@ -2,9 +2,19 @@
title: Android Overview
icon: material/cellphone-check
---
Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
The main privacy concern with most Android devices is that they usually include [Google Play Services](https://developers.google.com/android/guides/overview). This component is proprietary (closed source), has a privileged role on your phone, and may collect private user information. It is neither a part of the [AOSP](https://source.android.com/) nor is it included with the below derivatives.
The main privacy concern with most Android devices is that they usually include [Google Play Services](https://developers.google.com/android/guides/overview). This component is proprietary (closed source), has a privileged role on your phone, and may collect private user information. It is neither a part of the [Android Open Source Project](https://source.android.com/) nor is it included with the below derivatives.
## Choosing an Android Distribution
When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services which are not part of the [Android Open Source Project](https://source.android.com/). An example of such is Google Play Services, which has unrevokable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android.
This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often break the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship with [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via the [Android Debug Bridge](https://developer.android.com/studio/command-line/adb) (ADB) and requires [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accomodate debugging features, resulting in a further increased attack surface and weakened security model.
Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in enforcing mode. All of our recommended Android distributions satisfy these criteria.
[Our Android System Recommendations :material-arrow-right:](../android.md){ .md-button }
## Avoid Root
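Review bot: the new paragraph on `userdebug` builds carries a spelling error and a number-agreement slip: "accomodate" should be "accommodate", and because the subject is "builds", "requires [more permissive] SELinux policies" should read "require". In the paragraph before it, "unrevokable privileges" reads more naturally as "irrevocable privileges". Expanding AOSP to Android Open Source Project in the Play Services paragraph and introducing the AVB abbreviation on first use are the right calls, since the added "Choosing an Android Distribution" text leans on both terms.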
@ -34,41 +44,4 @@ It's important to not use an [end-of-life](https://endoflife.date/android) versi
Should you want to run an app that you're unsure about, consider using a user or work [profile](android/#android-security-privacy).
## Advanced Protection Program
If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](/security/multi-factor-authentication.md#fido-fast-identity-online) support.
The Advanced Protection Program provides enhanced threat monitoring and enables:
- Stricter two factor authentication; e.g. that [FIDO](/security/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of SMS OTPs, TOTP, and [OAuth](https://en.wikipedia.org/wiki/OAuth)
- Only Google and verified third party apps can access account data
- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
- Stricter recovery process for accounts with lost credentials
For users that are using the privileged Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as:
- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)
- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work)
- Warning the user about unverified applications
## SafetyNet and Play Integrity API
[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financal apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.
As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services.
## Advertising ID
All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you.
On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to ⚙️ Settings → Apps → Sandboxed Google Play → Google Settings → Ads and select **Delete advertising ID**.
On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check
- ⚙️ Settings → Google → Ads
- ⚙️ Settings → Privacy → Ads
Depending on your system, you will either be given the option to delete your advertising ID or to "Opt out of interest-based ads". You should delete the advertising ID if you are given the option to, and if you are not, we recommend that you opt out of interested-based ads and then reset your advertising ID.
--8<-- "includes/abbreviations.en.md"
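Review bot: this hunk collapses 41 lines into 4 and so removes the Advanced Protection Program, SafetyNet and Play Integrity API, and Advertising ID sections wholesale; if that material is being relocated rather than dropped, say so in the commit message and link the new home from this overview, because after the change nothing on the page points readers to the Play Integrity or advertising-ID guidance. Also check the one cross-reference that may survive, `[profile](android/#android-security-privacy)` on the "Should you want to run an app that you're unsure about" line: it is written as a path relative to this page's own directory, unlike the `../android.md` form the first hunk uses for the recommendations button, so one of the two is likely to resolve to the wrong place.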