Discussion

Back

emilfihlman: This is huge and amazing!

yason: GrapheneOS always strikes me as "perfect is the enemy of good". I don't necessarily need top-notch security features, I've been all right with all kinds of Android phones. The things I'd like are:- ability to sandbox Google Play and Google Apps so that they live in their nice little Google bubble and have no control over my phone overall- ability to run all applications sandboxed with fake permissions that I can whitelist for each application and without letting the app know it doesn't have the permissions it wants. Want location? Give the app a location point I've fixed for that app. (Or pass through real GPS location if I've chosen so.) Want contacts? Give the app empty contacts list. Or if I've allowed, give the app the contacts I've whitelisted.The Android/Google ecosystem is all right in itself, I just want to limit all of it inside a cage that I control. I want the exact same for my browser: I want webpages to run in a highly controlled sandbox with my choice of spoofed environment and permissions instead of assuming any power over my system. Or my Linux desktop where I firejail or sandbox certain proprietary apps outside of my distro's repositories.

fsflover: > GrapheneOS always strikes me as "perfect is the enemy of good"... I've been all right with all kinds of Android phonesI fully agree with you. I never received a reasonable reply to this from GrapheneOS fans or developers. Latest attempt: https://news.ycombinator.com/item?id=47182376

handedness: If you feel like you can't get a reasonable reply from anyone on a given subject, it's possible that the subject matter is purely indefensible and everyone but you is wrong about it, or it's possible that there's one constant in all this which you're overlooking.Anyway, in terms of laptop/desktop security, Apple's doing the best job of anyone on that front at present and is still moving in the direction of improvement. Overall, modern Pixels running GrapheneOS are still the most resistant to a variety attacks, compared to just about any consumer device with any practical value.Most laptop/desktop hardware architecture is wildly vulnerable in some specific ways that Pixels and iPhones just aren't, and no amount of OS enhancements built on that foundation will fully overcome its limitations. Your refutation to that is typically, "But, Google." I get it. I'm no fan of Google, but their architectural chops on modern Pixels is excellent.Suggesting in the next breath that people look at the Librem 5 or PinePhone while criticizing the security of GrapheneOS makes me think you might just be completely out to lunch on this one. The Purism project is just not a serious security project in so many ways, and while I appreciate the appeal of hardware switches, the rest of their approach makes the hardware switches and domestic supply chain option and shipping protocols little more than security theatrics. The Librem 5 is so easily compromised that the switches are practically a necessity, I suppose, because the hardware and the software (from the OS to device drivers and--gasp--closed blobs!) just isn't trustworthy. With the clever rhetorical games they play to overstate the reality of the device it's difficult to place any trust in them.'You shouldn't use this device because Google drove the architecture,' just isn't as compelling to me as, 'you should use this device with outdated drivers, no secure element, no sandboxing, and no IOMMU, no hardware resistance to attacks, baseband isolation that's literally an all-or-nothing affair,' and so on, is a terrible followup recommendation which completely undermines credibility.You're citing hypothetical weaknesses as a reason to dismiss GrapheneOS while advocating devices with numerous demonstrable weaknesses. The Librem 5 not only isn't very resistant to attacks, it's highly vulnerable to attacks. And then you complain when serious people stop engaging with you. (Not being a serious person, I persist.)As a former PinePhone user, it's a wonderful effort and I love that they're doing what they're doing, but the device and its software is just completely lacking in security to any real degree. Which is fine, because that isn't the device's reason for being, but we shouldn't overstate its position, which you continually do.All that said, I genuinely think if you take the time to really fairly understand the situation, you'll find value in GrapheneOS as a project. Whether or not it's for you is another matter, but the only reason I'm bothering to quibble with a faceless stranger on the internet over the issue is because I think the project is one of the most important consumer-device security projects of this era, and I massively hope it succeeds. The planet will be better off for it if it does. And yet, every single time it comes up you make the same lazy dismissals of it, ignore substantive responses, then invariably play the victim when people eventually tire of playing your game.A broader ecosystem of supported devices is something I very much hope for, and am excited to seem take the step into working directly with one OEM, and I hope for more. The virtualization aspects of their roadmap are exciting, and I expect they'll bring great upstream contributions to whatever hypervisor they choose, as they have for AOSP. Their talks of targeting a laptop which meets their hardware requirements is incredibly exciting, and here's hoping it's a ThinkPad, which seems genuinely possible now.All this is the most compelling alternative to something like Apple, which, while great at leveraging the advantages of being the behemoth in the market, is too inherently motivated in its pursuit of commercial outcomes to be something I'm likely to want to use.I lack any real hope that you'll come around on this one, but if you're going to play the game of linking to prior discussions to settle an argument, at least I now have a comment to link to, too. Thanks for fueling my future efficiency.

