Privacy On Phone

Brax’s phone is an overpriced Android with a custom ROM that you can easily install yourself, if I’m not mistaken.

Ordering a pre-setup privacy phone, especially if they add their own tweaks, just adds more to trust issues to me.

1 Like

Hello everyone, I am in the process of setting up a new phone with GrapheneOS and in doing so I am reviewing how I manage the applications I use, in terms of security and privacy best practices (trying to meet my own personal requirements).

So far, I have always used a combination of F-Droid and Aurora Store but I have recently stumbled upon the following pages that basically do not recommend to use F-Droid:

I am still crashing my head trying to understand what the implications of the issues discussed in these articles are. I tried to find additional information here and on the privacyguides.org and GrapheneOS forums, but I could not find any in-depth discussion rebutting or confirming the issues.

I would really appreciate if somebody could help me understand how critical and concrete are the issues discussed in the articles, and let me know if there are corrective fixes being worked on for F-Droid (client and repository).

I would stop here, but one more thing. I am a bit puzzled by the conclusions the articles seem to offer:

  • use the Play Store, as Google supposedly has the best security practice in place; but that would mean trusting Google and that it is not “tampering” with the apps (could that be a thing?)
  • manually get the apps directly from the developers, by regularly checking for updates on their release page e.g. via RSS; but I am failing to understand how this method, clumsy and not so practical to less technical people as it seems, could foster security best practices; furthermore, that would mean trusting still the builds from the developers and the hosting repositories infrastructure (github, gitlab, …)

Is this reasoning of mine so flawed?

Many thanks!

In the recent past Graphene developers were hostile to F-Droid, so do take that one article (because you have 3 links with the same content actually?) with a grain of salt or more.

2 Likes

I’ve merged this here, read from Privacy On Phone - #99 by gallegonovato and below

@smoking_cheese_n3
Sorry to give you bad news BUT the “critical and concrete” is Google itself. If you understand and have cognizance on what IT do and how , you will decide more accurately what to do. Protect and block a system developed with some purpose in mind took time and efforts and is not completely achievable.
Apart from the articles that you can read around the net, try to expand your point of view to make decisions more aware.

privacyguides.org is under or at least connected with GitHub and GitHub was acquired by Microsoft in late 2018. We all know how obvious Microsoft also hates users’ freedom and is setting up traps around Apple and Google trying to catch more of their fleeing users.

1 Like

@Silvershade
F-Droid uses GitLab.com for source code, test builds, and project management hosting…

GitLab.com:

F-Droid also has additional CI runners hosted on Microsoft Azure: apply for Azure credits to open source projects (#296) · Issues · F-Droid / admin · GitLab

Is F-Droid too therefore evil and also “connected” to the big bad Google/Microsoft/Cloudflare?
(Hint: the answer is no)

Seriously that is a pointless argument to make regarding privacyguides.org somehow being under control of Microsoft.

And to be clear I don’t agree at all with the recommendations to use Play instead of F-Droid.

2 Likes

Even there are Google related sites that still will tell you reasons to stay away from F-Droid but Microsoft is becoming more aggressive. I wouldn’t be surprised how Microsoft commands Github turns out pretty much the same as Elon Musk is doing to Twitter. Always a matter of time for desperate measures.

Plus from what I read in that privateguide site’s forum, I don’t see much discussion for software freedom, just about private even they might be confusing for private with security.

I suppose you studied “set theory” so correct your assertion by yourself. If is not enough look also at “fallacies”. Or Dunning Kruger effect. Etc.
Someone would spend billion for no reason? Doh…
The ugly stuff is that we should admit to ourselves that we are failing and is also our responsibility.
To be not responsible of what we say or what we do is one of the first mechanism of surviving, together with lies. (this is usually applied to monkeys called human)

Just my dime on this one.
Individual and his/her responsibility to take action. Society can say and push for whatever they wish. Things under self control can be worked ON and otherwise just go with the flow.
No use fighting or dragging Monkeys in here, or even pulling up some sort of citation. Remember, a fight or argument is only good till it is civil.

I’ll do my best to “remember” it, thanks father.

At least 2 of those articles are written by people who develop for Graphene.

Before using GrapheneOS, you should consider this:

Trusting developer is the most important thing when it comes to choosing a rom, especially if you are not building yourself. But even if you are building yourself, an entire OS, even if open source, cannot be fully audited, because of literally millions of lines of code. Even if someone tried such an audit, it would take years not to mention expenses, and by the time such audit is complete, the OS becomes obsolete. So, relying on developers is paramount.

