diff --git a/collections/_evergreen/android.html b/collections/_evergreen/android.html index 3ee01cf4..44ff1273 100644 --- a/collections/_evergreen/android.html +++ b/collections/_evergreen/android.html @@ -76,7 +76,7 @@ The main privacy concern with most Android devices is that they usually include
Android Rooting

Rooting Android phones can decrease security significantly as it weakens the complete Android security model. This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful verified boot. Apps that require root will also modify the system partition meaning that verified boot would have to remain disabled. Having root exposed directly in the user interface also increases the attack surface and may assist in privilege escalation vulnerabilities and SELinux policy bypasses.

-

Adblockers (Adaway) which modify the hosts file and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest DNS or VPN based blocking solutions instead. Adaway in non-root mode will take up the VPN slot preventing you from using privacy enhancing services such as Orbot or a VPN. AFWall+ works based on the packet filtering approach and is bypassable in some situations.

+

Adblockers (AdAway) which modify the hosts file and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest DNS or VPN based blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot preventing you from using privacy enhancing services such as Orbot or a real VPN. AFWall+ works based on the packet filtering approach and is bypassable in some situations.

We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
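
Review bot: The added sentence "RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot" comes directly after "we suggest DNS or VPN based blocking solutions instead", so the paragraph recommends VPN-based blocking and then lists three VPN-based blockers as a problem without saying which option is preferred. Suggest stating the trade-off explicitly: these apps need no root but occupy the VPN slot, so say what readers who also rely on Orbot or a VPN should use. "a real VPN" is also vague. Say what distinguishes it from the local VPN these apps create, or keep the original "a VPN".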

@@ -131,7 +131,7 @@ We have these general tips:

GrapheneOS extends the user profile feature allowing a user to press an "End Session" button. This button clears the encryption key from memory. There are plans to add a cross profile notifications system in the future.

INTERNET permission vs packet filtering
-

Packet filter based solutions such Datura Firewall, LineageOS (DivestOS), AFWall+ and Netguard, are not ideal as they can leak and don't prevent an app from proxying a network request through another app using an intent. Other filtering solutions such as RethinkDNS also prevent you from using a VPN at the same time.

+

Packet filter based solutions such Datura Firewall, LineageOS (DivestOS), AFWall+ and NetGuard, are not ideal as they can leak and don't prevent an app from proxying a network request through another app using an intent.

Android has a built-in INTERNET permission. This is enforced by the operating system. On AOSP and most of its derivatives, it is treated as an install time permission. GrapheneOS changes it to runtime permission, meaning that it can be revoked to deny internet access to a specific app.
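
Review bot: The rewritten paragraph fixes the NetGuard capitalisation but keeps "such Datura Firewall" (missing "as") and the stray comma before "are not ideal". "LineageOS (DivestOS)" also reads as the name of an operating system in a list of firewalls, so name the firewall feature that is meant. The removed sentence about RethinkDNS preventing simultaneous VPN use now appears only in the Android Rooting paragraph. If the VPN-slot limitation still matters for readers comparing packet filtering with the INTERNET permission, keep a short mention or a pointer here.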

@@ -156,7 +156,7 @@ We have these general tips:

Android 12 comes with special support for seamless app updates with third party app stores. The popular Free and Open Source Software (FOSS) repository F-Droid doesn't implement this feature and requires a privileged extension to be included with the Android distribution in order to have unattended app installation.

-

GrapheneOS doesn't compromise on security, therefore they do not include the F-Droid extension therefore, users have to confirm all updates manually if they want to use F-Droid. GrapheneOS officially recommends Sandboxed Play Services instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like Newpipe).

+

GrapheneOS doesn't compromise on security, therefore they do not include the F-Droid extension therefore, users have to confirm all updates manually if they want to use F-Droid. GrapheneOS officially recommends Sandboxed Play Services instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like NewPipe).

CalyxOS includes the privileged extension, which may lower device security. Seemless app updates should be possible with Aurora Store when CalyxOS is upgraded to Android 12 and #153 is completed.
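
Review bot: The added line only changes "Newpipe" to "NewPipe" and keeps the run-on "therefore they do not include the F-Droid extension therefore, users have to confirm all updates manually". Since the line is being touched, split it into two sentences. In the following context paragraph, "Seemless" should be "Seamless" to match "seamless app updates" earlier in the section, and the bare "#153" should name or link the issue tracker it belongs to so the reference can be followed.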