[kwlug-disc] cell phone security and privacy

[Evan Nordquist]

I also went GrapheneOS recently, and I can't imagine going back.

*Evan Nordquist*


On Tue, Jul 26, 2022 at 4:59 PM Doug Moen <doug at moens.org> wrote:

> After researching cell phone OSes and installing Graphene, I suddenly have
> a lot of opinions about privacy and security in cell phone operating
> systems. I now have a fully degoogled Android phone, and I'll talk about
> that.
>
> Within the current landscape, there's a three way tradeoff between
> convenience, security and privacy. More of one may mean less of another. I
> decided to go all the way with privacy, with a high level of security, and
> screw convenience. This led me to install Graphene on a Pixel 6.
>
> Some opinions, and a conclusion:
>
> * Stock Android is a privacy nightmare. Google sees everything you do,
> knows your exact location at all times, sells the information. Even if you
> never use the google app store or sign in using a google id. From a privacy
> perspective, most of the apps on Google Play are malware (specifically,
> spyware). Security is good, better than privacy. And it is tolerably free:
> the Android core is open source, you can install your own apps without
> Google's permission, and you can install a different OS if you don't like
> stock Android.
>
> * Apple iOS is both a privacy nightmare and a possible violation of human
> rights. Apple sees everything you do, although they don't sell the
> information the way Google does. They do, however, hand over your
> information to government agencies on request. That's why there's no end to
> end encryption of your data in the Apple cloud, so they can do this. The
> fact that they scan your photos for child porn is also creepy, at least to
> me. Some may derive a feeling of security knowing that big brother is
> watching. Apple also has excellent marketing that convinces most people
> that iOS is the opposite of what it actually is. The spyware in the iOS app
> store is less virulent: it collects less information than under Android.
> Security is excellent. The Apple ecosystem is super convenient. But it is
> totally unfree. You cannot install a different OS on iPhone hardware. You
> cannot even write your own software and install it on your own phone
> without Apple's permission, which requires paying a fee, and permission is
> often enough not granted or revoked. Apple sells this as a security
> feature, but this claim is self serving. The FSF says that iOS is
> incompatible with GPL licensed software. The new EU Digital Markets Act
> makes some of this behaviour illegal.
>
> * I want my phone to be private, secure and free, of course, but how is
> this accomplished? The OS should be FOSS.  It empowers me to define my own
> security and privacy policies, both system wide, and on a per app basis,
> and I can be confident that those policies will be enforced. One of those
> policies is: PII (Personally Identifiable Information) is not being
> collected and transmitted without my knowledge or assent. In order to
> reliably enforce privacy policies, I need a good, layered security design,
> beginning at the hardware level. I need Secure Boot, so that an evil maid
> or border security guard with access to my phone cannot replace or modify
> the OS without my knowledge. Also: hardware backed keystore, a supply chain
> allowing the OS to download and install the latest firmware security
> updates, etc. Any apps (third party software) that I install must be
> sandboxed so that the app cannot violate the policies I have configured.
> Third party software cannot subvert the OS.
>
> * Pinephone is not the answer. Even though Pinephone advertises freedom,
> privacy and security, it doesn't have proper hardware security support.
> There's no secure boot. There's no trustworthy, secure mobile OS (of the
> stature of Graphene) available for Pinephone. Instead I see embarrassing
> things like this: <https://nns.ee/blog/2021/04/03/modem-rce.html>.
>
> I see Pinephone fans arguing the absence of secure boot is a feature: that
> it takes away your freedom. Not true. On my new phone, secure boot means
> that it is impossible to install a different operating system without
> wiping the previous operating system and all its user data. This is a
> security policy I have deliberately enabled, and it's enforced by hardware.
> I also have the option of permanently locking my phone, so that it is
> impossible to replace Graphene OS with something else, but I haven't
> exercised that option yet[*]. If somebody permanently locks your phone to a
> particular OS before selling it to you, then yes your freedom has been
> taken away. But I bought my Pixel 6 unlocked.
>
> So Pinephone is a security nightmare. You can't trust the software to
> enforce your privacy policies. To compensate for this, Pinephone has
> hardware kill switches for the cam, mic, LTE, bluetooth, wifi. Okay, but
> Graphene provides these switches in software, and it has a hardware-backed
> security architecture that makes them trustworthy. And I can trust Graphene
> not to leak my PII even when my LTE or wifi are turned on.
>
> Get a Pinephone so that you can run desktop FOSS linux software, not
> because it has the best privacy and security.
>
> [*Footnote: Interestingly, locking my phone would violate the GPL 3 (by
> denying an adversary with temporary possession of my phone the right to
> hack it and insert malware), but only if Graphene used GPL 3. Graphene uses
> a permissive licence specifically to ensure my right to protect myself.]
>
> * Pixel phones are the best hardware for security and privacy. They have
> the full hardware based security toolkit. You can buy them unlocked and
> install your choice of OS. There are exactly two FOSS mobile OSes that have
> decent security and privacy, and support secure boot. These are Graphene
> and Calyx, and they only run on Pixels.
>
> * Graphene OS is the open source Android clone with the best security,
> famously endorsed by Ed Snowdon. It has an 8 year history (previously
> called Copperhead); they pioneered and upstreamed some security features of
> modern stock Android. Graphene also by default provides the highest level
> of privacy, although you may start to lose that depending on what
> additional apps you install and how you configure their sandboxes. It
> doesn't phone home to Google by default, and uses its own OS update
> infrastructure independent of Google Play. It is the most current and
> frequently updated Android distro (best for security), and phones have long
> term security support past the date when Google halts security updates for
> their distro. You can securely disable
> mic/camera/gps/bluetooth/cellular/wifi from the top level pulldown in any
> context, a unique privacy feature for Android. You have 2 options for
> installing the Google Play app store, both sandboxed, both with better
> security than other Android distros, and one (Aurora) with enhanced
> privacy. Some apps won't work due to prioritizing security over
> convenience. Eg, Graphene uses a hardened runtime that crashes apps with
> memory errors (eg, use after free), meaning a few apps (it's rare) will
> crash in Graphene even though they run in other Android distros. Android
> Auto will probably never be supported, since it requires the highest
> privilege levels, bypassing your security and privacy settings, and
> Graphene refuses to let it run outside a sandbox. Some banking apps and
> games may not run due to detecting that they are not running on stock
> Android. Documentation is amazing, forum quickly answered my one question
> so far. Based in Toronto.
>
> * Calyx OS is a new competitor to Graphene. Although they seem to mimic
> Graphene's security and privacy claims, they in fact prioritize convenience
> and usability over privacy and security, whereas Graphene is security
> first. It looks like Calyx is easier to set up, whereas Graphene gives you
> more control, better documentation, and more frequent updates, so maybe its
> like Ubuntu vs Arch. Calyx supports the same set of phones as Graphene
> (pixel only). Calyx preinstalls popular Android apps like Signal and
> F-Droid, and they will sell you a phone with Calyx preinstalled. (To get
> this for Graphene, you can buy a Graphene phone from a third party.) Calyx
> is a non-profit foundation for internet freedom, and the phone OS is one of
> their projects.
>
> * Lineage OS is focused on supporting as many old android phones as
> possible. It's less secure than Calyx. This distro is the popular choice if
> you want a fully open source Android ROM on a non-Pixel phone.
>
> * I don't have the Google Play store installed, but I do have F-Droid
> installed. F-Droid is an Android app store that requires FOSS and prohibits
> spyware, adware, and phoning home to google. App update uses F-Droid
> infrastructure, not google play. This is exactly the policy I want. There
> are some people claiming F-Droid is better for privacy, others claiming
> F-Droid is worse for security, than the Google Play Store. Both claims can
> be true. The Graphene forum warns against installing F-Droid, Calyx
> installs it by default. For comparison, Graphene has equally sharp
> criticisms of the security of the Debian repository.
>
> * Can you completely degoogle an Android phone? Sure, mine is. Graphene is
> 100% degoogled in the default install (it doesn't phone home to google and
> has no closed source google components). You can get additional apps using
> F-Droid. Calyx? Not clear, since it preinstalls popular Android apps like
> Signal, that use Google services. A more interesting question is: can you
> install Android apps that use google services, and enforce a privacy policy
> that prevents those apps from sending personal information to Google? I
> dunno yet.
>
> microG and Aurora are technologies that promise to let you use the google
> play services and store while (to some extent) not giving up PII to google.
> Do they actually accomplish this goal, and in a safe way? It's
> controversial.
>
> * microG is an open source replacement for Google Play Services. It only
> supports a subset of the APIs, but for that subset, it increases privacy by
> not phoning home to Google. Calyx and Lineage use microG to improve privacy
> and to substitute open source for closed source.
>
> But not Graphene. MicroG must run at the highest privilege level, and it
> does shady things to spoof google services. Graphene does not use microG,
> because it breaks the security of verified boot and breaks the app
> sandboxing model, creating a "security mess". So instead, Graphene builds a
> layer or sandbox around the official implementation of the Play components
> (google play store, google play services, google services framework).
> Normally, these components require privileged system access to run. The
> sandbox contains a compatibility layer that fakes out privileged system
> calls. Some APIs are broken, but most work. As a special case, Graphene
> provides a controlled version of the location API that is usually provided
> by Play services.
>
> In principle, microG and Graphene's play service sandbox should be equally
> effective for privacy. MicroG reimplements all the APIs, while Graphene
> filters all the APIs, controlling the inputs and outputs. In practice, both
> are incomplete works in progress. So there are limitations.
>  * microG currently supports a much smaller subset of the play service
> APIs than Graphene, so more apps are incompatible.
>  * Graphene also says they have more work to increase compatibility.
>  * Calyx acknowledges that Graphene's sandbox approach is more secure, but
> they claim it is less private. (I can't find specifics behind this claim.)
> Then, Calyx claims that Calyx is prioritizing privacy over security, while
> Graphene is prioritizing security over privacy, as if this were a
> fundamental difference between the distros. Graphene vigorously disputes
> this.
>
> * Aurora is a layer around the google play store that allows you to
> anonymously install apps. Graphene and Calyx both support it. Sounds good,
> but then the apps I download still might need google play services, and
> they may use google analytics and google ads and do other things I don't
> like. So we are back to the question of whether Graphene can block all
> these bad things. At this point I would need to learn more.
>
> But whatever, doesn't affect me. IMO, the best way to win the game against
> google play malware is not to Play. In short, degoogle.
>
> * In summary, my phone is fully degoogled and I have the apps I want from
> F-Droid. I like the extreme hard core security stance of Graphene, it
> engenders trust in their code.
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20220726/a5891b5c/attachment.htm>