Not really. There's some politics to it. On mobile so can't easily or cut link my saved references, but basically there's an unsanctioned, unofficial fork that uses websocket rather than gcm. Moxie (who has been very opposed to allowing non-Google Android builds to connect to Signal) has recently stated a list of requirements to pull a websocket-based implementation into the official code base, but they're quite stringent, and would be partially opposed by strong FOSS advocates, e.g. earn a couple of red marks on F-Droid.
If you're dead set on using Signal on Copperhead, you have these options:
- sideload or build Google services into your build.
- sideload or build MicroG + pre-reqs into your build
- use the unsanctioned, unofficial websocket fork (a good place to start reading is here)
None of these are great options, all involve some kind of risk, flakiness, unsupported complication, or compromise. Whether taking these negatives to be on the Signal network is worth it is your call.
There's a little-known option to donate monthly through Patreon. For me this is much easier than giving a one-off donation (and somehow more rewarding, as I'm helping to build a sustainable project)
Note to Copperhead crew: thanks for your work, and may I suggest adding links to the Patreon right next to the image download links?
If you did not buy your Pixel from CopperheadOS, you can download the source and build it yourself. The instructions are here.
Building it yourself is not terribly difficult, but it is also not trivial. You will need to get the Android build environment set up yourself. The instructions for this are not included in their online guide...it is assumed that you are capable of this yourself. They also release updates pretty frequently, so you will be rebuilding and flashing often.
If you do build it yourself and then go on to actually use it, you should consider a donation to these guys. This is more than just a reskin of stock Android with a few extra features thrown in like most 'custom' ROMs. These guys are IT security professionals and invest a lot of time into this project.
The user-facing features are well-covered by https://copperhead.co/android/docs/usage_guide already. It also covers each of the bundled user-facing apps. It doesn't cover the under-the-hood features but those are documented elsewhere. I don't think there's anything more to do in terms of putting the resources out there for people.
I don't think having CopperheadOS incorrectly portrayed as being the Android Open Source Project with some differences in default apps is helpful. No one seems to care about the privacy and security features of the OS. Every review focuses on the bundled user-facing apps, which aren't really part of the OS.
The review misses the point like past ones. A real review would talk about CopperheadOS, as in the changes it makes compared to Android, not which apps it bundles or doesn't bundle. Instead, the reviews talk about AOSP and the default apps. They get basic facts wrong, give advice contradicting our usage guide, etc. I would expect a review to at least touch on some of the user-facing features of CopperheadOS and maybe gloss over the bulk of the work that isn't user-facing but they don't do that. It's very discouraging to have it repeatedly portrayed as if we're simply making production releases of AOSP with minor differences in bundled apps and selling that. That isn't CopperheadOS.
CopperheadOS does not include nor allow the installation of GAPPS (Google Services).
For email providers you can have a look at Privacy-Conscious Email Providers. Personally I use mailbox.org.
You should take a look at the official usage guide:
You can use Signal or Noise. Noise is recommended, because it's available through F-Droid in the Copperhead repository and thus easy and secure to update. It's the exact same code.
I don't know NordVPN. VPN works on COS. I've been using OpenVPN for Android (available on F-Droid) with .ovpn files before.
I don't know what Bitwarden is. It sounds like an antivirus application. If it is, then it does not really make sense to use at all.
Protonmail works, but push doesn't work.
You should use Chromium and if you want to use a browser with an ad blocker, use Brave. The reasoning behind this is explained in the usage guide. Orfox is available as the de facto Tor Browser for Android, but also has the implication of being based on Firefox.
Yes, you can reinstall Android. Moving your OTP over to COS is the same as to any other OS and depends on the app you're using.
> Could you elaborate on that?
https://copperhead.co/android/docs/usage_guide#updates-on-pixel-and-pixel-xl-phones
> Will the user be prompted before installing an update?
No.
> Or will the phone just update on its own when I connect to my home wifi (when I'm potentially trying to do critical work or call 9/11)?
It doesn't disrupt what the user is doing. It downloads and installs at low priority in the background and then verifies that the new OS installation hashes to the correct values. Once it's successful, it generates a notification asking the user to reboot to use the updated version. The option was also added to opt in to it automatically rebooting after updating once the device has been idle for a long time, so that it can remain updated even if the device is left unattended for a long time.
Currently working on implementing Direct Boot support so it can work before the device is unlocked for the first time after booting. If the user opts into automatically rebooting when idle, it will be able to keep itself updated without user intervention. It's quite important.
You can download directly from https://www.whatsapp.com/android/. You need to update manually (i.e. download the new version every time) but, at least in my experience, WhatsApp reminds you from time to time when there is a new version.
It all depends on your needs. If you search reddit you can find some suggestion threads for FOSS apps.
CopperheadOS has some recommendations on their website.
A few I can recommend are:
I don't have too many apps installed, because I don't need many apps. I tend to use Chromium whenever I can instead of installing a proper app, but those are some apps I can recommend.
Prebuilt Chromium was recently removed, so you have to build Chromium from source. The docs have already been updated.
> Are the nexus devices getting Android 8 officially from Google?
Nexus Player, Nexus 5X, Nexus 6P, Pixel C, Pixel and Pixel XL are getting Android 8.0.
Nexus 6 and Nexus 9 are not receiving it and are both end-of-life this October.
> I was under the impression that security updates would end this year.
The Nexus 5X and 6P were released in September 2015 which means the end-of-life date is September 2018.
How the license is "marked" has no bearing over how you presented the situation on Twitter and generally when the license change occurred. I feel very certain that to most people reading
> So here's the plan: the nougat-release branch will start off with a non-commercial usage license, and migrate to GPL3 as it gets funded.
sounds like the license change is meant to be temporary, and not that there is basically (to paraphrase and summarize the various posts above) no chance in hell it's going to be reverted any time soon.
You may dislike people like myself, but I dislike projects that capitalize on a pretense to be free open-source software (which your site does state: "Open-source and free of proprietary services") when in fact it's not open-source under any of the commonly accepted definitions (OSI, FSF, DFSG, pick your choice), trying to attract donations in the process, when in fact it is a commercial project with no intention of ever becoming free software [again] despite public hints on Twitter and the like. It's a misrepresentation and a disservice to actual free, open-source software.
https://copperhead.co/android/docs/technical_overview#pdf-viewer
If you're aware of another usable memory safe PDF implementation, let us know. It will be difficult to replicate the same kind of hardened rendering stack though, unless by some miracle it includes that too.
> I've found the new PDF reader is incapable of opening "large" (>5-10 pages) PDFs, either that or it takes so long that I'm unwilling to wait (at least 45 seconds or more).
It works well for hundred page samples here. Do you have an example? PDF is a complex file format and there might be cases that it's not currently very good at handling, but it's not because they're 50 pages or so since it handles that just fine.
> There isn't time to work on device-specific issues
Considering COS only supports a very limited set of devices, and this bug breaks a privacy feature you advertise as being supported right on your front page, I'm not sure your response of "someone else should fix it, not us" is really appropriate in this case. At the very least, your webpage should be updated to reflect that this feature doesn't work on half of your supported phones.
Because you give this random company access to literally everything on your phone, and because they themselves state in their own privacy policy (https://www.cerberusapp.com/privacy), among other:
> When you use the LSDroid Services, our servers automatically record certain information about your usage from your mobile device and web browser. These server securely logs may include information such as a mobile device identification number and device identifier, web requests, Internet Protocol ("IP") address, browser type, browser language, referring / exit pages and URLs, platform type, number of clicks, domain names, landing pages, pages viewed and the order of those pages, features used in the LSDroid mobile application, the amount of time spent on particular web pages, the dates and times of your requests, and one or more cookies that may uniquely identify your browser.
It's a horrible application for anyone even somewhat privacy-conscious.
DNSCrypt uses other ports than 53, it's also encrypted and includes servers with no logs.
There have been too many vulnerabilities in TLS. I barely consider it a deterrent, but I still wouldn't, for example, use HTTP for sensitive stuff.
You are thinking about DNSSEC.
And I think DNSCrypt does use TLS and not anything less insecure. https://www.opendns.com/about/innovations/dnscrypt/
A mitigation strategy could be to avoid saving the information on your phone and mainly access it through web-services, e.g. your personal Nextcloud server. When you have to travel you can clean the cache, history and passwords in your browser (deniability). Additionally you can install bogus email, calendar and contact accounts on the phone.
It's also being rolled out via the Play Store: https://play.google.com/store/apps/details?id=app.attestation.auditor.
This extends verification support to the Huawei Mate 20 Pro LYA-L29, Samsung Galaxy S9 SM-G960W and Xiaomi POCOPHONE F1. It also has the new AOSP sample build keys.
Version 4 adds support for 11 new device models including initial support for next generation devices like the Pixel 3 with key attestation v3 including separate patch levels for the boot, system and vendor images.
The update will also be available via the Play Store once it propagates:
https://play.google.com/store/apps/details?id=app.attestation.auditor
There's more work left to fully support the capabilities of next generation Android devices with key attestation v3 and StrongBox Keymaster implementations but the basics work now.
Play Store link: https://play.google.com/store/apps/details?id=app.attestation.auditor
See the thread I posted on Twitter for more details:
For me, all three of your alternatives: https://f-droid.org/repository/browse/?fdid=de.blinkt.openvpn
This excellent (IMHO) client can connect with a v 2.4 or greater OVPN server using their new TLS encrypted control channel/data channel option. This means that if one uses tcp 443, the connection will appear superficially - even to DPI - to be an HTTPS connection; useful at WAPs that allow only browsers and/or wish to block or throttle down VPNs. (under this configuration, this is known as a "stealth" vpn).
I use this client to connect to my home router/2.4 OVPN server where I run various malware/adware filters, and then on to the WAN. (Actually through another VPN on to a Swiss VPN ISP service)
Advice if you want to install apps only available on the Google Play store (e.g. Skype):
Thanks!
> note that you need factory images for a fresh install
A factory image of Nougat from Google?
> Someone would have to try this to find out, and perhaps there's a tweak that could be made to make it work if it doesn't already.
If anybody feels like it...
Install Open Camera from F-Droid.
Open the app.
Go to "Settings".
Enable "Use Camera2 API"
Open "Settings > Photo Settings > RAW > JPEG and DNG (RAW)"
See if it captures DNG files.
It seems that you can't build AOSP without proprietary binaries: https://source.android.com/setup/build/building#obtaining-proprietary-binaries
To be fair, building COS also requires vendor files: https://copperhead.co/android/docs/building#extracting-vendor-files-for-nexus-and-pixel-devices
See previous posts on the topic along with documentation on the website, Google Camera is not supported and will most likely never be supported on the CopperheadOS platform.
https://copperhead.co/android/docs/usage_guide#advanced-camera-features
Yeah, that's not supported and is too far away from what we support.
Only devices launched with Android 8.0+ can be realistically supported (due to Treble). We have strict security requirements for officially supported devices but that doesn't really impact ease of porting.
As per the Usage Guide:
> Avoid Gecko-based browsers like Firefox. They’re significantly less secure and are among the few apps not able to benefit from the full set of CopperheadOS hardening features due to shipping their own linker and custom JIT compiler within the app process. The WebView is inherently Chromium-based so using Gecko also means exposing the attack surface of two browser engines rather than one. Firefox Focus currently uses the system WebView rather than Gecko but Mozilla plans to change that.
If you want to make modifications to CopperheadOS you need to do the full process in https://copperhead.co/android/docs/building for each update. You aren't going to get the answer you want. It will break.
> Oh, I thought AOSP had google services in it natively.
No, it doesn't.
> Because in that case I think I'll just go with an AOSP rom and those apps.
It still needs to be Oreo to have security updates.
> Do you know if there are any installable zips with the copperhead default apps. With F-Droid and Silence and all that? Because in that case I think I'll just go with an AOSP rom and those apps.
CopperheadOS isn't a set of apps. You can't get the privacy and security features elsewhere. The bundled apps aren't particularly relevant to what it is.
Maps.me has been awesome. The Copperhead User Guide suggests it and links the APK. Just make sure to download the map with routing and you should be set.
https://github.com/mapsme/api-android https://copperhead.co/android/docs/usage_guide#maps
Hey thanks I appreciate this.
So essentially only apps that have access to the camera and microphone can actually turn these on? Some apps, like the contacts app, have been asking permission for my location and calendar; I'm not sure why they're asking for such, so I've just been denying it every time.
I may have simply misunderstood about the firewall thing. I showed my technical understanding friend this:
https://copperhead.co/android/
Which says this:
Firewall & network hardening Along with improvements like MAC randomization
The license is clearly marked at https://copperhead.co/android/downloads. No one is being misled. By misrepresenting what's going on, you're only further distancing us from caring about what entitled people think about this. The door is being closed by people like yourself, only willing to complain rather than doing any work or making it sustainable to use a FOSS license. It wasn't us that sat there not doing anything for the 2 years that the project was FOSS.
> well, not really since it was never explained
Firefox is significantly less secure than Chromium. Browsers based on the Chromium WebView are more hardened than Firefox, but not as much as the standalone Chromium app or browsers based on that. There's a section on Chromium in the documentation.
> For example, it supports only Google search and does not let you change the default search engine to anything else.
That's not true. It doesn't have a great selection of search engines but it does have choices and we can add more of those. The default is also something that can be changed. Disabling location-based search by default is already planned.
> That's a rather disappointing letdown for an Android distro touting security and (implied) separation from those who want to watch you.
It would be unreasonable to use a browser not based on Chromium in a hardened OS.
> It's basically a wrapper for Android WebView
The WebView is Chromium, albeit with an inferior sandbox. It's built from the same source tree and is mostly the same thing. It will even be the same build / apk once MonochromePublic.apk is ready to replace the split SystemWebView.apk + ChromeModernPublic.apk that we use today.
> Incognito mode
Supported in Chromium.
> Adblocking
It supports it poorly, apparently based on domain filtering via one hard-wired list. There's nothing preventing a good implementation of content filtering in Chromium supporting the usual lists based primarily on CSS selectors with support for element hiding.
> Support for proxying through Tor, I2P, or custom/other proxies
Application support isn't required for that. I don't think it makes sense to expect each app to support this, rather than doing it generically.
I think it depends how much that particular app relies on play services. Some apps may lose some functionality, but the majority of the app might work, while others will just not run.
Also, this is another option to get APKs. It's similar to Yalp, except it can pull from APKMirror as well, which is decently reputable, and other sources if you wish. It uses the same API to talk to the Play Store as the Yalp app. Yalp is designed for older devices, and this app is a little more modern looking.
Thanks for the update, glad to hear there's at least a temporary solution. I would be willing to volunteer to sysadmin a VPS instance running gitlab (after demonstrating my ability to do so first before you'd make the move), and would have no problem giving y'all sysadmin privileges on the VPS & in the gitlab instance. Given the target audience for this OS, and its ambitions, I'm not sure it's the best solution, but it would help remove artificial limitations imposed by the Git*.com folks.
It's just an idea, so don't kill me if you think it's terrible :)
You might like: https://f-droid.org/packages/chromiumupdater.bamless.com.chromiumsweupdater/
Info and links on the F-Droid app page. Links to GitHub of unofficial build - has adblock built in.
Caveat emptor and all that.
You didn't mention what type of network share you have but assuming it's smb/cifs (as is most commonly so), I know that Amaze File Manager has support for it. I use it for accessing my network share and haven't had any issues. It has a nice material design interface as well.
I know you said you were defeated by pass and GPG, but just in case others are curious for keepass alternatives... I use pass on all my systems, and use Password Store to sync to my device.
Hey /u/DanielMicay
I think this stuff is great engineering but we're almost making too much progress on that side but too little (zero?) on the side of keeping things out of sight.
What am I saying here? Key Disclosure Law. There are like 3 countries [1] in the entire world where you won't find yourself in medium/high legal trouble if you don't disclose your encryption key when politely asked. Today the best thing to do when you cross borders is wipe all your devices clean before you cross, then download your backup and setup everything back once crossed. Guarantee you Lineage plus this method is more secure in real life conditions than crossing the UK/US/AUS/... border with a Pixel 3 Google factory image or AOSP.
And this is only half the problem, the other half is the $5 wrench attack. Pixel 3 security won't do none to help here either.
It's really the elephant in the room in the netsec field: (almost) nobody talks about it, yet it's the weakest POF.
At least hardware Crypto wallets get it, both Trezor and Ledger have implemented plausible deniability in there - it should be the absolute strict minimum as a security, but it's really nowhere to be found aside from on those devices.
Anyway: thanks for all your awesome work, I wish I'd have half your skills.
Everything works fine...I mean I never used the updater as I've always built myself out of paranoia.
I patched mine for MicroG, but even so, I just followed the guide for building copperhead. It's similar to building Lineage or others, except for a few special steps...
Basically, follow these and replace the references to the copperhead github repos with the androidhardening one above:
Messaging is one of the user-facing apps that isn't maintained anymore. Note that it's listed in https://copperhead.co/android/docs/usage_guide#built-in-user-facing-apps.
The Dialer app is fully maintained in AOSP and matches Google Dialer. As far as I know, Messaging is something they wrote specifically for AOSP so it would have an SMS app. I think it replaced an older AOSP SMS client. I don't think the stock OS ever used Messaging or something based on it. Look at when it started:
Call blocking is a fairly recent (Nougat?) OS level feature. Blocked contacts in Messaging might just be something implemented in the Messaging app, I don't know.
The claim that there was a regression for MAC address randomization on the Nexus 6P is untrue. The robust scanning MAC randomization is a firmware / hardware / driver feature and we cannot implement it for devices without it. You'll notice the feature is listed in our minimum requirements for new hardware: https://copperhead.co/android/docs/devices#minimum-requirements-for-copperheados-support.
Our implementation of associated MAC randomization used to be hardware-independent for the Nexus 5 and Galaxy S4, but the drivers broke the way we were approaching it after that era. It never worked until we made a specialized implementation built into the qcacld-2.0 driver on Pixel phones and then the qcacld-3.0 driver on the Pixel 2 (XL). From the table, you can see that we don't actually have as good of an implementation on the Pixel 2 (XL) yet.
Once Android P (9.0) is released and we migrate to it, we're going to be able to switch both generations of Pixel phones over to a better form of associated MAC randomization thanks to infrastructure improvements. The default will be randomizing the MAC whenever connecting to a network, with the fallback option of per-network MAC randomization where it saves and reuses the MAC address for known networks. That will cover most use cases without needing to fully disable it (there will be 3 states).
It's incredibly disrespectful to dismiss all of the research and hard work we put into designing, implementing and testing features like this. If we could simply choose to have the same features across all devices, it would already be that way. However, we don't make the hardware or Wi-Fi firmware so there are some things we can't do and we also have very limited resources so we can't get everything done that could be done in software.
I have posted this elsewhere too... I ran into another issue with Chromium.
I followed this exactly - https://copperhead.co/android/docs/building#chromium-and-webview
'The apk needs to be copied from out/Default/apks/MonochromePublic.apk into the Android source tree at external/chromium/prebuilt/arm64/MonochromePublic.apk'
I did build 'MonochromePublic.apk' and placed it in $Home/copperheados-${build_tag}/external/chromium/prebuilt/arm64/
However, I don't see the Chromium app after flashing the OS to my phone.
Can someone explain to me what I am doing wrong here?
PS - (I'm kinda noob, though I managed to build Chromium and CopperheadOS and was able to flash it to my device...) I did patch Chromium with Copperhead patches.
Mi A1 doesn't meet our requirements:
https://copperhead.co/android/docs/devices#minimum-requirements-for-copperheados-support
It will eventually be possible to support other devices, but only devices launched with Android 8.0+ where the device vendor adds support for verified boot for other operating systems. It would be very helpful if that was required for devices supporting unlocking...
They already had to rebuild it to redistribute Chromium:
https://copperhead.co/android/docs/building#redistribution
They also have to build Clang / LLVM.
That will remain true for derivatives even if we change the license, since they need to respect the CopperheadOS trademark, etc.
This should work on CopperheadOS now. It can be installed via Yalp Store for now until there's an F-Droid package.
https://copperhead.co/android/docs/usage_guide#installing-apps-from-the-play-store
That's not even the stable release of Chromium, let alone our modified version. It must be built into the operating system since it provides the WebView too...
Read https://copperhead.co/android/docs/usage_guide#browsing.
https://copperhead.co/android/store
> Major Android version upgrades and full security updates are guaranteed until at least October 2020 (3 years). It will remain supported beyond that date to a lesser extent.
I don't really see the point of updating Chromium without updating the rest of the OS, although updating the OS past the vendor EOL is also going to become somewhat pointless.
Yalp. Most apps are available through Yalp (available in F-Droid). Some apps claim they require Google Play Services (Authy, ProtonMail) but will work fine with some reduced functionality (warning message, no notifications).
The official documentation gives a great overview of some of these issues as well: https://copperhead.co/android/docs/usage_guide
As mentioned, CopperheadOS can be purchased from our online store. A Blackphone is no comparison to CopperheadOS in terms of security (we rapidly patch vulnerabilities, implement advanced exploit mitigation techniques and stay on top of the latest security threats) and privacy (Blackphone is completely Google enabled).
The end-of-life date after which point full security updates aren't possible is November 2018:
https://copperhead.co/android/docs/devices#support-status
After that point, it would only be feasible to continue applying AOSP security patches, etc.
Nexus 5X and 6P also aren't at all on par with the security provided by the current generation devices. Pixels have substantially better firmware / hardware security features.
The Nexus phones aren't receiving Android P (9.0) so they won't be running current generation CopperheadOS after August. They'll be supported via a legacy maintenance branch and won't get any new features, only continued bug fixes / security fixes.
It's very late into the lifecycle of Nexus phones to be buying them.
Nexus 5X and 6P also have serious hardware reliability issues. Nexus 6P has very high failure rates for the battery, which is much more difficult to replace than the battery in most phones. Nexus 5X has much more severe hardware reliability issues where it completely stops working due to parts becoming detached from heat / stress and the poor build quality.
If you're fine with only receiving improvements until August 2018 and then security updates until November 2018, buying a Nexus 6P and replacing the battery could be fine. Other than the battery issue, the 6P is fairly reliable. Even if you can get a Nexus 5X for free, it isn't necessarily a good idea to use it unless you're okay with a 50% chance of it dying before the end of the year.
> They are free of bloatware and come unlocked meaning they are ideal candidates for mods and roms
They're far from supporting our basic security requirements: https://copperhead.co/android/docs/devices#minimum-requirements-for-copperheados-support.
> I really want to use CopperheadOS but there is no compiled ROM available. Would it be possible to request this please? I am willing to donate crypto for this..
Those devices don't have Treble so they fundamentally can't run AOSP or CopperheadOS without turning it into a completely different OS.
They don't support locking the bootloader and using verified boot with an OS like CopperheadOS either, along with missing a lot of our other security features.
It's unlikely they'll release a device meeting our requirements. Security is low on their list of priorities and firmware, hardware and device-specific OS code all play a big role in the overall security of a phone. It isn't only about the OS.
Apples and oranges.
LOS's goal is broad device support. Copperhead's objective is security and privacy.
First, it's important to realise this distinction. This will make digesting the experience way easier ;). Look at all the apps you use from Google Play and think about just how useful they really are: you may be surprised to find that all of those apps you think you need aren't actually that useful! Alternatively, you can look for similar functionality apps on the F-Droid store. Location services works and ChromeCast works (tested on P2 and P1).
I'd recommend against buying a Pixel 1 as finding CopperheadOS for it will be difficult - you can either build it yourself, or acquire it from one of our regional distributors. Best case scenario, you buy a Pixel 2 from us.
The Pixel Visual Core works on CopperheadOS for apps supporting it. The quality of a picture taken in the same app on stock and CopperheadOS is the same.
https://copperhead.co/android/docs/usage_guide#advanced-camera-features
> On the Pixel 2 and Pixel 2 XL, HDR+ via the Pixel Visual Core is available to apps on CopperheadOS with support for it. Unfortunately, the AOSP Camera app doesn’t currently support it.
It's not yet very stable though. It likely has issues with the memory corruption mitigations which will need to be worked out to avoid the chance of taking a picture screwing it up until reboot. Progress on resolving all of the known memory corruption bugs in Android that are uncovered by our mitigations is very slow.
For those reading along, I would like to add that, if you own a Copperhead Pixel 2 device, and are even remotely curious about the integrity or validity of the OS, you should absolutely download the Auditor app.
More info can be found here: https://copperhead.co/android/docs/auditor_privacy_policy
And here: https://copperhead.co/android/docs/usage_guide#verified-boot-attestation-pixel-2-and-later
The minimum guarantees for full security updates are listed in https://copperhead.co/android/docs/devices#support-status with this note:
> CopperheadOS can continue OS updates past end-of-life for a long time but full security updates require continued releases of the firmware for components like the baseband, WiFi, TrustZone, etc.
We'll continue support for Pixels for longer but we don't know what form that will take yet. It's not clear how long full security updates will be possible anyway, only the minimum guarantee.
Is your bootloader updated? Are you following the documentation at https://copperhead.co/android/docs/install ?
Here is a thread from about a month ago that might be helpful: https://www.reddit.com/r/copperheados/comments/824jt1
I bought a Pixel2 XL yesterday- your docs are... misleading: https://copperhead.co/android/docs/devices It's not my daily driver yet because of this lack of support so I'm happy to use it as a guinea pig to test/QA builds and provide logs/dumps/feedback if you'd like- my day job involves big iron more than SOC stuff but I could also spin up a decently-sized AOSP build env and give you remote access if you'd like :)
Back up your personal data (photos, music, videos, documents...) first. To do so, connect the phone to a PC and copy the data to the PC. It will take a lot of time (depending on how many files you have on your phone). You will find more info at https://copperhead.co/android/docs/install
We'll only support devices where full security updates are possible (i.e. firmware and drivers are maintained) and that are up to the security standards.
https://copperhead.co/android/docs/devices
Either way, we don't simply give away the official builds anymore.
So the WebView works for you which means it's probably specific to the Email app, in which case I recommend using something else since it's one of the near unmaintained legacy AOSP apps:
https://copperhead.co/android/docs/usage_guide#built-in-user-facing-apps
The update server for the Nexus 5X / 6P is completely overloaded so it couldn't even serve the metadata requests for https://copperhead.co/android/downloads yesterday. It's not sustainable.
You might have done something to prevent updates from working but the update server is known to be very slow.
Pixels don't have this issue since they don't have massive load from users using the official releases for free along with many companies illegally flashing and selling thousands of devices with them.
There's a reason we've kept Nexus devices on a completely separate server despite it being quite possible to have them on the same one. Our customers shouldn't suffer because of our past mistake of releasing official builds for free.
No, it's not supported as mentioned in https://copperhead.co/android/store. Sprint requires a remote administration backdoor suite (https://en.wikipedia.org/wiki/OMA_Device_Management) which we aren't including.
> Is it any less secure buying and flashing my own Nexus 5X instead of buying a phone with Copperhead OS pre-installed?
Nexus 5X is less secure than a Pixel and support ends in 2018.
This is discussed in the User Guide. https://copperhead.co/android/docs/usage_guide#messaging
I was using Signal before switching to COS but with the battery problem I've stuck with the stock Silence messenger. It leaves a weird signature on the end of incoming texts and MMS seems to be broken but it could be an easy fix.
It doesn't meet our security requirements:
https://copperhead.co/android/docs/devices
It isn't supported by the Android Open Source Project and doesn't support Treble either. I don't think it even has Oreo support yet.
> Only change to build i did was to add the vendor image before building.
You're not supposed to add the vendor image. The build instructions cover generating the vendor files: https://copperhead.co/android/docs/building.
As part of the Oreo update, the Nexus 5X and Pixels get a substantially better form of scanning MAC randomization: https://copperhead.co/android/docs/devices#wifi-driver--firmware. Scanning MAC randomization is always enabled so there's no toggle for it.
Associated MAC randomization will eventually be implemented for the Nexus 5X and Pixels but it needs to be done differently than it was on the Nexus 5 and Nexus 9.
I strongly recommend not relying on trust of the cellular network. You should use encrypted messaging and calls. I don't see the value prospect in adding attack surface / complexity to detect mobile network interception. There's no reason to trust the carrier and their infrastructure. Similarly, why block silent / flash SMS? It would give a false sense of security as it doesn't really accomplish anything. Even if sending an SMS was required for some form of tracking, which it isn't, disguising it as spam would be a trivial workaround if blocking / detecting of silent / flash SMS was deployed.
You can use our LTE only feature if you want to reduce attack surface. Even though it isn't a goal of the feature, it will defeat IMSI catchers based on 2G / 3G that rely on forcing downgrades from LTE. LTE has basic authentication / encryption for the mobile network but it's still flawed. Perhaps 5G will be better and there can eventually be a 5G only mode, but there isn't that much value in securing the connection to the mobile network since the carrier and their infrastructure privacy/security is still inherently trusted if you're relying on that.
Our view of these features is that it's little more than security theatre. The meaningful approach is reducing attack surface and using encryption for everything, even if it's only at the transport layer like HTTPS as opposed to end-to-end encryption like Signal texts / calls.
https://copperhead.co/android/docs/usage_guide#browsing
Nothing will break if you use Firefox as your main browser instead. You can't disable Chromium. Any app using the WebView to display web content is using Chromium. That even applies to Mozilla's Firefox Focus / Firefox Klar browser which is currently just a thin wrapper around Chromium like other WebView-based browsers.
If you don't have working VoLTE, traditional voice calls won't work with the LTE only mode. See https://copperhead.co/android/docs/usage_guide#lte-only-mode.
I think Rogers has VoLTE, but VoLTE doesn't work for us right now. Help is needed to improve carrier compatibility.
https://copperhead.co/android/docs/usage_guide is expanding over time and it's worth reading through it and checking up on it once every few months. It needs to be expanded to mention the new Quick Settings changes and other user-facing features that are only documented in the Technical Overview or not at all yet.
Toggle on https://copperhead.co/android/docs/usage_guide#background-clipboard-access for the time being. There may be compatibility issues with it that could be worked around without needing to toggle it, but I don't have time to do everything myself.
For what it's worth, I'm seeing this same issue on my Nexus 5X. The download seems to hang after about 518MB from my phone using the updater or a web browser (downloading the update zip from https://update.copperhead.co/builds/bullhead-ota_update-2017.07.23.16.40.26.zip using both Chromium and Firefox Nightly), but downloading from the website using a browser on a laptop or wget work fine. My 5X is currently running the 2017.06.29.02.31.13 update, and the issue is present across multiple WiFi networks and using cellular data.
Edit: Following the sideloading instructions worked fine for me. I'll report back here if the issue persists with the next update.
I'm in the same situation. I built the factory image with my own keys, flashed it and locked the bootloader again.
How do I build "each update"? Here's how I understood to do it:
make clobber
repo init -u https://github.com/CopperheadOS/platform_manifest.git -b refs/tags/N2G48B.2017.07.18.08.53.56
repo sync
make target-files-package -j20
make -j20 brillo_update_payload
script/release.sh sailfish
This will generate sailfish-ota_update-$BUILD_NUMBER.zip
and I just side load this via adb as described here https://copperhead.co/android/docs/install ?
make clobber did the trick. Now CopperheadOS boots fine after flashing.
I just learned about make clobber today. I always used rm -rf out/ before to start over again, but it seems like this caused the messed-up build and make clobber does more than just simply removing the out/ directory. Might be helpful for others to add a note to https://copperhead.co/android/docs/building to use make clobber in case something went wrong and you need to start over again.
> It seems to me that Copperhead is more secure since it has features such as verified boot and MAC address randomization.
See https://copperhead.co/android/docs/technical_overview for details on the privacy / security features in CopperheadOS.
> I am wondering how it and Copperhead compare.
There's not much in common beyond the Android Open Source Project base. They don't support any devices where it's possible to patch all of the public security vulnerabilities and I think they would choose not to update firmware anyway. CopperheadOS is pragmatic. Open source software is not inherently more secure and shipping updates for proprietary code including security fixes is important. It would be nice if there were fewer blobs so we could apply compiler hardening to more and fix encountered bugs earlier, but beyond that it doesn't really matter. It's not a black box since the assembly can be audited but it's too painful to apply patches.
I'm not interested in a licensing discussion especially with a biased take on "freedom" where BSD licensing is not considered 'more free' than GPL and the line is drawn at whatever restrictions the current version of the GPL imposes. GPLv3 would have been considered non-free in the GPLv2 era...
From https://copperhead.co/android/docs/building
The factory images and update package will be in out/release-marlin-$BUILD_NUMBER.
From https://copperhead.co/android/docs/install
tar xvf sailfish-factory-2017.04.27.21.03.07.tar.xz
cd sailfish-n2g47j
./flash-all.sh
See the anti-theft protection column in this table though: https://copperhead.co/android/docs/devices#bootloader-firmware. LG deviated from the proper design for Google devices for the Nexus 5X. They also don't have a serial debugging toggle, although the Nexus 6P implementation isn't tied to lock state anyway.
There is also the compiling.
I'd guess that most versions of chromium are compiled as plainly as possible - the objective being broad compatibility on multiple platforms.
IIUC, CHOS has paid a LOT of attention to compiler options (e.g. memory protections, tool chains, etc.) as well as which compiler to use itself. Likely both the OS and chromium are compiled together, able to use leading edge configurations designed for security as well as stability. <https://copperhead.co/android/>
Depends upon the "value" of your messages (or consequences if compromised). IMHO use the best app available, and use a "lesser" app depending upon your correspondent. The best guideline I've seen for picking and choosing "best app" is described here https://copperhead.co/android/docs/usage_guide (it just happens to have been authored by CHOS).
Greets, UserNameWasTaken
*1. Ditto Hatperigee - do not install TWRP, as it requires rooting and therefore becomes a vulnerability. The official guide is quite good.
*2. Messaging. This is covered extremely well in the use guide: https://copperhead.co/android/docs/usage_guide
A sample from this guide follows:
".....Recommended messaging app preference list:
- Conversations + OMEMO
- Conversations + OTR to communicate with users on XMPP clients without OMEMO
- Noise to communicate with Signal users
- Silence encrypted SMS to communicate with Android users without data connections
- Other apps with end-to-end encryption if you can’t convince contacts to install one of the above (Wire, WhatsApp, etc.)
- Apps with transport encryption without end-to-end encryption
- Unencrypted SMS or apps without transport encryption..."
*3. Take a look at the post "Is there a beginner's guide on CopperheadOS or how to install it? "
You need to use an up-to-date official adb from Google. The documentation in https://copperhead.co/android/docs/install about adb / fastboot applies to things like backups too. It can't be relied upon if it's out-of-date or unofficial.
In general we only sell within North America using the North America model as per https://copperhead.co/android/buy. Case-by-case exceptions can be made in terms of shipping and the phone model but normally it will just be a North America model with the smaller storage option. I don't know about this specific order since I'm not involved in sales / shipping. /u/darknetj should be around later but it would be better to email.
Where did you confirm that it's the international version? By email?
> Earlier posts here suggest that Chromium (aosp) has been compiled with hardening options for security - and additionally "cleaned up" by COS so as to enhance privacy. Do I have that right?
See https://copperhead.co/android/docs/technical_overview#chromium--webview.
> Also, is the same true for "Email" and perhaps other apps?
No. Only Chromium. Most of the standard AOSP user facing apps are obsolete/unmaintained and will likely be removed eventually (particularly Calendar, Email and Music). Chromium is our replacement for the sample AOSP browser.
> I'm guessing it is not true for "Silence" - a 3rd-party app!?
There are no modifications to Silence. It's our build of it without modifications.
I don't really know whether CopperheadOS integrates the patches needed to make it work (due to signature reasons), but µg provides an alternative to the Play Store client as well as various other free and open replacements for parts of the Play Services.
First of all, thanks for your answer.
>Sounds like an interesting feature to work on. I don't know exactly what it would look like, so the first step would be someone clearly laying out a design, receiving feedback and then beginning an implementation.
I found this: https://android.googlesource.com/platform/external/iptables/+/jb-mr1.1-dev-plus-aosp/iptables/
If it is interesting I can try to make a GUI for it
and AFWall+ is one of the realizations for https://github.com/ukanth/afwall/wiki/IPtables
I figured this out finally. It was a really simple fix. tl;dr make sure your fastboot is up to date.
I followed the official documentation and when I ran
which fastboot
it returned
$ /usr/bin/fastboot
Turns out that was an out of date fastboot. I followed the official android documentation to install android-studio and updated it. Then, because I'm a bit of a n00b I used
sudo nautilus
and navigated to home/Android/platform-tools, copied the fastboot there and then went to /usr/bin and deleted fastboot from there and pasted the new one. Then I just followed the instructions and everything worked.
Also, when sideloading the update I ran into problems. I had to rename the update file to update.zip and that seemed to work. Now that I have everything up and running I'm going to contribute financially to the project.
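The situation in the post above, where an older fastboot earlier on PATH is the copy that actually runs, can be detected before flashing. This is an added example, not part of the original post or the CopperheadOS documentation; the stub scripts and their version strings are constructed, and the platform-tools directory passed to check_active_tool is an assumption about where the SDK copy was unpacked.

```shell
#!/bin/sh
# Added example: find out which fastboot the shell really runs.

# Print every executable called $1 on PATH, in lookup order (first line wins).
# Runs in a subshell so the IFS / noglob changes do not leak to the caller.
find_on_path() (
    name=$1
    IFS=:
    set -f
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
)

# Print "<path><TAB><first line of --version>" for every copy found.
tool_versions() {
    find_on_path "$1" | while IFS= read -r bin; do
        ver=$("$bin" --version 2>/dev/null </dev/null | head -n 1)
        printf '%s\t%s\n' "$bin" "${ver:-unknown}"
    done
}

# Return 0 only if the copy that would run lives in $2 (assumed SDK directory);
# 1 if another copy shadows it, 2 if the tool is not on PATH at all.
check_active_tool() {
    name=$1
    want_dir=${2%/}
    active=$(find_on_path "$name" | head -n 1)
    if [ -z "$active" ]; then
        echo "$name: not found on PATH" >&2
        return 2
    fi
    if [ "$(dirname "$active")" != "$want_dir" ]; then
        echo "$name: $active shadows $want_dir/$name" >&2
        return 1
    fi
    return 0
}

# Constructed fixture: a stub "fastboot" in directory $1 reporting version $2.
make_stub() {
    mkdir -p "$1"
    printf '#!/bin/sh\necho "fastboot version %s"\n' "$2" > "$1/fastboot"
    chmod +x "$1/fastboot"
}

# Constructed demo: a stale distro copy listed before the SDK copy.
demo() {
    tmp=$(mktemp -d)
    make_stub "$tmp/usr/bin" "0.0.0-constructed-old"
    make_stub "$tmp/platform-tools" "9.9.9-constructed-new"
    ( PATH="$tmp/usr/bin:$tmp/platform-tools:$PATH"; tool_versions fastboot )
    if ( PATH="$tmp/usr/bin:$tmp/platform-tools:$PATH"
         check_active_tool fastboot "$tmp/platform-tools" ); then
        echo "active fastboot is the SDK copy"
    else
        echo "active fastboot is NOT the SDK copy"
    fi
    rm -rf "$tmp"
}
demo
```

Putting the platform-tools directory ahead of /usr/bin in PATH makes the check pass without touching the distro package's files.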
Believe it or not... the majority of Copperhead work is actually ported from other projects (OpenBSD, PaX, grsecurity, etc.) and applies to only a very narrow threat category: memory corruption attacks. We perform lots of "real security R&D" and have funded many audits, including the only cryptographic audit of OMEMO. In fact, we worked closely funding the developers of OMEMO before it was even called OMEMO.
Armadillo Phone is the only phone with deniable block-level encryption. We've integrated multiple passwords (secure password, decoy password, wipe password) directly into Android. We also use hardened SCRYPT parameters that mitigate "chip-off" attacks, as our password generation is hardened and it's done completely in software. I could continue listing the nuances between the applications you listed (we use pinned TLS 1.2 connections, video calling, randomized subjects etc.) but you seem to be dismissive about the "apps and gimmicks we can do for ourselves". We've pioneered commercial mobile hardware security by physically inspecting phones, disassembling them and removing sensors. Armadillo Phone also invented the concept of using pre-packaged wireless anti-theft beacons to physically secure devices.
If you want to build a patchwork "secure phone" by stitching together various off-the-shelf parts, that's great but it will probably work a lot worse than you think and expose yourself to extra attack surface. Not to mention be difficult to use. Armadillo Phone is a reliable turnkey solution you simply give to a user, and they can use it anywhere in the world without having to worry about installing apps, changing SIM cards, roaming fees or pressing the wrong button and compromising your security.
I admit I was probably wrong to think that it wasn't any more secure than OTR besides the usability features it introduces, but I got that impression from their proposed XEP document.
Can you elaborate on why it's more secure?
Works great. Thank you! Since last month I really have nothing to complain about, as even my phone call drops are gone... They probably fixed something in AOSP for the Netherlands (couldn't find it in the release notes), because my signal is way better.
Also it seems the OTA recovery failure is now fixed in AOSP: 'Improves recovery in the instance of OTA update failure'. This was probably my problem 2 months ago.. (The shop finally decided to replace the Pixel 3 XL, so now I got a spare one for testing)
Oh, and I really don't notice any speed or compatibility issues with androidhardening other than my ProtonVPN that crashes when I try to connect.. (not a real issue for me)
Thanks everyone for all the comments! Definitely learning a lot. Does anyone have a guide or recommendation on the most secure settings to be used by openvpn (current setup is TCP with NordVPN)? I'm running orbot as well, which as far as I can tell is being forced via VPN by having "always active VPN / block connections without VPN" set under network & internet settings: if I purposely supply wrong credentials to openvpn, orbot has no ability to connect.
Reason I'm asking this question is that under network & internet > data usage > Mobile data usage it's showing the individual app usage, and I would have assumed openvpn usage would be the only one listed as all data should be forced through it. The only app data usage hidden is for those using Tor hidden services, so the usage is allocated to orbot.
Any extra info / suggestions would be appreciated
Like you I am also primarily concerned about tracking and intrusive data collection and I feel Copperhead is a pretty good basis for that.
What I am doing is this:
1) connecting through a VPN I trust (AirVPN). Care to elaborate why you think this is unreliable? Yes it might leak at boot time but I feel this does not substantially compromise what I want out of it - browse the web with some basic IP obfuscation as a first layer of privacy (complemented by 2)-4) below) and shut out my telco from snooping around in my browsing habits.
2) using Firefox with a set of privacy related extensions (ublock, httpseverywhere, canvasblocker, self-destructing cookies and random agent spoofer which also has some more settings to minimise browser fingerprinting)
3) signal for encrypted sms, linphone for encrypted VoIP, K9 with APGP for encrypted email
4) email over my own domain and nextcloud for carddav and caldav syncing
5) not breaking CopperheadOS by rooting it, side loading stuff or other things that I suppose strncat has not included for a reason.
Well, as I implied, I don't really like the design of the feature much and would rather improve the convenience of user profiles along with exposing useful existing functionality for locking down user profiles that's just not exposed via the UI.
https://developer.android.com/reference/android/os/UserManager.html
Android for Work is a bit odd, and I don't really understand the design goals. It's usable for things other than BYOD though. For example, https://play.google.com/store/apps/details?id=com.oasisfeng.island is just a thin wrapper around Android for Work, which is exposed via the device management API. It's not really a great fit for what they're doing. I like what user profiles do much more, and they enforce things like a user profile not being able to record audio in the background already without us doing anything.
> Waze (or Google maps in browser maybe? I really need good nav)
Google Maps in a browser intentionally doesn't provide turn-by-turn navigation to force people to use the app.
maps.me is the best option. It's not in F-Droid because they don't want other people using the server where they host the maps, but they make an apk available and offer an option to disable the analytics. OSMAnd has an awful UX but works... and is in F-Droid.
> Snapchat
It won't work on an aftermarket OS since it requires SafetyNet. Need to use alternatives unless you want to make your own OS builds with heavily integrated Play Services, likely some features disabled and fight the endless battle of trying to bypass SafetyNet. Bypassing SafetyNet isn't going to work for a long time before they break the bypass. Not something you can rely on.
> * Plex (with casting)
> * Netflix (with casting)
Netflix started requiring SafetyNet to install it from the Play Store so real SafetyNet integration on their streaming servers is likely coming. No point in working around the initial SafetyNet block by downloading the apk elsewhere when integration within the app / servers is likely coming.
Chromecast is part of Play Services so that isn't available. There are likely alternatives but nothing is integrated / enabled. There was no interest from the community in taking over real maintenance of WiFi display, and no one has put together the hacks required to simply get it working without maintenance for CopperheadOS.
The Plex app likely works without Play and is on the Amazon App Store.
https://www.amazon.com/Plex-Inc/dp/B004Y1WCDE
> Hangouts (this is a big one)
That's very unlikely to work without Play Services. You would need to use Wire, Signal, WhatsApp or other alternatives that aren't strongly tied to the Google ecosystem since they tie everything to Play Services.
BubbleUPnP (https://play.google.com/store/apps/details?id=com.bubblesoft.android.bubbleupnp) will cast to a Chromecast without Play Services, so it works on CopperheadOS.
It won't let you cast Netflix for example, but it does work for local files and things like Youtube.
You can get the free version using Yalp or on APKMirror, but the only (legal) way to get the pro version without Play Services is by buying it on the Amazon App Store.