I mean, that is saying in effect that the user is a security liability, that rights should be withheld from the user because they can’t be trusted. I think that is diametrically opposed to the very principles motivating giving the user control of their phone and privacy.
Sure, lock root behind whatever “I’m an adult and the phone’s owner, and know what I’m doing” setup, or sandbox as needed, or require a user to properly self-authenticate any key-related operations, but desktop OSes function fine giving users root abilities. The reason device manufacturers lock their phones and prevent root is maintaining a trusted environment adversarially to the user, not that the user’s data will be insecure.
Since GrapheneOS is open source, you can build your own ROM that includes whatever features you would typically need root for. Implementing those features at the system level is far more secure than giving the user account root access.
This isn’t about the user being treated as untrustworthy or as less than an adult, it’s about the security model GrapheneOS is based on. The team explains it well in this thread: https://discuss.grapheneos.org/d/18953-why-the-stigma-against-rooting
If you want to trade away the benefits of that security model to be able to tinker with things and feel more in control of your phone, you can use something else that lets you do that by default, or patch and build a rootful Graphene yourself. Ironically, the risk there is of giving full control of your phone and privacy to a potential malicious third party anyways, but different threat models may deem that acceptable or low-risk enough.
but desktop OSes function fine giving users root abilities.
Again, threat models. They may function fine for most people, and for most people the risk is low, but the Linux desktop world is a security nightmare.
I mean, that is saying in effect that the user is a security liability, that rights should be withheld from the user because they can’t be trusted.
This is literally true when dealing with cyber security. And always will be.
And, no, throwing up some scary warning does not magically fix anything. If root access exists - at all - that creates an extreme vulnerability to any kind of malware.
You want Android that is secure? Then say goodbye to root access. You want root access? Then you don’t have a secure OS on your phone.
There is no middle ground. Just doesn’t work that way, sorry.
This is only true with an embarrassingly coarse threat model.
Yes, every avenue that allows a user access in theory allows a hacker possible access. But the entire point of security is to create access that is as close to seamless for the user and as close to impermeable for the hacker as possible.
Think of the physical world. We secure a literal bank vault against thieves, customers and even employees with different threat and access models while officers and executives retain “root” access.
If you simply use an access and threat model that treats the user as a hacker, it’s both lazy and undermines the basic purpose of security. It’s just encasing the bank vault door in concrete.
But I don’t think you even realize what you’re arguing - you’re not advocating that nobody gets root access. You’re advocating that the phone or OS maker gets root access while the user does not. You really are saying we can’t own our phones rather than that we can’t secure them.