The 8232 Project

2024-09-27 01:47:15

GrapheneOS after one month

I made this post a few weeks ago, and I've finally been using GrapheneOS for one month. I'd like to point out things that changed, and my experiences with some of the GrapheneOS communities.

The changes

I stressed far too much about which methods to use for installing apps. In the end, it's up to you and your preference. Sure some are considered less secure than others, but it's your phone. I'll explain more about why I'm saying that later. Anyways. I get as many apps as I can via Obtainium, and install a few apps via Aurora Store.

I'd like to clarify the reason I have ProtonVPN installed via Aurora Store. App developers often develop different versions of the app depending on how you install it. Play Store versions of it might rely on Google services, whereas direct apk files may not. ProtonVPN allows you to use it as a guest, but only when you install the Play Store version. No other version of the app (e.g. installed via Obtainium) allows you to use it as a guest. Please stop commenting about this, I explained it to way too many people.

My game selection has remained the same, however Antimine is a bit of a weird one. It is still actively maintained, but the GitHub releases page is versions behind the F-Droid version, and the F-Droid version is versions behind the Play Store version. I tried installing the Play Store version, but it required Google Play Services to work (even though the app could actually run without it, it just thinks it needs it). So, unfortunately, I'll just use the outdated F-Droid version.

2048 by SecUSo actually got dark mode! Good for them for keeping things nice on the user end. Audire has been abandoned, and so I tried out Audile and it works fine.

As many users pointed out, AndBible is not abandoned. It also recently got updated. The UX is still sub par. Fossify projects are also, as many pointed out, not abandoned. Development is just slow. I'm eager to see what updates will come.

HeliBoard still has some weird autocorrect suggestions, but I made a few bug reports about it. KeePassDX no longer has the weird biometrics bug.

For eBooks, I tried out a lot of the top proprietary eBook readers:
- Amazon Kindle was authwalled (required logging in)
- FBReader was netwalled (required a network connection)
- Google Play Books was playwalled (required Google Play Services)

Then, I tried Moon+ Reader. I am so sorry, but this app is honestly fantastic. I will reiterate: it is proprietary, but it has support for Apple Book's page turning animation as well as other stuff. The open source eBook readers peril in comparison. The app is perfect, I just wish it was open source.

My music player has changed to VLC Media Player, which is honestly so much better than the desktop version. It has incredible support for use as a music manager. The only annoying bug is that it will sometimes lag for a few seconds before resuming, and there's no clear "queue" section.

I got too upset with Vanadium's lack of anti-fingerprinting and privacy features, that I switched to Brave. Honestly, I'm happy with it. It's not perfect, but I can get behind it.

The new stuff

Alright, now let me mention the new things I got to try. I wanted to try out an RSS reader, so I got Feeder. It's honestly what you expect from an RSS reader. I will say: I wish there was more distinction between read and unread articles. Currently the only difference is whether or not the title is in bold. I also wish the "Show read articles" could be changed for each feed, and not globally, or have an "Unread articles" section.

I have the I2P DEBUG app in case I ever want to access I2P pages. I'm learning about what I2P is. From what I gather, it's like Tor but... not Tor.

I tried out Image Toolbox for editing images. It's very feature rich, but very unintuitive to use.

This is the biggest change: I tried out Lawnchair and Lawnicons. It is honestly so great. I wish the default launcher had that level of customization. You can customize it in 100 different ways until your heart gives out, it's honestly fantastic. There are inconsistent minor bugs and annoyances, but the benefits far outweigh those. I'm a sucker for the iOS look, and I was very pleased I was able to achieve something in between Android and iOS. I just wish they would bring dock colors back! One of my favorite features is being able to customize any icon and name for any app on the home screen. I could make a dating app look like a graphing calculator, for example...

I tried out the proprietary Pydroid 3 app as a Python IDE. I give the developers a solid pat on the back. It's a great app. It works super well, and just has the occasional "upgrade to premium" popup to remove the "ads" that it can't load because it can't touch the internet. Good job guys.

I added Shadowsocks to my censorship circumvention toolkit. I can't find any free servers, but hey it's there in a pinch.

The community

I got some time to experience the Matrix/Discord/Telegram (they're all bridged) community as well as the issue tracker for GitHub. The issue tracker closes a lot of issues that I personally think should remain open. One I made was changing one of the default pings for an (obscure) menu from Google to GrapheneOS, a very simple fix. They closed it, which I'm upset about. I get it though, they can't fix everything.

