Rendered at 15:25:40 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
Cider9986 1 days ago [-]
It's absolutely insane that phones have online accounts deeply integrated into the OS. You need to give Apple your phone number to download any apps on iOS.
For example:
Say anyone that downloaded IceBlock commited crime, Apple could give the govt everyone who downloaded its phone number, the govt could get the realtime location of everyone based on their phone number from the carrier.
And that's not even mentioning the other problem that nobody can download IceBlock anymore[1].
It's so refreshing for my phone not to ask for any identifying information when I set it up. GrapheneOS is a better software experience than iOS anyway[2].
Phones have great potential to be the most private and secure computers, cell services not withdrawing. And iPhones are one of the most private and secure devices. But, Apple uses that to restrict its users freedom and it makes Apple's users can easily be controlled by any government.
[2] once you install good apps. This is coming from a lifelong iOS user. Not prejudiced against Apple, I use a Mac (without an account) and their Advanced Data Protection is great (when I had an account).
monksy 1 days ago [-]
I agree with that.. additionaly, I'm finding it to be insane that organizations are trying to force you to have a "audited" phone to interact with them. (I.e. events, businesses, etc)
matheusmoreira 1 days ago [-]
Remote attestation is not just insane, it's the technology that will end free computing as we know it today.
What good is free software if using it marks our devices as untrusted and gets us banned from every service out there? Gets us ostracized from digital society? Because we "tampered" with the device?
We should be able to run whatever software we want and they should be none the wiser. Instead, we are part of the threat model now. Our devices are now cryptographically attesting that they are corporate owned and that we are under corporate control. It's so disgusting. The future we're heading towards is terrifying. Everything the word hacker ever stood for will be destroyed if this keeps up.
Cider9986 1 days ago [-]
It can be used for security and used privately [1] but I entirely agree with you, Google's use of it is anti-competitive and terrible.
[1] attestation.app
matheusmoreira 1 days ago [-]
It's all about who owns the keys and who trusts those keys. If you don't have the keys to "your" computer, then you don't own that computer, you're just renting it from the corporation.
And even if our own keys could be used, who's going to trust those attestations? Nobody. They will trust Google's keys, Microsoft's keys, Apple's keys. Not ours.
teravor 21 hours ago [-]
the intent is that no one owns those keys, your silicon should be the only entity in "possession" of those keys.
but no one uses blind signatures for attestation so it can be used to fingerprint your device's serial. they do try to make it hard. but generally you should assume that if whoever you are attesting to colludes with google they will obtain your HWID - and if it's google you are attesting to you should assume they have your HWID.
GOS uses a proxy for attestation, but it does absolutely nothing for this threat model.
PS: DRM is even worse, there is no intermediary and the APIs are open to all apps. you probably need to be a well resourced intel agency to make use of it as you need to source a valid DRM license server certificate. technically, actual license servers are in violation of their agreements with google, apple, etc if they use the license request for fingerprinting. but they do retain the ability to blacklist silicon (invalidate pirate devices from pirated media watermarks).
preisschild 1 days ago [-]
Yeah same as TPM and Secureboot. They can improve your own personal security (and thereby privacy) drastically, but it has to be controlled by the user.
myaccountonhn 1 days ago [-]
You'll probably just need to keep two phones. One hostile spying device that you use for authenticating and dealing with government stuff, and that becomes e-waste every 2 years. Then you have one that you can repair and extend for your own stuff that respects you and your privacy.
collabs 1 days ago [-]
I am doing this now. I have had a carrier locked iPhone SE 2020 which I only use on Wi-Fi for over five years now. I also have an android phone and I don't install any banking apps on my android phone.
charcircuit 1 days ago [-]
>What good is free software if using it marks our devices as untrusted
That is not what remote attestation is for. The operating system maintains isolation between apps, so a free software app being installed doesn't mean an app that needs high security is compromised.
marmarama 1 days ago [-]
I think you've misunderstood. It's not an app problem. The problem is that it makes Free Software OSes unviable. The copy of Android you compile and install yourself - or your copy of desktop Linux where you upgraded the kernel yourself - will never pass remote attestation, and it gives both the attestation provider and software that checks attestation the ability to unilaterally shut out any OS they like with no workaround, even those that do pass attestation.
In a world of deeply untrustworthy Big Tech, and trend of governments, banks and other basic services needed to exist in society relying on apps and in the future, websites that use remote attestation, that is very troubling.
There are better ways of dealing with the bad actors problem, but Big Tech has chosen violence.
floam 1 days ago [-]
I don’t see how it’s incompatible with open source, just because my development builds aren’t being blessed.
dpark 1 days ago [-]
It’s not incompatible with open source. It’s incompatible with free software. If Apple or Google or Microsoft or the government needs to “bless” your build, then you have no freedom to actually use your build.
marmarama 1 days ago [-]
Your "development build" is another person's daily driver.
Case in point: GrapheneOS (or any other custom Android distro) is unlikely to be able to ever pass remote attestation, even a signed, secure boot build with the bootloader relocked, because it's not the original OS for the hardware.
Same goes for any desktop Linux.
inigyou 1 days ago [-]
GrapheneOS implements its own attestation so you can attest that it's real GrapheneOS. The valid approach they've chosen is to try and get on a level playing field with the big guys rather than destroy the playing field. They have a good argument their OS is very secure, so you should accept its attestation. This is how a user-friendly OS backdoors into the attestation system.
I still think destroying the playing field is better, but less likely to succeed.
matheusmoreira 1 days ago [-]
> so you can attest
This isn't about you attesting anything though. It's about corporations attesting that your device is 100% corporate owned. Can't have you running software that impacts their bottom line after all.
GrapheneOS could be the most secure operating system to ever exist, it doesn't matter to the corporation because it's still under your control. When they say "security", they mean "the corporation's security against the user", not "the user's security against the hostile world out there".
inigyou 1 days ago [-]
They have to come and outright say "we block this because we don't control it". They can't say "we block this because it isn't secure" because it's obviously very secure. And you can sue them for that.
HybridStatAnim8 1 days ago [-]
GrapheneOS doesnt implement its own attestation. It simply inherits the existing, generic attestation system provided in the android open source project. Any fork of AOSP can provide this, the keys would just need to be whitelisted per OS.
charcircuit 1 days ago [-]
You can apply my same comment 1 layer up.
The hypervisor maintains isolation between operating systems, so a free operating system being installed doesn't mean an app that needs a high security operating system is compromised.
matheusmoreira 1 days ago [-]
Then why can't we install whatever we want on "our" devices?
charcircuit 1 days ago [-]
Because you are buying a device without the feature of installing a custom OS. If you want a feature, buy a device offering it.
matheusmoreira 1 days ago [-]
The whole point of this discussion is the trend towards societal scale denial of that feature by both market forces and governmental forces.
There is no such a thing as "just buy a different device" when this "different device" is actively discriminated against to the point it's a paper weight. I wouldn't be surprised if remote attestation becomes necessary to even get an internet connection in the future.
andai 1 days ago [-]
What is that? I don't seem to be finding anything relevant on Google.
monksy 1 days ago [-]
We're running into situations where the usage of smart phones and apps are becoming mandatory for using services.
For example: The UK has a digital ID requirement which is required for you to be employed in the UK. Additionally the EU digital identity services have a hardware/software attestitation that is required to run their apps. (Many of those which 3rd party software can't run).
Another example of this is the Australian eTA - (Everyone has to have a visa to visit Australia.. but the real only way to get a visa* is you have to get an electronic travel authorization which only works via an App)
myGov (Australian government app)
gov.br (Brazilian government app)
Ticketcorner
Authy
Chyrpe Dating
TextNow
mada Pay (Saudi NFC payment app)
McDonald's (International app used for many but not all countries not including the US)
Dott
My SEAT (Connectivity for SEAT cars)
SwissID
Volkswagen
BKK Faber-Castell & Partner
TK-Doc
TK-Ident
TK-App (Blocks access to TK-Safe, TK-GesundheitsMessenger, fingerprint login)
IO (Italian government app which uses it to gate access to the digital wallet feature)
PosteID (Italian postal service’s app used to access the national digital identity system "SPID")
Singpass
subscribed 1 days ago [-]
> The UK has a digital ID requirement which is required for you to be employed in the UK.
That's untrue.
There was a strong push towards the digital ID from the current administration, but it was abandoned 6 months ago.
What you likely mixed up with digital ID is the old digital visa scheme, mandatory for all non-UK citizens to prove right to work.
Re: your app list: looks a little bit eclectic, so it's worth mentioning most of the apps don't ban GoS specifically, but enforce Google play strong or device integrity pass, which GoS doesn't pass.
Some trip on some exploit protections, like secure app spawning, but these can be turned off per app in the latest releases based on Android 17.
andai 21 hours ago [-]
> the old digital visa scheme, mandatory for all non-UK citizens to prove right to work.
Weren't they accepting refugees without documentation?
subscribed 16 hours ago [-]
At some workplaces?
I don't know, probably? That always was an offence[1] anyway.
New scheme, mandatory digital ID, would simply stop Britons from being able to use their physical passport to prove they can work. For everyone else that would swap existing electronic-only scheme with another electronic-only scheme.
I don't think anyone half awake would mistake a refugee with a Brit. At least it's not a problem that would explain introducing a whole huge PITA -- like with mandatory IDs for voting: if I'm not mistaken TWO people total were sentenced for voting-related offences, yet we spend double digits of millions of pounds only to (knowingly) disenfranchise voters traditionally voting against the Conservative government.
Look, I'm a citizen of the EU country and my country's physical ID holds electronic layer containing private keys I can use to remotely sign stuff or authenticate myself. It also allows me to using a digital only ID, and the app ecosystem around that is truly amazing. And I'm a picky one.
Basically it's everything, along with basically every single one European physical ID with electronic layer built-in.
British digital ID was *nothing' of that. If it was a physical smartcard first, optional and not mandatory, I'd probably support it, but the government messaging about that was full of lies and handwaving, especially when people were bringing up the failures of digital only systems like Settled Status for Europeans. Nothing mattered, steamrolling over arguments with soundbites.
No, long story short: no, digital IDs are NOT mandatory and no, employment fraud is not that widespread, and the new system won't fix the employers skirting the law.
GrapheneOS and others should have lobbyists or rather lawyers and lawmakers to fight for using secure systems to mandatory be allowed for these. Sure, there must be some type of OS guarantee, but that should not be exclusive to Google and Apple. And indeed browsers with otp/authn devices (not one per service but yubi/thetis type of thing as those can be made sovereign for a large part); when an OS is not allowed, the browser and app should be mandatory allowed with such a device as that is, actually, more secure than the original device as it is an external encryption and encryption key source the hacker cannot reach.
Cider9986 1 days ago [-]
Us users might be effective as well. Hopefully anti-trust law catches up and bans play integrity. They are probably going to spend their money improving features and experience to get more users. There's threads on the forum dedicated to sending emails to Volkswagen to get them to support Grapheneos and it may be working.
andai 21 hours ago [-]
> We're running into situations where the usage of smart phones and apps are becoming mandatory for using services.
A new building is being built in my city, and the trash containers which were installed outside have instructions printed on them, indicating that you need to use a smartphone app to take out your trash.
I found this deeply offensive in a way that I cannot explain.
monksy 15 hours ago [-]
There are breastfeeding pods in airports that require an app and registration to use them as well. (But it's a well known code to use them. 80085 )
matheusmoreira 1 days ago [-]
> gov.br (Brazilian government app)
Sucks... At least brazilian banks don't ban it. At least not yet.
z3t4 1 days ago [-]
This sucks. The solution is to buy the cheepest iPhone and use it just for the goverment services.
MYEUHD 1 days ago [-]
The cheapest new iPhone is €720 (iPhone 17e)
grapheneos 22 hours ago [-]
It doesn't have to be new. They'll permit using an Android 8 to 10 device last updated over 6 years ago or a similarly old iPhone.
gib444 1 days ago [-]
> The UK has a digital ID requirement which is required for you to be employed in the UK.
False
In fact I can't think of a single Government service or legal requirement that requires a smartphone in the UK.
In the past year I have applied for a passport, applied for benefits, opened a bank account, passed through border control, filed a company tax return, closed down a business, helped someone else claim for benefits, made police reports, filed a case with the small claims court, paid my council tax, received an incone tax refund, travelled on public transport extensively, hired a car.
All had alternatives as far as I can recall.
Quite a few were done online just with a computer and optionally a phone number
And based on prior discussions here I have to point out that "require" doesn't mean "ok but the alternative is kind of inconvenient"
andwur 1 days ago [-]
Likely referring to Android's Play Integrity/hardware attestation API (good explainer from GrapheneOS [1]) that is practically used to restrict what devices/brands/Android builds an app will allow itself to be run on.
I miss the days when iOS jailbreaks allowed you to completely circumvent basically all DRM because the trust in Apple was so high that you could just assume a device is secure. Contrast that with Android, which has always had invasive attestation mechanisms because of widespread mistrust in OEMs. On iOS, sometimes you had individual apps trying to check for jailbreak but that was it
realusername 1 days ago [-]
Apps trying to check for jailbreak is still a thing on iOS and as you would expect, it's jank and can trigger on stock iOS if you are unluky
preisschild 1 days ago [-]
> that organizations are trying to force you to have a "audited" phone to interact with them. (I.e. events, businesses, etc)
Even worse, GOVERNMENTS do that. EU Governments basically forcing you to give Google (via the Google Mobile Services rootkit) or Apple (and via the cloud act also the Trump Admin) access to your entire phone (including all of your saved personal data) to use the govt eID system...
inigyou 1 days ago [-]
Use the old-school ID system.
roysting 1 days ago [-]
> organizations are trying to force
If it were only that and we actually had “free market capitalism” and “competition” you could simply choose, but leering and steering these “organizations” is the treasonous and inherently illegitimate government, which is increasingly indistinguishable from private corporations, mostly because it’s the same pool of people, which are reflexively moving us all towards a common focal point of a form of tyranny similar to hereditary oligarchy and/or serfdom.
daniela-vera 1 days ago [-]
[flagged]
ablob 1 days ago [-]
Don't phones have identifiers outside of phone number anyway?
I feel like you have to trust the hardware/os vendor anyway.
So if you don't trust apple to not misbehave, maybe not getting an iphone is better than chasing the whole phone-number idea.
Cider9986 1 days ago [-]
Your comment isn't super clear to me, let me know if I misunderstood anything.
Yes there are still identifiers when using cellular data service, but they aren't connected to your phone number that you give out. Phone number gets a determined threat actor real time location, which is what I explained. Threat actor gets location from any carrier identifier. Cellular was built in a terrible way for privacy and security.
