• 14 Posts
  • 425 Comments
Joined 2Y ago
Cake day: Mar 21, 2022


Yes, “because one of their council is leftist pro censorship”

Like this crap



Not sure but GrapheneOS has an “LTE only” mode, stock Android only has preferred Network afaik.

Visiting only known websites is not a scalable option; a browser needs to be secure. Kiwix is the browser that basically runs desktop Chromium on Android, so it has add-on support. But that is also soon manifest v3 restricted, and likely pretty insecure.

Of course the user data partition is not checked, but every other important one is. I have not tested what would happen when it is modified though.

I don't know what Magisk did, but I think that is only about Google Play adding their “safety” scanning to the OS. Nothing regarding boot. But yes, likely there could, can or should be OS components scanning things too.

Google's stuff is pretty insecure, for example the latest SafetyNetFix simply disabled hardware cryptography, as they still support insecure phones.

For sure this is very complex and there are always vulnerabilities found in Android and GrapheneOS.


Yes that is one definition.

But what if you get it back? Or if you just keep it?

There is a chance that you have Pegasus on there, and I wouldn't want a phone without the detection of this.

GrapheneOS can likely detect Pegasus with their Attestation, and if you have it, use an external device to reflash it.


Not sure if VPN eliminates all risks with 2G and 3G, maybe it does.

Sandboxing, JavaScript

Vanadium has sandboxing, but its JavaScript blocking is useless (no granular control).

Mull has no process isolation at all, but support for uBO and NoScript. Bad situation.

it’s a walk in the park for it to modify any of the partitions

These cannot be written without TPM verification or stuff, ask GrapheneOS devs about that, I don't know. The firmware signing is required; the verification will not be done inside the OS, that would be totally flawed.

If they have the firmware signing keys, they can fuck you. If they don't, they can only write to the system partition, and Attestation can see that.

Reading data has nothing to do with that. They likely can, but that doesn't matter.

My 6-year-old phone still receives LOS updates

This will not include firmware and likely even the kernel.


Thanks! TL;DR: Spamhaus (a big spamlist provider) has them on their spamlist, or maybe not, and they are using some fancy CDN.

It is VERY likely just a technical error.


Yes I know, and I want to try DivestOS one time. But they do incomplete patches.

They cannot update the kernel themselves or even worse the firmware. The kernel needs to be built and patched for the specific hardware, GrapheneOS relies completely on Google here. And the firmware needs to be signed by the vendors, so no chance either.

And especially baseband, cellular stuff has an extremely large number of vulnerabilities in the code.


I think 3a is already too old. I think 4a is a better minimum, but this is still insecure of course.



What, source?

How would you block an OS?

And btw there are some reasons why GrapheneOS may be criticised



VPNs are not meant for privacy. The concept is clunky, as is the concept of our internet.

Tor or I2P are made for privacy, but the interactions with the clearnet have the same problems, you need a legal entity hosting the server, IPs are known and can be blocked etc.

Hosting your own VPN does not anonymize you anymore but is very unlikely to get blocked.


All Android phones have Google malware installed by default, as system apps, which means those apps can do whatever they want.

So every piece of data you put on there is possibly tracked and collected.

Then there are 2 more problems

  • the software is proprietary and cannot be externally wiped clean
  • the software is outdated

This makes it vulnerable to Pegasus attacks and others. There are tons of secure practices to avoid getting it, like LTE-only, HTTPS only, encrypted and trustworthy DNS, sandboxed processes, blocked JavaScript execution from unknown websites…

But still if the phone is outdated there are unpatched and publicly known security issues. Just spamming them at all phones is likely to succeed as so many people run vulnerable versions, as vendors suck.

Then if you have Pegasus, the only way for security is to reflash the A/B partitions, both. Factory reset is not secure as it will keep what is already in the system partitions.

The firmware is protected and signed by the vendors, so it is likely clean.

But Pegasus installs itself to the phone storage.

If you (a) can't obtain factory images or (b) can't flash the phone at all, you cannot wipe it clean.

So a good activism phone needs

  • trustworthy and minimal system apps / stock software
  • modern software updates
  • possible to reflash whole device externally
  • nice to have: ability to verify checksum of system partition, like GrapheneOS Attestation

Unfortunately, this makes them pretty expensive. I think a slightly outdated GrapheneOS phone is okay though.


Burner phones are a strange concept. If you want to store sensitive data on it, you shouldn't use some cheap Android phone or even a dumbphone without encryption support.


Any system app on Android, the captive portal login and more CAN all bypass a VPN in “block all other connections” mode.

Android is really problematic, and having as few system apps as possible is the only fix.



