Posted by to3k 16 hours ago
If anyone wants this without GrapheneOS: https://f-droid.org/packages/dev.ukanth.ufirewall
If anyone wants this without GrapheneOS and without root: https://f-droid.org/packages/net.kollnig.missioncontrol.fdro...
I wish Europe would have forced that 10 years ago since the US is beyond saving.
Decompiling apps only works if you can get the app. I don't understand GP's problem with the apk format either, but you do need to break terms of service to get the files if you don't have a phone with Google services installed. Whether that's ethical or legal is up for debate
In regular use, main difference will be that /e/OS comes with access to the alternative cloud service that project provides. It uses the default FOSS solution microG for google api compatibility, unlike GrapheneOS with their sandbox approach. /e/OS sets on AppLounge to install and upgrade both play store or F-Droid apps. Graphene has a small curated app repo instead.
I'd never use GrapheneOS since I don't trust the project. /e/OS is also not my favorite since it feels like it is developing slowly, having had issues with outdated software versions - though it does work well in practice. Have a look at iode for an alternative.
Fair enough, you choose what you trust.
But personally, I have never seen a technical claim from GrapheneOS that was wrong or misleading. But I have seen many claims from /e/OS that were technically wrong or misleading. So I trust GrapheneOS more.
Then there is the drama, and all sides annoy me when they behave like this. But I have seen drama coming from all sides.
Sorry, I won't spend 30 minutes digging to find that :-). I follow /e/OS, GrapheneOS and (followed) Calyx. I have seen messages from all of those either on forums, Mastodon, etc.
Also, whenever GrapheneOS makes a technical point (which is often a blunt "GrapheneOS is superior because [...] does it wrong"), many users of those projects answer aggressively (and of course many GrapheneOS participate as well).
And on top of that, a lot of messages criticising some GOS people or the entire project and calling them "toxic" whenever GrapheneOS is mentioned.
I have no skin in this game, so it doesn't touch me. But I could understand that the GOS people feel "harassed" by this. If everywhere I went people said "have you seen this guy? I hear he's toxic", I would consider it harassment, I think?
You or other readers can check https://github.com/mozilla/ichnaea/issues/2065 for a public display on how GOS attacks work when they are mixed into technical debates, how they destroy any chance of cooperation.
Sure, you're free to do what you want. Just sharing my opinion given that I follow those projects from the outside.
> You or other readers can check
I guess what I am trying to say is that it takes multiple sides to argue.
For what it's worth, your link shows the founder of /e/OS engaging there. I have seen both technically wrong and misleading claims from the founder of /e/OS on Mastodon, then GrapheneOS explaining why they thought it was wrong on their forum, and then the founder of /e/OS calling them toxic and complaining about those attacks. And then /e/OS users would join the party and start attacking GrapheneOS, fully trusting those claims from the /e/OS founder. I can't really say that he didn't have any responsibility in the drama under those conditions...
Again, GrapheneOS tend to be blunt, but it doesn't make it technically wrong. And when the message is "it is unacceptable to us in terms of security", then it will be blunt anyway. I realised after years of using a phone I bought to Murena that my system (that they installed and sold to me) was entirely breaking the AOSP security model: it was signed with the Google testing keys and the bootloader was unlocked (and just couldn't be relocked, and anyway it wouldn't matter because of those keys that are not meant for production).
In other words, I bought a product to Murena that was unacceptable to me in terms of security, but genuinely thought it was better than Stock Android because of Murena / /e/OS marketing. I genuinely feel either they tricked me, or they didn't know it themselves. I have personally seen multiple /e/OS phones in a state where they were objectively less secure than Stock Android. I get that they don't like it when GrapheneOS says it, but that is not wrong.
For the security thing: It is wrong to claim that an unlocked bootloader completely breaks the android security model. If anything, it breaks one specific aspect, one that doesn't matter for many attacker models. Besides, on some phones the bootloader just can't be relocked, that's on the phone vendor though. Signing keys for bootloaders might just not matter if change detection was working or the bootloader was not relockable, but maybe I'm missing some specifics there.
So imho what you describe as catastrophic scenario likely wasn't one.
You seem knowledgeable about this, so I'll take the opportunity to ask: if I install a malicious app and it manages to escape the sandbox and alter the system, my understanding is that it will be detected next time I boot it (because the image hash won't match). Isn't that true?
> Signing keys for bootloaders might just not matter
Again a question, I haven't found it in the official documentation: aren't those keys the "system keys"? As in, if my system is signed with some keys and an app is signed with those same keys, doesn't it allow this app to get privileged permissions?
If a malicious app tries to alter the system in a bootloader relevant way, it would most likely fail. On those roms, apps don't have root rights, and users are even unable to activate a root account (part of why we need unlocked bootloaders in the first place to achieve user control over bought devices). But yes, as part of AVB system parts are hashed and a mismatch would be detected, see https://emteria.com/blog/android-verified-boot for a writeup.
For system apps, again two aspects. It's not that easy for an app to become a system app, it has to be moved to a specific place. Think about how the Gapps package is usually installed when you install a ROM, externally by the recovery system and not inside Android itself, that would be the reason. But yes, there are platform keys that the docs at https://source.android.com/docs/core/ota/sign_builds claim should be secret release keys.
About those release keys being also used for the system app verification, I think so. There are different keys on Android, like the release keys and the verity_key, but I think it follows from the docs that the release key is the one used to verify system apps (on modern Android versions).
It is debatable whether users not being able to exchange system apps then is a valid requirement for a FOSS Android distribution like /e/. But that position does exist, claiming users should build their ROM variants on their own with custom keys if they want to modify the system, to close this attack vector.
