Is privacy compromised when using privacy-respecting apps on non-private operating systems?

Is privacy compromised at all when using privacy-respecting (FOSS) apps on operating systems that are meant to spy or gather data?

For example, could user data in apps like Standard Notes or Nextcloud be compromised or accessible at all to the OS if used on Android (Googled), iOS, MacOS, Windows? Standard Notes is e2ee but once the passcode is entered is data accessible by the OS?

In general, can operating systems access app data fields, app data in RAM, etc?

Thanks for considering noob questions.

3 Likes

Yes, they can.

To answer your question “is privacy compromised”, that depends on whether or not you trust the people who control the OS. For example, if you use an OS by Apple then probably Apple will promise that they don’t spy on you. If you trust them on that, then you can run a carefully selected trusted FOSS app in their OS and you can think that is okay. But then you need to trust Apple completely, like a child trusts a parent.

5 Likes

So do you think apple can access data in Bitwarden, Standard Notes, and other supposed encrypted and private apps on iOS or Mac OS??? No way around this?

I think you should be more specific in your question, particularly as far as what you mean by “access.”

You access that data on the operating system, and then the operating system shows you the data you decrypted, so at that point it has access to everything you’re asking about. Are you then asking if it saves that data? Or remembers your password and decrypts it without your knowledge? Or phones home with your information? (BTW, the answer to those questions is “no one knows but apple”)

I see your point and I didn’t mean to be vague, but if I understand you correctly then either an android/windows/Apple operating system at some point has access to any data that is decrypted when read or used, such as passwords from Bitwarden pasted into a browser or private notes and information in Standard Notes?
And I agree with you that we would never know what they do with that information or if they save it or store it which essentially makes those supposedly safe and encrypted private apps not really safe and encrypted after all? At least to the OS’s used? But more so as a added level of security or safeguard to someone that has gained possession of your device?
I’m a newbie to all this privacy and security and sometimes I feel like it’s all just wasted effort that we can ever be completely secure and private when using the big tech operating systems?

An OS controls the computer. If it is running on hardware, it can do anything other than affecting some embedded firmware software for eg a HDD. In this age, I don’t think you can ever truly have a secure system because vulnerabilities will always come up. Scale of 0 to 1 and free systems like pureOS (if you manage correctly) can be pretty close to 1 but there is always a million more things to do. There is then hardware firmware and such. If you want to know if an OS can ‘hack’ a program you install ed with and on the OS and use on it, obviously it can view what happens with the program.

1 Like

The programs may still make use of encryption. If they are decrypted when it reaches you, obviously the OS can see and manage it. How else would the computer work. If you send an encrypted file to a computer without the key, the file cannot be decrypted by that computer. All pretty obvious.

Don’t use a big tech OS. If not, still better than going with proprietary trash than some libre software on top of it. The OS may not do all the things we think it could (although we should assume that it does because it is so easy to implement) but yeah. If you want a secure system. Use things like HEADS, hand pick some good hardware that is free such as computers from raptor CS and manage firmware carefully. Install an OS that is libre and harden it heavily and use various VMs and such. If you wanted to go full, you can inspect all code that runs on your computer but that is obviously not easily done. You can air gap the system and move files manually from another. Also one thing many forget is JS in the browser. Be very very careful with this. They can do various malicious things. Basically, the only way to win is to not ever interact with computers but there is still plenty you can do to be alright.

1 Like

Your question is why some people like Richard Stallman swear to never run proprietary code on their computer and take various steps with how they interact with the internet and programs that are installed on their system (even if they are free).

2 Likes

The operating system accesses everything. It has to, because it runs everything. What it does with information on the side is harder to answer. If the source code is available (like PureOS’s and other Linux distributions are), then one can dig into the code and see for oneself what it does with the data. Otherwise, you have to monitor network traffic and glean whatever information you can. …if you care to verify, that is.

2 Likes

Yes, any of those you listed. I am migrating from the Apple ecosystem due to blackbox processes and telemetry. I don’t go near googled Android or Windows. So, could an app like Bitwarden have data accessed, stored, or transmitted by a non-Linux OS. Seems like the answer is yes from this discussion.

Interestingly, the creator of Standard Notes (SN), Mo Bitar, was interviewed on episode 062 of The Privacy, Security, & OSINT Show in 2018. Around 36:05 he starts talking about some of the security/privacy protocols of SN. Typed keystrokes are encrypted, data is stored/transmitted encrypted, a TLS connection is used, etc. He states, if I understand correctly, that v1 of SN “trusted” the computer but v2 didn’t. v2 prevented unencrypted data from being saved to the hard drive, leaving it only in RAM. Also, a passcode was added that encrypts the encryption key. I liked that he was attending to the context (OS) in which his app resided.

Do modern OS’s have memory protection such that active RAM used by an app is not accessible and perhaps encrypted? I don’t know.

There’s Intel SVM, but it’s been full of holes so far.

