  • What are your top 3 favorite features about Graphene?

  • [deleted]

  1. PIN Scrambling - One of the best features on GrapheneOS.

  2. Auto Reboot - This feature, BFUing the device by selected time is just wonderful.

  3. Network Permission - Big Techs will never include such a feature in their proprietary operating systems.

  4. The name itself, GrapheneOS.

    • [deleted]


    I wonder how difficult it is to attack stock Android on a Pixel, I doubt it's within everyone's reach. I watched an interview with the founder of VLC who talked about security and said that Chrome is extremely secure, so since many applications use Chrome an attack becomes virtually impossible. For privacy, there's an application called Android System Intelligence, which lets you retrieve personal information locally and process it without having access to the network. So Android stock is already very secure and privacy-friendly. Personally, the only (not pejorative) advantage I find in GrapheneOS is that it's a very streamlined operating system on which you can install whatever you want.
    Itw of VLC: https://podcasts.google.com/feed/aHR0cHM6Ly9mZWVkcy5hY2FzdC5jb20vcHVibGljL3Nob3dzLzQzMTYwYWRjLWZhZGQtNDc2NC1iOTNmLWFhMWNhOTNmMjJiZg/episode/NjU2MGQ0ODZhMGVjNzEwMDEyNzNhODk2?ep=14

      [deleted] Personally, the only (not pejorative) advantage I find in GrapheneOS is that it's a very streamlined operating system on which you can install whatever you want.

      True, it's streamlined. But the real super power is the privilege to uninstall any piece of software you don't want on your system, too. That is a big advantage over stock Android (among others) where you're stuck with Google stuff (which is, for the most part, not only privileged, but also cannot be uninstalled).

        • [deleted]

        Phead The fact that it is privileged also has its advantages: automatic updates, a really effective advanced protection program (no sideloader), the obligation to use the Play Store, which is apparently the most secure solution... So I'd say we'll have to see.
        - What is the danger of having a privileged application?
        - Have any users ever been put at risk because of this?
        - What's the danger of this privileged application having access to hardware identifiers?
        That's a real question, and I'd like to know what the dangers are. To have a threat model you have to know the risks and I don't really see them. From what I've seen since yesterday, it's more like people tinkering with who knows what to get this or that application working again 🤣

        1] Privacy
        2] Security
        3] Privacy & Security

        [deleted]

        I don't get the reason for PIN scrambling. If the numbers are scrambled, it means I have to type the PIN slowly. I would much rather rely on a quickly typed PIN that has a standard interface than a slowly typed PIN with a jumbled interface. If someone is shoulder surfing you, they will absolutely not be able to see what I type, as long as there are at least 4 unique numbers. My PIN is over a dozen digits, which I switched to after using a password of slightly more characters, because of the difficulty in someone being able to acquire the password from shoulder surfing. The password was just too error prone and I couldn't type it very fast.

        I can type my PIN in less than half a second, way too fast for someone to see it. Even if the PIN is long, if it's jumbled, it just takes above average vision and memory for an attacker.

          gk7ncklxlts99w1 I don't agree. Two banking apps that I have and one work phone have it mandatory to use scrambled PIN input. With a good reason. The only way someone can figure out your PIN is if they record you... but the same applies for your super fast PIN input which can be easily guessed just observing where you place your fingers.

            I tend to agree that PIN scrambling is overkill for the majority of standard threat models, it's a good feature and it's good that it's available, but the majority of users probably don't need to add this complexity every time they want to use their PIN.

            Also, if you trust SE, a random 6-digit PIN code is correct; Google Pixel generations 6 to 8 use the Titan M2, which is a really robust security chip.

            gk7ncklxlts99w1

            I personally find the PIN scrambling feature helpful for users whose threat model includes being spied on through shoulder surfing or surveillance cameras.

            If you are often forced to enter your password in public places or near people (metro, etc.) - e.g. due to the fingerprint bug - a long PIN + scrambling could in some cases be a better option than a password.

              [deleted]

              1. The name itself, GrapheneOS.

              I hadn't even thought about it, but you're right: GrapheneOS really is a cool name!

              • [deleted]

              One thing I'm thinking about for the safety of battered women, for example, is not displaying emergency numbers in the call history.

                • [deleted]

                [deleted] The lame GOS competitor we're not supposed to mention here has set this up, and I think it's a good thing.

                • [deleted]

                operation-casserole

                What are your top 3 favorite features about Graphene?

                1. The ability to disable the Cross-origin referrer for Vanadium.
                2. Storage/Contact Scope.
                3. Disallow/Allow Users running in the background.
                8 days later

                ivicaivica

                A video definitely renders either method useless, assuming a decent frame rate and quality. A PIN typed fast enough might be harder to track even on video, but I wouldn't bet on it. A jumbled interface might make it so a video would need to get a good view of the numbers. But that's neither here nor there.

                I still think I'd rely on my method more, in the absence of better logic. I don't see how your anecdote runs counter to my argument, just because a bank or employer requires jumbled PINs doesn't mean that's the best method.

                  mmmm

                  It feels like it. It's probably more like 1 or 1.5 seconds (I just tested it). I'm not the fastest touchscreen typist but I've had practice with that particular PIN. It would be useful to have statistics on entering PINs...but I don't expect it.

                  Murcielago I include that in my threat model and I decided against using PIN scrambling for that very reason, cause I type it slowly enough that someone could pick it up. It's so much slower that it takes me about 30 seconds.

                  gk7ncklxlts99w1 Neither method is better... It depends on your threat model. What are the chances that a high resolution camera will be filming you from a perfect angle to see what numbers/letters you type to your phone... scrambled or not. Btw, enable the password input to be invisible for added security.

                    ivicaivica Yeah I had that option enabled. It was a bitch to type out, and I was using a fairly short (15-16 character?) password.

                    • installation (LineageOS was such a mess)
                    • camera
                    • permission system

                    I see many of the preinstalled apps as bloat, even though understandable, because they are outdated and lack most features.

                    • Deku SMS
                    • Fossify Gallery, Files, Calendar
                    • Mint calculator
                    • next clock
                    • FlorisBoard / OpenBoard

                    But for sure they are essential to have a minimal working system.

                    gk7ncklxlts99w1 I can type my PIN in less than half a second, way too fast for someone to see it.

                    Have you noticed all the damn cameras all over the place, which are likely recording and may be able to capture your PIN for slow playback?