Frage an euch: Viele zögern, #GraphenOS zu installieren, obwohl es eigentlich recht einfach ist. Wie wäre es, wenn der Kuketz-Blog eine Dienstleistung anbietet, die die Installation gegen eine Aufwandsentschädigung von etwa 50 € übernimmt? Was denkt ihr – gäbe es dafür Interesse?
#android #datenschutz #privacy #customrom
@[email protected]
Da #grapheneos leider den Support für mein Pixel4a eingestellt hat, werde ich demnächst zu #divestos wechseln.
Ich möchte eben mein Gerät so lang wie möglich nutzen. Ist halt das Spannungsfeld zwischen Sicherheit und Ressourcensparsamkeit.
@[email protected] @[email protected] It’s a highly insecure device with known remote code execution vulnerabilities and many local vulnerabilities including ones which are known to have been successfully actively exploited. It hasn’t received any driver, firmware or other device specific patches since after August 2023. You already should have stopped using it and moved to a reasonably security device long before GrapheneOS stopped releasing legacy extended support releases each month. We just slowed it down.
@[email protected] @[email protected] There is little point in us doing a release each month for the end-of-life 4th generation devices. We do still unofficially support them in the sense that we will keep these insecure devices working without pretending that any serious form of security can be provided for them. You should not use them, and you will not make them at all secure by using another OS. You’ll only be misleading yourself, not attackers with basic exploits for years old vulnerabilities. Up to you.
@[email protected] @[email protected] Current devices have 7 years of support from launch. Buying a device with 7 years of support near launch and using it for 7 years or better yet buying one someone has already used for a year is the best way for you to conserve resources while having any security at all. You will not have privacy or security on a 4th gen Pixel, and using another OS will not provide it for you even if you wrongly believe that the subset of the AOSP patches you’re getting make it reasonable.
@[email protected] @[email protected] It is a highly insecure device where basic privacy and security can’t be provided. OS choice really doesn’t matter. We tell people all this very clearly in our docs and each release for extended support releases called them out as insecure before they were legacy extended support. Replace the device if you care about privacy and security. Moving to LineageOS or DivestOS will not solve your problem. Neither of those provides decent security even on a non-end-of-life device.
@[email protected] @[email protected]
Thanks for your detailed explanation. And as already said, #GrapheneOS is always my first choice if possible. You’re doing a great job!
Do you know where to find a brief overview of all unpatched CVE for Pixel4a?
The only summary I’vr found is on
https://app.opencve.io/cve/?vendor=google&%3Bproduct=pixel_4a
A search on the NIST cve database was noch successful.
@[email protected] @[email protected]
Look at each of the Android and Pixel security bulletins for September 2023 and later. You’re missing all the fixes in the YYYY-MM-05 section and the Pixel security bulletin page. You’re also missing nearly all of the Moderate/Low severity AOSP patches since Android 14 was initially released because only Critical/High severity patches are backported to older releases in general. The monthly, quarterly and yearly releases of Android have many extra privacy/security patches.
@[email protected] @[email protected] For the YYYY-MM-05 sections, anything about Qualcomm or Broadcom is generally relevant. Most driver/firmware related vulnerabilities are not listed in the Android Security Bulletin. Pixel Security Bulletins list all the vulnerabilities tied to hardware components in Pixels, such as the GPU, radios (cellular, Wi-Fi, Bluetooth, NFC, GNSS and UWB radios) and various other components. Similarly to the ASB, look for Qualcomm and Broadcom components there among others.
@[email protected] @[email protected] thanks for the hints. This might help to perform a very personal risk analysis :)
@[email protected] @[email protected] There are Critical tier remote code execution vulnerabilities for the GPU, cellular, Wi-Fi and Bluetooth drivers. There are also critical remote code execution vulnerabilities for the cellular, Wi-Fi and Bluetooth firmware. It doesn’t really get much worse than the kinds of things which have been fixed regularly. Current Tensor Pixels have dramatically better hardening and security features too, not only receiving current patches. A lot more to privacy/security than patches.
