After using LineageOS for long time, I have finally moved to GrapheneOS. I use a lot of banking and financial apps which I never felt comfortable using on LineageOS due to lack of proper sandboxing, unlocked bootloader etc.

GrapheneOS works flawlessly just like Android. You don’t even notice there’s hardening underneath. Also it protects from Google’s evil location tracking using WiFi/Bluetooth or even when the Location is turned off. I don’t understand how people in general are comfortable with Google tracking all the time. You can use Google Play and Play Services in a sandbox that works just like regular installation, but without deep tracking.

If you haven’t tried GrapheneOS, try it. You won’t go back to regular Android.

102 points

For people looking to change and are worried about banks bullshit here is a link to a list of currently supported bank apps.

permalink
report
reply
23 points

This is stupid helpful, thank you. I wouldn’t have thought to look this up on my own but now that I know it I’m a good bit more likely to try Graphene on my next phone. This is way more apps than I would have guessed.

permalink
report
parent
reply
13 points

My bank apps all work fine. Just keep your physical bank cards on you because Google Wallet won’t work with credit cards, NFC or transport passes. Your gig tickets and membership cards will load fine though.

You probably don’t want Google rummaging through your purchase history anyway. I certainly don’t miss it.

permalink
report
parent
reply
5 points
*
Deleted by creator
permalink
report
parent
reply
4 points

I personally have to toggle on Exploit protection compatibility mode in App info to get some of my banking apps to work

permalink
report
parent
reply
2 points

Really helpful, thanks. Just curios, does this list apply also for LineageOS + MicroG ?

permalink
report
parent
reply
2 points

I couldn’t tell you. The page / list was made for graphene and I don’t know the technical differences between running that and lineage + micro g so not sure if the same list could apply. Sorry.

permalink
report
parent
reply
64 points

If they can get it to work on non-Google devices, I will consider it. Right now Graphene compatibility is extremely limited. I basically have to give Google money to avoid Google.

🤪

permalink
report
reply
40 points

Have people forgotten about the used market? Buying things second hand is the way.

permalink
report
parent
reply
24 points

Doesn’t change that this only runs on Pixel devices. I simply don’t want a Pixel device for various reasons. Used or not, Graphene won’t run officially on a Sony, a Fairphone, etc.

permalink
report
parent
reply
31 points
*

If the security benefits of a pixel is less important then the fact Google made it then GOS is simply not meant for you.

Its silly people complain about it being only compatible for pixels but never seem to blame other android brands for making significantly less secure phones. The responsibility should be put on phone makers to create secure phones that meet GOS requirements, not to expect GOS to make a less secure OS.

The whole AOSP environment is very Google centric so its pretty weird to think because your not buying a pixel that you are somehow avoiding Google.

permalink
report
parent
reply
13 points

still pricey as fuck in my country. barely any pixels here.

permalink
report
parent
reply
7 points

My country’s second hand market sucks donkey balls. Import fees are crazy if you even dare to use Amazon instead of cheap Chinese shop. I just wanna scream.

permalink
report
parent
reply
4 points

Damn, that really sucks, I’m sorry :(

permalink
report
parent
reply
5 points

I’m always wary of buying second hand phones. How healthy is that battery going to be?

permalink
report
parent
reply
5 points

It is possible to replace them, with a little research. Or just taking them to a phone repair shop if you’re too anxious for that

permalink
report
parent
reply
0 points
*
Deleted by creator
permalink
report
parent
reply
29 points

Yeah, it’s kind of wild and ironic that one of the most private OSes requires a Google phone.

permalink
report
parent
reply
15 points
*

Not only that but it relies on the Pixel’s black box “Titan” security chip, that google pinky-promised to open source but never did…

permalink
report
parent
reply
13 points

The Titan security chip is not a black box. The Titan M1 gas been scrutinazed by blackhat: https://dl.acm.org/doi/fullHtml/10.1145/3503921.3503922

Just because something is not open source does not mean you can’t verify it (no, i’m not shilling closed slurce; no i don’t think closed > open; no i don’t think closed source is more secure)

permalink
report
parent
reply
16 points

permalink
report
parent
reply
13 points

Buy a Pixel second hand. Then you’re just reimbursing someone who already made that mistake. ;)

permalink
report
parent
reply
4 points

Just research ahead and don’t buy one with a known hardware defect such as the 5As which are notorious for frying motherboards and screens. Went through 5 of them with the extended warranty over my phones life and they all died while in my hand abruptly. Less than a year or life per device almost always failing around 8 months for me.

