From de35a80221253ca5d481fd6ccb0b75f90a33b123 Mon Sep 17 00:00:00 2001 From: sandbank52641 <153552626+sandbank52641@users.noreply.github.com> Date: Wed, 29 May 2024 17:00:19 +0200 Subject: [PATCH] use conforming procedure style in usage.html --- static/usage.html | 227 ++++++++++++++++++++++++++-------------------- 1 file changed, 127 insertions(+), 100 deletions(-) diff --git a/static/usage.html b/static/usage.html index e5567699..5eb2b319 100644 --- a/static/usage.html +++ b/static/usage.html @@ -110,9 +110,12 @@ like it. Our experience is that when armed with the appropriate knowledge, the vast majority of users prefer the newer gesture navigation approach.

-

The system navigation mode can be configured in Settings ➔ System ➔ Gestures ➔ - System navigation. The same menu is also available in Settings ➔ Accessibility ➔ - System controls ➔ System navigation.

+

The system navigation mode can be configured in Settings > System > Gestures > Navigation + mode. The same menu is also available in Settings > Accessibility > System + controls > Navigation mode.

Gesture navigation
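
Review bot: The added path ends in "Navigation mode" where the removed lines had "System navigation", in both the Gestures route and the Accessibility route. That is a label change, not the separator restyle the subject line describes. Please confirm the new label against the current Settings UI and mention the rename in the commit message so it is not lost among the formatting changes.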

@@ -371,8 +374,9 @@ be safe. This is the same as the stock OS but it comes with one set up already.

-

GrapheneOS disables showing the characters as passwords are typed by default. - You can enable this in Settings ➔ Privacy.

+

GrapheneOS disables showing the characters as passwords are typed by default. You + can enable this in Settings > + Privacy.

Third party accessibility services can be installed and activated. This includes the ones made by Google. Most of these will work but some may have a hard @@ -419,7 +423,8 @@

Settings

-

The settings are available in the Settings app in System ➔ System update.

+

The settings are available in the Settings app in System > System update.

The "Check for updates" option will manually trigger an update check as soon as possible. It will still wait for the configuration conditions listed below to be @@ -474,12 +479,12 @@

Disabling

-

It's highly recommended to leave automatic updates enabled and to configure the - permitted networks if the bandwidth usage is a problem on your mobile data connection. - However, it's possible to turn off the update client by going to Settings ➔ Apps, - enabling Show system via the menu, selecting System Updater and disabling the - app. If you do this, you'll need to remember to enable it again to start receiving - updates.

+

It's highly recommended to leave automatic updates enabled and to configure + the permitted networks if the bandwidth usage is a problem on your mobile data + connection. However, it's possible to turn off the update client by going to + Settings > Apps, enabling Show + system via the menu, selecting System Updater and disabling the app. If you do + this, you'll need to remember to enable it again to start receiving updates.
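
Review bot: Every line of this paragraph is re-wrapped although the only textual change is the separator in "Settings > Apps", so a reviewer has to compare the wording word by word to confirm nothing else moved. Keeping the original line breaks for the untouched sentences would reduce this hunk to a one-line change and make real label changes elsewhere in the patch easier to spot.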

@@ -521,10 +526,12 @@

USB peripherals

GrapheneOS defaults to ignoring connected USB peripherals when the device is - already booted and the screen is locked. A USB device already connected at boot - will still work. The purpose is reducing attack surface for a locked device with - active login sessions to user profiles to protect data that's not at rest. This - can be controlled in Settings ➔ Security ➔ USB accessories. The options are:

+ already booted and the screen is locked. A USB device already connected at boot will + still work. The purpose is reducing attack surface for a locked device with active + login sessions to user profiles to protect data that's not at rest. This can be + controlled in Settings > + Security > USB peripherals. The options + are:

  • Disallow new USB peripherals
  • @@ -805,12 +812,13 @@ profiles, so it also provides a temporary set of device identifiers across profiles for each boot via the shared randomized values.

    -

    This feature can be disabled via Settings ➔ Security ➔ Enable secure app - spawning if you prefer to have faster cold start app spawning time and lower app - process memory usage instead of the substantial security benefits and the removal - of the only known remaining direct device identifiers across profiles (i.e. not - depending on fingerprinting global configuration, available storage space, etc. or - using side channels).

    +

    This feature can be disabled via Settings > Security > Secure app + spawning if you prefer to have faster cold start app spawning time and lower + app process memory usage instead of the substantial security benefits and the + removal of the only known remaining direct device identifiers across profiles (i.e. + not depending on fingerprinting global configuration, available storage space, etc. + or using side channels).

@@ -836,8 +844,11 @@ designed to be friendly to apps and fully compatible rather than killing the application when it violates the rules.

-

You can enable our exploit protection compatibility mode via Settings ➔ Apps ➔ - App ➔ Exploit protection. The exploit protection compatibility mode toggle will:

+

You can enable our exploit protection compatibility mode via + Settings > Apps > APP > Exploit protection compatibility mode. The exploit protection + compatibility mode toggle will:

  • Switch from hardened_malloc to Android's standard allocator (Scudo)
  • Reduce address space size from 48 bit to Android's standard 39 bit
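
Review bot: The last path element changes from "Exploit protection" to "Exploit protection compatibility mode", so the added text now names the toggle three times in a row ("enable our exploit protection compatibility mode via ... Exploit protection compatibility mode. The exploit protection compatibility mode toggle will:"). If the path is meant to end at the toggle, shorten the lead-in so the name appears once before the list. The upper-case "APP" placeholder replaces "App" here and nothing in the hunk explains the convention; a short sentence saying that upper-case elements stand for the user's own item would help, since "NETWORK" is used the same way in the MAC randomization hunk.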
  • @@ -892,24 +903,27 @@ privacy rather than increasing it. If you need to use a hidden AP, make sure to delete the saved network afterwards.

    -

    Wi-Fi and Bluetooth scanning for improving location detection are disabled - by default, unlike the stock OS. These can be toggled in Settings ➔ Location ➔ - Location Services ➔ Wi-Fi and Bluetooth scanning. These features enable - scanning even when Wi-Fi or Bluetooth is disabled, so these need to be kept - disabled to fully disable the radios when Wi-Fi and Bluetooth are disabled. - GrapheneOS itself doesn't currently include a supplementary location service - based on Wi-Fi and Bluetooth scanning. These options impact whether apps such - as sandboxed Google Play are able to use the functionality if you grant them - the Location permission. GrapheneOS plans to eventually include an OS service - based on local databases rather than a network-based service giving the user's - location to a server whenever location is being used.

    +

    Wi-Fi and Bluetooth scanning for improving location detection are disabled by + default, unlike the stock OS. These can be toggled in Settings > Location > Location services > Wi-Fi and + Bluetooth scanning. These features enable scanning even when Wi-Fi or Bluetooth is + disabled, so these need to be kept disabled to fully disable the radios when Wi-Fi and Bluetooth + are disabled. GrapheneOS itself doesn't currently include a supplementary location service based + on Wi-Fi and Bluetooth scanning. These options impact whether apps such as sandboxed Google Play + are able to use the functionality if you grant them the Location permission. GrapheneOS plans to + eventually include an OS service based on local databases rather than a network-based service + giving the user's location to a server whenever location is being used.

Associated with an Access Point (AP)

Associated MAC randomization is performed by default. This can be controlled - per-network in Settings ➔ Network & Internet ➔ Internet ➔ NETWORK ➔ Privacy.

+ per-network in Settings > Network + & internet > Internet > NETWORK > Privacy.

In the stock OS, the default is to use a unique persistent random MAC address for each network. It has 2 options available: "Use randomized MAC (default)" and "Use @@ -946,15 +960,16 @@

LTE-only mode

If you have a reliable LTE connection from your carrier, you can reduce attack - surface by disabling 2G, 3G and 5G connectivity in Settings ➔ Network & - Internet ➔ SIMs ➔ Preferred network type. Traditional voice calls will only work - in the LTE-only mode if you have either an LTE connection and VoLTE (Voice over - LTE) support or a Wi-Fi connection and VoWi-Fi (Voice over Wi-Fi) support. VoLTE / - VoWi-Fi works on GrapheneOS for most carriers unless they restrict it to carrier - phones. Some carriers may be missing VoWi-Fi due to us not including their - proprietary apps. Please note that AT&T users may see "5Ge" being used when - LTE Only mode is enabled as AT&T intentionally mislabel LTE services as "5Ge" - to mislead users.

+ surface by disabling 2G, 3G and 5G connectivity in Settings > Network & internet > SIMs > SIM > Preferred network type. Traditional voice calls will only + work in the LTE-only mode if you have either an LTE connection and VoLTE (Voice over LTE) support or + a Wi-Fi connection and VoWi-Fi (Voice over Wi-Fi) support. VoLTE / VoWi-Fi works on GrapheneOS for + most carriers unless they restrict it to carrier phones. Some carriers may be missing VoWi-Fi due to + us not including their proprietary apps. Please note that AT&T users may see "5Ge" being used + when LTE Only mode is enabled as AT&T intentionally mislabel LTE services as "5Ge" to mislead + users.

This feature is not intended to improve the confidentiality of traditional calls and texts, but it might somewhat raise the bar for some forms of interception. It's not a @@ -1073,28 +1088,29 @@

Configuration

-

The compatibility layer has a configuration menu available at Settings ➔ - Apps ➔ Sandboxed Google Play.

+

The compatibility layer has a configuration menu available at + Settings > Apps > Sandboxed Google Play.

By default, apps using Google Play geolocation are redirected to our own - implementation on top of the standard OS geolocation service. You don't need - to grant any permissions to Google Play or change any settings for working - location in apps using Google Play geolocation due to our rerouting feature. - If you want to use Google's network location service to provide location - estimates without satellite reception, you can disable the "Reroute location - requests to OS APIs" toggle and grant what it requires to provide network - location. You will need to grant "Allow all the time" Location access to - Google Play services along with the Nearby Devices permission for it to have - all the access it needs. You need to use the "Google Location Accuracy" link - from the sandboxed Google Play configuration menu to access the Google Play - services menu for opting into their network location service, otherwise this - is all pointless. It will send the nearby Wi-Fi and cellular networks provided - via the Location and Nearby Devices permissions to their service to retrieve a - location estimate. In order to fully take advantage of Wi-Fi and Bluetooth - scanning, you also need to enable the scanning toggles in Settings ➔ Location - ➔ Location services which are disabled by default and control whether apps - with the required permissions can scan when Wi-Fi and Bluetooth are otherwise - disabled.

+ implementation on top of the standard OS geolocation service. You don't need to + grant any permissions to Google Play or change any settings for working location + in apps using Google Play geolocation due to our rerouting feature. If you want + to use Google's network location service to provide location estimates without + satellite reception, you can disable the "Reroute location requests to OS APIs" + toggle and grant what it requires to provide network location. You will need to + grant "Allow all the time" Location access to Google Play services along with + the Nearby Devices permission for it to have all the access it needs. You need + to use the "Google Location Accuracy" link from the sandboxed Google Play + configuration menu to access the Google Play services menu for opting into their + network location service, otherwise this is all pointless. It will send the + nearby Wi-Fi and cellular networks provided via the Location and Nearby Devices + permissions to their service to retrieve a location estimate. In order to fully + take advantage of Wi-Fi and Bluetooth scanning, you also need to enable the + scanning toggles in Settings > + Location  > Location services which + are disabled by default and control whether apps with the required permissions can + scan when Wi-Fi and Bluetooth are otherwise disabled.

Re-routing location to the OS geolocation service will use more power than using the Google Play geolocation service since we do not provide a @@ -1109,9 +1125,10 @@ integration so there needs to be an app providing a way to access them.

The menu also provides links to this usage guide, Play services system - settings, Play Store system settings and Google settings. The Play services - and Play Store system settings are only included for convenience since they - can be accessed the same way as any other app via Settings ➔ Apps.

+ settings, Play Store system settings and Google settings. The Play services and + Play Store system settings are only included for convenience since they can be + accessed the same way as any other app via Settings > Apps.

@@ -1150,8 +1167,10 @@

eSIM support on GrapheneOS doesn't require any dependency on Google Play, and never shares data to Google Play even when installed.

-

eSIM support can be enabled in Settings ➔ Network & - Internet ➔ eSIM support. The toggle is persistent across every boot.

+

eSIM support can be enabled in Settings > Network & internet > eSIM support. The toggle is persistent across every + boot.

By enabling the toggle, the proprietary Google functionality is enabled and will be used by the OS to provision and manage eSIMs.

@@ -1183,10 +1202,12 @@ depends on sandboxed Google Play, you'll be prompted to install it if it's not already installed.

-

After installation, Android Auto has to be set up from the "Settings ➔ Apps ➔ - Sandboxed Google Play ➔ Android Auto" configuration screen, which contains - permission toggles, links to related configuration screens, configuration tips, and - links to optional Android Auto dependencies.

+

After installation, Android Auto has to be set up from the Settings > Apps > Sandboxed Google Play > Android Auto configuration screen, which contains permission + toggles, links to related configuration screens, configuration tips, and links to optional + Android Auto dependencies.

The permission toggles ask for a confirmation before turning on. The confirmation popup explains what access each permission toggle provides.

@@ -1227,12 +1248,12 @@ generally encountered with non-financial apps.

Many of these apps have their own crude anti-tampering mechanisms trying to - prevent inspecting or modifying the app in a weak attempt to hide their code and - API from security researchers. GrapheneOS allows users to disable native code - debugging via a toggle in Settings ➔ Security to improve the app sandbox and this - can interfere with apps debugging their own code to add a barrier to analyzing the - app. You should try enabling this again if you've disabled it and are encountering - compatibility issues with these kinds of apps.

+ prevent inspecting or modifying the app in a weak attempt to hide their code and API + from security researchers. GrapheneOS allows users to disable Native code + debugging via a toggle in Settings > + Security to improve the app sandbox and this can interfere with apps debugging their + own code to add a barrier to analyzing the app. You should try enabling this again if you've + disabled it and are encountering compatibility issues with these kinds of apps.

Banking apps are increasingly using Google's SafetyNet attestation service to check the integrity and certification status of the operating system. GrapheneOS @@ -1265,16 +1286,17 @@
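
Review bot: In the LTE-only mode hunk (@@ -946,15 +960,16 @@), the added path gains a step, "SIMs > SIM > Preferred network type", that the removed line did not have ("SIMs ➔ Preferred network type"). That changes the procedure rather than its styling, so it should be checked on a device and called out in the commit message. Since the paragraph is re-added anyway, "LTE Only mode" near its end could be aligned with "LTE-only mode" as used in the heading and the earlier sentence.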
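
Review bot: In the sandboxed Google Play Configuration hunk (@@ -1073,28 +1088,29 @@), the added path reads "Location  > Location services" with an extra space before the separator, unlike the other paths added in this patch. Please remove the stray character, and check whether it is a non-breaking space, so this path renders like the rest.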
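
Review bot: In the banking apps hunk (@@ -1227,12 +1248,12 @@), "Native code debugging" is now capitalised as a UI label but the path still stops at "Settings > Security", whereas the secure app spawning and exploit protection hunks end their paths at the toggle itself. If the toggle sits directly under Security, ending the path at the toggle would make the procedure complete. Naming the toggle there would also make the later sentence "You should try enabling this again if you've disabled it" easier to read next to "disable Native code debugging".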