@[email protected] @[email protected] Simply due to being on Android 13, you’re missing 2 years of privacy/security improvements to Android, over a year of our privacy/security improvements in GrapheneOS and 2 years of Moderate/Low security patches. The missing Critical/High severity hardware/driver patches is a whole separate problem that’s not fixable even if we received a massive influx of resources specifically for reviving support for older devices, which we would not do for ethical reasons anyway.
@[email protected] @[email protected] We would not accept substantial money and developers given to us to both revive support for insecure devices and improve the rest of the project to justify it. Why? We do not want to encourage people to use highly insecure devices. We do not want to be the cause of people being harmed because they wrongly believed they were safe because we kept releasing updates for insecure devices where we cannot patch important vulnerabilities. It is not just about lack of resources.
@[email protected] @[email protected] Pixel 5a is end-of-life since after August 2024. Qualcomm SoC related vulnerabilities no longer get listed in Pixel security bulletins for September 2024 onwards since there are no Qualcomm SoC devices remaining. Pixel 6 and later are the Tensor SoC which is heavily based on Exynos including a Mali GPU and they have a Samsung cellular radio instead of Qualcomm. Still Broadcom Wi-Fi other than 7a which is standalone Qualcomm, but also Broadcom/Samsung GNSS instead of Qualcomm.
@[email protected] @[email protected] You’re missing a couple dozen Critical/High severity patches and hundreds of Moderate/Low severity patches. You will not get any of those moving to DivestOS or LineageOS. We think it would be harmful for us to continue providing regular legacy extended support releases where people mislead themselves into believing it’s fine and they don’t really need to listen to us about it. Perhaps this helps you understand why we’re trying to get people to stop using these devices.
deleted by creator
@[email protected] @[email protected] Current Pixels have 7 years of support from launch rather than 3. Get a Pixel 9 or Pixel 8a, use it for 7 years and then replace it with another new device. You can send back the Pixel 4a to them as part of buying it directly from them they’ll pay you around $30 for it despite it being so old because they accept everything from the Pixel 1 with a floor on how low they go for the trade-in value.
Pixels even have longer proper support than iPhones now unless Apple extends it.
@chrisw @kuketzblog Ist mir noch gar nicht aufgefallen, aber das letzte Update ist schon über zwei Monate her. https://grapheneos.org/releases#sunfish Ich habe die Info, dass der extended legacy support nun vorbei ist, nicht gefunden. @GrapheneOS
@mahlzahn @kuketzblog @GrapheneOS
Ja ist nicht direkt ersichtlich, da steht etwas von Support bis zur Major-Vorversion. Und nun ist Android 15 released. Android 13 ist also jetzt außen vor.
Hab deswegen kürzlich auch mal ein eigenes GOS Image Build versucht und kam dabei an NTFS Pfadgrenzen während des Compilerens. Das Phänomän habe ich bei Standard LineageOS Builds nicht. Aber mag an meinem kruden OS Setup NTFS-Mount unter KDE Neon liegen.
@chrisw It’s a highly insecure device with known remote code execution vulnerabilities and many local vulnerabilities including ones which are known to have been successfully actively exploited. It hasn’t received any driver, firmware or other device specific patches since after August 2023. You already should have stopped using it and moved to a reasonably security device long before GrapheneOS stopped releasing legacy extended support releases each month. We just slowed it down.
@[email protected] There is little point in us doing a release each month for the end-of-life 4th generation devices. We do still unofficially support them in the sense that we will keep these insecure devices working without pretending that any serious form of security can be provided for them. You should not use them, and you will not make them at all secure by using another OS. You’ll only be misleading yourself, not attackers with basic exploits for years old vulnerabilities. Up to you.
@[email protected] Current devices have 7 years of support from launch. Buying a device with 7 years of support near launch and using it for 7 years or better yet buying one someone has already used for a year is the best way for you to conserve resources while having any security at all. You will not have privacy or security on a 4th gen Pixel, and using another OS will not provide it for you even if you wrongly believe that the subset of the AOSP patches you’re getting make it reasonable.
@[email protected] It is a highly insecure device where basic privacy and security can’t be provided. Your OS choice really doesn’t matter. We tell people all of this very clearly in our docs and each release for the extended support releases called them out as insecure before they were legacy extended support. Replace the device if you care about privacy and security. Moving to LineageOS or DivestOS will not solve your problem. Neither of those provides decent security even on a non-end-of-life device.