Badness Enumeration

Tommy 2022-07-27 09:37:53 -04:00 committed by GitHub
parent c4974c7ac2
commit ddc0451884
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
29 changed files with 57 additions and 21 deletions


@ -11,7 +11,7 @@ Android is a very secure and robust operating system out of the box. This post w
### Recommended Phones
![Google Store](/google-store.png)
![Google Store](/images/google-store.png)
Google Pixel phones are the **only** devices I would recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
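Review bot: The new reference `/images/google-store.png` is still a root-absolute path hard-coded in the Markdown, so this line (and the identical pattern in every other hunk) breaks if the site is ever served from a sub-path or the image directory moves again. Consider a page-relative path, or one helper supplied by the site generator if it offers one, so the prefix lives in a single place. Also confirm that the image files themselves move to `/images/` in this same commit; the visible hunks only show the references changing.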
@ -24,11 +24,11 @@ You should also avoid buying the /e/ OS phones (sometimes branded as the Murena
You should also be very wary of low quality privacy branded phones like the Freedom Phone, BraX2 Phone, Volta Phone, and the like. These are cheap Chinese phones with the [Mediatek Helio P60](https://i.mediatek.com/p60) from 2018, which has already reached end-of-life or is near end-of-life. Needless to say, you should also avoid any vendor who claims they are Zero-day proof like this:
![Volta phone](/volta-phone.png)
![Volta phone](/images/volta-phone.png)
## Android-based Operating Systems
![GrapheneOS Aurora](/grapheneos-aurora.jpg)
![GrapheneOS Aurora](/images/grapheneos-aurora.jpg)
In certain cases, installing a custom Android-based operating system can help increase your privacy and security. This is rather tricky; however, as the vast majority of these operating systems (a.k.a. "custom ROMs") do exactly the opposite - breaking the Android security model, ruining your security while providing no or dubious privacy benefits.
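Review bot: The alt text on the changed Volta line is only `Volta phone`, yet the preceding sentence ends with "like this:" and depends on the image to show the vendor's zero-day-proof claim. While this line is being edited, make the alt text state what the screenshot shows so the sentence still makes sense when the image fails to load or is read by a screen reader.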
@ -63,7 +63,7 @@ Quite a few applications allow you to "share" a file with them for media upload.
If you are using GrapheneOS, you should utilize the Storage Scopes feature to force apps that request broad storage access permission to function with scoped storage.
![VLC Storage Scopes](/vlc-storage-scopes.png)
![VLC Storage Scopes](/images/vlc-storage-scopes.png)
## User Profiles
@ -115,7 +115,7 @@ If you are using a device with Google services, either your stock operating syst
### Enroll in the Advanced Protection Program
![Advanced Protection Program](/advanced-protection-program.png)
![Advanced Protection Program](/images/advanced-protection-program.png)
If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO2](/knowledge/multi-factor-authentication/#fido2-fast-identity-online) support.
@ -150,6 +150,6 @@ On Android distributions with privileged Google Play Services (such as stock OSe
- **Settings****Google** → **Ads**
- **Settings****Privacy** → **Ads**
![Ads=id](/ads-id.png)
![Ads=id](/images/ads-id.png)
You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.
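Review bot: The alt text `Ads=id` on the changed image line looks like a typo (probably meant as `Ads ID`) and is carried over unchanged into the new `/images/ads-id.png` reference; fix it while the line is being touched. The two context bullets above it also read `**Settings****Google**` and `**Settings****Privacy**` with no separator between the first two items, unlike the `→` used before **Ads**, which is worth checking in the source file.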


@ -18,7 +18,7 @@ When choosing a custom Android-based operating system, you should make sure that
### Verified Boot
![Verified Boot](/verified-boot.png)
![Verified Boot](/images/verified-boot.png)
[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
@ -66,14 +66,14 @@ In order for a system to be secure, it must have SELinux in Enforcing mode, acco
Unfortunately, many custom Android-based operating system builds (especially unofficial LineageOS builds) disables SELinux or set it into Permissive mode. You can check whether SELinux is in enforcing mode or not by executing `getenforce` in the ADB shell (the expected output is `Enforcing`). You should avoid any Android-based operating system builds that do not have SELinux in enforcing mode at all cost.
![ADB SELinux](/adb-selinux.png)
![ADB SELinux](/images/adb-selinux.png)
## Recommended Android-Based Operating Systems
Currently, I am only aware of two Android-based operating systems that should be used over the stock operating systems:
### GrapheneOS
![GrapheneOS Aurora](/grapheneos-aurora.jpg)
![GrapheneOS Aurora](/images/grapheneos-aurora.jpg)
[GrapheneOS](https://grapheneos.org) is the **only** custom Android-based operating system you should buy a new phone for. It provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements over the stock operating system from Google. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security feature](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
@ -83,7 +83,7 @@ Because GrapheneOS does not grant any Google Apps and Services apart from the op
Recently, GrapheneOS has also added the [Storage Scopes](https://grapheneos.org/usage#storage-access) feature, allowing you to force apps that request broad storage access permission to function with scoped storage. With this new feature, you no longer have to grant certain apps access to all of your media or files to use them anymore.
![VLC Storage Scopes](/vlc-storage-scopes.png)
![VLC Storage Scopes](/images/vlc-storage-scopes.png)
Currently, Google Pixel phones are the only devices that meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).


@ -15,7 +15,7 @@ For frozen distributions, package maintainers are expected to backport patches t
In fact, in certain cases, there have been vulnerabilities introduced by Debian because of their patching process. [Bug 1633467](https://bugzilla.mozilla.org/show_bug.cgi?id=1633467) and [Bug 1679430](https://bugzilla.mozilla.org/show_bug.cgi?id=1679430) are examples of this.
![Upstream / Distros Gap](/upstream-distros-gap.png)
![Upstream / Distros Gap](/images/upstream-distros-gap.png)
Holding packages back and applying interim patches is generally not a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
@ -74,7 +74,7 @@ Here is a quick non authoritative list of distributions that are generally bette
### Fedora Workstation
![Fedora](/fedora-screenshot.png)
![Fedora](/images/fedora-screenshot.png)
[Fedora Workstation](https://getfedora.org/en/workstation/) is a great general purpose Linux distribution, especially for those who are new to Linux. It is a semi-rolling release distribution. While some packages like GNOME are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.


@ -5,7 +5,7 @@ tags: ['Operating Systems', 'Qubes OS', 'Anonymity', 'Privacy']
author: Tommy
---
![Lokinet](/lokinet.png)
![Lokinet](/images/lokinet.png)
[Lokinet](https://lokinet.org) is an Internet overlay network utilizing onion routing to provide anonymity for its users, similar to Tor network. This post will provide a quick (and non exhaustive) list of its [pros](#advantages) and [cons](#disadvantages) from an end user perspective and go over how to set it up on Qubes OS.
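Review bot: The subject line "Badness Enumeration" does not describe what this hunk, or any other visible hunk, does: each one only repoints an image from the site root to `/images/`, here `/lokinet.png` to `/images/lokinet.png`. With 29 files changed, 57 additions and 21 deletions, the commit appears to combine that path migration with other content. Splitting the image move into its own commit, or at least naming it in the message body, would make the history easier to review and to revert.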