social.tchncs.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
A friendly server from Germany – which tends to attract techy people, but welcomes everybody. This is one of the oldest Mastodon instances.

Administered by:

Server stats:

3.9K
active users

Mike Kuketz 🛡

GrapheneOS hat eine neue Sektion auf der Website hinzugefügt: Eine Liste von Apps, die explizit die Nutzung von GrapheneOS über die Play Integrity API blockieren, inklusive Links zu den entsprechenden Play Store-Seiten. 👇

grapheneos.org/articles/attest

GrapheneOS logo
GrapheneOSGrapheneOS attestation compatibility guideGuide on using remote attestation in a way that's compatible with GrapheneOS.

@kuketzblog kann man dagegen nicht mal ein Gesetz machen? Also eins das auch durchgesetzt wird...

@kuketzblog

Hmm, bis jetzt keine Probleme mit Revolut auf Graphene gehabt...

@tscharly @kuketzblog They only started doing it for new logins. Don't logout of the app or clear the app data, it will stop working. You can try installing it in a new Private Space, work profile or secondary user to see that logging in won't work.

@kuketzblog

Ich denke, von den fünf Äpps braucht man keine einzige ...

@Gafurr @kuketzblog
Stimmt aus _meiner_ Sicht auch, hat aber nur bedingt was mit dem zugrundeliegenden Problem zu tun!

@Gafurr @kuketzblog Diese Logik ist dieselbe wie: „Ich habe nichts zu verbergen, warum sollte ich mich um Datenschutz kümmern?“. Es geht darum, dass sie es tun, nicht darum, ob man die Apps braucht.

@josh @kuketzblog

Tja, dann musst du bei den Usern anfangen. Daher meine ständige Forderung nach IT (nicht M$) Unterricht in der Schule.

Eine ausländische Firma dazu zu bewegen ehtisch akzeptable Produkte zu bauen ist ... 🤡

Es braucht informierte Benutzer. Und das wissen darum was solche Äpps eigentlich darstellen ... Das sind reine Harvester die pers Daten zur monetarisierung sammeln und zusammenführen.

@Gafurr @kuketzblog Ich kenne keine Alternative zu Revolut. Zumindest keine, die eine Kreditkartenzahlung mit Namen "F. Merz" einfach durchwinkt. Will auf Schmuddelseiten ja nicht meinen richtigen Namen verwenden.

@Gafurr @kuketzblog

Ich habe leider Authy.

Auch wenn ich bei jeder neuen 2. Faktor Einrichtung, inzwischen zusätzlich den in Keepass hinterlege.

@kuketzblog Es wäre interessant zu wissen, wie es bei CalyxOS ist. Gibt es dazu sich infos?

@Kubiac @kuketzblog

Google hat angefangen "Sicherheitsatteste" auszustellen. Diese werden von den Herstellern eines Gerätes beantragt. Beispielsweise dürfen die sicherheitsupdates nicht älter als ein jahr (!) sein. Das basiert auf selbstauskpnften der hersteller.

Es gibt die vermutung, dass google damit anti-monopol-bemühungen der EU umgehen will (aber es könnte massnahmen von USA und EU gegen Google bewirken).

So gelten 8 jahre alte smartphones teilweise als sicher. GrapheneOS könnte um das Attest zu erhalten, lügen oder unsicherer werden. Stattdessen ist GrapheneOS im Gespräch mit der EU.

Google drängt App-Entwickler die Atteste für ihre Apps einzufordern.

Andere Betriebssysteme als GAndroid (und eventuell Android-Varianten der großen Hardware-Hersteller) - also CustumROMs - werden kaum eine Chance haben, ein Attest zu erhalten.

Innerhalb von Google will wohl die Sicherheitsabteilung GrapheneOS aufnehmen, aber die PR-Abteilung legte Veto ein.

Eine Folge könnte auch sein, dass app-entwickler sich von den (im prinzip sinnvollen) Attesten abwenden.

Und es könnte zur zerschlagung von google führen.

@Kubiac @kuketzblog microG does not implement the Play Integrity API or the overall majority of Google Play functionality so it never gets a chance to be rejected as not allowed. CalyxOS has far less app compatibility than GrapheneOS along with not being a hardened OS. It does not improve privacy or security in the same sense as GrapheneOS and it's a misconception that they're at all similar projects. It's also a misconception that it's easier or more broadly compatible, it's the opposite.