If you want to process encrypted data without encrypting them, then there’s https://en.wikipedia.org/wiki/Homomorphic_encryption . You do get to pay a penalty of a hundredfold slowdown though.

But if you want to access the data in a human-readable form, you’ll have to decrypt it at some point. DRM makers love the https://en.wikipedia.org/wiki/Analog_hole .

Similarly, when I started reading some of Joanna Rutkowska’s (Qubes creator) writings and watching some of her presentations on trusting computers (specifically x86) I was left wondering what the point is of syncing data from a private/trusted (optimized) computer (ie - Librem + PureOS) onto a nonprivate/untrusted computer (Mac, Android, Windows). Anyone else read her stuff and think similarly?

1 Like

I shot an email to standard notes and got this reply…

“You’re right in saying that the notes are temporarily decrypted while the app is open. However, this decrypted data only remains in the device’s working memory. Hence, once the app is closed, all of the decrypted content is deleted as well, while the updated encrypted notes remain on our servers (or on your device, if you are using the app offline). I’ll have to confirm the specifics of it, if you’d like more detailed info”

I’m not sure more information for password apps like Bitwarden are more or less exposed as you are having login and password information being pasted into other apps as well as websites? Is the data vulnerable to the OS during this time? Perhaps stored on RAM again and then deleted?

Yes. The OS is moving the data between apps. The OS can see into the memory of every open app every time it wants to. It’s the ultimate middle man, and you can’t avoid it without a huge amount of effort. DRM comes closest I guess.

You can treat encrypted data as a sealed envelope: the moment you want to actually do something with it, you have to open it, and it’s not sealed in that moment.

1 Like

Man, I REALLY can’t wait to get my L14!!!

My understanding of that specific example, with those two separate programs (the Bitwarden password manager and the browser) that are running, is that the user first copies the password from Bitwarden, then the password is in the clipboard which is managed by the OS. Then the user switches to the browser and pastes the password there. The user may think that the password came “directly” from Bitwarden but that is not really the case, because the OS sits in between. The OS could easily log all such clipboard contents, all such pieces of text that are moved between apps in that way. The OS could save all that info and send it home to Google/Microsoft/Apple.

The OS also controls both input (what you type, mouse movements, touchscreen touch events) and output (what is shown on the screen). Whenever you input something to your app, the OS could record that. Whenever your app shows something on the screen, the OS could save a screenshot without telling you about it. And so on.

There is also the question of how to know what program you are really running. As far as I know, on iOS you are only allowed to install programs via Apple’s app store, Apple may be able to modify the app source code and install their modified proprietary version while you believe it is the FOSS version. Verifying that you are running the correct binary might be hard to do when Apple controls the OS.

2 Likes

Another consideration is: There are credible arguments that rather than run a dedicated password manager, you should use the operating system’s built-in password manager. In that case it goes without saying that if you don’t trust the operating system then you can’t trust the password manager.

It’s worse than that. The operating system is the thing that loads a program. Even if you could download the program’s source on another fully trusted computer, compile it, digitally sign it … and then move it to the target computer, once you run the program, you have no idea what you are running, whether it is genuine, whether it has been verified as genuine, …

And of course most programs rely on the operating system for a range of services, any or all of which could be compromised in some way if the operating systems intends to interfere with your program.

You either trust the operating system or you verify the operating system.

There’s Intel’s SGX - but to me that is a two-edged sword. The enclave may be more private from spying from the outside but that very privacy makes it harder to audit what is really going on. So you would at least have to trust the supplier of the code running in the enclave more than you trust the supplier of the code running in the operating system.

I get the distinct impression that SGX was an anti-privacy feature.

1 Like

DRM is trash and is nearly always trivial to bypass. Only DRM that works pretty well in my view is when it is built from the hardware up like they had with the PS3 (which got broken) and video game anti-cheat systems such as BE, EAC and the one made by tencent for valorant. I remember seeing a document published for how anti-cheat can detect if it is in a VM and such and it looks like a lot of work to bypass this crap and somewhat isn’t possible (yet). DRM is the rare case where there is code written specifically and only to limit your computing and it must be bypassed.

I can’t really think of an implementation where you would boot up your computer as usual and a program’s data wouldn’t be able to be accessed by the OS because it doesn’t make sense for it not to be. Maybe there could be a system of a trusted program module on a motherboard where a program is launched in the OS and passes the program to be run by the component on the mobo which is really its own computer with own CPU and memory and such and can hijack peripherals temporarily and displays over the monitor while the other computer runs (other being the main system). I think that would be interesting but not sure how possible that would be. I think it would be because it would just be a second computer in one machine to handle just a single program.

Wow I thought Apple was bad, but didn’t realize to what extent. Just no way to trust them on any level even with so called 3rd party “secure” apps. I suppose Linux is the only real choice here, and again, cannot wait to move everything to my L14 when I get it!

Just sorry I’m starting so late with finally getting a Linux laptop. Next is a Linux phone.

2 Likes