I just installed Graphene on a new pixel. I've only used it for two days, but I got that same feeling of "finding buried treasure in your backyard" I got when I first installed Linux in 1999. I can't believe this amazing software is free in all senses of the word. It is a TON of work and they got so much right. The security and usability settings give all the grainular control I've known was possible and wanted for a long time.
I see some core team on this thread, so just wanted to say THANK YOU! Awesome job! Keep fighting for the users!
I'm totally the wrong person to offer recommendations on mobile, but so far it works very well for me, but then, I use almost no third party apps, and none of them are Play store only. My only complaint is the hardware (outside of their control).
csmattryder · 1h ago
I got it installed last weekend, really powerful mobile OS.
I did do about three weeks of research, as I worried that maybe a number of apps wouldn't run on it or needed some form of deep attestation. Didn't find much, OpsGenie and other work apps are happy with the GOS level of attestation provided.
Great to have Google kicked off the phone. So nice to shut off the network permission for any apps that only require an internet connection to serve ads.
One tip from me, if you came from stock Pixel: You can download the default Pixel sounds and set them up like it was. Have a look for "Your New Adventure" online, the message sound is "Eureka".
exe34 · 1h ago
> So nice to shut off the network permission for any apps that only require an internet connection to serve ads.
For those of us who aren't ready to cut the umbilical cord to the mothership, you can also root/firewall on normal android to stop this. In fact I choose to not be able to use banking apps in order to cut out the crappy ads.
morserer · 1h ago
Root, while more efficient, isn't strictly necessary. AdAway (FOSS, F-Droid) can run without root using the stock Android VPN backend.
lrvick · 2h ago
> I can't believe this amazing software is free in all senses of the word.
I wish that were true, but if you delete the 100s of binary blobs (many with effectively root access) copied from a stock donor vendor partition the phone won't function at all.
There is no such thing as a fully open source and user controlled Android device today.
morserer · 1h ago
It's not all grim. GrapheneOS utilizes IOMMU to isolate the baseband and sandbox the wireless components. Even with binary blobs, the wireless radios cannot read encrypted traffic.
Sure, it's not perfect, but it's still really, really good. Even with the binary blobs that are on it, Graphene phones have been impossible to unlock via commercial cracking tools since 2022.
Was there ever? And is the situation improving or worsening?
I am alright with things that allow for improvement, at least in theory
couscouspie · 1h ago
Anyways, we as informed consumers are hopefully all agreeing on striving for an open mobile OS and open hardware. For those of us, who consider themselves democratic, that is even an imperative.
bornfreddy · 1h ago
Not sure what the situation is with Librem, Pine and Joola/SailfishOS, maybe those qualify?
cherryteastain · 1h ago
This is also the case with mainline linux though. Good luck using Nvidia graphics with only FOSS components.
Even more FOSS friendly graphics vendors like AMD and Intel rely on binary firmware.
bowsamic · 19m ago
Indeed, mainline linux distros aren't free software either
dgan · 3h ago
do you need to access your mobile for bank accounts ? does that work ?
I'm always afraid of my phone getting stolen or losing it somewhere so I have a completely separate iPhone, which runs my banking apps. I keep that phone at home.
dotancohen · 2h ago
Depending on where you live, a burglary might be more common than a robbery. Why don't you just use the bank's website on your desktop computer (assuming you have a desktop computer)?
spaqin · 1h ago
Because in infinite banking sector's wisdom, logging into the website requires a confirmation with the mobile app.
bornfreddy · 1h ago
I'm in a similar position and I hate it. They somehow managed to convince themselves that if you issue tokens for 2FA within the mobile app it is still "two" factor authentication. Of course since you already have mobile app now, you can just use it directly (and there is no way to disbale that). So while webapp is 2FA, there is now a mobile app which is not. Good thinking.
ekianjo · 25m ago
Are there banks without such requirement these days?
exe34 · 1h ago
I've changed banks for less.
jakweg · 2h ago
It depends what banking apps you use. Some are available. From my observation major banks in Poland work just fine. You can pay via NFC using the mBank app if you need to. Revolut also works fine. gPay just doesn't work however therefore you cannot pay with this via NFC.
I use my Garmin watch to pay for all things in physical stores anyway, so no need for NFC payments anyway.
ZeWaren · 2h ago
I have a rooted Graphene on a Pixel 9, and the only bank which isn't working is Revolut.
shaky-carrousel · 27s ago
[deleted]
rahen · 2h ago
You shouldn't root Graphene, it breaks its security model and is certainly the reason why Revolut doesn't work on your phone. It works like a charm on mine.
lawn · 2h ago
In Sweden all the banking apps I've tried works, including BankID.
gf000 · 3h ago
As a single datapoint, revolut does not work unfortunately, so I moved back to the default pixel OS.
cyanwave · 2h ago
I can’t recall the switch, I believe it’s mem exploit protection. When disabled it typically fixes banking apps. You tried that?
senorqa · 2h ago
Revolut does work for me. They added support for GrapheneOS long time ago
1024core · 5h ago
Where do you get the apps from? Google's App Store?
mikae1 · 4h ago
Obtanium[1], F-Droid[2], Aurora Store[3] and FFUpdater[4] are some options. Signal self updates from the APK download[6].
I recommend putting proprietary Play Store apps grabbed with Aurora Store in the work profile with Shelter[5].
On the GrapheneOS forum you will see a lot of bad opinions about F-Droid, for example this:
> It doesn't matter that the app is trustworthy, because F-Droid are extremely incompetent with security and the apps you install from F-Droid are signed by F-Droid rather than the developer.
> If the app is only available on F-Droid / third party F-Droid repo, use F-Droid Basic and use the third party repo rather than the main repo if available.
>
> If the app is available on Github then install the APK first from Github then auto-update it using Obtanium. Be sure to check the hash using AppVerifier which can be installed from Accrescent (available on the GrapheneOS app store).
By the way, while GrapheneOS recommends Accrescent, I don't use it anymore because they can't even add apps like CoMaps, while some of the apps they actually added are proprietary.
prmoustache · 18m ago
>the apps you install from F-Droid are signed by F-Droid rather than the developer.
That doesn't seem like a con if you take into account the context: F-droid is not shipping pre-build binaries from the developper, it asks for a buildable project from the developper.
If the source repo of the upstream dev are compromised, so will be hid own binaries anyway.
tkel · 4h ago
Work profiles are inferior to separate user profiles, which are built-in to GrapheneOS.
Also "private space" is now available with Android 15 and can provide the same separation within a single user profile.
piaste · 1h ago
> Work profiles are inferior to separate user profiles, which are built-in to GrapheneOS.
Different use cases. User profiles are only active when you manually switch to them, while work profiles are active _alongside_ your main profile.
So for untrusted apps that you only use occasionally and on-demand (like the myriads of travel / shopping / random services apps), user profiles are great. For apps that you want to keep in the background, such as the proprietary messaging apps that all your friends use, a work profile is much nicer.
Unroasted6154 · 3h ago
Don't you have user profiles in Pixels? I can create another user an switch. Just not super convient.
Work profiles are actually pretty good good... For work.
shaky-carrousel · 3h ago
I put them in the private space. Is there an advantage on putting them in the work profile?
Happily2020 · 3h ago
Private space is identical to work profile. In the past, private space didn't exist and people used work profile instead as a workaround, but now that's not needed.
morserer · 5h ago
Aurora Store on F-Droid is a FOSS frontend for the Google Play Store that is a seamless drop-in. Requires no Play Services, nor an account.
homebrewer · 2h ago
It doesn't work for everything; one of the banks I'm forced to use checks for how it was installed, and Android for some incomprehensible reason is happy to report that to any application that asks (along with lots of other information like bootloader status and developer mode — you really have fewer rights to 'your' device than random applications).
After opening the application, it complains about being installed through an "insecure method", and bails. Reinstalling through Google Play magically fixes that.
These "security checks" are spreading like measles, so expect to see this sooner or later.
mschuster91 · 17m ago
> one of the banks I'm forced to use checks for how it was installed, and Android for some incomprehensible reason is happy to report that to any application that asks
That's because apps that aren't published just on the Play Store but also on other stores or for direct sideloads (for users running Huawei for example which doesn't have Play Store) need to be able to detect the installation method to do updates on their own if there is no backing store.
bboygravity · 4h ago
But than the apps you download (your banking app) require play services right?
So then what's the point of having a Play Store without Google Play services?
gf000 · 3h ago
GrapheneOS managed to make Google play services into normal android services, without higher privileges that they have on other android systems.
I am personally more than okay with using the official, proprietary GP services from time to time if they abide by the same rules, especially that I can make these rules as strict as I want.
ThePowerOfFuet · 3h ago
Many apps claim to require Play Services, but all my (several) bank apps work perfectly on GrapheneOS. No notifications because they rely on Google, but that is more feature than bug in my books.
Signal brings its own notifications, so they work perfectly.
The only app which was broken to the point of unusability was Too Good To Go, which demands that you pick locations on a map which relies on Play Services; the manual city entry is broken.
I use Google Maps only in Firefox Focus, but I've heard that builds of Google Maps up to about a year or so ago didn't rely on Play Services, and with Aurora Store you can manually enter a build number to install.
tl;dr: 10/10, fabulous experience.
easyKL · 3h ago
Need the Maps data, the satellite picture, or StreetView? All these past years this WebView wrapper have been working like a charm https://f-droid.org/packages/us.spotco.maps
anthk · 3h ago
Uh GF uses TooGoodToGo, I might try if it works with MicroG and the companion app which appears at FDroid (can't recall now the name, but it appeared with Droidify and some repos). It must be a Play Services API placeholder out there too.
Install Droidify, enable the repos, and install "microG Services" and "microG Companion".
I agree. I love using Graphene OS. Came for the security, stayed for the lack of bullshit.
sierra1011 · 4h ago
GrapheneOS? On a Pixel? You must be one of those criminals
/s
haloboy777 · 2h ago
Arrest this individual
sandreas · 4h ago
Happy long term user, great project. Here is a list of Open Source Apps, I use to replace Google stuff:
Aurora Store - Anonymized frontend for Playstore
F-Droid - Open Source App Store
Obtainium - App Store for other sources (e.g. github)
Organic Maps - Open Source navigation (not as good as proprietary ones though)
SherpaTTS - Text to speech for Organic Maps
PDF Doc Scanner - Little Trickster, Open Source document scanner
Binary Eye - Barcode reader
K9 Mail / FairMail - Mail client
LocalSend - Cross Platform File Transfer
Syncthing Fork - Catfriend1 Syncthing fork to sync files
VLC Media Player - media player
KOReader - ebook reader
Voice - Paul Woitaschek, local audiobook player
AudioBookShelf - Remote audiobook player
Immich - image backup
Fossify File Manager - file manager
Substreamer / DSub - Audio streamer for navidrome self hosted server
OpenCamera - Open Source camera app
I wish I had this list from the start... Hope it helps someone :-)
pedro_caetano · 2h ago
Worth mentioning that Fossify also has an amazing Contacts and Calendar app (using both right now on Android 15).
> Organic Maps - Open Source navigation (not as good as proprietary ones though)
Note that a community fork done by some core contributors was just spawned: CoMaps [1]
> K9 Mail / FairMail - Mail client
And now there's Thunderbird, which is branded version of K9 Mail IIUC (I don't know if there's any reason to switch from K9 Mail to Thunderbird for existing users)
for someone who doesn't want to replace Google services, does it still make sense to move to Graphene?
other8026 · 1h ago
Absolutely. You can basically get almost the same experience as you would on a stock OS device, but with much better privacy. On the stock OS, Google apps get privileged access, so they can still access photos and your camera and all that, but what people don't realize is that their privileged access also includes things like usage data, hardware identifiers, etc. Using Google apps on GrapheneOS makes a lot of sense.
The only problems you might run into would be some features might require privileged access, things like Now Playing. Makes sense because normal apps cannot have unrestricted access to the microphone like that. Google Wallet works, but you cannot make payments because the app refuses to work on alternate OSes.
Besides that kind of stuff, though, I've used all sorts of Google apps without issues.
ovalanche · 7m ago
True privacy is such a rare commodity these days. It’s a breath of fresh forest air to enter an OS unwatched, allowing your mind to be free.
Not to get too deep, but contemporary philosophy posits that our phones have become extensions of our brains (not only theoretically, but literally! See e.g. Andy Clark and David Chalmers, “The Extended Mind,” 1998). Our devices have access to profound parts of our lives— our habits, friends, desires, notes, thoughts… With something this fundamental, it’s vital to have privacy.
Thank you, Graphene team, for all the hard work you do.
lollobomb · 55m ago
I am a long time GrapheneOS user, amazing project. One thing that is not clear to me is the support for NFC payments. Las time I checked, NFC payments on Graohene didn't work at all, but I am reading on this thread that some users do manage to pay via NFC? Did Iget this right? Mind explaining how?
I do not use banking apps (I only use banks that allow me to log in via browser using a 2FA which is not a proprietary app, like a FIDO key or other physical dongle), but do I get it right that Revolut would allow me to pay via NFC in this case? Is this something geo-dependent?
prophesi · 23m ago
The issue isn't with NFC. It's passing the Play Integrity check that app developers optionally can use to prevent devices that don't pass the check from running their app, or remove parts of its functionality. IIRC I don't think any custom ROM's can pass the check. So you might be able to pay via NFC with a banking app if they don't implement the Play Integrity API. For Graphene's thoughts on the matter (2024):
Last I heard, Google discontinued publishing device trees and driver binaries for Pixel devices with their recent changes to their stewardship of the AOSP [0]. Was it something definitive or are they merely delayed? If the practice is being discontinued, what would be the reason why? Doesn't publishing these artifacts create a business case for customer demand for the Pixel devices? Or is there some cost that outweighs the benefits? Is it maintainer overhead?
I didn't bring this up when it was a news story last month because there was a lot of cynicism in the thread, but I am genuinely curious. I am really grateful for both GrapheneOS and Google for creating a phone platform that Just Works for the essential stuff and that I can reasonably recommend to non-technical people!
Android 16 no longer provides device trees for Pixels as part of the Android Open Source Project. It's important to note it doesn't provide those for any other devices. There are no other OEMs providing similar AOSP support. A few OEMs publish more basic device trees for older Android versions. This was Pixels losing one of their advantages compared to non-Pixels but it was never one of our hardware requirements, which are listed at https://grapheneos.org/faq#future-devices. It isn't part of why Pixels are the only devices meeting our requirements. We're working with a major Android OEM to change that though, hopefully for 2026 or at least 2027.
GrapheneOS typically ports to new yearly Android releases in a couple days and tends to have it reach the Stable channel in under 2 weeks. We completed our initial port to Android 16 in a similar time period after the release on 2025-06-10. However, we then had to reimplement device support in a similar way to how we would support a non-Pixel device. Our initial production release based on Android 16 was published on June 30th. As usual, we had to spend around a week making a series of releases fixing regressions reported by users. It reached our Stable channel on July 8th.
Since our port to Android 16 took significantly longer than usual, we backported most of the Android 16 firmware, all of the kernel drivers and parts of the userspace device support to our now obsolete Android 15 QPR2 branch and did a few more releases based on Android 15 QPR2 where we were able to provide the full 2025-06-05 patch level which also turned out to be the full 2025-07-05 patch level due to no vulnerability fixes in the July 2025 Android Security Bulletin or Pixel Update Bulletin. This was an unusual approach and not generally a reasonable way of doing things. We were able to do it successfully.
It won't be nearly as much of an issue going forward since we dealt with building the new automation we needed. Our port to Android 16 QPR1, Android 16 QPR2, Android 16 QPR3, Android 17, etc. shouldn't be nearly as difficult and we should get back to our typical porting time for major releases.
notachatbot123 · 3h ago
> We're working with a major Android OEM to change that though, hopefully for 2026 or at least 2027.
Quite a lot of detail on this comment, thanks for that!
But I'm still left a bit confused about the future devices GraphaneOS will support:
Because you said discussion are being done with an OEM, will GraphaneOS switch from pixels to a different device?
You also said that not having the device tree won't be a major hurdle in building GraphaneOS for the future, does that mean we can expect the pixel 10 to have GraphaneOS or it's too early to know ?
