Comment by realusername

8 days ago

I like GrapheneOS but they fail to understand in this post that the #1 security concern an Android user faces is the lack of privacy.

Sure they have hardened everything but realistically, that's not the main threat for your average user.

Their top contribution to android is the sandboxed Google Play, by far.

I think it's more of a marketing claim from less secure systems that "privacy is not security, and GrapheneOS focuses on security while we focus on privacy".

GrapheneOS does care about both, quite obviously. And GrapheneOS tends to say that if your security is bad, then it is affecting your privacy too. Whereas others say "sure, we break the Android security model by unlocking the bootloader and signing our system with the Google test keys, but your apps will contact Google through microG instead of the Play Services, so it's more private". Which is worth what it is worth...

  • > I think it's more of a marketing claim from less secure systems that "privacy is not security

    I'm not sure Cyanogenmod had a marketing team that convinced me of anything when I first installed their ROM in 2013 and explored my phone's capabilities with root. Accessing the sensor devices, inspecting what the different apps do, what the OS is doing, installing Xprivacy to provide fake data to tracking apps... none of that is possible on GrapheneOS, you can only use the Android APIs, same as on stock.

    Am I brainwashed by marketing?!

    • I am not sure what you are trying to say.

      My point is that

      1. If you care about privacy, you should care about security. If your email server is compromised and your emails leak in the public internet, then they are not private anymore.

      2. GrapheneOS does care about both security and privacy.

      > explored my phone's capabilities with root. Accessing the sensor devices, inspecting what the different apps do, what the OS is doing, installing Xprivacy to provide fake data to tracking apps... none of that is possible on GrapheneOS

      I think you're talking about something like "freedom", here. GrapheneOS doesn't claim to give you the freedom to do whatever you want. In fact, part of the Android security model is to limit your freedom.

      Which is not to say that you should not want the freedom to have root access on your phone. But if that's what you want, GrapheneOS is probably not it.


  • This is only my opinion, but GrapheneOS's approach to privacy seems obtuse to me. They will claim that an unlocked bootloader is a risk, but then turn around and recommend you install proprietary apps GApps in their sandbox. The sandbox doesn't matter if all the private data is in the same sandbox!

    Reminds me of https://xkcd.com/1200/

    • > recommend you install proprietary apps GApps in their sandbox

      They don't recommend that you do that. They tell people that if people want to install apps, Google Play Store is a secure and easy way to get apps. They inform people about this because some have the misconception that using the Play Store defeats the whole purpose of GOS (which it doesn't) or that the Play Store is highly problematic (it's better than most alternatives). But the users themselves are free to decide what they do. If you look at project members of GrapheneOS, some say they use Play, some say they don't.

      > The sandbox doesn't matter if all the private data is in the same sandbox!

      That's not how sandboxing works. The sandbox is around the app. Each app is in the sandbox. On GrapheneOS even the components of Google Play (Play Store, Play Services and on older installs Play Services Framework) are sandboxed. On Android OSes that bundle Google Mobile Services (GMS), Play gets an exception and is a privileged app. On GrapheneOS they are regular apps. They are each put in their own sandbox. The access of each is controlled by their own set of fine-grained run-time permissions.

      With all due respect, you fundamentally misunderstand how sandboxing works, even on Android in general. I recommend reading this to understand sandboxing in the AOSP: https://source.android.com/docs/security/app-sandbox . On GrapheneOS the sandbox is hardened a bit, but that's not the most significant feature of the OS at all, and Play is forced to run sandboxed if users choose to install it.

    • Feels like you don't know what "the sandbox" is. It's not "their" sandbox, it's from AOSP.

      When you run an app on Android, it runs in a sandbox. Meaning that your social media app cannot access the files of your banking app by default. They are "sandboxed".

      On a normal Android, the Play Services are installed as a system app. It is a privileged app that has "system" access. A system app is not sandboxed.

      GrapheneOS allows you to install the Play Services and the Play Store as "sandboxed" apps in that they run unprivileged, just like WhatsApp or TikTok or your banking app.

      So running the proprietary Google apps in the sandbox is obviously more private than running them as system apps, wouldn't you say?


    They recommend you install Google Play Services if you need it. Privacy is in no small part a user decision - no matter how secure your device is if you just scroll Facebook all day.

GrapheneOS is primarily a privacy project. It keeps up with important Android updates with major privacy enhancements and very important privacy patches. It builds crucial privacy protections such as Storage Scopes, Contact Scopes, Sensors toggle and much more into the OS. Privacy depends on security so security protections and security patches are part of providing strong privacy too.

