security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

use conforming procedure style in usage.html

Browse Source
This commit is contained in:
sandbank52641 2024-05-29 17:00:19 +02:00 committed by Daniel Micay
parent 03a1803b32
commit de35a80221
1 changed files with 127 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

227
static/usage.html
View File

@ -110,9 +110,12 @@
like it. Our experience is that when armed with the appropriate knowledge, the like it. Our experience is that when armed with the appropriate knowledge, the
vast majority of users prefer the newer gesture navigation approach.</p> vast majority of users prefer the newer gesture navigation approach.</p>
<p>The system navigation mode can be configured in Settings ➔ System ➔ Gestures ➔ <p>The system navigation mode can be configured in <b>Settings&#160;<span
System navigation. The same menu is also available in Settings ➔ Accessibility ➔ aria-label="and then">></span> System&#160;<span aria-label="and
System controls ➔ System navigation.</p> then">></span> Gestures&#160;<span aria-label="and then">></span> Navigation
mode</b>. The same menu is also available in <b>Settings&#160;<span aria-label="and
then">></span> Accessibility&#160;<span aria-label="and then">></span> System
controls&#160;<span aria-label="and then">></span> Navigation mode</b>.</p>
<section id="gesture-navigation"> <section id="gesture-navigation">
<h3><a href="#gesture-navigation">Gesture navigation</a></h3> <h3><a href="#gesture-navigation">Gesture navigation</a></h3>
@ -371,8 +374,9 @@
be safe. This is the same as the stock OS but it comes with one set up be safe. This is the same as the stock OS but it comes with one set up
already.</p> already.</p>
<p>GrapheneOS disables showing the characters as passwords are typed by default. <p>GrapheneOS disables showing the characters as passwords are typed by default. You
You can enable this in Settings ➔ Privacy.</p> can enable this in <b>Settings&#160;<span aria-label="and then">></span>
Privacy</b>.</p>
<p>Third party accessibility services can be installed and activated. This <p>Third party accessibility services can be installed and activated. This
includes the ones made by Google. Most of these will work but some may have a hard includes the ones made by Google. Most of these will work but some may have a hard
@ -419,7 +423,8 @@
<section id="updates-settings"> <section id="updates-settings">
<h3><a href="#updates-settings">Settings</a></h3> <h3><a href="#updates-settings">Settings</a></h3>
<p>The settings are available in the Settings app in System ➔ System update.</p> <p>The settings are available in the Settings app in <b>System&#160;<span
aria-label="and then">></span> System update</b>.</p>
<p>The "Check for updates" option will manually trigger an update check as soon as <p>The "Check for updates" option will manually trigger an update check as soon as
possible. It will still wait for the configuration conditions listed below to be possible. It will still wait for the configuration conditions listed below to be
@ -474,12 +479,12 @@
<section id="updates-disabling"> <section id="updates-disabling">
<h3><a href="#updates-disabling">Disabling</a></h3> <h3><a href="#updates-disabling">Disabling</a></h3>
<p>It's highly recommended to leave automatic updates enabled and to configure the <p>It's highly recommended to leave automatic updates enabled and to configure
permitted networks if the bandwidth usage is a problem on your mobile data connection. the permitted networks if the bandwidth usage is a problem on your mobile data
However, it's possible to turn off the update client by going to Settings ➔ Apps, connection. However, it's possible to turn off the update client by going to
enabling Show system via the menu, selecting System Updater and disabling the <b>Settings&#160;<span aria-label="and then">></span> Apps</b>, enabling Show
app. If you do this, you'll need to remember to enable it again to start receiving system via the menu, selecting System Updater and disabling the app. If you do
updates.</p> this, you'll need to remember to enable it again to start receiving updates.</p>
</section> </section>
<section id="updates-sideloading"> <section id="updates-sideloading">
@ -521,10 +526,12 @@
<h2><a href="#usb-peripherals">USB peripherals</a></h2> <h2><a href="#usb-peripherals">USB peripherals</a></h2>
<p>GrapheneOS defaults to ignoring connected USB peripherals when the device is <p>GrapheneOS defaults to ignoring connected USB peripherals when the device is
