The antivirus: Used to be good, decent free (in price) tool if you’re in a situation where you need one. Otherwise, Windows Defender is good enough for your needs. (And just don’t install goofy ahh apps on Android, you also don’t need one there).
The VPN: Same as any other VPN company. Chances are you don’t need one, and all of them are based fully on trust. “Least bad” VPN award goes to Mullvad.
NordVPN (and their entire service stack) is not trustworthy at all.
““compromised device”” in this scenario is any device with a chat app installed, push notifications on, and the chat service uses Cloudflare CDN. This is a very common setup, Discord and Signal were mentioned as examples. Many others are vulnerable for the same thing. With read receipts on the chat platform (like Signal), no push notifications are required.
The headline is sensationalist, but it isn’t something to be ignored. Especially for more privacy focused platforms like Signal, even leaking the country someone is in can be considered a risk. That’s effectively what this attack allows.
Lead dev of grapheneos is extremely toxic in communication. I don’t trust someone like that developing the software running on a phone.
EDIT: This comment seems to be particularly controversial, with many people praising GrapheneOS as a project, while ignoring the developers views and actions. Although my opinion of the main developer is negative, the project itself and its goals are great. To clear up some confusion, I want to add to my previous statement:
At first, this seems like the standard “separating art from the artist”, however, GrapheneOS is a ton of code, not just art. When it comes to other forms of art, like literature or paintings, an artist maliciously hiding their personal beliefs in their otherwise “unbiased” work might degrade the quality of the final result, but does not have much significant impact outside of that. When it comes to code, programs, OSes, this changes. The artist (programmer) changing their art (code) based on their personal beliefs is not just a degradation in quality, but a security risk for anyone running the code and trusting the developer. Having seen the way the GOS dev speaks about its community and even people in support of him (see Louis Rossman’s video), it becomes clear that the mentioned “risk” of malware is very much present. Like many others, I don’t have the time to verify the source code of an entire Android rom myself, which means I would have to trust the GOS dev to not insert anything malicious, after the statements he’s made. I’d have to trust him after he’s grouped a majority of his community into “people who are after him and are swatting him”. It’s a very real possibility that someone with beliefs like that would add malicious code to his project, and I’m personally not willing to run that risk.
Please note that I am not encouraging people to “go harass the dev”, that is an immoral action nobody should be doing. I am trying to inform people of the developers behavior online, past and current, so they can make a decision for themselves whether to run his software on their personal devices.
I have used Waydroid, mainly with FOSS apps, and although it has some rough edges, it does often work for just having one or two Android apps functionality.
Linux on mobile as a whole isn’t daily driver ready yet in my opinion. I’ve only tried pmOS on a OP6, but that seems to be a leading project on a well-supported phone (compared to the rest).