Conversation

You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more

Replying to

and

As the post says, it was fixed in the February security update, so it doesn't impact the latest versions in any way. grapheneos.org/releases#2020. You would need to ask about releases before 2020.02.04.01. Don't have time to look back every old vulnerability and analyze them, sorry.

Replying to

and

Their exploit is only for Android 8-9 since they say exploiting Android 10 is harder so there's already a catch before GrapheneOS hardening comes into play. If you want to pay a security researcher to revert fixes for old vulnerabilities and analyze impact of hardening, go ahead.

You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more

Replying to

and

Bluetooth is already disabled by default in GrapheneOS. Leave it disabled and remove the quick settings entry so you don't toggle it on by accident. This isn't a good reason to make alternate builds of the OS. That requires substantial resources and wouldn't make much sense.

Replying to

and

GrapheneOS can't have assorted variants of the official builds disabling different combinations of features. Our resources are already stretched thin and we're considering dropping support for devices without maintainers. Can't be maintaining variants of the official releases.

Replying to

and

There's tons of work that needs to be done: github.com/GrapheneOS/os_ github.com/GrapheneOS/Van github.com/GrapheneOS/Aud github.com/GrapheneOS/Att github.com/GrapheneOS/har github.com/GrapheneOS/Pdf Can't afford to lose a day per month making builds removing a disabled-by-default feature.

github.com

Issues · GrapheneOS/hardened_malloc

Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-base...

You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more

Replying to

and

So either leave Bluetooth enabled or don't authorize apps to use it unless you trust them with it. The concerns you are raising don't make sense to me and I don't understand why you want special treatment for Bluetooth. We aren't making builds for things toggles handle just fine.

You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more

Replying to

and

Doesn't make sense. You're saying you're worried about attacker with local code execution on the device that's succeeding escalating privileges to the point that they can bypass the permission model / sandbox and change settings. Why focus on Bluetooth over the 3 other radios?

3:37 AM · Apr 23, 2020Twitter Web App

Replying to

and

Enabling Bluetooth does NOT give apps unfettered access to it. You have to approve it. And why would an app exploit the OS to enable Bluetooth and grant themselves access to it in order to locally exfiltrate data when they can use audio that you can't hear with no permission.

Replying to

and

If they have exploits to able to enable radios and then bypass the sandbox to grant privileges to their app, why would they need Bluetooth? Why not Wi-Fi, cellular and NFC? Can't understand why you want such special treatment for Bluetooth. We already disable it by default.

You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more

Replying to

and

Contact tracing in other operating systems doesn't impact GrapheneOS even if GrapheneOS users make use of Bluetooth. GrapheneOS is never going to force contract tracing on people. If you want GrapheneOS to do something it has to make sense and have a real threat model.

Show replies