Graphene OS has strengthened its security, many day-to-day apps affected

Graphene OS has strengthened its security by adding DCL (dynamic code loading) restrictions via memory and storage.

DCL is when an application starts executing code that is outside the APK scope.

DCL makes the app more vulnerable to exploitation, since the dynamically loaded code can be tampered with or substituted.

You might be wondering what everyday apps currently don’t run without this protection being disabled.

Unfortunately, there are many such apps.

Viber is one of them.
SimpleX too.

Signal is not affected by this bug out of the box. Fact.

8 Likes

related to issue GitHub comment

A moderator of the Graphene OS forum has commented on the situation.

I’ve tried it as well and I also get the same errors and the app also crashes for me sometimes.

Ultimately, they will need to fix it on their end.

1 Like

According to the release notes, there should be a per-app toggle in the settings for these restrictions.

2 Likes

It is indeed there, and if you disable exploit protection on these attack vectors for each application that requires disabling DCL restrictions via memory and storage individually, the application will work.

1 Like

The gap between GrapheneOS and other OSs is getting bigger and bigger. Considering the size of the GOS team, they’re punching way above their weight.

4 Likes
A little lyric

The metaphor is especially appealing to me considering one of my passions is MMA.

Essentially we are stuck in a paradigm of not maximizing individual privacy as a priority, at the cost of someone else’s corporate progress and market dominance setup.

If just one out of every three cents from Corporations went to building values and models like the Graphene OS, it would be…

If at least every third bullet and the resources for its production, used to kill the most beautiful thing on the planet - life, were used not for that but for the good, it would be…

Is this affecting some banking apps? Just noticed Citi stopped working properly.

So far I have noticed a compromise: I have been able to run my apps by disabling only memory or storage DCL, 1 of 2; each app has a different option. Not running transactions, etc.
Only opening, checking accounts, menu surfing, etc.

Banking applications are a separate and very sensitive topic to talk about, even Graphene OS notes that some features which are present as exploit protection correlate with banking tools to monitor unauthorized access, so they should be considered capricious, correct me if I’m wrong, because my experience with banking applications on a personal device protected by Graphene OS is not very long.

Notably also Proton Wallet requires DCL unlike their other apps.

1 Like

Ente also not very happy. Even in restricted

What I am concerned about at the moment and what I would like to consult with you all about is what I should do next, and whether my previous actions in creating this topic (and potentially the actions of anyone who further reports such bugs) violate Proton’s Vulnerability disclosure policy

specific section

Proton is committed to the timely correction of vulnerabilities. We will work diligently to resolve any issues that put our community at risk. We ask all researchers to bear with us as we examine the reports you submit to us, as the public disclosure of a vulnerability in the absence of a readily-available corrective action likely increases rather than decreases our community’s security risk.

Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 120 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, you must coordinate in advance with the Proton Security team.

We may share vulnerability reports with affected vendors. We will not share the names or contact data of security researchers unless given explicit permission.

Questions?

Questions regarding this policy may be sent to security@proton.me. Proton encourages security researchers to contact us for clarification on any element of this policy.

Please contact us if you are unsure if a specific test method is inconsistent with or unaddressed by this policy before you begin testing. We also invite security researchers to contact us with suggestions for improving this policy.

Because I only informed them today and I just received a response in a polite and professional manner:

Thank you for the nice words and for reaching out to Proton’s security team. We appreciate the time you took to inform us of your findings.

We will forward your report to the appropriate team, and will get back to you. Meanwhile we ask you to keep your findings confidential in accordance with Proton AG’s Vulnerability Disclosure Policy, located at Proton security response center | Proton.

Best regards,

Proton Security Team

Why do you keep posting the same messages here and in GrapheneOS forums?

Hi, thank you for your question. The answer is quite simple and reasonable. Both forums are a collection of people who are professionals in their field and have extensive experience in the subject matter among other things. This is a topic that interests me and is a priority for me because I want to benefit the community and try to be an example. One of the main factors in such cases is speed of response and maximizing the involvement of knowledgeable people in the field. The threads on this forum and on the Graphene forum present the last issue identical to this one, but relate to different crash cases.

This isn’t even a vulnerability. The app just crashes because of the non standard restrictions imposed by GOS.

2 Likes

If the website doesn’t load without JIT on a browser that has it disabled, then it doesn’t work because of “non-standard restrictions,” but that doesn’t matter at all because I would expect the website to work without it, especially if that website or service is mentioning security as one of their main selling points.

1 Like

I tend to agree. The App is expecting to have this permission to do an action in an Android environment (it could be exploited or not, it is another question), but it can’t. So it crashes.

1 Like

(Modified title so it’s clearer this impacts phone apps, not Graphene project programs)

1 Like

You are free to open tickets for any issues or crashes you may have. I am just pointing out that vulnerability disclosure isn’t the correct channel. It is meant for cybersecurity professionals that can provide detailed reports of an exploit that they found with steps to reproduce it.

3 Likes

That’s a useful point, worrying security departments about issues that shouldn’t divert their attention is less productive.

Of course, since I’m not a coder (latecomer to computers) but just an athlete who likes to read, lol. I’ll listen to you and add a poll for activeness.

Do you think it would be more appropriate to open tickets instead of sending emails through this channel?

By the way, your argument is supported by the fact that the email itself said that this would be passed on to the appropriate team.

We will forward your report to the appropriate team, and will get back to you.

Private voting for Trust LVL 1+
  • Open a ticket.
  • Mail security team.
  • Use both channels.
  • Do nothing. Chill.
0 voters