Privacy and security on computing devices need to become far stronger to protect people from pervasive violations of their rights. Users have their privacy pervasively violated by corporations, criminals and governments. There are endless privacy and security weaknesses in software with exploits of those happening on a large scale. Operating systems, browsers and other apps need to do a much better job protecting users. Enormous progress is needed on both privacy and security.
#GrapheneOS provides a massive upgrade for privacy and security over the standard Android Open Source Project. GrapheneOS is nowhere near good enough and we have an enormous amount of work to do improving both. Our work is an ongoing process and doesn't have an end point. Privacy and security heavily involve competition between attackers and defenders. Most defenders are making little progress and falling increasingly far behind.
Attackers continue improving their exploits of privacy and security weaknesses. Commercial exploit tools are increasingly widely deployed for broad attacks. Software has a very high density of privacy and security vulnerabilities. LLMs are accelerating both vulnerability discovery and exploit development. For most computing devices, defense is increasingly far behind offense. iOS and GrapheneOS are exceptional cases not representative of degrading privacy and security across computing devices.
Growing numbers of internet connected devices are incorporated into botnets. This harms the privacy and security of the internet as a whole through heavily pushing it towards centralization behind services such as Cloudflare. Insecure devices without security patches harm the internet as a whole. It isn't only embedded devices but also desktops, mobile devices and servers being used as part of these botnets. It isn't only people with these insecure devices who are harmed. It can get much worse.
We're building GrapheneOS to protect everyone's privacy and security. It's aimed at widespread adoption and is highly usable. It's compatible with the vast majority of Android apps. It has major privacy benefits for every user including stopping a lot of data collection by apps and services with a better permission model increasingly addressing being coerced to grant access. GrapheneOS has many users with little technical knowledge and isn't hard to install or use.
We're continuing to work on improving privacy, security, usability and app compatibility for all of our users. Contact Scopes, Storage Scopes, per-app Sensors toggle, VPN leak protection and many other features we provide are very important privacy protections. We're building alternatives to the Camera, Microphone and other permissions too. Our major improvements to exploit protections are there to protect user privacy. Privacy depends on security and that's why we heavily work on security too.
Contrary to what's often claimed, GrapheneOS is far more usable and requires far less sacrifice compared to other alternatives. Providing far better protection against sophisticated exploits isn't at the expense of that. Our opt-in sandboxed Google Play compatibility layer combines privacy and high usability. We're gradually making replacements for more Google services apps rely on. Location services, network-based location, geocoding and more have already been replaced and much more is coming.
Final
final@stacker.news
npub1hxx7...g75y
Security specialist and member of the GrapheneOS open source project.
Posts my own and not endorsed by my employer. AI slop and Nostr DMs ignored.
Matrix: f1nal:grapheneos.org
The alignment on the app drawer is fixed now.


We need more apps with widgets. Can't make my home screen look good...
Gaël Duval is the founder and president of the /e/ foundation along with the CEO of Murena. Duval and his organizations have consistently taken a stance against protecting users from exploits. In this video, he once again claims protecting against exploits is only useful for pedophiles and spies.
Transcription in French:
> Il y a la surface d'attaque, là pour le coup on est pas des spécialistes de la sécurité, donc je ne pourrais pas te répondre avec précision, mais des discussions que j'ai eu, il semblerait que tout ce qu'on fait, ça réduit la surface d'attaque. Donc oui, probablement ça aide. Par contre, on a pas une approche "sécurité durcie", on développe pas un téléphone pour les pédo(bip) pour qu'ils puissent échapper à la justice. Donc il y a pas des trucs pas possibles pour voir si la mémoire est pas corrompue, des trucs de sécu vraiment durcis qui pourraient être utiles clairement pour des dirigeants, dans les services secrets ou que sais-je. C'est pas notre but, notre but c'est de partir d'un constat, aujourd'hui nos données personnelles sont pillées en permanence et ça serait pas légal dans la vraie vie avec le courrier ou le téléphone, on veut changer ça. Donc on vous fait un produit qui change ça par défaut pour n'importe quelle personne.
Translation to English:
> There's the attack surface, on that front we're not security specialists here, so I couldn't answer you precisely, but from the discussions I've had, it seems that everything we do reduces attack surface. However, we don't have a "hardened security" approach, we aren't developing a phone for pedo(censored) so they can evade justice. So there aren't difficult things to check if the memory is corrupted, really hardened security stuff that could clearly be useful for executives, in the secret service, or whatever. That's not our goal, our goal is to start from an observation: today our personal data is constantly being plundered and that wouldn't be legal in real life with the mail or the telephone, we want to change that. So we are making you a product that changes that by default for anyone.
GrapheneOS exists to protect users from having their privacy invaded by arbitrary individuals, corporations and states. Privacy depends on security. GrapheneOS heavily improves both privacy and security while providing a high level of usability and near perfect app compatibility. /e/ has far worse privacy and security than the Android Open Source Project. They fail to keep up with important standard privacy and security patches for Android, Linux, firmware, drivers and HALs. They fail to provide current generation Android privacy and security protections.
