GrapheneOS makes a lot of privacy improvements, not just security improvements.

A recent focus has been fixing difficult issues to prevent users being tracked via Wi-Fi. Android and other Linux-based OSes along with iOS, etc. have flaws preventing MAC randomization from working.
See grapheneos.org/features#graph… for an overview of the features added by GrapheneOS. This is a list of what we improve upon over Android 11.

It doesn't take credit for what Android provides, as is common elsewhere. That's even the case for features we participated in getting landed.
On Android and iOS you can be tracked across Wi-Fi networks, apps can use sensors to record coarse movement, location and audio information without a way to fully revoke it and the attempts at preventing cross-app tracking are very incomplete even across profiles. Lots more too.
We'll be releasing a few proof of concept apps demonstrating some of the privacy and security issues we address.

Also going to be making apps demonstrating many features provided by OS and app privacy/security features elsewhere do not really work such as firewall features.
We'll be publishing apps demonstrating , other firewall leaks, cross-profile identifier leaks, intercepting data intended for other apps via microG, a subset of Wi-Fi privacy leaks demonstrable through an app and other things. Will be able to test your OS.
The fine-grained firewall leak demonstration can essentially be a pastebin site implemented as an app sending arbitrary data to the server via DNS queries.

It's an easy way to demonstrate to users that their fine-grained firewall filtering and/or monitoring isn't really working.
Apps are using this as a way to send data to their servers. It's often hard to draw the distinction between malware and the most popular apps, if there is one.

It's clearly not enough to point out these things can be done and are being done. We'll be making a few little demos.
DNS queries go to the DNS resolver such as 1.1.1.1, 9.9.9.9, your ISP DNS, etc. Those send along the queries to the authoritative DNS servers chosen / run by sites. Being able to make a DNS query via system DNS is ultimately the ability to send any data to anyone, anywhere.

More from @GrapheneOS

29 May
Someone has been impersonating Bromite's (bromite.org) developer on Telegram. They convinced a bunch of room admins and a lot of people in the rooms. Once they had a couple trusted people convinced, they chained from them to everyone else. The web of trust at work...
This is a serious issue. They had the unofficial Bromite room and a bunch of other people convinced.

They were using the stolen identity to spread misinformation including attacking GrapheneOS in coordination with others. We intervened and then their false identity fell apart.
The username they were using was TheAntimatter. They appear to have started doing it right after csagan5 (Bromite's developer) left the platform.

They pretended they switched to a pseudonym to avoid harassment. Please be more skeptical. This unraveled fast from our intervention.
27 May
@ihackbanme @spoofyroot If the device is deeply compromised, how is this going to help you? Why would the attacker allow you to use an OS mechanism to analyze it?

Verified boot, attestation (via our Auditor app and attestation.app) and a sideloaded update are the only things countering them.
@ihackbanme @spoofyroot If you don't have meaningful verified boot, then they don't even need to exploit the OS every boot to maintain their deep level of persistent access.

If you have a way to grant persistent root access, you don't have meaningful verified boot for the OS accomplishing anything.
@ihackbanme @spoofyroot In the verified boot security model, persistent state is not trusted. If there's a way to grant root access to an application persistently or even to make it available to the user in the OS persistently then that compromise is permanent root access without exploitation each boot.
26 May
Freenode admins hijacked the #grapheneos and #grapheneos-offtopic channels due to us migrating to Matrix rooms:

gist.github.com/thestinger/eb9…

They removed our channel moderation privileges, changed the topic and set the channel to invite-only preventing users from joining/rejoining.
It justifies our urgent migration away from freenode.

Be careful what you say in private messages on freenode because the new admins can easily read them and may retaliate if you speak badly about them.

See arstechnica.com/gadgets/2021/0… and vice.com/en/article/m7e… for more details.
Please join #grapheneos:grapheneos.org and #grapheneos-offtopic:https://t.co/f02rVtJa8a via Matrix. Links to join via the Element web client:

app.element.io/#/room/#graphe…
app.element.io/#/room/#graphe…

Element (web, desktop or mobile) with matrix.org is one option.
4 Feb
If you're installing GrapheneOS or making a guide on it, please use either the official web installer (grapheneos.org/install/web) or CLI install guide (grapheneos.org/install/cli).

There are many out-of-date and/or inaccurate third party install guides. Many have dangerous advice.
If you do publish an unofficial guide, please address inaccuracies that are reported and keep it up to date. If you lack the time, please take it down and ask people to use either our web installer or official CLI guide instead.

Many people are being harmed by inaccurate guides.
Every day, multiple users come to our chat needing help after following one of the problematic unofficial guides.

They often have a soft bricked device and a mess on their computer to clean up. Some of these users end up hard bricking their devices.

It's totally unnecessary...
3 Feb
If you receive legal threats from Copperhead based on their fraudulent claims of ownership over our work please get in touch with us.

There's no basis to these claims and we're looking into providing protection for contributors and other open source projects via indemnification.
CopperheadOS was started by Daniel Micay in 2014 and he owns all of the code he wrote for it. He's a co-founder of Copperhead and still owns half of the company. He never assigned any copyright to Copperhead and work on the project was not done as an employee or as contract work.
It was explicitly agreed upon that the open source project would remain owned and controlled by Daniel Micay. It was explicitly agreed upon that there would be no copyright assignment.

Copperhead is trying to intimidate contributors to GrapheneOS and other open source projects.
2 Feb
If an app has the ability to perform arbitrary DNS queries via the OS, it can exfiltrate data to any party.

It can query encrypted-data.domain.tld to send data to an authoritative DNS server. No direct connection is ever required. It's being used in practice. Keep that in mind.
In general, granting network access provides the ability to exfiltrate data anywhere via the network. Fine-grained filtering is useful for harm reduction but doesn't provide what users expect from it. That includes using it in a stricter way than enumerating + blocking badness.
GrapheneOS has a coarse Network toggle blocking all direct access to the network and also preventing indirect access via APIs requiring the INTERNET permission.

Fine-grained filtering only filters direct access and there are a lot of issues like that DNS one. Doesn't work well.
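
Seen from the monitoring side, both the main thread's point about system DNS reaching any authoritative server and the `encrypted-data.domain.tld` pattern in the 2 Feb thread leave a trace in resolver logs: one app sending many distinct, long, high-entropy names under a single zone. The following is an added example, not code from GrapheneOS; the app names, domains, log layout and thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed (app, queried name) pairs standing in for per-app resolver logs.
SAMPLE_QUERIES = [
    ("com.example.weather", "api.weather.example"),
    ("com.example.weather", "cdn.weather.example"),
    ("com.example.weather", "api.weather.example"),
    ("com.example.notes", "www.notes.example"),
    ("com.example.notes", "k7q2m9x4b1z8r5t0w3yh.collector.example"),
    ("com.example.notes", "p3n8v1c6j0d5g2s9a4lf.collector.example"),
    ("com.example.notes", "u6e1h4o9i2w7y0b5k8tq.collector.example"),
    ("com.example.notes", "z0x5c2v7b4n9m1a6s3df.collector.example"),
]

def shannon_entropy(text):
    """Bits per character; encoded or encrypted payloads score high."""
    probs = [text.count(ch) / len(text) for ch in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(name, labels=2):
    # Assumption: the last two labels are the registered domain. Production
    # code should consult the Public Suffix List instead.
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])

def flag_dns_exfil(queries, min_unique=4, min_len=16, min_entropy=3.5):
    """Return (app, zone, count) where an app sent many distinct, long,
    high-entropy subdomains to one zone: data riding in the query name."""
    seen = defaultdict(set)
    for app, name in queries:
        zone = registered_domain(name)
        sub = name.rstrip(".").lower()[: -len(zone)].replace(".", "")
        if sub:
            seen[(app, zone)].add(sub)
    findings = []
    for (app, zone), subs in seen.items():
        suspicious = [s for s in subs
                      if len(s) >= min_len and shannon_entropy(s) >= min_entropy]
        if len(suspicious) >= min_unique:
            findings.append((app, zone, len(suspicious)))
    return sorted(findings)

if __name__ == "__main__":
    for app, zone, count in flag_dns_exfil(SAMPLE_QUERIES):
        print(f"{app}: {count} payload-like names under {zone}")
```

The thresholds are illustrative and need tuning against a resolver's normal traffic. A check like this only observes the queries; it does not stop them from reaching the authoritative server.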