My setup on GrapheneOS with all the exploit protections on except some off for apps with compatibility issues. Thoughts?
Pro tip. If you go to an apps notification settings, then set a category to silenced and option called “minimize” should show up which allows the notification to be hidden from the notification bar, but shown in the drawer
Oh that’s very cool, I didn’t know that. Although I think it isn’t the most useful for me since I don’t have lockscreen notifications and I have all my apps on the home screen
It doesn’t bother you to see mullvard in the top all the time?
Quite the opposite, I rather it be up there so I see it’s running. Altough not that it matters much since I have a killswitch
chrome could be firefox. much better, and no effort at all to switch.
bonus for using ublock origin and never seeing ads again.
Firefox is not secure on mobile, Vanadium is a great browser made by the GrapheneOS devs
Firefox is not secure on mobile
Can you elaborate?
I’m on the go right now. This is a quote for an old privacy guides snapshot, but when I was looking for it, I saw some articles from April saying that this was no longer true, so further searching needed when I get home
On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla’s engine, GeckoView, has yet to support site isolation or enable isolatedProcess.
People in the comments already have “Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn’t have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android.”
deleted by creator
Oh, i didn’t know it was a fork. I’d take adblock over it though, just for the fact it blocks rogue malicious javascript along with ads.
I generally recommend Firefox for people that don’t use it, but there are more secure forks too if that’s your jam.
I mean Gecko based browsers are actively recommended against on mobile. Chromium based browsers are recommended. Also I use mullvadVPN DNS based ad blocking, and I also have Brave that has built in ad blocking. Do yourself a favor and ditch adblock in favor of Ublock origin
never heard of it. by whom? for what reason?
I haven’t really dived into this but I’m pretty sure GOS dev are one of the groups to recommend against it
Some apps that you use are not safe. Aurora store doesnt send too much data to google but it doesnt verify app signatures which can lead to installing malicious apps, use normal play store instead which verifies app signatures (its also suggested to use by grapheneos devs). Whatsapp, collects data about you. Cromite, uses adblock plus which is really bad. Also here is another reason why cromite is bad:
“Cromite has very problematic changes included which substantially reduce privacy and security. It reduces security more than it improves it. For example, it includes the highly problematic Eyeo filtering engine from the company behind Acceptable Ads, Adblock Plus, etc. which took over the forked uBlock extension misleading people with the name pretending to be the uBlock Origin project among other extensions. Eyeo’s C++ code is low quality and has memory corruption issues… Cromite including the incredibly sketchy Eyeo content filtering engine and stuff like additional codecs goes against what we’re trying to achieve. We also don’t think the randomization-based anti-fingerprinting approach works, among other issues”.
"Casually reminds you that Ironfox exists & it’s a lot more “private” than most chromium-based browsers, & has ublock origin. (slow by default tho)
also while aurora store doesn’t verifies signatures, is has Exodus integrated which dynamically analyses & warns about spyware, tracks and telemetry so you more caucious about the littered “free” apps…
Yes, ironfox is good too (i forgot to mention it) but on grapheneos you will want to end up using their browser
Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn’t have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy to use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox’s sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn’t happening for their Android browser yet.
Also, having exodus integration in app downloader is good but not worth it for exchange of no signature verification, so it’s better to just check it in browser instead or use their app to check trackers
Cool, especially more so on PWA.
But I’d still recommend having ironfox for general browsing & not throwing privacy to the window.(You won’t believe it but, I just wrote a blog-size reply and accidently deleted it for trying to put it on a pastebin service…)
deleted by creator
Ah fuck, I use Cromite because I find vanadium PWA for the stuff I use are buggy and slow. I used to use brave for this purpose, should I go back? Damn I guess I will need to link this phone to my throwaway gmail account (which still has private data) WhatsApp I can’t ditch due to family and Signalphobic friends
On grapheneos you should be using vanadium since its most secure browser on phone. On other android devices, use brave instead. Also if family and friends dont want to use signal but want to use whatsapp then uninstall whatsapp, one way or another they would have to either end up using sms or other form of contact
Hmm I might do that actually, I’ve been wanting to get rid of WhatsApp for a while now, I think I’m still gonna use a second browser (Brave now) for my PWAs, my threat model allows it
On the contrary if in the end everyone moves to SMS and normal calls wouldn’t that actually be pretty bad? Since WhatsApp is E2EE (with the major flaw of default unencrypted backups which are shoved down your throat). But maybe it’s not that big a deal since I assume most if not all of the people I’m talking to likely have unencrypted backups
Are those green mini icons an indication of a PWA shortcut?
I use the app Hermit to run isolated websites, usually as PWAs. It’s replaced quite a few apps, but I’ve noticed that many companies are intentionally making their web experience shit so they force you to use invasive apps.
Anyway, it can create home icons for those sites, and they run separately (i.e. in your task switcher), so it works better than browser shortcuts.
It does, that’s the icon for Cromite.
