Typo

Signed-off-by: blacklight447 <niek@privacyguides.org>
Signed-off-by: Daniel Gray <dngray@privacyguides.org>

.all-contributorsrc

@@ -621,7 +621,12 @@
       "avatar_url": "https://avatars.githubusercontent.com/u/30749146?v=4",
       "profile": "https://github.com/razac-elda",
       "contributions": [
-        "doc"
+        "doc",
+        "bug",
+        "financial",
+        "promotion",
+        "question",
+        "translation"
       ]
     },
     {
@@ -2854,6 +2859,15 @@
       "contributions": [
         "doc"
       ]
+    },
+    {
+      "login": "IDON-TEXIST",
+      "name": "IDON-TEXIST",
+      "avatar_url": "https://avatars.githubusercontent.com/u/73442356?v=4",
+      "profile": "https://github.com/IDON-TEXIST",
+      "contributions": [
+        "doc"
+      ]
     }
   ],
   "contributorsPerLine": 5,

README.md

@@ -44,7 +44,7 @@
 
 The current list of team members can be found [here](https://www.privacyguides.org/en/about/#executive-committee). Additionally, [many people](#contributors) have made contributions to the project, and you can too!
 
-*Featured on: [Tweakers](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html), [The New York Times](https://nytimes.com/wirecutter/guides/online-security-social-media-privacy), and [Wired](https://wired.com/story/firefox-mozilla-2022)*
+*Featured on: [Tweakers](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html), [The New York Times](https://nytimes.com/wirecutter/guides/online-security-social-media-privacy), [Wired](https://wired.com/story/firefox-mozilla-2022), and [Fast Company](https://www.fastcompany.com/91167564/mozilla-wants-you-to-love-firefox-again).*
 
 ## Contributing
 
@@ -246,7 +246,7 @@ Privacy Guides wouldn't be possible without these wonderful people ([emoji key](
     <tr>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/Kcchouette"><img src="https://avatars.githubusercontent.com/u/3000936?v=4" width="100px;" loading=lazy /><br /><sub><b>Kcchouette</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=Kcchouette" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://jacobneplokh.com/"><img src="https://avatars.githubusercontent.com/u/46184597?v=4" width="100px;" loading=lazy /><br /><sub><b>Jacob Neplokh</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=jneplokh" title="Documentation">📖</a></td>
-      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/razac-elda"><img src="https://avatars.githubusercontent.com/u/30749146?v=4" width="100px;" loading=lazy /><br /><sub><b>Leonardo Mazzon</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=razac-elda" title="Documentation">📖</a></td>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/razac-elda"><img src="https://avatars.githubusercontent.com/u/30749146?v=4" width="100px;" loading=lazy /><br /><sub><b>Leonardo Mazzon</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=razac-elda" title="Documentation">📖</a> <a href="https://github.com/privacyguides/privacyguides.org/issues?q=author%3Arazac-elda" title="Bug reports">🐛</a> <a href="#financial-razac-elda" title="Financial">💵</a> <a href="#promotion-razac-elda" title="Promotion">📣</a> <a href="#question-razac-elda" title="Answering Questions">💬</a> <a href="#translation-razac-elda" title="Translation">🌍</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/opheron"><img src="https://avatars.githubusercontent.com/u/7110152?v=4" width="100px;" loading=lazy /><br /><sub><b>Andrew Chong</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=opheron" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/woctezuma"><img src="https://avatars.githubusercontent.com/u/570669?v=4" width="100px;" loading=lazy /><br /><sub><b>Wok</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=woctezuma" title="Documentation">📖</a></td>
     </tr>
@@ -593,6 +593,9 @@ Privacy Guides wouldn't be possible without these wonderful people ([emoji key](
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/m00t316"><img src="https://avatars.githubusercontent.com/u/54213179?v=4" width="100px;" loading=lazy /><br /><sub><b>Kieran Colfer</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=m00t316" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/I-I-IT"><img src="https://avatars.githubusercontent.com/u/78900789?v=4" width="100px;" loading=lazy /><br /><sub><b>Triple T</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=I-I-IT" title="Documentation">📖</a></td>
     </tr>
+    <tr>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/IDON-TEXIST"><img src="https://avatars.githubusercontent.com/u/73442356?v=4" width="100px;" loading=lazy /><br /><sub><b>IDON-TEXIST</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=IDON-TEXIST" title="Documentation">📖</a></td>
+    </tr>
   </tbody>
   <tfoot>
     <tr>

