security/hakurei.app
security/hakurei.app
5
1
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 4 Wiki Activity
hakurei.app/static/features.html
Daniel Micay 1d5f63b979 privacy-focused defaults
2020-12-10 15:39:15 -05:00

193 lines
13 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Features | GrapheneOS</title>
<meta name="description" content="Overview of GrapheneOS features."/>
<meta name="theme-color" content="#212121"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS feature overview"/>
<meta property="og:description" content="Overview of GrapheneOS features."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:url" content="https://grapheneos.org/features"/>
<meta property="og:site_name" content="GrapheneOS"/>
<link rel="icon" sizes="16x16 24x24 32x32 48x48 64x64" type="image/vnd.microsoft.icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/mask-icon.svg"/>
<link rel="mask-icon" href="/mask-icon.svg" color="#1a1a1a"/>
<link rel="stylesheet" href="/grapheneos.css?23"/>
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="canonical" href="https://grapheneos.org/features"/>
<link rel="license" href="/LICENSE.txt"/>
</head>
<body>
<header>
<nav id="site-menu">
<ul>
<li><a href="/">GrapheneOS</a></li>
<li aria-current="page"><a href="/features">Features</a></li>
<li><a href="/install">Install</a></li>
<li><a href="/build">Build</a></li>
<li><a href="/usage">Usage</a></li>
<li><a href="/faq">FAQ</a></li>
<li><a href="/releases">Releases</a></li>
<li><a href="/source">Source</a></li>
<li><a href="/donate">Donate</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</nav>
</header>
<main id="features">
<h1><a href="#features">GrapheneOS feature overview</a></h1>
<p>This is an overview of the current set of features differentiating GrapheneOS from
the Android Open Source Project (AOSP). This page does not currently cover any of our
historical features that are either not yet reimplemented or which became obsolete due
to improvements in AOSP. Each major release of AOSP brings substantial privacy and
security improvements, some of which have been based on our research and development
work.</p>
<p>GrapheneOS is based on the Android 11 release of the Android Open Source Project
which provides a strong baseline for privacy and security. GrapheneOS takes great care
to preserve the baseline privacy and security, including taking full advantage of all
of the standard hardware features. The privacy and security features inherited from
AOSP and the hardware are not covered here. Documentation on that will be gradually
added elsewhere on our site.</p>
<p>Partial list of GrapheneOS features beyond what AOSP 11 provides:</p>
<ul>
<li>Hardened app runtime</li>
<li>Stronger app sandbox</li>
<li>Hardened libc providing defenses against the most common classes of vulnerabilities (memory
corruption)</li>
<li>Our own <a href="https://github.com/GrapheneOS/hardened_malloc/blob/master/README.md">hardened malloc (memory allocator)</a>
leveraging modern hardware capabilities to provide substantial defenses against
the most common classes of vulnerabilities (heap memory corruption) along with
reducing the lifetime of sensitive data in memory</li>
<li>Hardened kernel</li>
<li>Prevention of dynamic native code execution in-memory or via the filesystem
for the base OS without going via the package manager, etc.</li>
<li>Filesystem access hardening</li>
<li>Enhanced verified boot with better security properties and reduced attack surface</li>
<li>Enhanced hardware-based attestation with more precise version information</li>
<li>Eliminates remaining holes for apps to access hardware-based identifiers</li>
<li>Greatly reduced remote, local and proximity-based attack surface by stripping out unnecessary
code, making more features optional and disabling optional features by default (NFC, Bluetooth, etc.) or when the
screen is locked (connecting new USB peripherals, camera access)</li>
<li>Low-level improvements to the filesystem-based full disk encryption used on
modern Android</li>
<li>Support for logging out of user profiles without needing a device manager: makes them inactive so that they can't continue running code while using another profile and purges the disk encryption keys (which are per-profile) from memory and hardware registers</li>
<li>Support longer passwords by default without a device manager</li>
<li>Stricter implementation of the optional fingerprint unlock feature permitting
only 5 attempts rather than 20 before permanent lockout (our recommendation is
still keeping sensitive data in user profiles without fingerprint unlock)</li>
<li>PIN scrambling option</li>
<li><a href="/usage#lte-only-mode">LTE-only mode</a> to reduce cellular radio attack surface by disabling enormous amounts of legacy
code</li>
<li><a href="/usage#wifi-privacy-associated">Default enabled per-connection MAC randomization</a>
as an improvement over Android's default per-network MAC randomization reusing
the same MAC address until the DHCP lease with that network expires (can still
use the standard implementation or fully disable it)</li>
