Are you still running Android or iOS? We gotta talk, because stuff like this is going to just keep coming:

Microsoft uncovers a security flaw impacting Android apps with billions of combined downloads

The heart of the “Dirty Stream” vulnerability lies in the potential for malicious Android apps to manipulate and abuse Android’s content provider system. This system is typically designed to facilitate secure data exchange between different applications on a device. It includes safeguards such as strict isolation of data, the use of permissions attached to specific URIs (Uniform Resource Identifiers), and thorough validation of file paths to ward off unauthorized access.

And stuff like this:

Active exploitation of Google Pixel zero-days underway

No additional details regarding the exploitation of the zero-days but the GrapheneOS team said that forensic companies were behind the intrusions, with attacks leveraging CVE-2024-29748 noted to potentially result in the disruption of a device admin API-stemming factory reset process.

"Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory," said GrapheneOS in a series of posts on X, formerly Twitter.

Understanding GrapheneOS:

The Features Overview for GrapheneOS speaks to me in my language. I’m not sure how to translate this 8,000+ word security blanket for non-technical folk. Basically this system is like Qubes and OpenBSD before it. Rather than waiting around for a CVE to turn up, the developers assume the worst about everything, and act accordingly.

As an example of their cautious approach, elderly network protocols 2G and 3G are not available, nor is bleeding edge 5G. Things that are old don’t get maintained and subtle bugs can linger. Things that are new are hotly exploited. You get the mature network option, no more, no less.

Like Qubes, you will pay a significant “security tax” in learning how to run it, but then your device will be YOURS. My read on it is that it’s NOT the enormous leap that a move to Qubes entails, more like switching from one of the two main phone operating systems to the other.

Why Pixel 8:

GrapheneOS works on Pixel 6 and the Pixel 7a is reportedly the best bang per buck. Why get the absolutely newest model? Hardware memory tagging.

8th generation Pixels provide a minimum guarantee of 7 years of support from launch instead of the previous 5 year minimum guarantee. 8th generation Pixels also bring support for the incredibly powerful hardware memory tagging security feature as part of moving to new ARMv9 CPU cores. GrapheneOS uses hardware memory tagging by default to protect the base OS and known compatible user installed apps against exploitation, with the option to use it for all apps and opt-out on a case-by-case basis for the few incompatible with it.

The new ARMv9 CPUs are like GrapheneOS - the assume the worst about each application and lock them away in their own work area. There are a lot of exploits that depend on memory insecurity and that particular misfeature is just gone.

The Google Pixel 8a’s release is imminent. And that is affecting Pixel 8 prices.

Personal Plans:

I first mentioned GrapheneOS in GrapheneOS: Pondering Pixels, wherein I managed to type the $550 price of a Google Pixel 8 without using the Scanners movie exploding head gif. I laid out what I was going to be doing in May in Upgrading All The Things and life just keeps bumpin’ along. The Qubes laptop is now an Ubuntu Budgie desktop replacement, my spare workstation is a Qubes 4.2.1 system, and my daily driver HP Z420 is having a rest in the corner. The iPhone really should join the Z420 in the corner of quiet contemplation, but I’m biding my time until the Pixel 8a release and the inevitable burst of lower cost Pixel 8 phones that will follow.

Conclusion:

Retiring Signal & Taking Time Off was my response to the endless ugliness in the world finally getting under my skin. Compartmentalization and burner phones have kept things around here sane, and I expect to have a bit brighter view when I return, but I don’t imagine things are going to improve much. Taking the time to master GrapheneOS and coming back with a bulletproof phone will be a source of comfort.

And I expect I’ll be parachuting right into the middle of who knows what when I do feel rested enough to rejoin the fray …