Which option can be the best to browse in Android (between these options)

  • Bromite ; Firefox
  • Stix
  • Iceraven
  • Icecast
  • Lunacy@lemmy.ml
    3 years ago

    in spreading FUD and promotes Windows over Linux.

    Madaidan doesn’t spread any FUD and doesn’t promote Windows over Linux. He wrote a purely objective technical analysis about Linux security; many security experts share this view, such as:

    He also wrote:

    Note that these analyses are purely objective and do not account for threat models or other user-dependent factors.

    Users should choose software according to their own use case and threat model. I personally use Fedora 34 with KDE Plasma as desktop environment; I prefer Linux over Windows because of the FOSS ideology. However, the problems pointed out by madaidan and other security researchers still remain. You said that madaidan spreads FUD, but you didn’t show any evidence. Madaidan himself uses Linux (I think Qubes OS + Whonix, because he uses Tor for everything).

    And his Chrome shilling is highly related to his hatred for Firefox’s anti racism political stance

    First of all, madaidan uses Firefox; he said that many times on Spite. Second of all, this is a very serious accusation; you should show proof.

    Have had a lot of one to one experience with him, his sockpuppets and his friends.

    That doesn’t mean they spread FUD about software. Drama is really a waste of time.

    Edit: typo and things that are not relevant to the discussion.

              • Lunacy@lemmy.ml
                3 years ago

                graphemes is not all that

                GrapheneOS is all of that. You won’t admit it because you have personal antipathy with the lead developer. This is unacceptable because you run a community, and you deliberately choose to spread misinformation about a project instead of actually helping people if they need or want to change OS. You should give them all the possibilities available, not the ones you like.

                GrapheneOS makes substantial security and privacy improvements, such as

                • Hardened malloc
                • hardened kernel
                • enhanced verified boot
                • hardened app runtime
                • strong app sandbox
                • hardware based attestation
                • jitless Vanadium (off by default) etc.
                • sensor permission toggle
                • network permission toggle
                • full MAC randomization per-network
                • mitigations against browser fingerprinting
                • reboot the phone after N hours if it’s locked (off by default)
                • secure application spawning system

                Etc.

                You can see the full list here.

                No other Android OS makes so many improvements.

                They are going to add an implementation to run Google Play Services (aka. Google Mobile Services / “GMS”) and related apps (Google Services Framework, Google Play Store) as regular, unprivileged user apps. This approach is way better than microG, because it doesn’t break the security model of Android.

                What you are telling me is to trust Google hardware here.

                Not at all, I linked a useful source to explain why Pixels are the recommended devices. Instead, you didn’t counter the source. The trust is implicit; you have to trust every piece of software and hardware that you use.

                GrapheneOS may itself be a good ROM, but the exclusivity of it being used with Google Pixels is extremely suspicious to me.

                CalyxOS also uses only Pixels, and you suggest it. Instead, you should suggest both CalyxOS and GrapheneOS.

                Pixels permit maintaining the Android security model; it doesn’t matter if it is suspicious to you. They use those phones for valid reasons.

                He is about as much of a security researcher as I am, and that is not much really. I never call myself an expert or anything, but he does in third person more often than not.

                Again, I’m not interested in madaidan; I linked his article because he made an objective analysis about Firefox. I asked you many times to give me a useful source to counter his article. Instead, you gave me deleted Reddit comments about people whom you defined as sockpuppets. I don’t care to read a thread between you and micay. My point is not to defend those people. I asked for a valid source like the one I linked to you about the Linux kernel by OpenSSF. You clearly failed to provide this.

                I doubt you will ever find extensive research papers and journal books and Buzzfeed articles on anonymous personalities involved in the privacy community.

                I’m simply looking for actual researchers like this one (not really related to this discussion, just an example).

                I will cite the famous Underhanded C Contest here: https://en.wikipedia.org/wiki/Underhanded_C_Contest . This proves it false that closed source code can be audited properly.

                This doesn’t counter my point at all. The Underhanded C Contest can also be applied to open source software.

                The Underhanded C Contest is a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake even if discovered. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice. Contestants are allowed to use C-like compiled languages to make their programs.[1]

                Closed source and open source can both be verified. It depends on whether there are competent people to audit the software.

                Open source is not equal to automatic security and privacy. Both open source and closed source software can be audited and you can find malicious code in both. This contest doesn’t mean that you can’t properly audit closed source code.

                Huawei is a Chinese company owned by its employees, and has no links to NSA or 14 Eyes countries due to stark political and ideological differences. I will use a historical reference as example. You are trying to tell me that 8 Nation Alliance collaborated with Qing Dynasty to sell the Chinese citizens opium to grow British trade?

                Not true at all. Source: the National Bureau of Asian Research.

                Huawei claims it is an “independent, privately-held company…owned by [its] employees through an Employee Stock Ownership Program,” which allows it to pursue long-term growth without shareholder pressure and to act independently of CCP direction. However, significant evidence exists directly tying both Huawei and founder Ren Zhengfei to the CCP and People’s Liberation Army (PLA). This has raised concerns that the CCP could access Huawei clients’ data or compel it to support the party’s espionage work.

                Ren, who retains veto power over strategic decisions and strong operational control, served in the PLA prior to founding Huawei. U.S. officials claim that this included a stint with a military intelligence unit. Ren is a CCP member, attended the 12th National Congress, and was honored in 2018 as a leading private entrepreneur who safeguarded CCP leadership.

                The links, however, run far deeper than Ren’s personal ties. A 2005 report described a “digital triangle” linking nominally private Chinese tech companies, including Huawei, to state-backed research institutions and the PLA. In 2013, former head of the CIA and National Security Agency (NSA) Michael Hayden stated that there is tangible classified evidence that Huawei has engaged in CCP-directed espionage activities.

                In June 2019, a report found that Huawei employees, operating in their personal capacities, collaborated with the PLA on surveillance-related military research that is apparently not connected to Huawei’s legitimate operations. Additionally, earlier in 2019, a Huawei employee in Poland was arrested on suspicion of working as a Chinese intelligence agent. While the charges appear unrelated to the employee’s work, numerous Huawei employees believe that Chinese intelligence agencies regularly embed agents in their offices and monitor their conversations. In July 2019, Czech Huawei employees reportedly passed information on clients directly to the Chinese embassy.

                Verified secure boot is such a meme. You think Evil maid attacks need an unlocked bootloader? One needs to be able to use privileged escalation, which is easier to achieve via social engineering instead. Many methods of attacking users exist. Just go and check how Cellebrite and all these kits work in real world.

                Verified boot is not a meme at all.

                Verified Boot strives to ensure all executed code comes from a trusted source (usually device OEMs), rather than from an attacker or corruption. It establishes a full chain of trust, starting from a hardware-protected root of trust to the bootloader, to the boot partition and other verified partitions including system, vendor, and optionally oem partitions. During device boot up, each stage verifies the integrity and authenticity of the next stage before handing over execution.

                You think Evil maid attacks need an unlocked bootloader?

                That’s security through obscurity. Verified boot is not a panacea against all kinds of possible attacks, but it’s still a very useful security and privacy feature. It prevents malware from becoming persistent. Users shouldn’t disable it for any reason.

                Pixels have also become the most vulnerable and worst phones to buy now (always were, now botnet loaded), considering Anøm phones are going onto markets as second hand.

                Two different problems. Pixels didn’t become the most vulnerable because of the Anom phones.