Also posted in another thread:
This morning I received this new GOS-notification that WhatsApp had used the Google Play Integrity API.
My GOS P7a has Play services installed, I am on an owner first user profile and WhatsApp is installed from Google Playstore.
WhatsApp is (still) functional. No warning message from WhatsApp (yet).
happy_hippo

- 1 Feb
- Joined Oct 11, 2023
Just wanted to add that WhatsApp used Play Integrity while I was sleeping. The app is still working as of now.
Me and brother both on GOS, both use WhatsApp (same version) both installed from PlayStore. Both on GOS version 2025012700
His WhatsApp is giving him Play Integrity notifications, where mine isn't.
Why would that be? I'm on an 8, he's on an 8 Pro if that makes a difference.
I've not even got the menu in the app info area, so hasn't triggered.
Android 15 QPR2 is moving 6th/7th/8th generation Pixels to the Linux kernel's 6.1 LTS branch already used for 9th generation Pixels. This will reduce the kernel branches we need to support down to 6.1 and 6.6. There will likely need to be a yearly migration for all the devices.
Linux kernel increased official support time for the Long Term Support (LTS) branches from 2 years to 6 years, mainly for Android devices using Generic Kernel Image (GKI) releases. However, it was recently reduced back to 2 years. Pixels will need to start migrating every year.
It will likely take around 6 months for a new branch to be considered stable enough with most regressions resolved and another 6 months to successfully integrate and ship it. Therefore, 2 years of support implies yearly migrations to keep up rather than doing it every 2 years.
Upstream LTS releases are closely connected to Android. Moving to 6 years of support was likely closely connected to the Pixel 6 moving to 5 years of support. GKI made the drivers far more standalone and easy to migrate, and Linux moving back to 2 year support is likely related.
Google has been testing newer kernels with the Pixel 6 and later for years. They have 6.6 and newer mainline kernels working fine already, it just takes a long time until the kernels are stable enough to consider shipping them. It's great that it's finally going to be happening.
Newer kernels bring many new features and increasing complexity which means they bring lots of new security bugs. Older kernels get an increasingly small subset of bug fixes including security fixes backported in the LTS releases. Newer kernels also bring new security features.
Using a year old kernel for around a year and then upgrading to a new year old kernel is likely the best balance that's available. With 2 year support time, they can focus on backporting more patches and providing more testing/stability since there will be far fewer LTS branches.
It's not commonly understood that Android itself only has a single LTS branch, which is current Android 15. It receives monthly and quarterly updates. It moves to a new LTS with a yearly update after it has gone through many months of public testing via Developer Preview / Beta.
Many people including journalists covering it in tech news media wrongly believe Android's monthly security patch releases are the monthly releases. No, the monthly security patches are backports of a subset of the privacy/security patches to older releases. They're incomplete.
Android's monthly releases have many changes beyond privacy/security patches even when it's not a quarterly or yearly release. They also have a lot more privacy/security patches than the Android Security Bulletin backports. They backport High/Critical severity patches, not all.
These updates are a major factor in why Pixels are the only Android devices with competitive security with iPhones. Pixels also have a lot of hardware security features not implemented on other Android devices. They also have higher quality of implementation across the board.
Google will likely require other OEMs to start upgrading kernel branches. However, standards for other OEMs are always far lower than the standards met by Pixels. For example, many important hardware security features are recommended in the CDD, not mandatory, or not even listed.
We aren't aware of any OEM trying to keep up with the monthly releases, only OEMs skipping all the monthly/quarterly releases but trying to ship the yearly release around the official launch. Only Samsung tries to keep up with the new security features, but lags quite behind.
Other Android OEMs do the bare minimum required by Google unless their SoC vendor (generally Qualcomm) hands the feature to them on a silver platter with no additional cost. They largely ship the monthly security backports now, but with significant delays or skipping some months.
The reduction of support time for Linux kernel LTS releases from 6 years to 2 years is likely going to become a major problem for non-Pixel Android devices. Google will likely require them to upgrade but probably at a very delayed schedule where they fall out of support first.
Our official hardware requirements are listed here:
https://grapheneos.org/faq#future-devices
You can see support for Linux 6.1 or 6.6 is already a requirement for new devices. We'll be adding a requirement to upgrade the kernel branch because it will be essential with 2 year Linux LTS support.
