Been running GrapheneOS for about 18 months now on a Pixel 8 Pro. The banking app situation is genuinely better than the article implies. Sandboxed Play Services handles most major apps fine, including N26 and Revolut which I use daily for fintech work. The main friction is not apps but convenience features like auto-fill across profiles breaking if you use the separate work/personal profile setup.

What most people miss: the real value of GrapheneOS is not just escaping Google surveillance but the per-app network and sensor permission toggles. Being able to cut network access to apps that have no business phoning home changes how you think about every install. That alone is worth the switch.

Been using this for about a year on a p9 pro. It works very well. I hear the google tap to pay does not work, but I've never tried it. However Vipps with their tap to pay works fine. BankID works but not with biometric login, which some things require IIRC. And for some reason DnB private works fine, but you are not allowed in on the corp app.

It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro, crazy that they trust me since it is not Windows - the truly secure OS!

Knew about those things before I started, so all in all I'm pretty happy. I'd recommend NOT using different users for different things (I started with banking etc in one profile, that ended up being a huge PITA and according to their docs it is mostly security theater anyway). Happy tinkering!

• madeforhnyo

  today at 2:53 PM

  A collegue of mine was tech lead at a large online bank. For the mobile app, the first and foremost threat that security auditors would find was "The app runs on a rooted phone!!!". Security theater at its finest, checkboxes gotta be checked. The irony is that the devs were using rooted phones for QA and debugging.

  • monksy

    today at 10:14 PM

    A lot of that is security theater at its best. However given the forced attack surface I would imagine that there is a hard push from authoritarians and the finance world to make a "secure chain" from service to screen.

    My guess: They're afraid that the scammers are going to mirror the screen and remote control access to the app. (More orgs are moving to app/phone based assumptions because it saves the org money and pushes cost on the consumer) Instead of providing protections from account take over.. we're going to get devices we don't own and we have to to pay for, maintain and pay for services to get a terminal to your own bank account. Additionally, there are many dictatorships, like the UK, North Korea, etc, that are very adimate that you don't look at things without their permission. So they're trying to close the gap of avoiding age verification bypasses with VPNs.

  • protimewaster

    today at 6:50 PM

    Meanwhile, it's probably A-OK for the app to run on a phone that hasn't received security updates for 5 years.

    I don't get it. If they're worried about liability, why not check the security patch level and refuse to run on phones that aren't up to date?

    I'm guessing it's because there are a lot of phones floating around that aren't updated (probably far more than are rooted), and they're willing to pretend to be secure when it impacts a small number of users but not willing to pretend to be secure when it impacts many users.

    • tadfisher

      today at 8:02 PM

      > If they're worried about liability, why not check the security patch level and refuse to run on phones that aren't up to date?

      Google doesn't provide an API or data set to figure out what the current security patch level is for any particular device. Officially, OEMs can now be 4 months out-of-date, and user updates lag behind that.

      Your guess is good, but misses the point. Banks are worried about a couple things with mobile clients: credential stealing and application spoofing. As a consequence, the banks want to ensure that the thing connecting to their client API is an unmodified first-party application. The only way to accomplish this with any sort of confidence is to use hardware attestation, which requires a secure chain-of-trust from the hardware TEE/TPM, to the bootloader, to the system OS, and finally to your application.

      So you need a way for security people working for banks to feel confident that it's the bank's code which is operating on the user's behalf to do things like transfer money. They care less about exploits for unsupported devices, and it's inconvenient to users if they can't make payments from their five-year-old device.

      And this is why Web Environment Integrity and friends should never be allowed to exist, because Android is the perfect cautionary tale of what banks will do with trusted-computing features: which is, the laziest possible thing that technically works, and keeps their support phone lines open.

      • protimewaster

        today at 8:15 PM

        All good points. Thanks for that!

        I'm not an Android developer, but I was thinking they could use something like the android.os.Build.VERSION.SECURITY_PATCH call to get the security patch level. Maybe that's not sufficient for that purpose, though.

        • tadfisher

          today at 8:27 PM

          Sure, there is enough information available to the app to determine what OS version and patch level it is running under. The issue is, the app would need to communicate this to the bank via an API, and the bank wants to trust the app in the first place in order to rely on this information.

          Even then, two things turn out to be true:

          - Banks don't actually want to put in the effort and deal with angry customers with slightly-out-of-date devices.

          - All the credential-stealing malware on Android works perfectly fine on stock, unmodified, non-rooted OS images anyway. They just need to socially-engineer the user to grant accessibility permissions to the malicious app.

      • KoolKat23

        today at 8:33 PM

        There's definitely some way of telling, Enterprises can block sign in with no recent updates in Microsoft authenticator or whatever app they use.

  • zobzu

    today at 3:00 PM

    ive seen: -"but ios can be jailbroken and it doesnt have an AV!" while the MDM does not allow jailbroken devices, and they also allowed sudo on linux.

    auditors are clueless parasites as far as im concerned. the whole thing is always a charade where the compliance team, who barely knows any better tries to lie to yhe auditor, and the auditor pick random items they dont understand anyway. waste of time, money and humans.

    • virtue3

      today at 5:29 PM

      at best it's "cover your ass security" so when you do get pwned you can say you went through an "accrediting auditor" - blah blah blah.

      Agreed on everything you said. Just wish there was a more efficient way to do things :/

  • dlcarrier

    today at 5:27 PM

    As long as copying some numbers, printed on a piece of plastic, into an online order form is all the authentication that is needed for a transaction, anything more than that is inherently security theater.

    • rahkiin

      today at 5:44 PM

      That’s why for most transactions I do with a credit card in my country, you need an extra validation with the mobile app. It is mostly American websites that do not enable this functionality.

      • monksy

        today at 10:17 PM

        Because we have anti-fraud consumer potection rules and CCs operate on a make money first type of bais. The debit networks on the otherhand are a different story.

      • drnick1

        today at 5:54 PM

        Yes, because we don't want these stupid locked down apps. Credit cards give buyers many protections, it's very easy to dispute an illegitimate transaction.

        • gwillem

          today at 6:06 PM

          However, you pay 2.7% for that convenience

          • drnick1

            today at 9:38 PM

            The consumer does not typically pay this directly. It may be passed onto the consumer indirectly through higher prices, but those apply to anyone regardless of payment method. On the contrary, I get cash back on purchases and other rewards.

  • sunaookami

    today at 3:12 PM

    Yeah that's the first thing a pentest will complain about, had the same problem too. I pushed back enough so that it's trivial to bypass but the bank and pentesters also agreed with me that it's security theater or else I would never had the chance.

    • hparadiz

      today at 3:38 PM

      I always ask them if they have root/admin on their computer. Then follow up playing dumb with "shouldn't we lock out PCs too?". Watching them stammer is worth the 30 second aside.

      • JoshTriplett

        today at 4:54 PM

        > Then follow up playing dumb with "shouldn't we lock out PCs too?".

        Unfortunately, some banks do, for various functionality; there are many things you can do via bank apps and not typically via their website.

      • GoblinSlayer

        today at 4:41 PM

        Locking down PCs is easy: just set a random password.

        • LoganDark

          today at 5:21 PM

          Just blow the right hardware fuses and secure boot will be forced with a key that doesn't (or can't) exist.

      • huflungdung

        today at 5:17 PM

        [dead]

  • bnjms

    today at 6:32 PM

    Who do we lobby to get this removed from the auditors checklists? This is a solvable problem but it’s political. And if we don’t solve it personal computing is at risk.

    • prasadjoglekar

      today at 6:37 PM

      Start by calling (or visiting the area office of) your senator and congressman. If you are reasonably articulate, they engage and listen. Doesn't matter if the listener is not a techie; they will ask questions around policy and why it affects constituents.

      This is 1000x more useful than online petitions or other passive stuff. Politicians know that one person to have taken the effort to do this, means 1000 others are feeling the same thing but are quiet.

      • monksy

        today at 10:19 PM

        From my experience with the fed level senator.. they're already lobbied to shit. For example, explaining to Duckworth that fed level id tying to your internet travel and encryption backdoors aren't safe.. they'll send you copy that she really wants you to know she's thinking about the children while rolling around in her wheelchair.

      • jstanley

        today at 7:41 PM

        This is nothing to do with politicians.

  • NewJazz

    today at 3:45 PM

    But grapheneos doesn't need to be rooted!

    • HybridStatAnim8

      today at 8:54 PM

      Unfortunately, root detection is greatly flawed, most of the time.

  • ACCount37

    today at 3:08 PM

    Oh how I fucking wish "security" wasn't a stupid cargo cult checkbox list 3/4 of the times.

    Unfortunately, the rot runs too deep.

    • empyrrhicist

      today at 3:27 PM

      Your password must be between 8 and 12 characters, and must have lowercase, uppercase, numbers, and punctuation.

      Pick up the can!

      • InitialLastName

        today at 3:35 PM

        My favorite is when it must have punctuation, but certain punctuation is silently banned, so I have to keep refreshing my password generator until it gives me an acceptable combination.

        • __MatrixMan__

          today at 9:44 PM

          Sometimes when that happens, and any of `:({ |&;` are on the no-no list, I try bypassing the client validations and setting my password to a shell fork bomb. So far as I'm aware it hasn't broken anything yet, but I'm determined to keep trying.

        • korhojoa

          today at 6:04 PM

          I came across a "special character" requirement while creating an account. The client validation was not the same as the server validation. The client proceeded as if my account was created, but it never was. The client functioned without an account until it was closed. I asked the creator what their app's problem was, why did I need to keep resetting my password, then be told that I don't have an account, and have to create it anew.

          They would not believe I was creating an account and using the device, because their own logging was so terrible.

          I had to send them a screen recording from me using this abomination, and only then was I told "you're using the wrong special characters". They helpfully gave me some examples of allowed special characters, which then would pass the server validation.

          I wish they would have gotten rid of the account requirement, as the device and client software seemed to work fine without them.

        • abustamam

          today at 4:27 PM

          Somewhat unrelated, is there any technical reason certain punctuation might be banned? I can understand maybe not allowing letters with diacritics or other NON-ASCII chars but why would a system reject an @ sign or bracket > for example?

          • GoblinSlayer

            today at 5:34 PM

            Depending on the protocol they can be url encoded or even helpfully html encoded; the same password can be used over different protocols. It's the best to not use punctuation by default (length supplies more entropy than charset), I add -0 at the end to make dumb password policies happy.

            • InitialLastName

              today at 8:53 PM

              Often, the same ones with limited punctuation also have length limits, so maximizing the character options is the only way to maximize entropy.

          • angst_ridden

            today at 5:37 PM

            A lot of the restricted stuff is cargo-cult fear of symbols that could be used in SQL-injection or XSS attacks.

            A properly-coded system wouldn't care, but the people who write the rules have read old OWASP documents and in there they saw these symbols were somehow involved in big scary hacks that they didn't understand. So it's easier to ban them.

      • delta_p_delta_x

        today at 4:05 PM

        Having more than just alphanumeric characters widens the domain of the password hash function, and this directly increases the difficulty of brute-force cracking. But having a such a small maximum password length is... puzzling, to say the least. I would accept passwords of up to 1 KiB in length.

        With rainbow tables, even 11-character simple passwords like 'password123' can be trivially cracked, and as the number of password leaks show, not everyone is great at managing secrets and credentials.

        • empyrrhicist

          today at 4:23 PM

          It's easier for me to remember really long passphrases than even short alphanumeric strings - small maximum password lengths set my teeth on edge. The passwords should be getting hashed anyway right?

          • raddan

            today at 5:35 PM

            The problem is that you never really know what a website operator does with your credentials. Ideally, you have both a unique email and a unique password for each site, because sadly credential stuffing [1] is a thing.

            [1] https://en.wikipedia.org/wiki/Credential_stuffing

          • abustamam

            today at 4:31 PM

            Should being the operative word...

        • tshaddox

          today at 4:22 PM

          I bet the rationale would be "anything over 12 characters will be too hard to remember and people will just write down the password."

          • empyrrhicist

            today at 4:30 PM

            But it's a maximum. It prevents people that want to use passphrases from doing so.

          • abustamam

            today at 4:30 PM

            I think we (whoever we is) should start normalizing the concept of passphrases; on sign-up screens they should show the benefits of a passphrase. I'm surprised that Googles PW generator does not use passphrases, and I don't know about ios because I haven't tried theirs yet.

            I started using passphrases after I saw this xkcd https://xkcd.com/936/

            When I'm trying to log into something on a device that has a terrible keyboard, like a TV or giant touchscreen, it's a lot easier to type words I know than gibberish.

            • delta_p_delta_x

              today at 4:52 PM

              correct horse battery staple; knew it before I clicked the link.

          • unethical_ban

            today at 5:02 PM

            Until the late 2010s, the AD account password at my financial institution employer was capped at 12 characters because, for a subset of workers, AD creds were sync'ed to a mainframe application that could only support that many characters.

        • abustamam

          today at 4:20 PM

          I recommend all my friends and family to use a password manager like Bitwarden, and if they can't do that for some reason, at least use a 3-word passphrase separated by a hyphen.

          The amount of times people have complained to me that this doesn't work because of low max-chars on passwords is insane.

          • empyrrhicist

            today at 4:24 PM

            One time I had to reset my password with the power company - they had such a system, and the lady had to read me something like:

            Uh4zB4DP55WD!

            Apparently I was a bit salty with the system when I set it.

            The fact that she shouldn't have even been able to look up the password in the first place due to hashing was lost on her.

            • abustamam

              today at 4:32 PM

              That's pretty funny on a few levels, not in the least that they required a "secure" password like that but stored them in plain text.

              • raddan

                today at 5:39 PM

                I regularly conduct transactions at the branch of my local bank wherein they ask me for no credentials whatsoever. I also once forgot to bring my account number with me and the teller said "no worries, I'll look it up for you." Kind of horrifying.

                • lostlogin

                  today at 5:47 PM

                  Oh! But that’s safe! Secret question time: What’s your mother’s maiden name.

                • jazzyjackson

                  today at 8:07 PM

                  It helps that it’s a jailable offense to make fraudulent transactions

              • empyrrhicist

                today at 7:25 PM

                Yeah I was a bit shocked... like... you're not supposed to know that!

              • tonyedgecombe

                today at 6:14 PM

                My bank’s password field is case insensitive. Of course they could have lowercased it before hashing but I doubt it.

      • abustamam

        today at 4:24 PM

        Haha having such a low range of max chars just makes it that much easier to brute force doesn't it?

        On password length, I once had an account on Aetna that let me put whatever I want for my password, so I used a three-word passphrase that bitwarden generated for me. It ended up being like 20 chars.

        Then I tried to log in with that password. Whooosies, the password input only allowed max 16 chars!

        Ended up using a much less secure password because of this.

        • empyrrhicist

          today at 4:29 PM

          Maximum lengths like this are like a big neon sign that says:

          "Hey idiot, I'm storing your password in plaintext, don't know anything about password security, and I'm also going to make you pick something you can't remember for 'security'."

      • barbazoo

        today at 3:34 PM

        > Pick up the can!

        Gotta admit, this triggered me. I don’t think those are the same thing. If no one had a good password we wouldn’t affect each other negatively. If no one picked up trash, we would.

        Edit: Sorry folks, didn’t get the reference.

        • estebank

          today at 3:50 PM

          I'm pretty sure it's referencing Half-Life 2, where an agent of an oppressive regime tells you to pick up a can that they just dropped on the floor as a sadistic display of authority (and to provide world-building and teach the grab mechanics to the player).

          The GP is equating policies for strong passwords that aren't trivially cracked with authoritarianism.

          If no one had a good password, we actually would affect each other negatively. If your personal banker can be easily compromised, that means that you could be easily parted with your money.

          I do agree that they are not the same thing.

          • empyrrhicist

            today at 4:27 PM

            > The GP is equating policies for strong passwords that aren't trivially cracked with authoritarianism.

            Incorrect - the requirements I mentioned make passwords less memorable and less secure (maximum length 12???). Obviously that's not as bad as authoritarianism, but I was trying to capture the arbitrary act being forced on us for no real justifiable reason.

        • smlavine

          today at 3:50 PM

          It's a Half-Life 2 reference: https://www.youtube.com/watch?v=nJshjMyg6no

  • mmooss

    today at 5:28 PM

    > the first and foremost threat that security auditors would find was "The app runs on a rooted phone!!!".

    GrapheneOS is not rooted, or is not required to be.

    • subscribed

      today at 9:26 PM

      No it's not, but it's bundled in the same basket. "Didn't pass DEVICE_INTEGRITY -> rooted"

• fodmap

  today at 12:17 PM

  > It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro...

  Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.

  I have several linux phones but I can only do banking with their app downloaded from Aurora Store in my Vollaphone.

  • shevy-java

    today at 1:31 PM

    This should be illegal that the government forces people into apps controlled by private, commercial entities. I call such a government corrupt.

    Here in central Europe I can still access the bank website fine without smartphone. I need a physical device to yield a TAN though, but I can access and do online transactions fine. So I think something is wrong with the spanish government. People need to protest.

    • dotancohen

      today at 2:38 PM

        > This should be illegal that the government forces people into apps controlled by private, commercial entities. I call such a government corrupt.
      

      Or how about schools requiring parents to use WhatsApp to receive updates and information? Luckily my ex forwards to me the important stuff, but not everyone is as lucky to have an ex like mine ))

      • ryandrake

        today at 6:56 PM

        If the government (or school) is going to require us to have a smartphone in order to access critical government information, then we should demand that the government provide us with a compatible smartphone.

        • NewsaHackO

          today at 9:35 PM

          Would you use that phone?

      • raddan

        today at 5:51 PM

        Forget exes—-how about current partners! I predict with high confidence that my wife’s response to such a request would be “grow up and install WhatsApp already.”

    • antonyh

      today at 3:50 PM

      I switched bank in the UK due to enforced app use, from Starling to Nationwide. They use a card reader to issue codes, so I can still use the web. I see this as a much of a must-have as physical bank branches with real cashier services.

      • tonyedgecombe

        today at 6:19 PM

        But Starling has always been app only?

    • phantom784

      today at 2:18 PM

      Especially in Europe! They shouldn't be forcing you to run an OS from an American company.

      • wolvoleo

        today at 2:38 PM

        Even the EU initiative Wero requires Google or Apple. You can't even use it on a desktop pc and you're not even allowed to have developer options on. Ridiculous. I've never seen any app that is so strict.

        • kyusan0

          today at 7:11 PM

          That's not exactly right, Wero the app is not Wero the payment system. Banks and payment processors are expected to integrate Wero the same way they do with iDeal and similar systems. So ultimately if your bank's app doesn't require attestation you will be able to use Wero through it.

        • rahkiin

          today at 5:47 PM

          Weird, because Wero is an internationalization of the dutch iDeal and that worked fine without any apps. You clicked ‘continue to bank’, select your bank, and then login on the bank web portal.

      • wcallahan

        today at 5:26 PM

        American here who values individual liberties greatly. I know things are politically tense at the moment, but I’m not sure I understand this popular contemporary sentiment.

        I’ve always believed governments and companies should be regarded with fairly low trust, and the behavior of big tech companies and some recent government actions are great examples why.

        But what disappoints me a bit about this moment is (the perhaps inevitable?) response to nationalism with more nationalism.

        Just as I didn’t seek to punish the EU over authoritarianism in Hungary and Poland, I feel the current moment has many responding to the symptoms instead of the sources of the problems. This is not a defense of policies I believe concern you, it’s a question of priorities.

        I think the author of the article got it right. Because in addition to privacy, I believe one should be able to navigate the internet freely without a mandate to do business with monopolistic dominant companies, which includes rights like ownership of your data.

        • raron

          today at 7:32 PM

          I don't think this is about the current situation in the US.

          Big US tech companies are infamous for not following the EU's data protection rules, and they wouldn't even able to, because some US regulations (I think PRISM, FISA and others) are incompatible with the requirements of EU GDPR. This dates back at lest to Snowden leaks and the invalidation of EU-US data protection agreements by Schrems judgments.

          https://en.wikipedia.org/wiki/Max_Schrems#Complaints_with_th...

        • bogeholm

          today at 7:12 PM

          > But what disappoints me a bit about this moment is (the perhaps inevitable?) response to nationalism with more nationalism.

          Unfortunately it is now a question of sovereignty and basic risk management, not nationalism ([0] and multiple other sources).

          [0]: https://mspoweruser.com/europe-calls-out-us-tech-after-micro...

    • microtonal

      today at 2:35 PM

      My bank still supports TAN codes with a device too. Unfortunately, once it breaks or the battery goes dead you cannot get a new one and have to use their app. Fortunately, their app works on GrapheneOS without issues.

    • nazcan

      today at 8:07 PM

      As long as it includes websites made by commercial entities. Only standardized API endpoints!

    • Mindwipe

      today at 2:40 PM

      The DSA European digital wallet spec currently requires Google or Apple attestation, so not for much longer.

      And that is mandated by the EU.

      • notpushkin

        today at 3:50 PM

        Sigh.

        • k12sosse

          today at 6:38 PM

          Reputational awareness is what keeps people safe!

    • iamgrootali

      today at 2:50 PM

      [flagged]

  • Tharre

    today at 1:06 PM

    > Not in Spain. I can access my bank's website but I can't do anything without their bank app.

    I don't know about Spain specifically, but as far as I understand it no bank in the European Economic Area + UK should allow banking via just the website alone anymore, because of the "Revised Payment Services Directive" (PSD2) regulation.

    Essentially, banks are required to implement "strong customer authentication", which in essence is just multi-factor authentication with a password + either biometrics or a security device of some sort.

    And in practise that means a banking app, because most people do not want a separate token they have to buy and can lose. Though a lot of banks do offer those as well.

    • askonomm

      today at 1:19 PM

      In Estonia you can easily do banking via the website on all the banks (LHV, Swedbank, SEB). That said, we do have it all integrated with our digital-ID (which every ID card has private keys encoded into with a PIN you know) so it's not like you can access it with a simple password (our online voting works the same way).

      • edoceo

        today at 3:32 PM

        Can the PIN change? How to issue new key if needed? How does it integrate with the voting?

        • askonomm

          today at 6:16 PM

          Voting, much like all other things in Estonia such as getting married/divorced, doing taxes, signing documents, starting/closing companies, notary dealings, bank dealings, selling/buying vehicles, and many more things I can't even think of right now are entirely done via the digital ID that every citizen has. This means that you authorize/sign actions with it, including voting, because only you have your private keys (either in your personal ID card, in your phone's sim card, etc) that you yourself know the PIN for, which then authenticates you as being you. I think we're now at a point where there isn't a single government or business dealing you can not do entirely online (https://e-estonia.com/solutions/).

        • notpushkin

          today at 3:44 PM

          > Can the PIN change?

          You can change it in the app, yes.

          > How to issue new key if needed?

          I think you’ll have to reissue your ID.

          There’s also digi-ID (similar e-signature certificate on a card, but without any ID features), Mobiil-ID (e-signature on a SIM-card, no idea how it works), Smart-ID (in app, tied to secure storage in Android/iOS, cross-signed by the server which is supposed to check the device somehow) and probably something else I don’t remember. All of these are independent options, so you can, for example, revoke your Mobiil-ID if you lose your phone, and still use the your main ID card to sign things.

          • JCattheATM

            today at 4:49 PM

            > You can change it in the app, yes.

            Is the app tied to Google or Apple?

            • notpushkin

              today at 5:09 PM

              Nope, there’s a desktop version, too. And it’s all free/open source: https://github.com/open-eid

              (Though Smart-ID is its own thing and is a fair bit more locked down, but I’ve managed to get it running on a phone without Google services IIRC.)

              • NewsaHackO

                today at 9:39 PM

                Wow, that is definitely more sophisticated than we have in the states. It seems like you can use it for things that one would otherwise need a notary for, that is such a timesaver.

              • JCattheATM

                today at 5:15 PM

                Wow, that is nice!

          • GoblinSlayer

            today at 5:44 PM

            How much the certificate costs and lasts?

            • askonomm

              today at 6:09 PM

              It costs as much as your ID card costs by the government, and lasts as long as well. They are one and the same. Applying for a new ID card / national ID document in Estonia costs 35€ and the document is valid for 5 years. If you forget your PIN code, you can reset it with your PUK codes, but if you also lose your PUK codes you need to apply for a new ID card. The process for getting a new ID card from the moment you applied for it takes no more than 30 days. You can also have it fast tracked for 250€ and get it in 2 days.

              But, like the parent said, you have many other options other than the physical ID-card as well. Most people these days use Mobiil-ID or SmartID, which works on your phone and even smart watch. SmartID is completely free and Mobiil-ID is tied to your phones carrier, so the cost varies, but it's a one-time set-up fee of around 5€. Mobiil-ID certificate also lasts 5 years.

    • gunapologist99

      today at 1:56 PM

      TOTP not accepted?

      (When will people learn that biometrics are not another factor: they're entirely public and irrevocable. It's not just security theater, but Apple & Google know that this forces you into their ecosystem, which should be illegal. Of course, Brussels is full of rubes anyway.)

      • Tharre

        today at 2:50 PM

        The question is what generated that TOTP code. The banks must ensure that they "are independent, in that the breach of one does not compromise the reliability of the others," as article 4(30) states. That text is vague as hell, but published opinion of the European Banking Authority on the matter[0] is:

        "a device could be used as evidence of possession, provided that there is a ‘reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device’"

        So in essence the TOTP has to be bound to the device in a way that prevents users from just extracting the secret and putting in in their password manager. Hypothetically that would still allow Yubikeys and other security keys that provide attestation from the factory, but in practise banks probably don't want to deal with the support headache and just provide their own, like the TAN generator mentioned by other commentors.

        Two other highlights from the interpretation of the EBA:

        "App installed on the device" -> not sufficient/compliant

        "In the case of an SMS, and as highlighted in Q&A 4039, the possession element ‘would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number’."

        "SIM-card associated with the mobile number" - is that even technically possible? Do mobile carriers provide a API for banks to verify that a number still corresponds to the same SIM card? If so I've never heard of it.

        [0] https://web.archive.org/web/20191207213213/https://eba.europ...

        • GoblinSlayer

          today at 6:42 PM

          But they do use apps, and since everything happens on a smartphone - a single point of failure - they aren't independent.

        • gunapologist99

          today at 4:14 PM

          Like most security regimes, it's both overly prescriptive and woefully insufficient. In short, dumb. :(

      • vbarrielle

        today at 2:57 PM

        TOTP not accepted, because the confirmation for payment must include the amount to be paid, which cannot be done under TOTP as far as I know.

        • pixelesque

          today at 3:47 PM

          Some UK banks (Nationwide and Barclays I know for certain) have had mini card-reader PIN devices since around 2010 that they've given customers, that basically generate on an LCD screen an 8-digit code for authentication.

          When confirming a large transfer, you also need to enter the payment amount in the device, and I assume this gets hashed into the number as well.

          More recently (last 3/4 years), you can also use their mobile app to do this instead / as well as.

          • amaccuish

            today at 5:16 PM

            Moved from the UK to Germany. My German card reader is even better, no manually entering the transaction details, I just scan a QR code from my laptop, and the card reader display shows the IBAN and amounts, before I confirm to get the code.

    • severino

      today at 2:45 PM

      > And in practise that means a banking app, because most people do not want a separate token they have to buy and can lose.

      It can be SMS. As said in another comment, the main banks in Spain offer this authentication method while being PSD2 compliant. Some also offer a card with coordinates. So it's not mandatory in any way to use a banking app.

      • Tharre

        today at 3:06 PM

        Probably not for much longer though. Several countries, including mine, have already banned SMS 2FA for banking, and it's likely that that will be implemented for all of Europe in the near future, possibly with PSD3. Not that SMS 2FA was ever a good idea in the first place.

        But yes banking apps are not mandatory, and likely won't be in the near future either, though the alternatives are treated a bit like second class citizens.

      • fodmap

        today at 4:07 PM

        My bank offered that option but not anymore. The use of their app is mandatory now.

        Edit to add this anecdote. My bank told me I need to use their app because SMS is not secure, but you need to activate their app using an SMS code!

  • severino

    today at 1:59 PM

    I don't know which banks you are using but in my case I work with five Spanish banks and I can do everything from their websites, no app required. Yes, they try to push you to use their app, some tried to activate mobile 2fa for me when this psd2 thing became mandatory but I always told them their app doesn't work on my phone (which is true) and they offered me alternate methods like sms.

    • dotancohen

      today at 2:41 PM

      In my country we have a large religious population who eschew the smartphone. This means that no government, banking, or other services require a smartphone.

    • fodmap

      today at 4:43 PM

      Can you access their websites without the need to confirm 'who you are' with their app? In my case, not anymore.

      My bank used to have other options but it has made mandatory the use of their app.

      • severino

        today at 7:49 PM

        > Can you access their websites without the need to confirm 'who you are' with their app?

        Yes, none of them required me to use the app a single time. In fact, for all the banks I work with, I always identified myself at a local office when opening the account for the first time, the last one less than a year ago. And all of them allow me to operate in the website without the need of an app (actually I could never use any banking app as my telephone lacks Google Play).

  • lejalv

    today at 1:29 PM

    > Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.

    https://triodos.es has 2FA via SMS, for what is worth.

    • fodmap

      today at 4:19 PM

      My bank used to have it as well but not anymore. I wonder for how long Triodos will be able to keep that option.

  • FullMetalBitch

    today at 12:48 PM

    I have been using GrapheneOS for a few months in Spain with and out of three banking apps only one gave me trouble, I had to enable "Exploit Protection Compatibility Mode" on "app information". Personally I refuse to pay with the phone so I am okay not having that option.

    If someone wants to try Graphene os maybe that option will work on their banks too.

  • b112

    today at 12:37 PM

    Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.

    I've seen this elsewhere, and it's absolutely ridiculous.

    Why?

    Because in almost all cases, the apps may only be installed with Google Play, and require the framework to work correctly. And that means?

    If you are not in good standing with Google, you cannot bank!!

    I cannot stress how inane it is, to have Google or Apple as the gatekeeping to identify verification. How not having an active, in good standing account with one of these two, means you cannot bank.

    And it's happening more and more.

    Meanwhile, banks -- which tend to make billions in profits quarterly, do this to save on infrastructure costs. They do it so they don't have to stand up their own push servers, or have an app which doesn't require firebase.

    Well cry me a river, boo-hoo Mr Banker, I'm not even remotely interested in you saving on infra-structure costs at the loss of autonomy. And on top of this, many banks are reducing hours, closing branches, claiming that they don't need them.

    Leaving absolutely no other choice.

