-
fomijafi[m]
So currently, fingerprint does not work in apps, only screen unlock. Is that a setting that I'm missing, or something that hasn't been implemented in the android 11 build for pixel 3?
-
nickcalyx[m]
> Is it hard to get the IMEI changed with a Pixel 4?
-
nickcalyx[m]
If you figure out how please let.me.know
-
cn3m[m]
!mjolnir watch #ptio-friends-bl:privacytools.io
-
jonah__
cn3m: that won't work lol
-
cn3m[m]
Jonah: ah thanks
-
cn3m[m]
you're quick
-
jonah__
dngray must be talking to you lol
-
dngray
lol true
-
strcat[m]
fomijafi: the next Android 11 release fixes biometric support
-
strcat[m]
we're waiting to get some other things fixed
-
fomijafi[m]
Cool. Just wanted to check in to make sure other people had reported or whether I should put something on the issue tracker
-
KE0VVT
I went ahead and got the 4a and will be waiting however long it takes to get a port for it. I will be donating $60 USD at some point.
-
brockin042[m]
Anybody using seedvault backup on USB stick? I don't recall ever getting a 12 word password to decrypt a backup.
-
Quan7um
<brockin042[m] "Anybody using seedvault backup o"> When you select the backup option, the first thing it'll do is provide the 12 words. You must have clicked past the screen.
-
Lia[m]
Also, you can clear data to Seedvault app to generate new 12 words and make new backup too
-
brockin042[m]
Lia: appreciate it, I deleted data from app. Now I see password to write down.
-
jin29
Hello grapheneos community,Thank you for the work that you do. I'm very happy to have found something that can help respecting my basic human rights like privacy from something as crucial as a smartphone. In my case I have a special need for this as I am being harassed by private investigators from a bitter ex family member. I installed grapheneos
-
jin29
on pixel 4 on my PC using my wifi. However I have recently discovered my home WiFi has been compromised and that they may have had access to my laptop. This is a large investigative firm with vast resources and she's spending a ton of money trying to make my life miserable. Anyways, I am a script kiddie that just knows how to follow instructions. I
-
jin29
probably should have tried to verify the download but I installed this in a hurry. If the attacker had access to my laptop and WiFi could they have compromised my download and planted something during the process? Sorry for my ignorance and I appreciate any help I can get.
-
parker
Hello grapheneos community,Thank you for the work that you do. I'm very happy to have found something that can help respecting my basic human rights like privacy from something as crucial as a smartphone. In my case I have a special need for this as I am being harassed by private investigators from a bitter ex family member. I installed grapheneos
-
parker
on pixel 4 on my PC using my wifi. However I have recently discovered my home WiFi has been compromised and that they may have had access to my laptop. This is a large investigative firm with vast resources and she's spending a ton of money trying to make my life miserable. Anyways, I am a script kiddie that just knows how to follow instructions. I
-
parker
probably should have tried to verify the download but I installed this in a hurry. If the attacker had access to my laptop and WiFi could they have compromised my download and planted something during the process? Sorry for my ignorance and I appreciate any help I can get.
-
lickidysplit-pti
Use auditor on another device
-
lickidysplit-pti
Or not. Just keep joining & leaving.
-
lickidysplit-pti
Saleh. Use auditor from another device to verify the intigredy of the OS install
-
parker
Hi I'm looking for a way to audit my grapheneos as I believe the laptop and wifi I was using was compromised
-
parker
Looking for someone to point me in the right direction as I'm a complete newbie
-
deetot
Any idea who compromised it
-
deetot
Or just worried
-
parker
Shady investigative firm
-
parker
Very resourceful. Cracked my iOS and android phones in the past
-
parker
IPhone 11 and galaxy s9 both broken into almost right away
-
deetot
That's my I'm a proponent of only using wired. WiFi can never be trusted
-
deetot
Only thing I know of is the grapheme audit app
-
aeonsolution[m]
get a new laptop and flash grapheneos again and use the auditor
-
deetot
* Only thing I know of is the graphene audit app
-
parker
Problem is I'm being tailed by these guys so I can't use public WiFi
-
aeonsolution[m]
you need to pay for forensics and research analysts to figure out if you are compromised otherwise
-
parker
Obtaining the file would be difficult
-
aeonsolution[m]
those are really your only options im afraid
-
aeonsolution[m]
if you flash grapheneos on a compromised computer
-
deetot
Stop using internet all together for a bit and see what they do
-
parker
They just follow me
-
parker
Acting skills aren't as good as their hacking skillsb
-
aeonsolution[m]
again, just get a new laptop and flash it again
-
parker
Yeah I need to find a way to do that without being tailed
-
aeonsolution[m]
then use auditor
-
parker
The auditor app doss that require two phones with grapheneos?
-
aeonsolution[m]
-
parker
OK thank you very much I will read into it.
-
parker
I'm glad this community is so helpful
-
aeonsolution[m]
you're welcome. good luck.
-
Lia[m]
Can't reproduce gallery app crashing when cropping
-
Lia[m]
Oh, it was on edit button
-
Lia[m]
Just reproduced it
-
ham5urg_
strcat[m], if IMEI is not changeable this must be a fraud:
movical.net/us-en/repair/google/pixel-4
-
null[m]
That page mentions restoring original IMEI, under both "Repair IMEI" and "Change IMEI"
-
anupritaisno1[m]
-
anupritaisno1[m]
Find a way under stock ROM to set USB mode to diag
-
anupritaisno1[m]
It will most likely only work on stock and if they implemented it
-
lickidysplit-pti
What's with everyone thinking they're being gang stalked
-
lickidysplit-pti
I get covid has fucked our mental health but cmon lol
-
shdudbdjdj[m]
<lickidysplit-pti "What's with everyone thinking th"> Their in a gang now :P
-
ham5urg_
Quite an investment for a test, I still did not bought an Pixel4. I hoped to find someone who can confirm or deny the possibility.
-
lickidysplit-pti
Its just a term lol
-
lickidysplit-pti
<ham5urg_ "Quite an investment for a test, "> It can be done, but its illegal and too time costly to implement such thing
-
ham5urg_
anupritaisno1[m], why is it illegal?
-
ham5urg_
Apple just implemented a MAC randomization for wifi. This is not illegal?
-
ham5urg_
Found this script, looks good. Is this illegal too?
-
ham5urg_
-
lickidysplit-pti
Because some countries are sissy countries hahahaa
-
lickidysplit-pti
The UK for example
-
lickidysplit-pti
Not in all countries tho
-
lickidysplit-pti
But the devs have spoken on this with Me already and they are not going to be implementing it anytime soon
-
lickidysplit-pti
I offered 500 aud and another member said he would match, so money isn't an issue. I think its more so the time and other stuff they have already going on
-
lickidysplit-pti
Fixing bugs in the OS itself etc.
