this post was submitted on 27 Dec 2024

28 points (80.4% liked)

Privacy

32535 readers

111 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

[email protected]

GrapheneOS (lemmy.world)

submitted 4 days ago by [email protected] to c/[email protected]

18 comments fedilink hide all child comments

So i am installing GrapheneOS rn and i need help:

i want app tracking protection to every app something like duckduckgo's app tracking protection if there is something better?!
someone explain me (with simple words) what is auditor cause i can't understand even if i read about it on GrapheneOS' website (i am like 50% noob with these things)
is my wifi masked automatically with GrapheneOS or should i 100% use a vpn? is there a setting in the OS somewherere? i need a lot of privacy and security to my phone!!!

also tell me additional tips for privacy/security for GrapheneOS if u have any!

thanks a lot!

top 18 comments

sorted by: hot top controversial new old

[–] [email protected] 1 points 1 day ago

This "app tracking protection" is just a DNS filter. You can achieve the same by setting a filtered DNS resolver like base.dns.mullvad.net in the Private DNS options.

Auditor just verifies that your installation of GrapheneOS is real and unmodified, meaning it hasn't been tampered with by an attacker or corrupted in any other way.

I would recommend using a VPN. That's also why I prefer the DNS filter over something like app tracking protection, since it doesn't occupy your VPN slot. GrapheneOS only improves the actual Wi-Fi connection privacy (by randomizing your Wi-Fi MAC address), but it has nothing to do with the data transmission over the Wi-Fi network. That's what you need a VPN for. You can check out this comment about the Pros and Cons of VPNs, as well as the criteria for picking a good and trustworthy VPN provider: https://lemmy.dbzer0.com/comment/15631872 Here's some more advice about VPNs: https://www.privacyguides.org/en/vpn/

[–] [email protected] 9 points 4 days ago* (last edited 4 days ago) (1 children)

Not sure on this one.
The auditor is to make sure you are installing an authentic version of graphene. That it is not a modified version that has been tampered with (e.g., backdoors).
Automatically enables MAC randomization. This can help with being tracked on public networks. Fingerprinting techniques have gotten better though with deep packet inspection and even measuring radio characteristics. I've seen demos of two brand new and identical models of iPhones being distinctly picked out due to variances in the radios during manufacturing.

Doesn't help with advertisers tracking behavior based on IP. VPNs help with "blending-in" by putting multiple users behind the same IP. Provider matters here. Needs to be a VPN provider that won't just sell your data or cave to law enforcement. Mullvad is my preference. Paid with crypto. RAM only logs. That said, use Tor or I2P for anything you don't want subpoenaed.

For additional tips:

Can't remember if its on by default, but auto-reboot to put data at rest (encrypted and not in RAM). This is for a state-actor threat level, and less about advertisers.
I prefer pin codes to unlock my device and don't use biometrics. Graphene has a feature to randomize the pin pad every time to protect against a recording of the pin be entered. Specifically where the numbers aren't picked up on the video but the pattern your hand makes can be seen. Again, more of a state-actor threat level.

[–] [email protected] 2 points 4 days ago (4 children)

I've been eyeing Graphene for a while now but I'm not really a tech person. I fumbled my way through installing and doing basic tweaks on Linux Mint but I don't know the first thing about coding or programming. Is that kind of knowledge a must for this OS or is it more dummy friendly? And what's a good cheap phone to grab to start messing with it and getting familiar, do you have any recommendations on that front?

[–] [email protected] -1 points 1 day ago (1 children)

I'm not really a tech person

You don't say? You reported me to myself on a community that I created, lol.

[–] [email protected] 1 points 1 day ago (1 children)

Yeah, that's on me. I didn't read the sidebar and assumed a community named similarly to "askreddit" would require posts to have questions

[–] [email protected] 1 points 1 day ago

I created the sub (and my instance redlemmy) because they are close enough to Reddit that anyone looking to jump ship might see mine when looking for a new home, but the community is intended to be open-ended and doesn't require a strict format. Intent is to generate discussion

[–] [email protected] 5 points 4 days ago

It's almost the same as plain Android, only with the Google services removed or locked down, and additional security restrictions and permissions control. Most apps work without any additional configuration, unless they're doing something unusual.

The only supported devices are Pixels, so take your pick from the list: https://grapheneos.org/faq#supported-devices

[–] [email protected] 5 points 4 days ago

No programming knowledge required.

Graphene only supports Pixels due to the titan chip. The versions with "a" are cheaper. Check when they go end of life to find the cheapest if you care about updates. So probably the 6a or 7a if you want at least 2 years of updates.

