Never expected someone to call GNOME straight up ugly. IMO it's currently the most stylish DE out there by far (comparing to the default look of other DEs). Opinions, huh.
Not possible in Finland. :( I'm using the one bank (OP) that used to allow rooted devices to use their app, but even they eventually blocked it via SafetyNet.
That's the kicker, they will all eventually block it, so it's not worth your time and sanity constantly swapping banks on the hopes this one will keep lax security.
I agree that the features should ideally be provided by the base system so that the user does not have to "hack them in" with root-powered apps. But the reality is that most Android "distros" simply do not support the features that I would consider basic functionality. I mainly root for three reasons:
- Backing up all app data via Neo Backup. Android has an auto-backup feature that backs up app data to the user's Google Drive, but unfortunately the app developer can simply opt out of this, and the user cannot do anything about it. This means that app data may be lost when migrating to a new phone, as the app data is stored in directories that are not accessible in the filesystem without root.
- High-quality call recording via Call Recorder. For some reason, some (most?) phones do not allow apps to access the raw incoming audio stream. Non-root apps have to rely on capturing the other end through the microphone, which is horrible.
- /etc/hosts-based ad blocking while using a VPN via AdAway. DNS-based ad blocking is possible via apps like AdGuard, which use a local VPN to accomplish this. Unfortunately, Android only allows one VPN connection at a time, which means that without root I would not be able to use a VPN for any other purpose while simultaneously blocking ads.
---
I have no experience with GrapheneOS, so I'd be interested to hear if these features are possible on it without rooting. If not, can I request these features somewhere?
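The /etc/hosts-based blocking described in the post above works by mapping advertising hostnames to a sinkhole address so lookups never leave the device. The following is an added example, not code from the post or from AdAway, showing how such a hosts table is parsed and consulted; the hosts lines are constructed sample data. It also shows the main limitation of the technique: a hosts file matches exact names only, so a subdomain not listed is not blocked.

```python
import ipaddress

# Constructed sample in the hosts-file format used by hosts-based ad blockers.
SAMPLE_HOSTS = """\
# constructed blocklist (not a real AdAway list)
0.0.0.0 ads.example.com tracker.example.net   # several names on one line
0.0.0.0 metrics.example.org
not-an-address junk.example.com               # malformed line, must be ignored
"""


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text.

    Comments (after '#') are stripped, one line may carry several
    hostnames, hostnames are normalised to lower case without a trailing
    dot, and lines whose first field is not an IP address are skipped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed entry: skip rather than poison the table
        for name in names:
            # First mapping wins, as a resolver reading /etc/hosts would do.
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def lookup(table, hostname):
    """Exact-name lookup, mirroring /etc/hosts semantics (no wildcards)."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True when the name resolves to a sinkhole (unspecified/loopback) address."""
    addr = lookup(table, hostname)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.com", "Tracker.Example.NET.", "sub.ads.example.com", "junk.example.com"):
        print(f"{name:25} blocked={is_blocked(table, name)}")
```

The subdomain case is the caveat worth remembering: `sub.ads.example.com` is not blocked even though `ads.example.com` is, which is why hosts-based lists grow so large and why DNS-level blocking (which can block whole zones) is often preferred.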
Rooting is a very bad idea. https://madaidans-insecurities.github.io/android.html#rootin... But GrapheneOS is fully open source and provides great build instructions, so you can always make your own build and add whatever features or privileged apps you like within the standard AOSP frameworks for privileged apps with system integration.
> DNS-based ad blocking is possible via apps like AdGuard
DNS-based blocking can also be accomplished by using Android's native Private DNS feature with a resolver that blocks ads. You could even host your own on a VPS if you are more comfortable running name resolution and DNS-level adblocking on infrastructure you control.
Thank you so much for replying! Seems promising, I will take a closer look. I'm definitely looking forward to possibly buying a Graphene-powered Motorola phone in the future.
Rooting is only a bad idea if there is an alternative. Unfortunately I have to root my devices because there isn't an alternative method to provide me, the physical owner of the device, with control over the device. I would much prefer not to generally have root on my phone but to be able to access root externally or via a hardware switch or some other scheme. ADB root is fine.
The alternative to "running as root" isn't "not having access to root".
>Rooting is only a bad idea if there is an alternative.
An alternative to accomplish what?
>to provide me, the physical owner of the device with control over the device
Control over what properties or behaviours of the device, exactly?
No offense, but these complaints feel more like aesthetic ("I want to log into a user named root") than practical ("I want to be able to do things that could only be done under root")
You're missing the point completely. Of course there are more secure ways to do a lot of things; the problem is that if there isn't an alternative "secure" mechanism to accomplish what I want, then if I have root I can just get it done whatever way works for me. I do not want to run into a situation like I did prior to having root, where my voice memos, unbeknownst to me, end up in some sort of elevated privileged enclave and I can't copy them over to my computer.
There's a myriad of reasons to have root, like baseline I want to be able to watch my network traffic. I want to be able to spoof my location, I want to be able to sftp into my phone and mount it as a drive because it's convenient. I want to access sensors and log them in the background. I wanna just run normal linux daemons.
I don't need any of these reasons though, all I need is the desire to be the ultimate arbiter of what happens on my devices. I don't need to or want to control all aspects of what goes on my device, I'm fine giving up control, I'm not fine with it being taken away from me. Everything else is secondary, the person with final say on what happens on my device should be me.
I'm trying to understand why rooting Android is such a sin.
If I give root to my terminal so I can browse and edit any files I want, I'm placing a lot of trust in the terminal, sure. But trusting the terminal seems reasonable, as it's an important (basic; fundamental; necessary) part of any "real" OS. If I don't trust the terminal to not be malicious, why should I trust my OS? Anything could be compromised from a supply-chain attack. If we don't trust anything, we can turn off the computer and have perfect security, but if we accept that there's a trade-off between security and usability, we have to place some trust in some parts of the system.
> It does not matter if you have to whitelist apps that have root — an attacker can fake user input by, for example, clickjacking, or they can exploit vulnerabilities in apps that you have granted root to. Rooting turns huge portions of the operating system into root attack surface; vulnerabilities in the UI layer — such as in the display server, among other things — can now be abused to gain complete root access.
So if some app can somehow exploit the display server, it can inject commands on the terminal and hide the real output? I know the X server on Linux has (or has had) major security issues [1] that don't provide any real GUI isolation. Is that the type of issues Madaidan is talking about?
I don't know much about Android's display server, but if it's possible for an app without root access to exploit it, couldn't that app inject touch events or keystrokes in another app, or read the other app's screen? How would not having root benefit me if a random can view or control other apps without my knowledge by exploiting the display server? [2]
From what I gather if an app with root access has vulnerabilities, it makes it easier for another app (or other type of malicious code) to use it to gain root. But if the UI layer, to use Madaidan's example, has a vulnerability, it seems like it could be exploited successfully, with awful consequences, even if the malicious code doesn't get root in the end. So if I choose several apps to give root access to, I would just extend the attack surface from {all of the OS and its various layers} to {all of the OS and its various layers and those several apps}.
> root fundamentally breaks verified boot and other security features by placing excessive trust in persistent state.
I don't understand this. Could someone explain it with more details to me, please?
Of course the topic as a whole is much more complex than that, but I'll try to summarize it. Android has 3 systems of access control [1][2]:
- Discretionary Access Control, i.e. the standard Unix file permissions
- Mandatory Access Control, implemented in the form of the SELinux and YAMA LSMs (GrapheneOS stopped using YAMA in the 2024031400 release and replaced it with advanced SELinux policies)
- Android permissions which have to be disclosed in the AndroidManifest.xml, and most of the time need to be granted by the user at runtime
Root simply bypasses ALL of these security mechanisms. This is a clear violation of the principle of least privilege, since most of the stuff you are doing with root probably doesn't require access to your entire filesystem, and could easily run within an SELinux context. But writing and deploying a modified SELinux policy would take extra time and effort, and devs are lazy, so they just use root to completely bypass it.
As madaidan points out, only a tiny subset of system processes on Android run as root. [3] And Android has clear guidelines about what root processes are and aren't allowed to do. From the AOSP documentation:
> Where possible, root code should be isolated from untrusted data and accessed via IPC.
> Root processes must not listen on a network socket.
> Root processes must not provide a general-purpose runtime for apps (for example, a Java VM).
Desktop systems are very different from Android and iOS. Out of Android's three major security mechanisms, they typically only implement one. This is why ransomware is so insanely successful. Every program has access to all the files and folders of the logged-in user, including network shares, etc. Even on systems that implement application sandboxing and a permission system, such as macOS, it's only an afterthought, and isn't enforced properly. (macOS is still miles ahead of Windows and Linux though.) For example, when installing a 3rd-party terminal emulator such as iTerm2 on macOS, you have to grant it the permission to access your entire file system (otherwise you will be limited to the home directory IIRC). But this permission also applies recursively to every process started within the terminal, greatly limiting its usefulness.
> I don't understand this. Could someone explain it with more details to me, please?
Android uses Verified Boot to protect against both evil maid attacks [4], i.e. someone modifying the operating system on the hard drive, and malware persistence. By default, the Android /system partition is mounted in read-only mode, unlike for example your C:\Windows directory, or system directories like /bin on Linux. This prevents malware from modifying the operating system. If you ever get malware on Android or iOS, in most cases you can get rid of it by simply rebooting your device. Unless of course, the malware has some persistence mechanism. Root obviously provides a great vector for persistence, since the system partition could simply be remounted in a writable mode, and the system could be modified however the attacker wants to.
When you build your own copy of AOSP or GrapheneOS, include your modifications, and sign the image with your own Verified Boot keys, that image can't be modified or tampered with by an attacker. It's perfectly secure to do that (of course only if you can trust the extra code you're including).
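The two points above (a read-only system partition whose contents are checked against a root hash, and an image that is only trusted when the root hash is signed by a key the device trusts) can be seen in a small model. The following is an added example, not AOSP or GrapheneOS code: it builds a dm-verity-style hash tree over a constructed partition image, binds the root hash into a vbmeta-like descriptor, and shows that a persisted modification fails verification unless the image is re-signed with the trusted key. Real AVB uses asymmetric signatures (RSA) so the device holds only a public key; HMAC is used here as a stand-in because the Python standard library has no RSA, and the key names and block size are assumptions.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096  # assumed block granularity for the hash tree


def block_hashes(image, block_size=BLOCK_SIZE):
    """SHA-256 of each block of the partition image (the hash-tree leaves)."""
    return [hashlib.sha256(image[i:i + block_size]).digest()
            for i in range(0, len(image), block_size)]


def merkle_root(hashes):
    """Collapse leaf hashes into a single root hash, dm-verity style."""
    if not hashes:
        return hashlib.sha256(b"").digest()
    level = list(hashes)
    while len(level) > 1:
        if len(level) % 2:            # odd count: duplicate the last node
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]


def make_vbmeta(image, signing_key):
    """Descriptor binding the image's root hash to the signer's key.

    Stand-in for signing vbmeta: HMAC instead of an RSA signature.
    """
    root = merkle_root(block_hashes(image))
    tag = hmac.new(signing_key, root, hashlib.sha256).digest()
    return {"root_hash": root, "tag": tag}


def verify_boot(image, vbmeta, trusted_key):
    """Boot-time check: descriptor must be authentic AND match the partition.

    Real dm-verity checks blocks lazily as they are read; the whole-image
    check here is a simplification with the same outcome for a tampered block.
    """
    expected_tag = hmac.new(trusted_key, vbmeta["root_hash"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, vbmeta["tag"]):
        return False  # descriptor not signed by a key this device trusts
    return hmac.compare_digest(merkle_root(block_hashes(image)), vbmeta["root_hash"])


def sample_image():
    """Constructed 4-block 'system partition' (16 KiB of deterministic bytes)."""
    return bytes(range(256)) * 64


def tamper(image, offset=5000):
    """Model a persisted change to /system: flip one byte in block 1."""
    data = bytearray(image)
    data[offset] ^= 0xFF
    return bytes(data)


def demo():
    owner_key = b"constructed-owner-signing-key"      # your own Verified Boot key
    attacker_key = b"constructed-attacker-key"        # key the device does not trust
    image = sample_image()
    vbmeta = make_vbmeta(image, owner_key)
    modified = tamper(image)
    return {
        "clean_image_boots": verify_boot(image, vbmeta, owner_key),
        "tampered_image_boots": verify_boot(modified, vbmeta, owner_key),
        "tampered_resigned_by_owner_boots": verify_boot(modified, make_vbmeta(modified, owner_key), owner_key),
        "tampered_resigned_by_attacker_boots": verify_boot(modified, make_vbmeta(modified, attacker_key), owner_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last two results are the point of the paragraph above: a change to the system partition is accepted only when whoever made it can sign a new descriptor with the key the device trusts, which is exactly the position you are in when you build and sign your own image, and exactly the position persistent malware is not in.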
I'll read the links you posted a bit later, but for now I have a few questions that could help me clear some misconceptions I might have. I haven't used a rooted Android device yet, so I might be wrong about how it works. I've read about Magisk and other methods a bit and am familiar with the security concepts you wrote.
Let's say I give root permissions to a terminal app TermGood and I don't give root permissions to an app GameEvil. I trust TermGood fully - I accept that if TermGood is malicious or if it has some exploitable bugs, it's game over. I don't trust GameEvil at all, but I trust the OS to limit the damage it could do since it doesn't have root permissions.
1. Could I run TermGood with root only sometimes? Run it with root, close it, then run it with the normal restricted permissions. That's just to clarify how rooting works in general.
2. For macOS you wrote "this permission also applies recursively to every process started within the terminal, greatly limiting its usefulness." For Android, if I run a program like ls or vi from TermGood, will it be launched with root permissions, too? Will I have to fully trust that ls or vi are not malicious or exploitable in certain ways (e.g., running vi on a file created by GameEvil that exploits vi)?
3. Will GameEvil have any way to compromise the OS, to circumvent some security boundaries or to do any other damage it wouldn't have been able to do if I hadn't "rooted" the OS?
3.1. Would GameEvil be able to launch TermGood on its own without my knowledge? Or somehow piggyback on TermGood to take advantage of its root permissions?
3.2. If there's a bug in the UI layer (the "display server" that Madaidan gave as an example) and I had TermGood open as root, could GameEvil inject some keystrokes into TermGood or read its screen (like the output of a cat command, for example)?
3.3. Just because TermGood could have root access, does that somehow make GameEvil more likely to gain root access itself? On Linux, if there is sudo installed, it might increase the attack surface because sudo might have exploitable bugs. What could GameEvil exploit?
4. If I don't root my OS by any of the available means, what would my alternatives be for full control and customization?
4.1. AFAIK with adb you don't get rw access on / if the OS is not rooted.
4.2. Let's say I want to X (e.g., backup / to a server when it commands it to) without rooting. Would I have to create the app, then modify security policies in a way that would enable it to run without root, but with granular permissions for X specifically and nothing else, like permissions to read / and to listen on a network socket, maybe by changing the SELinux policies and/or the Android permissions of the app? Or would that be impossible? I don't really have a specific X in mind, but I want X to be as broad as possible. That's what makes it a real OS for me - being able to do anything on it.
5. If TermGood is compromised, it could reinfect the root filesystem after booting and effectively bypass Verified Boot. Or, if I used TermGood to change something on /, e.g. `touch /testfile`, would I be able to sign the new root filesystem? Ideally I should be able to control all the keys and sign the whole chain of trust whenever I make a change.
6. Android doesn't have FDE, so evil maid seems relatively easy (although any unrestricted physical access to the device should be treated extremely seriously, even with FDE in place). Is that correct?
Basically, if we assume that:
* I fully trust TermGood and the processes it spawns to not be malicious or have exploitable bugs;
* I could re-sign any changes I've made so I can keep Verified Boot working.
Then, would I be able to give TermGood root and keep my security?
It's Redacted.sh, a.k.a. RED. They have around three million torrents. But like What.CD, Redacted.sh is a private tracker, so you can't just jump in and see the content.
It is worth noting that RED is particularly difficult to get a decent ratio on. Spend some time googling reddit posts, there are plenty of examples of people not being able to build solid ratios due to competing with scripted bots.
1. You don't need a separate browser extension for blocking cookie notices, Ublock Origin can do that just fine. You just need to enable the cookie notice filters in the settings (they are disabled by default).
2. AdAway on Android allows network-level blocking without resorting to a VPN (it's based on /etc/hosts). Though it does require root.
I refuse to engage with them on principle and will not signal denial or acceptance, because doing so would legitimise this farcical, dilettante excuse for a government "solution".
I get the point you're trying to make, but it absolutely is a government solution, because it was obvious to anyone that this would be the result. And there has been nothing done to remedy or even admit their failure. Asking big tech nicely not to be evil has never worked. Besides, there are plenty of cases where websites without tracking have the popups anyway, just to be on the safe side from the wrath of EU bureaucracy.
Isn't the point of the notices that you have to explicitly agree to them for the site to be allowed to track you? Wouldn't never accepting be equivalent to rejecting?
The problem with ad blocker apps on Android is that they always require either a VPN, in which case my banking apps don't work, or root, which is getting harder and harder to get and probably also breaks my banking apps.
However, I have found that using NextDNS as a private DNS server works and doesn't cause any problems like this.
I'm still having good results with root, Magisk, and Play Integrity Fix. That does involve some knowledge and effort though, so what I point others to is Mullvad DNS, which is free: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
Don't forget to give apps that fuck with you in the name of security 1-star reviews!
True, but it doesn't require an account, and is free for unlimited use. Not having to sign up for anything is a plus when I'm recommending things to others.
I'd be surprised if it did, there's no technical reason to require those. Also, SafetyNet is deprecated in favor of Play Integrity, so you're not likely to see the former in any new apps/services.
That's interesting. When I close my eyes and imagine "seeing" things, I would actually describe it as pretty much exactly like the sensation I have when I "see" stuff in dreams. To me, this similarity is especially clear when I wake up in the middle of a dream, then close my eyes while awake — I can continue where I left off, and it "looks" exactly the same as in the dream.
But I agree that it doesn't feel like "sight", as in the physical act of seeing with your eyes.
I think I am aphantasic or mostly so. I don't see visualizations but have vague echoes of their derived properties like spatial structures. It is almost like proprioception if I were some amorphous being that could spread out my countless limbs to feel the shape of the scene.
But, I do have vivid, sometimes lucid, dreams. I would say they are exactly like seeing and being in terms of qualia. It feels like my eyes, and I can blink, cover my face, etc. It's like a nearly ideal, first-person VR experience.
They are unlike reality in that I can be aware it is a dream and have a kind of detachment about it. And the details can be unstable or break down as the dream progresses.
Common visual problems are that I cannot read or operate computers. I try, but the symbolic content shifts and blurs and will not remain coherent.
Motor problems include that I lose my balance or my legs stop working or gravity stops working and I start dragging myself along by my arms or swimming through the air, trying to continue the story.
If I've been playing video games recently, I can even have a weird second-order experience like I am fumbling to find the keyboard and mouse controls to pilot myself through the dream! That is a particularly weird feeling when I become aware of it.
I feel like I have recurring dreams in the same fictional places, but they can have unreal aspects that lead me to get lost. Not like MC Escher drawings, but doorways and junctions that seem to be unreliable or spaces that don't make sense like the Tardis.