lbc

  • Sep 12, 2023
  • Joined Sep 2, 2023
  • tmwqjr If you happen to have backdoor access to Kenya's immigration servers
    I see! No need to convince me how plausible that is, I just didn't think you were referring to state actors. (Or other above-the-law types of private actors.) And you're right, "intelligence fusion" as you so elegantly put it makes this not only plausible in concept but trivial in practice over there. And I'm worried that we are not so far behind over here.

    tmwqjr for your passport number to get ejected to some endpoint
    I'm more curious about how this might work.

    tmwqjr imagine if they could then go to either government involved, and say, "Here's a pile of location data tagged with IMEI.
    To my understanding this is what data brokers are known to do, at least in the USA. I'm more bothered by this type of thing than by the idea of being monitored or investigated by some nation's intelligence service.

  • I've installed a rather unknown app (legitimate municipal service thing). This app keeps crashing every time I try to authenticate against it with an android.content.ActivityNotFoundException because the app is requesting a LoginActivity. Installing Firefox made the problem disappear and allows me to authenticate on the app issuer's website, which gets opened in Firefox. Is there something missing in Vanadium that might be causing this? Is it by design or should I file a bug report? I've successfully authenticated against half a dozen other apps that seemed to leverage Vanadium with no trouble prior to this.

    I'd be happy to share what app is concerned in a private message.

    • [deleted] Thanks! Feeling silly, as I'd read this FAQ more than once but it contains so much knowledge that it's hard to assimilate all of it before tying it to practical concerns.

    • I would be out of my league trying to figure out which scenario applies to which classes of hardware devices out there, but this post piqued my interest as I've just read this 2019 paper and started chasing after apps that use the READ_PHONE_STATE Android permission.

      Though as I begin my journey into figuring out what threat model if any makes sense for someone like myself, I'd certainly love to hear about some of the ways one might be deanonymized down to their passport number because of something like chatty WAN-supporting hardware.

      • I am getting a red border-color on Mozilla's test page as well. Using a Pixel 6 with latest GOS on normal release channel. I tried this both in Vanadium and in Firefox. What kind of device are you using?

      • Hi,
        I've recently committed to using GrapheneOS and am in the process of studying its usage guide, FAQ, and browsing this discussion forum to this end. I've noticed that questions regarding how many profiles to create and how to use them are plentiful (I've seen this thread, this one, this one, this one and that one); I'll keep my question focused: how should I square the two following assertions found in the Sandboxed Google Play section of the usage guide?

        • If you want to choose which apps use Google Play [...] it makes more sense to try to use as much as possible without Google Play rather than treating not using it as the exceptional case.
        • The Play Store app is also the most secure way to install and update apps from the Play Store.

        Does the latter point not plead in favor of making the Play Store, hence all of the GSF bits, available to all profiles instead of relying on some third party store like Aurora, or an alternate installation and update mechanism, for one or more non-GSF profiles? I've taken to sideloading APKs and keeping them updated with de.apkgrabber in such profiles for the moment, but I'm wondering how misguided I might be in doing so given this latter point in the usage guide.

      • I am not an expert in software attestation but maybe the following bits of general knowledge can help you understand the security model of the Attestation app:

        • every Pixel device would not need to have the same private key hidden/stored inside its hardware; each one could have its own unique private key, with its corresponding public key being cryptographically signed by a Google PKI server.
        • Typically, setting up public-key cryptography infrastructures is done in multiple tiers. A company like Google might have a couple of PKI servers delivering its keypairs to Pixel devices inside each factory; such servers would have their keypairs cryptographically signed by a region-wide Google PKI server whose access conditions are more secure; and such a region-wide server would itself have its keypair signed by a global Google PKI server stored and maintained at the highest tier of physical and software security. So you might have hundreds of factory-specific Google server certificates existing in the field (this is especially true since an admin would tend to generate a new certificate and invalidate the old one multiple times a year following PKI best practices), yet all of these certificates delivered on a factory floor and copied onto a device's hardware key store would be cryptographically tied to the single, top-level Google PKI certificate, which might have a 10 year validity period, and would be published widely to all interested parties through root certificate lists (which are usually found shipped with operating systems). Signed certificates have a kind of transitive property in this way, hence the expression "chained up to a known root certificate".

        Hope this is relevant to you.
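An added illustration of the tiered hierarchy the post above sketches, written for this page and not code from GrapheneOS or the Attestation app: it builds a global root, a regional CA, a factory CA and a per-device certificate with Go's standard library, then checks that the device certificate chains up to the root and that a chain anchored at a different root does not verify. The tier names, validity periods and four-tier layout are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent (self-signed root when parent is nil); isCA marks tiers that may sign the tier below.
func issue(cn string, isCA bool, years int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // this tier's own key pair
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA,
		BasicConstraintsValid: true, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0)}
	if parent == nil { parent, parentKey = tmpl, priv } // the root signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// BuildChain constructs the four assumed tiers, root first: a 10-year global root, a regional CA,
// a factory CA and a per-device leaf. Each tier's private key stays with that tier.
func BuildChain() (chain []*x509.Certificate, err error) {
	var parent *x509.Certificate
	var key ed25519.PrivateKey
	for i, n := range []string{"Global Root CA", "Regional CA", "Factory CA", "device-0001"} {
		if parent, key, err = issue(n+" (constructed)", i < 3, 10-3*i, parent, key); err != nil { return nil, err }
		chain = append(chain, parent) // this tier becomes the issuer of the next one
	}
	return chain, nil
}

// VerifyChain checks that the device certificate (last in chain) links through the intermediate
// tiers to trustedRoot, and fails when trustedRoot is not the root that anchored that chain.
func VerifyChain(chain []*x509.Certificate, trustedRoot *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range chain[1 : len(chain)-1] { // every tier between the root and the device
		inter.AddCert(c)
	}
	_, err := chain[len(chain)-1].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}
```

Only the root needs to be in a trust list for the device certificate to verify; the regional and factory certificates travel with the chain, which is why hundreds of factory-level certificates can coexist under one published root.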