<li>Vanadium: hardened WebView and default browser - the WebView is what most
other apps use to handle web content, so you benefit from Vanadium in many apps
even if you choose another browser</li>
<li>Auditor: hardware-based attestation used to help secure and monitor devices
for users and organizations using a pairing-based model for authentication
rather than relying on a root of trust. Puts attestation to work for the owners of
devices instead of using it as a form of DRM. It provides both local verification and
automated remote verification / device monitoring via our
<a href="https://attestation.app/">attestation.app</a> service. See the
<a href="https://attestation.app/about">detailed explanation on the site</a> for
more information.</li>
<li><a href="https://github.com/GrapheneOS/PdfViewer">PDF Viewer</a>: sandboxed,
hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection,
etc.</li>
<li>Encrypted backups via integration of the
<a href="https://github.com/seedvault-app/seedvault">Seedvault app</a> with
support for local backups and any cloud storage provider with a storage provider
app</li>
<li><a href="/usage#exec-spawning">Secure application spawning system</a> avoiding
sharing address space layout and other secrets across applications</li>
<li>Network permission toggle disallowing both direct and indirect network access,
superior to a purely firewall-based implementation only disallowing direct
access to the network without covering inter-process communication (enabled by
default for compatibility)</li>
<li>Sensors permission toggle: disallow access to all other sensors not covered by
existing Android permissions (enabled by default for compatibility)</li>
<li>Authenticated encryption for network time updates via a first party server to
prevent attackers from changing the time and enabling attacks based on bypassing
certificate / key expiry, etc.</li>
<li>Proper support for disabling network time updates rather than just not using
the results</li>
<li>Connectivity checks via a first party server with the option to revert to the
standard checks</li>
<li>Hardened local build / signing infrastructure</li>
<li><a href="/usage#updates">Seamless automatic OS update system</a> that just
works and stays out of the way in the background without disrupting device
usage, with full support for the standard automatic rollback if the first boot
of the updated OS fails</li> <li>Require unlocking to access sensitive function
via quick tiles</li>
<li>Minor changes to default settings to prefer privacy over small conveniences:
personalized keyboard suggestions based on gathering input history are disabled by
default, sensitive notifications are hidden on the lockscreen by default and
passwords are hidden during entry by default</li>
</ul>
<p>Infrastructure features:</p>
<ul>
<li>Strict privacy and security practices for our infrastructure</li>
<li>Unnecessary logging is avoided and logs are automatically purged after 10 days</li>
<li>Services hosted on OVH without involving any additional parties for CDNs,
mirrors or other services - we don't outsource to others</li>
<li>Our services are built with open technology stacks to avoid being locked in to
any particular hosting provider or vendor</li>
<li>Open documentation on our infrastructure including listing out all of our
services, guides on making similar setups, published configurations for each
of our web services, etc.</li>
<li>No proprietary services</li>
<li>Authenticated encryption for all of our services</li>
<li>Strong cipher configurations for all of our services (SSH, TLS, etc.)</li>
<li>DNSSEC for all our domains</li>
<li>SSHFP across all domains for pinning SSH keys</li>
<li>DANE TLSA records for pinning keys for all our TLS services (unfortunately only
used by a subset of other mail services in practice, and not yet web
browsers)</li>
<li>Static key pinning for our services in apps like Auditor</li>
<li>No cookies or similar client-side state for anything other than login sessions,
which are set up via SameSite=strict cookies and have server-side session tracking
with the ability to log out of other sessions</li>
<li>scrypt-based password hashing (likely Argon2 when the available implementations
are more mature)</li>
</ul>
<p>Beyond the technical features of the OS:</p>
<ul>
<li>Collaborative, open source project with a very active community and contributors</li>
<li>Can make your own builds and make desired changes, so you aren't stuck with
the decisions made by the upstream project</li>
<li>Non-profit project avoiding conflicts of interest by keeping commercialization
at a distance. Companies support the project rather than the project serving the
needs of any particular company</li>
<li><a href="/faq#privacy-policy">Strong privacy policies</a></li>
</ul>
</main>
<footer>
<a href="/"><img src="/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>
<ul id="social">
<li><a href="https://twitter.com/GrapheneOS">Twitter</a></li>
<li><a href="https://github.com/GrapheneOS">GitHub</a></li>
<li><a href="https://reddit.com/r/GrapheneOS">Reddit</a></li>
</ul>
</footer>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink