You don’t have to compile GrapheneOS from source thanks to avbroot which can take a release zip, patch it with root and sign it using a custom avb key. This lets you root while keeping the bootloader locked.

The rooted-graphene project automates this completely using GitHub actions. It even lets you do OTA updates like normal GrapheneOS.

KernelSU has something like this called app profiles where you can set the capabilities that each app gets when it uses su. And if you are a SELinux wizard you can also set a custom domain for each app which would give you the fine grained control you’re looking for. I doubt the average KernelSU user wants to delve into SELinux details so some tool to automate this would be cool. Sadly doesn’t look like Magisk supports this.

Rooting devices breaks the principle of sandboxing: one app shouldn’t be able to access or modify another app or its data, or system files. If you give an app root, it can do whatever it wants to the system. It could install a keylogger to steal credentials, extract login tokens from another app’s storage or just nuke system files to make your device unbootable.

Let’s say you don’t give any apps root. Even having a rooting platform on the phone (e.g. Magisk) is still a vulnerability. Most rooting platforms will ask the user whether an app should get root when the app requests it. But there could be code execution vulnerabilities (e.g. buffer overflows) in the rooting platform that let you add an app to the list of apps allowed to use root without user confirmation.

TLDR: Root gives an app full access to the device, it could do anything with that. Even if you’re careful with what you give root to, it still adds a lot of attack surface that could be exploited.

I use GrapheneOS without play services on my daily driver because I despise Google’s forcing play services down Android’s throat. The irony isn’t lost on me that Graphene only works on Google devices, that will hopefully change soon as Graphene works with an OEM to build their own devices. I don’t bother with banking or government apps as they aren’t mandatory where I live, at least not yet. I try to stick to FOSS (or at least source available) apps where possible.

On a secondary device I also run a rooted version of GrapheneOS just for fun. Yes I know it might be viewed as terribly insecure but it’s just a secondary device that I like to play around with, it doesn’t have any important data on it. I find it quite interesting to learn how rooting methods work to bypass the normal security measures in place.

Cool project! Does it support 2FA? I’d like to use a password and then either TOTP or FIDO, like Authelia does.

Could you share the name of the company please?