I didn’t quite catch that actually but yes it’s cromite PWAs
What device are you using
Google Pixel 8 with GrapheneOS
Keep what’s app and any Aurora store style apps inside the Private Space section. Then keep it locked when not in use
I mean currently I only have protonpass and whatsapp from aurora so I’m chilling, everything else is from obtainium. But I’ll try it out (last time I didn’t understand how it works, idk If it’s bugged for me but the apps I put in the private space stayed on my “desktop”)
Completely out of topic but,
I just noticed that this post has more comments than upvoted 🤣KeePassDX, nice choice! I really wish I could have DX or XC on both phone and desktop. Love both but would prefer to donate to one. Wallet is unhappy but I really try to donate to all FOSS apps I use…
Yeah keepass the goat! I use mainly proton and keepass for when I’m more paranoid
For me that has lately been always
Do you have a backup? I recently lost my crypto due to my KeePassDX getting deleted accidentally (I saved the seed there) :(
(I didn’t have a wallet at the time so I was cooked)
Oh shit… Damn. sorry that happened to you :(
I do back it up with the rest of my stuff to an external hard drive, but that’s… Like once in a year so could be better.
I have my keepass database file in my cloud that i use to sync it between phone and PC. I create a backup of all of my files on my PC + cloud folder once a year to an external hard drive. Better than nothing but probably would be better to do this more frequently 😄
I also empty my phone from time to time and move everything I want to keep to my PC (like photos).
BTW I find SimpleX is great for syncing between your phone and PC. I used it with multiple computers/profiles on GOS and just created an incognito group without history and with disappearing message and that’s how I moved stuff like addresses and passwords to my PC. The app is also great for communication ofc
Nice tip, thanks! still haven’t given simpleX a try. Mostly because it was hard enough to get family and friends to move to signal :)
Note is that I don’t link my SimpleX to my PC but create separate profiles
Wait isn’t that defeating the purpose of KeePass? I strictly use it as a local password manager (no cloud backups and such), since I thought that was the main spelling point
You can of course. I think the selling point is that you control it and it’s a single file that you can decide where you’ll keep it, how you access it, and what app you use to interact with it.
I can copy, delete, move it all without needing a service for it. Can modify it offline and everything!
I don’t host the file on a password manager dedicated cloud, it’s my own cloud space with other files I have there as well. So the file is just in my cloud space, with other files, and i have a synced folder on my phone + pc and just access that cloud folder with the file from keepassXC on my PC and keepassDX on my phone :)
For me keepass offered a single databae file that I can decide where and how I keep it. Also works offline because the cloud syncs folders and even without internet a version exists on my phones cloud folder (until it gets synced again with internet).
Or is the database file encrypted with a password? If not you might want to use something like VeraCrypt to encrypt and password protect the database files on the cloud
Nobody seems to talk about the OG pen and paper password manager!
Is this my phone? Lol
You might wanna run auditor lil bro
What’s the chrome app?
Is nano GPT 100% offline? Or self hosted?
I see two: Cromite (Green) and Vanadium (Gray, Chromium variant by GrapheneOS)
Fixed the name now, thank you. With all the chromium variants out there, I had it as cHromite in my head
Understandable. The name is a play on the Bromite, which is the dead project Cromite forked from.
In NanoGPT You also got TEE (Trusted Execution Environment) models which are more private/secure from my understanding. From GPT-OSS 120B TEE:
“TEE‑based AI models run their inference or training inside a Trusted Execution Environment (TEE), a hardware‑secured enclave that isolates code and data from the rest of the system. This provides data confidentiality, protects the model’s IP, enables cryptographic attestation of the exact model version, and satisfies regulatory privacy requirements, making AI services trustworthy and suitable for secure multi‑party or decentralized applications.” One downside is that they are usually pretty expensive to run
You are also able to bring your own S3 compatible storage
NanoGPT is more “no-logs” from what I understand buttt you can pay in XMR and have a dedicated “account” (you get a sign in link to keep safe) and run it under tor
deleted by creator
What’s the app directly above Orbot and Mullvad?
Cromite, but I have switched to brave since, it has better fingerprinting protection, more updates, better security and better sandboxing and isolation. At least that’s what Deepseek R1 with websearch has to say
Isn’t Brave just a scammy cryptocoin browser and ad server? I’ve heard bad things about them.
It’s audited and open source
If anyone Is wondering, this setup was based mainly on PrivacyGuides
deleted by creator
If you don’t mind hardening firefox on android. You can try Firefox with uBlock. It give some small advantage compared to Brave like more filters list from uBlock, the element picker thing, and no brave, etc. The performance can be questionable though.
I heard gecko browsers are insecure on mobile
Yes it is true. It have insecure sandbox but in your case it seem like you still use vanadium, if you only use Firefox for known website for the webapp. The insecure sandbox is not that big of a deal anymore. Still from a pure security point, Firefox is not great.
I think overall I have an edge with Brave, since I use it for NanoGPT webapp which I need to be fast or I’ll kys because it was already slow AF on Vanadium so I assume on FF it will be a lot worse
I’m thinking if I need to use WhatsApp again I’ll try to download it, connect to WhatsApp web on my laptop and then delete it from my phone. Idk if it’ll work but it’s worth a shot
Don’t!