If grapheneOS wasn’t so damn good I would’ve left pixels after that, Pixel XL abruptly died, 2XL had both cameras and the fingerprint sensor die out of nowhere, then the 4 5As. On an 8a right now and love it so fingers crossed it lasts!

If they had a user repairable device that ran it I’d buy it in a heartbeat

permalink
report
parent
reply
2 points

YES :D

permalink
report
parent
reply
1 point

this

permalink
report
parent
reply
-1 points
*

Like Google will bankrupt without my money. I’d rather remove their malware.

permalink
report
parent
reply
26 points
*

I would like to switch, but there are a couple of points that are still holding me back right now:

  • Charge limits, on LOS I can root the phone, install ACC and still use the OTA updates, if I apply the patch afterwards. (Will be resolved in A15)

  • Option for sandboxed MicroG, IMO privacy is also very important for security, and people should be able to decide if they like more privacy or more security.

  • Option for rooting sandboxed apps from outside. IMO I, and a person, like to have full control over my phone. Trust often comes with control. If I choose to trust one app to have root access to another app in order to inspect it, then this should be possible. Sandboxing could allow one app to have root access to individually chosen other apps, thus limiting the impact compared to system-wide root access. Maybe offer rooting gated behind a separate hardware token authentication. (sudo like) A lot there can be improved IMO, while still providing it and making it more secure in general.

I know that my understanding of security and privacy might be different from what GrapheneOS understands, but as a long time Linux Admin, I don’t like black boxes, I like to peek into them, modify or patch them, when they do something I don’t want them to do, etc. So that when I enter personal information into them, I am still in control what happens to them, at least that is my desire.

Taking control away from the user in order to “improve security” might be a valid approach to some, but it is not something I have much trust in.

permalink
report
reply
2 points

What are you contemplating switching from? Does your current OS meet those criteria?

permalink
report
parent
reply
15 points

I am currently using a rooted LOS with MicroG. It certainly is not as secure as GrapheneOS in terms of app sandboxing, encryption, regular security updates, etc., but I have control of the system, in case I need it, for instance ACC, F-droid privilege extension (F-Droid auto updates), ReVanced Manager (not using it currently) etc.

I trust GrapheneOS much more than Apple, but both go into a similar direction with their understanding of security. IMO taking control away from the user might be a good option, if you are dealing with just regular consumers, but I don’t really like the “one-size-fits-all” approach of it. And it is my device, I should be allowed to decide what I want to do with it.

BTW, this is just a personal annoyance of mine. The GrapheneOS devs do a very good job.

permalink
report
parent
reply
5 points

You can root GOS like any other Android-based OS. It’s just highly discouraged, completely unsupported and, in the opinion of the GOS devs, you will no longer be considered to be running GOS since you are compromising the core OS by doing so.

permalink
report
parent
reply
2 points

I didn’t realize GrapheneOS limited control like that. Thanks for sharing!

permalink
report
parent
reply
1 point

What’s ACC? Anyway I would strongly discourage using root under Android as it breaks the security model. You should find ways around using root and if you can’t you probably shouldn’t be doing on your phone anyway. Root is very dangerous as it can survive a factory reset.

As for MicroG, it is sandboxed but it does require device admin for full functionality. It isn’t running as root but it requires a lot of device permissions. You can turn off the permissions you don’t need but that could break things.

permalink
report
parent
reply
7 points
*

What’s ACC?

ACC - Advanced Charging Controller, which allows to set charge limits, thus extending the battery life, which should have been part of Android from the beginning,

Anyway I would strongly discourage using root under Android as it breaks the security model.

Security isn’t a binary, security works like an onion, you have multiple layers of security and multiple decisions to make on every level. Currently you might be right, that having root access to a device might compromise it in some ways, but that isn’t necessarily so and depends on how it is done.