Thanks again!
wishfish · 1h ago
As you're working with the OEM, I hope you'll consider a model which will come with either an IPS screen or is compatible with a 3rd party IPS replacement.
I bought a Pixel 9 Pro Xl specifically to use with GrapheneOS. Unfortunately, its OLED and my eyes were incompatible. The PWM on the screen was terrible and I had to return it after some headaches.
Of course, none of that was the fault of GrapheneOS. I absolutely loved using it and think your project is vital.
71bw · 4h ago
Is it now possible to build a custom release of graphene for any of my non-Pixel devices or will that, again, bring graphene ninjas to my abode?
minimalist · 6h ago
I suppose this means that supporting future Pixel devices will be more difficult? If someone has the ear of anyone at Google, especially someone who works with Android, please share this cause with them!
poisonborz · 2h ago
The comment above was describing in great detail how this is not the case and after some initial effort should prove no difference at all.
NewJazz · 7h ago
I heard unsubstantiated rumors that it was somehow antitrust-related. If they are selling off their device business (again), then it makes sense that the device drivers would not be part of AOSP...
strcat · 7h ago
> If they are selling off their device business
Android and Chrome are potentially going to be split from Google:
Pixels are no longer the Android reference devices. An Android company ending up with the OS, Google Play and Google's OEM partners wouldn't need Pixels. That's a possible reason for the change. However, the simplest explanation is that they're continuing to take cost cutting to an extreme where it negatively impacts their long term revenue far more than the money it saves. A lot of Pixels were sold due to first class support for using other operating systems including it not voiding the warranty.
sebtron · 5h ago
I have used LineageOS [0] for a few years on my old phone, and last year I got a Pixel 4 and I am using Graphene on it. Both systems work well and I am really glad they exist; Graphene gets extra points for its extremely easy installation process. Unfortunately it seems Graphene is already phasing out support for the Pixel 4 [1], so I'll have to switch back to Lineage at some point.
The only technical limitation I have encountered using these ROMs is related to GPS: my position is often lost and I need at least multiple minutes to gain it back (or sometimes it never comes back, depending on where I am). This is likely related to not using Google's location services, even though I have turned on all settings like using WiFi / bluetooth to improve the location accuracy. I tried every advice I found online, without luck. Somehow the issue is a bit worse on Graphene, as my position is lost every time I close the Maps app, but it may be related to the phone and not the OS.
>The only technical limitation I have encountered using these ROMs is related to GPS: my position is often lost and I need at least multiple minutes to gain it back (or sometimes it never comes back, depending on where I am). This is likely related to not using Google's location services, even though I have turned on all settings like using WiFi / bluetooth to improve the location accuracy. I tried every advice I found online, without luck. Somehow the issue is a bit worse on Graphene, as my position is lost every time I close the Maps app, but it may be related to the phone and not the OS.
Pixel 8 works amazingly with Graphene's new network location feature. Position fixes are SO MUCH FASTER. It is truly a gamechanger. First it was Wi-Fi only, but they just released cellular location as well. They provide a proxy to Apple's location services.
throwaway-0001 · 8h ago
The main missing feature is password under duress that would open a different “user”. So even if you’re forced to give away your password they won’t get to the real account (some hidden profile or similar).
At least hidden profiles would be good enough for basic protection.
GrapheneOS community manager here. The problem with something like this is that it cannot be reasonably hidden when it would be exposed by someone using basic tools. Our Duress PIN/Password feature doesn't make any attempts to mask itself, precisely because we think doing that only gives people a false sense of security.
We think there's a good chance a motivated adversary is going to be familiar with GrapheneOS and its features, and the more mainstream it becomes, the more this can mean "your abusive significant other" rather than someone at the border.
The moment people know this feature exists, it can become dangerous even if you don't use it. You can be threatened to unlock, and even if you do, the adversary can choose to not believe you since they can think you're just hiding it. That puts you in a dangerous situation where they think you can provide something that's literally not there.
It's a very difficult problem to solve, and we don't think that proposal can solve it.
YoumuChan · 7h ago
I hate to say this but I don't foresee Graphene being "mainstream". Most users will stick to the stock ROM. The most "mainstream" custom ROM Lineage is only installed on 0.04% of Android devices as of 2023 [1]. Even if Graphene appears in some mainstream news, I highly doubt any ordinary person can recognize it when they see one.
If the threat model is hiding from random people, I think a hidden profile works very well.
Now let's talk about motivated adversary as you put it. Hidden profile and wiping are not either-or, they can coexist. If one is really targeted by a motivated adversary, it should be apparent in most cases, and the targeted person can choose to enter the wiping PIN instead of the secondary profile PIN.
Now if one is targeted by a really motivated and threatening adversary, I don't think wiping PIN is any better than secondary profile PIN. The moment one chooses to wipe the phone, the adversary could be triggered by the action and harm the victim anyway.
GrapheneOS isn't a project that plans to be an aftermarket OS forever. In fact, we're currently working with an OEM to have their devices have official GrapheneOS support. This can mean devices being sold with GrapheneOS without someone even having to install it.
We're of the opinion that there's a growing portion of the population that is becoming more security and privacy conscious, and that's reflected in our userbase, which has been growing consistently over the last few years.
We're not saying we're going to have iPhone's marketshare, but we're constantly growing.
>Now if one is targeted by a really motivated and threatening adversary, I don't think wiping PIN is any better than secondary profile PIN. The moment one chooses to wipe the phone, the adversary could be triggered by the action and harm the victim anyway.
Yes, but at that point, the data is irreversibly rendered inaccessible. There are situations where the data itself is the most important factor, and where the owner of the device being hurt doesn't benefit the adversary now that the data is gone. Of course, as with everything, it depends on one's situation, but the duress PIN feature doesn't involve trickery. It's a way to reliably and quickly do a very specific thing.
dotancohen · 2h ago
> we're currently working with an OEM to have their devices have official GrapheneOS support.
It's a long shot, but please see if you can get this vendor to include an EMS stylus like the Samsung Note devices and S Ultra devices. That is what is keeping me on Samsung, and I will be one of their first customers if they have an integrated EMS pen.
crossroadsguy · 6h ago
> In fact, we're currently working with an OEM to have their devices have official GrapheneOS support
Oh god, yes. Please! I can't wait to leave the walled fruit garden, but can't tolerate Google sniffing everything I do or do not do on my phone either.
PS. I just hope it's an OEM that sells devices to a lot of countries including developing ones and not something like Fairphone.
ThePowerOfFuet · 1h ago
Google has no access to anything you do on a Pixel with GrapheneOS installed just because it's their hardware.
YoumuChan · 5h ago
I think it is all about audience. There is no one-size-fit-all. Different audience have different threat models and different requirements.
For a corporate using an OS in work phones. The threat model is state/corp-sponsored actors. Trade secret leak is unacceptable. When in doubt, data should be wiped. Now wiping PIN makes total sense and is the only sensible option.
An ordinary person, on the other hand, often deals with non tech-savvy ordinary people. The threat model is different. Most likely plausible deniability is enough. The threat level is low. Those users may accept to trade some data security for a more friendly feature.
The ultimate question is whether Graphene envisions itself an opinionated OS that always follows the "best practice" or a generic OS that allows users to define their own threat models.
throwaway-0001 · 8h ago
Tbh I’d say 99% of the criminals won’t know about this.
Let’s say someone have you at gunpoint, you can just give your mains profile pass.
If they don’t even know there is a secret profile you’re good to go.
You’re right, they might assume you’re hiding, but I’d say 99% won’t know what’s even graphene and from those who know I’d say they might force you and you can have 3 sets of bank accounts:
Main profile: 100
Secondary: 1000
Terriary: $$$
Also if you hide all traces of grapheneos would be safer too. Nobody even knows is graphene, so they can’t even check what features you have. Again we are talking about 99% of the criminals, not the tech savvy 1%.
I’d prefer plausible deniability like Vera crypt than what we have now.
mbananasynergy · 7h ago
You can argue most bad people won't know about it - but I would say we can't really know.
I think the main problem is that people can be affected that aren't even using it, which is why it is such a big problem. You can't really hide it's GrapheneOS either, even just by virtue of the features available on the device, you'll be able to deduce what it is.
I understand the idea behind it but it simply isn't realistic to provide and can put people in danger - the very thing it's meant to prevent.
throwaway-0001 · 7h ago
But also in your case criminals can threaten you to give access to bank accounts you don’t have.
When I say hide, again for 99% of the people. Splash screen, setting spoofing. Sometimes good enough is better than perfect.
And even if the attacker can see the other profile you can just say was your friend’s profile and it’s lost.
Or better, not sure if possible: export the profile in a file like veracrypt. Then when you need the profile import from this file and would restore the secret profile.
AndyMcConachie · 2h ago
> Tbh I’d say 99% of the criminals won’t know about this.
It's not about criminals. It's about the police, government spy agencies, and other knowledgeable threat actors.
jrexilius · 7h ago
There are certain threat/risk models where having multiple profiles might be helpful (non-forensic examination by an offical at a securtiy screening kinda scenario). But you're right, it's nuanced, requires know-how by the user, and possibly a foot-gun for some caught unawares. NOT an easy problem to solve. Personally, as a user, I'd like the ability to be able to choose that option in the instances where I needed it, but it's likey a TON of work for a very small actual user community who needs it.
cromka · 7h ago
I think this feature nowadays would be mostly for the border control checks, especially in the US. Basically to avoid being sent back over a JD Vance meme found at a glance, as opposed to actually being held hostage.
OsrsNeedsf2P · 8h ago
I've seen this be requested for years from various mod users. Is it too difficult to implement or something?
throwaway-0001 · 8h ago
They say a hidden profile is not secure enough so not worth implementing.
I rather have this hidden profile that would stop 99% of criminals than what they have now.
I think their approach to this project is to deliver real security at the cost of features.
bugsMarathon88 · 7h ago
This hyperbole is extreme, and unnecessary. If your life depends on the ability to simulate a fake user on a phone, there are more significant problems than a lack of operating system features, and a general failure to defend in depth.
kragen · 4h ago
This is a fully general argument against any single thing your life might depend on: seat belts, defibrillators, bulletproof vests, etc.
If the only thing protecting you from getting shot to death is a bulletproof vest, clearly a lot has already gone very wrong, and you're likely to die today anyway. But that kind of thinking is exactly what leads to a failure to defend in depth.
Ros23 · 4h ago
GrapheneOS Discussion Forum: "This site is best viewed in a modern browser with JavaScript enabled. "
Security my ass ...
To "GrapheneOS community manager" - please fix this. Where is .onion site?
gf000 · 2h ago
Security doesn't mean you have to go feed the cows and leave behind everything.
In fact, a core aspect of security is having access to a feature in the very first place.
A forum, being hosted on the web has absolutely no reason to stay away from the de facto scripting language of the platform. What would be your threat model for that forum? A zero day that would break the whole world?
progval · 3h ago
You can read it just fine with Javascript disabled, though.
ThePowerOfFuet · 1h ago
It's Discourse.
SchwKatze · 9h ago
My only problem with Graphene is the ridiculous low number of supported devices, i know I know, security reasons and so on. But I would accept an lower security hardened version but at least have Graphene instead of Google's junk
However, we're currently working with another OEM and are hoping to have a device of theirs meet our requirements that can be launched in 2026 or 2027. Nothing set in stone, but we're optimistic thus far.
benreesman · 8h ago
Extremely happy GrapheneOS user here. Thank you so much for the work you and your colleagues do. Speaking for myself, the adoption of a mobile communication and computing choice that both put me in control of what information I interact with and respects my agency enough to present me with the hard choices about what I do and don't want for myself has been a life-altering upgrade in something midway between "peace of mind" and "outright mental health".
Much like you don't hear the sound of a busy city until you go somewhere truly quiet, you don't remember owning your own brain until you evict all of the entities who have been living rent free in it.
Keep doing the great work you're doing: it's making people's lives better in dramatically more significant ways than most software.
mbananasynergy · 8h ago
We really appreciate the kind words!
_blk · 3h ago
I can only attest to that. Been using it for 3 years on a Pixel 6a. The only thing I'd wish for, is a scrolling PDF viewer.
In any case, thank you for all the work so far!
tenthirtyam · 42m ago
I can understand the GOS' rationale in choosing only the most secure phones. However, I'm more concerned about privacy, and not so much about security. It'd be great to have something like a "GOS-Lite" which accepts some security compromises in order to bring privacy to more people. (And yes, I understand that lower security means less privacy from targeted attacks but even GOS depends on OEM blobs, right?)
zvmaz · 8h ago
If it's a repairable phone like the Fairphone, that would be fantastic. Otherwise, I'm already very satisfied with what you offer. Thanks for you work.
mbananasynergy · 8h ago
Fairphone do not meet our requirements and haven't really been trending towards meeting them generation-by-generation. It doesn't seem to be something that interests them.
The unfortunate thing is that they make security promises which aren't upheld in practice (such as shipping security updates on time), so it doesn't inspire confidence as an OEM you could trust to properly support a device for multiple years.
We're hoping that there will be people who will enjoy a device from the OEM we're in talks with - we know that there are many people who for various reasons don't want a device from Google, so this will at least offer an option for people who want to use GrapheneOS on a non-Google device.
At the risk of doing their work for them, that seems like a near ideal partnership opportunity for graphene, so it’s extra sad to see.
mbananasynergy · 8h ago
It's important to note that these "8 years" aren't actually that in practice due to the delays. The latest generations of Pixels (starting with the 8th) have 7 years of actual security updates, which is one year less, but is proper support. Hopefully the industry trends towards that as a whole - buying devices that only get 2-3 years of updates should be a thing of the past.
rjzzleep · 7h ago
Isn't that related to how expensive it is to get licenses from MTK and Qualcomm for updates? Given that Pixels run on their "own" chip, driver support is probably much easier.
strcat · 7h ago
Fairphone devices have 1-2 month delays for partial security patches. They have a year or more of delays for new major releases. Their recent Fairphone 5 uses the Linux 5.4 LTS branch going end-of-life in December 2025 with no plan to port to a new LTS branch. Their past devices use end-of-life Linux kernel branches. They do not provide the expected security patches even shortly after release. They aren't doing the bare minimum and aren't even compliant with recent EU regulations for device updates.
Google provided resources for the Linux kernel to extent LTS support for 6 years for their 5 year guarantee with the Pixel 6. It ended up not being needed since Pixels began moving to newer Linux LTS branches. The official Linux kernel LTS support is back down to 2 years. The 6 years was meant to benefit all Android devices but it proved to be too difficult to do well and it makes more sense to invest a far smaller amount of resources moving to new LTS branches.
Fairphone presents providing an Android OS release 3 years after it was released as providing 3 more years of extra support compared to an OEM releasing it in the month it was launched as their final update. That doesn't make sense.
They've repeatedly had blatant security flaws such as using publicly available private keys for signing the OS on the Fairphone 4. These issues are downplayed rather than being acknowledged.
There are important security features missing, but the main issues are the lack of proper updates and their approach to security flaws being reported and discussed.
Many Android OEMs are a better fit for a partnership with us and we're working with one.
I really hope it's the Nothing Phone you're talking to.
orbisvicis · 8h ago
I'm working my way down your requirements.
> Hardware memory tagging
I had to Google this. Is this like a fine-grained version of mprotect, i.e. associated permissions with each tag? Or are you only interested in the memory safety benefits? Regardless, why target requirements that even most desktop computers don't meet?
> Hardware memory tagging is going to provide a massive increase to protection against remote exploitation for GrapheneOS users. It's the biggest security feature we'll be shipping since we started in 2014.
strcat · 8h ago
> Is this like a fine-grained version of mprotect, i.e. associated permissions with each tag?
It provides the ability to tag 16 byte granules of memory with 4-bit tags where only pointers with the correct tag can access the memory. This provides an approximation of memory safety very useful for security.
As an example of how it gets used, our implementation of the system allocators via hardened_malloc tags each allocation with a randomly generated tag excluding the adjacent random tag values and previous random tag value for the slot. It has the standard setup of a single statically reserved tag (zero) used for free memory but adds 3 more dynamic exclusions. This provides deterministic detection of small overflows, linear overflows, many forms of use-after-free and fallback to probabilistic detection of other spatial (bounds) or temporal (use-after-free) memory safety issues. We use a lightly modified variant of the standard MTE integration for PartitionAlloc in our Vanadium browser, but we plan to improve it to match hardened_malloc. We use the standard Linux kernel implementation for the internal Linux kernel allocators which needs a lot of improvement.