-
JTL
I think the concern is fraud, (i.e steal a phone, original owner gets the IMEI blacklisted, and the thief changes the IMEI thus using a stolen phone)
-
ham5urg_
A confirmed shell-howto like the one I posted before is good for me.
-
ham5urg_
I don't want to change the IMEI more than once.
-
lickidysplit-pti
<ham5urg_ "Apple just implemented a MAC ran"> Graphene has this as default
-
ham5urg_
lickidysplit-pti, yes.
-
lickidysplit-pti
Mac WiFi and imei are too different things
-
ham5urg_
I know, but they have simillar concepts.
-
ham5urg_
What about Bluetooth Mac? Is it randomized too?
-
lickidysplit-pti
I'm aware. U can change imei very easy with root. But that breaks gos security
-
lickidysplit-pti
<ham5urg_ "What about Bluetooth Mac? Is it "> I don't believe so
-
cn3m[m]
yes
-
lickidysplit-pti
Well I was wrong
-
null[m]
Doesnt that mean having to re-do the pairing every time you connect to a BT device?
-
lickidysplit-pti
<null[m] "Doesnt that mean having to re-do"> I don't experience this.
-
lickidysplit-pti
Auto connects to my car unit, portable speaker etc.
-
cn3m[m]
-
cn3m[m]
"Bluetooth has MAC randomization as part of the spec"
-
cn3m[m]
"unlike Wi-Fi, privacy is standard in the Bluetooth LE spec"
-
ham5urg_
That is good and makes life easier.
-
lickidysplit-pti
if you are only using Bluetooth like Wi-Fi and removing pairings then the privacy is comparable to Wi-Fi privacy
-
ham5urg_
Is it possible to get root-access to a GrapheneOS-device without breaking it? To get adb and fastboot work.
-
renlord
ham5urg_: what are you trying to do
-
ham5urg_
renlord, to get my old IMEI into a Pixel4.
-
lickidysplit-pti
Your old imei???? Why would u wanna do that
-
lickidysplit-pti
Did u change it before installing GoS and now carrier won't work?
-
lickidysplit-pti
Only way to change it would be to flash stock - root / reinstate your old imei and reflash GoS :/
-
iandeb[m]
What's happened to the off topic room?
-
lickidysplit-pti
#grapheneos-offtopic:matrix.org
-
lickidysplit-pti
Still there for me
-
ham5urg_
Sorry, did not know about the offtopic channel. I will switch to it.
-
iandeb[m]
Thanks. I somehow dropped out.
-
EEE
can this be used on a supported device and connected to a large screen to act as a tv box? it wont be android tv interface i dont think, but at least an android interface on a large screen? maybe using rf remote/keyboard? rf keyboard is ideal, but ir or other ideas you may have (bluetooth is last resort)
-
lickidysplit-pti
If your devices supports HDMI out I think so.
-
alzxjm[m]
<lickidysplit-pti "If your devices supports HDMI ou"> Which Pixels do not, unfortunately. Stupid Google removed Miracast support, too.
-
alzxjm[m]
You have to use Chromecast.
-
lickidysplit-pti
The hardware is there. The software is not
-
EEE
i wonder if miracast was removed for secu reasons...its a source of data leak perhaps...or maybe they're just extending and extinguishing ala msft
-
EEE
also there are plenty of tv boxes, some of which work with both android and linux like pine64...would getting gos on there be as simple as recompiling kernel with firmware specific to that board, putting dtb files and recreating an iso? or maybe even just using the dtb+kernel+drivers+firmware of the android images for those boards, while putting gos userspace there? how modded is gos kernel/firmware/lowlevel?
-
cn3m[m]
EEE: GrapheneOS has development support for the hikey boards
-
EEE
pine64-lts using allwinner a64 is particularly good contender as there are many other form factors using the a64 chip and also it doesnt require raminit blob, apparently there is a fix for the cpu bug
-
cn3m[m]
the issue is these devices can't officially be supported beyond test targets due to lacking hardware security features
-
creigh[m]
So I lost my beloved Pixel 3a running Graphene OS but it was returned to lost & found and I'll get it back tomorrow. I know the odds are astronomical that somebody tampered with the device. Correct me if I'm wrong but there's two options basically:
-
creigh[m]
1. Somebody modified the bootloader. I would see that easily because of "verified boot".
-
creigh[m]
2. Somebody brute-forced my 4-digit PIN. How could I verify this didn't happen? Is there any system logs I could inspect regarding authentication attempts?
-
-
-
-
deetot
I hope you at least have it setup so you can enter pins more than 4 digits when entering a pin
-
louipc
how many? 16?
-
bobfett
I have a question: is this expected behavior that once you were not able to unlock with fingerprint it is locked until you reboot the device or not?
-
bobfett
If not, is this bug solved with the fix to biometrics in the development build? I have no possibility to factory reset my device.
-
bobfett
I am on pixel 3xl if it helps or change something
-
bobfett
* I have a question: is this expected behavior that once you were not able to unlock with fingerprint it is locked until you reboot the device or not?
-
bobfett
If not, is this bug solved with the fix to biometrics in the development build? I have no possibility to factory reset my device in order to test the development build.
-
bobfett
I am on pixel 3xl if it helps or change something
-
-
louipc
if you reboot it will still be locked
-
-
louipc
you need to enter your pin or passphrase, then you will be able to fingerprint unlock for a period of time
-
louipc
im not sure if its time, or activity based exactly
-
louipc
but pin will be required if theres too many bad fingerprint attempts
-
bobfett
When I enter my passphrase, the fingerprint unlock is still locked. The only way to enable it again is to reboot, put my passphrase and then I am able to unlock it with fingerprints again
-
bobfett
Hydroalcoolic gel is so bad for this... 😔
-
deetot
Sounds like a security feature to me
-
bobfett
<deetot "Sounds like a security feature t"> Can it be confirmed? It was not the case before, it changed with the update to Android 11
-
louipc
oh i dunno
-
renex
A question, would it be possible to setup the phone so that if it is unlocked in the presence of a specific bluetooth device it would stay unlocked (even if the screen goes blank) as long as the specified bluetooth device is nearby?
-
Beaver52
@renex correct me if im wrong, but didn't android have that under "smart lock" in previous versions?
-
Beaver52
but did smart lock get phased out?
-
renex
Don't know, can't find anything relevant in Settings. There is a something called Trust agents, but it is empty
-
Beaver52
smart lock was the only thing I knew of that did exactly what you want, sorry.
-
null[m]
I recall smart lock too
-
null[m]
Maybe it requires play services
-
Beaver52
might be.
-
Beaver52
an old device of mine running android 9 with play services has smart lock feature.
-
alzxjm[m]
I doubt there are many Google Fi users here but, after another go at it, I think I can say that Google Fi does not work on GrapheneOS.
-
alzxjm[m]
Phone calls work for a while, and seemingly after reboots, but after a while incoming calls do not work.
