It seems like every week it's another OS where a problem like this is discovered. If it's critical that your traffic goes over a VPN, you really need to be using something like Whonix.
I wonder if this also applies if you use their in house app "intra" which is made for journalists and whistleblowers (part of the Google Jigsaw project) to avoid getting exposed?
Yeah, I'm impressed by all the enhancements like this that GrapheneOS put the work into. However I can't see myself using them because of their stance towards rooting. I strongly disagree that a user having full administrative access to their phone is something intolerable when it's accepted on a desktop or laptop. With Magisk I get a similar security barrier to sudo or UAC with biometric authentication to use su, and I can't really trust my phone unless I have full visibility. I understand their reasoning but the whole point of flashing a custom ROM is that I'm in control.
That being said, it's a shame that LOS doesn't borrow more from Graphene.
I completely agree, but I think it's worth giving up that access and control in the name of stronger security on my primary device.
Magisk and other tools are a prime target.
A LOT of the concerns I had with losing control can be worked around. I've been using/building LineageOS/CM for many years and can highly recommend GrapheneOS.
That's totally fair and valid. I don't need root a lot of the time, but the one use I do depend on is network blocking via hosts like AdAway allows. If I understand correctly the GrapheneOS alternative is running a local VPN to accomplish this?
That doesn't suffice for me since then I'm limited by Android only allowing one VPN at a time and would then have to choose between having adblocking or hiding my public IP. Yes, I can (and do) use a custom DoH like NextDNS for blocking as well, but I also like having a static hosts file so I have a baseline blocklist on my phone itself. However that's just my personal preference, any of those approaches are valid.
Having the ability for logcat would be nice too, since I depend on that to audit apps and track down strange bugs occasionally.
My main defense in limiting my attack surface is just not installing very many apps in general, and preferring apps from F-Droid that are as simple as possible and offline only, or that are connecting to a self-hosted service that I control. Which I'm sure helps but is obviously not as thorough as Graphene's hardening.
Verified boot is an awesome feature though, I think the ideal for me would be using my own custom keys to have verified boot, so I can include and sign whatever I want in my ROM. Though, I know there are the hardware backed keys you can't change and at that point I'd essentially just have my own custom ROM. I might just be spoiled from what I get with the Pureboot firmware on my Librem laptop and being able to verify firmware with my own GPG key.
I also think it's awesome that we have enough privacy-focused ROM choices on Android to be having this discussion :)
Seems like even if you enable the option to block connections outside a VPN, Android is designed to still do connectivity checks for special cases like identifying captive portals (like hotel WiFi).
From the article:
> “Even if the content of the message does not reveal anything more than "some Android device connected", the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations.”
> Mullvad is still debating the significance of the data leak with Google, calling them to introduce the ability to disable connectivity checks and minimize liability points.
> Notably, GrapheneOS, Android-based privacy and security-focused operating system that can run on a limited number of smartphone models, provides this option with the intended functionality.
11 comments
[ 4.2 ms ] story [ 34.6 ms ] threadEDIT: Looks to be AOSP according to this https://issuetracker.google.com/issues/249990229?pli=1
The main AOSP derivatives, including LineageOS don't address it at all.
That being said, it's a shame that LOS doesn't borrow more from Graphene.
Magisk and other tools are a prime target.
A LOT of the concerns I had with losing control can be worked around. I've been using/building LineageOS/CM for many years and can highly recommend GrapheneOS.
That doesn't suffice for me since then I'm limited by Android only allowing one VPN at a time and would then have to choose between having adblocking or hiding my public IP. Yes, I can (and do) use a custom DoH like NextDNS for blocking as well, but I also like having a static hosts file so I have a baseline blocklist on my phone itself. However that's just my personal preference, any of those approaches are valid.
Having the ability for logcat would be nice too, since I depend on that to audit apps and track down strange bugs occasionally.
My main defense in limiting my attack surface is just not installing very many apps in general, and preferring apps from F-Droid that are as simple as possible and offline only, or that are connecting to a self-hosted service that I control. Which I'm sure helps but is obviously not as thorough as Graphene's hardening.
Verified boot is an awesome feature though, I think the ideal for me would be using my own custom keys to have verified boot, so I can include and sign whatever I want in my ROM. Though, I know there are the hardware backed keys you can't change and at that point I'd essentially just have my own custom ROM. I might just be spoiled from what I get with the Pureboot firmware on my Librem laptop and being able to verify firmware with my own GPG key.
I also think it's awesome that we have enough privacy-focused ROM choices on Android to be having this discussion :)
https://news.ycombinator.com/item?id=33177629
(154 points, 76 comments)
Anyways reposting my comment from that thread:
Seems like even if you enable the option to block connections outside a VPN, Android is designed to still do connectivity checks for special cases like identifying captive portals (like hotel WiFi).
From the article:
> “Even if the content of the message does not reveal anything more than "some Android device connected", the metadata (which includes the source IP) can be used to derive further information, especially if combined with data such as WiFi access point locations.”
> Mullvad is still debating the significance of the data leak with Google, calling them to introduce the ability to disable connectivity checks and minimize liability points.
> Notably, GrapheneOS, Android-based privacy and security-focused operating system that can run on a limited number of smartphone models, provides this option with the intended functionality.