mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-23 23:01:04 -04:00
standardize em dashes
parent
d6f4ad9d2e
commit
5d9796b043
12 changed files with 98 additions and 98 deletions
|
@ -25,11 +25,11 @@ Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/fi
|
|||
|
||||
# Installation
|
||||
|
||||
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS - see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). "Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8, [making it substantially harder to remotely exploit user installed apps like Signal](https://grapheneos.social/@GrapheneOS/111479318824446241).
|
||||
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS — see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). "Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8, [making it substantially harder to remotely exploit user installed apps like Signal](https://grapheneos.social/@GrapheneOS/111479318824446241).
|
||||
|
||||
Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime).
|
||||
|
||||
Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released.
|
||||
Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released — for example, the Google Pixel 6a after the Pixel 7 is released.
|
||||
|
||||
[GrapheneOS can be installed](https://grapheneos.org/install/) using a web browser or the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list the officially supported operating systems.
|
||||
|
||||
|
@ -77,13 +77,13 @@ How does it work? Your new device is the *auditee*, and the *auditor* can be eit
|
|||
|
||||
First, immediately after installing the device and before connecting to the Internet, [perform a "local verification"](https://attestation.app/tutorial#local-verification). This requires the presence of a friend whom you see semi-regularly and who has the Auditor app (on any Android device). The first pairing will show a brown background, and subsequent audits will show attestation results with a green background if nothing is remiss. There is no remote connection established between the phones of the auditor and auditee; you must perform these verifications in person.
|
||||
|
||||
We recommend using the phone as a Wi-Fi only device. Turn on airplane mode, and then turn on Wi-Fi. This "will fully disable the cellular radio transmit and receive capabilities, which will prevent your phone from being reached from the cellular network and stop your carrier (and anyone impersonating them to you) from tracking the device via the cellular radio." Leave airplane mode on at all times - otherwise the phone will interact with cellular networks even if there is no SIM card the phone.
|
||||
We recommend using the phone as a Wi-Fi only device. Turn on airplane mode, and then turn on Wi-Fi. This "will fully disable the cellular radio transmit and receive capabilities, which will prevent your phone from being reached from the cellular network and stop your carrier (and anyone impersonating them to you) from tracking the device via the cellular radio." Leave airplane mode on at all times — otherwise the phone will interact with cellular networks even if there is no SIM card the phone.
|
||||
|
||||
You are now ready to connect to Wi-Fi. Once you have an Internet connection, we recommend that you immediately set up a [scheduled remote verification](https://attestation.app/tutorial#scheduled-remote-verification) with an email that you check regularly. The default delay until alerts is 48 hours; if you know your phone will be off for a longer period, you can update the configuration to a maximum of two weeks. If your phone will be off for more than two weeks (for example, if you leave it at home while traveling), simply ignore the notification emails. You can always log back in to view your attestation history.
|
||||
|
||||
# User Profiles
|
||||
|
||||
User profiles are a feature that allows you to compartmentalize your phone, similar to how [Qubes OS](/posts/qubes/#what-is-qubes-os) compartmentalizes your computer. User profiles have their own instances of apps, app data, and profile data. Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile. In other words, user profiles are isolated from each other - if one is compromised, the others aren't necessarily.
|
||||
User profiles are a feature that allows you to compartmentalize your phone, similar to how [Qubes OS](/posts/qubes/#what-is-qubes-os) compartmentalizes your computer. User profiles have their own instances of apps, app data, and profile data. Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile. In other words, user profiles are isolated from each other — if one is compromised, the others aren't necessarily.
|
||||
|
||||
The Owner user profile is the default profile that is present when you turn on the phone. You can create additional user profiles. Each profile is [encrypted](/glossary/#encryption) with its own encryption key and cannot access the data of other profiles. Even the device owner cannot view the data of other profiles without knowing their password. A shortcut for switching between different user profiles is located at the bottom of Quick Settings (accessible by swiping down twice from the top of the screen). When you press **End session** on a profile, that profile's data is encrypted at rest.
|
||||
|
||||
|
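Review bot: In the airplane-mode paragraph, the rewritten line still ends with "even if there is no SIM card the phone", which is missing "in" before "the phone"; since the line is already being touched, change it to "no SIM card in the phone" in the same commit. The quoted sentence about disabling the cellular radio also carries no link to its source, while the other quotations visible in this diff do, so consider adding one.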
@ -128,9 +128,9 @@ To install and configure Sandboxed Google Play:
|
|||
|
||||
You are now ready to install applications from the Google Play Store. The first application we will install is a [VPN](/glossary/#vpn-virtual-private-network). If you want to use a free VPN, we recommend RiseupVPN. If you want to pay for a VPN anonymously, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). VPNs must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). We recommended using a VPN in every profile, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
||||
|
||||
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks – especially those targeting messaging apps – more difficult to perform and less effective.
|
||||
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
|
||||
|
||||
Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Navigate to **Advanced settings** in the RiseupVPN menu, click **Always-on VPN** and follow the instructions. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps - see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
||||
Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Navigate to **Advanced settings** in the RiseupVPN menu, click **Always-on VPN** and follow the instructions. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps — see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
||||
|
||||
Now we will delegate apps to the profiles they are needed in:
|
||||
|
||||
|
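Review bot: The blockquote attributed to the Security Lab goes from spaced en dashes to em dashes here, which changes punctuation inside a verbatim quotation; either leave the quoted text as the linked article has it or confirm the source's punctuation before normalizing it. Note also that this widens the commit beyond its title, since the old line used en dashes rather than hyphens. Separately, the unchanged paragraph above the quote reads "We recommended using a VPN in every profile", which should be "We recommend"; worth a follow-up.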
@ -139,7 +139,7 @@ Now we will delegate apps to the profiles they are needed in:
|
|||
|
||||
## Software That Isn't On the Play Store
|
||||
|
||||
Some apps are not on the Play Store, either because they're still in development or because they don't want users to have to interact with Google. The Play Store can be used to update apps, but if you download individual .apk files, you have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself). [Obtainium](https://www.privacyguides.org/en/android/#obtainium) is an app to keep track of which apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't available in the Play Store, install Obtainium in the Owner user profile (and don't disable it). Use the same process as above to install apps into the Owner user profile, but through Obtainium, then disable the app and delegate it to the profiles it is needed in. Unfortunately, apps obtained through Obtainium require manual updates - it will notify you when one is needed.
|
||||
Some apps are not on the Play Store, either because they're still in development or because they don't want users to have to interact with Google. The Play Store can be used to update apps, but if you download individual .apk files, you have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself). [Obtainium](https://www.privacyguides.org/en/android/#obtainium) is an app to keep track of which apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't available in the Play Store, install Obtainium in the Owner user profile (and don't disable it). Use the same process as above to install apps into the Owner user profile, but through Obtainium, then disable the app and delegate it to the profiles it is needed in. Unfortunately, apps obtained through Obtainium require manual updates — it will notify you when one is needed.
|
||||
|
||||
As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal without [Google software](https://github.com/mollyim/mollyim-android#free-and-open-source) and is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium, press **Add App**, then copy the Github Releases URL. Obtanium will be able to install the app, and if there is a new version, you will get a system notification and an update icon next to it, and you will need to update it manually.
|
||||
|
||||
|
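Review bot: The context paragraph directly after the changed Obtainium paragraph spells the app name "Obtanium" twice ("In Obtanium, press **Add App**" and "Obtanium will be able to install the app") and writes "Github" where the changed paragraph's link text uses "GitHub"; as this is a copy-editing pass over the same section, fold those fixes in or queue a follow-up. In the changed line itself, "apks" and ".apk files" are used for the same thing, so pick one form.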
@ -165,7 +165,7 @@ You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if
|
|||
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to a more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
|
||||
* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
|
||||
* [Owner user profile] **Settings → Security → USB-C Port:** [Charging-only](https://grapheneos.social/@GrapheneOS/112204446073852302)
|
||||
* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile - apps installed in a secondary user profile delegated from the Owner profile will still be updated.
|
||||
* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile — apps installed in a secondary user profile delegated from the Owner profile will still be updated.
|
||||
* [Owner user profile] **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
|
||||
* In the "Messaging" app, disable **Settings → Advanced → Auto-retrieve**
|
||||
* It is convenient to be able to receive notifications from any user profile:
|
||||
|
|