Looks like they're taking in some of Copperhead OS' contributions. That's the Daniel Micay guy they mentioned.
Notice he contributes stuff back to AOSP upstream. They're not stealing his work if that's what you think. Apparently he's just a cool dude.
To anyone else reading this, CopperheadOS is Android OS but hardened with more security. It has backport fixes that are faster than the Android security update patches you get monthly.
Yup, they are tied to CM, thus at the community's whim. Their latest builds are CM 12.1 and considered "very early" builds.
Why would they go out and bash BB when they are in the same position? It's incredibly unprofessional.
"B-BUT THAT MEANS THEY HAVE TO MAKE ENCRYPTION ILLEGAL, THEY DON'T UNDERSTAND AT ALL WHAT THAT MEANS"
... I told you from the start that they would not go down this route. And now look at which instruments were named. You will search in vain for a WhatsApp backdoor or a "master key for E2E encryption" (rofl).
So to my understanding this is going to be a community supported version / fork of CyanogenMod, without paid devs. This ultimately will mean that they'll have much fewer resources supporting various devices. That IMHO puts a damper on the #1 thing that CyanogenMod was good at: Device support.
So for those who don't mind the amount of devices supported and are interested in a security-oriented fork of AOSP, I would suggest you try CopperheadOS, as it's backed by a team of infosec devs and part of the Guardian Project.
Copperhead OS is a privacy focused, open source ROM. It doesn't use Google Play services, so no Google Play Store. Instead they use the open source app store called F-Droid.
They don't have support for most Android devices but they do sell phones like the Google Pixel and Pixel XL with it already installed. They support the Nexus 9, Nexus 5X and Nexus 6P.
https://copperhead.co/android/
It's a hardened custom ROM that's directly based on AOSP and is aimed to be stable, bugfree and more secure than Stock. It's only available for a handful of Nexus devices (Nexus 5, Nexus 9, Nexus 5X and Nexus 6P) but Copperhead provides support for them as long as Google does, so major version updates for at least two years after launch & security updates for three years after launch along with 1.5 years after the last device is sold. The sources for Copperhead are also available on GitHub.
Although the ROM itself is available as a free download for all devices, donations are welcome and devices with CopperheadOS preinstalled can be bought from their website (for non technical users or just to support them). Directly bought devices also include web-based support.
Here is a list of their changes/additions to AOSP, in case you're interested in the technical details: https://copperhead.co/android/docs/technical_overview
The aim isn't to improve all Android devices or to upstream everything. It's also mostly focused on other things than PaX and grsecurity ever since the stable patches became private but also because new features are a lot more useful over the long term than simply making short term device-specific ports of an existing project. A full grsecurity kernel along with other kernel hardening features is part of the long-term roadmap. See https://copperhead.co/android/docs/technical_overview for an overview of what it covers today (or the issue tracker for what's planned).
My problem with Copperhead OS is that it is not Free Libre Open Source Software.
> Commercial usage of CopperheadOS requires working out a licensing arrangement with Copperhead

From: https://copperhead.co/android/downloads
Given that Monero is money it is pretty hard to use Monero without engaging in "commercial" activity.
CopperheadOS is a custom, hardened ROM for hardware that meets specific criteria.
If you pick some random custom ROM and put it on some random hardware it's not nearly as secure.
See /r/CopperheadOS and https://copperhead.co/android/ for details.
This is making me take a harder look at https://copperhead.co/android/.
I picked up the first blackphone years ago and I've been happy with it (more or less) but it's definitely not something you can give to your non-techie spouse and say 'you should use this instead.' So I was hoping the blackphone 2 would present something smoother. But I've been on the fence with the purchase.
Unfortunately a while back Silent Circle started running into financial difficulty, some executive changes, and the updates on the Blackphone 1 stopped coming. Apparently their expectation was that I was going to drop close to a grand on their new phone -- they just stopped putting work into the first device.
All that started pushing me towards looking for alternatives like Copperhead OS. The idea that Silent Circle is bricking devices pretty much killed them for me. Those people that purchased the phones from non-authorized dealers are never going to get their cash back. No way. Bricking their devices is punishment and that's not how a security conscious OS development group should operate. Prevent them from using their servers -- sure. Don't allow those phones to update -- fine. But don't punish anyone.
On top of all that, if you want to understand your Blackphone's OS and how it works -- forget it. There's very little in the way of transparency and so you are effectively taking their work for granted. This is also a sore point in my book. Security is very much about transparency in many ways. If you don't understand how your OS works then you can't say confidently that it is secure. The Blackphone docs suck. Certainly the Copperhead people are more forthcoming about how they harden the thing and the way they incorporate ideas from OpenBSD is comforting.
Pretty sure Silent Circle just lost a customer here.
Thank you for your great work! Is it somehow possible to have a recurring donation?
I feel like donating, but I can't really afford to donate a lot at the same time and it's easy to forget to do it every month manually.
