Yeah, install Signal from F-Droid…oh…sorry…host your own…oh sorry. C’mon…
Install Conversations from F-Droid, and tell others to do it, and then Conversations will store image/video in user data instead of app data, leaving the files accessible to any other app.
Good afternoon:
Brave search is not the panacea, it has its things: Old URL, redirecting to new...
Nth attack from GrapheneOS people (wonderfall is a known Matrix user of the project) to then promote their own resources.
In short, we must swallow with the idea of giving money to Google, directly or indirectly (second hand) buying their devices, as any other option is ridiculously insecure.
They did it with:
- Linux phones under the guise of not having Android security features (bootloader, ARM TrustZone, Titan M chip, etc) closed source technologies and on the Pixel mostly provided by Google.
There is a free implementation of the Titan M chip (Opentitan) but for some reason Google is not interested in adding it to their devices.
So the keys and passwords are stored, in the case of GOS, on a closed source chip that only Google knows.
For security, they say do you trust Google? I don’t.
The CalyxOS project and its MicroG for signature spoofing, whose team only allows it for the aforementioned MicroG component and not the rest of the system, promoting instead proprietary packages (sandboxed Play Services) that in audits (by CalyxOS people) generate many more connections than the previous one. And it is that a malware in sandbox is still malware…
The fact that a software is open does not mean that it is more secure (it is also an important issue for these groups).
As you well know, I don’t use MicroG but at least its connections are documented and it is open source technology.
I am of the opinion that any software or program is untrusted. That its code is visible/auditable at least gives you the option to look.
An argument against the above, promoted by closed source supporters, is that this is impossible because of the large size of some projects but however the current practice is not to do it in the whole program as a whole but through the Commits that are added from the beginning which is much simpler.
Mozilla browser, and its lack of security on Android, highlighting that it has nothing of “isolation” which is a lie Browsers - DivestOS Mobile
It only lacks Per-Site Process Isolation, as long as we enable privacy.firstparty.isolate in about:config
- Any LineageOS ROM because in many cases they do not have firmware updates (remembering that the same in GOS are from Google and closed source) or that the open bootloader is a tremendous security hole (true in part, especially if someone has physical access to the device) but nevertheless the bootloader in GOS is from Google, also proprietary code (to be honest all are, except in Linux phones)
- In the FAQ of his website he says that Linux is insecure and that he expects to switch to a microkernel in the future (coincidentally Fuchsia is…)
- And now it’s the turn of F-Droid where they highlight its security problems, they recommend the Google store, directly or through Aurora, or their own store in development.
As for the aforementioned F-Droid and said document, in summary:
- They mention F-Droid signatures to packages commenting that we need to add another trusted source.
The F-Droid team analyzes the apks, in the source it says in a rudimentary way, although I don’t think so but it is always improvable, to make sure they pass their evaluation criteria.
Then, this website compares this practice to the keys stored in Google’s cloud for the Play Store (which I consider an added privacy issue).
To my knowledge, I have never read of a serious security issue with the F-droid store.
They give Signal as an example, which refuses to get the app into F-Droid. This would give for another debate, when they deliberately hide their apk on the web and urge you to use the Play Store.
On top of that, if you have a ROM without gapps they make you go through a Google recaptcha, not to mention their connection to firebaseinstallation whose blocking crashes the installation.
The Signal team argues, on the other hand, the delay in the updates (something legitimate), that they cannot have stats, crash reports, etc, that is, more data from its users.
- Compatibility with old APIs. The F-Droid team says it wants to support very old phones. The security problems that this entails are undeniable, but they do not want to leave without possibilities people who cannot or do not want to buy a phone, leaving these people without resources in the lurch. Technically, if these apps do not have access to the internet, the problem would be solved.
Again, security above all else.
Lack of best practices. Being able to add repos is a security issue according to them. Certainly, but it also gives you that freedom, with all that it entails.
They mention TLS certificate pinning and give the Play Store as an example. It would be ideal if they implemented it, but they base their argument on the fact that since the Play Store has it (and the GOS apps repo) and they don’t, that’s another point against it.
Or the obsolete “signature schemes” and PGP. I agree. F-Droid team argues lack of developers, a pity. I hope this will change, why deny it.
- Or the outdated version of F-Droid available. Its developers comment that for stability. They are a small team and prefer this to possible software bugs.
As soon as we update repos new versions will be released, and if we mark also unstable this “problem” is mitigated.
- The misleading permissions method. There is not much to scratch here. They criticize that F-Droid gives more info about what applications can do and that can overwhelm the user.
They put as a “good example” the Play Store…
- Conclusion according to them. Use the Play Store, try Aurora but not with anonymous account or that we use the GOS repo with their apps, mix of open and proprietary.
In short, it brings out the security issues of the platform and masks, softens or hides the privacy issues of the alternatives.