    This sort of thing should be illegal. Being in Spain, but requiring a US megacorp to tell your own bank, that you're you.

    • jlokier

      today at 2:01 PM

      > They do it so they don't have to stand up their own push servers

      I don't agree with this dependency on being in good standing with Google either.

      But there is a technical reason that isn't wanting to avoid using their push servers. It is about battery usage and radio bandwidth.

      Keeping open an idle connection over WebSocket, long-poll HTTP or TCP/IP needs regular pings (typically 30 seconds are used), one ping per connection. Otherwise your app can't be sure to receive messages from the server in real time, as the connection can disappear into CGNAT or similar hole where it doesn't receive messages sent by the server. To an app not using pings to check, such a blackholed connection is indisinguishable from an idle connection with no pending messages.

      Waking the radio every 30 seconds, times 2 (back and forth), times the number of registered applications, would be quite battery draining. It drains battery both for background CPU usage and radio processing. Those pings in aggregate can even amount to a significant amount of data usage for users on smaller plans.

      So there is a battery and radio advantage in using a shared push service, which only need a single idle connection to be kept live with 30 second pings.

      There's another level to this, not available to regular developers using TCP/IP, HTTP or WebSockets.

      The mobile network itself has to maintain handset connection liveness to the nearest tower, at a lower level than IP pings, and this is obviously optimised for battery and radio performance, and always running.

      With arrangements in place with the mobile networks (which Google and Apple have), the mobile OS can leverage that for more reliable, lower power push notifications, by either guaranteeing the network will send something technically similar to a low-level SMS when there's an outstanding message, or by guaranteeing their special push IP connection will stay live by itself (no CGNAT blackhole) or be notified if something happens to it.

      This allows the mobile OS to offer a shared push service that's fairly reliable at real-time notifications, with zero continuous CPU and radio power overhead for the idle connection.

      • dotancohen

        today at 2:45 PM

        Why does a banking app that I'm not currently using need to ping a server occasionally?

        When I want to do banking I'll open the app, do my business, then close the app. A banking application does not need push notifications.

        • jlokier

          today at 3:29 PM

          My comment was about push service sharing generally, not banks, from a technical point of view that many people aren't aware of but may find interesting.

          Clearly, real-time notifications are useful with many apps, notably real-time messaging, even if you don't think they have a place with bank apps.

          For bank and credit card apps, I find their push notifications to be very useful. They are among the most useful notifications I get, because they tell me about things I find important, which I wouldn't notice otherwise.

          They tell me things about transactions that have gone through, sometimes after a long delay, transactions that need confirmation right now or they will be blocked, balance being too low, or too high (credit cards), payments that are required today, refunds that came through after a product was returned, transfers that completed on the receiving said, payment received from a client, direct debits that are going out tomorrow so I will need to make sure there's enough in the account, customer service messages that require a response from me or they will eventually close the account, and so forth.

          "Just open the app" doesn't work: All of those, except transaction confirmations, are things where I wouldn't know to open the app if I didn't get a message of some kind to tell me.

          These days, in some juristictions it's also required to send real-time notification to confirm some purchases, because the phone's security is considered better than card details alone. Depending on how the purchase is made (e.g. in-person vs online, different payment terminals), you might not know the reason a transaction is blocked or held is because it's waiting for you to confirm in the app, so the notification is useful for this.

          All these used to be done by SMS, and that was useful too. But SMSs are just push notificatons with a worse UI and worse visual cues.

          • dotancohen

            today at 3:36 PM

              > But SMSs are just push notificatons with a worse UI and worse visual cues.
            

            ... and no dependence on Google or Apple.

        • vbarrielle

          today at 2:59 PM

          Unfortunately it needs push notifications to authorize online payments.

          • dotancohen

            today at 3:28 PM

            So open the app when performing an online payment.

    • afpx

      today at 1:54 PM

      I thought this was what Larry meant when he said surveillance will keep citizens on their best behavior. If one’s reputation score is low, sorry no money. Also, if anyone in one’s network has bad behavior, no money and no friends. Maybe the kids will learn to accept it, but being of the last analog generation, to me it seems like a painful future.

    • vladms

      today at 1:27 PM

      As far as I remember, last time I needed to use Google play on a shared phone I could just create a random Google address (I mean, completely invented name, etc.) and it allowed me to do anything, just as my normal Android.

      I am too lazy to test, but did this change? Can't you just make a "fake" account and continue with your life? The phone company knows where you are, the bank knows what you purchase. Compared to that Google will know far less (ofc, if you don't activate everything)

      I find it much more insane that it was possible for so long to do banking WITHOUT strong authentication (however implemented) by just providing those 3 numbers on the back of the card (strong security!)

      • ImPostingOnHN

        today at 2:26 PM

        No, they will either immediately or shortly thereafter require you to link a phone number, etc

        • vladms

          today at 3:35 PM

          The original comment was saying:

          > If you are not in good standing with Google, you cannot bank!!

          > I cannot stress how inane it is, to have Google or Apple as the gatekeeping to identify verification. How not having an active, in good standing account with one of these two, means you cannot bank.

          Having to register some phone number (does not need to be your main number, a sim card is quite cheap) to a "fake/unused" email address (even if as you say you are required yo) does not require you to "be in good standing with Google" and they are not gatekeepers of identity.

          At this point in time I feel the banks and the mobile phone operators are much worse managers of identity, because, for example they even accept stolen identifiers to make an account in "your name" - for me that's more ridiculous, not that they require some multiple factor of authentication.

    • bytejanitor

      today at 1:33 PM

      In Germany for some banks you can buy a TAN generator and then you do not need a smartphone app anymore. Is this an option in your area as well?

      • noAnswer

        today at 9:54 PM

        At my "traditional" bank I even need the TAN generator for my phone. While at my "neo" bank I even need the phone app to access the website. :-) (That is how the neo bank tricked me. I read "website access" in their ad and thought I could still access the bank account if I lose my phone. But no, you can't login without the app.)

    • derbOac

      today at 2:05 PM

      It seems like the right time to advocate for open standards in things like banking.

    • FullMetalBitch

      today at 12:54 PM

      Why? Technofeudalism is not going to impose itself

    • bergheim

      today at 12:40 PM

      Especially with how things are currently, I whole heartedly agree - you cannot operate as a human being in Europe without having a good standing with either Alphabet or Apple.

      Absolute madness.

      • 6LLvveMx2koXfwn

        today at 1:38 PM

        Absolute madness or complete nonsense - I have neither an Apple account or device, nor a Google account or mandated device (e/os on Fairphone 3+) and operate perfectly successfully in the UK with (almost [1.]) zero friction.

        1. Revolut app stopped working so I emptied my account and opened a Wise account which is fully administer-able from their website. Revolut has subsequently started working again after a couple of app/OS updates.

        • notpushkin

          today at 3:55 PM

          > Revolut app stopped working so I emptied my account and opened a Wise account

          Same, though I’ve never returned to Revolut.

          Wise does have some quirks (e.g. they’ve blocked me from unfreezing or reissuing my cards recently for no apparent reason), but still they’re way way closer to zero-bullshit than any other neobanks I’ve tried.

  • abdullahkhalids

    today at 3:12 PM

    Similar in Canada.

    - RBC 2FA is that if I try to login through my browser, the phone app will ask if I authorize the login. I think I can disable this and use sms/call, but that's even more insecure, so I don't.

    - TD lets me login fine and do everything in the browser. But any online transaction that is moderately large or presumably fishy, will force me to authorize the transaction via the app.

    These are among the largest banks in Canada.

• BLKNSLVR

  today at 12:49 PM

  I'd also recommend to slowly migrate to GrapheneOS, getting to know where the boundaries are for specific apps. Once you've got your 'dailies' all up and running predictably, then you're good to go, but it could take a few days depending on how much spare time you have to find said boundaries. Having said that, I turn on most of the higher level security protections, which quite a few apps need exceptions from.

  But, yes, you can't tap to pay and it's unlikely you ever will. Banking apps will be hit and miss depending on their (generally hypocritical) paranoia levels.

  I pay with a tap-to-pay card, and I have never needed to do banking related things immediately, I've always done it via the bank's website.

  I also still have a not-very-old 'normal' android phone for some edge cases - which are few and far between (actually, I think it's usually to cast youtube to the TV since I only have the revanced youtube app on the GrapheneOS device).

  P.S. On the use of profiles, I use them to separate work apps and notifications from personal, from sporting club, from X, Y, and Z. Yes, they're a pain in the arse to switch between, but I'd argue it's more of a pain in the arse to have them all jumbled together causing even more notifications, frustrations, and distractions from whatever one should actually be concentrating on in the present moment.

  • HybridStatAnim8

    today at 8:56 PM

    I recommend dividing per persona rather than per app category.

• mtlmtlmtlmtl

  today at 6:14 PM

  About BankID: There was a regression in the app back in june that broke the app entirely. Back then I emailed the developers complaining about it, and their response indicated that there was no deliberate attempt at breaking BankID on GrapheneOS, and the specific developer who replied to me said he was a fan of the OS.

  Biometric login was also confirmed to work around the same time. I can however confirm that it doesn't work on the latest app version. It complains that the webview isn't Google Chrome.

  This is probably just an oversight. I will email them again; good chance they'll push a fix to recognise Vanadium webview.

• pmontra

  today at 1:35 PM

  > I can use my bank on some linux distro,

  Yes, I've been doing that since 2009 on Ubuntu and Debian but there are several caveats.

  One of those banks has its own TOTP device and they won't replace it when the battery dies. It's almost 20 years old now. Then it's the fingerprint sensor on my phone.

  The other banks authenticate accesses and many operations with either their app + fingerprint (all of them) or SMS (some of them). So basically I would still need a phone with a blessed OS. I could buy the cheapest one and store it in a drawer, but it's still a dependency on Google or Apple.

  GrapheneOS requirement of Pixel devices is a dependency on Google too.

  • microtonal

    today at 2:33 PM

    GrapheneOS requirement of Pixel devices is a dependency on Google too.

    They are currently working with an OEM to release a non-Pixel GrapheneOS phone in the future.

    • dotancohen

      today at 2:36 PM

      I hope and pray that is a Samsung S Ultra device. The built-in stylus transforms the whole user experience, I would not go back to a device that I must swipe my dirty fingers across.

      • dangus

        today at 2:45 PM

        I’m just imagining myself pulling out the stylus on the train/plane, dropping it, and watching it roll away forever.

        • dotancohen

          today at 3:33 PM

          They thought of that! The cutaway of the stylus is a rounded rectangle, comfortable in the fingers but does not roll.

          In any case, replacement stylii are very cheap online. Less than a screen protector.

        • edoceo

          today at 4:21 PM

          The Palm Pilot experience. But that stylus was required for operation. Fortunately, just a plastic stick, so 3-pack replacement were cheap.

        • izacus

          today at 5:40 PM

          Millions of owners of Samsung devices somehow manage to not do that every day.

    • aloisdg

      today at 3:58 PM

      as long as it is not fairphone. I am out. I don't want to have to choose between privacy and sustainability.

• jlokier

  today at 12:59 PM

  > when you can just open the thing in a website anyway. I can use my bank on some linux distro

  Unfortunately not.

  I'm in the UK. Two of my personal banks, all four business banks that I need to use, and several credit cards, require authentication using their phone app to confirm login on their website.

  None of those I've seen are using TOTP or SMS, for which I could use a general security service. All use their own phone or tablet app. One does something interesting where the website shows a unique QR code on each login, the phone app reads it with the phone camera, and then website login proceeds instantly without clicking anything.

  Oh, and some of them also require phone app confirmation for card purchase transactions.

  When my last phone's screen stopped working, I called one bank's "phone banking" line (using another phone of course) to make an urgent transaction, and they told me they can't do that, as only service they offer by phone is registering a new phone or tablet. They told me explicitly that it's not possible to login to their web-based banking service without using their app for authentication, and on a registered device.

  It's the reason I have my current phone. I had to buy a cheap-ish Android in a hurry from a local shop, in order to proceed with my bank transaction.

  Back to the main topic: I love the idea of a properly open source phone, I used to own not one but two Nokia N900s, and I once toyed with the idea of building my own Linux phone from scratch, big project though that is.

  But the security ecosystem around logins has changed, and so have the services I depend on. These days I use many bank and other financial-service related apps, and I'm not, in practice, free to switch providers. So I couldn't use a Nokia N900 or modern equivalent any more as my only mobile device. I'd have to carry a second phone as well.

  (Banking and other service authentications are also the only reason I have my current passport. I resented having to pay to renew my expired passport, given I had no plans to travel (small children) and the expired passport used to be accepted, but I found some banks, credit cards and even government services increasingly requiring to see a non-expired passport from time to time. When I asked one of them what do they do for the large number of people who don't have one, they simply told me they close those people's accounts and that's ok, they don't need to serve everyone. But that's another story.)

  • eloisius

    today at 1:11 PM

    > require authentication using their phone app

    And banks often have their apps region locked, so if you live abroad or have accounts in more than one country, you’re fucked.

    • amaccuish

      today at 5:19 PM

      Cough cough, Nationwide UK. I emailed them, they said they had no plans to make the Nationwide UK app available globally on the iOS App Store.

• birdsongs

  today at 12:06 PM

  I was the one that submitted the DNB Bedrift app report to the sec dev repo! I contacted DNB but they never responded to my email. I wonder if we can find a dev? I believe that's how the private app got fixed.

  Want to use Vipps tæpp so much but I have Nordea for private and they don't allow it on their cards, for whatever godforsaken reason.

  • bergheim

    today at 12:32 PM

    Ah. Where did you send this in?

    I wouldn't mind sending in a complaint to both BankID (allow biometric login) and of course DnB corpo edition.

    • birdsongs

      today at 12:35 PM

      Oh! Sorry, you described the current state of things so well I assumed you were close to the project.

      Here is the github repo where banking app compatibilities are tracked: https://github.com/PrivSec-dev/banking-apps-compat-report

      And it's rendered to a page here: https://privsec.dev/posts/android/banking-applications-compa...

      • bergheim

        today at 12:38 PM

        Hah - both were in my browser history, yes I know them :) I misunderstood and thought you had sent direct emails to relevant parties arguing for why they should be allowed on grapheneos.

        Thanks anyway!

        • birdsongs

          today at 1:05 PM

          Oh I also misunderstood! I did send an email to DNB Bedrift customer service about Graphene support, citing the private app fix. They technically gave me a response that it would be looked into, but it felt very handwavy, and that was 3 months ago. It was via the bedrift portal, there is a "Send E-Post" button.

          I don't know how to contact the engineering team. IIRC that is how the private app got fixed, someone got word to someone on the inside.

  • omgmajk

    today at 12:35 PM

    Does the Nordea app work on Graphene? I am curious because I have been itching to switch my main phone to an alternate OS.

    • birdsongs

      today at 12:58 PM

      Yep! Perfectly, I use it daily. (The private customer one, not sure about business.)

• vages

  today at 11:53 AM

  Thanks for the Norwegian perspective.

  I agree that the locking down is truly stupid. For what it’s worth, the reasoning for locking down mobile apps is allegedly that mobile users are a less technologically competent demographic than desktop users. I do not think so myself, given the difficulty in trying Graphene vs. Desktop Linux.

  • malfist

    today at 12:56 PM

    Those people who root their phone and install alternate OSes sure are less technologically competent than someone with a browser and a laptop

    • UqWBcuFx6NV4r

      today at 2:02 PM

      “Installing alternate OSs” is juicy bait for “tech enthusiasts” who know just enough to be effectively worse off than someone with a browser, yes, and at its core is this holier than thou attitude.

  • microtonal

    today at 2:47 PM

    I agree that the locking down is truly stupid.

    I don't agree that it is stupid. Both banking on a Windows PC or on an unlocked + rooted phone is potentially catastrophic. Windows because of the prevalence of malware, unlocked phones with custom AOSP forks because people download 'ROMs' (as they call them) from the most shady sites.

    Once 10,000s of Euros are siphoned from a bank account, it's usually the bank that has to deal with the mess. Especially if they cannot prove the transactions were done in on an insecure platform.

    Phones are generally safer (though there is a huge variance between the safety of different Android phones) because they use verified boot and strong application sandboxing.

    I think it is possible to believe the following two things a the same time:

    - Banking apps should only run on locked phones with secure boot.

    - Banking apps should not be limited to the Apple/Google duopoly.

    The solution is that there is some validation of alternative OS vendors, e.g. in the form of an audit, and that banks are required to approve apps on their platforms after the audit. This would be fairly straightforward tech-wise, because e.g. GrapheneOS supports remote attestation, but banking apps need to add/allow the hashes of the official boot keys: https://grapheneos.org/articles/attestation-compatibility-gu...

    • Aachen

      today at 4:47 PM

      Needing to use a verified boot chain with keys that the bank trusts is essentially the same as using the authenticator device from said bank, except this one costs 100€ or more, has a microphone and camera built in, and you use it for private messages as well. That's not a future I want to live in

      We have secure hardware already, it's called a smartcard and is what you find in all bank cards, SIM cards, authenticator devices... my phone is my phone, not a second factor, or at least I (as a hacker/tinkerer) don't want it to be that way, just like with my desktop which is also not the bank's to mandate whatever from

      Somehow they got the memo for devices where it is normal to have admin permissions, but for mobile devices the two big tech companies successfully scaremongered non-techies

      • microtonal

        today at 7:28 PM

        Needing to use a verified boot chain with keys that the bank trusts is essentially the same as using the authenticator device from said bank,

        It's not, because even though the authenticator is secure, you are entering the auth codes in a browser in general purpose desktop OS with (if you use Windows or desktop Linux) little to no sandboxing outside the browser. You are one malware app (or NodeJS package for tech users who claim they'll never download malware) for your session getting hijacked.

        The sad reality is that phones (and some tablets) are the only relatively secure computing environments that we have. Thanks to Windows with it decades of piled up legacy and Linux with large sandbox and secure boot-hating parts of its community, we cannot have nice things.

        (The part about the Linux community, which I'm also part of is a generalization, but the hostility against Flatpak, secure boot, etc. is pretty big.)

        • Aachen

          today at 7:45 PM

          That seems wrong. If malware can fake what the authenticator shows me, the authenticator is broken!

          It doesn't matter what device relays the code I typed over or otherwise transmits the approval through untrusted networks to the server

          > The sad reality is that phones (and some tablets) are the only relatively secure computing environments that we have

          My bank('s authenticator hardware) begs to differ

          • microtonal

            today at 8:13 PM

            That seems wrong. If malware can fake what the authenticator shows me, the authenticator is broken!

            That's not what I am saying. The authenticator is irrelavant to this attack. If your machine is compromised by malware, the malware could take over the browser session, regardless of how you log in.

            Phones are better protected against persistent malware because every application is sandboxed (harder to escalate) and much more of the boot chain/OS is validated (harder to persist).

• baq

  today at 12:13 PM

  > I can use my bank on some linux distro, crazy that they trust me

  enjoy it while it lasts. hardware attestation requirement for (at least) banking apps is a question of 'when', not 'if'.

  • BLKNSLVR

    today at 12:51 PM

    I hope this isn't going to be the case universally. If my bank cuts off my access from my browser-on-linux setup, then I'm finding an alternative bank (hopefully some will always exist), which I don't say lightly since I've been with my current bank since I was old enough to have a bank account.

    • izacus

      today at 5:41 PM

      You'll quickly find out - as people are finding out in EU nowadays - that *no* bank will go through the trouble of fighting checklist security auditors to keep your linuxes working.

      Wait till you find out that your prefered Linux bank won't have the same mortgage terms as you'd like and you'll be running to buy a Google/Apple phone to get those % down.

  • Aachen

    today at 4:56 PM

    My bank has always had hardware attestation, but it was their hardware that was being attested. Customers get it loaned when signing up

    I have no problem with a device that they trust being used for transaction approval, but that device shouldn't also be the device I use for my daily life and do all sorts of private things on. We should want to be able to inspect that one

    • baq

      today at 5:09 PM

      I agree completely, except looking at my 2fa app I'd need 20 physical tokens, so we actually need a super-duper-yubikey

      • Aachen

        today at 7:41 PM

        Yeah, I should have pursued the idea ten years ago of making a usable 2fa hardware device (that confirms what you're authenticating and an attacker can't simply pull auth codes for whatever they want)

        Still, I'm plenty okay with my phone as a second factor for my laptop and vice versa for nearly all services. The rest is about tying things to a government identity (bank cares only if it's me who's authorising the transaction; government cares only if it's me who's requesting a student loan) and can be done with the chip that's already in my identity document and a single 20€ nfc chip reader or by using a phone as nfc reader

  • today at 12:14 PM

• RandomPenguin

  today at 4:53 PM

  > It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro, crazy that they trust me since it is not Windows - the truly secure OS!

  I'm worried the day will come when some sites will require, even on a computer, a full-chain verification from the bootloader to the OS, all the way down to the browser. By requiring that each of these elements be digitally signed so that if you're not on a "secure" platform, from the bootloader to the browser, sites such as home banking could restrict access. Imagine not being able to login to your home banking because your linux box is rooted.

  Btw, the good old days of modding are gone...

• Neil44

  today at 12:35 PM

  Same with Lineage OS, may daughter has an old Samsung with Lineage on it and the Wallet app doesn't work because the phone's been rooted.

  • notpushkin

    today at 4:46 PM

    Wallet app is still impossible to get working, but there’s been some development recently: https://github.com/microg/GmsCore/issues/361

    Some other apps are often willing to accept my current setup (Lineage for microG [0], plus Magisk, if you don’t need root – Magisk Hide does some magic I don’t really understand, but even without Play Integrity passing, apps just start working).

    With more tweaks, you might be able to get Play Integrity to work to some extent, but it’s hit or miss. I’ve just stopped using apps that demand it.

    [0]: https://lineage.microg.org/

  • Brybry

    today at 1:50 PM

    You're doomed to this issue with old phones in general.

    Even un-modified you'll then be stuck with an old version of Android that doesn't support the latest versions of apps and the old versions of apps won't work properly.

    It's really a shame because a lot of old phones work perfectly fine otherwise.

    • gunapologist99

      today at 2:00 PM

      Generally Lineage is the latest. Unfortunately, there are other issues (such as the blobs that Lineage needs drifting out of date, and it's usually suggested that you'll should backup and then wipe to upgrade to the next major release, etc.)

• moogly

  today at 5:14 PM

  It sorely needs to break free from the lackluster Pixel hardware. The OEM announcement can't come soon enough (and I hope it's Motorola).

• dotancohen

  today at 2:34 PM

  I have a few features that I need that I'm not sure if Graphene supports. If you could check that would help!

  Can you record phone calls? Do third party voice recorders continue recording even when the screen is locked? Thank you!

  • Cider9986

    today at 2:36 PM

    Yes to both.

    • dotancohen

      today at 2:47 PM

      Thank you!

• stronglikedan

  today at 4:41 PM

  > BankID works but not with biometric login

  Do you use any authenticator apps such as Okta? My org requires biometrics when using Okta on my phone.

  • birdsongs

    today at 5:19 PM

    I use microsoft authenticator, in its own work profile for work. I also use fingerprint login for Nordea, the Proton Suite, my personal 2fa program. Biometric works great on the Pixel 9A, at least, and it was fine on the 8 Pro when I had it.

    The BankID thing is a SW quirk on their end, but generic fingerprint seems works great across the ecosystem.

• iamgrootali

  today at 2:40 PM

  [flagged]

• kwanbix

  today at 10:21 PM

  [delayed]

The banking app compatibility issue gets framed wrong. The real problem is not "does Google Play work" but "does Play Integrity API work" - that is a device attestation mechanism, not a Google dependency per se.

Building fintech apps, we integrated Play Integrity as a fraud signal. Sandboxed Play Services on GrapheneOS actually passes most of these checks now, and false positive rates for legitimate users are negligible. The hardliners who refuse sandboxed Play can still use most banking apps that fall back to basic root detection rather than hardware attestation.

The real gap is NFC payments - Google Pay needs privileged hardware access that sandboxed apps cannot get. But that is one use case, not a reason to skip GrapheneOS entirely. Curve works fine in EU.

• sfRattan

  today at 10:23 PM

  If you're willing to invest in a smartwatch principally as a secure payment appliance, tap-to-pay with Garmin Pay works when configured on Graphene OS, and most Garmin Smartwatches will happily stay in airplane mode for months once it is configured.

  AFAICT, Garmin Pay works like Apple Pay, meaning (unlike Google Pay) no network connection is required.

I personally tend to own two Phones. One all-day carry GrapheneOS device (Pixel 8) and an older WiFi and at home only iPhone for all payment and ensurance stuff.

This is inconvenient in some ways, but at least it is sort of privacy as good as it gets while still being able to run official apps when I need them at home.

To de-google the phone, I use F-Droid as primary App store, Aurora as fallback for non-f-droid Apps and as a last resort Obtainium to install Apps that are not in these stores.

The only google App I really "need" (kind of) is the Camera App, which is sandboxed via GrapheneOS Storage Spaces and without Network permission (why would a camera need internet?).

To backup my phone, I use the integrated GrapheneOS Solution (seedvault!?) for storage and apps, immich for Photos and MyPhoneExplorer for Contacts.

Sometimes it is a bit hard to find good apps for specific purposes, so for everyone interested, here is a list of Apps that I personally use or have used.

  Newpipe - Youtube Client
  Audiobookshelf - Audiobooks
  Voice (PaulWoitaschek) - Local Audiobook Player
  Substreamer - Music
  DSub - Music (alternative)
  VLC - Video-Player
  Organic Maps - Google Maps alternative (not as good)
  PDF Doc Scanner - Open Source Document Scanner
  Wireguard - VPN
  Immich - Photo Backup / Viewer
  LocalSend - File Transfer
  K9 Mail / FairMail - Email Client
  KOReader - Ebooks
  Binary Eye - QRCodes and Barcodes
  Pure Todo - Self hosted PWA PHP Todo List 
  Signal - Messenger
  Open Camera - Open Source Camera App

• bramhaag

  today at 1:02 PM

  Some other FOSS apps I use daily:

  Aegis - 2FA (https://github.com/beemdevelopment/Aegis)

  Breezy Weather - A very good looking weather app (https://github.com/breezy-weather/breezy-weather)

  OnlyOffice Documents - MS Office suite replacement (https://github.com/ONLYOFFICE/documents-app-android)

  Fossify Calendar (https://github.com/FossifyOrg/Calendar)

  Fossify Messages (https://github.com/FossifyOrg/Messages)

  Aves - Local gallery with great organization (https://github.com/deckerst/aves)

  Termux - Terminal emulator (https://github.com/termux/termux-app/)

  Unexpected Keyboard - A unique keyboard that pairs nicely with Termux (https://github.com/Julow/Unexpected-Keyboard)

  WG Tunnel - WireGuard client (https://github.com/wgtunnel/wgtunnel)

  These are all easily installed through Obtainium: https://obtainium.imranr.dev/

  • Gormo

    today at 1:38 PM

    Some others that I use:

    * NextCloud -- client for personal NextCloud server; this app is used primarily for file sync, with other features accessed with other apps. (https://nextcloud.com/features/?filter=Clients#android-clien...)

    * KeePassDX -- password manager, shares DB with KeePassXC on desktop, which is synced via NextCloud. Also functions as a TOTP authenticator. (https://www.keepassdx.com/)

    * DAVx5 -- CalDAV and CardDAV client; keeps mobile calendar and contact list synced with private NextCloud server. (https://www.davx5.com/)

    * AntennaPod -- excellent FOSS podcatcher. (https://antennapod.org/)

    * KDE Connect -- desktop sync tool; allows file/clipboard/keyboard/audio/etc. sharing between phone and a Linux desktop. (https://kdeconnect.kde.org/)

    * Kore -- remote control app for a Kodi instance running on your LAN. (https://kodi.wiki/view/Kore)

    And I don't see F-Droid itself mentioned -- it's the most popular repository of FOSS software for Android, with an accompanying app: https://f-droid.org.

    • cf100clunk

      today at 5:08 PM

      > I don't see F-Droid itself mentioned

      F-Droid itself is great, but I find that the NeoStore front end to F-Droid is superior because it has multi-repository capability, offering a long list of alternative apk sources that can readily be verified for quality.

      • bramhaag

        today at 8:32 PM

        Additionally, the official F-Droid app creates unnecessary friction for GrapheneOS users they refuse to address: https://gitlab.com/fdroid/fdroidclient/-/issues/2914

    • compass_copium

      today at 2:04 PM

      I also like AntennaPod for audiobooks--fewer apps that way.

  • bahmboo

    today at 6:36 PM

    Thanks for the links. I am concerned about supply chain attacks and such with FOSS tools these days. It seems like the easiest attack surface. In my dev opinion it’s not if it’s when. Kinda sucks and I think the adversary is moving faster than the provider. (I have created and maintained public domain software but not currently. Now I’m crapping on the thread sorry. But no one else is sorry for crapping on threads…I need to stop over thinking or maybe just close this tab)

  • seanw444

    today at 6:01 PM

    Can't believe I've never heard of Unexpected Keyboard. Installing immediately. Thank you.

• 72deluxe

  today at 12:40 PM

  I like Organic Maps because it isn't full of the social things. Every time I open Google Maps it shows that card at the bottom with "what's popular in your area", full of pictures of people's breakfasts and other nonsense. Organic Maps is free of this noise.

  Also, the desktop client on Linux is quite useful.

  Alternatives for Windows etc. are Cruiser Maps, a Java application (and also available as an Android app).

  • sandreas

    today at 12:45 PM

    All map apps I tested so far were kind of usable but nowhere near Apple or Google maps. Especially for longer trips I often got lost and had to re-navigate by different reasons (voice announcement too late, no lane instructions, etc.).

    However, I listed it because it is a "usable" alternative that works offline.

    • notpushkin

      today at 4:55 PM

      Idk, pedestrian navigation has been pretty decent for me so far. (There’s been one case of it showing a path in Tbilisi that would require me to jump from a 3 m wall, but it was exactly once.) I suppose it depends on which city you’re in and how well mapped it is on the OSM.

      Where it’s lacking is POIs – there’s way more stuff on Google Maps, and if I’m looking for some place in particular, I usually go straight to Google, then copy the location over to CoMaps.¹ I then try to add it to OSM when I have the time. Still again, there’s no reviews or photos (in the app; OSM does support photo linking).

      Public transit is another problem. It’s usually okay for metro (MRT/LRT/etc), but I wouldn’t trust it with buses just yet.