Android doesn't let apps see hardware identifiers if that's related.
Yes you're correct about having to trust Apple, but my point is that the way Apple is collecting all this extra info allows them to be compelled to hand it over. It's not about trusting Apple, it's about them following the law, which they will do.
matltc 1 days ago [-]
Curious to hear: how much effort did it take to migrate to GrapheneOS? I own a pixel, grabbed it in anticipation of unlocking, but the effort it seems it would take from reading GrapheneOS docs has stopped me from committing to it on my daily driver. Would you please provide a quick time estimate and any snags you hit?
hellojesus 1 days ago [-]
It took me about an hour. I sat down, read the docs, installed it via the web installer, then spent the next 45 min deciding how I wanted to segment separate profiles for play services.
Nowadays it seems a lot easier because there seems to be a separate profile isolater you can run in the main profile, which I would choose if I was installing today.
The only hiccup I've had is that sometimes group messages don't send correctly and send individual messages to everyone, but I think that's because I'm on a secondary profile, and it only happens when the phone is receiving a bunch of messages all at once while I try to send to the same group. But I deny network access to my installed swype keyboard, so it may have something to do with that too.
I've been running this for years, since the Pixel 7 came out, which I'm still using.
I love it. I can confidently go through customs knowing that if they yank my phone during some weird checkpoint and try to celbrite it, I'm as secure as can be.
matltc 1 hours ago [-]
Thanks for the info! Might take the dive.
Itoldmyselfso 23 hours ago [-]
Time estimate depends heavily on the apps you use (data migration in them) and maybe some features that don't easily work out-of-the-box in GOS like Google's find my device, where you'd ideally migrate to use foss alternatives like FMD[1]. For the easiest setup by far just install the sandboxed Google Play Store and get your apps from there. In general the more additional security features you enable, the more issues you may face, so I'd recommend leaving everything to GOS default, like leaving Sensors permission ON by default. There are a few gotchas that may not be mentioned in GOS official documentation or elsewhere such as BT tracker devices not being supported for the most part, requiring workarounds. There are also few apps that don't currently support GOS [2][3], so be sure to check them out beforehand.
Thanks for the references, especially FMD tip; have the Google version disabled due to lack of trust.
grapheneos 22 hours ago [-]
It takes around 10 minutes to install it. Most of the time people spend on it is deciding how they want to set things up. It's very easy to set it up in a similar way that you would use the stock OS. You can use a single profile with sandboxed Google Play installed.
Many people want to segment things more than that by having a dedicated profile for apps depending on sandboxed Google Play. A work profile, Private Space or secondary user can be used for it. A work profile or Private Space is a lot more convenient. Using a work profile avoids wasting the Owner user's Private Space if you want to use it for sensitive data. We want to add support for multiple Private Spaces per user in the future instead of only 1 per user to fully obsolete work profiles for local usage.
matltc 1 hours ago [-]
Wow, straight from the source! Heartfelt thanks for maintaining this project; it becomes more pertinent by the day as we slide ever deeper into living into this dystopian surveillance state.
1vuio0pswjnm7 18 hours ago [-]
"Phones have great potential to be the most private and secure computers."
How would that be achieved
We could assume that a user could make their own computer "private and secure"
But if a third party, e.g., Apple, Inc., Google, LLC, GrapheneOS Foundation, etc., has RCE, e.g., "auto-updates", then how can the computer be "private and secure" against that third party and any party that they "work with", voluntarily or not, e.g., a business partner, a government, but also others that might target these third parties, such as an attacker who isn't interested in their bug bounty programs, etc.
To achieve "private and secure", would the user need to remove the RCE capability of the third party (parties)
What about data collection and surveillance by the third party (the user would have to review the source code and compile the OS themselves to be sure about data collection and surveillance)
If there is data collection and surveillance, then how could the user be sure that the data collected and surveillance capability held by the third party is "private and secure" from that third party (e.g., Apple, Google, etc.), any third parties that work with them, and others who might target these third parties
Assuming the user even knows the identities of all these third parties, what if their operations are secretive and non-transparent
What if they have a history of dishonesty
What if they make no promises to the user that could be enforced and instead they just assume "trust"
Perhaps each user might have a different concept of "private and secure"
I’m on the edge of migrating from my iPhone to a Pixel with GrapheneOS.
But there is ONE feature I love on iOS and it’s the Live Photos. I feel like it’s an amazing way to keep family memories. Do you know if it exists on GrapheneOS?
mschild 1 days ago [-]
Natively it doesn't.
There are 3rd party camera apps that support it, but you'd have to download them separately. GrapheneOS camera app is fine but nothing outstanding. It will give you decent pictures but don't expect any fancy upscaling or editing features.
4gotunameagain 1 days ago [-]
But you can install google camera without giving it network permissions.
mschild 1 days ago [-]
Sure but that's arguably 3rd party at that point.
aucisson_masque 1 days ago [-]
Only in Google camera, which is usable on grapheneos: You get a live shot feature, it ain't exactly the same tho, look into that.
I run pixelos and the amount of stuff I miss from iphone is staggering, the difference between pixelos/grapheneos isn't as big as the difference between iphone/pixel.
Cider9986 1 days ago [-]
Hmm, don't really miss anything from iOS besides tap the top screen to go to top of page. Also Apple Notes is great.
No back button on iOS is madness and also the Android rotate screen integration is way better than iOS.
aucisson_masque 1 days ago [-]
It's mostly the app. Nothing come close to apple notes or reminder for instance.
Even safari... On Android, you get chromium that doesn't have any extension or Firefox that has incredibly frustrating UI and doesn't work well on some website.
Cider9986 1 days ago [-]
I can understand extensions but I like Vanadium a lot more than Safari. Reminders is hard to replace unfortunately. Overall I like android apps a lot more though. Once you find the right ones.
k4rli 1 days ago [-]
Obsidian might be even greater for notes. Looks beautiful, and it's super immersive on OLED especially. Worth trying for sure.
Tap to scroll might be possible to get also. Haven't felt need for it when it takes a few regular scrolls anyway.
Cider9986 1 days ago [-]
Thanks for the rec, I'll try it it. I like the open nature with markdown but when I tried on Mac it was a bit confusing.
Cider9986 1 days ago [-]
Yes, I have it and I use Google camera and Google photos. Not sure if default camera and gallery have it.
tonyhart7 1 days ago [-]
well you cant blame apple for that since Government can literally force your company to doing shit like this
Cider9986 15 hours ago [-]
I blame them for collecting the phone numbers. They can already make sure you're running an apple account on real hardware. If they didn't collect phone numbers, they couldn't give them away, that's how all good privacy respecting companies like Signal operate.
izacus 1 days ago [-]
I mean... your sentiment is in the right place, but Android phones (non-GrapheneOS) can be used without Google account just fine.
Yes, you need to use F-Droid & Co. to get apps (just like on Graphene), but otherwise they're functional and many people are actually using them like that.
surcap526 1 days ago [-]
[dead]
NeutralWanted 1 days ago [-]
[flagged]
HybridStatAnim8 1 days ago [-]
GrapheneOS does not interfere with law enforcement doing their jobs.
Thats like saying the right to remain silent interferes with law enforcement doing their jobs. Law enforcement has one job, enforcing the law, and that includes following their own laws. People have a right to privacy, and GrapheneOS is one of the many methods that allow people to exercise that right.
NeutralWanted 13 hours ago [-]
Not talking about graphene. I use graphene daily. I was responding to the dude butthurt about the ICE app being banned
Anvoker 1 days ago [-]
And why not? Law enforcement does not represent supreme justice and good. There are higher moral principles out there. Respect for law enforcement in the absence of justice is a disaster for society. All it does is give cover for bad actors.
izacus 1 days ago [-]
There's plenty of high moral principles, but "let's build technology that explicitly protects criminals - especially child and women traffickers - against investigation" ain't one of them for majority of people living in democracies.
milutinovici 1 days ago [-]
How does it protect trafficers especially? Does it have some extra trafficking features? Does it unlock additional capabilities if you're a criminal?
Or maybe it just protects everyone?
everyday7732 1 days ago [-]
Your assumption that "criminals" are doing something morally wrong is fundamentally flawed. Civil rights activists were criminals, as were suffragettes, and the people who protected Jews in Nazi Germany, and gay or trans people just existing in countries where that isn't allowed. All criminals. Law enforcement isn't even always carrying out the law, as we've seen with ICE arresting, assaulting, searching, deporting people on no other basis than their skin color.
Democracy dies when people can't protest. When they are under constant surveillance, afraid of being singled out by the government intelligence gathering mechanisms. Unable to speak out about injustice, organise and engage in healthy counter culture.
Look at Russia, look at China. Don't imagine that giving your own government and law enforcement the same tools of surveillance and oppression will have a different outcome.
budsniffer952 1 days ago [-]
You do realize there's another side to it, right? There are morally good examples where privacy is needed, and morally bad examples where not being able to access data is harmful.
I personally agree with you, but for most people it's not black or white. They want privacy when it suits them, but would take yours away in a heartbeat.
everyday7732 23 hours ago [-]
I agree that privacy is not always a force for good. I think that when we remove privacy we normally lose much more than we gain.
People easily focus on negative consequences of privacy (dangerous people being able to communicate secretly) and don't notice the benefits they enjoy because of privacy.
izacus 1 days ago [-]
Yes, exactly, but if you actually follow all of those groups, none of them changed things by building bunkers into which police couldn't ever enter and any crime could happen there.
As someone who grew up on the other side of the iron curtain, I find this idea that you'll make your own government an enemy and shield criminals against it utterly naive, since that's not what actually changes society. It's a form of techno-cowardice, where people hide behind technology to avoid doing the hard stuff.
everyday7732 23 hours ago [-]
It's not cowardice. It's a standard defence against tyranny. Governments can change quickly so even if you think your present government is democratic and healthy it still pays to keep the tools to defend against it if it changes.
If your government is seeking to remove those tools from you then that is a warning sign.
HybridStatAnim8 1 days ago [-]
Thats... exactly what they did. They relied on secrecy and hidden locations to aid their cause.
Like... this is how the entire underground railroad and many other examples worked out.
izacus 1 days ago [-]
Not in my part of the world, which is both safer and more democratic than the US approach you're defending.
There were also other groups hiding away and doing interesting things - killing, maiming murdering. It took access to private communication and files to take those down - you may have have heard of some [0].
Critical thinking isn't exactly your strong suit, clearly.
HybridStatAnim8 1 days ago [-]
If you are referring to GrapheneOS, there is nothing that GrapheneOS offers or advertises that "explicitly protects criminals".
GrapheneOS is not for criminals, its not aimed at criminals, its not designed for criminals. Not implicitly or explicitly.
inigyou 1 days ago [-]
Do you believe window curtains should be legal? Should it be legal for a TV to not include a microphone and require an internet connection (as recent LG TVs do)?
izacus 7 hours ago [-]
If you're too lazy to engage with the topic at hand, don't.
Anvoker 1 days ago [-]
In the era before the advent of mass digital surveillance, it was well understood that there are many different ways to fight crime. Now every time I see this conversation being had, it's treated as if keeping any amount of privacy beyond what you personally find acceptable is tantamount to endorsing the existence of human traffickers. Warrantless spread-shot digital surveillance is now often treated as essential.
I have a question for you. Why don't you advocate for more surveillance? The more active and widespread the surveillance, the more criminals can be caught. If you think it's not entirely practical, just embark on a thought experiment with me -- assume it would be practical. Would you do it? Would you have everyone be under perfect surveillance 24/7 in order to catch every criminal? Let's call this stance surveillance maximalism.
If you agree with surveillance maximalism, then we're just very different people and I don't think we can find common ground. I hope we can live peacefully in different countries with different laws that suit our preferences.
If you disagree with surveillance maximalism, then why is your arbitrary tradeoff so good? It's not obvious why it's better. You are assuming the moral high ground, but you're also doing the same thing you're accusing me of -- you're accepting some amount of traffickers existing by not being a surveillance maximalist.
By adopting this moral high ground, the discourse is kept at a shallow level. We talk less about which surveillance measures are actually effective or not, what has happened to crime rates over time, what is the context in which crime occurs, what are the negative consequences of undermining privacy, what are the negative consequences of mass surveillance etc. Instead we waste our time and energy on cheap moral opprobrium.
izacus 1 days ago [-]
> In the era before the advent of mass digital surveillance, it was well understood that there are many different ways to fight crime. Now every time I see this conversation being had, it's treated as if keeping any amount of privacy beyond what you personally find acceptable is tantamount to endorsing the existence of human traffickers. Warrantless spread-shot digital surveillance is now often treated as essential.
That's not what anyone writes, especially not me.
> I have a question for you. Why don't you advocate for more surveillance? The more active and widespread the surveillance, the more criminals can be caught. If you think it's not entirely practical, just embark on a thought experiment with me -- assume it would be practical. Would you do it? Would you have everyone be under perfect surveillance 24/7 in order to catch every criminal? Let's call this stance surveillance maximalism.
Because it's a bad tradeoff between free society and safe society. There's a reason why we put checks and balances on enforcement agencies and why it's so important to keep them up to date.
> If you agree with surveillance maximalism, then we're just very different people and I don't think we can find common ground. I hope we can live peacefully in different countries with different laws that suit our preferences.
I do not agree with surveillance maximalism.
> By adopting this moral high ground, the discourse is kept at a shallow level. We talk less about which surveillance measures are actually effective or not, what has happened to crime rates over time, what is the context in which crime occurs, what are the negative consequences of undermining privacy, what are the negative consequences of mass surveillance etc. Instead we waste our time and energy on cheap moral opprobrium.
I agree, so perhaps losing your mind and going into mindless screaming every time anyone opens a debate about tradeoff between access, surveillance and privacy isn't the best way forward. Which is what's happening here way too many times.
Just because I acknowledge an issue which gave us things like surveillance warrants and existence of police forces doesn't mean you can just strawman me into whatever position you hate. Perhaps think on the reason why every single stable prosperous society has concepts of police and police warrants which grant access to private spheres when deemed necessary.
ktallett 1 days ago [-]
You forgot terrorists on your usual list of reasons e2e is bad. Technology will always be used for bad and good, but there are far more people using it for good than bad.
Cider9986 1 days ago [-]
I meant the government deciding that downloading iceblock is a crime, because it shouldn't be, not that people who downloaded it used it commit crimes. Apologies for not being clear if that's how you were interpreting.
inigyou 1 days ago [-]
Didn't that already happen?
