Notices by GrapheneOS (grapheneos@grapheneos.social), page 2

Companies should treat user data as toxic waste rather than as something they want to gather and hoard for business models like targeted advertising. It's not a good thing to have a bunch of sensitive data which could be obtained by adversaries or requested by a government.

Telegram has heavily participated in misinformation campaigns targeting actual private messaging apps with always enabled, properly implemented end-to-end encryption such as Signal. Should stop getting any advice from anyone who told you to use Telegram as a private messenger.

Telegram is capable of handing over all messages in every group and regular one-to-one chat to authorities in France or any other country. A real private messaging app like Signal isn't capable of turning over your messages and media. Telegram/Discord aren't private platforms.

Telegram has full access to all of the content of group chats and regular one-to-one chats due to lack of end-to-end encryption. Their opt-in secret chats use homegrown end-to-end encryption with weaknesses. Deleting the content from the app likely won't remove all copies of it.

We're going to be supporting and funding an approach where the data is available for anyone to use local databases on their devices or host their own servers. For GrapheneOS, we plan to provide both a local database option and a GrapheneOS server option. We'll only use open data.

Having an open source client/server won't make up for having proprietary data requiring giving your location to a server. They want to lock people into streaming their location to them in real time. Replacing Apple or Google with far less trustworthy people isn't progress at all.

Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won't.

https://wired.com/story/google-android-pixel-showcase-vulnerability/

@kkarhan @tasket @stman

> To me it's still flabberghasting me that #GrapheneOS doesn't seem to be interested in partnering with or starting their own devices if they know their field so well...

No, this is thoroughly inaccurate. We've actively pursued partnerships with multiple OEMs. They've failed to provide what we need and create devices meeting our requirements.

Fairphone and Shift have made it fairly clear that security is not a priority to them and have not wanted to collaborate.

GrapheneOS App Store now includes a mirror of Accrescent, which is a privacy and security focused alternative to the Play Store distributing developer builds of apps:

https://accrescent.app/

Accrescent comes from within the GrapheneOS community and we're collaborating together.

@kaia It's useful as a stand for charging and giving it better audio. It's unfortunate that it doesn't have a USB hub since you can't use both the USB-C port and stand pogo pins USB connection at the same time. The one that's connected first blocks the other from being used.

Positon (https://positon.xyz/) is a geolocation service closely tied to a group of people targeting our team with harassment. We urge people to avoid submitting their sensitive location data to this service. People involved in it have supported doxxing and swatting attacks.

They intend to lock people in to the service by keeping a lot of the data proprietary. They've repeatedly talked about locking people into it and avoiding having alternatives to it. Their priority is having control and ownership of data while sabotaging decentralized approaches.

Wise silently disabled adding our EUR account as a contact on Wise, blocking people from transferring us money on the platform. They're stonewalling us about it. We've received 3 donations via EUR today, so transfers from other banks to our Wise account are still working fine...

Wise's initial response was they're unable to talk to us about it for security/regulatory reasons and needed to talk to the people trying to send us money instead. Fine, but they stonewalled each of those people and said they couldn't say anything for security/regulatory reasons.

Wise won't tell us which of our accounts has disabled functionality or which functionality has been disabled. It only appears to impact receiving EUR via Wise, not sending it and not other currencies. We likely triggered a false positive and they simply default to stonewalling.

Our experience with financial services is that the only way to solve the problems is to post on social media about it, get significant traction and eventually someone who works with the company prods them internally to get it sorted out, which ends up being a quick/simple fix.

There were 2 main issues:

1) memory not wiped when booting firmware-based fastboot mode, allowing exploiting it to get previous OS memory
2) AOSP device admin API depends on reboot-to-recovery to wipe before Android 14 QPR3

Neither is issue is being fixed outside Pixels yet.

Our 2024052100 release backported the upstream wipe-without-reboot feature being shipped in the June 2024 release of Android (Android 14 QPR3): https://grapheneos.org/releases#2024052100.

We extended it to make it more robust via extra redundancy in our 2024060400 release: https://grapheneos.org/releases#2024060400.

We explained this in our previous thread:

https://grapheneos.social/@GrapheneOS/112204437363495338

CVE-2024-29748 was a mitigation for the issue implemented in the Pixel bootloader. Full solution is implementing wipe-without-reboot, which is now a standard feature in Android 14 QPR3 released as part of AOSP.

This is being widely incorrectly reported in tech news coverage. Pixel Update Bulletins are almost entirely patches for vulnerabilities which apply to other devices too. Android Security Bulletins are the list of what other OEMs are required to fix, not the full list of patches.