It's a misconception that GrapheneOS is focused on security over privacy. It heavily works on privacy features and the work on security features is entirely to protect privacy. There's widespread use of commercial exploit tools and GrapheneOS is proven to provide far better real world protection against those. Most alternate operating systems reduce privacy from AOSP and massively reduce security while GrapheneOS is preserving the baseline and heavily improving both side by side.

GrapheneOS is also very focused on usability and app compatibility, making sure to preserve those with the major privacy and security enhancements.

  • The #1 security problem your average Android user faces isn't an attack by some Israeli firm but data leaks by advertisers and unless I missed something (it's possible), GrapheneOS does not have an equivalent of uBlock Origin built into the OS which I'd consider step 1 of fighting the problem.

    The "ideal Android" in my head would just have a dynamic ruleset to patch/nop tracking libraries as the app loads, which, as far as I know, nobody does; eOS doesn't either. Kind of like Revanced but on steroids and built into Android.

    I feel like you can't really fix Android anyway, the design is just broken and if you care about security / privacy, you should just use everything in a browser or a Linux distribution.

    Sure the work GrapheneOS does is valuable but it's like removing water from a lake with a bucket.

    I feel like shielding the mess that Android is into something like an improved Waydroid with a mindset of "yeah let's keep it there and the sane stack for the rest" sounds like a better approach to me.

    • > GrapheneOS does not have an equivalent of uBlock Origin built into the OS which I'd consider step 1 of fighting the problem.

      Content filtering is built into the browser. GrapheneOS have always maintained that you cannot prevent an app from exfiltrating data, especially if it has internet access. Enumerating badness is an unsustainable approach they don't want to encourage. Instead they attack the heart of the issue with Storage Scopes/Contact Scopes/Network Permission/Sensors Permission etc. They allow apps to think they have full access when they do not, so you can control exactly what data they get in the first place. Maybe all of the other AOSP projects could contribute App Communication Scopes/Enhanced Clipboard Privacy and other things because this approach makes a lot of sense to me. Like preventing an illness instead of wasting energy treating symptoms.

      > The "ideal Android" in my head would just have a dynamic ruleset to patch/nop tracking libraries as the app loads, which, as far as I know, nobody does; eOS doesn't either. Kind of like Revanced but on steroids and built into Android.

      Something similar was addressed some years ago as a feature request for GrapheneOS: https://github.com/GrapheneOS/os-issue-tracker/issues/284. To summarise, there was no way to do this without an unacceptable security cost to the OS, but this is sort of doable if you run your own userdebug build, which you have the power to do.


    • GrapheneOS provides greatly improved privacy including through features like Contact Scopes and Storage Scopes.

      > GrapheneOS does not have an equivalent of uBlock Origin built into the OS which I'd consider step 1 of fighting the problem.

      Enumerating badness by trying to list domains which are solely used for advertising, telemetry, etc. doesn't address any of the main privacy invasive behavior by apps which is done through their own services and server side contact with third parties.

      uBlock Origin has the same problems in the browser, but the rules within a browser are a lot more flexible than the extreme limitations of domain-based blocking, where any useful purpose of the domain results in blocklists not being able to include it, or apps would break. Domain-based filtering is also far less usable in practice and is typically not per-app either.

      RethinkDNS on GrapheneOS works far better than the domain blocklist in /e/ but it's not a strong approach to privacy and does not address much.

      Apps can easily work around it and prevent the filtering, as can the SDKs. One way is doing server-side connections and another is using DNS-over-HTTPS for DNS resolution. Facebook has fallback IPs and DNS resolution in a growing number of their apps and can do it in their SDKs too.

      Using a fundamentally unworkable approach that's increasingly becoming less useful is not how GrapheneOS approaches privacy.

      > The "ideal Android" in my head would just have a dynamic ruleset to patch/nop tracking libraries as the app loads, which, as far as I know, nobody does; eOS doesn't either. Kind of like Revanced but on steroids and built into Android.

      This is another fundamentally unworkable enumerating badness approach which is not how GrapheneOS approaches privacy. GrapheneOS avoids apps getting access to sensitive data rather than trying to stop them sending it to specific places.

      > I feel like you can't really fix Android anyway, the design is just broken and if you care about security / privacy, you should just use everything in a browser or a Linux distribution.

      GrapheneOS is a Linux distribution. Desktop Linux distributions have far worse privacy and security than GrapheneOS. The ports of desktop Linux distributions to mobile are largely losing even more security. That's a huge setback for privacy and security, not progress. They don't have similar privacy protections, don't have a similarly strict approach to privacy for default services and lack security to keep privacy intact. Using mostly or only open source software doesn't mean you don't need privacy and security protections. Aside from that, the open source mobile app ecosystem for Android and GrapheneOS is far better than it is for those operating systems.

      > Sure the work GrapheneOS does is valuable but it's like removing water from a lake with a bucket.