They're misrepresenting what has been said by GrapheneOS and also lack a good understanding of it themselves. They're definitely not a good source of information about this.
1. Is it correct that the secure boot protects again a malicious app escaping the sandbox and persisting into the system?
2. Is it correct that if the system is signed with the Google testing keys, then someone could sign an app with those keys and the app would get more permissions than it should (I believe it's called the "signature" permissions)?
That's not just a claim, this is an objective fact. GrapheneOS has a excellent track record when it comes to security, they have made several patches that got upstreamed to Android, etc.
GrapheneOS has been heavily analyzed by privacy and security experts who say it provides far better privacy and security. There's a large amount of real world evidence showing GrapheneOS very successfully defends against commercial exploits tools. /e/ has been heavily criticized for having poor privacy and atrocious security by many experts. /e/ doesn't keep up with basic privacy/security patches and misses many important standard protections.
> keep in mind that it is not an independent comparison
That's not true. It's an independent comparison and the site compares a lot of other software. Contributors to many of the projects compared by it submit issues to it which doesn't many it not an independent comparison.
> In regular use, main difference will be that /e/OS comes with access to the alternative cloud service that project provides.
GrapheneOS users have many cloud services available including suites from Proton and others. Murena services have poor privacy and security overall due to neglecting server security, updates and more. Their speech-to-text service being a thin wrapper around OpenAI sending this sensitive user data to them rather than doing it locally as our SpeechServices app does similarly to Apple (even Google has that as an option):
https://community.e.foundation/t/voice-to-text-feature-using...
> It uses the default FOSS solution microG for google api compatibility
Their approach with microG gives highly privileged access to Google apps/services by default. GrapheneOS doesn't include sandboxed Google Play by default and they're installed as regular apps. microG doesn't change the fact that the apps are using closed source Google libraries, which are still present with microG and have strictly more access to user data on /e/ than GrapheneOS with sandboxed Google Play. Sandboxed Google Play is an entirely opt-in feature people need to install. /e/ has microG set up where it downloads closed source Google Play components it runs with privileged access as the default.
> /e/OS sets on AppLounge to install and upgrade both play store or F-Droid apps
This is a strange merger of Aurora Store, F-Droid and more. It's very misleading and confusing for users.
> /e/OS is also not my favorite since it feels like it is developing slowly, having had issues with outdated software versions - though it does work well in practice. Have a look at iode for an alternative.
Neither /e/ or iodéOS keeps up with updates to Android, Chromium, firmware, drivers or the Linux kernel. Both mislead users with an inaccurate Android security patch level. iodéOS lags far less behind /e/ and doesn't have nearly as many privacy violating services and added privacy/security flaws but neither is a privacy or security hardened OS. Neither keeps the privacy or security of standard AOSP intact.
- If your phone is supported by GOS, you should go for GOS.
- If your phone is not supported by GOS, you should look carefully and compare between /e/OS and Stock Android.
I had a Fairphone 3, and after 5 years, /e/OS was outdated by 4 years w.r.t. the manufacturer updates. In other words, Stock Android coming from Fairphone was more secure than /e/OS on that Fairphone.
In my experience, /e/OS has a tendency to claim that they support everything, but they just can't, there is too much. And then they complain when GrapheneOS criticises the fact that some /e/OS users believe their phone is well supported but actually isn't. And GrapheneOS is not wrong: I realised I was in that case after 4 years with /e/OS.
Mine is running /e/ and reporting Android 13, which appears to be the last one Fairphone support. /e/ said it was too difficult to support 14 with the kernel involved. It's had continual security updates apart from the Android version.
Edit: Murena make it clear which phones are officially supported and which have "community" support.
This is not the manufacturer updates. I was talking about the manufacturer updates. I just checked and someone complained a few months ago and they updated them. Before that, they had not been updated in years on /e/OS, but they were up-to-date on Stock Android.
> Edit: Murena make it clear which phones are officially supported and which have "community" support.
I bought a phone to Murena, advertised by Murena, through Murena. It really felt like it would be officially supported, otherwise they should have made it clear that they advertise and sell something that they won't support, wouldn't you say? My feeling is that they just stopped supporting it after a while.
Also I would assume that "supported" means that it receives both the LineageOS updates and the manufacturer updates. Apparently they have a different definition of "supported" (which is fine, maybe it's just "we will continue sending you our own updates"). It's just that in my book, if I get more security updates with the Stock Android than with /e/OS, then Stock Android is more secure.
Nope, it doesn't receive most privacy and security patches. Users are being heavily misled about what's provided. First of all, the kernel is nearly entirely not being updated which is a massive portion of the privacy and security patches. Murena's devices have poor privacy and atrocious security including due to the failure to properly provide basic privacy/security patches. Their claims about what they provide need to be distinguished from what is actually provided. /e/ updates the patch level regularly to claim they provide the security patch backports but that doesn't mean they actually provided all of them. It's an arbitrary value and they don't set it accurately.
Fairphone 3 uses the end-of-life Linux 4.9 branch, Fairphone 4 use the end-of-life Linux 4.19 branch and Fairphone 5 uses the end-of-life 5.4 branch. Each was largely not receiving the upstream LTS updates while they were still provided but now they're not provided. An OS that's not receiving basic kernel updates is definitely not receiving security patches anymore, but they were largely never providing these updates in the first place long before the kernel branch or devices were considered end-of-life.
Similar to iOS and other operating systems, Android only backports a subset of privacy and security patches to older Android branches. Only Android 16 QPR2 has the full set of Android privacy and security patches. You aren't receiving all of the standard Android privacy and security patches if you're not on Android 16 QPR2. Many of the patches are also treated as optional and deferred as being mandatory far into the future. It's also worth noting the dates are misleading. Android's March 2026 security backported have been finalized for a while and up to August 2026 are available to ship by OEMs already but a lot more will be added to June 2026. February 2026 Android security patches are the latest with a public bulletin but not the latest available to ship.