Software that doesn't store private metadata

  • grapheneOS cam
  • opencamera (not by default!)
  • KDE spectacle
  • android GrapheneOS screenshots


This. Android's permission toggles combine multiple ones. GrapheneOS actually adds more of these toggles, as some things like Network and various sensor permissions are always on (wtf Android). But even those are combined toggles.

You can also display more permissions on the permission page, top right.


Nice, own Gitlab instance with locked registration (?) so I cannot report this bug:



Social = contact with people you want to contact

Privacy = the stuff you share is not sent to random people but only to who you want to

It uses the Matrix protocol, which is kind of a red flag because of performance, but it's encrypted.


Yes. It is only needed for /storage/emulated/0/Android/obb which is legacy afaik and GrapheneOS has a specific toggle just for this.




Nice! You should use an override.js to avoid missing out on updates.

Also have a look at my messy project arkenfox softening


Btw.

  • on GrapheneOS you do not need the legacy “manage all files” permission. GrapheneOS has a specific “obb” permission for installing apps, that's it, and even that is legacy
  • use the session installer, nothing else.


Okay fair. They have shady sponsors.


If the link preview above displays an ad, ignore it. [Article](https://thehackernews.com/2017/09/crackas-with-attitude-hackers.html)


Or just using their official release APK over obtainium



Banking is hit-or-miss. GrapheneOS should pass all security checks and more, but none of them are Google certified and apps start to request that, which sucks.



This was about screenshots, sorry. No idea, don't think you can change that without a different Android OS.


GrapheneOS Camera is very nice. May only work on Pixels, but on stock Android (which is an insane tracking platform you should ditch) too.

https://github.com/grapheneos/apps/releases/latest

Download their appstore, there you get the camera app.



Wow this is great!

If you are using your own index, I think you could use a more economical approach to fight the spam bullshit of the modern web.

  • instead of using badness enumeration, crawling everything and filtering malware, use an opt-in principle
  • have a community method of gathering new trusted websites
  • use websites internal search functions to get more results
  • use categories to split up the websites, reinventing what people should find: general, news, navigation, science, politics, IT, technology (not code), art, music, philosophy, …
  • have an app or submission website where users can submit new websites, and some form of community control over it (kinda censorship but in a good way)

This could fix the web as it currently is, by rethinking what should be found, pushed etc. Rating websites by quality could also be helpful.

Also if you support payments in crypto or cash, there should be no problem to make it paid.


You need to contact them, if they connect to known to-be-blocked sites to get their IPs.

Googerteller does this:

Note: Find it ironic or not, but to query the list of all Google IPs/subnets, this needs to contact one Google domain, actually. (That request does not emit a sound, though.)

And I would ask DDG how their “tracker blocker” works and if it would also block such requests.


Thanks, I think it is very relevant to understand how this DDG VPN “tracker blocking” works.

If it is about an app sending requests to lots of domains, this may have many reasons. For example it could check the IP addresses of all these tracking servers to block apps from communicating with them via IP and not URLs.

This would be a reason that a trusted app connects to tracking servers to update their internal filterlist.

This “known to collect” seems to be unrelated to the actual connection, just “this service often collects data about x”.

If this is true, that is HIGHLY misleading and please update your post to explain that possibility.


You are using that Duckduckgo thing which is not a reliable source of information.

I would be interested in what a “tracking attempt” would look like.

Your VPN sees EVERYTHING you connect to, if you use HTTPS that is not a big deal but can help target stuff to your usage.

Whether it is tracking or just traffic passthrough is decided on their servers, which no weird Duckduckgo app can access.




> We can also break down users by country. The largest contingent of Snowflake users are in Iran, which has been the case since the Mahsa Amini protests in 2022. The graph shows also a large number of users apparently from the United States, but we believe that may be partly the result of geolocation errors, and many of them are actually from Iran. After Iran, the countries with the most Snowflake users are Russia and China.

https://donate.torproject.org/ ![](https://feddit.de/pictrs/image/9a101698-406b-47ab-94e8-a7d57925f1e5.jpeg)

Firefox needs a 180° turn to full privacy out of the box.
It's the only thing making it a good choice, while people choose Brave, TorBrowser or Librewolf instead. Come and join the discussion. Firefox needs to have some courage. Get rid of all that fake funding by Ad companies. Block Ads and trackers by default. Actually. Don't use damn Google as that contract will run out anyways. Chrome is the Google browser. Firefox simply offers nothing more (on the outside) than it. What do you think? Do you use Firefox out of the Box? Or another browser?

