So a VPN isn't a VPN on Android? Regardless of this bug. Do other locked down operating systems act the same?
Mullvad and others reported on that one ages ago
It's a concern to me, because humans often extend their trust to computer trust based upon misunderstanding of the identically spelled words and lack of recognition of differing context.
VPNs, at least originally, were designed to provide access to private/business networks across another network. Office to office, home to office, that sort of thing. VPNs were only later turned into some kind of (supposed) security tool.
If your take on VPN code is "as long as your phone can reach the office printer over 5G" then this is a tiny bug. QUIC connections aren't being shut down properly, like they weren't before the introduction of the feature.
If your take on VPN code is "this wireguard tunnel must keep my identity safe no matter what" or "my security relies on this wireguard tunnel being an exact copy of all traffic exchanged over the internet" then this is a massive problem.
I don't think Android VPNs, or any VPN to be honest, were ever designed as a privacy or security measure. Especially not against apps with code execution on the device. The device itself will do all kinds of network interactions, some happening from within the modem chip itself.
Closing the bug was a mistake on Google's part, but I can see why they don't consider this a security bug in their bug bounty programme.
Google's Pixel hardware division likely operates at a loss - or breaks even.
and even if every active HN user bought $100-$400 used Pixels from Swappa, meaningless money to them.
Step one… completely reform MBA programs.
If you patch it, you'd need to find another way to de-anonymize those users.
I feel like this should be toward the top of the terms of service for the phone, even above the mandatory arbitration clause.
What planet are you from?
"Nah dog, we like watching everything you say and do."
I have been interested in using GrapheneOS but hesitant about actually getting a Pixel phone. Used phone prices are usually >$300 even for "a" series unless I go back several generations. Whether the device bootloader can be unlocked is also a question. I am definitely not ready to spend $449 on a new Pixel 10a.
Side note: I did get the 10a on launch from Google Fi for ~300.
Basically, buy a Pixel 6 or later (I suggest Pixel 7 or later, since Pixel 6 will be minimal support soon) that you are sure has an unlockable bootloader. The majority you'll see don't have an unlockable bootloader.
Which mostly means either buy direct from Google, or buy one on eBay that already has GrapheneOS/CalyxOS/LineageOS on it or for which the seller expressly says it has an unlockable bootloader.
(IME, don't bother trying to ask a seller to check bootloader, if they haven't already said. Almost no one is going to go through the process to check, the answer is probably no anyway, they might misunderstand your question and answer that it's "unlocked", and they may be tired of people asking.)
Then I decided everyone who knows about bootloader unlocking would've already checked and mentioned if it was unlockable (but not if it wasn't, since why confuse normal buyers with a fringe thing), and I've never gotten a positive response trying to tell any seller about it, so I think I'm just wasting everyone's time.
Your mileage may vary.
Used is a gamble due to improper OEM unlocking practices, so make sure it has a good return policy and try to verify OEM unlocking is accessible if you purchase used.
Yeah, do that.
It’ll still be the snappiest phone you’ve ever used.
I'm surprised they honored the embargo at that point, and delayed the fix until May. Why not just release immediately?
So just download f-droid yourself? Why the fixation on having a definitive, preloaded app store?
>I much prefer a fully OSS package manager and there is real value in having people compile from the sources externally, maybe even reproducibly so, instead of trusting the github packages.
Operating an app store is almost as much work as maintaining an Android fork, and it's hard to fault the authors for not sinking massive amounts of effort into doing it, when there's already f-droid, play store (plus aurora store), obtanium, and many others.
Out of the box it has only a launcher and the minimal OS. All the minimalist needs.
If you want more, you get to decide where to go for that.
I call it empowering users, you call it inconvenience, but maybe in that case it's not the best OS for you?
GrapheneOS has the "App Store" to get the most basic apps required for general usage. Accrescent is distributed there because it follows Android's security baseline for being an actual app repository while F-Droid and Aurora Store do not. There really isn't a value in having third parties compiling apps to check for any malicious activity, which F-Droid does. These checks are not reliable and have been bypassed. It's one of the reasons why Wireguard is no longer on F-Droid. If you don't trust an app enough to get it directly from the developer, then don't use the app at all. The privacy and security benefits of GrapheneOS are supposed to be nearly invisible to the average user. Examples include a hardened memory allocator and memory tagging extension to protect from memory corruption bugs, and the ability to install sandboxed Google Play to use Google services without Google having complete control of your device.