      ¹ – yes, there’s been another fork: https://en.wikipedia.org/wiki/CoMaps#History

    • 72deluxe

      today at 5:38 PM

      I used OrganicMaps for navigation from the UK through France, Germany, Switzerland, back into France and then Spain last year on a 2 week enjoyable camper van trip. It can take a while for routing changes if you ignore it and decide to drive elsewhere, and I don't really use the voice alerts (I just have it on my phone on the dashboard via a magnet), but all in all it worked really well.

      Although I would like speed limits shown in MPH in the UK, OrganicMaps' KMH limits were useful on the Continent.

  • lejalv

    today at 3:43 PM

    > I like Organic Maps

    Does anybody know of a project that offers public transport routing? Ideally with real time information, but I can live with only using schedules or even just average passage interval.

    The other general sticking point for me is the reviews, but I could invite more serendipity to my restaurant search.

    • shantara

      today at 5:39 PM

      FWIW Organic Maps are aware of this issue. In the poll on their mastodon account, lack of public transit information was voted as number one missing feature. As far as I’m aware, they are looking into integrating the public APIs for it wherever possible.

    • Zak

      today at 3:59 PM

      Öffi, if it has coverage for the areas relevant to you: https://oeffi.schildbach.de/index.html

  • itissid

    today at 1:06 PM

    Google maps discover feature is a dumpster fire for fomo driven brain fog

• amatecha

  today at 7:47 PM

  Due to [0] and [1] I'm using the new fork "CoMaps" now, feature comparison: https://www.comaps.app/support/how-do-the-features-differ-fr...

  It's pretty excellent! The improved integration with OpenStreetMaps to provide edits/additions is great. I made my first contribution to OSM via CoMaps.

  [0] https://www.comaps.app/news/2025-04-16/1/

  [1] https://www.comaps.app/news/2025-04-25/2/

• epistasis

  today at 6:35 PM

  Thanks for this, it's so helpful for people trying out a new platform.

  I'd love to have something like this for Linux desktops as well. Maybe a website that has app-lists, where people can then potentially add info about their use cases and reasoning for their choices. Could be a great subreddit!

  I tried Omarchy specifically because installed an opionated selection of apps to covered most bases, and it got me started in Arch fairly quickly. I've now completely swapped out all the components so I no longer use Omarchy at all, but it was a great way to get back into desktop Linux after being away for 20 years.

• goda90

  today at 3:41 PM

  What would sandboxing an app like Google Maps look like? There are definitely situations where a sub-par map app would be detrimental. Obviously it's going to send data to Google, but do I have to sign into an account or will it have some other way of identifying my phone if I used a one-off account just for it?

  • dlcarrier

    today at 5:45 PM

    It doesn't need to be logged on to a Google account, and it supports locally storing map data and generating routes, so you could turn on network access, download local maps, block network access, then use it for navigation without it calling home.

    • goda90

      today at 6:02 PM

      There's also value in live traffic and road closure information.

• Handrail

  today at 6:58 PM

  I like your recommendations mostly, just wanted to point out that Organic Maps has had a falling out with the Open Source community that built it, so I wouldn't use that anymore. The community fork is called 'CoMaps' now.

• nickorlow

  today at 12:14 PM

  Grayjay is another good YouTube (and other streaming platform) client made by the company that owns Immich

  • sandreas

    today at 12:52 PM

    Uh this looks nice. Thank you.

• walthamstow

  today at 12:40 PM

  Voice audiobook player is so nice and simple, a pleasure to use

  • sandreas

    today at 12:49 PM

    I recently PR'ed some improvements within the search (series and part are now searchable).

    I also made a custom fork with some quality of life improvements, like series and part visible on screen, headset remote click patterns (tap for play/pause, double-tap for next, etc.).

    Currently I'm working on a totally DIY build offline audio (book) player with the footprint a bit bigger than the iPod Nano 7g that maybe never will be finished, but ATM it is fun to work on... (see https://github.com/sandreas/rust-slint-riscv64-musl-demo for the testing repo and https://github.com/nanowave-player/nanowave-ui for the latest code I'm working on)

"Break free from Google" and buy a Pixel phone from them to do so.

But unironically Pixels are currently some of the best actually open phones. They do not lock down or require shady practices for unlocking the bootloader (although they do require a network check once that happens automatically, but it will permanently allow unlocking the bootloader if successful once. Pixels are very easy to restore and almost un-brickable, allow bypassing the boot screen warning by pressing the power button twice, actually allow relocking the bootloader and don't void your warranty unlocking it, don't have a shady one-time fuse like Samsung phones do with Knox, etc.

• birdsongs

  today at 5:25 PM

  Graphene is supposedly working with a major OEM manufacturer to have future device support independent of google, on a flagship device. It's been in the works for awhile but it's very exciting.

  https://www.androidauthority.com/graphene-os-major-android-o...

  • I_am_tiberius

    today at 7:32 PM

    I hope it's Fairphone.

    • dannyfritz07

      today at 9:01 PM

      The tea leaves are indicating Motorola.

    • HybridStatAnim8

      today at 8:59 PM

      Its not.

• microtonal

  today at 2:56 PM

  Pixels are really great despite being from Google. I hope they will continue to make them unlockable/relockable. As you say they are also surprisingly hard to brick. Here is someone trying to break it intentionally during the GrapheneOS install:

  https://www.youtube.com/watch?v=ik0AiO0WtuU

  If you don't like giving money to Google, plenty of companies offer refurbished Pixel phones.

  • neelc

    today at 3:30 PM

    In the US, many refurbished Pixel phones are Verizon variants which disallow OEM unlocking.

    When was in college and had Sprint this was a nightmare since then I wanted root for unlimited hotspot (Sprint made it easy that way), but most refurbished Pixels were Verizon variants.

    And I couldn't just use OnePlus because they were only designed GSM networks or later Verizon CDMA-less. Then, new Pixels were unaffordable for me, but parents insisted on using Sprint.

    I ended up getting a Pixel 3 off Mercari (which I still own) just to keep root.

    Now, I can afford a Pixel 10 Pro new (which I am right now), alongside spare Pixel 9 and OnePlus 13R units. But even then (a) my income is lower than when I worked at Microsoft and (b) The OnePlus was from a trade-in deal.

    • microtonal

      today at 4:11 PM

      Oh man, sorry to hear that! On the other side of the pond, carrier-specific/locked phones haven't been a thing for ages. Haven't seen a carrier-specific phone since 2013 or 2014.

    • perching_aix

      today at 3:54 PM

      Is it not possible to buy a phone in the US without any cellular providers involved? I thought that kind of lock-in was a thing of the past.

      • Zak

        today at 4:09 PM

        It is possible, but many people still buy them from their provider with financing or subsidies. That means people shopping for used Pixels who want to unlock the bootloader need to avoid the special Verizon variant which forbids unlocking the bootloader.

        This is separate from SIM locking, which forbids use with another carrier. US carriers still do that, but are required to remove the lock after a while if the customer doesn't owe them money.

        It's not clear why Verizon insists on permanently locked bootloaders or why Google agrees to it for Verizon when they don't do it on Pixels sold anywhere else.

        • NoGravitas

          today at 5:32 PM

          Yep. I lost a restocking fee when I bought a used "unlocked" Pixel. Turned out it was not SIM locked, but it was impossible to unlock the bootloader. It was pretty easy to find a bootloader-unlockable Pixel once I knew what to look out for, but the first time I had no idea this was something you had to look out for.

• aktenlage

  today at 3:15 PM

  I have a Pixel 6a with GrapheneOS. Runs great for years, except for one or two apps that require an "official" Android.

  Anyway, I now need to get the battery replaced, because apparently they are dangerous and Google pays for the replacement. Unfortunately, the replacement process requires the stock android to be installed. Meaning, I would need to backup the whole phone, reinstall stock android, then restore everything - and hope the whole ordeal works out.

  • Aachen

    today at 5:03 PM

    That makes no sense. If there is a recall program for safety, surely they have to accept whatever software is on there? It's not relevant to the hardware repair

• hydrogen7800

  today at 2:49 PM

  I've wanted to try this on my old Pixel 5, but it has the dreaded screen/motherboard failure. It appears there is no solution for that short of replacing the screen/mobo, which i've already done once after cracking it.

• today at 2:39 PM

And once you are on GrapheneOS, break free from your proprietary watch ecosystem and switch to GadgetBridge (https://gadgetbridge.org/)

I run a Thinkpad with NixOS and KDE, a Pixel 9 with GrapheneOS, and an Amazfit watch paired with GadgetBridge on my phone.

It's a testament to the hard work of the FOSS maintainers of these projects, and the spirit of open source, that everything works flawlessly together without any cloud service sucking up my data. For example, I can control youtube and music playback on my laptop with my watch because KDE Connect syncs my laptop and my phone, and gadgetbridge syncs the phone and the watch. The breezy weather app on my phone can automatically push its data to gadgetbridge which in turn pushes the data to the watch. And so on. So many little things, developed independently, working like a single well oiled machine.

• rcMgD2BwE72F

  today at 2:12 PM

  I tried GadgetBridge because it cannot sync the activity files (.fit and/or .gpx) so I still had to plug the watch into a computer to keep the actual data.

  So I ended installing ActivityLog2[0] to do something with the files I had to have on desktop and GadgetBridge was of little use because relying on GadgetBridge without actually syncing the files might make me forget about doing the backup to a device I control (GrapheneOS or a computer).

  As soon as GadgetBridge support syncing the files from the watch to the app (or any local folder on Android), I'll install it again and stop doing the manual backups over USB. Syncthing will do it automatically.

  [0] https://github.com/alex-hhh/ActivityLog2

  • no-reply

    today at 5:23 PM

    Under settings->automations->auto export, you have "Auto export zip" where you can specify export interval. The zip file includes all the data (personally, I only see .fit files) from your app. For sync, you might have to use something like syncthing.

• k4rli

  today at 1:04 PM

  Garmin watches seem quite open even without that. I have all my data syncing to influxdb every 15min for a Grafana dashboard and it works great.

  In background I also have Withings scale sync the measurements a couple of times a day to Garmin.

  • pscanf

    today at 3:06 PM

    How do you sync the data out of Garmin? Something like https://github.com/matin/garth, or syncing directly from the watch?

  • haskman

    today at 1:06 PM

    Probably the reason why Garmin watches are well supported by GadgetBridge

• BLKNSLVR

  today at 12:57 PM

  I didn't need anything more on my to-do list, but this is intriguing.

  • haskman

    today at 1:05 PM

    Setting up GadgetBridge is very easy since it's just an android app. No flashing firmware etc. However, not all gadgets are equally supported, and you should check the support status of your device - https://gadgetbridge.org/gadgets/ (I bought my watch only after checking that page for compatibility).

• fsflover

  today at 5:23 PM

  Alternatively, consider PineTime, which even offers a choice of the OS it runs: https://pine64.org/documentation/PineTime/

• p-e-w

  today at 1:04 PM

  > And once you are on GrapheneOS, break free from your proprietary watch ecosystem and switch to GadgetBridge

  Then switch back to Google/Apple after half a year when you discover that you can’t run

  - your banking app - any government app - the app required to access large sports events - the pandemic tracking app without which you can’t enter an airport - various other random apps

  because they ALL detect that you’re running on a phone with an unlocked bootloader and will flat out refuse to start. And for many of those, there is no legal alternative.

  (The extent of this varies depending on where you live, of course.)

  • HybridStatAnim8

    today at 9:02 PM

    Most banking apps work perfectly, most government apps work perfectly, etc. It is only an exceptionally small subset of apps using anticompetitive measures such as play integrity.

    Also, do not leave your bootloader unlocked. That is an incomplete GOS install and you will need to lock it to secure your device. Not locking it is both insecure and will make a much higher number of apps fail.

  • jhasse

    today at 1:59 PM

    You can lock the bootloader again with GrapheneOS and many banking apps work.

    • Mindwipe

      today at 2:51 PM

      You won't pass Google Play hardware attestation that way, and you won't find a bank in Europe or the UK that doesn't require that to log on to their website within five years.

      • HybridStatAnim8

        today at 9:02 PM

        You pass basic, but not device or strong integrity. This is purely googles fault and is an artificial limitation that requires regulatory restrictions.

      • microtonal

        today at 3:00 PM

        My bank works fine after relocking (in NL, Europe). And last time I checked all Dutch banks work. My VISA credit card app (from ICS) also works. Same for the government identification app, the government message app, our insurance app. In fact, I haven't encountered anything outside of Google Pay that didn't work.

        (I don't deny that there are apps that won't work. Best to check before switching full-time.)

  • neobrain

    today at 2:12 PM

    > - the pandemic tracking app without which you can’t enter an airport

    Not sure if airports specifically used another mechanism, but the Android contact tracing APIs were actually reimplemented in microG, allowing these apps to work even on custom roms.

    Your other examples don't hold universally either (banking apps are compatible with un-rooted custom ROMs more often than not, and not sure how many sports event apps use integrity checks), but your general point stands that it may come with trade-offs.

  • haskman

    today at 1:12 PM

    YMMV. I run sandboxed Google Play Services on GrapheneOS so almost every app works. My digital payments app works, and the same with most government apps I have tried. My private bank's app doesn't work, but I just use their website for the handful of times a year I need to access it.

    • PenguinCoder

      today at 1:17 PM

      Does NFC work with those digital payment apps on Graphene?

      • haskman

        today at 1:32 PM

        In India we use QR codes for payments. NFC in general does work (for example, I use a yubikey for 2FA).

  • kakacik

    today at 1:58 PM

    No banking app on phone because why; no government app because oh fuck why, whats wrong with your government (at least in primary phone and I never needed secondary); app for sport events - thats just me but I prefer doing sports rather than passively watch them, so 0 loss; pandemic what? its 2026 and I never saw such requirement in Europe, Africa nor Asia; no other app requires that.

    Thats not coming from some paranoid security person, just regular (software dev) joe.

Been running GrapheneOS for a while on a Pixel 9, and extremely happy with it! Apart from the usual perks of the FOSS ecosystem, there are a few things specific to GrapheneOS that are not immediately apparent but have turned out to work very well -

1. The Pixel camera app works, including all modes and settings. A camera that takes good photos was absolutely a requirement for me, and the FOSS camera apps are not quite as good yet.

2. I don't have Google Photos and the pixel camera app tries to launch google photos when you want to review the picture you just took. But there is a FOSS app called GPhotosShim that uses the same namespace as google photos and thus fools the camera into launching that app instead. Once launched, it just launches whatever media management app you actually have configured, so it's seamless.

3. Android Auto works!

4. Android QuickShare works!

5. NFC tags / Yubikey integration works!

6. Screencasting works!

7. Sensor access and internet access can be disabled for apps by default (and I do).

• mctt

  today at 1:42 PM

  8. External storage works. This is the only mobile OS I've found that has stable support for an External SSD.

  I bought a second hand Pixel 7 to test this and an exFat SanDisk Extreme Portable 2TB works with reads/writes perfectly.

  • fsflover

    today at 5:25 PM

    > This is the only mobile OS I've found that has stable support for an External SSD.

    My Librem 5 running PureOS also supports external storage just fine.

  • haskman

    today at 3:48 PM

    Very good to know!

• seanw444

  today at 9:10 PM

  I originally wanted to get the Pixel camera app working when I got started with GOS a few years ago, but then I found Open Camera and haven't looked back. Does it do something cool that Open Camera doesn't?

• kwhat4

  today at 3:30 PM

  > 3. Android Auto works!

  Does this require installing google play and other google services to work?

  Edit: https://grapheneos.org/usage#android-auto

• rcMgD2BwE72F

  today at 2:01 PM

  >4. Android QuickShare works!

  Does that require being logged into a Google account? How to ensure Google knows nothing about your shares?

  I have Graphene w/ Google Play Services (required for my job) and would love a easy way to share files/info with various devices (incl. iOS/macOS which I remember should work with QuickShare in the future) but will avoid a service that shares data with Google.

  • haskman

    today at 3:52 PM

    Unfortunately yes, and I am signed into my Google account for it.

    • Tepix

      today at 7:39 PM

      That's a hard pass.

• greenie_beans

  today at 3:22 PM

  wish my yubikey would work with bitwarden

  • lawn

    today at 5:34 PM

    My Yubikey works with bitwarden on GrapheneOS using NFC.

• kakacik

  today at 1:48 PM

  A quick question from potential buyer of next generation of pixel phones, since samsung keeps disappointing hard with their top line - is there any difference in quality between default photo app and what graphene os bundles with?

  Pixel are supposed to be very good in photography, part hardware and part software, and my concern would be degradation of that software part. With small kids, there is nothing more important on phone for me than photos/video quality these days (apart from never going into apple ecosystem, I am just incompatible with that company' philosophy).

  Or its just about slapping some commercial photo app (like I heard from other photographers is often done on apple to get most out of it, but forgot the name of the app) and not caring about this?

  • gunapologist99

    today at 2:03 PM

    Yes, it's a huge difference. However, you can install the very latest Google Camera app through the Aurora app (or Play Market), and it works perfectly except you don't get photo preview within that app; to fix that minor issue, you can install the Gphotoshim which someone else mentioned in the comments.

    On the other hand, if you switch to the latest Google camera app, you will not really be participating in making the open source version better.

    https://play.google.com/store/apps/details?id=com.google.and...

    • Aachen

      today at 5:06 PM

      Duckduckgo's only hit for "Gphotoshim" is your comment. Any hint at what to look for?

      • no-reply

        today at 5:41 PM

        https://github.com/CaramelFur/GPhotosShim

        • Aachen

          today at 7:32 PM

          Thank you! Double s in the middle was the fix I see :)

  • FullMetalBitch

    today at 2:35 PM

    If photos are important for you GCam is a must, you can download it

I've used GrapheneOS on a Pixel 3a, 5, 8 and 10 Pro so far and it's worked really well. I couldn't imagine going back.

The only things I'm missing (which don't exist in other OS'es either):

- Being able to configure contact scopes in such a way that the app in question only gets access to the phone numbers of the contacts belonging to the label I specified, e.g. "WhatsApp", nothing more. Yes, one can of course add contacts' phone numbers to the contact scopes "by hand" but 1) there is a limit on the number of contacts/phone numbers configured this way, and 2) AFAIK there is no way to back up that list.

- Being able to install browser extensions in Vanadium.

- Being able to configure multiple VPNs at once, e.g. for Tailscale, ad filtering, blocking HackerNews during times when I should be doing something more productive :) etc., especially since the Vanadium browser doesn't support extensions (see above). I was hoping that the Rethink app might implement something like this (https://github.com/celzero/rethink-app/issues/1047) but it doesn't look like it's coming and it'd probably be much better to do this at the OS level.

• haskman

  today at 6:19 PM

  > Being able to install browser extensions in Vanadium.

  You can use IronFox - available in Accrescent store that comes with GrapheneOS, and install firefox extensions

• privacyking

  today at 7:50 PM

  You can have a second or third VPN active if you use a work profile and private space

• blahaj

  today at 2:52 PM

  You can use labels for contact scope.

  • codethief

    today at 4:46 PM

    You might want to read my comment again. :) If you use labels, the app will have full access to the associated contacts, not just to their names & phone numbers.

    • blahaj

      today at 10:06 PM

      So it's not about labels, but you want the ability to restrict the fields an app has access to rather than an all or nothing – full access to a contact or none at all?

    • rkagerer

      today at 9:00 PM

      I'm annoyed at everyone who shares my name, phone number and any other details with Meta. I never consented to it. The behavior of their app slurping up your contacts database is despicable.

      This doesn't answer your question, but in case it helps for others out there: it's possible to use WhatsApp with no access whatsoever to your contacts and I used it that way for years. Connecting with people is slightly jankier but it still works.

• paul_h

  today at 12:52 PM

  Note to self: look for second hand unlocked Pixel 10 pro!

About his comment:

> Unfortunately, I must recommend Windows 10/11 here, because then you don’t have to mess around with any drivers; it’s the simplest option.

When I worked at Microsoft but ran FreeBSD at home, I often used my work Windows laptop to install custom ROMs. This is because FreeBSD was finicky with adb.

Now I run Fedora and the Android drivers are pre-installed. I installed GrapheneOS on both a Pixel 10 Pro (main) and Pixel 9 (spare) that way.

On Windows, I've had more trouble with Android drivers than I did on non-Windows.

• OsrsNeedsf2P

  today at 5:02 PM

  This has been my experience with Windows too. Airpods connect out of the box on Linux, but on Windows they would stop pairing every couple minutes until I fixed some drivers

This is especially interesting in regard to the recent HN dicussion on spyware by for-profit intel firms having access to Whatsapp, Telegram, Signal, etc. (https://news.ycombinator.com/item?id=47033976) through OS-level no-click hijacks.

I wonder how secure GrapheneOS is in that regard, and what the other contenders are?

• subscribed

  today at 11:40 AM

  Hard to say how it fares against those specific attacks but some of the vulnerabilities that will go out in the mid-2026 on the mainstream handsets are already patched: https://grapheneos.org/releases#2026021200

  (it's not magic. All big vendors have these details, just choose to take their sweet time to patch them. GOS has partnered with a major OEM vendor who provides them with access)

  Other than the specific patches above, there's a list of generic GOS features: https://grapheneos.org/features#exploit-protection

  All in all you're probably much safer.

• ozlikethewizard

  today at 11:51 AM

  GrapheneOS themselves dont pretend that their secure from that level of attack, but its about evaluating your own threat level. State sponsered actors aren't burning zero days on the vast majority of people, and you only need to look at how badly several european governments want to ban graphene and similar to see that such exploits aren't even being burned on organised crime. Realistically unless you're a journalist or considered a political target you're gonna be fine with graphene.

  • mentalgear

    today at 2:46 PM

    Thank you for the insight. Indeed, a concerning state of the world where criminals are less at risk from spyware than journalists and activists.

    • ozlikethewizard

      today at 3:10 PM

      Its definitely a scary world, safe to assume all your online activity could be hacked if so wanted. Just gotta hope its not wanted and that it doesnt become possible to do it on a mass scale (UK is currently pushing to ban E2E lol, and I know the EU has contemplated similar. If you do fall into the wanted category, face 2 face is really the only option. I know a lot of politcal/investigative journalists also constantly cycle and maintain burner devices but even thats a risk of just how long is a safe time before a device is considered burned.

• cartoonworld

  today at 11:38 AM

  GrapheneOS have hardened_malloc which is a huge advantage, I think. It makes the weird machines problem much harder. I would say be very careful, because you can still get previews of images, or old and weird media formats that could be exploitable, and android/GrapheneOS doesn't have the same sorts of policy as say Apple with the iMessage blast door. They control safari, etc.

  Android's attack surface seems pretty jagged. For example there is only one webrender engine on iOS, where you can run anything you like on Android/GrapheneOS.

• zozbot234

  today at 11:45 AM

  It's quite secure against casual attacks, but a proprietary mobile platform has inherent issues wrt. withstanding even mildly sophisticated attackers, including mercenary spyware services. You still have a huge attack surface from all sorts of proprietary firmware blobs and hardware IP blocks that are running directly on the SoC. It's not clear that it's really worth even trying to secure it as opposed to just treating it like an untrusted toy.

  • subscribed

    today at 8:49 PM

    So if a toy OS is the only one to withstand attacks with Cellebrite, what do you consider not a toy?

  • mentalgear

    today at 2:47 PM

    Interesting. What are the alternatives to GrapheneOS that you wouldn't consider a "toy" ?

    • fsflover

      today at 5:31 PM

      In my understanding, it's not the OS that makes it a toy but the hardware. I guess something with open schematics (Librem 5, Pinephone) should be better, or an open-hardware device like Precursor.

      • subscribed

        today at 8:55 PM

        If the open hardware offers at least comparable security then maybe. If the hardware is an open book then no.

        A short list of the hardware security measures necessary to consider it "not a toy" ;) -- https://grapheneos.org/faq#future-devices

        • fsflover

          today at 9:04 PM

          I'm not convinced that all of these is required for security. My Qubes OS desktop is probably more secure than any GrapheneOS phone, and it only requires good hardware virtualization for that.

          > If the hardware is an open book then no.

          So you choose security through obscurity. I have no further questions.

  • cartoonworld

    today at 1:29 PM

    well, a concerted attack could easily subvert the baseband if you have a few million dollars and the correct letterhead or private contacts.

    GrapheneOS really wants the software in the phone to not pwn the phone. This is good. Its a different, and much more difficult problem to secure the connection to the telco, and the larger internet, because the transport is attacker controlled.

    Think of it this way: Say you use Qubes because security is valued very highly for you. Even if you run Qubes, if your router is controlled by your attacker, what kind of a security guarantee could you really get for yourself?

    • raron

      today at 7:50 PM

      > well, a concerted attack could easily subvert the baseband

      In theory Pixel phones have IOMMU and GrapheneOS is using them, so even a compromised baseband doesn't result unrestricted access to the system.

    • fsflover

      today at 5:29 PM

      > Even if you run Qubes, if your router is controlled by your attacker, what kind of a security guarantee could you really get for yourself?

      I do run Qubes, and a compromised router, e.g., will not get access to any passwords that I store in an offline VM as text, even with any previously known vulnerability since 2006.

• StilesCrisis

  today at 1:20 PM

  It's just an Android fork. Almost certainly it's equally affected.

  • microtonal

    today at 3:06 PM

    That's too simple. First of all, Pixel (which GrapheneOS requires) is one of the few Android phones with a separate secure enclave. GrapheneOS also applies a lot of hardening that other vendors do not: https://grapheneos.org/features#exploit-protection

    This does make a material difference, e.g.: https://x.com/MetroplexGOS/status/1982163802188575178

    That said, if a state-level actor is up against you, then it's hard to defend yourself against that.

I've been using GrapheneOS for about 3 years now. For the most part, it works very well. I don't have any issues with banking apps, nor any other closed source apps. I'm using two profiles both with sandboxed Google play installed. I'm logged in into my private Google account on the work profile.

However, there was one case that lead me to thinking about ditching grapheneos to this day. I installed Uber on my phone and I was able to successfully create an account and use it. When it came to booking a ride, the app crashed and I had to log in again. Once I did that, I was told that my account has been suspended for violating the terms of services. All I did to that point was creating an account and booking a ride. I was able to resolve the issue luckily after a few days and going back and fourth a couple of times with the Uber support, however, the risk of getting banned on any such platform is still risky, and thus I'm not sure if grapheneos is usable if you need to use such services.

• rcMgD2BwE72F

  today at 10:40 AM

  That's clearly a Uber problem. I'm also a GrapheneOS and used Uber once -- it worked.

  • HunOL

    today at 12:21 PM

    It's clearly end user problem who is not able to book a ride. Root cause is on Uber side.

• ozlikethewizard

  today at 11:44 AM

  Maybe not being able to use Uber isn't the downside you think it is though. UK centric view but call a cab and pay in cash, you haven't comprimised your security and you're not engaging with an unethical business.

  • rationalist

    today at 12:57 PM

    Well, you still might engage with an unethical business, but at least the chance goes from 100% to somewhere between 0% and 100%.

    I've run into my share of scammy taxi drivers.

    • ozlikethewizard

      today at 3:05 PM

      Right but at least then you are the one being scammed, and can decline to be scammed if you wish. As opposed to willingly partaking in a shitty system.

• budududuroiu

  today at 11:01 AM

  I'm a new GrapheneOS user and stopped using Uber as altogether. Taxis aren't that bad where I'm at, and cheaper than Uber

  • subscribed

    today at 8:48 PM

    I wish I could stop using them for these rare occasions I need a transport.

    Taxi across the town is £20, Uber usually 5-10. There are no other providers.

    Taxi from my airport (some 15 miles away) is £60-80, Uber usually £30-ish. Public transportation (2 trains + 2 buses) over £50.

    I wish I had an option.

• peanut_merchant

  today at 10:40 AM

  I regularly use Uber on Graphene OS and have had no issues.

• OsrsNeedsf2P

  today at 5:04 PM

  How do you know this was Graphene OS' fault?

• palata

  today at 11:06 AM

  No problem here with Uber on GrapheneOS.

  • subscribed

    today at 12:55 PM

    Same. Using it (rarely) off the secondary profile and everything works.

• prmoustache

  today at 3:04 PM

  Last time I checked you could still book a ride using the website.

• backscratches

  today at 12:01 PM

  Uber works in browser on mobile (and desktop). Last I checked lift did not.

  • rationalist

    today at 12:58 PM

    Lyft app works on GrapheneOS.

    • backscratches

      today at 4:29 PM

      Using websites instead of apps, while often more annoying, minimizes dramatically the privileges you provide to services.

      • Aachen

        today at 5:13 PM

        And the amount of lock-in. If they ever decide to kick out your favorite OS or hardware vendor, well, good luck doing that if you can use the services on a website. They'd have to port all the web users over to mobile and know they'll lose at least some of those customers

• ThePowerOfFuet

  today at 10:57 AM

  >there was one case that lead me to thinking about ditching grapheneos to this day

  Your aim is misplaced: ditch Uber, not GrapheneOS.

• franga2000

  today at 11:03 AM

  What exactly is the risk of getting temporarily banned on Uber? You have to use a different taxi app? As if such a thing even exists?!? Unacceptable!!

  Every app on my phone has at least one other app, usually already installed, that can replace it. This wasn't intentional, it just happened naturally. Unless all two or three apps in a category get blocked for me at the same time, this already unlikely situation is barely an inconvenience.

  • simonh

    today at 11:13 AM

    The key phrase there is "such services". It's not just about one problem once with Uber, it's the risk of problems like this with any service of that kind, or really any service you rely on.

    If using GrapheneOS significantly increases the risk a person won't be able to use a service they rely on, that may be unacceptable.

    • franga2000

      today at 12:20 PM

      But that's my point, what one irreplacable app/service do people rely on? The only thing that comes to my mind is messaging apps, but even there, almost everyone I need to talk to is reachable on at least one other app. I have multiple taxi apps because I compare prices and availability, like any reasonable consumer should. I have two banks, but even if I didn't, I can pay by cash or card, not just phone. If I need to make a bank transfer, I can go to a branch or do it online. I have two map and navigation apps because they have different strengths and weaknesses. My email is accessible by browser if the app breaks.

      I'm not doing this on purpose, I just now scrolled through my app list looking for one app that would actually fuck me up if I lost it in an instant. There are none. And I'm not currently even running graphene or anything else, just a stock Samsung.

    • SadErn

      today at 12:16 PM

      [dead]

  • g947o

    today at 11:51 AM

    If the same thing happens with the Lyft app, you may be stuck at your current location indefinitely, especially in less populated areas/late hours.