I recently saw Alex's video about XMPP and I got curious. I am using Element and SchildiChat a bit, trying Element X and curious about the new Development here. It seems vibrant, they rewrite stuff in Rust, the Apps are fancy and all. But I tried Conversations and it seems based too, has transparent encryption, it is damn fast, usable, supports groups and files and all. Probably doesn't use the latest fancy Android SDKs but it seems solid. I was surprised about how fast it was, as Matrix drastically varies per server. But also I found many dead communities, and in general I don't see XMPP at all, while many Projects (if not using Discord, bruh...) have a Matrix room. How secure is OMEMO in today's standards? Or OpenPGP, compared to Matrix or Signal Encryption? I heard it also has rotating keys and all. There are other things, like permission systems, chosen federation, privacy, bridge support and more, that are interesting. Are there advanced modern WebUIs for XMPP you like? I saw that it uses up waaay less resources, why is that? Really, is "simply encrypted mail" somehow worse in an important way? Similar to IRC, where I never found nice usable apps for my taste, I thought XMPP was deprecated, but that doesn't seem so? What can you tell me about XMPP, is it modern, secure, privacy friendly?


GrapheneOS People being toxic again… and again… | The other face of “community-ran servers”
There have been very very bad experiences with Daniel Micay, the former (?) lead dev of GrapheneOS.

GrapheneOS is an awesome project. It doesn't suit everyone, as it only focuses on security, doesn't add many LineageOS features, ships no Appstore preinstalled and pretty much promotes hunting down your APKs from Git* releases, doesn't work with microG, ... But it's a really valuable piece of software, extremely critical for the opensource community, as it's really the only degoogled and secure Android there is.

Now I am close to ditching it... again... as I am pissed off by "the community", or more these/this weird anonymous people/individual identifying as "GrapheneOS" on their self-controlled Matrix server.

## Background

Not wanna cry here, but giving the scenery: I went into their room and discussed a bit. Points were pretty much:

  • Android is a deviation of Linux with its own Kernel and way different release numbers
  • it sucks being dependent on a big Corp for their Android Desktop, as there simply is no Custom ROM creating a different one
  • Linux is awesome, as it is so free. Android's immutable model could totally work with more customizability like desktops, and still be secure.

What happened? I got perma-banned for "doubling down on spreading misinformation". Prior I went into a private chat with this "GrapheneOS" person, and asked what exactly were the points where I spread misinformation. They said "Android is Linux. You have no idea what you are talking about but think you do. You can't spread misinformation in our community anymore." After these messages and still no explanations, they left the private chat and blocked me from rejoining.

Wow. This is what a self-run server can also look like, it seems. Well, I guess I will be switching to Calyx or DivestOS soon, if I have no community to discuss in. I would be happy if some critical voices could join the server and do some constructive discussions. Right now it's a forced echo chamber.

PS: If that was you Daniel, please just take a pause. You did some great work, but personally you act extremely toxic. This is not how to talk to people.

Should I watch mirrored videos through Invidious or Peertube?
This is not about privacy I guess, but I am really uncertain. Lots of Youtubers also have Peertube channels. Newpipe on Android can play those too, so I always watch the Peertube "mirrors". But what is best from multiple points? Privacy, efficiency, saving data resources from nice people? There are some Invidious instances embedding "googlevideo" javascript, I think those are not proxies and I don't suck their resources that much. The same goes for Newpipe and Freetube, which watch the videos locally, unless they break, they are best. But then, Peertube on Newpipe? I guess it's nice for reliability, anticensorship and "freedom". But it sucks resources from nice people, and I already have a VPN. On the other hand, is Peertube better than Invidious proxy? I think I suck resources from both, maybe it's better to use Peertube here, as they don't get blacklisted, so their servers just have higher usage. Any points? I am curious.

Autofill-focused password manager?
Thanks for all the comments. Currently I use KeepassXD/DX + Syncthing. I hash my password with fingerprint on Android, keep a separate database containing that one in another place for backup. Maybe that's stupid, but I can't type on a phone. On Linux I use KWallet, store the Keepass password there, and have a shortcut fetching that password and inserting it into the Keepass wallet using KeepassXC. Works with one click too.

## Problems

  • all entries are either locked or unlocked
  • to have autofill working, the app can't be killed (Android)
  • also, all passwords need to be decrypted for it to work

I don't see that this is the best solution. Decrypted, maybe hashed metadata possible to detect autofill fields, and then selectively unlock the needed credentials, would be better.

An entry-based password manager?
I don't agree with many things Apple does at all, and I also think their password manager has flaws like revealing usernames without authentication. It is pretty handy though, to have a file where the entries are stored unencrypted, and if the password manager detects an entry it prompts to decrypt exactly that field, maybe with a fingerprint. KeepassDX needs to run in the background and be completely unlocked to even detect apps or password fields. Do you know any existing app that can do this?