There's no legitimate excuse for banning using a much more private and secure operating system while permitting devices with no security patches for a decade. Meanwhile, Revolut's shoddily made app tells users they're banning GrapheneOS because they're "serious about keeping your data secure".
Play Integrity API checks that Google's monopolies are supported through devices licensing Google Mobile Services and integrating their browser, search engine, advertising, etc. It's anti-competitive and clearly illegal. Multiple governments are taking regulatory action and are in contact with us.
GrapheneOS fully supports standard Android hardware attestation for verifying the hardware, firmware and operating system along with the app that's using it. See https://grapheneos.org/articles/attestation-compatibility-guide. If apps insist on checking device integrity, that's the only way they should do it.
Revolut is specifically banning GrapheneOS by checking for the build machine hostname and username being set to grapheneos. We've changed these to build-host and build-user. Combined with another change, this allows our users to log in to it again until they roll out Play Integrity API enforcement.
There's no legitimate reason for any app to ban GrapheneOS users. It has the full standard security model and massive security improvements. There's no logic in banning GrapheneOS. It makes no sense for them to ban anything when they permit a device with no patches for 10 years. It's performative.
Revolut uses a bunch of shady closed source third party libraries in their app and it's one of these libraries banning GrapheneOS. These libraries are a major security risk and put user data at risk of being compromised. Revolut is not taking user security seriously at all and is cutting corners.
Revolut's app will stop working again once they start enforcing having a Play Integrity API result showing it's a Google certified device. This is not a security feature but rather anti-competitive behavior from Google deployed by apps like Revolut wanting to pretend they care about security.
Choosing to write the Matrix server software in Python in the first place was a huge mistake. It's now far harder to develop and maintain the software. It heavily contributes to it being buggy and fragile. It's the biggest factor in it being so incredibly slow and hard to scale.
A chat server running on powerful hardware collapsing when handling more than 100 events per second isn't acceptable. Events scale up based on room activity from non-local users including spammers too. It's an issue for a server with 12 users too.
https://element.io/blog/scaling-to-millions-of-users-requires-synapse-pro/
Vanadium version 132.0.6834.79.2 released:
https://github.com/GrapheneOS/Vanadium/releases/tag/132.0.6834.79.2
See the linked release notes for a summary of the improvements over the previous release and a link to the full changelog.
Forum discussion thread:
https://discuss.grapheneos.org/d/19065-vanadium-version-13206834792-released
#GrapheneOS #privacy #security #browser
MTE directly uncovers memory corruption bugs which are often security bugs. Type-based CFI uncovers type mismatches which block deploying it but rarely have any direct security impact. These are major ongoing areas of work as software changes, not only for the initial deployment.
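Added example, not part of the GrapheneOS posts: the kind of type mismatch that type-based forward edge CFI reports. The function names and sample data are constructed; built normally both paths sort correctly, while a Clang build with `-fsanitize=cfi-icall -flto -fvisibility=hidden` traps on the mismatched one even though no memory is corrupted.

```c
#include <stddef.h>

/* The indirect call site expects exactly this function type. */
typedef int (*cmp_fn)(const void *, const void *);

/* Insertion sort with an indirect call; cfi-icall checks the target's
 * real type against cmp_fn before every cmp(...) call. */
static void sort_ints(int *v, size_t n, cmp_fn cmp) {
    for (size_t i = 1; i < n; i++) {
        int key = v[i];
        size_t j = i;
        while (j > 0 && cmp(&v[j - 1], &key) > 0) {
            v[j] = v[j - 1];
            j--;
        }
        v[j] = key;
    }
}

/* Mismatch: real type is int(const int *, const int *). It only reaches
 * sort_ints through a cast, which CFI rejects at the call site. */
static int cmp_typed(const int *a, const int *b) {
    return (*a > *b) - (*a < *b);
}

/* Fix: declare the exact expected type and convert inside the body. */
static int cmp_void(const void *a, const void *b) {
    const int *x = a, *y = b;
    return (*x > *y) - (*x < *y);
}

static int is_sorted(const int *v, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (v[i - 1] > v[i]) return 0;
    return 1;
}

/* Constructed sample data. Each function returns 1 when the array ends up sorted. */
int run_mismatched(void) {
    int v[] = {42, -7, 13, 0, 13};
    sort_ints(v, 5, (cmp_fn)cmp_typed); /* traps in a cfi-icall build */
    return is_sorted(v, 5);
}

int run_matching(void) {
    int v[] = {42, -7, 13, 0, 13};
    sort_ints(v, 5, cmp_void);
    return is_sorted(v, 5);
}

int main(void) { return (run_matching() && run_mismatched()) ? 0 : 1; }
```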
Unlike Chrome, we enable type-based forward edge CFI for our Vanadium browser to cover the default browser and WebView. Other than that, the usage of Clang CFI has the same scope as the stock Pixel OS and our focus is on higher impact areas. Expanding it causes regressions we have to address.
Our most recent release enabled MTE for Linux kernel allocators too: https://grapheneos.org/releases#2025011500. We need to improve the kernel implementation to enforce deterministic guarantees with it as hardened_malloc does. We're also planning to deploy stack allocation MTE for both the kernel and userspace.
Instead of working on expanding CFI coverage, our focus is on higher impact features including hardware memory tagging (MTE). We have a best-in-class implementation of MTE for heap protection in hardened_malloc and we deploy MTE for all but a single userspace process (camera HAL).
Unlike the stock Pixel OS, we enable pointer authentication (PAC) return protection for userspace instead of only the kernel. Similar to BTI, this is easy to enable and doesn't cause regressions. Unlike the stock Pixel OS, we use Shadow Call Stack as an extra layer on top of PAC in the kernel.
Android uses Clang type-based forward edge Control Flow Integrity (CFI) for the kernel and a subset of userspace. It isn't a high impact security feature. We used to have changes expanding userspace coverage but Android is already doing it and we moved this effort to higher impact work.
Unlike the stock Pixel OS, we enable branch target identification (BTI) to address holes in Clang CFI coverage in the kernel and the lack of full deployment in userspace. BTI is coarse grained CFI and is an extremely weak security feature but it's easy to enable and doesn't cause regressions.
GrapheneOS version 2025011500 released:
https://grapheneos.org/releases#2025011500
See the linked release notes for a summary of the improvements over the previous release.
Forum discussion thread:
https://discuss.grapheneos.org/d/19017-grapheneos-version-2025011500-released
#GrapheneOS #privacy #security
Vanadium version 132.0.6834.79.0 released:
https://github.com/GrapheneOS/Vanadium/releases/tag/132.0.6834.79.0
See the linked release notes for a summary of the improvements over the previous release and a link to the full changelog.
Forum discussion thread:
https://discuss.grapheneos.org/d/19000-vanadium-version-13206834790-released
#GrapheneOS #privacy #security #browser
Can see from the dashboard above they did the usual no changes (https://chromium.googlesource.com/chromium/src/+log/e5f87164633afb3ab0e1d2fb08831f249cc6f03f) release of the previous stable branch today (131.0.6778.261). That's usually done alongside a stable release of the new version replacing the early stable rather than rolling it out to stable.