      GrapheneOS provides drastically better privacy and security than the desktop operating systems you think are better. It has a great open source app ecosystem available with lots of high quality apps. You're portraying it as if people must use privacy invasive apps, but that's not at all the case. Plenty of desktop users are using apps like Discord where they can access the entirety of their data, as opposed to GrapheneOS where it's a heavily sandboxed app with lots of user control, along with prevention of coercion to get access via the scopes features we add for pretending to grant permissions while actually granting access to no files/media/contacts by default, where it simply appears there are none until users explicitly opt in to adding them.

      > I feel like shielding the mess that Android is into something like an improved Waydroid with a mindset of "yeah let's keep it there and the sane stack for the rest" sounds like a better approach to me.

      Waydroid has far worse privacy and security from Android apps than running them on AOSP or especially GrapheneOS. It loses the Android app sandbox and permission model. It uses a very outdated fork of AOSP and breaks the privacy/security model through how it's implemented. It runs on top of a far less secure host OS with worse isolation for the apps inside it from the rest of the OS than exists on Android itself. Moving to a drastically less private/secure host OS while running Android apps in a much less private/secure way is hardly progress.


  • Since you seem to be one of the developers, one thing that I wish Graphene focused on more is browser fingerprinting. This is probably the number one threat against privacy nowadays. Vanadium is very usable, but it seems to be quite easily fingerprintable.

    • GrapheneOS does focus on browser fingerprinting with a long term approach that's being implemented. That's why adblocking is implemented the way that it is, with a specific list of filters and then regional/language filters activated based on which languages are enabled. Vanadium does provide good protection against instances of Vanadium being distinguished from each other in ways other than the IP addresses, language, time zone, etc. Adding support for using a universal UTC time zone in Vanadium is one of many planned features for countering fingerprinting. Expanding the Vanadium userbase beyond GrapheneOS would be the main way to reduce fingerprinting, since it heavily depends on the number of people using the browser, so we eventually plan to launch it for use outside of GrapheneOS once it has more features.

      Brave has the best anti-fingerprinting on Android right now but it's not all implemented in a good way and they have a lot of features with privacy and security downsides too. Vanadium is gradually working towards having stronger anti-fingerprinting than it. It will take time. In general, our approach is focusing on doing things properly with the long term in mind. It takes longer but the end results will be better as can be seen for what we ship in many areas. Our network-based location implementation is a nice example among many others.

    • The founder, afaik, not just a developer.

      Tor Browser seems to be a project that requires multiple full time developers. I don't think GrapheneOS have the resources right now to do this alongside their OS development, device support and app overhaul plans.

      Also please don't take this as any criticism of your suggestion, but there have been multiple 'privacy' browser projects based on Chromium for Android. It's a little frustrating that they couldn't collaborate some base like this to the open source community.


privacy != security.

And sandboxed Google Play services serve both goals -- it runs the service as a regular Android service, not an exceptional one that has a bunch of extra permissions. So you can allow/restrict it as you see fit, while not "getting behind" on features/apps that mandate it.

  • GrapheneOS provides major privacy enhancements including Contact Scopes, Storage Scopes, Sensors toggle, per-connection Wi-Fi privacy via per-connection DHCP state + MAC randomization and far more. It's a privacy project and privacy depends on security so it heavily focuses on protecting against exploitation of privacy and security vulnerabilities too. Privacy and security are not separate things from each other but rather closely tied together and our work is on both for the sake of improving privacy. Our only reason to work on security features is protecting privacy.

    • I won't argue with you on the project-related part of it, you obviously know best there :) Thank you for all the work!

      But how would you "rate" for example desktop "GNU/Linux" with this in mind? Quite clearly privacy is important here and none of the major components leak/store unnecessary personal data. But the security story is quite sad, everything runs as the same user so a random `npm install` can just do whatever it wants with my browser caches, ssh keys, etc. I would say that GNU/Linux is privacy-friendly, but has terrible security. Would you not agree here? How does this fit with the "privacy and security are not separate things" part? Genuinely curious about your opinion here, not arguing for the sake of it, they are just not as closely connected in my mind. For example Google has a good track record of having safe practices regarding data storage -- but privacy is not their strong suit/hard to define what it means for a company to begin with.

  • I disagree, privacy is an essential part of security, if there's no privacy, then there's no security.

    That's also why I don't keep anything important on my phone as I don't trust what's going on there despite having all the secure features that you would want.

    • Other way around, actually. It's possible to make concessions to privacy, like providing crash reports, or running applications in sandboxes which limits what they can harvest, while keeping the platform secure.

      Any privacy you have on a system is reliant on no one tampering with that system and on software behaving itself. Without security, you can't trust the system to implement any privacy.
