WebRTC is a peer-to-peer communications protocol for web sites and therefore causes numerous privacy issues through making direct connections between participants. By default our Vanadium browser disables the peer-to-peer aspect by only using server-based (proxied) connections.

Vanadium provides a user-facing setting at Privacy and security > WebRTC IP handling policy.

From least to most strict:

Default
Default public and private interfaces
Default public interface only
Disable non-proxied UDP

For Vanadium, "Disabled non-proxied UDP" is the default.

The tracking technique described at https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/ is prevented by Vanadium's default "Disabled non-proxied UDP" value. It's also prevented by "Default public interface only", which does permit peer-to-peer connections but won't try to use the loopback interface for it.
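One way to see what a given WebRTC IP handling policy setting actually exposes is to classify the addresses in the ICE candidate lines a page can read. The following is an added example, not part of the original post and not Vanadium or Chromium code; the function names are hypothetical and the candidate lines are constructed samples using documentation address ranges.

```javascript
// Added example: classify the addresses exposed by ICE candidate lines.
// Grammar (RFC 8839): candidate:<foundation> <component> <transport>
//   <priority> <address> <port> typ <host|srflx|prflx|relay> ...
function parseCandidate(line) {
  const re = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i;
  const m = re.exec(line.trim());
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5].toLowerCase(),
           port: Number(m[6]), type: m[7].toLowerCase() };
}

function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // mDNS name stands in for the local IP
  const v4 = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(addr);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    if (a === 127) return 'loopback';
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private';
    if (a === 169 && b === 254) return 'link-local';
    if (a === 100 && b >= 64 && b <= 127) return 'cgnat';
    return 'public';
  }
  if (addr.includes(':')) {
    if (addr === '::1') return 'loopback';
    const first = parseInt(addr.split(':')[0] || '0', 16);
    if ((first & 0xfe00) === 0xfc00) return 'private';    // fc00::/7 unique local
    if ((first & 0xffc0) === 0xfe80) return 'link-local'; // fe80::/10
    return 'public';
  }
  return 'unknown';
}

function auditCandidates(lines) {
  return lines.map((l) => parseCandidate(l)).filter(Boolean).map((c) => {
    const scope = classifyAddress(c.address);
    // A relay candidate carries the TURN server's address, not the device's.
    return { ...c, scope, exposesDevice: c.type !== 'relay' && scope !== 'mdns' };
  });
}

// Constructed sample candidate lines (documentation/test address ranges).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51820 typ host generation 0',
  'candidate:2 1 udp 2122194687 3f2a9c1e-0000-4000-8000-1234567890ab.local 51821 typ host',
  'a=candidate:3 1 udp 1686052607 203.0.113.7 51820 typ srflx raddr 192.168.1.23 rport 51820',
  'candidate:4 1 udp 41885439 198.51.100.9 3478 typ relay raddr 0.0.0.0 rport 0',
  'candidate:5 1 tcp 1518280447 127.0.0.1 9 typ host tcptype active',
];
console.log(auditCandidates(SAMPLE_CANDIDATES));
```

Feeding it the candidate lines gathered under each policy setting shows which settings leave host or server-reflexive addresses visible to the page.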
We have a list of most of the features provided by Vanadium at https://grapheneos.org/features#vanadium. There are dozens of additional privacy and security features planned along with data import/export and improved support for system backups. It takes time to implement these things properly.
Vanadium doesn't have billions or even millions of users which limits our ability to prevent fingerprinting. We plan to address this by launching it for use outside GrapheneOS including publishing it through the Play Store. We want to implement more of the planned features first.
For the non-WebRTC issue being abused by Yandex, Chromium 137 shipped a fix for it behind a feature flag that's being gradually rolled out. We can roll this out to 100% of Vanadium users through a Vanadium Config update. We can start Alpha testing for that new flag later today.
Vanadium Config version 95 enables protection for local networks and loopback. The user interface for making per-site exceptions isn't available for Android yet. The overall feature can be disabled via chrome://flags if for some reason someone needs that functionality right now.

@GrapheneOS so, as someone 100% unfamiliar with android’s internals…

could apps be isolated to different network namespaces a-la linux containers, so localhost to one app isn’t localhost on another app?

@pearl @GrapheneOS https://github.com/GrapheneOS/os-issue-tracker/issues/5225#issuecomment-2799038011

This change would be too large for GrapheneOS to implement it on their own. Especially maintaining such a large feature over time, as updates come out and the underlying network infrastructure in Android changes would require lots of time and effort. It's not feasible for anyone other than Google to implement this.

@pearl Android does use namespaces to an extent but primarily uses SELinux to make the app sandbox.

It would be possible to use per-profile or per-app network namespaces but it would be very difficult to integrate and maintain in a fully compatible way.

@GrapheneOS yesterday you posted about WebRTC and how Vanadium has safe defaults and user can choose the less secure configuration. Is this fix for when users choose the less secure configuration? How does it differ from choosing only public interface for WebRTC? Local network communication protection is probably new, but loopback protection is enabled as long as private interface is forbidden, or am I missing something? Thanks.
@GrapheneOS Great - I will wait for the Alpha release for testing.
@lusca Note it will just be an Alpha release of Vanadium Config since we have that to avoid needing browser updates to change flags or update content filters. Chrome simply fetches flags from a server and it's largely based on randomized subsets of users for different feature trials. We prefer rolling out the flag changes via our Alpha, Beta and Stable channel system to 100% of the users on each channel via Vanadium Config. We don't like doing staged rollouts or A/B testing the way they do it.

@GrapheneOS So, in theory, updating Vanadium Config could be used to test flags in Alpha such as:
chrome://flags/#strict-origin-isolation
chrome://flags/#origin-keyed-processes-by-default
chrome://flags/#enable-fingerprinting-protection-blocklist-incognito

Note: These are just example flags.

Localhost Resource Permission | Brave

Starting in version 1.54, Brave for desktop and Android will include more powerful features for controlling which sites can access local network resources, and for how long.

Brave
@GrapheneOS no need to publish it on play store which is from google. publish it on F Droid instead!
@m4th1337 @GrapheneOS Tbh might as well put it on the Play Store too, I mean, users that will get it outside of GrapheneOS are almost surely using the Google Play Services.
And when you have the Play Services either way, whether you get the app on F-Droid or Play Store, it does not really change much in terms of privacy, but apparently the Play Store might (will?) be more secure.
@martin F-Droid is not a secure or trustworthy way to distribute apps. We already have our own app repository with far better security, proper automatic updates, dependency management, atomic updates and other important features. The preferred way to obtain Vanadium will be through our App Store. The reason to publish on the Play Store is so billions of people who use it will be able to easily use Vanadium without knowing how to install our App Store as an APK to obtain and then update it.
@m4th1337 F-Droid is not a secure or trustworthy way to distribute apps. We already have our own app repository with far better security, proper automatic updates, dependency management, atomic updates and other important features. The preferred way to obtain Vanadium will be through our App Store. The reason to publish on the Play Store is so billions of people who use it will be able to easily use Vanadium without knowing how to install our App Store as an APK to obtain and then update it.

@GrapheneOS

There are two things i regularly run into when trying to use vanadium:

1. No adblocking/contentblocking (for usability-reasons, not privacy)
2. Missing support for "external" password managers via the autofill service

From what i have read, 1 is a future feature (that i probably can also work around with an adblocking vpn app), and two *should* work. But i am not getting the prompts. Do i need to configure anything special for that?

@newhinton

> 1. No adblocking/contentblocking (for usability-reasons, not privacy)

That's incorrect. Vanadium has content filtering via EasyList + EasyPrivacy with a per-site toggle. It also uses EasyList Germany when German is enabled as a browser language and we plan to extend that to more language lists. This approach is being used to avoid fingerprinting.

> 2. Missing support for "external" password managers via the autofill service

That's incorrect. It fully supports password managers.

@newhinton Both of those are already available in Vanadium and have been for a long time now. It fully supports using a password manager for autofill and passkeys. You need to set the autofill mode to using external autofill instead of built-in autofill to use an app like Proton Pass for passwords and passkeys. Chromium tries to auto-detect for the default setting but it may choose incorrectly and you may want to switch it from what it initially chose if you started using a password manager.

@GrapheneOS Oh, you're right! I was looking through the settings and i must have overlooked the 'Ads'-section. That's great! From github issues it looked like it was still experimental.

And i have figured out why the password prompt seemingly does not work. I have been using two-stage logins (ebay/amazon) where it only shows up for the password. Single stage ones seem to work fine. Is this expected, or depends on which password manager i am using?

Sorry for the confusion, and many thanks!

@newhinton It should work with those. You may need a smarter password manager though.

@GrapheneOS @newhinton
Can fully confirm both.

1) Stuff gets filtered but not so much as some would like which is a compromise for fingerprinting not to stand out too much

2) see attached, PWM are working with autofill. KP as autofill service configured and working.

@JeGr @GrapheneOS Thanks, see my other comment. I have overlooked the 'ads' section in the settings which enables/disables adblocking. I wonder if it deserves a more prominent link to it...

Have you had issues with multi-stage logins?

@newhinton @GrapheneOS
Multi Stage as in? Multiple pages and steps? User, then PW, etc instead of all on one page? Then yes that is sometimes a bit hit or miss and dependent on the form naming etc.
But most times the PW field is fine.

@JeGr @GrapheneOS Yes exactly, multiple pages.

On firefox it works (mostly) as expected, but in vanadium i never got the initial prompt for the username, which put me under the impression it wasn't supported. (And, i remembered that chromium/chrome didn't support autofill at all, but that is probably outdated regardless)

@newhinton @JeGr Blocking ads is enabled by default. There's a per-site opt-out which is shown in the site settings shortcut next to the URL bar.
@GrapheneOS That's the right choice.
One suggestion, please add user scripts and user agent as it is done in cromite it is also open source

@userj

> add user scripts

This is bad for security.

> and user agent

This is bad for privacy and not a good approach to achieving what you probably want to accomplish.

> as it is done in cromite it is also open source

This browser makes many misguided changes and we highly recommend against it. Making more changes does not result in something being better especially when many are done incorrectly or directly significantly reduce security.

@GrapheneOS Okay, I get it, it doesn't fit the purpose of your browser. By the way, I mentioned cromite and the fact that it's opensource. So that if you decide to incorporate these features into your browser you can see the open source code, or just as a resource where I've seen it.
Look, I don't really need a user agent, and I use user scripts only to be able to run YouTube or other streaming services in the background when the phone is turned off. Maybe you can implement this feature.
@GrapheneOS
And, I think I've seen such a switch in mobile brave browser. In general I would be very glad of a background media playback feature in your browser.
I am a graphene os user and appreciate and support what you are doing.
@GrapheneOS And thanks for the advice to stop using the browser in favor of security
@GrapheneOS Data import/export (particularly bookmarks) is a feature I am eagerly awaiting. Managing hundreds or thousands of bookmarks without a way to export them is not good.

@GrapheneOS

little ot,
is it possible to show bookmarks
as the Startpage.
just like Vivaldi somehow?
A sync/backup to Nextcloud would be nice too.

so or so great³ work!