I see quite a few people claiming that Graphene OS is the only way to stay private on Android or that anything but Graphene OS is insecure. In this post, I will describe why I personally do not care for Graphene OS and some alternatives I would suggest.

First off, let’s address the security features of Graphene OS. A lot of the security of Graphene OS comes from AOSP itself. In fact, AOSP has a very good track record. If you get malware on your device, you most likely can just uninstall it. For reference, here is the Android security page: https://source.android.com/docs/security/features

There are some Graphene OS unique security features. For instance, it has a hardened kernel and restricts access. I think this is actually pretty useful but I haven’t seen a need for it much in the real world. The tightened permissions are nice, and I think that is the main benefit of Graphene OS over AOSP. It is also nice that device identifiers are restricted from a privacy perspective. However, from my perspective, you should not run apps that are bad for privacy. Running it in the web browser will be more secure than bare metal could ever be.

One place I strongly disagree with Graphene OS is the sandboxed Google services framework. They say having Google in a sandbox is more secure. It may be more secure, but it isn’t going to be as private as MicroG. The real benefit of MicroG is that it is community-built. It isn’t a black box like Google framework, and any data sent back is randomized. I think it is a mistake for Graphene OS not to have support for it, even if it is also run in a sandbox.

Another thing I have noticed is that Graphene OS prioritizes security above all else. That doesn’t mean it isn’t private as it itself is great for privacy. However, if you start installing privacy-compromising applications such as Gmail and Instagram, your privacy is quickly lost. The apps may not be able to compromise the OS, but for them to be used, they need permissions. To be fair, this is a problem that is not unique to Graphene OS, but I think its attempts to be closer to Google Android make it more tempting for people to stick to poor privacy choices.

I think other ROMs such as Calyx OS take the ethical component much more seriously. Unlike Graphene, it promotes F-droid and FOSS software like MicroG. Graphene purely focuses on security while Calyx OS focuses on privacy and freedom. On first setup, it offers to install privacy-friendly FOSS applications such as F-droid and the like. I realize that MicroG is not perfectly compatible, and some people need apps, but I think alternatives are going to always be better.

One of the most annoying parts about Graphene OS is the development team and some of the community. They refuse to take criticism and have been known to delete any criticism of Graphene OS. Not only that, they have a history of trying to harm any project or person they don’t like.

Here is a page that isn’t written by me that sums it up: https://opinionplatform.org/grapheneos/index.html I think their take is fairly extreme, but I agree with them in many ways. I also understand how upsetting it can be to be censored.

  • GlenRambo@jlai.lu
    3 months ago

    Graphene purely focuses on security while Calyx OS focuses on privacy and freedom.

    This seems to sum it up. Most people know there is a difference between privacy, security, anonymity and freedom. Especially if they are installing ROMs.

  • Mikina@programming.dev
    3 months ago

    This is the first time I’ve heard about microg. How is the app support with it? Can you run every app that needs play service? I have Google Sandbox installed only on a second Graphene profile, and use it for bare minimum of apps that don’t work without it, Bolt app, mostly weird MFA for work or package tracking apps I use once per month, while disabling most of their permissions. Will microg improve my situation in this case to be worth switching over? Does it work without root?

    • jet@hackertalks.com
      3 months ago

      There are some known issues: https://github.com/microg/GmsCore/wiki/Problem-Apps

      MicroG Requires system/root access (DOS does have a non-privileged version, but there are lots of warnings around it)

      In my experience GOS Sandboxing is a better experience than MicroG, the only thing you might gain from MicroG is safetynet spoofing which GOS refuses to do.

    • Possibly linux@lemmy.zip (OP)
      3 months ago

      It works with most apps. From a security perspective it needs a decent amount of permissions depending on how you configure it. Android doesn’t really expose root for security reasons.

      If Graphene OS works for you that is great. Just keep in mind it isn’t the only option. I really wish that Graphene had support for MicroG even if it meant running MicroG in a sandbox.

        • Possibly linux@lemmy.zip (OP)
          3 months ago

          Do you have evidence? Historically that was the case but I don’t think that is the common setup these days.

          I could be mistaken but from my perspective MicroG seems completely fine.

          • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
            3 months ago

            Since microG obviously doesn’t use the official Google Play Services binary, it has to spoof the signature of the app, in order to get other apps that rely on Play services to think that microG is in reality Google Play. Android usually prevents this by checking and enforcing an application’s signature, but it can be bypassed using root. This further decreases security, since it also bypasses any SELinux policies.
            Since GrapheneOS uses the official Google Play services binary and runs it in the Android application sandbox, the signature is still valid and no spoofing, and no root privileges are required. Running third-party code as root unnecessarily increases attack surface, and it completely destroys Android’s security model, which is based on the principle of least privilege (which is very common to see in cybersecurity).

            • Possibly linux@lemmy.zip (OP)
              3 months ago

              Well I personally can’t stand the idea of Google GSF. MicroG is the best option as it isn’t Google.

              MicroG also is very flexible on how it works. It is broken down into lots of different services.

              • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
                3 months ago

                Well I personally can’t stand the idea of Google GSF

                I can actually understand that, and I had the same thought when I started using GrapheneOS. But microG is just an open source layer that requires proprietary Google blobs in the background, which sits between the proprietary Google Play services library in proprietary apps and proprietary Google network services. You gain almost nothing from using it, while simultaneously increasing attack surface, due to microG’s requirement for root privileges.

                MicroG also is very flexible on how it works. It is broken down into lots of different services.

                Can you really control which parts of microG are active? This suggests the opposite: https://discuss.grapheneos.org/d/4290-sandboxed-microg/18

                From the thread:

                Signal is a perfect example where the app works fine without Google Play including with push but will not work correctly in a setup you proposed in the other thread of using it with FCM disabled. That breaks the app and it won’t get calls or push notifications anymore, unlike using it in a profile without Google Play

                (Yes, I know that the GrapheneOS Forum might be a biased source when talking about this topic, but I currently don’t have any way of testing this out with microG. If you don’t believe what the Graphene dev is saying in the forum thread, you can try it out for yourself)

                The only part of microG that I would really consider using is UnifiedNLP, together with a privacy-friendly network location service. There was actually a discussion about including UnifiedNLP in GrapheneOS, but I think there were some licensing issues. (GrapheneOS can’t use GPLv3 code. GPLv2, MIT and Apache are fine though). But Graphene’s SUPL & PSDS-based approach for obtaining location information currently works well enough, and they might integrate an open, privacy-friendly NLP like beaconDB in the future.

  • uzi@lemmy.ca
    3 months ago

    I am considering changing from GrapheneOS to CalyxOS. I have never tried CalyxOS, I’ve used GrapheneOS on 3 phones.

    I don’t install any apps that are not from F-Droid.

    Blind fans don’t realize this, but it is possible to implement so much security in software that people can’t use it due to too many repeated roadblocks in trying to use it every day. Is it possible to implement too much privacy?

  • refalo@programming.dev
    3 months ago

    My biggest problem with it (besides the people) is the fact that it still relies on Google’s proprietary black box “Titan” security chip. You know, the one that they pinky-promised to open source but never did.

  • TCB13@lemmy.world
    3 months ago

    Unlike others, Graphene has very strict requirements when it comes to devices to ensure you’re safe. As usual if you’re looking to have any security (Verified boot) GrapheneOS + Pixel phone is the only option. I really don’t get it how come people in places like this are okay with having a phone with all their personal data and logins without verified boot. Stolen / lost phone = game over.

    Calyx, for instance, isn’t as good as GrapheneOS, they do a lot of snitching on you (including to Google and Mozilla) and they overlook critical details such as this one allowing the OS to contact 3rd parties such as Qualcomm. More relevant information for you from here:

    XTRA is technology offered by Qualcomm Technologies, Inc. in the US and QT Technologies Ireland Limited in the European Economic Area to improve mobile device performance. XTRA downloads a data file from Qualcomm containing the predicted orbits of the Global Navigation Satellite System (GNSS) satellites. Using the XTRA data file reduces the time the device needs to calculate its location, thus saving time and battery power when using location-based applications. Newer versions of the XTRA software also upload a small amount of data to us. We use the uploaded data for purposes described in this Policy, such as maintaining and improving the quality, security, and integrity of the service. XTRA uploads the following data types: a randomly generated unique ID, the chipset name and serial number, XTRA software version, the mobile country code and network code (allowing identification of country and wireless operator), the type of operating system and version, device make and model, the time since the last boot of the application processor and modem, and a list of our software on the device

    Before you say this is the CPU’s fault, it isn’t, at least on its own. GrapheneOS also deals with this kind of stuff and has patches and options so you can block it.

    Other phone brands, let’s say Fairphone, just don’t make things right. Fairphone guys have been petitioned multiple times to open their platform and/or collaborate with projects such as GrapheneOS and CalyxOS so users can have private and secure phones but they don’t care.

    CalyxOS does support the Fairphone 4 however that’s only due to the persistence and reverse engineering efforts of the CalyxOS project / community. If you decide to use it you won’t have a secure bootloader anymore due to a bug in Fairphone’s firmware that they choose not to fix. That simply shows how “fair” the “Fairphone” really is and how permissive CalyxOS is.

