graphene feedback

This commit is contained in:
anarsec 2024-04-23 23:35:25 +00:00
parent 81a517c39e
commit 83a7ffe5ee
No known key found for this signature in database
2 changed files with 9 additions and 8 deletions


@ -19,7 +19,7 @@ While [anarchists should minimize the presence of phones in their lives](/posts/
# What is GrapheneOS?
GrapheneOS is a security-focused version of the Android [operating system](/glossary#operating-system-os). Standard Android smartphones have Google baked into them (for example, [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) has irrevocable access to your files, call logs, location, etc.). GrapheneOS removes all Google apps and services by default, uses hardware-based security to [make it far more difficult](https://grapheneos.org/faq#encryption) to bypass the disk encryption, and it is significantly [hardened](/glossary#hardening) against hacking. There are other alternative Android operating systems, [but they don't have comparable security](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/). See the [GrapheneOS documentation](https://grapheneos.org/features) for an extensive list of privacy and security improvements over standard Android.
GrapheneOS is a security-focused version of the Android [operating system](/glossary#operating-system-os). Standard Android smartphones have Google baked into them (for example, [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) has irrevocable access to your files, call logs, location, etc.). GrapheneOS removes all Google apps and services by default, uses hardware-based security to [make it far more difficult](https://grapheneos.org/faq#encryption) to bypass the disk encryption, and it is significantly [hardened](/glossary#hardening) against hacking. There are other alternative Android operating systems, [but they don't have comparable security](https://eylenburg.github.io/android_comparison.htm). See the [GrapheneOS documentation](https://grapheneos.org/features) for an extensive list of privacy and security improvements over standard Android.
Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/finding-you-teleco-vulnerabilities-for-location-disclosure/), cell phones connecting to cell towers give the provider a history of your geolocation. For this reason, we recommend that you leave your smartphone at home and use it like a landline, connecting to the Internet via Wi-Fi in airplane mode, rather than using a SIM card to connect through cell towers. Even if you use an anonymously purchased SIM card, if it is linked to your identity in the future, the service provider can be retroactively queried for all geolocation data. Furthermore, it's not enough to only leave your phone at home when you're going to a demo or action, as this will [stand out](/posts/nophones/#metadata-patterns) as an outlier and serve as an indication of conspiratorial activity in that time window.
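Review bot: the anchor text of the swapped link in the third sentence still reads as an assertion ("but they don't have comparable security") while the new target is a comparison table of Android-based operating systems rather than an argument for that claim, which the replaced privacyguides post was. Either reword the anchor to something like "see this comparison of alternative Android operating systems" and keep the assertion in plain text, or keep the old post alongside the table so the claim still has a source that states it.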
@ -27,7 +27,7 @@ Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/fi
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS — see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). "Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8, making it substantially harder to remotely exploit user installed apps such as Signal which has a ["massive amount of remote attack surface"](https://grapheneos.social/@GrapheneOS/111479318824446241).
Starting with the Pixel 6, Pixel devices will receive at least 5 years of security updates from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime).
Starting with the Pixel 8, Pixel devices will receive at least 7 years of security updates from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime).
Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released — for example, the Google Pixel 6a after the Pixel 7 is released.
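Review bot: replacing the "Starting with the Pixel 6 ... 5 years" sentence with the Pixel 8 / 7-year one drops the only support-length statement covering the Pixel 6 and 7 generations, while the unchanged paragraph that follows still uses "the Google Pixel 6a after the Pixel 7 is released" as its purchase example. Either keep both sentences ("Pixel 6 and 7: at least 5 years; Pixel 8 and later: at least 7 years") or update the example to the 8a so the recommendation and the support claim refer to the same devices.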
@ -132,7 +132,7 @@ You are now ready to install applications from the Google Play Store. The first
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Navigate to **Advanced settings** in the RiseupVPN menu, click **Always-on VPN** and follow the instructions. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps — see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Note that **Always-on VPN** and **Block connections without VPN** are enabled by default on GrapheneOS. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps — see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
Now we will delegate apps to the profiles they are needed in:
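Review bot: the new sentence asserts a default but removes the only navigation that let the reader find and confirm the Always-on VPN setting; keep a pointer to where the toggle lives so the default can be checked rather than trusted, and state that VPN configuration is per user profile, since the next paragraph delegates apps to secondary profiles that do not inherit the Owner profile's VPN. The sentence "From now on, the VPN will connect automatically when you turn on your phone" was a consequence of the removed manual step and now reads as unconditional; tie it to the VPN app having been selected as the always-on VPN.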
@ -141,9 +141,10 @@ Now we will delegate apps to the profiles they are needed in:
## Software That Isn't On the Play Store
Some apps are not on the Play Store, either because they're still in development or because they don't want users to have to interact with Google. The Play Store can be used to update apps, but if you download individual .apk files, you have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself), and you must [verify them yourself](https://github.com/soupslurpr/AppVerifier).
Some apps are not on the Play Store, either because they're still in development or because they don't want users to have to interact with Google. The Play Store can be used to update apps, but if you download individual .apk files, you have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself), and you must verify them yourself with a tool like [AppVerifier](https://github.com/soupslurpr/AppVerifier).
[Obtainium](https://www.privacyguides.org/en/android/#obtainium) is an app to keep track of which apks need to be updated, and it is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases) — `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't available in the Play Store, install Obtainium in the Owner user profile (and don't disable it). Use the same process as above to install apps into the Owner user profile, but through Obtainium, then disable the app and delegate it to a secondary profile. AppVerifier integrates with Obtainium so that prior to installation you can do a verification — AppVerifier can approve selected apps, or you can manually compare the apk's fingerprint to somewhere that the developer has published it. Unfortunately, apps obtained through Obtainium require manual updates — it will notify you when one is needed.
[Obtainium](https://www.privacyguides.org/en/android/#obtainium) is an app to keep track of which apks need to be updated, and it is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases) — `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't available in the Play Store, install Obtainium in the Owner user profile (and don't disable it). Use the same process as above to install apps into the Owner user profile, but through Obtainium, then disable the app and delegate it to a secondary profile. Unfortunately, apps obtained through Obtainium require manual updates — it will notify you when one is needed.
As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal without [Google software](https://github.com/mollyim/mollyim-android#free-and-open-source) and it is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium, press **Add App**, then copy the Github Releases URL.
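Review bot: deleting the AppVerifier sentence from the Obtainium paragraph removes the only description of what verification means here (comparing the apk's fingerprint with one the developer has published) and when to do it (prior to installation); the rewritten first paragraph now only says "verify them yourself with a tool like AppVerifier", which tells the reader nothing about what to compare against. Keep at least the clause "compare the apk's fingerprint to somewhere that the developer has published it" in the Obtainium paragraph. The unchanged trailing line also has "Obtanium" for Obtainium.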
@ -157,7 +158,7 @@ Many [banking apps](https://grapheneos.org/usage#banking-apps) will require Sand
A Wi-Fi only smartphone doesn't require a service plan. As explained in [Kill the Cop in Your Pocket](/posts/nophones#bureaucracy), bureaucracies often require a phone number that can be called from a normal phone (without encryption). [VoIP](/glossary#voip-voice-over-internet-protocol) applications allow you to create a number and make calls over Wi-Fi rather than through cell towers. A phone number is also occasionally required to register for an application, and a VoIP number will usually work.
Some of the VoIP applications [that work on computers](/posts/nophones#bureaucracy) also work on smartphones. The [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) VoIP service can be paid for in Bitcoin, and it can be used with their [Cheogram app](https://cheogram.com/). There are also mobile-only paid options such as MySudo (although it only works in a [handful of countries](https://support.mysudo.com/hc/en-us/articles/360020177133-Why-isn-t-MySudo-working-in-my-country-)). A MySudo subscription can be purchased anonymously with [Google Play gift cards](https://support.google.com/googleplay/answer/3422734), but this is probably unnecessary if the point is to give the number to bureaucracies. MySudo requires Google Play Services.
Some of the VoIP applications [that work on computers](/posts/nophones#bureaucracy) also work on smartphones. The [jmp.chat](https://www.kicksecure.com/wiki/Mobile_Phone_Security#Phone_Number_Registration_Unlinked_to_SIM_Card) VoIP service can be paid for in Bitcoin, and it can be used with their [Cheogram app](https://cheogram.com/). There are also mobile-only paid options such as MySudo (although it only works in a [handful of countries](https://support.mysudo.com/hc/en-us/articles/360019983274-Which-countries-are-supported-for-Sudo-phone-numbers)). A MySudo subscription can be purchased anonymously with [Google Play gift cards](https://support.google.com/googleplay/answer/3422734), but this is probably unnecessary if the point is to give the number to bureaucracies. MySudo requires Google Play Services.
# Tor
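Review bot: the "jmp.chat" anchor in the unchanged first sentence of this paragraph links to a kicksecure wiki section rather than to the service itself, so a reader clicking the service name lands on a third-party page; link the service directly and cite the wiki separately. The MySudo URL swap itself is fine: the "Which countries are supported for Sudo phone numbers" article matches the anchor text "handful of countries" better than the old "Why isn't MySudo working in my country" article did.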
@ -182,7 +183,7 @@ In all profiles:
* Leave the Global Toggles for Bluetooth, location, camera access, and microphone access disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
* In the "Messaging" app, disable **Settings → Advanced → Auto-retrieve**
* Many applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos" because it will have access to all of your pictures. Instead, in the Files app, long-press to select the picture, and then share it with Signal.
* When an app asks for storage permissions, select Storage Scopes. This will make the app think that it has all the storage permissions it is requesting, when in fact it has none.
* When an app asks for storage permissions, select [Storage Scopes](https://grapheneos.org/usage#storage-scopes). This will make the app think that it has all the storage permissions it is requesting, when in fact it has none. The same is true for [Contact Scopes](https://grapheneos.org/usage#contact-scopes).
# How to Backup
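Review bot: "when in fact it has none", kept from the old line and now extended to Contact Scopes, describes only the initial state; both features exist so that the user can then expose specific files or contacts to the app, which is how the Signal example two bullets up works without granting the full "photos and videos" permission. Suggest "...when in fact it only sees the files or contacts you explicitly add to its scope." The appended "The same is true for Contact Scopes" also lacks its trigger; spell out "When an app asks for contacts permission, select Contact Scopes" so the bullet parallels the storage case.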


@ -7,7 +7,7 @@ paginate_by = 5
<br>
<div class="column is-8 is-offset-2">
AnarSec is a resource designed to help anarchists navigate the hostile terrain of technology — defensive guides for digital security and anonymity, as well as offensive guides for hacking. All guides are available in zine format for printing and will be kept up to date.
AnarSec is a resource designed to help anarchists navigate the hostile terrain of technology — defensive guides for digital security and anonymity, as well as offensive guides for hacking. All guides are available in booklet format for printing and will be kept up to date.
## Defensive
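Review bot: the "zine" to "booklet" rename touches only this line; if other pages or the navigation still describe the same printable format as a "zine", the two terms will coexist and readers may take them for different artifacts. Check the rest of the site for the old term in the same change.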