mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-08-03 03:46:35 -04:00
write-protect switch improvements
parent
6ebbac8958
commit
91677225a1
3 changed files with 7 additions and 6 deletions
|
@ -71,7 +71,7 @@ GrapheneOS uses [gesture navigation](https://grapheneos.org/usage#gesture-naviga
|
|||
|
||||
# Auditor
|
||||
|
||||
In the post-installation instructions, **Hardware-based attestation** is the last step. The Auditor app included in GrapheneOS uses hardware security features to monitor the integrity of the device's firmware and software. This is critical because it will alert you if the device is maliciously tampered with. The Auditor app must be configured immediately after GrapheneOS is installed, before any Internet connection is made.
|
||||
In the post-installation instructions, **Hardware-based attestation** is the last step. The Auditor app included in GrapheneOS uses hardware security features to monitor the integrity of the device's firmware and OS software. This is critical because it will alert you if the device is maliciously tampered with. Note that Auditor doesn't necessarily check whether the user-level apps running on your device are malicious. The Auditor app must be configured immediately after GrapheneOS is installed, before any Internet connection is made.
|
||||
|
||||
How does it work? Your new device is the *auditee*, and the *auditor* can be either another instance of the Auditor app on a friend's phone or the [Remote Attestation Service](https://attestation.app/); we recommend doing both. The *auditor* and *auditee* pair to create a private key, and if the *auditee's* operating system is tampered with after the pairing is complete, the *auditor* will be alerted.
|
||||
|
||||
|
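Review bot: The added sentence "Note that Auditor doesn't necessarily check whether the user-level apps running on your device are malicious" hedges with "doesn't necessarily", while the sentence just before it still promises an alert "if the device is maliciously tampered with". A reader can still take that promise to cover a malicious app. Suggest narrowing the earlier sentence to match the new scope, for example "it will alert you if the device's firmware or OS is maliciously tampered with", and stating the limitation without the hedge. That would also match the context paragraph below, which already says the alert fires when the "*auditee's* operating system is tampered with". Separately, this wording change is not covered by the commit message "write-protect switch improvements"; consider mentioning it there or splitting it out.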
@ -165,12 +165,13 @@ You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if
|
|||
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to a more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
|
||||
* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
|
||||
* [Owner user profile] **Settings → Security → USB-C Port:** [Charging-only](https://grapheneos.social/@GrapheneOS/112204446073852302)
|
||||
* Many applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos" because it will have access to all of your pictures. Instead, in the Files app, long-press to select the picture, and then share it with Signal.
|
||||
* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile - apps installed in a secondary user profile delegated from the Owner profile will still be updated.
|
||||
* [Owner user profile] **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
|
||||
* When an app asks for storage permissions, select Storage Scopes. This will make the app think that it has all the storage permissions it is requesting, when in fact it has none.
|
||||
* In the "Messaging" app, disable **Settings → Advanced → Auto-retrieve**
|
||||
* It is convenient to be able to receive notifications from any user profile:
|
||||
* [Owner user profile] **Settings → System → Multiple users:** Send notifications to current user (enabled)
|
||||
* Many applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos" because it will have access to all of your pictures. Instead, in the Files app, long-press to select the picture, and then share it with Signal.
|
||||
* When an app asks for storage permissions, select Storage Scopes. This will make the app think that it has all the storage permissions it is requesting, when in fact it has none.
|
||||
|
||||
# How to Backup
|
||||
|
||||
|
|
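Review bot: The new bullet "**Settings → Security → USB-C Port:** Charging-only" gives the setting and a link but no reason, unlike the neighbouring bullets (automatic reboot, Global Toggles), which each say what the setting protects against. Suggest adding a short clause on what Charging-only prevents so the reader does not have to follow the link to decide whether it applies to them. Also, the "Many applications allow you to 'share' a file" and "When an app asks for storage permissions, select Storage Scopes" bullets appear at two positions in this hunk; if this is a move, please confirm the old copies at the end of the list are removed so the rendered page does not carry both.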