reply on: My Graphene OS Journey So Far \ stacker news ~tech

535 sats \ 3 replies \ @final 31 Jul 2023 \ on: My Graphene OS Journey So Far tech

Great follow up! Great to see it is going well. I am considering upgrading device to Pixel Fold and eventually will put all the experiences on an article after the pre-order period ends. Despite it being out in some countries I've only seen one screenshot of GrapheneOS on the Pixel Fold, so I would like to see that gap filled. The GrapheneOS Forum (https://discuss.grapheneos.org/) has a lot of people discussing, so if you search a topic of interest with the search bar you can find a lot more info.

GrapheneOS phones from Google aren't the only applicable phones either. As long as they have no carrier/bootloader lock and aren't from Verizon or providers from there then you're good to go.

The data-only SIM with portable mobile setup can be overkill and I wouldn't really suggest everyone do it unless you had cellular tracking as something very likely and dangerous in your threat model. I don't do it myself. Airplane Mode turns the cellular radio off and can run in a Wi-Fi only mode and it is sufficient for many people. Also a lot better for battery from my experience.

I can also add these here, these should answer the parts you said you don't understand:

It enables features from the Tor uplift project and uses Arkenfox preferences. I had no idea what these projects were, so I have linked to sites where you can learn more.

Tor uplift is an umbrella for enhancements for Firefox done by the Tor Browser intended to being uplifted into the upstream. Arkenfox is a hardened security-privacy configuration file for Firefox.

I can’t believe how long a battery charge lasts. That was an unexpected huge benefit.

When running GrapheneOS at minimal brightness, battery saver, data saver mode and Wi-Fi only (Airplane mode on) I found I could last well over a couple days with it. Back when Pixel 4a was fully supported and I used that, I could end up getting several days of lifespan due to the smaller screen.

It is also a deblobbed browser. I won’t pretend that I fully understand what that means, but it removes proprietary blobs. I have learned that a blob is a “Binary Large Object”. These closed source objects are large and can place demands on storage systems and network bandwith. They can also contain malicious code.

In simple terms a 'blob' is just a proprietary component in an otherwise mostly open-source system, free software guys define it usually by CPU microcode updates or drivers, but they can be anything that is just binary rather than source. Web browsers may be open source but some may have a proprietary component to load DRMs like Widevine as part of the software for instance.

Mull is developed by the same person who develops DivestOS¹ which is a LineageOS soft-fork with some security enhancements from Graphene and others. He focuses a lot on deblobbing/running minimal proprietary components to my knowledge. Divest is a good project but he suggests Graphene over his OS.

He has some really good resources on comparing GrapheneOS to other operating systems, such as recent update and security comparisons for Vanadium, Chromium and other browsers ² ³ ⁴. And some other good info in a directory ⁵.

Mull Browser is forked from Fenix (Firefox).

Not a criticism but will mention this since you'll probably get this telling by asking another GrapheneOS user anyway, but GrapheneOS suggests avoiding Firefox-based browsers due to security ⁶ and prefer using WebView (Chromium) browsers because they will use the hardened renderer by Vanadium provided by the OS. Mull still has benefits because you can block ads without using a custom DNS server.

There was a similar browser for WebView called Bromite which GrapheneOS used to suggest until a schism between the developer(s) about how Bromite was allowing it's code to be upstreamed. Bromite doesn't get updated anymore so don't ever use it, but it was a considerable alternative for Vanadium if you wanted an adblocker (other than Brave) at the time. Daniel Micay also had some really good comments about Bromite and fingerprinting⁷. Using a browser other than Vanadium also has some limitations since the current WebView sandbox cannot do site isolation.

A Bromite fork came out recently called Cromite which stays up to date, and has some exclusive patches, but I don't trust it enough to use it yet since it is still very, very new. It's also currently one update behind as of me writing this.

I download my FOSS apps from F-Droid repositories, and I download most of my other apk’s from APK Mirror. This site has a good reputation for safety, but there are no guarantees.

You might be interested in Obtanium (https://github.com/ImranR98/Obtainium). It allows updating apps automatically by GitHub repository, F-Droid and can alert updates from APKMirror etc. It's a bit tedious since you need to get the URL of the app/repository first though, but it can alert you for updates by APKmirror or APKpure.

A lot of hardline GrapheneOS users use it due to security disagreements with F-Droid and past schisms with F-Droid and GrapheneOS developers.

52 sats \ 2 replies \ @siggy47 OP 31 Jul 2023

Thanks for all of the incredible information again. I will take your advice and look into other browsers. Would you have similar issues with Mullvad VPN browser? I will start using obtainium. It should make my life easier.

45 sats \ 0 replies \ @final 31 Jul 2023

Mull is fine for most people and I wouldn't really consider it an urgent deal to move over.

Firefox browsers on Desktop are much better than on Android. Mullvad, Brave and Tor are the best browsers on PrivacyTests with about the same results on each: https://privacytests.org/

Chromium-based browsers have some very good exploit protections and stronger process and site isolation but Firefox is improving well. Most of these exploit protections only really mean a lot on Windows though due to Windows-specific features.

0 sats \ 0 replies \ @franzap 1 Aug 2023

obtainium is awesome

Footnotes