Telaneo 1 days ago [-]
Law enforcement aren't always moral (and sometimes even lawful!) when performing their jobs.
ktallett 1 days ago [-]
Law enforcement don't have a legal right to access all that people do, say, and think. They are there to investigate and present evidence to court incase of illegal activity, nothing more.
Cider9986 1 days ago [-]
>I work at Google, and yes. We use a monorepo for absolutely everything you can think of. But good luck getting that code off a corp device without being caught
On this subject since it's an Australian seller and marketed as "DV safe".
Australia has a national test of it's phone alert system in 10 days at 27/07/26, 2PM AEST. (People in North America would know it as Cell Alerts/Presidential Alerts etc.)
There have been warnings that hidden phones will almost certainly sound, and their recommendation is to ether power off the phone or put it into airplane mode at least an hour before the test...
subscribed 1 days ago [-]
Since it seems to be missed, in GOS you can disable these alerts completely.
grapheneos 1 days ago [-]
GrapheneOS supports fully disabling wireless alerts via the Settings app. It's possible to disable it on other Android devices via ADB.
saltamimi 1 days ago [-]
You should be able to disable these alerts via the Wireless Emergency Alerts.
b112 1 days ago [-]
You cannot on many phones, and often phones will even lie when it says all categories are disabled, as some jurisdictions have laws against turning off some of the highest alert categories.
tenacious_tuna 24 hours ago [-]
There was a tornado warning a few towns over a month ago. My spouse's phone for wireless emergency alerts kept going off every five minutes for the other town: no other warnings for our town specifically.
She ended up disabling the alerts entirely, which seemed a shame to me, but the ear splitting siren every 5minutes wasn't really conducive to our sanity or our dog's or our ability to actually hear the weather radio.
Moreover, it's a huge pain to get to the history of emergency alerts, which seems like a design flaw. Surprising how poorly a critical life system can be designed.
grapheneos 1 days ago [-]
GrapheneOS supports fully disabling wireless alerts via the Settings app. It's possible to disable it on other Android devices via ADB.
b112 1 days ago [-]
I've dealt with Android phones for which there was zero way to disable the highest alert, adb regardless. Unless you have root, it's often not possible.
Yes, GrapheneOS of course allows this.
Edit: re followup comment.
No, adb cannot be used in all cases to disable the packages involved. At all. Some phones refuse to lets users disable some packages, no matter what.
Yes, I know what I'm talking about.
As someone with decades of Linux and Android experience, who often works nights, having Quebec police use presidental alerts... CRTC regardless, to warn of a child abducted by a parent 2000km away from me, is an exceptionally strong motivator.
The sheer stupid of an alert you cannot control the volume, sound, and length of in any way, is absurd. Try going back to sleep after something screams at you, at your equiv of 2am is madness.
By god I hate those alerts.
So yes, I know. If you don't have root, and the phone won't let you disable some packages, you're done.
And it's another reason I like GrapheneOS.
grapheneos 1 days ago [-]
ADB can be used to disable it without GrapheneOS by disabling the packages providing the high level implementation of wireless emergency alerts. It's not something most people can be expected to do though. It's actually a lot easier to install GrapheneOS via the web installer than using the CLI ADB shell. ADB is also quite dangerous and people can be tricked into giving very invasive access to malware with it. We're not recommending that people use ADB for this but rather just noting it can be done.
chopin 1 days ago [-]
[flagged]
AussieWog93 1 days ago [-]
This post is literally just SEO copy designed to sell degoogled phones to (justifiably) anxious DV victims?
Their phones are more than twice as expensive as equivalent models at JF HiFi too (and 5-10x the price of an older, but still perfectly useful degoogled phone from Marketplace).
Why is it on the front page of HN?
grapheneos 1 days ago [-]
Getting a new phone is very useful to someone that's a victim of a controlling partner but it doesn't particularly need to be a GrapheneOS device. GrapheneOS has features useful for this including Auditor and standard Android profiles (Private Space, secondary users) with improvements but we're not specifically recommending it for this ourselves. People who are victims of this probably just need a new phone of any kind and to prioritize other things.
> and 5-10x the price of an older, but still perfectly useful degoogled phone from Marketplace
Devices with drastically worse privacy and security than the Android Open Source Project including lack of bare minimum updates aren't in the same space as GrapheneOS.
It's generally better for people to install GrapheneOS themselves since it's very easy and saves a lot of money. It takes 10 minutes to install GrapheneOS with the web installer. It also avoids needing to trust a company to do it, although it's possible to verify an install done by someone else is genuine with the verified boot key fingerprint and/or Auditor. An existing install by someone else should be factory reset it to avoid any sketchy configuration.
izacus 1 days ago [-]
Ok, but this is outright a scam for those victims, you realize that? A company profiteering massively from vulnerable people.
grapheneos 1 days ago [-]
There are a bunch of companies selling devices with GrapheneOS at a significant markup despite it being very easy for non-technical people to install it themselves in 10 to 20 minutes. There's a lot of demand for it and companies set prices based on what they can get away with charging.
The linked post is a mess which was probably generated with an LLM. GrapheneOS does have useful properties for this even though it isn't the focus. Someone could write a proper article making a case for it even though this isn't one.
GrapheneOS is free and we recommend people install it themselves with the web installer. People can also save a lot of money getting a used device, but we strongly recommend against an older device than a Pixel 8 due to support time. A used Pixel 8a tends to be the cheapest option. An important thing to watch out for with used devices is avoiding ones which were originally sold by carriers locking their devices. Some phone sellers wrongly label locked devices as being fully unlocked.
If people buy a device with GrapheneOS instead of doing it themselves as we recommend, we a guide to follow to make sure it's genuine GrapheneOS and get rid of any strange software or configuration it ships with:
Academically, is it a bad thing companies are selling phones preinstalled with grapheneos?
I mean in the long run, it should be a good thing to separate out the hardware phone market from the OS it comes with IMO. And for large scale adoption, it's extremely useful to have the most non-technical people using your OS, because they will complain and bugs will get reported (maybe not through the preferred channels, though).
No notes on the markup though. Infuriating there's no negotiating ability to say "you can't sell this OS on a cheap phone for 600% margins".
mrkeen 1 days ago [-]
Reasonably happy with GrapheneOS, but the number of bugs (maybe more ecosystem bugs) would make me hesitant to suggest other people rely on it as a communication device.
I have notifications turned ON for WhatsApp, Signal and Telegram. I never receive notifications from Telegram. I have to open that app to see if anyone said anything. WhatsApp and Signal notifications seem to vary between late or never? This is despite a constant notification reminder that Signal has Background connection enabled.
Also I can only send messages to some whatsapp contacts. My messages appear as pending for a while and eventually turn into 'could not send'.
HybridStatAnim8 1 days ago [-]
This is not an issue with GrapheneOS, this is an issue with your configuration, which is trivial to solve.
All of those apps support using google services FCM for push notification delivery. I dont think Telegram has a fallback, and Signal and Whatsapp have power-intensive fallbacks. You may also need to reinstall these apps for them to detect google services (apps generally dont check for google services more than once on initial launch).
classified 20 hours ago [-]
That's not how I understand the meaning of "trivial".
andai 1 days ago [-]
Can someone explain this? I've used custom ROMs back in the day (Cyanogen!) but I'm not familiar with GrapheneOS.
I remember Cyanogen ships without Google Play etc., right? (Because if you install Google Services and a bunch of crap from their store (theirs and otherwise) that spies on you, it defeats the purpose of a privacy preserving OS.
So I'm assuming Graphene is at least as strict as that? (Well Cyanogen at least give you the option of installing all that crap but that would seem to defeat the purpose in this case.)
But more broadly I'm not sure I understand the relevance in this particular context. The article mentions that an abuser could put spyware on your phone? Is that a realistic scenario? (Ok I suppose half the stuff on the Play store is spyware so maybe it's more realistic than I'm thinking...)
grapheneos 1 days ago [-]
> So I'm assuming Graphene is at least as strict as that?
GrapheneOS is a privacy and security hardened OS. LineageOS and CyanogenMod aren't in that space. GrapheneOS preserves the standard privacy and security features and updates of the Android Open Source Project as a baseline. It greatly improves privacy and security with major privacy and security features along with much better privacy/security updates. It keeps up with the major OS updates including having a release based on Android 17 since the day it was released (2026-06-16).
> Can someone explain this? I've used custom ROMs back in the day (Cyanogen!) but I'm not familiar with GrapheneOS.
GrapheneOS is a production quality OS with around 15 people paid to work on it. It's not a hobbyist project. We've never used the term custom ROM since it isn't accurate and propagates misconceptions. It's best to avoid it.
> The article mentions that an abuser could put spyware on your phone? Is that a realistic scenario?
Yes, stalkerware is very common and there are a bunch of apps marketed for this purpose. It's helpful to get a new phone set up from scratch without the same accounts or automatically restoring any data on it. This can be a GrapheneOS phone but it doesn't particularly need to be. It's not GrapheneOS recommending itself for this purpose. There are an assortment of privacy and security features relevant to this in standard Android 17 and in the features added by GrapheneOS but nothing essential to this. GrapheneOS makes sense as a general choice for a new phone for many people due to being a highly usable, compatible, private and secure device but we're not specifically recommending it for being who are victims of stalkerware ourselves.
yjftsjthsd-h 1 days ago [-]
> We've never used the term custom ROM since it isn't accurate and propagates misconceptions. It's best to avoid it.
It's a ROM (in the phone sense), and it's not stock (so installing it is a customization). In what way is it not a custom ROM?
grapheneos 22 hours ago [-]
> It's a ROM (in the phone sense)
There are multiple ROMs involved but GrapheneOS isn't one. There's an SoC boot ROM which loads SoC firmware from the SSD, verifies it and transfers control to it. The littlekernel-based firmware stage which loads GrapheneOS isn't a ROM. GrapheneOS and most of the SoC firmware are simply stored on SSD partitions. There are A/B partitions for both the SoC firmware and the OS on the SSD. Installing (flashing) GrapheneOS involves writing out images to those partitions on the SSD and erasing an existing data partition which also happens as part of unlocking or locking the device. Those partitions aren't read-only from an OS perspective. Verified boot secures what's stored on those, not any form of hardware or firmware level write protection.
There are also boot ROMs for other hardware components. Many of those are responsible for receiving firmware uploaded by the OS to the hardware component at boot, verifying it and transferring control to it. The secure element has separate persistent firmware with a separate verified boot process since the OS isn't allowed to update it until the Owner user has successfully authenticated so it needs persistent firmware. Other hardware components mostly don't need persistent firmware and it's more secure if they don't have it.
> it's not stock
GrapheneOS will be available as the stock OS on multiple Motorola Mobility devices based on our partnership. It won't necessarily be available as the stock OS when the official support for it launches since it's not one of the minimum requirements but it's planned.
> so installing it is a customization
It's a separate OS forked from the Android Open Source Project but this terminology gives many people the incorrect impression that it's a modification of the stock OS. It leads to many people asking questions about what it removes from the stock OS and believing we removed Google integration when that was never present in the baseline. There are a lot of misconceptions which are propagated by this terminology. We don't use it and think it only serves to create unnecessary confusion and misconceptions.
> In what way is it not a custom ROM?
It was just never accurate terminology for forks of the Android Open Source Project on modern devices. The terminology originates from phone modding prior to Android and there was a time it made sense. It hasn't made sense for a long time.
yjftsjthsd-h 21 hours ago [-]
>> It's a ROM (in the phone sense)
> There are multiple ROMs involved but GrapheneOS isn't one.
> [...]
> It was just never accurate terminology for forks of the Android Open Source Project on modern devices. The terminology originates from phone modding prior to Android and there was a time it made sense. It hasn't made sense for a long time.
I did say "in the phone sense". I suppose if you want to be pedantic and point out that it is not literally stored on read-only memory, and you agree that the same is true of every such system (e.g. you would equally say that LineageOS isn't a custom ROM because it lives in rw flash memory), that's... not how anyone uses that word, but fine, yes that is technically true for the meaning of the word that nobody uses outside of low-level hardware engineers.
>> it's not stock
> GrapheneOS will be available as the stock OS on multiple Motorola Mobility devices based on our partnership. It won't necessarily be available as the stock OS when the official support for it launches since it's not one of the minimum requirements but it's planned.
So we agree. It's not stock. Someday, it might be available on some devices as the stock OS, but it isn't today, and even when it is available as such it will also be available as a custom ROM, unless you intend to discontinue it for all other devices.
>> so installing it is a customization
> It's a separate OS forked from the Android Open Source Project but this terminology gives many people the incorrect impression that it's a modification of the stock OS. It leads to many people asking questions about what it removes from the stock OS and believing we removed Google integration when that was never present in the baseline. There are a lot of misconceptions which are propagated by this terminology. We don't use it and think it only serves to create unnecessary confusion and misconceptions.
I start with a device. I replace its OS. It works differently. I have customized the device. I would agree that GOS isn't a mod, say, but it is a custom change.
Also, it's bizarre to object to being described as a customized ROM when the whole point is how much it changes from AOSP. The entire selling point - everything listed on https://grapheneos.org/features - is explicitly why its changes are an improvement. If you want to emphasize that it's a full replacement I guess that's a distinction, but it's still a customization of the phone vs stock.
Cider9986 1 days ago [-]
Zero Google services are shippsx by default, but you can install Play Store and Services in a sandbox and it has minimal privacy problems, depending on the permissions you give it.
Their docs are really good, not only for their phone but for learning about privacy and security: https://grapheneos.org
You could still install an app that spies on you on grapheneos because it has 99.99% android app compatibility, so if you gave an app designed for spying the relevant permissions, it would still be able to spy. No way it could hide location indicator or anything like that, but I doubt it could do that on other OSes (don't quote me on other OSes).
lewiscollard 1 days ago [-]
> The article mentions that an abuser could put spyware on your phone? Is that a realistic scenario?
Yes, stalkerware is an entire genre of software and it is designed for exactly this purpose.
A web search for the term will turn up many more results. Graphene OS's hardening against exploits, compared to the abysmal record of Android vendors, gives much better odds against any of these apps being able to run with elevated privileges, which means Android's sandboxing is effective.
(Happy Graphene OS user of many years here.)
palata 1 days ago [-]
Happy GrapheneOS user here as well, but...
I am having a hard time believing your first link, which says:
> In Anna’s case, stalkerware was disguised as a picture message, sent to her by the man she was dating (let’s call him David), just a few weeks after they met. She was then under constant surveillance for about two years
That sounds like an NSO-level attack, right? I doubt abusers routinely pull that out?!
