Revamping the Android section (#390)

Co-authored-by: Daniel Nathan Gray <dng@disroot.org> Signed-off-by: Freddy <freddy@decypher.pw>
2025-07-23 20:01:08 +00:00 · 2021-12-20 00:45:41 +00:00
parent d25d460348
commit fbbb7ab44a
33 changed files with 367 additions and 102 deletions
--- a/_data/nav/1_home.yml
+++ b/_data/nav/1_home.yml
@@ -1,3 +0,0 @@
-type: link
-title: Home
-file: index.html
--- a/_data/nav/1_providers.yml
+++ b/_data/nav/1_providers.yml
--- a/_data/nav/2_software.yml
+++ b/_data/nav/2_software.yml
@@ -6,7 +6,7 @@ items:
    icon: fad fa-browser
    file: _evergreen/browsers.html
  - type: link
-    title: Operating Systems
+    title: Operating Systems (Legacy)
    icon: fad fa-compact-disc
    file: legacy_pages/os.html
  - type: divider
--- a/_data/nav/3._operating_systems.yml
+++ b/_data/nav/3._operating_systems.yml
@@ -0,0 +1,7 @@
+type: dropdown
+title: Operating Systems
+items:
+  - type: link
+    title: Android
+    icon: fab fa-android
+    file: _evergreen/android.html
--- a/_data/operating-systems/android-applications/1_orbot.yml
+++ b/_data/operating-systems/android-applications/1_orbot.yml
@@ -0,0 +1,24 @@
+title: Orbot
+type: Recommendation
+logo: /assets/img/android/orbot.svg
+description: |
+  <strong>Orbot</strong> is a free proxy app that routes your connections through the Tor Network.
+
+  Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using the <a href="https://developer.android.com/reference/android/net/VpnService">VpnService</a> and can be used with the VPN killswitch (⚙️ Settings → Network & internet → VPN → ⚙️ → Block connections without VPN).
+
+  For resistance against traffic analysis attacks, consider enabling <em>Isolate Destination Address</em> ( ⁝ →Settings → Connectivity). This will use a completely different Tor Circuit (different middle relay and exit nodes) for every domain you connect to.
+
+  <h4>Notes</h4>
+  Orbot is often outdated on the Guardian Project's <a href="https://guardianproject.info/fdroid">F-Droid repository</a> and <a href="https://play.google.com/store/apps/details?id=org.torproject.android">Google Play</a> so consider downloading directly from the <a href="https://github.com/guardianproject/orbot">GitHub repository</a> instead.
+
+  All versions are signed using the same signature so they should be compatible with each other.
+website: 'https://guardianproject.info/apps/org.torproject.android'
+downloads:
+  - icon: fab fa-android
+    url: 'https://guardianproject.info/fdroid'
+  - icon: fab fa-google-play
+    url: 'https://play.google.com/store/apps/details?id=org.torproject.android'
+  - icon: fab fa-github
+    url: 'https://github.com/guardianproject/orbot'
+  - icon: fab fa-gitlab
+    url: 'https://gitlab.com/guardianproject/orbot'
--- a/_data/operating-systems/android-applications/2_shelter.yml
+++ b/_data/operating-systems/android-applications/2_shelter.yml
@@ -0,0 +1,20 @@
+title: Shelter
+type: Recommendation
+logo: /assets/img/android/shelter.svg
+description: |
+  <strong>Shelter</strong> is an app that helps you leverage the Android work profile to isolate other apps.
+
+  Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager (<a href="https://source.android.com/devices/architecture/modular-system/documentsui">DocumentsUI</a>).
+
+  <h4>Notes</h4>
+  CalyxOS includes a device controller so we recommend using their built in work profile instead.
+website: 'https://gitea.angry.im/PeterCxy/Shelter'
+downloads:
+  - icon: fab fa-android
+    url: 'https://f-droid.org/en/packages/net.typeblog.shelter'
+  - icon: fab fa-google-play
+    url: 'https://play.google.com/store/apps/details?id=net.typeblog.shelter'
+  - icon: fab fa-github
+    url: 'https://github.com/PeterCxy/Shelter'
+  - icon: fab fa-git
+    url: 'https://gitea.angry.im/PeterCxy/Shelter'
--- a/_data/operating-systems/android-applications/3_auditor.yml
+++ b/_data/operating-systems/android-applications/3_auditor.yml
@@ -0,0 +1,26 @@
+title: Auditor
+type: Recommendation
+logo: /assets/img/android/auditor.svg
+description: |
+  <strong>Auditor</strong> is an app which leverages hardware security features to provide device integrity monitoring for <a href="https://attestation.app/about#device-support">supported devices</a>. It currently works with GrapheneOS and the stock operating system. It performs attestation and intrusion detection by:
+  <ul>
+    <li>Using a <a href="https://en.wikipedia.org/wiki/Trust_on_first_use">Trust On First Use (TOFU)</a> model between an <em>auditor</em> and <em>auditee</em>, the pair establish a private key in the <a href="https://source.android.com/security/keystore/">hardware-backed keystore</a> of the <em>Auditor</em>.</li>
+    <li>The <em>auditor</em> can either be another instance of the Auditor app or the <a href="https://attestation.app">Remote Attestation Service</a>.</li>
+    <li>The <em>auditor</em> records the current state and configuration of the <em>auditee</em>.</li>
+    <li>Should tampering with the operating system of the <em>auditee</em> after the pairing is complete, the auditor will be aware of the change in the device state and configurations.</li>
+    <li>The user will be alerted to the change.</li>
+  </ul>
+
+  No personally identifiable information is submitted to the attestation service. We do still recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring.
+
+  If your <a href="/threat-modeling/">threat model</a> requires complete anonymity you could consider using Orbot or a VPN to hide your IP address from the attestation service.
+
+  To make sure that your hardware and operating system is genuine, <a href="https://grapheneos.org/install/web#verifying-installation">perform local attestation</a> immediately after the device has been installed and prior to any internet connection.
+
+website: 'https://attestation.app'
+privacy_policy: 'https://attestation.app/privacy-policy'
+downloads:
+  - icon: fab fa-google-play
+    url: 'https://play.google.com/store/apps/details?id=app.attestation.auditor'
+  - icon: fab fa-github
+    url: 'https://github.com/GrapheneOS/Auditor'
--- a/_data/operating-systems/android/1_grapheneos.yml
+++ b/_data/operating-systems/android/1_grapheneos.yml
@@ -0,0 +1,19 @@
+title: GrapheneOS
+type: Recommendation
+logo: /assets/img/android/grapheneos.svg
+description: |
+  <strong>GrapheneOS</strong> is the best choice when it comes to privacy and security.
+
+  GrapheneOS has a lot of security hardening and privacy improvements. It has a <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>, network and sensor permissions, and various other <a href="https://grapheneos.org/features">security features</a>. GrapheneOS also comes with full firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
+
+  Notably, GrapheneOS supports <a href="https://grapheneos.org/usage#sandboxed-play-services">Sandboxed Play Services</a>. Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user <a href="/android/#android-security-privacy">profile</a> of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's <a href="https://firebase.google.com/docs/cloud-messaging/">Firebase Cloud Messaging</a> service. GrapheneOS allows you to take advantage of most <a href="https://en.wikipedia.org/wiki/Google_Play_Services">Google Play Services</a> whilst having full user control over their permissions and access.
+
+  Currently, only <a href="https://grapheneos.org/faq#device-support">Pixel phones</a> meet its hardware security requirement and are supported.
+
+  <h4>Notes</h4>
+  GrapheneOS's "extended support" devices do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure.