Also, everyone should check out their donate page.
>I don't care about government tracking
By the way, anyone with an IMSI-Catcher can also track you when you're using the cellular network. Not just the government.
>but google and apple tracking for example.
In this case, you should use Cyanogenmod or Copperhead OS on your phone without the Google apps (gapps). The lists of compatible phones are available on each website.
You can also use Replicant as already mentioned but you will need to use a very old phone and some features won't work at all with this option.
You could see if there's a version of Replicant for your phone. There's also CopperheadOS, but I don't know much about that project at all.
IMO CopperheadOS was never primarily focused on privacy, or software freedom --- most of its distinctive features were security hardening measures. See the list here:
https://copperhead.co/android/docs/technical_overview
I'm running LineageOS without Google Apps (F-Droid only) and it's basically fine. But from a privacy perspective, I think the most significant problems on mobile apply to all platforms more or less equally:
If you're open to installing a custom rom, I'd suggest CopperheadOS.
Technically still have binary blobs for things like the phone radio etc., which you realistically can't get rid of.
That sounds like marketing gibberish. I would want a lot more detail about how this security was being created/provided/maintained, and what the specs of the phone are before I could talk about price.
I would be more inclined to purchase an open-source-friendly phone from a well-known hardware manufacturer, and install a security/privacy-friendly OS such as Copperhead OS.
How much security can you give me for $200? For $500? For $800?
If you buy a Nexus 5X, man you are in for a surprise. There is a secure and really nice ROM for it, it's named CopperheadOS. I don't think it has any traces of Gapps in it. I wish I could afford a Nexus so I can use this ROM.
Here: https://copperhead.co/android/ .
If you are into privacy, I think a good option is to buy an Android smartphone and install Copperhead OS on it (Google-less Android focused on privacy) but keep in mind that now it only supports a handful of devices listed on their website https://copperhead.co/android/
There's a little-known option to donate monthly through Patreon. For me this is much easier than giving a one-off donation (and somehow more rewarding, as I'm helping to build a sustainable project)
Note to Copperhead crew: thanks for your work, and may I suggest adding links to the Patreon right next to the image download links?
If you did not buy your Pixel from CopperheadOS, you can download the source and build it yourself. The instructions are here.
Building it yourself is not terribly difficult, but it is also not trivial. You will need to get the Android build environment set up yourself. The instructions for this are not included in their online guide...it is assumed that you are capable of this yourself. They also release updates pretty frequently, so you will be rebuilding and flashing often.
If you do build it yourself and then go on to actually use it, you should consider a donation to these guys. This is more than just a reskin of stock android with a few extra features thrown in like most 'custom' ROMs. These guys are IT security professionals and invest a lot of time into this project.
I really like the idea of CopperheadOS, but I really don't want to buy a new device now that they'll only support for ~1yr (2yr for security updates). That comes across as being incredibly wasteful.
I currently use CyanogenMod on my 2 year old MotoX gen2, and will likely be able to keep using this device for at least another year (or more!) since the CM folks aren't dropping support for it yet.
From what I've read, it isn't clear what OS security enhancements Blackphone offers beyond app isolation through "spaces" and a more granular permissions model. A lot of their marketing focuses more on the secure default apps. And while that's always nice, it's not something that makes SilentOS stand out.
CopperheadOS is an open-source flashable ROM for Nexus devices with an emphasis on security. The dev offers OTAs (so you can re-lock the bootloader after installing), dm-verity support, and a number of hardening features covered in the documentation. I've been using it for a while and it's pretty stable. Be aware, though: performance impact is significant (my phone gets around 60-70 percent of stock performance in benches), and you'll have to build from source if you want root.
This is a change in software, which is great, I hope Apple's ingenuity spreads. However if you want a secure device you can't go past Google with copperheadOS.
>"The Pixel 2 has a dedicated security chip providing hardware enforcement of exponentially increasing delays for decryption attempts."
The combination of the two would be great
They are both "Android spins". Can't speak about privacy from Google with LineageOS, but Copperhead is known as the most secure/privacy-focused Android rom. Here's their technical overview.
The user-facing features are well-covered by https://copperhead.co/android/docs/usage_guide already. It also covers each of the bundled user-facing apps. It doesn't cover the under-the-hood features but those are documented elsewhere. I don't think there's anything more to do in terms of putting the resources out there for people.
I don't think having CopperheadOS incorrectly portrayed as being the Android Open Source Project with some differences in default apps is helpful. No one seems to care about the privacy and security features of the OS. Every review focuses on the bundled user-facing apps, which aren't really part of the OS.