> why target requirements that even most desktop computers don't meet?
Desktop computers are far less secure than an iPhone or a Pixel with the stock OS. GrapheneOS exists to provide a higher level of privacy and security than those. GrapheneOS is primarily aimed at mobile devices which are almost entirely 64-bit ARM. Hardware memory tagging (MTE) is a standard ARMv8.5 / ARMv9 feature provided by every standard ARMv9 Cortex core. MTE is only missing with custom CPU cores or cache while cutting this corner.
Pixels are not the only devices providing MTE. Exynos and MediaTek have provided it and Snapdragon should be providing MTE starting at the end of this year. The only reason Snapdragon is late to the party is due to their custom cores/cache.
We're currently working with a major Android OEM towards multiple of their future devices meeting all of our requirements and providing official GrapheneOS support. They view all of our officially listed requirements as completely reasonable and a target they can meet for their next generation of devices.
The purpose of GrapheneOS is providing a high level of privacy and security, not making security less bad for devices people already have. Hardware and firmware security matters quite a lot and software security depends heavily on hardware-based security features including MTE. Nearly all GrapheneOS users buy a device to use GrapheneOS and that would still be the case if we supported several other devices. The vast majority of Android devices lack proper security patches for drivers/firmware, are missing important hardware-based security features and don't provide serious support for using another OS where the security features can be kept intact. Samsung's flagships are closest to meeting our requirements after Pixels but do not allow another OS to use verified boot, important secure element features and more. Samsung permanently cripples their devices if they're unlocked and voids the warranty, unlike Pixels.
The reason we're working with an Android OEM is because existing non-Pixel devices don't provide a base we can use to provide what GrapheneOS offers. It would be missing huge parts of the core features elsewhere and would be worse in significant ways than the stock OS. It would go against what we're trying to achieve to have people buy devices we can't properly secure. Long term support for drivers and firmware is also important because people use devices more than 3 years from launch in practice. Pixels get 7 years of proper support from launch, which is unique. A couple OEMs market their devices as having similarly long support but the updates are significantly delayed and far less complete.
We've had numerous opportunities to work with OEMs where they weren't able to provide our requirements. We simply aren't interested in having a far less secure device with GrapheneOS as the stock OS. We expect our requirements to be met, and we think the OEM we're currently working with is fully capable of providing what we need. It will hopefully be available in 2026 or 2027. The initial goal is not doing better than Pixels, just providing a competitive alternative for people who want to use GrapheneOS on another brand of device.
nicman23 · 4h ago
that is great but i hope it is not a small run with a 200+ price as happens with the various linux phones.
bubblethink · 8h ago
What's ridiculous about it ? There are now 4-5 gens of Pixels with their major/minor bumps too (A series, pro, etc.). There's enough variety at different price points for everyone there.
konstantinua00 · 8h ago
4-5 versions of the same phone in the gigantic sea of possible devices
bubblethink · 8h ago
The other devices don't meet the criteria. Be happy that Pixels are supported, for Google seems to closing down Pixel OS too, making this whole effort rather difficult.
konstantinua00 · 7h ago
> The other devices don't meet the criteria
you got it wrong way around
the CONSUMER criteria is "we want better independent security ON DEVICES WE ALREADY OWN"
complaints like in this thread are symptoms of unfullfilled demand - and they can't be solved by saying "oh gosh, what a stupid demand that doesn't agree with our supply"
homarp · 4h ago
car analogy:
I want my gazoline car to have hybrid engine. For free.
vendor: not possible
you: unfulfilled demand
me: the way I see it, you get a product for free if you fulfill certain conditions. If not, you buy these conditions.
cwillu · 6h ago
Nobody said it was stupid, but you wanting something doesn't make it a requirement for a project with different goals.
rambambram · 4h ago
I was going to type something, but upon a second read I see you say 'consumer' instead of 'customer'. Fair enough.
crossroadsguy · 6h ago
I actually like Graphene's focus in Pixel. It is available in a lot of countries unlike Fairphone - via Pixel of course.
So Graphene is actually not limited to the developed/western world. As for not supporting other devices, I believe the reason could be the team size and the fact that the fragmented Android world is known for unique shenanigans of every OEM. Besides Google's update/upgrade cycle is another reason it is an appropriate choice.
beeflet · 4h ago
por que no los dos?
gf000 · 2h ago
Because as mentioned, Fairphone has lackluster hardware security.
You can have the best alarm system in the word, if you leave the back door open and anyone can just walk in from the street.
beefnugs · 8h ago
Sounds like google is going hostile to the project, so if enough of us miss it i guess we will have to work on new hardware support
mbananasynergy · 7h ago
GrapheneOS community manager here. Google did make it harder to support Pixels, but we're still doing it and plan to continue supporting new Pixels provided they keep meeting our requirements.
At the same time, we're in communication with an OEM to have some of their devices have official GrapheneOS support, so we're moving towards redundancy.
metalman · 9h ago
https://calyxos.org/
does a few other devices, seems aimed strait at true privacy
CalyxOS downgrades security compared to the Android Open Source Project, often falls significantly behind on standard Android privacy and security patches as is the case right now (they still haven't ported to Android 16 which is required to have the latest patches) and doesn't provide similar privacy or security features.
Features like Contact Scopes, Storage Scopes and our Sensors permission toggle are some of the privacy features includes in GrapheneOS.
Privacy necessitates security. The security provided by GrapheneOS is in order to be able to protect privacy.
pshirshov · 3h ago
> The security provided by GrapheneOS is in order to be able to protect privacy.
But there is still no way to reset/spoof android device ids, and the apps can reliably identify the user after reinstalls.
spaqin · 5h ago
According to the link you provided, it does seem to be ahead of stock Android (assuming AOSP) and LineageOS, disproving your point that it's falling behind.
The point of the OP is not that it would be better than your solution anyway; rather, if you have a device unsupported by GrapheneOS, Calyx would be better than nothing.
rfoo · 2h ago
> Calyx would be better than nothing.
Depends on your threat model. If Google, low-effort scam apps or being profiled by apps are your only adversary, then that's true. If random threats on Internet or APTs pwning your phone, or being forensic-proof are part of your threat model, then Calyx is strictly worse than stock.
user070223 · 3h ago
A question for strcat / other Graphene developers:
Can you clarify what can one expect from legacy extended support. Will old devices get any more updates? how long, how often, is it just security patches etc..
Thanks for you hard work!
largbae · 6h ago
The most fun feature of GrapheneOS is the ability to look at the logs of any app at any time from the App Info page.
torium · 2h ago
> ""will never again be closely tied to any particular sponsor or company"". Work on GrapheneOS is supported by a Canada-based foundation created in 2023; there appears to be almost no public information available regarding this organization, though.
bugsMarathon88 · 6h ago
Graphene is a fantastic operating system for Pixel devices. Simple, reliable and with plenty of security and privacy features to make you feel warm and fuzzy. System updates are automatic, actual phone functionality is flawless, perhaps the only complaint to be had is the quality of camera, which probably lacks proprietary drivers. Signal works fairly well - even without abusive Google Services installed, making this a perfect daily mobile driver. Much gratitude to the developers of this project.
maelito · 1h ago
My main complain by far to LineageOS is the necessity to wipe everything for major releases on my S10. That's not possible every year.
What about Graphene ? Can I get 5 years of updates without needing to wipe the phone ?
tholdem · 44m ago
You don't need to wipe the phone when updating GrapheneOS. It's as painless as on stock Pixel OS. OTAs downloaded and installed on the background, just reboot the phone after.
Sytten · 6h ago
Been using it for the past two years and supporting the project. I personally love it but you do have to tinker a bit once in a while so I would hesitate to put it in the hands of my parents (though I bought them pixel just in case). Google Pay not working is mildly annoying (hoping to get PayPal or Curve eventually). Android Auto works but I didnt yet try to make voice commands work. Some app behave weird if you block access to the sensors (though it is nice to be able to do it). Sandboxed google play works great for the most part.
icar · 1h ago
Curve NFC payments work for me.
hft · 5h ago
My workaround for using both NFC payments and Graphene OS is wearing a Google Pixel Watch (1). All other Google Wallet features besides NFC payments should work.
Sadly that solution does not work everywhere. In a lot of countries, Google Pay cards are added by the bank's app and it's on the bank to support rolling out cards on WearOS as well. A lot of banks in my country only support putting a card in Wallet on phones, but not WearOS watches (not sure if it is laziness on their part or whether security of WearOS watches is not deemed acceptable in general due to the lack of secure elements, shorter/no PINs, etc.).
b8 · 6h ago
I'd install Graphene OS in a heartbeat on my Pixel if they'd add support for Google call screening and feature like Hold for me. Thise features are why I bought my pixel and it's too much of an inconvenience to go without them now. Spam calls have went down significantly and has saved me a lot of time.
BLKNSLVR · 2h ago
The article mentions the lack of a swipe keyboard, which is an issue for me.
There is an option though: Heliboard with a custom swipe configuration applied (which is apparently sourced from Google, I'm not sure how "grey" that is).
It definitely works as a swipe keyboard, but it's just not as good as GBoard. I will persist, however. I hope that it's learning at least...
pdesi · 2h ago
Check out FUTO keyboard (it's only ok). Or install GBoard, download the language of interest, and then disable network access to it
Night_Thastus · 5h ago
I've been interested in Graphene OS, but being limited to just the Pixel phones is kind of lame. Have a Galaxy A55 I'd have liked to try it with.
senorqa · 2h ago
My personal favorite feature of GrapheneOS is that we can toggle the network access permission.
In the past, I'd have to root my phone just to be able to install a firewall to do the same.
Big props to GrapheneOS!
nvdr · 3h ago
Big thank you to the GrapheneOS team! I have been running it for a week now on my 9pro and the user / app sandboxing is great. If there's a way to donate with cryptocurrency or help contribute, let me know!
I was tempted to use this but when I looked into the team behind it there seemed to be some issues as exposed by Louis Rossman here: https://youtu.be/Dl1x1Dy-ej4.
Instead, I installed CalyxOS and have been using it over a year now and I'm very happy with it. Check it out.
onli · 3h ago
You are exactly right. To summarise for those who do not want to watch a video, the video shows communications with Graphenes lead developer in which he was extremely hostile and threatened Rossman. It also goes into how said developers hallucinates being attacked by specific other sites, like a Linux YouTube channel that obviously did nothing to him. His goons then attack those projects.
You have to be aware that you give that person root when you use Graphene. All possible technical improvements aside this is a very big risk. He claimed he would step back after the video released, then called that a lie and continued with everything.
Calyx seems to be the best alternative right now without such a risk factor.
bernoufakis · 2h ago
I second this opinion, with some additional nuance.
While I don't think the developers necessarily hallucinates being attacked (i.e. given the nature of the project, I would expect them to be persons of interest, be it from surveillance agencies, or even state actors), the main issue with Rossmann is their claim that he is either personally directing harassment against GOS, or colluding with and encouraging other communities to harass (mainly Kiwifarms, Techlore, CalyxOS, and other Android related FOSS projects).
This claim seems to originate then cascade from Rossmann leaving the comment "Informative, but unfortunate" on TechLore's video criticizing GOS's leadership.
This is taken as explicit support of TechLore community's / KiwiFarms alleged harrassement on the lead GOS developer, and this has somehow been cascaded and blown out of proportions, and considered by GOS developers as evidence of Rossmann's wrong doing against them.
As mentioned somewhere else, I am using GrapheneOS since 2 or 3 years now, based on Rossmann recommendations.
The software is very good, pretty much native Android experience, but without the extra alleged Google snooping / root access.
Rossmann himself seemed to have stopped using it as his main device because of fear of retaliation given that the GOS devs could potentially target him. Better safe than sorry.
I still use it because I am not that high profile of a person, and generally will use throwaway when it comes to discussing anything GOS related at this point.
The overall leadership however, based on Rossmann's and later my personal interactions with them however, did leave a bad after taste.
other8026 · 25m ago
> Rossmann himself seemed to have stopped using it as his main device because of fear of retaliation given that the GOS devs could potentially target him.
But he didn't. It's clear in his later videos that he was still using GrapheneOS, I believe even for months after the video.
> Better safe than sorry.
People who are familiar with how GrapheneOS updates work wouldn't agree. No identifiers are sent to the update server, so targeted updates aren't possible that way. Also, update servers only host static files. If Rossmann was really that worried, all he'd have to do is use a VPN. But that was all just a huge dramatic act so his video would get more views, and possibly to entertain his fellow Kiwi Farms members.
other8026 · 34m ago
There's way much more to it than what you said here.
> extremely hostile and threatened Rossman
At the time, he was very upset. You know, because he was swatted multiple times. Of course he was upset when Rossmann showed his true colors and was trying to talk to him. Rossmann saw this as an opportunity and recorded it as it was happening. He tries to portray Daniel as crazy and people who attack the project and his friends on Kiwi Farms lap that stuff up.
It's not true that he stopped using GrapheneOS, though. He continued using GrapheneOS for months after that video, which you can see by watching his later videos.
> hallucinates
Repeating baseless claims that he's crazy.
> You have to be aware that you give that person root when you use Graphene.
What? This is a very strange way to say it. Either way, it's literally impossible for someone on the GrapheneOS team to target someone like what was claimed in the video. GrapheneOS devices don't send identifiers when they contact the update server. The update servers also only host static files.
> Calyx seems to be the best alternative right now without such a risk factor.
The "risk factor" is completely false. It's all made up to attack GrapheneOS, making the founder look like a crazy person, then people are scared of using the OS. CalyxOS is not a hardened OS and rolls back security in some ways. It's not the next best alternative for people who care about these things.
onli · 22m ago
Nothing I said is baseless and contrary to you, I do provide sources.
> Of course he was upset when Rossmann showed his true colors
I saw the chats. You lie. Showing his true colors = not accepting that there is an evil conspiracy and asking for proof. You are completely brainwashed and I will not continue this discussion.
If Calyx is not the next best alternative be invited to link to what you think is the best alternative. I still think it's Calyx.
gf000 · 2h ago
Calyx has lackluster security practices, and even removes signature checking so they can sell microG as Google Play Store to apps. This is an objective statement, graphene OS is leagues ahead of anything on the market in terms of security, while calyx is basically just a custom ROM to tinker with.
As for the personal aspect, the lead developer is definitely not the best representative of the project from a communication perspective as he might not have that kind of social skills (based on his posts). [1]
But he (Micay) is an excellent security researcher, and has an excellent track record when it comes to prioritizing his users. There was a sponsorship in the beginning, where the legal entity, CopperheadOS tried to hijack the whole project. But Micay rather kill the project, than let the users' security suffer and revoked the signing keys. And I'm sure such a betrayal would cause anyone to lose a lot of faith in others' actions.
> Give that person root
Complete bullshit, what root?! And if anything, you are the one who are trying to discredit a project here, by sharing some dumb clickbait video.
[1] I see that there is now a project manager doing most of the communication, which is an excellent solution!
onli · 2h ago
Do I have to explain what root is, or what are you not understanding about the concept of the software provider having complete control of the software on your phone and thus having root rights?
Your CopperheadOS description is one perspective, one that does not look all that believable now after his mental illness became clear.
I did not share the video, but I would and it is not clickbait.
I will not further respond to you, I don't think this would lead to a fruitful discussion. Kindly think about what kind of trust is necessary to trust in the proper functioning of a device as personal as a modern phone, and think about attack scenarios that could occur when the main developer of your OS is not trustworthy in the slightest.
other8026 · 9m ago
> after his mental illness became clear.
Here you are again in yet another comment repeating these baseless claims about mental illness.
> think about attack scenarios that could occur when the main developer of your OS is not trustworthy in the slightest.
First of all, he's not the main developer. There are multiple developers. The other developers do most of the development work these days.
But to say that the OS is untrustworthy is completely false. You say GrapheneOS's founder has a mental illness based on watching a video where someone turned malicious toward the project recorded a conversation where the founder was extremely upset after being swatted multiple times.
