Why does the emergency alerts app need permission to read my text messages?

Bobn4apples1

Basically the title. I'd like to delete the app altogether, but permission to read SMS MMS seems ridiculous.

de0u

Bobn4apples1 Here are some threads about this app:

Despite a lot of discussion, so far nobody has found anything in the source code of the app that indicates it's doing anything nefarious.

userofgos

Bobn4apples1 see this thread: https://discuss.grapheneos.org/d/7965-understanding-wireless-emergency-alerts-app/10

It seems like you are misinterpreting what is actually happening. The permission to read your SMS messages is just part of having to grant it the SMS permission, which is completely normal. You'll notice that if you check every app which asks for the SMS permission, you'll find that there. It's not malicious, it's how the SMS permission works.

It is unfortunate that AOSP still lists permissions in that way, though tucked away in a menu because it confuses folks.

The WEA app needs to be able to send those alerts and be able to handle them so that it can activate the siren if it's a presidential/national alert. It is also important to put this in context. Wireless Emergency Alerts app is a system app. It being able to read SMS doesn't mean it's broadcasting that anywhere. It's part of AOSP and therefore part of GrapheneOS. It's harmless.

Bobn4apples1

de0u

Thanks, I checked those out hoping for a better answer. My regular Android 12 phone let's me disable this app.

This is a serious problem.

de0u

Bobn4apples1 This is a serious problem.

Some potential options:

Review the source code to see whether there are vulnerabilities
Build a personal fork of GrapheneOS with whichever changes seem appropriate

Bobn4apples1

de0u

Obviously if I knew how to do that I wouldn't be asking questions here.

de0u

Bobn4apples1

The GrapheneOS project is focused on security and privacy. This includes rapidly tracking security fixes from Google, and typically involves at least two releases per month (built for many devices). For technical reasons, this means that code added to the system that enables users to make configuration changes is expensive to maintain.

Other Android distributions have lots of user-configurable options (including selectable font families), but those distributions are typically months or years behind on security updates. It's a tradeoff.

Historically the GrapheneOS developers move quickly on clear, detailed reports of security and privacy problems, and from time to time add security and privacy improvements to the system. Also historically, the GrapheneOS developers do not move quickly to add user configuration options.

If a clear, detailed report is made about a security or privacy problem with the Wireless Emergency Alerts app, I think there's a good chance that appropriate changes will be made. In the other direction, I suspect that changes will not be made in the absence of a clear, detailed report about a security or privacy problem with the Wireless Emergency Alerts app.

If one wishes for a threat assessment of some part of GrapheneOS, it may be possible to hire a software security professional to carry one out. If one wishes a personal fork of GrapheneOS with specified changes that the GrapheneOS developers are not pursuing, it may be possible to hire somebody to make those changes.

Please note that I do not speak for the GrapheneOS project.

DeletedUser639

de0u Please note that I do not speak for the GrapheneOS project.

I noticed! with that word soup reply that failed to answer anything the OP asked.