overheadscallop: its not very clear

izymandias: looks like you have a load of 'active' matrix sessions. I'd recommend getting rid of all the ones you don't use and verify the others.

dazinism: im just curious if verifying these rooms is something that is safe to do

Think you either verify your sessions with each other (eg. Phone & computer) or other peoples, ideally when you meet them in person

Dont verify rooms

izymandias: its generally a good thing to do. With your own devices, its for sharing end to end encryption keys.

Between the devices that are verified. So you can read encrypted messages from any device.

Verifying other people lets you know your e2ee hasnt been man-in-the-middled

Also allows the client to let you know if your contact has new devices (which in some situations may be suspicious)

Can set it up to only encrypt messages to devices you've verified

Hopefully you can follow that - lol

ok

i get it

thNKS

If you suspected one of your devices may be compromised, probably not a good idea to verify it

strcat[m]: this was just merged GrapheneOS/platform_bionic #5

do you still want me to test with the last 2 commits?

renlord: yes

renlord: test without that commit and without the ASLR commit - just revert the most recent 2

ok

Does anyone know if there is another public server for Konele available to test out the Speech to Text function?

is there a way to stop Graphene from re-promping the password every so often? (when setup with fingerprint)

It is different from aosp? On aosp it just prompt after many hours, usually when you sleep it ask for password when u wake up, at least on my phone.

Maybe you press the fingerprint multiples times without noticing it, but nowadays the sensor should be turned off if the screen is covered eg in your pocket, not sure if that feature is present on pixels.

strcat[m]: test pass at HEAD~2

5cc8c34e60dbfeb1fd996bf83bb01a0443d93a8a

the 2nd stack ASLR was the commit that broke CTS test

hi

renlord: CTS on emulator would catch this too in theory, right

Wonder if it'd make sense to have an automated test just for the platform failures then. There can still be full device tests for proper verification, but it could still catch failures early

cdesai: yes

itd be good if it was possible to just run the tests directly in the bionic repo

i dont even know how the CTS gets compiled and how the source ends up in the CTS

wow, so few real irc users :(

Hello everyone

<snark "Hello everyone"> Hello

im using grapheneos with pixel 3a / pixel 3a xl - now installed on pixel 4

looks like motions sense and smooth display are not supported - I tried to find info on this matter but no success

<snark "im using grapheneos with pixel 3"> Congrats ^^

* Congrats

can't help with that

snark: those things are only distributed via the google vendor images i think

I'm on 3a

Maybe checking sensor permission?

if they dont exist on aosp, then you dont have those features

mmmh, these features are missing in the settings

* I'm on 3a

Maybe check the sensor permission?

like the active edges on 3a

thing is - they appear in google original firmware (never used it - wiped in favor of GrapheneOS immediately)

Yeah, those aren't implemented, for reasons "renlord" (matrix.to/#/@freenode_renlord:matrix.org) have stated

"not in AOSP" arguement sounds legit

its not an argument, it is a fact.

ok, can live with that fact as well :)

thanks for clarification

no prob

Hey lads, I'm looking to get the most out of my Pixel 4 with GrapheneOS installed, and I'm looking to install Gcam, Pixel launcher, and Pixel themes. Anyone know if there is any telemetry for these applications with Google and whether they work for Graphene?

Google apps don't work without microG to my knowledge

You can install a patch to get GCam working

Which we don't have on Graphene

Yes

Which is why I said install...

How can I get it to work?

github.com/lukaspieper/Gcam-Services-Provider download and install this apk, then whatever gcam app you wish to use. It'll work then @rednovember:matrix.org

<RedNovember[m] "How can I get it to work?"> use stock

CalyxOS?

<f8sai[m] "CalyxOS?"> RedNovember

Not really?

Or rather there is none for GrapheneOS

Due to it not meeting the hardware, firmware security requirements

I recommend searching the logs on freenode.logbot.info/grapheneos

cdesai: any progress on Chromium?

f8sai [GNU/GPL v3]: it doesn't support

I guess if we support pinephone we might as well support every phone on the market

it doesn't meet the requirements

Because pinephone isn't even CTS pass

It was never designed to run android

it doesn't have the functionality needed to run the OS and certainly can't be secure

Yeah, thanks for confirming it further

* Or rather there is none (no Pinephone builds) for GrapheneOS

no verified boot, no hardware-backed keystore, no hardware encryption support and many other things

not a possible target

f8sai [GNU/GPL v3]: also you need a development team

We are just securing devices that have already been developed for

You'd have to start from scratch for pinephone

And really we don't have those kinds of resources

<anupritaisno1[m] "f8sai [GNU/GPL v3]: also you nee"> Yeah, just answering the question. Not interested in building it due to not meeting the requirements and not having one myself.