I totally get the problem that "the abuser knows the iCloud password and can use the FindMyPhone feature to track the victim", or "the abuser convinced the victim to install an app that would track the victim without their consent". But I am genuinely wondering how much GrapheneOS protects against that.
grapheneos 1 days ago [-]
> That sounds like an NSO-level attack, right?
There are many tiers of far easier remote attacks far easier than exploiting an up-to-date iPhone through iMessage of WhatsApp. It doesn't mean that's what happened but it's often not something that's extremely difficult. Many people use phones with years of missing security patches. It's getting increasingly easy to exploit those in the age of LLMs.
Regardless, it sounds more like a social engineering attack tricking someone into installing an invasive app and granting invasive permissions to it.
> I doubt abusers routinely pull that out?!
They do regularly use social engineering to trick their partners into setting up stalkerware or permitting it to be installed. Getting a new phone and accounts is a very helpful for people who are victims of it. They've often given access to their accounts and devices without knowing how to fully get rid of it. Reclaiming the existing devices and accounts is far easier if they have a clean one to start from where they can get technical help. It doesn't specifically need to be a GrapheneOS device, but it's a good choice in general and doesn't require being technically savvy to use or even install it.
palata 1 days ago [-]
> Many people use phones with years of missing security patches
Right, yeah that's actually a good reason to use GrapheneOS.
> It doesn't specifically need to be a GrapheneOS device, but it's a good choice in general and doesn't require being technically savvy to use or even install it.
I totally agree here. Very good choice, and I would argue that a "normal" person wouldn't make the difference between GrapheneOS with sandbox Play Services and stock Android. Installing may be intimidating, even though the GrapheneOS installer is extremely impressive (it just works and doesn't require any knowledge). Still normies tend to get intimidated just from the idea of reinstalling their system :-).
watwut 1 days ago [-]
> That sounds like an NSO-level attack, right?
Not really, these are available to any script kiddy as long as unpatched phones and software exists. It takes some initial effort to find them out, but that is it.
And I remember similar attacks floating around few years ago even outside domestic violence situation.
izacus 1 days ago [-]
It's an advertisement. That's pretty much the difference, the company selling these phones has a very high margin for essentially resell of Google phones with reflash of GrapheneOS.
Nursie 1 days ago [-]
I mean, some obvious things are there in the article, IMHO -
- App isolation and hidden profiles (up to 32 separate profiles)
- Verified Boot (tamper detection on every startup)
So you can do stuff on there that's not going to tip off someone who's controlling enough to demand to see your phone, and so you'll at least be tipped off if someone compromises it.
palata 1 days ago [-]
> hidden profiles (up to 32 separate profiles)
I am a happy user of GrapheneOS, I don't know about "hidden" profiles. I am not sure what they are talking about.
> App isolation
That's an Android thing, not specific to GrapheneOS.
> Verified Boot (tamper detection on every startup)
That's an Android thing, not specific to GrapheneOS.
mrkeen 1 days ago [-]
Indeed, whenever I reboot (which is very frequently, because Mastodon will only open, not reopen. If I close it, I need to reboot before using it again) I see the tamper detection. It warns me that I'm using GrapheneOS, not Android.
palata 1 days ago [-]
Yeah that's telling you that you are using custom signing keys (the ones of GrapheneOS, which should be compared once with those published on GrapheneOS' website).
Stock Android runs the tamper detection just the same; they just don't warn about the custom keys because the keys are not custom, they are the ones expected by the manufacturer :-).
defrost 1 days ago [-]
[flagged]
Walf 1 days ago [-]
Have you got a link to anything about hiding parallel accounts? I use GrapheneOS, and don't see anything in the UI about it. Am I looking for the wrong thing? From what I can see, it's the same as stock Android's user switching, which has obvious UI elements about switching session.
As much as I don't like to, I do use Google things on phone, and I've really only ever used secondary profiles to use shady apps with far too broad permissions, such as the kind required to update firmware or get data from wireless/Bluetooth devices.
If you do want a smart phone, but don't want rubbish on it, Graphene is very bare-bones by default. F-Droid and other FOSS-friendly app stores can fill in a lot of gaps, and respect your privacy.
Some apps will simply not run without Play Services, but if you had to use such an app, I believe you could do it in a second profile and have Play Services disabled in your main. Regular apps installed for secondary profiles show as "Not installed for this user" in my main, but Play Services is a bit special.
defrost 1 days ago [-]
[flagged]
palata 1 days ago [-]
> I may very well be assuming things about G-OS that it doesn't yet have (or may never have).
No offence but... next time maybe make it clear that you are just assuming and don't have any experience with the thing you are describing?
> My mental picture would have been it having partitioned storage (to reduce chance of accidental over writes) filled with "random seeming 'noise'" that held hidden account specific data only accessible with a user provided key.
That would be a normal account on an encrypted phone. Nothing special about that.
defrost 1 days ago [-]
[flagged]
monksy 1 days ago [-]
I use GrapheneOS, I would endorse it for anyone that is technically capable.
senectus1 1 days ago [-]
[flagged]
karlkloss 1 days ago [-]
The site has CAPTCHAs, and I'm too dumb to solve them, because the pictures are so bad that I can't make out anything.
How did we get there?
redleader55 1 days ago [-]
It's funny the page recommends de-Googled phones, but requires a Google service(reCaptcha) to view the page.
OsrsNeedsf2P 1 days ago [-]
Just open your favorite browser MCP and ask it to beat the captcha
I've used GrapheneOS, but not PrivacyPros setup. The site is interesting. It is almost like a to do list of things for my phone. Most of the things they've done feels like a topic to look into and consider implementing.
lazycatjumping 1 days ago [-]
The Fingerprint with Pin 2FA is a huge game changer.
inigyou 1 days ago [-]
This the same country that exiled the creator of Session because privacy is illegal?
trial_version 1 days ago [-]
Haven't anybody noticed an iPhone in the illustration, or is it just my mind working that way?
Barbing 1 days ago [-]
Stock photo - yeah that triple camera is equivalent to an Apple logo. Perhaps royalty-free image chosen without enough care or b/c it’s just a stock photo. (Or they already licensed that one.)
aucisson_masque 1 days ago [-]
Why care about what Google know about you, in case of domestic abuse ?
It's not like Google is going to sell your tracking data to abuser.
There are many reasons to get rid of Google altogether, I just don't understand this one.
Cider9986 1 days ago [-]
Any data collected can be abused. This is like saying why care about what flock knows about you, when it's been used by far too many police to stalk their romantic interests.
Police can obtain data from Google. Police can be abusers or friends with abusers.
nyargh 1 days ago [-]
You should google 40% of police..
poly2it 1 days ago [-]
So that your abuser cannot obtain real-time information about you via integrated accounts.
fragmede 1 days ago [-]
> It's not like Google is going to sell your tracking data to abuser.
No, that's exactly the fear. With enough disclaimers and third parties involved, a motivated, highly intelligent and rich attacker with the right connections could get that information.
izacus 1 days ago [-]
Explain how (in comparison to GrapheneOS) please.
Cider9986 1 days ago [-]
Zero Google services ship by default.
izacus 1 days ago [-]
I meant - explain how would that data retrieval actually happen in real life for a domestic abuser.
inigyou 1 days ago [-]
Abuser calls police and says the victim did some crime, police subpoena Google for location history.
bryan_w 23 hours ago [-]
How is that different from getting that data from the phone company?
inigyou 23 hours ago [-]
It isn't?
fragmede 16 hours ago [-]
The end result is the same, the abuser gets the location of their victim. More routes for the abuse to get that is worse than fewer ways for them to get it.
The tl;dr is that you can either share this data by accident through some sort of "locate my family" app, or because your abuser gets access to your Google/Apple account (for instance because you're signed in on another device they have access to).
The threat model here can be: domestic abuse victim flees a situation at home in a hurry, stays signed in on a computer. Abuser uses the sign-in on that computer to track their phone, figures out they're staying at their aunt's place.
Yes, you can avoid this on a regular Google phone as well, but that requires correctly configuring it (and a lot, such as location and search history, can be re-enabled remotely!). If you're running Graphene you are protected by default, rather than compromised by default.
aucisson_masque 1 days ago [-]
Even on grapheneos you got to install the play store and play services to get most app to work, which mean connecting to a Google account.
Technically you can use fdroid, Aurora store, or only use stock applications but if we are serious, not all domestic abuse victims are also geeks that know how to do all these things.
They will need their apps, for instance for social security. Also, many people use their phone to pay nowadays, can't do on grapheneos.
Domestic abuse is a serious threat and people are motivated to stay away from their abusers, but if you give them something so barebone that they can't do 90% of their stuff, a significant percentage of them will revert to their old behavior and risk compromising themselves. For instance, buying a second phone and connecting it to the old Google account just to browse tiktok.
StingyJelly 1 days ago [-]
They don't need completely bare-bones setup. Sweet spot for non-geeks is installing play services, which can be used without signing into an account and by default have invasive permissions revoked. Then installing playstore apps from aurora store.
Cider9986 1 days ago [-]
Play store is not a significant privacy risk. It is a huge improvement being sandboxed, not installed by default, not given permissions by default.
Grapheneos has 99.99% app compatibility and over 90% of banking apps are compatible.
izacus 1 days ago [-]
This is a submarine Advertisement for a company that will resell you a Google Pixel phone with likt 50% markup and preinstalled GrapheneOS.
Let's not normalize this kind of profiteering out of OSS.
mmooss 1 days ago [-]
Is GrapheneOS usable by everyone, including the most non-technical phone users, in a secure way?
They also recommend at least 12 GB RAM. What about domestic abuse survivors requires that?
Cider9986 1 days ago [-]
Yes it's usable by everyone. It's secure by default but anyone can make something insecure. For example granting malicious apps accessiblity permissions would not be great for security.
It has 99.99% android app compatibility. Over 90% of banking and government apps work. These apps take extra measures to ban grapheneos, apps must put in work to make their app incompatible, not the other way around.
I wouldn't say anyone can use it, if you can't sign in to a Google account by yourself then you would have trouble setting it up. But that would be similar on iOS. For the average person, definitely. There's no code or anything like that. Works just like stock Pixels.
If I was giving it to my grandma then I would install her apps and she would be fine clicking icons. But similar on iOS.
Yeah that RAM mention is very strange, not the best article.
mmooss 1 days ago [-]
See my response to the sister comment, if you don't mind.
> anyone can make something insecure
Many consumer products, including iPhones to a significant degree, are designed to prevent this, much to the frustration of hackers. 'What do you mean I can't sideload random apps?' Or other products: It takes a lot of effort to make your car insecure, or to make your stove leak gas. They are carefully designed for safety.
rcMgD2BwE72F 1 days ago [-]
Yes, I find it much easier to set up and use than any other Android phone. There’s less bloatware, and battery life is noticeably better.
Two tips for beginners:
Google Play Store and Google Play Services can be installed from the App Store. They aren’t included by default because GrapheneOS works fine without them.
If a trusted app has trouble running, try enabling Exploit protection compatibility mode on the app’s Info screen (long-press the app icon → Info → Exploit protection).
People in IT vastly overestimate what others understand:
> Google Play Store and Google Play Services can be installed from the App Store.
Few will manage this on their own. What is Play Store? And what are Play Services? What does 'services' mean? Do I need both? Can I just use one or the other? When would I use them?
> They aren’t included by default because GrapheneOS works fine without them.
It doesn't, from what I understand. For normal users, 'works fine' means they can download and install any app.
> If a trusted app has trouble running, try enabling Exploit protection compatibility mode on the app’s Info screen (long-press the app icon → Info → Exploit protection).
lol - 'exploit'? 'mode'? 'app’s Info screen'? Even 'long-press' is not usuable by many, especially older people and others with less manual dexterity than 20-something software designers.
> you should switch to a more trustworthy bank
That isn't a serious solution. I love GrapheneOS, but it isn't ready for typical end-users.
____mr____ 1 days ago [-]
Very weird post, I dont see how a victim with not enough agency to control what apps are on their phone will somehow be able to install a custom os
It's not as easy as it can be (the text is aimed at people familiar with Android flashing) but in practice you need to toggle one setting, reboot holding the volume button, and then click four buttons in your browser in order, with the exact names for settings spelled out in the guide itself.
I don't think wiping an abuser's malware is such a great solution unless you've already managed to get out of the DV situation. Perhaps GrapheneOS is a good idea on a secret second phone?
tripleee 1 days ago [-]
You'd be surprised how easy GrapheneOS is to install. You literally do it through a browser with your phone connected via USB.
palata 1 days ago [-]
I don't think it was the point of the parent. Sure it's easy to install, but the point is that if an abuser can somehow control your phone and install that kind of app, then they probably won't let you remove it.
I am a (very happy) GrapheneOS user, I am certain that I can install a tracking app on it. I can even easily side-load an abusive app that would be banned on the Play Store...
Like I would totally recommend GrapheneOS because it's great, but I don't think it solves the problem of "a domestic abuser can access your phone by making you give access to your phone".
____mr____ 1 days ago [-]
I know how easy it is to install graphene. But if your abuser is controlling the apps you install they can (should) see you installing a new OS or changing your phone?
raffael_de 1 days ago [-]
also recommended for government abuse victims.
charcircuit 1 days ago [-]
This is just the company use DV as a manipulation tactic to get you to buy their phones.
b112 1 days ago [-]
This is just dumb. I'm sorry, it's dumb.
Why?
Here we're discussing a domestic abuse situation, where people are forcing victims to hand over their phone, and have apps installed to keep track of them. Against their will.
And the solution is to... what? Mysteriously have control of your own phone, and install an OS which prevents this? Seriously? I can just imagine it, when the unfamiliar OS is discovered, or the app not working. This is a domestic abuse situation, it's not about hidden sneakiness.
It's about in-your-face control. It's about forced compliance, or else. It's about the abuser becoming exceptionally upset about their tracking not working, or about a new, mysterious OS.
Installing GrapheneOS would not be tolerated. It would be an act which comes with reprisals. I can just imagine the reaction when the abuser can't get the phone to do as they wish, for the person to disclose what the OS is, or just to hand over their unlocked phone, and discover it's GrapheneOS, and Google it and see what it's for.
It's actually horrible advice to advocate the someone in this situation installs GrapheneOS. How could it possibly help?
GrapheneOS is great to protect from secret, unknown spying. Not some domestic abuse situation where spying isn't via secretness.
mnw21cam 1 days ago [-]
Agreed. It'd be great for after the person has left the DV situation but not really beforehand.
d--b 1 days ago [-]
This is a website made by people who sell phones that are 100% tracker-free, and that run on GrpheneOS.
