dgzeij

  • Dec 6, 2023
  • dgzeij I can autofill via Bitwarden, but with two password fields it puts the username in the first password field and the actual password in the second field.

    • dgzeij
      Ok, that makes it more clear for me and my set-up now. Thanks again.

    • I was prepared to reset my device back to stock PixelOS just to test whether or not I could get FIDO2 working in web browsers there. However, I now heard that my company's FIDO2 project has concluded that FIDO2/CTAP2 is simply not supported in Android. They will have to either wait for official support (I suppose only Google knows when/if this is going to happen) or use a third-party API to get proper FIDO2 working as SSO. Probably the latter.

      dgzeij Proton.me in Vanadium accepts a security key, although it just ignores the PIN code.

      This might help in understanding why certain sites do not enforce PIN: https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs

      PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.

      If a service provider does not specify a setting for User Verification, most modern browsers will default to setting it to Preferred (as per the WebAuthn spec), which may result in a PIN prompt.

      Microsoft enforces FIDO2, and if the browser or device does not support it... I'm looking at you, Google.

      dgzeij Do Microsoft and Google disable the option to log in with a security key on Android? Or is it just something broken at my end?

      I'm enrolled in Google's advanced protection program, and I do get the option to sign in with Yubikey in both Vanadium and Play Store. However, it still enforces a password in addition to Yubikey. Which is much better than phishable MFA, but still. I find it hilarious that Google supports FIDO2 with Yubikey as passkey on desktop, but their own OS does not.

      Microsoft enforces FIDO2, which is why they don't even give you the option for security keys in web browsers on Android – there's really no point in displaying the option, as it just doesn't work.
      If you enable desktop mode, you do get the option for security key with either USB or Bluetooth. But the dialog closes just after authenticating, and Microsoft tells you that something went wrong.

      Organizations can utilize Microsoft's own FIDO2 implementation in Microsoft apps (Microsoft Entra certificate-based authentication), as long as they follow the steps outlined here and the security key supports certificates. However, this is beyond the scope of most GrapheneOS users. Although I can confirm that Microsoft Authenticator detects the Yubikey correctly on GOS, I have yet to be able to test this properly as my organization has not rolled out Certificate-based auth.
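The User Verification behaviour described in the post above, as an added example that is not code from the post, from GrapheneOS or from any vendor: the relying party picks the `userVerification` policy that the browser forwards to the key (which is what decides whether a PIN prompt appears), and on the server it must check the UV bit the authenticator actually signed rather than trusting that a prompt was shown. All function names are hypothetical, and the authenticatorData bytes are constructed here, not captured from a real key.

```javascript
// Added example, not code from the forum post or from any vendor: how a
// WebAuthn relying party (RP) chooses the User Verification policy that causes
// (or suppresses) the security key's PIN prompt, and how it must check the UV
// flag in the returned authenticatorData. Function names are hypothetical.

// Browser side: the RP builds the options passed to navigator.credentials.get().
// 'required'    -> authenticator must do PIN/biometric, or the ceremony fails
// 'preferred'   -> default when omitted; authenticator does PIN if it can
// 'discouraged' -> touch (user presence) only, no PIN
function buildGetOptions(challenge, credentialIds, userVerification = 'required') {
  return {
    publicKey: {
      challenge,                          // Uint8Array issued by the server
      timeout: 60000,
      userVerification,
      allowCredentials: credentialIds.map((id) => ({ type: 'public-key', id })),
    },
  };
}

// Server side: authenticatorData layout per the WebAuthn spec:
//   bytes 0..31  rpIdHash (SHA-256 of the RP ID)
//   byte  32     flags: bit0 UP, bit2 UV, bit6 AT, bit7 ED
//   bytes 33..36 signCount, big-endian uint32
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;
const FLAG_AT = 0x40;
const FLAG_ED = 0x80;

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(0, false),
  };
}

function bytesEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i]; // constant-time compare
  return diff === 0;
}

// Policy check for an assertion. The PIN prompt the user saw (or didn't) is
// not evidence of anything; only the UV bit the authenticator signed is.
function checkAssertionPolicy(authData, policy, expectedRpIdHash, storedSignCount) {
  const ad = parseAuthenticatorData(authData);
  if (!bytesEqual(ad.rpIdHash, expectedRpIdHash)) {
    return { ok: false, reason: 'rpIdHash mismatch' };
  }
  if (!ad.userPresent) {
    return { ok: false, reason: 'UP flag clear: no user presence' };
  }
  if (policy === 'required' && !ad.userVerified) {
    return { ok: false, reason: 'UV required by policy but UV flag clear' };
  }
  // Spec's assertion-verification procedure: a counter that fails to increase
  // (when either side is non-zero) suggests a cloned authenticator.
  if ((ad.signCount !== 0 || storedSignCount !== 0) && ad.signCount <= storedSignCount) {
    return { ok: false, reason: 'signCount did not increase: possible cloned authenticator' };
  }
  return { ok: true, userVerified: ad.userVerified, signCount: ad.signCount };
}

// Constructed sample data (not captured from a real key): a stand-in rpIdHash
// and a helper that builds a minimal 37-byte authenticatorData.
const SAMPLE_RP_ID_HASH = new Uint8Array(32).fill(0xab);

function makeAuthData(rpIdHash, flags, signCount) {
  const out = new Uint8Array(37);
  out.set(rpIdHash, 0);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}

const ASSERTION_WITH_UV = makeAuthData(SAMPLE_RP_ID_HASH, FLAG_UP | FLAG_UV, 5);
const ASSERTION_TOUCH_ONLY = makeAuthData(SAMPLE_RP_ID_HASH, FLAG_UP, 5);

// Same touch-only assertion, two different RP policies: 'required' rejects it,
// 'preferred' accepts it and merely records that no PIN was used.
const STRICT = checkAssertionPolicy(ASSERTION_TOUCH_ONLY, 'required', SAMPLE_RP_ID_HASH, 4);
const LAX = checkAssertionPolicy(ASSERTION_TOUCH_ONLY, 'preferred', SAMPLE_RP_ID_HASH, 4);
```

The practical point for the "site ignores the PIN" observation: with `preferred` the key is allowed to skip the PIN, and a server that only inspects whether the signature verifies cannot tell a PIN-backed assertion from a touch-only one unless it reads the UV flag as above.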

      • Proton's fundraising campaign is open for entries again.
        Here is a link to the blog post of Proton:
        https://proton.me/blog/lifetime-fundraiser-survey-2023

        And here is the direct link to the form:
        https://form.typeform.com/to/zB7qwhLQ

        Please consider filling in the form. If we are lucky like last year, GrapheneOS gets chosen, which will help with the general funding.

        That's all; thank you guys for this amazing project and all of your hard work!

      • If you want to know the difference between sync and async mode:

        https://community.arm.com/arm-community-blogs/b/operating-systems-blog/posts/new-mte-user-guide

        Synchronous mode (SYNC)

        In synchronous mode, a mismatch between the tag in the address and the tag in memory causes a synchronous exception. This identifies the precise instruction and address that caused the failure, at the cost of a slight performance impact.

        Asynchronous mode (ASYNC)

        In asynchronous mode, when a tag mismatch occurs the processor continues execution until the next kernel entry, such as a syscall or timer interrupt. At this point, it terminates the process with SIGSEGV using code SEGV_MTEAERR. The processor does not record the faulting address or memory access. ASYNC mode has a smaller impact on performance than SYNC mode.

        As synchronous mode prioritizes accuracy of bug detection over performance, it is most useful during development or as part of a continuous integration system. In these situations, the precise bug detection capability is more important than the performance overhead.

        On the other hand, ASYNC mode is optimized for performance over accuracy of bug reports. The information about where the bug occurred is less precise, but ASYNC mode provides a low overhead detection mechanism for memory safety bugs. It is useful for production systems when performance is more important than detailed bug information.

        • GrapheneOS is interested. That said, there might be a reason why Google hasn't enabled it yet.

          That reason might be because they want to enable it when they have improved/finished their desktop mode, or it might be that it is buggy and can cause serious issues, so they're keeping it disabled until those are addressed.

          For GrapheneOS to enable it early, rigorous testing would need to be done to ensure that it is safe to deploy at this time.

        • I'm currently enjoying my P7P+GOS, but am thinking of buying the new iPhone 15 with a credit card [not cash, so it's more traceable], with a new SIM, new number, installing Facebook and Twitter, posting what I had for lunch [with an image], connecting an Apple ID, backing up to iCloud, then turning it off, placing it in the desk drawer and NEVER turning it on again. Then the spooks can spend their time trying to track that phone while I enjoy my privacy with my P7P GOS :]

          • VAULT Should I buy 8 Pro now or hold out for the Pixel 12 that's due in 2027?

            I'm not sure the Pixel 12 will be the best tactical move. After all, it will still be cellular, while the Pixel 13 will communicate via quantum entanglement instead. Sure, QE will be a little slower than 7G cellular, but it will be much harder to tap, and I think most GrapheneOS users will want to prioritize privacy over higher-def YouTube streaming.

            To be serious... MTE does sound like a genuine advance. But it may well take months for the software to successfully deploy the new capability offered by the hardware, and in those months the price of a Pixel 8 seems more likely to go down than to go up.

            So my personal advice would be to encourage people with a 4a, 4a5g, or 5 to move quickly to a 6/7/8 based on personal factors such as threat model, price sensitivity, carrier support, etc. I expect that people more concerned about exploits will probably be buying genuine extra protection by plunking down the additional money for an 8. People with a 4a, 4a5g, or 5 who are more concerned about price and/or widespread carrier support might well pick a 6-series or a 7-series.

            I would recommend against 5a's except for people who want to test the waters with a second device, or who want a second device for development purposes. Given the current situation with backups, I would recommend against moving one's life onto a 5a as a primary device, even though they're pretty cheap and will likely get cheaper pretty fast.

            But that's just me! And I don't speak for the GrapheneOS project.

          • Should I buy 8 Pro now or hold out for the Pixel 12 that's due in 2027? Imagine how much better that will be 😉

            I'm thinking of using strong self-control and waiting for the Pixel 12... only 1,457 days to go, guys!

            • dgzeij Yes, not only Google but Apple does the same: they announce something on stage and say "coming soon".
              But for the cloned apps there was no official announcement, I believe; it was there in the Developer Preview version, though.
              Check these links:
              https://www.xda-developers.com/android-14-app-cloning/
              https://www.sammobile.com/news/android-14-announced-copies-samsungs-app-cloning-feature/
              https://twitter.com/mishaalrahman/status/1623408888757223425?s=61&t=mi0s-owyk0dRcnPebZjz3w


              dgzeij Do a fresh install of GrapheneOS.

              A factory reset should be fine in most cases (⁠•⁠‿⁠•⁠)

            • iyanmv So I guess it will not be useful to discuss further with them.

              Maybe you could get a tech journalist to publicly mock them?

            • QuasarJoke First of all, welcome to the community; it's great how you appreciate the project and want to help your parents with tech.

              I have taught 2 adult people to use GrapheneOS (40+ and 50+ years old) and might be able to give you some answers.

              1.) The most important thing is: make it as easy and as automated as possible for them. You don't want them to have a lot of negative/restrictive experiences when getting used to a new environment, even if it means compromising on security and privacy in some regards. You'll also be their go-to tech guy for questions, so please make your life easier (you can always make it more private down the road if wished).

              This is what I recommend:

              • Install Sandboxed Google Play Services (as described on the official homepage) and if your parents have a google account already, let them log in so they don't have a complicated experience down the road (if they don't, make a throwaway account for them). Install all apps through the Play Store since it's auto-updating them. If there are any apps they need to use and that are not available in the Play Store, try Neo Store in addition to Play Store as this is the only other store to allow auto background updates to my knowledge.
              • Set every store up to auto-update on Wi-Fi (might need to remove battery restrictions). Also set GOS to auto-update on unmetered networks and auto-reboot after.
              • Disable auto-reboot for the system (security settings) or set it up to 48h if you are sure your parents will use the phone more often. People don't like it when their tech behaves "weird" without their input.
              • Disable the PIN on the SIM card, don't use PIN scrambling, and set up a 6+ digit GOS PIN they are used to entering. Make sure that's the only PIN they have to enter when using GOS (don't use app passwords or anything if not needed, or only if your parents are used to it). They might have to use it in banking apps as well when confirming a transfer, so explain it to them.
              • Set up fingerprint unlock with them. I have read and seen on Side of Burritos that it's supposed to be computed and stored on the device securely and never sent to Google, but I can't tell you any details. My point would be again: convenience over privacy in the beginning. GOS is very private even when using Play Services compared to any out-of-the-box Android OS. Explain to your parents that they will need to enter the 6-digit PIN from time to time and that it's update-related and a good thing.
              • In their home WiFi, check if the default per-connection randomization doesn't cause connection trouble. If it does, set it to per network randomization.
              • Regarding Bitwarden: Yes that's a good idea (if they use vanadium or any browser that supports it, e.g. not Brave Browser currently). Explain it to them and make sure they have a quick access tile at hand in case the auto fill doesn't pop up.
              • In general: Stick to what works and what they are used to do. Don't try everything at once. E.g. if they use YouTube, install the official app and don't try to get them to Newpipe or Libretube right away, it breaks regularly and will cause confusion.
              • Make yourself available to them so they know how to reach you if anything doesn't work for them. If you followed the tips above, it won't be that often.

              That's all for now, I hope it helps you and them to have a good experience.

              • Defining types of users

                First, we have to understand how a user uses their device. Usually, there are three types of users: light, medium, and powerful. Below, I am going to define all three types of users. You can choose which category you fall into. They can be a bit subjective.
                 
                Light user
                Light users are involved in tasks like making calls, sending messages, checking emails, occasional web browsing, and minimal app usage. They don't heavily multitask or use resource-intensive applications. On average, they get 1–2 days of battery backup.
                 
                Medium user
                Medium users engage in tasks like moderate web browsing, social media, occasionally streaming music and videos, and some app usage. They multitask, but they don't push their device to its limits with constant heavy usage. They get around 12–24 hours of battery backup.
                 
                Power user
                Power users are individuals who heavily rely on their phones. They play games and use productivity tools regularly. They stream videos, engage in multitasking, and use their phones for work-related activities. They get around 4–8 hours of battery backup.
                 
                These battery backup durations can vary depending on your device model. Models like the Pixel 6a have 4410 mAh, and the Pixel 6 Pro has 5003 mAh. So don't compare your phone with those that have a high battery capacity.
                 

                Tips to maximize the battery backup

                 

                1. Use features like turning off WiFi and Bluetooth automatically.
                   
                2. Turn off NFC and printing.
                  For convenience, use QuickTile for NFC.
                   
                3. Use GrapheneOS Power
                  GrapheneOS offers disabling apps. This feature is beneficial for both privacy and battery backup. Some apps deserve to be disabled, like food delivery and shopping apps. They give notifications like "70% off or 90% off orders now". Disable those apps that you don't use frequently. Maybe you have a taxi app, a Google Maps app, or some other app that can help you in an emergency.
                  For example, if you have multiple apps that serve the same purpose, like Organic Maps and Google Maps, and you are using organic maps to replace Google Maps but also want to use Google Maps for searching complicated places or for traffic, you can disable Google Maps and use organic maps until you need Google Maps.
                   
                4. Use Data and Battery Saver
                  Enable these two features for good battery backup. These features can break some apps that need to run in the background with unrestricted data, for example, Syncthing. You can always whitelist these apps from these restrictions.
                   
                5. Keep apps optimized
                  There are some unique scenes. Some apps are so necessary that we can't simply disable them. They keep refreshing in the background.
                  For example, I want a weather app with good animation, a better UI, and more features like Rain. But it doesn't give an option for manual refreshing. So I keep this app on "restricted battery".
                   
                6. Dark theme
                  Don't use the usual gray-dark theme. It will not help you save battery. The gray-dark theme doesn't let the screen's pixels go off. Instead of that, use a pitch-black theme. Most of the apps offer dark themes along with pure dark themes under different names.
                   
                7. Screen Brightness
                  Screen brightness plays a very significant role in battery consumption. Everyone has noticed it at some point. Adjust the screen brightness according to your environment. For convenience, use adaptive brightness. If you are using a pure dark theme on an OLED display, you can save so much battery power even at high screen brightness.
                   
                8. Disable auto-sync
                  Disable auto-sync for accounts that don't require real-time updates. Decrease the frequency of app refreshing. For example, Obtainium, Feeder, Forecastie, etc. You can set their frequency to once a day.
                   
                9. Disable Google's crap
                  If you have sandboxed Google Play, try limiting it as much as possible for better battery life and privacy.
                  Under settings>>Apps>>Sandboxed Google Play>>Google settings, you can delete the Google advertising ID, turn off nearby sharing, disable unknown tracker alerts, and other useless crap that is not going to work because of sandboxing.
                   
                10. Keeping your phone away from heat
                  Heat is the biggest enemy of any electronic appliances. Make sure your phone is not heated for long periods of time.
                  Don't charge your phone with your laptop if your AC is not on. Charging your phone slowly is good for the battery. But it takes so much time to charge your phone, and your phone is hot during this very long time and generates heat.
                   
                   
                  Optional
                   
                11. Disable "Secure app spawning"
                  Use it at your own risk. Again, use it at your own risk. Disable this feature according to your threat model. Before reading further, I highly recommend you read this.
                  Now I will tell you why I am telling you to disable this feature. This feature makes your CPU do extra processing, which requires extra power from your battery. I have no data. It is only based on assumptions.
                   
                  You can completely skip this if you are going to replace your battery when it degrades.
                   
                12. Healthy charging habits
                  Use your phone between 20% and 80%, don't use fast charging, etc. It is not usual blah-blah. Don't believe this type of article. If you don't like your phone to use between 20% and 80%, then don't follow this tip. But at least put yourself in a position where you are guiding others in the right direction. Instead of that, read this . There are already so many studies conducted and so many videos available on YouTube that show how lithium-ion batteries work.

                Myths

                1. High resolution consumes so much power
                  High resolutions only consume a high amount of power when your GPU needs to work harder, like when you play games at a higher resolution. Here is a video you can watch.
                   
                2. Disabling animation 
                  Disabling animation doesn't help you save battery. It is very hard to say how much power it saves. But it saves very little power, which gives you an extra few seconds or a minute to use your phone. I also disable animation not to save battery but to make my phone snappier.
                   
                Problems

                The only problem with the battery is unusual drain: your idle battery drain is high, or your phone is not lasting like it did two weeks ago. Idle battery drain is 3%–4%. Below are some methods to solve high battery usage.
                 

                • Use battery usage statistics in settings. Identify those apps that are using so much power.

                • Under developer options>>Running services, see if you can find the app that should not run.

                  Warning

                  Don't kill system apps like settings, GmsCompat, Keyboard, Android Services Library, etc. Look for only apps that you have installed, and they should not be running. After that, remember to turn off developer options.

                • My own method to identify high idle battery drain
                  To check which apps are causing high battery drain, you have to check battery usage stats when your phone is idle. I would suggest using AccuBattery usage statistics. AOSP's battery usage stats are half-baked. The best way to try this is before sleeping. Here are all the different combinations:

                  The first day, reboot the phone and enter the password so that apps and services will autostart. Turn off Wi-Fi and mobile data. If possible, keep airplane mode on.

                  The second day, reboot the phone and enter the password. Wi-Fi or mobile data is on.

                  Compare the usage of both days.

                  On the third day, don't reboot the phone. Keep Wi-Fi and mobile data off.

                  On the fourth day, same setup as the third one, but keep Wi-Fi or mobile data on.

                  Compare the usage of all four days to each other.
                 
                If you were unsuccessful in solving the problem, then you should wait for an update. After an update, usually battery-related problems get solved, or in extreme cases, you can ask for help from the developer.
                 

                Tools

                I use AccuBattery and SaverTuner. AccuBattery is useful to get alerts when the battery reaches a certain percentage and for detailed battery stats. It should always run. It consumes very little power, like 2%–3% in the cycle of a full charge and discharge.
                Savertuner is nothing but an extreme battery-saving app. Savertuner doesn't need to run. You can delete the app after setup. Read this for further information.
                 
                I will edit this post if I find any problems and you people suggest something.

                • primipare With a bit of luck, the next generation of Pixel phones will support external displays and a desktop mode (similar to Samsung DeX).

                  This might be just what you want: Everything in one device, no sync needed. When you get home and want to work on a bigger screen, simply plug in a display, mouse and keyboard et voilà.

                  • ahawez Is the 7a worth the extra 30 bucks?

                    Definitely, I'd say. The 7a is quite a significant upgrade in hardware compared to the 6a.

                  • jepew52149 Google Camera uses Google Play services for location. You should use sandboxed Google Play. It will work with the default Location rerouting feature so you don't actually need to use Google Play services location services unless you want to use them (see our configuration guide for that in our usage guide). Sandboxed Google Play are regular apps without any special access. They cannot do anything that Google Camera or other apps can't already do on their own.

                  • Our app repository client demonstrates that we're capable of building a great app fulfilling a ton of our requirements well. To do this for a backup app, it will take us dedicating around 2 experienced developers to it for a couple months to get it written and then continuing to put work into it for around a year for it to reach the point that it's a great app. Our app repository client was quite usable from early on but it wasn't really a great app until the recent rewrite and major improvements. There are no longer any pressing issues for it. It's in a great state and just works. People don't really think about it much because it does the job that it's meant to do well and there's no need to fiddle with it. The same thing should apply to the backup app.

                    • We want an encrypted backup app fully supporting BIP39/SLIP39 (beyond what SeedVault supports) which backs up app/OS data to your home directory, a storage drive or via a device-to-device transfer. It doesn't need to initially support backing up home directory files since they can already be backed up without it. It will always use device-to-device mode, meaning that allowBackup="false" and the legacy backup file exclusion system will be completely ignored since they only apply to cloud backups. One of the main issues with SeedVault is that it's considered to be a cloud backup. It should also support choosing which apps get backed up, and if and when backing up the home directory is supported, which parts of that are included.

                      It doesn't need to support SAF or cloud storage since people can simply use a cloud storage app and tell it to sync the backup directory. GrapheneOS supports Storage Scopes now, which means users never need to give access to files in their home directory to use apps, and therefore having things in your home directory is a much better approach than it ever was in the past since there's no need to give apps access to everything. We should still get more users doing this as intended, but we don't need to focus on working around the storage model anymore.

                      We would focus on making a robust, highly usable app providing the bare minimum and then we can improve it from there. Look at our app repository client for the most recent example of an app we built ourselves without a legacy codebase we need to improve upon. It's a very good app and supports a lot of modern features not included in other app repository clients including split APK support, selection of best match release based on min API level / architecture, fs-verity, dependency management with circular dependency support, atomic multi-package installation for groups of packages with interdependencies, release channels, parallel downloads/installs, automatic update checks, idle-only fully automatic updates to avoid respawning apps that are being actively used including when it isn't a privileged app, compressed app downloads, resuming interrupted downloads, proper metadata signing with key rotation, TLS key pinning, etc. It also has a pretty good user interface. It's actually a very good app, which we built from scratch and expanded based on our needs. We can do the same thing with a backup app but we need more developers. The app repository client is a shining example of what we're capable of doing now when we apply significant resources to a task like this for enough time. Our other apps haven't gotten the same level of attention yet, but they could. Camera app is in a fairly similar state as the app repository client before the recent rewrite to greatly improve it. Our other apps are much older and aren't as good (note: not including the badly aged AOSP apps as ours).

                      We simply need to do this ourselves. No one else is going to build what we need for us. They do not share our approach or goals, they don't know how to make great software and they're incredibly hostile towards not only us but also our users. They lie to our users when they report issues to blame them on us. There's no path forward beyond replacing the app. We can continue updating it but it's not getting less awful.