Your whatsapp session will expire over time & you gonna need to reinstall it on your phone.
Ether install whatsapp on private space or, if you feel adventurous, selfhost a Matrix-Whatsapp bridge.Alternatively, convince your socials to use smh foss & more reliable,
Maybe telegram if they insist on mainstream,
It got a foss client but telegram doesn’t enable E2EE by default (Secret Chat).Signal would be better for a mainstream secure communication as Telegram has its flaws, and E2EE is not enabled by default. It’s also not available in channels.
Yeah I would rather just nudge them towards Signal, I very much dislike telegram and have recently retired it
:O uhhhhm, Great!! 👍 Don’t mind me, I accidentally wrote a whole blog
It happens to the best of us
I use Molly with Orbit proxy, so I feel Signal is the next best thing after SimpleX
WARNING: this reply have 2 ounces of opinion-like ““facts””, a pinch of logic that make 0 sense & a whole bottle of chunky post,
Read, at your own warrenty…Of course, signal, molly&unipush or even threema or anything more practical / security-audited is more worthy of your phone number and storing your data in an encrypted form,
I’d recommend conversation or matrix even more so they don’t require a phone number(but for some reason, they’re more scarce in usage)Since messaging apps have to do with, well, messaging people & socializing, going to a person that doesn’t have your app & genteelly asks them to install an app is an inconvenience that people want to avoid…
Don’t get me wrong, I’d spend an hour talking messaging apps their differencies & cons but, as far as I’m aware, most non-tech invested ppl would consider this “dead-time” and would rather already text on the “avaliable app”
So, instead, you’d preinstall “mainstream” apps to not even mention it and start texting instandly since you’re usually expected to have it (pre)installed. (i remember whatsapp and fb-messanger being preinstalled on some vendors)
This or use imessage & make them question their existence :) Even on android
To the best of my knowledge, the top “mainstream” apps out there are:
whatsapp, telegram, discord (yes, DiScOaRd), imessage and sadly, facebook messanger.(I know signal is getting recognised in “mainstream” & getting more adoption, but for some reason, I don’t see ppl installing it because it’s not “that” viral to have enough contacts or it would go unoticed by them because “muh FBI and privacy controversies are too creepy” )
most ppl are aware of these apps and their mass adoptions so they wouldn’t even bother and just get it done with or install the app already.
Out of these options only 2 are actually viable for secure & private messaging especially for Floss: Telegram, for being “transparent” & having it’s source avaliable for security auditing. imessage: for being E2EE encrypted by default with The Manufactureᵀᴹ showing some dedication about the anonimity & security of the product.
Telegram don’t E2EE by default, but you can just start a secret chat that would be private, at least they allowed for foss, third-party clients & made their own “proxy” while encoraging VPNs,
imessage can’t be really called floss because the offical client isn’t & is also gate-limited by The Manufactureᵀᴹ , but at least it has a foss unoffical client that still faily usable (with the compromise of needing MacOS “installed & certified” or paying for an access token.
Outside of this, there’s really no scope for consideration, most messaging apps that made it to “mainstream” ether doesn’t care about their users securities & would actively report anything big bros for " the general safety of the userbase" or be a hidden honeypot that collect dats & sell it to advertisers while lying about it. (even whatsapp does that & think we’re dumbies),
When one starts to pick for messaging applications, there’s no “choice”, “consideration” or even the qualities to think if it genually a good platform, you’re left with only dedication to utilize a messaging app for what it offers & push your circle of people to join you there…
You may convince your friends, but you can’t convince your coworker, team, boss, partner of a project, your online fellas or even your family memebers depending on their tech literacy.
OP didn’t consider ditching whatsapp, instead, they considered methods to hinder whatsapp’s privacy violations & telemetry, I’m not OP but, that’s seemingly the case;
Even if they run whatsapp on an sandboxed, private space & use a 20 yr-old trash phone, running whatsapp at all on android is a risk since android has lots of APIs that provides device metadata that can be used to uniquely profile users & fingerprint them.
I can be wrong, but I see only 2 actions OP can do:
- Utilize whatsapp web (& android vm to scan) to setup a bridging server / service (like matrix-bridge or beeper & make devices connect to it (port forward, local “vpn” or beeper) or,
- Push their circule of people to use an another “mainstream” platform OP can trust…
Sometimes, having online conversation can be totally inconvenient or tiresome, not only because of whom, but how, this is one of them…
I don’t like telegram at all, especially so with the latest policy change but, it’s easier.
Alright, in the future I will likely run an Android VM with WhatsApp using a physical SIM bought with cash or a virtual SIM bought with monero
I see,
But at this rate, you gonna always make sure whatsapp runs on a VPN AND behind a kill switch so it doesn’t leak,also maybe you’re interested in using tailscale or netbird to skip the port forwarding / domain hassle so you can connect to your matrix server and use the bridge in minutes.
There’s a new foss netbird client for android if it satisfies.
Ofc, I always have killswitch on my VPN, using alternatives didn’t cross my mind so thanks, I’ll also keep the client in mind
