Trusting the OS

guermantes

I'm not out to insult anyone, but it is serious stuff to install another OS on your phone. Any Linux dev worth their name would acknowledge that it is ultimately a question of trust. In that respect, I find the devs' reasoning behind not having 3rd party audits and publishing the result a bit wanting.

I am paraphrasing here but if I am not mistaken their argument against 3rd party audit is that it would just constitute a "point in time statement" and thus not be very useful, so instead they "build long-term relationships" with security researchers. To some extent, I see there reasoning behind that. But since potential negative outcomes of those relationships is not transparent, it is not much use when it comes to building trust. Contributing upstream is laudable, but says nothing about a potential other side of the coin. Conversley, a few 3rd party audits some time apart with positive score would go a long way to building trust.

I would seriously like to trust GrapheneOS, I have already bought my Pixel for this purpose, but I am hesitant to make the jump and embed my fingerprint and banking app, etc.

Is there anything I have misunderstood about the implementation of GrapheneOS that would mitigate my current inability to trust the OS?

de0u

guermantes A few 3rd party audits some time apart with positive score would go a long way to building trust.

Nothing stands in the way of a group of people banding together and hiring professionals to do one or more audits of GrapheneOS (and/or other Android variants). It would even be possible to set up a non-profit foundation to periodically hire audit teams.

But the overall issue of "how to trust" is hard! I haven't done the experiment recently, but back when I had a 3a for logistical reasons I installed the stock (Google) OS, vanilla AOSP, and GrapheneOS, a couple times each. It was striking to me that the boot time for Google's OS was almost twice as long as the boot time for AOSP or GrapheneOS. Of course, the extra time was being taken by booting up code in Google's OS which wasn't part of AOSP or GrapheneOS. Has any of that closed-source code been audited by third parties?

So I think the question of whether/how to place trust in GrapheneOS might not be most productively posed in a vacuum. As an end user, if one will be carrying a smartphone around, one will be placing some trust in some smartphone OS. If not GrapheneOS, then maybe LineageOS, or DivestOS, or Ubuntu Touch, Replicant, etc. It would be great if end users could choose among multiple options, each with A+ auditing, but that doesn't seem to be possible at present. So maybe we're individually choosing which leap of faith to make.

admin

GrapheneOS is certainly not against third party audits and not against publishing the results. The premise of your post is completely untrue. GrapheneOS has gone out of the way to support third parties auditing/reviewing our code. We actively help people set up builds and familiarize themselves with the code to review it. Code review is primarily done publicly and issues are filed publicly via the issue tracker. There are a bunch of existing issues open about Android privacy and security flaws along with limitations of our features such as the Network permission not being enforced by browsers for opening links. Any valid results of a formal audit are filed in the issue tracker.

There have been multiple formal audits commissioned by companies for our code where we were provided with the results or a summary of the results. None of these found any security issues of even valid ways we could improve the code. They did make incorrect suggestions for further hardening. Presenting this as something positive doesn't make sense. It reflects how flawed this is as an approach considering that we have lots of open issues about how things can be improved but they missed all of it and only tried to make generic suggestions which were not applicable.

It's possible that you've based this post around misinterpreting our documentation, but that doesn't seem likely. There's a particular group primarily active on Reddit maliciously attacking the project with inaccurate talking points resembling what you've posted here. It seems quite likely it's based on you getting your information from them. It would be helpful to know where you got this strange idea that we are against auditing the code and publishing results.

guermantes

admin It would be helpful to know where you got this strange idea that we are against auditing the code and publishing results.

Thanks for engaging with my question!

While I admit I have also skimmed some discussions on other sites, what I wrote above was prompted by a brief exchange here on this forum. I now re-read the FAQ and realize I may have cut too many corners when paraphrasing.

I guess it could be the novelty of the situation I am in (choosing the unknown, to abandon Google Android for something else) that makes me hesitant. After all, I have internalized the risk of being beaten up in the street and thugs forcing my thumb onto the fingerprint reader in order to transfer my money to their accounts. If I am not daily stressing out about that, why should I fear some attack vector unknown to me in the OS that I am using?

Psychologically, perhaps the latter scenario scares me more because I have the option to stay with the privacy-invasive OS? I "have nothing to hide", my interest in GrapheneOS is more philosophical/political in that I despise the privacy-invasive direction our economic systems have been taking.

In Sweden it has become very cumbersome to go through your daily life without using the "Mobilt Bank-ID" app to sign your name electronically. Many public services, transportation and other situations are increasingly just presupposing that you to have that app installed. And friends expect that you use "Swish" instead of cash to transfer money (try using cash in Stockholm, people will treat you as a money-launderer!). Perhaps the solution for me is to try to go old-school on the Pixel with GrapheneOS, and keep my old Google phone in a drawer at home and use it only for banking and electronically signing...

In any case, I wish the devs all the best henceforth.

ve3jlg

admin There have been multiple formal audits commissioned by companies for our code where we were provided with the results or a summary of the results. None of these found any security issues of even valid ways we could improve the code. They did make incorrect suggestions for further hardening.

Where can we read the details about this please?

Andy

Trusting the OS – or not….?
Been there, done that, got the T-shirt! Ouch...
I made a terrible mistake -
https://discuss.grapheneos.org/d/711-decisions-decisions/8
and
https://discuss.grapheneos.org/d/758-ios-vs-graphene-os/6

I notice reference to Linux Devs - without going over same old stuff; I take the view of NSA whistleblower Ed Snowden on not only GrapheneOS but Tails plus Tor – no proven leak or bad consequence of using either. https://tails.net/
Or you could ask the Guardian? https://www.theguardian.com/securedrop

Thanks again to admin and GOS devs for peace of mind and years of trouble free use on Pixel 3a with GOS. Hoping for 7a to drop in price :)