this post was submitted on 19 Nov 2023
90 points (91.7% liked)


The thing that makes me angry about my current smartphone, a Samsung Galaxy S21 Ultra on a Verizon plan, is the mandatory software updates in which they install WITHOUT MY PERMISSION stupid apps like Netflix and addictive gambling games and stacking block games and Candy Crush. God knows what else they install without my permission. I don't want any of it!

Next phone I buy I want to start with a clean slate. I'm not going to affiliate with any conglomerate like Verizon or AT&T or Sprint or T-Mobile etc. I prefer to go rogue somehow.

Which smartphone do you recommend that has no bloatware and is customizable?

[–] iamak@infosec.pub 4 points 1 year ago (3 children)

What is the root scene on Graphene? I know the dev is pretty against it but I like having root access after being used to it. Is it possible to easily root it without any integrity issues later on?

[–] xep@kbin.social 12 points 1 year ago (1 children)

It's not supported. According to the devs rooting defeats the purpose of Graphene OS.

[–] iamak@infosec.pub 1 points 1 year ago (2 children)

Yeah I have read that. And couldn't find any reason why. When I ask about root people only say "if you want root, graphene isn't for you"😅

[–] Lemongrab@lemmy.one 5 points 1 year ago (1 children)

Rooting defeats Android's security model and allows for further exploitation. Graphene most likely does support it because any AOSP OS that is geared towards security isn't going to leave a big hole in their security allowing malware or bad actors to modify system files (or install a rootkit).

[–] iamak@infosec.pub 1 points 1 year ago (1 children)

Desktop Linux allows root access and is still secure. Allowing root access doesn't make it insecure.

[–] Lemongrab@lemmy.one 5 points 1 year ago (1 children)

Desktop Linux isn't the same as Android, which is why I said the "Android security model". Android is a mobile operating system and must protect against the fact that it will be in unknown environments all the time. It must protect against physical attacks, software attacks, and partially sandbox apps. Root breaks app sandboxing and allows for modifying system files and reading internal app storage. The system image is immutable and modifications/settings are made on top.

Linux desktop isn't more secure out of the box. The general user account shouldn't be a sudoer. Immutable OSes are more secure and help prevent rootkits and other attacks. PCs are most often stationary and stored in a private location. Laptops are weak against attacks because you can boot to a different OS from USB without a passworded BIOS. Desktop OSes are the geared for the same kinds of protections.

There is good reason why Android is far more secure than Linux mobile.

[–] iamak@infosec.pub 2 points 1 year ago

Oh okay thanks!

[–] netchami@sh.itjust.works 2 points 1 year ago

GrapheneOS significantly increases security, rooting does the exact opposite

[–] GasMaskedLunatic@lemmy.dbzer0.com 8 points 1 year ago (1 children)

It looks like the verified boot security feature of Graphene effectively prevents rooting the OS. I understand wanting root access, it does provide some nice features, but I don't have any need for it. I don't have any bloatware embedded to remove, and I don't need to mod any system apps, so I haven't looked into it much. I know the dev says it isn't planned because it massively increases attack surface, which I personally agree with, but it would be nice to have the option via a separate version of the OS or something. If you need root access, I would suggest looking into LineageOS. It's similar in privacy to Graphene and last I knew could be rooted. Graphene is very focused on security as well as privacy, and for me is a best of both worlds, but if you want to modify the system for various power-user type features, it might not be for you.

[–] iamak@infosec.pub 5 points 1 year ago (3 children)

Yeah I'm currently running LineageOS. I wanted root mainly for adblock (modifying /etc/hosts) and AppOps. Does Graphene have those features built in?

[–] BearOfaTime@lemm.ee 6 points 1 year ago* (last edited 1 year ago) (1 children)

Check out DivestOS. It's a fork of Lineage with a focus on better security and privacy. Not restrictive like Graphene. Rootable via Magisk.

So far I'm liking it. Great battery life (lowest I've ever seen) even on my 5 year old phone.

[–] iamak@infosec.pub 1 points 1 year ago

I'll try that thanks!

[–] GasMaskedLunatic@lemmy.dbzer0.com 4 points 1 year ago (1 children)

No, it doesn't. I use 95% FOSS software, so anything that might have ads just gets denied network permission entirely. As for AppOps, I just looked it up, and that would be something I'd like to see developed as a feature of Graphene. It seems like a genuinely useful, and at the very least privacy-protecting, app. I don't use copy/paste via keyboard, and despite it not having network permissions, I'd still deny it clipboard access simply because it doesn't need it.

[–] iamak@infosec.pub 2 points 1 year ago

Okay. Thanks a lot! :)

[–] netchami@sh.itjust.works 3 points 1 year ago

For security reasons GrapheneOS doesn't allow the modification of system files. You can achieve the same thing with DNS though. Either self-host a Pi-Hole or AdGuard Home, or use something like NextDNS.

[–] trevor@lemmy.blahaj.zone 5 points 1 year ago (2 children)

You can root on GrapheneOS. You do it exactly the same way you'd do it for the stock Google ROM:

  1. Have an unlocked bootloader. Yes, this means that it """defeats the purpose of GrapheneOS""", if the purpose of GrapheneOS isn't for you to avoid Google's privacy nightmare. I use GrapheneOS for privacy more so than security, and not being able to block ads properly is irritating.
  2. Install the Magisk app.
  3. Extract the boot.img from the GrapheneOS image and patch within Magisk.
  4. Flash the patched boot image in the bootloader.

The main annoyance with this is that you'll have to do that dance every month when a security patch gets released, but for me, it's better than vomiting from exposure to ads on mobile.
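
Whether a device still enforces verified boot after a change like step 1 can be read from its boot properties. The following is an added example, not part of the original comment: it classifies the output of `adb shell getprop` using the standard Android Verified Boot states; the sample dumps are constructed and the verdict labels are this example's own.

```shell
#!/bin/sh
# Classify Android boot integrity from `adb shell getprop` output on stdin.
# Real use (assumes adb is installed and a device is attached):
#   adb shell getprop | boot_integrity

# Print the value of one property from getprop dump text on stdin.
# getprop lines look like: [ro.boot.flash.locked]: [1]
get_prop() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^\[$key\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Verified boot states: green = locked, OEM key; yellow = locked, user-set key
# (what a relocked custom OS reports); orange = unlocked; red = failed.
boot_integrity() {
    dump=$(tr -d '\r')                           # older adb emits CRLF
    state=$(printf '%s\n' "$dump" | get_prop ro.boot.verifiedbootstate)
    locked=$(printf '%s\n' "$dump" | get_prop ro.boot.flash.locked)
    case "$state:$locked" in
        red:*)        echo "failed" ;;
        orange:*|*:0) echo "not-enforced" ;;         # unlocked bootloader
        green:1)      echo "enforced-oem-key" ;;
        yellow:1)     echo "enforced-custom-key" ;;
        *)            echo "unknown" ;;              # properties missing
    esac
}

# Constructed sample dumps (not captured from a real device).
SAMPLE_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.type]: [user]'

SAMPLE_RELOCKED='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [yellow]
[ro.build.type]: [user]'

printf 'unlocked sample: %s\n' "$(printf '%s\n' "$SAMPLE_UNLOCKED" | boot_integrity)"
printf 'relocked sample: %s\n' "$(printf '%s\n' "$SAMPLE_RELOCKED" | boot_integrity)"
```

A `not-enforced` result means a modified boot image will be loaded without verification, which is the state the steps above require.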

[–] iamak@infosec.pub 1 points 1 year ago

Oh okay. Thanks! Does it pass the integrity checks?

[–] xep@kbin.social 1 points 1 year ago* (last edited 1 year ago)

What is the patching process when running with Magisk, without OTA? It looked like quite a PITA to me, but I'm using Graphene for the same reason you are.

Edit: I found this

https://grapheneos.org/usage#updates-sideloading

After sideloading an update I'd probably have to do what Trevor posted.