Fairphone and especially /e/ also have very incomplete patches for firmware and drivers. /e/ also has major issues patching other components including the browser engine used by the OS for the WebView.
If you have an iPhone that's still supported, you have strong privacy and security. If you have a phone that's not an iPhone and not supported by GrapheneOS then you likely have a phone with atrocious privacy and security regardless of OS choice. If people can afford to get a secure device with years of proper support remaining then they should do that rather than using an insecure device with a sidegrade for privacy and security using a problematic AOSP fork. LineageOS is far less problematic than /e/. If people want to switch the OS to something else due to the OEM abandoning it or to avoid Google Mobile Services they should use at least use LineageOS which is less of a privacy and security downgrade from OS. LineageOS does not fully maintain the privacy and security of AOSP or fully keep up with updates but it's a lot less bad than /e/. Most alternate OSes are forks of LineageOS to reuse their work on hardware support and nearly entirely make privacy and security worse, not better, so why not use the upstream project instead?
> I had a Fairphone 3, and after 5 years, /e/OS was outdated by 4 years w.r.t. the manufacturer updates. In other words, Stock Android coming from Fairphone was more secure than /e/OS on that Fairphone.
It's important to note that an alternate OS depends on the OEM for firmware and in practice much more than that including kernel and driver updates. It's theoretically possible to replace the kernel and drivers with much different ones but it's not done in practice by alternate AOSP-based operating systems. If the device is abandoned by the OEM then you aren't going to have a secure device.
/e/ lags far behind on standard privacy and security updates everywhere but misleads users with an inaccurate Android security patch level along with many inaccurate privacy and security claims. LineageOS is much better than the fork of it by /e/ and does much less to mislead users, although it still has the inaccurate Android security patch level and many people still wrongly believe they're getting patches they aren't after the OEM dropped support.
I can confirm that I did, and was not very happy when I realised it.
/e/OS community talking about it: https://community.e.foundation/t/article-from-grapheneos-abo...
And then maybe this: https://eylenburg.github.io/android_comparison.htm
Hope that helps.
Sure they have hardened everything but realistically, that's not the main threat for your average user.
Their top contribution to android is the sandboxed Google Play, by far.
It's a misconception that GrapheneOS is focused on security over privacy. It heavily works on privacy features and the work on security features is entirely to protect privacy. There's widespread use of commercial exploit tools and GrapheneOS is proven to provide far better real world protection against those. Most alternate operating systems reduce privacy from AOSP and massively reduce security while GrapheneOS is preserving the baseline and heavily improving both side by side.
GrapheneOS is also very focused on usability and app compatibility, making sure to preserve those with the major privacy and security enhancements.
Tor Browser seems to be a project that requires multiple full time developers. I don't think GrapheneOS have the resources right now to do this alongside their OS development, device support and app overhaul plans.
Also please don't take this as any criticism of your suggestion, but there have been multiple 'privacy' browser projects based on Chromium for Android. It's a little frustrating that they couldn't collaborate some base like this to the open source community.
As far as I know none of these projects have tackled the JS fingerprinting problem. The most earnest attempts seem to be Brave and Firefox with the Arkenfox user.js, but they have their own problems. The basic issue is that JS gives websites far too much control over the user's device. The JS spec should have never allowed websites control over the clipboard (e.g. to disable paste), to know if the user is active, when the mouse is being moved, etc. Since it is too late now, short of disabling JS entirely, there will be usability tradeoffs, but I think these are necessary (at least optionally) in an OS like Graphene.
Unfortunately, browsers have often done too little, too late when it comes to privacy. For example, until recently, most browsers allowed third party cookies by default.
The "ideal android" in my head would just have a dynamic ruleset to patch/nop tracking libraries as the app loads, which as far as I know, nobody does that, eOS doesn't either. Kind of like Revanced but on steroids and built into Android.
I feel like you can't really fix android anyways, the design is just broken and if you care about security / privacy, you should just use everything in a browser or a Linux distribution.
Sure the work GrapheneOS does is valuable but it's like removing water from a lake with a bucket.
I feel like shielding the mess that Android is into something like an improved Waydroid with a mindset of "yeah let's keep it there and the sane stack for the rest" sounds a better approach to me.
Content filtering is built into the browser. GrapheneOS have always maintained that you cannot prevent an app from exfiltrating data, especially if it has internet access. Enumerating badness is an unsustainable approach they don't want to encourage. Instead they attack the heart of the issue with Storage Scopes/Contact Scopes/Network Permission/Sensors Permission etc. They allow aps to think they have full access when they do not, so you can control exactly what data they get in the first place. Maybe all of the other AOSP projects could contribute App Communication Scopes/Enhanced Clipboard Privacy and other things because this approach makes a lot of sense to me. Like preventing an illness instead of wasting energy treating symptoms.
>The "ideal android" in my head would just have a dynamic ruleset to patch/nop tracking libraries as the app loads, which as far as I know, nobody does that, eOS doesn't either. Kind of like Revanced but on steroids and built into Android.
Something similar was addressed some years ago as a feature request for GrapheneOS https://github.com/GrapheneOS/os-issue-tracker/issues/284. To summarise there was no way to do this without an unacceptable security cost to the OS, but this is sort of doable if you run your own userdebug build which you have the power to do.