farkanoid: Not sure how I feel about this. Motorola seems to be the exclusive provider of encrypted cellular networks and associated devices to the Israeli military [1][2].I'm under the impression that basebands still require a proprietary/binary blob, basically rendering the security features of the underlying Open Source OS useless, since it sits between the user and outside connectivity.How can GrapheneOS ensure that there are no hidden backdoors (ie: Pegasus-like spyware, which was created by ex-IDF soldiers via NSO Group), etc, in the baseband?[1] https://www.whoprofits.org/companies/company/3808[2] https://www.motorolasolutions.com/newsroom/press-releases/mo...

raffael_de: > Not sure how I feel about this. Motorola seems to be the exclusive provider of encrypted cellular networks and associated devices to the Israeli military [1][2].makes me feel good about it.

Aeglaecia: what exactly makes you feel good about a privacy black hole with the worlds foremost anti privacy captain at the helm ?

imcritic: The opportunity to be blown up by your phone upon a trigger pulled by mossad. Obviously.

strcat: You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.

strcat: GrapheneOS has an OEM partnership with Motorola where they're working on improving their devices to meet our requirements because we won't lower our standards for updates and security features. A lot of work needs to be done for each supported device. There's a massive amount of work bringing the security-oriented, production-quality hardware memory tagging integration from Tensor to Snapdragon. We're working with Motorola and Qualcomm on it. If we simply ported it to many insecure devices we'd need have the time to work on features like this or the power to get an OEM and SoC vendor to work with us on it.GrapheneOS has Contact Scopes and Storage Scopes for pretending all of the contacts, media and storage permissions are granted with the app unable to access any additional user data without the user explicitly adding it on a case-by-case basis. Unlike the recent iOS feature, apps can't see the Contacts permission group isn't granted and it supports giving less data than the whole contact too. It also supports labels for groups of contacts shared between apps.Mock Location is a standard Android feature. We're working on a per-app Location Scopes replacement. We're also working on Camera Scopes and Microphone Scopes. We plan to continue down that road covering less major permissions too.Sandboxed Google Play already works near perfectly with close to 100% app compatibility. It's only apps disallowing using a non-stock OS via the Play Integrity API or to a lesser extent certain other methods which aren't compatible. McDonalds is a major example. X forbids password login but you can use Vanadium to login with a passkey and then use that in the app. ~10% of banking apps do it but not most. We've convinced multiple banks to permit GrapheneOS, and that's going to become MUCH easier now.

jonpurdy: This is very useful context. Especially around Contact Scopes etc. It's never made sense to me that iOS shares if the user is choosing to not share their contacts.Apple seems to basically do privacy-related things to an 80% level but not bothering with getting it totally correct. This makes business sense because the extra 20% is way more difficult, but it's great to see GrapheneOS going all the way.

gruez: >Latest attempt: https://news.ycombinator.com/item?id=47182376Your Qubes OS comparison doesn't really work because Android distributions need extra work to support each new device, whereas for Qubes OS, they're probably using some virtualization framework that makes it pretty trivial to add support for CPUs without virtualization. There's nothing stopping you from starting a new fork that supports your motorola phone, for instance.

fsflover: I understand that supporting new phones is a lot of extra work. My only question is whether the developers of GrapheneOS would accept patches from community for such support without full set of security features.

handedness: You keep coming back to this. GrapheneOS accepting community patches with a reduced feature set degrades the nature of the project. It's an absurd proposal.Fork it, make your own. Not only are they OK with that, they're actively supportive of it.Criticizing them for not actively supporting the Balkanization and unavoidable dilution of the security and therefore total value of their project makes me wonder whether the strength with which you hold your opinions has any meaningful connection to the extent to which you even understand the subject matter. It's just mind-boggling the things you assert every single time an OS you don't even use comes up.Your love of Qubes OS (which I share) somehow even increasingly seems rooted in something that just isn't reality. If it were, you'd be able to fairly assess both projects and see the relative strengths and weakneses of both with useful accuracy.As it stands, you're just spouting harmful noise. Please don't do that.

strcat: You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.