The review misses the point like past ones. A real review would talk about CopperheadOS, as in the changes it makes compared to Android, not which apps it bundles or doesn't bundle. Instead, the reviews talk about AOSP and the default apps. They get basic facts wrong, give advice contradicting our usage guide, etc. I would expect a review to at least touch on some of the user-facing features of CopperheadOS and maybe gloss over the bulk of the work that isn't user-facing but they don't do that. It's very discouraging to have it repeatedly portrayed as if we're simply making production releases of AOSP with minor differences in bundled apps and selling that. That isn't CopperheadOS.
Essential is about stock Android so I think it is pretty much on par with Nexus and Pixel. If I was you, I would go for a phone that is supported with Copperhead OS (https://copperhead.co/android/downloads). This means Pixel lineup.
Essential is pretty cheap now and maybe it has LineageOS support?
I know CopperheadOS, but sadly it works basically on Nexus and Pixel devices. If you don't have those devices, a good option would be using an Android distro without GApps, like LineageOS without installing the GApps package; at least you will have an up-to-date Android. Hope this helped
*you could borrow movies offline, download music and play it locally, well TV is live so you need to be connected with something...
but feel free to keep asking questions
what have you been smoking?
I'm guessing you've never actually read through or used any of the COS code in question, nor even a basic read through the COS technical overview;
https://copperhead.co/android/docs/technical_overview
there is a world of difference in hardening between LineageOS and COS. the exec-based spawning + hardened allocator (alone) significantly harden the base system in COS... and that's only two features, look at all of the other features...LOS on the other hand isn't security minded and in some cases they have actually rolled back standard android security features, in other scenarios they forward-port insecure code to support old devices...
I'm not knocking LOS (I contributed code for klte/galaxy s5 kernel, back in CM days), but thinking LOS is as secure as COS is just crazy talk / very uninformed.
This. Stock android doesn't have (much) crapware and makes it pretty easy to disable more stuff.
The only other thing I'd consider is https://copperhead.co/android/ which is supposedly super-secure, but haven't had the need, so meh.
> Could you elaborate on that?
https://copperhead.co/android/docs/usage_guide#updates-on-pixel-and-pixel-xl-phones
> Will the user be prompted before installing an update?
No.
> Or will the phone just update on its own when I connect to my home wifi (when I'm potentially trying to do critical work or call 9/11)?
It doesn't disrupt what the user is doing. It downloads and installs at low priority in the background and then verifies that the new OS installation hashes to the correct values. Once it's successful, it generates a notification asking the user to reboot to use the updated version. The option was also added to opt-in to it automatically rebooting after updating once the device has been idle for a long time, so that it can remain updated even if the device is left unattended for a long time.
Currently working on implementing Direct Boot support so it can work before the device is unlocked for the first time after booting. If the user opts into automatically rebooting when idle, it will be able to keep itself updated without user intervention. It's quite important.
Indeed. I dropped the factory ROM in favor of CopperheadOS over this. The Nexus is supposed to be the one Android phone which gets patches in a timely manner. ~~In two days, it will be a month since Dirty COW went public~~. Instead of working on a fix, Google blew up Microsoft's spot by publishing a zero day for Windows and did NOTHING about their own. Hypocrites. Just because SELinux mitigates the attack somewhat doesn't mean this is acceptable.
It's becoming evident that we need REAL Linux phones that come with root and let us take care of our own hardware, because trusting Google with the keys to my castle is getting harder and harder.
Edit: Misread a date. We Americans like to order things differently than the rest of the world.
> How stable is it?
It will be quite stable again now that the transition to Nougat is done. It's still considered a beta. The main thing we need to consider it stable are the resources (i.e. money to hire people and buy hardware) to perform more than basic QA on each release before publishing.
> Do I flash it through stock recovery?
As long as you have full control over your device, you can mitigate what Google collects. I don't think being a Google Phone makes any difference when comparing with other Android devices if you're installing a custom rom.
No matter the device Google will have analytics on websites and Apps. Android also makes connectivity checks to Google domains. See this on Copperhead website under "Default connections made by CopperheadOS" > https://copperhead.co/android/docs/usage_guide#network-connection-information--statistics
If you don't install Google Services and use a firewall to block connections to Google I think you would be OK.
I use this. It works great and I really enjoy it. No issues at all over the last few months. Happy to chime in on any questions I can answer. I run it on a Pixel.
Devices: the reason these types of OSes have a limited selection of phone compatibility has to do with various security requirements. This link from Copperhead explains why:
https://copperhead.co/android/docs/devices#minimum-requirements-for-copperheados-support
tldr; I run it on a Pixel a few months. Love it. Device support is more complicated than you think because the devices need to have secure-able characteristics.
This is terrible advice. Realistically ALL people not using fingerprint are using a weak ass PIN that opens the device to easier brute-forcing (notice I didn't say easy but easiER). Particularly with the increased number of surveillance cameras that will quite easily make out your PIN, making even brute-forcing unnecessary.
