Users are in control of which types of networks the Updater app will use and can disable the Updater app in extreme cases. It's strongly recommended to leave it enabled to quickly receive security updates including updates outside - the regular monthly schedule. See the usage guide's - section on updates for more information.
+ the regular monthly schedule. +The update client avoids trusting the data obtained from the update server + via signature verification with downgrade protection. Verified boot provides + another layer of signature verification with downgrade protection. GrapheneOS + servers do not have access to GrapheneOS signing keys.
+See the usage guide's section on updates for + more information.
An HTTPS connection is made to https://time.grapheneos.org/ to update the time from the date header field. This is a full replacement of Android's standard network time update implementation, which uses the cellular network - when available with a fallback to SNTP when it's not available. We plan to - offer a toggle to use the standard functionality instead of HTTPS-based time - updates in order to blend in with other devices.
+ when available with a fallback to SNTP when it's not available. Network time + updates are security sensitive since certificate validation depends on having + an accurate time, but the standard NTP / SNTP protocols used across most OSes + have no authentication. + +We plan to offer a toggle to use the standard functionality instead of + HTTPS-based time updates in order to blend in with other devices.
Network time can be disabled with the toggle at Settings ➔ System ➔ Date & time ➔ Use network-provided time. Unlike AOSP or the stock OS on the @@ -458,7 +467,7 @@
On devices with a Qualcomm baseband (which provides GPS), when location - functionality is being used, + functionality is enabled and being used, GPS almanacs are downloaded from https://xtrapath1.izatcloud.net/xtra3grc.bin, https://xtrapath2.izatcloud.net/xtra3grc.bin or @@ -489,17 +498,21 @@ privacy by giving your device a more unique fingerprint. GrapheneOS aims to appear like any other common mobile device on the network.
+Standard frozen AOSP user agent for the GET request:
+Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
+No query / data is sent to the servers and the response is unused beyond + checking the response code.
+ +Standard URLs used by Android and when blending in with other devices on + GrapheneOS:
+Standard AOSP user agent for the GET request:
-Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
-No query / data is sent to the servers and the response is unused beyond - checking the response code.
-Similar connectivity checks are also performed by Vanadium.
+We have our own connectivitycheck.grapheneos.org server as an alternative to using the standard URLs. This can currently be enabled by users interested in using it via the developer tools. Providing a toggle in the Settings app @@ -509,6 +522,19 @@ important and must remain supported for people who need to be able to blend in rather than getting the nice feeling that comes from using GrapheneOS servers.
+ +We do not currently provide a separate fallback domain so the fallback HTTP + fallback should be set to + http://connectivitycheck.grapheneos.org/generate_204.
+ +Similar connectivity checks are also performed by Vanadium. Configuration + will need to be extended to these, likely by reusing the OS configuration + instead of it being separate.
DNS connectivity and functionality tests