-
alzxjm[m]
Other things like visual voicemail and receiving MMS are always broken.
-
alzxjm[m]
Again, not unexpected. But I would caution against even trying.
-
strcat
lickidysplit-pti: ham5urg_: there isn't a way to change the IMEI with root access, or with fastboot, you're posting incorrect information
-
strcat
in general, modern basebands do not allow changing it, due to regulations forbidding that
-
strcat
a blog post from 2015 (over 5 years ago) about an HTC phone substantially older than the post itself is not going to help you
-
strcat
-
strcat
it has no relevance anymore
-
genghiz
I'll be changing a 5-year-old iPhone 7 next year for a new phone. In general, would I get a good phone experience with Graphene in case I install it on, say, a hypothetical Pixel 5(a) when it comes out next year?
-
genghiz
Mostly that boils down to will I be able to use apps like Uber, Grubhub etc.? Are they available on F-Droid?
-
genghiz
And can they work without Play Services?
-
strcat[m]
you can install apps from the Play store with Aurora Store, the standard F-Droid repository only has open source apps
-
cwecw2d323de32d3
hi, i did a development build with no keys, which i just want to install on my testing device. Where can i find the img file to use?
-
strcat[m]
genghiz: many apps will work without Play services, others won't
-
strcat[m]
consider using web sites instead when they won't
-
genghiz
You mean PWAs?
-
louipc
web apps
-
genghiz
Yeah. Progressive Web Apps.
-
louipc
whats the diff between that and a normal web app
-
strcat[m]
cwecw2d323de32d3: `out/target/product/$DEVICE/`
-
genghiz
I dunno. I thought all web apps these days were PWAs
-
strcat[m]
cwecw2d323de32d3: up to you to make sure to flash all the images and firmware if you're doing it that way (the quick development cycle)
-
genghiz
PWAs utilise service workers.
-
genghiz
I don't think any normal web app is bound to do so.
-
louipc
yikes
-
cwecw2d323de32d3
is it system.img ?
-
cwecw2d323de32d3
seems so =) thx
-
genghiz
Why the yikes?
-
strcat[m]
cwecw2d323de32d3: no
-
strcat[m]
cwecw2d323de32d3: you need to flash all the firmware and OS images
-
strcat[m]
cwecw2d323de32d3: not 1
-
strcat[m]
cwecw2d323de32d3: when you do a signed build per the instructions, it generates a factory images bundle with all the images and a script to flash them for you
-
strcat[m]
since you're doing it by hand, you need to know what to flash
-
strcat[m]
first of all you need to flash radio and bootloader firmware partitions to make sure those are all the correct version (and then you don't need to flash them when doing further development builds until they change again)
-
strcat[m]
you need to flash all the OS partitions and flash them again when they change / keep them in sync
-
strcat[m]
initially, super, vbmeta, boot, dtbo, vbmeta, vendor, vbmeta_system, system, product
-
strcat[m]
if you're doing things with development builds and flashing manually you need to know what to flash and when
-
strcat[m]
just do a signed build + use factory images if you don't want to deal with that
-
cwecw2d323de32d3
ok please bear with me, all i did was pressing m and enter. then after some hours it said build process complete
-
cwecw2d323de32d3
so the next step would be : Generating signed factory images and full update packages
-
cwecw2d323de32d3
?
-
strcat[m]
no
-
cwecw2d323de32d3
i need my phone connected and flash the bootloader firmware right
-
cwecw2d323de32d3
using adb tools
-
strcat[m]
did you source envsetup.sh and used choosecombo, etc?
-
strcat[m]
in the same shell
-
cwecw2d323de32d3
yes i went trough these steps @ Setting up the OS build environment
-
cwecw2d323de32d3
it chose the default settings
-
cwecw2d323de32d3
i think it was user
-
cwecw2d323de32d3
the bootloader on my device is unlocked too
-
strcat[m]
cwecw2d323de32d3: what exactly are you trying to do?
-
strcat[m]
development builds solely for testing?
-
human451[m]
Will Google pixel C ( the tablet) ever be support?
-
strcat[m]
no
-
strcat[m]
it's EOL and didn't meet our security requirements
-
strcat[m]
even before it was EOL I mean
-
strcat[m]
it was not a typical Android Pixel device and had a ChromeOS-style bootloader without support for hardware security features with an alternate OS
-
strcat[m]
there are probably non-Pixel tablets that are more viable targets than that
-
human451[m]
I see. I guess I'll have to stick with a degoogled lineage tablet for the moment
-
strcat[m]
use an iPad
-
anupritaisno1[m]
[human451](
matrix.to/#/@human451:matrix.org): pixel C doesn't even meet the glassrom requirements
-
strcat[m]
it stopped being sold in 2017 and was last updated in June 2019
-
cwecw2d323de32d3
strcat[m] i'm just trying to run an insecure test build on my new 3a device
-
anupritaisno1[m]
Encryption doesn't work
-
anupritaisno1[m]
Lockscreen password doesn't work
-
anupritaisno1[m]
Selinux is permissive
-
strcat[m]
cwecw2d323de32d3: you could just flash all the images by hand then
-
cwecw2d323de32d3
quick and dirty
-
anupritaisno1[m]
[human451](
matrix.to/#/@human451:matrix.org) how can anyone accept this?
-
cwecw2d323de32d3
how?
-
-
strcat[m]
anupritaisno1: encryption and SELinux worked for it on AOSP
-
strcat[m]
it's just not supported anymore
-
strcat[m]
the only problem with it was that the bootloader doesn't support alternate OSes properly
-
cwecw2d323de32d3
is m oattools-package useful here?
-
strcat[m]
so you can't have verified boot and full keystore functionality
-
strcat[m]
other than that it's just really old, end-of-life (not updated anymore), doesn't support modern AOSP (wasn't a Treble device)
-
strcat[m]
cwecw2d323de32d3: only if you want to do a signed build
-
strcat[m]
cwecw2d323de32d3: otherwise you can just flash the images by hand already assuming you built properly
-
anupritaisno1[m]
[strcat](
matrix.to/#/@strcat:matrix.org): actually why not just force otatools to be built?
-
anupritaisno1[m]
That works too
-
cwecw2d323de32d3
it said build completed
-
strcat[m]
because I don't want to force it to be built in dev builds
-
strcat[m]
waste of time
-
cwecw2d323de32d3
but then i did m oattools-package and stopped it after a couple minutes
-
cwecw2d323de32d3
that was bad
-
anupritaisno1[m]
Ah
-
strcat[m]
cwecw2d323de32d3: make sure to use the same shell
-
strcat[m]
with the environment set up
-
cwecw2d323de32d3
i am in the same shell
-
anupritaisno1[m]
[cwecw2d323de32d3](
matrix.to/#/@freenode_cwecw2d323de32d3:matrix.org): make installclean and run it again then
-
strcat[m]
you can't switch to another unless you set it up there too
-
strcat[m]
cwecw2d323de32d3: it should run just fine
-
cwecw2d323de32d3
okay, but did the m oattools package overwrite the old build now?
