• 0 Posts
  • 11 Comments
Joined 6 months ago
cake
Cake day: May 9th, 2025

help-circle

  • prism@lemmy.dbzer0.comtoAndroid@lemmy.worldcustom rom?
    link
    fedilink
    English
    arrow-up
    1
    ·
    20 days ago

    KernelSU has something like this called app profiles where you can set the capabilities that each app gets when it uses su. And if you are a SELinux wizard you can also set a custom domain for each app which would give you the fine grained control you’re looking for. I doubt the average KernelSU user wants to delve into SELinux details so some tool to automate this would be cool. Sadly doesn’t look like Magisk supports this.


  • prism@lemmy.dbzer0.comtoAndroid@lemmy.worldcustom rom?
    link
    fedilink
    English
    arrow-up
    2
    ·
    20 days ago

    Rooting devices breaks the principle of sandboxing: one app shouldn’t be able to access or modify another app or its data, or system files. If you give an app root, it can do whatever it wants to the system. It could install a keylogger to steal credentials, extract login tokens from another app’s storage or just nuke system files to make your device unbootable.

    Let’s say you don’t give any apps root. Even having a rooting platform on the phone (e.g. Magisk) is still a vulnerability. Most rooting platforms will ask the user whether an app should get root when the app requests it. But there could be code execution vulnerabilities (e.g. buffer overflows) in the rooting platform that let you add an app to the list of apps allowed to use root without user confirmation.

    TLDR: Root gives an app full access to the device, it could do anything with that. Even if you’re careful with what you give root to, it still adds a lot of attack surface that could be exploited.


  • prism@lemmy.dbzer0.comtoAndroid@lemmy.worldcustom rom?
    link
    fedilink
    English
    arrow-up
    7
    ·
    20 days ago

    I use GrapheneOS without play services on my daily driver because I despise Google’s forcing play services down Android’s throat. The irony isn’t lost on me that Graphene only works on Google devices, that will hopefully change soon as Graphene works with an OEM to build their own devices. I don’t bother with banking or government apps as they aren’t mandatory where I live, at least not yet. I try to stick to FOSS (or at least source available) apps where possible.

    On a secondary device I also run a rooted version of GrapheneOS just for fun. Yes I know it might be viewed as terribly insecure but it’s just a secondary device that I like to play around with, it doesn’t have any important data on it. I find it quite interesting to learn how rooting methods work to bypass the normal security measures in place.