I am a long term GrapheneOS user and would like to talk about it. r/privacy on the redditland blocks custom OS discussions which I think is very bad for user privacy, and I hope this post will be useful to anyone who are in the hunt for better privacy.

Nowadays smartphones are a much bigger threats to our privacy and Desktop systems, and unfortunately manufacturers has designed them to be locked down devices with no user freedom. You can’t just “install Linux” on most smartphones and it is horrible. And most preloaded systems spy on us like crazy. That was why I specifically bought a pixel and loaded GOS onto it.

According to https://grapheneos.org/features , they start from base AOSP’s latest version, imptoves upon it’s security and significantly hardens it. There’s hardened_malloc to.prevent against exploitation, disabling lots of debugging features, disabling USB-c data, hardening the Linux kernel and system apps etc. They even block accessing the hardware identifiers of the phone so that apps cannot detect whqt phone you’re using. That means with Tor and zero permissions given, apps are anonymous.

Compatibility with apps are best in Custom ROMs but there are still that can’t work, especially if they enforce device integrity. Very few apps usually enforce that tho. Also their community isn’t the friendliest but you can get help. Just don’t try and engage too much or have too many debates.

Anyone else here use GrapheneOS, or any other privacy ROMs? What is your experience? Do you disagree on any point? Let’s have a discussion!

  • Gebruikersnaam
    link
    fedilink
    arrow-up
    2
    ·
    35 minutes ago

    Is the camera still good on Graphene? It is pretty much the only thing that holds my Oneplus 6T back.

  • youmaynotknow
    link
    fedilink
    arrow-up
    1
    ·
    56 minutes ago

    I’ve been on GrapheneOS for 4 years or so. I’ve tried CalyxOS every now and then, but always end up coming back to GrapheneOS. I find it simple, private, secure and free of BS. CalyxOS does come with some stuff preinstalled, which doesn’t really appeal to me, and I trust the sandboxes Google Play model much more that MicroG.

    About the devs, I really haven’t had any issues that I have not been able to resolve myself, so my interaction with the is non-existing. I have read some posts with interactions with them, and they do seem to be hostile towards anything that is not 100% aligned with their train of thought, which I find stupid, to say the least. But regardless of how rude they may be, I feel GOS literally has no competition in the Android landscape in terms of privacy and security.

  • Nicro@discuss.tchncs.de
    link
    fedilink
    arrow-up
    1
    ·
    1 hour ago

    I would absolutely buy a Pixel, if only they supported sd-cards. I get that Google is pushing cloud-storage. If I smash my phone on the sidewalk, I still want to have a local storage, I can take out and thus make live backups to. There are just some features Pixels lack and privacy shouldn’t lock you out of them.

  • N.E.P.T.R@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 hours ago

    My recommendation is GOS if you care about out of box experience and using gapps, DivestOS if you care about degoogling and removal of proprietary code. Both are hardened.

  • GHiLA@sh.itjust.works
    link
    fedilink
    arrow-up
    3
    ·
    3 hours ago

    I would but my Pixel 6’s USB connection is entirely useless. It hasn’t successfully connected to a cable in over a year.

    I was considering it for my next one, though, whenever that is. Don’t really feel the need for an upgrade atm.

  • N0x0n
    link
    fedilink
    arrow-up
    21
    arrow-down
    2
    ·
    6 hours ago

    I post someone’s comment on a controversial topic about google and GOS. I saved it because that’s exactly how I feel.


    Step 1 of installing GrapheneOS for de-googling your life: Buy a Google Pixel phone

    Look - I know, I know. I get it. Google allows you to unlock the bootloader while maintaining the phone’s unique and excellent hardware security features. The argument makes sense. It is compelling. Other manufacturers do not give you this freedom. I am not arguing about that. I have a Pixel phone running GrapheneOS myself.

    However… It is just so very obviously ironic that one needs to trust Google’s hardware and purchase a Google product to de-google their life through GrapheneOS. I think that it is a perfectly valid position for someone to raise their eyebrows, laugh, and remain skeptical of the concept either because they do not want to support Google at all, or because they simply will not trust Google’s hardware.

    The reason why I think that this is “controversial” is because I have seen multiple instances of someone pointing out the irony, followed by someone getting defensive about it and making use of the technical security arguments in an attempt to patch up the irony.

    https://mander.xyz/comment/15084264

    • Darth_Vader__@lemmy.worldOP
      link
      fedilink
      arrow-up
      5
      ·
      4 hours ago

      Yeah it’s ironic but what is the alternative? At least we CAN remove Google’s known spyware from the device, and there’s no evidence of firmware level spying. If you get Samsung, or some chinese crap, you can’t remove Google period, and you might get spied by the manufacturer as a cherry on top. There is no way to have a perfect solution, well unless Samsung starts to provide Custom ROM support or something.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      9
      ·
      5 hours ago

      If your objective is to punish Google, or to have nothing to do with Google. I completely agree with you using a pixel phone just doesn’t make any sense. You shouldn’t do it

      If your objective is to have the most security possible… Then you should install graphene on a Pixel phone.

