Hi there, I have always used custom roms on my phones for years and rooted them as well as I use apps like AdAway which works to block ad trackers and such.
I keep reading that this is really bad for security but I don’t really understand why. I do have my phone set to auto reboot into BFU mode periodically as well as reboot if a data cable is plugged in while locked. If someone were to get a hold of my phone my understanding is that especially in BFU mode there’s not much they can do as the data is encrypted.
I guess in theory they could replace the bootloader but I don’t understand where that would get them because unless they also had my password I’d immediately notice that the rom is different.
Any app that asks for root is going to ask for it via Magisk and I’d notice it I feel like so I don’t understand how this is a security concern either.
I feel that if someone has physical access to your device you’re in a bad situation anyway and I’m having trouble understanding how much more having a locked bootloader and not root protects you in that case, can someone explain it to me?
Sure, basically if a malicious actor replaces the operating system, verified boot will detect it, and in the case of GrapheneOS, attempt to obtain the original data:
In other words, a locked bootloader attempts to act as a tamper-evident security seal with data recovery properties.
What I don’t understand is how someone could replace the OS without me noticing? If they don’t have access to my data because my phone was in BFU I’m going to see immediately something is off even just from the way my lockscreen looks.
Or is the concern more that a malicious boot sector would be installed and the OS/data left intact? I’m more familiar with this concern on Linux servers and not 100% clear how this works on Android devices.
I guess I’m having trouble understanding such a scenario or adversary as I feel like taking my phone from me unlocked in public or shoulder surfing my pin would be much easier for this adversary and yield greater results
It is called an evil maid attack. Basically, if you left your device unattended for a few minutes, a malicious actor could physically access your device and attempt to attack it using various vectors in order to exfiltrate data, gain persistent elevated privileges, or other nefarious goals. The other approach is remote access, which depends on the radio frequency attack surface of your device, among other exotic attack vectors.
In the case of GrapheneOS, keeping the bootloader unlocked could allow a malicious actor to modify partitions’ contents, which means that a user may not necessarily detect it past AFU.
How can the partition’s contents be altered if it’s encrypted? I guess I may not be familiar with how android does encryption because obviously some things are left unencrypted for BFU. I’m thinking more of a LUKS partition that you couldn’t really alter in that way
Simply put it is all about your threat model (i know it sounds like broken record) and the designed use case of your device.
I wont worry about it if it is to be used only inside my home, only connects to guest network, with only privacy respecting apps installed, with no sensitive apps (e.g. messenger, email client, banking apps, VOIP etc.), and for entertainment purposes only.
BUT if it follows me to the street, of it will be used for sensitive, personal stuff, then I think it js a bad idea. Since it will definitely be the weakest linkof the whole chain of trust, and it could be breaches easily, if you connect to malicious wifi hotspot, bogus usb charging port, etc.
edit: The point hereis not solely about likelihood, it is also about weighing between pros and cons, as well as the necessity of such choice.
Ok so in this scenario the adversary would already have to know my password?
If my threat model doesn’t include people knowing my password is the unlocked bootloader that dangerous in terms of an adversary getting access to my data, especially with the additional protections I put with reboot on data cable and BFU every X hours etc
When the phone is booted up the message about it being bootloader unlocked always looks quite severe, “Do not trust the data on this device, do not store sensitive data on this device, the data may be available to attackers”
From what I’m understanding they would really need to have my password in AFU to do any of this? Which would be quite a concern on a non unlocked bootloader as well
Ah OK, so they can extract from BFU but other than the metadata what they would be able to extract would be encrypted correct? So if I had a long password on the phone vs a short pin they would have to brute force?
Well if the marketing/testimonial videos’ claims are to be trusted, then unlocking, decrypting, and extracting the device’s contents are all achieved using the one tool alone: