Android (Stock Google) + GrapheneOS

• Secure an Android Device Blog
• Android Security Features Blog
• Madaidan's Insecurities - Android Blog
• Madaidan's Insecurities - Mobile Security and Privacy Advice Blog
• GrapheneOS: a OpenSource privacy and security focused mobile OS with Android app compatibility Blog
• GrapheneOS community Wiki
• Insider Attack Resistance Blog
• Google can't decrypt your locked phone with your Google Password Blog
• Android Privacy and Security Wiki
• Important Android Security mitigation's Reddit
• How Android Encryption works Reddit
• Storage Permissions Reddit
• Why "Magisk", "Xposed" & "Xprivacy(Lua)" don't work and are bad Reddit
• Wipe free space Reddit
• MAC address, serial number, IMEI, ANDROID_ID & Phone permission Reddit
• Cellebrire UFED extraction Reddit
• How Secure is your Android Keystore Authentication? Blog
• Gyrophone: Recognizing Speech From Gyroscope Signals Blog
• Why F-Droid isn't recommend for security GitHub
• a technical chat about Android with Daniel Micay
• Architectural decomposition and isolation of the Media Frameworks over time Image
• Data Driven Security Hardening in Android Blog
• Securing Android from any unauthorized individual or criminal Video
• Continuing to Raise the Bar for Verifiable Security on Pixel Blog
• Why does the F-Droid website nearly always host an outdated F-Droid apk? Forum
• CVE-2017-5947: OnePlus EDL triggering through ADB or Hardware Key Combination Blog
• CIS Security Benchmark
• NIST Security Technical Implementation Guide
• F-Droid InSecurity
• How private are Android keyboards?
• Waydroid or GrapheneOS? Reddit
• broken VPN
• Malware on the Google Play store leads to harmful phishing sites
• Attacking the Android kernel using the Qualcomm TrustZone
• Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android Applications

iOS (Apple)

• (2016) tfp0 GitHub
• (2016) Demystifying the Secure Enclave Processor YouTube
• (2018) A14's new memory tagging - "Memory Tagging and how it improves C/C++ memory safety" YouTube
• (2018) KTRR GitHub
• (2019) Recreating An iOS 0-Day Jailbreak Out Of Apple's Security Updates YouTube
• (2019) "What's in a Jailbreak? Hacking the iPhone: 2014 - 2019" YouTube
• (2019) Evolution of iOS mitigations PDF
• (2019) Examining Pointer Authentication on the iPhone XS Blog
• (2019) APRR GitHub
• (2020) sandbox profiles in iOS 14
• (2020) The core of Apple is PPL: Breaking the XNU kernel's kernel Blog
• (2020) PAN GitHub
• (2020) "Psychic Paper" GitHub
• (2020) Behind the scenes of iOS and Mac Security YouTube
• Billy Ellis YouTube Channel
• ARM assembly basics Blog
• Why are iPhones considered better for privacy/security? Reddit
• data minimization Reddit
• clear explanation of how tracking is changing in iOS14 Reddit
• Browser for iOS Reddit
• Cellebrite and case scenarios Reddit
• Apple's new security program Reddit
• Chances of backdoors in Apple operating systems Reddit
• iCloud data security overview
• Privacy Review - See the trackers hidden in your apps Blog
• Should I get an iPhone if I value privacy? Reddit
• iOS advantages Reddit
• iOS use an improved implementation of ARM's Pointer Authentication Codes (PAC), ensuring backward and forward-edge protection
• Complete W^X implementation in iOS via code signing
• how sideloading and third-party app stores would undermine iPhone security PDF
• CIS Security Benchmark
• NIST Security Technical Implementation Guide
• A Look at iMessage in iOS 14 Blog (Keywords: Blastdoor, Re-randomization of the Dyld Shared Cache Region)
• JITSploitation I: A JIT Bug | II: Getting Read/Write | III: Subverting Control Flow
• Page Protection Layer (PPL)
• iOS 16: restricted Userclients
• some resources about iOS/ MacOS system security
• Clone your finger - bypassing TouchID
• VPNs on iOS are a scam and somehow broken
• InAppBrowser.com - see what JavaScript commands get injected through an in-app browser
• iOS hardened allocator, called kalloc_type
• why ApplePay is more secure and private than GooglePay
• (A15 chip and above) Safari hardware security mitigation called JITBox
• Location Services Privacy Overview
• Lockdown Mode - a thread about what happens (also available for Apple Watch with watchOS 10)
• When does an old iPhone become unsafe to use?
• What if we had the SockPuppet vulnerability in iOS 16?
• Apple Health Privacy Overview - how the Health app and HealthKit protect your privacy
• App Tracking Transparency
• (iOS 17.0) features: Link Tracking Protection in Messages, Mail, and Safari; Communication Safety & Sensitive Content Warning; Photos privacy prompt improvements; Add-only Calendar permission; App privacy improvements; more secure Lockdown Mode; Privacy changes with Safari 17
• An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit
• Advancing iMessage security: iMessage Contact Key Verification
• Operation Triangulation: What You Get When Attack iPhones of Researchers
• Apple's iPhone 15 Under the C: Hardware hacking tooling for the new iPhone generation
• Bifröst: Apple's Rainbow Bridge for Satellite Communication
• Stolen Device Protection for iPhones
• how Apps abuse Push Notifications for Tracking
• App privacy report
• (A17 Pro chip and above) Apple Intelligence & Private Cloud Compute
• (iOS 18) Locked and hidden apps, Contacts permission improvements, Accessory Setup Kit, Rotate Wi-Fi Address
• (iPhone 16 / A18 chip and above) Secure Exclave like the M4 (and above) iPad Pro
• (iOS 18) Inactivity Reboot