already booted and the screen is locked. A USB device already connected at boot already booted and the screen is locked. A USB device already connected at boot will
will still work. The purpose is reducing attack surface for a locked device with still work. The purpose is reducing attack surface for a locked device with active
active login sessions to user profiles to protect data that's not at rest. This login sessions to user profiles to protect data that's not at rest. This can be
can be controlled in Settings ➔ Security ➔ USB accessories. The options are:</p> controlled in <b>Settings&#160;<span aria-label="and then">></span>
Security&#160;<span aria-label="and then">></span> USB peripherals</b>. The options
are:</p>
<ul> <ul>
<li>Disallow new USB peripherals</li> <li>Disallow new USB peripherals</li>
@ -805,12 +812,13 @@
profiles, so it also provides a temporary set of device identifiers across profiles profiles, so it also provides a temporary set of device identifiers across profiles
for each boot via the shared randomized values.</p> for each boot via the shared randomized values.</p>
<p>This feature can be disabled via Settings ➔ Security ➔ Enable secure app <p>This feature can be disabled via <b>Settings&#160;<span aria-label="and
spawning if you prefer to have faster cold start app spawning time and lower app then">></span> Security&#160;<span aria-label="and then">></span> Secure app
process memory usage instead of the substantial security benefits and the removal spawning</b> if you prefer to have faster cold start app spawning time and lower
of the only known remaining direct device identifiers across profiles (i.e. not app process memory usage instead of the substantial security benefits and the
depending on fingerprinting global configuration, available storage space, etc. or removal of the only known remaining direct device identifiers across profiles (i.e.
using side channels).</p> not depending on fingerprinting global configuration, available storage space, etc.
or using side channels).</p>
</section> </section>
<section id="bugs-uncovered-by-security-features"> <section id="bugs-uncovered-by-security-features">
@ -836,8 +844,11 @@
designed to be friendly to apps and fully compatible rather than killing the designed to be friendly to apps and fully compatible rather than killing the
application when it violates the rules.</p> application when it violates the rules.</p>
<p>You can enable our exploit protection compatibility mode via Settings ➔ Apps ➔ <p>You can enable our exploit protection compatibility mode via
App ➔ Exploit protection. The exploit protection compatibility mode toggle will:</p> <b>Settings&#160;<span aria-label="and then">></span> Apps&#160;<span
aria-label="and then">></span> <var>APP</var>&#160;<span aria-label="and
then">></span> Exploit protection compatibility mode</b>. The exploit protection
compatibility mode toggle will:</p>
<ul> <ul>
<li>Switch from hardened_malloc to Android's standard allocator (Scudo)</li> <li>Switch from hardened_malloc to Android's standard allocator (Scudo)</li>
<li>Reduce address space size from 48 bit to Android's standard 39 bit</li> <li>Reduce address space size from 48 bit to Android's standard 39 bit</li>
@ -892,24 +903,27 @@
privacy rather than increasing it. If you need to use a hidden AP, make sure privacy rather than increasing it. If you need to use a hidden AP, make sure
to delete the saved network afterwards.</p> to delete the saved network afterwards.</p>
<p>Wi-Fi and Bluetooth scanning for improving location detection are disabled <p>Wi-Fi and Bluetooth scanning for improving location detection are disabled by
by default, unlike the stock OS. These can be toggled in Settings ➔ Location ➔ default, unlike the stock OS. These can be toggled in <b>Settings&#160;<span
Location Services ➔ Wi-Fi and Bluetooth scanning. These features enable aria-label="and then">></span> Location&#160;<span aria-label="and
scanning even when Wi-Fi or Bluetooth is disabled, so these need to be kept then">></span> Location services&#160;<span aria-label="and then">></span> Wi-Fi and
disabled to fully disable the radios when Wi-Fi and Bluetooth are disabled. Bluetooth scanning</b>. These features enable scanning even when Wi-Fi or Bluetooth is
GrapheneOS itself doesn't currently include a supplementary location service disabled, so these need to be kept disabled to fully disable the radios when Wi-Fi and Bluetooth