It's badness enumeration which is an unworkable approach to providing strong privacy. It fundamentally can't provide it, only weak case-by-case improvements which are very fragile and trivially bypassed. It can also be done by modifying APKs instead of having a hooking framework within the OS heavily compromising security. You don't need the OS providing anything to use arbitrarily modified APKs. We also don't want to give apps a legitimate reason to ban GrapheneOS as opposed to being able to convince the tiny number of apps enforcing Google certification to allow it.
> GrapheneOS does not have an equivalent of ublock origin built into the OS which I'd consider step 1 of fighting the problem.
Enumerating badness by trying to list domains which are solely used for advertising, telemetry, etc. doesn't address any of the main privacy invasive behavior by apps which is done through their own services and server side contact with third parties.
uBlock Origin has the same problems in the browser but the rules within a browser are a lot more flexible than the extreme limitations of domain-based blocking whether any useful purpose of the domain results in blocklists not being able to include it or apps would break. Domain-based filtering is also far less usable in practice and is typically not per-app either.
RethinkDNS on GrapheneOS works far better than the domain blocklist in /e/ but it's not a strong approach to privacy and does not address much.
Apps can easily work around it and prevent the filtering, as can the SDKs. One way is doing server-side connections and another is using DNS-over-HTTPS for DNS resolution. Facebook has fallback IPs and DNS resolution in a growing number of their apps and can do it in their SDKs too.
Using a fundamentally unworkable approach that's increasingly becoming less useful is not how GrapheneOS approaches privacy.
> The "ideal android" in my head would just have a dynamic ruleset to patch/nop tracking libraries as the app loads, which as far as I know, nobody does that, eOS doesn't either. Kind of like Revanced but on steroids and built into Android.
This is another fundamentally unworkable enumerating badness approach which is not how GrapheneOS approaches privacy. GrapheneOS avoids apps getting access to sensitive data rather than trying to stop them sending it to specific places.
> I feel like you can't really fix android anyways, the design is just broken and if you care about security / privacy, you should just use everything in a browser or a Linux distribution.
GrapheneOS is a Linux distribution. Desktop Linux distributions have far worse privacy and security than GrapheneOS. The ports of desktop Linux distributions to mobile are largely losing even more security. That's a huge setback for privacy and security, not progress. They don't have similar privacy protections, don't have a similarly strict approach to privacy for default services and lack security to keep privacy intact. Using mostly or only open source software doesn't mean you don't need privacy and security protections. Aside from that, the open source mobile app ecosystem for Android and GrapheneOS is far better than it is for those operating systems.
> Sure the work GrapheneOS does is valuable but it's like removing water from a lake with a bucket.
GrapheneOS provides drastically better privacy and security than the desktop operating you think are better. It has a great open source app ecosystem available with lots of high quality apps. You're portraying it as if people must use privacy invasive apps but that's not at all the case. Plenty of desktop users are using apps like Discord where they can access the entirety of their data as opposed to GrapheneOS where it's a heavily sandboxed app with lots of user control along with prevention of coercion to get access via the scopes features we add for pretending to grant permissions while actually granting access to no files/media/contacts by default where it simply appears there are none until users explicitly opt-in to adding them.
> I feel like shielding the mess that Android is into something like an improved Waydroid with a mindset of "yeah let's keep it there and the sane stack for the rest" sounds a better approach to me.
Waydroid has far worse privacy and security from Android apps than running them on AOSP or especially GrapheneOS. It loses the Android app sandbox and permission model. It uses a very outdated fork of AOSP and breaks the privacy/security model through how it's implemented. It runs on top of a far less secure host OS with worse isolation for the apps inside it from the rest of the OS than exists on Android itself. Moving to a drastically less private/secure host OS while running Android apps in a much less private/secure way is hardly progress.
GrapheneOS does care about both, quite obviously. And GrapheneOS tends to say that if your security is bad, then it is affecting your privacy too. Whereas others say "sure, we break the Android security model by unlocking the bootloader and signing our system with the Google test keys, but your apps will contact Google through microG instead of the Play Services, so it's more private". Which is worth what it is worth...
I'm not sure Cyanogenmod had a marketing team that convinced me of anything when I first installed their rom in 2013 and explored my phone's capabilities with root. Accessing the sensor devices, inspecting what the different apps do, what the OS is doing, installing Xprivacy to provide fake data to tracking apps... none of that is possible on GrapheneOS, you can only use the Android APIs, same as on stock
Am I brainwashed by marketing?!
My point is that
1. If you care about privacy, you should care about security. If your email server is compromised and your emails leak in the public internet, then they are not private anymore.
2. GrapheneOS does care about both security and privacy.
> explored my phone's capabilities with root. Accessing the sensor devices, inspecting what the different apps do, what the OS is doing, installing Xprivacy to provide fake data to tracking apps... none of that is possible on GrapheneOS
I think you're talking about something like "freedom", here. GrapheneOS doesn't claim to give you the freedom to do whatever you want. In fact, part of the Android security model is to limit your freedom.
Which is not to say that you should not want the freedom to have root access on your phone. But if that's what you want, GrapheneOS is probably not it.
You can invert your logic as well: Why care about security without privacy? If your apps are leaking everything to the internet, what's there to keep secure. One could argue this is the essential dependency, not the other way around, since security depends on the threat model but, without privacy, there's no more secrets
> I think you're talking about something like "freedom", here
In part, as well as a means to an end, yes. (GrapheneOS uses this as well, since without the freedom to bring your own OS, they couldn't run on Google's devices. I would think we all enjoy having the freedom to do what we want with our own hardware.) Note also the part where it says "provide fake data to tracking apps": that's privacy which GOS doesn't offer but a user root device / any desktop OS would
Reminds me of https://xkcd.com/1200/
When you run an app on Android, it runs in a sandbox. Meaning that your social media app cannot access the files of your banking app by default. They are "sandboxed".