The update client doesn't send identifiers when checking for updates, and the update servers only have static files saved to them. You're making stuff up here, and clearly trying to turn people off of using GrapheneOS by repeating baseless claims that the founder is crazy and fake worries of being targeted by them.
gtsop · 3h ago
Can you elaborate on why this is a risk factor? What do you mean by saying we're giving him root? If a person is paranoid of being chased i would expect them to put even more effort into the security of the OS he develops, not to add backdoors. But please expand your own reasoning.
bernoufakis · 2h ago
To put it simply, the (at the time) lead developer of GOS and Rossmann had some disagreements.
At the time, Rossmann was mainly using GOS, but due to what he perceived as hostile behavior from GOS toward him through their communication, he opted to stop using GOS (at least on his main device, as he claims).
His rationale was that the behavior of said lead developer was not "rational" and "scary", and since the developer has not only edit access to GOS code but also update publishing infrastructure, Rossmann's data or himself could be targeted through malicious code pushed via an update, for example.
While GOS is opensource and malicious code or exploits could be detected by the community, he himself did not have confidence to audit the source code to make sure it was safe, hence his decision to stop using.
By risk factor, I think the grandparent suggests that something similar could happen to someone else using GOS, the risk factor being essentially at the mercy of GOS developer, would they wish to harm said user.
other8026 · 4m ago
> Rossmann's data or himself could be targeted through malicious code pushed via an update, for example. While GOS is opensource and malicious code or exploits could be detected by the community, he himself did not have confidence to audit the source code to make sure it was safe, hence his decision to stop using.
This isn't even possible given how updates on GrapheneOS work. The update client doesn't send identifiers to the update server, and the update server only hosts static files.
Rossmann either doesn't understand this, or he made it up to get more views, or possibly to entertain fellow Kiwi Farms members.
To be honest, I don't think that he didn't understand that he couldn't be targeted. He continued using GrapheneOS for months after the video. As I understand it, it was clear in a few videos months after the initial video was published.
gtsop · 2h ago
So rossmann literally feared of a patch that was like this getting into graphene
if (user is rossmann) {
// do bad things
}
makes me think who is paranoid here.
fph · 1h ago
Note that this patch would have to be sent out to all users though, since I don't think there is an authentication mechanism that lets them send out different upgrades to different users.
And if your whole business is a secure OS, it's a very risky proposition: you get caught doing this once, and your reputation is gone forever.
bernoufakis · 1h ago
Your example is a strawman, as a determined enough actor, especially a security expert(s) like GOS developers could pull it off and get such patch / exploit.
The probability is not zero.
It will probably not be obvious to spot, would be spread over multiple files of code that don't necessarily relate to each other at first glance, as many documented CVE illustrated (one that comes to mind given HN context is the XZ utils backdoor from last year for e.g.)
Rossmann himself has no confidence to audit the code, so why take the risk ?
Good enough reason to be "paranoid", or at least feel uneasy about it if you ask me.
gtsop · 50s ago
Is it really a strawman? At some point, the code would need to identify rossmann. Please elaborate on the techniques required to do it and how it could be obfuscated.
GOS doesn't use an account, so the code would have to perform very targeted heuristics in order to verify this is Luis' phone. It would have to compare his sim number against a known one, or dig into application data to find his logins and compare them against known emails. So the only reason to not write `if (user is rossmann)` would be to send various diagnostics over the wire, to a service that contains these identifiers and perform the comparison onlinr, meaning he would introduce an imense security whole into everyone's phone, and everyone would see there is a home calling.
So it's either a patch of if user == rossmann, or a home calling patch.
onli · 3h ago
Well, he can do everything to your phone, software and data by pushing software updates. When there was a dispute in the former project copperhead he deleted the cryptographic keys, blocking software updates. Paranoia could result in just making the system more secure, but why not add a backdoor to find the spies in your userbases that communicate with the black suited men that secretly run our government? After all it is easy, they all play a specific game where they communicate via secret messages in chat.
You just don't know what will happen is what I'm saying.
The "he has root" is also a reference to ubuntus shuttleworth.
gf000 · 2h ago
> when there was a dispute in the former project copperhead
You mean who tried to hijack the project in a very questionable direction, harming their users, he rather lighted the project on fire then let the users' security be compromised?
If anything, that is the greatest compliment you could give him.
Also, this is fud that he can push any kind of code, like you can easily check any part of the pipeline.
bernoufakis · 1h ago
> You mean who tried to hijack the project in a very questionable direction, harming their users, he rather lighted the project on fire then let the users' security be compromised?
> If anything, that is the greatest compliment you could give him.
On one hand, sure it can be a compliment.
On the other hand, it only increases the perception that he is could enact significant harm if he ever comes after you.
> Also, this is fud that he can push any kind of code, like you can easily check any part of the pipeline.
Who is "you" ? Neither Rossmann, neither me (software dev albeit not in cybersecurity), and even less so the average GOS user, and I would venture to guess that neither you can audit GOS code with enough confidence to declare that the risk of an exploit or backdoor being introduced is zero.
Open-source is not a guarantee that code or software is secure (for e.g. CVE in xz utils and many such cases).
Edit: some clarifications.
mbananasynergy · 7h ago
Hi there. GrapheneOS community manager here.
It's a weird video to bring up without any context. Louis Rossmann made that video and leaked private conversations that were had fairly soon after the person in question was repeatedly swatted by someone who has a fan of the person Rossmann was voicing support for.
Unfortunately, Rossmann turned out to be very dishonest, which in retrospect makes sense, seeing as he has no issues with using Kiwi Farms. He's verified account there is named "larossmann". I suggest you look into it.
It's not just something he's done with GrapheneOS and the founder of the project. There are many videos, such as the one he did on Linus from Linus Tech Tips where he similarly misrepresented things and ascribed mental health labels on them.
Regarding CalyxOS, I would recommend people check out https://eylenburg.github.io/android_comparison.htm as a third-party comparison for various projects, including GrapheneOS and CalyxOS. They're not similar projects.
onli · 3h ago
> Louis Rossmann made that video and leaked private conversations that were had fairly soon after the person in question was repeatedly swatted by someone who has a fan of the person Rossmann was voicing support for.
I am sure you have proof for such a justiciable acccussation? The perpetrator is in jail and you can link to the court proceedings for example? You are surely not just regurgitating another hallucination by the Graphene developer, right?
other8026 · 55m ago
The swatting attacks are public record, and can be confirmed through Toronto police records.
> another hallucination by the Graphene developer
I'm going to assume that by you saying "another" you mean that there were hallucinations before this one.
What you are doing here is repeating baseless claims that they're crazy, which is complete nonsense. This is exactly the kind of problematic stuff that shows up on Kiwi Farms. Again, Rossmann has an account there and some of his videos seem to be made to appeal to Kiwi Farms users.
onli · 38m ago
> The swatting attacks are public record, and can be confirmed through Toronto police records.
Which is not what I'm talking about. You claim you know who did it. Where is the proof?
Though I never doubted that the swatting attacks occurred, I am noticing now that you mention police reports without linking them. Let me guess, there is nothing online, no police press release, nothing?
> I'm going to assume that by you saying "another" you mean that there were hallucinations before this one.
Yes. Like the attacks he hallucinates from project like Calyx and from the Techlore Youtube channel, and the documented way he turned on Rossman. Always claiming there is proof he already provided for the evil machinations of the others, with references going to other claims of having provided proof before, with none to be found anywhere down that chain. That is pretty easy to categorize behaviour. I personally would not call him crazy (who the fuck is "they"?), that seems to be hurtful, but I am confident in seeing signs of a mental disorder there and stating that publicly.
> Again, Rossmann has an account there and some of his videos seem to be made to appeal to Kiwi Farms users.
Complete Bullshit. Provide links to the videos, otherwise that is another evidenceless attack and just confirms your pattern.
bernoufakis · 42m ago
Is having an account on Kiwifarms evidence that Rossmann is either directly or indirectly responsible for harassment against the GOS developer(s) ?
bernoufakis · 3h ago
Unfortunately I don't think they do.
Disclaimer, I am a GrapheneOS user. I was introduced to GOS by Louis Rossmann initial 2 or 3 videos talking about giving them a FUTO grant, as well as praising GOS and showing how it easy it was to install, and how it gave back control to the user, and all the good things that GOS genuinely provides.
I have (unfortunately) followed this saga and went down the rabbit hole since the very beginning. To my understanding based on publicly available data, the key "evidence" put forward by GOS developer(s) / community manager would be:
1. Louis Rossmann leaving the now pinned comment "Informative but unfortunate" on TechLore's video on the leadership of GOS. They claim this is Rossmann showing support for Techlore and his community to (allegedly) harassed the (at the time) lead developer of GOS.
2. Louis Rossmann having KiwiFarm account. Yes, KW is a cesspit. However, all of Rossmann's message on the board mostly focus on either addressing misconceptions about himself, or promoting right to repair and similar topic. This can be easily checked, and at no point there is any public evidence of him supporting harassment toward the GOS developers.
3. Louis Rossmann being acquainted with leadership of other de-googling Android OSes (CalyxOS mainly I think) and also giving them a FUTO grant.
Essentially, "guilt by association". I know this because I have asked the community manager (goes by mbananasynergy on HN, and similar aliases on other platforms), and that is what they provided as "evidence" for Rossmann being guilty of harassing or promoting harassment against them (along with mentions of having 2 millions of USD worth of backing and ready to sue Rossmann, which has not materialized as far as know since ~1.5 years ago).
I want to preface by saying that GOS is really a good software, I have been using it for 2 or 3 years since then, and no complaints on that side.
My biggest gripe however, is indeed with the leadership and management of the community.
I created a new account instead of posting this with my main because the leadership is in my experience very abrasive, to say the least.
I have been banned without appeal from their Mastodon for leaving "thumbs up" smiley on : 1) messages suggesting the GOS devs to do an interview with Rossmann (as he did with other projects that received a FUTO grant) to further spread the word, or 2) messages suggesting to clear up the misunderstanding between the devs and Rossmann.
Any disagreement on their official narrative, or contrary opinion (even in good faith) leads to bans if they are in control of the platform, and accusations of collaborating with groups that harass the developers. Even here, anything contrary to that narrative will receive the usual wall of text describing the poster as sockpuppets, harassers directed by Rossmann, Techlore, CalyxOS, or any other projects GOS developers are beefing with.
I am disappointed by the situation, because I think GOS could have a larger presence and contribute to raising awareness about the importance of data security, but their leadership seems to be a considerable roadblock on that direction.
gtsop · 2h ago
This is a very interesting summary indeed, however I think matters are simpler and noone needs to dive that deep.
Unfortunatelly, EVERYONE, from all parties, fire shots for the wrong reasons, which perverts the discussion.
When you say to people to not use GOS because the lead dev is paranoid or the community is hostile you are throwing out the baby with the bathwater. The value GOS brings is undisputable. The quirkiness of the leadership is also undisputable. Let's decouple the two. If you wish for the community to get better, become yourself the better contact point amd generally focus on suggestion on that matter. Don't say to people to not use arguably the most secure android rom!
I used to respect Rossmann a lot, but he fell in my eyes both for the LTT and the GOS incident. I have been watching LTT since a kid and I know that his has grown to be a jerk without looking at his private communications, but his competitors fired shots at him for the wrong reasons (honey case) and so did Rossmann, riding the wave.
If you want to criticize someone for being a jerk do it, but do it for the right reasons, don't muddy the waters by injecting other stuff in the discussion.
bernoufakis · 2h ago
> When you say to people to not use GOS because the lead dev is paranoid or the community is hostile you are throwing out the baby with the bathwater. The value GOS brings is undisputable. The quirkiness of the leadership is also undisputable. Let's decouple the two. If you wish for the community to get better, become yourself the better contact point amd generally focus on suggestion on that matter. Don't say to people to not use arguably the most secure android rom!
It's one thing to separate the artist from the art, but I think that analogy does not apply when it comes to e.g. an operating system which essentially handles all of your private data.
If anything, not being able to separate the art from the artist is the exact reason why GOS exists, the artist being "Google" and all their controversial practices.
(Edit: or a simpler analogy, would you trust the food (art) of a cook (artist) that threatens to ruin your life ?)
The OOP is entitled to express his informed opinion and even provided what he based it upon.
As a user, I think that is important context when it comes to picking something as sensitive as an OS.
> I used to respect Rossmann a lot, but he fell in my eyes both for the LTT and the GOS incident. I have been watching LTT since a kid and I know that his has grown to be a jerk without looking at his private communications, but his competitors fired shots at him for the wrong reasons (honey case) and so did Rossmann, riding the wave.
I happen to have a similar background as far as LTT (weekly WAN show and what not) and Rossmann are concerned
As I mentioned before I (unfortunately) went into the GOS incident rabbit hole and overall still think Rossmann was principled.
As far as Rossmann's criticism of Linus about the LTT Honey case, perhaps he could have had a more nuanced approach, yes.
Regarding the BilletLabs cooling block, or the "Trust Me Bro", his criticism was substantive, and came from his own business background on dealing with customers (although you can argue that Rossmann has high standards).
I don't think Rossmann "fired shots for the wrong reasons", namely since LTT has publicly acknowledge the issues.
> If you want to criticize someone for being a jerk do it, but do it for the right reasons, don't muddy the waters by injecting other stuff in the discussion.
Just curious, but who is muddying waters, and how ?
tholdem · 14m ago
Your logic seems to fall apart here.
> an operating system which essentially handles all of your private data.
This is exactly why one should continue using GrapheneOS as it is by far the best, most secure and private option. If you do not agree with one project member about something that is not related to the technical features of the project, it does not matter, since you can not be targeted with any GOS updates. Same updates would have to go to all GOS users and as stated before, the previous project leader has a stellar reputation when it comes to their work and prior actions regarding users security and privacy.
> the artist being "Google" and all their controversial practices
You believing this is a problem, you should then be using an iPhone anyway.
You are worrying GOS devs might push a malicious update, even when there are no proofs of that happening? What prevents the same from happening with other projects that are already inferior in every way? You are implying people should switch to less secure options because of this one thing that also applies to all other options? It does not make any sense and seems dishonest.
gtsop · 23m ago
> Just curious, but who is muddying waters, and how ?
In the context of this whole rabbit hole, pretty much all of the parties.
When you bring someone's dirt put in the public, not to support an argument but just to attack them because you don't like them, uou are muddying the waters.
MegaLag did it for Linus
Steve did for Linus
Luis did for Linus
Linus did for Steve
Linus did for Luis
Henry did for Daniel
Luis did for Daniel
And of course Daniel pretty much does for anyone :p
These were not conversations based on logic, each had a reason to dislike the other and dag up dirt for clicks and for leverage.
nicman23 · 4h ago
that comparison you are pasting in multiple replies has lineageos without micro-g.
icar · 1h ago
MicroG is extremely insecure. Does nobody remember that they used to print your Google password in plain text in the logs?
nicman23 · 1h ago
k but i do not care about an account that i do not have. i only use it for the gms or whatever is called now
BLKNSLVR · 7h ago
"Never meet your heroes". Also, the opening monologue to Tool's Third Eye[0].
The older I get the more examples I've come across of a person destroying their reputation by either self-over-exposure (social media) or just basic exposure via news of some outrageous or illegal behavior.
I don't have a problem with whatever line you choose to not cross, and I was once much more self-righteous, but I've more recently pretty much made the conscious decision to separate product from producer, art from artist, etc.
Theo Lengyel was recently arrested for murdering his girlfriend, and yet I will still listen to and enjoy Mr. Bungle's music.
Gary Glitter... I still like the song Rock n Roll Part Two.
J.K. Rowling has some controversial views on transsexual women, but that doesn't mean that the Harry Potter series is any less worthwhile reading than it was before.
ReiserFS
I still buy Nestle Quik occasionally
Steve Jobs, Bill Gates, Mark Zuckerberg, name almost any tech bro... (but not Steve Wozniak, he's a treasure)
Sports stars.
Musicians.
I wonder how many other things are worthy of protest if we knew all the facts about all the people who were involved in it's creation.
(I'm attempting to respond to the general concept of "he/she/they bad = it bad", not commenting on GrapheneOS vs CalyxOS or anyone's personal choice over where / what they choose to apply "he/she/they bad = it bad" to, other than saying that it should be a conscious decision not a reflexive reaction)
It's interesting that the only devices complying with the security requirements are Google's.