We'd also need to create our own security bulletins

And get security researchers to find issues

Along with rolling out security patches ourselves

Anyways, thanks for an informative answer. A question, is it possible to tinker or build Android settings without building the whole OS due to limitations in RAM and CPU?

* Anyways, thanks for an informative answer. A question, is it possible to tinker or build Android settings without building the whole OS due to limitations in RAM and CPU of the computer itself?

Maybe that will not be feasible due to it having to be tested. Nvm

(the changes)

f8sai [GNU/GPL v3]: sometimes

But this is strictly developer only and assumes you have a build with your own keys in the first place

If you have your own keys you can rebuild individual parts like apps and test them quickly instead of building a full system image

Figures, guess I can't do that just yet

Thanks for the info

strcat[m]: I did a bunch of builds with different configs, need to check status. But haven't got it working yet unfortunately

I compiled 85. And master too hoping that if they have a fix we can backport, need to recheck as I fired off the build before logging out on Friday

<lovesausage[m] "Hi! I just ordered my pixel phon"> that breaks verified boot

along with other weaknesses

that is not GrapheneOS if you install magisk

app ipc is too strong on Android anyway that adds a ton of attack surface even if you fully trust the app

<lovesausage[m] "Hi! I just ordered my pixel phon"> why do you need root so badly

If you go with root then I will recommend you to set a tasker task which will verify important partitions on the boot. It will show if any files have been modified in last 24 hours before you enter your lock screen password.

<theultron[m] "If you go with root then I will "> that doesn't work

<lovesausage[m] "Well I use a lot of magisk stuff"> Just use PrivateDNS for blocking

works the same

<cn3m[m] "that doesn't work"> Why won't it work? It works fine for me.

<theultron[m] "Why won't it work? It works fine"> you can very easily bypass that app if you get root and change what it is verifying

there is not physical root of trust

it is at the whims of the attacker

Verified Boot has to be in software

* Verified Boot has to be in hardware*

even partially hardware solutions don't work well like CloudReady which has many holes in the implementation

But if an attacker is so committed to hack into you then he will find any way. May be he buys an exploit for your device hardware.

<lovesausage[m] "I also use root to change encryp"> You don't need root for that. You can set a long password.

<theultron[m] "But if an attacker is so committ"> The blobs and everything is verified with verified boot too

<lovesausage[m] "I also use root to change encryp"> that is not needed with the architectural changes on Android and Pixels

a 4 digit pin on a Pixel would take 650 years to crack with unlimited computing power

I also use root to change encryption password/key from 4 digits to longer one, is this feature included in Graphene?

nice, but the same pass for encryption and lockscreen . how come a 4 digit pin takes so long to crack on a Pixel when it goes a lot faster to bruteforce it on others?

I think the Pixel have something called Titan M which makes brute forcing difficult. You still may go with a longer password to be on the safer side.

ah , I never understood what the titan M did really

I personally feel the Graphene community enlarges the risk of being rooted on your phone and totally neglect the benefits which come out of it.

The Titan M is extremely close to the Secure Enclave from Apple which has still secure after 7 years

The Titan M and Secure Enclave both offer Insider Attack Resistance and rollback protection

This means Google, GrapheneOS, or Apple could never make a backdoor to open a device after it was locked without your PIN. If they did before it would only work until the next update

lovesausage: it is very cool tech

<cn3m[m] "The Titan M and Secure Enclave b"> researchers made work on sep, see Hao Xu abstract mosec.org/en/2020

Very cool :)

The other thing is even if you did attack these chips they have key derivation. For example on the default iPhone with a full SEP exploit would still take on the dedicated crypto hardware 4200 hours

to break a pin

if you had a password or a longer than default pin it would be even longer

<theultron[m] "I personally feel the Graphene c"> rooting breaks the security model of Android. It opens up your device to persistent threat

It's not easy for any app to gain root access on your phone unless it finds an exploit (something like xhelper gained access on older android version but there were enough signs of you being infected)

if you want to break your remote security and physical security go for it

or you root your phone and manually give access.

<theultron[m] "It's not easy for any app to gai"> why are you even looking for a secure rom then? There are a lot cooler roms if you don't care about security

Clickjacking attacks in 2020 are dumb.

you don't need clickjacking

just an ipc attack

which is super common on Android

look at MRW Labs finding 11 to get persistence on Android without memory corruption

Firefox recently had a vulnerability that would let any app hijack it

<cn3m[m] "why are you even looking for a s"> Ofcourse I care for security. I won't put any cool rom on my phone where I don't know what's inside.

<theultron[m] "Ofcourse I care for security. I "> you are not running GrapheneOS if you root

that is not GrapheneOS

What the hell is going on here?

You can isolate using User Profile for threats using IPC. 2 apps require to communicate for IPC.

cn3m: apart from the 1M bounty are you describing Qualcomm TEE or Titan M because Qualcomm TEE does that as well

<cn3m[m] "look at MRW Labs finding 11 to g"> Any link for the same?

There are other reasons for the titan M to be used

theultron: labs.f-secure.com/archive/chainspot…ding-exploit-chains-with-logic-bugs

<anupritaisno1[m] "There are other reasons for the "> yeah

Even if your phone gets hijacked there will be something out of ordinary you notice - notifications? firewall log? check recently installed app?

theultron: just get grapheneos?

you are missing the point we want to have secure devices here not ones you have to figure out when you are hacked

xD

Rooting GrapheneOS is impossible because then it is not GrapheneOS

cn3m: *installs magisk on grapheneos*

<anupritaisno1[m] "cn3m: *installs magisk on graphe"> that is not GrapheneOS

How so

theultron[m]: all instances of GrapheneOS are signed, verified, built reproducibly, there are multiple levels of digital signature validation, and each installation is bitwise identical across each given instance of each device and traceable back to the release keys.

This is why we say that "it's not GrapheneOS" if you modify it.

Daniel has clearly stated for something to be GrapheneOS it has to be locked and can't have play services or magisk

If it is not locked and has things like that you are running an OS that is not GrapheneOS

Makes sense

I am not on GrapheneOS as I am happy with my manufacturer's rom. I am not doubting GrapheneOS security at all. I am saying that the risk of being root is blown out of proportion.

theultron: then recreate dm-verity and use external attestation, it's still weak BTW

if you have root you have a non immutable OS which is just not going to work with verification

> I am not on GrapheneOS as I am happy with my manufacturer's rom. I am not doubting GrapheneOS security at all. I am saying that the risk of being root is blown out of proportion.

For average use maybe....graphene is trying to be as secure as possible though.

Android isn't built like a desktop operating system, but rather, it's built out of many mutually-distrusting and separate components. The attitude that upstream took is remarkably pragmatic: they realized that a perimeter security model breaks down the instant you run code that may not be 100% trustworthy. So what they did instead was attempt to design android as mutually-distrusting components

that are constrained via mandatory access controls to be permitted to do only what they should be doing.

but graphene isn't root lmao

find /system | sort ->hashes

assert (hashes=oldhashes) else git diff

Or whatever diff you like

This is why only init and a few other components have root-equivalent access.

This isn't a replacement for dm-verity

By rooting, you're essentially saying "screw good security design."

Also with root on your phone things like "check logs" become moot, since those could be altered too

<TheJollyRoger "This is why only init and a few "> init is restricted

TheJollyRoger: iirc 5 processes have root on android

cn3m[m], anupritaisno1[m] ah, okay.

Time to add a 6th /s

TheJollyRoger: you free?

anupritaisno1[m]: a little. What can I do for you?

TheJollyRoger: I sent 5 PRs

cn3m: I saw the mwk labs findings. It uses samsung push service for ipc. It's not possible in my case as the only apps which have internet access is Bromite & Orbot. I have removed the updater component of my OEM. You need to plan a specific targeted attack for me.

I did test them and I was running them for 2 weeks

But if you can, test them one by one

anupritaisno1[m]: ok, uh... might need a bit of help. Sec.

the only area Android gets an F on security is accessibility services and no easy way to check them. GrapheneOS mitigates this with the Auditor app and remote attestation

I'll go get onto that in a bit.

<theultron[m] "cn3m: I saw the mwk labs finding"> that is not how it works at all

<anupritaisno1[m] "theultron: then recreate dm-veri"> It's weak but works.

For example if you have any app with root it doesn't care about network permissions(Android apps can bypass virtually all firewalls without root even). Any app can be hijacked

<theultron[m] "It's weak but works. "> If it is weak that is the definition of not working

<cn3m[m] "For example if you have any app "> How do you bypass AFWall+? Even my kernel is not able to do it.

cn3m: BTW

<theultron[m] "How do you bypass AFWall+? Even "> uh no, the kernel absolutely can bypass AFWall. You can talk to other apps like browsers, you can use low level network sockets, you can side step it with root. Just to name a few methods

<anupritaisno1[m] "cn3m: BTW "> yeah?

<cn3m[m] "uh no, the kernel absolutely can"> AFWall is incredibly not robust

Imagine using a third party firewall

You have to plan a very specific attack in order to target me. If I am under any such threat of attack then I won't even use a phone.

Riotx crashed on me

Do you think the stock charging animation resembles grapheneos?

<theultron[m] "You have to plan a very specific"> en.wikipedia.org/wiki/Security_through_obscurity

<anupritaisno1[m] "Do you think the stock charging "> yeah it looks pretty minimal(in a good way)

looks prettier than the one on mine

element is basically riotX

except that it crashes after a while

Did support riot.im and riotx stop now? No more updates?

<fll[m] "Did support riot.im and riotx st"> just renamed

We Element boys now

Hey any way to use dual apps on one account?

well thanks for the info, I guess I will have to manage without root then :) Will feel weird :)

<lovesausage[m] "well thanks for the info, I gues"> fortunately unrooted Android is far better than it was

I use shelter now for dual apps but someone mentioned a while ago that its not safe, someone might now why?

<youpie12 "I use shelter now for dual apps "> it is not that bad really

it does share clipboard and uses a device manager in the work profile

neither of which is ideal

But in case of someone obtaining my device while i restarted it; it shouldn't become less harder to attack right?

Its more of a privacy issue

while on

or am i mistaking

If someone obtains your device after you restart it, that phone is encrypted.

no it wouldn't make it easier to break your phone physically

Remember that each profile is encrypted with different keys, which need to be derived using a combination of access tokens contained in the HSM, information in the header partition, and your password.

<TheJollyRoger "If someone obtains your device a"> with restricted usb even not rebooted you should be fine. Apple hasn't had a Cellebrite like attack claimed since doing that and we just added that back a year ago

Thanks, the phone still loads up in a second for me with a 20 character password which makes me sometimes think its not encrypted at all.

Ideally reboot, but GrapheneOS is holding on strong :)

youpie12: Would you like to try a simple experiment?

Cellebrite is my enemy atm

Yeah

Ok. Got a password set? A four digit pincode will do.

yes

<youpie12 "Cellebrite is my enemy atm"> don't worry about them lol

My ''attacker'' will probably try cellebrite ufed

if got hands on my phone

thats the reason im on graphen

dont trust the standard android encryption

You do realize those UFED devices when they list supported devices, are for extracting the images of already unlocked devices, correct? Only "lockscreen bypass" means they've got an exploit.

<youpie12 "dont trust the standard android "> you should it is fantastic

<TheJollyRoger "You do realize those UFED device"> they can't extract images with the security chips

I've seen new iphones get hacked

they could but they are useless

This pixel chipset shoudl safe

<youpie12 "I've seen new iphones get hacked"> not really ever since iOS 11 something

They claim they can get in

ios 13

Ok, simple experiment coming up: reboot your phone, and then when you see "password required after reboot" at the lockscreen, hit 00000 (unless that is your password, in which case you should change it) and press return. Repeat this 50 times;

in news pages

iPhones are generally more resistant to these things, but GrapheneOS closes that gap

Same 000000

or just similar

and repeat that 50 times?

Yes, or anything but your password. You'll notice that after the first five attempts, it's going to force you to time out 5 seconds, then after the first ten, it's going to force you to time out for 30.

Ah theres a timer

Once you hit 50, it's going to force you to time out for one minute.

You cant get around a timer?

After two weeks of this, it's going to reach 24 hours between attempts.

Like an exploit

Because android stock also

Has one

No, you can't. The Titan M contains an access token and its own internal incremental timer that doesn't answer to the host timer.