I wouldn’t recommend domestic violence victims to install graphene os on their phone by themselves
grapheneos 1 days ago [-]
It's generally better for people to install GrapheneOS themselves since it's very easy and saves a lot of money. It takes 10 minutes to install GrapheneOS with the web installer. It also avoids needing to trust a company to do it, although it's possible to verify an install done by someone else is genuine with the verified boot key fingerprint and/or Auditor. An existing install by someone else should be factory reset it to avoid any sketchy configuration.
Getting a new phone is very useful to someone that's a victim of a controlling partner but it doesn't particularly need to be a GrapheneOS device. GrapheneOS has features useful for this including Auditor and standard Android profiles but we're not specifically recommending it for this ourselves. People who are victims of this probably just need a new phone of any kind and to prioritize other things.
harvey9 1 days ago [-]
I flashed a pixel using their webpage. They have made it remarkably simple to do.
mmooss 1 days ago [-]
How do you know what they installed? Also, I understand that GrapheneOS installs are very simple now.
I should have been explicit: I used the GrapheneOS webpage. I am placing my trust in them but I am not under any particular threat and just liked that they have stated they won't support age verification.
HybridStatAnim8 1 days ago [-]
GrapheneOS provides verification steps at the end of both installation methods to ensure your install is genuine.
Cider9986 1 days ago [-]
Auditor [1] might work. But GrapheneOS recommends flashing yourself.
[1] attestation.app
bigiain 1 days ago [-]
The website also says:
"Australian research shows that 99% of domestic violence cases now involve some form of technology-facilitated abuse."
Where the "Australian research" is linked to a page where the first Key Finding states:
"Over one quarter (27%) of domestic violence cases involve technology-facilitated abuse of children."
Doesn't fill me with confidence in anything they say (even if I do believe the advice is right).
defrost 1 days ago [-]
The relevant quote* from the linked Australian research is:
Technology-facilitated abuse is becoming more and more of a key feature of domestic and family violence. A 2015 survey of 546 domestic and family violence frontline workers found that 98% of respondents had clients who had experienced technology-facilitated abuse.
The research then focuses specifically on children, finding that of all the domestic violence cases, 27% involve technology-facilitated abuse of children.
Can you expand on what it is that "Doesn't fill [you] with confidence" ?
98% of "frontline workers" having direct experience of "Technology-facilitated abuse" (ie. have encountered at least one case of it out of all their cases)
is very different to
98% of "all domestic violence cases" involving "Technology-facilitated abuse".
Cider9986 1 days ago [-]
I'm curious what you are considering with recommending buying a privacy phone vs buying a regular phone and flashing in a DV situation?
arkhiver 1 days ago [-]
It's almost like they're trying to sell you one of their phones... not cool
Cider9986 1 days ago [-]
I disagree, it's cool to promote good projects like GrapheneOS that help people.
Have you seen how many articles recommend not secure and not private alternative phones, that's not cool.
Edit: damn some of their phones with it preloaded are like 4x the price your can get for pixels in the state's. Can't speak to Australian prices for regular pixels tho.
bigiain 1 days ago [-]
The cheapest option, Pixel 10, costs $1349 from Google, they want $1990 (in Australian Dollars, that's about $940 and $1390 in USD)
So not quite a 50% markup on the bard phone, not quite as bad as 4x.
And while I'd feel like a jerk if I asked for money helping someone at risk of DV setting this up, if I was doing it as a business with the mandatory warranty and support this'd need to include in Australia, I think that's expensive but probably fair?
Cider9986 1 days ago [-]
Yeah fair enough. I see 400-500 USD new 10s on eBay so that's where I was coming from. I wonder how much shipping and importing from the US would be.
Interesting they don't sell the 10a, seems like a great budget phone from what I've seen.
Edit: I didn't consider taxes and initially I assumed exchange rates were more similar then they are.
Law in my profile heh (not on purpose)
tranq_cassowary 1 days ago [-]
GrapheneOS user and community member here. TLDR: The blog post that this thread links is full of misrepresentations and falsehoods about what GrapheneOS offers and also is heavy mismarketing of the phones and services PrivacyPros offer. I recommend to avoid PrivacyPros.
The basic premise, that a secured and private phone, is useful for domestic abuse victims is of course okay. It is true that protecting your privacy from abusive family members can be useful and GrapheneOS' features, which are accurately described on their own website (contrary to the linked blog post), certainly help remove threats in that regard. See : https://grapheneos.org/features
. This is dependent on the specific situation, of course, (e.g. huge difference between ex-partner stalking you and a current partner you live with abusing you), because if you are forced to give your phone password at the threat of being hurt, a secure phone won't really help you a lot.
While the licenses that GrapheneOS uses permit companies to establishes businesses using GrapheneOS software, it's not recommended by the project to buy pre-installed phones, certainly not pre-configured phones, like PrivacyPros offers. The install process of GrapheneOS is simple if you are using the WebInstaller, and there is a lot of free support available in the community chat rooms and fora if you bump into issues. This saves you a lot of money because you can buy a new, used or refurbished Pixel with the stock OS installed at a much lower price. If you install GrapheneOS itself the guide also mentions you have to verify the integrity of your installation. That also holds true for preinstalled phones, you should check the verified boot hash and set up Auditor app. Preconfigured phones should actually be completely factory reset, not only from the OS but preferably also from recovery mode and then set up again, with a check of the boot hash and a set up of Auditor app before you install any apps or start changing settings. You don't know what PrivacyPros has changed to the settings, what they loaded on the device and Auditor should be set up by yourself and straight from the beginning, before you start using the device, because pinning-based security is an important part of its security model and you would want to be pinned to a clean state from the post install.
The blog post and also the PrivacyPros website where they promote and sell their phones is riddled with unnecessary misguided advice and also falsehoods about what GrapheneOS offers and what the dangers of the stock Pixel OS and Android in general are. Pixel OS and Android in general are portrayed way too negatively. I'll just give a few examples because it will cost me way too much time too debunk and correct all of it. These ones are verified easily by yourself and I hope it just makes clear you can discard everything PrivacyPros has written and makes clear you should just consult the official GrapheneOS website. So, they pretend as if Android and Pixels themselves don't have a permission model, multiple users and verified boot. This is untrue. GrapheneOS hardens the app sandbox and permissions model more and offers stuff like storage scopes to work around to broad permissions, but the sandbox and permissions model itself exists for Android in general. Verified boot is also a standard Android feature, and also exists on iPhones and even on MacOS and ChromeOS. Multiple users are part of Android, GrapheneOS just increases the available number of users and increases their usability. Also note that users don't improve sandboxing. Sandboxing and access control exist within profiles as well, profiles are mainly meant for increased isolation via separate user data, user settings and VPN slots. They also offer separate encryption keys allowing you to selectively put data at rest etc. The whole idea of a "ghost" profile and user profiles being at the centre to security and privacy is misguided. They also call about kill switches, Pixels don't have hardware kill switches and the software kill switches are just part of Android.
pbgcp2026 1 days ago [-]
Good luck with "age verification" ...
Sn4ppl 1 days ago [-]
[dead]
surcap526 1 days ago [-]
[dead]
wolvesechoes 1 days ago [-]
[flagged]
lewiscollard 1 days ago [-]
> God, I hate techno-solutionism.
I don't hate it nearly as much as this weird genre of accelerationism where any attempt to improve one's immediate circumstances is just a distraction from the real work that needs to be done.
wolvesechoes 1 days ago [-]
And where the acceleration comes in in such description?
Improving one's immediate circumstances in such context is talking to someone and asking for help, not spending days installing latest set of tools endorsed by privacy advocates and bricking one's phone due to accident while flashing privacy-friendly ROM.
grapheneos 1 days ago [-]
There's no risk of bricking a device by using the official GrapheneOS web installer and it takes 10 minutes. Devices can also be purchased with GrapheneOS installed.
Aside from that, GrapheneOS isn't read-only memory firmware and that incorrect term should be avoided since it propagates misconceptions.
wolvesechoes 22 hours ago [-]
Thanks for correction, I'll try to be more accurate in the future
ButlerianJihad 1 days ago [-]
This.
I looked at this headline and I thought to myself, that I couldn't think of a stupider solution or a dumber sales pitch than "hey DV victims! use this complex gadget!"
No. I mean, come on. This is the sort of thing where people read a poster in the ladies' room and then they carefully plan a discreet exit from their life of abuse. These are very low-tech escapes. They involve packing your necessities and slipping out while your abuser's not watching.
And yes, the social safety nets, and the institutional protections, are the operational needs here. No gadgets, please.
watwut 1 days ago [-]
Domestic abuse victim still need to call their workplace, childcare, manage bank account, pay bills. They have grandparents they contact, they have acquitances and friends. Otherwise said, live.
The discret exist where you leave everything behind is the most disasterous situation to be in.
dmsehuang 1 days ago [-]
[flagged]
appplication 1 days ago [-]
Did you get lost from the music video thread?
virajk_31 1 days ago [-]
[flagged]
Cider9986 1 days ago [-]
What was troubling for you using it or setting it up?
virajk_31 1 days ago [-]
[flagged]
grapheneos 21 hours ago [-]
Many of the GrapheneOS features including Contact Scopes, Storage Scopes, Sensors toggle and things most users can understand and are very interested in having. Most of what GrapheneOS provides is under the hood which is a good thing for usability but there are plenty of features non-technical users can see and understand.
Installing sandboxed Google Play is done by simply pressing the install button for it in the GrapheneOS App Store.
1 days ago [-]
nunobrito 1 days ago [-]
[flagged]
Cider9986 1 days ago [-]
Grapheneos is the least shady OS. Why would a mass surveillance agency compromise hardware when they can simply spy at the software level though Google's deep insights into devices?
Those Android distributions you refer to are not up to date, don't fully remove Google services, don't ship patches fast, don't improve exploit protections, have worse compatibility, don't make Google's services more private by running them in a sandbox, dont add additional important permissions.
Grapheneos ships security updates faster then Google on pixels. If you want the best protection against zero days or mass surveillance, grapheneos is the best option.
Grapheneos is fully run on donations and has provided information in various posts. Most crypto donations by volume are in Monero, Eth and Bitcoin have a few large donations. They are registered as a legal entity in Canada.
nunobrito 1 days ago [-]
[flagged]
grapheneos 22 hours ago [-]
There's a lot of evidence showing governments need to develop or purchase exploits for iPhones and Pixels. There's no evidence of there being any hardware backdoors.
> It is also suspicious the preferential treatment given to that suspicious distro while all others are left in the dark.
We don't receive any preferential treatment from Google. Android's business side disallowed us from receiving any form of partner access and took away the security patch preview access given to us by Android's security team. That has been the case for years. We have security preview patch access but it isn't from either Google. Google also hasn't ever allowed us to have early access to major Android releases but that doesn't mean we haven't obtained it.
> Using hardware from a vendor that cannot be audited and every possible business interest in spying you.
You can claim this about any hardware. Pixels meet our hardware requirements and we're expanding support to multiple upcoming Motorola Mobility (Lenovo) devices meeting our requirements. There will be a growing number of Motorola devices with official support for GrapheneOS.
> Same excuse argued by Signal
GrapheneOS has never received any government grants and is fully funded by donations. Signal didn't cover up that they were received Open Technology Fund grants and other government money.
> It is easy to be transparent about donations rather than opaque: publish the operating costs and level of donations by a certified auditor without need to disclose names.
The entirety of the GrapheneOS funding comes from donations. Our finances are audited every year as a requirement for a Canadian non-profit receiving more than $500k/year in revenue. The purpose of the audits is nearly entirely to make sure we're spending all of the money. It makes sure that all the money is accounted for and being spent appropriately. A subset of our expenses are specifically checked to make sure of it. It also involves more than that but it has little to do with where the donations are received from. Donations are largely made anonymously. We can see names for Wise and PayPal donations but they're often not the legal names of individuals or companies. Most donations are received via cryptocurrency.
We can publish information on our revenue and expenses but it's not clear what that has to do with the unsubstantiated claims you're making about us or why it would stop you from doing it.
> But you won't, strangely enough.
You weren't responding to anyone that's part of the GrapheneOS project.
ChrisRR 1 days ago [-]
What do you think are the non-shady android distros?
nunobrito 1 days ago [-]
[flagged]
grapheneos 22 hours ago [-]
> Android itself is shady as heck
In what sense is anything shady about the Android Open Source Project (AOSP)?
> WiFi and SIM card chips are compromised right out from the factory
This is an unsubstantiated claims not only lacking evidence but heavily contradicted by a large amount of available evidence. It also has nothing to do with Android.
> People are usually OK with options like postmarketOS (non-Android) or with the most popular distros like LineageOS. Some jump to things like SailFishOS (attention: russian financial hands on that one).
postmarketOS and the desktop software stack it uses is far less private and secure than AOSP.
SailfishOS isn't open source like AOSP and is far less private and secure than it. It combines many of the worst aspects of desktop operating system security with low-end Android device security.
LineageOS is another fork of AOSP but doesn't preserve all the standard updates and privacy/security protections.
None of those are a hardened OS greatly improving privacy and security compared to the baseline of AOSP. None are as private and secure as unmodified AOSP. Those aren't in the same space as GrapheneOS.
> Even a cheap chinese smartphone with their "stock" Android can argue for being less shady and raise less attention to yourself than a distro which forces you into specific poisoned hardware. That is just dumb.
You aren't backing up your claims of hardware being compromised with evidence. You're also not being specific about what it is you consider to be a problem. You have an issue with us using Pixels. Does that also apply to the upcoming Motorola Mobility (Lenovo) devices too? Which specific hardware do you think would be okay to use? We need hardware meeting our requirements for updates and hardware-based security features which is why Motorola needs to improve their devices to meet our requirements. GrapheneOS also needs extensive porting work to devices due to the hardware-based security features and the need for drivers/HALs to be made compatible with the exploit protections.
HybridStatAnim8 1 days ago [-]
Saying "and that is a fact" doesnt somehow make it a fact. Youre making stuff up. You will gain privacy by using GrapheneOS. The wifi and cellular hardware are not compromised.
GrapheneOS only supports devices that meet the baseline hardware security requirements. Pixels arent "poisoned" and there is no evidence to suggest any hardware backdoors exist, and quite a lot of evidence to show they dont exist.
For example:
Say anyone that downloaded IceBlock commited crime, Apple could give the govt everyone who downloaded its phone number, the govt could get the realtime location of everyone based on their phone number from the carrier.
And that's not even mentioning the other problem that nobody can download IceBlock anymore[1].