Personally I will continue to use F-Droid
Sorry for the long-windedness.
As you may have guessed, I don’t want, nor do I feel like trying GrapheneOS.
I could go into much more detail about the reasons but I think it is starting to be evident to many people that all that glitters is not gold.
However, don’t talk bad about them in forums or specialized privacy media, whether they are constructive criticisms or not, because you will be banned (I have been).
It already seems quite hypocritical on my part to be pulling Android ROMs to give money to Google over revaluing their devices not to mention their practices discrediting other possibilities, attacking them, setting themselves up as the only option in security and mobile privacy.
As long as there is still fdroid we will be safer. Then the rest will have us or want to have more controlled by the lack of interest of the people of their data. And so on. If not look at the continuous connections on the web that come out of google, facebook, and others …
About search engines. I like it:
Besides, I don’t know what they have in store for us in Europe with the 2030 agenda. Nothing good in terms of privacy. Otherwise, I don’t know why the EU is doing The EU launches its own 'YouTube' and its own 'Twitter' (based on Mastodon, which keeps gaining users since Musk's arrival).
You can also look at
By the way, and speaking of Chrome, you will like this.
https://contrachrome.com/
Below is a link to download it:
It’s a comic that highlights the privacy issues with Chrome and Google in general: A Google comic boasted of Chrome's strengths in 2008. This new comic now laughs at its privacy
Since it doesn’t work, because there must be quite a few people looking at it, you have to pull it from archive.org (and/or download it): (gives error due to saturation) https://web.archive.org/web/20220401202242/https://contrachrome.com/ContraChrome_en.pdf
You can also look at LibreWolf vs Firefox: Comparing the Privacy Heroes of Open-Source Browsers
I’m sorry for the wall of text but to hear about Graphe…
Thank goodness we have a WONDERFUL TEAM BEHIND FDROID, DIVESTED, DIVESTOS and LINEAGEOS.
A hug
Tnx Galle for the contribution. Lots of this information is really difficult to find.
Good afternoon:
I think I got a little excited, but backwards when I read graphe…
I’m sorry for all the rambling and for my English. But my bilirubin went up without realizing it hahaha
A hug
You don’t trust your other apps? Why did you install them? Terrible decision you’ve made…
Like the post said, use a separate profile then, if you need some of those.
You do realize that a chat app means you have to chat with other people, and you can’t control what apps others install?
This is a basic feature that should have been done a long time ago, the developer just doesn’t want to implement it and said he has it as a low priority.
Really? then recommending Conversations is a low priority for me.
Just use Signal, and as much as it pains me, Element / Matrix
Just use Whatsapp then, same features that you like. Others can export your files anyway, you can’t deny that to them.
Anyway…
People already understand the difference between leaving it in the app and exporting it. (and export it encrypted as a backup is possible)
This is not an excuse for not implementing a high(should be) priority feature.
You know perfectly well that other apps like Signal and Telegram have it, even Monocles chat, a fork, has it although partially (no export)
Gotta choose your fights, and winners, yes. Centralized services are worse imho.
FYI, Conversations has a toggle that monocles uses (right?) but without export it’s pain, it’s hostile to the user, keeping data hostage. Just like centralized services want it…to make you dependant of them.
Centralized services are worse imho.
Except when one almost daily uses centralized, non-free Microsoft github, and Gitlab.
“Do as I say, not as I do” for you.
Indeed.
I’m guilty of that. git was great, then hiring managers “had” to see public GitHub, and now folks are jumping ship to GitLab as a compromise.
It’s hard to unravel the hosted services crap now. Colleges / Universities are steeped in Office365, and I guess I shouldn’t be surprised how many companies have GSuite now. iCloud doesn’t seem to be used outside personal use. Because so many institutions have handed over everything to Google / Microsoft’s “services”, it’s hard to escape as employees / students.
Good afternoon:
Neither Github nor Gitlab can be trusted. Since now many are escaping to Gitea or Codeberg.
After the messaging applications. No matter how encrypted the message is. Then if you upload the backup to Google, iCloud. Well… But even without uploading them if WhatsApp is so eager to accept the new terms of data transfer to Facebook … Well, the encryption will not be very reliable. But if not, the US and the EU already agree The EU and the US reach an agreement to be able to transfer personal data | Technology or The EU and the US agree to transfer personal data again, guaranteeing privacy
Besides, I don’t know at world level. But in other parts of the world mobile phone rates, usually have unlimited minutes of calls. Then use applications like whatsapp, which are anything but private or secure. If in addition almost the most searched for the network is: how can I enter the whatsapp or facebook of my partner, friend or so …
For example I like the way of Silence for sms. That if you send one encrypted and the other does not have the application. And even if you have it, if you don’t accept the encryption, everything comes out except the text.
Then on the web you see a lot of Google amp.
