Rooting grapheneOS is extremely discouraged. There is one somewhat kosher way, from this r/grapheneos comment, but I can't understand if it means that you can get some afwall equivalent worflow via adb:

A userdebug build of AOSP or GrapheneOS has a su binary and an adb root command providing root access via the Android Debug Bridge via physical access using USB. This does still significantly reduce security, particularly since ADB has a network mode that can be enabled. Most of the security model is still intact. This is not what people are referring to when they talk about rooting on Android, they are referring to granting root access to apps via the UI not using it via a shell.

Sadge... A hardened privacy focused OS should know that:

  • you can NOT use a phone without an always on vpn.
  • you need app access to your own LAN but be able to block app WAN!

So it means in graphene os you can't:

  • use network file browsing apps
  • use home servers / media servers
  • use IoT automation apps
  • just inspect your own LAN or send a magic packet without risk from the app spying via WAN.

My spare rooted + xposed + afwall + vpn phone is more secure on that front. Been waiting for years and I can't upgrade from iphones + spare rooted android, to graphene os because of this limitation.

So @GrapheneOS, thoughts, please?

    stwy I understand where you're coming from but wouldn't it be the users responsibility not to use apps they don't trust? If you think the developer of the app is trying to exfiltrate data about you it's probably best practice not to use the app at all if you're concerned about privacy, rather than expecting the OS to be able to "intervene" to prevent it.

        stwy

        If you are looking for the ability to be connected to a VPN and filter network traffic depending on the app that sends it there are options for doing this without needing root.

        Its possible for the app which occupies the VPN slot of a user profile to provide a connection to a VPN service and also for it to provide filtering of network packets. Rethink does this.

        Alternatively a firewall app in the VPN slot can send, maybe via SOCKS5, everything to another app which provides the connection to the VPN.

        Do however need to also consider the problem that network filtering based upon the app performing the network activity is not a robust approach. Apps can ask other apps to perform network operations. There are clearly defined APIs to do this within AOSP and that is why GrapheneOS made the Network permission, which already existed into a user facing permission which users can toggle.

            2 months later

            flighty_sloth

            I don't follow the "just don't use apps bro" argument at all, because:

            • then why do we have the ability to bock all network access in the first place?
            • Good luck with any smart TV control app on the planet. Or finding a trustworthy keyboard that's open source and has good (auto-switching multi-language) autocorrect, or with apps for ANY TYPE OF DAYJOB.
            • why should I have to trust any app provider in the first place? Say I install some open source keyboard or smth like Jellyfin, and then it gets exploited/hacked/taken over by russia etc. without my knowledge. I'd rather it didn't have that internet connection to begin with, thanks!!

                Carlos-Anso

                Thanks, nice but but you're not really providing alternatives here.

                • There unfortunately aren't any VPN apps that do per-app blocking + always on killswitch. And Rethinkdns.org is NOT a vpn. And there's no point in even trying to convince anyone that a DNS is better than Mullvad or Proton or PIA etc.
                • Same for the firewall forwarding to a vpn app; nice idea, doesn't exist.

                "Network filtering based upon the app performing the network activity is not a robust approach. Apps can ask other apps to perform network operations."

                ^ I just want to point out that this can be read as a unnecessarily discouraging point, like "might as well not do it", whereas it couldn't be further from the case:

                • we have google services removed or siloed
                • we don't have bloatware
                • we install the one app in its own silo
                • we want to allow that app to only work on LAN

                You can't say "it's not robust". Yes, yes it can easily be 100% robust.

                    stwy I wasn't suggesting not to use apps AT ALL, just not to use apps you don't trust. If you're trying to specifically block network access to an app that tells me that you feel it's not trustworthy. In that case it's your choice to use the app or not, and not the OS developers responsibility to protect you from yourself. To be clear I do think it would be a useful feature, but it seems like you're suggesting the devs have some responsibility to implement it, or have failed in some by not doing so, and I just disagree.

                      stwy Rethinkdns.org is NOT a vpn

                      It does however support sending network traffic to a VPN using the wireguard protocol.

                      stwy So it means in graphene os you can't:
                      use network file browsing apps
                      use home servers / media servers
                      use IoT automation apps
                      just inspect your own LAN or send a magic packet without risk from the app spying via WAN.

                      You can do all these things. Theres various ways you can mitigate potential risks. You have a lot of control to limit the data apps can access. You can take time to select apps made by developers that are more trustworthy.

                      There are various well documented methods that a malicious app could use to work around the methods you are using on your rooted afwalled device to try to restrict them from exfiltrating data.

                          6 days later

                          (Rethinkdns) does however support sending network traffic to a VPN using the wireguard protocol.

                          Ok, so I have PIA. How do I get it to work through that? As I understand it, you're saying something theoretical.

                          Theres various ways you can mitigate potential risks

                          Not if it's a file manager or a keyboard or tv controller or drone or LAN IoT monitoring device. At least you didn't give any applicable actionable points.

                          There are various well documented methods that a malicious app could use to work around the methods you are using on your rooted afwalled device to try to restrict them from exfiltrating data.

                          With the xposed framework and root and firewall you can do your own testing, and run exploit test apps and verify yourself if you're airtight in a given configuration on a particular phone and usecase.

                          select apps made by developers that are more trustworthy
                          I wasn't suggesting not to use apps AT ALL

                          Yeah I got that - and I pointed out that it is 100% impossible to access entire classes of apps - e.g. there are 0 (zero) smart tv apps that are not invasive. And I also pointed out we have the option to deny all network for good reasons -- e.g. a keyboard app should 100% of the time be denied access to any internet, NO MATTER HOW MUCH YOU TRUST IT, even if the current version doesn't request network access at all - there's too much keylogging risk.

                          To be clear, I'm not demanding GrapheneOS implement and maintain some firewalls or whatever. But wee need some exposed ability to control the WAN.

                            a month later

                            ijawefoj
                            Sorry for the thred necro, but as an Afwall user who has had to move to GoS, I too would like limit some apps to LAN access only, or data only etc.

                            @graphoneOS hos the idea of 'network Scopes' similar to 'contact scopes' ever been considered..?

                                stwy (Rethinkdns) does however support sending network traffic to a VPN using the wireguard protocol.

                                Ok, so I have PIA. How do I get it to work through that? As I understand it, you're saying something theoretical.

                                It isn't theoretical. You can export WireGuard config from PIA (many tools support doing so, including this official one), and import it in Rethink (Configure -> Proxy -> Setup WireGuard -> tap on the floating action button at the right-hand bottom corner of the UI -> Import / Scan QR).