1
0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-07-23 11:51:16 +00:00

Markdown conversion (#529)

Co-authored-by: Daniel Gray <dng@disroot.org>
This commit is contained in:
2022-02-12 07:43:21 +00:00
committed by Daniel Gray
parent 842b58e42a
commit 806b0b97d7
53 changed files with 690 additions and 686 deletions

View File

@@ -3,15 +3,15 @@ type: Recommendation
logo: /assets/img/android/grapheneos.svg
logo_dark: /assets/img/android/grapheneos-dark.svg
description: |
<strong>GrapheneOS</strong> is the best choice when it comes to privacy and security.
**GrapheneOS** is the best choice when it comes to privacy and security.
GrapheneOS has a lot of security hardening and privacy improvements. It has a <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>, network and sensor permissions, and various other <a href="https://grapheneos.org/features">security features</a>. GrapheneOS also comes with full firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
GrapheneOS has a lot of security hardening and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
Notably, GrapheneOS supports <a href="https://grapheneos.org/usage#sandboxed-play-services">Sandboxed Play Services</a>. Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user <a href="/android/#android-security-privacy">profile</a> of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's <a href="https://firebase.google.com/docs/cloud-messaging/">Firebase Cloud Messaging</a> service. GrapheneOS allows you to take advantage of most <a href="https://en.wikipedia.org/wiki/Google_Play_Services">Google Play Services</a> whilst having full user control over their permissions and access.
Notably, GrapheneOS supports [Sandboxed Play Services](https://grapheneos.org/usage#sandboxed-play-services). Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user [profile](/android/#android-security-privacy) of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's [Firebase Cloud Messaging](https://firebase.google.com/docs/cloud-messaging/) service. GrapheneOS allows you to take advantage of most [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) whilst having full user control over their permissions and access.
Currently, only <a href="https://grapheneos.org/faq#device-support">Pixel phones</a> meet its hardware security requirement and are supported.
Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet its hardware security requirement and are supported.
<h4>Notes</h4>
#### Notes
GrapheneOS's "extended support" devices do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure.
website: 'https://grapheneos.org/'
privacy_policy: 'https://grapheneos.org/faq#privacy-policy'

View File

@@ -2,20 +2,20 @@ title: CalyxOS
type: Recommendation
logo: /assets/img/android/calyxos.svg
description: |
<strong>CalyxOS</strong> is a decent alternative to GrapheneOS.
**CalyxOS** is a decent alternative to GrapheneOS.
It has some privacy features on top of AOSP, such as the <a href="https://calyxos.org/docs/tech/datura-details"> Datura firewall</a>, <a href="https://signal.org">Signal</a> integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
It has some privacy features on top of AOSP, such as the [Datura firewall](https://calyxos.org/docs/tech/datura-details), [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
To accomodate users who need Google Play Services, CalyxOS optionally includes <a href="https://microg.org/">MicroG</a>. With MicroG, CalyxOS also bundles in the <a href="https://location.services.mozilla.com/">Mozilla</a> and <a href="https://github.com/n76/DejaVu">DejaVu</a> location services.
To accomodate users who need Google Play Services, CalyxOS optionally includes [MicroG](https://microg.org/). With MicroG, CalyxOS also bundles in the [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu) location services.
Currently, CalyxOS <a href="https://calyxos.org/docs/guide/device-support/">supports</a> Google Pixel phones and the Xiaomi Mi A2. For legacy devices, CalyxOS offers "extended support" for much longer than GrapheneOS, making it a good choice once GrapheneOS has dropped support.
Currently, CalyxOS [supports](https://calyxos.org/docs/guide/device-support/) Google Pixel phones and the Xiaomi Mi A2. For legacy devices, CalyxOS offers "extended support" for much longer than GrapheneOS, making it a good choice once GrapheneOS has dropped support.
<h4>Notes</h4>
#### Notes
CalyxOS's "extended support" does not have full security patches due to the original equipment manufacturer (OEM) discontinuing support, therefore they cannot be considered completely secure.
With the Xiaomi Mi A2, CalyxOS does not distribute the latest firmware. Newer versions of the firmware prevented the device from performing verified boot.
The Datura firewall can leak in some circumstances (see <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/572">#572</a> and <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/581">#581</a>).
The Datura firewall can leak in some circumstances (see [#572](https://gitlab.com/CalyxOS/calyxos/-/issues/572) and [#581](https://gitlab.com/CalyxOS/calyxos/-/issues/581)).
website: 'https://calyxos.org'
privacy_policy: 'https://calyxinstitute.org/legal/privacy-policy'
downloads:

View File

@@ -2,22 +2,22 @@ title: DivestOS
type: Recommendation
logo: /assets/img/android/divestos.svg
description: |
<strong>DivestOS</strong> is a <a href="https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software">soft-fork</a> of <a href="https://lineageos.org/">LineageOS</a>.
**DivestOS** is a [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) of [LineageOS](https://lineageos.org/).
DivestOS inherits many <a href="https://divestos.org/index.php?page=devices&base=LineageOS">supported devices</a> from LineageOS. It has signed builds, making it possible to have <a href="https://source.android.com/security/verifiedboot">verified boot</a> on some non-Pixel devices.
DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
DivestOS has automated kernel vulnerability (<a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">CVE</a>) <a href="https://gitlab.com/divested-mobile/cve_checker">patching</a>, fewer proprietary blobs, a custom <a href="https://divested.dev/index.php?page=dnsbl">hosts</a> file, along with bundled <a href="https://www.f-droid.org">F-Droid</a> as the app store. It also includes <a href="https://github.com/microg/UnifiedNlp">UnifedNlp</a> for network location and some hardening with <a href="https://gitlab.com/divested-mobile/mulch">Mulch Webview</a>. DivestOS also includes kernel patches from GrapheneOS and enables security features in <a href="https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698">defconfig</a>.
DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, along with bundled [F-Droid](https://www.f-droid.org) as the app store. It also includes [UnifedNlp](https://github.com/microg/UnifiedNlp) for network location and some hardening with [Mulch Webview](https://gitlab.com/divested-mobile/mulch). DivestOS also includes kernel patches from GrapheneOS and enables security features in [defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698).
DivestOS also inherits LineageOS's <a href="https://reddit.com/comments/c4a6f7">iptables</a> network access feature. You can deny network access to an individual application by pressing and holding on the app's icon (App info → Data and Network → Uncheck "Network Access").
DivestOS also inherits LineageOS's [iptables](https://reddit.com/comments/c4a6f7) network access feature. You can deny network access to an individual application by pressing and holding on the app's icon (App info → Data and Network → Uncheck "Network Access").
DivestOS 16.0 and 17.1 has GrapheneOS's <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>. There are plans to port this to DivestOS 18.1.
DivestOS 16.0 and 17.1 has GrapheneOS's [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc). There are plans to port this to DivestOS 18.1.
<h4>Notes</h4>
DivestOS firmware update <a href="https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS">status</a> varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
#### Notes
DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
Like CalyxOS's firewall, the network access toggle can also leak in <a href="https://gitlab.com/LineageOS/issues/android/-/issues/3228">some</a> situations.
Like CalyxOS's firewall, the network access toggle can also leak in [some](https://gitlab.com/LineageOS/issues/android/-/issues/3228) situations.
Not all of the supported devices have <a href="https://source.android.com/security/verifiedboot">verified boot</a> and some perform it better than others.
Not all of the supported devices have [verified boot](https://source.android.com/security/verifiedboot) and some perform it better than others.
website: 'https://divestos.org'
website_tor: 'http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion'