Hot take: rooted phones are inherently less secure. That does not include GrapheneOS btw, since you don't have root privileges on an official build of GrapheneOS.
Hot take: rooted phones are inherently less secure. That does not include GrapheneOS btw, since you don't have root privileges on an official build of GrapheneOS.
"Less secure" depends on your threat model.
I'm much less worried a hypothetical attack where I accidentally give sudo access to a malicious app than I am about the well-established ongoing attacks where Google violates the entire population's privacy, or the regular stream of malware that makes it into the official app store.
Not that long ago it was considered a problem to have a rootkit on your machine [1]. Nowadays it's getting hard to acquire a device that hasn't been rootkitted at the factory.
[1] https://en.m.wikipedia.org/wiki/Sony_BMG_copy_protection_roo...
There's always a root account, the only issue is who has access to it.
So... phones where a corporation has root are more secure that phones where the owner has root, you say? Secure for whom? For the user? Seems obviously wrong. It's more secure for someone else to have power over you?
Again, you're just a few words from "Freedom is slavery".
> So... phones where a corporation has root are more secure that phones where the owner has root, you say?
You're putting words in my mouth that I explicitly rejected when I said "that does not include GrapheneOS". Just to prevent the follow up "well actually GrapheneOS is an organization": they don't have any kind of root access to GrapheneOS phones. The only thing they can do is push system updates, which you can (1) reject and (2) verify if they are the same updates being pushed to all users, to avoid targeted attacks.
> Secure for whom? For the user? Seems obviously wrong. It's more secure for someone else to have power over you?
Yes, secure for the user. Sure, power users that very carefully review any system mods they install with root powers would have the same level of security as with a non-rooted phone. But most people won't read the source code of root apps/extensions they install.
It's easier to tempt mobile phone users to install "cosmetic improvement/customization whatevers" that happen to require elevated privileges, than desktop Linux users. It's well known that many Android apps bundle near-malware that slurps all data possible, and will ask for root privileges if that is detected.
The fact is that mobile phones tend to contain more sensitive data than desktop computers (and are thus significantly more secure by default than Linux/Windows computers). Contacts, private messages, photos, etc. It's a more valuable target, so more effort is put in developing malware for phones.
Hotter take: if you don't have root, you've been pwned.
> Hot take: rooted phones are inherently less secure.
My computer is rooted, making it inherently less secure than my phone, yet I have no trouble accessing my bank website. What threat is a bank protecting against by disallowing app usage on a rooted phone?
When I access my bank from my computer, I need to authenticate using a secure token, where my options are an RSA-style dedicated device or a secure (non-rooted) smartphone.
great question! probably historical reasons:
* computers have always been "rootable", so the banks can't do anything about that
* phones work with "apps", which are viewed as more dangerous than websites. So they came up with the concept of app curation (monitoring large appstores for lookalikes and viruses), and by rooting/sideloading you are violating that model.
* Repackaging a legit app into a malicious lookalike is relatively easy on Android, but harder to distribute if you combat rooting/sideloading.
* if your phone is rooted the bank may be concerned that you could be more susceptible to installing dangerous things, including apps that intercept your 2fa.
You can argue whether these points held up over time (or whether they make things more secure), but that seems to be why they do it. It costs them relatively little to try to combat rooting but potentially liable for losses if people get phished/hacked so...
> What threat
The threat to majority. Very very few people own a computer than a phone. And those people are much more tech savvy.