fluffypony: I don't want to gush about this too much, but it's SUCH a big deal. Graphene has languished with hardware support for so long - they basically only had Pixel devices as first-class citizens, which are not bad devices per se, but it's hard when you're spending most of your time doing something without the manufacturer's support.There is a very real possibility that we end up with devices that can play modern mobile games at high frame rates on a secure, privacy-focused mobile OS, which is a huge step towards general adoption of something like this as a daily driver.

bubblethink: This is such a strange comment that is full of contradictions. Pixels are supported because the manufacturer supports alternate OSes. I don't get what languishing means here. Pixel hardware lags behind the latest Snapdragon hardware, but it's not something that average people know or care about. So, you can gush all you want, but I don't see why it's a big deal. It's great that they found an OEM and it's great for the overall health of the project, but not because of gaming or the latest Snapdragon.

gchamonlive: Does pixel support alternate OSes or it just doesn't get in the way of custom firmware developers?And for the gaming aspect, there is a huge market for mobile gaming, specially in Asia, so having a manufacturer like Motorola adopting GrapheneOS as a first class citizen will improve the chances that high performance applications will have better performance in such OSes which is a big win.

throawayonthe: i mean, that sounds like a subjective distinction, but it lets you unlock the bootloader and then re-lock it with your own keys so eh..?

gchamonlive: [delayed]

thisislife2: This is great news - would love to run Sailfish OS on it. Wonder if it can dual boot?

strcat: SailfishOS is a largely closed source OS with poor privacy and atrocious security compared to the Android Open Source Project even without the improvements made by GrapheneOS. It doesn't and likely won't use any of the security features which are being worked on with Motorola and Qualcomm. Why buy a device based on it providing GrapheneOS support to run an OS without similar needs?

m00dy: I think banking apps especially the ones in UK, won't work on this device.

strcat: 90% of banking apps work on GrapheneOS. Curve Pay works for tap-to-pay.https://privsec.dev/posts/android/banking-applications-compa... has a UK section.

birdsongs: In what ways has the pursuit of perfection harmed the good in their development? (Your words, I don't agree.)Graphene does everything you're asking, except for the niche fixed location feature you specifically want, which you're welcome to request, or just implement yourself and make a PR.I'm going to be a bit snarky here, but I always find the entitlement around features in open source software baffling. This isn't a multi billion dollar corporation selling you something. It's enthusiasts making you something (honestly, incredible), for free, in their spare time, outside of their daily jobs. They're doing their absolute best here.

CivBase: > In what ways has the pursuit of perfection harmed the good in their development?Their lack of device support means I am still running Google's Android and will continue to be until a GraphineOS-supported device that meets my needs becomes available. This means I'm not just lacking in security, but I'm also stuck with Google and all of their anti-consumer practices.Running GraphineOS without all the security features they want would be better for me than what I currently have.

t0bia_s: Hopefully those Motorola devices will be smaller than Pixels.

strcat: The initial supported devices will be flagships. They have regular, fold and flip variants of the flagships. The main advantage of flip phones is better one-handed use.

wobfan: The biggest argument for me to buy one of these phones - when they actually arrive - next to running GrapheneOS, will be whether these phones, like all others, are way too big to use with only one hand. Like, I don't have a lot of requirements. Just make it run GrapheneOS and let it be >6 inches. I'll immediately buy it.

strcat: The initial supported devices will be flagships. They have regular, fold and flip variants of the flagships. The main advantage of flip phones is better one-handed use.

flawn: It would be amazing if GrapheneOS would distribute rooted versions of their OS with locked bootloader

strcat: Persistent app-accessible root greatly regresses OS security and breaks the verified boot security model. We're definitely not going to increase the number of build variants from 40 to 80 in order to provide an insecure option which would take away from efforts to properly implement features instead of doing it via hacks using apps running commands as root. If you want it you can make your own builds with it instead of us doubling the number of builds and deltas we need to make. Most of the people doing it are modifying the official builds and resigning them. Anyone who can understand the consequences of app-accessible root is capable of doing that.

flawn: I get that but the core issue is not inconvenience but the fact that also doing that still locks you out of applications that many people call essential (tap2pay, banking, streaming, other various apps relying on Play Integrity).Google is actively locking down the ecosystem in that regard and it would be amazing having a company that caters to people that are savvy AND would like to still be attested for integrity tests (assuming Google would be OK with that, but as mentioned in another comment unlikely)

ForHackernews: I think this is great news, but I thought GrapheneOS considered unlocked bootloaders to be a terrible security risk? What's changed?

strcat: It has always been a hardware requirement to be able to unlock the device, install GrapheneOS and lock the device again. Verified boot has been a requirement since it was introduced for Pixels and the is main benefit of locking the device. There are additional security features enabled by verified boot. The overall hardware requirements are listed at https://grapheneos.org/faq#future-devices.

butz: Will this help running Linux mobile OS'es on Motorola phones, like postmarketOS?

