mirror of
https://github.com/privacyguides/privacyguides.org
synced 2024-11-10 21:23:41 +01:00
Fix a other typos and move things about (#482)
Signed-off-by: Daniel Gray <dng@disroot.org>
This commit is contained in:
parent
18b5974baf
commit
b25c7f43d3
@ -76,7 +76,7 @@ The main privacy concern with most Android devices is that they usually include
|
|||||||
<h5><strong>Android Rooting</strong></h5>
|
<h5><strong>Android Rooting</strong></h5>
|
||||||
<p>Rooting Android phones can decrease security significantly as it weakens the complete Android security model. This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful <a href='https://source.android.com/security/verifiedboot'>verified boot</a>. Apps that require root will also modify the system partition meaning that verified boot would have to remain disabled. Having root exposed directly in the user interface also increases the <a href="https://en.wikipedia.org/wiki/Attack_surface">attack surface</a> and may assist in <a href="https://en.wikipedia.org/wiki/Privilege_escalation">privilege escalation</a> vulnerabilities and <a href="https://en.wikipedia.org/wiki/Security-Enhanced_Linux">SELinux</a> policy bypasses.</p>
|
<p>Rooting Android phones can decrease security significantly as it weakens the complete Android security model. This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful <a href='https://source.android.com/security/verifiedboot'>verified boot</a>. Apps that require root will also modify the system partition meaning that verified boot would have to remain disabled. Having root exposed directly in the user interface also increases the <a href="https://en.wikipedia.org/wiki/Attack_surface">attack surface</a> and may assist in <a href="https://en.wikipedia.org/wiki/Privilege_escalation">privilege escalation</a> vulnerabilities and <a href="https://en.wikipedia.org/wiki/Security-Enhanced_Linux">SELinux</a> policy bypasses.</p>
|
||||||
|
|
||||||
<p>Adblockers (Adaway) which modify the <a href="https://en.wikipedia.org/wiki/Hosts_(file)">hosts file</a> and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest <a href="/providers/dns/">DNS</a> or <a href="/providers/vpn/">VPN</a> based blocking solutions instead. Adaway in non-root mode will take up the VPN slot preventing you from using privacy enhancing services such as Orbot or a VPN. AFWall+ works based on the <a href="#graphene-calyxos">packet filtering approach</a> and is bypassable in some situations.</p>
|
<p>Adblockers (AdAway) which modify the <a href="https://en.wikipedia.org/wiki/Hosts_(file)">hosts file</a> and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest <a href="/providers/dns/">DNS</a> or <a href="/providers/vpn/">VPN</a> based blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot preventing you from using privacy enhancing services such as Orbot or a real VPN. AFWall+ works based on the <a href="#graphene-calyxos">packet filtering approach</a> and is bypassable in some situations.</p>
|
||||||
|
|
||||||
<p>We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.</p>
|
<p>We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps.</p>
|
||||||
|
|
||||||
@ -131,7 +131,7 @@ We have these general tips:
|
|||||||
<p>GrapheneOS extends the <a href="/android/#android-security-privacy">user profile</a> feature allowing a user to press an "End Session" button. This button clears the encryption key from memory. There are plans to add a <a href="https://github.com/GrapheneOS/os-issue-tracker/issues/88">cross profile notifications system</a> in the future.</p>
|
<p>GrapheneOS extends the <a href="/android/#android-security-privacy">user profile</a> feature allowing a user to press an "End Session" button. This button clears the encryption key from memory. There are plans to add a <a href="https://github.com/GrapheneOS/os-issue-tracker/issues/88">cross profile notifications system</a> in the future.</p>
|
||||||
|
|
||||||
<h5><strong>INTERNET permission vs packet filtering</strong></h5>
|
<h5><strong>INTERNET permission vs packet filtering</strong></h5>
|
||||||
<p><a href="https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter">Packet filter</a> based solutions such <a href="/android/#graphene-calyxos">Datura Firewall</a>, <a href="https://gitlab.com/LineageOS/issues/android/-/issues/3228">LineageOS</a> (DivestOS), AFWall+ and Netguard, are not ideal as they can leak and don't prevent an app from proxying a network request through another app using an <a href="https://developer.android.com/guide/components/intents-filters">intent</a>. Other filtering solutions such as RethinkDNS also prevent you from using a VPN at the same time.</p>