[–] [email protected] 4 points 4 days ago

It's pretty dummy friendly. Accept that some things may not work or will work differently (Most notably tap to pay is a no go AFAIK,) and be willing to learn if something comes up would probably be how I describe it. The only problem that might turn up that an app that you need doesn't pass gOS' security checks, but there's an app level setting to lessen security restrictions if it's something you NEED.

Otherwise, meh? Flashing back to stock is super easy via a google web tool if you don't like it. (I had to for a trip, Ticketmaster was being wonky and all my shows were ticketmaster haha. I've never had a problem before with the Ticketmaster app so IDK if it's an ongoing thing or not)

[–] [email protected] 7 points 4 days ago

Best tip i can give you is this...

https://discuss.grapheneos.org/

Make an account there and find all your answers. The community is VERY knowledgeable. Good luck

[–] [email protected] 3 points 3 days ago* (last edited 3 days ago)

Tracking protection on every app is best done via custom DNS. Since you successfully installed graphene OS, you can probably follow instructions well enough to set up a few DNS servers.

Personally, I have a few adguard -> unbound (unbound set as a recursive resolver) and then adguard set up with block lists at varying levels of strictness.

A very lax instance for my router as to not break the internet for anyone on my WiFi.
A few setup strict for my devices (phone, TV etc). Personally I keep the TV on a different instance as its super chatty and I don't want it muddying up my stats for other devices
I have a separate one that services my IoT devices

If you don't feel like setting up adguard/unbound you could use nextdns or adguard hosted, but local control gives you the most configurability and privacy, depending on your threat model.

Edit: unsure why I'm being down voted. All duckduckgo is is an app that acts as a VPN and blocks traffic to trackers. Why use their blocker when you can use your own, and have it for all of your devices, not just your phone?

[–] [email protected] 5 points 4 days ago

1 i prefer netGuard but trackerControl, which is based on netGuard, seems to be what you're describing there

3 when you write "my wifi", to what do you connect your phone to?

[–] [email protected] 1 points 3 days ago (1 children)

I've been using Graphene for a while. Here are some things i've changed and found useful:

I really like the storage scopes feature. Whenever an app requests access to storage/contacts, i setup scopes for it. This feature alone makes me never want to leave Graphene.

I also really like the random mac adress feature. Whenever i connect to wi-fi, my mac adress gets randomized to appear as a different device, (except on my LAN, otherwise, my router would be flooded with different devices that in reality, are the same).

Multiple profiles is also a nice feature. I've used them before, but now i just use everything under the root profile, even Google services. Since they run in a sandbox, i'm ok with it. This is probably something you want to avoid if your threat model requires you to, but i have found that for banking apps, it was a major drawback for me, that i had to switch profiles everytime i wanted to acess them. And even worst, if i wanted to send documents over e-mail, since my e-mail was on my non-Google profile, it was very annoying, so, i simply went with everything under root.

The on/off toogle for camera & microphone is also really nice. I use it all the time.

I've also set a 1 min timer to disable my wi-fi when i have no active connection, (e.g when i leave my house).

I've changed my DNS to a more private one, (currently using family.dns.mullvad.net).

On settings, if you go to NFC, you have an option to request device unlock to use NFC. I've set this to on, dispite having NFC off all the time.

[–] [email protected] 2 points 3 days ago (1 children)

How do you set toggle timers? This is new.

[–] [email protected] 1 points 3 days ago (1 children)

I've found this video very useful when i installed Graphene.

The answer to your question can be found on minute 07:00.

[–] [email protected] 1 points 1 day ago

I watched it. Thanks.

[–] [email protected] -2 points 2 days ago* (last edited 2 days ago)

Idk if good idea and this needs root try to change the etc/hosts you can find some online.
The only con is it needs to be updated manually and requires root
You can use AdAway to do it automatically for you

[–] [email protected] 0 points 4 days ago

use FOSS software whenever you can try https://github.com/MuntashirAkon/AppManager it lets you see every known tracking library that apps have and you can even block those, while maintaining functionality. set fingerprint and don't lend your phone to anyone scan all downloads with virustotal use a hosts file based ad and malware blocker (you need root for it) like AdAway use Invizible Pro, where you can configure Tor, i2pd, dnscrypt run at the same time. Use Cromite or Tor browser or Vanadium update your software as soon as possible use a password manager, like any maintained keepassxc fork or bitwarden, with a foss authenticator app (i use Aegis) change email provider: protonmail, tutanota use Termux for everything that you don't need a gui for or don't have a gui for (like low-level operations, getting system info, compiling, converting and compressing niche formats, http server, network analysis and so on)