final [GrapheneOS] 📱👁️‍🗨️
c15a5a65986e7ab4134dee3ab85254da5c5d4b04e78b4f16c82837192d355185
Keeping the fight. Community Moderator for #GrapheneOS https://discuss.grapheneos.org/u/final This is a personal account. I do not speak on behalf of GrapheneOS developers as a whole (nor am I) and suggestions shall not be endorsements.

Pixel 8 and later due to the support of hardware memory tagging. This is a humongous security benefit the other phones do not have. We use MTE throughout the OS and the Vanadium web browser.

Pixel Tablet and Pixel Fold are from the seventh generation, so sadly not. Hopefully Fold 2 and Tablet 2 (if there is a second Tablet) will have.

Pixel 8 has the hardware for DisplayPort Alt Mode but does not enable it in stock. Fortunately, GrapheneOS enables it.

There is no fully working desktop mode... Yet.

Replying here so I can do two in one:

GrapheneOS does not have such a feature yet but a PIN/password that erases the device is being worked on. Oftentimes people use an app like Wasted, Duress or similar which allows a trigger to erase the device via device admin. We never recommended these because all these duress features that people sell or make apps for in this method can be easily bypassed by holding the Volume Down button when the trigger happens to boot to Fastboot and cancel it. We have a video by a forensics company (MSAB) instructing how to perform this bypass; it has been common knowledge for ages.

This is why this work has taken longer than people think, because the way GrapheneOS does it should not be cancelled or bypassed. It has to be new.

The automatic reboot covers a threat actor seeking to attack a device by taking advantage of it being in an AFU state. This is not the only protection we have on offer. The very new USB port controls are another. The hardware-backed rate limiting via the Titan M2 is a part of the benefits of the hardware we support. The longer passwords also mean having ones so long you cannot brute force (providing the entropy is great!)

Regardless of autoreboot, your phone won't get any updates if seized. They could wait and see if they can exploit in the future... but if a phone is in BFU their work becomes harder. They'd need to find a way to exploit the tamper-resistant secure element to even think about getting through brute force protections most likely.

For the curious user, here is the work done for the new USB port controls on #GrapheneOS:

https://github.com/GrapheneOS/platform_frameworks_base/pull/485

This is a replacement for the former grsecurity-based deny_new_usb integration with screen lock integration included. That older feature only covered USB peripherals and it didn't cover USB alternate modes, gadgets or low-level USB attack surface from the USB-C implementation itself. Blocking of USB peripherals was on a high level and there was still some attack surface previously. We cover all of this now including turning off the data lines in hardware. You also have the option to deactivate the USB port entirely when in OS mode.

Unclear whether this is affecting Android app repos. Doesn't look like it, I only see Python scripts in the source articles. I wouldn't worry about this even if there is knowledge this affects Android app repositories.

Someone getting their apps outside of an app store like from GitHub MUST do their due diligence, people should see that the GitHub repository they get their apps from is the authentic repo by the real developer. This is just a dependency confusion attack where a threat actor posts an app or library using the same name as a popular one to confuse people into downloading their malicious one.

Obtainium is not our app, nor is it the best source for apps. Obtainium lacks ability to secure initial install of apps and you rely on the Android Trust-on-First-Use model that apps can only be updated if they are signed by the same developer key that the initial install has. You rely entirely on your trust and research that the apps you get are the authentic ones when you install them the first time. App stores like Accrescent (accrescent.app) pin signing keys and verify app installs so you don't have to do that. Some apps may also let you verify in other ways too.

If people check their apps first this is not an issue to anyone. This is just an issue of people being tricked.

Android apps are sandboxed and you should deny a permission for an app to access or do something if you do not like that. If you can't use the app without it and you KNOW it is not necessary then you should maybe consider an alternative app instead. Most trivial Android malware comes down to people just allowing the apps to see what they want.
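The first-install check described above, as an added example that is not part of the original posts: it compares the signer certificate digest reported for an APK against a fingerprint obtained out of band, and contrasts that with trust-on-first-use. It assumes the `Signer #N certificate SHA-256 digest:` lines printed by `apksigner verify --print-certs`; the fingerprints, the sample output and all function names are constructed for illustration.

```python
import re

# Matches the SHA-256 line of `apksigner verify --print-certs` (assumed format).
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9A-Fa-f:]+)\s*$", re.M)

def normalize(fp):
    """Lower-case a SHA-256 fingerprint, drop ':' and spaces, reject bad input."""
    cleaned = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return cleaned

def signer_digests(apksigner_output):
    """Return every signer certificate SHA-256 digest found in the output."""
    return [normalize(m) for m in DIGEST_RE.findall(apksigner_output)]

def pinned_ok(apksigner_output, pinned):
    """First-install check: every signer must match a fingerprint
    obtained out of band (for example from the developer's own site)."""
    found = signer_digests(apksigner_output)
    allowed = {normalize(p) for p in pinned}
    return bool(found) and all(d in allowed for d in found)

def tofu_ok(apksigner_output, remembered):
    """Trust-on-first-use: with nothing remembered yet, any signer is accepted;
    afterwards the signer set must equal the remembered one."""
    found = set(signer_digests(apksigner_output))
    return bool(found) and (remembered is None or found == remembered)

# Constructed fingerprints and tool output (not real certificates).
GENUINE = "a1b2" * 16
IMPOSTOR = "0f9e" * 16

def fake_output(digest):
    return ("Signer #1 certificate DN: CN=Constructed Example\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            f"Signer #1 certificate SHA-1 digest: {'00' * 20}\n")

if __name__ == "__main__":
    lookalike = fake_output(IMPOSTOR)
    print("TOFU accepts look-alike on first install:", tofu_ok(lookalike, None))
    print("Pinned check accepts look-alike:", pinned_ok(lookalike, [GENUINE]))
```
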

#GrapheneOS version 2024022800 released:

This release fixes a bug with sideloading caused by the new USB port controls.

Changes since the 2024022600 release:

- Tensor Pixels: fix issue with the USB changes breaking recovery sideloading and the fastbootd flashing mode used by the web installer which blocked us being able to release the previous release to all users

- Settings: change "Charging only" to "Charging-only" for the USB-C port mode options to make the meaning clearer

- Vanadium: update to version 122.0.6261.90.0

https://grapheneos.org/releases#2024022800

#GrapheneOS #privacy #security

Honestly believe the platforms they use are at fault here.

Not many people are going out of their way to use Ethereum domains for serious use cases. It's mostly circulated purely for LARP or for a limited audience. Maybe I have filter bubbled myself but I couldn't think of a single person who does... If they had a more accessible platform people would have noticed these discrepancies far better because there would be more eyes watching them. Monero wallet developers make their workflow almost entirely on Tor and it has worked far better because people genuinely use Tor.

This is only my opinion though...

Reason #57526 on verifying:

Tornado Cash IPFS front-ends had backdoor code that hijacked deposit certificates and was hidden in plain sight for almost two months inside a governance proposal made by Butterfly Effects.

https://gas404.medium.com/tornado-cash-notes-exploit-from-jan-1st-and-the-actions-you-must-take-6076748bc886

We have had a few OEMs who have wanted to work with us but so far none has been able nor willing to follow through on what we want with security requirements. We aren't going to support a device that is less secure than what we support already and if something were to go wrong on that device we will get the blame for their incompetence or lack of ability to provide such security that we were able to use elsewhere.

https://grapheneos.org/faq#future-devices

Other sane OEMs do anticonsumer practices, like Samsung with having an eFuse that breaks security features (and the camera in some models) when you want to use another OS. This shouldn't be a thing, but sadly it is.

We still want more devices and are still looking for OEMs. Buying a device secondhand will stop you giving money to Google as another means. DivestOS is an option for non-Pixel devices who use a small amount but not all of our enhancements, but it's mainly used for harm-reduction for insecure end of life devices.

Charging-only when locked with BFU exception will be the potential default. If you don't use accessories when BFU then Charging-only when locked works, if you don't use accessories at all then Charging-only is best.

If any USB port usage by someone is unacceptable like in a threat with physical access, then Off is best. This makes the phone only charge when you power off. Hopefully forces them to go to BFU state.

Brave is currently the only other browser we recommend. It keeps the same security as mobile Chromium while adding additional state partitioning, anti-fingerprinting improvements and the most advanced content filtering engine. Content filtering is the best on Brave. Vanadium needs to improve on some of these but we also have state partitioning and we discuss our approach to anti-fingerprinting a little different to how Brave does it. Brave randomizes data while we reduce the data that could be used and make all Vanadium users look the same as each other where possible.

However, Vanadium is more secure and has greater security enhancements and exploit mitigations than Brave. Vanadium is the only browser incorporating Memory Tagging in production for Pixel 8 and later. Vanadium also has Control Flow Integrity which is disabled upstream and other browsers like Cromite tried to enable and failed. Vanadium is designed to be extremely resistant to exploitation, JS JIT is off by default and has a toggle while Brave doesn't have.

As work on Vanadium uplifts continues we hope to improve the content filtering. Vanadium to Chromium is what GrapheneOS is to AOSP. Brave is solid as a browser but I cannot make a result on their services as I refuse to use them.

Enabled. If it was disabled by default people may get the urge to enable it and stand out. It's unlikely people would choose to disable DNT.

Replying to deleted

nostr:npub1c9d95evcdeatgy6dacats5j5mfw96jcyu79579kg9qm3jtf42xzs07sqfm best way for me to zap sats to support graphene? ideally i could use zapple pay subscription to an npub 🤙

We don't officially support Lightning at the moment due to a number of constraints. I've personally sent the sats (or equivalents in fiat depending on my financial situation) to the GrapheneOS Foundation myself when I am zapped. For non-GOS posts I keep them.

GrapheneOS mods on Nostr do this voluntarily.

This is still being looked at as it's a new feature and overall feedback is required, we don't want to have added confusion by people wondering why their accessories won't work at all. Users sadly still mix this up even with the older accessories toggle we have. Currently it's set to On but either Charging-only when locked or Charging-only except BFU would be a default in the future.

Charging-only with BFU exception and Charging-only have almost the same benefit since the BFU device is still entirely encrypted. Although, charging-only would definitely be the way for someone who doesn't use any accessories at all. Stricter modes like Off are for people who consider any situations with access to the phone's USB port when powered (like a seizure risk) as an unacceptable threat.