mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2025-07-23 11:51:16 +00:00
Markdown conversion (#529)
Co-authored-by: Daniel Gray <dng@disroot.org>
This commit is contained in:
@@ -3,15 +3,15 @@ type: Recommendation
|
||||
logo: /assets/img/android/grapheneos.svg
|
||||
logo_dark: /assets/img/android/grapheneos-dark.svg
|
||||
description: |
|
||||
<strong>GrapheneOS</strong> is the best choice when it comes to privacy and security.
|
||||
**GrapheneOS** is the best choice when it comes to privacy and security.
|
||||
|
||||
GrapheneOS has a lot of security hardening and privacy improvements. It has a <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>, network and sensor permissions, and various other <a href="https://grapheneos.org/features">security features</a>. GrapheneOS also comes with full firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
|
||||
GrapheneOS has a lot of security hardening and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
|
||||
|
||||
Notably, GrapheneOS supports <a href="https://grapheneos.org/usage#sandboxed-play-services">Sandboxed Play Services</a>. Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user <a href="/android/#android-security-privacy">profile</a> of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's <a href="https://firebase.google.com/docs/cloud-messaging/">Firebase Cloud Messaging</a> service. GrapheneOS allows you to take advantage of most <a href="https://en.wikipedia.org/wiki/Google_Play_Services">Google Play Services</a> whilst having full user control over their permissions and access.
|
||||
Notably, GrapheneOS supports [Sandboxed Play Services](https://grapheneos.org/usage#sandboxed-play-services). Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user [profile](/android/#android-security-privacy) of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's [Firebase Cloud Messaging](https://firebase.google.com/docs/cloud-messaging/) service. GrapheneOS allows you to take advantage of most [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) whilst having full user control over their permissions and access.
|
||||
|
||||
Currently, only <a href="https://grapheneos.org/faq#device-support">Pixel phones</a> meet its hardware security requirement and are supported.
|
||||
Currently, only [Pixel phones](https://grapheneos.org/faq#device-support) meet its hardware security requirement and are supported.
|
||||
|
||||
<h4>Notes</h4>
|
||||
#### Notes
|
||||
GrapheneOS's "extended support" devices do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure.
|
||||
website: 'https://grapheneos.org/'
|
||||
privacy_policy: 'https://grapheneos.org/faq#privacy-policy'
|
||||
|
@@ -2,20 +2,20 @@ title: CalyxOS
|
||||
type: Recommendation
|
||||
logo: /assets/img/android/calyxos.svg
|
||||
description: |
|
||||
<strong>CalyxOS</strong> is a decent alternative to GrapheneOS.
|
||||
**CalyxOS** is a decent alternative to GrapheneOS.
|
||||
|
||||
It has some privacy features on top of AOSP, such as the <a href="https://calyxos.org/docs/tech/datura-details"> Datura firewall</a>, <a href="https://signal.org">Signal</a> integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
|
||||
It has some privacy features on top of AOSP, such as the [Datura firewall](https://calyxos.org/docs/tech/datura-details), [Signal](https://signal.org) integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so [verified boot](https://source.android.com/security/verifiedboot) is fully supported.
|
||||
|
||||
To accomodate users who need Google Play Services, CalyxOS optionally includes <a href="https://microg.org/">MicroG</a>. With MicroG, CalyxOS also bundles in the <a href="https://location.services.mozilla.com/">Mozilla</a> and <a href="https://github.com/n76/DejaVu">DejaVu</a> location services.
|
||||
To accomodate users who need Google Play Services, CalyxOS optionally includes [MicroG](https://microg.org/). With MicroG, CalyxOS also bundles in the [Mozilla](https://location.services.mozilla.com/) and [DejaVu](https://github.com/n76/DejaVu) location services.
|
||||
|
||||
Currently, CalyxOS <a href="https://calyxos.org/docs/guide/device-support/">supports</a> Google Pixel phones and the Xiaomi Mi A2. For legacy devices, CalyxOS offers "extended support" for much longer than GrapheneOS, making it a good choice once GrapheneOS has dropped support.
|
||||
Currently, CalyxOS [supports](https://calyxos.org/docs/guide/device-support/) Google Pixel phones and the Xiaomi Mi A2. For legacy devices, CalyxOS offers "extended support" for much longer than GrapheneOS, making it a good choice once GrapheneOS has dropped support.
