Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
imiric 4 days ago

> A root access is a big hole

How so?

On Linux, I can add an account to the sudoers list, and have the flexibility to configure the level of security appropriate for my use case. I have yet to experience any security issues (that I'm aware of). Why isn't this possible on my mobile device as well?

This absolute stance is not right. Security is not binary, but a spectrum. I should be allowed to have full control over my device without this being a security risk.

rfoo 4 days ago | parent | next [-]

Well, anyone with actual root on a secure (locked, verified boot on) Android phone can hard brick it with a single command. Yes, you can yell at the user telling them it's their fault. Still something you usually do not want to support.

I don't think having authorized temporary root is inherently insecure, but on the other hand making sure it is secure could be a huge time sink.

Now, the original request here, modifying user app (I'd assume it's not system app) data, is reasonable. Designing a properly authenticated way to allow doing so would be an interesting challenge.

subscribed 4 days ago | parent | next [-]

Oh, I agree that the initial request is more than reasonable. Titanium Backup is something i miss every day.

Especially since Seedvault is.... ekhm, lacking.

tiberious726 13 hours ago | parent [-]

Seedvault is the /worst/. I ranted about it here a few months ago, and the lead dev says he's aware they really need something better: https://news.ycombinator.com/item?id=42541520

fsflover 4 days ago | parent | prev [-]

> Designing a properly authenticated way to allow doing so would be an interesting challenge.

Qubes OS solved this problem. I don't see any flaws in their security model relying on vurtualization.

subscribed 4 days ago | parent | prev [-]

How so?

Root can access absolutely everything.

Malware capable of getting root can access / exfiltrate anything, use your network, flash your firmware, can persist permanently, can use you as a vector.

Shellshock, log4j, Heartbleed. Hundreds of the big profile vulnerabilities that can be exploited on the system in an attempt to obtain root. And then you're cooked.

You really think a malware with the root access can't do much?

Why do you think selinux (and similar) even exist?

This isn't absolute stance. This is just stating that having a root access on the proruction/daily system is the opposite of security.

wkat4242 3 days ago | parent | next [-]

Yes but root still exists in phones just like it does in servers. It's just not accessible by the user. The OS does run processes as root and it needs it for things like updates.

Also, the user having root access doesn't mean that every process they run has root rights. For rooted phones there's apps to control what it's used for. Anything else just runs with the limited rights as before.

Of course those 'sudo' apps would be an attack vector but a pretty niche one.

imiric 4 days ago | parent | prev [-]

I understand the risks, but just because they theoretically exist doesn't mean that they pose an active threat in all scenarios, or that they can't be mitigated.

The idea of locking the system down completely and preventing anyone from accessing it is technically more secure, but it creates many practical issues for tech-savvy people who want full control over their devices, which is the vast majority of the GrapheneOS user base.

If SELinux can mitigate the risks, then sure, let's use that. I don't really care what the technical solution is to this problem.

I'm just saying that:

a) As a user of an OS I want to be allowed full control over my device and not have babyproofed functionality because "it's for my own good". That is the realm of walled garden OSs from most major corporations which I deliberately avoid by using GOS in the first place.

b) My personal threat model doesn't involve using a bunch of untrusted applications, and I'm fine with trading some security for convenience. If the risks from choosing convenience can't be mitigated, then my OS should be flexible enough to allow me to make that choice. Other OSs can do this, so why can't GOS? I'm inclined to believe that there's no technical reason for it, but it's something that maintainers simply don't want to support. Which is fine, it's their project and their prerogative, but then let's not pretend that this is a discussion about security.