What data does GrapheneOS collect on its users

hemingway

I can't seem to find any info on this anywhere. So Diagnostic or otherwise, what data is collected from users of the OS and how is it anonymized (if at all)?

My question arose when I noticed that the shell app has unrestricted and un-disableable access to network, call logs, contacts, location, sms, etc. and the code indicates a function to upload this data.

userofgos

hemingway I can't seem to find any info on this anywhere. So Diagnostic or otherwise, what data is collected from users of the OS and how is it anonymized (if at all)?

Here's a relevant tweet: https://xcancel.com/GrapheneOS/status/1990459088648683902#m

GrapheneOS does not collect user data. All of the default connections and their purpose are documented at https://grapheneos.org/faq#default-connections. Our privacy policy is documented at https://grapheneos.org/faq#privacy-policy If you want to avoid 10 or fewer days of IP access logs for services, use a VPN.

hemingway My question arose when I noticed that the shell app

What shell app?

de0u

hemingway can't seem to find any info on this anywhere. So Diagnostic or otherwise, what data is collected from users of the OS and how is it anonymized (if at all)?

This information is available in the "Security and Privacy" section of the FAQ, especially starting with the "Default Connections" part.

In general, users are encouraged to read through the FAQ, which contains answers to a wide variety of questions that are frequently asked.

hemingway

userofgos What shell app?

This one:

1.jpg
2.jpg
3.jpg

hemingway

userofgos GrapheneOS does not collect user data.

Iirc shell was a non essential app related to adb that I routinely removed as bloat on older versions of android. So this begs the question: Why is an app 99% of people won't use permitted unrestricted and unrestrainable access to everything?

userofgos

hemingway Why is an app 99% of people won't use permitted unrestricted and unrestrainable access to everything?

See: https://discuss.grapheneos.org/d/11050-system-apps-pixel-firmware-network-connections/12

de0u

hemingway Iirc shell was a non essential app related to adb that I routinely removed as bloat on older versions of android.

Is the matter at hand frameworks/base/packages/Shell?

If so, is there a belief that this code is related to the GrapheneOS project collecting user data?

Upstate1618

hemingway Iirc shell was a non essential app

This is wrong. Essential apps are not apps you must use. Essential apps are apps that's essential for all OS features including those you might never use. For example you might never use UWB but that is also an essential app. You might never use adb shell but it's an essential app because others might use it for development purposes.

hemingway

userofgos https://discuss.grapheneos.org/d/11050-system-apps-pixel-firmware-network-connections/12

Appreciate it but that response does not answer my question and can be summarized as "disabling some system apps is disallowed since it might break things"

As I mentioned, shell should be a non essential app and I have had no trouble removing it on older android versions. The fact that it is related to adb and has these permissions makes disallowing restricting its permissions until the user deems its use necessary seems like a security blunder.

If it has indeed become necessary with android's evolution, I would love to know why it is now so essential to system operations that GOS disallows any modifications to its liberal permissions.

hemingway

de0u Is the matter at hand frameworks/base/packages/Shell?

Yes

de0u If so, is there a belief that this code is related to the GrapheneOS project collecting user data?

I ran into this app while auditing app permissions and had to wonder about the security implications of providing the app undeniable access to everything.

userofgos

hemingway Appreciate it but that response does not answer my question and can be summarized as "disabling some system apps is disallowed since it might break things"

https://discuss.grapheneos.org/d/11050-system-apps-pixel-firmware-network-connections/4
https://discuss.grapheneos.org/d/11050-system-apps-pixel-firmware-network-connections/7

hemingway f it has indeed become necessary with android's evolution, I would love to know why it is now so essential to system operations that GOS disallows any modifications to its liberal permissions.

I'll leave that to others to answer that are more knowledgeable on the matter.

de0u

hemingway I ran into this app while auditing app permissions and had to wonder about the security implications of providing the app undeniable access to everything.

The "auditing app permissions" approach, for system apps, is probably unproductive. A vast amount of code that ships with GrapheneOS, and that runs with elevated privileges, is not "app" code. Meanwhile, the interactions between various system apps can be non-obvious, so denying permissions to them frequently leads to mysterious failures, perhaps weeks or months after the permissions were removed.

Based on a quick glance, the code in question appears to be related to capturing data when a user wishes to submit a bug report. If that is correct, such an app would plausibly need access to various data in order to collect it for inclusion in the bug report.

To assess the "security implications" of that code it would be necessary to inspect the code.

hemingway The fact that it is related to adb and has these permissions makes disallowing restricting its permissions until the user deems its use necessary seems like a security blunder.