|
||||
|
||||
<h4>Notes</h4>
|
||||
#### Notes
|
||||
CalyxOS's "extended support" does not have full security patches due to the original equipment manufacturer (OEM) discontinuing support, therefore they cannot be considered completely secure.
|
||||
|
||||
With the Xiaomi Mi A2, CalyxOS does not distribute the latest firmware. Newer versions of the firmware prevented the device from performing verified boot.
|
||||
|
||||
The Datura firewall can leak in some circumstances (see <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/572">#572</a> and <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/581">#581</a>).
|
||||
The Datura firewall can leak in some circumstances (see [#572](https://gitlab.com/CalyxOS/calyxos/-/issues/572) and [#581](https://gitlab.com/CalyxOS/calyxos/-/issues/581)).
|
||||
website: 'https://calyxos.org'
|
||||
privacy_policy: 'https://calyxinstitute.org/legal/privacy-policy'
|
||||
downloads:
|
||||
|
@@ -2,22 +2,22 @@ title: DivestOS
|
||||
type: Recommendation
|
||||
logo: /assets/img/android/divestos.svg
|
||||
description: |
|
||||
<strong>DivestOS</strong> is a <a href="https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software">soft-fork</a> of <a href="https://lineageos.org/">LineageOS</a>.
|
||||
**DivestOS** is a [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) of [LineageOS](https://lineageos.org/).
|
||||
|
||||
DivestOS inherits many <a href="https://divestos.org/index.php?page=devices&base=LineageOS">supported devices</a> from LineageOS. It has signed builds, making it possible to have <a href="https://source.android.com/security/verifiedboot">verified boot</a> on some non-Pixel devices.
|
||||
DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
|
||||
|
||||
DivestOS has automated kernel vulnerability (<a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">CVE</a>) <a href="https://gitlab.com/divested-mobile/cve_checker">patching</a>, fewer proprietary blobs, a custom <a href="https://divested.dev/index.php?page=dnsbl">hosts</a> file, along with bundled <a href="https://www.f-droid.org">F-Droid</a> as the app store. It also includes <a href="https://github.com/microg/UnifiedNlp">UnifedNlp</a> for network location and some hardening with <a href="https://gitlab.com/divested-mobile/mulch">Mulch Webview</a>. DivestOS also includes kernel patches from GrapheneOS and enables security features in <a href="https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698">defconfig</a>.
|
||||
DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, along with bundled [F-Droid](https://www.f-droid.org) as the app store. It also includes [UnifedNlp](https://github.com/microg/UnifiedNlp) for network location and some hardening with [Mulch Webview](https://gitlab.com/divested-mobile/mulch). DivestOS also includes kernel patches from GrapheneOS and enables security features in [defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698).
|
||||
|
||||
DivestOS also inherits LineageOS's <a href="https://reddit.com/comments/c4a6f7">iptables</a> network access feature. You can deny network access to an individual application by pressing and holding on the app's icon (App info → Data and Network → Uncheck "Network Access").
|
||||
DivestOS also inherits LineageOS's [iptables](https://reddit.com/comments/c4a6f7) network access feature. You can deny network access to an individual application by pressing and holding on the app's icon (App info → Data and Network → Uncheck "Network Access").
|
||||
|
||||
DivestOS 16.0 and 17.1 has GrapheneOS's <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>. There are plans to port this to DivestOS 18.1.
|
||||
DivestOS 16.0 and 17.1 has GrapheneOS's [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc). There are plans to port this to DivestOS 18.1.
|
||||
|
||||
<h4>Notes</h4>
|
||||
DivestOS firmware update <a href="https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS">status</a> varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
|
||||
#### Notes
|
||||
DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
|
||||
|
||||
Like CalyxOS's firewall, the network access toggle can also leak in <a href="https://gitlab.com/LineageOS/issues/android/-/issues/3228">some</a> situations.
|
||||
Like CalyxOS's firewall, the network access toggle can also leak in [some](https://gitlab.com/LineageOS/issues/android/-/issues/3228) situations.
|
||||
|
||||
Not all of the supported devices have <a href="https://source.android.com/security/verifiedboot">verified boot</a> and some perform it better than others.
|
||||
Not all of the supported devices have [verified boot](https://source.android.com/security/verifiedboot) and some perform it better than others.
|
||||
|
||||
website: 'https://divestos.org'
|
||||
website_tor: 'http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion'
|
||||
|
Reference in New Issue
Block a user