privacyguides/privacyguides.org
1
0
Fork 0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-07-24 12:21:09 +00:00
Code Issues Activity

Markdown conversion (#529)

Browse Source 
Co-authored-by: Daniel Gray <dng@disroot.org>
This commit is contained in:
Jonah Aragon
2022-02-12 07:43:21 +00:00
committed by Daniel Gray
parent 842b58e42a
commit 806b0b97d7
53 changed files with 690 additions and 686 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
_data/operating-systems/android-applications/1_orbot.yml
View File

@@ -2,14 +2,14 @@ title: Orbot
type: Recommendation
logo: /assets/img/android/orbot.svg
description: |
<strong>Orbot</strong> is a free proxy app that routes your connections through the Tor Network.
**Orbot** is a free proxy app that routes your connections through the Tor Network.
Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using the <a href="https://developer.android.com/reference/android/net/VpnService">VpnService</a> and can be used with the VPN killswitch (⚙️ Settings → Network & internet → VPN → ⚙️ → Block connections without VPN).
Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using the [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch (⚙️ Settings → Network & internet → VPN → ⚙️ → Block connections without VPN).
For resistance against traffic analysis attacks, consider enabling <em>Isolate Destination Address</em> ( ⁝ →Settings → Connectivity). This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
For resistance against traffic analysis attacks, consider enabling *Isolate Destination Address* ( ⁝ →Settings → Connectivity). This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
<h4>Notes</h4>
Orbot is often outdated on the Guardian Project's <a href="https://guardianproject.info/fdroid">F-Droid repository</a> and <a href="https://play.google.com/store/apps/details?id=org.torproject.android">Google Play</a> so consider downloading directly from the <a href="https://github.com/guardianproject/orbot">GitHub repository</a> instead.
#### Notes
Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot) instead.
All versions are signed using the same signature so they should be compatible with each other.
website: 'https://guardianproject.info/apps/org.torproject.android'

6
_data/operating-systems/android-applications/2_shelter.yml
View File

@@ -2,11 +2,11 @@ title: Shelter
type: Recommendation
logo: /assets/img/android/shelter.svg
description: |
<strong>Shelter</strong> is an app that helps you leverage the Android work profile to isolate other apps.
**Shelter** is an app that helps you leverage the Android work profile to isolate other apps.
Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager (<a href="https://source.android.com/devices/architecture/modular-system/documentsui">DocumentsUI</a>).
Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
<h4>Notes</h4>
#### Notes
CalyxOS includes a device controller so we recommend using their built in work profile instead.
website: 'https://gitea.angry.im/PeterCxy/Shelter'
downloads:

19
_data/operating-systems/android-applications/3_auditor.yml
View File

@@ -2,20 +2,19 @@ title: Auditor
type: Recommendation
logo: /assets/img/android/auditor.svg
description: |
<strong>Auditor</strong> is an app which leverages hardware security features to provide device integrity monitoring for <a href="https://attestation.app/about#device-support">supported devices</a>. It currently works with GrapheneOS and the stock operating system. It performs attestation and intrusion detection by:
<ul>
<li>Using a <a href="https://en.wikipedia.org/wiki/Trust_on_first_use">Trust On First Use (TOFU)</a> model between an <em>auditor</em> and <em>auditee</em>, the pair establish a private key in the <a href="https://source.android.com/security/keystore/">hardware-backed keystore</a> of the <em>Auditor</em>.</li>
<li>The <em>auditor</em> can either be another instance of the Auditor app or the <a href="https://attestation.app">Remote Attestation Service</a>.</li>
<li>The <em>auditor</em> records the current state and configuration of the <em>auditee</em>.</li>
<li>Should tampering with the operating system of the <em>auditee</em> after the pairing is complete, the auditor will be aware of the change in the device state and configurations.</li>
<li>The user will be alerted to the change.</li>
</ul>
**Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). It currently works with GrapheneOS and the stock operating system. It performs attestation and intrusion detection by:
* Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*.
* The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app).
* The *auditor* records the current state and configuration of the *auditee*.
* Should tampering with the operating system of the *auditee* after the pairing is complete, the auditor will be aware of the change in the device state and configurations.
* The user will be alerted to the change.
No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
If your <a href="/threat-modeling/">threat model</a> requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
If your [threat model](/threat-modeling/) requires privacy you could consider using Orbot or a VPN to hide your IP address from the attestation service.
To make sure that your hardware and operating system is genuine, <a href="https://grapheneos.org/install/web#verifying-installation">perform local attestation</a> immediately after the device has been installed and prior to any internet connection.
To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection.
website: 'https://attestation.app'
privacy_policy: 'https://attestation.app/privacy-policy'

