DynamicGlow (Note that “phishing” means trying to attack you as a person by tricking you to give personal info. What you're asking about is how well Vanadium protects you from exploits — when a website tries to attack your software.)
DynamicGlow as far as vanadium allowing the pages to execute malicious code on my phone?
DynamicGlow P.S. what would be the best course of action for me to take from here?
DynamicGlow what is the verified boot mechanism?
First of all, rebooting is great advice. The other advice is to always run the most up-to-date software, both the OS version and all apps in the built-in App Store.
I think you might enjoy reading these:
https://grapheneos.org/features#anti-persistence
https://vanadium.app/
The short version is that GrapheneOS has these features, partially inherited from Google's Android and Chromium:
- Every time you reboot the device, the entire operating system (including all preinstalled apps like Vanadium, Auditor, etc.) is either reverted to a known clean state as the GrapheneOS project created it, if anything was changed on your device and it's possible to revert it, or blocked from being loaded if it's impossible to revert. So every time you reboot, you know all GrapheneOS software on your device doesn't have any modifications by an attacker. GrapheneOS extended this guarantee also to updates to all system apps and preinstalled apps, like Vanadium, installed outside of what's included in your current OS version (e.g. updates from the built-in App Store, although the OS doesn't care which source you get the updates from). In normal Android, the OS verifies updates to system apps only when you update them, but not at boot.
- GrapheneOS extends this guarantee so it wouldn't happen just when you boot the device and when updating a system app, but all the time (on every read of the app). Every time you use Vanadium, the OS verifies that the Vanadium app wasn't tampered with by an attacker, and blocks the app from running if it was tampered with. Although, I still think rebooting is a great suggestion if you feel like you need to, as an extra measure — your device starts verifying all GrapheneOS software from scratch every time you reboot. Normal Android verifies all the time only the code/data loaded from the system partition, but not updated versions of system apps updated through an app store.
- Every site in Vanadium is isolated into a tight sandbox, so that if it corrupts the “browser”, it actually corrupts only a dedicated browser process created just for this site, not shared with other sites. Every element embedded within a site you browse that's coming from a third-party site, not the one you're currently browsing, is also further isolated within its own process, not shared with that site's process when browsing it directly (so if you have two tabs open, google.com and facebook.com, and within the google.com page there's an element from facebook.com, you'd have three separate processes: one for google and two for facebook). And by “third-party”, I mean even a different site within the same top-level domain as your current site is considered by Vanadium as a “third-party” site. In normal Chrome, sites from the same top-level domain (such as www.google.com and mail.google.com both coming from google.com) share the same browser process, and Chrome can degrade isolation even further if it detects your device doesn't have enough physical memory (RAM).
- Vanadium completely disables JIT compilation of JavaScript and WebAssembly code for all sites by default. This prevents sites from exploiting vulnerabilities in the JIT compiler. In normal Chrome, JIT cannot be disabled completely.
- Vanadium blocks all dynamically created/injected code inside sites' processes. As for your question of whether a malicious site can execute malicious code, the answer is “basically no”. Only code that's part of the Vanadium code as it's stored in the app code, not created during your browsing, is allowed to run. Vanadium uses OS features to enforce this on site processes. This is only possible when JIT compilation is disabled, because the whole point of JIT compilation is to generate optimized website JavaScript code just-in-time during browsing. Normal Chrome doesn't do this, even on GrapheneOS.
And if all of this isn't enough, all apps, including Vanadium, are contained within their own sandboxes. If a website somehow manages to completely compromise the Vanadium app, it can't spread to other apps, and can't abuse any OS permissions you revoked from the Vanadium app. GrapheneOS tightens the sandboxes of apps, and tightens the kernel against attacks from rogue apps, and more. (The kernel is the highly privileged core of the operating system, and it also plays a part in enforcing/providing some of the security features. So obviously it's very important to secure it.)
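To make the "verified on every read" idea above concrete, here is an added example (not part of the original post and not GrapheneOS code): a simplified Python model of hash-tree verification, the general technique behind verify-on-read schemes such as Linux dm-verity and fs-verity. The block size, padding rule and function names are assumptions of this model.

```python
import hashlib

BLOCK = 4096            # block size of this model (assumed value)
PAD = bytes(32)         # filler node for levels with an odd node count

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tree(data: bytes) -> list:
    """Hash levels, leaves first; levels[-1][0] is the root to be trusted."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
    level = [_h(b"\x00" + b) for b in blocks]      # 0x00 prefix marks a leaf
    levels = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(PAD)
        levels.append(level)
        level = [_h(b"\x01" + level[i] + level[i + 1])   # 0x01 marks a node
                 for i in range(0, len(level), 2)]
    levels.append(level)
    return levels

def read_verified(data: bytes, index: int, levels: list, trusted_root: bytes) -> bytes:
    """Return block `index` only if its hash path ends at the trusted root.

    `data` and `levels` are untrusted storage; only `trusted_root` is trusted
    (in a real system it is covered by a signature checked earlier).
    """
    block = data[index * BLOCK:(index + 1) * BLOCK]
    node = _h(b"\x00" + block)
    for level in levels[:-1]:
        sibling = level[index ^ 1]
        pair = node + sibling if index % 2 == 0 else sibling + node
        node = _h(b"\x01" + pair)
        index //= 2
    if node != trusted_root:
        raise OSError("verification failed: block does not match trusted root")
    return block

if __name__ == "__main__":
    app = bytes(range(256)) * 48                  # constructed 3-block "app file"
    tree = build_tree(app)
    root = tree[-1][0]
    tampered = app[:BLOCK + 10] + b"\xff" + app[BLOCK + 11:]   # change block 1
    print(read_verified(tampered, 0, tree, root) == app[:BLOCK])  # untouched block
    try:
        read_verified(tampered, 1, tree, root)
    except OSError as err:
        print(err)                                # modified block is refused
```

Rebuilding the stored tree over the modified file does not help an attacker in this model, because the recomputed path no longer ends at the root that was trusted beforehand.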