    • gf000

      today at 2:28 PM

      And what is preventing Lyft/Uber whatever's algorithm to have a bug and just falsely flag your account after registration? Like there is no guarantee it works on a stock android/apple device either and I'm fairly sure they have a long list of false flaggings that support has to unlock day-to-day.

It's a shame only Pixel phones are supported. I have PWM sensitivity and Pixel phones are notoriously bad for this, my eyes hurt when I look at one for more than 30mn. Due to the lack of good, secure alternative, I have had to give up on privacy in exchange for manufacturer updates.

• sudonem

  today at 10:57 AM

  The Pixel limitations has been my main concern as well.

  The good news is that they are actively working on developing their own hardware. The bad news is that it’s been delayed. But I’m watching closely.

  https://www.galaxus.at/en/page/grapheneos-postpones-pixel-al...

  • wolvoleo

    today at 2:42 PM

    That article speculates the OEM is Samsung but I find that very hard to believe. Samsung is totally beholden to Google. The discontinued their own DeX and Tizen smartwatch OS for Google alternatives and as for their "AI" features most of them actually come from Google.

    Google would not allow this and they're way too entangled with Samsung.

  • 6jQhWNYh

    today at 12:55 PM

    Interesting article. Let's now hope for a reasonable price, even though it will be challenging for their team. It would be a shame if the target audience is limited to overpaid nerds like most of HN.

• lejalv

  today at 11:34 AM

  > when I look at one for more than 30mn

  That limitation might be doing you a favor, as these things go...

  Even if Pixels hadn't PWM a larger screen (or, dare I say, a book) will be an improvement for longer reading sessions.

• wishfish

  today at 12:37 PM

  I'm in the same boat. Bought a 9 Pro XL and had to return it. Hope their OEM will use DC dimming for the screens or have an IPS option.

  In the meantime, I use a Motorola G Power 2024 which has IPS. I'm very much a non-expert but made a minor hobby out of trying to de-google it as much as possible.

  Never signed into Google with it. Using NetGuard with a whitelist to prevent most of the phoning home. Uninstalled or disabled most built-in apps. The apps I use are installed via either Obtanium or Fdroid. Have Dropbox from Aurora. Use Motorola's private space for keeping some data and apps in a separate, supposedly secure locker.

  I'm sure this doesn't come close to GrapheneOS's security level but it's the best I can do within the limitations of this device. It was a fun mini-project. NetGuard is invaluable for this purpose. Almost feels like the phone is truly mine.

• ktm5j

  today at 1:27 PM

  Seriously. Especially if you're someone who wants to cut ties with Google.

  • microtonal

    today at 3:13 PM

    So, buy it refurbished? Google doesn't directly profit from it, you create less pollution, and once you have GrapheneOS on it you can leave Google out the door.

    The problem with nearly every other phone, except maybe Samsung flagships, is that they don't fulfill the security requirements. And Samsung is hostile against unlocking (even when it was still possible, it would burn a Knox eFuse).

    • ktm5j

      today at 4:05 PM

      Not a bad idea.

• backscratches

  today at 12:13 PM

  Seconded. Really hope the new Graphene device does not have terrible PWM. Battery benefit to OLED is great but not if I can't look at my phone.

This is the phone version of saying “the power utility is an evil awful monopoly that treats me like shit, so I’m gonna get solar and batteries and go off grid.”

It’s cool it’s possible, but it’s not practical for most people.

GrapheneOS' approach is to focus more on security than privacy, because they believe increased security leads to increased privacy. Unfortunately, that means their hardware requirements pretty much limit the hardware that you can run it on (currently only the Pixel phone range). Worse, it also means they stop supporting a device when it reaches End-Of-Life as software security updates stop for it (see How long can GrapheneOS support my device for? - https://grapheneos.org/faq#device-lifetime ). Sad though - GrapheneOS on Sony Open Devices ( https://developer.sony.com/open-source/aosp-on-xperia-open-d... ) would have been nice.

• palata

  today at 12:05 PM

  The whole reason why GrapheneOS is superior to its alternative is because they do all that.

  I also with they could support non-Google phones, but that's a problem coming from the manufacturers, not from GrapheneOS.

  My understanding is that there are close to half a million GrapheneOS users. And many potential users don't want to buy a Google phone. So it feels like it is starting to become worth considering for manufacturers...

  I don't get why Fairphone doesn't look into that. Is it because they are not aware, or is it too hard for them to make hardware that is compliant with what GrapheneOS requires? Hundreds of thousands of devices may not count so much for Samsung, but they must definitely count for Fairphone.

  • Aachen

    today at 5:18 PM

    > The whole reason why GrapheneOS is superior to its alternative is because they do all that.

    What is "its alternative"?

    > I also wish they could support non-Google phones, but that's a problem coming from the manufacturers, not from GrapheneOS.

    The manufacturers aren't blocking the installing of GrapheneOS...

    • palata

      today at 9:00 PM

      > What is "its alternative"?

      I meant alternativeS, sorry. Well, anything AOSP-based that is not Android.

      > The manufacturers aren't blocking the installing of GrapheneOS...

      Of course they are not. But they produce hardware that is not secure enough for GrapheneOS to consider. I wish they saw value in GrapheneOS and produced hardware that met their requirements.

      It's actually weird, because I'm convinced that it's completely worth it: just add those requirements to the design of one new model, and a potential of hundreds of thousands of people may buy it just for GrapheneOS.

    • no-reply

      today at 5:47 PM

      GOS has minimum hardware requirements and most of the available smartphones don't meet them

      • Aachen

        today at 7:37 PM

        That's like saying Tulip blocked the installation of Vista because they didn't install enough RAM to run it

        The OS makers don't have to go out of their way to support a device they don't want to (that's the beauty of open source passion projects), but it's also not like any manufacturer (that allows bootloader unlocking or ships an unlocked bootloader) is blocking GrapheneOS or anyone else from doing it, which the quote implies in my reading (maybe other people read it differently)

        • palata

          today at 9:02 PM

          > That's like saying Tulip blocked

          I agree, but you are the one who talked about "blocking". I did not :-).

      • fsflover

        today at 6:13 PM

        This is a contradiction. There is nothing "minimal" about a requirement that excludes every device but one. Also some people (me) value independence from Google more than the highest degree of security (which relies on Google hardware).

        • palata

          today at 9:04 PM

          > This is a contradiction. There is nothing "minimal" about a requirement that excludes every device but one.

          I don't get your logic. Requirements are a choice. It's very easy to create requirements that exclude every device but one.

          Example: "It has to be the Samsung Galaxy S23". Done.

          Now you can disagree with those requirements, but that's completely different from saying that the requirements are wrong.

          • fsflover

            today at 10:15 PM

            I disagree that such requirements are minimal. Nothing prevents running GrapheneOS on a device with lower requirements. It's a questionable choice by the developers restricting the choice for users.

        • Itoldmyselfso

          today at 7:36 PM

          You are not independent from Google if you purchase an android device from another manufacturer. You're then having your data sent to both Google and that manufacturer, resulting in far worse privacy overall than with just Google, not to mention worse security at hardware level. If you don't want to "support" Google, just buy any used Pixel 6 to 10 series.

          • fsflover

            today at 8:01 PM

            I use Librem 5 as a daily driver. It has no dependence on Google.

            • palata

              today at 9:05 PM

              Sure, you're free to use whatever you want. So am I. I want GrapheneOS :-).

• stephenr

  today at 12:00 PM

  I'm not sure I fully understand this.

  Why are GrapheneOS releases dependant on Google releases?

  • palata

    today at 12:07 PM

    They are dependent on the AOSP releases (which Google develops) and on the manufacturer updates (and because GrapheneOS runs on Pixels, then it goes back to Google again).

    • stephenr

      today at 12:41 PM

      I can understand relying on an OEM to provide hardware support for a given model - but I'm finding it hard to understand why they're unable to continue supporting a release just because the upstream removes support for something.

      I'm not even really sure what you mean by "manufacturer updates".

      The more I hear about this project, the less is sounds like an alternative OS and more it sounds like a thin skin around whatever shit Google throws out, to be honest.

      • andrewaylett

        today at 1:22 PM

        They rely on manufacturer support for device firmware, just like anyone else.

        • Aachen

          today at 5:20 PM

          Debian surely doesn't depend on Lenovo or Asus to release OS updates for my laptop. Apparently it's not "everyone else" that needs this but it's some sort of dependency for mobile (qualcomm?) devices

          I have trouble understanding why this is different on mobile devices. People keep speaking of blobs but that doesn't seem to be a thing in laptop/desktop hardware, unless they mean something like the firmware running on your wifi card and uefi chip? But those can be interfaced with from any kernel version, afaik, so I don't get it

          • palata

            today at 5:32 PM

            Debian does not write the whole software stack running everywhere on your system. So if you want your system to be "supported", as in, "if a security flaw is discovered in a firmware, I want it patched and I want my firmware to be updated", then you need whoever writes that firmware to do it.

            That's a dependency: if you want your system to be secure, you depend on the software running on your system to be patched when a security flaw is published.

            • Aachen

              today at 7:18 PM

              Interesting, so any security patches to kernel level and above (AOSP code, browsers, other apps) can still be fully up-to-date when the manufacturer says a device is out of support. Not sure I understand the fuss then that Fairphone had about selecting a SoC with long support. Really thought it was some sort of problem updating the kernel or other AOSP components when using manufacturer blobs

              The attack vectors against this firmware are virtually always physical right? As in, hardware access in one way or another (including radio waves reaching the device), not something that can be routed over a (cell) network

      • palata

        today at 1:07 PM

        > why they're unable to continue supporting a release just because the upstream removes support for something.

        If you have an EOL Pixel and a new major version of Android is released, Google will not port this new version of Android (and therefore AOSP) to it. So GrapheneOS would have to do it. GrapheneOS just say they don't have the resources to do that, so they follow the Google releases. Could you keep an EOL Pixel without receiving updates? Sure. But then it's not supported anymore, it's just outdated, insecure software.

        > I'm not even really sure what you mean by "manufacturer updates".

        There are the AOSP updates (which bring new features, but importantly in our case bring security fixes) that come from Google, but your phone is more than that. There is a bunch of hardware running in your phone and a bunch of firmwares exposing it. Say your camera, or your wifi module, etc. If there is a security issue in the firmware of the camera, then it won't be fixed in the AOSP codebase. You need the camera manufacturer to fix it and release a firmware, pass it to the phone manufacturer who will then deploy it on your phone.

        Google split both of those concepts years ago in order to deploy Android updates faster and make everybody more secure, because manufacturers had a tendency to lag a lot. Some still do but the situation generally improved, I think. Anyway, you need to receive those security updates from your manufacturer because they are independent from Google.

        > the less is sounds like an alternative OS and more it sounds like a thin skin around whatever shit Google throws out, to be honest.

        If you think that AOSP is shit, then sure. I mean, if you think that the Linux kernel is shit, maybe you don't want to run a Linux distribution.

        I personally think that AOSP is pretty great, and vastly superior to Linux on mobile (among other because it has a much better security model). I am not a big fan of Google being root on my phone (with Android and system apps like Play Services), which is something that GrapheneOS fixes (by making Play Services run like any other, unprivileged app). GrapheneOS is also adding privacy features, be it by proxying your location requests (so that they go through the GrapheneOS servers instead of directly to Google) or by adding features like "scopes", where you can choose exactly which contact you share with an app, for instance, or refuse Internet access to an app without breaking it (GrapheneOS will just make the app believe that it has the permission to access the internet but there is just no connection right now). And of course GrapheneOS hardens the system in terms of security (e.g. with a hardened malloc or memory tagging stuff that Apple recently introduced as well).

        So yeah, it is relatively thin, because AOSP is a huge codebase. But it doesn't mean that it's worthless: this skin makes it more secure, more private, and for me more enjoyable than Android.

        • stephenr

          today at 2:52 PM

          Sounds a bit disingenuous then for an article to have a title that includes the phrase "break free from Google".

          • microtonal

            today at 3:36 PM

            I think they mean breaking free from Google Analytics, Google Play Services, Google Play, Google Location Services, etc. Play Services and Play are not installed on GrapheneOS by default, so it is possible to run your phone with just GrapheneOS with your choice of open/closed source apps on top.

            I think breaking away from open source Google code is not really meaningful. It's kinda like saying "I don't want to run Linux because it contains code from IBM/Google/Meta". AOSP is a great and useful project. If the day that Google stops releasing AOSP ever comes, a consortium of interested organizations can fork it. But it does not make a whole lot of sense to start a new mobile ecosystem completely from scratch, if one that is great and open source already exists and buys you compatibility with millions of apps.

          • palata

            today at 3:13 PM

            It was first "break free from Android", but somebody complained so they changed it. Titles are hard, I guess :-).

While I admire GrapheneOS and its goals, I feel that until we free the proprietary baseband processors and their RTOS from the grips of Qualcomm and friends it's a pyrrhic victory, at best.

• palata

  today at 11:07 AM

  When there isn't a perfect solution, the next best thing is... the next best thing :-).

  • today at 11:09 AM

  • darkwater

    today at 11:20 AM

    Unless the next best thing makes you think you are already achieving the "perfect solution" for what you think you care about, but in truth does not.

    I'm not a mobile phone security expert but my feeling is that in the case of GrapheneOS - which target is probably high-profile people at risk of state actors et similia attacks - a zero-day in the closed source firmware from Qualcomm will probably screw you anyway.

    I understand that you are anyway reducing the attack surface (now they need to target the modem firmware specifically), I understand the concept of security in depth and I also understand that by using GrapheneOS you are already placing mitigations for many other known and unknown attack vectors. But still...

    • Tharre

      today at 12:18 PM

      > a zero-day in the closed source firmware from Qualcomm will probably screw you anyway.

      All the devices that GrapheneOS supports implement a clear separation of the baseband and the CPU in the form of SMMU, ARMs version of IOMMU. So a zero-day in the baseband does not immediately screw you - unless the code on the CPU side also contains vulnerabilities or there is a major flaw in the SMMU implementation that somehow breaks isolation.

      • darkwater

        today at 12:37 PM

        Thanks for the clarification (and to the others that answered as well).

        I probably explained myself in a shitty manner, I didn't try to downplay GrapheneOS efforts, and I should have kept my initial statement about "next best thing can create a false sense of completeness" as a generic remark and not specific to GrapheneOS, for which I don't have enough knowledge to know if it applies or not.

    • cartoonworld

      today at 11:32 AM

      fyi a Cell Site Simulator can masquerade as the legitimate telco operator and push type 0 messages to the handset.

      What that means is they can push malicious settings and configurations (Definitely) and probably malicious firmware to the handset at will. They don't need to code this, they buy the software packages from the usual suspects. Adversary simply needs to put a drt box or a hailstorm or what-not close enough to the handset to do the work.

      The baseband can do a lot, it has dma (if I recall correctly) and can almost certainly screen look, and extract information from some but not all base bands. This varies.

      GrapheneOS cannot really influence this, but hardened_malloc could conceivably help. What would be great is a bench firmware re-flash, but I don't want to do this every single day.

      • ylk

        today at 12:24 PM

        > The baseband can do a lot, it has dma

        There's an IOMMU:

        > Is the baseband isolated? > Yes, the baseband is isolated on all of the officially supported devices. Memory access is partitioned by the IOMMU and limited to internal memory and memory shared by the driver implementations. [...]

        https://grapheneos.org/faq#baseband-isolation

        > GrapheneOS cannot really influence this, but hardened_malloc could conceivably help.

        They can and do, see above. But I don't see how hardened_malloc is related to the baseband doing DMA.

        • cartoonworld

          today at 1:33 PM

          Thanks, this is very good information!

          To answer your question, I thought it might just be slightly harder to extract secrets or exploit a running process directly. Thats all I was saying.

      • evolve2k

        today at 1:14 PM

        I don’t have the source (I’ll have to try find it), but I read that the cell site simulators can work on 4G and earlier but don’t work on 5G. So one thing folks can do is set ur phone to use 5G networks only (unless ur stuck and then u can make it looser but be aware your less protected at that time).

        I do this on iOS I’m sure it’s do-able on GrapheneOS and hopefully on Android too.

        • cartoonworld

          today at 1:32 PM

          5G CSS is harder yes, but keep in mind that most 5G is the 5G_NSA variety, and is really just riding on the same cell bands, no mmwave here. You probably notice that your phone often slips out of 5g, or you inhabit different modes here.

          Essentially, 5G is sort of a lie. Phones spend a lot of time exchanging information via 4g/lte, and just like 2g/3g and 3g/4g, there are simply downgrades that can be performed in the field, without getting too far into the weeds.

          5G matters not for this.

    • subscribed

      today at 11:59 AM

      So no, their target is people who marginally care about privacy and security but don't want to use iOS. I don't think they target any particular demographic but I see security engineers and activists among users.

      And it's not only security - simple stuff like USB data off unless the phone is unlocked, native call recording, much enhanced user profiles (to separate data mining apps like Uber or Instagram from your financial affairs), etc.

      And yes, it's about reducing the attack vector. On most other handsets you'll get most of the fixes 6 months or a year later. At best.

    • 1dom

      today at 11:37 AM

      I think the appeal and use case for Graphene and similar OS for most users is the Google/privacy/ownership type argument.

      I do understand your point that people at risk of state level attacks might get a false surface level appearance of defence from this. But then anyone who's a target of state level attacks and is making OS decisions based on a surface level understanding of the tech is not going to have a good time anyway.

• nickorlow

  today at 12:17 PM

  iirc Graphene is in talks with an unnamed HW vendor to make a grapheneos specific phone. They refer to the vendor as someone who makes phones and you've likely heard of, but haven't given any more info otherwise.

  • domh

    today at 12:33 PM

    Yeah spot on. I think this is the only thing that's been announced so far: https://www.androidauthority.com/graphene-os-major-android-o...

• BirAdam

  today at 2:52 PM

  Don't allow perfect to be the enemy of good.

• today at 11:23 AM

• dj0k3r

  today at 11:12 AM

  That and blocking the query all apps feature on android

• fsflover

  today at 5:49 PM

  > until we free the proprietary baseband processors and their RTOS

  How about Pinephone with its partially freed baseband OS [0] or Librem 5 with its removable modem [1]?

  [0] https://github.com/the-modem-distro/pinephone_modem_sdk

  [1] https://en.wikipedia.org/wiki/Librem_5

• goodpoint

  today at 4:14 PM

  To make things worse it needs a google phone, of all things.

• direwolf20

  today at 12:43 PM

  Do you also need the WiFi chip to be fully free?

Break free from Google*. As long as you buy a Google phone. I really want to use it, but the Pixel only requirement is a deal breaker

• timbit42

  today at 10:14 PM

  They are working with a partner to get their own phone hardware.

  You could also buy a used Pixel.

> For me, it works like this: on the Owner user, because that’s the name of the main account created automatically with the system, I installed the Google Play Store along with Google Play services and GmsCompatConfig

Many people here might recoil at this: to go through the trouble of de-Googling your phone and then just install Google Play services and the Play Store, but the important part is that it is a choice they could make.

Pixels are arguably the best option for software choice among mainstream phones (and iPhones are the worst), but both are a huge regression of choice compared to traditional personal computing platforms.

• ethagnawl

  today at 5:01 PM

  I've found using separate accounts for Non-Play (default) and Play (exception/escape hatch) to be a very happy medium.

I use and appreciate GrapheneOS due to it being one of, if not the best, option we currently have.

That said, I do not like how much the project depends on Google.

- GrapheneOS is based on Android, which is solely developed by Google.

- GrapheneOS only supports Google Pixel devices. Thankfully, they are working on partnering with a different manufacturer, but details are still very limited.

- They recommend using the Google Play Store (requires a Google account) to get apps and recommend against using F-Droid.

- Their Vanadium web browser is based on Chromium, which is controlled by Google. It also does not have an ad blocker or support extensions. They recommend against using Firefox. Firefox, and Safari to a more limited extent, are the only web browsers keeping Google from having complete control over web standards and the way we can access the internet.

This is not a criticism of the GrapheneOS project or developers. I understand that security is the biggest priority of GrapheneOS and I understand that Google is often good at security. They are following the goals of the project. It is more directed towards the GrapheneOS community that often blindly recommends GrapheneOS as the only option and treats any alternative as inferior and not to be considered. Most users do not need security at all costs. Especially among the free and open source enthusiast community, freedom and user control are often prioritized. There should be more awareness and discussion about what the user wants and whether that actually aligns with the security-first goals of GrapheneOS.

• niam

  today at 6:50 PM

  > It also does not have an ad blocker

  It does have a network-level ad blocker. What it doesn't have is a blocker which modifies/injects Javascript into pages, which iiuc is the main reason that the blocker doesn't help with ads on YouTube much, or pages which employ similar techniques.

  > They recommend against using Firefox.

  To clarify: they recommend against Firefox Mobile because it didn't support site isolation until last month's v147 updates. I don't know if the goalpost has moved since, but in any case: there's nothing on Graphene that would prevent you from using Firefox.

  • strcat

    today at 7:20 PM

    Firefox 147 doesn't provide site sandboxing or even basic content sandboxing on Android. They enabled multi-process support by default but still don't provide any form of sandbox for the separate processes. They enabled the separation part of site isolation which is partially implemented for Firefox desktop and now mobile but do not have content sandboxing and partial site sandboxing as they do for the desktop browser. See https://bugzilla.mozilla.org/show_bug.cgi?id=1565196 for their still open issue with many other issues as dependencies for sandboxing.

    The complete lack of content and site sandboxing on Firefox for Android is only one of the reasons we recommend against it. It has major security deficiencies beyond this and cannot benefit from many of the hardware and OS protections due to it. Vanadium is much more secure than standard Chromium while Firefox is much less secure than it, so there's quite a stark difference between them.

    Recommending against using Firefox and F-Droid due to major security deficiencies doesn't in any way reduce user choice as the post above portrays it. Having a lot of accurate information provided by GrapheneOS enables our users to make more well informed decisions. We also do not specifically recommend the Play Store as the post says above but rather we provide nuanced information about the available choices. Specifically for obtaining apps from the Play Store which aren't available directly from the developers, we recommend using the sandboxed Play Store for users who using sandboxed Google Play in a profile for app compatibility already. Play Store itself has signature verification while Aurora Store only has TLS with a smaller set of trusted CAs by default similar to many Google apps. Aurora Store is sometimes needed to work around app's filtering who can install it so we do recommend it for that specific purpose. Aurora Store still logs into a Play Store account and making a throwaway account to use the Play Store app doesn't reduce privacy compared to using sandboxed Google Play without one.

• today at 5:24 PM

• strcat

  today at 7:12 PM

  > GrapheneOS is based on Android, which is solely developed by Google.

  GrapheneOS is based on the Android Open Source Project. It's incorrect to say it's solely developed by Google and it's open source software which we're free to change as we see fit.

  > GrapheneOS only supports Google Pixel devices. Thankfully, they are working on partnering with a different manufacturer, but details are still very limited.

  No, we already have a partnership with a major Android OEM. It's not something we're working on obtaining and we've provided a fair bit of details including that it will be publicly announced by the OEM in March, that the devices will launch in 2027 and that they'll use a high end Snapdragon SoC which is either the flagship (most likely) or one step below it.

  > They recommend using the Google Play Store

  No, that's not our recommendation.

  > recommend against using F-Droid

  We recommend against F-Droid due to it being an unnecessary middleman between users and app developers which does not truly reduce trust the app developers. F-Droid apps are consistently out-of-date and often lag months being on important privacy and security fixes. F-Droid consistently makes problematic undocumented changes to apps including rolling back dependency updates. F-Droid is known to use highly outdated build infrastructure which is very poorly secured. They have a bunch of bad security practices throughout their approach and have made it clear it isn't a priority for them. They've repeatedly said they don't believe app sandboxing is useful and much more than that. Many open source apps including Signal and WireGuard have asked to have their apps omitted from F-Droid due to the security and trustworthiness issues with the project. That's not at all something specific to GrapheneOS.

  > Their Vanadium web browser is based on Chromium, which is controlled by Google.

  Chromium is an open source project which is collaboratively worked on by multiple projects using it as the basis for their browsers. That includes Microsoft who implemented the WebAssembly interpreter available in the upstream Chromium codebase which is used by Vanadium but is dead code in Chrome and regular Chromium builds since it was added for Edge.

  > It also does not have an ad blocker

  No, that's not true. Vanadium has a default enabled ad blocker which uses EasyList, EasyPrivacy, EasyList's Adblock Warning Removal List and also selectively activates a whole bunch of EasyList affiliated language/regional lists based on the currently active languages. This approach avoids adblocking being used for fingerprinting, avoids greatly weakening site isolation sandboxing as extensions do and is much higher performance which is important on mobile. It very clearly has ad blocking and a per-site toggle for it.

  > or support extensions

  Extensions greatly weaken site isolation and give third party code without verified boot extensive access to website content similar to dangerous Android accessibility service apps. Very few extensions are focused on privacy and security in a similar way to GrapheneOS and would compromise what we're trying to build. It's not the approach we want to use in Vanadium. If you want to use extensions then you can use a browser with them but it doesn't fit into what we're building with Vanadium where we want to implement features ourselves in a very private, secure and robust way which cannot be done with extensions. Extensions fundamentally reduce security including because they used a shared process across all isolated websites which inherently reduces isolation. Few extensions take this seriously, even the ones focused on privacy. They commonly add leaks between sites. There are plenty of other browsers available but ours is aiming for a standard of privacy and security which cannot be achieved with extensions.

  > They recommend against using Firefox.

  Firefox's Android app has atrocious privacy and security. A browser without even basic content sandboxing let alone sandboxing with full site isolation. That's combined with major other major security deficiencies and it isn't something we could recommend using. Recommending against it doesn't mean people can't use it...

  You'll still be using Vanadium as the web content engine within apps using the WebView such as email clients rendering HTML email and many more. Many people have a misunderstanding of what the WebView is and confuse it with custom tabs which are provided by the user's selected default browser rather than the WebView used within other apps.

  > This is not a criticism of the GrapheneOS project or developers.

  How isn't it criticism of GrapheneOS? Regardless, Vanadium does have an adblocker and we don't specifically recommend the Play Store as you said. The biggest issue is that what you're saying about what we prioritize, advise or provide isn't accurate.

  > I understand that security is the biggest priority of GrapheneOS

  Privacy is the biggest priority of GrapheneOS and privacy depends on security. GrapheneOS is a privacy project.

  > It is more directed towards the GrapheneOS community that often blindly recommends GrapheneOS as the only option and treats any alternative as inferior and not to be considered.

  Our project and community regularly recommends iOS as an alternative which provides far better privacy and security than non-GrapheneOS options. Most other options have very poor privacy/security including lacking even basic privacy/security patches and protections. Similarly, our project and community regularly recommends using macOS for better privacy and security than either Windows or desktop Linux. What you're saying are blind recommendations are anything but that but rather very well informed information provided by the GrapheneOS project.

  > Most users do not need security at all costs.

  GrapheneOS is not about security at all costs and this misconception which regularly comes up that it's about security rather than privacy is completely wrong. Many projects failing to provide decent privacy treat it as if privacy is solely about which apps/services are bundled rather than needing to provide privacy patches, privacy protections and solid security to protect that from being bypassed. Much of what GrapheneOS provides are privacy features such as Contact Scopes, Storage Scopes and the Sensors/Network toggles along with much more. The security protections it provides exist to protect privacy. Why else would the security protections be there other than to protect privacy? It's not a separate thing from privacy but rather is a huge part of providing it. There's no other reason for us to work on security than protecting privacy. It doesn't make sense to say we work on security instead of privacy.

  Most users do need basic privacy/security updates and protections. Failing to keep up with basic updates and misleading users about it is a severe issue. There isn't any major non-GrapheneOS AOSP-based OS that's doing the bare minimum of keeping up with updates.

  > Especially among the free and open source enthusiast community, freedom and user control are often prioritized. There should be more awareness and discussion about what the user wants and whether that actually aligns with the security-first goals of GrapheneOS.

  You aren't accurately representing what GrapheneOS provides, our approach or our priorities. People can see for themselves from the detailed article that it provides a highly usable and compatible system with a huge amount of user choice. People can choose from a wide range of approaches based on their privacy and security goals. It doesn't impose choices on people. You treat it as if people are forced to use Vanadium when it's another choice of browser which people have on GrapheneOS but not elsewhere. GrapheneOS users have more choice among browsers and the one we have DOES provide ad blocking contrary to what you said. GrapheneOS users can use F-Droid despite us recommending against it due to the major security deficiencies. Providing well informed recommendations with detailed explanations does not in any way hinder user choice but rather informs people so they can make better choices. Our recommendations not aligning with your personal beliefs or preferences doesn't mean we're somehow reducing user choice.

The biggest hold-back for me is that, here in Australia, Google Wallet (aka Google Pay) is the only way you can do tap credit card payments that I know of. Can't with Paypal. Not with any banking apps that I know of.

It's just so damned convenient. And the recording of transactions on the phone saves me having to collect paper receipts.

• seanw444

  today at 9:07 PM

  If you want to fight back‚ let convenience take the back seat.

One of the only big downsides I've noticed with GrapheneOS is that several banking apps don't work with it at all thanks to being tied to Google's verification ecosystem.

Luckily I have hardware 2FA keys from my bank so I can authenticate using that. It also slightly decreases the suck-factor from whenever the phone decides to fly off down a drain. This may not be the case for you, so do your research on what you need for daily living.

• rcMgD2BwE72F

  today at 10:51 AM

  I contacted my bank, insisting that GrapheneOS is one of the most secure OS on the market and therefore should be supported if they actually care about users' security (it's actually far more secure than all the old, far less secure but Google-approved devices out there). They acknowledged an fixed their app, one of the most popular in France.

  Still missing Android Pay but that's due to Android Pay being closed. I wish banks would do something and support NFC payment systems that don't require the device to be controlled by Google (how can we be okay with this?!)

  • estherney

    today at 12:47 PM

    German bank Comdirect / Commerzbank did this as well, whitelisting GrapheneOS signing keys for their 2FA app. https://github.com/PrivSec-dev/banking-apps-compat-report/is...

  • palata

    today at 11:13 AM

    > I wish banks would do something and support NFC payment systems that don't require the device to be controlled by Google

    There are countries where it's possible to pay everywhere with the banking app scanning a QR code. No need for NFC :-).

    • yason

      today at 1:59 PM

      The point of NFC-on-a-phone is that you don't need the damn banking apps and internet and retailer support for all that to validate a simple transaction. My credit card has NFC, no internet and no app, and it's universal.

