Security FAQ
Frequently asked questions about CalyxOS security
Contents
- How secure is the signing infrastructure for the OS builds?
- Could a rogue developer compromise the over-the-air updates?
- What are the security implications of the extended permissions for F-Droid?
- What are the security implications of the extended permissions for Aurora Store?
- Is it possible to root CalyxOS?
How secure is the signing infrastructure for the OS builds?
Signing is a cryptographic process where we take the factory image of CalyxOS and apply a digital signature that allows your device to attest that the image actually came from Calyx and no one else.
CalyxOS factory images and OTA updates are signed off-line by one person with sole custody of the signing keys.
Could a rogue developer compromise the over-the-air updates?
As an open source project, CalyxOS depends on the contributions of many developers and many other projects. Changes go through a stringent review process. Ultimately, there are a small number of people who have (separate) trusted roles, such as creating or signing the factory images.
What are the security implications of the extended permissions for F-Droid?
The default repositories configured in CalyxOS are run by F-Droid and CalyxOS itself. However, these additional repositories (sources) introduce the possibility of an attacker compromising the remote app repositories and serving a malicious update. To guard against this type of attack, these repositories go through multiple verification steps.
App stores cannot modify the fundamental security model of the Android operating system: When installing an update, the new app will only be accepted if verified to be from the same developer as the original version of the app. However, Android also always accepts the identity of the developer when first installing a new app, which is why the app repositories mustn’t be compromised.
For more information, see F-Droid security model.
What are the security implications of the extended permissions for Aurora Store?
In CalyxOS, Aurora Store is given the ability to update apps without approving each one manually, much like the Google Play Store. This is achieved with Aurora Services. Aurora Store is not able to install apps silently or without user intervention.
The special permissions granted to Aurora introduce these possible attacks:
- There could be a vulnerability in the Aurora Store bundled with CalyxOS. We use the version built by F-Droid.
- An attacker could compromise the Google Play Store servers used by both Aurora Store and the Google Play Store.
App stores cannot modify the fundamental security model of the Android operating system: When installing an update, the new app will only be accepted if verified to be from the same developer as the original version of the app. However, Android also always accepts the identity of the developer when first installing a new app, which is why it is important that the app repositories are not compromised.
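As an added illustration of the same-signer rule described above for both F-Droid and Aurora Store (this is a toy model written for this FAQ, not CalyxOS or Android code): a package is pinned to the fingerprint of the certificate it was first installed with, updates signed by any other key are refused, and downgrades are refused. The certificate bytes are constructed placeholders, not real X.509 certificates.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def signer_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate: the identity Android pins to a package."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class InstalledApp:
    version_code: int
    signer: str  # certificate fingerprint recorded at first install


class PackageManager:
    """Toy model of Android's install-time checks (hypothetical, not PackageManagerService)."""

    def __init__(self) -> None:
        self.installed: Dict[str, InstalledApp] = {}

    def install(self, package: str, version_code: int, cert_der: bytes) -> str:
        signer = signer_fingerprint(cert_der)
        current: Optional[InstalledApp] = self.installed.get(package)
        if current is None:
            # First install: the signer is accepted as presented (trust on first use).
            # This is the step where a compromised repository could plant a malicious app.
            self.installed[package] = InstalledApp(version_code, signer)
            return "INSTALLED"
        if current.signer != signer:
            # Update signed by a different key is refused; the original signer stays pinned.
            return "REJECTED_UPDATE_INCOMPATIBLE"
        if version_code < current.version_code:
            # A lower versionCode than the installed one is refused.
            return "REJECTED_VERSION_DOWNGRADE"
        self.installed[package] = InstalledApp(version_code, signer)
        return "UPDATED"


# Constructed sample certificates (placeholders for real DER-encoded signing certs).
DEV_CERT = b"constructed-cert-for-legitimate-developer"
ATTACKER_CERT = b"constructed-cert-for-attacker"


def demo() -> list:
    pm = PackageManager()
    return [
        pm.install("org.example.app", 1, DEV_CERT),         # INSTALLED
        pm.install("org.example.app", 2, ATTACKER_CERT),    # REJECTED_UPDATE_INCOMPATIBLE
        pm.install("org.example.app", 2, DEV_CERT),         # UPDATED
        pm.install("org.example.app", 1, DEV_CERT),         # REJECTED_VERSION_DOWNGRADE
        pm.install("org.example.other", 1, ATTACKER_CERT),  # INSTALLED (first-install trust)
    ]
```

The last call is the point of the FAQ answer: the same-signer check protects existing apps, but a brand-new package from a compromised repository is accepted because nothing is pinned yet.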
Is it possible to root CalyxOS?
CalyxOS does not support running in rooted mode, nor do we recommend this. Running any Android device with root permissions severely undermines the security of the device.