B

bootloader

0xsigsev Yes, me too, it's not at all the first time I've read and heard these kinds of statements and pseudo-links between privacy tools and criminals. An effective riposte against this nonsense is simply to say that criminals use their cars, do their shopping etc. like us, they even breathe ! So it's clear that oxygen is widely used by criminals.

other8026

Well said. And where is light, there is also shadow.

0xsigsev Source please.

It's a real narrative that some have tried to push. There's no doubt some criminals use GrapheneOS, but I get the feeling they're outnumbered by the rest of us. Anyone who spends some time in our community will find that average GrapheneOS users are simply people who care about their privacy and the security of their devices.

Linuxx If I completely disable USB function and use wireless charging, would that make the phone the safest it can be?"

I don't know how wireless charging works, but I believe it includes negotiation for various rates. If so, in theory, that communication channel might have an exploitable implementation on the device.

bootloader
The hash for SimpleX is available in AppVerifier's database already, but just in case:

chat.simplex.app
3C:52:C4:FD:3C:AD:1C:07:C9:B0:0A:70:80:E3:58:FA:B9:FE:FC:B8:AF:5A:EC:14:77:65:F1:6D:0F:21:AD:85

What update channel do you gave selected? When a new update is relased it appears instantly on the alpha branch, then it moves to beta and lastly to stable. You can check what you have selected in the system update menu

bootloader

Completely normal.

A release announcement indicates that the source code tags are available and that the official builds will soon be pushed out via the Alpha channel.

https://grapheneos.org/releases#release-announcements

A release announcement does not mean it is available in the stable channel yet, and occasionally it night never be (in case of major issues discovered in alpha or beta testing).

I just switched to the alpha channel on my Pixel 8 and updated it.
It’s working perfectly! :)

So, both the Pixel 8a and Pixel 8 are running smoothly, just like a fish in water.

Really, thank you so much, this is fantastic, and I’m sure many people have been waiting for this update.

HAPPY NEW YEAR, AND LONG LIFE TO GOS AND ITS TEAM!

Thank you, I just tried flashing a Pixel 8a, and honestly, it’s magical.
You are amazing, thanks to the entire GOS team.

Nothing to say, it’s great.

And here’s the additional part about Diceware:

Diceware is a method of generating strong passphrases using a random selection of words. The longer the passphrase, the more secure it is. The method works by rolling dice to select words from a list, typically consisting of 7776 possible words.
Examples of Diceware passphrases:

4 words: piano finger window chair
5 words: mango rocket whisper dance paper
6 words: sunshine actor paper pencil cloud clock
7 words: cat turtle hat piano window goose march

Security and Difficulty:

The security of Diceware passphrases depends on the number of words used. For example, a 4-word passphrase has about 7776⁴ (approx. 3.7 trillion) possible combinations, while a 7-word passphrase has 7776⁷ (about 1.4 quadrillion) possible combinations.

Mathematically, brute-forcing a 4-word passphrase would take considerable time, but with modern processing power, it’s not impractical. In contrast, a 7-word passphrase, due to its vastly larger keyspace, would be extremely hard to brute-force within a reasonable timeframe, even with a powerful attack.

Effectiveness of Diceware:
Diceware’s strength lies in its simplicity and ease of use while still being extremely secure. It is considered one of the best ways to generate memorable yet strong passphrases.

You can read more about Diceware and its effectiveness here: https://www.eff.org/dice

HAPPY NEW YEAR

In my opinion, face unlocking is a high security risk. The new method makes more sense to me.
Thanks to the Graphene OS team for their work and support

INSTALLED on P9P XL and working as expected! Will report any issues if found. Amazing work as per usually... GOS is the best thing since sliced bread!

androidin It's far more convenient to use fingerprint+PIN than entering 6 diceware words you've memorized for a strong passphrase not depending on secure element throttling. The feature is not intended for use by people who are going to use a PIN as their main unlock method. It's for people who want to use a strong passphrase.

These are our recommended setups for people who care about the security of their device against data extraction:

1) random 6-digit PIN without biometric unlock, which provides secure encryption entirely depending on the secure element's throttling feature
2) 6 random diceware words with fingerprint+PIN as a secondary unlock method, which provides secure encryption not depending on the secure element at all

Our expectation is that most people would use a random 6-digit PIN and people who care more can use the new approach. What we've done is make using a strong passphrase far more convenient without allowing unlocking your device with only a biometric unlock method which can be physically/legally coerced or theoretically cloned from lifting your fingerprints off things you've touched (or by extensively recording your face and replicating it well, but we don't currently support camera-based face unlock due to security concerns).

nullable As @cdflasdkesalkjfkdfkjsdajfd said, the SHA-256 hash being compared here is the certificate hash which changes very rarely. If it changes for an app you already had installed, Android will not let you update the app as the new hash is not trusted. In that case you would need to contact the developer of the app to see what happened.

cdflasdkesalkjfkdfkjsdajfd
Yes. You can install AppVerifier via Accrescent (available from the GOS app store)

Concerning some of the recent comments, people have the right to privacy, but they're also free to share private information about themselves if they choose to. If community members want to share, I don't think it's productive to alienate them for doing anything that isn't 100% private by other community members' standards.

Yes, sharing a list of apps may give away some private details about a person, such as the country they're living in if they share a hash for a bank app, for example. But I would hope that anyone sharing such information is aware of what they're doing.

There is a limit to how long posts can be edited or deleted. If someone here has second thoughts and wants something removed, they can contact a moderator privately and we can help with that.

I personally don't have a problem with community members sharing hashes in this thread, but I hope that community members keep in mind that they should install apps from secure app stores. The official recommendation is to use Accrescent if possible, and Google Play Store for other apps. Using F-Droid isn't recommended, but if you choose to use F-Droid anyway and share hashes for apps downloaded with F-Droid, please make that clear to reduce confusion since the majority of apps on F-Droid are signed by them.

Ammako I'm surprised that a privacy-conscious person like yourself wouldn't intuitively understand what could be at stake here tbh

This post makes this whole thread sound somehow threatening, while at the same time being unconstructively vague. And why are you making this about me instead of reasoning about what is "at stake"?

People on this forum are every day sharing publicly which apps they are using, but this thread is somehow unique? It's not intuitively clear why that is. If you think that the verification info from Appverifier is a personal identifier, you are simply wrong.

If people find this thread problematic, that is something they should discuss with a moderator. They all have contact info in their bios. That seems a more constructive approach than making vague comments about me as a person.

Clark For apps you already have installed, simply open Appverifier and select "App list". For APK files you have downloaded, simply open them with Appverifier.

bootloader "app-arm64-v8a-release.apk" is what you want. You can use AppVerifier for verification. https://github.com/soupslurpr/AppVerifier.