From b0830edb4a6bb4a4044e4aa57751b80cfa9ab6f0 Mon Sep 17 00:00:00 2001
From: fria <138676274+friadev@users.noreply.github.com>
Date: Tue, 24 Dec 2024 14:08:16 +0000
Subject: [PATCH] update!: Remove Hypatia, DivestOS, and Mull in light of support ending (#2839)
Signed-off-by: blacklight447
Signed-off-by: Mare Polaris <15004290+ph00lt0@users.noreply.github.com>
Signed-off-by: Freddy
---
 docs/android/distributions.md | 43 ------------------
 docs/device-integrity.md | 40 -----------------
 docs/mobile-browsers.md | 44 -------------------
 docs/tools.md | 10 -----
 theme/assets/img/android/divestos.svg | 1 -
 theme/assets/img/browsers/mull.svg | 1 -
 .../img/device-integrity/hypatia-dark.svg | 1 -
 theme/assets/img/device-integrity/hypatia.svg | 1 -
 8 files changed, 141 deletions(-)
 delete mode 100644 theme/assets/img/android/divestos.svg
 delete mode 100644 theme/assets/img/browsers/mull.svg
 delete mode 100644 theme/assets/img/device-integrity/hypatia-dark.svg
 delete mode 100644 theme/assets/img/device-integrity/hypatia.svg
diff --git a/docs/android/distributions.md b/docs/android/distributions.md
index af5bfe76..2fd43ee4 100644
--- a/docs/android/distributions.md
+++ b/docs/android/distributions.md
@@ -19,17 +19,6 @@ schema:
 "@context": http://schema.org
 "@type": WebPage
 url: "./"
- - "@context": http://schema.org
- "@type": CreativeWork
- name: Divest
- image: /assets/img/android/divestos.svg
- url: https://divestos.org/
- sameAs: https://en.wikipedia.org/wiki/DivestOS
- subjectOf:
- "@context": http://schema.org
- "@type": WebPage
- url: "./"
 robots: nofollow, max-snippet:-1, max-image-preview:large
 ---
 Protects against the following threat(s): 
@@ -70,38 +59,6 @@ By default, Android makes many network connections to Google to perform DNS conn
 If you want to hide information like this from an adversary on your network or ISP, you **must** use a [trusted VPN](../vpn.md) in addition to changing the connectivity check setting to **Standard (Google)**. It can be found in :gear: **Settings** → **Network & internet** → **Internet connectivity checks**. This option allows you to connect to Google's servers for connectivity checks, which, alongside the usage of a VPN, helps you blend in with a larger pool of Android devices.
-### DivestOS
-
-If GrapheneOS isn't compatible with your phone, DivestOS is a good alternative. It supports a wide variety of phones with *varying* levels of security protections and quality control.
-
-
-
-![DivestOS logo](../assets/img/android/divestos.svg){ align=right }
-
-**DivestOS** is a soft-fork of [LineageOS](https://lineageos.org).
-DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](../os/android-overview.md#verified-boot) on some non-Pixel devices. Not all supported devices support verified boot or other security features.
-
-[:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
-[:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
-[:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title="Documentation" }
-[:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
-[:octicons-heart-16:](https://divested.dev/pages/donate){ .card-link title="Contribute" }
-
-
-
-The [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) of firmware updates in particular will vary significantly depending on your phone model. While standard AOSP bugs and vulnerabilities can be fixed with standard software updates like those provided by DivestOS, some vulnerabilities cannot be patched without support from the device manufacturer, making end-of-life devices less safe even with an up-to-date alternative ROM like DivestOS.
-
-DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [control-flow integrity](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates.
-
-DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
-
-DivestOS implements some system hardening patches originally developed for GrapheneOS. 
DivestOS 16.0 and higher implements GrapheneOS's `INTERNET` and `SENSORS` permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://grapheneos.org/usage#exec-spawning), Java Native Interface [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features per-network full MAC address randomization, [`ptrace_scope`](https://kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, automatic reboot, and Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features#attack-surface-reduction).
-
-DivestOS uses F-Droid as its default app store. We normally [recommend avoiding F-Droid](obtaining-apps.md#f-droid), but doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repository, [DivestOS Official](https://divestos.org/fdroid/official). For these apps you should continue to use F-Droid **with the DivestOS repository enabled** to keep those components up to date. For other apps, our recommended [methods of obtaining them](obtaining-apps.md) still apply.
