Red Flags? Permission understanding, system components and future OEM?

tpqdt

As you read from title i feel likes each update is very suspicious.

I will list out every thing

In the recent update i found that there are many apps system packages the network permissions
cannot be toggled its completely greyed out previously we can do toggle the network permissions for those apps now we can't able to do that. I feel like we are losing the control we don't need network permissions
for many apps we don't need some system apps like bluetooth needs it i understand but for others i don't think they are needed. why did the update made them greyed out.
I saw a new package name in the network permissions list that is related to camera "com.google.pixel.camera.services.PersistentApplication" why its has network permissions toggled greyed out i don't need that at all i don't even need that pixel camera at all it should be user preference whether they need it or not for me its no then i should have freedom of disabling it or atleast turning network permissions off. This packages contains absurd amount of permissions just go and look at it you will definitely be shocked.
permisisons it has enabled and cannot be turned off list -> location (all time), call logs (why the hell call logs for camera service), contacts, music and audio, near by devices, network, notifications, phone, photo and videos, sensors, sms (omg my head is spinning just from looking at this absurd amount of permissions). There are many apps like this i only listed out one or two here.
The devicediagnostics app the permissions list has went from just network, sensors to camera, location, near by devices, network, sensors. Atleast you can turn off the network for these apps.
Graphene os many apps like gallery when i check its github repo its started before 13 years i know its aosp project but its has absurd amount of permissions to it. we can turn off permissions mostly here i think the graphene os team can't remove the permisisons from AndroidManifest.xml if they removed maybe it breaks manythings. i am worried about the library it uses maybe its very old and has loop hole to exploit. Graphene os team keep on focusing on security aspect but they are not giving considerations into usability. They should atleast fork apps like fossify sms, fossify gallery instead of trusting fossify if graphene os forked it and provided it has more trustability we don't need to worry graphene os can take of everything for us.
finally its the one i been wanting to ask graphene os team i feel like nobody is thinking about it everybody just happy with new OEM to finally moved out from pixel (these are high price but usesless compared to other mind range phones) i am happy but i can't think like that alone we need to consider few things. i will list out one by one
5.1 -> What are the terms graphene os and the new OEM agreed up on. will there be transperancy in the future when they officially anounce the OEM to us.
5.2 -> Why the OEM agreed to partner up with graphene os. what's the benefit for OEM? are they fooling graphene os by partnering with 3 letters agency ahem* i hope you understand what i said, installing hardware based backdoors to spy on us.
i still have many questions in my mind let me stop here.

MetropleX

tpqdt finally its the one i been wanting to ask graphene os team i feel like nobody is thinking about it everybody just happy with new OEM to finally moved out from pixel (these are high price but usesless compared to other mind range phones) i am happy but i can't think like that alone we need to consider few things. i will list out one by one
5.1 -> What are the terms graphene os and the new OEM agreed up on. will there be transperancy in the future when they officially anounce the OEM to us.
5.2 -> Why the OEM agreed to partner up with graphene os. what's the benefit for OEM? are they fooling graphene os by partnering with 3 letters agency ahem* i hope you understand what i said, installing hardware based backdoors to spy on us.

5.1 Nothing in this has yet been announced and nor will it be available or pertinent until an announcement is made by both parties.

5.2 Our OEM partner is interested in making actual secure devices to earn money. They'll be marketing the devices they build. GrapheneOS is remaining non-profit and we aren't invested in the OEM or anything like that. We gain another device benefitting from our expertise to support. They get the ability to not only sell these devices with the benefits we extol for such hardware to the broader marketplace but also directly to our extensive user base who would accept nothing less as well as taking marketshare from a competitor for those willing to buy Pixels but those who look at GrapheneOS with envious eyes but are principled about not using anything Google.

Regards to this specific quoted part of your post however:

are they fooling graphene os by partnering with 3 letters agency

If you wish to make such extraordinary claims, assertions, defamations you will most certainly be expected to provide the matching extraordinary evidence, especially being you're a visitor to our own support forums.

Further repetition of such inferences will lead to further moderation and I would sincerely like for it to be otherwise.

Vincent96

It's this kind of post again...

groove_untie145

Vincent96 OP is asking a valid question about why system apps are getting every permission. Don't think we should just blankly dismiss that. Maybe give them a technical rationalisation rather than making a throwaway comment?

Mikeg

If I had that many questions I would move on to something else I considered less suspicious. Why don't you?

nologo

groove_untie145 off course questions about permissions are valid, those are asked (and answered) on this forum daily. But personally I have a feeling this post is not about getting answers, but about raising suspicion. The title alone refers to "red flags" and "hidden permissions". (Hidden? It's open source, for crying out loud.) And the part about the OEM installing hardware backdoors for some agency is just completely ridiculous speculation.

Vincent96

groove_untie145 It's either uninformed FUD or for tarnishing the reputation GrapheneOS.

nologo gets it.

DeletedUser591

A few points I want to mention.

Excluding the "com.google.pixel.camera.services.PersistentApplication", those other system apps come from AOSP and thus are inspectable by GrapheneOS. This pixel camera service might come from AOSP as well, but I am not sure.

We need to put some base level of trust into GrapheneOS, at least, for us to be able to use it confidently. Assuming that those apps somehow need those permissions (location, network, camera, sms/phone etc.) for some kind of surveillance/data-collection purposes there are two scenarios:

GrapheneOS is in on it: why would GrapheneOS even show that those apps have those permission, they could just hide it from the user interface or even better, use the settings app itself for surveillance as it runs constantly, has every permission etc.
GrapheneOS "overlooked" it: in my opinion unlikely, as GrapheneOS maintains and merges any AOSP commits and Google is unlikely to install spyware into their own OS.

