this post was submitted on 03 Oct 2024
208 points (97.7% liked)

DeGoogle Yourself

9013 readers
3 users here now

A community for those that would like to get away from Google.

Here you may post anything related to DeGoogling, why we should do it or good software alternatives!

Rules

  1. Be respectful even in disagreement

  2. No advertising unless it is very relevent and justified. Do not do this excessively.

  3. No low value posts / memes. We or you need to learn, or discuss something.

Related communities

!privacyguides@lemmy.one !privacy@lemmy.ml !privatelife@lemmy.ml !linuxphones@lemmy.ml !fossdroid@social.fossware.space !fdroid@lemmy.ml

founded 4 years ago
MODERATORS
 

Google's latest flagship smartphone raises concerns about user privacy and security. It frequently transmits private user data to the tech giant before any app is installed. Moreover, the Cybernews research team has discovered that it potentially has remote management capabilities without user awareness or approval.

Cybernews researchers analyzed the new Pixel 9 Pro XL smartphone’s web traffic, focusing on what a new smartphone sends to Google.

“Every 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,” said Aras Nazarovas, a security researcher at Cybernews...

... “The amount of data transmitted and the potential for remote management casts doubt on who truly owns the device. Users may have paid for it, but the deep integration of surveillance systems in the ecosystem may leave users vulnerable to privacy violations,” Nazarovas said...

you are viewing a single comment's thread
view the rest of the comments
[–] multi_regime_enjoyer@lemmy.ml 11 points 2 months ago (5 children)

What is the advantage over Calyx/Lineage/iode OS on compatible devices? I just don't want Google to have any of my money at all. Buying a privacy solution from them recoups their loss.

[–] yonder@sh.itjust.works 18 points 2 months ago

It's my understanding that Graphene has security as its main goal, not privacy, though it's also quite private.

[–] Tazerface@sh.itjust.works 15 points 2 months ago (2 children)

I don't know about Calyx or Iode but Lineage doesn't allow for a locked bootloader. This is a massive security hole and without security, sooner or later, your privacy will be violated.

Currently, GrapheneOS on a newer Pixel are the only phones that Celebrite can't breach. Celebrite machines are cheap enough that the border guards and your local cops probably have one. In my country, it's the law that a cop is allowed to examine a phone during a traffic stop.

[–] sleepyplacebo@rblind.com 2 points 1 week ago (1 children)

Schools even have Cellebrite devices now, that is how prolific they have become. GrapheneOS has a duress password to wipe the phone and you can block all data or even power to the USB port while the phone is running. If you blocked all power to the USB port while the phone is on the only way to charge it is if it is fully turned off putting your encrypted data at rest. You can just disable data on the USB port options menu in GrapheneOS if you don't want to completely turn off the whole port.

You probably already know this stuff I was just mentioning it for people reading this comment section. :)

[–] Tazerface@sh.itjust.works 1 points 1 week ago

I'm aware but it's worth saying for the new people. :-)

[–] Chulk@lemmy.ml 1 points 2 months ago (1 children)

In my country, it's the law that a cop is allowed to examine a phone during a traffic stop.

One underrated feature of the Graphene OS is that you can set a duress PIN that wipes your entire phone when entered.

[–] Tazerface@sh.itjust.works 1 points 2 months ago* (last edited 2 months ago) (1 children)

I have the duress pin/password set, the pin is written on a post-it in the case.

I should clarify, the cop can give the phone a once over but not connect to a machine or clone the phone. Cloning is a bit more involved - legally speaking.

[–] Chulk@lemmy.ml 1 points 2 months ago (1 children)

Oh, I was mostly leaving the comment for other people who might be interested in the feature.

the pin is written on a post-it in the case.

That's not a bad idea. If someone steals the phone, they might inadvertently erase it for you if they find that post-it.

[–] Tazerface@sh.itjust.works 1 points 1 week ago

I have a new strategy on the Duress. If a thief can easily reset the phone, which is what the Duress password does, they can sell the phone at a pawnshop. I now use a Duress pin that the cops will have access to but a thief wouldn't. Examples of this are date or birth, s.i.n.

[–] VARXBLE@lemmy.dbzer0.com 11 points 2 months ago (2 children)

Mainly the locked bootloader that GrapheneOS offers. It's more secure, and GrapheneOS emphasizes security over all else, but privacy features are part of that security.

[–] Andromxda@lemmy.dbzer0.com 3 points 2 months ago

As well as all the other security features offered by Pixels, like the Titan M2 secure element, which securely stores encryption keys and makes brute-force attacks basically impossible.

[–] N4CHEM@lemmy.ml 1 points 2 months ago

Other OSs let you lock the bootloader too. I know that iodéOS and CalyxOS do, for example.

[–] RubberElectrons@lemmy.world 8 points 2 months ago (2 children)

I like calyx, might try graphene some day. But I absolutely won't run Google's play services ala graphene. It's sandboxed, supposedly, but why run it at all?

Calyx uses microG, a much smaller, fully open source emulator of Google's services.

[–] tht@mstdn.social 4 points 2 months ago (1 children)

@RubberElectrons @multi_regime_enjoyer its not actually fully open source, it uses a lot of closed-source libraries, and its not as battle-tested as google's official one so there really isn't a reason to use it

[–] RubberElectrons@lemmy.world 3 points 2 months ago* (last edited 2 months ago) (1 children)

Just about all of your identifying data is stripped out by the framework before interacting with Google at all: https://github.com/microg/GmsCore/wiki/Google-Network-Connections

That alone makes it an important tool. I'm not too worried about memory exploits as I don't really install apps, but it's an important feature in graphene's toolkit.

For most people who want an Android alternative that's open source but don't have time to fiddle with it, calyxOS seems like a good solution. It just works out of the box.

[–] Andromxda@lemmy.dbzer0.com 2 points 2 months ago (1 children)

Just about all of your identifying data is stripped out by the framework before interacting with Google at all

For all of them, we strip device identifier (MAC addresses, IMEI, etc)

This is literally nothing special, as all user-installed apps are denied access to identifiers like the IMEI and MAC address since Android 10. Since GrapheneOS isolates Play services in the Android application sandbox, they don't have access to any of these identifiers either.

I’m not too worried about memory exploits as I don’t really install apps

That's not how memory corruption exploits work. These can occur anywhere in the system, and just need to be triggered by an attacker. This doesn't require you to install an app, receiving a rogue message might for example be enough to exploit a memory vulnerability in the SMS app. Visiting a rogue website, which loads malicious JavaScript can be enough to trigger a memory corruption vulnerability in the Chromium WebView. That's why GrapheneOS doesn't just use hardened_malloc, but it also disables the JavaScript JIT compiler in Vanadium by default, and offers a toggle in the settings to disallow JavaScript JIT compilation in all apps making use of the system WebView component.

[–] RubberElectrons@lemmy.world 1 points 2 months ago* (last edited 2 months ago) (1 children)

Very nice. Can I use the much smaller codebase of microG instead of Google's? Even you do not know how Play Services actually works, and that's a problem.

Further, a memory exploit that leads to compromise would need a chain of privilege escalation. There's a lot in the way of making that trivial even on stock Android. And you know what helps reduce risk of exploit? Smaller codebases.

[–] Andromxda@lemmy.dbzer0.com 1 points 2 months ago (1 children)

If you only care about security, you should keep Play Services isolated in a separate profile. That way, even if there happens to be a memory corruption vulnerability in Play services, which isn't caught by hardened_malloc or the hardware MTE in newer devices with ARMv9 chips, the rest of your system would still be safe, since Play services aren't running as root, and in order to compromise the entire system, there would need to be a privilege escalation vulnerability in all of Android, not just Play services.

And you know what helps reduce risk of exploit? Smaller codebases.

Why does CalyxOS include the F-Droid privileged extension then? It's yet another component running with elevated permissions and unnecessarily increasing attack surface. Why does it include Google's eUICC component with elevated privileges and no proper sandboxing?