based on Wi-Fi and Bluetooth scanning. These options impact whether apps such are disabled. GrapheneOS itself doesn't currently include a supplementary location service based
as sandboxed Google Play are able to use the functionality if you grant them on Wi-Fi and Bluetooth scanning. These options impact whether apps such as sandboxed Google Play
the Location permission. GrapheneOS plans to eventually include an OS service are able to use the functionality if you grant them the Location permission. GrapheneOS plans to
based on local databases rather than a network-based service giving the user's eventually include an OS service based on local databases rather than a network-based service
location to a server whenever location is being used.</p> giving the user's location to a server whenever location is being used.</p>
</section> </section>
<section id="wifi-privacy-associated"> <section id="wifi-privacy-associated">
<h3><a href="#wifi-privacy-associated">Associated with an Access Point (AP)</a></h3> <h3><a href="#wifi-privacy-associated">Associated with an Access Point (AP)</a></h3>
<p>Associated MAC randomization is performed by default. This can be controlled <p>Associated MAC randomization is performed by default. This can be controlled
per-network in Settings ➔ Network &amp; Internet ➔ Internet ➔ <var>NETWORK</var> ➔ Privacy.</p> per-network in <b>Settings&#160;<span aria-label="and then">></span> Network
&amp; internet&#160;<span aria-label="and then">></span> Internet&#160;<span
aria-label="and then">></span> <var>NETWORK</var>&#160;<span
aria-label="and then">></span> Privacy</b>.</p>
<p>In the stock OS, the default is to use a unique persistent random MAC address for <p>In the stock OS, the default is to use a unique persistent random MAC address for
each network. It has 2 options available: "Use randomized MAC (default)" and "Use each network. It has 2 options available: "Use randomized MAC (default)" and "Use
@ -946,15 +960,16 @@
<h2><a href="#lte-only-mode">LTE-only mode</a></h2> <h2><a href="#lte-only-mode">LTE-only mode</a></h2>
<p>If you have a reliable LTE connection from your carrier, you can reduce attack <p>If you have a reliable LTE connection from your carrier, you can reduce attack
surface by disabling 2G, 3G and 5G connectivity in Settings ➔ Network &amp; surface by disabling 2G, 3G and 5G connectivity in <b>Settings&#160;<span
Internet ➔ SIMs ➔ Preferred network type. Traditional voice calls will only work aria-label="and then">></span> Network &amp; internet&#160;<span aria-label="and
in the LTE-only mode if you have either an LTE connection and VoLTE (Voice over then">></span> SIMs&#160;<span aria-label="and then">></span> <var>SIM</var>&#160;<span
LTE) support or a Wi-Fi connection and VoWi-Fi (Voice over Wi-Fi) support. VoLTE / aria-label="and then">></span> Preferred network type</b>. Traditional voice calls will only
VoWi-Fi works on GrapheneOS for most carriers unless they restrict it to carrier work in the LTE-only mode if you have either an LTE connection and VoLTE (Voice over LTE) support or
phones. Some carriers may be missing VoWi-Fi due to us not including their a Wi-Fi connection and VoWi-Fi (Voice over Wi-Fi) support. VoLTE / VoWi-Fi works on GrapheneOS for
proprietary apps. Please note that AT&amp;T users may see "5Ge" being used when most carriers unless they restrict it to carrier phones. Some carriers may be missing VoWi-Fi due to
LTE Only mode is enabled as AT&amp;T intentionally mislabel LTE services as "5Ge" us not including their proprietary apps. Please note that AT&amp;T users may see "5Ge" being used
to mislead users.</p> when LTE Only mode is enabled as AT&amp;T intentionally mislabel LTE services as "5Ge" to mislead
users.</p>
<p>This feature is not intended to improve the confidentiality of traditional calls and <p>This feature is not intended to improve the confidentiality of traditional calls and
texts, but it might somewhat raise the bar for some forms of interception. It's not a texts, but it might somewhat raise the bar for some forms of interception. It's not a
@ -1073,28 +1088,29 @@
<section id="sandboxed-google-play-configuration"> <section id="sandboxed-google-play-configuration">
<h3><a href="#sandboxed-google-play-configuration">Configuration</a></h3> <h3><a href="#sandboxed-google-play-configuration">Configuration</a></h3>
<p>The compatibility layer has a configuration menu available at Settings ➔ <p>The compatibility layer has a configuration menu available at
