security/hakurei.app
security/hakurei.app
5
1
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 4 Wiki Activity
hakurei.app/static/index.html
Daniel Micay b3e07c840e migrate history page into an index page
2021-03-27 15:53:54 -04:00

182 lines
11 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>GrapheneOS</title>
<meta name="description" content="GrapheneOS is a security and privacy focused mobile OS with Android app compatibility."/>
<meta name="theme-color" content="#212121"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS"/>
<meta property="og:description" content="GrapheneOS is a security and privacy focused mobile OS with Android app compatibility."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/"/>
<link rel="canonical" href="https://grapheneos.org/"/>
<link rel="icon" sizes="16x16 24x24 32x32 48x48 64x64" type="image/vnd.microsoft.icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/mask-icon.svg"/>
<link rel="mask-icon" href="/mask-icon.svg" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
<link rel="stylesheet" href="/grapheneos.css"/>
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<script type="module" src="/js/redirect.js"></script>
</head>
<body>
<header>
<nav id="site-menu">
<ul>
<li aria-current="page"><a href="/">GrapheneOS</a></li>
<li><a href="/features">Features</a></li>
<li><a href="/install/">Install</a></li>
<li><a href="/build">Build</a></li>
<li><a href="/usage">Usage</a></li>
<li><a href="/faq">FAQ</a></li>
<li><a href="/releases">Releases</a></li>
<li><a href="/source">Source</a></li>
<li><a href="/history/">History</a></li>
<li><a href="/articles/">Articles</a></li>
<li><a href="/donate">Donate</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</nav>
</header>
<main id="grapheneos">
<h1><a href="#grapheneos">GrapheneOS</a></h1>
<p>GrapheneOS is a privacy and security focused mobile OS with Android app
compatibility developed as a non-profit <a href="/source">open source</a> project.
It's focused on the research and development of privacy and security technology
including substantial improvements to sandboxing, exploit mitigations and the
permission model. GrapheneOS also develops various apps and services with a focus on
privacy and security. Vanadium is a hardened variant of the Chromium browser and
WebView specifically built for GrapheneOS. GrapheneOS also includes our minimal
security-focused PDF Viewer, our hardware-based Auditor app / attestation service
providing local and remote verification of devices, and the externally developed
Seedvault encrypted backup which was initially developed for inclusion in
GrapheneOS.</p>
<p>GrapheneOS improves the privacy and security of the OS from the bottom up. It
deploys technologies to mitigate whole classes of vulnerabilities and make exploiting
the most common sources of vulnerabilities substantially more difficult. It improves
the security of both the OS and the apps running on it. The app sandbox and other
security boundaries are fortified. GrapheneOS tries to avoid impacting the user
experience with the privacy and security features. Ideally, the features can be
designed so that they're always enabled with no impact on the user experience and no
additional complexity like configuration options. It's not always feasible, and
GrapheneOS does add various toggles for features like the Network permission, Sensors
permission, restrictions when the device is locked (USB peripherals, camera, quick
tiles), etc. along with more complex user-facing privacy and security features with
their own UX.</p>
<p>The <a href="/features">features page</a> provides an overview of the substantial
privacy and security improvements added by GrapheneOS to the Android Open Source
Project.</p>
<p>Official releases are available on the <a href="/releases">releases page</a> and
installation instructions are on the <a href="/install/">install page</a>.</p>
<section id="never-google-services">
<h2><a href="#never-google-services">No Google apps or services</a></h2>
<p>GrapheneOS will never include either Google Play services or another
implementation of Google services like microG. Those are not included in the
Android Open Source Project and are not required for baseline Android
compatibility. Apps designed to run on Android rather than only Android with
bundled Google apps and services already work on GrapheneOS, so a huge number of
both open and closed source apps are already available for it.</p>
<p>AOSP APIs not tied to Google but that are typically provided via Play services
will continue to be implemented using open source providers like the Seedvault
backup app. Text-to-speech, speech-to-text, geocoding, accessibility services,
etc. are examples of other open Android APIs where we need to develop/bundle an
implementation based on existing open source projects. GrapheneOS is not going to
be implementing these via a Google service compatibility layer because these APIs
are in no way inherently tied to Google services.</p>
<p>We're developing a minimal Play services compatibility layer as a regular app
without any special privileges. The app will provide a stub implementation of the
entire Play services API pretending the servers are down and the functionality is
unavailable. It will always be disabled by default since apps will detect Play
services is available and will try to use it rather than alternatives. As an
example, Signal would try to use a non-functional FCM implementation rather than
their own server push implementation. The intention is that users will only enable
this in profiles dedicated to running apps with an unnecessary hard dependency on
Play services. We'll likely prevent enabling it in the owner profile to help users
avoid those kinds of pitfalls.</p>
<p>Our Play services app won't have any special privileges or whitelisting in the
OS like Play services or microG. There will be no support for bypassing arbitrary
signature checks like the microG signature spoofing patch since it substantially
compromises the OS security model and breaks other security features like verified
boot. Instead, our app will be signed with a GrapheneOS Play services key and the
only OS support for the app will be presenting the GrapheneOS Play services key as
the Google Play services key.</p>
<p>Ideally, Google themselves would support installing the official Play services
as a regular Android app, rather than taking the monopolistic approach of forcing
it to be bundled into the OS in a deeply integrated way with special privileged
permissions and capabilities unavailable to other service providers competing with
them. Even though we would never include it in GrapheneOS, it would be great if
users did have the option to install Play services as a regular app in specific
profiles. It's unfortunate that the approach taken to it is so deeply integrated
and anti-competitive. GrapheneOS users can still choose to use Google services if
they choose, but largely only via a browser. A few of their apps like Google Maps
do work with reduced functionality without Play services but most won't.</p>
</section>
<section id="history">
<h2><a href="#history">History</a></h2>
<p>GrapheneOS was founded as an open source project in late 2014. It was formerly
known as CopperheadOS. For more details, see the <a href="/history/">history
page</a>.</p>
</section>
<section id="upstream">
<h2><a href="#upstream">Upstream contributions</a></h2>
<p>See <a href="/faq#upstream">the FAQ section on our upstream work</a> improving
privacy and security for billions of users by getting a subset of our changes into
core infrastructure projects.</p>
</section>
<section id="copyright-and-licensing">
<h2><a href="#copyright-and-licensing">Copyright and licensing</a></h2>
<p>GrapheneOS is permissively licensed and has never used copyright assignment, so
the work is owned by the developers. See the
<a href="/faq#copyright-and-licensing">FAQ entry on copyright and licensing</a>
for more details.</p>
</section>
<section id="roadmap">
<h2><a href="#roadmap">Roadmap</a></h2>
<p>See <a href="/faq#roadmap">the FAQ section on the roadmap</a>.</p>
</section>
<section id="device-support">
<h2><a href="/faq#device-support">Device support</a></h2>
<p>See <a href="/faq#device-support">the FAQ section on device support</a>.</p>
</section>
</main>
<footer>
<a href="/"><img src="/mask-icon.svg" width="512" height="512" alt=""/>GrapheneOS</a>
<ul id="social">
<li><a href="https://twitter.com/GrapheneOS">Twitter</a></li>
<li><a href="https://github.com/GrapheneOS">GitHub</a></li>
<li><a href="https://reddit.com/r/GrapheneOS">Reddit</a></li>
<li><a href="https://www.linkedin.com/company/grapheneos/">LinkedIn</a></li>
</ul>
</footer>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink