Good afternoon:
Brave Search is not a panacea; it has its issues: old URLs redirecting to new ones...
Yet another attack from GrapheneOS people (wonderfall is a known Matrix user of the project), made in order to then promote their own resources.
In short, we must swallow the idea of giving money to Google, directly or indirectly (second hand) by buying their devices, since any other option is ridiculously insecure.
They did it with:
- Linux phones, under the guise of their not having Android security features (bootloader, ARM TrustZone, Titan M chip, etc.), closed-source technologies that on the Pixel are mostly provided by Google.
There is a free implementation of the Titan M chip (OpenTitan), but for some reason Google is not interested in adding it to their devices.
So the keys and passwords are stored, in the case of GOS, on a closed-source chip that only Google knows.
For security, they say. Do you trust Google? I don’t.
The CalyxOS project and its microG for signature spoofing, whose team only allows it for the aforementioned microG component and not the rest of the system, promoting instead proprietary packages (sandboxed Play Services) that in audits (by CalyxOS people) generate many more connections than the former. And the thing is, malware in a sandbox is still malware…
The fact that a piece of software is open does not mean it is more secure (this is also an important issue for these groups).
As you well know, I don’t use microG, but at least its connections are documented and it is open-source technology.
I am of the opinion that any software or program is untrusted. That its code is visible/auditable at least gives you the option to look.
An argument against the above, promoted by closed-source supporters, is that this is impossible because of the large size of some projects; however, the current practice is not to audit the whole program as a whole but the commits that are added from the beginning, which is much simpler.
- Mozilla's browser and its lack of security on Android, highlighting that it has no “isolation” at all, which is a lie: Browsers - DivestOS Mobile
It only lacks Per-Site Process Isolation, as long as we enable privacy.firstparty.isolate in about:config.
- Any LineageOS ROM, because in many cases they do not have firmware updates (remembering that in GOS those same updates come from Google and are closed source), or because the open bootloader is a tremendous security hole (true in part, especially if someone has physical access to the device); nevertheless the bootloader in GOS is from Google, also proprietary code (to be honest they all are, except in Linux phones).
- In the FAQ of his website he says that Linux is insecure and that he expects to switch to a microkernel in the future (coincidentally, Fuchsia is…)
- And now it’s the turn of F-Droid, where they highlight its security problems and recommend the Google store, directly or through Aurora, or their own store in development.
As for the aforementioned F-Droid and said document, in summary:
- They mention F-Droid’s signing of packages, commenting that we need to add another trusted source.
The F-Droid team analyzes the APKs (in the source it says “in a rudimentary way”, although I don’t think so, but it is always improvable) to make sure they pass their evaluation criteria.
Then this website compares this practice to the keys stored in Google’s cloud for the Play Store (which I consider an added privacy issue).
To my knowledge, I have never read of a serious security issue with the F-Droid store.
They give Signal as an example, which refuses to get the app into F-Droid. This would be a matter for another debate, since they deliberately hide their APK on the web and urge you to use the Play Store.
On top of that, if you have a ROM without GApps they make you go through a Google reCAPTCHA, not to mention their connection to firebaseinstallation, whose blocking crashes the installation.
The Signal team argues, on the other hand, the delay in updates (something legitimate), and that they cannot have stats, crash reports, etc., that is, more data from their users.
- Compatibility with old APIs. The F-Droid team says it wants to support very old phones. The security problems this entails are undeniable, but they do not want to leave people who cannot or do not want to buy a phone without options, leaving those people without resources in the lurch. Technically, if these apps did not have access to the internet, the problem would be solved.
Again, security above all else.
- Lack of best practices. Being able to add repos is a security issue according to them. Certainly, but it also gives you that freedom, with all that it entails.
They mention TLS certificate pinning and give the Play Store as an example. It would be ideal if they implemented it, but they base their argument on the fact that since the Play Store has it (and the GOS apps repo) and F-Droid doesn’t, that’s another point against it.
- Or the obsolete “signature schemes” and PGP. I agree. The F-Droid team cites a lack of developers, a pity. I hope this will change, why deny it.
- Or the outdated version of F-Droid available. Its developers say it is for stability; they are a small team and prefer this to possible software bugs.
As soon as we update the repos new versions will appear, and if we also mark “unstable” this “problem” is mitigated.
- The misleading permissions method. There is not much to scratch here. They criticize that F-Droid gives more info about what applications can do and that this can overwhelm the user.
They put the Play Store as a “good example”…
- Conclusion according to them: use the Play Store, try Aurora but not with an anonymous account, or use the GOS repo with their apps, a mix of open and proprietary.
In short, it brings out the security issues of the platform and masks, softens or hides the privacy issues of the alternatives.
Personally, I will continue to use F-Droid.
Sorry for the long-windedness.
As you may have guessed, I don’t want to, nor do I feel like, trying GrapheneOS.
I could go into much more detail about the reasons, but I think it is becoming evident to many people that all that glitters is not gold.
However, don’t speak badly of them in forums or specialized privacy media, whether the criticism is constructive or not, because you will be banned (I have been).
It already seems quite hypocritical on my part to be promoting Android ROMs that give money to Google by boosting the value of their devices, not to mention their practices of discrediting other options, attacking them, and setting themselves up as the only option in mobile security and privacy.
As long as there is still F-Droid we will be safer. Then the rest will have us, or want to have us, more controlled through people’s lack of interest in their data. And so on. If not, look at the continuous connections on the web that go out to Google, Facebook, and others…
About search engines. I like:
https://search.snopyta.org/
Or https://searx.space/
Besides, I don’t know what they have in store for us in Europe with the 2030 agenda. Nothing good in terms of privacy. Otherwise, I don’t know why the EU is doing this: The EU launches its own ‘YouTube’ and its own ‘Twitter’ (based on Mastodon, which hasn’t stopped gaining users since Musk’s arrival).
You can also look at
By the way, and speaking of Chrome, you will like this.
https://contrachrome.com/
Below is a link to download it:
It’s a comic that highlights the privacy issues with Chrome and Google in general: A Google comic boasted about Chrome’s strengths in 2008. This new comic mocks its privacy now.
Since it doesn’t work, because there must be quite a few people looking at it, you have to pull it from archive.org (and/or download it) (it gives an error due to saturation): https://web.archive.org/web/20220401202242/https://contrachrome.com/ContraChrome_en.pdf
You can also look at LibreWolf vs Firefox: Comparing the Privacy Heroes of Open-Source Browsers
I’m sorry for the whole wall of text, but hearing about Graphe…
Thank goodness we have a WONDERFUL TEAM BEHIND FDROID, DIVESTED, DIVESTOS and LINEAGEOS.
A hug