-
strcat[m]
no
-
cwecw2d323de32d3
ok cool
-
cwecw2d323de32d3
so can i just take the img file now ?
-
cwecw2d323de32d3
system.img ?
-
strcat[m]
cwecw2d323de32d3: no
-
strcat[m]
read what I wrote above please
-
cwecw2d323de32d3
flashing
-
strcat[m]
cwecw2d323de32d3: no
-
human451[m]
<anupritaisno1[m] "[human451](
matrix.to/#/@"> ?
-
strcat[m]
if you aren't going to read what I wrote you aren't going to get a good result
-
cwecw2d323de32d3
ok i go back
-
strcat[m]
there are multiple firmware images you need to flash and multiple OS images
-
strcat[m]
cwecw2d323de32d3: if you aren't able to do that by hand then continue following the instructions
-
strcat[m]
make a signed build and flash that with the script
-
anupritaisno1[m]
[cwecw2d323de32d3](
matrix.to/#/@freenode_cwecw2d323de32d3:matrix.org): for i in $(ls *img | sed 's/.img//g'); do fastboot flash "$i" "$i".img; done
-
anupritaisno1[m]
Worked for me lol
-
strcat[m]
you also need to format userdata
-
cwecw2d323de32d3
ok better stick with the signed build now
-
cwecw2d323de32d3
which means i need to build again?
-
strcat[m]
no
-
anupritaisno1[m]
-
strcat[m]
just continue the instructions
-
cwecw2d323de32d3
thank you
-
anupritaisno1[m]
. script/envsetup.sh
-
anupritaisno1[m]
m target-files-package otatools-package
-
anupritaisno1[m]
script/release.sh whatever
-
anupritaisno1[m]
Some apps like messaging will force a full build idk why
-
NorbertTretkowsk
human451: offtopic, but I use the microG builds of LineageOS 15.1 on my Pixel C (with microG completely disabled), works perfect, and has Security patch from August:
download.lineage.microg.org/dragon
-
anupritaisno1[m]
But incremental build of that is around 10 minutes
-
anupritaisno1[m]
<NorbertTretkowsk "human451: offtopic, but I use th"> Go to offtopic chat then
-
strcat[m]
Norbert Tretkowski: no, it doesn't have the security patch from August
-
strcat[m]
that's a false claim
-
strcat[m]
Norbert Tretkowski: LineageOS uses a fake security patch level across most devices
-
strcat[m]
it's not accurate
-
anupritaisno1[m]
Well
-
strcat[m]
the last available security patch level for the Pixel C is June 2019
-
anupritaisno1[m]
Lineage trues to backport the security patch for up to 5 or so past versions
-
anupritaisno1[m]
But your kernel and vendor are unpatched
-
strcat[m]
doesn't matter
-
strcat[m]
exactly
-
strcat[m]
and so are components in system not developed as part of AOSP
-
strcat[m]
they dropped Pixel C support
-
anupritaisno1[m]
* Lineage tries to backport the security patch for up to 5 or so past versions
-
anupritaisno1[m]
I hate legacy tbh
-
anupritaisno1[m]
There was this device soc
-
anupritaisno1[m]
Msm8994
-
anupritaisno1[m]
CAF only did 2 versions and then dropped it
-
anupritaisno1[m]
Had to merge LTS and track several repos for security patches
-
strcat[m]
the reality is that the device never supported secure installations of alternate OSes and has been end-of-life without full security updates being available anywhere for over a year
-
anupritaisno1[m]
I somehow managed to do so for 3 years
-
anupritaisno1[m]
Then I was like fuck it
-
anupritaisno1[m]
And left
-
anupritaisno1[m]
Because backporting the security patches to an EOL kernel itself took away 80% of my time
-
anupritaisno1[m]
Not worth it
-
anupritaisno1[m]
BTW I also updated the vendor
-
anupritaisno1[m]
Took as many blobs from other devices as I could.
-
vartaa[m]
Hi, i have a question. If i enable dark mode for web contents on Vanadium, i'll make my fingerprint unique?
-
deepthought[m]
Hi all, how is the storage encryption done, is it FDE or FBE? Does an option exist to do FDE?
-
Lia[m]
FBE
-
sentientted[m]
Hey, sorry if this has already been asked a lot, but I was on the beta channel and didn't realize. My phone updated to android 11 and now I cannot use mobile data and I was just wondering if this was a common problem. Thanks for any help
-
deepthought[m]
thx Lia, any chance to start off with Graphene OS based on Android 9 and keep FDE?
-
Lia[m]
No.
-
Lia[m]
Profile-based encryption uses FBE
-
deepthought[m]
ok, thx
-
Autopsy[m]
<sentientted[m] "Hey, sorry if this has already b"> You checked the APN settings for your carrier?
-
sentientted[m]
Autopsy: I tried finding the apn in the settings and cannot find it, would you be able to tell me where it is?
-
strcat[m]
deepthought: I'm not sure why you wouldn't want per-profile encryption where the data can become at rest when a profile is logged out, rather than the key being stuck in memory after early boot until the device is off
-
strcat[m]
deepthought: in fact, considering that your phone is probably on nearly all the time, I'm not sure what you really get from FDE vs. a sophisticated adversary unless you have time to turn off the phone
-
anupritaisno1[m]
Iirc wrappedkey is a thing
-
anupritaisno1[m]
That makes FBE outperform
-
deepthought[m]
I would accept FBE on top of FDE as and additional security measure
-
Autopsy[m]
<sentientted[m] "Autopsy: I tried finding the apn"> Usually network > mobile network,
-
anupritaisno1[m]
Might be a thing with pixel 5
-
strcat[m]
deepthought: layering encryption on more encryption doesn't make it more secure
-
anupritaisno1[m]
[deepthought](
matrix.to/#/@deepthought:matrix.org): you do realize you're technically fde right?
-
anupritaisno1[m]
Metadata encryption basically gets you close to FDE anyway
-
anupritaisno1[m]
Double encryption usually doesn't work well
-
strcat[m]
it's not about it not working well but that it's security theater
-
strcat[m]
all data and file names are encrypted
-
sentientted[m]
Autopsy: Yeah that is the problem that I found out, it is not there on android 11 and I cannot find anything showing where it is. Do you have any other idea where i could find it, do you think it could be in developer options?
-
anupritaisno1[m]
-
deepthought[m]
Does anybody know if this still up-to-date?
