KernelSU has something like this called app profiles where you can set the capabilities that each app gets when it uses su. And if you are a SELinux wizard you can also set a custom domain for each app which would give you the fine grained control you’re looking for. I doubt the average KernelSU user wants to delve into SELinux details so some tool to automate this would be cool. Sadly doesn’t look like Magisk supports this.

Rooting devices breaks the principle of sandboxing: one app shouldn’t be able to access or modify another app or its data, or system files. If you give an app root, it can do whatever it wants to the system. It could install a keylogger to steal credentials, extract login tokens from another app’s storage or just nuke system files to make your device unbootable.

Let’s say you don’t give any apps root. Even having a rooting platform on the phone (e.g. Magisk) is still a vulnerability. Most rooting platforms will ask the user whether an app should get root when the app requests it. But there could be code execution vulnerabilities (e.g. buffer overflows) in the rooting platform that let you add an app to the list of apps allowed to use root without user confirmation.

TLDR: Root gives an app full access to the device, it could do anything with that. Even if you’re careful with what you give root to, it still adds a lot of attack surface that could be exploited.

I use GrapheneOS without play services on my daily driver because I despise Google’s forcing play services down Android’s throat. The irony isn’t lost on me that Graphene only works on Google devices, that will hopefully change soon as Graphene works with an OEM to build their own devices. I don’t bother with banking or government apps as they aren’t mandatory where I live, at least not yet. I try to stick to FOSS (or at least source available) apps where possible.

On a secondary device I also run a rooted version of GrapheneOS just for fun. Yes I know it might be viewed as terribly insecure but it’s just a secondary device that I like to play around with, it doesn’t have any important data on it. I find it quite interesting to learn how rooting methods work to bypass the normal security measures in place.

Absolutely. The general population is braindead when it comes to privacy and digital rights and it gets worse with newer generations as 24/7 connectivity and everything being online is the norm for them. As long as they can watch some social media slop they are satisfied. I believe the proliferation of AI will accelerate this as people delegate their critical thinking faculties to machines and accept big tech’s propaganda as gospel. Chatgippity knows best, right?

I really hate this timeline. 99% of companies pushing users into walled gardens. Governments and banks forcing people to use invasive apps that only work in those walled gardens. Slowly our control is eroded, yet your average user couldn’t care less as long as they get to watch their TikTok slop for a few hours a day.

Until a Linux phone becomes viable I’ll be using a rooted custom ROM and avoiding banking/government apps like the plague.

It can be implemented well but often isn’t. Likely eID will force you to use an mobile app (no website or Linux app, yay) that is only available on Apple’s app store or GPlay. And if you want to run a degoogled android ROM good luck with that when they force Play Integrity. Basically shoving everyone into either the Apple or Google walled garden along with the complementary spyware of both gardens and also screwing anyone who uses a non-smart phone either out of choice or circumstance.

A big ol’ steaming turd

Only the APK is on GitHub, source code is still from the previous release. They say it will be “available at a later time” but knowing Proton that could take a while.

Cool project! Does it support 2FA? I’d like to use a password and then either TOTP or FIDO, like Authelia does.

Perhaps worse than the 9 when it comes to wifi which has been downgraded from 7 to 6e. Will most users care? Maybe not, but I do.

Could you share the name of the company please?