I wonder if Google actually has an internal version of Android that's more security-focussed. Given that critical engineers' personal devices being hacked should be a security threat that's on Google's radar, it's possible.
bernoufakis · 3h ago
According to the developers, beside the AOSP software itself, there seems to also be hardware requirements that only the Pixel satisfies.
As a large company, they are probably targeted through their devices and since they have the means, it does make sense that the Pixel devices have high security standards compared to other OEMs.
rdescartes · 5h ago
Why firefox in andriod is "more vulnerable to exploitation" ?
I want Graphene OS on a non-Google compact smartphone.
Not "pixel compact", but the size of an iPhone mini.
torium · 2h ago
Does anybody else here see as problematic that this OS supports mostly Pixel, a Google phone?
Over and again people on HN make the following argument: "Google is a company that makes most of its revenue from ads and surveillance. Therefore, you should always assume that Google is spying on you". But somehow when it comes to Pixel people give it a pass?
Prediction: If Pixel isn't already hardwired to phone home and report on your activities, it will slowly become so over time, as Google realizes its interest. You know, as it happened with Android, Chrome, and everything else that Google touches.
zevon · 2h ago
I think it's perfectly valid to consider this as problematic (the GrapheneOS team certainly seems to think this is not ideal, for example). However - somewhat counter-intuitively - it's also valid to consider Pixels as among the most secure and most appropriate Android phones for something like GrapheneOS.
Your prediction is about a hardware product, and your examples are both software products (one is a browser and another is a mobile OS, both of which are platforms for running other software, and thus extremely well-suited to the task of reporting user data back to Google).
I'm not an expert, but baking telemetry into the hardware (or at least the kind of telemetry that I assume Google is interested in) seems like skipping a few levels of abstraction, and thus more trouble than it's worth.
_vere · 2h ago
This is just conspiratorial fearmongering based on vibes. If pixels somehow phoned home on a hardware level, do you think we wouldn't be able to tell? Do you think we wouldn't see it in our network logs?
GrapheneOS supports pixels because they are currently the only devices that fulfill their list of requirements, like an actually usable secure element, hardware memory tagging, etc.
They have said and continue to reiterate that they would support other devices that fulfill their requirements and seem to be currently looking into working with OEMs to move away from pixels in the long term.
Just saying "you claim to degoogle phones yet the phone you use is a GOOGLE pixel, suspicious" is baseless nonsense.
bitpush · 2h ago
+1. It is kinda sad that folks seem to have lost critical thinking or even just some plain perspective on things.
They hear their favorite influencer spout something, and they parrot it everywhere. Google bad, hurr durr.
No comments yet
tonydav · 5h ago
I've been using graphene since 2 weeks. It's been great. I'm only missing 1 feature: auto call recording.
matheusmoreira · 4h ago
It's a shame that Android as a whole is trending towards hardware remote attestation. It's pretty much guaranteed that app developers will eventually start writing their apps so that they refuse to run on anything that doesn't pass Google Play Integrity. Being unable to run WhatsApp or bank apps on GrapheneOS will render it useless as a smartphone operating system. It might not be happening right now but the threat of it looms eternal. My bank could flip a switch somewhere and suddenly my phone becomes useless for the purpose of accessing my bank account.
The Google Pixel requirement also makes me sad. I understand that they have solid reasons why. The problem is Google is incapable of selling their phones worldwide. It's really embarrassing for Google and unfortunate for me.
icar · 3h ago
Hardware attestation and Google Play Integrity are two different things, and the former solves the monopolistic practices of the latter.
matheusmoreira · 3h ago
Not at all. They are one and the same. Both of those things will literally destroy the computer freedom we enjoy today.
GrapheneOS can attest to the device's security. The question is whether the app developers will trust such an attestation. Will they put money, time and effort into evaluating and trusting GrapheneOS? Of course not. They will just decide to trust nobody except Google and Apple.
This is the future. We'll be discriminated against. Can't even log into an account from an "unauthorized device". Their servers will just refuse to talk to our phones if they can't cryptographically verify that we have not "tampered with" them. We'll be refused service straight up unless our computers are straight up owned by corporations.
This so called "integrity checking" is meant to protect the corporations from us, not the other way around. It's so we can't do things like hack our way around their "policies".
lrvick · 2h ago
GrapheneOS (like all modern AOSP based ROMS) can literally not function with just the open source code. It requires hundreds of binary blobs from the vendor partition of a stock Android ROM, many of which have root access and have not been audited by anyone, including Google, who often lacks source code for them.
Beyond that, the GraheneOS team still controls a single signing keychain for all phones in the wild, which we have to assume is still controlled by Daniel Micay (strcat) as it has not rotated as far as I can tell since he mostly stepped away from public view.
He is without question a brilliant security engineer, but we can't ignore his very public Terry-Davis-esqe history of mental illness. Making -anyone- a single point of failure for a ROM frequently recommended for journalists and dissidents is a bad plan, and especially not someone very prone to believing wild conspiracy theories.
I can't recommend GrapheneOS for any high risk use cases until:
1. they are able to find a device they can run 100% open source code on with no binary blobs
2. The ROM can be full source bootstrapped to mitigate trusting trust attacks.
3. The ROM builds 100% deterministically and is reproduced and signed by multiple team members publicly
4. Threshold signing or a quorum managed enclave issues the final signature only if multiple team members give it signed approvals of a hash to sign.
Until at least those points are covered, the centralized trust model of GrapheneOS is a liability and the central keyholder is at high risk of being targeted for manipulation or coercion.
Honestly there is no good solution to these problems right now, and as a security and privacy researcher my best advice today to potentially targeted individuals is don't carry a phone at all, or if you must carry one, keep it in airplane mode whenever possible and do not do anything sensitive on it. Consider QubesOS or AirgapOS for such things.
If you are fine with centralized control of a phone, and fine with binary blobs controlled by random corpos having God access to your device, but would prefer to eliminate as much proprietary corpotech bullshit as possible, then I would suggest considering CalyxOS which is at least run by a former LineageOS maintainer with a great reputation.
ChrisArchitect · 7h ago
Related:
Cops say criminals use a Google Pixel with GrapheneOS – I say that's freedom
That project background reads suspicious as all hell, but then the thing does do what it says on the tin from all the news I see, so go figure.
mbananasynergy · 8h ago
Hi, GrapheneOS community manager here.
There are some corrections that we have contacted the author about regarding the history of the project. They initially e-mailed us to ask a few questions but seems to have maybe misunderstood something.
For clarity, GrapheneOS is the continuation of CopperheadOS, not a new project that spun off from it.
As an example, it can be seen that our repositories and legacy bugtrackers are ours:
It's a direct continuation, but was renamed to GrapheneOS post the failed takeover attempt. GrapheneOS has persevered and is all the stronger for it. Over a decade now. :)
onli · 3h ago
That is not correct, or at best a very questionable interpretation. Graphene is a continuation of the open source side of copperhead, but the copperhead project continued to exist even though the Graphene dev sabotaged it by deleting the cryptographic keys. Copperhead is the continuation of copperhead is my reading, Graphene is just also a continuation in a different project.
Why lie about something so easy to disprove by a bit of research? There were a bunch of articles about this back then, even wikipedia states it clearly.
perching_aix · 3h ago
Ah sorry, might have been unclear: by background, I meant the current governance and contributions situation they describe in the post.
z3c0 · 9h ago
I think Graphene gets posted here yearly. Having tested a variety of ROMs dedicated to different elements of security, I can attest that Graphene allows the most "normal" phone usage compared to many others. The biggest factor is the sandboxed Google Play Services, which allow you to use a lot of apps that you wouldn't be able to otherwise.
I've used Lineage without MicroG, as a comparison, and that's becoming more-and-more unusable every day some lousy Android developer tethers their company's app to some feature exclusive to Play Services.
nicman23 · 4h ago
yeah but lineageos with μg is quite good.
ranger_danger · 9h ago
unfortunately it doesn't support google pay, which is a dealbreaker for me
mbananasynergy · 8h ago
Google Pay is not available on any alternative OS due to Google blocking it. It's unfortunately their choice, rather than a lack of support on our end.
Depending on where you are in the world, there might be other NFC payment options for you.
In the EEA and UK, Curve pay works. Paypal made their own solution and is rolling it out, starting with Germany. Both work with GrapheneOS. Many banks also have their own solutions.
DANmode · 6h ago
Phone-wallet case.
h4kunamata · 7h ago
It is insane the amount of "news" about GOS that somehow get things wrong.
It cannot be coincidence but misinformation on purpose.
On Twitter, GOS team have to often reply with the actual correct information, it is insane man.
Reading some comments here regarding hidden profile, security through obscurity doesn't and will never work.
Add to that the fact that GOS is well known now, those people think that if they were forced to give their phone away, they won't have to disclose the hidden profile??? Newbies!!
I don't wonder why GOS team never bothered to prioritise this.
I have been using GOS for a few years now, it is perfect, full control over everything, the teams support is like no other and full transparency about everything, the release notes are like no other.
I really hope this project will never die.
throwaway-0001 · 7h ago
I know you talking about my hidden profile. But let say you have a banking account you don’t want people to find out.
Currently you can only keep it on the main profile or any other secondary, which are easily visible.
With my approach you can minimise 99% of the risks for most users.
And even so, you can have 2 hidden profiles. So you can always show the decoy hidden profile.
ranger_danger · 10h ago
Maybe my tinfoil hat is on too tight, but I always thought it was interesting that Graphene OS places so much blind trust in a proprietary black box security chip from Google that they pinky-promised to open source but never did.
TheCraiggers · 9h ago
Because they are a software project. When you're only concerning yourself with software, you have to pick some hardware and move on.
Going down the rabbit hole of secure hardware leads you down a slippery slope of eventually needing to create your own chips. And that's basically impossible these days for anybody smaller than Google or Samsung. So you do some research, pick the best you can, and hope for the best.
Perfect is the enemy of good.
JacobThreeThree · 8h ago
You're worried about Google hardware but your requirement for a phone is that it must have Google Pay? Bizarre.
transpute · 9h ago
OpenTitan has open silicon (RISC-V) and is capable of open firmware (based on Rust TockOS) and is coming to 2025 Chromebooks, https://news.ycombinator.com/item?id=44416304. Hopefully a derivative of OpenTitan will ship in future Pixel devices.
Google Pixel hardware provides nested virtualization, enabling a Debian Arm "Linux Terminal" in pKVM/AVF VM, with use of Debian package repos.
sigmar · 9h ago
Are you referring to the titan M2? why do you describe Graphene OS putting "so much blind trust in" it? I don't think they put much trust in it besides using it for storing keys and for their "Auditor" app
TheCraiggers · 9h ago
> I don't think they put much trust in it besides using it for storing keys
Ummm. Was this sarcasm that went over my head? Because if not, I have a hard time thinking of anything that requires as much trust as your private key storage.
bjackman · 9h ago
If you think the org that produced the hardware might have backdoored it, architecting your software to avoid the TPM or whatever is dumb. Targeting Google HW at all is an unavoidable act of complete trust so you might as well use the HW properly.
Also, why would Google bother backdooring their special HW when 99.999% of its users are anyway gonna be running a totally Google-controlled proprietary SW stack?
perching_aix · 9h ago
> Targeting Google HW at all is an unavoidable act of complete trust
Doesn't the existence of FHE downgrade that to just "complete practical trust" at least? Not that I know of it being employed, but that it could be, and that it may be worth shouting out exactly cause of how niche and impractical it is.
bjackman · 4h ago
We are talking about hardware here so ultimately you need to trust some manufacturer, software algorithms don't help.
With SEV-SNP and Intel TDX I think it's possible to build a hardware platform that doesn't require the user to trust the OEM although they still need to trust at least one large American tech company that controls the root of trust.
But I don't think this is ever gonna happen for consumer devices. AFAIK it's only sorta kinda happened for any real-world platforms at all (but maybe someone can correct me).
Ultimately if your threat model includes Google as a potential adversary, and you are not in control of nuclear weapons, you are gonna have to make some serious sacrifices to achieve security IMO. Smartphones are out. (Actually, I guess if you trust China you have a way forward).
XMPPwocky · 9h ago
How is it a black box? You can get the firmware trivially.
gtsop · 2h ago
As a long time GOS user I just want to remind what a joy it is to see my very old phone outlive flagships due to the lack of bloatware. I upgrade phones just for a single reason: it has been physically hit so hard over the years that it stops being physically functional.
aussieguy1234 · 8h ago
The one thing that prevents me from switching my Pixel over is the lack of support for emergency services to see your location if you call the emergency number. I know this because I called twice while having GrapheneOS installed.
I do some watersports and always take my phone with me, so letting emergency services see my location is good for my safety in case I ever got into trouble on the water. I also have a PLB, but I like to have two devices for redundancy, as is best practice.
strcat · 7h ago
It sounds like you're in a region not supporting E911 but rather depending on Google's proprietary Emergency Location Service. We plan to make our own implementation of what that provides:
GrapheneOS supports E911 and has our own network location implementation you can enable which gets used by it. Unlike Google's implementation, our network location is based on location position estimation similarly to iOS. Unlike iOS, we'll be providing full offline support for it.
bugsMarathon88 · 7h ago
Counter-point: Pixel 9 with GrapheneOS, location services off, Netguard installed and active; I engage with emergency services on a regular basis for work and always receive the public record which tracks the incident. The reported coordinates are almost always within 100' of my actual location, so YMMV.
cromka · 7h ago
This should be higher up.
strcat · 7h ago
GrapheneOS supports E911. It doesn't have Google's proprietary Emergency Location Services implemented as part of Google Play services which some countries depend on. We plan to implement the same standard it does for regions without support for a variant of E911:
It the Australian emergency number (000). Not sure if they're using the Google Play services implementation of Emergency Location Services.
VladVladikoff · 7h ago
This is almost enough to make an Apple fanboy switch to android. Maybe I’ll get a second phone just to try it out. Which model would be best?
BLKNSLVR · 6h ago
If it's just for trying out, then go for the cheapest second hand Pixel that's still supported by GrapheneOS and still has a battery that can hold charge for as long as you need it to for testing.
I bought a second hand Pixel 7a for my recent migration. Battery isn't great, but it's good enough to get me through a day.
mjbale116 · 8h ago
While a big proponent of this, to my mind, it seems a bit counterintuitive to place your trust in a community who will probably cannot be held into account once some bad actor slips into their ranks, creates a bad patch and empties my bank account.
mbananasynergy · 8h ago
Hi there. GrapheneOS community manager here.
It's important to note that GrapheneOS is not some niche barely-used project. It has existed since 2014 and is used by multiple hundreds of thousands of people at this point. There are also many eyes on the project through people forking it to make their own products, people maintaining their own builds etc. GrapheneOS is also reproducible in addition being open source.
On our side, we are very particular about accepting outside contributions if they don't need meet our standards, and code is heavily reviewed within our team before being merged.
All in all, your concern, while valid, isn't something that's likely to happen precisely because we're very aware of situations where it has (see xz) and are therefore very vigilant. The kind of thing you're worried about isn't likely to come from a big project like GrapheneOS that has many eyes on it, but rather something small that's used everywhere and barely has a couple of devs working on it, if that (again, see xz).
chasil · 6h ago
However, do you consider yourselves as able to resist a nation-state level adversary with resources dedicated to compromising you?
I think of two things, the Solar Winds build corruption, and putty's mishandling of e521 keys.
What is your vulnerability to a similar disaster, exploited or not?
Crontab · 8h ago
> it seems a bit counterintuitive to place your trust in a community who will probably cannot be held into account once some bad actor slips into their ranks, creates a bad patch and empties my bank account
From what I have observed, nobody is held to account when there is a software issue, commercial or open source.
gruez · 8h ago
>counterintuitive to place your trust in a community who will probably cannot be held into account once some bad actor slips into their ranks
Open source software is everywhere. Do you think Microsoft or Redhat going to be held to account if they accidentally added some backdoored OSS code? Moreover all of the development happens in the open and you can build it yourself. I'm not sure what the alternative is. Just trust Apple has their shit together with iOS?
bugsMarathon88 · 7h ago
This take demonstrates most people's inability to rationally threat-model: you would rather trust a known-abusive authority than an unknown-good samaritan, because of a false notion your bank balance is actually significant enough to warrant such an attack.
nullc · 4h ago
Google also cannot be held to account, its legal team out resources countries and if you attempt to litigate at best they will just keep you busy until you're bankrupt.