Apps ➔ Sandboxed Google Play.</p> <b>Settings&#160;<span aria-label="and then">></span> Apps&#160;<span
aria-label="and then">></span> Sandboxed Google Play</b>.</p>
<p>By default, apps using Google Play geolocation are redirected to our own <p>By default, apps using Google Play geolocation are redirected to our own
implementation on top of the standard OS geolocation service. You don't need implementation on top of the standard OS geolocation service. You don't need to
to grant any permissions to Google Play or change any settings for working grant any permissions to Google Play or change any settings for working location
location in apps using Google Play geolocation due to our rerouting feature. in apps using Google Play geolocation due to our rerouting feature. If you want
If you want to use Google's network location service to provide location to use Google's network location service to provide location estimates without
estimates without satellite reception, you can disable the "Reroute location satellite reception, you can disable the "Reroute location requests to OS APIs"
requests to OS APIs" toggle and grant what it requires to provide network toggle and grant what it requires to provide network location. You will need to
location. You will need to grant "Allow all the time" Location access to grant "Allow all the time" Location access to Google Play services along with
Google Play services along with the Nearby Devices permission for it to have the Nearby Devices permission for it to have all the access it needs. You need
all the access it needs. You need to use the "Google Location Accuracy" link to use the "Google Location Accuracy" link from the sandboxed Google Play
from the sandboxed Google Play configuration menu to access the Google Play configuration menu to access the Google Play services menu for opting into their
services menu for opting into their network location service, otherwise this network location service, otherwise this is all pointless. It will send the
is all pointless. It will send the nearby Wi-Fi and cellular networks provided nearby Wi-Fi and cellular networks provided via the Location and Nearby Devices
via the Location and Nearby Devices permissions to their service to retrieve a permissions to their service to retrieve a location estimate. In order to fully
location estimate. In order to fully take advantage of Wi-Fi and Bluetooth take advantage of Wi-Fi and Bluetooth scanning, you also need to enable the
scanning, you also need to enable the scanning toggles in Settings ➔ Location scanning toggles in <b>Settings&#160;<span aria-label="and then">></span>
➔ Location services which are disabled by default and control whether apps Location &#160;<span aria-label="and then">></span> Location services</b> which
with the required permissions can scan when Wi-Fi and Bluetooth are otherwise are disabled by default and control whether apps with the required permissions can
disabled.</p> scan when Wi-Fi and Bluetooth are otherwise disabled.</p>
<p>Re-routing location to the OS geolocation service will use more power than <p>Re-routing location to the OS geolocation service will use more power than
using the Google Play geolocation service since we do not provide a using the Google Play geolocation service since we do not provide a
@ -1109,9 +1125,10 @@
integration so there needs to be an app providing a way to access them.</p> integration so there needs to be an app providing a way to access them.</p>
<p>The menu also provides links to this usage guide, Play services system <p>The menu also provides links to this usage guide, Play services system
settings, Play Store system settings and Google settings. The Play services settings, Play Store system settings and Google settings. The Play services and
and Play Store system settings are only included for convenience since they Play Store system settings are only included for convenience since they can be
can be accessed the same way as any other app via Settings ➔ Apps.</p> accessed the same way as any other app via <b>Settings&#160;<span
aria-label="and then">></span> Apps</b>.</p>
</section> </section>
<section id="sandboxed-google-play-limitations"> <section id="sandboxed-google-play-limitations">
@ -1150,8 +1167,10 @@
<p>eSIM support on GrapheneOS doesn't require any dependency on Google Play, <p>eSIM support on GrapheneOS doesn't require any dependency on Google Play,
and never shares data to Google Play even when installed.</p> and never shares data to Google Play even when installed.</p>