On a normal Android, the Play Services are installed as a system app. It is privileged app that has "system" access. A system app is not sandboxed.
GrapheneOS allows you to install the Play Services and the Play Store as "sandboxed" apps in that they run unprivileged, just like WhatsApp or TikTok or your banking app.
So running the proprietary Google apps in the sandbox is obviously more private than running them as system apps, wouldn't you say?
I agree there's some marginal benefit that sandboxed GApps need to prompt the user for permissions (rather than having privileged system level access) but at the end of the day, Google Maps will get GPS perms and Google will know everywhere your phone goes.
Sure, but that's the same if you run TikTok with microG (which will relay your data to the Google servers just like the Play Services) or in waydroid on a Mobile Linux. But you can't blame the system for what the apps are allowed to do by the user.
Take your Google Maps example: if the user wants to run Google Maps, obviously they will be sharing data with Google. It's very weird to blame the system for that.
What the sandbox brings is that for users who want to run the Play Services (because they want to run TikTok, knowing that it will share data with some servers, including but not limited to the Google servers through the Play Services), then at least the Play Services are not root on their OS. So then instead of running microG, you can run the Play Services and have the same kind of benefits.
Now if you don't want your apps to contact Google, then by all means, don't install the Play Services! But don't install microG either! And don't install Google Maps!
It's all about trade-offs, it's not an all or nothing situation. Sandboxed Play Services is better than privileged Play Services.
You're of course correct that we can't blame the system for choices made by users, but I do think GOS lulls users into complacency by focusing on the security angle only and encouraging users to install sandboxed GApps: https://grapheneos.org/usage#sandboxed-google-play
Sandboxed-Google-Play is not encouraged or promoted. It is suggested if you need apps only accessible via Google Play or needing Google services purely because it provides the maximum compatibility. GrapheneOS have always said that Android's strnegth is a large wealth of open source apps (many of which do not need Google). If more everyday apps (media streaming, taxi, food delivery & rewards, banking, government, social media) did not depend on Google, GrapheneOS would not spend the time, resources and effort that they have on sandboxed-google-play.
microG still forwards the requests to the Google servers. Not sure what you mean by "tracking APIs"? microG is a reverse-engineered, open source implementation of a subset of Play Services, right? It's not obviously a better option: for instance, some things that are supported in Play Services are not supported in microG, and microG sometimes breaks (because of changes in the API).
> allows you to select alternative Location Providers
GOS does that, too.
> I do think GOS lulls users into complacency by focusing on the security angle only and encouraging users to install sandboxed GApps
I don't get that. It does not encourage them to install Play Services, it makes it available. Because for many (most?) users, it is important to have it.
I am not sure what you are trying to say: is your opinion that there is no point in using an alternative OS (like GOS, /e/OS, LineageOS, IodeOS, ...) or are you trying to say that GOS is not the most secure/private alternative OS?
My opinion is that GOS is very successful at its own stated goal of having an extremely secure mobile OS that rolls out patch updates quickly. I think it's far less successful at protecting user privacy because — as you even admit, many/most of them will find their phones unusable with vanilla GOS and immediately follow the GOS user guide to install Google Play and help them securely upload their personal data to the world's biggest adtech firm.
I think iodéOS and /e/OS are more in line with what I want from a mobile OS.
I installed the Play Services right away, just like I installed microG right away on a LineageOS system (I don't know about iodeOS, but /e/OS comes with microG by default). In terms of privacy, I don't think it is very different: microG is an open source implementation of the Play Services, that also contacts the Google servers. Many will use something like the Aurora store, which is a client for the Play Store. Etc.
GrapheneOS has proxies, e.g. for the location service. They are doing a lot for privacy, that's very clear.
> I think iodéOS and /e/OS are more in line with what I want from a mobile OS.
And that's your right. I think that GrapheneOS is more secure, and not less private than those. Actually in my experience with /e/OS, it was less secure than Stock Android (though more private, admittedly).
And sandboxed Google Play services serve both goals -- it runs the service as a regular android service, not an exceptional one that has a bunch of extra permissions. So you can allow/restrict it as you seem fit, while not "getting behind" on features/apps that mandate it.
That's also why I don't keep anything important on my phone as I don't trust what's going on there despite having all the secure features that you would want.
Any privacy you have on a system is reliant on no one tampering with that system and on software behaving itself. Without security, you can't trust the system to implement any privacy.
You can't fix a lack of trust like you have in Android with technical solutions. The flaw in Android is fundamentally a social problem.
If you want something backed by objective data, my phone has an advertising ID built in the OS and my laptop doesn't. My phone had 100s of privacy scandals and my laptop doesn't have one.
I do applaud GrapheneOS don't get me wrong but I have a feeling that they are fighting a losing battle.
GrapheneOS provides far better privacy and security than a desktop OS. There's no such thing as an advertising ID built into GrapheneOS so it's a strange thing to bring up. There are plenty of privacy invasive things built into desktop operating systems and applications, including open source ones. They nearly entirely lack the ability to protect against apps and services being privacy invasive in the first place. They also have far weaker protection against exploitation.
You can find hardware identifiers exposed by Linux distributions more than by Android itself. That Google adds a nice sauce on top... yeah that's a sorry state of affairs, but an optional layer if you don't use the stock OS if it ships with Google Play
edit: but I appreciate looking it up nonetheless! I wasn't completely sure that I hadn't missed that Android (AOSP) includes this now as well
/e/OS (and similar "non-LineageOS" ROMs really) instead focus more on de-Googling. They're still generally security focused, but the priority is less "someone's after you" and more "corporate surveillance is kinda scary innit". The aim is less to avoid someone actively trying to drain your phone of data and more to prevent your phone from passively sending everything it can possibly find to the Big G's ad machine (as well as whatever other trackers get snuck into apps.) Because of this, they usually have better depreciation timelines and support a lot more devices compared to GOS who only support the Pixel line (which is an increasingly awful set of phones truth be told); their scope is much smaller.