You should find ways around using root and if you can’t you probably shouldn’t be doing on your phone anyway.

This kind of thinking is the ‘I know better than you’ mentality, that I sometimes see around people advertising GrapheneOS. Having ‘root’ permissions to the device is owing it, I want to decide what to do with it, not the vendor of the ROM, or who ever else. They aren’t me, they don’t know what I want to do with it.

The goal of security models is allowing me, the owner, to do what ever I want with my device, while preventing others, non-owners, un-trusted applications or the internet from doing what they want with my device. If the security model doesn’t allow me, the owner, to do what I want, then it failed its job at least partially.

Root is very dangerous as it can survive a factory reset.

Why is that dangerous? The first thing I do, when I get a new phone is boot into the boot loader, and overwrite the whole partition, then the system is trusted again, at least if I trust the vendor of the boot loader. When I want to do a factory reset, I do the same, overwrite the flash with a fresh OS image.

IMO, there are other reasons why the current implementation of root are dangerous: They currently considered binary and I think they could be implemented more gradually. Like one application having root over individual other applications, e.g. accessing their files. Allowing/Disallowing individual privileged system calls, or access to specific system files, etc. All of this could be hidden behind a switch in the developers menu. Maybe only allow applications to gain root access when using a registered hardware token, etc.

permalink
report
parent
reply
1 point

You can make changes to the OS when it isn’t booted. You can even compile your own image. The problem is having root in the application layer. You are exposing yourself to unnecessary risk. Ideally you should flash a overlay in the Lineage OS recovery or TWRP. You can do this for a few other things such as the F-droid privileged extension.

permalink
report
parent
reply
1 point
*

Maybe CalyxOS would be a better fit then?

permalink
report
parent
reply
13 points

Woot! Welcome to the club! Fuck Google!

permalink
report
reply
9 points

I just looked it up and GrapheneOS only works on google hardware? So you had to give google some money first or did you get it to work on something else?

permalink
report
reply
12 points

If you buy one used that is how you can get around giving Google money.

From a security standpoint it might give you a temporary benefit since all of Google’s tracking IDs will be associated with the original owner. On a new phone I figure it’s associated with you immediately.

permalink
report
parent
reply
0 points

Not really. You carry arround a Google devices and people notice the brand and devices are more valuable when also desired second hand.

All of this supports Google

permalink
report
parent
reply
6 points

Cover the G logo with a pop socket or some shit. No one will give enough of a shit to desire your phone. Buying used always denies OEMs sales so its always good to buy used

permalink
report
parent
reply
5 points

Yeah the fact that Pixel Phones are the defacto standard for privacy phones is absurd. It’s guaranteed chock full of hardware surveillance tools you can’t remove with custom roms or kernels.

Outside of the Pixel lineup, custom rom support is almost non-existant in 2024. it’s wild, you can get the same or better hardware for half the price.

permalink
report
parent
reply
3 points

Xiaomis and some other chinease brands have decent custom rom support, but no grapheneos and no bootloader relocking (except some oneplus phones)

permalink
report
parent
reply
3 points

I have a Xiaomi, I love their hardware and the fact that it’s bugged by a foreign nation rather than my own. But Xiaomi software is garbage and flashing is an absolute pain. I looked at what rom support modern Xiaomi devices have and I am not impressed. It’s almost all half baked or not privacy oriented. I’ve been struggling with one of said ROMs for years.

I am sick of flashing one-off ROMs without proper support or OTA, and constant system level bugs.

I’d love to have a manufacturer with open-source/open hardware focused cheap high performance repairable hardware and with privacy ROMs as a first-class citizen. Like a Fairphone if it was good.

But sadly all of these devices end up with bad support too in the end.

I think the main issue is that most ROM developers today only buy the most high end flagship devices, since those are the only ones that get any decent support. I’m guessing that’s because they all got high paying tech jobs now.

permalink
report
parent
reply

Privacy

!privacy@lemmy.ml

Create post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

Community stats

  • 4.6K

    Monthly active users

  • 2.9K

    Posts

  • 77K

    Comments