<p>eSIM support can be enabled in Settings ➔ Network &amp; <p>eSIM support can be enabled in <b>Settings&#160;<span aria-label="and
Internet ➔ eSIM support. The toggle is persistent across every boot.</p> then">></span> Network &amp; internet&#160;<span aria-label="and
then">></span> eSIM support</b>. The toggle is persistent across every
boot.</p>
<p>By enabling the toggle, the proprietary Google functionality is enabled and <p>By enabling the toggle, the proprietary Google functionality is enabled and
will be used by the OS to provision and manage eSIMs.</p> will be used by the OS to provision and manage eSIMs.</p>
@ -1183,10 +1202,12 @@
depends on sandboxed Google Play, you'll be prompted to install it if it's not depends on sandboxed Google Play, you'll be prompted to install it if it's not
already installed.</p> already installed.</p>
<p>After installation, Android Auto has to be set up from the "Settings ➔ Apps ➔ <p>After installation, Android Auto has to be set up from the <b>Settings&#160;<span
Sandboxed Google Play ➔ Android Auto" configuration screen, which contains aria-label="and then">></span> Apps&#160;<span aria-label="and
permission toggles, links to related configuration screens, configuration tips, and then">></span> Sandboxed Google Play&#160;<span aria-label="and
links to optional Android Auto dependencies.</p> then">></span> Android Auto</b> configuration screen, which contains permission
toggles, links to related configuration screens, configuration tips, and links to optional
Android Auto dependencies.</p>
<p>The permission toggles ask for a confirmation before turning on. The <p>The permission toggles ask for a confirmation before turning on. The
confirmation popup explains what access each permission toggle provides.</p> confirmation popup explains what access each permission toggle provides.</p>
@ -1227,12 +1248,12 @@
generally encountered with non-financial apps.</p> generally encountered with non-financial apps.</p>
<p>Many of these apps have their own crude anti-tampering mechanisms trying to <p>Many of these apps have their own crude anti-tampering mechanisms trying to
prevent inspecting or modifying the app in a weak attempt to hide their code and prevent inspecting or modifying the app in a weak attempt to hide their code and API
API from security researchers. GrapheneOS allows users to disable native code from security researchers. GrapheneOS allows users to disable <b>Native code
debugging via a toggle in Settings ➔ Security to improve the app sandbox and this debugging</b> via a toggle in <b>Settings&#160;<span aria-label="and then">></span>
can interfere with apps debugging their own code to add a barrier to analyzing the Security</b> to improve the app sandbox and this can interfere with apps debugging their
app. You should try enabling this again if you've disabled it and are encountering own code to add a barrier to analyzing the app. You should try enabling this again if you've
compatibility issues with these kinds of apps.</p> disabled it and are encountering compatibility issues with these kinds of apps.</p>
<p>Banking apps are increasingly using Google's SafetyNet attestation service to <p>Banking apps are increasingly using Google's SafetyNet attestation service to
check the integrity and certification status of the operating system. GrapheneOS check the integrity and certification status of the operating system. GrapheneOS
@ -1265,16 +1286,17 @@
<section id="app-link-verification"> <section id="app-link-verification">
<h2><a href="#app-link-verification">App link verification</a></h2> <h2><a href="#app-link-verification">App link verification</a></h2>
<p>Android apps can declare associations with domains in order to handle those <p>Android apps can declare associations with domains in order to handle those URLs
URLs in the app automatically. For security reasons, app links are disabled by in the app automatically. For security reasons, app links are disabled by default to
default to prevent apps intercepting arbitrary URLs. First party apps associated prevent apps intercepting arbitrary URLs. First party apps associated with a domain
with a domain are expected to be authorized by the domain. Apps can ask for their are expected to be authorized by the domain. Apps can ask for their app links to be
app links to be verified by the OS by marking them with <code>autoVerify</code> in verified by the OS by marking them with <code>autoVerify</code> in their manifest.
