cross-posted from: https://slrpnk.net/post/15995282

Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of ‘non-google’ approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.

Edit: had to change the title, originally it said Uber too but I cannot find back to the source of ether that’s true or not…

Right? Have to pay google for the privilege

You can always buy a second hand one

Someone installing graphene os for security shouldn’t be trusting random second/third/etc hand hardware lol

There is absolutely no problem with that. The phone is wiped and encrypted when you flash graphene, and it does an integrity check every time it boots.

Hypothetically the hardware could have been modified, but that would take some insane level of a determined attacker to be fabricating modified pixels just to sell them on the used market.

Yes, this would only be a concern for targeted attacks by state actors, in which case not even buying new would be safe.

Thinking about it, in such a scenario buying used may even be safer

It also comes with a hardware auditor, although you need another trusted graphene phone to use it. I don’t know about the details, but sounds very hard to mess with it.

although you need another trusted graphene phone to use it

No, Auditor can be installed on any Android phone. It’s even available on the Play Store: https://play.google.com/store/apps/details?id=app.attestation.auditor.play

You can even perform a remote verification, which uses GrapheneOS servers and doesn’t require a second device at all: https://attestation.app/tutorial#scheduled-remote-verification

Nothing too hypothetical nor an “insane” level of work. Didn’t Israel do just that with some beepers to blow up children?

And you can even use the GrapheneOS Auditor app to perform a manual verification of the OS.

Shouldn’t trust anything then. They could intercept your new phone and modify it. They did it for switches. But your not worth it for “them”.

Your options are:

Apple phone

Bloated android phone like Samsung etc.

Chinese android phone (xiami etc)

Google phone with Android

Google phone with graphene. This still looks like the best of those options.

Or no phone? I guess people are hardcore enough that will be the option.

Edit: I stand corrected.

Fairphone? Swiftphone? eOS? Linuxphone? PostmarketOS etc?

Is swiftphone its own thing or did you mean shiftphone? I kinda want the shiftphone 8 myself even if they only ship to neighboring countries of mine.

There’s always package forwarding. I’m about to find out how bad an idea that is.

Ah sorry, you’re right. I meant shiftphone.

All of these are insecure as hell. Linux phones especially https://madaidans-insecurities.github.io/linux-phones.html

Fairphone also really fucked up: They signed their own OS with the publicly available (!) AOSP test signing keys. These guys really don’t know that they’re doing, and I would trust their hardware or software whatsoever. And no, installing a custom ROM doesn’t solve this. Considering how bad their security practices are, we genuinely have to assume that there are security issues with the device firmware as well.

/e/OS is based on the already insecure LineageOS, and it weakens the security further, so it’s not a good option either.

None of the options you mentioned can be compared to GrapheneOS. It’s currently the best option if you value your privacy and security. You don’t have to give Google money either, since you can just buy a used device, which is also cheaper and more environmentally friendly. Google also makes repairing their devices pretty easy for consumers and even works with iFixit. Here’s a Mastodon post I recently saw about that: https://social.linux.pizza/@midtsveen/113630773097519792

An used Pixel, assuming I can find one in my country, still costs four (4) times what I need to shell out for a in-market Lineage compatible phone.

Theoretical security is cute, but it has to be adjusted to practical feasibility. The most secure computer in the world is useless to you if you can’t boot it up.

Security-wise you’re better off using whatever OS comes with your device (as long as it gets updates) than downgrading to LineageOS. At least most smartphone vendors (except for Fairphone) manage to ship their Stock OS with a locked bootloader and somewhat working Verified Boot.

Security-wise you’re better off using whatever OS comes with your device

So, Android 9 / 10?

I’m sure not as heck going to spend zillions on a new phone (or a hard-to-find used one) when the one I have still works perfectly.

I use cheap motorola phone with lineage OS, add that to your options

I don’t think LOS has any privacy/security improvements over the stock android?

(IIRC) it’s even worse than stock because you can’t lock the bootloader after installation.

Though if your phone isn’t getting official updates, it’s probably safer with LOS.

There’s also the Lineage-based DivestOS that attempts to keep up with more security updates, and relocking the bootloader in phones that support it.

https://divestos.org/

Yeah, I myself am using CalyxOS, because DivestOS doesn’t support the Fairphone 5 unfortunately. CalyxOS also has relocking.

Calyx also comes with MicroG, right? So mitigates many problems with a bit more Google.

And Fairphone 4 here, partly for Divest (had it on Oneplus 6 before this and just used to it), partly because of a good deal for a barely used one.

Physical access is game over anyway?

Not with GrapheneOS, since you can entirely disable the USB controller from the settings on a driver level, making it impossible to connect the phone to a forensic data extraction device. GrapheneOS also has a convenient auto-reboot feature, which (together with their patches to the Linux kernel and Fastboot recovery OS to include memory zeroing) erases the encryption keys from memory, putting the device in BFU state and requiring the PIN/password to unlock. This is additionally secured by the Titan M2 secure element, which makes use of the Weaver API and drastically throttles brute-force unlock attempts. https://grapheneos.org/faq#encryption

Some cool features, wonder what backdoors google have put in the hardware

(IIRC) it’s even worse than stock because you can’t lock the bootloader after installation.

That’s a problem with the phone manufacturer, not with Lineage.

LineageOS itself drastically weakens security even compared to stock AOSP, for example by exposing root access or deploying insecure SELinux policies

Xiaomi has the biggest custom ROM scene out there btw despite them trying their hardest to stop bootloader unlocking. You really don’t need to have a company supporting unlocking to make ROMs for them. If they outright block it then that’s an issue.

I read somewhere that on some xiaomi phones in china you need to request it, https://github.com/melontini/bootloader-unlock-wall-of-shame/blob/main/brands/xiaomi/README.md

My friend just got a new Xiaomi phone. He tried unlocking it a few days ago and got “try again in 168 hours”. That happened in Europe. It’s an absolute mess nowadays, I remember when they started blocking you from unlocking the bootloader. First you had to wait 24 hours, then 3 days, now it’s an entire week. You also need to make sure you’re logged into your Mi Account on both phone and PC and do even more weird fuckery to ensure the process actually go through. Meanwhile, on GOOGLE Pixel devices you just type one command after you enable oem unlocking in settings and reboot into fastboot mode. Crazy.

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
Don’t promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

Revolut, McDonald's, and Authy have banned the use of GrapheneOS.(grapheneos.org)

Privacy

!privacy@lemmy.ml

A place to discuss privacy and freedom in the digital world.

Some Rules

Related communities

Community stats

Community moderators