People keep mentioning GraphineOS as a reason to buy a Pixel, but in other regards the Pixel hardware doesn’t seem so great. If you get a different phone that can run Lineage, is Graphene really better? Thanks.
GrapheneOS user here – for many years and several devices. Also had many devices, prior to that, running LineageOS.
GrapheneOS
First thing to weigh, between your two options, is that GrapheneOS is considered its own mobile operating system at this point, and the development of this mobile operating system is driven chiefly by privacy and security. While founded on AOSP, GrapheneOS gets such benefits as – but not limited to – more frequently updated kernel patches, code removal or alteration to abate zero-day vulnerabilities normally addressed more slowly (or not at all) in vanilla Android, the security of a re-locked bootloader (only available on Pixel devices), an isolated and sandboxed Google Play to access normal apps (microG and other replacements are considered, in GrapheneOS circles, less secure), isolated user profiles for different sets of apps that have the ability to push notifications to each other, hardened memory allocation, and so much more.
Pixel hardware is a great fit for GrapheneOS due to the kind of security chipsets they employ, too. By selecting a device that allows users to re-lock the bootloader (other devices do not afford this), as well as leverage Pixel-specific hardware-level security features, there’s a measure of consistency for overall security provided to GrapheneOS users and developers, alike. The devs don’t have to provide workarounds, for example, in the same way other ROM makers do, such as for LineageOS. There can be focus. And that benefits everyone who is primarily interested in privacy and security in a phone OS.
LineageOS
Second thing to weigh, between your two options, is the intent behind LineageOS: it’s an open source variation of AOSP, and is considered both an excellent extension mechanism for aging Android devices and an open source alternative to vendor-created – and often vendor-locked – ROMs that come, by default, on a variety of devices. LineageOS has been focused on being one of the most consistent, open source ROMs around. This means the consistency in UX, features, and flexibility of LineageOS can translate between many targeted devices. Over 20 vendors of devices benefit from the hard work of LineageOS.
Like GrapheneOS is focused on privacy and security for their users, LineageOS is focused on being a solid, consistent ROM for their users.
Further Consideration
I can go into the weeds of both, but at some point I made a decision to buy into the Pixel ecosystem – and subsequently learned about GrapheneOS as an option. I value what they offer, and I understand their stricter alignment with their approach to developing an OS isn’t random. While I choose to lock myself into the Pixel lineup of phones, I would also consider a LineageOS – modified to my own specs – if I had to shift to another device. Each have their strengths.
Graphene is technically more secure than Lineage, because you can re-lock the bootloader.
But wait, the latest versions of Lineage you can re-lock the bootloader on Pixel devices (or is it with DivestOS, a Lineage fork, on Pixels? I forget). Either way, both can be re-locked on Pixel (I know, I’ve done it).
At that point there’s little difference in my opinion, if you aren’t using any kind of Google services.
Once you go to use Google services (either sandboxed on Graphene, or microG on Lineage), it can be argued that Graphene is more secure. Though Lineage and Divest install microG as user apps, so you could install them to a second profile and isolate it there.
But if you’re going to run some form of Google services, you’re kind of negating the advantages of Graphene at that point (though some would argue it’s still more secure, again, depending on your threat model - if a state actor is after you, don’t go putting Google stuff on your phone).
Really it all comes down to your threat model. I’m currently running DivestOS on a Pixel with microG, because there were a few apps I still needed. My next reset (in about 3 months) that will be gone, and I’ll no longer need anything Google. But I’ll probably stick with DivestOS, as there’s no clear advantage for me to switch to Graphene.
Yeah, Graphene does updates, GP sandboxing, and direct configuration type stuff that is next level better than a typical swap ROM. The entire reason why Graphene uses the pixel is not because of the hardware but because of the (trusted protection module) TPM chip on pixels. It is the same chip as secure boot on a PC.
The basics of TPM is that it is like a microcontroller that generates and stores encryption keys. It can generate a key internally that can never be extracted or accessed through communication with the TPM chip. You can send it a hash to verify a match with a key it owns and it will verify any encryption. Graphene is using this feature to create keys and a secure system that can be verified and can get OTA updates all the time securely. You can use an old device to confirm that your device is secure too using a provided authorization app.
Custom ROMs often are terrible about security and how Android actually works. Things like adding root to a device or any of the packages that are capable of modifying the kernel are super sketchy dangerous. You’re a user just like every developer for every app you use on Android. This is how it just works while knowing about networking and securing an operating system is not required. The entire model is designed to fail safe. The moment you start changing packages available in the kernel there can be problems.
Graphene handles this by only giving root access over USB. Vanadium is also quite outstanding and far more than just a browser. At first you’re likely to try to use a ton of apps like you may be accustomed to doing. After a few years with Graphene, you are more likely to greatly limit your apps and only use vanadium for everything. With my setup on a 2 year old device, I still get over 2 whole days of battery life; nearly the same as when new. I’m not using anything from Google and have around a dozen apps total. I’m also primarily on a network that blocks all undesired connections on a whole different level than adblock.
I have been dancing around taking the plunge into GrapheneOS – I have a pixel. Glad to hear you say this, bc it gives me confidence that I could move to it and not lose absolutely all the apps I have become accustomed to. There exists a list of apps that are compatible once de-googled (un play-protected), right? Also, I saw you mentioned that graphene can sandbox google play?
Yeah, read up on the Graphene webpage. I don’t use any of it, but there are options. You’re most likely to have issues with banking apps, from what I have seen. Anything that can’t be done in a browser is a stalkerware scam IMO. I consider them irrelevant if they lack this fundamental functionality.
My experience: most of my apps work fine without Google services. Even more advanced apps - sometimes they just can’t verify licensing, so may complain occasionally. Even now, Macrodroid can’t verify licensing through microG, but the dev has a process for licensing with a serial key based on your Google account.
I really wish there was a way to run microG with graphene. I don’t want google binaries on my pixel at all if I can avoid it.
Till then, Calyxos with microG is privacy respecting but likely won’t resist feds trying to get at your data. If you’re just looking for strongly improved privacy and some moderately improved security, Calyx is pretty nice.
You DONT buy pixel for raw soc performance… If that’s your priority, this product ain’t really for you. Security and privacy is the name of the game