Finally, it's worth noting that the GOS community is absurdly toxic to anyone doing anything privacy-related that isn't under the banner of GOS. It's extremely maximalist, tends to get very upset at other projects whenever they get attention (see sibling reply to this, where they pretty much melted down because an outlet dared to recommend a Fair phone+/e/OS) and the projects official channels have generally encouraged this sort of behavior. It doesn't really damage the software itself, but it's worth considering.
> it's worth noting that the GOS community is absurdly toxic to anyone doing anything privacy-related that isn't under the banner of GOS
What I have seen (and I am not involved in any of those projects) is that GOS does care a lot about security, has a higher quality in that regard than anything else, and tends to be blunt about "inferior" projects communicating about security.
Not that they couldn't improve their communication style, but usually when they call out technical limitations of other projects (e.g. /e/OS), they are right. And I mean the technical arguments. Then I have seen a bunch of drama, but to be fair I have seen those other communities show toxic behaviour towards GOS just as much as the opposite.
It feels like it is GOS vs "the others", because the others don't criticise each other, and GOS bluntly criticises when they see claims they find are wrong (I have seen claims by /e/OS going from misleading to downright wrong).
On my particular phone, after 5 years with /e/OS, the Fairphone updates were outdated by 4 years. In terms of security I would have been better with the Stock Android. It depends on the phone of course, because /e/OS tends to claim that they support everything and they just can't. Even on a phone that /e/OS supports well, GrapheneOS is superior, period.
But I agree, I could do without all the drama. I guess my point is that it goes both ways.
> GOS does care a lot about security, has a higher quality in that regard than anything else, and tends to be blunt about "inferior" projects communicating about security.
Two remarks:
- There's a difference between "blunt" and hostile or misleading. GOS (owners) are often the latter two from what I read, where by misleading I mean distorting reality about whom you should be protecting from and recommending you should never use anything else to reach your goals (as opposed to GOS' goals)
- They also reply when privacy comes up in other projects, not just security, but they treat it as though it's essential for privacy. Not everyone is running from an intelligence agency or cellebrite border checkpoints, some people just want a phone with as many open components as possible or want to lie to Facebook about which contacts are on their device. You don't need a locked bootloader and be prevented from accessing your own data for that (can't access /data on your own device on any official GrapheneOS build; which is fine if that's what you want, but not everyone's goals are the same)
OK, but would it be such a bad thing if most people's personal devices were pretty damn resilient to mercenary spyware by default? I really don't think the standards GrapheneOS are aspiring to are the problem with this picture.
With the current mobile OS landscape, getting away from ubiquitous overseas dependencies, constant tracking, and closed-source mandatory apps is, to me, much more direct-impact than protecting against this extremely remote chance of having an exploit, customised to my software stack, finding its way onto my device somehow. I'd much rather have the freedom to do with my hardware what I wish
Some people will prefer one thing, and other people another. Neither is a bad choice if it fits your goals and you know the risks of each one. So what I'm saying (and seem to be repeating over and over and over in any graphene fanboy thread) is that it's a choice, not a one-size-fits-all, and not a foregone conclusion (as GOS authors pretend it is, which this subthread started with)
In my case, it was a few months ago, so end of 2025.
I think it's just that they can't possibly support thousands of Android devices. I just don't like that they are not being very clear about it. You would think that buying a phone through Murena would guarantee some kind of support, but it actually doesn't.
I would suggest having a look at CoMaps, a recent fork of OrganicMaps :-).
https://archive.is/SWXPJ https://archive.is/n4yTO
The communities of several projects including /e/ have heavily engaged in spreading misinformation about GrapheneOS including fabricated stories about our team. They've even taken it to the point of repeated swatting attacks aimed at killing our team members. There are relentless raids on the GrapheneOS community platforms including our chat rooms where Child Sex Abuse Material, gore and endless harassment towards our team members including fabricated stories and harassment content from Kiwi Farms and elsewhere is posted.
LineageOS is degoogled unless you install google apps as a deliberate choice, so I don't really see any advantage or /e/OS or Murena over it.
> Securitywise it's hard to argue against them, although GOS tends to sacrifice usability in favor of security, which leads to odd decisions.
GrapheneOS doesn't make any major usability sacrifices for security. Privacy or security features with usability compromises are either opt-in or opt-out.
> Worth noting however is that usage of GOS is also seen as a signal in and of itself for the authorities that you may have something unsavory to hide
GrapheneOS is far more widely used than most alternate mobile operating systems and there's a lack of basis to claim that it's widely seen in the way you're describing in a way that other operating systems are not. In fact, they're largely conflating other operating systems with GrapheneOS because it's the most widely talked about and known about. They're calling devices GrapheneOS devices which aren't running it. In many cases it's not even a fork of it.
> have said that the OS is popular with organized crime
This is completely unsubstantiated and not evidence has ever been provided. On the other hand, it's known that law enforcement in Europe has widely sold devices to organized crime which they marketed by claiming they were based on GrapheneOS:
https://darknetdiaries.com/episode/146/
Using portions of our code doesn't make something GrapheneOS and marketing is also a different thing than reality. Most of what's claimed to be GrapheneOS in this context is not GrapheneOS but rather trademark infringement by forks or even non-forks.