blog/.authors.yml

@@ -12,6 +12,9 @@ authors:
     name: Niek de Wilde
     description: Team Member
     avatar: https://github.com/blacklight447.png
+    mastodon:
+      username: blacklight447
+      instance: mastodon.social
   dngray:
     name: Daniel Gray
     description: Team Member
@@ -24,6 +27,10 @@ authors:
     name: Jonah Aragon
     description: Team Member
     avatar: https://github.com/jonaharagon.png
+    mastodon:
+      username: jonah
+      instance: neat.computer
+    twitter: jonaharagon
   kaitebay:
     name: Kai Tebay
     description: Former Team Member

blog/posts/.meta.yml

@@ -1 +1,3 @@
 comments: true
+social:
+  cards_layout: blog

docs/about/criteria.md

@@ -5,7 +5,7 @@ title: General Criteria
 Below are some general priorities we consider for all submissions to Privacy Guides. Each category will have additional requirements for inclusion.
 
 - **Security**: Tools should follow security best-practices wherever applicable.
-- **Source Availability**: Open-source projects are generally preferred over equivalent proprietary alternatives.
+- **Source Availability**: Open-source projects are generally preferred over equivalent proprietary alternatives. Our definition of Open-source follows the [OSI definition](https://opensource.org/osd). Licenses not under the OSI are allowed as long as they are compatible with the OSI definition. The Open-source part is only mandatory for pages with "Open-source" as a minimum requirement.
 - **Cross-Platform Availability**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.
 - **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases.
 - **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required.

docs/android/distributions.md

@@ -62,43 +62,45 @@ GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wik
 
 </div>
 
-GrapheneOS supports [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging), while giving you full control over their permissions and access, and while containing them to a specific [work profile](../os/android-overview.md#work-profile) or [user profile](../os/android-overview.md#user-profiles) of your choice.
+GrapheneOS supports [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs Google Play Services fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as push notifications, while giving you full control over their permissions and access, and while containing them to a specific [work profile](../os/android-overview.md#work-profile) or [user profile](../os/android-overview.md#user-profiles) of your choice.
 
 [Google Pixel phones](../mobile-phones.md#google-pixel) are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#future-devices).
 
+By default, Android makes many network connections to Google to perform DNS connectivity checks, to sync with current network time, to check your network connectivity, and for many other background tasks. GrapheneOS replaces these with connections to servers operated by GrapheneOS and subject to their privacy policy. This hides information like your IP address [from Google](../basics/common-threats.md#privacy-from-service-providers), but means it is trivial for an admin on your network or ISP to see you are making connections to `grapheneos.network`, `grapheneos.org`, etc. and deduce what operating system you are using.
+
+GrapheneOS provides the option to switch back to connecting to Google's servers for many of these background connections if you prefer, but it is far more robust/foolproof to use a [trusted VPN](../vpn.md) and enable Android's native VPN [kill switch](../os/android-overview.md#vpn-killswitch) to hide information like this from adversaries on your network.
+
 ### DivestOS
 
+If GrapheneOS isn't compatible with your phone, DivestOS is a good alternative. It supports a wide variety of phones with *varying* levels of security protections and quality control.
+
 <div class="admonition recommendation" markdown>
 
 ![DivestOS logo](../assets/img/android/divestos.svg){ align=right }
 
 **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org).
-DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices.
+DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](../os/android-overview.md#verified-boot) on some non-Pixel devices. Not all supported devices support verified boot or other security features.
 
 [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary }
 [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" }
 [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation}
+[:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title="Documentation" }
 [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" }
-[:octicons-heart-16:](https://divested.dev/pages/donate){ .card-link title=Contribute }
+[:octicons-heart-16:](https://divested.dev/pages/donate){ .card-link title="Contribute" }
 
 </div>
 
-DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates.
+The [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) of firmware updates in particular will vary significantly depending on your phone model. While standard AOSP bugs and vulnerabilities can be fixed with standard software updates like those provided by DivestOS, some vulnerabilities cannot be patched without support from the device manufacturer, making end-of-life devices less safe even with an up-to-date alternative ROM like DivestOS.
+
+DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [control-flow integrity](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates.
+
 DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled.
 
-DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://grapheneos.org/usage#exec-spawning), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, [automatic reboot](https://grapheneos.org/features#auto-reboot), and Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features#attack-surface-reduction).
+DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's `INTERNET` and `SENSORS` permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://grapheneos.org/usage#exec-spawning), Java Native Interface [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features per-network full MAC address randomization, [`ptrace_scope`](https://kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, automatic reboot, and Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features#attack-surface-reduction).
 
-DivestOS uses F-Droid as its default app store. We normally [recommend avoiding F-Droid](obtaining-apps.md#f-droid), but doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repository, [DivestOS Official](https://divestos.org/fdroid/official). We recommend disabling the official F-Droid app and using [F-Droid Basic](https://f-droid.org/en/packages/org.fdroid.basic) **with the DivestOS repository enabled** to keep those components up to date. For other apps, our recommended [methods of obtaining them](obtaining-apps.md) still apply.
+DivestOS uses F-Droid as its default app store. We normally [recommend avoiding F-Droid](obtaining-apps.md#f-droid), but doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repository, [DivestOS Official](https://divestos.org/fdroid/official). For these apps you should continue to use F-Droid **with the DivestOS repository enabled** to keep those components up to date. For other apps, our recommended [methods of obtaining them](obtaining-apps.md) still apply.
 
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative.
-
-Not all of the supported devices have verified boot, and some perform it better than others.
-
-</div>
+DivestOS replaces many of Android's background network connections to Google services with alternative services, such as using OpenEUICC for eSIM activation, NTP.org for network time, and Quad9 for DNS. These connections can be modified, but their deviation from a standard Android phone's network connections could mean it is easier for an adversary on your network to deduce what operating system you have installed on your phone. If this is a concern to you, consider using a [trusted VPN](../vpn.md) and enabling the native VPN [kill switch](../os/android-overview.md#vpn-killswitch) to hide this network traffic from your local network and ISP.
 
 ## Criteria
 

docs/android/index.md

@@ -21,16 +21,48 @@ schema:
 
 The **Android Open Source Project** (AOSP) is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features.
 
-[:octicons-home-16:](https://source.android.com){ .card-link title=Homepage }
-[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
-[:octicons-code-16:](https://cs.android.com/android/platform/superproject/main){ .card-link title="Source Code" }
+[General Android Overview :material-arrow-right-drop-circle:](../os/android-overview.md){ .md-button .md-button--primary }
 
-We recommend the following Android-specific tools to maximize your mobile device's security and privacy.
+## Our Advice
 
-- [Alternative Distributions](distributions.md)
-- [General Apps](general-apps.md)
-- [Obtaining Applications](obtaining-apps.md)
+### Replace Google Services
 
-To learn more about Android:
+There are many methods of obtaining apps on Android while avoiding Google Play. Whenever possible, try using one of these methods before getting your apps from non-private sources:
 
-[General Android Overview :material-arrow-right-drop-circle:](../os/android-overview.md){ .md-button }
+[Obtaining Applications :material-arrow-right-drop-circle:](obtaining-apps.md){ .md-button }
+
+There are also many private alternatives to the apps that come pre-installed on your phone, such as the camera app. Besides the Android apps we recommend throughout this site in general, we've created a list of system utilities specific to Android which you might find useful.
+
+[General App Recommendations :material-arrow-right-drop-circle:](general-apps.md){ .md-button }
+
+### Install a Custom Distribution
+
+When you buy an Android phone, the default operating system comes bundled with apps and functionality that are not part of the Android Open Source Project. Many of these apps—even apps like the dialer which provide basic system functionality—require invasive integrations with Google Play Services, which in turn asks for privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, and numerous other things on your device in order for those basic system apps and many other apps to function in the first place. Frameworks like Google Play Services increase the attack surface of your device and are the source of various privacy concerns with Android.
+
+This problem could be solved by using an alternative Android distribution, commonly known as a *custom ROM*, that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
+
+Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria:
+
+[Recommended Distributions :material-arrow-right-drop-circle:](distributions.md){ .md-button }
+
+### Avoid Root
+
+[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition, meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the attack surface of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
+
+Content blockers which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For content blocking, we suggest encrypted [DNS](../dns.md) or content blocking functionality provided by a VPN instead. TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN), preventing you from using privacy enhancing services such as [Orbot](../tor.md#orbot) or a [real VPN provider](../vpn.md).
+
+AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
+
+We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
+
+### Install Updates Regularly
+
+It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android receive not only security updates for the operating system but also important privacy enhancing updates too.
+
+For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes) any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), or your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity); whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
+
+### Use Built-in Sharing Features
+
+You can avoid giving many apps permission to access your media with Android's built-in sharing features. Many applications allow you to "share" a file with them for media upload.
+
+For example, if you want to post a picture to Discord you can open your file manager or gallery and share that picture with the Discord app, instead of granting Discord full access to your media and photos.