The Matrix/Discord/Telegram community is... interesting. There's 3 people: The ones who understand almost nothing and need a lot of help, the general users who are super friendly and have wholesome interactions, and the ones who know (and/or think they know) everything. That third group is quite prevalent. They will constantly push their own threat model on you as if it's the only correct answer, and will (quite often) refuse to answer questions if it goes against their threat model (e.g. questions about Aurora Store when "Play Store is the only correct answer").

It's annoying to say the least. I try to mention as much as possible that everyone has their own threat model and it's your phone so you get to choose your own preferences at the end of the day, but that never goes over well. GrapheneOS isn't always known for taking kindly to some lesser threat models, which is a double edged sword. It's good that they have such high standards, but they need to know when to relax and let other people help. It's not bad by any means, you'll get the help you need, but it's not a good look at the end of the day.

Conclusion

That's my experiences after one month. It's been nothing short of fantastic, even with some problems. I am a strong advocator for open source software, but for a couple things the proprietary alternatives are simply the best. That's the unfortunate truth for some things. This will be my last post about my experiences with GrapheneOS, but coming from iOS, it is a super fun transition.

I'd also like to mention quickly for anyone wondering: Backups for me are currently under 5GB (not including music), and in a month with all the app downloads and music transfers over LocalSend, I used about 70GB of internet. Tubular used the most internet (about 22GB in a month). For all you curious, this can give you a nice baseline.

Thanks for reading!

The 8232 Project

2024-10-14 02:20:01

I am researching the claim that Chromium is more secure than Firefox

Edit: Here is the verdict: lemmy.ml/post/21887275

I am currently doing a deep dive into whether or not Chromium is more secure than Firefox, and I will make a very long and comprehensive Lemmy post outlining my findings with specific sources. I expected this to take a few days, maybe a week, but after finding out many of the claims for both sides give no real sources, I expect this to take a month or longer. I will be reaching out to multiple first-party sources (Mozilla, GrapheneOS, etc.) to get their detailed statements on the matter. I want to provide something that actually covers the full picture of the issue with up to date sources, to hopefully put this to rest for anyone who doesn't want to do the research.

I'm making this post in case anyone wants to provide any extra resources they have about the issue. Do not fight about this issue in the comments, save that until after I am able to release my work. I'm tired of the constant back and forth about this with little to no direct sources. This means that my other project, Open Source Everything, will be put on pause. The FAQ section of that very project is what sparked this, because I realized the issue was far more complex than I outlined in there. (Don't trust the information in the FAQ just yet: it is still in the works.)

As always, don't just give blind support to this just because I am making promises, but if you feel your support is needed then by all means go for it.

If any of you want me to turn this post into an update log, let me know and I will.

DISCLAIMER: These update logs are NOT meant to be taken as a source. I am generalizing a lot of things here for simplicity and brevity, so do not try to pick it apart. Anything I say here is likely a summary of something that will be talked about in fine detail in the article, and so it may contain mistakes.

Update 1

I need to stop posting before bed, since I end up not being able to respond to drama quickly and it grows out of proportion. Anyways, I want to answer a few questions that keep popping up (maybe I'm obsessed with writing FAQs, I don't know) and then talk about my research process.

Google Chrome is NOT the same as Chromium

This is something I already have a draft to write about in my article, because a lot of people mess up the distinction. Google Chrome is Google's proprietary "en-Googled" browser. That browser obviously has numerous privacy issues. What I am referring to in the article is what Google Chrome was built off of: Chromium. Chromium is open source (or source available, or something like that. Please stop trying to remind me of the difference, "open source" gets the point across). Many browsers such as Brave were built on top of Chromium. Many users in the privacy community use Chromium-based browsers. Chromium is mainly maintained by Google, but I will not be focusing on that since I am taking a look at the actual software and not any future problems that may arise.

I'm summarizing things here, but I will go in depth in a section of my article about this, since a lot of people are still stuck on the mindset that Google is always evil. It is true that Google is bad with privacy, but they are good when it comes to security. They have to be, given that Chromium-based browsers and Android are the most used in their respective fields. Any privacy issues can be nullified with some projects like ungoogled-chromium or GrapheneOS which remove any privacy invasive Google components. Anything Google tries to sneak in doesn't get past those projects, like a safety net, because they take very close inspection of the code.