Ah now i get it.

So even if you found an exploit for the operating system, the Titan M is going to say "Sorry, but your timer doesn't match mine. Fifty seconds, by MY COUNT, and not yours."

youpie12: they can't get into iOS 13

And remember, the Titan contains the access tokens which are needed to derive the keys from the password.

also key derivation so even if they bypass the timer they still have issues

So, youpie12 -

Let's say you set a four digit pincode and that four digit pincode is /perfectly/ random, like you used D&D dice to generate it and it's hard to guess. I know you probably are going to set a much longer password, but bear with me for the sake of a thought experiment.

Yeah i know

Mathematically

This will take a long time for

a brute froce

Yep. After two weeks of getting to the maximum, it'll take 650 years to exhaust the keyspace.

If you're not certain 650 years is enough for you or you want a little extra peace of mind or you want something to remember, you can use a diceware passphrase.

*want something easier to remember.

It takes half a year for an iPhone encryption chip to break into itself if it were to bypass the timer for a default random pin. That is with bypassing the timer.. crazy hard. I don't know the key derivation on the Pixel though

I'll shrink down my pass

it is probably close

even if you bypassed the timer the PIN would not be trivial to break

youpie12: I prefer to use a word passphrase, but that's because I find them easier to memorize.

which is a big if

a really big if

I have avery bigg passphrase

20 characters pass

But by knowing this ill cut down half

youpie12: size matters, but what matters more in this case, is secrecy, uniqueness, and difficulty of guessing.

Have random symbols and a random numebr

twenty characters' worth of passphrase accounts for zero security bits if it's your mother's maiden name and her year of birth.

10 even might be overkill if it is random

Use even longer password for ssd

Yeah i'll use an easier pass

Even though apparently password guesser thinks that that's ~65 bits if I enter it into the "password strength meter."

Logging in any time took so much effort

Someone any reccomendation to use instead of shelter, seems to not be working everytime i restart the pone fully i have to reinstall it.

even with just upper, lower, and numbers a 10 character password would be very strong even with a timer bypass

Just noticed now again

So using a 8 digit code

Random

Would be already more than enoug

for no person to be able to get in to in a small timeframe

<youpie12 "So using a 8 digit code"> yes, but if you had a timer bypass that would eventually fall

Yeah. That's why the Titan has its own timer that's sealed within the chip and it only answers to its own timer.

Rather than the host's.

Two randomly selected words from the pocket edition of the Oxford English Dictionary would give you enough brute force resistance to last probably until well after the Earth gets swallowed by the Sun.

Since the pocket edition of the Oxford English dictionary has more than 50,000 words, that's more than 2.5 x 10^9 possible combinations.

Well eventually there will be a way to still access the data of the phone

With technology in 10 20 years i dont think the earth is swallowed then but we still dont know that much about computers

the iPhone has key derivation of ~150ms with dedicated crypto hardware. The Titan M must be similar that is impressive

that is of course with a timer bypass

youpie12: the good news is, the devs already gave thought to that.

not enforced at all with hardware or software it is all math

Yeah math

Untill we discover another way

to achieve information from a computer

derivation is very cool

untill we discover bats and rats instead of bits

Which already are there but we dont know

The cipher on disk is AES-256-HEH for the metadata and AES-256-XTS for your actual data. The cipher was designed to live for more than a century and although there is the possibility of a sufficiently powerful quantum computer being invented in the far future, Grover's Algorithm will only reduce the key strength by its square, which still leaves you with ~128 bit equivalency against a brute

force attack.

128bit AES is insanely overkill still imo

it would need a flaw in the spec and an almost physically impossible quantum computer

to get through that AES 256

thats what i mean with bats and rats we will discover the quantum pc and stuff and eventually get in all data in a completely data rich wor;ld

most crypto is highly quantum resistant at this point

Yes and smoking cigarettes was considered healthy

once a time

youpie12 what are you trying to get us to say?

I'm going to be frank here: what do you want to hear?

Nothing just sharing my not so important opinion

there is really no better option(maybe marginally the secure enclave), but overall Titan M is basically our best option

What cn3m[m] said. If you start to bog yourself down in "what could happen" you're honestly never going to be satisfied. Security is a complex and nuanced topic, and simple answers to complex and nuanced topics don't tend to get you very far outside of giving you a warm and fuzzy feeling.