docs/index.md

@@ -1,5 +1,5 @@
 ---
-meta_title: "Privacy Guides: Your Independent Privacy and Security Resource"
+meta_title: "Privacy Guides: Independent Privacy & Security Resources"
 description: "The most popular & trustworthy non-profit website to find privacy tools and learn about protecting your digital life. Ad & affiliate free, high quality reviews."
 template: home.html
 social:

docs/os/android-overview.md

@@ -8,39 +8,11 @@ robots: nofollow, max-snippet:-1, max-image-preview:large
 
 The **Android Open Source Project** is a secure mobile operating system featuring strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system.
 
-## Our Advice
+[:octicons-home-16:](https://source.android.com){ .card-link title=Homepage }
+[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation}
+[:octicons-code-16:](https://cs.android.com/android/platform/superproject/main){ .card-link title="Source Code" }
 
-### Choosing an Android Distribution
-
-When you buy an Android phone, the default operating system comes bundled with apps and functionality that are not part of the Android Open Source Project. Many of these apps—even apps like the dialer which provide basic system functionality—require invasive integrations with Google Play Services, which in turn asks for privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, and numerous other things on your device in order for those basic system apps and many other apps to function in the first place. Frameworks like Google Play Services increase the attack surface of your device and are the source of various privacy concerns with Android.
-
-This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model.
-
-Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria.
-
-[Our Android System Recommendations :material-arrow-right-drop-circle:](../android/distributions.md){ .md-button }
-
-### Avoid Rooting
-
-[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition, meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
-
-Content blockers which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For content blocking, we suggest encrypted [DNS](../dns.md) or content blocking functionality provided by a VPN instead. TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN), preventing you from using privacy enhancing services such as [Orbot](../tor.md#orbot) or a [real VPN provider](../vpn.md).
-
-AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
-
-We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.
-
-### Install Updates
-
-It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android receive not only security updates for the operating system but also important privacy enhancing updates too.
-
-For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes) any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), or your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity); whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
-
-### Sharing Media
-
-You can avoid giving many apps permission to access your media with Android's built-in sharing features. Many applications allow you to "share" a file with them for media upload.
-
-For example, if you want to post a picture to Discord you can open your file manager or gallery and share that picture with the Discord app, instead of granting Discord full access to your media and photos.
+[Our Android Advice :material-arrow-right-drop-circle:](../android/index.md){ .md-button .md-button--primary }
 