Aachen: That would be as big as Signal stepping away from the phone number requirement. Sadly I've lost hope on both of these, no idea why obviously good things (I'd say pro choice if it didn't have another connotation) are always such a no-go

strcat: Persistent app-accessible root greatly regresses OS security and breaks the verified boot security model. We're definitely not going to increase the number of build variants from 40 to 80 in order to provide an insecure option which would take away from efforts to properly implement features instead of doing it via hacks using apps running commands as root. If you want it you can make your own builds with it instead of us doubling the number of builds and deltas we need to make. Most of the people doing it are modifying the official builds and resigning them. Anyone who can understand the consequences of app-accessible root is capable of doing that.

Aachen: Hi strcat, we had this conversation often enough that I'm starting to recognise the username. It's the same every time: Graphene argues it's dangerous, tech-savvy users want it but aren't necessarily interested in the upkeep (even if they're technically capable of making such a build), plus missing security patches (part of the point of this OS, otherwise you can use Lineage or whatever), and Graphene is under no obligation to provide anything to anyone. Same arguments today as they were from the start except now maybe the security patches' embargo time makes it even more hostile to do custom builds by power users

Frannky: Damn I would love to buy it. In the past I tried different mods trying to get rid of google, the problem was always the same, lot of little annoyances making it very painful for daily usage. A de Googled phone without annoyances and security would be very cool.Another interesting thing is that I haven't had any reason to buy a new phone in a very long time so we are probably in a time where the hardware is commodotized enough for motorola to be able to ship exactly what I need.Never thought I would have think of routing for Motorola in 2026 but you never know!

carpenecopinum: I mean, GrapheneOS hits at least 2/3 of your demands pretty well. The Play services are "regular" apps with permissions that you can take away. For contacts and files you get "scopes", i.e. you decide what the app can see, while the app is left to believe that it can see everything there is.That said, I think the marketing of GrapheneOS could be better. Every introduction of GrapheneOS I've seen paints the image of Graphene being "Absolute security, no compromises", whereas in reality GrapheneOS is the most "Things need to work, no compromises. Then make the rest as safe as possible" custom ROM that I've used thus far (in particular regarding them allowing you to install Google Play, rather than using MicroG).

strcat: Mock Location exists but our Location Scopes feature will largely replace it for non-development use. Camera, Microphone and other scopes features will be provided too. We haven't fully fleshed out what the ones for other permission groups such as Phone will look like yet but it's planned.

gvurrdon: Would there be any means of preventing apps from seeing one's phone number, IMEI etc.?

tarruda: One thing that annoys me is the ability that my mobile carrier has to just throw ad popups.Is that something that GrapheneOS fixes?

pluc: Your carrier does what now?

tarruda: I have a pixel 8a with a TIM SIM card and every once in a while I see an ad popup on my phone.

pluc: Like a popup how? What kind of dialog is it? It's more likely to be an app that's bundled by your carrier than your carrier MitM'ing ads into your stuff which is kinda what it sounded like

ibejoeb: > We've convinced multiple banks to permit GrapheneOS, and that's going to become MUCH easier now.I did not know that. That is very interesting.On that topic, an honest question: what is the killer feature of banking apps that everyone is so hot on? Are we talking like retail banking or money transmitters? I am not using any bespoke banking apps, and I don't feel like I'm missing out, but maybe I just don't know what I'm missing.What does detract from my GrapheneOS experience is the keyboard. It's just ok. I need swipe typing though, and I haven't found anything even close to gboard glide.

patrakov: We are talking about banking and pseudo-banking apps with the following typical features:* A wallet for QR-code based payments backed by a national standard for their content and by the money in your bank account;* A software implementation of an NFC-enabled credit or debit card, or sometimes with a magnetic strip emulation in addition to that;* An interface to transfer money to other bank accounts in the same country or abroad, or to convert between local and foreign currency if you have a foreign currency bank account;* A way to pay common utility bills - in some cases, by scanning the QR code on the bill;* A way to manage banking and investment accounts - e.g., if you want an extra savings account in Japanese yen with a new debit card attached to it, tap a few times and it's there;* A chat with bank representatives - for example, to provide supporting documents by photographing them, without ever visiting the bank;* A second factor (as in 2FA) to approve money transfers initiated from the desktop web browser, meeting the bank standards where TOTP can't meet them (e.g., due to the legal requirement to say what transaction the code is for).The real problem is that many banks are deprecating their browser-based interfaces and are turning app-only.

