish to do private builds

I can't seem to find a section that explains how to remove an app. Is there any info about it?

Also why is a complete rebuild required? On Replicant I can simply ADB as root, remount /system as rw and delete the apk. Isn't that possible on Graphene?

fernlike

Thank you! Very good info.

I guess what remains to be clarified has been reduced to:

1 (as per follow up)
5 (as per follow up)
7
9

As a newcomer, I would also like to express my good initial impressions from the community!

de0u

polygraph I have first-hand information for similar things that electronics manufacturers deliberately do with some modules inside TVs, so they get "damaged" not long after the warranty expires. Then one must use their "certified repair services" or buy a new TV.

de0u The forum moderators have expressed distaste for conspiracy allegations without support.

polygraph I cannot provide verifiable evidence. I know what I said from a certified technician who fixes such dysfunctional TV modules every day and he did not benefit financially from sharing this info (he actually fixed our TV for free). His words: "They deliberately make them like this, so they get damaged about the warranty time". His recommendation was "don't buy high-end models, buy cheaper ones".

That is not "first-hand knowledge". I believe that in (at least) the U.S. legal system that is "hearsay", meaning it isn't even legal testimony. First-hand knowledge would be if you, personally, worked for a TV company and had been told, personally, by your boss to deliberately build modules to fail early and personally explained how you had done it.

de0u

de0u https://discuss.grapheneos.org/d/14993-debunking-fake-stock-pixel-os-vulnerability-from-an-edr-company

polygraph Thank you for sharing this. I understand the particular case is obviously not a stable basis for conclusions. That however does not make proprietary components trusted per se, especially without analysis or reverse engineering.

Correct. Unfortunately, at present the set of phones with both the features expected by most users (Wi-Fi, Bluetooth, cellular data, VoLTE, GPU) and open-source firmware appears to be the empty set. This is not to my taste, but it appears to be true, and also it seems likely to be true for some time to come.

Then the question becomes which platforms without open-source firmware have things like strong isolation of hardware components, rapid and long-term firmware patches when vulnerabilities are disclosed, hardware rate limiting in the secure element, etc. At present this set is small but not empty.

de0u

de0u The GrapheneOS project provides build instructions for those who wish to do private builds.

polygraph I can't seem to find a section that explains how to remove an app. Is there any info about it?

I think so far the build instructions are focused on how to reproduce GrapheneOS -- this is important because it differs somewhat from the regular AOSP build sequence, so if this information were missing that would impede even experienced Android developers. In terms of adding or removing apps, one place I might start would be developer.android.com; another option would be to look back at the GrapheneOS history to find when the "Info" app was added, and do the opposite.

Watermelon

polygraph I hope that clarifies what I mean.

GrapheneOS does do something that seems like what you're asking about:
https://grapheneos.org/features#broad-carrier-support

polygraph Right. So, how does one replace the battery?

By yourself, I guess. I don't have a better answer. If you don't want someone to tamper with your phone, don't give it to them.

polygraph Is Vanadium based on ungoogled-chromium? Or is it ungoogled in a similar way?

GrapheneOS is a professional project:
https://grapheneos.org/hiring
They're experts in the field and base their software on Google's output rather than amateur/volunteer software projects.

Vanadium strips out Google integration from Chromium in a way that I imagine is similar to ungoogled-chromium.

polygraph I am concerned that because it is Chrome-based effective usage of uBlock Origin is practically impossible which seems to me a cons in regards to privacy.

Vanadium strips out extension support for security and sandboxing reason, and adds a simple built-in ad blocker (togglable globally and per-site).
https://vanadium.app/

polygraph I am not questioning that at all. I am rather interested whether Graphene has additional protections, independent of traditional patches.

This is the primary focus of the GrapheneOS project.
Traditional patches: https://grapheneos.org/features#more-complete-patching
Zero-day exploit protection: https://grapheneos.org/features#exploit-protection

polygraph From what I have read, SIM toolkit acquires and communicates user data and is a potential door to mischief by MNOs. That's why I have removed it from our Replicant phones and they work fine without it. From your words I understand that is not possible to do on Graphene, right?

You have no reason to touch apps like SIM Toolkit on GrapheneOS. See the first link in this post.

polygraph

de0u That is not "first-hand knowledge". [...]