    • ExtremeDullard@lemmy.sdf.org
      3 months ago

      Calyx, for instance, isn’t as good as GrapheneOS, they do a lot of snitching on you (including to Google and Mozilla) and they overlook critical details such as this one

      Okay, let’s unpack the pack of BS shall we…

      • Your first link points to a page where all the connections made by CalyxOS are explicitly listed and explained in detail. Pray tell: how do you interpret that as snitching?
      • Your second link points to a 3-year old, closed Git issue that ends with this: Resolved in CalyxOS 4.9.4, June 2023 Feature Update.

      Please go spread your FUD someplace else.

      • TCB13@lemmy.world
        3 months ago

        Your second link points to a 3-year old, closed Git issue that ends with this: Resolved in CalyxOS 4.9.4, June 2023 Feature Update. Please go spread your FUD someplace else.

        Let me be very clear about this: the issue isn’t that it isn’t fixed, because it is, the issue is that it happened in the first place and a complete failure like that simply does not happen with GrapheneOS.

    • jet@hackertalks.com
      3 months ago

      Fair phone talks the talk, but they haven’t walked the walk when it mattered.

      TRRP headphone jacks (not walking the walk)

      The bootloader issue you mentioned (not walking the walk)

      Deliberately using misleading language about phone support and security updates (OS updates vs hardware security updates)

      Don’t get me wrong, I WANT ANOTHER OPEN PHONE MANUFACTURER, right now there is only google pixel…

      • TCB13@lemmy.world
        3 months ago

        , I WANT ANOTHER OPEN PHONE MANUFACTURER, right now there is only google pixel…

        Yeah, that’s an issue there.

      • Vik@lemmy.world
        3 months ago

        Fully agreed on Fairphone. The mission is noble but the execution has been poor. I saw a recent interview with Nirav Patel, hoping against hope that framework would turn to phones next.

        In the end it seems the most degoogleable phone is the pixel.

        • TCB13@lemmy.world
          3 months ago

          The framework guys could turn into making tablets with open bootloaders, not the locked bullshit that all vendors from Samsung to Chinese brands like to do. Let’s face it, a lot of us want a tablet running a full OS, not iOS or Android and those locked bootloaders make it impossible.

          • Vik@lemmy.world
            3 months ago

            I think that would be a very reasonable next step for them for sure.

            With that said (and make no mistake, I’m no fan of apple), you can get a decent range of work done on an iPad, though I would love an open alternative.

            • TCB13@lemmy.world
              3 months ago

              I’m no fan of apple), you can get a decent range of work done on an iPad, though I would love an open alternative.

              I don’t doubt that but a full OS… is a full OS.

              • Vik@lemmy.world
                3 months ago

                for sure, enabling professional work where needed is all well and good, though you still need to consider the user experience with that form factor in mind.

                I kind of dread to think about using Linux DEs on a tablet. Maybe gnome would work okay. I’m not sure if plasma features a tablet mode. If so, I’ll want to check that out on the steam deck.

                • TCB13@lemmy.world
                  3 months ago

                  I kind of dread to think about using Linux DEs on a tablet. Maybe gnome would work okay.

                  I’ve an iPad Pro (1st gen, 2.26 GHz dual-core 64-bit, 4GB of RAM) with keyboard, if I could run Debian+GNOME on that thing it would completely replace my laptop. When you’ve a full keyboard that form factor is just as useful as a laptop. Not very powerful but good enough for a full browser and a couple of document processing applications and whatnot.

                  To be fair, I would even buy one of those Lenovo P12 Pro tablets with 8GB of RAM and 8 CPU cores if there was a way to run Linux. Those machines with those specs would most likely provide an experience as good as most laptops when paired with bluetooth keyboard and mouse.

  • Imprint9816@lemmy.dbzer0.com
    3 months ago

    I am not going through this wall of BS point by point but here is a fine example of how I know you have no clue what you’re talking about…

    One place I strongly disagree with Graphene OS is the sandboxed Google services framework. They say having Google in a sandbox is more secure. It may be more secure, but it isn’t going to be as private as MicroG.

    MicroG has privileged access to your phone, it literally has no privacy benefits over even standard Google Play. You are just choosing to trust MicroG with that level of access instead of Google.

    Honestly just don’t use GOS if you don’t believe in its benefits or at least sack up and post this on their official forum.

  • ExtremeDullard@lemmy.sdf.org
    3 months ago

    As a CalyxOS user myself, I was about to reply with some comparison points, and then I thought… Why bother. I’ll just get downmodded and dragged into another pointless argument with people who think it’s vitally important that they should be right and I’m wrong.