 ## Security Protections
 

includes/contributors.md

@@ -85,7 +85,7 @@
     <tr>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/Kcchouette"><img src="https://avatars.githubusercontent.com/u/3000936?v=4" width="100px;" loading=lazy /><br /><sub><b>Kcchouette</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=Kcchouette" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://jacobneplokh.com/"><img src="https://avatars.githubusercontent.com/u/46184597?v=4" width="100px;" loading=lazy /><br /><sub><b>Jacob Neplokh</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=jneplokh" title="Documentation">📖</a></td>
-      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/razac-elda"><img src="https://avatars.githubusercontent.com/u/30749146?v=4" width="100px;" loading=lazy /><br /><sub><b>Leonardo Mazzon</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=razac-elda" title="Documentation">📖</a></td>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/razac-elda"><img src="https://avatars.githubusercontent.com/u/30749146?v=4" width="100px;" loading=lazy /><br /><sub><b>Leonardo Mazzon</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=razac-elda" title="Documentation">📖</a> <a href="https://github.com/privacyguides/privacyguides.org/issues?q=author%3Arazac-elda" title="Bug reports">🐛</a> <a href="#financial-razac-elda" title="Financial">💵</a> <a href="#promotion-razac-elda" title="Promotion">📣</a> <a href="#question-razac-elda" title="Answering Questions">💬</a> <a href="#translation-razac-elda" title="Translation">🌍</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/opheron"><img src="https://avatars.githubusercontent.com/u/7110152?v=4" width="100px;" loading=lazy /><br /><sub><b>Andrew Chong</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=opheron" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/woctezuma"><img src="https://avatars.githubusercontent.com/u/570669?v=4" width="100px;" loading=lazy /><br /><sub><b>Wok</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=woctezuma" title="Documentation">📖</a></td>
     </tr>
@@ -432,6 +432,9 @@
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/m00t316"><img src="https://avatars.githubusercontent.com/u/54213179?v=4" width="100px;" loading=lazy /><br /><sub><b>Kieran Colfer</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=m00t316" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/I-I-IT"><img src="https://avatars.githubusercontent.com/u/78900789?v=4" width="100px;" loading=lazy /><br /><sub><b>Triple T</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=I-I-IT" title="Documentation">📖</a></td>
     </tr>
+    <tr>
+      <td align="center" valign="top" width="20%"><a rel="nofollow noopener noreferrer" href="https://github.com/IDON-TEXIST"><img src="https://avatars.githubusercontent.com/u/73442356?v=4" width="100px;" loading=lazy /><br /><sub><b>IDON-TEXIST</b></sub></a><br /><a href="https://github.com/privacyguides/privacyguides.org/commits?author=IDON-TEXIST" title="Documentation">📖</a></td>
+    </tr>
   </tbody>
   <tfoot>
     <tr>

mkdocs.blog.yml

@@ -23,7 +23,7 @@ site_url: "https://www.privacyguides.org/articles/"
 site_dir: "site/articles"
 
 site_name: Privacy Guides
-site_description: "Privacy Guides is your central privacy and security resource to protect yourself online."
+site_description: "Privacy Guides is the most popular & trustworthy non-profit privacy resource to find privacy tools and learn about protecting your digital life."
 edit_uri_template: blob/main/blog/{path}?plain=1
 
 extra:
@@ -128,6 +128,8 @@ plugins:
     blog_dir: .
     blog_toc: true
     post_url_format: "{date}/{file}"
+    post_excerpt: required
+    post_excerpt_max_authors: 0
     authors_profiles: true
     authors_profiles_toc: true
     categories_allowed:

theme/layouts/blog.yml

@@ -0,0 +1,110 @@
+definitions:
+  - &site_name >-
+    {{ config.site_name }}
+
+  - &page_title >-
+    {{ page.meta.get("title", page.title) }}
+
+  - &page_description >-
+    {{ page.meta.get("description", config.site_description) or "" }}
+
+  - &logo >-
+    theme/assets/brand/logos/svg/logo/privacy-guides-logo-notext-colorbg.svg
+
+  - &updated_time >-
+    {% if page.config.date.updated %}
+      {{- page.config.date.updated.strftime('%Y-%m-%d') -}}
+    {% else %}
+      {{- page.config.date.created.strftime('%Y-%m-%d') -}}
+    {% endif %}
+
+  - &author_mastodon >-
+    {%- if page.authors[0].mastodon -%}
+      @{{- page.authors[0].mastodon.username -}}@{{- page.authors[0].mastodon.instance -}}
+    {%- else -%}
+      {{- "@privacyguides@neat.computer" -}}
+    {%- endif -%}
+
+  - &author_twitter >-
+    {%- if page.authors[0].twitter -%}
+      @{{- page.authors[0].twitter -}}
+    {%- else -%}
+      {{- "@privacy_guides" -}}
+    {%- endif -%}
+
+# Meta tags
+tags:
+  # Open Graph
+  og:type: article
+  og:title: *page_title
+  og:description: *page_description
+  og:image: "{{ image.url }}"
+  og:image:type: "{{ image.type }}"
+  og:image:width: "{{ image.width }}"
+  og:image:height: "{{ image.height }}"
+  og:url: "{{ page.canonical_url }}"
+
+  # Blog
+  article:published_time: "{{ page.config.date.created.strftime('%Y-%m-%d') }}"
+  article:modified_time: *updated_time
+  article:section: "{{ page.categories[0].title }}"
+  article:author: "https://www.privacyguides.org/articles/{{ page.authors[0].url }}"
+
+  # Mastodon
+  fediverse:creator: *author_mastodon
+
+  # Twitter
+  twitter:site: "@privacy_guides"
+  twitter:creator: *author_twitter
+  twitter:card: summary_large_image
+  twitter:title: *page_title
+  twitter:description: *page_description
+  twitter:image: "{{ image.url }}"
+
+# -----------------------------------------------------------------------------
+# Specification
+# -----------------------------------------------------------------------------
+
+# Card size and layers
+size: { width: 1200, height: 630 }
+layers:
+  # Background
+  - background:
+      color: "#FFD06F"
+
+  # Page icon
+  - size: { width: 630, height: 630 }
+    offset: { x: 570, y: 0 }
+    icon:
+      value: material/book-open-page-variant
+      color: "#00000033"
+
+  # Logo
+  - size: { width: 64, height: 64 }
+    offset: { x: 64, y: 64 }
+    background:
+      image: *logo
+
+  # Site name
+  - size: { width: 768, height: 42 }
+    offset: { x: 160, y: 78 }
+    typography:
+      content: *site_name
+      color: "#2d2d2d"
+      font:
+        family: Bagnard
+        style: Bold
+
+  # Page title
+  - size: { width: 864, height: 256 }
+    offset: { x: 62, y: 192 }
+    typography:
+      content: *page_title
+      align: start
+      color: "#2d2d2d"
+      line:
+        amount: 3
+        height: 1.5
+      font:
+        family: Bagnard
+        style: Bold