Use long password + fingerprint: use the long password when the phone starts and then switch to fingerprint. If you have any concern for the security of your phone data, immediately shut it down.
edit: A bit more on that, although the project is dead, the information is still valid: https://copperhead.co/android/docs/usage_guide#authentication--encryption
It all depends on your needs. If you search reddit you can find some suggestion threads for FOSS apps.
CopperheadOS has some recommendations on their website.
A few I can recommend are:
I don't have too many apps installed, because I don't need many apps. I tend to use Chromium whenever I can instead of installing a proper app, but those are some apps I can recommend.
Prebuilt chromium was recently removed, so you have to build chromium from source. The docs have already been updated.
That's not an accurate portrayal of those technologies. As I said, you can be against those technologies while remaining honest about what they are and the reasons for their existence.
We spent a lot of time over the past couple months working on a remote attestation system based on secure processing features:
This wouldn't be possible if devices didn't support secure computing environments for features like hardware-backed keys and attestation without the ability to replace the secondary operating system running there.
If you look through our minimum requirements for hardware support you'll see that we require features like verified boot, hardware-backed keys and remote attestation. Those features require having hard-wired signature checks for the firmware loaded before the OS along with the firmware that runs on components like the Trusted Execution Environment or Secure Element. We won't support a device without these security features.
In an ideal world, we would have a massive company with vertical integration for the entire hardware and software stack. Our devices would have all of the features listed there and much more. The hard-wired signing keys would be our own and we'd use fuse-based downgrade protection for all of the included firmware / software. The OS would use a microkernel and would be entirely written in memory safe languages, with as little trusted memory unsafe code as possible. We'd have architecture support for accelerating integer overflow checks, bounds checks, etc. It could have full backwards compatibility for Android apps via an Android / Linux compatibility layer. However, that's just fantasy and we aren't in a position to build something like that...
CopperheadOS works on Nexus5 and Nexus6P.
LineageOS has a pretty long list of supported cellphones. Just don't install the google extras.
> Are the nexus devices getting Android 8 officially from Google?
Nexus Player, Nexus 5X, Nexus 6P, Pixel C, Pixel and Pixel XL are getting Android 8.0.
Nexus 6 and Nexus 9 are not receiving it and are both end-of-life this October.
> I was under the impression that security updates would end this year.
The Nexus 5X and 6P were released in September 2015 which means the end-of-life date is September 2018.
> but it comes at a cost of breaking the Android security implementations.
Can you elaborate more on that? How does it break its security? Firstly, have you ever read CopperheadOS' documentation?
https://copperhead.co/android/docs/technical_overview
Edit: >a harden iPhone from 2016+
Since we are in r/Privacy, with CopperheadOS other than its good security, it has no Google dependencies. So you gain both security and privacy with it. Remember, security and privacy go hand in hand. CopperheadOS does also receive almost weekly security updates. You can check out r/CopperheadOS.
If you're new to custom ROMs and find it hard to pick one, my suggestions would be one of these:
Pure and Lineage are not necessarily private or secure, but if you don't flash Google Apps you're a long way toward privacy already. They are, however, well maintained and stable projects more than fit for daily use while you research how to further your device privacy and security.
I can't speak from personal experience with Copperhead, but judging by all user testimonies I've seen it is trustworthy and safe. However, it may be further from the Android experience that you're used to.
Sidenote: Unless you do go for Copperhead, make sure to have the F-droid app handy after flashing your new ROM. That will be your open source replacement for Google Play.
Edit: typo
You can consider this one:
https://copperhead.co/android/
Edit:
>Which devices are currently supported?
>CopperheadOS currently supports the Nexus 9, Nexus 5X and Nexus 6P. Pixel and Pixel XL support is in development without a timeline for release.
Thank you for your reply. I do understand you choosing the license you find appropriate. Like I said I appreciate the work you've done. You do have the right to license your work anyway you want. I get that and that doesn't bother me. I'm not hating on it.
I can see you have disclosed your license nicely on your download page. But what I do have a problem with is here it says "Open-source". I'm not trying to harm you by pointing this out.
I'm glad that at least you didn't say "free software" as I don't think there is a definition of free software that allows commercial restrictions. But also I am not aware of a definition of open source that has this. OSI's definition of open source definitely does not include commercial restrictions.
How the license is "marked" has no bearing over how you presented the situation on Twitter and generally when the license change occurred. I feel very certain that to most people reading
> So here's the plan: the nougat-release branch will start off with a non-commercial usage license, and migrate to GPL3 as it gets funded.
sounds like the license change is meant to be temporary, and not that there is basically (to paraphrase and summarize the various posts above) no chance in hell it's going to be reverted any time soon.
You may dislike people like myself, but I dislike projects that capitalize on a pretense to be free open-source software (which your site does state: "Open-source and free of proprietary services") when in fact it's not open-source under any of the commonly accepted definitions (OSI, FSF, DFSG, pick your choice), trying to attract donations in the process, when in fact it is a commercial project with no intention of ever becoming free software [again] despite public hints on Twitter and the like. It's a misrepresentation and a disservice to actual free, open-source software.
https://copperhead.co/android/docs/technical_overview#pdf-viewer
If you're aware of another usable memory safe PDF implementation, let us know. It will be difficult to replicate the same kind of hardened rendering stack though, unless by some miracle it includes that too.