10
_data/operating-systems/android/1_grapheneos.yml
View File

@@ -3,15 +3,15 @@ type: Recommendation
logo: /assets/img/android/grapheneos.svg
logo_dark: /assets/img/android/grapheneos-dark.svg
description: |
<strong>GrapheneOS</strong> is the best choice when it comes to privacy and security.
**GrapheneOS** is the best choice when it comes to privacy and security.
GrapheneOS has a lot of security hardening and privacy improvements. It has a <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>, network and sensor permissions, and various other <a href="https://grapheneos.org/features">security features</a>. GrapheneOS also comes with full firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
GrapheneOS has a lot of security hardening and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
Notably, GrapheneOS supports <a href="https://grapheneos.org/usage#sandboxed-play-services">Sandboxed Play Services</a>. Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user <a href="/android/#android-security-privacy">profile</a> of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's <a href="https://firebase.google.com/docs/cloud-messaging/">Firebase Cloud Messaging</a> service. GrapheneOS allows you to take advantage of most <a href="https://en.wikipedia.org/wiki/Google_Play_Services">Google Play Services</a> whilst having full user control over their permissions and access.
Notably, GrapheneOS supports [Sandboxed Play Services](https://grapheneos.org/usage#sandboxed-play-services). Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user [profile](/android/#android-security-privacy) of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's [Firebase Cloud Messaging](https://firebase.google.com/docs/cloud-messaging/) service. GrapheneOS allows you to take advantage of most [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) whilst having full user control over their permissions and access.
Currently, only <a href="https://grapheneos.org/faq#device-support">Pixel phones</a> meet its hardware security requirement and are supported.
Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet its hardware security requirement and are supported.
<h4>Notes</h4>
#### Notes
GrapheneOS's "extended support" devices do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure.
website: 'https://grapheneos.org/'
privacy_policy: 'https://grapheneos.org/faq#privacy-policy'

12
_data/operating-systems/android/2_calyxos.yml
View File

@@ -2,20 +2,20 @@ title: CalyxOS
type: Recommendation
logo: /assets/img/android/calyxos.svg
description: |
<strong>CalyxOS</strong> is a decent alternative to GrapheneOS.
**CalyxOS** is a decent alternative to GrapheneOS.
It has some privacy features on top of AOSP, such as the <a href="https://calyxos.org/docs/tech/datura-details"> Datura firewall</a>, <a href="https://signal.org">Signal</a> integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
It has some privacy features on top of AOSP, such as the [Datura firewall](https://calyxos.org/docs/tech/datura-details), [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
To accomodate users who need Google Play Services, CalyxOS optionally includes <a href="https://microg.org/">MicroG</a>. With MicroG, CalyxOS also bundles in the <a href="https://location.services.mozilla.com/">Mozilla</a> and <a href="https://github.com/n76/DejaVu">DejaVu</a> location services.
To accomodate users who need Google Play Services, CalyxOS optionally includes [MicroG](https://microg.org/). With MicroG, CalyxOS also bundles in the [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu) location services.
Currently, CalyxOS <a href="https://calyxos.org/docs/guide/device-support/">supports</a> Google Pixel phones and the Xiaomi Mi A2. For legacy devices, CalyxOS offers "extended support" for much longer than GrapheneOS, making it a good choice once GrapheneOS has dropped support.
Currently, CalyxOS [supports](https://calyxos.org/docs/guide/device-support/) Google Pixel phones and the Xiaomi Mi A2. For legacy devices, CalyxOS offers "extended support" for much longer than GrapheneOS, making it a good choice once GrapheneOS has dropped support.
<h4>Notes</h4>
#### Notes
CalyxOS's "extended support" does not have full security patches due to the original equipment manufacturer (OEM) discontinuing support, therefore they cannot be considered completely secure.
With the Xiaomi Mi A2, CalyxOS does not distribute the latest firmware. Newer versions of the firmware prevented the device from performing verified boot.
The Datura firewall can leak in some circumstances (see <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/572">#572</a> and <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/581">#581</a>).
The Datura firewall can leak in some circumstances (see [#572](https://gitlab.com/CalyxOS/calyxos/-/issues/572) and [#581](https://gitlab.com/CalyxOS/calyxos/-/issues/581)).
website: 'https://calyxos.org'
privacy_policy: 'https://calyxinstitute.org/legal/privacy-policy'
downloads:

