1
0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-07-23 11:51:16 +00:00

Revamping the Android section (#390)

Co-authored-by: Daniel Nathan Gray <dng@disroot.org>
Signed-off-by: Freddy <freddy@decypher.pw>
This commit is contained in:
Tommy
2021-12-20 00:45:41 +00:00
committed by Daniel Gray
parent d25d460348
commit fbbb7ab44a
33 changed files with 367 additions and 102 deletions

View File

@@ -0,0 +1,19 @@
title: GrapheneOS
type: Recommendation
logo: /assets/img/android/grapheneos.svg
description: |
<strong>GrapheneOS</strong> is the best choice when it comes to privacy and security.
GrapheneOS has a lot of security hardening and privacy improvements. It has a <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>, network and sensor permissions, and various other <a href="https://grapheneos.org/features">security features</a>. GrapheneOS also comes with full firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
Notably, GrapheneOS supports <a href="https://grapheneos.org/usage#sandboxed-play-services">Sandboxed Play Services</a>. Google Play Services can be run fully sandboxed like a regular user app and contained in a work profile or user <a href="/android/#android-security-privacy">profile</a> of your choice. This means that you can run apps dependant on Play Services, such as those that require push notifications using Google's <a href="https://firebase.google.com/docs/cloud-messaging/">Firebase Cloud Messaging</a> service. GrapheneOS allows you to take advantage of most <a href="https://en.wikipedia.org/wiki/Google_Play_Services">Google Play Services</a> whilst having full user control over their permissions and access.
Currently, only <a href="https://grapheneos.org/faq#device-support">Pixel phones</a> meet its hardware security requirement and are supported.
<h4>Notes</h4>
GrapheneOS's "extended support" devices do not have full security patches (firmware updates) due to the original equipment manufacturer (OEM) discontinuing support. These devices cannot be considered completely secure.
website: 'https://grapheneos.org/'
privacy_policy: 'https://grapheneos.org/faq#privacy-policy'
downloads:
- icon: fab fa-github
url: 'https://github.com/GrapheneOS'

View File

@@ -0,0 +1,25 @@
title: CalyxOS
type: Recommendation
logo: /assets/img/android/calyxos.svg
description: |
<strong>CalyxOS</strong> is a decent alternative to GrapheneOS.
It has some privacy features on top of AOSP, such as the <a href="https://calyxos.org/docs/tech/datura-details"> Datura firewall</a>, <a href="https://signal.org">Signal</a> integration in the dialer app, and a built in panic button. CalyxOS also comes with firmware updates and signed builds, so <a href="https://source.android.com/security/verifiedboot">verified boot</a> is fully supported.
To accomodate users who need Google Play Services, CalyxOS optionally includes <a href="https://microg.org/">MicroG</a>. With MicroG, CalyxOS also bundles in the <a href="https://location.services.mozilla.com/">Mozilla</a> and <a href="https://github.com/n76/DejaVu">DejaVu</a> location services.
Currently, CalyxOS <a href="https://calyxos.org/docs/guide/device-support/">supports</a> Google Pixel phones and the Xiaomi Mi A2. For legacy devices, CalyxOS offers "extended support" for much longer than GrapheneOS, making it a good choice once GrapheneOS has dropped support.
<h4>Notes</h4>
CalyxOS's "extended support" does not have full security patches due to the original equipment manufacturer (OEM) discontinuing support, therefore they cannot be considered completely secure.
With the Xiaomi Mi A2, CalyxOS does not distribute the the latest firmware. Newer versions of the firmware prevented the device from performing verified boot.
The Daruta firewall can leak in some circumstances (see <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/572">#572</a> and <a href="https://gitlab.com/CalyxOS/calyxos/-/issues/581">#581</a>).
website: 'https://calyxos.org'
privacy_policy: 'https://calyxinstitute.org/legal/privacy-policy'
downloads:
- icon: fab fa-github
url: 'https://github.com/CalyxOS'
- icon: fab fa-gitlab
url: 'https://gitlab.com/calyxos'

View File

@@ -0,0 +1,29 @@
title: DivestOS
type: Recommendation
logo: /assets/img/android/divestos.svg
description: |
<strong>DivestOS</strong> is a <a href="https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software">soft-fork</a> of <a href="https://lineageos.org/">LineageOS</a>.
DivestOS inherits many <a href="https://divestos.org/index.php?page=devices&base=LineageOS">supported devices</a> from LineageOS. It has signed builds, making it possible to have <a href="https://source.android.com/security/verifiedboot">verified boot</a> on some non-Pixel devices.
DivestOS has automated kernel vulnerability <a href="https://gitlab.com/divested-mobile/cve_checker">(CVE) patching</a>, fewer proprietary blobs, a custom <a href="https://divested.dev/index.php?page=dnsbl">hosts</a> file, along with bundled <a href="https://www.f-droid.org">F-Droid</a> as the app store. It also includes <a href="https://github.com/microg/UnifiedNlp">UnifedNlp</a> for network location and some hardening with <a href="https://gitlab.com/divested-mobile/mulch">Mulch Webview</a>. DivestOS also includes kernel patches from GrapheneOS and enables security features in <a href="https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L698">defconfig</a>.
DivestOS also inherits LineageOS's <a href="https://reddit.com/comments/c4a6f7">iptables</a> network access feature. You can deny network access to an individual application by pressing and holding on the app's icon. (App info → Data and Network → Uncheck "Network Access").
DivestOS 16.0 and 17.1 has GrapheneOS's <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a>. There are plans to port this to DivestOS 18.1.
<h4>Notes</h4>
DivestOS firmware update <a href="https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS">status</a> varies across the devices it supports. For Pixel phones, we still recommend using GrapheneOS or CalyxOS. For other supported devices, DivestOS is a good alternative.
Like CalyxOS's firewall, the network access toggle can also leak in <a href="https://gitlab.com/LineageOS/issues/android/-/issues/3228">some</a> situations.
Not all of the supported devices have <a href="https://source.android.com/security/verifiedboot">verified boot</a> and some perform it better than others.
website: 'https://divestos.org'
website_tor: 'http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion'
privacy_policy: 'https://divestos.org/index.php?page=privacy_policy'
downloads:
- icon: fab fa-github
url: 'https://github.com/divested-mobile'
- icon: fab fa-gitlab
url: 'https://gitlab.com/divested-mobile'