> I've found the new PDF reader is incapable of opening "large" (>5-10 pages) PDFs, either that or it takes so long that I'm unwilling to wait (at least 45 seconds or more).
It works well for hundred page samples here. Do you have an example? PDF is a complex file format and there might be cases that it's not currently very good at handling, but it's not because they're 50 pages or so since it handles that just fine.
I'm not aware of another non-stock Android OS using verified boot. Most of them go out of their way to roll back security features. They also won't have the security features: https://copperhead.co/android/docs/technical_overview. CopperheadOS is hardly just a different set of defaults.
> There isn't time to work on device-specific issues
Considering COS only supports a very limited set of devices, and this bug breaks a privacy feature you advertise as being supported right on your front page, I'm not sure your response of "someone else should fix it, not us" is really appropriate in this case. At the very least, your webpage should be updated to reflect that this feature doesn't work on half of your supported phones.
And F-Droid. No Google Play store.
You still have the problem of the hardware/radio software blobs which are closed source, so it's still not a total solution, but better than nothing.
Also, CopperheadOS for the security minded and the Jolla phones for being totally open source.
Nonetheless, I think it's a good opportunity to shift most community efforts to something like https://copperhead.co/android/, which is much more focussed on security and robustness.
Due to the lack of resources, they only develop for Nexus devices at the moment. They've partnered with F-Droid and The Guardian Project: https://guardianproject.info/2016/03/28/copperhead-guardian-project-and-f-droid-partner-to-build-open-verifiably-secure-mobile-ecosystem/
They sell Nexus 5X and Nexus 6P with CopperheadOS pre-installed for a premium price (for additional support and for inexperienced users I think).
https://copperhead.co/android/buy
There's a screenshot right there. The ROM is based on AOSP, so I guess it looks pretty much like vanilla Android, just with added security features, probably a lot of "under the hood" changes that you will never actually notice.
> will void the warranty
imho, it's worth it :). The Android that comes with the phone often has some bloat or telemetry; I always flash to Cyanogenmod (or better, CopperheadOS). I don't speak for everyone though; some are OK with it.
if you have a nexus device install Copperhead OS
A first step would be to randomize the keypad layout for PIN codes.
Fingerprints on the screen often give away PIN codes and drastically reduce the possible codes.
It's what Copperhead Android (https://copperhead.co/android/) does.
Depends on how much you trust Google. :)
According to head of Copperhead Security, who's forking Android to develop CopperHead OS, Marshmallow is VERY secure, probably more than Blackberry's Android fork.
Cyanogenmod is an insecure mess. The system is signed with test keys (exposed private key), you have to leave a wide open recovery installed, and most people leave their bootloader unlocked after installing it. If someone wants your data, running Cyanogenmod makes their job easier.
A commercial CyanogenOS device fixes those things, but that introduces more closed stuff. I doubt random XDA ROMs do it right either.
Best thing I've seen coming is Copperhead OS.
The smallest card on Ting's pop-out SIM card is a nano SIM, so it's physically compatible. As for the bands, it should have everything we need.
I might get one. Maybe if Copperhead OS sees the light of day and gets ported to it. I don't like the direction OnePlus seems to be going with its supposed Android fork.
Pixels allow 3rd party OS's like ours to have a Verified Boot locked state. Can verify which devices provide this here https://copperhead.co/android/docs/install/#testing-the-android-bootloader-for-unlockable-compatibility
That's the reality actually, there are lots of community free software efforts. Heck, one of the most secure operating systems in the industry is not a corporation product. Also, here is an example of a secure mobile operating system, and it's Android based!
Yes you can. The CopperheadOS project was meant to guarantee these types of things (privacy + security), it is currently a dead project due to conflicts between the owners but the rationale remains and I'm expecting a replacement to happen mid-term, check out the doc to understand a bit more: https://copperhead.co/android/docs/usage_guide
If this is about the connectivity checks mentioned here in the COS documentation, please consider not changing this. It's explained in more detail in the documentation, why it is not a bad thing, just because it's Google. Google is the standard connectivity check URL for every Android device in the world and there is no personal information being sent. Changing this will make us completely stand out. If you change it to your proposed address, you can rest assured that every single user of this OS will be easily trackable through this.
Again, not sure if this is about this, but if it is, it probably would be a bad idea for our fingerprints. strncat stated the reason why he left this URL as is multiple times and it makes a lot of sense. No other device regularly connects to your URL, whereas billions of devices use Google's connectivity check.
I think it would be best to just stick 100% to strncat's code. Changes like these would actually worsen privacy for users, even if they may seem good at first thought.