Social media threads:
X: https://x.com/GrapheneOS/status/1860365266921603389
Bluesky: https://bsky.app/profile/grapheneos.org/post/3lbmyp4jfi22b
Mastodon: https://grapheneos.social/@GrapheneOS/113533415116755738

GrapheneOS version 2024101600 released:
https://grapheneos.org/releases#2024101600
See the linked release notes for a summary of the improvements over the previous release.
We're going to be locking it again and leaving it locked because as expected it ends up being a political debate outside the scope of what's permitted on our forum.
Sbpr It's also strange seeing many of the tired and debunked arguments ("objectionable" content, think of the children, terrorists, criminals, etc) from people on here when these arguments have already been understood to be poor or even fake excuses to conceal governments' desire to instill mass surveillance, issue uninterrupted government propaganda, and silence dissenters.
Debunked? Telegram is full of all of the above. We can discuss what responsibilities platforms ought and ought not to have, but there can't be a proper conversation if we can't even acknowledge that this type of content routinely went unchecked on Telegram. If you want to make the argument that it "comes with the territory" of a "free speech" platform, sure, do that.
Sbpr It's very strange that people on a forum for a privacy focused operating system, who celebrate how difficult it is for the government to crack GrapheneOS, are quick to insult another privacy focused project for not willingly allowing governments to spy on their users. Sure, Telegram itself was poorly designed as a private messenger compared to other private messengers, but people on here are also attacking the company's free speech and user privacy philosophy in general, stating that it should have been doing more to censor users at government's convenience, which would also inherently erode user privacy.
People are celebrating the technical achievement of a private company's forensic tool (in the case you're referring to, Cellebrite) not being able to get into Pixels running GrapheneOS. It is understood that you cannot protect privacy selectively. That's why you can't weaken E2EE (because that affects everyone, despicable criminals and persecuted dissidents alike). Same with a device, you make it secure not because you want to protect criminals or heinous people, but because you understand that a secure device has to be secure for everyone.
Telegram is implementing no such thing (for the vast majority of users, secret chats are barely used by anyone). Put governments aside for a moment, because I don't think anybody participating in this thread is an official representative of one. It's one thing for someone to advocate for weakening E2EE in a messenger, or disk encryption or forensic resistance in an OS, and another for someone to say that when you operate a non-E2EE platform which allows for content moderation, that a genuine effort should be made to purge such platform of criminal content. It is baffling to me that the same people who in this thread are making arguments "for the children" based on their ideologies, fail to acknowledge the kinds of vile things Telegram was widely known for. Will they continue to occur elsewhere should Telegram cease to exist, or should it actually make a genuine effort to moderate its platform? Sadly yes, but that doesn't mean that Telegram gets a pass when it isn't doing anything about it.
I'll say it once again, and maybe this time it'll at least stick for someone. You can have opinions that are nuanced. Don't trick yourself into picking a side and defending that side to the death. Should Durov be arrested? That's up to everyone's opinion. Are the laws about "licensed cryptology" in France ridiculous? I believe so. Does that mean that Telegram is some holy platform that can do no wrong and which has operated perfectly? In my opinion, absolutely not, and nobody is doing anybody any favors by taking either side to its logical conclusion where you have to defend indefensible things just to be "right".
If you're going to make the argument that anybody who has issues with Telegram, how it markets itself, and how it operates is against free speech, pro censorship and many other things, I think you're losing a genuine chance to have a discussion about the topic that isn't projecting your beliefs on others.
Conversely, for the people on the other end, by villainizing everyone who sees this as an attack on free speech, it would serve you well to actually listen to those peoples' concerns and consider whether they have merit.
What is scary and sad, is that people are letting their ideology and beliefs, political and otherwise, completely sway their opinion on this issue, and it absolutely shows. We're not having a discussion about this topic, we're having a proxy politics debate, some of you just don't see it yet.
locked As @matchboxbananasynergy said, it all depends on you (Telegram) knowing of the commission of a crime and not providing information to the authorities. With E2EE, the network knows nothing of the commission of the crime, so there is no reason to arrest the natural person responsible for the network. It then depends on the LEA to try and penetrate the system if they have substantial suspicion that it is used for criminal matters. Just the way your conversations might be listened to if you are suspected of terrorism ... Just like you and me ...
locked Thankfully, the government doesn't need to do anything to take away E2EE in Telegram's case, because Telegram made it so inconvenient to use E2EE that almost nobody uses it. I made a Telegram account fairly recently since we have a public Telegram group bridged to Discord, Matrix etc. for GrapheneOS. I was very surprised to learn that E2EE 1-1 chats do not work on a desktop device, but rather only when both people are on a phone. Furthermore, it seems that it can only be used when both parties are online, otherwise the secret chat disappears until both are.