    • Tinkerer@lemmy.ca
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      6 hours ago

      This is exactly why I don’t have graphene os, the irony of having to support google is too much for me call me paranoid but i also dont trust them with the hardware piece either lol. I’ve been running lineage os without gapps and its honestly great, updates and patches are every few weeks, super stable and awesome.

      • Darth_Vader__@lemmy.worldOP
        link
        fedilink
        arrow-up
        1
        ·
        4 hours ago

        I assume you’re using it with bootloader unlocked. The issue is somehow some malware injects your phone and roots it, it can just install itself as a system service and just live there and you’ll never know. The security feature that protects against it is disabled once bootloader is unlocked.

        Also I’ve heard that LineageOS has not all security updates present since some firmware updates needs to be provided by the specific manufacturer. For Pixel, Google provides it and GOS uses it.

    • bloubz@lemmygrad.ml
      link
      fedilink
      arrow-up
      4
      ·
      6 hours ago

      I don’t have any answer for the point where you would not trust Google even for the hardware (even though I don’t think there is any risk on the current devices)

      But concerning the “don’t want to support Google” an easier answer is to buy a second-hand Pixel

      • eleitl@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        6 hours ago

        The point of not trusting Google hardware is that there is no way to know what hidden function is in there. De-lidding and reversing isn’t practical at current integration density. So, no, I don’t trust the hardware to not contain remoteable backdoors. But it’s a pretty high threat level.

  • communism
    link
    fedilink
    arrow-up
    5
    ·
    4 hours ago

    Last 4 or so phones have all been GrapheneOS (I’m not buying new phones all the time to be clear; I use phones till they break; I’m just a long-time user) and yeah I’ve really had no problems to speak of. I currently have a separate profile with Play services for certain apps, and also just to isolate non-privacy-respecting apps that I have to have installed for whatever reason.

    Almost all the apps I use are FOSS apps who are aware that a significant amount of their userbase will be using various AOSP forks so I’ve not run into any app compatibility issues. Even back when I used banking apps, I’d used 4 different banks’ apps on GrapheneOS and all of them worked completely fine. Now I don’t have a banking app because I won’t install proprietary software unless I actually have to for some reason, and I can bank on the web just fine.

  • Yep. Been using it for about 2 years now. So far no issues except amazon prime but they gave me adds sufficiently annoying that i finally got around to setting up jellyfin. Been able to solve pretty much all my issues with dr gpt.

    Every time i see someone posting about a new mobile phone exploit i get immense joy scrolling down through comments and finding someone posting the fact that graphene patched it 3 years ago and recommended a patch to google who have yet to implement it into base android.

  • ouch@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    5 hours ago

    Personally for me the most important thing in Android is automatic native call recording. If GrapheneOS gets that, I will consider buying a Google Pixel device.

    Also, banking and other apps should stop using Play Integrity API.

    • egerlach@lemmy.ca
      link
      fedilink
      arrow-up
      5
      ·
      5 hours ago

      It’s okay if they use the Play Integrity API, they just need to also whitelist the keys that sign the official Graphene OS ROMs. Not that I expect they’ll do that, mind you…

  • this@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 hours ago

    Yea I did the same thing as you about 2 years ago. Gonna maintain and use this phone for as long as I possibly can before either betting another one or find a equally good or better solution that doesn’t give money to google(and hopefully one with a replaceable battery)

  • Object@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    7 hours ago

    Other than Starbucks app and VoLTE stuff, I haven’t encountered an issue yet. Somehow all my banking apps work. The profile feature alone makes it worth it. They also recently increased the number of profiles that can be run in parallel, too.

        • acockworkorange@mander.xyz
          link
          fedilink
          arrow-up
          1
          ·
          4 hours ago

          That’s a dealbreaker for me. I do use my phone as a phone rather frequently. What’s the deal? Is VoLTE not supported by default on GOS? Is ou it a specific device incompatibility?

          • Metz@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 hours ago

            Is VoLTE not supported by default on GOS?

            Yes and no. e.g. see https://grapheneos.org/usage#carrier-functionality

            Wi-Fi Calling, VoLTE, Visual Voicemail, MMS, SMS, Calling and 5G (SA and NSA) all are supported, however some functionality may not be usable due to Google not supporting carriers on the stock OS officially or due to GrapheneOS not shipping proprietary apps required in order for this functionality to work on some carriers.

            Generally 5G, SMS, MMS, Calls and VoLTE will work fine on GrapheneOS with officially supported carriers by Google.

            Some carriers may restrict functionality, such as VoLTE, on imported Pixel devices as they only whitelist the IMEI ranges of Pixel device SKUs which were sold locally.

            And https://grapheneos.org/usage#lte-only-mode

            VoLTE / VoWi-Fi works on GrapheneOS for most carriers unless they restrict it to carrier phones.

