The 8232 Project

@Charger8232@lemmy.ml

Posts: 86, Comments: 528, Joined: 2 yr. ago

I trust code more than politics.

  • For PDFs I simply use GrapheneOS's PDF reader, I don't have any other recommendations in terms of other PDF readers.

    I currently started using Moon+ Reader, which is proprietary, simply because I could not find any good open source alternative that matches the quality. It might be able to handle PDFs.

  • [TOR] what is tor.defcon.org and why is my browser connecting to it every time I start it

  • Think of your fed as a guardian angel. That works for the government. And no intentions to guard you. Or any good intentions at all.

  • I was about to make a pull request to expand the list to the top 109 websites, but the developer blocked me from all interactions because I "spammed too many issues" (I opened 5 and they were all legitimate). Buggy software gets multiple bug reports, what a surprise... The software (or at least the idea) has a lot of potential, but a lot of work and care needs to be put into it.

  • After getting the crash issue resolved (it is now fixed), I tested this to see how it behaves by using PCAPdroid. I also attempted to decrypt the traffic, to see what it sends.

    This is the traffic analysis:

    It sends to a random list of hosts, all of which are listed here:

    https://4chan.org
    https://www.reddit.com
    https://www.yahoo.com
    https://www.cnn.com
    https://pornhub.com
    https://www.ebay.com
    https://wikipedia.org
    https://youtube.com
    https://github.com
    https://medium.com
    https://thepiratebay.org

    After digging through the code, here is the file with a list of hosts. It also seems to randomly generate user agents, which is good.

    The developer blocked me from opening issues on all of his projects.

  • I'm going to parrot what people in the GrapheneOS community would say: "The most secure place to get apps from is Accrescent. If an app isn't available there, the next best place is the Play Store itself with an anonymous Google account." Some bother to add that Obtainium+AppVerifier can be used if it isn't available for either of those methods. Anyways, they're very stingy about where they get their apps from.

    Here is my take: Despite claims of F-Droid and Aurora Store having security issues, I don't care. It's based on your threat model and personal preference. Google may soon be forced to open up Play Store apps to more third parties, so more secure methods of getting them may crop up in the future. You'll really never have a 100% private way to get apps, that's the unfortunate reality of how things are. If your threat model is against Google and supply chain attacks, those limit your options down to some less-than-convenient methods. If you do decide to use AppVerifier, do note that you only need to verify the hash once and you're good for the rest of your phone's life.

  • Will you be analyzing forks such as tor and mull?

    Yes.

  • Lmk if you need any support finding evidence in source code.

    Thank you! I may ask for your help eventually

  • See Update 1 for answers and clarification.

  • See Update 1 for answers and clarification.

  • See Update 1 for answers and clarification.

  • I agree, and this is no easy task. For now, I am hoping I can gather information and let some of the pieces fall together before I can begin making hard decisions.

  • I appreciate the source, but do note the difference between privacy and security.

  • I feel like

    I don't know if this was intentional or not, but I found it humorous.

    In my drafts of the article I have made sure to include sections specifically pointing out that this is not a be-all-end-all, and it doesn't tell you what to do or what you can and can't use. In the end, people are free to use whatever they want. I am simply here to document and clarify some perceived issues.

  • Fantastic questions! Thank you for asking.

    Do you have your current list of sources?

    The answer to this is a bit complicated: I had a list of sources, but many of them were not primary sources, and so I am currently in the process of recollecting sources and better categorizing them. I'm currently collecting as many different types of sources as I can, and I will find out what is actually useful later.

    You mentioned you want more, but where are you looking to start? For example are you looking at the CVE database?

    CVE databases will be some of the primary sources I will use in the article, and I may even try to get in touch with the individuals who documented some of the CVEs. I can't make any promises about that, though.

    Are you looking at competitions like Pwn2Own? Or detailed project group like Google Project Zero?

    I am not familiar with these yet, so I will look into them.

    Is it fair to compare Chromium, which is not an end user product, to Firefox which is? Do you plan to look at or compare forks of the software?

    For the sake of clarity in this post I used "Chromium" and "Firefox" to simplify what I am doing for users who aren't as aware of the fine details. I will be comparing a wide variety of projects, such as Chromium, Vanadium, Brave, ungoogled-chromium, whatever hardened Chromium Secureblue uses, etc. to a variety of Gecko-based projects such as Firefox, the Tor Browser, Mullvad Browser, and other varieties I may be unfamiliar with. These will be compared on their various platforms, such as Windows, macOS, various Linux distros (where available), iOS, Android, and special cases such as Qubes, Tails, and Firejail. Essentially, I want to compare what the most and least secure varieties of each browser pose, and make observations from there.

    As an example both Google Chrome and Mozilla Firefox enable “Google Safe Browsing” by default, however the fork “ungoogled-chromium” does not include “Google Safe Browsing” (and they provide their reasoning).

    As far as I currently know (and please note I am still in the early research stages), Google Safe Browsing is a feature that primarily affects privacy and is more of a failsafe. For one, it warns you about malicious websites. This is a failsafe for users who are not aware of which websites are malicious. This isn't directly a security protection, but rather a security "suggestion" for non-advanced users. It also sends data to Google to report websites, which mainly affects privacy. I'm pulling most of this from my head, and so I may be off base with this. Either way, it will not be the main focus of this, as it doesn't matter if Google Safe Browsing is safe or not if it can simply be disabled. I plan to mainly focus on sandboxing issues with Firefox and any related topics that sprout up from that.

  • Does anyone on Lemmy, especially the privacy community, actually use Google Chrome?

    Again, Google Chrome is not the same as Chromium. Brave is based on Chromium, which many users in the privacy community use.

    Awesome that you’re doing this though regardless. I’ve saved this post and look forward to reading your work

    Thank you! I hope it will not disappoint

  • This is allegedly also true for Firefox on Android, which I will be investigating in this topic.

  • What makes Firefox desirable over Chrome is that it’s not being developed by a massive corporation that gets the majority of its profits selling user data and delivering targeted adverts.

    This is a separate issue of being able to trust developers, which is not being covered here. Projects like ungoogled-chromium exist, after all. I will be inspecting the software as a whole, and not any future interference that may happen.

  • Google Chrome is not the same as Chromium, and protection from Google is not what this topic is covering. It is covering protection from malicious websites, and mainly claims about site isolation.

    Also, no. A commit log or version control system does not show information about security issues that have not been fixed yet.