OK. Let's be "precise":

I said information, not knowledge.
It is first-hand in the sense that it was my direct experience how our TV got "damaged", then fixed for free by a friendly person who had explained the reasons. Yes, it is not first-hand according to the formal or legal definitions you provide, but it still sounds convincing to me. Please everyone excuse me in case that has created some confusion.
What I said was not an "allegation", as in a statement or accusation. It was just a side note to clarify a concern.
I don't like the modern trend of classifying things as "conspiracy" because I am familiar with the factual history and purpose of the term "conspiracy theory".
If you insist to dig into it, you can search for e.g. "TVs with firmware that gets self-damaged". I was surprised to read in some of the SERPs how similar were other people's experiences.

Since you are obviously concerned with moderator's distaste, and I am reading that "Sustained disruption or derailing of threads" is not tolerated, may I ask that we stay on topic please?

de0u Correct.

Glad we agree.

Then the question becomes which platforms [...]

I am actually interested in the original question #1.

de0u to look back at the GrapheneOS history to find when the "Info" app was added, and do the opposite.

Are you suggesting that SIM toolkit was added by Graphene at certain point in time, before it wasn't there, i.e. that it was not part of it from the beginning as part of upstream Android?

polygraph I guess what remains to be clarified has been reduced to:

1 (as per follow up)
5 (as per follow up)
7
9

... hopefully.

de0u

polygraph I can't seem to find a section that explains how to remove an app. Is there any info about it?

de0u In terms of adding or removing apps, one place I might start would be developer.android.com; another option would be to look back at the GrapheneOS history to find when the "Info" app was added, and do the opposite.

polygraph Are you suggesting that SIM toolkit was added by Graphene at certain point in time, before it wasn't there, i.e. that it was not part of it from the beginning as part of upstream Android?

If I had believed that the Sim Toolkit system app had been added by the GrapheneOS project, I might have suggested looking at the commit history to find when the Sim Toolkit system app was added and doing the reverse of that.

Exactly because I suspect the Sim Toolkit system app was there before the start of the GrapheneOS project, and because I am quite certain that the "Info" app was recently added, I suggested finding the point in the commit history where the "Info" app was added.

I don't know where the idea might have come from that the GrapheneOS project added the Sim Toolkit app to AOSP.

de0u

de0u Unfortunately, at present the set of phones with both the features expected by most users (Wi-Fi, Bluetooth, cellular data, VoLTE, GPU) and open-source firmware appears to be the empty set. This is not to my taste, but it appears to be true, and also it seems likely to be true for some time to come.

Then the question becomes which platforms without open-source firmware have things like strong isolation of hardware components, rapid and long-term firmware patches when vulnerabilities are disclosed, hardware rate limiting in the secure element, etc. At present this set is small but not empty.

polygraph I am actually interested in the original question #1.

Fair enough. Here it is:

polygraph What particular analyses of the proprietary components have been made? What did those reveal and what protection measures have been implemented? In general, how does Graphene OS protect from potential malware in the proprietary components?

I do not speak for the GrapheneOS developers, so I don't know what might have occurred in private. That said, I am unaware of them having reported on any binary analysis of any proprietary components.

However, a variety of protection measures are nonetheless in place. User-space proprietary blobs are run with MTE enabled on GrapheneOS (as opposed to the stock OS) except when they can't be because they crash too often; hopefully as Google enables MTE internally they will fix those bugs. There is special sandboxing for Google's eSIM management blob. I believe that kernel drivers use GrapheneOS's hardened memory allocators. Various hardware components (I'm pretty sure including the baseband) are isolated via the IOMMU. I believe that if Google Play is installed it is run via AOT compilation instead of JIT, as a regular app.

Obviously that is not ideal! But I am curious about which competitors are perceived to exist. Are there phones (including VoLTE, Wi-Fi, Bluetooth, etc.) with open-source firmware? Are there phones with detailed analysis of closed-source firmware?

polygraph

de0u I suggested finding the point in the commit history where the "Info" app was added.

Sorry, I have misread your earlier message, as I am still not familiar with the system.

I do not speak for the GrapheneOS developers, so I don't know what might have occurred in private. That said, I am unaware of them having reported on any binary analysis of any proprietary components.

Thank you for this info. I wonder how we could probably get some feedback from those who may have researched.

Are there phones (including VoLTE, Wi-Fi, Bluetooth, etc.) with open-source firmware?

Replicant devices use external USB Wi-Fi adapters with FOSS firmware. That's all I know.

Are there phones with detailed analysis of closed-source firmware?