      • palata

        today at 4:21 PM

        > you don't need the damn banking apps

        You need the Google/Apple app though, don't you? Or can you write your own personal app that will handle that?

        • Andromxda

          today at 9:34 PM

          There are several banks, especially over here in Europe, that have their own implementations of contactless payments, if that's what you mean. Here's a German article outlining this and mentioning a few examples: https://www.kuketz-blog.de/nfc-datenschutzfreundlich-bezahle...

    • stephenr

      today at 11:34 AM

      I use qr based payments regularly where I live, and in my home country I use nfc payments (watch/phone/card) essentially always, when we visit.

      NFC is by far more convenient and reliable.

      • palata

        today at 12:08 PM

        I can't say about "convenient" because I don't use it, but I have been using QR codes for years and I haven't had a single issue. I don't know anyone who has.

        QR codes are reliable.

        • landgenoot

          today at 12:52 PM

          You need an active internet connection to pay via QR.

          NFC (EMV) works offline.

          • palata

            today at 1:17 PM

            Got it, that's a good point! It's so much not an issue where I live that I hadn't realised :-). But it is an issue nonetheless.

        • stephenr

          today at 12:46 PM

          It's regularly unreliable here, because it's reliant on a bank app which in turn is reliant on an internet connection, and banks here are kind of shit.

          It's pretty common here that people will be told they need to turn off an otherwise working Wifi connection when facing problems because bank apps will often just not work properly on wifi.

          But as I said, even without that, the convenience level is ridiculously different. It's arguably quicker to open your wallet and use a debit card with an NFC chip than it is to use QR codes, before we even talk about the convenience of watch/phone payments using NFC.

          • palata

            today at 1:21 PM

            > It's regularly unreliable here, because it's reliant on a bank app which in turn is reliant on an internet connection

            Got it, that's a fair point!

            > But as I said, even without that, the convenience level is ridiculously different. It's arguably quicker to open your wallet and use a debit card with an NFC chip than it is to use QR codes

            This part sounds like those people who use a different unit system than I do and explain to me how my unit system is objectively more inconvenient than theirs. To which I answer: "I think I know better than you what is more convenient for me, given that I use it everyday" :-).

            I use QR codes instead of opening my wallet, which kind of hints towards the former being more convenient than the latter for me. And for the millions of people who also do that.

            • stephenr

              today at 3:08 PM

              Did you miss the part where I said I use both?

              I'm not saying "yours" is less convenient. I'm saying the one you and I both use regularly is less convenient than anything NFC based, which I also use semi-regularly.

              • palata

                today at 3:24 PM

                I'm confused. You say:

                > It's arguably quicker to open your wallet and use a debit card with an NFC chip than it is to use QR codes

                So I assume that even though QR codes are available where you live, you use your debit card with an NFC chip because it is quicker than using QR codes...

                Anyway, the important part is that NFC doesn't require an internet connection, and I had missed that. Now I wonder why a QR code couldn't work without an internet connection just the same. I'll have to look into that!

                • stephenr

                  today at 5:16 PM

                  > So I assume that even though QR codes are available where you live, you use your debit card with an NFC chip because it is quicker than using QR codes...

                  Yes, I generally use my card rather than than QR unless the shop doesn't take cards, doesn't have a paywave/etc-enabled card reader, the card reader is broken, the sales person doesn't know how to use it, or the sales person insists I give them my card and PIN to pay (none of those are hypotheticals, I've experienced all of those first hand, some of them quite repeatedly).

                  > Now I wonder why a QR code couldn't work without an internet connection just the same.

                  Because a QR code is just a short piece of information to tell your banking app who to send funds to - it's like putting a mailto: link on a website rather than asking people to re-type your email address to contact you.

                  • palata

                    today at 5:50 PM

                    Oh right, of course the phone has to send information back to the terminal, which NFC does but not the QR code. Hence the internet connection.

  • jackhalford

    today at 10:54 AM

    I’m interested which french bank is this?

  • ninininino

    today at 8:17 PM

    Play Integrity and APIs like it aren't about security, they are about anti-fraud/anti-scam.

• mentalgear

  today at 10:46 AM

  "Banking Applications Compatibility with GrapheneOS" https://privsec.dev/posts/android/banking-applications-compa...

• joebe89

  today at 11:27 AM

  What about the small matter of having to purchase a Google phone in the first place?

  • backscratches

    today at 12:26 PM

    Most anti-google move: buy a second hand pixel, they receive no revenue on the device which is (assumed) already highly subsidized by google so that they can profit off users' data, then you use their subsidized hardware without running their spyware OS. Google only loses money in this scenario, it is a great protest.

    • Aachen

      today at 5:25 PM

      Have you seen those prices? I don't think the devices need subsidising at all. How else could competitors, who aren't selling off your data, offer it for cheaper?

      • backscratches

        today at 9:45 PM

        competitors also sell off your data, via uninstallable google spyware in most cases!

  • palata

    today at 12:11 PM

    I see it as a necessity, because the Google phone is the only one worth it if you care about security.

    The problem is not GrapheneOS, but rather that phone manufacturers other than Google don't care. Now if there were millions of GrapheneOS users, it would start becoming interesting for other phone manufacturers to care.

    My point being that I buy Pixel in order to give more weight to GrapheneOS, in the hope that other manufacturers will eventually realise that.

  • microtonal

    today at 3:46 PM

    Besides the already mentioned point of getting one refurbished, Pixels tend to get really cheap towards the end of the yearly cycle. At that point, they were mostly going to make money from you using their ecosystem and then you are sticking it to them by installing GrapheneOS :p (probably they don't care).

    E.g. a new Pixel 9a is currently 369 Euro in The Netherlands and 367 Euro in Germany. The Pixel 10a will be released soon, but the 9a will run GrapheneOS just fine (same SoC except modem as the vanilla 9).

  • direwolf20

    today at 12:45 PM

    Google makes high quality hardware and untrustworthy software. Graphene's approach is to take the hardware and leave the software.

• adezxc

  today at 10:32 AM

  Yup, also Google Pay doesn't work, though there are other providers which work fine (Curve Pay I think works in all of EU), but it just made me carry my wallet everywhere and I understood I don't mind that at all.

  • kaopor

    today at 10:16 PM

    Since all of comments are about NFC payments, this should be higher. Can confirm Curve Pay works (pixel 9a) at least with one Greek bank and Revilut. Not affiliated in any way with them and don't know this service is actually works just Yeah I'm amazed too.

  • microtonal

    today at 3:47 PM

    I still have my Apple Watch configured, so I'm just doing the NFC payments with that :).

• stinos

  today at 10:32 AM

  Author is installing Google Play Services it seems, wouldn't that work around this?

  In any case, for me this also sort of defeats the purpose: I'd rather break free from Google and Apple, not just (stock) Android and iOS.

  • UnreachableCode

    today at 10:39 AM

    No, because most banking apps call upon the Google Play Integrity API, which GrapheneOS doesn't (or can't?) use. There's a decent list kicking around of which ones work (Monzo, for instance).

    https://privsec.dev/posts/android/banking-applications-compa...

  • palata

    today at 11:18 AM

    > this also sort of defeats the purpose

    Not really. On GrapheneOS, the Play Services/Play Store run as sandboxed apps, i.e. they are not system apps like on Android. They just run like a normal, unprivileged app. That's a lot better than on Android.

    > I'd rather break free from Google and Apple, not just (stock) Android and iOS

    If you want to break free, you don't have to install the Play Services / Play Store on GrapheneOS, just like you don't have to install microG on LineageOS. There is a misconception that microG is better than sandboxed Play, but I disagree. With microG, your apps still connect to the Google servers, so you're not "breaking free".

    • microtonal

      today at 3:51 PM

      With microG, your apps still connect to the Google servers, so you're not "breaking free".

      Moreover, some OSes (e.g. /e/OS) give certain Google apps higher privileges than other apps even with microG, install Android Auto and it's still game over. GrapheneOS does not have this issue because as you say, Google apps/services get sandboxed.

      Obligatory link: https://eylenburg.github.io/android_comparison.htm

• dgxyz

  today at 10:45 AM

  Does anyone know if HSBC's UK app works on it? I've seen inconsistent reports that it does and doesn't.

  Edit: ignore this - there's a list elsewhere in this thread!

• tonylemesmer

  today at 3:32 PM

  yep - tried GrapheneOS for the first time today and my banking app detected that the phone was jailbroken.

  • microtonal

    today at 3:42 PM

    Did you relock the bootloader and disable OEM unlocking as part of the GrapheneOS onboarding?

• zhouzhao

  today at 10:37 AM

  Of course that is highly depdendet on the bank used, but so far none of my banking apps didn't work!

  If you are using a rather popular banking app, chances are high that it has been discussed in the GrapheneOS forum.

  Anyway, with google play services installed, mine have worked out of the box.

One thing that is a game changer on GrapheneOS is the network toggle for apps. Turn off network access for your keyboard, camera app, calculator, files, etc.

• Aachen

  today at 6:43 PM

  Definitely one of the best features to have this in the native UI, though it's also possible in other ways

  If anyone wants this without GrapheneOS: https://f-droid.org/packages/dev.ukanth.ufirewall

  If anyone wants this without GrapheneOS and without root: https://f-droid.org/packages/net.kollnig.missioncontrol.fdro...

We need Linux OSes and phones to catch up to really break free from this duopoly. Only when there is enough traction, essential infrastructure like banks will start supporting Oses like that. It's a chicken and egg kind of problem.

• gf000

  today at 11:06 AM

  Android is a Linux OS and is eons ahead anything that would sit on top of "GNU/Linux" userspace.

  Why start from scratch?

  • pelzatessa

    today at 12:33 PM

    I think that the main problem is that android has a lot of weird modifications that are not consistent with the rest of linux distros. The user data is suddenly in /data instead of /home, theres no package manager, no systemd (for better or worse), and there's hella lotta security gotchas, for example call recording is impossible without root as far as I know. I'm not saying that Android is not hackable, but it's a different type of hackability than desktop linux, you have to learn it all over again and in my opinion it's much harder to master than desktop linux.

    I've been on ubports for 3 years and while it also has some weird caveats like read only rootfs, no working package manager (due to read-only fs. however ubports has pretty cool support for lxc containers where you can use apt). Due to chronic lack of time I haven't been able to sit down on my phone to play with it a bit (for example id like to install waydroid), but it seems a lot easier than android. For example, while there isn't an app for call recording, some guy worked around it by writing a systemd user service as a workaround[1]. This is exactly the type of thing I'm thinking about when talking "linux phone".

    For me as a linux user, the difference if ubports was a human, I'd think that perhaps they were sick, whereas if android was a human, i'd shoot them in the face :)

    [1] https://forums.ubports.com/post/75157

  • galangalalgol

    today at 11:14 AM

    Yeah, just need to decide where to start the fork. The larger problem is radio firmware. FCC regs were the initial excuse, for wifi and Bluetooth too, but we need to open up the source for all of these and allocate money for enforcement if we are truly worried people are going to start adding wifi channels etc. Open firmware phone radios would let you do things like truly turning off the radio when wifi was present, no gps ping even.

    • palata

      today at 11:44 AM

      The good news being that the work made by Linux on Mobile projects regarding the radio firmware benefits AOSP projects, and inversely, right?

• palata

  today at 11:12 AM

  While I respect the Linux on Mobile work, I believe that AOSP is a lot better, with a much better security model.

  Remember that GrapheneOS is not Android: it's an AOSP-based OS.

  • Hackbraten

    today at 12:52 PM

    You’re not wrong. The thing that bothers me is that AOSP is being developed behind close doors and controlled by a single company which wields way too much power and control over our daily lives, and which has a track record of abusing that power.

    • palata

      today at 1:24 PM

      Agreed. Though my hope is that AOSP could be forked. Without the contributions from Google, it would surely move slower, but... well it may work.

      I actually had hopes that Huawei would start that with HarmonyOS.

• svilen_dobrev

  today at 1:21 PM

  what happened to Sailfish? the successor of meego et-al

  It is finnish, anyone knows how are they going?

  i used that for 2 years, it's linux+kde bottom to top, a terminal + shell is a builtin, though only supporting 5+ years old Sony phones got tiresome.

  Still.. it seems the only one that's usable enough apart of the duopoly. May have to switch to it again.

  • strcat

    today at 8:55 PM

    The portions of SailfishOS specific to it including the user interface and application layer are nearly entirely closed source, unlike the open source Android Open Source Project (AOSP). SailfishOS has far worse privacy, security, functionality and usability than the Android Open Source Project. It isn't possible to make a fork improving it due to it not being open source like AOSP.

    You can run desktop apps on GrapheneOS including on a desktop monitor via the desktop mode with free form windows. There's support for non-native apps via hardware-based virtualization. These features are experimental but already work pretty well.

  • ttkari

    today at 2:09 PM

    There's a new Jolla Phone in pre-marketing phase right now (almost 9000 phones have been pre-ordered so far). First device deliveries are scheduled for this summer and this should easily be the new benchmark for officially supported SailfishOS devices.

    The situation with Sony Xperia devices is not great, the best experience is still on the X10III (from 2021 I think) and there are significant issues with the support of 10 IV and V generation devices (a free beta release is available for those as well).

    It seems that recently there has been quite a lot of buzz in the Sailfish community compared to the past few years. In the public repos there are some interesting contributions like xdg-shell support for Lipstick, which looks set to enable compiling many previously unavailable Linux apps natively if that will actually be integrated in an upcoming OS version.

    • strcat

      today at 8:56 PM

      See https://news.ycombinator.com/item?id=47053198.

  • raron

    today at 8:26 PM

    Jolla mishandled the funds they got for the tablets, it went bankrupt and bought up by a company connected to the Russian state. Jolla lied a lot during these events and tried to hide what happened, and I don't think that's an acceptable thing to do when the main selling point of your product is privacy and trust. AFAIK they recently got bankrupted again and bought by the original owners, but it's hard to rebuild trust.

    • strcat

      today at 8:57 PM

      See https://news.ycombinator.com/item?id=47053198.

    • today at 8:56 PM

  • Paianni

    today at 1:43 PM

    They have been underfunded for a decade now, with some unfortunate consequences - the web browser is based on Gecko 91.

    • strcat

      today at 8:57 PM

      See https://news.ycombinator.com/item?id=47053198.

Until these OS also start putting forward something like WebOS that tried to get phones back to on open web, there is no breaking the binary format and Appstore monopoly.

I wish Europe would have forced that 10 years ago since the US is beyond saving.

• strcat

  today at 8:36 PM

  There's a huge open source app ecosystem for Android and it has the best support of any major platform for well integrated web applications. There are a bunch of alternatives for getting apps including getting them directly from the developers which has been automated without needing an app store. The linked post talks about using Obtainium for getting apps more directly from developers when possible.

• SahAssar

  today at 6:31 PM

  Was WebOS really that much about openness? Are you not thinking of FirefoxOS/B2G?

• gf000

  today at 2:25 PM

  What binary format?? Go read facebook's "source code", is that any more open than a random apk? If anything, apks decompile quite well.

  • Aachen

    today at 5:29 PM

    So long as browsers allow you to open the developer tools and inspect memory etc., they're more open than remote attestation of a stock android or ios device

    Decompiling apps only works if you can get the app. I don't understand GP's problem with the apk format either, but you do need to break terms of service to get the files if you don't have a phone with Google services installed. Whether that's ethical or legal is up for debate

Let’s just say, it took a while for the Stingray to get in while moving at 70mph. But it got in when it’s 0mph

The main problem with the Pixel phones, along with most Android phones these days, is the lack of a μSD card slot and a 3.5mm headphone jack. When I recently had to purchase a new phone, I had to go with a Motorolo G, as it had both of those features.

Does anyone have a good grasp of the differences between GOS and /e/OS? I'm buying a Fairphone soon and was wondering what both are like

• onli

  today at 10:54 AM

  GrapheneOS claims to be a lot more secure, having additional hardening. See https://eylenburg.github.io/android_comparison.htm - keep in mind that it is not an independent comparison, the Graphene guys directly feed what this table is supposed to say in the issue tracker, https://github.com/eylenburg/eylenburg.github.io/issues/. But it gives a good representation of the state of the ROMs according to Graphene.

  In regular use, main difference will be that /e/OS comes with access to the alternative cloud service that project provides. It uses the default FOSS solution microG for google api compatibility, unlike GrapheneOS with their sandbox approach. /e/OS sets on AppLounge to install and upgrade both play store or F-Droid apps. Graphene has a small curated app repo instead.

  I'd never use GrapheneOS since I don't trust the project. /e/OS is also not my favorite since it feels like it is developing slowly, having had issues with outdated software versions - though it does work well in practice. Have a look at iode for an alternative.

  • palata

    today at 11:31 AM

    > I'd never use GrapheneOS since I don't trust the project

    Fair enough, you choose what you trust.

    But personally, I have never seen a technical claim from GrapheneOS that was wrong or misleading. But I have seen many claims from /e/OS that were technically wrong or misleading. So I trust GrapheneOS more.

    Then there is the drama, and all sides annoy me when they behave like this. But I have seen drama coming from all sides.

    • onli

      today at 11:35 AM

      I have never seen drama from /e/ or any other project GrapheneOS attacks, like Calyx. Please link me to it - I asked this several times, people never can follow up. So far?

      • palata

        today at 12:14 PM

        > Please link me to it - I asked this several times, people never can follow up. So far?

        Sorry, I won't spend 30 minutes digging to find that :-). I follow /e/OS, GrapheneOS and (followed) Calyx. I have seen messages from all of those either on forums, Mastodon, etc.

        Also, whenever GrapheneOS makes a technical point (which is often a blunt "GrapheneOS is superior because [...] does it wrong"), many users of those projects answer aggressively (and of course many GrapheneOS participate as well).

        And on top of that, a lot of messages criticising some GOS people or the entire project and calling them "toxic" whenever GrapheneOS is mentioned.

        I have no skin in this game, so it doesn't touch me. But I could understand that the GOS people feel "harassed" by this. If everywhere I went people said "have you seen this guy? I hear he's toxic", I would consider it harassment, I think?

        • onli

          today at 12:17 PM

          Sorry, but then I take this as the usual - GOS is attacking other projects, that I can easily see in all their socials, and the other projects have done nothing wrong. GOS always claims that the other projects attack them since years, and never shows any proof. And indeed, I still never have seen any attack against GOS. Seems like this won't change today.

          You or other readers can check https://github.com/mozilla/ichnaea/issues/2065 for a public display on how GOS attacks work when they are mixed into technical debates, how they destroy any chance of cooperation.

          • palata

            today at 12:53 PM

            > Sorry, but then I take this as the usual

            Sure, you're free to do what you want. Just sharing my opinion given that I follow those projects from the outside.

            > You or other readers can check

            I guess what I am trying to say is that it takes multiple sides to argue.

            For what it's worth, your link shows the founder of /e/OS engaging there. I have seen both technically wrong and misleading claims from the founder of /e/OS on Mastodon, then GrapheneOS explaining why they thought it was wrong on their forum, and then the founder of /e/OS calling them toxic and complaining about those attacks. And then /e/OS users would join the party and start attacking GrapheneOS, fully trusting those claims from the /e/OS founder. I can't really say that he didn't have any responsibility in the drama under those conditions...

            Again, GrapheneOS tend to be blunt, but it doesn't make it technically wrong. And when the message is "it is unacceptable to us in terms of security", then it will be blunt anyway. I realised after years of using a phone I bought to Murena that my system (that they installed and sold to me) was entirely breaking the AOSP security model: it was signed with the Google testing keys and the bootloader was unlocked (and just couldn't be relocked, and anyway it wouldn't matter because of those keys that are not meant for production).

            In other words, I bought a product to Murena that was unacceptable to me in terms of security, but genuinely thought it was better than Stock Android because of Murena / /e/OS marketing. I genuinely feel either they tricked me, or they didn't know it themselves. I have personally seen multiple /e/OS phones in a state where they were objectively less secure than Stock Android. I get that they don't like it when GrapheneOS says it, but that is not wrong.

            • onli

              today at 2:32 PM

              I still haven't seen what you describe, the behaviour of other projects. And I dont believe it without proof (since it was claimed so often by GOS without proof being shown, or in some cases with it obviously not existing).

              For the security thing: It is wrong to claim that an unlocked bootloader completely breaks the android security model. If anything, it breaks one specific aspect, one that doesn't matter for many attacker models. Besides, on some phones the bootloader just can't be relocked, that's on the phone vendor though. Signing keys for bootloaders might just not matter if change detection was working or the bootloader was not relockable, but maybe I'm missing some specifics there.

              So imho what you describe as catastrophic scenario likely wasn't one.

              • palata

                today at 2:59 PM

                > It is wrong to claim that an unlocked bootloader completely breaks the android security model.

                You seem knowledgeable about this, so I'll take the opportunity to ask: if I install a malicious app and it manages to escape the sandbox and alter the system, my understanding is that it will be detected next time I boot it (because the image hash won't match). Isn't that true?

                > Signing keys for bootloaders might just not matter

                Again a question, I haven't found it in the official documentation: aren't those keys the "system keys"? As in, if my system is signed with some keys and an app is signed with those same keys, doesn't it allow this app to get privileged permissions?

                • onli

                  today at 4:29 PM

                  Take what I say with a grain of salt. There are many people that know more than me. But I'll try to answer to the best of my knowledge.

                  If a malicious app tries to alter the system in a bootloader relevant way, it would most likely fail. On those roms, apps don't have root rights, and users are even unable to activate a root account (part of why we need unlocked bootloaders in the first place to achieve user control over bought devices). But yes, as part of AVB system parts are hashed and a mismatch would be detected, see https://emteria.com/blog/android-verified-boot for a writeup.

                  For system apps, again two aspects. It's not that easy for an app to become a system app, it has to be moved to a specific place. Think about how the Gapps package is usually installed when you install a ROM, externally by the recovery system and not inside Android itself, that would be the reason. But yes, there are platform keys that the docs at https://source.android.com/docs/core/ota/sign_builds claim should be secret release keys.

                  About those release keys being also used for the system app verification, I think so. There are different keys on Android, like the release keys and the verity_key, but I think it follows from the docs that the release key is the one used to verify system apps (on modern Android versions).

                  It is debatable whether users not being able to exchange system apps then is a valid requirement for a FOSS Android distribution like /e/. But that position does exist, claiming users should build their ROM variants on their own with custom keys if they want to modify the system, to close this attack vector.

                • strcat

                  today at 7:53 PM

                  > You seem knowledgeable about this, so I'll take the opportunity to ask: if I install a malicious app and it manages to escape the sandbox and alter the system, my understanding is that it will be detected next time I boot it (because the image hash won't match). Isn't that true?

                  They're misrepresenting what has been said by GrapheneOS and also lack a good understanding of it themselves. They're definitely not a good source of information about this.

                  • palata

                    today at 10:06 PM

                    Could you provide some insights there? That would be appreciated.

                    1. Is it correct that the secure boot protects again a malicious app escaping the sandbox and persisting into the system?

                    2. Is it correct that if the system is signed with the Google testing keys, then someone could sign an app with those keys and the app would get more permissions than it should (I believe it's called the "signature" permissions)?

                  • today at 8:52 PM

  • gf000

    today at 11:12 AM

    > GrapheneOS claims to be a lot more secure

    That's not just a claim, this is an objective fact. GrapheneOS has a excellent track record when it comes to security, they have made several patches that got upstreamed to Android, etc.

  • goodpoint

    today at 4:16 PM

    /claims/

  • strcat

    today at 7:51 PM

    > GrapheneOS claims to be a lot more secure, having additional hardening.

    GrapheneOS has been heavily analyzed by privacy and security experts who say it provides far better privacy and security. There's a large amount of real world evidence showing GrapheneOS very successfully defends against commercial exploits tools. /e/ has been heavily criticized for having poor privacy and atrocious security by many experts. /e/ doesn't keep up with basic privacy/security patches and misses many important standard protections.

    > keep in mind that it is not an independent comparison

    That's not true. It's an independent comparison and the site compares a lot of other software. Contributors to many of the projects compared by it submit issues to it which doesn't many it not an independent comparison.

    > In regular use, main difference will be that /e/OS comes with access to the alternative cloud service that project provides.

    GrapheneOS users have many cloud services available including suites from Proton and others. Murena services have poor privacy and security overall due to neglecting server security, updates and more. Their speech-to-text service being a thin wrapper around OpenAI sending this sensitive user data to them rather than doing it locally as our SpeechServices app does similarly to Apple (even Google has that as an option):

    https://community.e.foundation/t/voice-to-text-feature-using...

    > It uses the default FOSS solution microG for google api compatibility

    Their approach with microG gives highly privileged access to Google apps/services by default. GrapheneOS doesn't include sandboxed Google Play by default and they're installed as regular apps. microG doesn't change the fact that the apps are using closed source Google libraries, which are still present with microG and have strictly more access to user data on /e/ than GrapheneOS with sandboxed Google Play. Sandboxed Google Play is an entirely opt-in feature people need to install. /e/ has microG set up where it downloads closed source Google Play components it runs with privileged access as the default.

    > /e/OS sets on AppLounge to install and upgrade both play store or F-Droid apps

    This is a strange merger of Aurora Store, F-Droid and more. It's very misleading and confusing for users.

    > /e/OS is also not my favorite since it feels like it is developing slowly, having had issues with outdated software versions - though it does work well in practice. Have a look at iode for an alternative.

    Neither /e/ or iodéOS keeps up with updates to Android, Chromium, firmware, drivers or the Linux kernel. Both mislead users with an inaccurate Android security patch level. iodéOS lags far less behind /e/ and doesn't have nearly as many privacy violating services and added privacy/security flaws but neither is a privacy or security hardened OS. Neither keeps the privacy or security of standard AOSP intact.

  • MaroonBear

    today at 9:25 PM

    [dead]

• palata

  today at 11:36 AM

  I have been using /e/OS for 5 years, and also GOS. My take is:

  - If your phone is supported by GOS, you should go for GOS.

  - If your phone is not supported by GOS, you should look carefully and compare between /e/OS and Stock Android.

  I had a Fairphone 3, and after 5 years, /e/OS was outdated by 4 years w.r.t. the manufacturer updates. In other words, Stock Android coming from Fairphone was more secure than /e/OS on that Fairphone.

  In my experience, /e/OS has a tendency to claim that they support everything, but they just can't, there is too much. And then they complain when GrapheneOS criticises the fact that some /e/OS users believe their phone is well supported but actually isn't. And GrapheneOS is not wrong: I realised I was in that case after 4 years with /e/OS.

  • gnufx

    today at 1:57 PM

    > I had a Fairphone 3, and after 5 years, /e/OS was outdated by 4 years w.r.t. the manufacturer updates

    Mine is running /e/ and reporting Android 13, which appears to be the last one Fairphone support. /e/ said it was too difficult to support 14 with the kernel involved. It's had continual security updates apart from the Android version.

    Edit: Murena make it clear which phones are officially supported and which have "community" support.

    • palata

      today at 2:54 PM

      > Mine is running /e/ and reporting Android 13, which appears to be the last one Fairphone support.

      This is not the manufacturer updates. I was talking about the manufacturer updates. I just checked and someone complained a few months ago and they updated them. Before that, they had not been updated in years on /e/OS, but they were up-to-date on Stock Android.

      > Edit: Murena make it clear which phones are officially supported and which have "community" support.

      I bought a phone to Murena, advertised by Murena, through Murena. It really felt like it would be officially supported, otherwise they should have made it clear that they advertise and sell something that they won't support, wouldn't you say? My feeling is that they just stopped supporting it after a while.

      Also I would assume that "supported" means that it receives both the LineageOS updates and the manufacturer updates. Apparently they have a different definition of "supported" (which is fine, maybe it's just "we will continue sending you our own updates"). It's just that in my book, if I get more security updates with the Stock Android than with /e/OS, then Stock Android is more secure.

    • strcat

      today at 8:06 PM

      > It's had continual security updates apart from the Android version.

      Nope, it doesn't receive most privacy and security patches. Users are being heavily misled about what's provided. First of all, the kernel is nearly entirely not being updated which is a massive portion of the privacy and security patches. Murena's devices have poor privacy and atrocious security including due to the failure to properly provide basic privacy/security patches. Their claims about what they provide need to be distinguished from what is actually provided. /e/ updates the patch level regularly to claim they provide the security patch backports but that doesn't mean they actually provided all of them. It's an arbitrary value and they don't set it accurately.

      Fairphone 3 uses the end-of-life Linux 4.9 branch, Fairphone 4 use the end-of-life Linux 4.19 branch and Fairphone 5 uses the end-of-life 5.4 branch. Each was largely not receiving the upstream LTS updates while they were still provided but now they're not provided. An OS that's not receiving basic kernel updates is definitely not receiving security patches anymore, but they were largely never providing these updates in the first place long before the kernel branch or devices were considered end-of-life.

      Similar to iOS and other operating systems, Android only backports a subset of privacy and security patches to older Android branches. Only Android 16 QPR2 has the full set of Android privacy and security patches. You aren't receiving all of the standard Android privacy and security patches if you're not on Android 16 QPR2. Many of the patches are also treated as optional and deferred as being mandatory far into the future. It's also worth noting the dates are misleading. Android's March 2026 security backported have been finalized for a while and up to August 2026 are available to ship by OEMs already but a lot more will be added to June 2026. February 2026 Android security patches are the latest with a public bulletin but not the latest available to ship.

      Fairphone and especially /e/ also have very incomplete patches for firmware and drivers. /e/ also has major issues patching other components including the browser engine used by the OS for the WebView.

  • strcat

    today at 7:58 PM

    > If your phone is not supported by GOS, you should look carefully and compare between /e/OS and Stock Android.

    If you have an iPhone that's still supported, you have strong privacy and security. If you have a phone that's not an iPhone and not supported by GrapheneOS then you likely have a phone with atrocious privacy and security regardless of OS choice. If people can afford to get a secure device with years of proper support remaining then they should do that rather than using an insecure device with a sidegrade for privacy and security using a problematic AOSP fork. LineageOS is far less problematic than /e/. If people want to switch the OS to something else due to the OEM abandoning it or to avoid Google Mobile Services they should use at least use LineageOS which is less of a privacy and security downgrade from OS. LineageOS does not fully maintain the privacy and security of AOSP or fully keep up with updates but it's a lot less bad than /e/. Most alternate OSes are forks of LineageOS to reuse their work on hardware support and nearly entirely make privacy and security worse, not better, so why not use the upstream project instead?

