Interestingly enough, almost all Android phone bootloaders can be unlocked. Especially Google's Pixel devices have an "unlock-friendly" bootloader: You can unlock it, install another operating system such as GrapheneOS and then even relock it to be able to use verified boot. Verified boot is an important security feature that confirms the integrity of the installed operating system on every boot (even for third party OSes assuming you relock the bootloader), thus preventing offline modifications or malware from persisting across reboots. You can also unlock the bootloader again, install the stock OS made by Google and relock it again. In comparison, lots of other Android phones (Samsung for example) are also unlockable, however you will not be able to lock the bootloader again, even when you install the stock OS again, because when unlocking the bootloader, a physical fuse on the circuit board of the phone will be tripped. This will also void your warranty. Some custom ROMs have been developed for phones with bootloaders that can't be relocked. These ROMs might provide better privacy at the cost of decreased security because verified boot is unavailable. It is a good idea to force the vendors to let the bootloaders be relocked after installing third party operating systems.
It may seem to be weird but... Google Pixel can be what you are looking for. You can install Graphene OS which is focused on security. You'll find list of supported devices at the bottom of the linked website. Additionally, you can watch The Hated One's newest video about Graphene OS.
Is seems to be very interesting project.
Yes, to deGoogle your phone you can't be using the stock -- deeply Googled -- OS. That said, please don't ever flash a Pixel with LineageOS. Please instead flash GrapheneOS. Lineage has immense security and privacy degradations. Graphene on the other hand offers the most private and arguably most secure mobile device on the market. I really can't encourage you enough to look into it. Not only for privacy and security, but also ease. Graphene offers a web installer that allows you to install the OS from start to finish by primarily just clicking a couple buttons in your browser. It's dead simple and near impossible to mess up so long as you follow the instructions.
I hope this helped, have an amazing rest of your day!
Hi there, long-time GrapheneOS user here. It seems to me that GrapheneOS is a great choice for your use-case. In my opinion the best!!
First of all, I'd like to suggest doing a little reading about app sandboxing on Android - sesms to me you don't really need a Work Profile for those apps and likely won't see any privacy improvements by doing so in this case.
I'm not sure why you don't think GrapheneOS is right for your use-case, and I don't mean to presume, but I want to assure you that it's a quality OS improving upon the security model of Android (where most others weaken it) without sacrificing performance or usability. Some custom OSes like LineageOS support microG, but this should be avoided if you're serious about security/privacy. GrapheneOS has the option of using Play services as fully sandboxed applications which fixes many compatibility issues with Play-dependent apps in a sensible way. I believe Google Maps and Telegram work fine without Play services, anyway.
My last piece of advice would be to be sceptical of YouTube as a means for education around privacy/security - it's really very hit-or-miss when it comes to the quality of a lot of the advice (it's mostly miss), not to mention the vast quantities of misinformation. I'd encourage you to read GrapheneOS's website which goes into a lot of detail about decision-making around the project which can help you understand the failures of many others to live up to their purported goals as "privacy" projects.
Good luck 👍
Please check your facts.
GrapheneOS does not ship with Play Services but they provide a compatibility layer to run it as a sandboxed app.
https://grapheneos.org/usage#sandboxed-play-services
Edit: typo
GrapheneOS now as a sandboxed compatibility layer that let you install Play Services without giving them access to your phone. I don't know if it works well and I don't know if Android Auto works with it because I don't use it, but I've heard good stuff about it being better than MicroG and the like.
According to MicroG documentation, they do not support Android Auto
Using Waze and "getting permanently away from Google" isn't compatible, unfortunately. Yes, you have the convenience of getting live traffic updates because Google track every step you (and all other users) do. An alternative that works well, has live-traffic and is privacy-friendly is Magic Earth.
I understand that not everybody can deGoogle, but you said "get permanently away from Google"
Proper Linux phones, which, although there's a lot of progress in the area, are nowhere near "average Joe material" and maybe never will be.
Another option would be a Google Pixel with something like GrapheneOS into it. But with Google now starting to use their own silicon, this might go the way of the dodo, as well.
My god! Game changer.
This article is particularly useful for ALL android users! It really clarifies that many banking apps are designed to only run on Google approved devices.
Now to get that banking app to
https://grapheneos.org/articles/attestation-compatibility-guide
"Banking apps are increasingly using Google's SafetyNet attestation service to check the integrity and certification status of the operating system. GrapheneOS passes the basicIntegrity check but isn't certified by Google so it fails the ctsProfileMatch check. Most apps currently only enforce weak software-based attestation which can be bypassed by spoofing what it checks. GrapheneOS doesn't attempt to bypass the checks since it would be very fragile and would repeatedly break as the checks are improved. Devices launched with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities so the era of being able to bypass these checks by spoofing results is coming to an end regardless.
The hardware attestation feature is part of the Android Open Source Project and is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to enforce using Google certified operating systems. However, app developers can use it directly and permit other properly signed operating systems upholding the security model. GrapheneOS has a a detailed guide for app developers on how to support GrapheneOS with the hardware attestation API. Direct use of the hardware attestation API provides much higher assurance than using SafetyNet so these apps have nothing to lose by using a more meaningful API and supporting a more secure OS.
"
https://grapheneos.org/install/web if you can follow this you can do it.
It's pretty simple just use the official cable you get from your pixel and also make sure your pixel is an unlockable non carrier version.
Sure, security and privacy are different things, but this is why OP is recommending GrapheneOS, instead of Google's Android - GrapheneOS has a lot of privacy controls which aren't present in stock Android.
For instance (just off the top of my head):
No Google Play Services, but it supports installing a sandboxed version of Play Services which has limited rights
It replaces the standard system webview and browser app with Vanadium, which is a privacy (and security) hardened version of Chromium. There's way too many patches to go into detail but it does stuff like removing all Google stuff from the code, disabling third-party cookies by default, disabling network prediction, metrics, article suggestions, WebRTC IP leaks, analytics and so much more.