Security vs. Privacy

Security and privacy are two distinct topics with some overlap. As I mentioned above, any privacy issues can be dealt with by using some variants of the software. Because of this, my article will focus primarily on how secure these browsers are. I do understand that security and privacy can go hand in hand: Without security there is little privacy, and without privacy there is little security. However, that is all out of the scope of what I am researching here. The reason a lot of projects such as GrapheneOS recommend against Firefox browsers (especially on Android) is because they claim Firefox has weak site isolation. That is the main point of research for my article. If I can prove that those claims are true, I can demonstrate why it is such an issue. If I can prove that those claims are false, I can try to see if Firefox is more private than Chromium, and is therefor a better option. There will be other related ideas that will crop up that will be covered in the article, that I will research about. The broad hypothesis is "Chromium is more secure than Firefox" and it is my job to find out why people say that and investigate it.

Also, many users talked about ad blocking and the recent removal of Manifest V2, which killed a lot of Chromium ad blockers. This is not the focus of the article, but let me remind you that using a browser such as Brave lets you block ads entirely. Brave is the only other browser recommended by the GrapheneOS project for its security, besides Vanadium. Yes, Brave has some bloat that can infringe on privacy, but those can be disabled. Don't forget that Brave is open source, so you are free to make a fork of it and remove whatever you'd like. The point is this: Both Chromium and Firefox both still have ad blocking, so this is a non-issue.

Who am I?

@dingdongitsabear@lemmy.ml

lemmy.ml/post/21367269/1428365…

first off, I have serious doubts that any one dude - or even a group of those for that matter - can ascertain the security of such a complex system; a browser is essentially an operating system, with all the layers and complexities that entails.

even if you're somewhat successful in such an endeavor, I don't really care if it potentially is. chromium comes from those shitmakers and I'm not willingly using anything they had their nasty fingers in. they threw one shovel of shit too many on the heap and they are now forever on my ignore list. if that means that I don't get to access certain domains, sites, and/or apps - so be it, I'll make do without.

@echolalia@lemmy.ml

lemmy.ml/post/21367269/1428393…

Are you a single person or a group of people? Do you have any credentials that you'd like to share that might give some context to your research?

Where is the quote in your bio from?

I could leave some cryptic retrospective answer here, and I would love to, but as fun as that would be it may cause more harm than good. I am an independent, singular person. If I were in your shoes, I too would doubt that any one person could research the intricacies of the matter. However, I don't need to look over every piece of code to make a conclusion. The main focus of the article, as I said, is site isolation. This is what most people reference when they talk about Chromium being "more secure" than Firefox. I already addressed the other argument about Chromium being "evil," as there are other projects that aim to remove some of the damage that has been done. Readers of my article will need to let down their precedent of Chromium being as bad as Google, and realize that Google is bad for privacy but good for security.

If by "credentials" you mean actual identification, no. Even if I told you exactly who I was, you still would have no idea who I am. However, I can give you some of my background: I am advanced in the privacy field, proof of this can be seen with my other project. I used to work as a penetration tester for a low ranking government branch, focusing on network and website security. I am fluent in Python and C++, so I can understand a lot of the code that has been written. I hope that gives you context into who I am and what I do. I guess I could also mention I like to keep high standards, I'm a bit of a perfectionist. I want the article to be nothing short of extremely thorough and comprehensive.

The quote in my bio “Unjust laws only burden the just, as the lawless will not heed them.” is my own (hence why I put "- 8232" there). I have other quotes, but that one is my favorite.

How is the research going?

I didn't quite know where to start, but eventually I settled for this: I have three notes. One is for questions I have (e.g. "What is site isolation?") that I put answers under as I find them. This means I will never be trying to fill in the gaps without sources in the article. I'll have a well informed knowledge of everything. The next note is for all the sources about the issue, categorized into "Primary," "Secondary," and "Unverified" (when there is no source listed for the claim). The last notebook is people. This one contains people and groups who know about the issue that I may get statements or help from for the article. That is all I have right now, because I needed some sleep. I plan to add a "To-Do" note, some various drafts, and a list of documents about the issue. I'll keep this updated.

An-anonymous-coder / Open-Source-Everything · GitLab

A curated list of the best open source software.

^GitLab