@GrapheneOS
I used GrapheneOS for several month on my Pixel 6 and switched now to CalyxOS to see the differences.
GrapheneOS is heavily security focused. But Google Play, even in a Sandbox, is a privacy concern for me, because I still can't really control or see what it's doing.
CalyxOS is more privacy focused. With MicroG I can see what apps are connected to the Google notification server and even block it. Maps data is from open street maps and not from Google maps.

@Kubiac CalyxOS is far less privacy focused than GrapheneOS. It doesn't have crucial privacy features such as Contact Scopes, Storage Scopes needed for parity with iOS. It has the leaky network toggles from LineageOS, leaky anti-privacy VPN toggles, still uses multiple Google services by default and gives Google services privileged access within the OS. It has a bunch of privacy issues fixed on GrapheneOS. A recent example we addressed is leaking contacts to hands-free calling Bluetooth devices.

@Kubiac You're missing that apps using Google Play are running Google Play libraries. The code running within the apps can and does directly contact Google servers. You are not avoiding running and trusting Google Play code by using microG with apps using the Google Play libraries.

GrapheneOS has support for redirecting Google Play APIs to alternate implementations which is what we do with location services by default. That is not exclusive to microG. We will do it with more APIs than location.

@Kubiac You control which apps can contact Google Play services via which ones you install in the same profile, such as putting it into a Private Space. However, each app using it includes the Google Play libraries and does not need to be able to talk to Google Play to use Google services. There is absolutely no requirement to have Google Play to use Google services. That's a misconception. Many apps use Google services directly including through Google libraries, with or without Play services.

@Kubiac microG also has a bunch of privacy and security weaknesses including data leaks between applications and many holes poked in how the security model is meant to work. It was unacceptable for inclusion in GrapheneOS, so we began making our own compatibility approach in 2021 instead. Since then, we've been extending our approach including reimplementing more of the Google Play services and other functionality ourselves. That's not going to be limited to the current location redirection.

@Kubiac GrapheneOS is in the process of implementing several features within the OS not tied in any way to Google Play compatibility including network location and geocoding. Our approach is implementing the features in the OS in a way that's not tied to Google Play and then redirecting the Google Play APIs to the OS implementation. We'll be providing our own implementation of FIDO, passkeys, maps, text-to-speech, voice typing and other features. GrapheneOS doesn't include Google Play and won't.

@Kubiac You're misunderstanding our sandboxed Google Play approach and what it means for it to be in a sandbox. It is the same app sandbox used for other apps, and they are simply regular apps constrained by the same permission model as everything else including our major improvements to it. Google Play services running on GrapheneOS has 0 additional access to anything compared to the Google Play code running as part of an app like Discord. In fact, it has less access, because it's separate.

@Kubiac It's a misconception that we've made a special sandbox for running Google Play services. That is not what we provide. There is no special sandbox or modified version of Google Play for GrapheneOS. You can simply install them as regular sandboxed apps with all our usual privacy improvements to the app sandbox and permission model. The feature is a compatibility layer which enables them to work with exactly the same restrictions as other apps that are not granted any permissions by you.

@Kubiac The whole point of this approach is that they have zero additional access compared to the Google Play code running within the apps using them. Those apps can do everything that sandboxed Google Play services can do without it installed. It gives absolutely no extra access or capabilities to the Google Play code that's running as part of them. Plenty of the Google libraries function fine without Play services and make connections to their services without it. Not everything requires it.

@Kubiac The idea that Play services is needed to use Google services or that there's something special about what it does is wrong. Everything it does as sandboxed Google Play on GrapheneOS can be done by other apps. It has no special access or capabilities. It does not give absolutely any additional access that's not already available to the Play code in apps. If you want to avoid Google Play, you have to only use apps not including Google Play code, such as using Molly FOSS instead of Signal.

@GrapheneOS That sounds great. Can't wait to test this out.

@GrapheneOS
I'm aware of the fact, that almost all app form the Play Store or Aurora store do have one or more tracker build-in. For this reason I self-host a Adguard Home server and my phone is connected via DoT to this server. It's unbelievable how many crap is filtered every day.

@Kubiac Those DNS filter lists that you're using are designed to only block connections to domains not used for anything other than ads or tracking. They deliberately do not block connections to dual-use domains needed for real functionality. That heavily limits what can be done that way. If they did block everything used for tracking then a whole lot of mainstream apps would not work anymore so it wouldn't be usable or truly useful. Protecting privacy from apps requires permission controls.

