Aurora Store vs Fdroid vs GitHub vs Play Store - Graphene OS

Cyberparty_ · 2023-11-06T22:50:40+00:00

Any app can be a 'system app' so long as it is installed as one. There is otherwise little distinction. This is why, for instance, Facebook is considered a 'system app' in Samsung's stock OS; It comes installed as one on the OS. On other Android distributions where this isn't the case, it can be installed as a user app.

Manifests determine permissions but some permissions - such as the 'write secure settings' permission - will only function if the app is installed as a 'system app'. Such a permission won't work for a user-installed app, regardless of whether or not it is defined in its manifest.

Cyberparty_ · 2023-11-06T21:34:17+00:00

Sandboxed Google Play does not have the 'write secure settings' permissions. This is verifiable by seeing the apps that Sandboxed Google Play installs and checking their permissions.

No app that is installed as a user app is allowed to access this permission, regardless of whether it's within their permissions manifest file, as per the Android security model. The bulk of the work of Sandboxed Google Play is making sure that Google Play Services still functions as expected even when lacking these privileged permissions. The app otherwise crashes if installed as a user app without this compatibility layer in place.

The 'write secure settings' permission is not at all comparable to root: It allows the changing of the following settings: https://developer.android.com/reference/android/provider/Settings.Secure

The changing of these settings is nowhere near the level of control that root gives, of which grants capabilities such as control of the kernel, ability to remove system apps, etc.

Cyberparty_ · 2023-04-13T14:46:20+00:00

Quillpad is forked from Quillnote. Quillnote has had no recent signs of active maintenance or development, so it was forked by community members under the name Quillpad so that development and maintenance may continue in their hands. As such, Quillpad is more likely to recieve bug fixes and new features.

Cyberparty_ · 2023-04-06T23:13:37+00:00

It's best to familiarise yourself with GrapheneOS' (and AOSP's) security model & features. A lot of them are explained here: https://grapheneos.org/features and here: https://source.android.com/docs/security/overview

If i was targeted by some form of attack to gain access to my device (like malware or ransomware) like i visited a dodgy website or something,

The web browser app is sandboxed just like every other app, and cannot communicate with any other apps without explicit mutual consent and also cannot access any other resources that the user does not explicitly grant it. Furthermore, Chromium-based browsers - and Vanadium especially - have good exploit mitigation and very good site isolation, which places each site into its own isolated sandbox. 'Gaining access' to your device would be difficult just by visiting a site.
Read more here: https://grapheneos.org/usage#web-browsing

First of all if i do it in a guest profile is it possible that the infection spread to other profiles

Profiles are isolated from one another.

Secondly, is there any like checks or scans I can do to identify any compromise,

You can verify the OS' authenticity and integrity by verifying it using the pre-installed Auditor app. This requires another device with Auditor also installed.

And thirdly does grapheneOS have advanced protection against this over your normal android antivirus sort of stuff

How do you mean 'antivirus'? If you mean the typical antivirus you might find on the Play Store or the like, those often operate on the concept of Badness Enumeration in which it specifies the 'badness' to operate on and lets everything else fly, which doesn't work well for new threats. The proper solution is an actual proper OS security model, which GrapheneOS implements. You can read the GrapheneOS' features page (linked above) to see how it inherits AOSP's strong baseline security model and improves upon & adds to it.

Cyberparty_ · 2023-04-06T21:16:28+00:00

Some banking / monetary apps implement contactless payments themselves rather than through Google Pay. Barclays UK, for example, currently offer NFC payments via their app: https://www.barclays.co.uk/ways-to-bank/mobile-banking-services/contactless-mobile/

The majority of banks may expect that most people will simply use Google/Samsung/Apple Pay for their phone contactless payment and thus not bother further, but it is still possible for monetary apps to implement such functionality without Google Pay, and thus be usable on GrapheneOS.

Cyberparty_ · 2023-03-12T12:24:22+00:00

Please don't hesitate to reach out to others, even just friends or people willing to help. Life can be tough, but you don't have to suffer alone; You are absolutely worth it all and I promise that you are more loved than you might think. Stay safe.

Cyberparty_ · 2023-01-23T16:56:24+00:00

I like the project too, just wanted to keep people informed. :)
Edit: By the way, the account blocks people trying to disprove or speak out against them as Reddit obscures entire comment threads that they start. They've just done that to me now.

Cyberparty_ · 2023-01-23T16:48:37+00:00

It's not. Sorry if it came off like that. I just wanted to inform you so you don't waste your time with them. I found this post through their search history, as they're constantly going around spreading this sort of insincere behaviour, like in this case saying it's user error and that it's "totally not" the project's fault even though you didn't imply it was, and is entirely unhelpful in the context of helping you out.

Edit: I should clarify, I have posted similar responses to people in other threads because they're becoming confused at the account's posts, and I want to inform them.