-
-DivestOS replaces many of Android's background network connections to Google services with alternative services, such as using OpenEUICC for eSIM activation, NTP.org for network time, and Quad9 for DNS. These connections can be modified, but their deviation from a standard Android phone's network connections could mean it is easier for an adversary on your network to deduce what operating system you have installed on your phone. If this is a concern to you, consider using a [trusted VPN](../vpn.md) and enabling the native VPN [kill switch](../os/android-overview.md#vpn-killswitch) to hide this network traffic from your local network and ISP. 
- ## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](../about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/docs/device-integrity.md b/docs/device-integrity.md index 9c7b5fd6..f71fdb18 100644 --- a/docs/device-integrity.md +++ b/docs/device-integrity.md @@ -187,43 +187,3 @@ It is important to note that Auditor can only effectively detect changes **after No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. - -## On-Device Scanners - -Protects against the following threat(s): - -- [:material-bug-outline: Passive Attacks](basics/common-threats.md#security-and-privacy){ .pg-orange } - -These are apps you can install on your device which scan your device for signs of compromise. - -
-

Warning

- -Using these apps is insufficient to determine that a device is "clean", and not targeted with a particular spyware tool. - -
- -### Hypatia (Android) - -
- -![Hypatia logo](assets/img/device-integrity/hypatia.svg#only-light){ align=right } -![Hypatia logo](assets/img/device-integrity/hypatia-dark.svg#only-dark){ align=right } - -**Hypatia** is an open source real-time malware scanner for Android, from the developer of [DivestOS](android/distributions.md#divestos). It accesses the internet to download signature database updates, but does not upload your files or any metadata to the cloud (scans are performed entirely locally). - -[:octicons-home-16: Homepage](https://divestos.org/pages/our_apps#hypatia){ .md-button .md-button--primary } -[:octicons-eye-16:](https://divestos.org/pages/privacy_policy#hypatia){ .card-link title="Privacy Policy" } -[:octicons-code-16:](https://github.com/divested-mobile/hypatia){ .card-link title="Source Code" } -[:octicons-heart-16:](https://divested.dev/pages/donate){ .card-link title=Contribute } - -
-Downloads - -- [:simple-fdroid: F-Droid](https://f-droid.org/packages/us.spotco.malwarescanner) - -
- -
- -Hypatia is particularly good at detecting common stalkerware: If you suspect you are a victim of stalkerware, you should [visit this page](https://stopstalkerware.org/information-for-survivors) for advice. diff --git a/docs/mobile-browsers.md b/docs/mobile-browsers.md index d4e16839..5307081f 100644 --- a/docs/mobile-browsers.md +++ b/docs/mobile-browsers.md @@ -262,50 +262,6 @@ These options can be found in :material-menu: → :gear: **Settings** → **Lega This disables update checks for the unmaintained Bromite adblock filter. -## Mull (Android) - -
- -![Mull logo](assets/img/browsers/mull.svg){ align=right } - -**Mull** is a privacy oriented and deblobbed Android browser based on Firefox. Compared to Firefox, it offers much greater fingerprinting protection out of the box, and disables JavaScript Just-in-Time (JIT) compilation for enhanced security. It also removes all proprietary elements from Firefox, such as replacing Google Play Services references. - -[:octicons-home-16: Homepage](https://divestos.org/pages/our_apps#mull){ .md-button .md-button--primary } -[:octicons-eye-16:](https://divestos.org/pages/privacy_policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://divestos.org/pages/browsers#tuningFenix){ .card-link title="Documentation" } -[:octicons-code-16:](https://codeberg.org/divested-mobile/mull-fenix){ .card-link title="Source Code" } - -
-Downloads - -- [:simple-fdroid: F-Droid](https://f-droid.org/en/packages/us.spotco.fennec_dos) - -
- -
- -
-

Danger

- -Firefox (Gecko)-based browsers on Android [lack](https://bugzilla.mozilla.org/show_bug.cgi?id=1610822) [site isolation](https://wiki.mozilla.org/Project_Fission),[^1] a powerful security feature that protects against a malicious site performing a [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability))-like attack to gain access to the memory of another website you have open.[^2] Chromium-based browsers like [Brave](#brave) will provide more robust protection against malicious websites. - -
- -[^1]: This should not be mistaken for [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) (or dynamic [first party isolation](https://2019.www.torproject.org/projects/torbrowser/design/#identifier-linkability)), where website data such as cookies and cache is restricted so that a third-party embedded in one top-level site cannot access data stored under another top-level site. This is an important privacy feature to prevent cross-site tracking and **is** supported by Firefox on Android. -[^2]: GeckoView also [does not](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196) take advantage of Android's native process sandboxing by using the [isolatedProcess](https://developer.android.com/guide/topics/manifest/service-element#isolated) flag, which normally allows an app to safely run less trusted code in a separate process that has no permissions of its own. - -Enable DivestOS's [F-Droid repository](https://divestos.org/fdroid/official) to receive updates directly from the developer. Downloading Mull from the default F-Droid repo will mean your updates could be delayed by a few days or longer. - -Mull enables many features upstreamed by the [Tor uplift project](https://wiki.mozilla.org/Security/Tor_Uplift) using preferences from [Arkenfox](desktop-browsers.md#arkenfox-advanced). Proprietary blobs are removed from Mozilla's code using the scripts developed for Fennec F-Droid. - -### Recommended Mull Configuration - -We would suggest installing [uBlock Origin](browser-extensions.md#ublock-origin) as a content blocker if you want to block trackers within Mull. - -Mull comes with privacy protecting settings configured by default. You might consider configuring the **Delete browsing data on quit** options in Mull's settings if you want to close all your open tabs when quitting the app automatically, or clear other data such as browsing history and cookies automatically. 
- -Because Mull has more advanced and strict privacy protections enabled by default compared to most browsers, some websites may not load or work properly unless you adjust those settings. You can consult this [list of known issues and workarounds](https://divestos.org/pages/broken#mull) for advice on a potential fix if you do encounter a broken site. Adjusting a setting in order to fix a website could impact your privacy/security, so make sure you fully understand any instructions you follow. - ## Safari (iOS) On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so a browser like [Brave](#brave) does not use the Chromium engine like its counterparts on other operating systems. diff --git a/docs/tools.md b/docs/tools.md index 90c4d7d2..c159553d 100644 --- a/docs/tools.md +++ b/docs/tools.md @@ -84,14 +84,6 @@ For more details about each project, why they were chosen, and additional tips o - [Read Full Review :material-arrow-right-drop-circle:](mobile-browsers.md#cromite-android) -- ![Mull logo](assets/img/browsers/mull.svg){ .lg .middle .twemoji } **Mull (Android)** - - --- - - **Mull** is a Firefox-based browser for Android centered around privacy and removing proprietary components. - - - [Read Full Review :material-arrow-right-drop-circle:](mobile-browsers.md#mull-android) - - ![Safari logo](assets/img/browsers/safari.svg){ .lg .middle .twemoji } **Safari (iOS)** --- @@ -626,7 +618,6 @@ For encrypting your OS drive, we typically recommend using the encryption tool y
- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji loading=lazy }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji loading=lazy } [GrapheneOS](android/distributions.md#grapheneos) -- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji loading=lazy } [DivestOS](android/distributions.md#divestos)
@@ -707,7 +698,6 @@ These tools may provide utility for certain individuals. They provide functional - ![MVT logo](assets/img/device-integrity/mvt.webp){ .twemoji loading=lazy } [Mobile Verification Toolkit](device-integrity.md#mobile-verification-toolkit) - ![iMazing logo](assets/img/device-integrity/imazing.png){ .twemoji loading=lazy } [iMazing (iOS)](device-integrity.md#imazing-ios) - ![Auditor logo](assets/img/device-integrity/auditor.svg#only-light){ .twemoji loading=lazy }![Auditor logo](assets/img/device-integrity/auditor-dark.svg#only-dark){ .twemoji loading=lazy } [Auditor (Android)](device-integrity.md#auditor-android) -- ![Hypatia logo](assets/img/device-integrity/hypatia.svg#only-light){ .twemoji loading=lazy }![Hypatia logo](assets/img/device-integrity/hypatia-dark.svg#only-dark){ .twemoji loading=lazy } [Hypatia (Android)](device-integrity.md#hypatia-android) diff --git a/theme/assets/img/android/divestos.svg b/theme/assets/img/android/divestos.svg deleted file mode 100644 index 38d8520c..00000000 --- a/theme/assets/img/android/divestos.svg +++ /dev/null @@ -1 +0,0 @@ - diff --git a/theme/assets/img/browsers/mull.svg b/theme/assets/img/browsers/mull.svg deleted file mode 100644 index 485adc39..00000000 --- a/theme/assets/img/browsers/mull.svg +++ /dev/null @@ -1 +0,0 @@ - diff --git a/theme/assets/img/device-integrity/hypatia-dark.svg b/theme/assets/img/device-integrity/hypatia-dark.svg deleted file mode 100644 index f18d66a2..00000000 --- a/theme/assets/img/device-integrity/hypatia-dark.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/theme/assets/img/device-integrity/hypatia.svg b/theme/assets/img/device-integrity/hypatia.svg deleted file mode 100644 index 99c06be6..00000000 --- a/theme/assets/img/device-integrity/hypatia.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file