Sensor and network network toggles
Per-connection MAC address randomisation (with DHCP flush between reconnection to prevent the network from potentially identifying that it's the same client).
I recommend checking out their FAQ, which goes into great detail explaining all the privacy and security features (as well as caveats).
No it doesn't anymore, its came along way with the recent updates. You can use google play services and framework without any security issues due to its sanboxing. https://grapheneos.org/usage#sandboxed-play-services
GrapheneOS has support for installing the official releases of play services as sandboxed and unprivileged application. This approach, unlike microg, doesn't ruin the android security model and provides substantially more compatibility.
Get yourself a Pixel 3a and flash GrapheneOS on it. It's the most secure and private mobile OS I know of.
Check out their subreddit for more details.
GrapheneOS is a really fantastic Android project that puts security and privacy first. Anyone truly serious about opting out of the big tech ecosystem should use it, and it's best experienced on Google's own Pixel devices.
It's all mentioned in Grapheneos installer: https://grapheneos.org/install/web#replacing-grapheneos-with-the-stock-os
there is an additional step to revert changes on the bootloader as well
They recently added a feature, Sandboxed Play Services, that may help you, instead of using microG: https://grapheneos.org/usage#sandboxed-play-services
I've not tried it myself, as I don't need it, but I read it's working pretty well, maybe you could give it a try.
See https://grapheneos.org/usage#sandboxed-play-services. It allows you to run Play services as fully sandboxed apps with no special access or privileges. Apps within the same profile use it so it enables broad app compatibility without sacrificing OS privacy or security.
Buy a pixel and load Graphene OS. I’m not confident that this solution will last forever though; I wouldn’t be surprised to see some sort of certificate validation on app installs in the future.
Because it's an insecure device that doesn't receive security updates since 2019: https://support.google.com/pixelphone/answer/4457705#when_updates&zippy=%2Cpixel-phones
https://grapheneos.org/faq#legacy-devices explains why it's not supported anymore (they used to).
I am not sure what you expect to find, but I believe GrapheneOS already provides a good description of it's features in comparison to AOSP (which is what CalyxOS essentially is). Did you read https://grapheneos.org/features already?
I would avoid Lineage OS it possible since it's a security nightmare. If possible, get a Google Pixel and flash GrapheneOS (maximum infosec but limited functionality) or CalyxOS (more functionality but lessened infosec). You can see which apps each platform supports at Plexus
GrapheneOS has very little in the way of performance/usability tradeoffs - see their Sandboxed Play services feature which is far superior to microG's insecure approach, and allows for broad app compatibility without sacrificing user privacy/security like microG. Much of what is claimed about "performance tradeoffs" is misinformation spread from toxic communities and "influencers" who likely benefit from discrediting GrapheneOS - a lot of it comes from a single misleading comparison video which tests GrapheneOS on a phone without even a proper SSD, using poor eMMC storage.
From the GrapheneOS website :
>LTE-only mode
>
>If you have a reliable LTE connection from your carrier, you can reduce attack surface by disabling 2G / 3G connectivity in Settings ➔ Network & Internet ➔ Mobile network ➔ Preferred network type. Traditional voice calls will only work in the LTE-only mode if you have either an LTE connection and VoLTE (Voice over LTE) support or a Wi-Fi connection and VoWi-Fi (Voice over Wi-Fi) support. VoLTE / VoWi-Fi works on GrapheneOS for most carriers unless they restrict it to carrier phones. US carriers other than T-Mobile tend to be missing these features due to us not including their proprietary apps.
>
>This feature is not intended to improve the confidentiality of traditional calls and texts, but it might somewhat raise the bar for some forms of interception. It's not a substitute for end-to-end encrypted calls / texts or even transport layer encryption. LTE does provide basic network authentication / encryption, but it's for the network itself. The intention of the LTE-only feature is only hardening against remote exploitation by disabling an enormous amount of legacy code.
As a general rule, it's best to avoid relying on normal calls and SMS.
I know this is such a minor thing, but it’d be really good if you could hyperlink most of the stuff mentioned here- Signal, Graphene OS etc just so that people who’s interest is piqued can have it easily accessible?
Graphene OS recommends against using anything other than inbuilt browser (Vanadium) or Bromite which are based on chromium.
Read - https://grapheneos.org/usage#web-browsing
Chromium has much stronger security like they explained. Using an unofficial fork of Firefox like Fennec is risky.
GrapheneOS offers substantial defenses against these kinds of attacks on the OS and apps. Defending against unknown vulnerabilities especially remote code execution bugs in apps and the OS is a major focus of the project. It's also focused on fundamentally improving privacy and security in other ways.
Please read through the overview at https://grapheneos.org/features. This only lists enhancements we offer compared to AOSP. You can see that this is a substantial focus including using our own entirely different heap implementation. Most of these attacks use memory corruption bugs, and most of those are heap corruption bugs. It's the whole point of our extensive work on https://github.com/GrapheneOS/hardened_malloc and other features. It certainly doesn't make you immune to exploitation, but it will often help to mitigate a generic memory corruption exploit targeting an app or OS component, alongside other changes.
Please read https://grapheneos.org/#history.
They forked our code and continue to copy our newer changes. They're fraudulently claiming to have created it and are selling phones with it for a lot of money. They're primarily dedicating their resources to harming us as much as possible, not building anything. They want to take our work, sell it, and wipe out the original open source project at all costs. I recommend looking at the other threads about it in /r/GrapheneOS. This one is about a very specific thing.
If you need MicroG, you get CalyxOS. The reason they don't do it is because it requires signature spoofing, which is a security risk. Another reason they don't allow it is because it requires many permissions to run, so again, has the possibility to be hijacked into something malicious. GrapheneOS has worked hard to harden android as much as they can, improving encryption methods, better sandboxing and much more. If they allowed MicroG or GAPPs it would greatly impact their main focus, extreme privacy and security. CalyxOS on the other hand, is more focused on improving privacy while not being to inconvenient, which is why they include MicroG out of the box and don't change nearly as much as the GrapheneOS devs do. Though, on GrapheneOS's website they do say they are trying to make it so MicroG could run as a regular app.
