Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
colordrops 4 days ago

What is the threat model when enabling root on a phone and why can't it be mitigated? Root is enabled on most servers and desktops and we are surviving fine.

integralid 2 days ago | parent | next [-]

Threat model is that you can "spy" on what your applications are doing, or do things undesirable to application owners (like making screenshots).

This is desirable to end users, but my understanding is that making your os rootable will make applications like bank apps blacklist your os, and make it more or less unusable for a normal user.

Brian_K_White 4 days ago | parent | prev | next [-]

The way apps behave and the user interface to apps and the way they are used, the level of basic visibility and control that the user has moment to moment, is totally different on a phone than on a pc.

j4hdufd8 4 days ago | parent [-]

How so?

subscribed 4 days ago | parent | prev [-]

This is why most desktops and servers are comparably much less secure.

Check why Qubes OS was developed.

const_cast 3 days ago | parent | next [-]

In practice, desktops and servers are quiet secure because you don't need to download random closed-source firmware and apps to use your device.

iOS and Android are a security nightmare. Downloading a random-ass executable to pay for parking is asking for trouble. Relying on millions of lines of proprietary Google code that you-don't-know-what-it-does is asking for trouble.

This code could have, and almost certainly does have, spyware, keyloggers, and various other forms of malware. You're simply trusting that it doesn't, because it's unverifiable.

And this doesn't even TOUCH on all the vulnerabilities associated with cellular networks, the baseband, SS7, etc. Good luck auditing that code.

At least on a server I can have some baseline guarantees about what software I'm running and what it's doing. Whereas on a phone, your location could constantly be triangulated, your phone identity spoofed, your cellular traffic sniffed, and on and on and you'd never know.

I mean, just this week we saw a post on here about ICE using fake cell towers to identify protestors. That shit is truly trivial to do, and people have been doing it for almost two decades. You wanna talk CVE? Start with that.

buckle8017 4 days ago | parent | prev [-]

The user has real dom0 root on qubes.

sterlind 3 days ago | parent [-]

Is Qubes resistant to forensics? I think its selling point is multi-level security and lateral movement prevention, not safeguarding data on a stolen laptop.

strcat 2 days ago | parent [-]

No, it's not resistant to forensics unless it's turned off when obtained. The hardware / firmware / software makes no serious attempt to protect a device in the After First Unlock state.