waydroid / waydroid

Waydroid uses a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu.
https://waydro.id
GNU General Public License v3.0

Security Documentation #538

Open maltfield opened 2 years ago

maltfield commented 2 years ago

This ticket is a request to add a "Security" section to the documentation:

Issue

I'd like to use waydroid for virtualizing security-critical Android apps, but I can't find any documentation that would allow me to determine if it's safe to do so.

Generally speaking, I don't trust my Android handset. My laptop has a >20 character passphrase, proper FDE, compartmentalization with QubesOS, and all kinds of physical security protections. My handy is something I keep in my pocket and need to lock/unlock fast. It therefore has significantly less protection. I don't think I'm alone here; I think this is generally the case for most people: their laptops are more secure than their phones.

Unfortunately there's this anti-pattern where a lot of financial institutions require you to use an Android app for various bank-related tasks. That's terrible. For security reasons, I refuse to use my handset for managing my finances.

This is where waydroid comes in. It would allow me to run Android apps forced upon me by my bank in a virtualized environment inside my hardened computer. I think virtualizing security-critical apps on security-hardened laptops would be an excellent use case for waydroid in general.

Solution

The security design, implementation, and usage instructions should be documented so that users can understand the risks, benefits, and how to take advantage of waydroid for security-critical applications.

I can't enumerate all of the things that should be documented here, but I know that the Debian release of waydroid uses a cryptographically signed repo with PGP. Explaining what this does, why it's part of the security design of waydroid, and how it works should be a good start to this "Security" section of the waydroid documentation.

Quackdoc commented 2 years ago

I'm no security professional or anything, but right now I wouldn't trust waydroid with anything security critical. If you are looking for something secure, I would recommend virtualisation by way of Bliss or some other android-x86 variant currently.

Waydroid runs as a root container and, while apps cannot get root access, it is always a safe assumption that if the container gets compromised so would the host. And while waydroid does have AppArmor support, it's not yet been thoroughly tested, and it's not something I would trust without third-party validation anyway.

If I were to use android in a security context, where I would either need to protect the host from malware or even vice versa, I would opt to use qemu + bliss myself.

I agree that security will eventually be a great use case for waydroid; I don't think I would trust it yet.

maltfield commented 2 years ago

@Quackdoc thanks for looking at this, but I think you misunderstand my use-case.

I wouldn't trust waydroid with anything security critical

I'm not suggesting that I want to use waydroid for insecure "untrusted" apps because I think it's good at sandboxing.

What I'm suggesting is that I want to use waydroid for secure "trusted" apps (e.g. my bank's app) on my laptop because I trust my laptop more than I trust my handset. In my use case, waydroid would be running inside an AppVM on QubesOS that's siloed off (security through compartmentalization) from the rest of my system.

Waydroid runs as a root container... it is always a safe assumption that if the container gets compromised so would the host.

Not an issue for this use-case.

What I don't want is to run my bank's app on my Android phone, because the phone itself is extremely insecure.

I would opt to use qemu + bliss myself.

I'll also look into BlissOS, thanks.

Quackdoc commented 2 years ago

ahh I see.

Generally speaking, waydroid images start by using LOS as a base and apply a series of patches on it, so I would trust waydroid about as much as you trust LOS. And while LOS is strictly NOT degoogled, it could still be a good platform as it doesn't have a lot of the vendor junk. However, if you need absolute confidence that it's free of junk, I would recommend looking at the AOSP builds (or the vanilla android-x86 project), or possibly asking the maintainers of a degoogled or "security focused" ROM to look into the android generic project, as android generic somewhat supports both ax86 images and waydroid images.

I would still, in this case, use Bliss OS inside of qemu, or in your case it might even be possible to create a qube using it; that's not something I have ever tried myself, so I cannot comment on the viability of it. I would do this for the fact that you can set a frozen state in the VM and always be able to boot to that, meaning every time it reboots, it reboots to the frozen state, so no matter what you do in the VM, it won't be contaminated for whatever reason.

maltfield commented 2 years ago

I would also be very interested if waydroid could run on more secure alternatives than LineageOS, such as GrapheneOS or CalyxOS.

secretmango commented 10 months ago

Enumerating some big security issues with waydroid:

If you want a secure device, use a Pixel 8 with GrapheneOS. Isolate your Banking apps in a different user profile which is not the main one, use a reasonable pin code with pin scrambling.

GrapheneOS is by far more secure than any laptop with slow or even outdated firmware updates, Intel ME, etc. CalyxOS is just LineageOS with some "privacy bling" on top. It is not secure as it uses microG, and it also lacks pretty much most features of GrapheneOS (preinstalling Signal is not a feature).

I am wondering, why can't Waydroid use a rootless Podman container? AFAIK it is unable to use USB anyway.

maltfield commented 9 months ago

@firefoxlover the benefit of an emulator is security through compartmentalization with distinct VMs -- far greater security isolation than Android sandboxing or user profile siloing.

If I have 10 apps then I'd need 10 phones with the "Pixel 8 & GrapheneOS" solution. And, because GrapheneOS doesn't support old phones, I'd need to buy 10 new phones every few years. That's not a very practical solution.

With an emulator, I can have 10 distinct VMs running in QubesOS, providing very high security for annoying services that require apps (e.g. banking software).

I recognize that waydroid likely has lots of security issues. The first step in fixing this is documenting the vulnerabilities; then, once identified, they can be fixed.

sta-c0000 commented 9 months ago

I don't know if you can call Waydroid "secure" and consider dubious security-critical Android apps. But I agree that cell phones being treated as identity trust keepers is terrible.

I know someone who's running Android in a VM just for Microsoft Authenticator, which requires Google Play Store and services (push). Microsoft Authenticator is mandatory for their work, they do not allow alternate login authentication methods. Microsoft Authenticator runs on Android and iOS only (not even Windows). It's silly for them to have to run a VM in a window next to the browser on the same PC to satisfy an obviously artificial "security" requirement.

But at least we have the ability to do this instead of being forced to buy extra throw-away battery-operated devices.