I think that's why there is Fennec in F-Droid. In any case, since it's on Android I would maybe just suggest Bromite as was also mentioned in PTIO (source) and I also lean onto GrapheneOS developer's explanation on the use case with regards to browsers in Android:
https://grapheneos.org/usage#web-browsing
As an alternative to the said password manager, I would recommend KeePassDX instead.
> Does it work on every Pixel phone? Even the latest?
The current recommended devices for longevity are pixel 3a, pixel 3a XL, pixel 3 and pixel 3 XL. Pixel 2 will likely be abandoned so that means no more updates. Pixel 4 does not have support.
> I’m a noob in android as I always used iPhones...
Android is very easy to understand, watch videos explaining the android operating system or run a android VM on your desktop to get familiar before you make the switch.
> Is it as full featured as Lineage?
That depends what features you're talking about. They both run on android 9.0 which comes with all standard android features. If you're talking about security features they have multiple differences.
> If so, why isn’t everyone (having a pixel phone) using it?
There's many reasons and I'll list them all below
They don't know it exists
They do not care about their privacy
They do not understand how to install it
They're using a locked bootloader version of the pixel like Verizon's version. (You need the google version of the pixel not a carrier branded one. Carrier branded ones lock the boot loader)
They want google app/google play services support (You need to understand that graphene OS/lineage OS with no GAPPS is going to be different than an iPhone, you're going to have to install your own app stores and some apps will not work since they rely on googles framework. Keep in mind many alternatives to these apps exist that are FOSS ie newpipe instead of the youtube app, and osmand instead of google maps.)
You can find more info about graphene here https://grapheneos.org/ or go to r/grapheneos
This is the first of it’s kind on Android and this project above many others deserves financial supoort especially since i’m pretty sure it’s all just being ran by one man the lead developer.
This is next level privacy we may never see again if it’s just not feasible to continue maintaining this for free.
Hey OP, I don't use what's app, but I do need some non-privacy respecting apps too on Graphene. I won't repeat stuff because u/FauxParrot already explained a lot in great details.
For this I use Insular from F-droid, which is a fork of Shelter/Island without telemetry or phoning home at all. And for other stuff like banking/entertainment, I have completely different profiles, but that won't really work for you as I'm guessing you need notifications and direct access to the app. At the moment, the implementation of sandboxed PlayServices works well, but I'd say the way to install it is not super practical. (But it will change in the future.) From Graphene website : >In the future, we'll have a client app for our repository so you'll be able to install and update the official Play services apps through that app and you won't need to deal with split APK installation manually. https://grapheneos.org/usage#sandboxed-play-services
Graphene is as easy to install as any other ROM, although I don't know how the process is if you're installing from Windows.
Lastly, if you're having issues, like u/FauxParrot said, CalyxOS will definitely be easier to configure for your needs, but imo, Graphene is worth the efforts.
I am personally using GrapheneOS, and they now have support for sandboxed play services, but I am a bit intense and I completely deGoogled and avoid all big tech so I have no need for MicroG / PlayServices. The only apps installed on my phone are opensource and sourced directly from F-Droid (or third-party repositories).
I am certainly not an expert, but if you have any question, feel free to ask me in PM
GrapheneOS is not slow. But here's some info about the exec spawning process which may cause some initial delay:
> GrapheneOS creates fresh processes (via exec) when spawning applications instead of using the traditional Zygote spawning model. This improves privacy and security at the expense of higher cold start app spawning time and higher initial memory usage. It doesn't impact runtime performance beyond the initial spawning time. It adds somewhere in the ballpark of 100ms to app spawning time on the flagship devices and is only very noticeable on lower-end devices with a weaker CPU and slower storage. The spawning time impact only applies when the app doesn't already have an app process and the OS will try to keep app processes cached in the background until memory pressure forces it to start killing them.
Their motivation is wiping out the open source project they've copied and turned into a product. They massively ramped up their attacked after we published https://grapheneos.org/install/web since their business model is dying. They're desperate. They aren't capable of building any of value themselves. They don't do actual privacy and security work. They copy us, fraudulently take credit for it and sell it as an expensive product with tracking. They also desperately want to cover up all the awful things they've done. They want to be able to lie about everything that happened unopposed.
Installation is straight forward and can be done in 10min from any Mac, Windows, or Linux PC. At worst, you will have limited functionality or non-functional apps that require google play services. These are few and far between however; even google maps works. Check out https://grapheneos.org/install for pixel devices, or lineageos.org for other handsets
It actually can hurt in regards to fingerprinting. If you're using a VPN you would preferably be using the DNS they provide. As for non-VPN users, one should preferably be using none or a popular resolver.
Buying a refurbished Thinkpad and installing a security-focused distribution of Linux is the route I would personally take here. Depending on how much convenience you're willing to exchange for security, the distro will change. For the vast majority of security / privacy minded, I would recommend any major Linux distro with full disk encryption (Fedora is my personal choice, Pop!_OS and Mint are also good). If you need to remain completely secure and anonymous (e.g. whistleblower under authoritarian rule), Tails is made for this.
For installation procedures of GrapheneOS, just follow the official documentation from the GrapheneOS team. https://grapheneos.org/install/
I would also be happy to advise you on how to secure your Linux system and FOSS replacements for closed-source apps / spyware on Android if you'd like, just PM me.
You can already use this Alpha release of our new Camera app.
Google Camera also works fine in a profile with sandboxed Play services. https://grapheneos.org/usage#camera doesn't yet cover out own camera app and probably won't until we include it as a replacement for AOSP Camera in a few weeks.