It seems that you can't build AOSP without proprietary binaries: https://source.android.com/setup/build/building#obtaining-proprietary-binaries
To be fair, building COS also requires vendor files: https://copperhead.co/android/docs/building#extracting-vendor-files-for-nexus-and-pixel-devices
Giving yourself to Apple is not that different from giving yourself to Google. At least with android, you can have control.
What you can do without changing phone and without rooting phone/changing rom:
Be aware of the apps you install, and block specific tracking domains, for example:
Opt-out of services you don't really need and/or change to open source alternatives
For app store alternatives you can use f-droid, or Yalp (yalp is an alternative app to access the Play Store with your account or a default account).
Android will still send http requests to Google to check for internet connectivity. See https://copperhead.co/android/docs/usage_guide
You may not opt-out of every tracking, but you can reduce it by a lot. Hope it helps.
See previous posts on the topic along with documentation on the website, Google Camera is not supported and will most likely never be supported on the CopperheadOS platform.
https://copperhead.co/android/docs/usage_guide#advanced-camera-features
Yeah, that's not supported and is too far away from what we support.
Only devices launched with Android 8.0+ can be realistically supported (due to Treble). We have strict security requirements for officially supported devices but that doesn't really impact ease of porting.
Okay, it seems you need some clarifications.
(a) F-Droid is an appstore of open-source hardware. It would be the equivalent of Google Play Store / Apple App Store.
(b) A substitute for your OEM/Google Android OS would be LineageOS with or without Google services (the one I'm using), or Copperhead. Notice that "installing" these OSes requires flashing, so it might not be reversible. There are more, but these are the more common ones.
F-Droid will not change your Android OS, and can co-habit your device with the Google Play store. See 1(b) if you change OS.
More than installing F-Droid, the objective is to substitute apps from the Google Play store with apps from F-Droid. And the ideal would be to use only open-source apps and drop all your dependencies on Google Play services.
That it can completely replace your Google dependency, and you will not find there banking apps, or Tinder.
Use the search bar with key terms like LineageOS, Android, F-Droid, Google "calendar/docs/drive" substitute for android, etc.
Godspeed
if your avoidance is due to the inherent security problems of android and/or troubling google related topics, i am with you 100%.
i would recommend flashing copperheados. especially if your android device is supported. google-free and updated with CVE security patches all the time. and it's surprisingly usable if you can live without google play services / google play store.
Some even compare its security to a standard linux distro and most who use it would trust it more than any default ubuntu os
check em out. especially if you own a nexus or a pixel https://copperhead.co/android/
As per the Usage Guide:
>Avoid Gecko-based browsers like Firefox. They’re significantly less secure and are among the few apps not able to benefit from the full set of CopperheadOS hardening features due to shipping their own linker and custom JIT compiler within the app process. The WebView is inherently Chromium-based so using Gecko also means exposing the attack surface of two browser engines rather than one. Firefox Focus currently uses the system WebView rather than Gecko but Mozilla plans to change that.
If you want to make modifications to CopperheadOS you need to do the full process in https://copperhead.co/android/docs/building for each update. You aren't going to get the answer you want. It will break.
> Oh, I thought AOSP had google services in it natively.
No, it doesn't.
> Because in that case I think I'll just go with an AOSP rom and those apps.
It still needs to be Oreo to have security updates.
> Do you know if there are any installable zips with the copperhead default apps. With F-Droid and Silence and all that? Because in that case I think I'll just go with an AOSP rom and those apps.
CopperheadOS isn't a set of apps. You can't get the privacy and security features elsewhere. The bundled apps aren't particularly relevant to what it is.
Hello - here is an article from Android Authority on best Dual-Sim phones https://www.androidauthority.com/best-dual-sim-android-phones-529470/.
I can't speak much to not sending info to Google. I think there are options like Copperhead OS (https://copperhead.co/android/) which is based on Android but focuses on security. I believe it has f-droid, which is an alternative to the Play Store. You would have to be comfortable unlocking your bootloader and flashing, which isn't extremely difficult if you follow the walkthrough. I know some Corporate environments don't like phones with unlocked boot loaders, so that might not be an option for you.
An iPhone might be your best option if you want to avoid Google, but I'm not sure of a dual SIM option and they don't have a slot for MicroSD cards. However, they play nicely with Microsoft Apps like OneNote. I currently have an iPhone 7 and use Wifi Calling, and use my iPad for OneNote. It's a good combo. I don't love being locked into the Apple Ecosystem, so I have an Android as a backup.
Best of luck to you and let us know what you end up getting.
Maps.me has been awesome. The Copperhead User Guide suggests it and links the apk. Just make sure to download the map with routing and you should be set.
https://github.com/mapsme/api-android https://copperhead.co/android/docs/usage_guide#maps
> CopperheadOS is not focused on privacy
It's focused on both privacy and security. It adds privacy features like the network permission toggle, sensor permission toggle (sensors leak location, input, low frequency audio and require no permission on iOS or stock Android), forbidding network statistics access, forbidding background clipboard access, associated MAC randomization, default incognito keyboard, etc.