No i'm just sharing my opinion as in i dont think that we know enough now to be sure to not be able to not get hacked in 5 or 10 years. Overall i'm already satisfied with the answer that cellebrite cant get in the fking phone more than that i dont have any top nasa secret terrorist information

And i dont think my ''attacker'' would wanna spend more than 5k 10k to get in my phone

So for me i'm safe for what it is now

Of course.

Well, in three years, the Pixel 4 will end its support. What I would probably do then, would be to transfer all your data off to cold storage or back it up, then factory reset your phone once it becomes what we call a "pop tart."

I certanily only use it for chatting

No specific data as photos or hwat

what

At that point, you can recycle it, or you can keep it as a souvenir.

Buut even with end of support

Will the chipset not be safe

We call old phones that are no longer supported "pop tarts" because they're useful for supplying energy, but not much else.

Kind of like how actual Kellog Pop Tarts are good at supplying calories, but they're about as nutricious as a slice of cardboard otherwise.

Well they add

Vitamins to it

Vitamin powder ;)

Ha! That's funny actually, I didn't know that XD

I didnt know either but recently saw

All these vitamins

That's hilarious.

But i dont think that my cholocate

breakfast

is helping me

Ack XD

<cn3m[m] "youpie12: they can't get into iO"> Its best to think that they can get into iphones or pixels. Cellebrite or Nso may have an os exploit to disable the delay timer.so the advice should be to use alphanumeric password cos i dont think the 4 digit passw is safe.

<zugzwang[m] "Its best to think that they can "> the exploits they use is just attacking the OS so they bypass the lockscreen

USB restricted mode on iOS and GrapheneOS are very effective

Anyone in here who uses some app cloner app that works everytime? Shelter doesnt wanna do the trick

<youpie12 "Anyone in here who uses some app"> There is a fork of island i read on github

Island is like shelter

this one?

<cn3m[m] "USB restricted mode on iOS and G"> Apparently having to press enter once your password is ready rather than it automatically taking it once the correct amount of characters are entered is a big help as well

<cn3m[m] "the exploits they use is just at"> Still alphanumeric password is safer to use

Thats island

But there is a fork of it i cant seem to remember the name of it now

The fork is maintained

<riotuser1993[m] "Apparently having to press enter"> Not on ios

<zugzwang[m] "But there is a fork of it i cant"> Shelter

<zugzwang[m] "Still alphanumeric password is s"> sure

I downloaded shelter from aurora store

Might that cause problem

doesnt wanna start up after restarting

<youpie12 "I downloaded shelter from aurora"> Insular is the name of island fork

Thankyou will try now

<zugzwang[m] "Insular is the name of island fo"> Shelter from fdroid should work fine. Uninstall the aurora one and try the fdroid

Download from apk online?

Alrihgt

will do now thanks

Cant seem to remove

Shelter

Uninstall is greyed out

Can remove any othe app even the aurora store itself

<youpie12 "Uninstall is greyed out"> Cant uninstall from settings?

Nope but was able via aurora app

Think because of sandbox>?

<youpie12 "Download from apk online?"> Download it from fdroid

It should work

Sometimes you have to force close it when adding app into shelter

cant install because of unknownb error says fdroid

i restart sec

youpie12: best to use user profiles though rather than shelter

I have 3 telegram acounts

Is hard to switch

And 3 whatsapp

Lol

Yeah.. using app cloner on my prior android was easier

Shelter is easy and works fine on graphene

Still doesnt wanna install from f droid store

Says unknown error while installing

Is there an apk availabel

Just sometimes have to force close it when its not sheltering apps

Have you installed on another profile shelter aswell?

