Side question: what's a good way of getting a GrapheneOS phone?
I have been interested in using GrapheneOS but hesitant about actually getting a Pixel phone. Used phone prices are usually >$300 even for "a" series unless I go back several generations. Whether the device bootloader can be unlocked is also a question. I am definitely not ready to spend $449 on a new Pixel 10a.
Is this really true? The Mullvad report a year or so ago was that they didn’t want to turn on no exceptions mode because it breaks network connectivity until reboot if you don’t pause it when updating the app, not that the feature doesn’t exist. They also recently shipped it anyway, opt in and behind a warning.
Terminology like "private" and "trust" differ in meaning from computer land to human convention.
It's a concern to me, because humans often extend their trust to computer trust based upon misunderstanding of the identically spelled words and lack of recognition of differing context.
MacOS has had instances where their own apps could bypass always-on VPN. I'm not sure if there have been exploits or gaps where traffic could go to arbitrary destinations directly.
this is not an ocassional bug this is still the system design today. privacy gateways upstream of big tech are the way to go on this because privacy isn't their profit center
Not damaging their relationship with Google as a vendor most likely. For better or worse, GrapheneOS is depend on Android which is controlled by Google.
We all agree. But what's the solution? We know 99% of the users don't care. So, the only pressure point is phone manufacturers. I don't have any power to influence anybody significant in this space. I feel helpless.
First motorola grapheneos phone i am buying to get fully off the google pain train. Grapheneos tides me over until a real linux smart phone shows up or i die of old age. Now if home assistant could get thread network join*ng working without an android phone with a google account i could ve fully ris of those eh holes.
Carrier-sold Pixels generally don't have "OEM-unlockable" bootloaders.
Your best bet for now is to buy a new Pixel direct from Google, or a used one from eBay that the seller advertises as already having GrapheneOS on it (or otherwise guarantees that the bootloader is unlockable). These ones are worth a lot more than the ones that can only run Google/carrier Android.
I own two GrapheneOS Pixel 7 units, which should get any Google blob security updates (which GrapheneOS incorporates) through October 2027, and GrapheneOS may still support it with source updates after that. So in a year or so, I might get the GrapheneOS Motorola if it's available, or a later Pixel. (I never buy these new, since I don't want to carry a several hundred dollar phone when a 2 gen old one is still great, thanks to GrapheneOS.)
I finally left Verizon after nearly 20 years. I had it with their enshittification, couldn't stand it anymore. I switched to US Mobile and on the Darkstar (AT&T) network. I have no regrets. I caught it on a black friday deal, so I'm paying basically $20/mo for top tier service. You wouldn't have caught me dead with an AT&T service or MVNO years ago because I'd seen so many bad experiences second-hand, but these days it's been a breeze knock on wood
I also did the math and determined buying a new unlocked phone outright on this plan was far cheaper than paying Verizon monthly for one.
+1 for US Mobile. Verizon was also good, but a few months ago my cofounder and I discovered we were absurdly overpaying for our decade-old small business plan and found that US Mobile offered a better end product for a fraction of the price.
Currently running my Pixel on Warp (Verizon) with zero practical difference, and starting Monday I'll also have a backup iPhone with a small $8/mo Darkstar line. The money I've saved since switching more or less paid for the iPhone, and I'll be getting 2x reliability for way less ongoing cost. The better app/website/support and extra features are just a bonus.
I don't see a problem with supporting their legitimate hardware or cloud business models. But of course I see a problem supporting their illegitimate adware and spyware business models.
At some point digital security turns into physical security, and there are national security interests that have fine-tuned their detection logic on these kinds of "buggy" behavior.
If you patch it, you'd need to find another way to de-anonymize those users.
The issue reported on lowlevel.fun [0] and discussed on GrapheneOS forums [1] does seem like a security issue. It isn't clear why engineers in charge would mark it infeasible as the breach demonstrates more than one failure.
1. A new (albeit "hidden" [2]) network API registerQuicConnectionClosePayload(fd, payload) lets a process set any byte array for the OS to send on its behalf.
2. No ("panaroid networking") permission checks against the calling uid/process when sending that byte array out on a OS-owned UDP socket.
