GrapheneOS Malware Containment

Graphy773

How well does GrapheneOS contain Malware?

I run sensitive things on my Graphene phone such ass KeepassDX
if my phone was ever infected with malware would grapheneos prevent the malware from reading my keepass vault?

Johnnyloans

Welcome,

GrapheneOS releases updates for the latest exploits faster than any OEM.
I recommend that everyone should enable security preview updates under Settings > system > system update > receive security preview releases
These updates contain code that isn't open source--yet--because the exploits are so new we can't show the world how to use them and many OEMs take weeks to update phones.

GOS is extremely safe with many layers of security: selinux, MTE, sandboxing, secure app spawninig, hardened memory allocator, zero-on-free, etc

Graphy773 I run sensitive things on my Graphene phone such ass KeepassDX

I believe storing passwords would be true for everyone ;)

Eirikr70

Graphy773 I don't know how KeepassDX works since I use Bitwarden, but I would be surprised if it were different. The passwords are stored as encrypted by Bitwarden. You have to provide the password to decrypt them. Of course, once decrypted, you might think that they can be accessed. At that stage, if I understand correctly, the standard sandboxing feature of Android should prevent it.
If a malware were to attack the sandboxing, bear in mind that each time you reboot your phone, the system is controled against tampering (that is one reason why I always shut down my phone once a day). And as a plus, as @Johnnyloans says, security updates are delivered very fast by GrapheneOS.
I hope these elements make it clearer to you.

Chipper

Johnnyloans These updates contain code that isn't open source--yet--because the exploits are so new we can't show the world how to use them and many OEMs take weeks to update phones.

Haha I like the way you put it but if Graphy wants the precise quote from the project, here is the graphene account explaining the actual reason for security preview releases.

Graphy773 take the time to read this it will help greatly to explain the miriad of ways graphene protects from malware, and if in doubt just remember its an immutable os, so if you think you have been compromised, reboot.
Bar something lower level than the os you'll be fine and remember to enable remote attestation.

Novalissoide

Graphy773 Welcome to support forum! 👋

MetropleX

Johnnyloans These updates contain code that isn't open source--yet--because the exploits are so new we can't show the world how to use them and many OEMs take weeks to update phones.

This is an erroneous explanation even if I can understand where it comes from. I can appreciate why other users felt the need to provide the specific quoted reasoning for accuracy and brevity.

Where disagreements occur can we please always be sure to refer responses at all times back to the OP's questions or where necessary simply flag the posts for moderation to correct or address as required.