Do storage scopes protect against full device client-side scanning?

everythingisinverted

Hi guys. I've been diving deep into client-side scanning. My understanding is that a messaging application like WhatsApp is being pressured to install a toolkit (with an update) that scans the phone of the sender (client). This means the complete phone of the sender can be scanned even before a message is created.

Now with GrapheneOS it's possible to enable storage scopes and limit the folder access of an application like WhatsApp. Does this mean we can trick client-side scanning to make it think that it accesses the full phone, while it's only accessing one folder? This would me an awesome privacy-protecting mechanism.

matchboxbananasynergy

Apps are not granted access to storage by default. This is the case on both GrapheneOS and Android in general. You have to explicitly grant it that permission.

That said, an app can choose to refuse to work if you don't grant it the permission it requests. That can be any permission. For storage permissions and contact permissions, we have the respective scopes features on GrapheneOS.

These features will make the app think that it has full storage/contacts permissions, whereas in reality, the user can control what the app can see.

Now, on the topic of "client-side scanning" in a messaging application, I can't really speculate about how that would work if implemented, but it doesn't sound like it would be checking and scanning the phone's storage, but rather media being sent through the media app, essentially making it so if it gets a ping for an image sent through the app, it would send a notification to the app. Of course, you can't really do that securely and it's a horrible idea, but yeah.

everythingisinverted

Thanks for answering @matchboxbananasynergy

This is the client-side scanning explanation from Proton:

So the most likely solution would be local hash matching, in which the digital fingerprints of your messages are compared against the digital fingerprints of prohibited content stored in a database on your device. In theory, the database would contain the hashes for child sexual abuse material or materials related to terrorism, but in practice the database could contain anything. And you would have no way of knowing.

That means whenever you download an app, even if it’s end-to-end encrypted like Signal or WhatsApp, you would be downloading a toolkit designed to inspect all your pictures and text messages and potentially report that data to the developer or the government.

This is why client-side scanning is even worse than a backdoor. Law enforcement wants to use backdoors in encryption to scan the content shared with others, but client-side scanning would allow them to look at the content you store on your device, whether you share it or not.

So it sounds like Storage Scopes could actually protect us against this. But I understand it's difficult to answer this question given the client-side scanning software hasn't been rolled out yet.

233328

everythingisinverted So it sounds like Storage Scopes could actually protect us against this

No it wouldn't, because the kind of cliend-side scanning that proton are talking about here (scanning everything on the phone) would be implemented at the OS level, not through an app because an app is too heavily restricted in what it can do. Even if it was implemented in a way where Storage Scopes was effective in circumventing this, it would mean that simply revoking every storage permission for that app would be as effective, which would be way too easy for anyone to do and therefore not the way it would be done. Storage Scopes integrates with the app permissions, it has no bearing over what OS components are capable of since they could bypass standard app permissions/not be subject to them at all.

But you don't have to worry about that because such client-side scanning wouldn't ever make it into GrapheneOS. Although, if something like does get implemented effectively and if alternatives like GrapheneOS are banned, then the only way around it would be to stop using smartphones.

The other possibility is that client-side scanning gets implemented at the app level like for example in Whatsapp so that it scans the messages you send with it. The only way to prevent that would be to just not use such app. Storage Scopes obviously wouldn't prevent an app from accessing (and therefore, scanning) its own messages.

Storage Scopes is useful to control the files/folders an app can access even if it requires a broad access to function (like All Files/Photos and Videos, etc). Which, again, is not how system-wide client-scanning would be implemented.