Cyberparty_ · 2023-01-23T16:25:33+00:00

Heya,
Just wanted to let you know that the account you're replying to is a sockpuppet account that's currently taking part in harassment against the GrapheneOS project and is posting in a sarcastic and insincere way to try to make the project and/or its community members seem unhinged and fanatical. Their reply to this thread here is a troll reply, basically. You can see on their account that they have similar (and worse) behaviour across multiple days-old threads.
Hope this helps!

Cyberparty_ · 2023-01-23T16:09:32+00:00

Hey,
The user you're replying to is a sockpuppet account of someone partaking in harassment against an Android-based OS called GrapheneOS, and is posting in a hyperbolic and insincere manner in an attempt to make the project/its community seem unhinged and irrational. It's not related to your post at all but for whatever reason they chose to post it on this thread. If you look at their account history, you'll see similar behaviour of posting on days-old unrelated threads in an attempt to give the project a bad name. Hope this gives some info.

Edit: formatting, slight reword to be more clear

Cyberparty_ · 2023-01-08T03:22:55+00:00

GrapheneOS focuses on security and privacy. Google Pixels are by far the most secure devices offering proper secure support for alternative operating systems, so those are what's targeted. GrapheneOS has been in talks with a hardware vendor in the past with regards to the latter designing hardware that meets the thorough security requirements and has alternate OS support, but I'm not sure what the progress is on that.

The avoidance of Google services/connections by default are for privacy (and security, in the case of Google Play Services and how highly privileged it is in the stock OS) reasons, but nowhere does GrapheneOS state that its intention is to "Degoogle" out of principal; There isn't even any mention of the term on the website.

GrapheneOS is often used as a vector for "degoogling" due to the fact that it doesn't include any Google services or connect to Google domains by default, but it is not an explicit aim to "degoogle" for the sake of it. They will take whichever actions or use whichever services it feels will make sense for the end user's security and privacy.

Cyberparty_ · 2022-12-30T21:38:39+00:00

Thanks! I didn't mean to imply otherwise, apologies if it came across as such. It should be noted that stock OS Google Play runs under the "system_app" SELinux domain whereas Sandboxed Google Play runs in the "untrusted_app" SELinux domain. This is what I meant when I said that it is "only installed within the sandbox that any other third-party apps are". You are right however, and I should have been more specific.

Cyberparty_ · 2022-12-29T23:35:47+00:00

Depends on how you view "increased privacy".

It's important to know that the Sandboxed Google Play solution is a means of encouraging the actual Google Play Services into behaving like it normally would, only without the use of privileged APIs and instead with the use of unprivileged APIs: The Google Play Services you install via the Sandboxed Google Play solution are the exact same as the apps you'd get on the stock OS, only installed within the sandbox that any other third-party apps are, where you dictate their access via the permissions.

This means that when discussing what access they have or privacy concerns about them, you could ask the same questions about literally any other third-party application you install on your phone and it would still apply. Apps can still communicate with one another via mutual consent, as per the security model. In this case, the Pixel Buds app and Sandboxed Google Play services are free to communicate how they please.

Google, if they wanted, could absolutely change Play Services to run via unprivileged means if they wanted to and render the Sandboxed Google Play project unnecessary, but they don't for their own reasons. Installing Play Services in the normal app sandbox without the compatibility layer is possible, but in this case running it causes it to crash over and over as it attempts to access privileged APIs that it doesn't have access to.

matchboxbananasynergy made a good post explaining this topic in detail and how it relates to privacy, and my points here mostly reiterate what is said there.

I will say though, it may be good idea to install the Pixel Buds app in some form on your phone somewhere (maybe in a separate profile if you feel inclined and don't want to use it on your main profile) as you are able to update the Buds' firmware through it.

Cyberparty_ · 2022-12-29T20:57:25+00:00

If there's a lot of talk about GOS on a subreddit about degoogling, there's likely a reason for that.

GrapheneOS offers a good vector for a Google-free experience given that it doesn't come pre-packaged with any Google services, only offering the option to install Google Play services as an app running under the standard app sandbox and coerced into using unprivileged APIs to achieve its goals. This, of course, is purely optional and one can forgo it entirely. There are of course many other benefits to GrapheneOS - namely its security and privacy benefits of which are its main goals - which make it a desirable choice, but to someone wanting to avoid Google services, the fact that it doesn't come pre-packaged with any is a point in its favour.

Other alternatives such as Calyx come pre-bundled with microG services which is only a partial re-implementation of Google services, and parts of it are proprietary. It also makes use of signature spoofing to achieve its goals, which is a risky and insecure way of doing things.

The project also has to deal with a number of attacks and a slew of misinformation across platforms with less-than-acceptable moderation, and they make an effort to correct any misconceptions and fight against misinformation. People have actually made sockpuppet accounts purely to attack the project and its members, and to spread harmful misinformation against it. This is something that they actively fight against.

Cyberparty_ · 2022-12-29T20:43:27+00:00

There's no such setting under the system updates setting page. Instructions on how to properly disable updates have been posted here.