Haveno other profiles i know of

Have you uninstalled it or just removed it from the homescreen

I went fdroid types in shelter

It found the shelter i installed from aurora

clikced uninstall

And restarted phone now click install

Still says unknown error

First time using f droid

Ok, when you used it from aurora

yees

What was the prbl

How wasnt functioning

app started

havent tried using 2 whatsapp

but the app worked

but after restrating

app wouldnt open

i had to reinstall

from aurora

Which app wouldnt open shelter or the cloned app

shelter itself

havent tried cloning any app yet

Hmm strange

Working fine for me

apk from site wouldnt install

Even from aurora should work as its the same one as from google play

Is there any way to see f droid errors

I know its stupid but Check under the all apps settingst to see if you havent uninstalled it cos sometimes

yeah im stupid

but still uninstall is greyed out

it is gone from my app list

thats not in settings

youpie12: i said its stupid for me to suggest that cos sometimes i just remove apps from screen thinking i uninstalled them

i couldnt uninstall from settings

but i uninsylled via fdroid so thought

now ist gone from ap pscreen

What you mean STILL greyed out

You said you uninstalled it from aurora store

No if i go to settings

then apps and

shelter

the button uninstall it not possibel to click

greyed out

Yes uninstalled from store but its apparently

still in

settigns

even after restart

So you havent uninstalled it thats why you cant install it from fdroid

yep

Thats why the error on fdroid

yes im trying to find my way to uninstall it restarting phone again

Its nit recommended here adb but thats the only option to uninstall if its a corrupt install i think

Someone else can advise better if they know

when i iinstalled shelter it said if you use any custom rom you should click quit the app but i continued to click conttinue

might also be a reason for the issue

No its not that

As multiple people said shel;ter worked on grapehneos i though

It does

But under the apps notifications all apps and still cant uninstall?

Even drag to uninstall

you need to remove it as an administrator first of all if you have enabled it.

Then you need to goto serttings and remove work profile

then and only then will Shelter uninstall

That did the trick

Now installing it again from fdroid

Creating new work profile

shelter is running but no main screen

It is supposed to be like that

cdesai

Think you could help me get a device to support android-prepare-vendor?

Sure, should just work as long as you can feed it a factory image, there's an option to give a path to the image and skip download

But why? I'd justt use lineage extract tools

cdesai (@freenode_cdesai:matrix.org): lineage extract tools do firmware?

Not extraction afaik, but this doesn't do anything special for that either really.

Worth checking gerrit if you don't see it in the source.

Why would you want use Shelter?

I just make new user profiles

<LinusSexTips[m] "I just make new user profiles "> that is much more robust

especially if you reboot before switching profiles

then you have an anti cold boot attack and AFU attack on the other profiles

I usually reboot after switching. Is it better to do it before?

Oh sorry it lagged just saw the last line you sent

Don't use shelter

Use island

<LinusSexTips[m] "I usually reboot after switching"> yeah even if you get exploited in one profile it can't jump like it normally would

multiple user profiles and rebooting before and after switching is ideal

OK I will start rebooting before as well. Phone is pretty quick actually doesn't take long

cdesai: maybe we can alter the build system to make an apk

instead of an app bundle

strcat[m]: it has been app bundle ever since trichrome launched right

I can/will look into this tomorrow

cdesai: yeah but we can prob generate apk instead

like monochrome and the other targets

Yeah good idea

might be simple, dunno

a lot of the build system is shared

might be simpler than it seems to do apk

most is templated

<cn3m[m] "multiple user profiles and reboo"> What are the implications if you dont reboot at all between switching user profiles? Does that make it significantly les secure? Lets say you have a main user, and a certain app you want seperated (like facebook). Does not rebooting before switching profiles undo/affect the isolation? Or is the rebooting mainly for physical risks. I have not found instructions on how to go

about user profile switching on the site/reddit

<broda721[m] "What are the implications if you"> I would think it has to do with logging off the profile so apps dont run on background after you switch profiles

broda721: zugzwang have a look at hub.libranet.de/wiki/and-priv-sec/wiki/user-profiles

cdesai:

<anupritaisno1[m] "Don't use shelter "> The shelter dev is working on it again. They got a test build out of the next release.

Thinking they'll probably be addressing the issues they talked to you about?

They also working on a new matrix client

*they got a release candidate out

Peter is?

anupritaisno1: yeah, they also got a matrix room for shelter now...

Send the link

I know him

#shelter:neo.angry.im

cn3m: thinking the AFU worries are addressed if apps keep data encrypted with Titan when screen is locked?

Pity not many do. Seen password stores and OTP apps

Be nice to have other apps notes, contacts....

<dazinism "cn3m: thinking the AFU worries a"> well if the key is in memory that is the issue

there is nothing stopping you from fully owning and dumping a phone if you can exploit it while logged in

cn3m: developer.android.com/reference/and…otection#isUnlockedDeviceRequired()

This is done by titan

dazinism: thanks