Conversation

Calyx is the best privacy focused OS in terms of app compatibility. It's not perfect but it's become very stable over the last few months of using it as a daily. Has some very nice features too like a firewall that completely disables data access to individual apps.

Daniel Micay

@DanielMicay

Replying to

and

GrapheneOS now has grapheneos.org/usage#sandboxe providing substantially broader app compatibility. microG only provides a small subset of Play services functionality. CalyxOS does not add a firewall. AOSP already has one and they're just presenting features in their own firewall UI.

Replying to

It's worth noting that their take on network filtering is fundamentally flawed and doesn't work: gitlab.com/CalyxOS/calyxo. It's not something missing but rather the approach is fundamentally incorrect. Solely packet-based filtering can't provide what it's presented as providing.

gitlab.com

App can bypass network isolation (#454) · Issues · CalyxOS / calyxos · GitLab

http://play.google.com/store/apps/details?id=com.gombosdev.ampere is able to show ads even with network-isolation configured. (Main toggle for the app in Datura / "Allow network access" in Settings.

Replying to

Network access via IPC also needs to be blocked, and in a systemic way rather than case-by-case. So, sure, they have a UI for the standard firewall with added features. The plan in their tracker is to fix 1 specific hole caused by a general problem of not blocking IPC networking.

Replying to

Our approach is adding a Network toggle which removes both direct socket access (like that kind of firewall) and also indirect access. Some apps aren't happy with network access being truly fully revoked so github.com/GrapheneOS/os- is planned to fix some apps handling it poorly.

github.com

improve app compatibility of Network toggle while keeping it just as strict via alternate error...

Replying to

The Network toggle already works for the base OS. Not every app is going to properly enforce INTERNET permission checks for services they provide to other apps though. This is a common issue with permissions: you trust an app not just with that access, but to protect the access.

Replying to

There are 2 issues with naive firewalls: 1) apps can use interfaces providing network access offering by the OS and other apps 2) apps can use DNS to bypass fine-grained address/domain whitelists/blacklists twitter.com/GrapheneOS/sta In both cases, it's standard indirect access.

Quote Tweet

GrapheneOS

@GrapheneOS

May 29, 2021

The fine-grained firewall leak demonstration can essentially be a pastebin site implemented as an app sending arbitrary data to the server via DNS queries. It's an easy way to demonstrate to users that their fine-grained firewall filtering and/or monitoring isn't really working.

Show this thread

1:00 AM · Aug 7, 2021Twitter Web App

This Tweet is unavailable. Learn more

Replying to

So, that leaves a choice: do you offer users a feature which fundamentally cannot work, or do you provide something that will work but isn't as appealing as a concept and will take longer to make? In general, most privacy/security projects choose former approach to most things.