[kwlug-disc] cell phone security and privacy

Doug Moen doug at moens.org
Tue Jul 26 18:58:07 EDT 2022


After researching cell phone OSes and installing Graphene, I suddenly have a lot of opinions about privacy and security in cell phone operating systems. I now have a fully degoogled Android phone, and I'll talk about that.

Within the current landscape, there's a three-way tradeoff between convenience, security and privacy. More of one may mean less of another. I decided to go all the way with privacy, with a high level of security, and screw convenience. This led me to install Graphene on a Pixel 6.

Some opinions, and a conclusion:

* Stock Android is a privacy nightmare. Google sees everything you do, knows your exact location at all times, and sells the information, even if you never use the Google app store or sign in using a Google ID. From a privacy perspective, most of the apps on Google Play are malware (specifically, spyware). Security is good, better than privacy. And it is tolerably free: the Android core is open source, you can install your own apps without Google's permission, and you can install a different OS if you don't like stock Android.

* Apple iOS is both a privacy nightmare and a possible violation of human rights. Apple sees everything you do, although they don't sell the information the way Google does. They do, however, hand over your information to government agencies on request. That's why there's no end-to-end encryption of your data in the Apple cloud, so they can do this. The fact that they scan your photos for child porn is also creepy, at least to me. Some may derive a feeling of security knowing that big brother is watching. Apple also has excellent marketing that convinces most people that iOS is the opposite of what it actually is. The spyware in the iOS app store is less virulent: it collects less information than under Android. Security is excellent. The Apple ecosystem is super convenient. But it is totally unfree. You cannot install a different OS on iPhone hardware. You cannot even write your own software and install it on your own phone without Apple's permission, which requires paying a fee, and permission is often enough not granted, or revoked. Apple sells this as a security feature, but this claim is self-serving. The FSF says that iOS is incompatible with GPL-licensed software. The new EU Digital Markets Act makes some of this behaviour illegal.

* I want my phone to be private, secure and free, of course, but how is this accomplished? The OS should be FOSS. It empowers me to define my own security and privacy policies, both system-wide and on a per-app basis, and I can be confident that those policies will be enforced. One of those policies is: PII (Personally Identifiable Information) is not being collected and transmitted without my knowledge or assent. In order to reliably enforce privacy policies, I need a good, layered security design, beginning at the hardware level. I need Secure Boot, so that an evil maid or border security guard with access to my phone cannot replace or modify the OS without my knowledge. Also: a hardware-backed keystore, a supply chain allowing the OS to download and install the latest firmware security updates, etc. Any apps (third-party software) that I install must be sandboxed so that the app cannot violate the policies I have configured. Third-party software cannot subvert the OS.

* Pinephone is not the answer. Even though Pinephone advertises freedom, privacy and security, it doesn't have proper hardware security support. There's no secure boot. There's no trustworthy, secure mobile OS (of the stature of Graphene) available for Pinephone. Instead I see embarrassing things like this: <https://nns.ee/blog/2021/04/03/modem-rce.html>.

I see Pinephone fans arguing the absence of secure boot is a feature: that it takes away your freedom. Not true. On my new phone, secure boot means that it is impossible to install a different operating system without wiping the previous operating system and all its user data. This is a security policy I have deliberately enabled, and it's enforced by hardware. I also have the option of permanently locking my phone, so that it is impossible to replace Graphene OS with something else, but I haven't exercised that option yet[*]. If somebody permanently locks your phone to a particular OS before selling it to you, then yes, your freedom has been taken away. But I bought my Pixel 6 unlocked.

So Pinephone is a security nightmare. You can't trust the software to enforce your privacy policies. To compensate for this, Pinephone has hardware kill switches for the cam, mic, LTE, bluetooth, wifi. Okay, but Graphene provides these switches in software, and it has a hardware-backed security architecture that makes them trustworthy. And I can trust Graphene not to leak my PII even when my LTE or wifi are turned on.

Get a Pinephone so that you can run desktop FOSS Linux software, not because it has the best privacy and security.

[*Footnote: Interestingly, locking my phone would violate the GPL 3 (by denying an adversary with temporary possession of my phone the right to hack it and insert malware), but only if Graphene used GPL 3. Graphene uses a permissive licence specifically to ensure my right to protect myself.]

* Pixel phones are the best hardware for security and privacy. They have the full hardware-based security toolkit. You can buy them unlocked and install your choice of OS. There are exactly two FOSS mobile OSes that have decent security and privacy, and support secure boot. These are Graphene and Calyx, and they only run on Pixels.

