Lucian side channel attack on Android, especially on GrapheneOS, are extremely unlikely?
I would say they are doable, and your first line of defense is to not launch code you do not trust.
Note: "code you do not trust" might be a script, a binary, an app or a website.
It would be unlikely for you to suffer such attacks if you take some time to make sure what you are running is safe or not.
In my understanding, a script inside termux (or the like) can potentially reach the same things an app can.
Also, the other two major "vectors" that may try side-channeling are sites you visit through the browser (WASM, js and other code running localy might go rogue) and physical access to the phone.
Again, "side-channel" is a broad term to describe those attacks that misuse a piece of software or hardware to gather information in a way you shouldn't be able to.
Some hardware examples might be electomagnetic fields around cables/devices, the led of your hdd, and so on.
As software example we can recycle the timing attack we previously saw for argon2.
The broad meaning of "side-channel" is there just to describe a kind of attack and unfortunately because of the nature of these, you might never reach 100% security on that.
I think I can say, without underestimating the menace, that these attacks are unlikely (unless you are a valuable target), and that the possibility to get affected by casual browsing is very small.
Lucian Use Case:
I want to create a SLIP39 single share and use the secret part of it as a master password for my core password manager.
Then I use the SLIP39 schamir scheme to back it up as multiple shares.
First of all, let's skim the pypi page.
In the project description you can read:
This implementation is not using any hardening techniques. Secrets are passed in the open, and calculations are most likely trivially vulnerable to side-channel attacks.
The purpose of this code is to verify correctness of other implementations. It should not be used for handling sensitive secrets.
In few words they suggest to not use it for your core password manager.
Continuing to read the project description, I see some example of the code, like this:
You can supply your own master secret as a hexadecimal string:
$ shamir create 3of5 --master-secret=cb21904441dfd01a392701ecdc25d61c
So there are at least two things I would take care in here.
The first one is to make sure this won't stay in your shell history.
The second thing is to avoid using the clipboard to paste the master secret in your shell.
Everything seems to be running in RAM, in clear text, with no encryption whatsoever, which is kind of risky.
That said, if you still want to use this tool, there are some things you can do to lower risk.
I would:
- Create a new profile (private space, new user, possibly not work profile) to leverage isolation;
- Create the master secret offline, possibly using airplane mode
- Use the official GOS keyboard to avoid rogue keyboards reading your input
- Avoid using the clipboard to copy paste data to prevent apps to snoop on it
Maybe make sure that apps in the background are trusted.
Also, reboot the phone to clear the RAM once you are done.
With these precautions you should be ok.
Of course, this won't prevent people from shoulder surfing what you are doing or taking pictures of your screen.