|
<p><a href="https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter">Packet filter</a> based solutions such <a href="/android/#graphene-calyxos">Datura Firewall</a>, <a href="https://gitlab.com/LineageOS/issues/android/-/issues/3228">LineageOS</a> (DivestOS), AFWall+ and NetGuard, are not ideal as they can leak and don't prevent an app from proxying a network request through another app using an <a href="https://developer.android.com/guide/components/intents-filters">intent</a>.</p>
|
||||||
|
|
||||||
<p>Android has a built-in <a href="https://developer.android.com/training/basics/network-ops/connecting"><code>INTERNET</code></a> permission. This is enforced by the operating system. On AOSP and most of its derivatives, it is treated as an install time permission. GrapheneOS changes it to <a href="https://en.wikipedia.org/wiki/Runtime_(program_lifecycle_phase)">runtime</a> permission, meaning that it can be revoked to deny internet access to a specific app.</p>
|
<p>Android has a built-in <a href="https://developer.android.com/training/basics/network-ops/connecting"><code>INTERNET</code></a> permission. This is enforced by the operating system. On AOSP and most of its derivatives, it is treated as an install time permission. GrapheneOS changes it to <a href="https://en.wikipedia.org/wiki/Runtime_(program_lifecycle_phase)">runtime</a> permission, meaning that it can be revoked to deny internet access to a specific app.</p>
|
||||||
|
|
||||||
@ -156,7 +156,7 @@ We have these general tips:
|
|||||||
|
|
||||||
<p>Android 12 comes with special support for seamless app updates with <a href="https://android-developers.googleblog.com/2020/09/listening-to-developer-feedback-to.html">third party app stores</a>. The popular Free and Open Source Software (FOSS) repository <a href="https://f-droid.org">F-Droid</a> doesn't implement this feature and requires a <a href="https://f-droid.org/en/packages/org.fdroid.fdroid.privileged">privileged extension</a> to be included with the Android distribution in order to have unattended app installation.</p>
|
<p>Android 12 comes with special support for seamless app updates with <a href="https://android-developers.googleblog.com/2020/09/listening-to-developer-feedback-to.html">third party app stores</a>. The popular Free and Open Source Software (FOSS) repository <a href="https://f-droid.org">F-Droid</a> doesn't implement this feature and requires a <a href="https://f-droid.org/en/packages/org.fdroid.fdroid.privileged">privileged extension</a> to be included with the Android distribution in order to have unattended app installation.</p>
|
||||||
|
|
||||||
<p>GrapheneOS doesn't compromise on security, therefore they do not include the F-Droid extension therefore, users have to confirm all updates manually if they want to use F-Droid. GrapheneOS officially recommends <a href="https://grapheneos.org/usage#sandboxed-play-services">Sandboxed Play Services</a> instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like <a href="/video-streaming/">Newpipe</a>).</p>
|
<p>GrapheneOS doesn't compromise on security, therefore they do not include the F-Droid extension therefore, users have to confirm all updates manually if they want to use F-Droid. GrapheneOS officially recommends <a href="https://grapheneos.org/usage#sandboxed-play-services">Sandboxed Play Services</a> instead. Many FOSS Android apps are also in Google Play but sometimes they are not (like <a href="/video-streaming/">NewPipe</a>).</p>
|
||||||
|
|
||||||
<p>CalyxOS includes the <a href="https://f-droid.org/en/packages/org.fdroid.fdroid.privileged">privileged extension</a>, which may lower device security. Seemless app updates should be possible with <a href="https://auroraoss.com">Aurora Store</a> when CalyxOS is upgraded to Android 12 and <a href="https://gitlab.com/AuroraOSS/AuroraStore/-/merge_requests/153">#153</a> is completed.</p>
|
<p>CalyxOS includes the <a href="https://f-droid.org/en/packages/org.fdroid.fdroid.privileged">privileged extension</a>, which may lower device security. Seemless app updates should be possible with <a href="https://auroraoss.com">Aurora Store</a> when CalyxOS is upgraded to Android 12 and <a href="https://gitlab.com/AuroraOSS/AuroraStore/-/merge_requests/153">#153</a> is completed.</p>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user