-
anupritaisno1[m]
I'm working on fixing it
-
deepthought[m]
-
strcat[m]
deepthought: no
-
anupritaisno1[m]
-
strcat[m]
deepthought: and it's somewhat misinformed in the first place
-
anupritaisno1[m]
I am unable to test the fix myself
-
strcat[m]
not written by someone that knows what they're talking about or tried to educate themselves on the topic first
-
strcat[m]
but rather they have preconceived opinions and regular take the opportunity to push those
-
strcat[m]
I'm not sure why you care what's written by a consistently dishonest and manipulative person who pushes misinformation after it is corrected
-
strcat[m]
all you have to do is look at their twitter feed and how they regularly do that over and over again
-
strcat[m]
goal is clearly not makings things better or educating others
-
strcat[m]
they mostly do it about things like bitcoin
-
deepthought[m]
strcat: Thx, I am just used to FDE and I personally consider FBE less secure
-
strcat[m]
deepthought: okay, I'm not sure how a key for the entire data partition in memory from early boot until power off (how often is your phone powered off?) is more secure
-
strcat[m]
but you do you
-
strcat[m]
what value does FDE have on a device that's always powered on?
-
sentientted[m]
anupritaisno1: just so you know I already pmed you, but there is no rush
-
strcat[m]
to properly benefit from encryption you need fine-grained encryption where you can keep data at rest
-
anupritaisno1[m]
FYI BDE (the FDE you're talking about) actually leaks metadata anyway
-
strcat[m]
I doubt you turn off your phone even when you're asleep
-
anupritaisno1[m]
Android already mounts filesystem's with allow discards
-
anupritaisno1[m]
See system/vold
-
anupritaisno1[m]
So BDE really
-
anupritaisno1[m]
It's debatable if it does not leak metadata
-
strcat[m]
if you want to properly benefit from encryption you need to use profiles
-
anupritaisno1[m]
It might be leaking more
-
strcat[m]
and if there was only FDE you could not take good advantage of it in practice
-
strcat[m]
because how often do you actually have your phone powered down
-
anupritaisno1[m]
Never?
-
strcat[m]
and if your concern is a sophisticated adversary, and the phone is powered on / decrypted, it's not really defending against them
-
strcat[m]
the key is right there in memory
-
strcat[m]
until it's powered off again
-
anupritaisno1[m]
[strcat](
matrix.to/#/@strcat:matrix.org): BTW what about wrappedkey?
-
strcat[m]
at least with per-profile encryption you can keep sensitive data in a profile you rarely use
-
deepthought[m]
BDE?
-
anupritaisno1[m]
There is a key in ram but it is invalid after a reboot
-
strcat[m]
anupritaisno1: none of that seems very relevant to this
-
anupritaisno1[m]
The real key is in keymaster
-
strcat[m]
anupritaisno1: the TEE keymaster
-
anupritaisno1[m]
Yeah
-
strcat[m]
and the TEE memory is the same physical memory as the SoC just partitioned with IOMMU protection
-
anupritaisno1[m]
Google might tie it with the titan M
-
strcat[m]
TEE is not a secure element
-
strcat[m]
anupritaisno1: but they don't use it AFAIK
-
strcat[m]
Titan M doesn't have an API for that stuff just the regular keystore API
-
anupritaisno1[m]
Yes
-
anupritaisno1[m]
Already tried on pixel 4
-
strcat[m]
I'm sure it can work but it uses TEE
-
anupritaisno1[m]
The kernel driver is there but it refuses to set up wrapped keys correctly
-
strcat[m]
I don't really see how that helps anything
-
anupritaisno1[m]
<deepthought[m] "BDE?"> Block device encryption
-
strcat[m]
the only benefit of keeping the encryption key away from the OS is if an attacker compromises the OS they get all your data but maybe they don't get the persistent encryption key
-
strcat[m]
so if they're kicked out of controlling the device
-
strcat[m]
but without wiping
-
strcat[m]
and then somehow get physical access later on
-
strcat[m]
they can't decrypt it
-
strcat[m]
seems like a super contrived, basically useless threat model to me
-
deepthought[m]
anupritaisno1: Thx, that's what I meant by saying FDE
-
strcat[m]
so yeah it's an improvement
-
anupritaisno1[m]
You're not technically encrypting your entire disk
-
strcat[m]
but I don't think wrappedkey or similar features have much real world benefit
-
anupritaisno1[m]
You're encrypting a part of it
-
strcat[m]
deepthought: with FBE, all data and file names are encryption, data is encrypted on a per-block basis like FDE
-
deepthought[m]
anupritaisno1: Yes, I know, some parts must be kept unencrypted
-
strcat[m]
i.e. generally 4k blocks
-
strcat[m]
file names are encrypted in 32 byte blocks on GrapheneOS (16 byte on the stock OS)
-
anupritaisno1[m]
Also FDE actually works a lot better
-
anupritaisno1[m]
* Also FBE actually works a lot better
-
anupritaisno1[m]
Might not be noticeable on pixel
-
strcat[m]
* deepthought: with FBE, all data and file names are encrypted, data is encrypted on a per-block basis like FDE
-
anupritaisno1[m]
CAF had broken discard support for hardware accelerated BDE for several years
-
anupritaisno1[m]
Google never used it
-
anupritaisno1[m]
But this meant most old phones used to slow down
-
anupritaisno1[m]
A lot
-
strcat[m]
deepthought: either way all data is encrypted, FBE is just finer-grained since there can be per-directory / per-file keys, that's the difference
-
deepthought[m]
Is discard really important considering the lifespan of a phone today?
-
strcat[m]
deepthought: file names are padded out to 32 byte blocks so the length of a file name isn't known (just multiple of 32 byte, nearly all files are <= 32 byte names though, and I'm unaware of data being stored in file names)
-
strcat[m]
deepthought: yes, it's important, and I don't know what you mean by the lifespan of a phone
-
strcat[m]
and I'm not sure why that matters anyway
-
anupritaisno1[m]
<deepthought[m] "Is discard really important cons"> Trim is important
-
strcat[m]
I prefer to be concerned about real things based on threat models
-
strcat[m]
not imaginary stuff and baseless FUD
-
deepthought[m]
I never use trim/discard on encrypted PC partitions
-
strcat[m]
deepthought: and why is that? can you justify it?
-
-
kryptonymous[m]
<strcat[m] "all you have to do is look at th"> Matthew Green does seem have a thought-provoking Twitter feed. This thread from this morning is particularly concerning- commenting on a Nation article about DHS surveillance
nitter.net/matthew_d_green/status/1308406474864033800#m
-
anupritaisno1[m]
The performance hit is huge
-
strcat[m]
kryptonymous: really not sure on the relevance
-
strcat[m]
US politics is a bad fit for this channel
-
anupritaisno1[m]
<strcat[m] "deepthought: and why is that? ca"> Basically users trim a lot and then ask why their performance sucks
-
anupritaisno1[m]
Continued in OT
-
strcat[m]
don't most devices just have a configuration that uses fstrim
-
deepthought[m]
anupritaisno1:
-
deepthought[m]
information content of the TRIM information will be small.