GrapheneOSs App Store is present to fulfil the role of the first party appstore that AOSP requires. It also serves to provide updates to first party apps out-of-band, and mirror apps for various case-by-case reasons.
Accrescent is mirrored due to it having a focus on privacy and security. It is currently in alpha and app submissions are closed. They will be open Soon:tm:.
Google play is mirrored for app compatibility with apps that require google play, and for access to the playstore.
The GrapheneOS community favors Obtanium due to its ability to fetch developer-signed apps from places like Github. Fdroid signs and builds nearly every app on the main repository with outdated build infrastructure and poor moderation.
GrapheneOSs security model inherits and builds upon the AOSP security model.
You're safer using a standard Android phone than using an OS as duct-taped together as CalyxOS.
Care to source this claim?
CalyxOS is not a private or secure operating system. They have added several 3rd party apps and services, which includes several 3rd party connections. On top of this, several of these services are given problematic, privileged access.
A notable example of this is Android Auto. CalyxOS grants substantial privileged access to this component by default, while GrapheneOS sandboxes it, and exposes 4 opt-in toggles for privileged access. The user may granularly decide what privileged access they wish to grant.
Can you even lock the bootloader on your device? [2]
[2] calyxos.org/lock
https://old.reddit.com/r/CalyxOS/comments/1t3tdt6/calyxos_pr...
The all apps stemming from app stores in the builting App Store is to provide a minimalist experience by default whilst keeping google play apps accessible. GrapheneOS has a majour focus on accessibility. They avoid users having to be technical to install an app store to get their apps.
See, mobile phone vendors have their hands tied - they can offer bootloader unlocking, but they can't touch Google spyware, otherwise they won't be "certified", won't be able to use Google Play or even the name Android.. That's of course not enough for Google, they also want to go after users which of such systems / modified systems (with unlocked bootloader) - that's what "Play Integrity" is about, they work hard to make sure the phone gets as useless as possible.. Together those two basically prevent vendors from making the mobile privacy landscape any better.
In the EU, we should outlaw Play Integrity first, by mandating that security level attestation might only be done in a way there's an independent auditing body that might certify alternative operating systems (these could use standard Android attestation) based on objective security criteria, not the Google spyware criteria. I heard about the "UnifiedAttestation" initiative but I'm not sure what's the progress on that.. not that I'm a fan of attestation at all, but you need to understand that it's a different thing when you attest the security model of the system, and a different thing where a system being "secure" actually implies Google spyware must be installed. For banking apps, I'd just want a secure OS, like GrapheneOS - without GMS.
Howver, the main antitrust investigation should happen in the US, only US courts can bring relevant Google executives to justice.
"GrapheneOS responded by disabling the underlying optimization entirely in release 2026050400."
GrapheneOS "fixed" the leak by disabling the optimisation
Some HN commenters in the past have praised QUIC and downvoted comments that questioned who QUIC stands to benefit the most
Using QUIC may serve the interests of others but for me the tradeoffs are not worth it; I block QUIC traffic
QUIC is sometimes on by default in software distributed by Google, like Android, and in some cases there is no option to disable it
GrapheneOS also has fixes for around 5 other VPN leaks and more fixes on the way. Android currently implements VPNs in a way that's prone to leaks due to VPNs being per-profile but profiles not using their own network namespaces yet and also depending on central services for the DNS resolver and various other things which have to properly handle VPN support. We have plans to improve the VPN architecture in the future to make it very resistant to leaks. There will also be support for running apps or groups of apps in VMs which can have even stronger protection against it.
QUIC as it is is brilliant, and this is not a feature of the protocol, it's a feature of the surveillance OS (Google's Android).
Other than that I checked on the OS before the latest release, and it didn't work anyway.
1. A new (albeit "hidden" [2]) network API registerQuicConnectionClosePayload(fd, payload) lets a process set any byte array for the OS to send on its behalf.
2. No ("panaroid networking") permission checks against the calling uid/process when sending that byte array out on a OS-owned UDP socket.
3. Bypassing ("panaroid android") permission checks [3] by simply calling network-related syscalls (or libc/bionic functions) as opposed to Android SDK APIs.
These steps essentially amount to app sandbox escape (2,3) and privilege escalation (1,2). I am utterly confused why the Android security team at Google won't take this more seriously.
[0] https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypas...
[1] https://discuss.grapheneos.org/d/35152-android-always-on-vpn...
[2] In as much the code mmap'd into your own process can be "hidden" away. For their exploit though, the author cleverly abuses Binder IPC primitives to reach the "hidden" parts.
[3] This bypass probably only works for this one scenario because of #2.