It's so refreshing for my phone not to ask for any identifying information when I set it up. GrapheneOS is a better software experience than iOS anyway[2].
Phones have great potential to be the most private and secure computers, cell services not withdrawing. And iPhones are one of the most private and secure devices. But, Apple uses that to restrict its users freedom and it makes Apple's users can easily be controlled by any government.
GrapheneOS delivers that dream.
[1] https://www.iceblock.app/
[2] once you install good apps. This is coming from a lifelong iOS user. Not prejudiced against Apple, I use a Mac (without an account) and their Advanced Data Protection is great (when I had an account).
What good is free software if using it marks our devices as untrusted and gets us banned from every service out there? Gets us ostracized from digital society? Because we "tampered" with the device?
We should be able to run whatever software we want and they should be none the wiser. Instead, we are part of the threat model now. Our devices are now cryptographically attesting that they are corporate owned and that we are under corporate control. It's so disgusting. The future we're heading towards is terrifying. Everything the word hacker ever stood for will be destroyed if this keeps up.
[1] attestation.app
And even if our own keys could be used, who's going to trust those attestations? Nobody. They will trust Google's keys, Microsoft's keys, Apple's keys. Not ours.
but no one uses blind signatures for attestation so it can be used to fingerprint your device's serial. they do try to make it hard. but generally you should assume that if whoever you are attesting to colludes with google they will obtain your HWID - and if it's google you are attesting to you should assume they have your HWID.
GOS uses a proxy for attestation, but it does absolutely nothing for this threat model.
PS: DRM is even worse, there is no intermediary and the APIs are open to all apps. you probably need to be a well resourced intel agency to make use of it as you need to source a valid DRM license server certificate. technically, actual license servers are in violation of their agreements with google, apple, etc if they use the license request for fingerprinting. but they do retain the ability to blacklist silicon (invalidate pirate devices from pirated media watermarks).
That is not what remote attestation is for. The operating system maintains isolation between apps, so a free software app being installed doesn't mean an app that needs high security is compromised.
In a world of deeply untrustworthy Big Tech, and trend of governments, banks and other basic services needed to exist in society relying on apps and in the future, websites that use remote attestation, that is very troubling.
There are better ways of dealing with the bad actors problem, but Big Tech has chosen violence.
Case in point: GrapheneOS (or any other custom Android distro) is unlikely to be able to ever pass remote attestation, even a signed, secure boot build with the bootloader relocked, because it's not the original OS for the hardware.
Same goes for any desktop Linux.
I still think destroying the playing field is better, but less likely to succeed.
This isn't about you attesting anything though. It's about corporations attesting that your device is 100% corporate owned. Can't have you running software that impacts their bottom line after all.
GrapheneOS could be the most secure operating system to ever exist, it doesn't matter to the corporation because it's still under your control. When they say "security", they mean "the corporation's security against the user", not "the user's security against the hostile world out there".
The hypervisor maintains isolation between operating systems, so a free operating system being installed doesn't mean an app that needs a high security operating system is compromised.
There is no such a thing as "just buy a different device" when this "different device" is actively discriminated against to the point it's a paper weight. I wouldn't be surprised if remote attestation becomes necessary to even get an internet connection in the future.
For example: The UK has a digital ID requirement which is required for you to be employed in the UK. Additionally the EU digital identity services have a hardware/software attestitation that is required to run their apps. (Many of those which 3rd party software can't run).
Another example of this is the Australian eTA - (Everyone has to have a visa to visit Australia.. but the real only way to get a visa* is you have to get an electronic travel authorization which only works via an App)
https://grapheneos.org/articles/attestation-compatibility-gu...
Apps that ban graphene-os being used:
That's untrue.
There was a strong push towards the digital ID from the current administration, but it was abandoned 6 months ago.
What you likely mixed up with digital ID is the old digital visa scheme, mandatory for all non-UK citizens to prove right to work.
Re: your app list: looks a little bit eclectic, so it's worth mentioning most of the apps don't ban GoS specifically, but enforce Google play strong or device integrity pass, which GoS doesn't pass.
Some trip on some exploit protections, like secure app spawning, but these can be turned off per app in the latest releases based on Android 17.
Weren't they accepting refugees without documentation?
I don't know, probably? That always was an offence[1] anyway.
New scheme, mandatory digital ID, would simply stop Britons from being able to use their physical passport to prove they can work. For everyone else that would swap existing electronic-only scheme with another electronic-only scheme.
I don't think anyone half awake would mistake a refugee with a Brit. At least it's not a problem that would explain introducing a whole huge PITA -- like with mandatory IDs for voting: if I'm not mistaken TWO people total were sentenced for voting-related offences, yet we spend double digits of millions of pounds only to (knowingly) disenfranchise voters traditionally voting against the Conservative government.
Look, I'm a citizen of the EU country and my country's physical ID holds electronic layer containing private keys I can use to remotely sign stuff or authenticate myself. It also allows me to using a digital only ID, and the app ecosystem around that is truly amazing. And I'm a picky one.
Basically it's everything, along with basically every single one European physical ID with electronic layer built-in.
British digital ID was *nothing' of that. If it was a physical smartcard first, optional and not mandatory, I'd probably support it, but the government messaging about that was full of lies and handwaving, especially when people were bringing up the failures of digital only systems like Settled Status for Europeans. Nothing mattered, steamrolling over arguments with soundbites.
No, long story short: no, digital IDs are NOT mandatory and no, employment fraud is not that widespread, and the new system won't fix the employers skirting the law.
[1] https://www.gov.uk/government/publications/illegal-working-p...
A new building is being built in my city, and the trash containers which were installed outside have instructions printed on them, indicating that you need to use a smartphone app to take out your trash.
I found this deeply offensive in a way that I cannot explain.
Sucks... At least brazilian banks don't ban it. At least not yet.
False
In fact I can't think of a single Government service or legal requirement that requires a smartphone in the UK.
In the past year I have applied for a passport, applied for benefits, opened a bank account, passed through border control, filed a company tax return, closed down a business, helped someone else claim for benefits, made police reports, filed a case with the small claims court, paid my council tax, received an incone tax refund, travelled on public transport extensively, hired a car.
All had alternatives as far as I can recall.
Quite a few were done online just with a computer and optionally a phone number
And based on prior discussions here I have to point out that "require" doesn't mean "ok but the alternative is kind of inconvenient"
[1] https://grapheneos.org/articles/attestation-compatibility-gu...
Even worse, GOVERNMENTS do that. EU Governments basically forcing you to give Google (via the Google Mobile Services rootkit) or Apple (and via the cloud act also the Trump Admin) access to your entire phone (including all of your saved personal data) to use the govt eID system...
If it were only that and we actually had “free market capitalism” and “competition” you could simply choose, but leering and steering these “organizations” is the treasonous and inherently illegitimate government, which is increasingly indistinguishable from private corporations, mostly because it’s the same pool of people, which are reflexively moving us all towards a common focal point of a form of tyranny similar to hereditary oligarchy and/or serfdom.
Yes there are still identifiers when using cellular data service, but they aren't connected to your phone number that you give out. Phone number gets a determined threat actor real time location, which is what I explained. Threat actor gets location from any carrier identifier. Cellular was built in a terrible way for privacy and security.
Android doesn't let apps see hardware identifiers if that's related.
Yes you're correct about having to trust Apple, but my point is that the way Apple is collecting all this extra info allows them to be compelled to hand it over. It's not about trusting Apple, it's about them following the law, which they will do.
Nowadays it seems a lot easier because there seems to be a separate profile isolater you can run in the main profile, which I would choose if I was installing today.
The only hiccup I've had is that sometimes group messages don't send correctly and send individual messages to everyone, but I think that's because I'm on a secondary profile, and it only happens when the phone is receiving a bunch of messages all at once while I try to send to the same group. But I deny network access to my installed swype keyboard, so it may have something to do with that too.
I've been running this for years, since the Pixel 7 came out, which I'm still using.
I love it. I can confidently go through customs knowing that if they yank my phone during some weird checkpoint and try to celbrite it, I'm as secure as can be.
1: https://gitlab.com/fmd-foss/fmd-android
2: https://grapheneos.org/articles/attestation-compatibility-gu...
3: https://privsec.dev/posts/android/banking-applications-compa...
Many people want to segment things more than that by having a dedicated profile for apps depending on sandboxed Google Play. A work profile, Private Space or secondary user can be used for it. A work profile or Private Space is a lot more convenient. Using a work profile avoids wasting the Owner user's Private Space if you want to use it for sensitive data. We want to add support for multiple Private Spaces per user in the future instead of only 1 per user to fully obsolete work profiles for local usage.
How would that be achieved
We could assume that a user could make their own computer "private and secure"
But if a third party, e.g., Apple, Inc., Google, LLC, GrapheneOS Foundation, etc., has RCE, e.g., "auto-updates", then how can the computer be "private and secure" against that third party and any party that they "work with", voluntarily or not, e.g., a business partner, a government, but also others that might target these third parties, such as an attacker who isn't interested in their bug bounty programs, etc.
To achieve "private and secure", would the user need to remove the RCE capability of the third party (parties)
What about data collection and surveillance by the third party (the user would have to review the source code and compile the OS themselves to be sure about data collection and surveillance)
If there is data collection and surveillance, then how could the user be sure that the data collected and surveillance capability held by the third party is "private and secure" from that third party (e.g., Apple, Google, etc.), any third parties that work with them, and others who might target these third parties
Assuming the user even knows the identities of all these third parties, what if their operations are secretive and non-transparent
What if they have a history of dishonesty
What if they make no promises to the user that could be enforced and instead they just assume "trust"
Perhaps each user might have a different concept of "private and secure"
But there is ONE feature I love on iOS and it’s the Live Photos. I feel like it’s an amazing way to keep family memories. Do you know if it exists on GrapheneOS?
There are 3rd party camera apps that support it, but you'd have to download them separately. GrapheneOS camera app is fine but nothing outstanding. It will give you decent pictures but don't expect any fancy upscaling or editing features.
I run pixelos and the amount of stuff I miss from iphone is staggering, the difference between pixelos/grapheneos isn't as big as the difference between iphone/pixel.
No back button on iOS is madness and also the Android rotate screen integration is way better than iOS.
Even safari... On Android, you get chromium that doesn't have any extension or Firefox that has incredibly frustrating UI and doesn't work well on some website.
Tap to scroll might be possible to get also. Haven't felt need for it when it takes a few regular scrolls anyway.
Yes, you need to use F-Droid & Co. to get apps (just like on Graphene), but otherwise they're functional and many people are actually using them like that.
Thats like saying the right to remain silent interferes with law enforcement doing their jobs. Law enforcement has one job, enforcing the law, and that includes following their own laws. People have a right to privacy, and GrapheneOS is one of the many methods that allow people to exercise that right.
Democracy dies when people can't protest. When they are under constant surveillance, afraid of being singled out by the government intelligence gathering mechanisms. Unable to speak out about injustice, organise and engage in healthy counter culture.
Look at Russia, look at China. Don't imagine that giving your own government and law enforcement the same tools of surveillance and oppression will have a different outcome.
I personally agree with you, but for most people it's not black or white. They want privacy when it suits them, but would take yours away in a heartbeat.
People easily focus on negative consequences of privacy (dangerous people being able to communicate secretly) and don't notice the benefits they enjoy because of privacy.
As someone who grew up on the other side of the iron curtain, I find this idea that you'll make your own government an enemy and shield criminals against it utterly naive, since that's not what actually changes society. It's a form of techno-cowardice, where people hide behind technology to avoid doing the hard stuff.
If your government is seeking to remove those tools from you then that is a warning sign.
Like... this is how the entire underground railroad and many other examples worked out.
There were also other groups hiding away and doing interesting things - killing, maiming murdering. It took access to private communication and files to take those down - you may have have heard of some [0].
[0]: https://www.npr.org/transcripts/138889467
GrapheneOS is not for criminals, its not aimed at criminals, its not designed for criminals. Not implicitly or explicitly.
I have a question for you. Why don't you advocate for more surveillance? The more active and widespread the surveillance, the more criminals can be caught. If you think it's not entirely practical, just embark on a thought experiment with me -- assume it would be practical. Would you do it? Would you have everyone be under perfect surveillance 24/7 in order to catch every criminal? Let's call this stance surveillance maximalism.
If you agree with surveillance maximalism, then we're just very different people and I don't think we can find common ground. I hope we can live peacefully in different countries with different laws that suit our preferences.
If you disagree with surveillance maximalism, then why is your arbitrary tradeoff so good? It's not obvious why it's better. You are assuming the moral high ground, but you're also doing the same thing you're accusing me of -- you're accepting some amount of traffickers existing by not being a surveillance maximalist.
By adopting this moral high ground, the discourse is kept at a shallow level. We talk less about which surveillance measures are actually effective or not, what has happened to crime rates over time, what is the context in which crime occurs, what are the negative consequences of undermining privacy, what are the negative consequences of mass surveillance etc. Instead we waste our time and energy on cheap moral opprobrium.
That's not what anyone writes, especially not me.
> I have a question for you. Why don't you advocate for more surveillance? The more active and widespread the surveillance, the more criminals can be caught. If you think it's not entirely practical, just embark on a thought experiment with me -- assume it would be practical. Would you do it? Would you have everyone be under perfect surveillance 24/7 in order to catch every criminal? Let's call this stance surveillance maximalism.
Because it's a bad tradeoff between free society and safe society. There's a reason why we put checks and balances on enforcement agencies and why it's so important to keep them up to date.
> If you agree with surveillance maximalism, then we're just very different people and I don't think we can find common ground. I hope we can live peacefully in different countries with different laws that suit our preferences.
I do not agree with surveillance maximalism.
> By adopting this moral high ground, the discourse is kept at a shallow level. We talk less about which surveillance measures are actually effective or not, what has happened to crime rates over time, what is the context in which crime occurs, what are the negative consequences of undermining privacy, what are the negative consequences of mass surveillance etc. Instead we waste our time and energy on cheap moral opprobrium.
I agree, so perhaps losing your mind and going into mindless screaming every time anyone opens a debate about tradeoff between access, surveillance and privacy isn't the best way forward. Which is what's happening here way too many times.
Just because I acknowledge an issue which gave us things like surveillance warrants and existence of police forces doesn't mean you can just strawman me into whatever position you hate. Perhaps think on the reason why every single stable prosperous society has concepts of police and police warrants which grant access to private spheres when deemed necessary.
https://news.ycombinator.com/item?id=46440276
Hmm, I hope you don't work on AOSP!