[–] RubberElectrons@lemmy.world 1 points 2 months ago* (last edited 2 months ago) (1 children)

Err... That component appears to be built from source per Calyx's Gradle rules? The source is pulled from here: https://android.googlesource.com/platform/frameworks/base/+/refs/heads/main/telephony/java/android/telephony/euicc

My hardware is too old to support MTE. I'm running a pixel 3 because I'm more worried about damaging our earthly environment with this constant hardware churn.

I'm sorry you're unhappy that I'm happy. I'm still able to run Android 14 in a reasonably secure manner, I'm able to exchange information with other people easily, without Google getting much information from me, and that's satisfactory. My actual security relevant machinations happen on my much better protected laptop.

Thanks for your input, have a nice day.

[–] Andromxda@lemmy.dbzer0.com 1 points 2 months ago

Err… That component appears to be built from source per Calyx’s Gradle rules? The source is pulled from here: https://android.googlesource.com/platform/frameworks/base/+/refs/heads/main/telephony/java/android/telephony/euicc

That's apparently not the entire thing though. I haven't used CalyxOS in a long time, could go to the settings menu for adding a new eSIM and take a screenshot of it?

I’m sorry you’re unhappy that I’m happy.

Oh I'm absolutely not. I'm glad you found an OS you like, I just pointed out that GrapheneOS is far superior in terms of privacy and security, and therefore probably the better choice, but you are obviously free to use whatever suits your needs and makes you happy. And it's better than the stock OS I guess.

My actual security relevant machinations happen on my much better protected laptop.

How do you protect a laptop to be more secure than a modern mobile device? Desktop operating systems are inherently less secure, since they lack proper application sandboxing, they often don't even have mandatory access control mechanisms (such as SELinux or AppArmor) in place and don't have a good way of verifying the boot image. Secure Boot is broken and essentially useless, and can't be compared to Android Verified Boot whatsoever. TPMs aren't secure either, and can't even remotely be compared with proper secure elements such as the Google Titan M2 or Apple's Secure Enclave. Do you use QubesOS, or how did you achieve better protection on your laptop compared to your smartphone?

[–] Andromxda@lemmy.dbzer0.com 4 points 2 months ago* (last edited 2 months ago) (1 children)

but why run it at all?

Because it is unfortunately required by some apps. microG is not a viable alternative, as it requires root access on the device, which drastically reduces the security. It also has worse compatibility than Sandboxed Play services, and doesn't offer much of a benefit. It still downloads and executes proprietary Google blobs in the background in order to function. Apps that require Google services also include a proprietary Google library, making microG essentially useless. It's an open source layer that sits between a proprietary library and a proprietary network service, using proprietary binaries and requiring root access. You gain absolutely nothing from using it, and significantly increases the attack surface of your device.

fully open source emulator

This is simply false, as I explained, only a tiny bit of what microG requires to function is open source

You're far better off using Sandboxed Play services on GrapheneOS

[–] RubberElectrons@lemmy.world 1 points 2 months ago (1 children)

Dude I'm looking at the source code, there's only a binary downloaded for enabling Safety net. Why are you making false statements?

[–] sleepyplacebo@rblind.com 2 points 1 week ago (1 children)

The legacy SafetyNet check bypass may not be around much longer especially because hardware based attestation will be gradually replacing it.

https://grapheneos.social/@GrapheneOS/111504057847795464

Below is a guide for app developers who want to support third party OSs in a way that does not rely on Google. Most apps work on GrapheneOS just fine already but there are some banking apps and NFC payment systems that do not.

https://grapheneos.org/articles/attestation-compatibility-guide

[–] RubberElectrons@lemmy.world 1 points 1 week ago* (last edited 1 week ago)

Sigh. It just doesn't stop. But it's ok, Pokemon go required attestation and so I simply stopped playing. Thanks for your links.

I've wanted to run graphene but absolutely do not want google code running on my system if I can avoid it. If only there were some way to run microG on graphene.