18
_data/operating-systems/android/3_divestos.yml
View File

@@ -2,22 +2,22 @@ title: DivestOS
type: Recommendation
logo: /assets/img/android/divestos.svg
description: |
<strong>DivestOS</strong> is a <a href="https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software">soft-fork</a> of <a href="https://lineageos.org/">LineageOS</a>.
**DivestOS** is a [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) of [LineageOS](https://lineageos.org/).
DivestOS inherits many <a href="https://divestos.org/index.php?page=devices&base=LineageOS">supported devices</a> from LineageOS. It has signed builds, making it possible to have <a href="https://source.android.com/security/verifiedboot">verified boot</a> on some non-Pixel devices.
DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
DivestOS has automated kernel vulnerability (<a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">CVE</a>) <a href="https://gitlab.com/divested-mobile/cve_checker">patching</a>, fewer proprietary blobs, a custom <a href="https://divested.dev/index.php?page=dnsbl">hosts</a> file, along with bundled <a href="https://www.f-droid.org">F-Droid</a> as the app store. It also includes <a href="https://github.com/microg/UnifiedNlp">UnifedNlp</a> for network location and some hardening with <a href="https://gitlab.com/divested-mobile/mulch">Mulch Webview</a>. DivestOS also includes kernel patches from GrapheneOS and enables security features in <a href="https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698">defconfig</a>.
DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, along with bundled [F-Droid](https://www.f-droid.org) as the app store. It also includes [UnifedNlp](https://github.com/microg/UnifiedNlp) for network location and some hardening with [Mulch Webview](https://gitlab.com/divested-mobile/mulch). DivestOS also includes kernel patches from GrapheneOS and enables security features in [defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698).
DivestOS also inherits LineageOS's <a href="https://reddit.com/comments/c4a6f7">iptables</a> network access feature. You can deny network access to an individual application by pressing and holding on the app's icon (App info → Data and Network → Uncheck "Network Access").
DivestOS also inherits LineageOS's [iptables](https://reddit.com/comments/c4a6f7) network access feature. You can deny network access to an individual application by pressing and holding on the app's icon (App info → Data and Network → Uncheck "Network Access").
DivestOS 16.0 and 17.1 has GrapheneOS's <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>. There are plans to port this to DivestOS 18.1.
DivestOS 16.0 and 17.1 has GrapheneOS's [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc). There are plans to port this to DivestOS 18.1.
<h4>Notes</h4>
DivestOS firmware update <a href="https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS">status</a> varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
#### Notes
DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
Like CalyxOS's firewall, the network access toggle can also leak in <a href="https://gitlab.com/LineageOS/issues/android/-/issues/3228">some</a> situations.
Like CalyxOS's firewall, the network access toggle can also leak in [some](https://gitlab.com/LineageOS/issues/android/-/issues/3228) situations.
Not all of the supported devices have <a href="https://source.android.com/security/verifiedboot">verified boot</a> and some perform it better than others.
Not all of the supported devices have [verified boot](https://source.android.com/security/verifiedboot) and some perform it better than others.
website: 'https://divestos.org'
website_tor: 'http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion'