I see quite a few people claiming that Graphene OS is the only way to stay private on Android or that anything but Graphene OS is insecure. In this post, I will describe why I personally do not care for Graphene OS and some alternatives I would suggest.

First off, let’s address the security features of Graphene OS. A lot of the security of Graphene OS comes from AOSP itself. In fact, AOSP has a very good track record. If you get malware on your device, you most likely can just uninstall it. For reference, here is the Android security page: https://source.android.com/docs/security/features

There are some Graphene OS unique security features. For instance, it has a hardened kernel and restricts access. I think this is actually pretty useful but I haven’t seen a need for it much in the real world. The tightened permissions are nice, and I think that is the main benefit of Graphene OS over AOSP. It is also nice that device identifiers are restricted from a privacy perspective. However, from my perspective, you should not run apps that are bad for privacy. Running it in the web browser will be more secure than bare metal could ever be.

One place I strongly disagree with Graphene OS is the sandboxed Google services framework. They say having Google in a sandbox is more secure. It may be more secure, but it isn’t going to be as private as MicroG. The real benefit of MicroG is that it is community-built. It isn’t a black box like Google framework, and any data sent back is randomized. I think it is a mistake for Graphene OS not to have support for it, even if it is also run in a sandbox.

Another thing I have noticed is that Graphene OS prioritizes security above all else. That doesn’t mean it isn’t private as it itself is great for privacy. However, if you start installing privacy-compromising applications such as Gmail and Instagram, your privacy is quickly lost. The apps may not be able to compromise the OS, but for them to be used, they need permissions. To be fair, this is a problem that is not unique to Graphene OS, but I think its attempts to be closer to Google Android make it more tempting for people to stick to poor privacy choices.

I think other ROMs such as Calyx OS take the ethical component much more seriously. Unlike Graphene, it promotes F-droid and FOSS software like MicroG. Graphene purely focuses on security while Calyx OS focuses on privacy and freedom. On first setup, it offers to install privacy-friendly FOSS applications such as F-droid and the like. I realize that MicroG is not perfectly compatible, and some people need apps, but I think alternatives are going to always be better.

One of the most annoying parts about Graphene OS is the development team and some of the community. They refuse to take criticism and have been known to delete any criticism of Graphene OS. Not only that, they have a history of trying to harm any project or person they don’t like.

Here is a page that isn’t written by me that sums it up: https://opinionplatform.org/grapheneos/index.html I think their take is fairly extreme, but I agree with them in many ways. I also understand how upsetting it can be to be censored.

  • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    4 months ago

    A lot of the security of Graphene OS comes from AOSP itself

    GrapheneOS never claimed anything different, in fact, on their website, they say:

    GrapheneOS is a private and secure mobile operating system with great functionality and usability. It starts from the strong baseline of the Android Open Source Project (AOSP) and takes great care to avoid increasing attack surface or hurting the strong security model.

    GrapheneOS just adds to the already solid security of AOSP. The security improvements are listed at https://grapheneos.org/features. Also, a bunch of AOSP security features originate from the GrapheneOS project and were merged into the AOSP codebase. Just so you know.

    If you get malware on your device, you most likely can just uninstall it.

    This is not the kind of stuff GrapheneOS is defending against. GrapheneOS specifically focuses on persistant malware by improving Android Verified Boot along with other security mechanisms.

    I think this is actually pretty useful but I haven’t seen a need for it much in the real world.

    There is a real-world need for it. Hardening the system against attacks from commercial/state-sponsored spyware like NSO Group’s Pegasus or Cytrox’s Predator requires extensive defense-in-depth improvements to the entire operating system stack. If you want to see an instance of actual, real world kernel-level exploits against mobile devices, look no further than the case of UAE-based human rights activist Ahmed Mansoor. In 2016, his iPhone 6 was attacked by the UAE government, using the Pegasus spyware made by an Israeli cyber mercenary company known as NSO Group. The attack used a payload delivered via SMS, which contained a link to a malicious website. If Mansoor would have clicked on the link, a zero-day exploit in WebKit CVE-2016-4657 would have been triggered. The attack used the Trident exploit chain, which if successfully deployed, would have remotely jailbroken Mansoor’s iPhone, using, CVE-2016-4655 and CVE-2016-4656, two kernel-level exploits present in iOS at the time. There are very good reasons for a security-focused OS like Graphene to make substantial improvements to all parts of the Android operating system, including the underlying Linux kernel.

    However, from my perspective, you should not run apps that are bad for privacy. Running it in the web browser will be more secure than bare metal could ever be.

    Some apps simply can’t be run in a web browser, and they require you to install them on your device. GrapheneOS significantly helps with running untrusted applications in a safe manner, especially when using the hardened user profiles feature, which essentially makes you anonymous (in regard to device and profile identifiers, it is still important to use a VPN/Tor, etc.)

    I think other ROMs such as Calyx OS take the ethical component much more seriously.

    Claiming to be a secure OS while repeatedly missing important AOSP security patches is pretty misleading, and giving the user a false sense of security is not quite ethical. GrapheneOS is very minimalistic, and the user is free to choose how they want to get their apps. Although I support the fact that CalyxOS bundles apps like Signal and F-Droid, some other users might see it as unnecessary bloat. I prefer Graphene’s approach of only including strictly necessary apps, and leaving the rest up to the user.

    Graphene purely focuses on security while Calyx OS focuses on privacy and freedom.

    A secure base device/OS is what enables privacy and user freedom. It’s not like GrapheneOS is taking away any of your privacy or freedom, in fact, it is very private by default, due to its minimalistic nature: https://grapheneos.org/faq#default-connections

    I realize that MicroG is not perfectly compatible, and some people need apps, but I think alternatives are going to always be better.

    The main problem with microG is the fact that it needs to run as root, whereas Sandboxed Play Services uses a much more secure approach for getting Google services, while still preserving user privacy.

    One of the most annoying parts about Graphene OS is the development team and some of the community.

    Not quite sure what you mean. The GrapheneOS team just really cares about good, high-quality, secure and complete code, and they like to call out any projects that don’t follow these principles. Just like Linus Torvalds has a history of rejecting poor, low-quality code, in order to keep the Linux kernel codebase clean and easy to maintain. They’re just focused on quality, and if people are offended by that, they should really overthink their own approach to writing and maintaining code.

    Here is a page that isn’t written by me that sums it up: https://opinionplatform.org/grapheneos/index.html

    That website almost feels like a shitpost. Any source that tells you to “Avoid [GrapheneOS] like the plague”, but claims that LineageOS is “Good to go!” shouldn’t be taken seriously. Recommending people a highly insecure OS that doesn’t even allow for locking the bootloader is straight-up user-hostile. I could go through each one of the “arguments” brought up against GrapheneOS, but they are so bad that I don’t feel like wasting my time on a whole bunch of them. But let’s just go through one example:

    https://opinionplatform.org/grapheneos/strcat-tactical-licensing-20230409.html

    This post suggests that GrapheneOS is somehow against open-source software, and shows the following chat log:

    backpacklaptop: Do anybody know what happened to bromite?

    Apr. 9, 12:59

    joe: it’s not actively maintained Apr. 9, 14:32

    there’s no proper announcement or notice, that’s the bigger issue Apr. 9, 14:35

    strcat: we’re working on completing state partitioning including for cookies in Vanadium, and we’ll be adding other features like content filtering

    collaboration welcome

    Bromite was using nearly all of our work on it and they decided to start disallowing us from using their work in return by strictly licensing it only as GPLv3 Apr. 9, 14:46

    so we switched to using GPLv2-only with additional permissions (to make it more permissive) which blocked them using our code since GPLv2 forbids GPLv3’s additional restrictions

    may have something to do with it dying, don’t know

    it’s possible we can switch back to MIT licensing if it’s dead but I’m not going to do that yet

    Apr. 9, 14:47

    Bromite literally used Graphene’s code and then changed the license to prevent GrapheneOS from using any of the Bromite code. In response to this anti open-source move, GrapheneOS changed the license for their Vanadium browser from MIT to the more restrictive (but still FOSS!) GPLv2 license. But apparently GrapheneOS is “using tactical licensing changes against bromite”. What a stupid argument. Anyone who spreads such garbage on the internet can’t be taken seriously. The chat log also shows the GrapheneOS main dev (strcat) saying:

    collaboration welcome

    But the exact same post on that troll website claims that GrapheneOS is “discouraging cooperation between developers”. I think I gave more than enough examples why this shit can’t be taken seriously. It also shows really well how hostile some parts of the community are against GrapheneOS, for no real reason and with absolutely no arguments.

    Another example of this is Jonah Aragon, who posted a really stupid toot on Mastodon, comparing the GPLv2 license of GrapheneOS to FUTO’s source-available license. This claim is so infinitely stupid, and by Jonah’s definition, the Linux kernel isn’t FOSS since it’s also licensed under the GPLv2. These are the kinds of people that Graphene devs have to deal with all the time. A bunch of trolls and absolute morons.

  • refalo@programming.dev
    link
    fedilink
    arrow-up
    1
    ·
    4 months ago

    My biggest problem with it (besides the people) is the fact that it still relies on Google’s proprietary black box “Titan” security chip. You know, the one that they pinky-promised to open source but never did.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    4 months ago

    Use what you like! No reason to fight people over which OS they want to run.

    GrapheneOS is very clear they are security focused, and not anonymous.

    Nothing is stopping people from using fdroid on GOS, the default GOS install has no opinions, nothing is installed.

    Contact Scopes, Storage Scopes, Pin Randomization are some of the security and agency over user data that helps users have a better experience with combative apps like whatsapp

    The core problem with microg is that it runs privileged, which is counter to the GOS principles of minimum privileges for non-system components. (update: MicroG does download and run binary blobs from google on demand in the privileged system) DivestOS does have a form of microg running as a normal app, so that could be a interesting approach in the future https://divestos.org/pages/faq#microgEnable

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        edit-2
        4 months ago

        Fair enough, its a option, a very strong option, but it isn’t for everyone and the ecosystem is richer with many active and competing projects. Great ideas are borrowed and stolen for everyone’s betterment.

        Be aware: MicroG still downloads binary blobs from google and runs them with root privilege, that should factor into the threat model as well.

        • Vik@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          4 months ago

          What binary blobs does microG download from Google? If you’re referring to safetynet, this is opt in and deprecated now anyway.

          MicroG can also work unprivileged though that is contingent on your ROM

            • Vik@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              4 months ago

              Safteynet is now more or less deprecated anyway. I shared this concern until I reached out to the team, mind you.

              I also only recently learned that microg can run unprivileged

  • The Hobbyist@lemmy.zip
    link
    fedilink
    arrow-up
    0
    ·
    4 months ago

    I don’t care which is better. But I can share certain unique features which make me personally chose GrapheneOS over all other options I know of:

    • it is possible to relock the bootloader
    • you can disable the internet permission
    • the location service is independent on google services, even if you install them
    • you can use mutliple profiles and pipe notifications from one profile to another
    • you control native app debugging (and its off by default)
    • you have storage scope (as well as contacts scope)
    • you get all the latest security patches and really fast
    • and more…
  • BobGnarley@lemm.ee
    link
    fedilink
    arrow-up
    0
    arrow-down
    1
    ·
    4 months ago

    Micro G has to run on the root level. If that isn’t a concern for you then Graphene OS probably doesn’t fit your needs.

  • ExtremeDullard@lemmy.sdf.org
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    4 months ago

    As a CalyxOS user myself, I was about to reply with some comparison points, and then I thought… Why bother. I’ll just get downmodded and dragged into another pointless argument with people who think it’s vitally important that they should be right and I’m wrong.

    So my take is this: whatever works for you.

    You like GrapheneOS? More power to you.
    You like CalyxOS? You’re a rockstar.
    You like IodéOS, LineageOS or /e/? Cool!

    What matters is not to run Google’s surveillance stack. That’s what’s important! Even if your deGoogled OS of choice isn’t quite entreprise-grade, it’s still 95% safer and 200% more honest than anything with straight Google on it.

  • Imprint9816@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    3 months ago

    I am not going through this wall of BS point by point but here is a fine example of how I know you have no clue what your talking about…

    One place I strongly disagree with Graphene OS is the sandboxed Google services framework. They say having Google in a sandbox is more secure. It may be more secure, but it isn’t going to be as private as MicroG.

    MicorG has privileged access to you phone, it literally has no privacy benefits over even standard Google Play. You are just choosing to trust MicroG with that level of access instead of Google.

    Honestly just don’t use GOS if you don’t believe in its benefits or at least sack up and post this on their official forum.

  • Mikina@programming.dev
    link
    fedilink
    arrow-up
    0
    ·
    4 months ago

    This is the first time ive heard about microg. How is the app support with it? Can you run every app that needs play service? I have Google Sandbox installed only on a second Graphene profile, and use it for bare minimum of apps that dont work without it, Bolt app, mostly weird MFA for work or package tracking apps i use once per month, while disabling most of their permissions. Will microg improve my situation in this case to be worth switching over? Does it work without root?

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      4 months ago

      There are some known issues: https://github.com/microg/GmsCore/wiki/Problem-Apps

      MicroG Requires system/root access (DOS does have a non-privileged version, but there are lots of warnings around it)

      In my experience GOS Sandboxing is a better experience than MicroG, the only thing you might gain from MicroG is safetynet spoofing which GOS refuses to do.