> /e/OS (and similar "non-LineageOS" ROMs really) instead focus more on de-Googling.
Nope, /e/ always connects to multiple Google services regardless of configuration and gives highly privileged access to them. GrapheneOS doesn't connect to Google servers by default and avoids giving privileged access to installed Google apps via our sandboxed Google Play compatibility layer.
> They're still generally security focused.
No, that's definitely not the case. /e/ has absolutely atrocious security and fails to provide even basic security patches and protections. This is also part of why it provides poor privacy due to lagging far behind on privacy patches in addition to security patches along with being missing important standard Android privacy and security protections due to being far behind and not having it all set up. /e/ doesn't provide comparable privacy features to GrapheneOS Storage Scopes, Contact Scopes, Sensors toggle and far more not only the security features. /e/ isn't just not a security hardened OS, it's also not a privacy hardened OS. LineageOS has better privacy and security than /e/. AOSP has better privacy and security than LineageOS.
> Because of this, they usually have better depreciation timelines
/e/ doesn't provide proper updates for any devices. Many of the devices they support aren't getting driver and firmware updates from them even when they're available. They lag far behind on kernel, Android, Chromium (including WebView) and other updates too. They support many devices without kernel, driver and firmware updates available but they're usually way behind even when they are. /e/ simply doesn't care about providing basic privacy and security so they continue having people buy and use highly non-private and insecure devices lacking basic patches.
> Finally, it's worth noting that the GOS community is absurdly toxic to anyone doing anything privacy-related that isn't under the banner of GOS. It's extremely maximalist, tends to get very upset at other projects whenever they get attention (see sibling reply to this, where they pretty much melted down because an outlet dared to recommend a Fair phone+/e/OS) and the projects official channels have generally encouraged this sort of behavior. It doesn't really damage the software itself, but it's worth considering.
No, completely backwards. The massive amount of false marketing, misinformation and harassment engaged in by the /e/ project and community is what's toxic. The founder and CEO of /e/ and Murena openly spreads content from Kiwi Farms and neo-nazi sites. He directly engages in harassment towards the GrapheneOS team. Here's him supporting authoritarians smearing GrapheneOS by replying to threads about it linking to harassment content based on fabrications on a neo-nazi conspiracy site:
https://archive.is/SWXPJ https://archive.is/n4yTO
The communities of several projects including /e/ have heavily engaged in spreading misinformation about GrapheneOS including fabricated stories about our team. They've even taken it to the point of repeated swatting attacks aimed at killing our team members. There are relentless raids on the GrapheneOS community platforms including our chat rooms where Child Sex Abuse Material, gore and endless harassment towards our team members including fabricated stories and harassment content from Kiwi Farms and elsewhere is posted.
People should review https://eylenburg.github.io/android_comparison.htm which is a third party maintained comparison between AOSP-based operating systems which addresses many of the misconceptions you have about how GrapheneOS compares to AOSP, /e/ and other operating systems. You're not at all correct about what's provided by /e/ which fails to keep up with basic updates or provide the standard protections.
We can provide large amounts of further examples of the founder and CEO of /e/ and Murena participating in this harassment.
The attacks towards us including your libelous claims about us here are what's absurdly toxic.
> It's extremely maximalist
It isn't but rather is very pragmatic and focused on usability, robustness and compatibility alongside the major focus on privacy. The focus on security is to protect privacy because it depends on it.
To put it concretely, GrapheneOS recommends running all the proprietary Google apps in a locked "sandbox" so they can't read data on the phone outside the sandbox -- but obviously Google still gets to see everything you do in their apps. /e/OS tries to provide [largely but not entirely FLOSS] alternatives (e.g. their own Maps app, their own email, their own calendar) that make your phone usable out of the box without Google software.
Well, the actually scary part of google services is that they have this quasi-elevated access in your phone where it can do a lot of stuff ordinary android services just can't do. E.g. google maps' location sharing works this way (but don't quote me on that).
GrapheneOS managed to "put it back into the bottle", and it runs as a regular android service anyone could write, with the same rules applying. So you have much more control on what you allow it, and this will also limit what data apps relying on google services can leak about you.
Right. Something that GrapheneOS boosters often fail to mention. It's not like those guys at Google are just idiots and don't know how to make a hardened allocator. Android uses a different hardened allocator that is much, much faster and uses less space. GrapheneOS is slower and uses more memory.
Another tradeoff GrapheneOS makes is because of the way they configure the USB port makes it more possible that you will irreversibly brick your phone by accident. You could say that the USB management is the only really material difference between Android and GrapheneOS when it comes to a law enforcement search threat model, but that also comes with a tradeoff.
Good point about the USB thing btw. It's obvious to me and the reason why I go one step further and leave USB debugging always enabled now that there's this private key authorisation method anyway (it asks for computers whose key it doesn't yet trust), but indeed a lot of users might follow GrapheneOS' advice without realising
A common misconception is that people believe GrapheneOS is less usable than much less private and far less secure options but it's the other way around. GrapheneOS provides nearly perfect app compatibility when taking into account the per-app exploit protection compatibility toggle and sandboxed Google Play. Nearly the only apps not working on GrapheneOS are ones banning any alternate OS and a larger number of those work on GrapheneOS than elsewhere due to a subset specifically permitting GrapheneOS due to far higher rather than weaker security. Apps have legitimate reasons for being concerned about the poor security of many alternate operating systems but they're wrongly grouping it all together as if GrapheneOS.
/e/ lags weeks, months and even years behind on providing updates for drivers, firmware, the Linux kernel and more. They miss a large portion of the monthly Android security bulletins which are a limited subset of the patches in the first place but then claim to provide the latest patch level despite many of the required patches being missing.