With that in mind, let’s take a look at the intro, Graphene puts on every social media be it Twitter, Disqus, Matrix, Reddit or their own website:

“GrapheneOS is a privacy and security focused mobile OS with Android app compatibility”

The message is: We have a new Mobile OS for you, Android junkies. But wait, there is more: you can use your favorite Android apps on our OS.

Beg your pardon?! “Our OS is compatible with Android apps”?! GrapheneOS IS Android. That’s why it is compatible with Android apps. The above intro is not only wrong, it is deceptive, as GrapheneOS developers know well their OS is Android.

1 Like

Last part makes much sense as you put it, but not sure why people go for Graphene? It is é os again and privacy does not mean going into trapland again.

1 Like

There’s only one post actually that’s passed around…

Those articles touch on some things we could do better, but also get some essential facts wrong. F-Droid contributors are aware of those articles but they do not point out any critical security issues. You don’t have to take our word for it, you can read the code and audits. We’ll be publishing the results of another one soon. It is important to note that those articles all come from the same small group of people that are involved with GrapheneOS. They also seem to put a lot of trust in Google, where a central goal of F-Droid is to reduce the amount of trust needed to run our service. For example:

GrapheneOS do good hardening work, but don’t seem to understand other key parts of building a secure ecosystem. For example, Daniel Micay deliberately burned the signing keys for CopperheadOS when he was lead dev, thereby locking all users out of ever getting updates again. That is especially bad if the private key was compromised. That means only the person who stole the private key can provide updates. He now controls the official signing keys of GrapheneOS, so keep that in mind. It could be worthwhile to find another source of signed builds. I think GrapheneOS is technically interesting for very specific use cases where there is no app store, e.g. a device that includes Signal and DeltaChat, with no additional apps or method for installing other apps.

I have nothing against their project or work, but they have not treated F-Droid contributors respectfully. I’ve heard from a number of other Android ROM developers that they also have been treated badly by GrapheneOS contributors.

4 Likes

Rings word by word true. I no longer have those chats, else would have shared a few excerpts from it. But yeah, CHOS and GOS have that. I was an interim developer and maintainer for an OS a couple of years back for 4-6 releases, and I know what I felt on it.

Anyways, privacy is weirdly read very differently worldwide and its definition differs a lot, but the main SCOPE remains unhinged.

“I have nothing against their project or work, but they have not treated F-Droid contributors respectfully. I’ve heard from a number of other Android ROM developers that they also have been treated badly by GrapheneOS contributors.”

GrapheneOS treats everybody, who they disagree with, badly.

Moreover, on Reddit, they have their own moderators in PrivacyGuides and Degooglingwith threads, who basically remove any critical posts within minutes. In addition, both threads actively promote Graphene.

As a result the credibility of these 2 threads has been destroyed. They have simply turned into a marketing tool for GrapheneOS, which in turn makes one wonder about the credibility of the project itself.

3 Likes

GrapheneOS treats everybody, who they disagree with, badly.

You’re not wrong, but everybody is a lot.

The list of targets is long,

started when the leader was younger,

https://topic.alibabacloud.com/a/a-rust-member-left-daniel-micay-in-font-classtopic-s-color00c1dedisappointmentfont-rustmicay_1_11_32482972.html

had difficulties years ago,

and the list gets longer and longer today,

sadly.

2 Likes

Good afternoon:

Privacy itself, we will never have it again.

Since we give our data left and right.

It’s like carrying our ID, driving license, medical data, etc… in our mobiles. If everything is connected and has telemetry, everything will be sent to know where, and we will never have control over them.

Every day new news comes out that more and more devices are always listening to us, and sending our data. Incognito mode also has many security and privacy gaps. Or even being constantly monitored by cameras everywhere. And many, many more things.

And people see it as normal. They take your cash, they say for security and so on. But then you become number one, which is more controlled than anything else in this world.

But we see everything as normal, and nothing happens.

GrapheneOS is not the panacea in privacy either. If you say it is better to use Google Store, or after all that has already been discussed in this topic.

Best regards and HAPPY 2023

He is now ‘good-mouthing’ Google, because he is hoping to get attestation for his OS. Good luck…

In my view, although not a bad developer, he has a disgusting personality and very low credibility: I would never trust a dev who spends his time attacking others.

P.S. Oh, and by the way, he has a ‘brand new OS’ with an added bonus: IT IS COMPATIBLE WITH ANDROID APPS! LOL.