GrapheneOS
Aug 15 · 15 tweets · 4 min read
Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won't.

wired.com/story/google-a…
iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries.
This is one of multiple carrier apps in the stock Pixel OS which we don't include in GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren't dishonest.
"iVerify vice president of research [...] points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target's device before being able to exploit it."
"The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google's Fernandez emphasized this limiting factor as well."
Wired should retract the article and explain how they're going to do better. They keep publishing this kind of fearmongering misinformation from information security industry charlatans. There are real remote code execution flaws being fixed in Android and iOS but they push this.
GrapheneOS has gone through each of the carrier apps included on each Pixel generation to determine their purpose and the consequences of including or excluding them. Here it is being excluded from the new adevtool project for ProtonAOSP and GrapheneOS in 2021:

github.com/GrapheneOS/ade…
GrapheneOS has publicly posted about the carrier apps included on Pixels and their privileged permissions on numerous occasions. We talked about the ones which get enabled automatically based on using a SIM from a carrier rather than a disabled demo without an automatic trigger.
Here's a thread from 2017 posted from our project's previous Twitter account which was stolen in 2018:

Incredibly important to note that this thread directly involves the CEO of Trail of Bits that's now claiming their iVerify team discovered these apps.
Stock Pixel OS no longer gives the same level of access to the active carrier. This disabled demo app was never a real part of the problem but it was part of the apps we were referring to and excluding. We didn't claim credit for discovering this when we became aware of it in 2015.
Dan Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It's incredibly hypocritical to use the same tactics and expect not to be held to the same standard. We're not doing anything he hasn't done himself many times before.
It's ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware. An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.
Since this fits into a standard narrative pushed by mainstream news coverage, their dubious iVerify product will get a massive amount of free promotion from it. They should be criticized for claiming credit for discovering this when they didn't and for misrepresenting it.
Someone linked this article not taking claims from the company promoting themselves at face value, which is far better than most of the news coverage which got completely duped into believing in a completely fabricated threat:

Still not good enough.

therecord.media/google-to-remo…
Palantir is a mass surveillance company aiding with egregious human rights violations. CEO of Trail of Bits that's working with them is a diehard Apple fanboy and has been dismissing GrapheneOS for years. Perhaps he works with Cellebrite and NSO too.

More from @GrapheneOS

Aug 16
This is a fake story. Turns out that getting security information from the CISO of a mass surveillance company trying to build a dystopian police state providing police with "predictive policing" software largely based on racial stereotypes is a bad move.
Trail of Bits iVerify EDR product runs in the standard app sandbox on iOS and Android. It can hardly do anything beyond static scanning of APKs. It's a crippled antivirus app marketed as detecting sophisticated attackers. It's a scam and Trail of Bits has lost all credibility.
Trail of Bits is working closely with Palantir and is focused on getting government contracts. They've created a fake news story to promote their EDR product which has been propagated across mainstream media. Journalists didn't do basic due diligence and spread false marketing.
Jul 21
Here's the Cellebrite Premium 7.69.5 iOS Support Matrix from July 2024.

404media recently published an article based on the same April 2024 docs we received in April and published in May. Many tech news sites including 9to5Mac made incorrect assumptions treating that as current.

Here's the Cellebrite Premium 7.69.5 Android Support Matrix from July 2024 for Pixels. They're still unable to exploit locked GrapheneOS devices unless they're missing patches from 2022. A locked GrapheneOS device also automatically gets back to BFU from AFU after 18h by default.
GrapheneOS is defending against these tools with generic exploit protections rather than by patching specific vulnerabilities. Until recently, it's likely that it was our generic memory corruption exploit mitigations including hardened_malloc which was successfully stopping this.
Jul 2
@Parallel_Comms @utdream CalyxOS rolls back security a fair bit and doesn't provide comparable privacy or security features to GrapheneOS. It is not a hardened OS but rather somewhat anti-hardened. Their focus is marketing and bundling party apps and services, often with problematic privileged access.
@Parallel_Comms @utdream CalyxOS lags a bit behind on updates and misleads users about the security patches and privacy/security they offer. All their release notes have inaccurate claims about it, and they copied setting an inaccurate security patch level from LineageOS among other problems from there.
@Parallel_Comms @utdream /e/OS has all the privacy and security reductions from problematic LineageOS changes along with far more of their own. LineageOS lags months behind on quarterly/yearly updates which delays providing full patches and even the baseline ASB patches for Pixels. /e/OS is much worse.
Jul 2
Unplugged are a recent entry in the crowded space of selling insecure hardware with significantly worse privacy and security than an iPhone as highly private and secure. Bottom of the barrel MediaTek device with outdated AOSP is worse than status quo. All marketing, no substance.
As part of marketing their products, Unplugged are spreading unsubstantiated spin and misinformation about GrapheneOS and the much more secure hardware we target. We've been aware of it for a while but chose not to respond to it until they began doing it in direct response to us.
GrapheneOS is a hardened OS built on the latest release of the Android Open Source Project rather than older releases with inferior privacy/security and incomplete privacy/security patches. We substantially improve privacy/security with our changes rather than making it worse.
Jun 15
@davidbombal This video has major inaccuracies. CalyxOS always uses multiple Google services and gives them extensive privileged access within the OS. CalyxOS has far more limited app compatibility than GrapheneOS, and their approach to compatibility comes at a high security and privacy cost.
@davidbombal GrapheneOS provides far broader app compatibility via our sandboxed Google Play compatibility layer. It also has a much easier installation process. It's completely backwards to say that GrapheneOS is harder to adopt. What's the basis for making those statements about GrapheneOS?
@davidbombal GrapheneOS greatly improves both privacy and security. CalyxOS substantially rolls back security rather than improving it. It doesn't provide comparable privacy features either. No Storage Scopes, no Contact Scopes, no Sensors toggle, no per-connection Wi-Fi anonymity, etc.
May 18
XRY and Cellebrite say they can do consent-based full filesystem extraction with iOS, Android and GrapheneOS. It means they can extract data from the device once the user provides the lock method, which should always be expected. They unlock, enable developer options and use ADB.
Cellebrite's list of capabilities provided to customers in April 2024 shows they can successfully exploit every non-GrapheneOS Android device brand both BFU and AFU, but not GrapheneOS if patch level is past late 2022. It shows only Pixels stop brute force via the secure element.
Cellebrite has similar capabilities for iOS devices. This is also from April 2024. We can get the same information from newer months. In the future, we'll avoid sharing screenshots and will simply communicate it via text to prevent easily tracking down the ongoing leaks.