The update client checks for updates every 4 hours. It only checks when the configured constraints for battery and network type are satisfied. It doesn't implement any idle or overnight check.
I recommend reading the last paragraph in https://grapheneos.org/releases#about-the-releases about the release process and checking the list of releases on this page for up-to-date information on whether the release is in the Beta or Stable channels. You might be expecting to get an update to a release before it's actually available in the channel you have configured.
Release notes are published and announced before they arrive in the Beta channel, so that it's available for people to read when the update is actually pushed out.
Assuming:
>You've got a Pixel series device >Know some Linux (.deb has more detailed readme's) >Are willing to completely excise Google from the device...
Check out the GrapheneOS.
Things you'll lose:
>GooglePlay store >GoogleMaps >Gmail >Digital Assistant >Other (tbh if you're ready to fully degoogle, you won't miss much) [There's alternatives to all these]
I've been running GrapheneOS on Pixel 4 near a full year now. Love it! Some minor inconveniences, but I'll never go back.
If you only want to get started by uninstalling the Google branded stuff and use a non-google app store, I think you're looking for the "Aurora Store" or "F-Droid" (better).
> Versus all the Time and Work to buying a Pixel and installing Graphene.
Using our WebUSB installer only takes about ~20 minutes from start to finish with a few clicks of a button. Makes no sense whatsoever to pay so much money for a device preloaded with GrapheneOS. When you can simply install it yourself and help the actual project by donating to GrapheneOS.
https://grapheneos.org/faq#hardware-identifiers
No user installed app can access unique hardware identifiers. That includes sandboxed play services (I confirmed this in the matrix chat room).
As for what they actually see, I don't know exactly what, but since they don't get unique identifiers, I don't care
Well, the os and all info about it is up at https://grapheneOS.org. If you wanna improve your privacy more, check out [privacytools](privacytools.io) [r/privacy](reddit.com/r/privacy) [r/privacytoolsio](reddit.com/r/privacytoolsio) [r/degoogle](reddit.com/r/degoogle) and [r/grapheneOS](reddit.com/r/grapheneos).
https://swappa.com/buy/google/phones
Pixel 2 and 2 XL look like they're around the $150 mark. The phones are supported by /r/GrapheneOS but also have a thriving xda developer community with many ROMs to choose from.
> GrapheneOS provides production releases for the Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL. The recommended devices with the best hardware, firmware and software security along with the longest future support time are the Pixel 3a, Pixel 3a XL, Pixel 3 and Pixel 3 XL.
If you are still undecided on your device, you can get yourself a Pixel 3a and flash GrapheneOS on it. It's the most secure and private mobile OS I know of.
It's completely degoogled and far more security hardened, than LineageOS. And, by the way, it receives OTA updates, so no need for manual updates.
Check out their subreddit for more details.
It's a fully sandboxed app following the same rules as every other app. It can't do anything that Google Camera or another app can't do themselves. The whole point is that you aren't making sacrifices compared to simply installing any other app. Google Camera only requires GSF, not Play services and the Play Store. You can take away the Network permission via the toggle added by GrapheneOS for both GSF and Google Camera. You should try our modern GrapheneOS camera app first. There's a detailed guide:
https://grapheneos.org/usage#camera
You only need Google Camera if you need the particularly fancy features and we'll have many of those including Night Sight and Portrait mode likely within the next year via CameraX extensions.
GrapheneOS has a great modern camera app included out-of-the-box. It has far less need for Google Camera than CalyxOS. Our documentation has an extensive guide on using our camera app and a comparison to Google Camera listing the additional features it provides.
https://grapheneos.org/usage#camera
Google Camera only requires GSF. It doesn't require Play services (GMS) or the Play Store. Network access can be removed for both GSF and Google Camera.
Our recommendation for most people is using the modern GrapheneOS Camera app which replaced the legacy AOSP Camera app.
I know you've probably read it, but it's worth reading about why from the GrapheneOS team. Phones are a serious expense for some people, and I understand the desire to make the most out of your devices, but I'd recommend buying one of the supported devices if you can... second-hand they can be quite reasonable.
You can make a generic build of GrapheneOS and run that on any hardware with Treble. However, it will not longer be GrapheneOS...
> I have a quite old Samsung Galaxy A7 (2017) phone. Can I install Graphene OS to it?
FYI, the 2017 Galaxy A7 EOL was in February.
"A full port of GrapheneOS requires making releases for a device including updates (and hardening) for the device support code including the kernel, firmware, userspace components, etc." - d.m
Please read https://grapheneos.org/faq#future-devices as it explains the answer for you in detail.
> I know that a Google Pixel phone is recommended, that's not what I'm asking
Yes, we recommend only 4a5g, 5, and the 5a currently.
> that's not what I'm asking
Perhaps asking which devices are supported by the GrapheneOS project would be more appropriate?
Or
GrapheneOS.org has all the answers to frequently asked questions.
In this case:
https://grapheneos.org/faq#supported-devices
> My question is will I get a unable functioning phone after installing Graphene os? Or will it just not install it?
Short answer: (re: galaxy a7) why would you want to after reading this comment and https://grapheneos.org/ (as it outlines the purpose of GrapheneOS.)
Using microG requires having signature spoofing support, which lets apps bypass signature verification. With this in place there is no way for you to know that an app is actually what it say it is. I'd highly recommend using a pixel phone with Graphene and without microG. If you really need Play Services you can now install the sandboxed version on Graphene (https://grapheneos.org/usage#sandboxed-play-services). I'm using my banking apps on Graphene without play services or microG so this might work as well for you.
Don't use CopperheadOS, use GrapheneOS. GrapheneOS is what CopperheadOS used to be. CopperheadOS is now a proprietary project.
>The new product branded as CopperheadOS is closed source and not associated with the original project. They took our project's previous name and copied our legacy source code and documentation. Attribution to us has been stripped away and they pretend to be the ones who created it.