At least graphene wouldn't be expected to shield the perpetrator.
rtkwe · 8h ago
You say the same thing about Linux? This feels like old open source FUD, the only case I know of off hand is the xz util backdoor and that was found and patched before the malicious patch had made it into the main distribution channels.
I see some core team on this thread, so just wanted to say THANK YOU! Awesome job! Keep fighting for the users!
I'm totally the wrong person to offer recommendations on mobile, but so far it works very well for me, but then, I use almost no third party apps, and none of them are Play store only. My only complaint is the hardware (outside of their control).
I did do about three weeks of research, as I worried that maybe a number of apps wouldn't run on it or needed some form of deep attestation. Didn't find much, OpsGenie and other work apps are happy with the GOS level of attestation provided.
Great to have Google kicked off the phone. So nice to shut off the network permission for any apps that only require an internet connection to serve ads.
One tip from me, if you came from stock Pixel: You can download the default Pixel sounds and set them up like it was. Have a look for "Your New Adventure" online, the message sound is "Eureka".
For those of us who aren't ready to cut the umbilical cord to the mothership, you can also root/firewall on normal android to stop this. In fact I choose to not be able to use banking apps in order to cut out the crappy ads.
I wish that were true, but if you delete the 100s of binary blobs (many with effectively root access) copied from a stock donor vendor partition the phone won't function at all.
There is no such thing as a fully open source and user controlled Android device today.
https://grapheneos.org/faq#baseband-isolation
Sure, it's not perfect, but it's still really, really good. Even with the binary blobs that are on it, Graphene phones have been impossible to unlock via commercial cracking tools since 2022.
https://osservatorionessuno.org/blog/2025/03/a-deep-dive-int...
I am alright with things that allow for improvement, at least in theory
Even more FOSS friendly graphics vendors like AMD and Intel rely on binary firmware.
Check if yours is on the list.
I recommend putting proprietary Play Store apps grabbed with Aurora Store in the work profile with Shelter[5].
[1] https://obtainium.imranr.dev/
[2] https://f-droid.org/
[3] https://f-droid.org/packages/com.aurora.store/
[4] https://f-droid.org/packages/de.marmaro.krt.ffupdater/
[5] https://f-droid.org/packages/net.typeblog.shelter/
[6] https://signal.org/android/apk/
> It doesn't matter that the app is trustworthy, because F-Droid are extremely incompetent with security and the apps you install from F-Droid are signed by F-Droid rather than the developer.
https://discuss.grapheneos.org/d/20212-f-droid-security-in-s... https://discuss.grapheneos.org/d/18731-f-droid-vulnerability...
They also say, if you use F-Droid, at least use F-Droid Basic:
> Dont use the main F-Droid client. Android is pretty strict about SDK versions and as F-Droid targets legacy devices, it is very outdated.
https://discuss.grapheneos.org/d/11439-f-droid-vsor-droid-if...
> If the app is only available on F-Droid / third party F-Droid repo, use F-Droid Basic and use the third party repo rather than the main repo if available. > > If the app is available on Github then install the APK first from Github then auto-update it using Obtanium. Be sure to check the hash using AppVerifier which can be installed from Accrescent (available on the GrapheneOS app store).
https://discuss.grapheneos.org/d/16589-obtainium-f-droid-bas...
By the way, while GrapheneOS recommends Accrescent, I don't use it anymore because they can't even add apps like CoMaps, while some of the apps they actually added are proprietary.
That doesn't seem like a con if you take into account the context: F-droid is not shipping pre-build binaries from the developper, it asks for a buildable project from the developper.
If the source repo of the upstream dev are compromised, so will be hid own binaries anyway.
Also "private space" is now available with Android 15 and can provide the same separation within a single user profile.
Different use cases. User profiles are only active when you manually switch to them, while work profiles are active _alongside_ your main profile.
So for untrusted apps that you only use occasionally and on-demand (like the myriads of travel / shopping / random services apps), user profiles are great. For apps that you want to keep in the background, such as the proprietary messaging apps that all your friends use, a work profile is much nicer.
After opening the application, it complains about being installed through an "insecure method", and bails. Reinstalling through Google Play magically fixes that.
These "security checks" are spreading like measles, so expect to see this sooner or later.
That's because apps that aren't published just on the Play Store but also on other stores or for direct sideloads (for users running Huawei for example which doesn't have Play Store) need to be able to detect the installation method to do updates on their own if there is no backing store.
So then what's the point of having a Play Store without Google Play services?
I am personally more than okay with using the official, proprietary GP services from time to time if they abide by the same rules, especially that I can make these rules as strict as I want.
Signal brings its own notifications, so they work perfectly.
The only app which was broken to the point of unusability was Too Good To Go, which demands that you pick locations on a map which relies on Play Services; the manual city entry is broken.
I use Google Maps only in Firefox Focus, but I've heard that builds of Google Maps up to about a year or so ago didn't rely on Play Services, and with Aurora Store you can manually enter a build number to install.
tl;dr: 10/10, fabulous experience.
Install Droidify, enable the repos, and install "microG Services" and "microG Companion".
https://www.fossify.org/apps/
Fossify is a FOSS project with a handful of volunteers and they do take donations:
https://www.fossify.org/donate/
Note that a community fork done by some core contributors was just spawned: CoMaps [1]
> K9 Mail / FairMail - Mail client
And now there's Thunderbird, which is branded version of K9 Mail IIUC (I don't know if there's any reason to switch from K9 Mail to Thunderbird for existing users)
[1] https://f-droid.org/en/packages/app.comaps.fdroid/
The only problems you might run into would be some features might require privileged access, things like Now Playing. Makes sense because normal apps cannot have unrestricted access to the microphone like that. Google Wallet works, but you cannot make payments because the app refuses to work on alternate OSes.
Besides that kind of stuff, though, I've used all sorts of Google apps without issues.
Not to get too deep, but contemporary philosophy posits that our phones have become extensions of our brains (not only theoretically, but literally! See e.g. Andy Clark and David Chalmers, “The Extended Mind,” 1998). Our devices have access to profound parts of our lives— our habits, friends, desires, notes, thoughts… With something this fundamental, it’s vital to have privacy.
Thank you, Graphene team, for all the hard work you do.
I do not use banking apps (I only use banks that allow me to log in via browser using a 2FA which is not a proprietary app, like a FIDO key or other physical dongle), but do I get it right that Revolut would allow me to pay via NFC in this case? Is this something geo-dependent?
https://grapheneos.org/articles/attestation-compatibility-gu...
No comments yet
I didn't bring this up when it was a news story last month because there was a lot of cynicism in the thread, but I am genuinely curious. I am really grateful for both GrapheneOS and Google for creating a phone platform that Just Works for the essential stuff and that I can reasonably recommend to non-technical people!
[0]: https://news.ycombinator.com/item?id=44259921
GrapheneOS typically ports to new yearly Android releases in a couple days and tends to have it reach the Stable channel in under 2 weeks. We completed our initial port to Android 16 in a similar time period after the release on 2025-06-10. However, we then had to reimplement device support in a similar way to how we would support a non-Pixel device. Our initial production release based on Android 16 was published on June 30th. As usual, we had to spend around a week making a series of releases fixing regressions reported by users. It reached our Stable channel on July 8th.
Since our port to Android 16 took significantly longer than usual, we backported most of the Android 16 firmware, all of the kernel drivers and parts of the userspace device support to our now obsolete Android 15 QPR2 branch and did a few more releases based on Android 15 QPR2 where we were able to provide the full 2025-06-05 patch level which also turned out to be the full 2025-07-05 patch level due to no vulnerability fixes in the July 2025 Android Security Bulletin or Pixel Update Bulletin. This was an unusual approach and not generally a reasonable way of doing things. We were able to do it successfully.
It won't be nearly as much of an issue going forward since we dealt with building the new automation we needed. Our port to Android 16 QPR1, Android 16 QPR2, Android 16 QPR3, Android 17, etc. shouldn't be nearly as difficult and we should get back to our typical porting time for major releases.
Is there any chance that you fabulous guys could lobby for a smaller <5 inch phone with that OEM? (reference https://news.ycombinator.com/item?id=44586723)
But I'm still left a bit confused about the future devices GraphaneOS will support:
Because you said discussion are being done with an OEM, will GraphaneOS switch from pixels to a different device?
You also said that not having the device tree won't be a major hurdle in building GraphaneOS for the future, does that mean we can expect the pixel 10 to have GraphaneOS or it's too early to know ?
Thanks again!
I bought a Pixel 9 Pro Xl specifically to use with GrapheneOS. Unfortunately, its OLED and my eyes were incompatible. The PWM on the screen was terrible and I had to return it after some headaches.
Of course, none of that was the fault of GrapheneOS. I absolutely loved using it and think your project is vital.
Android and Chrome are potentially going to be split from Google:
https://www.nytimes.com/2024/11/20/technology/google-search-... (https://archive.ph/egRL4)
Pixels are no longer the Android reference devices. An Android company ending up with the OS, Google Play and Google's OEM partners wouldn't need Pixels. That's a possible reason for the change. However, the simplest explanation is that they're continuing to take cost cutting to an extreme where it negatively impacts their long term revenue far more than the money it saves. A lot of Pixels were sold due to first class support for using other operating systems including it not voiding the warranty.
The only technical limitation I have encountered using these ROMs is related to GPS: my position is often lost and I need at least multiple minutes to gain it back (or sometimes it never comes back, depending on where I am). This is likely related to not using Google's location services, even though I have turned on all settings like using WiFi / bluetooth to improve the location accuracy. I tried every advice I found online, without luck. Somehow the issue is a bit worse on Graphene, as my position is lost every time I close the Maps app, but it may be related to the phone and not the OS.
[0] https://lineageos.org/
[1] https://grapheneos.org/faq#supported-devices
Pixel 8 works amazingly with Graphene's new network location feature. Position fixes are SO MUCH FASTER. It is truly a gamechanger. First it was Wi-Fi only, but they just released cellular location as well. They provide a proxy to Apple's location services.
At least hidden profiles would be good enough for basic protection.
They have this which wipes your device, but you can get killed under duress. https://discuss.grapheneos.org/d/14722-using-duress-password...
We think there's a good chance a motivated adversary is going to be familiar with GrapheneOS and its features, and the more mainstream it becomes, the more this can mean "your abusive significant other" rather than someone at the border.
The moment people know this feature exists, it can become dangerous even if you don't use it. You can be threatened to unlock, and even if you do, the adversary can choose to not believe you since they can think you're just hiding it. That puts you in a dangerous situation where they think you can provide something that's literally not there.
It's a very difficult problem to solve, and we don't think that proposal can solve it.
If the threat model is hiding from random people, I think a hidden profile works very well.
Now let's talk about motivated adversary as you put it. Hidden profile and wiping are not either-or, they can coexist. If one is really targeted by a motivated adversary, it should be apparent in most cases, and the targeted person can choose to enter the wiping PIN instead of the secondary profile PIN.
Now if one is targeted by a really motivated and threatening adversary, I don't think wiping PIN is any better than secondary profile PIN. The moment one chooses to wipe the phone, the adversary could be triggered by the action and harm the victim anyway.
[1] https://9to5google.com/2023/11/20/lineageos-number-of-device...
We're of the opinion that there's a growing portion of the population that is becoming more security and privacy conscious, and that's reflected in our userbase, which has been growing consistently over the last few years.
We're not saying we're going to have iPhone's marketshare, but we're constantly growing.
>Now if one is targeted by a really motivated and threatening adversary, I don't think wiping PIN is any better than secondary profile PIN. The moment one chooses to wipe the phone, the adversary could be triggered by the action and harm the victim anyway.
Yes, but at that point, the data is irreversibly rendered inaccessible. There are situations where the data itself is the most important factor, and where the owner of the device being hurt doesn't benefit the adversary now that the data is gone. Of course, as with everything, it depends on one's situation, but the duress PIN feature doesn't involve trickery. It's a way to reliably and quickly do a very specific thing.
Oh god, yes. Please! I can't wait to leave the walled fruit garden, but can't tolerate Google sniffing everything I do or do not do on my phone either.
PS. I just hope it's an OEM that sells devices to a lot of countries including developing ones and not something like Fairphone.
For a corporate using an OS in work phones. The threat model is state/corp-sponsored actors. Trade secret leak is unacceptable. When in doubt, data should be wiped. Now wiping PIN makes total sense and is the only sensible option.
An ordinary person, on the other hand, often deals with non tech-savvy ordinary people. The threat model is different. Most likely plausible deniability is enough. The threat level is low. Those users may accept to trade some data security for a more friendly feature.
The ultimate question is whether Graphene envisions itself an opinionated OS that always follows the "best practice" or a generic OS that allows users to define their own threat models.
Let’s say someone have you at gunpoint, you can just give your mains profile pass.
If they don’t even know there is a secret profile you’re good to go.
You’re right, they might assume you’re hiding, but I’d say 99% won’t know what’s even graphene and from those who know I’d say they might force you and you can have 3 sets of bank accounts:
Main profile: 100 Secondary: 1000 Terriary: $$$
Also if you hide all traces of grapheneos would be safer too. Nobody even knows is graphene, so they can’t even check what features you have. Again we are talking about 99% of the criminals, not the tech savvy 1%.
I’d prefer plausible deniability like Vera crypt than what we have now.
I think the main problem is that people can be affected that aren't even using it, which is why it is such a big problem. You can't really hide it's GrapheneOS either, even just by virtue of the features available on the device, you'll be able to deduce what it is.
I understand the idea behind it but it simply isn't realistic to provide and can put people in danger - the very thing it's meant to prevent.
When I say hide, again for 99% of the people. Splash screen, setting spoofing. Sometimes good enough is better than perfect.
And even if the attacker can see the other profile you can just say was your friend’s profile and it’s lost.
Or better, not sure if possible: export the profile in a file like veracrypt. Then when you need the profile import from this file and would restore the secret profile.
It's not about criminals. It's about the police, government spy agencies, and other knowledgeable threat actors.
I rather have this hidden profile that would stop 99% of criminals than what they have now.
I think their approach to this project is to deliver real security at the cost of features.
If the only thing protecting you from getting shot to death is a bulletproof vest, clearly a lot has already gone very wrong, and you're likely to die today anyway. But that kind of thinking is exactly what leads to a failure to defend in depth.
In fact, a core aspect of security is having access to a feature in the very first place.
A forum, being hosted on the web has absolutely no reason to stay away from the de facto scripting language of the platform. What would be your threat model for that forum? A zero day that would break the whole world?
However, we're currently working with another OEM and are hoping to have a device of theirs meet our requirements that can be launched in 2026 or 2027. Nothing set in stone, but we're optimistic thus far.
Much like you don't hear the sound of a busy city until you go somewhere truly quiet, you don't remember owning your own brain until you evict all of the entities who have been living rent free in it.
Keep doing the great work you're doing: it's making people's lives better in dramatically more significant ways than most software.
In any case, thank you for all the work so far!
The unfortunate thing is that they make security promises which aren't upheld in practice (such as shipping security updates on time), so it doesn't inspire confidence as an OEM you could trust to properly support a device for multiple years.
We're hoping that there will be people who will enjoy a device from the OEM we're in talks with - we know that there are many people who for various reasons don't want a device from Google, so this will at least offer an option for people who want to use GrapheneOS on a non-Google device.
At the risk of doing their work for them, that seems like a near ideal partnership opportunity for graphene, so it’s extra sad to see.
Google provided resources for the Linux kernel to extent LTS support for 6 years for their 5 year guarantee with the Pixel 6. It ended up not being needed since Pixels began moving to newer Linux LTS branches. The official Linux kernel LTS support is back down to 2 years. The 6 years was meant to benefit all Android devices but it proved to be too difficult to do well and it makes more sense to invest a far smaller amount of resources moving to new LTS branches.
Fairphone presents providing an Android OS release 3 years after it was released as providing 3 more years of extra support compared to an OEM releasing it in the month it was launched as their final update. That doesn't make sense.
They've repeatedly had blatant security flaws such as using publicly available private keys for signing the OS on the Fairphone 4. These issues are downplayed rather than being acknowledged.