3. Bypassing ("panaroid android") permission checks [3] by simply calling network-related syscalls (or libc/bionic functions) as opposed to Android SDK APIs.
These steps essentially amount to app sandbox escape (2,3) and privilege escalation (1,2). I am utterly confused why the Android security team at Google won't take this more seriously.
[2] In as much the code mmap'd into your own process can be "hidden" away. For their exploit though, the author cleverly abuses Binder IPC primitives to reach the "hidden" parts.
[3] This bypass probably only works for this one scenario because of #2.
Side question: what's a good way of getting a GrapheneOS phone?
I have been interested in using GrapheneOS but hesitant about actually getting a Pixel phone. Used phone prices are usually >$300 even for "a" series unless I go back several generations. Whether the device bootloader can be unlocked is also a question. I am definitely not ready to spend $449 on a new Pixel 10a.
Don't buy Pixel 10a, 9a is almost exactly the same thing and still sold new.
You could wait it out for a bit. There is work underway to support more phone hardware. Which brand was a bit up for speculation.
It was announced a while ago to be Mororola: https://motorolanews.com/motorola-three-new-b2b-solutions-at...
I bought a Pixel 7 from BackMarket to test out GrapheneOS. I have previous positive comments and conversations in my account history.
> Because system_server operates with elevated networking privileges and is exempt from VPN routing restrictions
So a VPN isn't a VPN on Android? Regardless of this bug. Do other locked down operating systems act the same?
Ios does the same, only way around it is if you have an ?enterprise? licence (250+ devices)
Mullvad and others reported on that one ages ago
Is this really true? The Mullvad report a year or so ago was that they didn’t want to turn on no exceptions mode because it breaks network connectivity until reboot if you don’t pause it when updating the app, not that the feature doesn’t exist. They also recently shipped it anyway, opt in and behind a warning.
Terminology like "private" and "trust" differ in meaning from computer land to human convention.
It's a concern to me, because humans often extend their trust to computer trust based upon misunderstanding of the identically spelled words and lack of recognition of differing context.
MacOS has had instances where their own apps could bypass always-on VPN. I'm not sure if there have been exploits or gaps where traffic could go to arbitrary destinations directly.
this is not an ocassional bug this is still the system design today. privacy gateways upstream of big tech are the way to go on this because privacy isn't their profit center
How hard would it be to fix the system_server (and any other) bypass?
> Google maintained its position, authorizing public disclosure on April 29.
I'm surprised they honored the embargo at that point, and delayed the fix until May. Why not just release immediately?
Not damaging their relationship with Google as a vendor most likely. For better or worse, GrapheneOS is depend on Android which is controlled by Google.
The researcher who discovered the bug is not affiliated with Graphene
Stock Android is spyware and adware, back in the day we called such software malicious and removed it, now it's the default.
We all agree. But what's the solution? We know 99% of the users don't care. So, the only pressure point is phone manufacturers. I don't have any power to influence anybody significant in this space. I feel helpless.
I know there are bad business reasons, but how can someone classify a VPN leak as "not a security issue" and keep their pride?
That assumes there is pride they have to bother to keep.
Interestingly GrapheneOS being so good brings more money to Google as only Pixel phones are supported.
First motorola grapheneos phone i am buying to get fully off the google pain train. Grapheneos tides me over until a real linux smart phone shows up or i die of old age. Now if home assistant could get thread network join*ng working without an android phone with a google account i could ve fully ris of those eh holes.
> Now if home assistant could get thread network join*ng working without an android phone with a google account
There is already a way to do this. It's fiddly, but not by much. Once set up it's a much better experience, though.
https://www.matteralpha.com/how-to/how-to-use-home-assistant...
> real linux smart phone shows up
What’s most glaringly missing, for you specifically, from the plethora of options available?
It seems like plenty of options are getting 7/10 things right.
I am patiently waiting for that one. I have been willing to move to GrapheneOS for a while, but I don't feel like buying Google hardware.
There should be at least one Motorola phone before end of the year that has GrapheneOS support.
Sadly, Verizon Pixel phones, even after carrier unlocking, seem to be forever blocked from using GrapheneOS.
Carrier-sold Pixels generally don't have "OEM-unlockable" bootloaders.