>
>They've essentially stolen the identity of our open source project and have invested substantial resources into misrepresenting GrapheneOS as being a new project. They've built a business based on taking credit for research and development not done by them. Substantial damage has been done to GrapheneOS through an organized campaign of misinformation and harassment.
Besides that your post is on point. Many Xiaomi phones are officially supported by LineageOS, that's already way better than stock rom, just don't install crap on it and you are good to go. Even stock rom is probably not going to be an issue: Imagine if it was found out Xiaomi tries to extract private keys from user devices... The shitstorm would be instant. Xiaomi is a business that is doing just fine in the past couple of years, they won't risk it all to get to your $5 worth of SHIB.
Both can be made fairly secure (iPhone is a bit easier) but if you want privacy then apple is clearly the winner.
If you are an absolutist then get a pixel Phone and load a new OS on it like GrapheneOS. https://grapheneos.org this route will be painful because you won’t have access to many of the most popular apps.
>How is Graphene able to re-lock the bootloader?
Because you install GrapheneOS's custom signing keys during the install process. It's something any ROM can do, but basically only Pixel devices can do it, so other ROMs seem to ignore this basic security feature because 99% of the phones they support can't do this.
>How does Sandboxed Play Services work?
In my experience, they pretty much don't ;)
To be fair, they are quite new and have probably improved a bit in even the last month since I last tried them. Basically you install the official Google Play applications, but Google Play isn't given any special system-level integration into GrapheneOS, making their security pretty great. You can read about them here: https://grapheneos.org/usage#sandboxed-play-services
The problem is that unlike MicroG which can use non-Google providers for a lot of data, like location APIs for example, you are still using official Google Play clients and connecting to Google, which is probably a no-no when it comes to privacy.
I'm looking to replace my Essential PH-1, it still works well but I want to have a plan ready in case I need a new phone. I'm eyeing the Pixel 5. I know there are a lot Android hardware manufactures but many of these companies have been flagged for spying. Google already spies on us enough, no need to add extra 3rd parties. Samsung I think is still concerned "secure" but does not run a pure Android install so they are out as far as I am concerned.
Personally I have been looking to install Graphene OS on my next phone which limit my options to their list here. The 5a is newer but going back to a "plastic" back and gorilla glass 3 after the PH-1 just doesn't sit well with me. Maybe the Pixel 6 will be better.
GrapheneOS has official production support for the following devices:
Recommended:
Pixel 5 (redfin)
Pixel 4a (5G) (bramble)
Pixel 4a (sunfish)
Supported:
Pixel 4 XL (coral)
Pixel 4 (flame
Pixel 3a XL (bonito)
Pixel 3a (sargo)
Pixel 3 XL (crosshatch)
Pixel 3 (blueline)
If you have an android device, its also possible to privacy-harden it by removing the Google Play Services Rootkit.
A way to do it is by installing an custom operating system, like GrapheneOS.
Or buy a phone that comes with it: https://shop.nitrokey.com/shop/product/nitrophone-1-199
They aren’t putting it in there, they’re giving people the option to do it themselves while making sure that it is completely sandboxed. It looks promising. I’ll be trying it when my Pixel 3 XL gets here this weekend.
GrapheneOS doesn't care if a phone typically ships with an Android OS or not but rather only about the actual functionality of the device with a strong focus on the privacy and security properties it can offer. Certain things are a hard requirement. For example, at this point, we consider it a hard requirement to have a well made secure element providing a compatible hardware keystore and encryption integration. The encryption integration is described in detail at https://grapheneos.org/faq#encryption and is needed to provide secure encryption for anything short of a high entropy passphrase (i.e. what most users will use in practice). It's also still nice to have even with a strong passphrase, and there are a lot of benefits from a proper hardware keystore. A lot of other things like proper IOMMU isolation for components (radios, GPU, media encode/decide, etc.), full security updates, Wi-Fi anonymity (much more than MAC randomization) and other things are also requirements.
We're in talks with some hardware vendors to try to get them to make devices suiting our needs. See https://twitter.com/grapheneos/status/1356385317952102400. We don't have shared goals with Purism and a lot of our approach / goals conflict heavily with what they do, so there's little chance of ever having official GrapheneOS support for their hardware. People are free to make unofficial support, of course.
> What I am trying to understand is how one flub on their post undoes the years of trust they have earned, so much that many people are running into the arms of companies that have never earned any trust…
Some individuals switched into the Apple ecosystem only because of privacy. When that suddenly looks to be headed in a bad direction the equation for competitors looks more appealing.
> (people going to Linux is fine, it’s the “well guys I’m going to buy a Samsung phone and a windows laptop now!” Crowd I’m talking about).
I'm personally looking at GrapheneOS, but a number of Android operating systems exist that prioritize privacy and security. I do agree that running into the arms of Google or Microsoft for privacy reasons is foolish, but those aren't the only options.
https://www.privacytools.io/operating-systems/#aosp_os
I already ran Linux on half of my machines, now I am considering if I will move to the M1/Apple Silicon machines or just slowly replace with Linux.
The biggest issue is that this signals a bad methodology for decision making at Apple. This is an anti-feature that provides zero value to the consumer buying it. If they introduced this system (with more details) and said it would allow us to do end-to-end encryption that would be an entirely different story. If they introduced it and it defaulted to on, but you could disable it manually that would be a different story.
>i was just curious even after all this isn't apple better in terms of privacy and functionality?
functionality ? maybe
privacy ? Definitely better on calyx or graphene.
> i also heard u can now run google apps on graphene via sandbox?
Yes, but it's still experimental.
>I tried lineage with microg honestly it was hard to use(limitations)
Hmm, what kind of issues did you have ? I used to run lineage from the very start (even when it was still CyanogenMod) and never had any issue.
I’m wondering the same thing. It’s not completely necessary for me but I don’t want to lose the convenience. With the google play sandbox thing it sounds like most apps will work. Just depends on whether they check safetynet or not.