Australia has a national test of it's phone alert system in 10 days at 27/07/26, 2PM AEST. (People in North America would know it as Cell Alerts/Presidential Alerts etc.)
There have been warnings that hidden phones will almost certainly sound, and their recommendation is to ether power off the phone or put it into airplane mode at least an hour before the test...
She ended up disabling the alerts entirely, which seemed a shame to me, but the ear splitting siren every 5minutes wasn't really conducive to our sanity or our dog's or our ability to actually hear the weather radio.
Moreover, it's a huge pain to get to the history of emergency alerts, which seems like a design flaw. Surprising how poorly a critical life system can be designed.
Yes, GrapheneOS of course allows this.
Edit: re followup comment.
No, adb cannot be used in all cases to disable the packages involved. At all. Some phones refuse to lets users disable some packages, no matter what.
Yes, I know what I'm talking about.
As someone with decades of Linux and Android experience, who often works nights, having Quebec police use presidental alerts... CRTC regardless, to warn of a child abducted by a parent 2000km away from me, is an exceptionally strong motivator.
The sheer stupid of an alert you cannot control the volume, sound, and length of in any way, is absurd. Try going back to sleep after something screams at you, at your equiv of 2am is madness.
By god I hate those alerts.
So yes, I know. If you don't have root, and the phone won't let you disable some packages, you're done.
And it's another reason I like GrapheneOS.
Their phones are more than twice as expensive as equivalent models at JF HiFi too (and 5-10x the price of an older, but still perfectly useful degoogled phone from Marketplace).
Why is it on the front page of HN?
> and 5-10x the price of an older, but still perfectly useful degoogled phone from Marketplace
Devices with drastically worse privacy and security than the Android Open Source Project including lack of bare minimum updates aren't in the same space as GrapheneOS.
It's generally better for people to install GrapheneOS themselves since it's very easy and saves a lot of money. It takes 10 minutes to install GrapheneOS with the web installer. It also avoids needing to trust a company to do it, although it's possible to verify an install done by someone else is genuine with the verified boot key fingerprint and/or Auditor. An existing install by someone else should be factory reset it to avoid any sketchy configuration.
The linked post is a mess which was probably generated with an LLM. GrapheneOS does have useful properties for this even though it isn't the focus. Someone could write a proper article making a case for it even though this isn't one.
GrapheneOS is free and we recommend people install it themselves with the web installer. People can also save a lot of money getting a used device, but we strongly recommend against an older device than a Pixel 8 due to support time. A used Pixel 8a tends to be the cheapest option. An important thing to watch out for with used devices is avoiding ones which were originally sold by carriers locking their devices. Some phone sellers wrongly label locked devices as being fully unlocked.
If people buy a device with GrapheneOS instead of doing it themselves as we recommend, we a guide to follow to make sure it's genuine GrapheneOS and get rid of any strange software or configuration it ships with:
https://grapheneos.org/faq#preinstalled-devices
I mean in the long run, it should be a good thing to separate out the hardware phone market from the OS it comes with IMO. And for large scale adoption, it's extremely useful to have the most non-technical people using your OS, because they will complain and bugs will get reported (maybe not through the preferred channels, though).
No notes on the markup though. Infuriating there's no negotiating ability to say "you can't sell this OS on a cheap phone for 600% margins".
I have notifications turned ON for WhatsApp, Signal and Telegram. I never receive notifications from Telegram. I have to open that app to see if anyone said anything. WhatsApp and Signal notifications seem to vary between late or never? This is despite a constant notification reminder that Signal has Background connection enabled.
Also I can only send messages to some whatsapp contacts. My messages appear as pending for a while and eventually turn into 'could not send'.
All of those apps support using google services FCM for push notification delivery. I dont think Telegram has a fallback, and Signal and Whatsapp have power-intensive fallbacks. You may also need to reinstall these apps for them to detect google services (apps generally dont check for google services more than once on initial launch).
I remember Cyanogen ships without Google Play etc., right? (Because if you install Google Services and a bunch of crap from their store (theirs and otherwise) that spies on you, it defeats the purpose of a privacy preserving OS.
So I'm assuming Graphene is at least as strict as that? (Well Cyanogen at least give you the option of installing all that crap but that would seem to defeat the purpose in this case.)
But more broadly I'm not sure I understand the relevance in this particular context. The article mentions that an abuser could put spyware on your phone? Is that a realistic scenario? (Ok I suppose half the stuff on the Play store is spyware so maybe it's more realistic than I'm thinking...)
GrapheneOS is a privacy and security hardened OS. LineageOS and CyanogenMod aren't in that space. GrapheneOS preserves the standard privacy and security features and updates of the Android Open Source Project as a baseline. It greatly improves privacy and security with major privacy and security features along with much better privacy/security updates. It keeps up with the major OS updates including having a release based on Android 17 since the day it was released (2026-06-16).
> Can someone explain this? I've used custom ROMs back in the day (Cyanogen!) but I'm not familiar with GrapheneOS.
GrapheneOS is a production quality OS with around 15 people paid to work on it. It's not a hobbyist project. We've never used the term custom ROM since it isn't accurate and propagates misconceptions. It's best to avoid it.
> The article mentions that an abuser could put spyware on your phone? Is that a realistic scenario?
Yes, stalkerware is very common and there are a bunch of apps marketed for this purpose. It's helpful to get a new phone set up from scratch without the same accounts or automatically restoring any data on it. This can be a GrapheneOS phone but it doesn't particularly need to be. It's not GrapheneOS recommending itself for this purpose. There are an assortment of privacy and security features relevant to this in standard Android 17 and in the features added by GrapheneOS but nothing essential to this. GrapheneOS makes sense as a general choice for a new phone for many people due to being a highly usable, compatible, private and secure device but we're not specifically recommending it for being who are victims of stalkerware ourselves.
It's a ROM (in the phone sense), and it's not stock (so installing it is a customization). In what way is it not a custom ROM?
There are multiple ROMs involved but GrapheneOS isn't one. There's an SoC boot ROM which loads SoC firmware from the SSD, verifies it and transfers control to it. The littlekernel-based firmware stage which loads GrapheneOS isn't a ROM. GrapheneOS and most of the SoC firmware are simply stored on SSD partitions. There are A/B partitions for both the SoC firmware and the OS on the SSD. Installing (flashing) GrapheneOS involves writing out images to those partitions on the SSD and erasing an existing data partition which also happens as part of unlocking or locking the device. Those partitions aren't read-only from an OS perspective. Verified boot secures what's stored on those, not any form of hardware or firmware level write protection.
There are also boot ROMs for other hardware components. Many of those are responsible for receiving firmware uploaded by the OS to the hardware component at boot, verifying it and transferring control to it. The secure element has separate persistent firmware with a separate verified boot process since the OS isn't allowed to update it until the Owner user has successfully authenticated so it needs persistent firmware. Other hardware components mostly don't need persistent firmware and it's more secure if they don't have it.
> it's not stock
GrapheneOS will be available as the stock OS on multiple Motorola Mobility devices based on our partnership. It won't necessarily be available as the stock OS when the official support for it launches since it's not one of the minimum requirements but it's planned.
> so installing it is a customization
It's a separate OS forked from the Android Open Source Project but this terminology gives many people the incorrect impression that it's a modification of the stock OS. It leads to many people asking questions about what it removes from the stock OS and believing we removed Google integration when that was never present in the baseline. There are a lot of misconceptions which are propagated by this terminology. We don't use it and think it only serves to create unnecessary confusion and misconceptions.
> In what way is it not a custom ROM?
It was just never accurate terminology for forks of the Android Open Source Project on modern devices. The terminology originates from phone modding prior to Android and there was a time it made sense. It hasn't made sense for a long time.
> There are multiple ROMs involved but GrapheneOS isn't one.
> [...]
> It was just never accurate terminology for forks of the Android Open Source Project on modern devices. The terminology originates from phone modding prior to Android and there was a time it made sense. It hasn't made sense for a long time.
I did say "in the phone sense". I suppose if you want to be pedantic and point out that it is not literally stored on read-only memory, and you agree that the same is true of every such system (e.g. you would equally say that LineageOS isn't a custom ROM because it lives in rw flash memory), that's... not how anyone uses that word, but fine, yes that is technically true for the meaning of the word that nobody uses outside of low-level hardware engineers.
>> it's not stock
> GrapheneOS will be available as the stock OS on multiple Motorola Mobility devices based on our partnership. It won't necessarily be available as the stock OS when the official support for it launches since it's not one of the minimum requirements but it's planned.
So we agree. It's not stock. Someday, it might be available on some devices as the stock OS, but it isn't today, and even when it is available as such it will also be available as a custom ROM, unless you intend to discontinue it for all other devices.
>> so installing it is a customization
> It's a separate OS forked from the Android Open Source Project but this terminology gives many people the incorrect impression that it's a modification of the stock OS. It leads to many people asking questions about what it removes from the stock OS and believing we removed Google integration when that was never present in the baseline. There are a lot of misconceptions which are propagated by this terminology. We don't use it and think it only serves to create unnecessary confusion and misconceptions.
I start with a device. I replace its OS. It works differently. I have customized the device. I would agree that GOS isn't a mod, say, but it is a custom change.
Also, it's bizarre to object to being described as a customized ROM when the whole point is how much it changes from AOSP. The entire selling point - everything listed on https://grapheneos.org/features - is explicitly why its changes are an improvement. If you want to emphasize that it's a full replacement I guess that's a distinction, but it's still a customization of the phone vs stock.
Their docs are really good, not only for their phone but for learning about privacy and security: https://grapheneos.org
You could still install an app that spies on you on grapheneos because it has 99.99% android app compatibility, so if you gave an app designed for spying the relevant permissions, it would still be able to spy. No way it could hide location indicator or anything like that, but I doubt it could do that on other OSes (don't quote me on other OSes).
Yes, stalkerware is an entire genre of software and it is designed for exactly this purpose.
How “stalkerware” apps are letting abusive partners spy on their victims https://www.technologyreview.com/2019/07/10/134249/stalkerwa...
The Abuser in Your Pocket: How Stalkerware Threatens Women’s Privacy https://safeescape.org/stalkerware-threatens-womens-privacy/
'I thought I'd been microchipped': How abusers spy on partners with 'parental control' apps https://news.sky.com/story/i-thought-id-been-microchipped-ho...
A web search for the term will turn up many more results. Graphene OS's hardening against exploits, compared to the abysmal record of Android vendors, gives much better odds against any of these apps being able to run with elevated privileges, which means Android's sandboxing is effective.
(Happy Graphene OS user of many years here.)
I am having a hard time believing your first link, which says:
> In Anna’s case, stalkerware was disguised as a picture message, sent to her by the man she was dating (let’s call him David), just a few weeks after they met. She was then under constant surveillance for about two years
That sounds like an NSO-level attack, right? I doubt abusers routinely pull that out?!
I totally get the problem that "the abuser knows the iCloud password and can use the FindMyPhone feature to track the victim", or "the abuser convinced the victim to install an app that would track the victim without their consent". But I am genuinely wondering how much GrapheneOS protects against that.
There are many tiers of far easier remote attacks far easier than exploiting an up-to-date iPhone through iMessage of WhatsApp. It doesn't mean that's what happened but it's often not something that's extremely difficult. Many people use phones with years of missing security patches. It's getting increasingly easy to exploit those in the age of LLMs.
Regardless, it sounds more like a social engineering attack tricking someone into installing an invasive app and granting invasive permissions to it.
> I doubt abusers routinely pull that out?!
They do regularly use social engineering to trick their partners into setting up stalkerware or permitting it to be installed. Getting a new phone and accounts is a very helpful for people who are victims of it. They've often given access to their accounts and devices without knowing how to fully get rid of it. Reclaiming the existing devices and accounts is far easier if they have a clean one to start from where they can get technical help. It doesn't specifically need to be a GrapheneOS device, but it's a good choice in general and doesn't require being technically savvy to use or even install it.
Right, yeah that's actually a good reason to use GrapheneOS.
> It doesn't specifically need to be a GrapheneOS device, but it's a good choice in general and doesn't require being technically savvy to use or even install it.
I totally agree here. Very good choice, and I would argue that a "normal" person wouldn't make the difference between GrapheneOS with sandbox Play Services and stock Android. Installing may be intimidating, even though the GrapheneOS installer is extremely impressive (it just works and doesn't require any knowledge). Still normies tend to get intimidated just from the idea of reinstalling their system :-).
Not really, these are available to any script kiddy as long as unpatched phones and software exists. It takes some initial effort to find them out, but that is it.
And I remember similar attacks floating around few years ago even outside domestic violence situation.
- App isolation and hidden profiles (up to 32 separate profiles)
- Verified Boot (tamper detection on every startup)
So you can do stuff on there that's not going to tip off someone who's controlling enough to demand to see your phone, and so you'll at least be tipped off if someone compromises it.
I am a happy user of GrapheneOS, I don't know about "hidden" profiles. I am not sure what they are talking about.
> App isolation
That's an Android thing, not specific to GrapheneOS.
> Verified Boot (tamper detection on every startup)
That's an Android thing, not specific to GrapheneOS.
Stock Android runs the tamper detection just the same; they just don't warn about the custom keys because the keys are not custom, they are the ones expected by the manufacturer :-).
I see hidden profiles is an open issue, here: https://github.com/GrapheneOS/os-issue-tracker/issues/5003
If you do want a smart phone, but don't want rubbish on it, Graphene is very bare-bones by default. F-Droid and other FOSS-friendly app stores can fill in a lot of gaps, and respect your privacy.
Some apps will simply not run without Play Services, but if you had to use such an app, I believe you could do it in a second profile and have Play Services disabled in your main. Regular apps installed for secondary profiles show as "Not installed for this user" in my main, but Play Services is a bit special.
No offence but... next time maybe make it clear that you are just assuming and don't have any experience with the thing you are describing?
> My mental picture would have been it having partitioned storage (to reduce chance of accidental over writes) filled with "random seeming 'noise'" that held hidden account specific data only accessible with a user provided key.
That would be a normal account on an encrypted phone. Nothing special about that.
How did we get there?
It's not like Google is going to sell your tracking data to abuser.
There are many reasons to get rid of Google altogether, I just don't understand this one.
Police can obtain data from Google. Police can be abusers or friends with abusers.
No, that's exactly the fear. With enough disclaimers and third parties involved, a motivated, highly intelligent and rich attacker with the right connections could get that information.
The tl;dr is that you can either share this data by accident through some sort of "locate my family" app, or because your abuser gets access to your Google/Apple account (for instance because you're signed in on another device they have access to).