+website: 'https://grapheneos.org/'
+privacy_policy: 'https://grapheneos.org/faq#privacy-policy'
+downloads:
+  - icon: fab fa-github
+    url: 'https://github.com/GrapheneOS'
--- a/_data/operating-systems/android/2_calyxos.yml
+++ b/_data/operating-systems/android/2_calyxos.yml
@@ -0,0 +1,25 @@
+title: CalyxOS
+type: Recommendation
+logo: /assets/img/android/calyxos.svg
+description: |
+  <strong>CalyxOS</strong> is a decent alternative to GrapheneOS.
+
+  It has some privacy features on top of AOSP, such as the <a href="https://calyxos.org/docs/tech/datura-details"> Datura firewall</a>, <a href="https://signal.org">Signal</a> integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
+
+  To accomodate users who need Google Play Services, CalyxOS optionally includes <a href="https://microg.org/">MicroG</a>. With MicroG, CalyxOS also bundles in the <a href="https://location.services.mozilla.com/">Mozilla</a> and <a href="https://github.com/n76/DejaVu">DejaVu</a> location services.
+
+  Currently, CalyxOS <a href="https://calyxos.org/docs/guide/device-support/">supports</a> Google Pixel phones and the Xiaomi Mi A2. For legacy devices, CalyxOS offers "extended support" for much longer than GrapheneOS, making it a good choice once GrapheneOS has dropped support.
+
+  <h4>Notes</h4>
+  CalyxOS's "extended support" does not have full security patches due to the original equipment manufacturer (OEM) discontinuing support, therefore they cannot be considered completely secure.
+
+  With the Xiaomi Mi A2, CalyxOS does not distribute the the latest firmware. Newer versions of the firmware prevented the device from performing verified boot.
+
+  The Daruta firewall can leak in some circumstances (see <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/572">#572</a> and <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/581">#581</a>).
+website: 'https://calyxos.org'
+privacy_policy: 'https://calyxinstitute.org/legal/privacy-policy'
+downloads:
+  - icon: fab fa-github
+    url: 'https://github.com/CalyxOS'
+  - icon: fab fa-gitlab
+    url: 'https://gitlab.com/calyxos'
--- a/_data/operating-systems/android/3_divestos.yml
+++ b/_data/operating-systems/android/3_divestos.yml
@@ -0,0 +1,29 @@
+title: DivestOS
+type: Recommendation
+logo: /assets/img/android/divestos.svg
+description: |
+  <strong>DivestOS</strong> is a <a href="https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software">soft-fork</a> of <a href="https://lineageos.org/">LineageOS</a>.
+
+  DivestOS inherits many <a href="https://divestos.org/index.php?page=devices&base=LineageOS">supported devices</a> from LineageOS. It has signed builds, making it possible to have <a href="https://source.android.com/security/verifiedboot">verified boot</a> on some non-Pixel devices.
+
+  DivestOS has automated kernel vulnerability <a href="https://gitlab.com/divested-mobile/cve_checker">(CVE) patching</a>, fewer proprietary blobs, a custom <a href="https://divested.dev/index.php?page=dnsbl">hosts</a> file, along with bundled <a href="https://www.f-droid.org">F-Droid</a> as the app store. It also includes <a href="https://github.com/microg/UnifiedNlp">UnifedNlp</a> for network location and some hardening with <a href="https://gitlab.com/divested-mobile/mulch">Mulch Webview</a>. DivestOS also includes kernel patches from GrapheneOS and enables security features in <a href="https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698">defconfig</a>.
+
+  DivestOS also inherits LineageOS's <a href="https://reddit.com/comments/c4a6f7">iptables</a> network access feature. You can deny network access to an individual application by pressing and holding on the app's icon. (App info → Data and Network → Uncheck "Network Access").
+
+  DivestOS 16.0 and 17.1 has GrapheneOS's <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>. There are plans to port this to DivestOS 18.1.
+
+  <h4>Notes</h4>
+  DivestOS firmware update <a href="https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS">status</a> varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
+
+  Like CalyxOS's firewall, the network access toggle can also leak in <a href="https://gitlab.com/LineageOS/issues/android/-/issues/3228">some</a> situations.
