Comment by Borealid
2 days ago
Let's define "more secure" as "preventing a particular behavior that is against the device owner's conscious or unconscious wishes".
It would be "more secure" to have a per-application firewall that blocks particular apps from outbound traffic over certain networks or to certain destinations. This prevents a malicious app from consuming roaming data.
LineageOS can have that, at the owner's preference. Graphene explicitly forbids it.
It would be "more secure" to allow backing up apps and all their data. This would mitigate the damage of ransomware. Graphene, again, forbids it (following google guidelines prioritizing the wishes of an app's developer over the device owner).
There are many such examples. Lineage is philosophically owned by the person who installed it onto the phone. Graphene is owned by the Graphene devs, NOT the phone owner. Sometimes the Graphene devs purposefully choose to let software on the device restrict the valid owner of that device.
>It would be "more secure" to have a per-application firewall that blocks particular apps from outbound traffic over certain networks or to certain destinations. This prevents a malicious app from consuming roaming data.
LineageOS can have that, at the owner's preference. Graphene explicitly forbids it.
Not sure what is meant by forbidding it? GrapheneOS provides per-app network access control via a user-controllable Network permission which is not implemented in AOSP or LineageOS afaik. They do not forbid using local firewall/filtering apps like RethinkDNS (to enforce mobile data only or Wi-Fi only iirc) and InviZible. They only warn that 'blocks particular apps from outbound traffic ..to certain destinations' cannot be enforced once an app has network access which makes sense to me.
>It would be "more secure" to allow backing up apps and all their data. This would mitigate the damage of ransomware. Graphene, again, forbids it (following google guidelines prioritizing the wishes of an app's developer over the device owner).
Contact scopes, storage scopes, the sensors permission and the network permission are examples that show precisely the opposite (GrapheneOS prioritises the device owner over the application developers). To my understanding, the backup app built-in to GrapheneOS even 'simulates' a device-to-device transfer mode to get around apps not being comfortable with data being exfiltrated to Google Drive. That being said, I understand they have plans to completely revamp the backup experience once they have the resources to do so.
They're referring to the leaky network toggles in LineageOS for different kinds of networks. GrapheneOS won't include that because it doesn't work correctly and gives people the false impression that it's going to stop apps communicating over those networks when it only stops most (not all) direct connections.
LineageOS has the same Seedvault backup system with the same limitations. There are few limitations left since Android 12's API level stopped apps opting out of all backups by redefining it as an opt-out of cloud backups and similarly redefined the file exclusions as only being for cloud backups. The new system supports very explicitly omitting files from device-to-device backups but it has to be explicitly specified that way and few apps do it. The problems with apps opting out of backups due to not wanting cloud backups for space, bandwidth or privacy reasons has been solved for several years now. It doesn't mean all app data is portable between devices, such as Signal encrypting their database with a hardware keystore key making it fundamentally impossible to do backups at a file level for it rather than using their own backup system.
See https://news.ycombinator.com/item?id=45562664 for a response to the rest of it.
No, I'm specifically referring to iptables-based firewalls (like AFWall), which Graphene does not allow the user to create and Lineage does (via root access).
These are not an android VPN provider and allow blocking traffic based on the combination of source app AND DESTINATION SERVER ADDRESS.
> LineageOS can have that, at the owner's preference. Graphene explicitly forbids it.
That's not true.
You can use apps like RethinkDNS providing local monitoring and filtering of connections while still supporting using a VPN on either LineageOS or GrapheneOS. GrapheneOS fixes 5 different kinds of outbound VPN leaks which are still present on LineageOS, which is quite relevant to this. There are no known outbound VPN leaks remaining for GrapheneOS as long as Private DNS is set to Off.
The reason GrapheneOS doesn't include the finer grained network toggles LineageOS does is because they're leaky and do not work correctly. Our Network toggle doesn't have those kinds of leaks. We do plan to split up the Network toggle a bit but doing that correctly is much harder and comes with some limitations since it still has to block generic INTERNET permission access if anything is disabled and only permit cases which are specially handled.
GrapheneOS has Storage Scopes, Contact Scopes, a Network toggle and a Sensors toggle not available on LineageOS along with other app sandbox and permission model improvements. Users have much more control of their apps and data on GrapheneOS.
LineageOS provides privileged access for Google apps while we take a different approach.
> It would be "more secure" to allow backing up apps and all their data. This would mitigate the damage of ransomware. Graphene, again, forbids it (following google guidelines prioritizing the wishes of an app's developer over the device owner).
That's also not true. LineageOS has the same limitations and backup system.
Both GrapheneOS and LineageOS use Seedvault with the same kind of integration. Since the Android 12 API level, apps can only opt-out of cloud backups and existing exclusion files only apply to cloud backups. There's a new exclusion system which can be used to explicitly omit files from device-to-device backups such as Google's device transfer system, but that's rarely used and it exists for good reason due to device-specific data that's not portable.
> There are many such examples. Lineage is philosophically owned by the person who installed it onto the phone. Graphene is owned by the Graphene devs, NOT the phone owner. Sometimes the Graphene devs purposefully choose to let software on the device restrict the valid owner of that device.
You haven't raised any examples of GrapheneOS restricting what can be done in a way that's not done by LineageOS. All you did is bring up a feature approached differently by both operating systems where the most flexible solutions such as RethinkDNS are available for both. If people want to modify either GrapheneOS or LineageOS, they can do it for each. We provide very good build documentation for production releases with proper signing. We strongly recommend against using Magisk but people do modify GrapheneOS with that projects and use it. Our recommendations are not restrictions on what people can do.
As an example of something lineage allows me to do which graphene forbids: Lineage allows me, the owner of my phone, to use an app of my choice to serve as a location provider.
Graphene requires that I use google services (sandboxed) and does not PERMIT me, the owner of the device, to choose otherwise without compiling my own fork.
I'm using Graphene but honestly the biggest thing is that Lineage devs wouldn't care if you root, while Graphene devs obviously do because it screws the whole point of Graphene