diff --git a/static/features.html b/static/features.html
index e7e10151..83203262 100644
--- a/static/features.html
+++ b/static/features.html
@@ -98,6 +98,7 @@
can be disabled
Broad carrier support without invasive carrier access
Private screenshots
+ Other features
Services
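Review bot: the new "Other features" entry is inserted between "Private screenshots" and "Services", so it needs to match the position of the section that the third hunk adds, which lands after the screenshot-metadata text (old line 503) and before whatever follows; confirm that order and that the link target on this entry resolves to the new section's heading, since a navigation entry without a matching anchor is the usual failure mode when a list is moved to a new section.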
@@ -118,129 +119,6 @@
the improvements we've contributed to Android since those features aren't listed
here despite being a substantial portion of our overall historical work.
-
- - Enhanced verified boot
- with better security properties and reduced attack surface
- - Enhanced hardware-based attestation with more precise version information
- - Eliminates remaining holes for apps to access hardware-based identifiers
- - Greatly reduced remote, local and proximity-based attack surface by
- stripping out unnecessary code, making more features optional and disabling
- optional features by default (NFC, Bluetooth, etc.), when the screen is
- locked (connecting new USB peripherals, camera access) and optionally after a
- timeout (Bluetooth, Wi-Fi)
- - Option to disable native debugging (ptrace) to reduce local attack surface
- (still enabled by default for compatibility)
- - Low-level improvements to the filesystem-based
- full disk encryption used on modern Android
- - Support creating up to 16 secondary user profiles (15 + guest) instead of
- only 4 (3 + guest).
- - Support for logging out of user profiles without needing a device manager:
- makes them inactive so that they can't continue running code while using
- another profile and purges the disk encryption keys (which are per-profile)
- from memory and hardware registers
- - Option to enable automatically rebooting the device when no profile has
- been unlocked for the configured time period to put the device fully at rest
- again.
- - Modern Microphone/Camera usage indicator UX is also used for Location.
- - Improved user visibility into persistent firmware security through version
- and configuration verification with reporting of inconsistencies and debug
- features being enabled.
- - Support for longer passwords by default (64 characters instead of 16)
- without requiring a device manager
- - Stricter implementation of the optional fingerprint unlock feature permitting
- only 5 attempts rather than 20 before permanent lockout (our recommendation is
- still keeping sensitive data in user profiles without fingerprint unlock)
- - Support for using the fingerprint scanner only for authentication in apps
- and unlocking hardware keystore keys by toggling off support for unlocking.
- - PIN scrambling option
- - LTE-only mode to reduce cellular radio
- attack surface by disabling enormous amounts of both legacy code (2G, 3G) and
- bleeding edge code (5G)
- - Per-connection MAC randomization
- option (enabled by default) as a more private option than the standard
- persistent per-network random MAC.
- - When the per-connection MAC randomization added by GrapheneOS is being
- used, DHCP client state is flushed before reconnecting to a network to avoid
- revealing that it's likely the same device as before.
- - Improved IPv6 privacy addresses to prevent tracking across networks
- - Vanadium: hardened WebView and default browser — the WebView is what most
- other apps use to handle web content, so you benefit from Vanadium in many apps
- even if you choose another browser
- - Apps: first-party GrapheneOS app repository focused on security, which is
- currently used to distribute our own apps and a mirror of Google Play for the
- sandboxed Google Play feature. In the future, it will be used to distribute
- first-party GrapheneOS builds of externally developed open source apps with
- hardening applied.
- - Hardware-based security verification and monitoring: the
- Auditor app app and
- attestation service provide strong
- hardware-based verification of the authenticity and integrity of the
- firmware/software on the device. A strong pairing-based approach is used which
- also provides verification of the device's identity based on the hardware backed
- key generated for each pairing. Software-based checks are layered on top with
- trust securely chained from the hardware. For more details, see the
- about page
- and tutorial.
- - PDF Viewer: sandboxed,
- hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection,
- etc.
- - GrapheneOS Camera: modern
- camera app with a great user interface and a focus on privacy and
- security.
- - Encrypted backups via integration of the
- Seedvault app with
- support for local backups and any cloud storage provider with a storage provider
- app
- - Secure application spawning system avoiding
- sharing address space layout and other secrets across applications
- - Network permission toggle for disallowing both direct and indirect access
- to any of the available networks. The device-local network (localhost) is also
- guarded by this permission, which is important for preventing apps from using
- it to communicate between profiles. Unlike a firewall-based implementation,
- the Network permission toggle prevents apps from using the network via APIs
- provided by the OS or other apps in the same profile as long as they're marked
- appropriately.
- - The standard INTERNET permission used as the basis for the Network
- permission toggle is enhanced with a second layer of enforcement and proper
- support for granting/revoking it on a per-profile basis.
- - Sensors permission toggle: disallow access to all other sensors not covered by
- existing Android permissions (Camera, Microphone, Body Sensors, Activity
- Recognition) including an accelerometer, gyroscope, compass, barometer,
- thermometer and any other sensors present on a given device. To avoid breaking
- compatibility with Android apps, the added permission is enabled by
- default.
- - Authenticated encryption for network time updates via a first party server to
- prevent attackers from changing the time and enabling attacks based on bypassing
- certificate / key expiry, etc.
- - Proper support for disabling network time updates rather than just not using
- the results
- - Connectivity checks via a first party server with the option to revert to the
- standard checks (to blend in) or to fully disable them
- - Attestation key provisioning via a first party server with the option to
- revert to the standard server
- - GNSS almanac downloads (PSDS) via a first party server with the option to
- revert to the standard server (not available for all GPS vendors yet)
- - Hardened local build / signing infrastructure
- - Seamless automatic OS update system that just
- works and stays out of the way in the background without disrupting device
- usage, with full support for the standard automatic rollback if the first boot
- of the updated OS fails
- - Require unlocking to access sensitive functionality via quick tiles
- - Minor changes to default settings to prefer privacy over small conveniences:
- personalized keyboard suggestions based on gathering input history are disabled by
- default, sensitive notifications are hidden on the lockscreen by default and
- passwords are hidden during entry by default
- - Minimal bundled apps and services. Only
- essential apps are integrated into the OS. We don't make partnerships with
- apps and services to bundle them into the OS. An app may be the best choice
- today and poor choice in the future. Our approach will be recommending certain
- apps during the initial setup, not hard-wiring them into the OS.
- - No Google apps and services. These can be used on GrapheneOS but only if
- they avoid requiring invasive OS integration. Building privileged support for
- Google services into the OS isn't something we're going to be doing, even if
- that's partially open source like microG.
-
-
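Review bot: the removed block is the entire list that followed the paragraph ending "despite being a substantial portion of our overall historical work." (the two unchanged context lines at the top of the hunk), so that paragraph now ends the section with no list under it; check the sentences just above the hunk (outside the shown context) for wording such as "the list below" or "these features" that referred to the removed items, and either reword them or point them at the new "Other features" section. The removal also drops two trailing blank lines, so verify the spacing before the next section is still consistent with the rest of the file.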
@@ -503,6 +381,135 @@
turning this metadata back on in Settings ➔ Privacy since some users may find
it to be useful.
+
+
+
+
+ This is an incomplete list of other GrapheneOS features.
+
+
+ - Enhanced verified boot
+ with better security properties and reduced attack surface
+ - Enhanced hardware-based attestation with more precise version information
+ - Eliminates remaining holes for apps to access hardware-based identifiers
+ - Greatly reduced remote, local and proximity-based attack surface by
+ stripping out unnecessary code, making more features optional and disabling
+ optional features by default (NFC, Bluetooth, etc.), when the screen is
+ locked (connecting new USB peripherals, camera access) and optionally after a
+ timeout (Bluetooth, Wi-Fi)
+ - Option to disable native debugging (ptrace) to reduce local attack surface
+ (still enabled by default for compatibility)
+ - Low-level improvements to the filesystem-based
+ full disk encryption used on modern Android
+ - Support creating up to 16 secondary user profiles (15 + guest) instead of
+ only 4 (3 + guest).
+ - Support for logging out of user profiles without needing a device manager:
+ makes them inactive so that they can't continue running code while using
+ another profile and purges the disk encryption keys (which are per-profile)
+ from memory and hardware registers
+ - Option to enable automatically rebooting the device when no profile has
+ been unlocked for the configured time period to put the device fully at rest
+ again.
+ - Modern Microphone/Camera usage indicator UX is also used for Location.
+ - Improved user visibility into persistent firmware security through version
+ and configuration verification with reporting of inconsistencies and debug
+ features being enabled.
+ - Support for longer passwords by default (64 characters instead of 16)
+ without requiring a device manager
+ - Stricter implementation of the optional fingerprint unlock feature permitting
+ only 5 attempts rather than 20 before permanent lockout (our recommendation is
+ still keeping sensitive data in user profiles without fingerprint unlock)
+ - Support for using the fingerprint scanner only for authentication in apps
+ and unlocking hardware keystore keys by toggling off support for unlocking.
+ - PIN scrambling option
+ - LTE-only mode to reduce cellular radio
+ attack surface by disabling enormous amounts of both legacy code (2G, 3G) and
+ bleeding edge code (5G)
+ - Per-connection MAC randomization
+ option (enabled by default) as a more private option than the standard
+ persistent per-network random MAC.
+ - When the per-connection MAC randomization added by GrapheneOS is being
+ used, DHCP client state is flushed before reconnecting to a network to avoid
+ revealing that it's likely the same device as before.
+ - Improved IPv6 privacy addresses to prevent tracking across networks
+ - Vanadium: hardened WebView and default browser — the WebView is what most
+ other apps use to handle web content, so you benefit from Vanadium in many apps
+ even if you choose another browser
+ - Apps: first-party GrapheneOS app repository focused on security, which is
+ currently used to distribute our own apps and a mirror of Google Play for the
+ sandboxed Google Play feature. In the future, it will be used to distribute
+ first-party GrapheneOS builds of externally developed open source apps with
+ hardening applied.
+ - Hardware-based security verification and monitoring: the
+ Auditor app app and
+ attestation service provide strong
+ hardware-based verification of the authenticity and integrity of the
+ firmware/software on the device. A strong pairing-based approach is used which
+ also provides verification of the device's identity based on the hardware backed
+ key generated for each pairing. Software-based checks are layered on top with
+ trust securely chained from the hardware. For more details, see the
+ about page
+ and tutorial.
+ - PDF Viewer: sandboxed,
+ hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection,
+ etc.
+ - GrapheneOS Camera: modern
+ camera app with a great user interface and a focus on privacy and
+ security.
+ - Encrypted backups via integration of the
+ Seedvault app with
+ support for local backups and any cloud storage provider with a storage provider
+ app
+ - Secure application spawning system avoiding
+ sharing address space layout and other secrets across applications
+ - Network permission toggle for disallowing both direct and indirect access
+ to any of the available networks. The device-local network (localhost) is also
+ guarded by this permission, which is important for preventing apps from using
+ it to communicate between profiles. Unlike a firewall-based implementation,
+ the Network permission toggle prevents apps from using the network via APIs
+ provided by the OS or other apps in the same profile as long as they're marked
+ appropriately.
+ - The standard INTERNET permission used as the basis for the Network
+ permission toggle is enhanced with a second layer of enforcement and proper
+ support for granting/revoking it on a per-profile basis.
+ - Sensors permission toggle: disallow access to all other sensors not covered by
+ existing Android permissions (Camera, Microphone, Body Sensors, Activity
+ Recognition) including an accelerometer, gyroscope, compass, barometer,
+ thermometer and any other sensors present on a given device. To avoid breaking
+ compatibility with Android apps, the added permission is enabled by
+ default.
+ - Authenticated encryption for network time updates via a first party server to
+ prevent attackers from changing the time and enabling attacks based on bypassing
+ certificate / key expiry, etc.
+ - Proper support for disabling network time updates rather than just not using
+ the results
+ - Connectivity checks via a first party server with the option to revert to the
+ standard checks (to blend in) or to fully disable them
+ - Attestation key provisioning via a first party server with the option to
+ revert to the standard server
+ - GNSS almanac downloads (PSDS) via a first party server with the option to
+ revert to the standard server (not available for all GPS vendors yet)
+ - Hardened local build / signing infrastructure
+ - Seamless automatic OS update system that just
+ works and stays out of the way in the background without disrupting device
+ usage, with full support for the standard automatic rollback if the first boot
+ of the updated OS fails
+ - Require unlocking to access sensitive functionality via quick tiles
+ - Minor changes to default settings to prefer privacy over small conveniences:
+ personalized keyboard suggestions based on gathering input history are disabled by
+ default, sensitive notifications are hidden on the lockscreen by default and
+ passwords are hidden during entry by default
+ - Minimal bundled apps and services. Only
+ essential apps are integrated into the OS. We don't make partnerships with
+ apps and services to bundle them into the OS. An app may be the best choice
+ today and poor choice in the future. Our approach will be recommending certain
+ apps during the initial setup, not hard-wiring them into the OS.
+ - No Google apps and services. These can be used on GrapheneOS but only if
+ they avoid requiring invasive OS integration. Building privileged support for
+ Google services into the OS isn't something we're going to be doing, even if
+ that's partially open source like microG.
+
+
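Review bot: the moved list is copied verbatim, so the pre-existing typo "Auditor app app" in the "Hardware-based security verification and monitoring" item is carried into the new section; since the text is being touched anyway, fix it to "Auditor app" here rather than in a follow-up. Two further consistency points in the same block: "first party server" appears four times (network time, connectivity checks, attestation key provisioning, GNSS almanac) while the Apps item uses the hyphenated "first-party", and "hardware backed key" should be "hardware-backed key" to match "hardware-based" in the same sentence. The four leading added blank lines before "This is an incomplete list of other GrapheneOS features." and the two after the last item also look like more vertical space than the rest of the file uses between sections; trim them unless the template relies on them.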