Hardware Attestation seems to be older, so maybe most apps use that. This article on grapheneos’s website is good for reference but not too helpful for users who encounter problems, but developers who already use hardware attestation should be able to add grapheneos to their apps.
It's fully sandboxed like any other app and always has been. The only difference with https://grapheneos.org/usage#sandboxed-play-services is that the OS now provides a compatibility layer to coerce it into working that way. It only has access / permissions you provide it and only apps within the same profile can use it.
You have control over it like any other app. It doesn't work any differently. That's the whole point of the compatibility layer.
Signing into it is an option and it's entirely up to you what kind of account you use. Nothing stops you using a different one in different profiles. Apps can't communicate / share data across profiles and Play services sees each one as a separate device, just like any other app, because that's all it is on GrapheneOS: a regular sandboxed app.
Installing it doesn't grant it any additional access compared to the Play libraries included in each app using it.
We're implementing a compatibility layer to allow it to run in the standard sandbox, not the sandbox. That was always there and that's why it didn't work before because it expects to be deeply integrated into the OS with extensive privileges / access to the entire system. It's simply 3 regular sandboxed apps for us.
I'm not familiar with Sailfish. The reason why Graphene and Calyx prefers (and in Graphenes case only works on) Pixels is because it has some kind of chip as well as it allows to relock the bootloader after the install to get a full verified boot, so it gets more security. Lineage is being built for many devices which may or may not support relocking (or something similar, for example you have to sell your soul for Xiaomi to unlock the bootloader) so the install becomes more vulnerable. Lineage is more diverse. If you buy a Pixel at that point you shouldn't really bother with Lineage. But definitely read their documentation. https://grapheneos.org/faq#supported-devices
It's not a reimplementation of Play services and isn't something included in GrapheneOS. You can choose to install the official Play services apps, which receive no special access or privileges as they usually would in an OS integrating them. GrapheneOS won't use them and doesn't trust them. They run as regular sandboxed apps, like any other user installed app. The feature involves providing assorted shims to coerce them into working without any special privileges.
The only apps working that I use on GrapheneOS are Signal and Tutanota as well.
But in the last release note, we can see they're working on implementating the play services in a safe way (I guess) https://grapheneos.org/usage#sandboxed-play-services So it will help in that matter.
Hi u/erick2020x
Just a quick FYI.
The current recommended devices for GrapheneOS, may be found here:
https://grapheneos.org/faq#recommended-devices
The Pixel 4's End of Life is October 31, 2022, while the Pixel 5's End of Life is October 31, 2023
For more information on EOL's check https://support.google.com/nexus/answer/4457705?hl=en#zippy=%2Cpixel-phones
https://grapheneos.org/faq#device-support
"GrapheneOS has official production support for the following devices:
from a hardware perspective, once you take the operating system off a phone its just a processor, ram, storage, etc. i can't personally verify graphene claims so that's a whole different discussion but who makes your phone hardware is relatively meaningless in terms of privacy. are you giving google money? sure. if your goal is to avoid giving them any money at all then avoid the pixel+graphene route, but if you're ok with paying them for just hardware and giving them the shaft on their data collection methods then its a good option to have.
https://grapheneos.org/install/web
It is reasonably easy, even if you've not done something like it before.
I run Graphene and it is basically Android with no google anything anywhere at all. Looks the same, acts the same but doesn't leak your personal info like a colander with even more holes.
Downside, some apps don't work very well without the googly bits. Of course, most of them are trash like facebook and such.
It has never required you to have 2 of the supported phones. It only recently became possible to install from another phone at all.
Look at the officially supported platforms for installation listed for https://grapheneos.org/install/web and https://grapheneos.org/install/cli.
They're not at all successfully and they aren't actually trying to build anything useful. They're focused on grifting as much money as possible and using most of it to cause harm to us to help them with further grifting. There is no apparent long term plan. I needed to make these posts to draw attention to some of the things they're doing. They've massively escalated their attacks on us since we launched https://grapheneos.org/install/web and we really need this to end. They keep threatening our contributors and disrupting development in any way that they can.
If we can also talk about security,i'll just point out that according to the GrapheneOS devs Chromium-based browsers have the strongest sandbox implementation
A few months back I compared the existing ROMs, chose GrapheneOS and it's great.
The only downside is that they officially don't support a lot of devices (more). I bought a new phone to be sure it's gonna be stable.
No your device doesn’t meet the minimum standards of the project. There is no reason to support a device that will not offer meaningful privacy and security.
“Devices need to be meeting the standards of the project in order to be considered as potential targets. In addition to support for installing other operating systems, standard hardware-based security features like the hardware-backed keystores, verified boot, attestation and various hardware-based exploit mitigations need to be available. Devices also need to have decent integration of IOMMUs for isolating components such as the GPU, radios (NFC, Wi-Fi, Bluetooth, Cellular), media decode / encode, image processor, etc., because if the hardware / firmware support is missing or broken, there's not much that the OS can do to provide an alternative. Devices with support for alternative operating systems as an afterthought will not be considered. Devices need to have proper ongoing support for their firmware and software specific to the hardware like drivers in order to provide proper full security updates too. Devices that are end-of-life and no longer receiving these updates will not be supported.”
GrapheneOS is a hardening project to extend on the security model of AOSP without reverting it(which is what custom ROMs have to do almost always). With careful device selection designed around user freedom a secure variant of Android is possible. https://grapheneos.org/faq#future-devices
I have been using GrapheneOS and CalyxOS user for a while. I am a community moderator for GrapheneOS. I am very impressed with the AOSP Alliance. 4 Custom ROMs focused on security and sharing developments for their niches. That is the kind of work I like to see and support in the open source community. I have gotten to know most of the developers. Great projects. Worth looking into.