    So my take is this: whatever works for you.

    You like GrapheneOS? More power to you.
    You like CalyxOS? You’re a rockstar.
    You like IodéOS, LineageOS or /e/? Cool!

    What matters is not to run Google’s surveillance stack. That’s what’s important! Even if your deGoogled OS of choice isn’t quite enterprise-grade, it’s still 95% safer and 200% more honest than anything with straight Google on it.

  • lucasmz ∞@hachyderm.io
    3 months ago

    @possiblylinux127 This link you shared is interesting, the continuous attacks from their community are very obvious.

    One thing, I am listed as a GrapheneOS supporter which is HILARIOUS. I wish I could contact this guy, I think they might have gotten that from me defending somewhat GMS sandboxing because another guy was saying some weird stuff.

    • Possibly linux@lemmy.zip (OP)
      3 months ago

      Like I said I didn’t write it. I found the page linked on the F-droid forums. If you are looking to contact the author you could start there.

      • TheBigBrother@lemmy.world
        3 months ago

        There have already been several operations by three-letter agencies involving the use of “private devices”, I wouldn’t be surprised if this project was involved in some way. The operations are becoming more and more sophisticated.

        • ExtremeDullard@lemmy.sdf.org
          3 months ago

          I wouldn’t be surprised if this project was involved in some way.

          You still don’t elaborate why you wouldn’t be surprised. Have you seen something suspicious from the GrapheneOS people? Evidence of shenanigans?

          If GrapheneOS is sketchy, I’d really love to know. Honest. Even if whoever makes the allegations is clutching at straws: at least there are straws.

          Or can we safely assume it’s just a vague feeling you have for no particular reason?

          • TheBigBrother@lemmy.world
            3 months ago

            I didn’t have proof of it but anyway I didn’t trust anyone… trusting your whole data to some random individual, it’s a big red flag.

            • ExtremeDullard@lemmy.sdf.org
              3 months ago

              You know, in fairness I’m onboard with your line of thinking ultimately.

              But ask yourself: what’s running on your computer? Do you know all the people who supplied each and every bit of code on your computer?

              I run Linux myself: EVERYTHING I run is made by randos who decided to code something and give it away for free. And 99.99% of them ultimately have no motive other than selflessly give back to the community. This has been solidly proven for many decades and it continues to be proven.

              If you run Windows however, you KNOW you run an OS made by a for-profit with no principles and no regards for your rights and your privacy for the sole purpose of extracting as much money out of you as they can, directly or indirectly.

              Which one would you trust ultimately? Randos you don’t know but have an unbroken record of doing the right thing, or companies you know have a proven track record of trying to shaft you at every opportunity if they can get away with?

              Ultimately, it’s a question of trust. You seem to trust no-one. I submit that you should look at the actions of whoever supplies the software you use and decide whom to trust based on what they do, not what they say or what your guts tell you.

              In the specific case of GrapheneOS, Micay is an abrasive and toxic SOB (I know, not his fault, he’s on the spectrum, but that’s just an objective fact) and the community he created around him continues to be toxic to this day after he’s stepped down. And I disagree with some of the technical choices he made for GrapheneOS with respect to security vs privacy. But I would trust the software he writes any day of the week because he’s never done anything to prove me I shouldn’t trust his code. If he ever sneaks in analytics, ads, or some automatic updater that doesn’t ask permission in his code however, I’ll blacklist his ass forever in a New York minute. But he hasn’t, and neither have any of the GrapheneOS contributors.

              So if you think GrapheneOS works for you, you should use it because I believe it is trustworthy.

  • springonion@discuss.online
    3 months ago

    First off, let’s address the security features of Graphene OS. A lot of the security of Graphene OS comes from AOSP itself.

    So, I started off by hand-picking the security improvements that I deemed to be the most important but I came to the conclusion that my efforts were futile. There are just that many improvements across the board; the website is full of in-depth explanations, I highly recommend you check it out: https://grapheneos.org/features

    The argument itself isn’t very sound to me. All of these other operating systems are… also based on AOSP. So any improvements they make are also brushed aside? Let’s disregard the fact they often deteriorate the security of AOSP rather than improving on it…

    For instance, it has a hardened kernel and restricts access. I think this is actually pretty useful but I haven’t seen a need for it much in the real world.

    Here you go, the Cellebrite Premium documentation. This one’s from July this year, it shows they have no dice at GrapheneOS devices:

    https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation

    The tightened permissions are nice, and I think that is the main benefit of Graphene OS over AOSP.

