GNU social JP
Conversation

Notices

  1. GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 28-Jun-2025 06:42:02 JST
    • Viss
    • Ian Campbell
    • Security Writer
    • Taggart :donor:
    • Tris

    @neurovagrant @mttaggart @tris @Viss @SecurityWriter Pixels have very competitive hardware and firmware security to iPhones. The stock Pixel OS isn't far behind iOS security. GrapheneOS only supports devices meeting reasonable security standards where we define reasonable as better than an iPhone.

    Pixels provide hardware memory tagging which is a very useful powerful feature for defending against exploits and we were the first to deploy it in production. It's still only heavily used by us.

    • GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 28-Jun-2025 06:41:57 JST
      in reply to
      • Viss
      • Ian Campbell
      • Security Writer
      • Taggart :donor:
      • Tris

      @SecurityWriter @neurovagrant @mttaggart @tris @Viss

      > Majority of law enforcement ‘successes’ are against outdated, poorly secured devices with owners with terrible OpSec.

      Cellebrite Premium can usually exploit current iOS and Android versions on the vast majority of devices. If the device is in the After First Unlock state, it can usually get the data. Pixel 6 and later / iPhone 12 and later will usually prevent getting data if it's in Before First Unlock state.

    • Security Writer (securitywriter@infosec.exchange)'s status on Saturday, 28-Jun-2025 06:41:58 JST
      in reply to
      • Viss
      • Ian Campbell
      • Taggart :donor:
      • Tris

      @GrapheneOS @neurovagrant @mttaggart @tris @Viss also, one more point on Cellebrite, Apple will give you the best part of half a million dollars if you can demonstrate a POC of Cellebrite/A N Other’s claimed exploit on a current device.

      Majority of law enforcement ‘successes’ are against outdated, poorly secured devices with owners with terrible OpSec.

    • GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 28-Jun-2025 06:41:58 JST
      in reply to
      • Viss
      • Ian Campbell
      • Security Writer
      • Taggart :donor:
      • Tris

      @SecurityWriter @neurovagrant @mttaggart @tris @Viss Google has a similar rewards program for Pixels:

      https://bughunters.google.com/about/rules/android-friends/6171833274204160/android-and-google-devices-security-reward-program-rules

      Both Apple and Google pay substantially less than people get selling their exploits to exploit vendors. Cellebrite, NSO, etc. appear to largely do vulnerability discovery and exploit development themselves anyway. It was apparent from many of the Linux kernel USB driver vulnerabilities they were caught using that they likely extended syzkaller with better USB support.

      Jesse 🇫🇷 repeated this.
    • GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 28-Jun-2025 06:41:59 JST
      in reply to
      • Viss
      • Ian Campbell
      • Security Writer
      • Taggart :donor:
      • Tris

      @neurovagrant @mttaggart @tris @Viss @SecurityWriter If iOS had such good security, it would not be consistently failing to prevent Cellebrite and other companies from getting into devices whether it's physical data extraction or remote exploits.

      There are areas where iOS does better at privacy and security, but there are also areas where the Android Open Source Project on a Pixel does better. GrapheneOS is a substantial upgrade over AOSP for privacy and security, and we focus on weaknesses.

    • Security Writer (securitywriter@infosec.exchange)'s status on Saturday, 28-Jun-2025 06:41:59 JST
      in reply to
      • Viss
      • Ian Campbell
      • Taggart :donor:
      • Tris

      @GrapheneOS @neurovagrant @mttaggart @tris @Viss I appreciate what you’re saying, but you’re also confusing security and privacy.

      But mostly, there’s a lot of FUD surrounding Cellebrite, and they’re still unable to bypass a current OS version’s security, strong passcodes, encrypted file systems, and are completely stopped by lockdown mode.

      I hate Apple as much as the next guy, but don’t spread misinformation.

    • GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 28-Jun-2025 06:42:00 JST
      in reply to
      • Viss
      • Ian Campbell
      • Security Writer
      • Taggart :donor:
      • Tris

      @neurovagrant @mttaggart @tris @Viss @SecurityWriter GrapheneOS much more successfully stops real world exploits by sophisticated exploit development companies. GrapheneOS does have substantial adoption among people who are targeted with these exploits and governments, law enforcement and these vendors do heavily target it. Based on multiple leaks from different companies, they have a harder time with GrapheneOS.

      iOS security is good but a lot of people in the security community overstate it.

    • GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 28-Jun-2025 06:42:01 JST
      in reply to
      • Viss
      • Ian Campbell
      • Security Writer
      • Taggart :donor:
      • Tris

      @neurovagrant @mttaggart @tris @Viss @SecurityWriter It's not true that iPhones don't get compromised at computer hacking contests but that's a poor way of judging things. This thread has leaks of Cellebrite's documentation on their capabilities as an example:

      https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation

      iPhones don't successfully block Cellebrite, Magnet Forensics (Graykey) and MSAB (XRY Pro) from getting into After First Unlock state devices. They consistently exploit new releases. Same goes for remote exploits.

    • GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 28-Jun-2025 06:42:24 JST
      in reply to
      • Viss
      • Ian Campbell
      • Security Writer
      • Taggart :donor:
      • Tris

      @SecurityWriter @neurovagrant @mttaggart @tris @Viss

      > I hate Apple as much as the next guy, but don’t spread misinformation.

      We're not spreading misinformation. Leaks from Cellebrite and other commercial exploit developers show that iOS security does not hold up as well as you're portraying it. We have access to recent Cellebrite Premium documentation and can see that you're wrong. We also have similar information from several other exploit development companies. They keep up with updates.

    • GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 28-Jun-2025 06:42:25 JST
      in reply to
      • Viss
      • Ian Campbell
      • Security Writer
      • Taggart :donor:
      • Tris

      @SecurityWriter @neurovagrant @mttaggart @tris @Viss

      > I appreciate what you’re saying, but you’re also confusing security and privacy.

      We're not confusing security and privacy. We're talking about security. You're overstating the security of iOS devices.

      > they’re still unable to bypass a current OS version’s security

      That's not true. They can usually exploit the latest iOS release in After First Unlock state. Pixel 6 and later / iPhone 12 and later successfully prevent brute force in BFU.

      Jesse 🇫🇷 repeated this.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.