fid02
fid02 1) I take it that you are asking how quickly GrapheneOS ships security and feature updates compared to the upstream Android Open Source Project (AOSP).
Answer: quickly. The monthly security patches are pushed to the Alpha channel in a matter of a few hours after the AOSP release. They usually arrive in the Stable channel after about a day, or sometimes less than that. The quarterly feature updates are shipped about as quickly.
2) No.
3) The project only recommends Vanadium, which now has adblocking included by default (it currently is using EasyList and EasyPrivacy for the blocklists). GrapheneOS has about 200k users (a conservative estimate calculated by the project). Vanadium users will generally be able to blend in with the pool of other Vanadium users; there are exceptions that will require more detailed explanation on my part.
Bromite is severely outdated and I highly discourage its usage. It's insecure.
4) Google Play Protect works fine and is able to scan the app inventory in the profile.
Doesn't make sense to use a virus scanner. Likely requires high privileges.
Your statement about a full-system compromise caused by a malicious app implies that the app takes advantage of an undiscovered critical vulnerability that will be able to escape the app sandbox. Keep your GrapheneOS device up-to-date.
If you are worried about a system compromise, I highly encourage you to set up Auditor. You can set up remote attestation and verify the system integrity by signing in to attestation.app from another device and checking the information provided there.
5) I encourage you to read https://attestation.app/about and the setup tutorial https://attestation.app/tutorial
6) You can start your knowledge journey on this topic by reading this section: https://grapheneos.org/features#exploit-protection
7) No idea what this is.
8) Haven't seen any problem reports with these apps. Likely works completely fine in a profile with Sandboxed Google Play. GrapheneOS has Android app compatibility; only a small subset of apps enforce a Play Integrity check to ban alternative OSs and rooted devices from using their apps.
1) Thank you, this is for both the OS upgrades and security patch?
2) Could you please elaborate? I want to run a system-wide VPN based on one app (PIA's APK). This is impossible?
3) While I understand that you will blend in with other users of Vanadium, it doesn't seem to have a strong fingerprint protection yet compared to Brave (farbling? I don't remember what it is called but it spoofs) or hardened Firefox.
Can you safely use either in Graphene?
The site is outdated then, because I remember reading to use either Vanadium or Bromite, but Bromite raised red flags for me.
4) Thank you, this explains a lot. I will read the full documentation later but, in short, is there anything or any way to prevent malicious apps from being installed based on invalid SHA, certificate or anything else? I generally know what I'm doing (not always) but kids have access too.
5) Thank you, I will read it.
6) Thank you, I will read this as well.
7) eIDAS 2.0 is basically having government-approved cancer. It will force all browsers and products that have "a browsing feature" to install a root certificate. This root certificate can be swapped in while browsing and replace the site certificate at any moment. It is not allowed for browsers to mention that this has happened or is happening. The browsing agent should show the normal certificate (Let's Encrypt for discuss.grapheneos.org); the only way you will notice is that the thumbprint won't match (should be AAAAAAAA but is swapped by government BBBBBBBB thumbprint). It is a government-approved MITM to "protect citizens of the EU".
8) Thank you, this explains enough for me. As a small question on this, the Pixel hardware protection is still honored in Graphene and it installs as unrooted by default. Do I understand that correctly?