The threat model here can be: domestic abuse victim flees a situation at home in a hurry, stays signed in on a computer. Abuser uses the sign-in on that computer to track their phone, figures out they're staying at their aunt's place.
Yes, you can avoid this on a regular Google phone as well, but that requires correctly configuring it (and a lot, such as location and search history, can be re-enabled remotely!). If you're running Graphene you are protected by default, rather than compromised by default.
Technically you can use fdroid, Aurora store, or only use stock applications but if we are serious, not all domestic abuse victims are also geeks that know how to do all these things.
They will need their apps, for instance for social security. Also, many people use their phone to pay nowadays, can't do on grapheneos.
Domestic abuse is a serious threat and people are motivated to stay away from their abusers, but if you give them something so barebone that they can't do 90% of their stuff, a significant percentage of them will revert to their old behavior and risk compromising themselves. For instance, buying a second phone and connecting it to the old Google account just to browse tiktok.
Grapheneos has 99.99% app compatibility and over 90% of banking apps are compatible.
Let's not normalize this kind of profiteering out of OSS.
They also recommend at least 12 GB RAM. What about domestic abuse survivors requires that?
It has 99.99% android app compatibility. Over 90% of banking and government apps work. These apps take extra measures to ban grapheneos, apps must put in work to make their app incompatible, not the other way around.
I wouldn't say anyone can use it, if you can't sign in to a Google account by yourself then you would have trouble setting it up. But that would be similar on iOS. For the average person, definitely. There's no code or anything like that. Works just like stock Pixels.
If I was giving it to my grandma then I would install her apps and she would be fine clicking icons. But similar on iOS.
Yeah that RAM mention is very strange, not the best article.
> anyone can make something insecure
Many consumer products, including iPhones to a significant degree, are designed to prevent this, much to the frustration of hackers. 'What do you mean I can't sideload random apps?' Or other products: It takes a lot of effort to make your car insecure, or to make your stove leak gas. They are carefully designed for safety.
Two tips for beginners:
Google Play Store and Google Play Services can be installed from the App Store. They aren’t included by default because GrapheneOS works fine without them.
If a trusted app has trouble running, try enabling Exploit protection compatibility mode on the app’s Info screen (long-press the app icon → Info → Exploit protection).
Check whether your bank is supported: https://privsec.dev/posts/android/banking-applications-compa.... If it isn’t, it likely depends on the Play Integrity API, which means it requires customers to stay under constant surveillance by the world’s largest advertising company, with no real security justification (see https://grapheneos.org/articles/attestation-compatibility-gu...). In that case, you should switch to a more trustworthy bank.
> Google Play Store and Google Play Services can be installed from the App Store.
Few will manage this on their own. What is Play Store? And what are Play Services? What does 'services' mean? Do I need both? Can I just use one or the other? When would I use them?
> They aren’t included by default because GrapheneOS works fine without them.
It doesn't, from what I understand. For normal users, 'works fine' means they can download and install any app.
> If a trusted app has trouble running, try enabling Exploit protection compatibility mode on the app’s Info screen (long-press the app icon → Info → Exploit protection).
lol - 'exploit'? 'mode'? 'app’s Info screen'? Even 'long-press' is not usuable by many, especially older people and others with less manual dexterity than 20-something software designers.
> you should switch to a more trustworthy bank
That isn't a serious solution. I love GrapheneOS, but it isn't ready for typical end-users.
It's not as easy as it can be (the text is aimed at people familiar with Android flashing) but in practice you need to toggle one setting, reboot holding the volume button, and then click four buttons in your browser in order, with the exact names for settings spelled out in the guide itself.
I don't think wiping an abuser's malware is such a great solution unless you've already managed to get out of the DV situation. Perhaps GrapheneOS is a good idea on a secret second phone?
I am a (very happy) GrapheneOS user, I am certain that I can install a tracking app on it. I can even easily side-load an abusive app that would be banned on the Play Store...
Like I would totally recommend GrapheneOS because it's great, but I don't think it solves the problem of "a domestic abuser can access your phone by making you give access to your phone".
Why?
Here we're discussing a domestic abuse situation, where people are forcing victims to hand over their phone, and have apps installed to keep track of them. Against their will.
And the solution is to... what? Mysteriously have control of your own phone, and install an OS which prevents this? Seriously? I can just imagine it, when the unfamiliar OS is discovered, or the app not working. This is a domestic abuse situation, it's not about hidden sneakiness.
It's about in-your-face control. It's about forced compliance, or else. It's about the abuser becoming exceptionally upset about their tracking not working, or about a new, mysterious OS.
Installing GrapheneOS would not be tolerated. It would be an act which comes with reprisals. I can just imagine the reaction when the abuser can't get the phone to do as they wish, for the person to disclose what the OS is, or just to hand over their unlocked phone, and discover it's GrapheneOS, and Google it and see what it's for.
It's actually horrible advice to advocate the someone in this situation installs GrapheneOS. How could it possibly help?
GrapheneOS is great to protect from secret, unknown spying. Not some domestic abuse situation where spying isn't via secretness.
I wouldn’t recommend domestic violence victims to install graphene os on their phone by themselves
Getting a new phone is very useful to someone that's a victim of a controlling partner but it doesn't particularly need to be a GrapheneOS device. GrapheneOS has features useful for this including Auditor and standard Android profiles but we're not specifically recommending it for this ourselves. People who are victims of this probably just need a new phone of any kind and to prioritize other things.
[1] attestation.app
"Australian research shows that 99% of domestic violence cases now involve some form of technology-facilitated abuse."
Where the "Australian research" is linked to a page where the first Key Finding states:
"Over one quarter (27%) of domestic violence cases involve technology-facilitated abuse of children."
Doesn't fill me with confidence in anything they say (even if I do believe the advice is right).
Can you expand on what it is that "Doesn't fill [you] with confidence" ?
* Page 9: https://www.esafety.gov.au/sites/default/files/2020-12/Child...
98% of "frontline workers" having direct experience of "Technology-facilitated abuse" (ie. have encountered at least one case of it out of all their cases)
is very different to
98% of "all domestic violence cases" involving "Technology-facilitated abuse".
Have you seen how many articles recommend not secure and not private alternative phones, that's not cool.
Edit: damn some of their phones with it preloaded are like 4x the price your can get for pixels in the state's. Can't speak to Australian prices for regular pixels tho.
So not quite a 50% markup on the bard phone, not quite as bad as 4x.
And while I'd feel like a jerk if I asked for money helping someone at risk of DV setting this up, if I was doing it as a business with the mandatory warranty and support this'd need to include in Australia, I think that's expensive but probably fair?
Interesting they don't sell the 10a, seems like a great budget phone from what I've seen.
Edit: I didn't consider taxes and initially I assumed exchange rates were more similar then they are.
Law in my profile heh (not on purpose)
The basic premise, that a secured and private phone, is useful for domestic abuse victims is of course okay. It is true that protecting your privacy from abusive family members can be useful and GrapheneOS' features, which are accurately described on their own website (contrary to the linked blog post), certainly help remove threats in that regard. See : https://grapheneos.org/features . This is dependent on the specific situation, of course, (e.g. huge difference between ex-partner stalking you and a current partner you live with abusing you), because if you are forced to give your phone password at the threat of being hurt, a secure phone won't really help you a lot.
While the licenses that GrapheneOS uses permit companies to establishes businesses using GrapheneOS software, it's not recommended by the project to buy pre-installed phones, certainly not pre-configured phones, like PrivacyPros offers. The install process of GrapheneOS is simple if you are using the WebInstaller, and there is a lot of free support available in the community chat rooms and fora if you bump into issues. This saves you a lot of money because you can buy a new, used or refurbished Pixel with the stock OS installed at a much lower price. If you install GrapheneOS itself the guide also mentions you have to verify the integrity of your installation. That also holds true for preinstalled phones, you should check the verified boot hash and set up Auditor app. Preconfigured phones should actually be completely factory reset, not only from the OS but preferably also from recovery mode and then set up again, with a check of the boot hash and a set up of Auditor app before you install any apps or start changing settings. You don't know what PrivacyPros has changed to the settings, what they loaded on the device and Auditor should be set up by yourself and straight from the beginning, before you start using the device, because pinning-based security is an important part of its security model and you would want to be pinned to a clean state from the post install.
The blog post and also the PrivacyPros website where they promote and sell their phones is riddled with unnecessary misguided advice and also falsehoods about what GrapheneOS offers and what the dangers of the stock Pixel OS and Android in general are. Pixel OS and Android in general are portrayed way too negatively. I'll just give a few examples because it will cost me way too much time too debunk and correct all of it. These ones are verified easily by yourself and I hope it just makes clear you can discard everything PrivacyPros has written and makes clear you should just consult the official GrapheneOS website. So, they pretend as if Android and Pixels themselves don't have a permission model, multiple users and verified boot. This is untrue. GrapheneOS hardens the app sandbox and permissions model more and offers stuff like storage scopes to work around to broad permissions, but the sandbox and permissions model itself exists for Android in general. Verified boot is also a standard Android feature, and also exists on iPhones and even on MacOS and ChromeOS. Multiple users are part of Android, GrapheneOS just increases the available number of users and increases their usability. Also note that users don't improve sandboxing. Sandboxing and access control exist within profiles as well, profiles are mainly meant for increased isolation via separate user data, user settings and VPN slots. They also offer separate encryption keys allowing you to selectively put data at rest etc. The whole idea of a "ghost" profile and user profiles being at the centre to security and privacy is misguided. They also call about kill switches, Pixels don't have hardware kill switches and the software kill switches are just part of Android.
I don't hate it nearly as much as this weird genre of accelerationism where any attempt to improve one's immediate circumstances is just a distraction from the real work that needs to be done.
Improving one's immediate circumstances in such context is talking to someone and asking for help, not spending days installing latest set of tools endorsed by privacy advocates and bricking one's phone due to accident while flashing privacy-friendly ROM.
Aside from that, GrapheneOS isn't read-only memory firmware and that incorrect term should be avoided since it propagates misconceptions.
I looked at this headline and I thought to myself, that I couldn't think of a stupider solution or a dumber sales pitch than "hey DV victims! use this complex gadget!"
No. I mean, come on. This is the sort of thing where people read a poster in the ladies' room and then they carefully plan a discreet exit from their life of abuse. These are very low-tech escapes. They involve packing your necessities and slipping out while your abuser's not watching.
And yes, the social safety nets, and the institutional protections, are the operational needs here. No gadgets, please.
The discret exist where you leave everything behind is the most disasterous situation to be in.
Installing sandboxed Google Play is done by simply pressing the install button for it in the GrapheneOS App Store.
Those Android distributions you refer to are not up to date, don't fully remove Google services, don't ship patches fast, don't improve exploit protections, have worse compatibility, don't make Google's services more private by running them in a sandbox, dont add additional important permissions.
Grapheneos ships security updates faster then Google on pixels. If you want the best protection against zero days or mass surveillance, grapheneos is the best option.
Grapheneos is fully run on donations and has provided information in various posts. Most crypto donations by volume are in Monero, Eth and Bitcoin have a few large donations. They are registered as a legal entity in Canada.
> It is also suspicious the preferential treatment given to that suspicious distro while all others are left in the dark.
We don't receive any preferential treatment from Google. Android's business side disallowed us from receiving any form of partner access and took away the security patch preview access given to us by Android's security team. That has been the case for years. We have security preview patch access but it isn't from either Google. Google also hasn't ever allowed us to have early access to major Android releases but that doesn't mean we haven't obtained it.
> Using hardware from a vendor that cannot be audited and every possible business interest in spying you.
You can claim this about any hardware. Pixels meet our hardware requirements and we're expanding support to multiple upcoming Motorola Mobility (Lenovo) devices meeting our requirements. There will be a growing number of Motorola devices with official support for GrapheneOS.
> Same excuse argued by Signal
GrapheneOS has never received any government grants and is fully funded by donations. Signal didn't cover up that they were received Open Technology Fund grants and other government money.
> It is easy to be transparent about donations rather than opaque: publish the operating costs and level of donations by a certified auditor without need to disclose names.
The entirety of the GrapheneOS funding comes from donations. Our finances are audited every year as a requirement for a Canadian non-profit receiving more than $500k/year in revenue. The purpose of the audits is nearly entirely to make sure we're spending all of the money. It makes sure that all the money is accounted for and being spent appropriately. A subset of our expenses are specifically checked to make sure of it. It also involves more than that but it has little to do with where the donations are received from. Donations are largely made anonymously. We can see names for Wise and PayPal donations but they're often not the legal names of individuals or companies. Most donations are received via cryptocurrency.
We can publish information on our revenue and expenses but it's not clear what that has to do with the unsubstantiated claims you're making about us or why it would stop you from doing it.
> But you won't, strangely enough.
You weren't responding to anyone that's part of the GrapheneOS project.
In what sense is anything shady about the Android Open Source Project (AOSP)?
> WiFi and SIM card chips are compromised right out from the factory
This is an unsubstantiated claims not only lacking evidence but heavily contradicted by a large amount of available evidence. It also has nothing to do with Android.
> People are usually OK with options like postmarketOS (non-Android) or with the most popular distros like LineageOS. Some jump to things like SailFishOS (attention: russian financial hands on that one).
postmarketOS and the desktop software stack it uses is far less private and secure than AOSP.
SailfishOS isn't open source like AOSP and is far less private and secure than it. It combines many of the worst aspects of desktop operating system security with low-end Android device security.
LineageOS is another fork of AOSP but doesn't preserve all the standard updates and privacy/security protections.
None of those are a hardened OS greatly improving privacy and security compared to the baseline of AOSP. None are as private and secure as unmodified AOSP. Those aren't in the same space as GrapheneOS.
> Even a cheap chinese smartphone with their "stock" Android can argue for being less shady and raise less attention to yourself than a distro which forces you into specific poisoned hardware. That is just dumb.
You aren't backing up your claims of hardware being compromised with evidence. You're also not being specific about what it is you consider to be a problem. You have an issue with us using Pixels. Does that also apply to the upcoming Motorola Mobility (Lenovo) devices too? Which specific hardware do you think would be okay to use? We need hardware meeting our requirements for updates and hardware-based security features which is why Motorola needs to improve their devices to meet our requirements. GrapheneOS also needs extensive porting work to devices due to the hardware-based security features and the need for drivers/HALs to be made compatible with the exploit protections.
GrapheneOS only supports devices that meet the baseline hardware security requirements. Pixels arent "poisoned" and there is no evidence to suggest any hardware backdoors exist, and quite a lot of evidence to show they dont exist.