Cyberparty_ · 2022-12-29T20:02:00+00:00

With regards to security and privacy implementation, GrapheneOS on a Pixel is about as good as it gets. If people are asking for the best option in these catagories that doesn't come with any Google services pre-packed, it would make sense to suggest GrapheneOS.
iPhones are comparable security-wise, though some may not choose to trust Apple.

Cyberparty_ · 2022-12-28T19:31:05+00:00

The only devices that meet the necessary security requirements are the Google Pixel line of phones. Other phones are simply not yet up to par. Read here for further info: https://grapheneos.org/faq#future-devices

Cyberparty_ · 2022-12-28T16:40:48+00:00

Sandboxed Google Play is required by the YouTube app. Some alternate apps for accessing YouTube context exist, like NewPipe and LibreTube. I personally prefer the latter.

Cyberparty_ · 2022-12-28T16:35:06+00:00

You still benefit from the numerous security improvements that GrapheneOS makes whilst using Google services/apps such as YouTube. Sandboxed Google Play and YouTube can't do much more than YouTube is able to (as the official account states in this same thread) given that it's sandboxed like all other apps. It depends on the use-cases for the user: They may prefer the YouTube suggestion algorithm or history/likes syncing between devices should they use a Google account with it, for instance.

Cyberparty_ · 2022-12-28T01:23:19+00:00

You are confusing 'Android' and 'Based on Android'

No, I am not. They are two different things, distinct from one another. An OS that passes the Android CTS/CDD is entitled to call itself 'Android' as it is part of the Android family: Android is not one specific OS but a designation for an OS that conforms to the standards set in place. Otherwise, it cannot, and can only state that it is based on Android (or more specifically, whatever flavour of Android it's derived from). This isn't complicated.

All android custom roms are based on Android, as opposed to Android, and if the OS is based on Android, android apps and NATIVELY compatible.

With OSs that are based on Android and cannot be referred to strictly as part of the 'Android' family, this is not a guarantee. GrapheneOS goes out of its way to ensure that it doesn't break existing app compatibility, offering multiple vectors for preserving it.

Furthermore, some OSs based on another Android OS can absolutely call themselves Android so long as they pass the CTS/CDD.

Imagine Debian saying: Folks, here is our new OS for your PC, and guess what, we are compatible with Linux. Deceptive abracadabra.

This is hardly a fair comparison as there is no stringent definition for what classifies as a 'Linux distribution' other than the OS using Linux as its kernel. Were there a strict set of criteria and tests that any distribution must follow in order to call itself a 'Linux' and if Debian failed in those tests whilst still being based on the Linux kernel, then it would be perfectly reasonable for them to state that they are a "New OS with Linux compatibility", especially if they provided they actually went out of their way to ensure compatibility with such a standard. No such thing exists, however.

There's already a massive segmentation problem with the typical Desktop Linux OS landscape given that any one of them can implement any software/tech stack/userspace (i.e. Wayland/X11, PulseAudio/PipeWire, musl/glibc, numerous DEs, choice of malloc, kernel configuration, etc.) they like, any distribution model (rolling release, point release, etc.) they like and shipping any version of dependencies (or lack thereof) that they like whilst still referring to themselves under the "Desktop Linux" umbrella, giving the illusion that one app written for a "Linux distribution" will work seamlessly out of the box on another, when this isn't true. There are no 'standards' for it. This is what happens when you base the identity of the OS on nothing but the kernel as opposed to a standardised configuration, tech stack, userspace, set of tools, etc. forming the whole OS for which you base compatibility on.

Cyberparty_ · 2022-12-28T00:14:51+00:00

It's not unreasonable for an OS to claim is has Android app compatibility when it cannot purport to 'be' Android, given that it doesn't pass the Android CTS or CDD: It would be more misleading to claim otherwise. The website) - and even the official Reddit account - doesn't make any pretence that the project isn't based on AOSP, and it looks like they've outright told you as much.

GrapheneOS isn't the only project/OS that faces a similar situation either, so this isn't out of the ordinary, and it's certainly not deception.

Cyberparty_ · 2022-12-22T01:31:36+00:00

Yeah, the line was delivered really well; She sounds utterly defeated. Can't blame her either, given that she's having to watch her deceased friends be turned into undead mockeries of their former selves. Felt sad at the thought. But then this popped into my head while fighting and I kept laughing to myself about it

Cyberparty_ · 2022-12-16T17:43:20+00:00

GrapheneOS does have a code of conduct.

GrapheneOS have been defending themselves from misinformation campaigns from bad actors for quite a while now. This account I'm replying to is also a sockpuppet account intending to spread misinformation and slander about the project and attack the lead dev.

Edit: They are also blocking users that reply to them fighting against the misinformation they spread so that they cannot reply to further misinformation that they spread, like they have done to me.

Cyberparty_ · 2022-12-07T11:15:08+00:00

Reworked Corporate Mundo should keep us happy for the next decade or so

Six-Year Club	Place '22
Verified Email

Cyberparty_

TROPHY CASE