I don't know.

Watermelon If my answer to #1 doesn't satisfy you, I'm not sure what would.

It does and I thank you. I am just willing to know about the analysis part (if any).

Regarding #5: Why do you insist on wanting to remove system apps?

I don't consider the browser to be a system app. I just want to know if it is possible and easy to do. I don't pretend it will increase security. Consider it from the perspective of freedom.

Regarding #7: Why isn't DNS-over-TLS and DNS-over-HTTPS sufficient for you?

https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS

Furthermore, I'm not aware of any option to use DNSCrypt as a native built-in OS feature in any version of Android

There is an Android version:

https://github.com/DNSCrypt/dnscrypt-proxy/releases

I don't see what prevents you from reproducing the same DNSCrypt setup that you've used before?

I have used DNSCrypt only on Linux. On Replicant I was able to run it through ADB (starting the service as root and using iptables rules) but it wouldn't run after rebooting because persisting that requires modification of SELlinux policies and I couldn't do it. It requires to rebuild certain things which is beyond my capabilities. Should be trivial for an expert, I think.

Do you think anyone would be interested to do look into it? (Perhaps in a separate thread)

userofgos

Thanks for these links. I understand there is no easy way to do it.

Watermelon

polygraph 1 (as per follow up)
5 (as per follow up)
7
9

If my answer to #1 doesn't satisfy you, I'm not sure what would. But I don't blame you for being questioning. So no further comment from me about it for now.

Regarding #5: Why do you insist on wanting to remove system apps? You gain only a small doubtable security advantage, and lots of issues. The SIM Toolkit app on GrapheneOS doesn't spy on you. It doesn't work for the carrier, it works for you. See:
https://grapheneos.org/faq#baseband-isolation
https://grapheneos.org/faq#cellular-tracking
https://grapheneos.org/features#broad-carrier-support
Please have a thorough look at the features, usage guide, and FAQ pages on the main website. Read the whole table of contents, at least. Then check any section in these pages that might answer your questions, at least. Ideally, read the whole pages and not just the table of contents wholly.

Regarding #7: Why isn't DNS-over-TLS and DNS-over-HTTPS sufficient for you? Furthermore, I'm not aware of any option to use DNSCrypt as a native built-in OS feature in any version of Android, and modern GrapheneOS supports VPN apps just as much as stock Android (but much more secure because many leaks are patched), so I don't see what prevents you from reproducing the same DNSCrypt setup that you've used before?

polygraph

Novalissoide you want to remove Vanadium webview in pursuit of, freedom?

The 4 freedoms don't apply to what I am asking. Read it as freedom to remove components one does not intend to use.

Or did I miss something here?

The original question. Vanadium and SIM Toolkit were just random examples. I don't know what other default apps exist in Graphene.

Watermelon

You bring in a lot of interesting off-topic remarks that are probably worth discussing in dedicated threads, so I will restrict my reply to the current one as much as possible.

Why do you need to remove it when there's a setting to switch the default entirely to your favorite app?

Potential additional reduction of attack surface. The original question says nothing about favorites or replacements. One may decide not to use a browser at all.

complex installation instructions for root is very lazy.

It is unlikely DNSCrypt's devs will visit the forum and read this. If they work together with Graphene's devs it would benefit Graphene, hence my previous suggestion to discuss technical questions on their GitHub tracker.

all I can think of is that what you want gives privacy-by-design, whereas standard DoT/DoH gives privacy-by-policy

Spot on.

and I'm not sure privacy-by-design for DNS queries in standard web browsing is worth the effort

DNS is not just about web browsing.

if you can't find a nice way to run it

I am looking for one, hence my question.

I don't understand what you mean here.

Your question:

Why isn't DNS-over-TLS and DNS-over-HTTPS sufficient for you?

Delaney They've come from Replicant. Presumably their top priority is maintaining "freedom" in the software they use. They're not coming to GrapheneOS for the security and privacy enhancements necessarily.

The priority is security and privacy. Freedom per se does not guarantee that (there are FOSS malware tools), yet it is a logical prerequisite, hence question 1.

@polygraph needs to understand that "freedom" is not the main goal of GrapheneOS

I am against any form of bigoted conformity.

I understand having all components free is an impossible goal due to existing hardware. If Graphene is deliberately against freedom though (which I doubt), that is the same conformity, just inverted.

Watermelon it's very obvious that security/privacy are either extremely high priorities for the OP, or the highest priorities, in their decision process. Much of what they talk/ask about is for security/privacy.

Spot on again.

userofgos

polygraph Can unwanted apps be completely removed? (e.g. SIM Toolkit or Vanadium)

Novalissoide

polygraph I've daily driven ReplicantOS i9300, back in 2017, the mindset is so familiar. It hasn't changed in essence regarding my desire to be in control of my electronics to the fullest of my abilities. Two things about this world;

The best, and quickest way to understand GrapheneOS is to go ahead and use it.
and

The platform you leave, hopefully for this one, is less secure in so many ways.

Watermelon

polygraph I don't consider the browser to be a system app.

The built-in browser on Android is a system app, like Internet Explorer/Microsoft Edge on Windows.

polygraph Consider it from the perspective of freedom.

You can switch the default browser on Android. There's a menu in the Settings app to choose default apps for various types of apps (launcher, browser, etc). This would make all URLs and Custom Tabs open with it. The only thing you can't switch is the System WebView component, which is used by apps that want to use the System WebView component to display embedded web content. It's part of the experience of using these apps though, rather than your web browser, so I don't consider it to be a freedom issue. It's also beneficial for apps to use the System WebView, because on GrapheneOS that'd be Vanadium System WebView, which by itself has lots of security improvements, and additionally lets you block JIT compilation in the System WebView in each app to protect the app.

polygraph https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS

polygraph There is an Android version:

https://github.com/DNSCrypt/dnscrypt-proxy/releases

(By "native" support, I meant a built-in feature in the OS, not a third-party app. And speaking of an "app"…)

I checked the zip file and I can see only a binary file in it, presumably an ELF executable. This isn't what I'd call Android support. I imagine you could run an ELF executable in a terminal app, and it could open up a port on the loopback interface so you could point other apps into it. This would probably have awful UI/UX and battery consumption and get killed in the background all the time. You'll also have to disable the dynamic code loading via storage exploit mitigation on the terminal app to be able to execute ELF binaries in it.

I made a search for DNSCrypt apps and came up with a few results, I haven't tried them myself though:
https://play.google.com/store/apps/details?id=pan.alexander.tordnscrypt.gp (should be open source, also has a website)
https://play.google.com/store/apps/details?id=app.intra (should be open source, made by a company related to Google)
https://play.google.com/store/apps/details?id=com.dnschanger

For the best anonymity, you really should be using the Tor network, and/or Tor Browser (which is insecure because it's based on Firefox which is also insecure). I see the merit in having a binary choice between Tor and normal browsing with anonymous DNS, compared to a binary choice between Tor and normal browsing without anonymous DNS. With that said, if you can't find a good Anonymous DNSCrypt solution on GrapheneOS, I'd suggest you to stick to standard DNS-over-TLS/DNS-over-HTTPS with a DNS resolver that has a privacy policy you're comfortable with. Anonymous DNS (such as Anonymous DNSCrypt that you pointed to above, and Oblivious DNS-over-HTTPS which also came up in my search) provides privacy-by-design instead of privacy-by-policy, but I personally don't think the privacy-by-policy approach would be so bad for a DNS resolver. As I said, for best anonymity, use Tor. (But seriously, couldn't they've created a normal Android app instead of giving an executable and pointing users to install it with root? It's very lazy of them. And not your fault.)

polygraph I have used DNSCrypt only on Linux. On Replicant I was able to run it through ADB (starting the service as root and using iptables rules) but it wouldn't run after rebooting because persisting that requires modification of SELlinux policies and I couldn't do it. It requires to rebuild certain things which is beyond my capabilities. Should be trivial for an expert, I think.

ADB is incredibly insecure and unsafe. Avoid it entirely. Make a rule for yourself to never, ever enable ADB on your personal phone. Same thing for developer mode as a whole. It requires inputting credentials to enable it for a good reason.
Root is fundamentally incompatible with Android's sandboxing and verified boot features, and as such would never be supported in GrapheneOS in any form.
GrapheneOS improves the SELinux policies from Android. I strongly recommend you to stick to the official GrapheneOS releases built by the developers, rather than unofficial builds by yourself or others. I'd especially recommend you to avoid looking for Android versions with relaxed SELinux policies to support features. You'd want stricter SELinux policies, not relaxed ones, if you want security.

Eirikr70

Lol, I don't understand a word of what you're chatting about, but the fact that such chats take place in this community gives me trust in the OS.