-
strcat[m]
TRIM simply discards unused blocks
-
deepthought[m]
-
deepthought[m]
strcat: Yes, I know what it does, never enabled it on my PCs
-
strcat[m]
the only information is which blocks are used / not used
-
strcat[m]
nothing beyond that
-
strcat[m]
with FDE chances are the attacker gets your device with the data decrypted anyway
-
strcat[m]
with FBE you can partition it between profiles and at least avoid them getting the device with more than the active profile decrypted
-
deepthought[m]
I would not enable it on a phone either as lifespan of a phone is 2-3 years because after that time, there are not security updates anmyore. I am not a phone power user, so why would trim be a huge advantage for me
-
strcat[m]
we want to provide more control over user profiles so there is direct control over keeping a profile active in the background (for example, to receive alerts of notifications) or logging it out immediately so that the data is at rest again
-
strcat[m]
it's one of the things being worked on
-
strcat[m]
various aspects of improving profiles
-
strcat[m]
since it's one of the most important encryption features along with being very useful for isolating workspaces with different shared data
-
strcat[m]
encryption is no good if you just keep data decrypted all the time
-
deepthought[m]
strcat: I do not really need the partitioning of FBE as I do not store secret stuff on my phone, but I agree that it is useful for others
-
strcat[m]
that's like how many companies claim data on their servers is encrypted because they use FDE
-
strcat[m]
but the servers are just always on and decrypted
-
anupritaisno1[m]
<strcat[m] "that's like how many companies c"> Useless
-
strcat[m]
deepthought: I think you're misunderstanding why it's useful and how profiles can be used then
-
deepthought[m]
strcat: Yes, that's right.
-
anupritaisno1[m]
If police, etc want to raid they can do freezing attacks and so on
-
deepthought[m]
strcat: That may be the case
-
strcat[m]
deepthought: also just because the granularity is currently limited to profiles doesn't mean it can't be more granular
-
anupritaisno1[m]
[strcat](
matrix.to/#/@strcat:matrix.org): BTW encryption does help
-
strcat[m]
it only helps if it's at rest or it's an unsophisticated adversary
-
kryptonymous[m]
<strcat[m] "kryptonymous: really not sure on"> Agree politics are a low-level waste of time. But the article Matthew Green cited (
thenation.com/article/politics/homeland-security-portland) was not focused on politics, but on phone cloning and surveillance. The journalist, Ken Klippenstein, is reputable. Protection from the these illicit activities I would imagine would be of particular concern to GOS
-
kryptonymous[m]
users.
-
anupritaisno1[m]
Example the homeserver I'm chatting from has SED + dm-crypt
-
anupritaisno1[m]
So that if my provider throws the drives away nothing is disclosed
-
anupritaisno1[m]
But even my provider openly admits it won't protect against an advanced adversary
-
strcat[m]
kryptonymous: I don't see the relevance to the discussion or channel
-
strcat[m]
you're just being contrarian with little basis and for no clear reason
-
anupritaisno1[m]
You can just open a SED by not cutting off the drive's power and data can be extracted from RAM anyway
-
strcat[m]
someone linking a story you think is interesting doesn't mean they are an honest person
-
strcat[m]
and I really don't see the relevance to their bias and manipulative behavior when it comes to these things
-
riapreg[m]
Hi all
-
riapreg[m]
I forgot my password and now my phone is useless. Graphene os on the latest release for 3a. I managed to POWER OFF+VOLUME DOWN and now I'm stuck on choice "start/power off/BarCode/Rescue mode/Recovery Mode/Restart Bootloader"
-
riapreg[m]
Can I somehow safe my phone (full wipe) and start all over?
-
strcat[m]
which are plainly visible from looking through their feed about how they act when it comes to topics like this
-
kryptonymous[m]
You referenced Matthew Green's twitter feed. I try to learn from you and others every day. That's the only reason I went there. Just trying to make sense of everything
-
strcat[m]
and what I said is that they always take the opportunity to push misinformation when it suits them
-
strcat[m]
and don't retract it
-
strcat[m]
and continue pushing it
-
strcat[m]
that doesn't mean their feed consists solely of misinformation
-
strcat[m]
it means you can't trust what they say
-
anupritaisno1[m]
-
anupritaisno1[m]
Once booted to a dead android logo press power and then press volume up
-
anupritaisno1[m]
Use the volume up/down keys to go to factory data reset and use power to confirm
-
anupritaisno1[m]
Ah BTW
-
strcat[m]
they are smart and know better, but choose to feign ignorance and push misinformation when it suits them
-
anupritaisno1[m]
Think I forgot my pixel 4 password too
-
kryptonymous[m]
You'd mentioned Bitcoin above- is that in particular a topic on which he disinforms?
-
anupritaisno1[m]
Shit
-
anupritaisno1[m]
Anyway there was nothing important on it
-
strcat[m]
kryptonymous: encryption, secure messaging, cryptocurrencies, mobile phone security, mobile OS security, various privacy topics, web browsers
-
deepthought[m]
strcat: anupritaisno1 Thx for the information and answers
-
strcat[m]
they like to push a lot of misinformation
-
strcat[m]
sometimes they change their mind and push misinformation in the other direction
-
strcat[m]
they are almost as likely to spread FUD about iOS as Android even though they are a pretty fervent iOS fanboy
-
strcat[m]
can't trust what they say, it's that simple
-
Autopsy[m]
<anupritaisno1[m] "Think I forgot my pixel 4 passwo"> 42069
-
strcat[m]
inherently dishonest person
-
strcat[m]
so for example they always promote Signal but then every now and then they'll push some FUD about it when they dislike something
-
strcat[m]
they don't stick to factual criticism
-
deepthought[m]
BTW, in Linux it is possible to do FDE and e.g. Encfs, or additionally encrypt files with pgp
-
strcat[m]
same for stuff like Telegram and lots of other things
-
strcat[m]
there is legitimate criticism mixed in with a whole lot of FUD
-
strcat[m]
and they know it's not true
-
strcat[m]
they just don't care
-
riapreg[m]
anupritaisno1: yes. correct. thanks a lot! you saved me 😉
-
deepthought[m]
I found some more references regarding issues with FBE
-
strcat[m]
deepthought: and what about the issues with FDE?
-
kryptonymous[m]
Interesting. OK thanks.
-
deepthought[m]
comparted to FDE it was not just the link I sent
-
anupritaisno1[m]
[deepthought](
matrix.to/#/@deepthought:matrix.org): how many times does it need to be said?