theme/layouts/home.yml

@@ -46,7 +46,7 @@ tags:
 
   # Twitter
   twitter:card: summary_large_image
-  twitter.title: *page_title_with_site_name
+  twitter:title: *page_title_with_site_name
   twitter:description: *page_description
   twitter:image: "{{ image.url }}"
 

theme/layouts/page.yml

@@ -79,9 +79,13 @@ tags:
   og:image:height: "{{ image.height }}"
   og:url: "{{ page.canonical_url }}"
 
+  # Mastodon
+  fediverse:creator: "@privacyguides@neat.computer"
+
   # Twitter
+  twitter:site: "@privacy_guides"
   twitter:card: summary_large_image
-  twitter.title: *page_title_with_site_name
+  twitter:title: *page_title_with_site_name
   twitter:description: *page_description
   twitter:image: "{{ image.url }}"
 

theme/layouts/pride.yml

@@ -66,7 +66,7 @@ tags:
 
   # Twitter
   twitter:card: summary_large_image
-  twitter.title: *page_title_with_site_name
+  twitter:title: *page_title_with_site_name
   twitter:description: *page_description
   twitter:image: "{{ image.url }}"
 

theme/main.html

@@ -31,6 +31,8 @@
     {% endif %}
     {% if page.meta and page.meta.author %}
     <meta name="author" content="{{ page.meta.author }}">
+    {% elif page.authors %}
+    <meta name="author" content="{{ page.authors[0].name }}">
     {% elif config.site_author %}
     <meta name="author" content="{{ config.site_author }}">
     {% endif %}
@@ -83,12 +85,8 @@
     <meta name="robots" content="max-snippet:-1, max-image-preview:large">
   {% endif %}
 
-  <meta name="fediverse:creator" content="privacyguides@neat.computer" />
-
   {% if config.extra.context == "production" %}
-  <meta http-equiv="onion-location" content="{{ "http://www.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion/" ~ config.theme.language ~ "/" ~ page.url }}" />
-  {% elif config.extra.deploy %}
-  <meta http-equiv="onion-location" content="{{ "http://" ~ config.extra.deploy ~ ".netlify.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion/" ~ config.theme.language ~ "/" ~ page.url }}" />
+  <meta http-equiv="onion-location" content="{{ page.canonical_url | replace("https://www.privacyguides.org", "http://www.xoe4vn5uwdztif6goazfbmogh6wh5jc4up35bqdflu6bkdc5cas5vjqd.onion") }}" />
   {% endif %}
   {% if page and page.meta and page.meta.schema %}
   <script type="application/ld+json">