    > I had a Fairphone 3, and after 5 years, /e/OS was outdated by 4 years w.r.t. the manufacturer updates. In other words, Stock Android coming from Fairphone was more secure than /e/OS on that Fairphone.

    It's important to note that an alternate OS depends on the OEM for firmware and in practice much more than that including kernel and driver updates. It's theoretically possible to replace the kernel and drivers with much different ones but it's not done in practice by alternate AOSP-based operating systems. If the device is abandoned by the OEM then you aren't going to have a secure device.

    /e/ lags far behind on standard privacy and security updates everywhere but misleads users with an inaccurate Android security patch level along with many inaccurate privacy and security claims. LineageOS is much better than the fork of it by /e/ and does much less to mislead users, although it still has the inaccurate Android security patch level and many people still wrongly believe they're getting patches they aren't after the OEM dropped support.

    • palata

      today at 10:04 PM

      > many people still wrongly believe they're getting patches they aren't after the OEM dropped support.

      I can confirm that I did, and was not very happy when I realised it.

• today at 10:52 AM

• SockThief

  today at 10:51 AM

  Consider this (by Graphene OS): https://discuss.grapheneos.org/d/24134-devices-lacking-stand...

  /e/OS community talking about it: https://community.e.foundation/t/article-from-grapheneos-abo...

  And then maybe this: https://eylenburg.github.io/android_comparison.htm

  Hope that helps.

  • realusername

    today at 11:05 AM

    I like GrapheneOS but they fail to understand in this post that the #1 security concern an android user face is the lack of privacy.

    Sure they have hardened everything but realistically, that's not the main threat for your average user.

    Their top contribution to android is the sandboxed Google Play, by far.

    • strcat

      today at 8:26 PM

      GrapheneOS is primarily privacy project. It keeps up with important Android updates with major privacy enhancements and very important privacy patches. It builds crucial privacy protections such as Storage Scopes, Contact Scopes, Sensors toggle and much more into the OS. Privacy depends on security so security protections and security patches are part of providing strong privacy too.

      It's a misconception that GrapheneOS is focused on security over privacy. It heavily works on privacy features and the work on security features is entirely to protect privacy. There's widespread use of commercial exploit tools and GrapheneOS is proven to provide far better real world protection against those. Most alternate operating systems reduce privacy from AOSP and massively reduce security while GrapheneOS is preserving the baseline and heavily improving both side by side.

      GrapheneOS is also very focused on usability and app compatibility, making sure to preserve those with the major privacy and security enhancements.

      • drnick1

        today at 9:47 PM

        Since you seem to be one of the developers, one thing that I wish Graphene focused on more is browser fingerprinting. This is is probably the number one threat against privacy nowadays. Vanadium is very usable, but it seems to be quite easily fingerprintable.

        • ysnp

          today at 9:59 PM

          The founder, afaik, not just a developer.

          Tor Browser seems to be a project that requires multiple full time developers. I don't think GrapheneOS have the resources right now to do this alongside their OS development, device support and app overhaul plans.

          Also please don't take this as any criticism of your suggestion, but there have been multiple 'privacy' browser projects based on Chromium for Android. It's a little frustrating that they couldn't collaborate some base like this to the open source community.

          • drnick1

            today at 10:19 PM

            > 'privacy' browser projects based on Chromium for Android

            As far as I know none of these projects have tackled the JS fingerprinting problem. The most earnest attempts seem to be Brave and Firefox with the Arkenfox user.js, but they have their own problems. The basic issue is that JS gives websites far too much control over the user's device. The JS spec should have never allowed websites control over the clipboard (e.g. to disable paste), to know if the user is active, when the mouse is being moved, etc. Since it is too late now, short of disabling JS entirely, there will be usability tradeoffs, but I think these are necessary (at least optionally) in an OS like Graphene.

      • realusername

        today at 8:42 PM

        The #1 security problem your average Android user face isn't an attack by some Israeli firm but data leaks by advertisers and unless I missed something (it's possible), GrapheneOS does not have an equivalent of ublock origin built into the OS which I'd consider step 1 of fighting the problem.

        The "ideal android" in my head would just have a dynamic ruleset to patch/nop tracking libraries as the app loads, which as far as I know, nobody does that, eOS doesn't either. Kind of like Revanced but on steroids and built into Android.

        I feel like you can't really fix android anyways, the design is just broken and if you care about security / privacy, you should just use everything in a browser or a Linux distribution.

        Sure the work GrapheneOS does is valuable but it's like removing water from a lake with a bucket.

        I feel like shielding the mess that Android is into something like an improved Waydroid with a mindset of "yeah let's keep it there and the sane stack for the rest" sounds a better approach to me.

        • ysnp

          today at 9:40 PM

          >GrapheneOS does not have an equivalent of ublock origin built into the OS which I'd consider step 1 of fighting the problem.

          Content filtering is built into the browser. GrapheneOS have always maintained that you cannot prevent an app from exfiltrating data, especially if it has internet access. Enumerating badness is an unsustainable approach they don't want to encourage. Instead they attack the heart of the issue with Storage Scopes/Contact Scopes/Network Permission/Sensors Permission etc. They allow aps to think they have full access when they do not, so you can control exactly what data they get in the first place. Maybe all of the other AOSP projects could contribute App Communication Scopes/Enhanced Clipboard Privacy and other things because this approach makes a lot of sense to me. Like preventing an illness instead of wasting energy treating symptoms.

          >The "ideal android" in my head would just have a dynamic ruleset to patch/nop tracking libraries as the app loads, which as far as I know, nobody does that, eOS doesn't either. Kind of like Revanced but on steroids and built into Android.

          Something similar was addressed some years ago as a feature request for GrapheneOS https://github.com/GrapheneOS/os-issue-tracker/issues/284. To summarise there was no way to do this without an unacceptable security cost to the OS, but this is sort of doable if you run your own userdebug build which you have the power to do.

          • strcat

            today at 9:49 PM

            > Something similar was addressed some years ago as a feature request for GrapheneOS https://github.com/GrapheneOS/os-issue-tracker/issues/284. To summarise there was no way to do this without an unacceptable security cost to the OS, but this is sort of doable if you run your own userdebug build which you have the power to do.

            It's badness enumeration which is an unworkable approach to providing strong privacy. It fundamentally can't provide it, only weak case-by-case improvements which are very fragile and trivially bypassed. It can also be done by modifying APKs instead of having a hooking framework within the OS heavily compromising security. You don't need the OS providing anything to use arbitrarily modified APKs. We also don't want to give apps a legitimate reason to ban GrapheneOS as opposed to being able to convince the tiny number of apps enforcing Google certification to allow it.

        • strcat

          today at 9:47 PM

          GrapheneOS provides greatly improved privacy including through features like Contact Scopes and Storage Scopes.

          > GrapheneOS does not have an equivalent of ublock origin built into the OS which I'd consider step 1 of fighting the problem.

          Enumerating badness by trying to list domains which are solely used for advertising, telemetry, etc. doesn't address any of the main privacy invasive behavior by apps which is done through their own services and server side contact with third parties.

          uBlock Origin has the same problems in the browser but the rules within a browser are a lot more flexible than the extreme limitations of domain-based blocking whether any useful purpose of the domain results in blocklists not being able to include it or apps would break. Domain-based filtering is also far less usable in practice and is typically not per-app either.

          RethinkDNS on GrapheneOS works far better than the domain blocklist in /e/ but it's not a strong approach to privacy and does not address much.

          Apps can easily work around it and prevent the filtering, as can the SDKs. One way is doing server-side connections and another is using DNS-over-HTTPS for DNS resolution. Facebook has fallback IPs and DNS resolution in a growing number of their apps and can do it in their SDKs too.

          Using a fundamentally unworkable approach that's increasingly becoming less useful is not how GrapheneOS approaches privacy.

          > The "ideal android" in my head would just have a dynamic ruleset to patch/nop tracking libraries as the app loads, which as far as I know, nobody does that, eOS doesn't either. Kind of like Revanced but on steroids and built into Android.

          This is another fundamentally unworkable enumerating badness approach which is not how GrapheneOS approaches privacy. GrapheneOS avoids apps getting access to sensitive data rather than trying to stop them sending it to specific places.

          > I feel like you can't really fix android anyways, the design is just broken and if you care about security / privacy, you should just use everything in a browser or a Linux distribution.

          GrapheneOS is a Linux distribution. Desktop Linux distributions have far worse privacy and security than GrapheneOS. The ports of desktop Linux distributions to mobile are largely losing even more security. That's a huge setback for privacy and security, not progress. They don't have similar privacy protections, don't have a similarly strict approach to privacy for default services and lack security to keep privacy intact. Using mostly or only open source software doesn't mean you don't need privacy and security protections. Aside from that, the open source mobile app ecosystem for Android and GrapheneOS is far better than it is for those operating systems.

          > Sure the work GrapheneOS does is valuable but it's like removing water from a lake with a bucket.

          GrapheneOS provides drastically better privacy and security than the desktop operating you think are better. It has a great open source app ecosystem available with lots of high quality apps. You're portraying it as if people must use privacy invasive apps but that's not at all the case. Plenty of desktop users are using apps like Discord where they can access the entirety of their data as opposed to GrapheneOS where it's a heavily sandboxed app with lots of user control along with prevention of coercion to get access via the scopes features we add for pretending to grant permissions while actually granting access to no files/media/contacts by default where it simply appears there are none until users explicitly opt-in to adding them.

          > I feel like shielding the mess that Android is into something like an improved Waydroid with a mindset of "yeah let's keep it there and the sane stack for the rest" sounds a better approach to me.

          Waydroid has far worse privacy and security from Android apps than running them on AOSP or especially GrapheneOS. It loses the Android app sandbox and permission model. It uses a very outdated fork of AOSP and breaks the privacy/security model through how it's implemented. It runs on top of a far less secure host OS with worse isolation for the apps inside it from the rest of the OS than exists on Android itself. Moving to a drastically less private/secure host OS while running Android apps in a much less private/secure way is hardly progress.

    • palata

      today at 11:39 AM

      I think it's more of a marketing claim from less secure systems that "privacy is not security, and GrapheneOS focuses on security while we focus on privacy".

      GrapheneOS does care about both, quite obviously. And GrapheneOS tends to say that if your security is bad, then it is affecting your privacy too. Whereas others say "sure, we break the Android security model by unlocking the bootloader and signing our system with the Google test keys, but your apps will contact Google through microG instead of the Play Services, so it's more private". Which is worth what it is worth...

      • Aachen

        today at 6:23 PM

        > I think it's more of a marketing claim from less secure systems that "privacy is not security

        I'm not sure Cyanogenmod had a marketing team that convinced me of anything when I first installed their rom in 2013 and explored my phone's capabilities with root. Accessing the sensor devices, inspecting what the different apps do, what the OS is doing, installing Xprivacy to provide fake data to tracking apps... none of that is possible on GrapheneOS, you can only use the Android APIs, same as on stock

        Am I brainwashed by marketing?!

        • palata

          today at 9:52 PM

          I am not sure what you are trying to say.

          My point is that

          1. If you care about privacy, you should care about security. If your email server is compromised and your emails leak in the public internet, then they are not private anymore.

          2. GrapheneOS does care about both security and privacy.

          > explored my phone's capabilities with root. Accessing the sensor devices, inspecting what the different apps do, what the OS is doing, installing Xprivacy to provide fake data to tracking apps... none of that is possible on GrapheneOS

          I think you're talking about something like "freedom", here. GrapheneOS doesn't claim to give you the freedom to do whatever you want. In fact, part of the Android security model is to limit your freedom.

          Which is not to say that you should not want the freedom to have root access on your phone. But if that's what you want, GrapheneOS is probably not it.

      • ForHackernews

        today at 1:55 PM

        This is only my opinion, but GrapheneOS's approach to privacy seems obtuse to me. They will claim that an unlocked bootloader is a risk, but then turn around and recommend you install proprietary apps GApps in their sandbox. The sandbox doesn't matter if all the private data is in the same sandbox!

        Reminds me of https://xkcd.com/1200/

        • palata

          today at 2:46 PM

          Feels like you don't know what "the sandbox" is. It's not "their" sandbox, it's from AOSP.

          When you run an app on Android, it runs in a sandbox. Meaning that your social media app cannot access the files of your banking app by default. They are "sandboxed".

          On a normal Android, the Play Services are installed as a system app. It is privileged app that has "system" access. A system app is not sandboxed.

          GrapheneOS allows you to install the Play Services and the Play Store as "sandboxed" apps in that they run unprivileged, just like WhatsApp or TikTok or your banking app.

          So running the proprietary Google apps in the sandbox is obviously more private than running them as system apps, wouldn't you say?

          • ForHackernews

            today at 3:08 PM

            If the Tiktok app passes your data to Play Services (say, to support notifications with GCM) then it doesn't make any difference that Play Services is nominally "sandboxed".

            I agree there's some marginal benefit that sandboxed GApps need to prompt the user for permissions (rather than having privileged system level access) but at the end of the day, Google Maps will get GPS perms and Google will know everywhere your phone goes.

            • palata

              today at 3:19 PM

              > If the Tiktok app passes your data to Play Services (say, to support notifications with GCM) then it doesn't make any difference that Play Services is nominally "sandboxed".

              Sure, but that's the same if you run TikTok with microG (which will relay your data to the Google servers just like the Play Services) or in waydroid on a Mobile Linux. But you can't blame the system for what the apps are allowed to do by the user.

              Take your Google Maps example: if the user wants to run Google Maps, obviously they will be sharing data with Google. It's very weird to blame the system for that.

              What the sandbox brings is that for users who want to run the Play Services (because they want to run TikTok, knowing that it will share data with some servers, including but not limited to the Google servers through the Play Services), then at least the Play Services are not root on their OS. So then instead of running microG, you can run the Play Services and have the same kind of benefits.

              Now if you don't want your apps to contact Google, then by all means, don't install the Play Services! But don't install microG either! And don't install Google Maps!

              It's all about trade-offs, it's not an all or nothing situation. Sandboxed Play Services is better than privileged Play Services.

              • ForHackernews

                today at 4:06 PM

                I agree it's about trade-offs. I think MicroG - which provides dummy no-op implementations of Google Play tracking APIs, and allows you to select alternative Location Providers and notification backends - is a better option than running first-party Google software.

                You're of course correct that we can't blame the system for choices made by users, but I do think GOS lulls users into complacency by focusing on the security angle only and encouraging users to install sandboxed GApps: https://grapheneos.org/usage#sandboxed-google-play

                • ysnp

                  today at 9:50 PM

                  >GOS lulls users into complacency by focusing on the security angle only and encouraging users to install sandboxed GApps: https://grapheneos.org/usage#sandboxed-google-play

                  Sandboxed-Google-Play is not encouraged or promoted. It is suggested if you need apps only accessible via Google Play or needing Google services purely because it provides the maximum compatibility. GrapheneOS have always said that Android's strnegth is a large wealth of open source apps (many of which do not need Google). If more everyday apps (media streaming, taxi, food delivery & rewards, banking, government, social media) did not depend on Google, GrapheneOS would not spend the time, resources and effort that they have on sandboxed-google-play.

                • palata

                  today at 4:18 PM

                  > I think MicroG - which provides dummy no-op implementations of Google Play tracking APIs, and allows you to select alternative Location Providers and notification backends - is a better option than running first-party Google software.

                  microG still forwards the requests to the Google servers. Not sure what you mean by "tracking APIs"? microG is a reverse-engineered, open source implementation of a subset of Play Services, right? It's not obviously a better option: for instance, some things that are supported in Play Services are not supported in microG, and microG sometimes breaks (because of changes in the API).

                  > allows you to select alternative Location Providers

                  GOS does that, too.

                  > I do think GOS lulls users into complacency by focusing on the security angle only and encouraging users to install sandboxed GApps

                  I don't get that. It does not encourage them to install Play Services, it makes it available. Because for many (most?) users, it is important to have it.

                  I am not sure what you are trying to say: is your opinion that there is no point in using an alternative OS (like GOS, /e/OS, LineageOS, IodeOS, ...) or are you trying to say that GOS is not the most secure/private alternative OS?

                  • ForHackernews

                    today at 5:55 PM

                    I'm trying to say the same thing I said up at the top: GOS's approach to privacy is obtuse. They deliberately conflate security with privacy (you even write "secure/private" as though they're the same thing) in a way that does a disservice to users.

                    My opinion is that GOS is very successful at its own stated goal of having an extremely secure mobile OS that rolls out patch updates quickly. I think it's far less successful at protecting user privacy because — as you even admit, many/most of them will find their phones unusable with vanilla GOS and immediately follow the GOS user guide to install Google Play and help them securely upload their personal data to the world's biggest adtech firm.

                    I think iodéOS and /e/OS are more in line with what I want from a mobile OS.

                    • palata

                      today at 9:58 PM

                      > as you even admit, many/most of them will find their phones unusable with vanilla GOS and immediately follow the GOS user guide to install Google Play

                      I installed the Play Services right away, just like I installed microG right away on a LineageOS system (I don't know about iodeOS, but /e/OS comes with microG by default). In terms of privacy, I don't think it is very different: microG is an open source implementation of the Play Services, that also contacts the Google servers. Many will use something like the Aurora store, which is a client for the Play Store. Etc.

                      GrapheneOS has proxies, e.g. for the location service. They are doing a lot for privacy, that's very clear.

                      > I think iodéOS and /e/OS are more in line with what I want from a mobile OS.

                      And that's your right. I think that GrapheneOS is more secure, and not less private than those. Actually in my experience with /e/OS, it was less secure than Stock Android (though more private, admittedly).

        • gf000

          today at 2:39 PM

          They recommend you install google play services if you need it. Privacy is in no small part a user-decision - no matter how secure your device is if you just scroll Facebook all day.

    • gf000

      today at 11:14 AM

      privacy != security.

      And sandboxed Google Play services serve both goals -- it runs the service as a regular android service, not an exceptional one that has a bunch of extra permissions. So you can allow/restrict it as you seem fit, while not "getting behind" on features/apps that mandate it.

      • strcat

        today at 8:30 PM

        GrapheneOS provides major privacy enhancements including Contact Scopes, Storage Scopes, Sensors toggle, per-connection Wi-Fi privacy via per-connection DHCP state + MAC randomization and far more. It's a privacy project and privacy depends on security so it heavily focuses on protecting against exploitation of privacy and security vulnerabilities too. Privacy and security are not separate things from each other but rather closely tied together and our work is on both for the sake of improving privacy. Our only reason to work on security features is protecting privacy.

      • realusername

        today at 11:19 AM

        I disagree, privacy is an essential part of security, if there's no privacy, then there's no security.

        That's also why I don't keep anything important on my phone as I don't trust what's going on there despite having all the secure features that you would want.

        • scheeseman486

          today at 11:36 AM

          Other way around, actually. It's possible to make concessions to privacy, like providing crash reports, or running applications in sandboxes which limits what they can harvest, while keeping the platform secure.

          Any privacy you have on a system is reliant on no one tampering with that system and on software behaving itself. Without security, you can't trust the system to implement any privacy.

          • realusername

            today at 11:40 AM

            I also disagree with that, I trust my Linux distribution to behave well much more than I trust any Android platform and it doesn't even have much app sandboxing at all.

            You can't fix a lack of trust like you have in Android with technical solutions. The flaw in Android is fundamentally a social problem.

            • strcat

              today at 8:34 PM

              There's a massive open source app ecosystem for Android which is far larger than the subset available in F-Droid. Open source does not imply private or trustworthy. Completely trusting applications with access to all your data with no insight in to what they're accessing or sending to services means you wouldn't know if your privacy is being violating anyway.

              • drnick1

                today at 9:54 PM

                The (desktop) Linux security model is different. You trust the distro maintainers in the same way you trust the GOS devs, and instead of "app sandboxing" you use user accounts, containers or VMs to protect personal information. The Android security model makes sense in the context of laypeople using mostly commercial malware on the stock OS however.

            • scheeseman486

              today at 11:49 AM

              That reads more as sports team flag wavey thoughts and feelings trust than anything actually backed by objective data.

              • realusername

                today at 11:57 AM

                That's the difference between trusted computing (Linux distribution) and untrusted computing (Android).

                If you want something backed by objective data, my phone has an advertising ID built in the OS and my laptop doesn't. My phone had 100s of privacy scandals and my laptop doesn't have one.

                I do applaud GrapheneOS don't get me wrong but I have a feeling that they are fighting a losing battle.

                • strcat

                  today at 8:32 PM

                  There's a huge open source app ecosystem available for Android. The distinction you're trying to draw is inaccurate. Open source apps also very open do privacy invasive things. On Android, people can see that many open source privacy even including Signal include dark patterns such as repeatedly asking for access to contacts when it works without it. On a desktop OS, the apps and services will simply have access to nearly everything by default so you aren't aware of it happening for the most part.

                  GrapheneOS provides far better privacy and security than a desktop OS. There's no such thing as an advertising ID built into GrapheneOS so it's a strange thing to bring up. There are plenty of privacy invasive things built into desktop operating systems and applications, including open source ones. They nearly entirely lack the ability to protect against apps and services being privacy invasive in the first place. They also have far weaker protection against exploitation.

                • Aachen

                  today at 6:27 PM

                  What advertising ID is built into the OS?

                  • realusername

                    today at 8:33 PM

                    See https://support.google.com/googleplay/android-developer/answ... for Android and https://developer.apple.com/documentation/adsupport/asidenti... for iOS

    • MaroonBear

      today at 9:28 PM

      [dead]

• noirscape

  today at 11:10 AM

  GOS creates a complete bunker of a phone that can provide defense against pretty much all but the most dedicated state level actors. If you're worried that someone would steal your phone specifically to target you, Graphene will protect against that. Securitywise it's hard to argue against them, although GOS tends to sacrifice usability in favor of security, which leads to odd decisions. Their device depreciation timeline is also pretty aggressive and really just matches that of the Pixel. (You're also buying the Google phone... to not want Google in your life; this bizarre paradox will always be strange). It's not exactly a recommendation for long-term support. Worth noting however is that usage of GOS is also seen as a signal in and of itself for the authorities that you may have something unsavory to hide, so using it stands out in that regard; some law enforcement officers (I think it was in Spain?) have said that the OS is popular with organized crime. GOS obviously denies the connection and they're probably honest in that the OS isn't deliberately designed for criminals, but it's worth noting at the very least. (Basically GOS is the paradox where someone trying their hardest to be anonymous ends up standing out way too much from the crowd and drawing attention to themselves.)

  /e/OS (and similar "non-LineageOS" ROMs really) instead focus more on de-Googling. They're still generally security focused, but the priority is less "someone's after you" and more "corporate surveillance is kinda scary innit". The aim is less to avoid someone actively trying to drain your phone of data and more to prevent your phone from passively sending everything it can possibly find to the Big G's ad machine (as well as whatever other trackers get snuck into apps.) Because of this, they usually have better depreciation timelines and support a lot more devices compared to GOS who only support the Pixel line (which is an increasingly awful set of phones truth be told); their scope is much smaller.

  Finally, it's worth noting that the GOS community is absurdly toxic to anyone doing anything privacy-related that isn't under the banner of GOS. It's extremely maximalist, tends to get very upset at other projects whenever they get attention (see sibling reply to this, where they pretty much melted down because an outlet dared to recommend a Fair phone+/e/OS) and the projects official channels have generally encouraged this sort of behavior. It doesn't really damage the software itself, but it's worth considering.

  • palata

    today at 11:28 AM

    I have been a user of /e/OS for 5 years, and also of GOS and would like to share my opinion on this:

    > it's worth noting that the GOS community is absurdly toxic to anyone doing anything privacy-related that isn't under the banner of GOS

    What I have seen (and I am not involved in any of those projects) is that GOS does care a lot about security, has a higher quality in that regard than anything else, and tends to be blunt about "inferior" projects communicating about security.

    Not that they couldn't improve their communication style, but usually when they call out technical limitations of other projects (e.g. /e/OS), they are right. And I mean the technical arguments. Then I have seen a bunch of drama, but to be fair I have seen those other communities show toxic behaviour towards GOS just as much as the opposite.

    It feels like it is GOS vs "the others", because the others don't criticise each other, and GOS bluntly criticises when they see claims they find are wrong (I have seen claims by /e/OS going from misleading to downright wrong).

    On my particular phone, after 5 years with /e/OS, the Fairphone updates were outdated by 4 years. In terms of security I would have been better with the Stock Android. It depends on the phone of course, because /e/OS tends to claim that they support everything and they just can't. Even on a phone that /e/OS supports well, GrapheneOS is superior, period.

    But I agree, I could do without all the drama. I guess my point is that it goes both ways.

    • Aachen

      today at 6:15 PM

      I'm also not involved with any mobile privacy/security project, unless OpenStreetMap data and self-hosting can be said to be such

      > GOS does care a lot about security, has a higher quality in that regard than anything else, and tends to be blunt about "inferior" projects communicating about security.

      Two remarks:

      - There's a difference between "blunt" and hostile or misleading. GOS (owners) are often the latter two from what I read, where by misleading I mean distorting reality about whom you should be protecting from and recommending you should never use anything else to reach your goals (as opposed to GOS' goals)

      - They also reply when privacy comes up in other projects, not just security, but they treat it as though it's essential for privacy. Not everyone is running from an intelligence agency or cellebrite border checkpoints, some people just want a phone with as many open components as possible or want to lie to Facebook about which contacts are on their device. You don't need a locked bootloader and be prevented from accessing your own data for that (can't access /data on your own device on any official GrapheneOS build; which is fine if that's what you want, but not everyone's goals are the same)

      • ysnp

        today at 9:08 PM

        >Not everyone is running from an intelligence agency or cellebrite border checkpoints

        OK, but would it be such a bad thing if most people's personal devices were pretty damn resilient to mercenary spyware by default? I really don't think the standards GrapheneOS are aspiring to are the problem with this picture.

    • lejalv

      today at 11:36 AM

      /e/OS/ was bad with updates for a long time (I had to switch 2022). IodéOS is very good at it, in my experience (I have used all three)

      • strcat

        today at 8:25 PM

        iodéOS lags far behind on Android, Linux kernel, browser engine and other updates too. It's much less behind than /e/ and misleads users less but they still do. They set an inaccurate Android security patch level which misleads users just as /e/ does.

      • palata

        today at 11:42 AM

        > /e/OS/ was bad with updates for a long time (I had to switch 2022).

        In my case, it was a few months ago, so end of 2025.

        I think it's just that they can't possibly support thousands of Android devices. I just don't like that they are not being very clear about it. You would think that buying a phone through Murena would guarantee some kind of support, but it actually doesn't.

    • strcat

      today at 8:23 PM

      The founder and CEO of /e/ and Murena openly spreads content from Kiwi Farms and neo-nazi sites. He directly engages in harassment towards the GrapheneOS team. Here's him supporting authoritarians smearing GrapheneOS by replying to threads about it linking to harassment content based on fabrications on a neo-nazi conspiracy site:

      https://archive.is/SWXPJ https://archive.is/n4yTO

      The communities of several projects including /e/ have heavily engaged in spreading misinformation about GrapheneOS including fabricated stories about our team. They've even taken it to the point of repeated swatting attacks aimed at killing our team members. There are relentless raids on the GrapheneOS community platforms including our chat rooms where Child Sex Abuse Material, gore and endless harassment towards our team members including fabricated stories and harassment content from Kiwi Farms and elsewhere is posted.

    • zwarag

      today at 2:53 PM

      I guess on /e/OS you can just run Google Maps in a browser if you really want Google Maps features (like searching for a restaurant). Organicmaps works fine if you just need to get from A to B. It does lack live traffic, but you'll have to live with fewer features if you really want to not use Google for most stuff.

      • palata

        today at 4:19 PM

        > Organicmaps

        I would suggest having a look at CoMaps, a recent fork of OrganicMaps :-).

  • strcat

    today at 8:23 PM

    It's a misconception that GrapheneOS is focused on security over everything else. It's a privacy project and privacy depends on security so it heavily focuses on both. It also provides major privacy improvements on a technical level rather than only avoiding privacy invasive apps and services. Privacy involves a lot more than which apps and services are bundled with the OS, contrary to how most supposedly private phone options are marketed.

    > Securitywise it's hard to argue against them, although GOS tends to sacrifice usability in favor of security, which leads to odd decisions.

    GrapheneOS doesn't make any major usability sacrifices for security. Privacy or security features with usability compromises are either opt-in or opt-out.

    > Worth noting however is that usage of GOS is also seen as a signal in and of itself for the authorities that you may have something unsavory to hide

    GrapheneOS is far more widely used than most alternate mobile operating systems and there's a lack of basis to claim that it's widely seen in the way you're describing in a way that other operating systems are not. In fact, they're largely conflating other operating systems with GrapheneOS because it's the most widely talked about and known about. They're calling devices GrapheneOS devices which aren't running it. In many cases it's not even a fork of it.

    > have said that the OS is popular with organized crime

    This is completely unsubstantiated and not evidence has ever been provided. On the other hand, it's known that law enforcement in Europe has widely sold devices to organized crime which they marketed by claiming they were based on GrapheneOS:

    https://darknetdiaries.com/episode/146/

    Using portions of our code doesn't make something GrapheneOS and marketing is also a different thing than reality. Most of what's claimed to be GrapheneOS in this context is not GrapheneOS but rather trademark infringement by forks or even non-forks.

    > /e/OS (and similar "non-LineageOS" ROMs really) instead focus more on de-Googling.

    Nope, /e/ always connects to multiple Google services regardless of configuration and gives highly privileged access to them. GrapheneOS doesn't connect to Google servers by default and avoids giving privileged access to installed Google apps via our sandboxed Google Play compatibility layer.

    > They're still generally security focused.

    No, that's definitely not the case. /e/ has absolutely atrocious security and fails to provide even basic security patches and protections. This is also part of why it provides poor privacy due to lagging far behind on privacy patches in addition to security patches along with being missing important standard Android privacy and security protections due to being far behind and not having it all set up. /e/ doesn't provide comparable privacy features to GrapheneOS Storage Scopes, Contact Scopes, Sensors toggle and far more not only the security features. /e/ isn't just not a security hardened OS, it's also not a privacy hardened OS. LineageOS has better privacy and security than /e/. AOSP has better privacy and security than LineageOS.

    > Because of this, they usually have better depreciation timelines

    /e/ doesn't provide proper updates for any devices. Many of the devices they support aren't getting driver and firmware updates from them even when they're available. They lag far behind on kernel, Android, Chromium (including WebView) and other updates too. They support many devices without kernel, driver and firmware updates available but they're usually way behind even when they are. /e/ simply doesn't care about providing basic privacy and security so they continue having people buy and use highly non-private and insecure devices lacking basic patches.