/e/ has a supposedly private speech-to-text sends data to OpenAI and their own servers without obtaining explicit user consent to share sensitive data with a third party.
https://community.e.foundation/t/voice-to-text-feature-using...
They say the data is anonymized based on passing it through their own servers before OpenAI but OpenAI is receiving all of the user speech data under their usual terms of service enabling them to store and leverage it.
Fairphone lags significantly behind on OS updates and patches with only a small subset of what should be provided being shipped. Their hardware omits important security protections required by GrapheneOS which it uses to protect users against widespread commercial exploit tools. Fairphone doesn't provide upstream Linux kernel updates in practice which is a massive omission for their updates. Fairphone 4 has an end-of-life 4.19 kernel branch and the Fairphone 5 despite not being very old already has an end-of-life 5.4 kernel branch. Neither was providing the LTS revisions prior to end-of-life so from their perspective nothing really changed but it means it's a huge task for an alternative OS to provide basic updates since they'd need to port everything to a newer kernel branch.
/e/ does not provide similar privacy features to GrapheneOS such as Contact Scopes, Storage Scopes, Sensors toggle and much more. It focuses on bundling things which can be provided with apps such as RethinkDNS on GrapheneOS with a higher quality implementation. GrapheneOS delegates as much as it can to apps while focused on the core OS. If a feature can be done better with an open source app, we'd rather leave it up to that app and many provide privacy and security protections which apps cannot. For the most part, apps can't improve OS privacy and security. Enumerating badness via blocklists which cannot block anything that's dual purpose functionality is also a very weak approach to privacy which is increasingly less useful. The most privacy invasive behavior of apps is nearly all done through their own services which also provide their functionality. Among other things, /e/ uses this system for labeling app tracking and permissions which is incorrect and misleading as shown by this example:
https://reports.exodus-privacy.eu.org/en/reports/com.faceboo...
Facebook clearly doesn't have no tracking but rather this system only detects a small number of specific third party libraries they've decided are trackers. Those choices are often very questionable such as portraying even opt-in crash reporting as tracking because it used a third party library on their list. Meanwhile, Facebook's lite app supposedly has no trackers. The permissions list is thoroughly inaccurate and not how Android permissions work. The core permissions are opt-in with apps having to request them so listing those as if they're granted on install and mandatory due to being possible to grant is incorrect. Most of the rest have special access toggles which are opt-in for the sensitive ones or other toggles such as the battery optimization mode where Restricted stops apps starting themselves and delays those things until it's run by another app or the user.
Privacy requires providing privacy patches and strong privacy protections. It also depends on security which means providing security patches and strong security protections. GrapheneOS is heavily focused on all of that rather than simply treating not having bundled Google apps and services as meaning a private OS. There are also worse things for privacy than Google apps and services. /e/ sending speech data to OpenAI vs. Apple doing the processing locally as we've it implemented for GrapheneOS is a good example. Google at least has partial local speech-to-text support and a better privacy policy than OpenAI for the cloud portion. Avoiding Google apps/services is not the same thing as providing strong privacy.
https://eylenburg.github.io/android_comparison.htm
In short, GrapheneOS is vastly superior.
So it would follow that a valid privacy-respecting third option would potentially help Apple customers as well as Google customers.
Well, "Android" generally means either variant. I run GrapheneOS and I call it Android. If someone asks, I say I run Android, not GrapheneOS. Actually in terms of experience, it is Android to me.
But in a context where we oppose GrapheneOS to Android, then I think it's important to be clear. GrapheneOS belongs to the family of OSes that are based on AOSP (like Android, LineageOS, IodeOS, /e/OS, CalyxOS), while Android is itself a "subfamily" of that, including the Google Android, the Samsung Android, the Xiaomi Android, etc.
In a way, I personally feel like GrapheneOS is closer to Google Android than the Samsung Android is from the Google Android, if that makes sense. Moving from GrapheneOS to Google Android, I really don't see significant differences. Now Moving to a Samsung Android, I need to adapt a little.
All that to say, I really only make a difference when we are talking about AOSP-based systems as a distinct group, by opposition to "Android certified" systems. Just like it sometimes make sense to talk about GNU/Linux in specific conversations, but generally, we refer to a Linux distribution as "Linux".
My running watch is from a chinese company that I do not trust, so I lock down the permissions quite far. I like that Graphene lets me control the network permission and have offline maps that cannot report anything external.
Overall the most annoying thing is not being able to iMessage... I moved who I could over to signal.
Also the battery life is amazing because I keept restricting apps from background usage and the defaults already do a good job of that
Are there valid reasons to only support pixels?
https://grapheneos.org/faq#future-devices
GrapheneOS is partnered with a major Android OEM working on improving their future devices to meet our requirements. The first devices with official GrapheneOS support from them are planned for 2027. It takes time and resources to make reasonably secure devices. Future generations can improve further including adding hardware-based privacy/security protections unavailable on Pixels.
https://www.androidauthority.com/graphene-os-major-android-o...
It's just so damned convenient. And the recording of transactions on the phone saves me having to collect paper receipts.
I am probably going to switch back to a used old iPhone for "phone appliance" tasks, but keep around the Pixel for other things.
My main takeaway from the experience is that iMessage is an even bigger weapon than I thought.
As an aside, from the latest release notes: Sandboxed Google Play compatibility layer: add toggle for granting Play services access to ICC auth in order to support RCS with carriers requiring it for RCS in Google Messages including T-Mobile (see RCS usage guide)
The best thing would be to switch to Signal (Molly) for texting.
If anything, iOS seems buggier and less reliable, but I know (and am related to) a lot of people who insist on using iMessage/RCS, and I can't be missing messages.