@Kubiac Android's permission controls are not good enough. Apps force you to give media, storage and contacts permissions to use them. iOS has solutions for that and so do we. We're in the process of adding more of these features for Location (to replace global Mock Location), Microphone, Camera and Phone. This is crucial for privacy. You cannot achieve privacy blocking some connections from the client while still allowing apps to connect to their servers and from there share with any 3rd party.

@GrapheneOS
You are right. I knew this already. I'm still following you on Mastodon. 😉 But to be honest, people don't care so much about this important details. People using CalyxOS usually don't install Google apps or services. CalyxOS uses still Googles time and GPS server, but is stripping out some information. And eSIM aktivaion goes to Google, if I remember right.

@Kubiac Then why are you claiming it offers better privacy than GrapheneOS?

CalyxOS comes with some Google services that it always uses, more than the ones you are listing, and no it does not strip out any information whatsoever.

Aside from that, microG is a privileged implementation of Google services. It does use multiple Google services. Saying people don't install Google services is meaningless. It comes with them built into the OS with privileged access unavailable to regular apps.

@Kubiac It does not implement basic privacy features needed for parity with iOS. iOS 18 added an equivalent to the core Contact Scopes feature set, just not selecting specific subsets of data. Earlier iOS already essentially had most of Storage Scopes. We also fix some more minor privacy issues needed for parity.

CalyxOS does implement a bunch of misguided changes mainly taken from LineageOS, a lot of which either give a false sense of privacy or even reduce it compared to standard Android.

@GrapheneOS I'm a happy convert (of 5 days of usage :))

I found out about apps effectively banning GrapheneOS:
grapheneos.org/articles/attest

I'm not well-versed in these things; if someone from the community could maybe create an email template, I'd happily write and leave feedback. ❤️

GrapheneOS logo
GrapheneOSGrapheneOS attestation compatibility guideGuide on using remote attestation in a way that's compatible with GrapheneOS.

@kuketzblog

Die George Banking App der Erste Bank aus Österreich funktioniert aus dem selben Grund auch nicht.

@kuketzblog Mindestens genauso ärgerlich finde ich Apps, die ohne Not #googleplayservices erfordern. Die App der #Telekom Tochter #frænk zum Beispiel lief immer Problemlos auf einem googlefreien Gerät. Lief. Seit ein paar Monaten startet die auch nur noch, wenn Google Play Dienste installiert sind. Super nervig sowas. -_- Den Support bei denen hat das auch nicht interessiert. :-/

@kuketzblog
Kann die Liste ergänzen:
* Postident
* Ingress Prime ( Spiel)

verweigern die Installation, bzw. gehen nicht bei GrapheneOS.
#grapheneos #android

@ratisbonner @kuketzblog Both of those apps very likely use the Play Integrity API to ban using GrapheneOS or any other alternate OS. However, we need to confirm that's the case.

Until recently, there were nearly zero cases of apps which weren't usable on GrapheneOS.

Some apps require the per-app exploit protection compatibility mode toggle to work around memory corruption bugs detected by GrapheneOS, but those aren't incompatible just app bugs requiring a workaround until they fix it.

@ratisbonner @kuketzblog We know for sure that Ingress uses the Play Integrity API but we hadn't confirmed if they'd added an exception for GrapheneOS yet. If you recently tried and it doesn't work, clearly they haven't.

Can you give us a link to the Play Store page for the Postident app? Is there an existing thread on our forum about it? It's hard for us to confirm if people are talking about the same app since we don't know about it and can't use it ourselves.

@kuketzblog McDonald's funktioniert übrigens auch nicht auf CalyxOS.

Ob es aus dem selbigen Grund und/oder anderen Gründen (z.B. Micro G statt G Play) ist, weiß ich nicht

@kuketzblog Ich habe die/den Beauftragte/n für Datenschutz bei der TK angeschrieben und um Stellungnahme gebeten, warum die TK die Nutzung ihrer App unter GrapheneOS unterbindet.

@kuketzblog

Sind nur besonders Datenschutz freundliche Roms betroffen?

Bei Linagos habe ich keine Probleme, außer natürlich die besonders Anspruchvolle Apps wie NFC Payment via Google Wallet.