Have you ever wondered why #GrapheneOS has a separate PDF viewer?

Well that answer is pretty obvious, it is more secure to have a separate hardened, sandboxed utility designed for that instead of sharing such a responsibility with a much larger app with greater attack surface like a web browser or office suite. It is trivial for some threat actors to deliver weaponized, malicious PDF files to their targets.

If we know all of this, the next step for some may be to wonder "Why is the GrapheneOS PDF viewer secure?", for you, I will explain some of the most important details:

The GrapheneOS PDF Viewer app requires absolutely no user-facing permissions to run, it doesn't ask for any, nor does it need them. Without permissions the app is completely contained in the Android app sandbox and the security access model is far greater.

How the viewer opens a file is through making a false request to Localhost from the WebView and then intercepting that request with a stream of the PDF data. The benefits to this include:

1. We don't needing files access in the WebView (both setAllowFileAccess and setAllowContentAccess are set to false).

2. Allowing us to intercept headers into the request like CSP, Permissions Policy for hardening the sandboxing done via the WebView With CSP, all dynamic and inline CSS and JS is disabled. The only scripts loaded are those used for the viewer itself.

3. In addition to using WebView for PDF Viewer, Vanadium takes the place for the WebView on GrapheneOS, meaning GrapheneOS users take advantage of the exploit protections used in Vanadium.

Even with all of this, the PDF Viewer still has a fair amount of room for improvement when it comes to quality of life features and usability enhancements.