this post was submitted on 05 Sep 2023
Yes. To explain this further to you I will first define some jargon for you, as you seem to be new to this.
FOSS means "Free and Open Source Software". Here, free does not mean free as in beer, but means that the software is free to download, use, modify or study. This is different from just open source software, as this only means that the source code is publicly available in some way.
Libre refers to the same concept as free, just in an edgy, viva la revolución, kind of way.
Privileged apps have a nasty amount of permissions and can access most of the device. They are always treated extra and are often the ones that get you.
microG is an open source alternative for Google services. It can directly replace them and only connects to the Google servers when necessary for an app to function. This is also why microG exists, as it keeps better compatibility for apps than just removing Google services completely. It is not perfect though, so some apps might still not work. It can oftentimes be completely disabled, so as to have no Google API calls at all. The issue here is that it is a privileged app and can most times not be simply removed.
Sandboxed Google Play services are specific to GrapheneOS. Instead of using the rather incomplete and sometimes unstable microG, they simply removed all privileges from Google services and made it an untrusted, sandboxed app that may not even have internet access. This has the best "degoogled" implementation for compatibility of apps using Google services, but has obvious drawbacks of having closed source Google software on your device, though that device is the most secure device you will likely ever lay your hands on, so no biggie. GrapheneOS comes by default without any implementation or alternative of Google services, so it has incredible privacy with some incompatibility issues, although if you use FOSS software, this should not really be an issue in the first place.
A proxy is essentially a server(1) you ask to ask another server(2) for some data. This way, the server(2) does not get your IP. It is different from a VPN you pay a subscription for, as not all your requests are run through a proxy. Only the specific app that uses the proxy will decide for which part of its traffic it will use the proxy. There is also no fancy adblocking or other extra features like some VPNs provide.
F-Droid is an app store for FOSS apps. By default, it only lists the official F-Droid repository, which already has a bunch of good software. You can however add other repositories, for example to add an app that is not quite FOSS, but still very private. The Proton E-mail client is an example, as it uses a singular proprietary library for popup notifications. IzzyOnDroid is a great example of a third party repository you can add for some more apps. Remember, the repositories cannot hurt you, but the software you install from them may. Nothing is stopping anybody from distributing malicious software. Do not trust blindly.
Alternative front ends are nice if you want to access a service that has disadvantages you do not like. LibreTube is a very nice Piped client. What does that mean? Well, Piped acts as a middleman between YouTube (Google) and you, asking the YouTube server for videos, while your IP remains hidden. So, LibreTube is basically a YouTube client with none of the tracking. Social media has frontends, but there are others. F-Droid has two popular front ends, Droidify and Neo Store. Why? Well, F-Droid is no bad guy. However, the app is rather old and developed for an old Android version. This is bad, as new Android patches and security updates may not hold. There are alternative front ends for a lot of stuff. There is this timetable client called Untis, which has an alternative frontend called BetterUntis lol. It's important to note, though, that not every alternative frontend hides your IP by default. BetterUntis for example directly accesses Untis APIs from your phone. To hide your IP, use a VPN or configure the used app to use a proxy if the app provides an option for it.
The Aurora Store is an alternative frontend for the Google Play Store, sharing a few Google accounts between all of its users. You can also add your own account if you want, as the default accounts are often rate limited. Don't do that though.
The AOSP, or "Android Open Source Project", is exactly what it sounds like. It's simply supposed to make Android's code publicly available.
Rooting is rather fun. As Android is based on Linux, Android inherits a lot from Linux. One such thing is the base of its file system. The lowest path (imagine a folder) for Linux is called root. This makes sense, as it's the root of everything. When rooting a device, you kind of reenable the file system of the underlying Linux system that Android is built upon. Doing this used to be kewl, but it is rather problematic, as this exposes the underlying system of Android, which creates a huge attack surface with a bunch of known vulnerabilities. It's kind of like stealing someone's belt, now everyone could pull down their pants.
The word ROM is a little falsely used sometimes. A ROM, or Read Only Memory, is a persistent data storage type that cannot be written to, only read. Android OSs are often called ROMs. I don't actually know why, but it could be a descendant of video games, as those were often stored on ROM back in the day and maybe they still are, dunno. Android sort of runs on top of Linux, which feels similar to, say, a Nintendo game from a cartridge.
A bootloader is basically a small program that kickstarts the operating system (also called OS), a large and very complex program. For security purposes, most bootloaders are locked from the factory. This means that you can't just change the program that is started when the device is booted without rooting the device. Some bootloaders are not unlockable however, so you would have to root the device to change the OS, which is insecure.
A secure execution environment is essentially a processor that has limited access to system resources and can thus improve security if properly used.
Google Pixels are very special devices. They are made by Google so you may think they are naturally bad for privacy. They are surprisingly not as intrusive as other devices. Take a Samsung device for example. The Galaxy has Android. Not AOSP, but Google's Android. They just take Google's Android that is meant to be installed on non-Google devices and slap their own spyware on top of Google's spyware. So now, you are being spied on by an American monopoly as well as a Korean monopoly. Yikes. Now, you want to install a custom ROM anyways, right? So why care? I can just take any device, remove everything and use a custom ROM. Well, most devices do not have good security in comparison to the Pixel, like the Fairphone. The Pixel simply has good security. It's not all sunshine and roses though. You still support Google financially by buying a Pixel. In order to unlock a Pixel, you will also have to connect to the internet and send Google the phone's IMEI, which is unique and known by Google. So Google knows which devices have had an unlocked bootloader at least once and which didn't.
The Fairphone is my favorite. It is user serviceable, has pretty decent specs, and is supported by privacy respecting ROMs. It does not have a secure execution environment and generally has subpar security. It does not notify Google or Fairphone when unlocking the bootloader; this is, to my knowledge, Google specific.
The Shift phone is also very nice. It is very similar to the Fairphone, as it is user serviceable, has bad security, yet is just as free. It differs, in that it is not as easily repairable as the Fairphone. It is still extremely easy, but unlike the Shift, the Fairphone does not have weak little wires that can break. The Fairphone is literally just Lego at this point. The Shift phone however seems to be less talk than Fairphone, so if you want to be certain that what you pay for (in the case of these two, environmental friendliness) is achieved, the Shift has got you covered.
Hardening refers to the process of altering a piece of software in a way that makes it more secure. It is also sometimes used to describe the process of making the software more private. This sounds very good and in theory it is. It does of course come with drawbacks. A hardened Linux kernel will bring the system to a crash on purpose, every time anything suspicious happens. That's kind of wrong, but for this example it's enough. This is incredibly secure, but brings along the con of having an artificially more unstable system than before. The biggest con of hardening is performance impact. You can often harden something to quite a high degree without performance degradation, but once you go the extra mile, things just slow down. GrapheneOS is hardened to the very most extreme. It is also a lot slower than most OSs.
I was out of town yesterday, but I just wanted to let you know that I read both of these. I do already know most of the basics; I use F-Droid and have used custom ROMs in the past, but I appreciate the OS breakdown you provided.
Thanks mate!