Your entire post about E2EE and how the government is trying to undermine it (and they are, and they should be stopped) demonstrates why E2EE is something worth using and fighting for, and Telegram made a very deliberate choice to exclude it from its model. That doesn't mean Telegram is a honeypot, it doesn't even necessarily mean it's malicious. Negligent, perhaps. And because anyone tries to say "but Telegram is more like social media! It doesn't need E2EE!", I'm sorry, but when I go to Telegram's front page and scroll down to "Why Telegram?" I'm met with a little duck that tells me Telegram is private and that's why I should use it. It tells me that it's "heavily encrypted". Why should I, as an average user, understand that means that Telegram has the technical means to retrieve conversations I thought private?
I'm not going to get into politics or characterize Durov as trustworthy or untrustworthy, but it feels wrong to rely on someone's resolve to not compromise my data, rather than technical means.
Not only did Telegram design their app in a way that maximizes "usability" (as if other messengers are unusable) in a way that makes it so conversations for the vast majority of users are not E2EE, not only did Telegram heavily market itself as "private and secure", not only did it continuously try to spread FUD about projects like Signal.
People defending that the way Telegram decided to design its messenger makes sense is pretty wild. You can disagree with Durov being charged with whatever he's being charged, and still think Telegram has done a pretty bad job at protecting its users' data.
[deleted] If you utilize "auto delete" it's also gone from their servers, so people who deleted their chats have fewer things to worry about.
Who else would you extend this good faith to, I wonder? It's a genuine question. It really feels like people who would otherwise be extremely suspicious and be calling other services "honeypots" etc. seem to have a soft spot for Telegram in particular. Marketing goes a long way, I suppose. The long and short of it is, if there are no technical guarantees for the messages being confidential, which there isn't for the vast, vast majority of Telegram users, assuming the best case scenario is likely not your best choice.
Also, to be clear, I'm not saying that you specifically call other services honeypots or have similar opinions. It's mostly an observation after many days of discussing with people who had a fit when GrapheneOS explained that Telegram doesn't enable E2EE by default on X, Mastodon etc. Very weird behavior from some folks.
@[deleted] Your conduct towards other community members here is not acceptable. It's unproductive, and quite frankly, childish.
It is very unfortunate that the community on the forum is proving time and time again that moderation should be stricter, not more lax, and that people are seemingly incapable of having mature and intelligent conversations about these topics without them not devolving into slapfights.
I'm removing numerous posts that add nothing of value to the thread beyond said slapfights and will consider further action regarding the thread and individual accounts after that.
And a general note:
We locked this thread, and then decided to unlock it and see how it goes. The moderation team is looking at this thread closely, and if things get out of hand, the thread might be locked again, and posts might be deleted.
This is the community's chance to show that it can discuss charged topics without the forum being degraded to a battlefield. Try to remember that at the end of the day, we're all here because of our shared interest in privacy, security, and GrapheneOS. There are plenty of things that make us different, and we might need security and privacy for different reasons, but let's try to focus on our common interests rather than the differences - goes a long way towards having productive discussions.
GrapheneOS
Love the app as it saves me time looking for changes in the next release. Thank you to the dev team.

https://github.com/Akylas/oss-weather
My favourite. Active development. Also available in IzzyOnDroid Repo.

Sweet, looking forward to future updates, the app looks great so far. I love having the release notes right there.
[deleted] You're free to disable it, and it's a tiny app. We decided to make it into an app instead of putting it into the Settings app. It can also serve the same purpose as the Pixel Tips app and similar tutorial apps in the future.
GrapheneOS Info app version 2 released:
https://github.com/GrapheneOS/Info/releases/tag/2
See the linked release notes for a summary of the improvements over the previous release and a link to the full changelog.
Clueless I wondered about that: I have play services installed and am logged in to my Google account. Will it be FRP locked to make it worthless for the thief? Or is that function removed in GOS? I suspect the latter since it would require Google services to be deeply integrated into the system, right?
https://grapheneos.org/faq#anti-theft has the information you need. :)