-
anupritaisno1[m]
FBE + metadata encryption is equivalent to BDE
-
anupritaisno1[m]
Or better in some cases
-
strcat[m]
it's not equivalent
-
strcat[m]
anyway it's not interesting to discuss a technical topic based on conjecture and claims not based on how it actually works
-
strcat[m]
if you wanted to use FBE with a global boot passphrase and use it the only way you can use FDE, nothing stops you from using it that way
-
anupritaisno1[m]
Metadata encryption does encrypt sector 0 though
-
strcat[m]
I don't find metadata encryption to be much an improvement but sure it has that now
-
strcat[m]
file names were already padded + encrypted
-
strcat[m]
* if you wanted to use FBE with a global boot passphrase to use it the only way you can use FDE, nothing stops you from using it that way
-
strcat[m]
there is no data that's not encrypted - the difference is not that
-
strcat[m]
the difference is that FBE is granular so it's more flexible in how it's used and can be used in a way that provides finer-grained encryption keys
-
strcat[m]
either way all data is encrypted
-
deepthought[m]
The difference it, the device did not boot the full OS yet with FDE
-
strcat[m]
FBE is what enables per-profile encryption keys and the ability to explicitly store data that's device encrypted which is what makes it so that accessibility services don't need to disable credential-based encryption like before (since it's per-profile)
-
strcat[m]
and for example our Updater app explicitly opts into direct boot and stores the downloaded updates with device encryption
-
strcat[m]
deepthought: the device booted the OS either way
-
strcat[m]
deepthought: and while FBE enables finer-grained encryption keys it doesn't force that to be done
-
strcat[m]
deepthought: I don't think designing around a global boot passphrase makes much sense especially when the real value is in data that's kept at rest while locked
-
strcat[m]
but FBE certainly does not prevent using that approach
-
strcat[m]
either way, FDE or FBE, all data stored is encrypted
-
strcat[m]
if you wanted you could use a single global encryption key with FBE
-
strcat[m]
it's not a property of whether you use block layer or filesystem layer encryption
-
strcat[m]
the filesystem layer encryption as used in the default AOSP encryption has per-profile encryption keys, that's a higher level design choice
-
strcat[m]
it wasn't possible with FDE, but FBE obviously doesn't force doing it that way
-
strcat[m]
previously if you enabled an accessibility service
-
strcat[m]
with FDE
-
strcat[m]
credential-based encryption was simply disabled
-
strcat[m]
because how else could it work? it didn't have the flexibility to be able to configure anything (including security restrictions) before entering the passphrase
-
strcat[m]
so also
-
strcat[m]
the setting for a limit on the # of attempts to decrypt couldn't really work with FDE at least without a hardware implementation
-
strcat[m]
and you didn't have a way to get an over-the-air security update without decrypting all data so you couldn't apply a security fix in a situation where you didn't want to decrypt your data
-
strcat[m]
among other examples
-
strcat[m]
and of course having per-profile encryption keys is a pretty big deal especially considering how focused we're going to be on profiles
-
deepthought[m]
strcat: anupritaisno1 Thank you.
-
strcat[m]
profiles are the way that the OS provides having separate identities / workspaces
-
strcat[m]
apps can't share data or communicate across them
-
strcat[m]
and that's the only way you can have multiple instances of an app
-
strcat[m]
previously with a boot passphrase, the owner of the device would have to enter that on boot and then everything is decrypted until it's powered off
-
strcat[m]
vs. the approach of per-profile encryption keys based on the per-profile lock method
-
strcat[m]
with support for convenience via secondary unlock mechanisms (currently biometrics, but if you look in the tracker, we have plans for 2-factor secondary unlock)
-
strcat[m]
so you can set a passphrase for each profile, the passphrase is required for the initial unlock (on boot, or if it was logged out after usage)
-
strcat[m]
secondary unlock mechanisms are only used for lockscreen security + protecting keystore
-
anupritaisno1[m]
How do you recover from 2fa?
-
strcat[m]
they don't weaken encryption
-
strcat[m]
anupritaisno1: what do you mean
-
strcat[m]
it's a secondary unlock mechanism
-
anupritaisno1[m]
Let's say your fingerprint hardware broke
-
strcat[m]
it doesn't matter if it stops working or you forget it
-
anupritaisno1[m]
What now?
-
strcat[m]
anupritaisno1: so you're inconvenienced by having to log in with your passphrase every time instead of only for the initial unlock
-
strcat[m]
don't really see how 2FA secondary unlock changes that
-
strcat[m]
* don't really see how 2 factor secondary unlock changes that
-
anupritaisno1[m]
[strcat](
matrix.to/#/@strcat:matrix.org): wait so is 2fa like a simpler passphrase + biometric and you keep a complex passphrase for encryption?
-
strcat[m]
it will work exactly as secondary unlock mechanisms already do
-
strcat[m]
anupritaisno1: yes it's simply the ability to add a 2nd factor (PIN, passphrase) to secondary unlock
-
strcat[m]
it has nothing to do with the primary unlock mechanism used for the profile's encryption key
-
strcat[m]
secondary unlock is only usable for a limited time and a limited # of attempts after primary unlock
-
strcat[m]
and of course can't be used for the initial unlock
-
strcat[m]
that's how it already works, this is how it is now
-
anupritaisno1[m]
So what's the threat model?
-
strcat[m]
the feature we plan to add is just the ability to add a PIN + passphrase to secondary unlock
-
anupritaisno1[m]
Somebody can't unlock when you're asleep?
-
strcat[m]
we want people to be able to use a strong passphrase for their primary unlock mechanism
-
strcat[m]
while having convenience
-
strcat[m]
which is why the existing secondary unlock feature is useful
-
strcat[m]
but right now secondary unlock only offers biometric options (IR-based face scanning or IR-based fingerprint scanning)
-
anupritaisno1[m]
Also I hear biometric manager now uses the same methods for face and fingerprint so what stops this feature from being implemented?
-
strcat[m]
so we want to add the ability to add a PIN + passphrase for secondary unlock
-
strcat[m]
so then it's knowledge + biometric instead of just a physical thing
-
strcat[m]
it's a straightforward feature
-
strcat[m]
anupritaisno1: nothing stops it from being implemented
-
strcat[m]
there are a lot of planned features on the tracker, this is one of them
-
anupritaisno1[m]
Does seem there's challenges
-
strcat[m]
making the UI
-
strcat[m]
is the main challenge
-
strcat[m]
not really much of a challenge
-
anupritaisno1[m]
Care will need to be taken to make sure we store the passphrase somewhere secure
-
strcat[m]
you don't store passphrases
-
anupritaisno1[m]
Like we can't put the passphrase in the DE by accident
-
anupritaisno1[m]
<strcat[m] "you don't store passphrases"> Yes hashed
-
anupritaisno1[m]
Can we reuse the per user code for pin scrambling?
-
strcat[m]
I don't remember how we implemented the setting for that
-
strcat[m]
I don't think it can be done the same way
-
strcat[m]
the main 'challenge' is figuring out the existing UI flow, where to put this, and implementing the UI securely
-
strcat[m]
since it's largely a UI security feature (it only works when the profile is already logged in with the main unlock method)
-
strcat[m]
maybe we could wire it up to further secure the keystore locking security
-
strcat[m]
but that might not be realistic
-
anupritaisno1[m]
Basically don't create a system ui bypass vuln?
