Conversation

We're hopeful the recent attention will help us with finding hardware partners with aligned goals. It's a requirement for the devices to be at least as secure as a Pixel. That includes a modern mobile SoC and a comparable secure element to the Titan M implementing the same APIs.
Initially, it doesn't need to be better. It's difficult enough to produce a device meeting the same standards without severe privacy or security regressions. We're not interested in having our brand associated with a device that's marketed as private and secure but is worse off.
The setup we want to have isn't far from what Google was doing with Nexus devices. GrapheneOS needs substantial input into the design and implementation of devices. They'll use our signing keys for boot chain, stock OS verified boot key, etc. Pixels set the baseline standards.
Some additions to the secure element APIs would make sense and a 'Sensors Off' switch disabling all sensors usable for audio recording (microphones, cameras, gyroscopes, accelerometers, compass, barometer, etc.) for mitigating a compromised device would be a nice frill to add.
Does it mean that on Pixels + GrapheneOS, when an app has "sensors access", it has indirect access to audio recording, even if the microphone permission is off?
Sensors like gyroscopes and accelerometers can be used for recording audio. Android doesn't give apps high frequency polling of sensors and limits their usage in the background: developer.android.com/guide/topics/s. The kill switch threat model is that the device has been compromised though.
That means for the kill switch threat model, there is no limitation on polling sensors, and they make much better microphones than they do with that limitation. Even with the limitation, they can perform crude audio recording. Sound is vibration. Gyroscopes, etc. are crude mics.
Custom hardware isn't going to change anything about the permission model used in the OS or the semantics for it. It seems like you're misinterpreting this as an issue with Pixels. GrapheneOS adds the Sensors permission because they leak crude forms of audio, location, etc.