            So… it depends

            If your carrier is official supported by google, your carrier itself supports it and your device is not imported, it is likely to work.

          • Object@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            2 hours ago

            Honestly, not quite sure why it happens, but I know it’s something to do with using it in Korea, where Pixel phones are not natively supported. In other words, it happens with Pixel phones, regardless of the OS.

            As to how I knew it would work with the fix, it was a gamble. I rooted my phone and enabled VoLTE prior to that app.

          • Object@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 hours ago

            Unless the phone is rooted, I don’t think so; I need to enable wireless debugging first, then run Shizuku, then enable a bunch of options in the Pixel IME app. But then again, this can be done permanently with root.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      6 hours ago

      How do you like the cross profile notifications? What’s your workflow? Do you have multiple profiles active at the same time?

      • Object@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        6 hours ago

        I have one “Daily” profile where I keep thing I don’t mind showing others, and many other private profiles. Each private profile has a unique environment I find myself using every now and then, so it’s a bit like VMs. For example, one profile has VPN on 24/7, another with Orbot, and another with a non-functional VPN (which is basically no network). It enforces the rule so that I don’t fuck things up by accident. Primary profile is just a package manager for me.

        I have multiple profile active, but it’s usually just for long downloads. It was annoying whenever I go back to a profile expecting some long job to be done, only to find out it got killed 10 seconds after starting it. Or worse, finding out my Daily profile got killed.

        I don’t get many cross profile notifications because I almost never receive one outside of the Daily profile.

  • capably8341@sh.itjust.works
    link
    fedilink
    arrow-up
    1
    ·
    4 hours ago

    Been using it for about five years now. I absolutely love it. But I will say some of these comments make it sound like it’s a little easier than it is. I’d say about 80% of your knowledge from Android will transfer over and just work. But the last 20% is a bit of a learning curve, and will take at least a few weeks to get the hang of.

    What I recommended to some of my friends that switched is to get the phone and mess around with it for a few weeks before you switch your sim. Then you’ll get the hang of things like alternative app stores and sandboxed play services, and you’ll figure out what you can and can’t do.

    I will say the vast majority of things do work easily because of protection compatibility mode and sandboxed play services. But there will be some things that are just more hassle then they’re worth. I find keeping a second device, like a tablet, without a custom ROM makes that stuff easier.

    And there are some things that seem impossible to get working properly, at least for me. For example, casting to a TV is basically impossible from what I can tell. Also, tap to pay, even for things like tickets doesn’t work (although if you have play services, you can use Google wallet for things with barcodes).

    Overall, it’s totally worth trying out. Just don’t set your expectations too high. You’re not getting a completely “just works” experience.

    As for other custom ROMs, I’ve tried CalyxOS and LineageOS for MicroG. I didn’t find either of them quite as good, but that was many years ago. Maybe they’ve gotten better.

  • Samsy
    link
    fedilink
    arrow-up
    7
    ·
    edit-2
    6 hours ago

    I was a long time lineageOS user and love the freedom of changing anything. I switched to grapheneOS and like it, but miss some features, that are just pointless and not relatable: no full AMOLED dark mode - the devs said the battery savings between dark and pure dark isn’t relevant. and the other thing is: why is the white bar on the bottom not removable?

    Because of these things I switched back to lineageOS and realised how dumb it is because of two optical features. GOS is definitely worth to look over two missing features and I switched back to GOS.

    Anyway the most interesting transition from an lineage user to an grapheneOS user is, you realise that root isn’t useful and more risk than fun.

    • Darth_Vader__@lemmy.worldOP
      link
      fedilink
      arrow-up
      2
      ·
      4 hours ago

      Yeah GrapheneOS rarely does eye-candy features. They have a very small team so they exclusively work on security features.

    • Zorsith@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      3 hours ago

      Tbh i used OLED dark mode on my LG v50, and I got serious screen burn in as a consequence. OLED isn’t worth using for a smartphone IMO.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    7 hours ago

    https://www.privacyguides.org/en/android/distributions/#aosp-derivatives

    https://eylenburg.github.io/android_comparison.htm

    I am a GOS user, it just works, so I don’t really think about it. It’s very nice to have storage and contact scopes.

    My only complaint is I can’t share a VPN over hotspot or tethering, which is very useful for a travel router device (to make all traffic look like it’s coming from the phone). (Lineage and calyxos have this)

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        6 hours ago

        I’m not sure I understand your architecture.

        Let’s say I’m traveling. I have two phones and one laptop

        One of the phones has a SIM, unlimited data for the phone, and no data available for tethering. The Sim phone has a VPN

        In your use case, how do I get other phone, and the laptop to use the VPN?

          • jet@hackertalks.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 hours ago

            The graphene phone has the SIM card.

            Now how does that phone share a VPN connection with the laptop? Or another phone that’s not graphene?

            And my requirement for my scenario is, the upstream carrier cannot tell that the traffic is not coming from the graphene phone