Re: What can't you do on Android WITHOUT a Google Account set up in the OS?

Jeff Layman <Jeff@invalid.invalid> wrote:

VanguardLH wrote:
>

I haven't heard that the Android OS or Graphene OS have had
independent audits despite they may be free open source.  FOSS
doesn't guarantee anyone outside the dev team has inspected the
code.

 
You might find these of interest:
<https://grapheneos.org/faq#audit>
<https://discuss.privacyguides.net/t/i-dont-trust-pixel-graphene-where-are-the-authoritative-claims-of-its-credibility/17503>
<https://dl.acm.org/doi/10.1145/3448609>

Rather than claim the code has been audited, prove the claim by
referencing the audits.  Anyone can say their code is audited.  Again,
being open source doesn't mean *independent* audit.  Nice to know,
though, their code is well documented.

AOSP projects are peered reviewed.  Well, we had weekly code reviews,
but guess who was reviewing the code.  They really didn't want QA
attending those meetings, and even we weren't outside auditors.
Independent audit means non-peer review.

A published paper describing how security (and only that facet) should
work in an OS is not an independent audit of the code.  Just a
description of how it should work.  Still, it's interesting reading.

While I've found no independent audits of GrapheneOS, I suspect any such
code reviews would be on Android (haven't found audits for that, either)
while any variations thereof would get passed over.  Android has lots of
users.  GrapheneOS not so much.  I've seen guesses there are 175K
GrapheneOS users.  Android is estimated at 3 billion.