    > Finally, it's worth noting that the GOS community is absurdly toxic to anyone doing anything privacy-related that isn't under the banner of GOS. It's extremely maximalist, tends to get very upset at other projects whenever they get attention (see sibling reply to this, where they pretty much melted down because an outlet dared to recommend a Fair phone+/e/OS) and the projects official channels have generally encouraged this sort of behavior. It doesn't really damage the software itself, but it's worth considering.

    No, completely backwards. The massive amount of false marketing, misinformation and harassment engaged in by the /e/ project and community is what's toxic. The founder and CEO of /e/ and Murena openly spreads content from Kiwi Farms and neo-nazi sites. He directly engages in harassment towards the GrapheneOS team. Here's him supporting authoritarians smearing GrapheneOS by replying to threads about it linking to harassment content based on fabrications on a neo-nazi conspiracy site:

    https://archive.is/SWXPJ https://archive.is/n4yTO

    The communities of several projects including /e/ have heavily engaged in spreading misinformation about GrapheneOS including fabricated stories about our team. They've even taken it to the point of repeated swatting attacks aimed at killing our team members. There are relentless raids on the GrapheneOS community platforms including our chat rooms where Child Sex Abuse Material, gore and endless harassment towards our team members including fabricated stories and harassment content from Kiwi Farms and elsewhere is posted.

    People should review https://eylenburg.github.io/android_comparison.htm which is a third party maintained comparison between AOSP-based operating systems which addresses many of the misconceptions you have about how GrapheneOS compares to AOSP, /e/ and other operating systems. You're not at all correct about what's provided by /e/ which fails to keep up with basic updates or provide the standard protections.

    We can provide large amounts of further examples of the founder and CEO of /e/ and Murena participating in this harassment.

    The attacks towards us including your libelous claims about us here are what's absurdly toxic.

    > It's extremely maximalist

    It isn't but rather is very pragmatic and focused on usability, robustness and compatibility alongside the major focus on privacy. The focus on security is to protect privacy because it depends on it.

  • MaroonBear

    today at 9:36 PM

    [dead]

• strcat

  today at 7:44 PM

  GrapheneOS is a privacy and security hardened OS. It preserves the standard privacy and security of the Android Open Source Project (AOSP) along with keeping up with the updates. It builds major privacy and security improvements on top of that. /e/ is the direct opposite and reduces privacy and especially security compared to AOSP. /e/ doesn't keep up with updates, has huge delays for important privacy and security patches along with reducing privacy and especially security in many other ways. GrapheneOS is a much more widely used OS with much more testing and provides much broader app compatibility. Unlike /e/, GrapheneOS only connects to GrapheneOS services by default and provides a high level of control over it. /e/ still uses a bunch of Google services by default and gives extensive privilege access to Google apps/services. Our approach is that Google apps/services are an optional thing people can install which do not receive any special access and can't do more than other regular apps since they're installed as regular sandboxed apps on GrapheneOS via our Sandboxed Google Play compatibility layer.

  A common misconception is that people believe GrapheneOS is less usable than much less private and far less secure options but it's the other way around. GrapheneOS provides nearly perfect app compatibility when taking into account the per-app exploit protection compatibility toggle and sandboxed Google Play. Nearly the only apps not working on GrapheneOS are ones banning any alternate OS and a larger number of those work on GrapheneOS than elsewhere due to a subset specifically permitting GrapheneOS due to far higher rather than weaker security. Apps have legitimate reasons for being concerned about the poor security of many alternate operating systems but they're wrongly grouping it all together as if GrapheneOS.

  /e/ lags weeks, months and even years behind on providing updates for drivers, firmware, the Linux kernel and more. They miss a large portion of the monthly Android security bulletins which are a limited subset of the patches in the first place but then claim to provide the latest patch level despite many of the required patches being missing.

  /e/ has a supposedly private speech-to-text sends data to OpenAI and their own servers without obtaining explicit user consent to share sensitive data with a third party.

  https://community.e.foundation/t/voice-to-text-feature-using...

  They say the data is anonymized based on passing it through their own servers before OpenAI but OpenAI is receiving all of the user speech data under their usual terms of service enabling them to store and leverage it.

  Fairphone lags significantly behind on OS updates and patches with only a small subset of what should be provided being shipped. Their hardware omits important security protections required by GrapheneOS which it uses to protect users against widespread commercial exploit tools. Fairphone doesn't provide upstream Linux kernel updates in practice which is a massive omission for their updates. Fairphone 4 has an end-of-life 4.19 kernel branch and the Fairphone 5 despite not being very old already has an end-of-life 5.4 kernel branch. Neither was providing the LTS revisions prior to end-of-life so from their perspective nothing really changed but it means it's a huge task for an alternative OS to provide basic updates since they'd need to port everything to a newer kernel branch.

  /e/ does not provide similar privacy features to GrapheneOS such as Contact Scopes, Storage Scopes, Sensors toggle and much more. It focuses on bundling things which can be provided with apps such as RethinkDNS on GrapheneOS with a higher quality implementation. GrapheneOS delegates as much as it can to apps while focused on the core OS. If a feature can be done better with an open source app, we'd rather leave it up to that app and many provide privacy and security protections which apps cannot. For the most part, apps can't improve OS privacy and security. Enumerating badness via blocklists which cannot block anything that's dual purpose functionality is also a very weak approach to privacy which is increasingly less useful. The most privacy invasive behavior of apps is nearly all done through their own services which also provide their functionality. Among other things, /e/ uses this system for labeling app tracking and permissions which is incorrect and misleading as shown by this example:

  https://reports.exodus-privacy.eu.org/en/reports/com.faceboo...

  Facebook clearly doesn't have no tracking but rather this system only detects a small number of specific third party libraries they've decided are trackers. Those choices are often very questionable such as portraying even opt-in crash reporting as tracking because it used a third party library on their list. Meanwhile, Facebook's lite app supposedly has no trackers. The permissions list is thoroughly inaccurate and not how Android permissions work. The core permissions are opt-in with apps having to request them so listing those as if they're granted on install and mandatory due to being possible to grant is incorrect. Most of the rest have special access toggles which are opt-in for the sensitive ones or other toggles such as the battery optimization mode where Restricted stops apps starting themselves and delays those things until it's run by another app or the user.

  Privacy requires providing privacy patches and strong privacy protections. It also depends on security which means providing security patches and strong security protections. GrapheneOS is heavily focused on all of that rather than simply treating not having bundled Google apps and services as meaning a private OS. There are also worse things for privacy than Google apps and services. /e/ sending speech data to OpenAI vs. Apple doing the processing locally as we've it implemented for GrapheneOS is a good example. Google at least has partial local speech-to-text support and a better privacy policy than OpenAI for the cloud portion. Avoiding Google apps/services is not the same thing as providing strong privacy.

• ForHackernews

  today at 1:49 PM

  The main difference is that GrapheneOS prioritizes security hardening first and foremost (above usability or compatibility). /e/OS focuses on privacy (i.e. reducing data leakage to adtech) and usability over security.

  To put it concretely, GrapheneOS recommends running all the proprietary Google apps in a locked "sandbox" so they can't read data on the phone outside the sandbox -- but obviously Google still gets to see everything you do in their apps. /e/OS tries to provide [largely but not entirely FLOSS] alternatives (e.g. their own Maps app, their own email, their own calendar) that make your phone usable out of the box without Google software.

  • gf000

    today at 2:48 PM

    > but obviously Google still gets to see everything you do in their apps

    Well, the actually scary part of google services is that they have this quasi-elevated access in your phone where it can do a lot of stuff ordinary android services just can't do. E.g. google maps' location sharing works this way (but don't quote me on that).

    GrapheneOS managed to "put it back into the bottle", and it runs as a regular android service anyone could write, with the same rules applying. So you have much more control on what you allow it, and this will also limit what data apps relying on google services can leak about you.

  • MaroonBear

    today at 9:43 PM

    [dead]

  • jeffbee

    today at 4:13 PM

    > security hardening first and foremost (above usability or compatibility).

    Right. Something that GrapheneOS boosters often fail to mention. It's not like those guys at Google are just idiots and don't know how to make a hardened allocator. Android uses a different hardened allocator that is much, much faster and uses less space. GrapheneOS is slower and uses more memory.

    • Aachen

      today at 6:31 PM

      I assume this is all technically correct, but in practice I've not noticed any speed difference between stock Pixel and GrapheneOS. Maybe their Vanadium browser when tab switching, that feels slow, but I wasn't planning on being part of the Chromium monoculture anyway so this doesn't matter to me

      • jeffbee

        today at 6:39 PM

        That's great and, of course, only your experience matters to the choice of which OS you use. I just don't want people to get the impression there are no tradeoffs.

        Another tradeoff GrapheneOS makes is because of the way they configure the USB port makes it more possible that you will irreversibly brick your phone by accident. You could say that the USB management is the only really material difference between Android and GrapheneOS when it comes to a law enforcement search threat model, but that also comes with a tradeoff.

        • ysnp

          today at 8:52 PM

          I just want to note that I believe the default setting is that data is disabled for the USB port when the phone is locked except after a reboot (before unlocking the phone for the first time), so if you break your screen you have the option to use the keyboard if you reboot the phone.

        • Aachen

          today at 7:06 PM

          Not sure if I'm understanding you right, but I wasn't saying that my experience is the only one that matters. Just that it's not a thing one notices in practice, at least not under conditions I've experienced (I figure a reader can fill in that last bit for a comment written in the first person). Saying AOSP's is "much, much faster" suggests it would be noticeable and afaik it's not (at human timescales), so I wanted to add that info to the thread

          Good point about the USB thing btw. It's obvious to me and the reason why I go one step further and leave USB debugging always enabled now that there's this private key authorisation method anyway (it asks for computers whose key it doesn't yet trust), but indeed a lot of users might follow GrapheneOS' advice without realising

• lawn

  today at 10:53 AM

  Read this:

  https://eylenburg.github.io/android_comparison.htm

  In short, GrapheneOS is vastly superior.

  • Aachen

    today at 6:33 PM

    Read the rest of the thread here. The blanket statement is a bit short-sighted (some people might even say 'vastly')

As a long time iOS user, I now mainly run Graphene + GadgetBridge with a helio strap. Pretty nice and private setup.

My running watch is from a chinese company that I do not trust, so I lock down the permissions quite far. I like that Graphene lets me control the network permission and have offline maps that cannot report anything external.

Overall the most annoying thing is not being able to iMessage... I moved who I could over to signal.

Also the battery life is amazing because I keept restricting apps from background usage and the defaults already do a good job of that

"Break free from Google ..." by purchasing Google hardware and using [software "based on"] Google software

Is it really "breaking free" from a company if the method of "breaking free" requires continued cooperation from the company

This is not to suggest using a modified version of Android isn't useful. This comment is not about GrapheneOS. (But there will be HN replies that will try to redirect focus to it anyway.) This comment is about claiming it's possible to "break free" from something while still remaining inextricably tied to it

In addition to using a custom ROM, there are methods of stopping the Pixel's attempts to "phone home" to the company that work even with the version of Android pre-installed by the company intact. However if a method requires software, e.g., drivers, or is "based on" software controlled by the company, then ultimately the company holds the cards. IMHO, this is not what it means to "break free"

Perhaps the most reliable method of stopping these connections to the company is one that does not rely on cooperation by the company. This is because if the company decides to stop cooperating, the method still works

• Refreeze5224

  today at 8:20 PM

  Your "perfect" is a massive enemy of the "good" that is GrapheneOS compared to using stock Android.

• timbit42

  today at 8:18 PM

  They are working with a partner to create their own hardware to run GrapheneOS on.

FYI: Google Fi + GrapheneOS doesn't work. My son recently tried setting up GrapheneOS and got everything working but couldn't get connected to Google Fi to work, even with a SIM card.

"Break Free from Android and iOS" looks inside - Android

• mft_

  today at 10:47 AM

  It should probably be "break free from Google and Apple"?

  • g947o

    today at 11:54 AM

    As long as it is based on AOSP, it is at the mercy of Google to release source code and updates. Given recent trends, I wouldn't be surprised if Google stops shipping Android source completely.

  • to3k

    today at 10:50 AM

    You are right! I will change the title :)

  • mvanbaak

    today at 1:37 PM

    how will it help you to break free from apple if it only supports pixel phones?

    • timbit42

      today at 8:14 PM

      They are working on making their own phone hardware.

    • mft_

      today at 2:22 PM

      One reason that people use Apple phones is they are seen as a less privacy-invasive option than Android/Google.

      So it would follow that a valid privacy-respecting third option would potentially help Apple customers as well as Google customers.

  • goodpoint

    today at 4:17 PM

    ...on a google phone.

    • timbit42

      today at 8:16 PM

      They are working with a partner to provide their own hardware.

• palata

  today at 11:45 AM

  GrapheneOS is not Android. It's AOSP-based.

  • seba_dos1

    today at 12:46 PM

    You may be surprised to learn what that "A" stands for.

    • palata

      today at 1:16 PM

      You may be surprised to realise that you actually don't understand the difference between AOSP and Android :-). See https://news.ycombinator.com/item?id=47047167

      • Aachen

        today at 6:39 PM

        I would love if there were a different OS name to designate "Android phones with Google Services snooping in the background" but with the Android Open Source Project being called what it is, I fear "Android" will continue to be understood as a word for either variant

        • palata

          today at 9:41 PM

          > I fear "Android" will continue to be understood as a word for either variant

          Well, "Android" generally means either variant. I run GrapheneOS and I call it Android. If someone asks, I say I run Android, not GrapheneOS. Actually in terms of experience, it is Android to me.

          But in a context where we oppose GrapheneOS to Android, then I think it's important to be clear. GrapheneOS belongs to the family of OSes that are based on AOSP (like Android, LineageOS, IodeOS, /e/OS, CalyxOS), while Android is itself a "subfamily" of that, including the Google Android, the Samsung Android, the Xiaomi Android, etc.

          In a way, I personally feel like GrapheneOS is closer to Google Android than the Samsung Android is from the Google Android, if that makes sense. Moving from GrapheneOS to Google Android, I really don't see significant differences. Now Moving to a Samsung Android, I need to adapt a little.

          All that to say, I really only make a difference when we are talking about AOSP-based systems as a distinct group, by opposition to "Android certified" systems. Just like it sometimes make sense to talk about GNU/Linux in specific conversations, but generally, we refer to a Linux distribution as "Linux".

      • seba_dos1

        today at 5:51 PM

        It's not necessary to spam the comments with your personal reinterpretations of widely known project names that don't match how these names are actually being used. If you really feel the need to be wrong on the Internet at least try to not repeat yourself.

The list of open source apps in this article was very informative and something you can benefit from even if you don't use GrapheneOS. Many of the apps listed I hadn't heard of.

Does anyone have an answer to the problem of an OS for a laptop? I'm thinking about strong security here, less so about privacy (which is doable, for example via a Linux distribution).

Switched to this from Apple a year and a half ago. Works for most things. Unexpectedly, replacement apps lack polish. Also, RCS works very inconsistently (been without it for months), seems to be Google's fault. There may be workarounds, but I haven't had the energy to try the more complicated suggestions.

I am probably going to switch back to a used old iPhone for "phone appliance" tasks, but keep around the Pixel for other things.

My main takeaway from the experience is that iMessage is an even bigger weapon than I thought.

• drnick1

  today at 9:28 PM

  > Also, RCS works very inconsistently (been without it for months), seems to be Google's fault.

  The best thing would be to switch to Signal (Molly) for texting.

• microtonal

  today at 3:39 PM

  Are you in the US? I get the impression that iMessage and RCS are only big there. Almost nobody uses them here in Europe. (It's mostly WhatsApp where I live and Signal is slowly getting more popular.)

  As an aside, from the latest release notes: Sandboxed Google Play compatibility layer: add toggle for granting Play services access to ICC auth in order to support RCS with carriers requiring it for RCS in Google Messages including T-Mobile (see RCS usage guide)

  https://grapheneos.org/releases#2026021200

  https://grapheneos.org/usage#rcs

• empyrrhicist

  today at 3:23 PM

  The RCS issue is why I switched back to iPhone, reluctantly.

  If anything, iOS seems buggier and less reliable, but I know (and am related to) a lot of people who insist on using iMessage/RCS, and I can't be missing messages.

How is it a break from google/appple if the only supported devices are Pixels? I can't use my sony or other vendors hardware at all.

Are there valid reasons to only support pixels?

• strcat

  today at 9:34 PM

  Pixels are the only devices providing the required updates and security features. These requirements are listed here:

  https://grapheneos.org/faq#future-devices

  GrapheneOS is partnered with a major Android OEM working on improving their future devices to meet our requirements. The first devices with official GrapheneOS support from them are planned for 2027. It takes time and resources to make reasonably secure devices. Future generations can improve further including adding hardware-based privacy/security protections unavailable on Pixels.

• gf000

  today at 11:17 AM

  They are the only Android phones that have the proper security primitives to build a secure OS on top.

  • jsheard

    today at 11:27 AM

    Also, they are working on bringing a non-Pixel alternative to market:

    https://www.androidauthority.com/graphene-os-major-android-o...

It's not breaking free from Google, but pretending it does not affect you. You are still at mercy of app developers and Google which may introduce some changes that will affect you. Additionally you never know what will work or stop working.

• Tepix

  today at 12:18 PM

  If something truly unacceptable happens, you still have a while to switch to something else, in the meantime you will still have a working system.

• _heimdall

  today at 12:14 PM

  That's pretty unavoidable at that level unless you are able and willing to build your own phone hardware, OS, and all the apps you need.

  • timbit42

    today at 8:20 PM

    They are working with a partner to create their one phone hardware.

What about device attestation? Will you be able to run banking apps and Netflix et. al.?

For me the biggest concern is that while you may be able to use and run your own device, you will be locked out of most propietary services. Much like how more and more websites simply don't work with Firefox anymore.

• drnick1

  today at 9:33 PM

  > For me the biggest concern is that while you may be able to use and run your own device, you will be locked out of most propietary services.

  Although this is not the case, moving away from proprietary services (and self-hosting your own) is an important goal in itself. See for instance the recent controversy regarding Discord's age verification.

• galangalalgol

  today at 11:08 AM

  I only use Firefox. It has been years since I ran into a chrome only website. Though recently I ran into an edge only websit on my corporate network, not even sure how that happens.

• buzzwords

  today at 10:52 AM

  This might be one of those things were if there is big enough user base, companies will start to take it seriously.

  • strcat

    today at 9:35 PM

    Nearly all non-banking apps work with very few exceptions. A large majority of banking apps work. A growing number of banking apps were adding checks for Google certification but now a growing number of those are explicitly allowing GrapheneOS via the Android hardware-based attestation system it supports which can be used to verify the hardware, OS and app with an alternate OS or non-Google-certified hardware if it adds the hardware support for it.

• domh

  today at 12:37 PM

  Here's a community maintained list of apps and whether or not they work:

  https://privsec.dev/posts/android/banking-applications-compa...

  This is linked to from the Banking Apps section on GrapheneOS docs: https://grapheneos.org/usage#banking-apps

  Sample size of 1: my UK banking apps all work fine.

• xnacly

  today at 10:53 AM

  Well i do use banking and netflix on graphene os on my pixel 8a and everything works perfectly

• lawn

  today at 10:58 AM

  All Swedish banking apps I've tried works great. Including BankID, swish, Sparbanken, Nordea, LF, Revolut and more.

  I've had less issues than with CalyxOS for example, where more apps broke.

• ThePowerOfFuet

  today at 10:59 AM

  Netflix and almost all banking apps work fine.

  https://grapheneos.org/articles/attestation-compatibility-gu...

  https://privsec.dev/posts/android/banking-applications-compa...

I've been using /e/OS for years. Since 2025 I'm on Pixel 9A and GOS. It's excellent. Everything I need works great. Updates are so frequent. Attention to details regarded to security is amazing. My favorite mobile OS.

Been using GOS since roughly 2020. I refuse to use a Phone without GOS on it. It's been amazing.

• palata

  today at 11:46 AM

  I am really hoping that other phone manufacturers will eventually realise that and start making phones that can be supported by GOS.

  • strcat

    today at 8:58 PM

    GrapheneOS was contacted by one of the largest Android OEMs in June 2025 and we're actively working with them. They're going to be announcing our partnership in March 2026 and the phones meeting our requirements with official GrapheneOS support are scheduled for 2027.

    • palata

      today at 9:33 PM

      March? Wow that it huge! Congrats!

      • strcat

        today at 9:37 PM

        Yes, March 2026 is when the first announcement from the OEM will be which is when people will find out which OEM it is. A fair bit into 2027 is when the devices supporting GrapheneOS will be launched. It was theoretically possible for it to happen for 2026 but not very realistic and the hardware wasn't quite there yet.

        • palata

          today at 9:44 PM

          In my opinion (which is worth what it is worth), 2027 is perfectly fine (my Pixel should live a lot longer than that anyway). What I find huge is that it is concretely happening! It will show recognition for GrapheneOS, and it will be great to have an alternative to the Google Pixels.

          Also, people looking at GrapheneOS want technical excellence, so better not rush it :-).

I wish there were a good iPhone Mini sized phone I could install GrapheneOS on.

• timbit42

  today at 8:18 PM

  They are working with a partner to provide their own hardware to run GrapheneOS on. Maybe they will have more than one model.

Switched a couple of weeks ago and works perfectly. I also found so many better apps that dont steal your data for basic stuff like weather, notes, messaging,...

> "Perplexity - I switched to Gemini, but I confirm it works"

Oh the irony.

• raincole

  today at 12:09 PM

  Where is it? I had a really hard time finding the irony.

  • rcMgD2BwE72F

    today at 2:20 PM

    If they switch mostly for privacy reason, then starting using Gemini might be counter productive as Google might learn far more about the end-user than if they just did some basic search on any other Android devices. To enable Gemini, one was to accept some crazy T&C and accept that Google collects an incredible amount of personal data.

    I prefer to use intermediaries like Kagi Assistant, thanks to the strict privacy conditions of the API and the mixing of queries from thousands of users.

    • raincole

      today at 3:36 PM

      I mean... yes? But I really don't think there is any 'irony' here. The author clearly stated:

      > It’s thanks to them that we even have the option of at least partially freeing ourselves from Google (Android) and Apple (iOS)

      partially. And I do think they successfully did this. Asking Gemini questions when you really have something to ask is very different from integrating your whole digital life with Google.

Wallet Apps and Tap-to-pay do not work. Even got banned from PayPal. Android needs an architectural change from the ground up.

• aniviacat

  today at 6:04 PM

  I use the PayPal app with Tap-to-pay on GrapheneOS and I haven't been banned.

  But of course that's entirely up to how their algorithm happens to feel about you.

• dopidopHN2

  today at 11:39 AM

  I'm happy with grapheneOS as a daily driver. Can you elaborate on being banned from paypal so I don't do the same ?

• ozlikethewizard

  today at 11:39 AM

  I mean you're not degoogling yourself if you put all your transactions through a google server. Cash if possible, card if not.

  (Also it is possible to do these things if you root your phone, but caries its own risks and I wouldn't recommend. Ending your dependency on third party processors is probably the best outcome)

• Tepix

  today at 12:19 PM

  If you don't use the paypal app, you should be fine, right?

How does this break free from Google? Isn't the Android that Google themselves writes and maintains the upstream of Graphene? Are they going to disconnect completely from upstream Android or something?

• dangus

  today at 2:48 PM

  The article directly answers your questions, specifically in the “what is GrapheneOS?” section.

  For the end user, breaking free from Google means exiting from Google’s services surveillance system wherever possible. It doesn’t mean complete elimination of the use of source code written by Google employees.

  GrapheneOS is really the most private option of all viable daily drivable smartphone operating systems available, because your only other options generally involve Apple and Google services dependency.

  You can use GrapheneOS and never send any user information to Google, that’s how you “break free.”

Should be noted that in order for OEM unlocking toggle to work, you need to turn on WiFi and connect to the internet.

• Aachen

  today at 6:54 PM

  Huh, and here I thought Google was one of the few manufacturers left that simply support it on their hardware. So it depends on some cloud service being alive.

  Do you know if it's the same for Fairphone or Shiftphone? Or is there another manufacturer that doesn't require this?

  I've recently bought a new phone so it's not relevant for me anymore but when I next go looking, it can factor into it. As it was, I had Google marked in my spreadsheet as the most accessible unlock method together with brands like Oneplus and Fairphone

I had a Pixel 6a with Graphene OS for a year before the phone started to glitch and eventually die. It ran pretty hot; sometimes it was hard to even hold the phone in my hands without burning myself.

I could not get a replacement as I bought the phone in a foreign country (Google doesn’t sell Pixels here in Brazil).

So as much as I love the idea of running a more private phone, I found the hardware extremely fragile and poorly designed, so I will not buy from them again anytime soon.

• sfRattan

  today at 8:59 PM

  > I had a Pixel 6a with Graphene OS for a year before the phone started to glitch and eventually die. It ran pretty hot; sometimes it was hard to even hold the phone in my hands without burning myself.

  This sounds like your phone may have been one of the Pixel 6a models with a defective battery[1]. It was a major problem for which Google pushed out an update that nerfed the battery life. There is a tool online where you can check if your particular 6a was one with a battery from the bad production batch[2].

  But that unfortunately doesn't help if you are in Brazil where, as you say, Pixels aren't officially sold and import/export controls tend to make tech warranties useless in practice.

  [1] https://www.lifewire.com/pixel-6a-battery-overheating-warnin...

  [2] https://support.google.com/pixelphone/answer/16340779?hl=en

• gib444

  today at 4:03 PM

  Yeah Pixels are poor quality. Mine developed the common pink vertical line display issue after 18 months

  The flag ship should not be more than $500

  • drnick1

    today at 9:36 PM

    > The flag ship should not be more than $500

    Which is (almost) the case during sales. The P10 was on sale for $599 not long ago, and you could buy a 9a for little more than $300. That is extremely good value compared to any iThing repoted your every move to Apple.

Do they just not have ANY screenshots of the OS anywhere on the web site

• OuterVale

  today at 2:29 PM

  It is just Android. If you're familiar with the usual Material styling of Android, you're familiar with what Graphene looks like.

  • cbeach

    today at 4:50 PM

    If they'd put a screenshot, that would then have been immediately clear to casual visitors.

    My initial assumption was "this is gonna look like a typical OSS product, and not as polished as iOS or Android". A single screenshot would have dispelled that notion.

• matthewkayin

  today at 2:26 PM

  It looks about the same as stock android.

• today at 2:25 PM

I've been using it for more than 2 years, and I can't think of ever going back to a stock OS. I had to send my phone for a screen repair, in the meantime I picked up my old Samsung, and the sheer amount of apps I didn't want, notifications and dark patterns to tricking me into handing over my data made me anxious. I couldn't finish setting the phone up and drove to my parent's home to pick up their old, remotely nerfed by Google, Pixel 4a so I could install GrapheneOS into it and use it while I waited for my repaired Pixel 8.

• iugtmkbdfil834

  today at 1:47 PM

  ~6 months here. In my case, it became almost a full daily driver ( putting corporate spyware on it would kinda defeat the purpose ). It is by no means perfect, but I can recommend it ( and I could not do the same with other phones that should have been better on paper -- linux phones like pinephone or purism ).

• netbioserror

  today at 1:43 PM

  Same. Not only has using it been no trouble, but having a barebones core app selection, a few picks from F-Droid, and using the browser for the rest makes my phone feel refreshingly under my control. It lasts for 3-4 days of low usage to boot, when nothing is phoning home constantly.

Google is so much engrained in our lives that we can't really break free. You can't just don't use youtube and for that you need a google account.These projects are nice and good for tinkering, but can't use this as a dialy driver.

• drnick1

  today at 10:00 PM

  Like others have said, you can use Youtube without Google account. Moreover, you can give Google the middle finger by using uBlock Origin or viewing though a third party client like VacuumTube. Also don't forget the shorts filter recently featured on HN to remove those annoying portrait format videos.

• strcat

  today at 9:12 PM

  GrapheneOS is very usable as a daily driver. Nearly every Android app can be used on it and there's a huge ecosystem of open source Android apps. You should read the whole linked article which explains in depth how someone new to using it set up their device. They chose a certain way of doing it to balance their priorities. Only a tiny portion of apps can't be used on GrapheneOS which are mostly a subset of around 15% of banking apps which ban using a non-Google-certified OS in a way we can't easily work around. Most banking apps do work and extremely very other apps are unavailable. Google apps and services aren't used by GrapheneOS by default but can be installed as regular sandboxed apps.

  You don't need a Google account to use YouTube and can use it via the browser, NewPipe or several other alternatives rather than their app.

  The linked article covers someone's first experience with it with a lot of detail. They're using it as their daily driver with mainly open source apps and separate profiles with mainstream apps they still need. They're using those with much better privacy protections including having sandboxed Google Play in those profiles for using mainstream apps rather than regular highly privileged Google Play heavily integrated into the OS and not running with the standard app sandbox or privileges.

• aniviacat

  today at 5:51 PM

  As someone who doesn't have a Google account, I can use YouTube just fine on my GrapheneOS phone using apps like NewPipe.

• mrtesthah

  today at 5:20 PM

  Why do I need a Google account for Youtube? It seems I can watch nearly any video I want without logging in. Moreover there are anonymity proxies like Invidious.

GrapheneOS needs at least the modem blob provided by the OEM. It runs as root, it has full network control. Same could go for other "drivers" like wifi+bluetooth.

Privacy is more a dream than a real thing.

• strcat

  today at 9:02 PM

  No, that's a misconception. GrapheneOS has only ever supported devices where the cellular radio is isolated from the OS and unprivileged. It does not have access to memory it hasn't been permitted to access by GrapheneOS. Wi-Fi, Bluetooth, NFC, UWB, etc. are isolated components too. Our hardware requirements are listed in our FAQ and require proper isolation for radios:

  https://grapheneos.org/faq#future-devices

  8th, 9th and 10th gen Pixels provide our full set of requirements with 7 years of support from launch. 6th and 7th gen Pixels are missing the ARMv9 security features including the extremely important hardware memory tagging (MTE) feature we heavily use to protect against exploitation. Even the first devices we supported back in 2014 including the Nexus 5 had isolation for the cellular radio but similar isolation for Wi-Fi/Bluetooth started with the Nexus 5X.

• timbit42

  today at 8:11 PM

  They are working on getting their own hardware.

Break free from Android... by installing Android? I'm not sure it's really breaking free when the first task to do is intall Google Play Services so your banking app works.