If it is believed that shipping the Shell app with those permissions represents a "security blunder" by the GrapheneOS team, presumably it is feasible to provide a proof-of-concept, or at least a plausible description of a specific problem such as privilege escalation, presumably via responsible disclosure (the GrapheneOS project provides a security.txt).

hemingway

userofgos https://discuss.grapheneos.org/d/11050-system-apps-pixel-firmware-network-connections/4
https://discuss.grapheneos.org/d/11050-system-apps-pixel-firmware-network-connections/7

Again, thanks but neither link appears to answer any part of my question.

hemingway

de0u the code in question appears to be related to capturing data when a user wishes to submit a bug report

That is exactly how I've categorized the app in the past and removal has not impacted me on any of my devices for enough years that I have to wonder about its necessity. This is why I'm asking what I'm missing here since I can't fathom the need to disallow restricting something most people will never use.

de0u If it is believed that shipping the Shell app with those permissions represents a "security blunder" by the GrapheneOS team, presumably it is feasible to provide a proof-of-concept, or at least a plausible description of a specific problem such as privilege escalation, presumably via responsible disclosure (the GrapheneOS project provides a security.txt).

No, it may be a blunder to disallow restricting the app's permissions. Every OS, whether Android, Windows or Linux, comes out of the box with a "what should work for most" default configuration. The benefit of auditing the configuration by narrowing permissions down to a "what is necessary for me" configuration should be obvious. "There have been no fires in my home thus far so I don't need a fire extinguisher" isn't a very sound approach imho.

de0u

hemingway I can't fathom the need to disallow restricting something most people will never use.

The calculus is different when the user community has one member than when it has 300,000. With a sufficiently large number of users it becomes quite plausible that somebody who turned something off and forgot about it will later present a problem report that may waste support resources as a result.

Users who wish to remove or reconfigure system apps are free to build their own variants of GrapheneOS using the detailed directions on the web site.

hemingway The benefit of auditing the configuration by narrowing permissions down to a "what is necessary for me" configuration should be obvious.

Users for whom it is obvious that code and/or permissions should be removed from GrapheneOS are free to build their own variants of GrapheneOS using the detailed directions on the web site.

The project does review and may accept change proposals, but generally when they improve security and/or privacy in a demonstrable way for a large part of the user community, in the judgment of the developers. Proposals to enable disabling or removing permissions from built-in system apps, without specific vulnerability information, seem unlikely to be accepted.

Please note that I do not speak for the GrapheneOS project.

hemingway

de0u Users who wish to remove or reconfigure system apps are free to build their own variants of GrapheneOS using the detailed directions on the web site.

de0u Users for whom it is obvious that code and/or permissions should be removed from GrapheneOS are free to build their own variants of GrapheneOS using the detailed directions on the web site.

GOS uses exploit mitigation to catch and confound unknown attack vectors. GOS also appears to frown on rooting as allowing any single app unfettered access to everything plainly poses a potential security risk on a massive scale.

I believe auditing app permissions employs the same spirit of premptive security. "Build your own fork if you don't like it!" seems like a premature and rather hostile response to someone simply asking "Why does this once useless app enjoy unrestricted permissions on GOS?" For all I know at this point, it could be vital to the functioning of GOS, or it could be a minor oversight that can easily be remedied.

I'll wait in the hope that someone who knows what the app actually does chimes in before concluding that disabling contacts permission or enabling contact scopes for a bug report app would break GOS and lead to a support burden on a massive scale.

de0u

hemingway GOS uses exploit mitigation to catch and confound unknown attack vectors.

Yes.

hemingway GOS also appears to frown on rooting as allowing any single app unfettered access to everything plainly poses a potential security risk on a massive scale.

Is an allegation being made that the "Shell" app has "unfettered access to everything"?

hemingway I believe auditing app permissions employs the same spirit of premptive security.

Ok. But there have been many posts by official accounts on this forum stating that removing permissions from built-in system apps is not something the project supports (including at least one such post in a thread linked to earlier in this thread (link)).

hemingway "Build your own fork if you don't like it!" seems like a premature and rather hostile response to someone simply asking "Why does this once useless app enjoy unrestricted permissions on GOS?"

But it wasn't a response to that. It was a response to "I can't fathom the need to disallow restricting something most people will never use" and also to "The benefit of auditing the configuration by narrowing permissions down to a 'what is necessary for me' configuration should be obvious".

If the benefit to you of "narrowing permissions" is obvious, and if the project is staunchly opposed to users "narrowing permissions", then one possible way to resolve that conflict would be building one's own fork. Another possibility, also mentioned, is reporting a vulnerability to the project.

hemingway I'll wait in the hope that someone who knows what the app actually does chimes in before concluding that disabling contacts permission or enabling contact scopes for a bug report app would break GOS and lead to a support burden on a massive scale.

That is an option as well.

raccoondad

hemingway I'll wait in the hope that someone who knows what the app actually does chimes in

You can just...read the source. It seems to be for bug report scanning. It doesn't seem to send any data to any outside source, which was your concern.

hemingway

raccoondad It seems to be for bug report scanning

This was my read on it as well. The app has undeniable network permissions and appears to communicate with other apps so I wasn't sure if I'd missed something. Everyone seems certain the extensive permissions the app enjoys are there for good reason though so far no one has provided any clue as to what that reason might be. It looks like an oversight to me.