diff --git a/static/features.html b/static/features.html
index de698f85..79825c17 100644
--- a/static/features.html
+++ b/static/features.html
@@ -60,135 +60,147 @@
AOSP and the hardware are not covered here. Documentation on that will be gradually
added elsewhere on our site.
- Partial list of GrapheneOS features beyond what AOSP 11 provides:
+
+
-
- - Hardened app runtime
- - Stronger app sandbox
- - Hardened libc providing defenses against the most common classes of vulnerabilities (memory
- corruption)
- - Our own hardened malloc (memory allocator)
- leveraging modern hardware capabilities to provide substantial defenses against
- the most common classes of vulnerabilities (heap memory corruption) along with
- reducing the lifetime of sensitive data in memory. The
- hardened_malloc
- README has extensive documentation on it. The hardened_malloc project is
- portable to other Linux-based operating systems and is being adopted by other
- security-focused operating systems like Whonix. Our allocator also heavily influenced the
- design of the next-generation
- musl malloc implementation which offers substantially better security than musl's
- previous malloc while still having minimal memory usage and code size.
- - Hardened compiler toolchain
- - Hardened kernel
- - Prevention of dynamic native code execution in-memory or via the filesystem
- for the base OS without going via the package manager, etc.
- - Filesystem access hardening
- - Enhanced verified boot with better security properties and reduced attack surface
- - Enhanced hardware-based attestation with more precise version information
- - Eliminates remaining holes for apps to access hardware-based identifiers
- - Greatly reduced remote, local and proximity-based attack surface by stripping out unnecessary
- code, making more features optional and disabling optional features by default (NFC, Bluetooth, etc.) or when the
- screen is locked (connecting new USB peripherals, camera access)
- - Low-level improvements to the filesystem-based full disk encryption used on
- modern Android
- - Support for logging out of user profiles without needing a device manager: makes them inactive so that they can't continue running code while using another profile and purges the disk encryption keys (which are per-profile) from memory and hardware registers
- - Support longer passwords by default without a device manager
- - Stricter implementation of the optional fingerprint unlock feature permitting
- only 5 attempts rather than 20 before permanent lockout (our recommendation is
- still keeping sensitive data in user profiles without fingerprint unlock)
- - PIN scrambling option
- - LTE-only mode to reduce cellular radio attack surface by disabling enormous amounts of legacy
- code
- - Default enabled per-connection MAC randomization
- as an improvement over Android's default per-network MAC randomization reusing
- the same MAC address until the DHCP lease with that network expires (can still
- use the standard implementation or fully disable it)
- - Vanadium: hardened WebView and default browser - the WebView is what most
- other apps use to handle web content, so you benefit from Vanadium in many apps
- even if you choose another browser
- - Hardware-based security verification and monitoring: the
- Auditor app app and
- attestation service provide strong
- hardware-based verification of the authenticity and integrity of the
- firmware/software on the device. A strong pairing-based approach is used which
- also provides verification of the device's identity based on the hardware backed
- key generated for each pairing. Software-based checks are layered on top with
- trust securely chained from the hardware. For more details, see the
- about page
- and tutorial.
- - PDF Viewer: sandboxed,
- hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection,
- etc.
- - Encrypted backups via integration of the
- Seedvault app with
- support for local backups and any cloud storage provider with a storage provider
- app
- - Secure application spawning system avoiding
- sharing address space layout and other secrets across applications
- - Network permission toggle disallowing both direct and indirect network access,
- superior to a purely firewall-based implementation only disallowing direct
- access to the network without covering inter-process communication (enabled by
- default for compatibility)
- - Sensors permission toggle: disallow access to all other sensors not covered by
- existing Android permissions (enabled by default for compatibility)
- - Authenticated encryption for network time updates via a first party server to
- prevent attackers from changing the time and enabling attacks based on bypassing
- certificate / key expiry, etc.
- - Proper support for disabling network time updates rather than just not using
- the results
- - Connectivity checks via a first party server with the option to revert to the
- standard checks
- - Hardened local build / signing infrastructure
- - Seamless automatic OS update system that just
- works and stays out of the way in the background without disrupting device
- usage, with full support for the standard automatic rollback if the first boot
- of the updated OS fails
- Require unlocking to access sensitive function
- via quick tiles
- - Minor changes to default settings to prefer privacy over small conveniences:
- personalized keyboard suggestions based on gathering input history are disabled by
- default, sensitive notifications are hidden on the lockscreen by default and
- passwords are hidden during entry by default
-
+ Partial list of GrapheneOS features beyond what AOSP 11 provides:
- Infrastructure features:
+
+ - Hardened app runtime
+ - Stronger app sandbox
+ - Hardened libc providing defenses against the most common classes of vulnerabilities (memory
+ corruption)
+ - Our own hardened malloc (memory allocator)
+ leveraging modern hardware capabilities to provide substantial defenses against
+ the most common classes of vulnerabilities (heap memory corruption) along with
+ reducing the lifetime of sensitive data in memory. The
+ hardened_malloc
+ README has extensive documentation on it. The hardened_malloc project is
+ portable to other Linux-based operating systems and is being adopted by other
+ security-focused operating systems like Whonix. Our allocator also heavily influenced the
+ design of the next-generation
+ musl malloc implementation which offers substantially better security than musl's
+ previous malloc while still having minimal memory usage and code size.
+ - Hardened compiler toolchain
+ - Hardened kernel
+ - Prevention of dynamic native code execution in-memory or via the filesystem
+ for the base OS without going via the package manager, etc.
+ - Filesystem access hardening
+ - Enhanced verified boot with better security properties and reduced attack surface
+ - Enhanced hardware-based attestation with more precise version information
+ - Eliminates remaining holes for apps to access hardware-based identifiers
+ - Greatly reduced remote, local and proximity-based attack surface by stripping out unnecessary
+ code, making more features optional and disabling optional features by default (NFC, Bluetooth, etc.) or when the
+ screen is locked (connecting new USB peripherals, camera access)
+ - Low-level improvements to the filesystem-based full disk encryption used on
+ modern Android
+ - Support for logging out of user profiles without needing a device manager: makes them inactive so that they can't continue running code while using another profile and purges the disk encryption keys (which are per-profile) from memory and hardware registers
+ - Support longer passwords by default without a device manager
+ - Stricter implementation of the optional fingerprint unlock feature permitting
+ only 5 attempts rather than 20 before permanent lockout (our recommendation is
+ still keeping sensitive data in user profiles without fingerprint unlock)
+ - PIN scrambling option
+ - LTE-only mode to reduce cellular radio attack surface by disabling enormous amounts of legacy
+ code
+ - Default enabled per-connection MAC randomization
+ as an improvement over Android's default per-network MAC randomization reusing
+ the same MAC address until the DHCP lease with that network expires (can still
+ use the standard implementation or fully disable it)
+ - Vanadium: hardened WebView and default browser - the WebView is what most
+ other apps use to handle web content, so you benefit from Vanadium in many apps
+ even if you choose another browser
+ - Hardware-based security verification and monitoring: the
+ Auditor app app and
+ attestation service provide strong
+ hardware-based verification of the authenticity and integrity of the
+ firmware/software on the device. A strong pairing-based approach is used which
+ also provides verification of the device's identity based on the hardware backed
+ key generated for each pairing. Software-based checks are layered on top with
+ trust securely chained from the hardware. For more details, see the
+ about page
+ and tutorial.
+ - PDF Viewer: sandboxed,
+ hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection,
+ etc.
+ - Encrypted backups via integration of the
+ Seedvault app with
+ support for local backups and any cloud storage provider with a storage provider
+ app
+ - Secure application spawning system avoiding
+ sharing address space layout and other secrets across applications
+ - Network permission toggle disallowing both direct and indirect network access,
+ superior to a purely firewall-based implementation only disallowing direct
+ access to the network without covering inter-process communication (enabled by
+ default for compatibility)
+ - Sensors permission toggle: disallow access to all other sensors not covered by
+ existing Android permissions (enabled by default for compatibility)
+ - Authenticated encryption for network time updates via a first party server to
+ prevent attackers from changing the time and enabling attacks based on bypassing
+ certificate / key expiry, etc.
+ - Proper support for disabling network time updates rather than just not using
+ the results
+ - Connectivity checks via a first party server with the option to revert to the
+ standard checks
+ - Hardened local build / signing infrastructure
+ - Seamless automatic OS update system that just
+ works and stays out of the way in the background without disrupting device
+ usage, with full support for the standard automatic rollback if the first boot
+ of the updated OS fails
- Require unlocking to access sensitive function
+ via quick tiles
+ - Minor changes to default settings to prefer privacy over small conveniences:
+ personalized keyboard suggestions based on gathering input history are disabled by
+ default, sensitive notifications are hidden on the lockscreen by default and
+ passwords are hidden during entry by default
+
+
-
- - Strict privacy and security practices for our infrastructure
- - Unnecessary logging is avoided and logs are automatically purged after 10 days
- - Services hosted on OVH without involving any additional parties for CDNs,
- mirrors or other services - we don't outsource to others
- - Our services are built with open technology stacks to avoid being locked in to
- any particular hosting provider or vendor
- - Open documentation on our infrastructure including listing out all of our
- services, guides on making similar setups, published configurations for each
- of our web services, etc.
- - No proprietary services
- - Authenticated encryption for all of our services
- - Strong cipher configurations for all of our services (SSH, TLS, etc.)
- - DNSSEC for all our domains
- - SSHFP across all domains for pinning SSH keys
- - DANE TLSA records for pinning keys for all our TLS services (unfortunately only
- used by a subset of other mail services in practice, and not yet web
- browsers)
- - Static key pinning for our services in apps like Auditor
- - No cookies or similar client-side state for anything other than login sessions,
- which are set up via SameSite=strict cookies and have server-side session tracking
- with the ability to log out of other sessions
- - scrypt-based password hashing (likely Argon2 when the available implementations
- are more mature)
-
+
+
- Beyond the technical features of the OS:
+ Service infrastructure features:
-
- - Collaborative, open source project with a very active community and contributors
- - Can make your own builds and make desired changes, so you aren't stuck with
- the decisions made by the upstream project
- - Non-profit project avoiding conflicts of interest by keeping commercialization
- at a distance. Companies support the project rather than the project serving the
- needs of any particular company
- - Strong privacy policies
-
+
+ - Strict privacy and security practices for our infrastructure
+ - Unnecessary logging is avoided and logs are automatically purged after 10 days
+ - Services hosted on OVH without involving any additional parties for CDNs,
+ mirrors or other services - we don't outsource to others
+ - Our services are built with open technology stacks to avoid being locked in to
+ any particular hosting provider or vendor
+ - Open documentation on our infrastructure including listing out all of our
+ services, guides on making similar setups, published configurations for each
+ of our web services, etc.
+ - No proprietary services
+ - Authenticated encryption for all of our services
+ - Strong cipher configurations for all of our services (SSH, TLS, etc.)
+ - DNSSEC for all our domains
+ - SSHFP across all domains for pinning SSH keys
+ - DANE TLSA records for pinning keys for all our TLS services (unfortunately only
+ used by a subset of other mail services in practice, and not yet web
+ browsers)
+ - Static key pinning for our services in apps like Auditor
+ - No cookies or similar client-side state for anything other than login sessions,
+ which are set up via SameSite=strict cookies and have server-side session tracking
+ with the ability to log out of other sessions
+ - scrypt-based password hashing (likely Argon2 when the available implementations
+ are more mature)
+
+
+
+
+
+
+ Beyond the technical features of the OS:
+
+
+ - Collaborative, open source project with a very active community and contributors
+ - Can make your own builds and make desired changes, so you aren't stuck with
+ the decisions made by the upstream project
+ - Non-profit project avoiding conflicts of interest by keeping commercialization
+ at a distance. Companies support the project rather than the project serving the
+ needs of any particular company
+ - Strong privacy policies
+
+
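Review bot: the "Require unlocking to access sensitive function" item looks like it is dropped rather than moved: it appears only as a removed line in both the old block and the re-added block (at "- Require unlocking to access sensitive function", twice), while its continuation "+ via quick tiles" is re-added on its own, so the new features list would carry a dangling "via quick tiles" fragment with no item text in front of it. Please confirm the full list item (including its link, if the original had one) survives in the new block, or restore it as "- Require unlocking to access sensitive functionality via quick tiles" on one item. Two smaller points while these lines are being touched: the duplicated word in "Auditor app app and" is carried over unchanged from the old block into the new one and could be fixed in the same change, and since the heading "Infrastructure features:" is renamed to "Service infrastructure features:", any anchors or in-page links that reference the old heading text should be updated to match.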