Firefox vs Chrome security has never been the hottest topic. I don't think many people have changed their minds lately or given much insight into their thoughts. It is mostly secure OS projects that are working with these browsers like Whonix and GrapheneOS that keep their users up to date on the state of security.
Fission is not a big issue on it's own, but supposedly it should help on the sandbox dismal state at least on Windows. Which is very encouraging. On Windows you can also force CFG Windows Security and it doesn't crash. I think Windows Firefox security is doing okay. The other ones are a different story. Will have to see how Mozilla laying off 250 employees effect this though
I love Vanadium. It is basically Chrome without the (albeit little) crud left and way better security. Vanadium has a very specific security and privacy model. I would suggest your read the Usage Guide and FAQ for GrapheneOS to figure out what they are about. It is very focused on correctness and not implementing anything that wouldn't hold up.
https://grapheneos.org/usage#web-browsing
Lineage also has a lot of security issues. I generally recommend a debloated stock. You keep verified boot, rollback protection, full sandboxing, remote attestation, and has accurate patch levels. Lineage doesn't take security seriously and if you can get stock in a state you prefer that is the way to go
Good summary but I felt that some parts are embellishments or should be done away with as they diminish other parts which are good summaries.
I will point out, they are most definitely not open, and their critical parts are not open source, but loosely based on some open source, kind-of-sort-of. If you start to redefine open source, you might be able to make it suit a narrative, but they certainly do not fit the spirit of openness, you cannot obtain or contribute to the source code of their critical systems today - one only needs to go and actually look at what is actually available for those systems to see what I mean, just have a look. On the contrary, the two As (Apple and Amazon) are the biggest leeches on open source.
Also it's worth nothing that the e2ee is not truly e2ee as Apple still holds the keys to decrypt your backups, and they hand those keys over to law enforcement on request.
Thanks for mentioning GrapheneOS, I've been hearing about it and only just started looking at it. From its main page I'm finding it very compelling - the combination of control and privacy. What would be nice though is some way of 'trying' it and fully understanding its limitations; like a dual boot.
That is the strongly preferred way of running Graphene, and it only runs on Pixel hardware. The Graphene installation process involves installing Graphene's own boot keys (to enable secure boot functionality) and re-locking the bootloader to prevent modifications.
You should look into it: https://grapheneos.org/
It's a security-focused project (unlike Cyanogen/Lineage), it's really perfect if you are worried about US gov. intervention. I don't know if you've heard of/followed CopperheadOS but it's by their former security researcher.
GrapheneOS doesn't allow you to root your device or sideload things like Google Play however by design, so you are stuck with manually installing APKs (or manually installing through F-Droid/Aurora Store). It's impossible to install an app store with auto-update functionality without root/sideloading it as a system app.
It's really the perfect solution for people who don't trust government actors and Google. If you do trust Google, your method is probably more convenient.
https://grapheneos.org/usage#default-connections
Other then that, it's up to you really, you can use any search engine you want. Graphene does not have any Google services so no location or other data is sent.
I have Pixel 2 XL myself, I recently installed GrapheneOS on it and it has no Google at all or at least no google services. Also check out r/GrapheneOS. Google does all kinds of surveillance, analytics and what not despite disabling their stuff but some of their services can't be disabled. Hence, if you don't need google stuff at all, GrapheneOS is the way to go : )
By reading https://grapheneos.org/install you won't have a problem. Pay special attention to using the latest platform-tools (fastboot and adb) from Google, and to update to the latest stock version before flashing Graphene. If you get stuck somewhere just ask around here and someone will help.
I don't see how it would be a bad thing to have another cloud backup option available as a normal app that people could install. It's not deliberate that that apps like Google Maps and Google Drive aren't available as options on GrapheneOS but rather they depend on the OS including hard-wired, special cased support for Google services which obviously isn't going to happen. If they simply worked as regular apps, without any OS support for them, then I wouldn't have any issue with people choosing to use them. It's up to the OS to provide a good app sandbox and permission model, which it does, and it's being substantially improved upstream and by GrapheneOS. If people want to use a Google service for something like this, that's their prerogative, and I don't think it's a worse option than some other centralized service like Dropbox. I would recommend that people locally encrypt anything they store on a service like that, but that's service-agnostic advice.
People do have options to use them via third party apps like NewPipe for YouTube and of course the web browser. GrapheneOS is obviously not going to do anything to stop people from using their chosen apps and services, and while it's going to recommend certain apps / services and recommend against others, that's going to be based on the actual facts and differences between them rather than convenient misinformation and dishonesty. You can see an example of this in the new usage guide being put together at https://grapheneos.org/usage#web-browsing. It contains an accurate and fact-based comparison of the available options with recommendations based on that.
> since it demands rare hardware features
What rare features?
> verified boot for third-party software
This is supported by many devices now.
> and current firmware. the moment a phone stops recieving android updates it'll stop recieving grapheneOS updates too
I don't think it would make sense for GrapheneOS to support devices without full security updates, where there are a bunch of known vulnerabilities in the firmware (including the radios, GPU, etc. exposed to remote attack surface) without patches available. Similarly, it's unrealistic to completely take over maintenance of all the drivers in both the kernel / userspace and other device-specific code in userspace despite that being possible. It would be a very poor use of resources.
As explained in https://grapheneos.org/#device-support, broad device support is simply not a goal of the project. The goal is developing privacy and security technology and making that usable. It's not aiming to be something that people install onto their existing devices to make them somewhat more secure. That's just not what the project is about.
Without root, you can disable them with pm uninstall -k --user 0 <name of package
. Guide: https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-acces.
To completely uninstall them, you will need to install a custom ROM/OS (e.g., LineageOS, GrapheneOS).
The whole point of that step is to avoid trusting the update server, but it's a server specifically for GrapheneOS updates, is kept up-to-date and only has SSH with key-based authentication and the web server. If you simply obtain the fingerprint from the install documentation and don't confirm it elsewhere, there's not much point, since https://grapheneos.org/ is a comparable server. The same applies to obtaining GPG. If you don't have it included in your OS or standard package manager repositories, it isn't really going to help, especially since you're trusting the installer for GPG and that could be compromised by an attacker instead.