See the usage guide and technical overview.
> MAC address changing [the iPhone also does this]).
iPhones don't use associated MAC randomization.
It's why CopperheadOS added a toggle for sensor access: https://copperhead.co/android/docs/usage_guide#sensors-permission. Since Android and iOS don't do that, every app can access sensor data and use it for crude but still effective (by applying external data and machine learning) audio recording and location tracking.
To a cleaner Google free android/linux, or something else altogether. Amazon did it to a large extent, their Fire is android based but devoid of Google. Hardware based backdoors do scare me though.
https://en.wikipedia.org/wiki/List_of_custom_Android_distributions
Unfortunately no, Copperhead only works on devices supported by the base Android project. That is only four phones at the moment: Nexus 5X, Nexus 6P, Pixel, and Pixel XL.
Your confusion about requiring root might come from the fact that Samsung devices don't want you to install custom ROMs.
Here is the documentation: https://copperhead.co/android/docs/install
Here are the instructions for installing Copperhead: https://copperhead.co/android/docs/install
You can also buy a preflashed device direct from their website.
Edit: You should probably know that Copperhead unfortunately has limited device support. They only target phones supported by the base Android project. Currently: Nexus 5X, Nexus 6P, Pixel, Pixel XL.
There are APIs exposed to apps that are gated on the INTERNET permission and using a firewall doesn't block those. That's why CopperheadOS implemented this with a toggle for a Network permission group with the INTERNET permission.
That still has caveats noted in the CopperheadOS usage guide like browsers allowing apps to open URLs via ACTION_VIEW: https://copperhead.co/android/docs/usage_guide#network-permission.
I recommend https://copperhead.co/android/ and to read my carding on android tutorial, for uber it might have root detector to decline cards, but I have no idea, you have to test for yourself.
https://www.reddit.com/r/Fraudnet2/comments/66ew8o/tutorial_on_how_to_card_on_android_pcphone
More sensible than removing apps is installing an open-source custom ROM. CopperheadOS would be ideal. It is open source and focuses on security. But since it only supports a few devices, you can alternatively install LineageOS or AOSP. Both come without Google apps.
Besides, root is a security hole. It gives attackers additional options, because the root user can bypass (almost) all of Android's security measures.
An original Nokia 3310 in like-new condition is available on eBay or Amazon.de from 25 EUR. With a new 1800 mAh Li-polymer battery you easily get a standby time of 1-2 weeks. You can switch the thing on and off in seconds, and also simply remove the battery. There used to be LED flashers that were powered purely parasitically via the RF of the antenna. Unfortunately they are no longer sold, so you have to solder one yourself.
GSM operation in Germoney should be assured until 2025.
MiFi devices are a dime a dozen, and they are part of the untrusted zone, so the make hardly matters. I use a TP-Link M7350 with 6 GB from "debile Tel" for 10 EUR/month, 24-month contract term (cancel 3 months in advance).
I recycled my wife's Samsung S3; since May there has been Replicant 6.0 https://blog.replicant.us/2017/05/replicant-6-0-released/ which I am not using yet, though. I set up an OpenVPN tunnel to my own endpoint. Tor is on it too, almost necessary.
You can also get a Nexus 5X and flash it with https://copperhead.co/android/downloads. Unfortunately there is no pure Wi-Fi tablet with support from a free Android fork. That is also why I am not buying a tablet.
A lot is possible, but it takes work.
This whole experience is driving me nuts. I'm a casual user who's in over his head. If anyone in or around Nashville TN is reading this, I'll pay you to help me install this OS: https://copperhead.co/android/docs/install
While my phone's in Bootloader, the command fastboot devices gives me: no permissions (verify udev rules); see [http://developer.android.com/tools/device.html] fastboot
The command adb devices doesn't give me the list of connected devices, unless my phone is turned on (not in bootloader mode)
Hey thanks I appreciate this.
So essentially only apps that have access to the camera and microphone can actually turn these on? Some apps, like the contacts app, have been asking permission for my location and calendar; I'm not sure why it's asking for such, so I've just been denying it every time.
I may have simply misunderstood about the firewall thing. I showed my technical understanding friend this:
https://copperhead.co/android/
Which says this:
Firewall & network hardening Along with improvements like MAC randomization
> Should I specifically get a phone that supports Copperhead?
Yes, it's pretty much the #1 contender for a privacy and security conscious phone.
If you load it for free and like it, consider donating to the project: https://copperhead.co/android/donate
>Snowden also endorsed a service that I have to give up my phone number to even use. Know the information a phone number can give up? Geolocation and who I am.
Are you talking about Signal or some other service?
