Revamping the Android section

[TommyTran732]

Migrating Android into it's own navbar item using the new format.

Closes: #79

Link: https://deploy-preview-390--privacyguides.netlify.app/android/

[netlify]

✔️ Deploy Preview for privacyguides ready!

🔨 Explore the source changes: 403b4e0

🔍 Inspect the deploy log: https://app.netlify.com/sites/privacyguides/deploys/61bfd28cd147dd00081f0be6

😎 Browse the preview: https://deploy-preview-390--privacyguides.netlify.app

[SkewedZeppelin]

Some notes:

• DivestOS includes the Mulch WebView on all versions which is largely based on the Vanadium WebView. It is only the only known WebView for 32-bit that enables CFI.
  • OTA updates for Mulch are also available via the default enabled F-Droid repository for out-of-band WebView updates.
    • I think CalyxOS does this too?
• DivestOS includes all of the legacy AndroidHardening kernel hardening patches and the bulk of the modern GrapheneOS kernel hardening patches.
  • DivestOS goes even further with defconfig hardening too. This is far more effective than most people consider as the AOSP trees often have security features backported but disabled, eg. page poisoning is available on most 4.4 trees despite being a 4.6 feature
  • The recent loose versioning work actually brought page sanitization to all 3.4 devices
• DivestOS includes the GrapheneOS hardened_malloc on 16.0 and 17.1 for all 64-bit devices. I would like to bring this to 18.1 eventually.
• DivestOS has the exec_spawning feature on 16.0 and 17.1 but is disabled due to breaking things like VoLTE, however I very likely ported it wrong. This is lower priority, as effective as it is, it caused older devices like the Nexus 4 to take very long to open apps.
• New AdAway has a VPN mode fwiw

[TommyTran732]

Right I will add a note for this

[SkewedZeppelin]

I'd note that the version of Orbot available on their F-Droid repo and Google Play is often out-of-date. The latest version from GitHub, currently 16.5.2, has many performance, reliability, security, and arguable privacy improvements. https://github.com/guardianproject/orbot/releases edit: also I don't think it was ever confirmed, but I'd recommend isolate destination addresses when using the app vpn mode. edit2: also perhaps recommend the order of use for an app be vpn mode first, then socks5, then http. an app using http proxy won't route dns through tor iirc

[TommyTran732]

I'd note that the version of Orbot available on their F-Droid repo and Google Play is often out-of-date. The latest version from GitHub, currently 16.5.2, has many performance, reliability, security, and arguable privacy improvements. https://github.com/guardianproject/orbot/releases edit: also I don't think it was ever confirmed, but I'd recommend isolate destination addresses when using the app vpn mode. edit2: also perhaps recommend the order of use for an app be vpn mode first, then socks5, then http. an app using http proxy won't route dns through tor iirc

That was the intension lmao

[ph00lt0]

If we recommend people to buy preloaded GrapheneOS phones, we should add some explanation on how to verify the device's integrity.

[ph00lt0]

Maybe add similar explanation about rooting as here:
https://divestos.org/index.php?page=faq#rootSupport

I really like this as it also shows why you probably do not need it. It's a common misconception that you need root to uninstall system apps f.x.
adb shell pm uninstall -k --user 0 com.example.app works without root. Just as adb shell pm disable-user --user 0 com.example.app

[ph00lt0]

In the device shopping section we might need to add recommendation to pay in cash. This prevents the IMEI number to be linked to you. This obviously also requires you not to use a phone plan linked to you.

[SkewedZeppelin]

I like it! Thank you @TommyTran732 for this page among others. You are raising the bar, hopefully the communities will realize it.

[dngray]

In the device shopping section we might need to add recommendation to pay in cash. This prevents the IMEI number to be linked to you. This obviously also requires you not to use a phone plan linked to you.

In practice though I'm pretty sure most countries require drivers license/details when activating a SIM card though don't they?

Its also worth noting a SIM card keeps a record of every IMEI it has come in contact with and regularly transmits that.

[ph00lt0]

In practice though I'm pretty sure most countries require drivers license/details when activating a SIM card though don't they?

Its also worth noting a SIM card keeps a record of every IMEI it has come in contact with and regularly transmits that.

https://www.comparitech.com/blog/vpn-privacy/sim-card-registration-laws/

and yes it does. So you shouldn't use the same sim card in a new phone.

[TommyTran732]

I think that would be highly dependant on the threat model (do you wanna be anonymous or do you just wanna private with your data)

Plus its a general phone recommendation thing, not an Android thing, so i think we're fine eithout mentioning it

[TommyTran732]

Oh by the way we will have an iOS section at some point too, and hopefully with the same kind of content (here are some apps to use, which iphones are acceptable, what you should avoid doing, blah blah)

[SkewedZeppelin]

DivestOS does not handle firmware updates well currently.

Here is the status of that: https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS

[TommyTran732]

@SkewedZeppelin So I noticed LineageOS added the toggles for data and wifi connection in the application information area for each app. I just wanna confirm - Divest also inherits the same settings, right?

[SkewedZeppelin]

@SkewedZeppelin So I noticed LineageOS added the toggles for data and wifi connection in the application information area for each app. I just wanna confirm - Divest also inherits the same settings, right?

Indeed.
https://divestos.org/images/screenshots/11/Network.png

[SkewedZeppelin]

Please add this as a note regarding Pixels:
Any Verizon, Telus, Rogers, EE, or IMEIs starting with 35 cannot be bootloader unlocked. In general always avoid carrier variants.

I've seen too many people in chat rooms end up with Verizon models that they couldn't unlock.

[dngray]

IMEIs starting with 35 cannot be bootloader unlocked

Is this a standard thing? Or are there other IMEIs that don't start with 35 that also can't be unlocked?

[SkewedZeppelin]

The 35xxx IMEI is the easiest way to discern them. Sellers are often happy to list the devices as carrier unlocked and not know/label what true carrier it came from.
The 35xxx only applies to Google Pixels.

Also protip: some eBay sellers will label their devices and they will blur out the IMEI on the label, but there is usually barcode that you can still scan and determine the IMEI from.
The label is generated by a popular phone testing software many sellers happen to use.

Edit:
An example:
https://www.ebay.com/itm/304255408859
The barcode says the IMEI starts with 35803 despite being labels "carrier unlocked", it is highly likely to be Verizon or Telus.

[dngray]

I'd be careful generally buying any phones from ebay, especially Pixels. Is there any good reason/market where you can't buy a Pixel?

[SkewedZeppelin]

Where else would you buy them?
New in box from Google? that requires a Google account
New in box from Best Buy? That requires $300+.
Not everyone can afford these devices, one of the primary reasons I made DivestOS.

[dngray]

I wouldn't buy a secondhand phone from ebay, possible the complete IMEI might even be blacklisted if it was stolen, or the IMEI might have been involved in some criminal offending.

[SkewedZeppelin]

Nah, most of the bigger sellers actually buy them from the carriers or the carrier warranty partnerships.
I've bought at least 3 dozen phones off of eBay and never has one been blocked.

[freddy-m]

Give it one final check, but it looks good to me!

[SkewedZeppelin]

Nit:

includes kernel patches from GrapheneOS, enabling security features in defconfig.

These are two difference things, needs an and.

[dngray]

These are two difference things, needs an and.

Done.