Or else they are already spying on us with Pegasus This is how Pegasus works, the spyware that puts Sánchez's coalition government in check
In the end they want us submissive and with everything from us. Watched by cameras and so on.
Or for example in Spain with covid. That was different the code of the application in the Google store. That in Github. But as far as privacy is concerned…
We will have to get to make carbon phones. Without camera, microphone, etc… Or even put a headset with the cable cut so that they do not hear you or others.
But that is the same as people do not read on the webs about cookies. Simply accept and that’s it. But if you read it, it comes out of everything…
For example using a firewall Afwall+ style that you can give or remove permission to access both wifi or data. It helps with privacy. And in strange connections to call it that way.
Which for example gives me a doubt. It is because even the customs room. In the phone application comes out of SIP calls. Because for example you look in App Manager and there is active.
What I do not know if in future versions of the application Fdroid. You could remove the Nearby option. Or do not have access to Bluetooth or NFC. This would already be a tipzo more for Fdroid.
Best regards
Yes, sad, right?
How many devs did you convince to move?
How many apps did you uninstall because of these reasons?
We can go on in circles, yet here we are trying to do our best of this situation.
Subject above was messaging, not F-Droid, bringing this into that helps this discussion how? Repeating the same things like Cpt. Obvious helps how?
How many devs did you convince to move?
Don’t know, obviously, but we can celebrate those who have: Known F/LOSS Development of F-Droid Apps
How many apps did you uninstall because of these reasons?
First step is acknowledging and identifying the problems. Unfortunately, F-Droid makes it take longer than it should, by ignoring it, not tagging it, or even dev site labeling links.
From this old list: Why use Github, why not use Savannah, others, or self-host?
Uninstalled: AntennaPod, DejaVu, Flym AND Feeder, Phyphox, Planisphere, Wifi Analyzer, QR Scanner,
Changed from Vanilla Music to VLC
Not yet: Editor by BilltheFarmer, Etar, Orbot, OsmAnd, Simple Draw, Simple Gallery, Survival Manual,
Next up: Change from Conversations to Monocles
Thanks for asking. I also separated free dev and non free dev apps on my home screen, as a reminder to look for replacements.
F-Droid alternative is on the list now.
We can go on in circles, yet here we are trying to do our best of this situation.
F-Droid was “clean” when it started on Gitorious. When it went along with, or got swept into, Gitlab, F-Droid took a wrong turn. This is not circling; it is going wrong directions, and setting bad examples. IMO.
messaging, not F-Droid, bringing this into that helps this discussion how?
When someone argues against centralized services in one area, but uses/pushes/works for them in another area, it detracts from their credibility.
Messaging specifically, it is related: Switch to Monocles, not Conversations. Support moving off centralized, privacy disrespecting, dis-services.
Repeating the same things like Cpt. Obvious helps how?
You remember Cpt. Obvious, don’t you. Honestly, I do take this daily reminder bit from RMS’ '22 State of Foss (rambling, chewing, annoyingly presented ) talk.
PS. It hurts my eyes seeing “login with (Microsoft) github” every login.
That’s not…wat?
Your list above says the same now?
You should support Conversations then, as monocles/blabber do not exist without it.
Link?
Us too, but FOSS devs are where they are. As said above, always push for better.
/LE: try to keep on topic. this change of subject midway of random threads is tiresome already.
Your list above says the same now?
Fair enough. At least I am aware of the problem AND do change in the “good” direction.
You should support Conversations then, as monocles/blabber do not exist without it.
This is slippery slope logic, which allows F-Droid to be comfortable with status quo. My view is I clearly cannot support Conversations, because it continues to use microsoft github, which I strongly dislike. I would support bounty programs to reward changing, but I cannot support it while on github.
My view is: Should I NOT support monocles also, because it relies on Conversations/Github? Similar to NOT supporting F-Droid because it relies on GitHub/Lab? I draw my line like this. Monocles developer does as much as one person or a small group possibly can, to be consistent with Foss philosophy; this I support. F-Droid group, as far as I can see, is trending in the wrong direction; this I do not support.
Link
Look for media goblin link here: https://www.fsf.org/events/rms-20220413-online
change of subject midway of random threads
Most threads wander before long, especially with topics as broad as “privacy on phone”. You may get tired of hearing it but it is not yet Cpt. Obvious to all.
It was just irony, recommending Signal on the F-Droid forum, see context: I've degoogled Signal Messenger - #19 by Licaon_Kter
Or read them all: https://forum.f-droid.org/search?q=signal
What’s the “normal text messaging” thing? SMS? IETF standard XMPP? What?
Link?
You can get the APK from their site, no Play needed, it even autoupdates.
The crypto thing? That has Onion routing that’s not Tor? That uses Google Push so it can’t yet be in F-Droid?
The app does that, no F-Droid involved. IIRC even Telegram has that.