Your best bet for now is to buy a new Pixel direct from Google, or a used one from eBay that the seller advertises as already having GrapheneOS on it (or otherwise guarantees that the bootloader is unlockable). These ones are worth a lot more than the ones that can only run Google/carrier Android.
https://grapheneos.org/install/web#prerequisites
I own two GrapheneOS Pixel 7 units, which should get any Google blob security updates (which GrapheneOS incorporates) through October 2027, and GrapheneOS may still support it with source updates after that. So in a year or so, I might get the GrapheneOS Motorola if it's available, or a later Pixel. (I never buy these new, since I don't want to carry a several hundred dollar phone when a 2 gen old one is still great, thanks to GrapheneOS.)
https://support.google.com/pixelphone/answer/4457705
I finally left Verizon after nearly 20 years. I had it with their enshittification, couldn't stand it anymore. I switched to US Mobile and on the Darkstar (AT&T) network. I have no regrets. I caught it on a black friday deal, so I'm paying basically $20/mo for top tier service. You wouldn't have caught me dead with an AT&T service or MVNO years ago because I'd seen so many bad experiences second-hand, but these days it's been a breeze knock on wood
I also did the math and determined buying a new unlocked phone outright on this plan was far cheaper than paying Verizon monthly for one.
+1 for US Mobile. Verizon was also good, but a few months ago my cofounder and I discovered we were absurdly overpaying for our decade-old small business plan and found that US Mobile offered a better end product for a fraction of the price.
Currently running my Pixel on Warp (Verizon) with zero practical difference, and starting Monday I'll also have a backup iPhone with a small $8/mo Darkstar line. The money I've saved since switching more or less paid for the iPhone, and I'll be getting 2x reliability for way less ongoing cost. The better app/website/support and extra features are just a bonus.
> I also did the math and determined buying a new unlocked phone outright on this plan was far cheaper than paying Verizon monthly for one.
On any plan.
There’s a reason that as soon as you walk into a cell store they immediately try to schmooze you into signing contracts and leasing phones.
It’s the way they make the most margin!
So far. Other companies surely will make their devices compatible if the market share increases for it
I’ve seen this repeated here, but:
Google's Pixel hardware division likely operates at a loss - or breaks even.
and even if every active HN user bought $100-$400 used Pixels from Swappa, meaningless money to them.
I don't see a problem with supporting their legitimate hardware or cloud business models. But of course I see a problem supporting their illegitimate adware and spyware business models.
I agree, especially when you are buying for the used market.
We need to bring back shame.
Step one… completely reform MBA programs.
They're paid not to.
At some point digital security turns into physical security, and there are national security interests that have fine-tuned their detection logic on these kinds of "buggy" behavior.
If you patch it, you'd need to find another way to de-anonymize those users.
So, somewhere, some government or organization might want to blow the user into kibble, and that's an important use case?
I feel like this should be toward the top of the terms of service for the phone, even above the mandatory arbitration clause.
How can someone consider unwanted disclosure of personal information a security issue, and work at Google?
Corporations have no pride. They are soulless, psychopathic accountability sinks.
What planet are you from?
The issue reported on lowlevel.fun [0] and discussed on GrapheneOS forums [1] does seem like a security issue. It isn't clear why engineers in charge would mark it infeasible as the breach demonstrates more than one failure.
1. A new (albeit "hidden" [2]) network API registerQuicConnectionClosePayload(fd, payload) lets a process set any byte array for the OS to send on its behalf.
2. No ("panaroid networking") permission checks against the calling uid/process when sending that byte array out on a OS-owned UDP socket.
3. Bypassing ("panaroid android") permission checks [3] by simply calling network-related syscalls (or libc/bionic functions) as opposed to Android SDK APIs.
These steps essentially amount to app sandbox escape (2,3) and privilege escalation (1,2). I am utterly confused why the Android security team at Google won't take this more seriously.
[0] https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypas...
[1] https://discuss.grapheneos.org/d/35152-android-always-on-vpn...
[2] In as much the code mmap'd into your own process can be "hidden" away. For their exploit though, the author cleverly abuses Binder IPC primitives to reach the "hidden" parts.
[3] This bypass probably only works for this one scenario because of #2.
It wasn't patched by Google because it's a backdoor. For various reasons, modern mainline Android is substantially hazardous to use.