• Gooey0210@sh.itjust.works
    link
    fedilink
    arrow-up
    1
    ·
    11 months ago

    My last comment wasn’t really addressed personally to you, sorry i sounded like that

    Having root is almost never a security benefit, it allows you to close one hole, but opens up 10 new more

    It means you have your bootloader unlocked, you have secure boot disabled which allows for persistent malware. Just having root by itself opens up many more remote, zero click, or just very dangerous exploits

    F-droid is not secure, some of the issues had been resolved, but it’s still not recommended for best practices

    Of course, everything depends on the thread model

    I personally really like fdroid and izzy, and other custom repos. And root is a cool thing, although i don’t have it on my daily driver(but have on my test phone)

    • Zak@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      11 months ago

      There may be some other comments being unfair. People shouldn’t complain about free software someone else gives to them falling short of perfection, but we should be careful about granting random apps root permissions.

      Having root is almost never a security benefit, it allows you to close one hole, but opens up 10 new more

      I think it’s more like two:

      • If an app granted root privileges is compromised, the damage it can cause is much greater
      • The bootloader has to be unlocked for most approaches to gaining root; I consider it a design flaw that it isn’t easier for users to add signing keys and re-lock the bootloader

      F-droid is not secure, some of the issues had been resolved, but it’s still not recommended for best practices

      This is another very binary statement about security. The article addresses a number of design issues with F-Droid and concludes that most users are better off getting apps from Google Play. I don’t disagree with the design complaints in theory, but in practice it doesn’t hold up. I’ve seen people get malware from Google Play and read a number of documented cases. I have never heard of malware in the official F-Droid repository.

      I’m reminded of comparing Windows to Linux 20 years ago. In theory, Windows had a more sophisticated permissions model and more reliable logging, making it potentially more secure. In practice, it took significant care to keep a Windows desktop clean, while Linux was very unlikely to be compromised.

      Of course someone with high-value secrets on their device or who’s likely to be directly targeted by sophisticated threats should probably take a more conservative approach, install very few apps, and consider a hardened ROM like GrapheneOS.

      • Gooey0210@sh.itjust.works
        link
        fedilink
        arrow-up
        2
        ·
        11 months ago

        Agree, agree, agree

        But have some sidenotes to add 😂

        The bootloader has to be unlocked for most approaches to gaining root;

        Did you know you can root grapheneos, and lock the bootloader? 😂 pretty dangerous stuff to do, but possible!

        concludes that most users are better off getting apps from Google Play.

        In general, screw google play, and screw google, or any big corpo, it’s not even about security, but about them being bad companies and bad services

        And the same about windows, joy is the most important thing, if software is full of trackers and just designed poorly, why would anyone want to use it 🫠

        • Zak@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          11 months ago

          I did not know that it was possible to have root on GrapheneOS with a locked bootloader, but there have been ROMs with SU functionality built in, and adding their keys would be a straightforward way to have root and a locked bootloader.