Sounds like we can't actually breaking free from Android and iOS. Maybe with Linux like the Fedora Atomic for mobile devices? https://github.com/pocketblue/pocketblue Or PostmarketOS? https://postmarketos.org/

Even then banking would probably only work through the browser... Sad state of the world really.

• arein3

  today at 10:54 AM

  And the 50% of banking apps still wont work because it wants an android signed by google.

  And no tap to pay.

  Hopefully the new EU banking system will work on Graphene and Ill switch back

  • lejalv

    today at 11:39 AM

    I would put the focus on having capable web-banking. I never install the banking app on my phone.

    I must also be getting old, because I don't get the big fuss about NFC payments. Firstly, I'd never use them if they go through Google/Apple. But even when/if they don't, it's not a big deal to use a card, isn't it (if you hate cash)?

    • palata

      today at 11:51 AM

      Agreed about NFC, I'm happy to scan a QR code.

      > But even when/if they don't, it's not a big deal to use a card, isn't it (if you hate cash)?

      Card is usually linked to the US. Some people would like to not depend on that. But the rational solution IMO is for the banking system to use QR codes instead of NFC. Some countries do that and it just works.

      • lejalv

        today at 1:32 PM

        > Card is usually linked to the US. Some people would like to not depend on that.

        You have a point, and even though it looks like it will be a very corporate-driven system, and possibly dependent on Google or Apple, there seems to be an EU payment system on the making (if it ends up depending on Google or Apple, that will be the irony of leaving VISA/Mastercard to fall in the fangs of Google / Apple, but... oh well, one step at a time).

        I think the name is Wero, it was on HN a few days ago.

  • palata

    today at 11:49 AM

    > And the 50% of banking apps still wont work because it wants an android signed by google.

    Where do you get that number from? All the banking apps I've tried work on GrapheneOS.

    > And no tap to pay.

    There are countries where the payment terminals show QR codes, and banking apps work by scanning it. No need for NFC :-).

  • Maken

    today at 11:35 AM

    The new payment networks are not an independent app. They are a protocol your banking app has to implement, so unless your bank supports non-Google phones you are out of luck (not my case, thankfully).

  • wisplike

    today at 11:11 AM

    [dead]

• to3k

  today at 10:53 AM

  I tried Ubuntu Touch and Droidian

  https://blog.tomaszdunia.pl/ubuntu-touch-eng/

  https://blog.tomaszdunia.pl/droidian-eng/

• palata

  today at 11:48 AM

  You're confused. GrapheneOS is not Android, it's an AOSP-based OS.

  > I'm not sure it's really breaking free when the first task to do is intall Google Play Services so your banking app works.

  sandboxed Google Play Services. It's an important difference.

  • hengistbury

    today at 12:36 PM

    What is the difference here between "Android" and "AOSP" (Android Open Source Project)?

    • palata

      today at 1:15 PM

      AOSP is Android without the Google proprietary stuff (and without the manufacturer proprietary stuff, e.g. Samsung's). If you install bare AOSP, it will look like the Android on a Pixel phone, but the biggest difference you will see is that it won't have the Play Services or some Google apps.

      If you want to be a certified Android system (like all Android manufacturers do), you have to port AOSP to your hardware, install the Play Services as a system app (giving Google root access), install the system apps you want (e.g. Samsung have their own UI, maybe their own camera, their own store that they want to be installed as system apps), pass some conformity tests by Google (Google wants to ensure that it's good enough to be called "Android") and pay a ton of money to Google for the licence.

      But as an individual, you can just download the AOSP sources, build them and install them on your phone. It's AOSP, but not Android.

      GrapheneOS is based on AOSP. /e/OS is based on LineageOS which is based on AOSP. Those are not Android systems, they are AOSP-based systems. In a way like Linux Mint is based on Ubuntu which is based on Debian. Those are different layers. If you hate Canonical, it doesn't mean that you have to hate Debian, even though Canonical does contribute to software that runs in Debian (like the Linux kernel). The comparison is worth what it's worth, but I hope you get my point :-).

      • seba_dos1

        today at 6:07 PM

        You're confused.

        To quote Google's documentation:

        > To build an Android-compatible mobile device, follow this three-step process: > 1. Using AOSP, implement Android on your device. > 2. Ensure your device complies with the Android Compatibility Definition Document. The CDD enumerates the software and hardware requirements for an Android-compatible device. > 3. Pass the Compatibility Test Suite (CTS). Use the CTS as an ongoing aid to evaluate compatibility during the development process.

        AOSP is how Android is being distributed. Being "Android-compatible" (implementing Android and passing CTS) does not automatically give you access to Google Play, it just unlocks the possibility of licensing it:

        > After achieving compatibility, your device is considered Android compatible and you can consider Licensing Google Mobile Services (GMS) and prepare to use the Android trademark.

        Google restricts the use of "Android" trademark on hardware, packaging or marketing materials of devices and requires prior approval of any use, but that doesn't make AOSP "not Android". If you insist otherwise, you're going against common use of these terms.

        In fact, not just "common use", but even Google's use - AOSP's homepage has this as its headline:

        > Android is an open source software stack created for a wide array of devices with different form factors.

        It also tells you how to "get the Android source" or "build the Android OS".

        Sure, many apps that are being called "Android apps" are in fact apps for the Google Play platform (perhaps that's where you got your confusion from), but that doesn't make Android-based systems non-Android.

        • palata

          today at 9:29 PM

          Just like Linux can mean "the Linux kernel" or "a Linux distribution" in "common use of the terms", Android can mean "a device that can legally be advertised using the Android trademark" or "whatever looks like Android to people".

          Now when someone says "Break free from Android... by installing Android?", either they are having fun by using the two different meanings in the same sentence, or they are confused and genuinely believe that using GrapheneOS does not allow you to break free from the system running on a device that can legally be advertised using the Android trademark.

          To that, I answer that GrapheneOS is not a system that can legally be advertised using the Android trademark, but rather a system that is based on what is commonly (and can legally be) called AOSP, which is made of the open source codebase that builds the system that can legally be advertised as Android.

          Similarly, in a discussion about kernels, Android is a Linux system, but in a discussion about OSes, Android is not a Linux system. If I write an article about "breaking free from Linux by using Android", where the context makes it exceedingly clear that I'm talking about Linux as an OS and not Linux as a kernel, and you say "it makes no sense, you're talking about breaking free from Linux by installing... Linux", then I think you're confused. As in: you did not understand what the article was talking about.

Break free from Google by paying money to Google for a Pixel phone? Even with a used Pixel, you're helping prop up their used market value which helps Google

• timbit42

  today at 9:55 PM

  You could buy a used Pixel. Also, they are working with a partner to create their own phone hardware.

• paulnpace

  today at 1:51 PM

  This statement implies ignorance to the reasons the project selected Pixel devices.

It's weird that here on HN some people are trying to break free from Google and Apple and on the other side some people are married to Gemini, and both look like to be the majority at times.

Many are complaining about banking app compatability, but I've never felt compelled to use anything other than my browser for banking. What's the big deal with the banking apps? Am missing out on some huge advantage here?

• dgan

  today at 11:06 AM

  Some banks force you to validate transfers on your phone; unfortunately its not the user who decides

• rationalist

  today at 1:12 PM

  Depositing checks by taking a picture of them.

  • Aachen

    today at 6:47 PM

    If I knew what a cheque even looks like, that might be a benefit

    • rationalist

      today at 7:18 PM

      I don't think that comes across how you intend.

      • Aachen

        today at 7:33 PM

        That being?

I want to break free - Queen :)

Lyrics https://genius.com/Queen-i-want-to-break-free-lyrics

How are the cameras on the latest devices running GrapheneOS? My last Android experience was the Oneplus One and the experience left me with the feeling that cameras are just too proprietary to work well once you go tinkering with custom ROMs and camera apps.

I'm not a photographer or anything, I just want to quickly point and shoot and get on with whatever I'm doing without thinking too hard.

• strcat

  today at 8:53 PM

  GrapheneOS has the same camera features and quality as the stock Pixel OS within the same apps. You can use Pixel Camera on GrapheneOS even without sandboxed Google Play in the same profile if you want the full feature set. If you want extremely good cameras, the Pixel 10 Pro and Pixel 10 Pro XL are the best choices. Those provide the highest quality image sensors among the available supported devices and the Pro mode in Pixel Camera. See https://www.dxomark.com/smartphones/ for how those compare to other devices. Our own Camera app will be heavily overhauled to narrow the gap more with the Pixel Camera app but you can already use that especially if you care a lot about this.

• gf000

  today at 2:51 PM

  You can run the proprietary Pixel camera software on GrapheneOS just fine (properly sandboxed).

• ForHackernews

  today at 1:42 PM

  GrapheneOS only works on Pixel devices so it only targets a very limited set of Android camera hardware.

Graphene is very attractive, the two things that prevent me from going are a) using your phone as a credit card, I'm too attached to that now. b) work profile does not work with rooted phones

• strcat

  today at 8:51 PM

  There are multiple options for tap-to-pay on GrapheneOS in the UK and European Economic Area. It depends on where you are.

• ysnp

  today at 8:27 PM

  GrapheneOS isn't rooted. Did you mean that your corporate MDM app doesn't run on non-certified OSes?

I need to try this out.

This is so well-written with obvious care! Answers so much of what I've been wanting to know, as someone who's thinking about taking this plunge.

Some privacy settings for GrapheneOS:

https://inteltechniques.com/blog/2026/01/05/grapheneos-2026-...

There's several AOSP based ROMs in forums like xda. Mostly developed by enthusiasts.

Recall using one years ago on my Samsung device with happy results. That was long before banking apps etc. Wondering what's the difference with this? Extra security?

What is the smallest phone that Graphene will run on? I would love to switch but these massive pixel phones are a no go for me.

• ysnp

  today at 8:22 PM

  From a quick look online it may be the Pixel 8 https://www.gsmarena.com/google_pixel_8-12546.php at 150.5 x 70.8 x 8.9 mm based on recommended devices.

• Aachen

  today at 6:51 PM

  Maybe an old Pixel with an old version of GrapheneOS, but at that point you're losing most of the security benefits and, depending on your goals, you may be better served with a small phone running a different OS

> Break free from Google and Apple

Step 1: Buy a Google phone

• timbit42

  today at 10:13 PM

  They are working with a partner to get their own phone hardware.

Is there a great phone with high end specs this runs on?

Currently have an iPhone 16 pro, and probably my next phone will be something like this.

I need to be able to share photos easily with my wife, typically I’ve been using airdrop.

• aniviacat

  today at 4:34 PM

  You can use GrapheneOS with the Google Pixel lineup, or in particular the Pixel 10 Pro XL [1].

  GrapheneOS supports Android's Quick Share, which (on the Pixel 10 family) is compatible with AirDrop [2].

  [1] https://grapheneos.org/faq#supported-devices

  [2] https://blog.google/products-and-platforms/platforms/android...

  • Gud

    today at 6:09 PM

    What if I don't want to give money to Google at all?

    • aniviacat

      today at 6:14 PM

      Then GrapheneOS is currently not an option, however they are working with another OEM to have non-Google phones available with GrapheneOS by next year [1].

      [1] https://grapheneos.social/@GrapheneOS/115987006592879172

GrapheneOS is Android isn't it? Same binary blob issues and such? Or is that not an issue on Pixel devices?

• palata

  today at 11:54 AM

  It is not. GrapheneOS is AOSP-based.

  But yeah, same binary blob issues for firmwares, but Linux on Mobile has the same issues.

  • dizhn

    today at 3:27 PM

    It's not very important but what are you referring to with "it is not" ? AOSP is Android (it's in the name) so I don't get it. Are you talking about blobs re Pixel devices?

    • palata

      today at 4:13 PM

      No, I really meant that AOSP is not Android. Android builds on top of AOSP. I elaborated here: https://news.ycombinator.com/item?id=47047167

      • dizhn

        today at 5:22 PM

        Well. I do get your point and I am aware of the situation and how Google pivoted away from a truly open source OS by systematically moving components like the keyboard to separate closed source apps. The fact remains though that it's Android Open Source Project where all Android systems are based on. It's become sort of a GNU/Linux kind of distinction where the "certified" Android is AOSP + Google. Though the situation is not that clear because there are other Android based phones that do not contain the Google layer but are still Android.

        • palata

          today at 5:47 PM

          > Though the situation is not that clear because there are other Android based phones that do not contain the Google layer but are still Android.

          Which ones? I'm pretty sure that being "Android" means that you are certified by Google. You cannot sell an Android device if it's not certified by Google.

          > It's become sort of a GNU/Linux kind of distinction where the "certified" Android is AOSP + Google

          It depends on the context. If someone asks you "are you using Windows or Linux?", answering "I'm using GNU/Linux" is a way to show that you are that kind of people. But if someone asks you what userland you are using, then suddenly it makes sense to make a distinction between GNU and, say, busybox.

          When someone asks me if I have and iPhone or Android, I say Android (even though I am running GrapheneOS). But when we're talking specifically about an alternative to Android that builds upon AOSP, then I think it makes sense to make a distinction. There is a whole (niche) market of AOSP-based alternatives to Android, that users choose specifically because they are not Android. When we talk about that, it makes sense to use the right words.

I had to replace my old phone a few months back and I went with a used Pixel 8 pro from Backmarket specifically so I could try GrapheneOS. I'll never go back if I can help it. I love this OS.

Has anyone tried monitoring traffic from this ROM and see whether their claim of having minimal analytics and booseted privacy is true?

• ysnp

  today at 8:15 PM

  https://www.kuketz-blog.de/grapheneos-der-goldstandard-unter...

It's very annoying that they restrict themselves to Pixels. I get they can't guarantee all the security features they want on other phones, but even a subset of those security features and the other advantages like the lack of cruft would make it very attractive to be able to run on other phones.

• timbit42

  today at 10:16 PM

  They are working with a partner to get their own phone hardware, hopefully by next year.

• ysnp

  today at 8:13 PM

  I can understand the frustration, but it wouldn't be right to say they 'restrict themselves to Pixels'. They believe strongly in a standard for privacy/security of people's personal devices, and unfortunately only Pixels are close to meeting those standards. It's not even like Pixels are their ideal device.

  I feel the frustration should be targeted at OEMs that don't meet very reasonable requirements like minimum 5 years of monthly (timely) security updates.

  • JCattheATM

    today at 8:33 PM

    > I can understand the frustration

    It's not frustration, just disapproval.

    > but it wouldn't be right to say they 'restrict themselves to Pixels'.

    It's absolutely right to say that. You justify why in your next sentence.

    > They believe strongly in a standard for privacy/security of people's personal devices, and unfortunately only Pixels are close to meeting those standards.

    That doesn't prohibit them from releasing a version that runs on other phones, even if it's missing a few (and it would only be very few) features. Most of the graphene users are not using it because of those features.

    > I feel the frustration should be targeted at OEMs that don't meet very reasonable requirements like minimum 5 years of monthly (timely) security updates.

    Again, though, no frustration; I wouldn't run graphene even if I could as I have my own setup I'm quite happy with. Just disapproval at an arbitrarily high standard that isn't doing the good they think it is, and ultimately, actually does more harm in not making their product accessible to the hundreds of thousands of people it would benefit.

It's a sign of how far we've come that this article says "Break Free from Google and Apple", not "Break Free from Google, Apple and Microsoft".

• nusl

  today at 11:36 AM

  People seem to fondly remember the Microsoft phones. If they made them now though, I can't really imagine what sort of Copilot-filled abomination they would be.

• guerrilla

  today at 11:28 AM

  Yeah that's not actually good. As much as I'd never use anything from Microsoft, having less diversity is not a step in the right direction.

• Tepix

  today at 12:21 PM

  I heard that Windows on phones is about to make a return later this year, thanks to NexPhone.

They should get the same level of financing (donations) as Tor project at least. Some big organization like Open Technology Fund or NLnet should give them yearly grants.

• olejorgenb

  today at 3:16 PM

  900+ donors on github (https://grapheneos.org/donate#github) is not *too* bad, but likely not enough to cover a full salary.

So you were happy in your orchard/garden but then plenti arrived offering the forbidden fruit; android. This is the slippery slope that led us here, open rebellion against the tech patriarchy

My observation is - It is the ecosystem that is sticky not just the OS.

• empyrrhicist

  today at 3:25 PM

  You can install Google Apps as a regular set of user apps rather than a system-level admin monstrosity, and it mostly works - Play Store included.

  Whether or not that defeats the purpose is an exercise left to the reader.

• Aachen

  today at 6:52 PM

  You're not the first to notice! It's called the network effect

Citibank app does not work in GrapheneOS

I really don't want to give Google money so the Pixel is off for me until GrapheneOS supports something else.

For now I consider smartphones as disposable toys that can't be trusted with anything sensitive and use a computer for privacy.

I also don't like the idea of running Android, I still hope for a real linux phone at some point.

• timbit42

  today at 10:20 PM

  You could buy a used Pixel.

  Also, they are working with a partner to get their own phone hardware, hopefully by next year.

is it worth to buy google pixel just for installing grapheneos? in my country, it is kinda pricey and of course it cannot install bank apps because almost all of them are must non root phone.

• riedel

  today at 1:19 PM

  Break free from Google by buying their hardware and be dependant on them to actively support the device. Things are absurd at this stage. I guess there is different motivations behind mobile OSes.

  • ysnp

    today at 8:08 PM

    "Break free from Google," is not GrapheneOS's motivation, just so people are aware. That is the blog writer's motivation.

Why only pixel phones are supported?

• timbit42

  today at 10:22 PM

  They are working with a partner to get their own phone hardware, hopefully by next year.

• lpcvoid

  today at 10:37 AM

  Because google actually cares about hardware and software security. Read the FAQ: https://grapheneos.org/faq#supported-devices

  • zhouzhao

    today at 10:40 AM

    >Because google actually cares about hardware and software security.

    That statement might not have aged so well, especially consindering googles attempt to lock out apps from their devices, If the developers do not comply with being oficially registered.

    • lowdude

      today at 10:46 AM

      There is a difference between security and privacy or freedom of use. Locking down the device to only allow a subset of apps that Google has some control over (by requiring developers to register) is a measure that can increase security, even though it obviously takes some control away from the end-user.

      The fact that the play store is not exactly known for exceptionally high standards w.r.t. malware, or that there are lots of valid concerns that come along with a company controlling who is allowed to supply apps for the device is a different topic.

    • izacus

      today at 10:47 AM

      Don't mix security and freedom. They're commonly opposed to each other.

      • palata

        today at 11:58 AM

        This is true, I don't get the downvotes.

• erremerre

  today at 10:42 AM

  I believe (as it's open source) there is nothing impeding anybody else to compile grapheneOS in a samsung S10, which would not be as secure, but should still work as any lineage

  However I haven't seen anybody try

• anal_reactor

  today at 11:14 AM

  Because phones have device-specific code. Effectively, each single model is running its own fork of Android. Naturally, Google has no incentive to change this - it makes it difficult to update (planned obsolescence) and install other software (like GrapheneOS).

Combine it with OnemanBSD to be really FREE. Lookhere: https://www.youtube.com/watch?v=2wHaoQhXOYY

If Apple partners with Starlink, this is my next mobile OS

Am I the only one who finds monospace font barely readable for articles? Good for code, bad for longer forms of text.

• Aachen

  today at 7:22 PM

  No, I also click away articles in that font style if it's not exceptionally interesting or relevant to me

  In this case, reader mode fixes it (your browser probably has a button built in)

Breaking free from Google by using a Google phone with a Google designed processor

Hah, just talked with my colleague, his feedback is that it’s too raw to be used daily

• Aachen

  today at 7:25 PM

  If you're tech-literate enough to find the bootloader unlock, I find that a strange statement. Could $colleague be anymore specific?

• rationalist

  today at 1:11 PM

  You might want to reconsider trusting your colleague's technical opinions.

I can't take this seriously when their mission statement is to "break free from Google and Apple" and their entire output is a fork of a Google repo.

If you're based on AOSP, the project is still 100% reliant on Google!

It seems extremely cynical to me to depend on the work of a thousand-man team to build your OS, then patch out a couple of lines and claim you've broken free from them. Without Google, none of this project could exist.

• niam

  today at 1:39 PM

  You'd be pleased to hear, then, that "break free from Google and Apple" is not Graphene's mission statement, because this is a blog.

The article is a wall of text with not a single screenshot.

And I couldn't easily find a link to a page that summarised GrapheneOS with some images so I could see how polished it looked.

This is one of the reasons why OSS fails to gain mainstream appeal (as much as I want it to)

• strcat

  today at 9:21 PM

  GrapheneOS is based on the latest release of the Android Open Source Project (AOSP) which is Android 16 QPR2. It looks nearly the same as the stock Pixel OS also based on the same AOSP release. The main UI differences are user-facing portions of the many privacy and security features added by GrapheneOS. There are minor differences such as the stock Pixel OS having a few different fonts than AOSP. The main thing to show would be the UI for features such as Contact Scopes, Storage Scopes, per-app exploit protection controls, etc. It looks like the stock Pixel OS without the Google app/service integration not present in AOSP with added privacy and security controls.

  There are many useful videos about GrapheneOS here:

  https://www.youtube.com/@sideofburritos/videos

  Any of the videos older than December 2025 will be prior to Android 16 QPR2 so the overall UI will be outdated. That's part of why we don't focus on screenshots or videos because many would need to get updated every 4 months. We'd mainly be using them for our own features which often improve more frequently than that.

"Break free from Google"

All supported devices are exclusively Pixels.

For some (and other not-so) obvious reasons I switched to Graphene a few weeks ago. For years I've been pushing towards de-cloudifying my digital life and there were several reasons for it: On one hand it was the constant content subscription which gave me 0 guarantees that what I am interested in will still be available the next morning, even though I've paid for it, and the other was, you guessed it, the idiotic LLMs everywhere and subsequently the complete annihilation of security practices by giving a probabilistic model unrestricted access to all of your data.

First things, first, kudos to the GrapheneOS team for making it this easy to install and the surprisingly rapid support for new devices. Sure, there are features which I otherwise liked in the stock android that came with Pixel phones(swipe typing is something I very much enjoyed) but all in all, I can't say I miss much from it otherwise. I've slimmed down my list of apps to basic functionalities backed by self-hosted services (nextcloud, immich, jellifin, etc. along with a VPN I maintain myself) and I honestly don't miss much from the stock Android.

I want to point out that for a very long time I worked for a company that developed games for mobile devices and while the data we collected was mostly anonymous(*unless you logged in with facebook and by implications we had your facebook id) and it was never even utilized all that much beyond bad attempts at maximizing sales(not effectively anyway cause the people in charge were as incompetent as they could get), I can say that we collected ungodly amounts of data: most of the cloud bills were storage for that specific reason. While we did not have bad intentions and had to operate under strict GDPR regulations, this was a large company that was constantly monitored. Small companies can fly under the radar and get away with not abiding by the rules and laws and commonly they are not even aware what the repercussions could be. Similarly, the US and Asia-based giants can simply shrug it off and toss a few billions in fines. Make no mistake, no company is looking for your best interest and with that in mind, I couldn't recommend GrapheneOS (and self-hosting everything) enough, assuming you know what you are doing.

• strcat

  today at 9:25 PM

  You can use a different keyboard than the default AOSP keyboard with more modern features including but not limited to swipe typing. We plan to replace AOSP keyboard with a fork of a more modern app but there isn't yet one meeting the functionality requirements which is under a license we can use. FlorisBoard is what we have plans to eventually use, although it might not be what we end up using.

• 8K832d7tNmiQ

  today at 11:29 AM

  Check out FUTO Keyboard, It has swipe-typing feature.

After reading this blog post, going to grapheneos's site, and browsing a half-dozen or so pages that I thought might show me what it looked like... I cannot find a single image of it.

GrapheneOS team, I'm begging you... Hire or recruit one person with advertising or copy-for-public-consumption experience. Just one.

• Aachen

  today at 6:59 PM

  Answered 2h ago before your comment: https://news.ycombinator.com/item?id=47047720

  Saving a click, it looks like any bare Android without vendor customisations. You just get extra settings like turning off network per app

  I don't disagree that some screenshots might be good marketing

I switch from iPhone to a pixel 9 fold, and installed graphene after 2 weeks on stock android.

Look, it's better than stock android overall, UI much more simplified even though it gives you a lot more security control, battery feels slightly longer, but there are drawbacks, i.e. twitter/x wouldn't install, neither would my bank's app. However from time to time I go to use iOS on the iphone and it just feels like better software, with better ergonomics overall, the combination of the xnu kernel plus the design and feel of the..buttons.. on iOS is still years ahead in my opinion. So keep that in mind if you're switching away from apple to it, as android still feels like decade plus old software.

Now for the upsides.. there's a built in terminal and debian vm you can install and run your agentic AI tools (claude code,opencode etc) in a portable sandboxed environment which you just don't get onios. You can even fire up a graphical xfce session albeit that takes quite a bit of work to get it to go.

As for the tablet form factor of the phone itself when unfolded, i found it amazing the first few weeks and then later found myself rarely using it.

Overall I'm going to stick with itand will never go back to stock android, but am quite annoyed at how much better it could actually be.

• strcat

  today at 9:27 PM

  You can bypass Play Store restrictions on app installs by using Aurora Store. There's a high chance your banking app can be used but it may require toggling the per-app exploit protection compatibility mode. Most banking apps work on GrapheneOS. X is one of extremely few apps disallowing using a non-Google-certified OS but it only partially disallows it in their store listing which can be worked around and for regular password login. Login is still possible to X via a passkey or Google login. X should stop doing that but they're quite understaffed and did this as a misguided anti-spam measure.

I really doubt they have an issue tracking you despite all this added effort.

Why is it that Google find my doesn’t work? I can’t get it running on my pixel, seems like a known issue.

I use this and lineage, but in a few years time this could be moot if Google decides to completely lock down devices. That leaves commercial options like Fairphone

• strcat

  today at 9:29 PM

  Fairphone is far from meeting the update and security requirements for GrapheneOS. It isn't a viable platform for a hardened OS to use and isn't likely to ever become one due to security being very far from a priority for them.

  GrapheneOS has a partnership with one of the largest Android OEMs. They're going to be announcing it in March 2026. Devices meeting all of the update and security requirements from them with official GrapheneOS support are planned for 2027. We don't expect future Pixels to prevent installing GrapheneOS but we'll be fine if they do. We'd still like to keep supporting new Pixels but they'll become a secondary option in the future since there will be devices with official support.

If you are using social media, you might get a shadowban, just because you needed to unlock your bootloader to install this OS.

the OS is great, but too risky in certain situations.

• Aachen

  today at 7:27 PM

  Try a social media that is not antisocial. HN, Mastodon, Tildes, various forums... lots of communities and tech content are available in browsers or via open source apps

  I'm not aware of any that bans you when not using an allowlisted OS, so maybe it was something else that caused this shadowban, or (more likely) that's just my bubble

Anyone like GrapheneOS better? Like it has some features? Or is it a locked down version of Android?

• MattTheRealOne

  today at 3:37 PM

  I love the ability to block apps from accessing the network. There is no reason apps like the keyboard, camera, or other offline apps and games need access to the internet.

GrapheneOS is like using Firefox. Works on most sites, but those few things just don’t. Maybe it’s a dealbreaker for some. And they’re dependent on Google.

What you want is a solar 6502 with lots of memory and GMRS mesh

Unless govts make web a primary citizen of information dissemination and acceptance, it will be only apple/google on the sim card linked access

A lot like Linux zealots people say a lot of things along these lines:

“It’s perfect. I love it. It works great. No complaints” and then go on to list 100 rough edges that mainstream phone OS users never have any issues with. It’s funny.

As great as GrapheneOS has been, I'm still tempted to switch to LineageOS. Sure, it would be objectively less secure, but at least then I might be able to disable the obnoxious "automatically disabled 3 unused background apps" notifications.

The biggest problem with security culture is its obsessive hyperfocus on security. Any change that could possibly be less secure (even in extremely exclusive circumstances) must be wrong. Even if it improves accessibility, it must be rejected out of hand.

GrapheneOS promises to liberate us from the enshittification of Google's anticompetitive moat; but it focuses that effort exclusively on security. Everything else that was enshittified gets carefully preserved as-is in the name of "security".

All I want is a mobile computer that does what I tell it to. Why is that constantly treated as an unreasonable fantasy?

[dead]

[dead]

  Full control over app permissions

  GrapheneOS allows for full control over what permissions each application can have. 
  For example, in conventional Android forks, every application by default has granted 
  Network (internet access) and Sensors [...] permissions.

  Has anyone ever wondered if all apps on a phone need Internet access? 

https://news.ycombinator.com/item?id=40667147

[dead]

Break free from Google and Apple by buying a phone from Google /s

• backscratches

  today at 12:35 PM

  I commented elsewhere but GrapheneOS on Pixels actively siphon resources from Google and is arguably a good protest against google.

  They subsidize Pixel hardware (to incentivize users to adopt their spyware OS), you (buying used obviously) take their subsidized hardware and do not repay them by using their spyware, replacing it with Graphene. Only google loses. Their hardware is technically very good otherwise (in fact no other hardware fits the strict graphene security requirements).

  • imcritic

    today at 1:54 PM

    How about they start supporting more devices instead?

    • strcat

      today at 9:31 PM

      There are currently no other devices meeting the update and security requirements. GrapheneOS is partnered with a major Android OEM working on making devices meeting all of those requirements along with providing official GrapheneOS support. The devices are planned for 2027 but is being announced by the OEM in March 2026 so people will know which OEM it is soon.

    • ysnp

      today at 7:55 PM

      You should probably be asking Android OEMs why the requirements listed here https://grapheneos.org/faq#future-devices are unreasonable.

    • backscratches

      today at 4:27 PM

      Good news they are making their own devices. But until then pixels are technically the most secure android devices and graphene would not be as robust on other devices.

      • ysnp

        today at 7:53 PM

        Small correction, GrapheneOS are not making them. They are partnering with an existing large OEM to ensure one or a number of future flagship devices meets their security, privacy and support requirements.

      • mathfailure

        today at 8:25 PM

        No, there are no such news yet, only hearsay.

        • strcat

          today at 9:32 PM

          It has been officially stated that GrapheneOS is partnered with a major Android OEM working on making devices meeting all of those requirements along with providing official GrapheneOS support. The devices are planned for 2027 but is being announced by the OEM in March 2026 so people will know which OEM it is soon.

    • MaroonBear

      today at 10:01 PM

      [dead]

[flagged]

• today at 10:38 AM