Yeah try it. It is concerningly easy. Write a program that edits the users bashrc/zshrc. Have it append a line that adds something to the front of the path, and have it shim sudo. You can even have it forward the password to the real sudo.
Instead of waiting for the user to open another shell, you can also open a subshell. (E.g. your malicious program never returns/exits, it just appears to exit by opening a subshell witj the modified path)
Immutable OS’s like nix and fedora silverblue still have sudo, they can still rm -rf /. If they can do it and maintain security, then Android can too.
I agree both the OTA and safe way of doing superuser requests could be heavy technical work. My bigger point is people who manage ROM’s shouldn’t demonize having full control of devices we own. Root can be done safely. Its not an inherent security risk, its just a technical problem waiting for a technical solution. “Just accept you dont need it” is not an acceptable response IMO.
Good guess about the federating problem. Thats a good reminder for me to change instances (was on lemm.ee before it died, .world was my backup).
OTA, While a fair point, again is a technical problem. Desktop systems get timely OTA updates. Its perfectly possible for rooted Android to get security updates that are on-par with rooted (e.g. basically any) Linux systems. The hash can be done on the incoming update instead (integrity hash) instead of on the system.
Linux has other tools and protections.
- If there are protections they’re at the system level (not app space). Which means the ROM provider could/should add those same protections as Linux instead of saying “you dont need root, stop asking”.
- AFAIK there are, unfortunately, basically no protections on Linux. Sudo can be trivially shimmed (add malicious exe to PATH) without even having sudo permissions, then the next time user inputs sudo an attacker would have their password. Its bad that its so easy, but its a double standard to say Linux is fine but an (up to date) Android with root is vulnerable.
What bothers me a bit more is, the OS could address a lot of what Graphene is talking about: there should be a builtin OS level “no overlays, no accessibility, allowed when superuser reqested, must use builtin OS controlled keyboard to input password”. I’m not saying the graphene team needs to do more work; their contributions are incredible. But they shouldn’t claim that having full control over a device you own is inherently a security flaw. Its a technical problem that can be resolved with ROM development.
Yeah these numbers should be reported in % of profits