For years, Gaël Duval has spearheaded a campaign to misrepresent GrapheneOS as not being usable, not compatible with apps and only useful to a tiny minority of people. He has repeatedly claimed GrapheneOS is for pedophiles, criminals and spies while claiming /e/ is for everyone. It's hardly only GrapheneOS focusing on protecting users against exploits. Apple and Google have put a ton of work into it. Apple heavily focuses on privacy and security. That includes protecting against remote exploits, local exploits from compromised apps and data extraction.
GrapheneOS and iOS are both heavily focused on privacy and security. Both are gradually adding much stronger protections against apps/sites scraping data, coercing users into giving data via alternatives with case-by-case consent and increasingly strong exploit protections. /e/ is far weaker in all of these areas compared to the standard Android Open Source Project on secure hardware. It doesn't keep up with standards updates and protections. It adds tons of low security attack surface and privacy invasive services. It's not in the same space as us.
/e/ and Murena devices are far worse for privacy and security than an iPhone. It's trivial to break into their devices remotely or extract data from them compared to an iPhone. They have weaker privacy protections from apps too. Their main approach to privacy is a DNS blocklist.
Their DNS blocklist can only block domains not used for useful functionality to avoid ruining usability. Meanwhile, the most privacy invasive behavior by apps is rarely ever split out into separate domains. Even for those, apps and websites can trivially evade DNS blocklists. It's common for apps and websites to do everything through their own servers. That's best practice to avoid leaking API keys. It's increasingly common for invasive libraries to use hard-wired IPs and/or DNS-over-HTTPS to evade blocking. DNS filtering is increasingly less useful.
Murena is a for-profit company owned by shareholders including Gaël Duval. /e/ has a non-profit organization which is also led by Gaël Duval. /e/ includes paid services from Murena. /e/ very clearly exists to build products for Murena to sell in order to enrich the shareholders.
(updated post) The Nekogram Telegram client contains code that grabs your Telegram ID and phone number to send to their own bots, also some other OSINT bots mentioned. They admitted to it in their channel (@NekoUpdates) and are insulting users in the comments. Assume your number and user can be correlated at a worst case. Keep away from third party clients.

GitHub
[Spyware, Malicious code] Malicious Code Injection and User Data Leaking in Release Binaries · Issue #336 · Nekogram/Nekogram
GitHub
GitHub - RomashkaTea/nekogram-proof-of-logging: A proof of Nekogram sending phone numbers to the developer
BTW, we don't have to pay you in fiat.
We are hiring Android app software engineers to develop and take ownership of maintaining new #GrapheneOS default applications. This is a fully remote, worldwide position.
If you have experience in Kotlin, Jetpack Compose and shipping production Android applications with commitment to security and privacy principles, come help fruit the next chapters of GrapheneOS.
Apply:
Hiring | GrapheneOS
Pixel 10a users can now try out our experimental release of #GrapheneOS. Help us fix any potential regressions for a stable release!
#GrapheneOS version 2026032000 released. This release introduces experimental support for the Pixel 10a.
- add experimental Pixel 10a support
- Launcher: change app drawer search bar to cancelling search when the back action is invoked instead of the query becoming empty
- backport SELinux policy for CameraX extensions property used by the Pixel Camera HAL from Android 16 QPR3
- hardened_malloc: multiple small optimizations to improve performance
- kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.166
- kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.127
- kernel (6.12): update to latest GKI LTS branch revision including update to 6.12.76
- Vanadium: update to version 146.0.7680.153.0
- adevtool: add support for keeping only certain unpacked images to help with constrained storage
- switch to cross-device gmscompat_lib key for 10th gen Pixels
- Auditor: update to version 91
All of the Android 16 security patches from the current April 2026, May 2026, June 2026, July 2026 and August 2026 Android Security Bulletins are included in the 2026032001 security preview release.
List of additional fixed CVEs:
Critical: CVE-2026-0039, CVE-2026-0040, CVE-2026-0041, CVE-2026-0042, CVE-2026-0043, CVE-2026-0044, CVE-2026-0049, CVE-2026-0052, CVE-2026-0073, CVE-2026-0080
High: CVE-2025-22424, CVE-2025-22426, CVE-2025-48600, CVE-2025-48612, CVE-2026-0016, CVE-2026-0036, CVE-2026-0048, CVE-2026-0050, CVE-2026-0053, CVE-2026-0054, CVE-2026-0055, CVE-2026-0056, CVE-2026-0059, CVE-2026-0060, CVE-2026-0061, CVE-2026-0062, CVE-2026-0063, CVE-2026-0065, CVE-2026-0067, CVE-2026-0070, CVE-2026-0074, CVE-2026-0075, CVE-2026-0076, CVE-2026-0077, CVE-2026-0078, CVE-2026-0079
Releases | GrapheneOS
GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account. GrapheneOS and our online services will remain available internationally. If GrapheneOS devices can't be sold in a region due to their regulations, so be it.
The official microG OS project (https://lineage.microg.org) leaked their private keys for logging into their servers and signing releases:
We make our official builds on local machines. Our signing machine's keys aren't ever on any storage unencrypted.
Our roadmap for improving security of verifying updates is based on taking advantage of the reproducible builds. We plan to have multiple official build locations and a configurable signoff verification system in the update clients also usable with third party signoff providers.
We don't have faith in any available commercial HSM products being more secure than keeping keys encrypted at rest on the primary local build machine. Instead, we're planning to develop software for using the secure element on #GrapheneOS phones as an HSM for signing our releases.
GitHub
December 2025 security issues