+
+  Not all of the supported devices have <a href="https://source.android.com/security/verifiedboot">verified boot</a> and some perform it better than others.
+
+website: 'https://divestos.org'
+website_tor: 'http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion'
+privacy_policy: 'https://divestos.org/index.php?page=privacy_policy'
+downloads:
+  - icon: fab fa-github
+    url: 'https://github.com/divested-mobile'
+  - icon: fab fa-gitlab
+    url: 'https://gitlab.com/divested-mobile'
--- a/_data/software/browsers-desktop/1_firefox.yml
+++ b/_data/software/browsers-desktop/1_firefox.yml
@@ -28,16 +28,16 @@ description: |
  <h4>Arkenfox (advanced)</h4>
  The <a href="https://github.com/arkenfox/user.js">Arkenfox project</a> provides a set of carefully considered options for Firefox. These options are quite strict but a few are subjective and can sometimes cause a website to not work properly. You can easily change these settings to suit your needs. We <strong>strongly recommend</strong> reading through the <a href="https://github.com/arkenfox/user.js/wiki">basics</a> section. Arkenfox also enables <a href="https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users">container</a> support.

-website: 'https://firefox.com/'
-privacy_policy: 'https://www.mozilla.org/privacy/firefox/'
+website: 'https://firefox.com'
+privacy_policy: 'https://www.mozilla.org/privacy/firefox'
 downloads:
  - icon: fab fa-windows
-    url: 'https://www.mozilla.org/firefox/windows/'
+    url: 'https://www.mozilla.org/firefox/windows'
  - icon: fab fa-apple
-    url: 'https://www.mozilla.org/firefox/mac/'
+    url: 'https://www.mozilla.org/firefox/mac'
  - icon: fab fa-linux
-    url: 'https://www.mozilla.org/firefox/linux/'
+    url: 'https://www.mozilla.org/firefox/linux'
  - icon: fab fa-freebsd
    url: 'https://www.freshports.org/www/firefox'
  - icon: fab fa-git
-    url: 'https://hg.mozilla.org/mozilla-central/'
+    url: 'https://hg.mozilla.org/mozilla-central'
--- a/_data/software/browsers-mobile/1_bromite.yml
+++ b/_data/software/browsers-mobile/1_bromite.yml
@@ -18,7 +18,7 @@ description: |
    <li>Select: <strong>Open external links in incognito</strong>.</li>
  </ul>

-website: 'https://www.bromite.org/'
+website: 'https://www.bromite.org'
 privacy_policy: 'https://www.bromite.org/privacy'
 downloads:
  - icon: fab fa-android
--- a/_data/software/browsers-mobile/3_firefox.yml
+++ b/_data/software/browsers-mobile/3_firefox.yml
@@ -12,8 +12,8 @@ description: |
  <h5><strong>Sanitizing on close</strong></h5>
  Firefox iOS does not have have an option to clear cache on quit so you must do it manually. ( ≡ → ⚙️ Settings → Data Management).

-website: 'https://firefox.com/'
-privacy_policy: 'https://www.mozilla.org/privacy/firefox/'
+website: 'https://firefox.com'
+privacy_policy: 'https://www.mozilla.org/privacy/firefox'
 downloads:
  - icon: fab fa-app-store-ios
    url: 'https://apps.apple.com/app/id989804926'
--- a/_data/software/browsers-mobile/4_firefox_focus.yml
+++ b/_data/software/browsers-mobile/4_firefox_focus.yml
@@ -12,8 +12,8 @@ description: |
  <h4>Notes</h4>
  Focus only lets you open one tab at a time.

-website: 'https://firefox.com/'
-privacy_policy: 'https://www.mozilla.org/privacy/firefox/'
+website: 'https://firefox.com'
+privacy_policy: 'https://www.mozilla.org/privacy/firefox'
 downloads:
  - icon: fab fa-app-store-ios
    url: 'https://apps.apple.com/app/id1055677337'