There are important security features missing, but the main issues are the lack of proper updates and their approach to security flaws being reported and discussed.
Many Android OEMs are a better fit for a partnership with us and we're working with one.
https://discuss.grapheneos.org/d/24134-devices-lacking-stand... is a better thread about this than the one you linked.
> Hardware memory tagging
I had to Google this. Is this like a fine-grained version of mprotect, i.e. associated permissions with each tag? Or are you only interested in the memory safety benefits? Regardless, why target requirements that even most desktop computers don't meet?
https://discuss.grapheneos.org/d/8439-mte-support-status-for...
> Hardware memory tagging is going to provide a massive increase to protection against remote exploitation for GrapheneOS users. It's the biggest security feature we'll be shipping since we started in 2014.
It provides the ability to tag 16 byte granules of memory with 4-bit tags where only pointers with the correct tag can access the memory. This provides an approximation of memory safety very useful for security.
As an example of how it gets used, our implementation of the system allocators via hardened_malloc tags each allocation with a randomly generated tag excluding the adjacent random tag values and previous random tag value for the slot. It has the standard setup of a single statically reserved tag (zero) used for free memory but adds 3 more dynamic exclusions. This provides deterministic detection of small overflows, linear overflows, many forms of use-after-free and fallback to probabilistic detection of other spatial (bounds) or temporal (use-after-free) memory safety issues. We use a lightly modified variant of the standard MTE integration for PartitionAlloc in our Vanadium browser, but we plan to improve it to match hardened_malloc. We use the standard Linux kernel implementation for the internal Linux kernel allocators which needs a lot of improvement.
> why target requirements that even most desktop computers don't meet?
Desktop computers are far less secure than an iPhone or a Pixel with the stock OS. GrapheneOS exists to provide a higher level of privacy and security than those. GrapheneOS is primarily aimed at mobile devices which are almost entirely 64-bit ARM. Hardware memory tagging (MTE) is a standard ARMv8.5 / ARMv9 feature provided by every standard ARMv9 Cortex core. MTE is only missing with custom CPU cores or cache while cutting this corner.
Pixels are not the only devices providing MTE. Exynos and MediaTek have provided it and Snapdragon should be providing MTE starting at the end of this year. The only reason Snapdragon is late to the party is due to their custom cores/cache.
We're currently working with a major Android OEM towards multiple of their future devices meeting all of our requirements and providing official GrapheneOS support. They view all of our officially listed requirements as completely reasonable and a target they can meet for their next generation of devices.
The purpose of GrapheneOS is providing a high level of privacy and security, not making security less bad for devices people already have. Hardware and firmware security matters quite a lot and software security depends heavily on hardware-based security features including MTE. Nearly all GrapheneOS users buy a device to use GrapheneOS and that would still be the case if we supported several other devices. The vast majority of Android devices lack proper security patches for drivers/firmware, are missing important hardware-based security features and don't provide serious support for using another OS where the security features can be kept intact. Samsung's flagships are closest to meeting our requirements after Pixels but do not allow another OS to use verified boot, important secure element features and more. Samsung permanently cripples their devices if they're unlocked and voids the warranty, unlike Pixels.
The reason we're working with an Android OEM is because existing non-Pixel devices don't provide a base we can use to provide what GrapheneOS offers. It would be missing huge parts of the core features elsewhere and would be worse in significant ways than the stock OS. It would go against what we're trying to achieve to have people buy devices we can't properly secure. Long term support for drivers and firmware is also important because people use devices more than 3 years from launch in practice. Pixels get 7 years of proper support from launch, which is unique. A couple OEMs market their devices as having similarly long support but the updates are significantly delayed and far less complete.
We've had numerous opportunities to work with OEMs where they weren't able to provide our requirements. We simply aren't interested in having a far less secure device with GrapheneOS as the stock OS. We expect our requirements to be met, and we think the OEM we're currently working with is fully capable of providing what we need. It will hopefully be available in 2026 or 2027. The initial goal is not doing better than Pixels, just providing a competitive alternative for people who want to use GrapheneOS on another brand of device.
you got it wrong way around
the CONSUMER criteria is "we want better independent security ON DEVICES WE ALREADY OWN"
complaints like in this thread are symptoms of unfullfilled demand - and they can't be solved by saying "oh gosh, what a stupid demand that doesn't agree with our supply"
vendor: not possible
you: unfulfilled demand
me: the way I see it, you get a product for free if you fulfill certain conditions. If not, you buy these conditions.
So Graphene is actually not limited to the developed/western world. As for not supporting other devices, I believe the reason could be the team size and the fact that the fragmented Android world is known for unique shenanigans of every OEM. Besides Google's update/upgrade cycle is another reason it is an appropriate choice.
You can have the best alarm system in the word, if you leave the back door open and anyone can just walk in from the street.
At the same time, we're in communication with an OEM to have some of their devices have official GrapheneOS support, so we're moving towards redundancy.
I would recommend checking out https://eylenburg.github.io/android_comparison.htm for a third-party comparison of these projects. They're not really similar.
CalyxOS downgrades security compared to the Android Open Source Project, often falls significantly behind on standard Android privacy and security patches as is the case right now (they still haven't ported to Android 16 which is required to have the latest patches) and doesn't provide similar privacy or security features.
Features like Contact Scopes, Storage Scopes and our Sensors permission toggle are some of the privacy features includes in GrapheneOS.
Privacy necessitates security. The security provided by GrapheneOS is in order to be able to protect privacy.
But there is still no way to reset/spoof android device ids, and the apps can reliably identify the user after reinstalls.
The point of the OP is not that it would be better than your solution anyway; rather, if you have a device unsupported by GrapheneOS, Calyx would be better than nothing.
Depends on your threat model. If Google, low-effort scam apps or being profiled by apps are your only adversary, then that's true. If random threats on Internet or APTs pwning your phone, or being forensic-proof are part of your threat model, then Calyx is strictly worse than stock.
Can you clarify what can one expect from legacy extended support. Will old devices get any more updates? how long, how often, is it just security patches etc..
Thanks for you hard work!
What about Graphene ? Can I get 5 years of updates without needing to wipe the phone ?
[1] https://discuss.grapheneos.org/d/475-wallet-google-pay/4
There is an option though: Heliboard with a custom swipe configuration applied (which is apparently sourced from Google, I'm not sure how "grey" that is).
It definitely works as a swipe keyboard, but it's just not as good as GBoard. I will persist, however. I hope that it's learning at least...
Instead, I installed CalyxOS and have been using it over a year now and I'm very happy with it. Check it out.
You have to be aware that you give that person root when you use Graphene. All possible technical improvements aside this is a very big risk. He claimed he would step back after the video released, then called that a lie and continued with everything.
Calyx seems to be the best alternative right now without such a risk factor.
While I don't think the developers necessarily hallucinates being attacked (i.e. given the nature of the project, I would expect them to be persons of interest, be it from surveillance agencies, or even state actors), the main issue with Rossmann is their claim that he is either personally directing harassment against GOS, or colluding with and encouraging other communities to harass (mainly Kiwifarms, Techlore, CalyxOS, and other Android related FOSS projects). This claim seems to originate then cascade from Rossmann leaving the comment "Informative, but unfortunate" on TechLore's video criticizing GOS's leadership. This is taken as explicit support of TechLore community's / KiwiFarms alleged harrassement on the lead GOS developer, and this has somehow been cascaded and blown out of proportions, and considered by GOS developers as evidence of Rossmann's wrong doing against them.
As mentioned somewhere else, I am using GrapheneOS since 2 or 3 years now, based on Rossmann recommendations. The software is very good, pretty much native Android experience, but without the extra alleged Google snooping / root access. Rossmann himself seemed to have stopped using it as his main device because of fear of retaliation given that the GOS devs could potentially target him. Better safe than sorry. I still use it because I am not that high profile of a person, and generally will use throwaway when it comes to discussing anything GOS related at this point. The overall leadership however, based on Rossmann's and later my personal interactions with them however, did leave a bad after taste.
But he didn't. It's clear in his later videos that he was still using GrapheneOS, I believe even for months after the video.
> Better safe than sorry.
People who are familiar with how GrapheneOS updates work wouldn't agree. No identifiers are sent to the update server, so targeted updates aren't possible that way. Also, update servers only host static files. If Rossmann was really that worried, all he'd have to do is use a VPN. But that was all just a huge dramatic act so his video would get more views, and possibly to entertain his fellow Kiwi Farms members.
> extremely hostile and threatened Rossman
At the time, he was very upset. You know, because he was swatted multiple times. Of course he was upset when Rossmann showed his true colors and was trying to talk to him. Rossmann saw this as an opportunity and recorded it as it was happening. He tries to portray Daniel as crazy and people who attack the project and his friends on Kiwi Farms lap that stuff up.
It's not true that he stopped using GrapheneOS, though. He continued using GrapheneOS for months after that video, which you can see by watching his later videos.
> hallucinates
Repeating baseless claims that he's crazy.
> You have to be aware that you give that person root when you use Graphene.
What? This is a very strange way to say it. Either way, it's literally impossible for someone on the GrapheneOS team to target someone like what was claimed in the video. GrapheneOS devices don't send identifiers when they contact the update server. The update servers also only host static files.
> Calyx seems to be the best alternative right now without such a risk factor.
The "risk factor" is completely false. It's all made up to attack GrapheneOS, making the founder look like a crazy person, then people are scared of using the OS. CalyxOS is not a hardened OS and rolls back security in some ways. It's not the next best alternative for people who care about these things.
> Of course he was upset when Rossmann showed his true colors
I saw the chats. You lie. Showing his true colors = not accepting that there is an evil conspiracy and asking for proof. You are completely brainwashed and I will not continue this discussion.
If Calyx is not the next best alternative be invited to link to what you think is the best alternative. I still think it's Calyx.
As for the personal aspect, the lead developer is definitely not the best representative of the project from a communication perspective as he might not have that kind of social skills (based on his posts). [1]
But he (Micay) is an excellent security researcher, and has an excellent track record when it comes to prioritizing his users. There was a sponsorship in the beginning, where the legal entity, CopperheadOS tried to hijack the whole project. But Micay rather kill the project, than let the users' security suffer and revoked the signing keys. And I'm sure such a betrayal would cause anyone to lose a lot of faith in others' actions.
> Give that person root
Complete bullshit, what root?! And if anything, you are the one who are trying to discredit a project here, by sharing some dumb clickbait video.
[1] I see that there is now a project manager doing most of the communication, which is an excellent solution!
Your CopperheadOS description is one perspective, one that does not look all that believable now after his mental illness became clear.
I did not share the video, but I would and it is not clickbait.
I will not further respond to you, I don't think this would lead to a fruitful discussion. Kindly think about what kind of trust is necessary to trust in the proper functioning of a device as personal as a modern phone, and think about attack scenarios that could occur when the main developer of your OS is not trustworthy in the slightest.
Here you are again in yet another comment repeating these baseless claims about mental illness.
> think about attack scenarios that could occur when the main developer of your OS is not trustworthy in the slightest.
First of all, he's not the main developer. There are multiple developers. The other developers do most of the development work these days.
But to say that the OS is untrustworthy is completely false. You say GrapheneOS's founder has a mental illness based on watching a video where someone turned malicious toward the project recorded a conversation where the founder was extremely upset after being swatted multiple times.
The update client doesn't send identifiers when checking for updates, and the update servers only have static files saved to them. You're making stuff up here, and clearly trying to turn people off of using GrapheneOS by repeating baseless claims that the founder is crazy and fake worries of being targeted by them.
At the time, Rossmann was mainly using GOS, but due to what he perceived as hostile behavior from GOS toward him through their communication, he opted to stop using GOS (at least on his main device, as he claims).
His rationale was that the behavior of said lead developer was not "rational" and "scary", and since the developer has not only edit access to GOS code but also update publishing infrastructure, Rossmann's data or himself could be targeted through malicious code pushed via an update, for example. While GOS is opensource and malicious code or exploits could be detected by the community, he himself did not have confidence to audit the source code to make sure it was safe, hence his decision to stop using.
By risk factor, I think the grandparent suggests that something similar could happen to someone else using GOS, the risk factor being essentially at the mercy of GOS developer, would they wish to harm said user.
This isn't even possible given how updates on GrapheneOS work. The update client doesn't send identifiers to the update server, and the update server only hosts static files.
Rossmann either doesn't understand this, or he made it up to get more views, or possibly to entertain fellow Kiwi Farms members.
To be honest, I don't think that he didn't understand that he couldn't be targeted. He continued using GrapheneOS for months after the video. As I understand it, it was clear in a few videos months after the initial video was published.
if (user is rossmann) {
}makes me think who is paranoid here.
And if your whole business is a secure OS, it's a very risky proposition: you get caught doing this once, and your reputation is gone forever.
Rossmann himself has no confidence to audit the code, so why take the risk ? Good enough reason to be "paranoid", or at least feel uneasy about it if you ask me.
GOS doesn't use an account, so the code would have to perform very targeted heuristics in order to verify this is Luis' phone. It would have to compare his sim number against a known one, or dig into application data to find his logins and compare them against known emails. So the only reason to not write `if (user is rossmann)` would be to send various diagnostics over the wire, to a service that contains these identifiers and perform the comparison onlinr, meaning he would introduce an imense security whole into everyone's phone, and everyone would see there is a home calling.
So it's either a patch of if user == rossmann, or a home calling patch.
You just don't know what will happen is what I'm saying.
The "he has root" is also a reference to ubuntus shuttleworth.
You mean who tried to hijack the project in a very questionable direction, harming their users, he rather lighted the project on fire then let the users' security be compromised?
If anything, that is the greatest compliment you could give him.
Also, this is fud that he can push any kind of code, like you can easily check any part of the pipeline.
On one hand, sure it can be a compliment. On the other hand, it only increases the perception that he is could enact significant harm if he ever comes after you.
> Also, this is fud that he can push any kind of code, like you can easily check any part of the pipeline.
Who is "you" ? Neither Rossmann, neither me (software dev albeit not in cybersecurity), and even less so the average GOS user, and I would venture to guess that neither you can audit GOS code with enough confidence to declare that the risk of an exploit or backdoor being introduced is zero. Open-source is not a guarantee that code or software is secure (for e.g. CVE in xz utils and many such cases).
Edit: some clarifications.
Unfortunately, Rossmann turned out to be very dishonest, which in retrospect makes sense, seeing as he has no issues with using Kiwi Farms. He's verified account there is named "larossmann". I suggest you look into it.
It's not just something he's done with GrapheneOS and the founder of the project. There are many videos, such as the one he did on Linus from Linus Tech Tips where he similarly misrepresented things and ascribed mental health labels on them.
Regarding CalyxOS, I would recommend people check out https://eylenburg.github.io/android_comparison.htm as a third-party comparison for various projects, including GrapheneOS and CalyxOS. They're not similar projects.
I am sure you have proof for such a justiciable acccussation? The perpetrator is in jail and you can link to the court proceedings for example? You are surely not just regurgitating another hallucination by the Graphene developer, right?
> another hallucination by the Graphene developer
I'm going to assume that by you saying "another" you mean that there were hallucinations before this one.
What you are doing here is repeating baseless claims that they're crazy, which is complete nonsense. This is exactly the kind of problematic stuff that shows up on Kiwi Farms. Again, Rossmann has an account there and some of his videos seem to be made to appeal to Kiwi Farms users.
Which is not what I'm talking about. You claim you know who did it. Where is the proof?
Though I never doubted that the swatting attacks occurred, I am noticing now that you mention police reports without linking them. Let me guess, there is nothing online, no police press release, nothing?
> I'm going to assume that by you saying "another" you mean that there were hallucinations before this one.
Yes. Like the attacks he hallucinates from project like Calyx and from the Techlore Youtube channel, and the documented way he turned on Rossman. Always claiming there is proof he already provided for the evil machinations of the others, with references going to other claims of having provided proof before, with none to be found anywhere down that chain. That is pretty easy to categorize behaviour. I personally would not call him crazy (who the fuck is "they"?), that seems to be hurtful, but I am confident in seeing signs of a mental disorder there and stating that publicly.
> Again, Rossmann has an account there and some of his videos seem to be made to appeal to Kiwi Farms users.