I mean, if you really care about privacy, I would argue that a Googleless Android is safer than iOS and iMessage. Getting a Pixel or Nexus and then putting something like CopperheadOS and using F-Droid and only FOSS applications is the best way to go. That way a majority of the code is open source, verifiable, and out of the hands of big companies like Apple, Google, or anyone else.
Thank you for replying to me. I appreciate your work and I do understand your need to license your work the way you did. Not everyone is able to produce free and open source software. I get it and your choice for license is none of my business.
You do disclose your license neatly on your downloads page, but here it's advertised as open-source. I would consider this page to be advertisement material and I find it false advertisement to claim CC BY-NC-SA to be an open source license. OSI's definition of open source includes the criterion of Free Redistribution also for commercial uses.
The license is clearly marked at https://copperhead.co/android/downloads. No one is being misled. By misrepresenting what's going on, you're only further distancing us from caring about what entitled people think about this. The door is being closed by people like yourself, only willing to complain rather than doing any work or making it sustainable to use a FOSS license. It wasn't us that sat there not doing anything for the 2 years that the project was FOSS.
Just to clarify things for everyone, you are (probably) talking about the CopperheadOS (https://copperhead.co/android/docs/install).
These devices are NOT open source hardware and as far as I know they don't ship with open-source software.
Someone in another sub gave me this explanation:
> The same reason why most app developers write for iOS first before moving on to Android: a limited stable of known variables that can be consistently tested against, instead of a Zoo’s breakfast of wildly differing variables.
So, I guess, it's because with hardware tailored specifically to Google's needs, Android has less leaks and malfunctions, giving a better foundation for making a hardened Android. I don't think the device is privacy-focused at all, rather the environment is supposedly more uniform to ward off malfunctions.
> Mainly because it's the only custom ROM that allows you to lock the bootloader.
The security features it implements don't count for anything? https://copperhead.co/android/docs/technical_overview
Signed, tested release (i.e. user, not userdebug) builds of AOSP with verified boot and secure updates is the baseline for a production quality build of Android. If an OS isn't doing that then it isn't showing up to the privacy / security challenge in the first place.
Conversations.im is another one to look at. It's recommended by the CopperheadOS devs on their website. The only issue I have had with using XMPP isn't on my CopperheadOS device, it's whom I communicate with. The majority of my friends are on iOS. ChatSecure works well but closes in the background (I believe this is due to iOS, not the devs of ChatSecure) so the messages are hit or miss.
Run Cyanogenmod or CopperheadOS if your device is supported without Google Apps and you'll have a mostly free device.
F-Droid acts as a second app store for only free and open source software. Do be aware that without Google Apps, Google Play will not function, thus there is a tradeoff, but the privacy (and battery!) benefits are enormous.
> well, not really since it was never explained
Firefox is significantly less secure than Chromium. Browsers based on the Chromium WebView are more hardened than Firefox, but not as much as the standalone Chromium app or browsers based on that. There's a section on Chromium in the documentation.
> For example, it supports only Google search and does not let you change the default search engine to anything else.
That's not true. It doesn't have a great selection of search engines but it does have choices and we can add more of those. The default is also something that can be changed. Disabling location-based search by default is already planned.
> That's a rather disappointing letdown for an Android distro touting security and (implied) separation from those who want to watch you.
It would be unreasonable to use a browser not based on Chromium in a hardened OS.
> It's basically a wrapper for Android WebView
The WebView is Chromium, albeit with an inferior sandbox. It's built from the same source tree and is mostly the same thing. It will even be the same build / apk once MonochromePublic.apk is ready to replace the split SystemWebView.apk + ChromeModernPublic.apk that we use today.
> Incognito mode
Supported in Chromium.
> Adblocking
It supports it poorly, apparently based on domain filtering via one hard-wired list. There's nothing preventing a good implementation of content filtering in Chromium supporting the usual lists based primarily on CSS selectors with support for element hiding.
> Support for proxying through Tor, I2P, or custom/other proxies
Application support isn't required for that. I don't think it makes sense to expect each app to support this, rather than doing it generically.
Copperhead should work very well for you then. It's mostly stock Android with only security tweaks more than anything. You can use the system.ui tuner to show the battery percentage in the battery icon. You can see everything it has to offer at https://copperhead.co/android/docs/technical_overview or the main page https://copperhead.co/android/
https://copperhead.co/android/
Run by the same guy who packages linux-grsec, hardening-wrapper, and paxd for the Arch Linux distribution. I would avoid using Google apps at all if privacy is important to you.
IMHO you can turn a Nexus (actually getting rebranded to Pixel in Oct) into a nice device by reflashing a good OS. Try https://copperhead.co/android/.
It will be Android minus junk & bloat. No Google Play. Nothing from Google actually.
It looks like the OS is provided for free. So that's a pretty hefty price for them to flash it on your phone basically.
For anyone actually downloading and flashing it, consider supporting the developers.