their manifest. The OS will securely confirm that the domain authorizes the app to The OS will securely confirm that the domain authorizes the app to handle the
handle the domain's URLs. Users can also manually enable an app's link domain's URLs. Users can also manually enable an app's link associations via
associations via Settings ➔ Apps ➔ App name ➔ Open by default ➔ Add link. Apps can <b>Settings&#160;<span aria-label="and then">></span> Apps&#160;<span
ask users to enable the associations and send them to this page in the Settings aria-label="and then">></span> <var>APP</var>&#160;<span aria-label="and
app.</p> then">></span> Open by default&#160;<span aria-label="and then">></span> Add link</b>. Apps
can ask users to enable the associations and send them to this page in the Settings app.</p>
<p>As an example, the first party YouTube app will have the app links verified by <p>As an example, the first party YouTube app will have the app links verified by
the OS automatically while the NewPipe app requires manually enabling handling the OS automatically while the NewPipe app requires manually enabling handling
@ -1347,12 +1369,16 @@
<ul> <ul>
<li>Some carriers require you to explicitly opt in to use services such as Wi-Fi calling. <li>Some carriers require you to explicitly opt in to use services such as Wi-Fi calling.
Consult your carrier's documentation on the process for this or contact them.</li> Consult your carrier's documentation on the process for this or contact them.</li>
<li>Reset Mobile Network settings in Settings ➔ System ➔ Reset options ➔ Reset Wi-Fi, <li><b>Reset Mobile Network Settings</b> in <b>Settings&#160;<span
mobile &amp; Bluetooth and then reboot the device.</li> aria-label="and then">></span> System&#160;<span aria-label="and
then">></span> Reset options</b> and then reboot the device.</li>
<li>USA users only: You may need to request your carrier to enable CDMA-less mode if <li>USA users only: You may need to request your carrier to enable CDMA-less mode if
you have issues.</li> you have issues.</li>
<li>Follow your carrier's instructions for setting up APNs, this can be found in <li>Follow your carrier's instructions for setting up APNs, this can be found in
Settings ➔ Network &amp; Internet ➔ SIMs ➔ Access Point Names</li> <b>Settings&#160;<span aria-label="and then">></span> Network &amp;
internet&#160;<span aria-label="and then">></span> SIMs&#160;<span
aria-label="and then">></span> <var>SIM</var>&#160;<span
aria-label="and then">></span> Access Point Names</b></li>
<li>If calls do not work and you have <a href="#lte-only-mode">LTE-only mode</a> enabled, <li>If calls do not work and you have <a href="#lte-only-mode">LTE-only mode</a> enabled,
try toggling it off. If "Allow 2G" is disabled, try toggling it back on. Your carrier try toggling it off. If "Allow 2G" is disabled, try toggling it back on. Your carrier
may not properly support VoLTE.</li> may not properly support VoLTE.</li>
@ -1360,13 +1386,14 @@
</ul> </ul>
<p>Some carriers may restrict functionality, such as VoLTE, on imported Pixel <p>Some carriers may restrict functionality, such as VoLTE, on imported Pixel
devices as they only whitelist the IMEI ranges of Pixel device SKUs which were devices as they only whitelist the IMEI ranges of Pixel device SKUs which were sold
sold locally. You can check your SKU on GrapheneOS by going to Settings ➔ About locally. You can check your SKU on GrapheneOS by going to <b>Settings&#160;<span
phone ➔ Model ➔ Hardware SKU and using the aria-label="and then">></span> About phone&#160;<span aria-label="and then">></span>
<a href="https://support.google.com/pixelphone/answer/7158570">official Google Model&#160;<span aria-label="and then">></span> Hardware SKU</b> and using the <a
documentation</a>. You should check if such functionality works on the stock OS to href="https://support.google.com/pixelphone/answer/7158570">official Google
troubleshoot. It is not possible to change the IMEI on a production device and documentation</a>. You should check if such functionality works on the stock OS to troubleshoot.
GrapheneOS cannot add support for it since the hardware doesn't support it.</p> It is not possible to change the IMEI on a production device and GrapheneOS cannot add support for
it since the hardware doesn't support it.</p>
<p>Android 12 introduced support for the <p>Android 12 introduced support for the
<a href="https://www.gsma.com/newsroom/wp-content/uploads//TS.43-v9.0.pdf">GSMA <a href="https://www.gsma.com/newsroom/wp-content/uploads//TS.43-v9.0.pdf">GSMA