-
strcat[m]
keystore protects keys that are tied to lock state when locked
-
strcat[m]
and of course that's based on lock methods
-
strcat[m]
ideally it would use fingerprint + PIN for that not just fingerprint
-
strcat[m]
but it may not be realistic to do that
-
anupritaisno1[m]
-
strcat[m]
the main unlock method isn't something we want to change other than perhaps removing the bad choices (pattern, PIN) and limiting PIN to secondary unlock
-
-
strcat[m]
but I don't think it makes sense to remove those choices from secondary profiles
-
anupritaisno1[m]
Should the password be asked here?
-
strcat[m]
no
-
strcat[m]
it's solely about secondary unlock
-
deepthought[m]
-
deepthought[m]
Unable to connect
-
anupritaisno1[m]
[strcat](
matrix.to/#/@strcat:matrix.org): so secondary password only on lock screen?
-
strcat[m]
yes
-
strcat[m]
keep it simple
-
anupritaisno1[m]
Not if a biometric app wants it?
-
strcat[m]
it's unrelated to that
-
strcat[m]
biometrics can be set to only be usable in apps rather than secondary unlock
-
strcat[m]
they're separate uses
-
strcat[m]
(it's just only in the Settings app for face unlock atm)
-
anupritaisno1[m]
[strcat](
matrix.to/#/@strcat:matrix.org): then should this password be backed on titan m or no?
-
strcat[m]
look at the face unlock settings on the Pixel 4
-
anupritaisno1[m]
<strcat[m] "look at the face unlock settings"> Oh BTW they need fixing
-
strcat[m]
anupritaisno1: no - there's no reason to store it anywhere but the profile's credential encrypted data
-
strcat[m]
what about it needs fixing?
-
anupritaisno1[m]
Unless you are on the dark theme some UI elements are not visible
-
anupritaisno1[m]
Happens on the official GSI too
-
strcat[m]
atm the priorities are SetupWizard and the APN stuff
-
strcat[m]
really need that done this week
-
anupritaisno1[m]
APN probably today
-
anupritaisno1[m]
Waiting for this build to finish
-
anupritaisno1[m]
Also not sure if we can fix that face unlock issue [strcat](
matrix.to/#/@freenode_strcat:matrix.org)
-
anupritaisno1[m]
Might need to decompile the face unlock app and fix the resources
-
strcat[m]
no
-
strcat[m]
I don't really see why it would be a problem
-
strcat[m]
copying their xml configuration is an easy option but we could also just figure it out ourselves
-
anupritaisno1[m]
Well it isn't
-
strcat[m]
and I don't know why you say there might be a possibility we can't fix it
-
strcat[m]
doesn't make any sense
-
anupritaisno1[m]
Just a few instructions on the setup screen aren't readable
-
strcat[m]
ok and it's just some ui code
-
strcat[m]
why wouldn't we be able to fix it
-
strcat[m]
even if we didn't have something to use as a reference we could fix it
-
anupritaisno1[m]
Dunno
-
anupritaisno1[m]
We can?
-
strcat[m]
there are other minor issues with dark vs. light theme in some of the UI
-
strcat[m]
no reason it can't be fixed
-
anupritaisno1[m]
How would you
-
strcat[m]
we just don't have the Settings app fully configured properly
-
strcat[m]
don't know what you mean
-
strcat[m]
but you not knowing how to do something doesn't mean it can't be done
-
strcat[m]
a minor UI issue is entirely fixable
-
anupritaisno1[m]
<strcat[m] "we just don't have the Settings "> So more overlays?
-
strcat[m]
if that's the problem
-
strcat[m]
usually the problem is we're missing resource configuration
-
strcat[m]
no point of doing it with overlays if we want the same configuration across all devices
-
strcat[m]
we can just change the default Settings resources
-
strcat[m]
look at the existing examples in the Settings repo
-
strcat[m]
the Settings app has resources you can use to configure various aspects of the appearance, which settings are enabled and to add things like demonstration graphics
-
anupritaisno1[m]
Doing it
-
strcat[m]
even if it didn't we can just change the code
-
strcat[m]
but any differences are going to be from resources
-
anupritaisno1[m]
[strcat](
matrix.to/#/@strcat:matrix.org): actually I think I got it
-
anupritaisno1[m]
So the problem is white text on white, maybe some resource is hardcoded somewhere?
-
anupritaisno1[m]
I was able to figure that out in the past working on oms
-
bypassbobby[m]
Anyone have any opinions on the safety of using KeepassDX on graphene
-
jpds
bypassbobby[m]: It's an open-source app, and you can deny it network access
-
bypassbobby[m]
I mean if authorities got the phone how secure is it
-
uchihaitachi[m]
may be it depends on your master password
-
alzxjm[m]
bypassbobby: Do you mean if the authorities get the phone while it's unlocked?
-
dazinism
Lynn had a quick look at it and said it appeared respectable. They are a cryptographer who had a closer look at Aegis Authenticator
github.com/lynn-stephenson/analysis…r/Aegis%20Authenticator%20v1.1.4.md
-
alzxjm[m]
If the phone is locked they'll have to unlock it first to even try at your encrypted password databse.
-
dazinism
They said use Aegis over andOTP
-
bypassbobby[m]
Yes if they somehow unlocked the phone and keepass was the only thing between them and all my password
-
bypassbobby[m]
* Yes if they somehow unlocked the phone and keepass was the only thing between them and all my passwords
-
jpds
bypassbobby[m]: I suggest watching
vimeo.com/95066828 from 16:33 onwards for a threat model vs a government
-
dazinism
bypassbobby: should be reasonably safe. Guess if you had biometric database unlocking enabled and they were able to fake your biometrics you passwords are theirs
-
dazinism
Otherwise would depend on the strength of your passphrase.
-
bypassbobby[m]
Is it possible to open veracrypt files on graphene
-
bypassbobby[m]
<jpds "bypassbobby: I suggest watching "> Thanks I'll check that out
-
jpds
16:13* actually
-
bypassbobby[m]
I'm thinking an encrypted USB would be better to load the encrypted container with my passwords on
-
bypassbobby[m]
<jpds "16:13* actually"> What the hell was that haha
-
nickcalyx[m]
I know a lot of people here like to use profiles..
-
nickcalyx[m]
-
nickcalyx[m]
Working on having seedvault back up profiles...
-
dazinism
<bypassbobby[m] "Is it possible to open veracrypt"> Theres EDS -
sovworks.com/index.php also EDS lite on fdroid, which is an older version.
-
faxing[m]
Any timeline for when Android 11 is coming to GrapheneOS?
-
madaidan[m]
<faxing[m] "Any timeline for when Android 11"> Likely soon
github.com/GrapheneOS/os_issue_tracker/milestone/2
-
strcat[m]
faxing: Android 11 GrapheneOS is in the Beta channel