mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2025-07-23 11:51:16 +00:00
Revamping the Android section (#390)
Co-authored-by: Daniel Nathan Gray <dng@disroot.org> Signed-off-by: Freddy <freddy@decypher.pw>
19
_data/operating-systems/android/1_grapheneos.yml
Normal file
@@ -0,0 +1,19 @@
|
||||
title: GrapheneOS
|
||||
type: Recommendation
|
||||
logo: /assets/img/android/grapheneos.svg
|
||||
description: |
|
||||
<strong>GrapheneOS</strong> is the best choice when it comes to privacy and security.
|
||||
|
||||
GrapheneOS has a lot of security hardening and privacy improvements. It has a <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>, network and sensor permissions, and various other <a href="https://grapheneos.org/features">security features</a>. GrapheneOS also comes with full firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
|
||||
|
||||
Notably, GrapheneOS supports <a href="https://grapheneos.org/usage#sandboxed-play-services">Sandboxed Play Services</a>. Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user <a href="/android/#android-security-privacy">profile</a> of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's <a href="https://firebase.google.com/docs/cloud-messaging/">Firebase Cloud Messaging</a> service. GrapheneOS allows you to take advantage of most <a href="https://en.wikipedia.org/wiki/Google_Play_Services">Google Play Services</a> whilst having full user control over their permissions and access.
|
||||
|
||||
Currently, only <a href="https://grapheneos.org/faq#device-support">Pixel phones</a> meet its hardware security requirement and are supported.
|
||||
|
||||
<h4>Notes</h4>
|
||||
GrapheneOS's "extended support" devices do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure.
|
||||
website: 'https://grapheneos.org/'
|
||||
privacy_policy: 'https://grapheneos.org/faq#privacy-policy'
|
||||
downloads:
|
||||
- icon: fab fa-github
|
||||
url: 'https://github.com/GrapheneOS'
|
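Review bot: The description sentence "GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported" is unqualified, but the Notes block in the same file says "extended support" devices do not have full security patches (firmware updates). Suggest scoping the firmware claim to currently supported devices, and linking the Notes entry to the same faq#device-support page already used for the Pixel sentence so the affected devices can be identified. Minor: "dependant" in the Sandboxed Play Services paragraph should be "dependent".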
25
_data/operating-systems/android/2_calyxos.yml
Normal file
@@ -0,0 +1,25 @@
|
||||
title: CalyxOS
|
||||
type: Recommendation
|
||||
logo: /assets/img/android/calyxos.svg
|
||||
description: |
|
||||
<strong>CalyxOS</strong> is a decent alternative to GrapheneOS.
|
||||
|
||||
It has some privacy features on top of AOSP, such as the <a href="https://calyxos.org/docs/tech/datura-details"> Datura firewall</a>, <a href="https://signal.org">Signal</a> integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
|
||||
|
||||
To accomodate users who need Google Play Services, CalyxOS optionally includes <a href="https://microg.org/">MicroG</a>. With MicroG, CalyxOS also bundles in the <a href="https://location.services.mozilla.com/">Mozilla</a> and <a href="https://github.com/n76/DejaVu">DejaVu</a> location services.
|
||||
|
||||
Currently, CalyxOS <a href="https://calyxos.org/docs/guide/device-support/">supports</a> Google Pixel phones and the Xiaomi Mi A2. For legacy devices, CalyxOS offers "extended support" for much longer than GrapheneOS, making it a good choice once GrapheneOS has dropped support.
|
||||
|
||||
<h4>Notes</h4>
|
||||
CalyxOS's "extended support" does not have full security patches due to the original equipment manufacturer (OEM) discontinuing support, therefore they cannot be considered completely secure.
|
||||
|
||||
With the Xiaomi Mi A2, CalyxOS does not distribute the the latest firmware. Newer versions of the firmware prevented the device from performing verified boot.
|
||||
|
||||
The Daruta firewall can leak in some circumstances (see <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/572">#572</a> and <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/581">#581</a>).
|
||||
website: 'https://calyxos.org'
|
||||
privacy_policy: 'https://calyxinstitute.org/legal/privacy-policy'
|
||||
downloads:
|
||||
- icon: fab fa-github
|
||||
url: 'https://github.com/CalyxOS'
|
||||
- icon: fab fa-gitlab
|
||||
url: 'https://gitlab.com/calyxos'
|
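Review bot: The description states "CalyxOS also comes with firmware updates and signed builds, so verified boot is fully supported", while the Notes say the Xiaomi Mi A2 does not get the latest firmware and that "extended support" lacks full security patches. Suggest qualifying the description sentence per device rather than leaving the caveats only in Notes. Spelling and markup: Notes has "Daruta" where the description has "Datura", "accomodate" should be "accommodate", "the the latest firmware" repeats a word, the link text for the firewall starts with a stray space inside the anchor, and "therefore they cannot be considered" in the first note has no plural antecedent (the GrapheneOS file words this as "These devices cannot be considered completely secure").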
29
_data/operating-systems/android/3_divestos.yml
Normal file
@@ -0,0 +1,29 @@
|
||||
title: DivestOS
|
||||
type: Recommendation
|
||||
logo: /assets/img/android/divestos.svg
|
||||
description: |
|
||||
<strong>DivestOS</strong> is a <a href="https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software">soft-fork</a> of <a href="https://lineageos.org/">LineageOS</a>.
|
||||
|
||||
DivestOS inherits many <a href="https://divestos.org/index.php?page=devices&base=LineageOS">supported devices</a> from LineageOS. It has signed builds, making it possible to have <a href="https://source.android.com/security/verifiedboot">verified boot</a> on some non-Pixel devices.
|
||||
|
||||
DivestOS has automated kernel vulnerability <a href="https://gitlab.com/divested-mobile/cve_checker">(CVE) patching</a>, fewer proprietary blobs, a custom <a href="https://divested.dev/index.php?page=dnsbl">hosts</a> file, along with bundled <a href="https://www.f-droid.org">F-Droid</a> as the app store. It also includes <a href="https://github.com/microg/UnifiedNlp">UnifedNlp</a> for network location and some hardening with <a href="https://gitlab.com/divested-mobile/mulch">Mulch Webview</a>. DivestOS also includes kernel patches from GrapheneOS and enables security features in <a href="https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698">defconfig</a>.
|
||||
|
||||
DivestOS also inherits LineageOS's <a href="https://reddit.com/comments/c4a6f7">iptables</a> network access feature. You can deny network access to an individual application by pressing and holding on the app's icon. (App info → Data and Network → Uncheck "Network Access").
|
||||
|
||||
DivestOS 16.0 and 17.1 has GrapheneOS's <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>. There are plans to port this to DivestOS 18.1.
|
||||
|
||||
<h4>Notes</h4>
|
||||
DivestOS firmware update <a href="https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS">status</a> varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
|
||||
|
||||
Like CalyxOS's firewall, the network access toggle can also leak in <a href="https://gitlab.com/LineageOS/issues/android/-/issues/3228">some</a> situations.
|
||||
|
||||
Not all of the supported devices have <a href="https://source.android.com/security/verifiedboot">verified boot</a> and some perform it better than others.
|
||||
|
||||
website: 'https://divestos.org'
|
||||
website_tor: 'http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion'
|
||||
privacy_policy: 'https://divestos.org/index.php?page=privacy_policy'
|
||||
downloads:
|
||||
- icon: fab fa-github
|
||||
url: 'https://github.com/divested-mobile'
|
||||
- icon: fab fa-gitlab
|
||||
url: 'https://gitlab.com/divested-mobile'
|
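Review bot: The defconfig link in the description targets `blob/master/Scripts/Common/Functions.sh#L698`, a line anchor on a moving branch, so it will point at unrelated code as soon as that script changes; use a commit-pinned permalink or drop the `#L698` anchor. In the Notes, the leak caveat links the single word "some" to LineageOS issue 3228; naming the issue number in the link text would match how the CalyxOS entry cites #572 and #581. Minor: the link text "UnifedNlp" should be "UnifiedNlp" (as in its URL), and "DivestOS 16.0 and 17.1 has" should be "have".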