GrapheneOS has official production support for the Pixel 3, Pixel 3 XL, Pixel 3a, @@ -155,9 +155,9 @@ with easily added support for other environments. It can easily run on non-Linux-based operating systems too, and supporting some like HardenedBSD is planned but depends on contributors from those communities.
-The recommended devices with the best hardware, firmware and software security @@ -174,9 +174,9 @@ expensive flagship devices. You can read more on the differences between the hardware elsewhere. Unlike the Pixel 3a, the Pixel 4a has a proper SSD which provides a much better experience with the GrapheneOS exec-based spawning security feature.
-Devices are carefully chosen based on their merits rather than the project aiming @@ -210,9 +210,9 @@ improve some aspects of insecure devices and supporting a broad set of devices would be directly counter to the values of the project. A lot of the low-level work also ends up being fairly tied to the hardware.
-Broader device support can only happen after the community (companies, @@ -238,9 +238,9 @@ devices produced based on an SoC reference design with minor improvements for privacy and security. Broad device support is the opposite of what the project wants to achieve in the long term.
-GrapheneOS aims to provide reasonably private and secure devices. It cannot do that @@ -266,13 +266,13 @@ security of the project when exceptions for old devices need to be listed out. The project ends up wanting to drop devices for this reason but has always kept them going until the end-of-life date to provide more time for people to migrate.
-As of Android 10, only the configured default input method editor (your keyboard of @@ -286,9 +286,9 @@ slightly less strict implementation of this feature. It provided a toggle for users to whitelist clipboard managers, which is no longer needed now that keyboards are expected to provide it.
-As of Android 10, apps cannot obtain permission to access non-resettable hardware @@ -309,9 +309,9 @@ with limited functionality and hardware acceleration. Hiding the CPU/SoC model would require not even using basic hardware virtualization support and these things could probably still be detected via performance measurements.
-In addition to not having a way to identify the hardware, apps cannot directly @@ -373,9 +373,9 @@ However, profiles are the only way to provide a strong assurance of separate identities since the application model of the OS is designed to support communication between apps within the same profile, but never between them.
-GrapheneOS always considers networks to be hostile and avoids placing trust in @@ -434,15 +434,15 @@ alerts for silent SMS but rather would be ignored with the rest of the spam. Regardless, sending texts or other data is not required or particularly useful to track devices connected to a network for an adversary with the appropriate access.
-See the usage guide section on Wi-Fi privacy.
-GrapheneOS makes connections to the outside world to test connectivity, detect @@ -568,9 +568,9 @@ everything unnecessary and making our servers the default for handling anything that cannot simply be shipped with Vanadium for one reason or another such as requiring quicker updates.
-GrapheneOS services follow the EFF's
@@ -595,9 +595,9 @@
Our mail server (mail.grapheneos.org) isn't offered as a public service and doesn't
have a privacy policy since it's only used internally by GrapheneOS developers.
By default, the OS uses the network-provided DNS servers, whether those come from @@ -605,9 +605,9 @@ servers are provided, GrapheneOS uses Cloudflare DNS as the fallback rather than Google Public DNS. In practice, the fallback is rarely used and has little real world impact.
-It isn't possible to directly override the DNS servers provided by the network via @@ -636,9 +636,9 @@ part of fingerprinting users. If you're using a VPN, you should consider using the standard DNS service provided by the VPN service to avoid standing out from other users.
-By default, in the automatic mode, the Private DNS feature provides opportunistic @@ -655,9 +655,9 @@ DNS server via unencrypted DNS and then force all other DNS lookups via DNS-over-TLS with the identity of the server authenticated as part of providing authenticated encryption.
-No, it only provides privacy for DNS resolution. Even authenticating DNS results @@ -669,9 +669,9 @@ There are other ways to perform a MITM attack than DNS hijacking and internet routing is fundamentally insecure. DNS-over-TLS may make a MITM harder for some attackers, but don't count on it at all.
-Private DNS only encrypts DNS, and an adversary monitoring connections can still @@ -681,9 +681,9 @@ SNI, so encrypted DNS is not yet accomplishing much. It's a forward looking feature that will become more useful in the future. Using it is recommended, but it's not an alternative to using Tor or a VPN.
-VPNs can be configured under Settings ➔ Network & Internet ➔ Advanced ➔ VPN. @@ -699,9 +699,9 @@ can also be set as the always-on VPN via the entry in the Settings page. For app-based VPN implementations, there's also an additional "Block connections without VPN" toggle which is needed to prevent leaks when the app's VPN service isn't running.
-Apps cannot monitor network connections unless they're made into the active VPN @@ -712,9 +712,9 @@
This was previously part of the GrapheneOS privacy improvements, but became a standard Android feature with Android 10.
-Yes, GrapheneOS inherits the deeply integrated firewall from the Android Open @@ -729,9 +729,9 @@ ecosystem. Revoking the permission denies indirect access via OS components and apps enforcing the INTERNET permission, such as DownloadManager. Direct access is denied by blocking low-level network socket access.
-The recommended approach to system-wide ad-blocking is setting up domain-based @@ -750,9 +750,9 @@ used service like AdGuard with a standard block list is much less of an issue than a custom set of subscriptions / rules, but it still stands out compared to the default of not doing it.
-Content filtering apps are fully compatible with GrapheneOS, but they have serious @@ -779,9 +779,9 @@ providing one, and very few have bothered to implement this. NetGuard is an one example implementing SOCKS5 forwarding, which can be used to forward to apps like Orbot (Tor).
-Yes, the baseband is isolated on all of the officially supported devices. Memory @@ -813,35 +813,35 @@ Linux kernel is monolithic and has no internal security boundaries, the attack surface is problematic and a HardMAC implementation with most complexity in the isolated firmware could be better than the status quo. An isolated driver would be ideal.
-GrapheneOS has entirely automatic background updates. More details are available in the the usage guide's updates section.
-Updates can be sideloaded via recovery.
-See the features page.
-No, since this is strictly a theft deterrence feature, not a security feature, and @@ -865,9 +865,9 @@ incompatible with features designed to wipe data automatically in certain cases. This will not be implemented by GrapheneOS since it isn't a good approach and it conflicts with other planned features.
-There are drawbacks to bundling apps into the OS and few advantages in most cases. @@ -907,7 +907,7 @@ cases we want to support. GPLv3 is no problem for our own usage, but we don't want to forbid using GrapheneOS as a replacement for the Android Open Source Project in locked down devices.
-