Complete Bullshit. Provide links to the videos, otherwise that is another evidenceless attack and just confirms your pattern.
Disclaimer, I am a GrapheneOS user. I was introduced to GOS by Louis Rossmann initial 2 or 3 videos talking about giving them a FUTO grant, as well as praising GOS and showing how it easy it was to install, and how it gave back control to the user, and all the good things that GOS genuinely provides.
I have (unfortunately) followed this saga and went down the rabbit hole since the very beginning. To my understanding based on publicly available data, the key "evidence" put forward by GOS developer(s) / community manager would be:
1. Louis Rossmann leaving the now pinned comment "Informative but unfortunate" on TechLore's video on the leadership of GOS. They claim this is Rossmann showing support for Techlore and his community to (allegedly) harassed the (at the time) lead developer of GOS.
2. Louis Rossmann having KiwiFarm account. Yes, KW is a cesspit. However, all of Rossmann's message on the board mostly focus on either addressing misconceptions about himself, or promoting right to repair and similar topic. This can be easily checked, and at no point there is any public evidence of him supporting harassment toward the GOS developers.
3. Louis Rossmann being acquainted with leadership of other de-googling Android OSes (CalyxOS mainly I think) and also giving them a FUTO grant.
Essentially, "guilt by association". I know this because I have asked the community manager (goes by mbananasynergy on HN, and similar aliases on other platforms), and that is what they provided as "evidence" for Rossmann being guilty of harassing or promoting harassment against them (along with mentions of having 2 millions of USD worth of backing and ready to sue Rossmann, which has not materialized as far as know since ~1.5 years ago).
I want to preface by saying that GOS is really a good software, I have been using it for 2 or 3 years since then, and no complaints on that side. My biggest gripe however, is indeed with the leadership and management of the community.
I created a new account instead of posting this with my main because the leadership is in my experience very abrasive, to say the least. I have been banned without appeal from their Mastodon for leaving "thumbs up" smiley on : 1) messages suggesting the GOS devs to do an interview with Rossmann (as he did with other projects that received a FUTO grant) to further spread the word, or 2) messages suggesting to clear up the misunderstanding between the devs and Rossmann.
Any disagreement on their official narrative, or contrary opinion (even in good faith) leads to bans if they are in control of the platform, and accusations of collaborating with groups that harass the developers. Even here, anything contrary to that narrative will receive the usual wall of text describing the poster as sockpuppets, harassers directed by Rossmann, Techlore, CalyxOS, or any other projects GOS developers are beefing with.
I am disappointed by the situation, because I think GOS could have a larger presence and contribute to raising awareness about the importance of data security, but their leadership seems to be a considerable roadblock on that direction.
Unfortunatelly, EVERYONE, from all parties, fire shots for the wrong reasons, which perverts the discussion.
When you say to people to not use GOS because the lead dev is paranoid or the community is hostile you are throwing out the baby with the bathwater. The value GOS brings is undisputable. The quirkiness of the leadership is also undisputable. Let's decouple the two. If you wish for the community to get better, become yourself the better contact point amd generally focus on suggestion on that matter. Don't say to people to not use arguably the most secure android rom!
I used to respect Rossmann a lot, but he fell in my eyes both for the LTT and the GOS incident. I have been watching LTT since a kid and I know that his has grown to be a jerk without looking at his private communications, but his competitors fired shots at him for the wrong reasons (honey case) and so did Rossmann, riding the wave.
If you want to criticize someone for being a jerk do it, but do it for the right reasons, don't muddy the waters by injecting other stuff in the discussion.
It's one thing to separate the artist from the art, but I think that analogy does not apply when it comes to e.g. an operating system which essentially handles all of your private data. If anything, not being able to separate the art from the artist is the exact reason why GOS exists, the artist being "Google" and all their controversial practices. (Edit: or a simpler analogy, would you trust the food (art) of a cook (artist) that threatens to ruin your life ?)
The OOP is entitled to express his informed opinion and even provided what he based it upon. As a user, I think that is important context when it comes to picking something as sensitive as an OS.
> I used to respect Rossmann a lot, but he fell in my eyes both for the LTT and the GOS incident. I have been watching LTT since a kid and I know that his has grown to be a jerk without looking at his private communications, but his competitors fired shots at him for the wrong reasons (honey case) and so did Rossmann, riding the wave.
I happen to have a similar background as far as LTT (weekly WAN show and what not) and Rossmann are concerned As I mentioned before I (unfortunately) went into the GOS incident rabbit hole and overall still think Rossmann was principled. As far as Rossmann's criticism of Linus about the LTT Honey case, perhaps he could have had a more nuanced approach, yes. Regarding the BilletLabs cooling block, or the "Trust Me Bro", his criticism was substantive, and came from his own business background on dealing with customers (although you can argue that Rossmann has high standards). I don't think Rossmann "fired shots for the wrong reasons", namely since LTT has publicly acknowledge the issues.
> If you want to criticize someone for being a jerk do it, but do it for the right reasons, don't muddy the waters by injecting other stuff in the discussion.
Just curious, but who is muddying waters, and how ?
> an operating system which essentially handles all of your private data.
This is exactly why one should continue using GrapheneOS as it is by far the best, most secure and private option. If you do not agree with one project member about something that is not related to the technical features of the project, it does not matter, since you can not be targeted with any GOS updates. Same updates would have to go to all GOS users and as stated before, the previous project leader has a stellar reputation when it comes to their work and prior actions regarding users security and privacy.
> the artist being "Google" and all their controversial practices
You believing this is a problem, you should then be using an iPhone anyway.
You are worrying GOS devs might push a malicious update, even when there are no proofs of that happening? What prevents the same from happening with other projects that are already inferior in every way? You are implying people should switch to less secure options because of this one thing that also applies to all other options? It does not make any sense and seems dishonest.
In the context of this whole rabbit hole, pretty much all of the parties.
When you bring someone's dirt put in the public, not to support an argument but just to attack them because you don't like them, uou are muddying the waters.
MegaLag did it for Linus
Steve did for Linus
Luis did for Linus
Linus did for Steve
Linus did for Luis
Henry did for Daniel
Luis did for Daniel
And of course Daniel pretty much does for anyone :p
These were not conversations based on logic, each had a reason to dislike the other and dag up dirt for clicks and for leverage.
The older I get the more examples I've come across of a person destroying their reputation by either self-over-exposure (social media) or just basic exposure via news of some outrageous or illegal behavior.
I don't have a problem with whatever line you choose to not cross, and I was once much more self-righteous, but I've more recently pretty much made the conscious decision to separate product from producer, art from artist, etc.
Theo Lengyel was recently arrested for murdering his girlfriend, and yet I will still listen to and enjoy Mr. Bungle's music.
Gary Glitter... I still like the song Rock n Roll Part Two.
J.K. Rowling has some controversial views on transsexual women, but that doesn't mean that the Harry Potter series is any less worthwhile reading than it was before.
ReiserFS
I still buy Nestle Quik occasionally
Steve Jobs, Bill Gates, Mark Zuckerberg, name almost any tech bro... (but not Steve Wozniak, he's a treasure)
Sports stars.
Musicians.
I wonder how many other things are worthy of protest if we knew all the facts about all the people who were involved in it's creation.
(I'm attempting to respond to the general concept of "he/she/they bad = it bad", not commenting on GrapheneOS vs CalyxOS or anyone's personal choice over where / what they choose to apply "he/she/they bad = it bad" to, other than saying that it should be a conscious decision not a reflexive reaction)
[0]: https://genius.com/Tool-third-eye-lyrics
I wonder if Google actually has an internal version of Android that's more security-focussed. Given that critical engineers' personal devices being hacked should be a security threat that's on Google's radar, it's possible.
https://grapheneos.org/faq#future-devices
As a large company, they are probably targeted through their devices and since they have the means, it does make sense that the Pixel devices have high security standards compared to other OEMs.
Not "pixel compact", but the size of an iPhone mini.
Over and again people on HN make the following argument: "Google is a company that makes most of its revenue from ads and surveillance. Therefore, you should always assume that Google is spying on you". But somehow when it comes to Pixel people give it a pass?
Prediction: If Pixel isn't already hardwired to phone home and report on your activities, it will slowly become so over time, as Google realizes its interest. You know, as it happened with Android, Chrome, and everything else that Google touches.
They write about their reasoning and criteria for device support here, for example: https://grapheneos.org/faq#future-device.
I'm not an expert, but baking telemetry into the hardware (or at least the kind of telemetry that I assume Google is interested in) seems like skipping a few levels of abstraction, and thus more trouble than it's worth.
They hear their favorite influencer spout something, and they parrot it everywhere. Google bad, hurr durr.
No comments yet
The Google Pixel requirement also makes me sad. I understand that they have solid reasons why. The problem is Google is incapable of selling their phones worldwide. It's really embarrassing for Google and unfortunate for me.
GrapheneOS can attest to the device's security. The question is whether the app developers will trust such an attestation. Will they put money, time and effort into evaluating and trusting GrapheneOS? Of course not. They will just decide to trust nobody except Google and Apple.
This is the future. We'll be discriminated against. Can't even log into an account from an "unauthorized device". Their servers will just refuse to talk to our phones if they can't cryptographically verify that we have not "tampered with" them. We'll be refused service straight up unless our computers are straight up owned by corporations.
This so called "integrity checking" is meant to protect the corporations from us, not the other way around. It's so we can't do things like hack our way around their "policies".
Beyond that, the GraheneOS team still controls a single signing keychain for all phones in the wild, which we have to assume is still controlled by Daniel Micay (strcat) as it has not rotated as far as I can tell since he mostly stepped away from public view.
He is without question a brilliant security engineer, but we can't ignore his very public Terry-Davis-esqe history of mental illness. Making -anyone- a single point of failure for a ROM frequently recommended for journalists and dissidents is a bad plan, and especially not someone very prone to believing wild conspiracy theories.
I can't recommend GrapheneOS for any high risk use cases until:
1. they are able to find a device they can run 100% open source code on with no binary blobs
2. The ROM can be full source bootstrapped to mitigate trusting trust attacks.
3. The ROM builds 100% deterministically and is reproduced and signed by multiple team members publicly
4. Threshold signing or a quorum managed enclave issues the final signature only if multiple team members give it signed approvals of a hash to sign.
Until at least those points are covered, the centralized trust model of GrapheneOS is a liability and the central keyholder is at high risk of being targeted for manipulation or coercion.
Honestly there is no good solution to these problems right now, and as a security and privacy researcher my best advice today to potentially targeted individuals is don't carry a phone at all, or if you must carry one, keep it in airplane mode whenever possible and do not do anything sensitive on it. Consider QubesOS or AirgapOS for such things.
If you are fine with centralized control of a phone, and fine with binary blobs controlled by random corpos having God access to your device, but would prefer to eliminate as much proprietary corpotech bullshit as possible, then I would suggest considering CalyxOS which is at least run by a former LineageOS maintainer with a great reputation.
Cops say criminals use a Google Pixel with GrapheneOS – I say that's freedom
https://news.ycombinator.com/item?id=44658908
Cops in [Spain] think everyone using a Google Pixel must be a drug dealer
https://news.ycombinator.com/item?id=44473694
ICEBlock, an iOS Exclusive
https://news.ycombinator.com/item?id=44672521
There are some corrections that we have contacted the author about regarding the history of the project. They initially e-mailed us to ask a few questions but seems to have maybe misunderstood something.
For clarity, GrapheneOS is the continuation of CopperheadOS, not a new project that spun off from it.
As an example, it can be seen that our repositories and legacy bugtrackers are ours:
-https://github.com/GrapheneOS/platform_manifest/forks?includ...
-https://github.com/GrapheneOS/platform_bionic/forks?include=...
-https://github.com/GrapheneOS-Archive/legacy_bugtracker/issu...
It's a direct continuation, but was renamed to GrapheneOS post the failed takeover attempt. GrapheneOS has persevered and is all the stronger for it. Over a decade now. :)
Why lie about something so easy to disprove by a bit of research? There were a bunch of articles about this back then, even wikipedia states it clearly.
I've used Lineage without MicroG, as a comparison, and that's becoming more-and-more unusable every day some lousy Android developer tethers their company's app to some feature exclusive to Play Services.
Depending on where you are in the world, there might be other NFC payment options for you.
In the EEA and UK, Curve pay works. Paypal made their own solution and is rolling it out, starting with Germany. Both work with GrapheneOS. Many banks also have their own solutions.
Reading some comments here regarding hidden profile, security through obscurity doesn't and will never work. Add to that the fact that GOS is well known now, those people think that if they were forced to give their phone away, they won't have to disclose the hidden profile??? Newbies!!
I don't wonder why GOS team never bothered to prioritise this.
I have been using GOS for a few years now, it is perfect, full control over everything, the teams support is like no other and full transparency about everything, the release notes are like no other.
I really hope this project will never die.
Currently you can only keep it on the main profile or any other secondary, which are easily visible.
With my approach you can minimise 99% of the risks for most users.
And even so, you can have 2 hidden profiles. So you can always show the decoy hidden profile.
Going down the rabbit hole of secure hardware leads you down a slippery slope of eventually needing to create your own chips. And that's basically impossible these days for anybody smaller than Google or Samsung. So you do some research, pick the best you can, and hope for the best.
Perfect is the enemy of good.
Google Pixel hardware provides nested virtualization, enabling a Debian Arm "Linux Terminal" in pKVM/AVF VM, with use of Debian package repos.
Ummm. Was this sarcasm that went over my head? Because if not, I have a hard time thinking of anything that requires as much trust as your private key storage.
Also, why would Google bother backdooring their special HW when 99.999% of its users are anyway gonna be running a totally Google-controlled proprietary SW stack?
Doesn't the existence of FHE downgrade that to just "complete practical trust" at least? Not that I know of it being employed, but that it could be, and that it may be worth shouting out exactly cause of how niche and impractical it is.
With SEV-SNP and Intel TDX I think it's possible to build a hardware platform that doesn't require the user to trust the OEM although they still need to trust at least one large American tech company that controls the root of trust.
But I don't think this is ever gonna happen for consumer devices. AFAIK it's only sorta kinda happened for any real-world platforms at all (but maybe someone can correct me).
Ultimately if your threat model includes Google as a potential adversary, and you are not in control of nuclear weapons, you are gonna have to make some serious sacrifices to achieve security IMO. Smartphones are out. (Actually, I guess if you trust China you have a way forward).
I do some watersports and always take my phone with me, so letting emergency services see my location is good for my safety in case I ever got into trouble on the water. I also have a PLB, but I like to have two devices for redundancy, as is best practice.
https://github.com/GrapheneOS/os-issue-tracker/issues/1174
GrapheneOS supports E911 and has our own network location implementation you can enable which gets used by it. Unlike Google's implementation, our network location is based on location position estimation similarly to iOS. Unlike iOS, we'll be providing full offline support for it.
https://github.com/GrapheneOS/os-issue-tracker/issues/1174
I bought a second hand Pixel 7a for my recent migration. Battery isn't great, but it's good enough to get me through a day.
It's important to note that GrapheneOS is not some niche barely-used project. It has existed since 2014 and is used by multiple hundreds of thousands of people at this point. There are also many eyes on the project through people forking it to make their own products, people maintaining their own builds etc. GrapheneOS is also reproducible in addition being open source.
On our side, we are very particular about accepting outside contributions if they don't need meet our standards, and code is heavily reviewed within our team before being merged.
I'd also recommend giving https://grapheneos.org/faq#audit a read through.
All in all, your concern, while valid, isn't something that's likely to happen precisely because we're very aware of situations where it has (see xz) and are therefore very vigilant. The kind of thing you're worried about isn't likely to come from a big project like GrapheneOS that has many eyes on it, but rather something small that's used everywhere and barely has a couple of devs working on it, if that (again, see xz).
I think of two things, the Solar Winds build corruption, and putty's mishandling of e521 keys.
What is your vulnerability to a similar disaster, exploited or not?
From what I have observed, nobody is held to account when there is a software issue, commercial or open source.
Open source software is everywhere. Do you think Microsoft or Redhat going to be held to account if they accidentally added some backdoored OSS code? Moreover all of the development happens in the open and you can build it yourself. I'm not sure what the alternative is. Just trust Apple has their shit together with iOS?
At least graphene wouldn't be expected to shield the perpetrator.