* Graphene OS is the open source Android clone with the best security, famously endorsed by Ed Snowden. It has an 8-year history (previously called Copperhead); they pioneered and upstreamed some security features of modern stock Android. Graphene also by default provides the highest level of privacy, although you may start to lose that depending on what additional apps you install and how you configure their sandboxes. It doesn't phone home to Google by default, and uses its own OS update infrastructure independent of Google Play. It is the most current and frequently updated Android distro (best for security), and phones have long-term security support past the date when Google halts security updates for their distro. You can securely disable mic/camera/gps/bluetooth/cellular/wifi from the top-level pulldown in any context, a unique privacy feature for Android. You have 2 options for installing the Google Play app store, both sandboxed, both with better security than other Android distros, and one (Aurora) with enhanced privacy. Some apps won't work due to prioritizing security over convenience. E.g., Graphene uses a hardened runtime that crashes apps with memory errors (e.g., use after free), meaning a few apps (it's rare) will crash in Graphene even though they run in other Android distros. Android Auto will probably never be supported, since it requires the highest privilege levels, bypassing your security and privacy settings, and Graphene refuses to let it run outside a sandbox. Some banking apps and games may not run due to detecting that they are not running on stock Android. Documentation is amazing; the forum quickly answered my one question so far. Based in Toronto.

* Calyx OS is a new competitor to Graphene. Although they seem to mimic Graphene's security and privacy claims, they in fact prioritize convenience and usability over privacy and security, whereas Graphene is security first. It looks like Calyx is easier to set up, whereas Graphene gives you more control, better documentation, and more frequent updates, so maybe it's like Ubuntu vs Arch. Calyx supports the same set of phones as Graphene (Pixel only). Calyx preinstalls popular Android apps like Signal and F-Droid, and they will sell you a phone with Calyx preinstalled. (To get this for Graphene, you can buy a Graphene phone from a third party.) Calyx is a non-profit foundation for internet freedom, and the phone OS is one of their projects.

* Lineage OS is focused on supporting as many old android phones as possible. It's less secure than Calyx. This distro is the popular choice if you want a fully open source Android ROM on a non-Pixel phone.

* I don't have the Google Play store installed, but I do have F-Droid installed. F-Droid is an Android app store that requires FOSS and prohibits spyware, adware, and phoning home to Google. App updates use F-Droid infrastructure, not Google Play. This is exactly the policy I want. There are some people claiming F-Droid is better for privacy, others claiming F-Droid is worse for security, than the Google Play Store. Both claims can be true. The Graphene forum warns against installing F-Droid; Calyx installs it by default. For comparison, Graphene has equally sharp criticisms of the security of the Debian repository.

* Can you completely degoogle an Android phone? Sure, mine is. Graphene is 100% degoogled in the default install (it doesn't phone home to Google and has no closed source Google components). You can get additional apps using F-Droid. Calyx? Not clear, since it preinstalls popular Android apps like Signal, that use Google services. A more interesting question is: can you install Android apps that use Google services, and enforce a privacy policy that prevents those apps from sending personal information to Google? I dunno yet.

microG and Aurora are technologies that promise to let you use the Google Play services and store while (to some extent) not giving up PII to Google. Do they actually accomplish this goal, and in a safe way? It's controversial.

* microG is an open source replacement for Google Play Services. It only supports a subset of the APIs, but for that subset, it increases privacy by not phoning home to Google. Calyx and Lineage use microG to improve privacy and to substitute open source for closed source.

But not Graphene. microG must run at the highest privilege level, and it does shady things to spoof Google services. Graphene does not use microG, because it breaks the security of verified boot and breaks the app sandboxing model, creating a "security mess". So instead, Graphene builds a layer or sandbox around the official implementation of the Play components (Google Play Store, Google Play Services, Google Services Framework). Normally, these components require privileged system access to run. The sandbox contains a compatibility layer that fakes out privileged system calls. Some APIs are broken, but most work. As a special case, Graphene provides a controlled version of the location API that is usually provided by Play services.

In principle, microG and Graphene's Play services sandbox should be equally effective for privacy. microG reimplements all the APIs, while Graphene filters all the APIs, controlling the inputs and outputs. In practice, both are incomplete works in progress. So there are limitations.
 * microG currently supports a much smaller subset of the play service APIs than Graphene, so more apps are incompatible.
 * Graphene also says they have more work to increase compatibility.
 * Calyx acknowledges that Graphene's sandbox approach is more secure, but they claim it is less private. (I can't find specifics behind this claim.) Then, Calyx claims that Calyx is prioritizing privacy over security, while Graphene is prioritizing security over privacy, as if this were a fundamental difference between the distros. Graphene vigorously disputes this.

* Aurora is a layer around the Google Play store that allows you to anonymously install apps. Graphene and Calyx both support it. Sounds good, but then the apps I download still might need Google Play services, and they may use Google Analytics and Google Ads and do other things I don't like. So we are back to the question of whether Graphene can block all these bad things. At this point I would need to learn more.

But whatever, doesn't affect me. IMO, the best way to win the game against Google Play malware is not to Play. In short, degoogle.

* In summary, my phone is fully degoogled and I have the apps I want from F-Droid. I like the extreme hard core security stance of Graphene, it engenders trust in their code.