Custom ROMs (like LineageOS, etc)

• Madaidan's Insecurities - Custom ROMs Blog
• Is LineageOS secure? Reddit
• LineageOS problems with firmware updates & user-debug builds Reddit
• Why can't LineageOS address its security issues? Reddit
• read what's wrong with /e/ aka eelo Blog
• avoid toxic CalyxOS Reddit
• ClearOS (Freedom Phone) is not great
• Problems with iodéOS
• Positon location service

CopperheadOS (Warning! Scam)

• Info about CopperheadOS Twitter
• CopperheadOS Bogus Legal Threat Blog
• Just a reminder that GrapheneOS is being sued by a company that has been harassing Graphene devs Reddit
• Unbelievable: Copperhead registered the grapheneos.ca and grapheneos.net domains and redirected them to their site Twitter
• ongoing attacks on GrapheneOS Reddit
• Log of someone who spent hours raiding the GrapheneOS chat channels with many accounts spamming Copperhead talking points and disrupting discussion admitting to being paid 10 EUR / hour by Copperhead. They quickly try making up an excuse but it's clearly not true. Log
• Log from near end of 12 hours of Copperhead spamming / concern trolling in our chat channels yesterday. They join with a new account matching a session of a couple previous ones use to spam, falsely claim to have found a vulnerability, dig themselves in a hole and openly troll via private messages Log
• Copperhead CEO has admitted to their new OS tracking devices including via device identifiers in the update system which are stored in databases mapping device identifiers to customers by their official phone sellers. It's a backdoor enabling targeting devices/users with specially crafted updates Twitter
• Proof of Copperhead threatening a PhD student for working on GrapheneOS with bogus legal claims. It also shows how they tried to get him in trouble with his university by framing it as him using their resources (which he didn't do) for copyright infringement (which didn't happen, it is open source) Reddit
• Archive of Copperhead CEO trying to get Ian Carroll (well known security researcher) fired for sending a single Direct Message to @CopperheadOS on Twitter with a middle finger emoji. He was able to DM them because they stole the account from the open source project and they hadn't unfollowed him Archive
• STATEMENT OF DEFENCE AND COUNTERCLAIM against Copperhead in their bogus lawsuit aimed at intimidating GrapheneOS and draining our time, energy and money. We're also filing a federal lawsuit against Copperhead over their fraudulent copyright claims and may take further action PDF
• Archive of Copperhead's early threats, ultimatums and false claims against the open source project. They threatened @yegortimoshenko for archiving it and attempted to get it taken down with a bogus DMCA. Be aware it's full of false claims. Compare the false narratives back then to their claims now Github
• Help spreading CopperheadOS scam Twitter
• History of GrapheneOS Website

Linux Phones (like Purism)

• Madaidan's Insecurities - Linux Phones Blog
• Linux in general is quite bad for security Reddit
• Librem firmware and hardware is not open source Reddit
• Librem security theater Reddit
• Linux phones are not automatically secure Blog