    Also includes network and sensors permissions, alongside alternatives to the ordinary storage and contacts permissions in the form of storage & contacts scopes.

    However, from my perspective, you should not run apps that are bad for privacy. Running it in the web browser will be more secure than bare metal could ever be.

    Yes, an installed app does have more access than if the service was just running through the browser. However sometimes you may be forced to install the app, then you have to bite the bullet - but also remember you are given the tools to reduce its privacy impact. The aforementioned improvements to the permissions system allow you to tame even particularly hideous apps and profiles allow for even more isolation if desired.

    One place I strongly disagree with Graphene OS is the sandboxed Google services framework. They say having Google in a sandbox is more secure. It may be more secure, but it isn’t going to be as private as MicroG. The real benefit of MicroG is that it is community-built. It isn’t a black box like Google framework, and any data sent back is randomized. I think it is a mistake for Graphene OS not to have support for it, even if it is also run in a sandbox.

    Common misconception. Micro-G downloads and runs proprietary Google Play code for some functionality, and gives it privileged access too. Recommend reading this excellent forum post: https://discuss.grapheneos.org/d/4290-sandboxed-microg/11

    Another thing I have noticed is that Graphene OS prioritizes security above all else. That doesn’t mean it isn’t private as it itself is great for privacy. However, if you start installing privacy-compromising applications such as Gmail and Instagram, your privacy is quickly lost. The apps may not be able to compromise the OS, but for them to be used, they need permissions. To be fair, this is a problem that is not unique to Graphene OS, but I think its attempts to be closer to Google Android make it more tempting for people to stick to poor privacy choices.

    I think other ROMs such as Calyx OS take the ethical component much more seriously. Unlike Graphene, it promotes F-droid and FOSS software like MicroG. Graphene purely focuses on security while Calyx OS focuses on privacy and freedom. On first setup, it offers to install privacy-friendly FOSS applications such as F-droid and the like. I realize that MicroG is not perfectly compatible, and some people need apps, but I think alternatives are going to always be better.

    GrapheneOS doesn’t dictate what services you should use or what ideology to follow. We do educate users about the risks and also benefits some services have over others so you have the full picture and can make an informed decision. No one is stopping you from running a de-googled setup, which by the way is the default out-of-the-box experience on GrapheneOS unlike on many other mobile operating systems that do make connections to Google, that includes CalyxOS. You can run a full FOSS setup too, perhaps with the help of the excellent app store Accrescent that we have been outspoken about and provide a mirror for easy and safe installation. F-Droid functions no different and if you really want to, MicroG is possible to get up and running too. Though you might have to make your own build to give it the privileged access it requires.

    One of the most annoying parts about Graphene OS is the development team and some of the community. They refuse to take criticism and have been known to delete any criticism of Graphene OS. Not only that, they have a history of trying to harm any project or person they don’t like.

    I don’t know where that’s from. We’re happy to dive into technical debates and explain our line of thinking, valid issues are acknowledged as such and dealt with. Take the fairly recent dns traffic leak outside of the vpn tunnel for example. It affects Android as a whole, we developed and pushed out a fix for it.

    Here is a page that isn’t written by me that sums it up

    Looks like someone went off rails here and developed an unhealthy obsession. /shrug

    • Possibly linux@lemmy.zip (OP)
      3 months ago

      Your information about MicroG is out of date. Also it is completely customizable and can be configured how you see fit. That is the benefit of foss over proprietary software.

  • BobGnarley@lemm.ee
    3 months ago

    Micro G has to run on the root level. If that isn’t a concern for you then Graphene OS probably doesn’t fit your needs.

    • Possibly linux@lemmy.zip (OP)
      3 months ago

      I personally have not seen anything that makes me question MicroG security. Most of MicroG is rootless anyway

  • apotheotic (she/her)@beehaw.org
    3 months ago

    I’m getting two different arguments from you, and I can’t tell which one is your actual argument

    • grapheneOS is not as good as people think

    Or

    • people act like grapheneOS is the only option for a solid privacy experience

    To the first argument, it’s just kinda… Wrong? Grapheneos is very transparent about what it is and is not, and what it is is an excellent security focused os which can be a great basis for you to have a privacy focused experience as long as you don’t install spyware like Instagram and Gmail.

    To the second argument, yeah, I get that. People acting like it’s the only option are either misinformed, falling for bias, or intentionally being disingenuous. It’s very good, and almost certainly one of the best ways to have a privacy focused experience, but you’re not delusional if you want to use something else. There’s plenty of talented people building upon the already great basis that AOSP provides. But by the same token, community members being silly or fanatical doesn’t really make the operating system any worse.