So why are we distrusting system apps from GrapheneOS having those permissions? We might as well distrust the whole OS – they could use the built-in apps (phone, messages, settings) for surveillance instead and hide it from the user.

I agree with OP's point, that we should be able to deny them these permissions, though. This is something I would like someone from the team to answer as well. Especially, since this is something new and the OS has worked flawlessly without these apps having undeniable rights to network/sms/phone etc.

DeletedUser591

nologo And the part about the OEM installing hardware backdoors for some agency is just completely ridiculous speculation.

I mean speculation or not, it is possible to some extent. The same way it is possible for Google to do the same.

Who are you going to trust at this point? If your threat model requires zero trust, just use pen and paper or just talk to people instead of messaging them.

nologo

About Pixel Camera Services, please read the posts by the GrapheneOS account: https://discuss.grapheneos.org/d/27554-will-the-grapheneos-camera-ever-reach-the-quality-of-the-pixel-camera/39

DeletedUser591

Also keep this point in mind, from the GrapheneOS account:

It's fine to change permissions for the bundled user-facing apps but you shouldn't disable or mess with the permissions of OS components. It's very strange that the Settings app even shows the system components implemented in Java/Kotlin outside of system_server as if they're apps and as if the regular permissions available to apps are even all that relevant. There are no toggles for the privileged permissions only available to built-in system components and other parts of the internal access control model. It's very strange that the regular permissions are exposed as toggles for those components.

This is inherited from standard Android and the we plan to gradually add more safeguards as we started doing by preventing disabling certain essential components via the Settings app which will cause crashes/breakage unexpected by users. For example, we added the system camera to the list of essential components since users don't realize that only the system camera can provide the media capture intents and that they'll break apps using this as a privacy friendly alternative to the Camera permission and cause them to crash.

The definition they use to distinguish system components from apps for these user interfaces in Settings is inconsistent and not properly thought out. In particular, it doesn't filter them in the permission dashboard properly which we consider a major issue.

They might be slowly removing the user's ability to revoke permissions to system components and the filtering might not be working correctly.

DeletedUser591

And this from MetropleX:

As above, @collector it doesn't make sense to view OS components the way you are. This is not a third party app, it's part of the OS.

The permissions being listed only appears in the permission manager because this component is implemented with the app runtime. The lower level parts of the OS don't appear there. Trying to disable apps or permissions for system components based on a high and narrow interpretation doesn't make sense when it would break more than what you perceive it to represent.

Camera would be included in the dialer for example for use of VILTE (VIdeo over LTE) where provisioned. You can see the provision toggle under ##4636## then Phone Info as just one example where the system would handle the video and not a third party app.

As for location, this is part of implementing supporting for carriers and cellular. This component being able to work with information about the cellular network and carrier counts as being location data which requires the Location permission.

It's the implementation of https://en.wikipedia.org/wiki/IP_Multimedia_Subsystem

Examples of global standards based on IMS are MMTel which is the basis for Voice over LTE (VoLTE), Wi-Fi Calling (VoWIFI), Video over LTE (ViLTE), SMS/MMS over WiFi and LTE, USSD over LTE, and Rich Communication Services (RCS)

nologo

DeletedUser591 I mean speculation or not, it is possible to some extent.

Sure. But posting completely unfounded and unsubstantiated speculations about the unknown OEM doing such things is just spreading FUD.

userofgos

Here's another quote, this one from matchboxbananasynergy

As a general rule, you're achieving nothing by disabling permissions from system apps. The only thing that's going to end up happening is things breaking and us not knowing how to help you fix them, since we won't know exactly what you've changed.

If you trust GrapheneOS, there's no reason to be adjusting permissions or anything else for system apps.

The Network and Sensors permission are granted by default to ensure compatibility as these are permissions that GrapheneOS adds.

For user-installed apps, you have a checkbox to disallow network for the app you're installing in the installation confirmation prompt.

There's also a toggle in the Settings to revoke the Sensors permission for newly installed apps.

gristle-cause

What system apps do you think are making network calls while also blocking users from disabling their network permissions

So far as I'm aware, the only system apps that ever seen communicate with the network are:

com.android.dynsystem
app.vanadium.browser
com.android.providers.downloads
app.grapheneos.apps
com.android.rkpdapp
app.seamlessupdate.client

I would not consider any of these any less than highly trusted. All network communications GOS makes are excruciatingly detailed in the documentation

It's worth mentioning that some firewall monitors erroneously track system communication as network communications, despite no data ever being communicated over the network - I suspect this to be the case with your camera service. I cannot provide any more insight without a more technical report

DeletedUser591

MetropleX They get the ability to not only sell these devices with the benefits we extol for such hardware to the broader marketplace but also directly to our extensive user base who would accept nothing less as well as taking marketshare from a competitor for those willing to buy Pixels but those who look at GrapheneOS with envious eyes but are principled about not using anything Google.

I am sure that a lot of people here only bought a Pixel because GrapheneOS supports them. I imagine most would not even think of buying a phone from Google if this were not the case.

I would even add to that that most would not even have an Android phone and would opt for an iPhone if it weren't for GrapheneOS.

r134a

DeletedUser591 I am sure that a lot of people here only bought a Pixel because GrapheneOS supports them. I imagine most would not even think of buying a phone from Google if this were not the case.

Can confirm, whatever and from whom the new device might be, i'll buy it aswell. Since it will be a major OEM, it probably won't really matter, but in this case i'll 'vote with my wallet', to signal to the OEM they did a great thing.