If your bank's app doesn't work on GOS, ask them to use the hardware-based attestation API (which is also more secure than SafetyNet) and adding the public keys for GrapheneOS.
https://grapheneos.org/usage#banking-apps https://grapheneos.org/articles/attestation-compatibility-guide
I see. Yes, with the sandboxed Google Services this works way better now. Still has some quirks but this is the way forward. There will also be toggles to use the OS APIs instead of play services.
Also, there will be an app repository soon. Things are getting better all the time.
I also really like the recently released camera app. It's still early in the game but the picture quality is amazing already.
Our new Camera app is dramatically better than AOSP Camera including better performance and dramatically better image quality. The app is 3.2M and that includes all the CameraX portability workarounds for handling far more than Pixel devices. It has a very simple, minimal UI and isn't in any way bloated. It has no connection to the prior AOSP Camera app. The new app was written by GrapheneOS in Kotlin with CameraX. AOSP Camera wasn't made by GrapheneOS and we only had one trivial change to it.
Strongly recommend trying the app and taking some photos with it. Read https://grapheneos.org/usage#grapheneos-camera-app for a detailed guide. It's very minimal and doesn't have any niche frills. Features like a shot timer, exposure slider, wide angle camera support, lightweight HDR+, taking pictures during video recording, etc. are not niche frills. Most people who take pictures/videos regularly want this functionality.
Can I suggest, rather than buying a new phone, since you have a Pixel try installing GrapheneOS. It's easy to do, it will completely De-Google your Pixel to everything but the bare bones, and you can still install a few apps. Since it doesn't have Google Play it forces you to be very intentional about what you install.
They recently created a new default camera that takes advantage of most of the Pixel hardware and they're constantly working on it so soon it will be competitive with Google Camera.
To install, all you need is a chromium based browser, a USB Cable, and follow the instructions here: https://grapheneos.org/install/web simply clicking the buttons does the work for you, after you unlock the bootloader- which is easy and described in these instructions too.
The only caveat is it has to be a non-carrier locked Pixel. If you bought it through a carrier it probably won't work.
Those apps work fine on GrapheneOS. In fact, most apps which work on stock Android will work on GrapheneOS thanks to sandboxed Play services. To ask about specific app compatibility, I'd recommend asking in the community Matrix rooms in the off-topic channel - the community is friendly and helpful, and the devs often pop in to answer questions.
Hi u/sriawren
Please read these log entries explaining why Google allows for the bootloader to be unlocked:
https://freenode.logbot.info/grapheneos/20210421#c7725659
And:
https://freenode.logbot.info/grapheneos/20210518#c8057380
We have detailed info explaining this on our website:
> Devices need to be meeting the standards of the project in order to be considered as potential targets. In addition to support for installing other operating systems, standard hardware-based security features like the hardware-backed keystores, verified boot, attestation and various hardware-based exploit mitigations need to be available. Devices also need to have decent integration of IOMMUs for isolating components such as the GPU, radios (NFC, Wi-Fi, Bluetooth, Cellular), media decode / encode, image processor, etc., because if the hardware / firmware support is missing or broken, there's not much that the OS can do to provide an alternative. Devices with support for alternative operating systems as an afterthought will not be considered. Devices need to have proper ongoing support for their firmware and software specific to the hardware like drivers in order to provide proper full security updates too.
Notifications work fine on GrapheneOS. For apps relying on Play for notifications, see the Sandboxed Play services compatibility layer which is far superior to some other projects' insecure and non-private implementations.
GSF is part of the Play Store and there are 3 components you would need to install: https://grapheneos.org/usage#sandboxed-play-services Installing the Play Store is safe on Graphene since it's sandboxed.
There's a reason why GrapheneOS doesn't come with things like microG or enable signature spoofing. When microG is enabled apps can intercept each other's data via security flaws in it, to say the least.
Please read this thread for detailed information https://twitter.com/GrapheneOS/status/1437380576055541761
Also, for users convenience, GrapheneOS's website has a excellent guide on usage page explaining the how to install and use the sandboxed play services. https://grapheneos.org/usage#sandboxed-play-services
I think this should have you covered: https://grapheneos.org/usage#sandboxed-play-services
Just install the packages in order and you can revoke permissions after installing. You can install apps through Aurora Store (available on fdroid) to avoid having to log in to the play store.
CalyxOS is a good OS, however for your thread model I would go a step further and install GrapheneOS, which has more enhanced security (https://grapheneos.org/features). I have used both and have been quite happy with them, but stayed with GrapheneOS due to their features.
You can read more about encryption on Pixel phones here: https://grapheneos.org/faq#encryption Most of it holds true for all Pixel phones due to their Titan M security chip. Just be sure to turn off your phone while crossing boarders.
From what I read, graphene does not allow microg, instead there is a sandboxed layer with profiles https://grapheneos.org/usage#sandboxed-play-services
I tested graphene and it is slightly difficult to switch profiles and some apps didn't start.
I am not saying one is better than other. Just saying OP to try it and if its fits his usecase, fine.
Nope, it is not. From https://grapheneos.org/history/ :
>[...] In late 2015, a company was incorporated which became the primary sponsor of the project. GrapheneOS was previously known as CopperheadOS while it was sponsored by this company.
> [...] In 2018, the company was hijacked by the CEO who attempted to take over the project through coercion, but they were rebuked. They seized the infrastructure and stole the donations, but the project successfully moved on without them and has been fully revived. Since then, they've taken to fraudulently claiming ownership and authorship of our work, which has no basis in fact.
[...] After splitting from the former sponsor, the project was rebranded to AndroidHardening and then to GrapheneOS and it has continued down the original path of being an independent open source project. It will never again be closely tied to any particular sponsor or company.