mmh0000: If true. And I put a big if on that.I WILL be buying their flagship model.My go to for Graphene has been used Pixels from eBay. Because I can’t give money to Google in good conscience.

dataflow: You should really try to buy any phone used if you can, whether Pixel or Google or not.

scrollop: Why?

dataflow: For the environment? To reduce e-waste? And you'll almost certainly save substantial money too.

palata: How good is it for the environment / e-waste? If you buy a used phone every year from someone buying a new phone every year, it means that you both use one phone every two years, right? It's a lot worse than buying a new phone and keeping it for 8 years.If I said "I buy new phones regularly, but I sell them in second hand, for the environment". Would you consider I actually make an effort for the environment?

dataflow: [delayed]

thot_experiment: I'm not holding my breath but it would be amazing to have root and be able to tap to pay without constantly playing cat and mouse with google.

diacritical: Unfortunately from what I read a couple of times, including a month or so ago, GrapheneOS discourages and doesn't support rooting the phone for security reasons that seem vague to me and don't appeal to my need to actually own my phone and OS. You could still root it with some third party tools from what I know, but not having root as the default makes it less of a secure FOSS OS and more of a closed down toy.As for payment apps and other crap that refuses to run if I, the owner and administrator of my own device, don't have admin access, I would just refuse to run it. What's next - websites refusing to work if I have root on my Linux desktop?

strcat: LineageOS also discourages and doesn't support replacing the core of the OS with a rootkit providing persistent app accessible root. GrapheneOS is no different from LineageOS in that regard. People do this with GrapheneOS regardless of our strong recommendation not do it. Our reasons for discouraging it aren't vague. It very directly harms the security model and is not a good approach to implementing any of the features hacked together through it. Those features should be properly implemented to fit within the overall approach taken by GrapheneOS. Giving root access to a huge portion of the OS harms security even if you never use the feature. It does not mean you can't do it, we only recommend you don't.

Narushia: I agree that the features should ideally be provided by the base system so that the user does not have to "hack them in" with root-powered apps. But the reality is that most Android "distros" simply do not support the features that I would consider basic functionality. I mainly root for three reasons:- Backing up all app data via Neo Backup. Android has an auto-backup feature that backs up app data to the user's Google Drive, but unfortunately the app developer can simply opt out of this, and the user cannot do anything about it. The app data may be lost when migrating to a new phone.- High-quality call recording via Call Recorder. For some reason, some (most?) phones do not allow apps to access the raw incoming audio stream. Non-root apps have to rely on capturing the other end through the microphone, which is horrible.- /etc/hosts-based ad blocking while using a VPN via AdAway. DNS-based ad blocking is possible via apps like AdGuard, which use a local VPN to accomplish this. Unfortunately, Android only allows one VPN connection at a time, which means that without root I would not be able to use a VPN for any other purpose and block ads simultaneously.---I have no experience with GrapheneOS, so I'd be interested to hear if these features are possible on it without rooting. If not, can I request these features somewhere?

strcat: GrapheneOS is not QubesOS. We have our own approach and goals. Our approach includes heavily focusing on our resources on our mission which includes needing to do a lot of hardware-related work to deploy features like hardware memory tagging. We're actively working with Motorola and Qualcomm on improving their hardware to meet our requirements. We're also going to work with Qualcomm on improving Linux kernel security. It's not part of our mission to support devices where we can't provide our core feature set. It would drain a huge amount of our resources and lead to people buying those instead of devices with real GrapheneOS providing all the features. Supporting devices with less than 7 years of support also isn't very appealing when we have those via Pixels and can have the same for the new devices.GrapheneOS does support budget devices. Pixel 8a, Pixel 9a and Pixel 10a are budget devices. It's true that they aren't on the low side of budget pricing at launch but they have 7 years of support from launch. Pixel 8a is approaching 2 years old but has over 5 years of support remaining. The only limitation in practice is that Pixels aren't sold officially in enough countries yet, which can be solved by our Motorola partnership. We don't need more than a range of devices fulfilling what most people want which are available internationally. People would still need to go out of the way to buy a device with GrapheneOS support if we supported more than the 20 models we do.You're also ignoring all of the work we have to do on devices which is already a massive amount with 20 supported models of Pixels. We build specialized releases with minimum attack surface for each with plans to use per-device RANDSTRUCT and other similar features too. We could make most of the OS builds generic as AOSP has support for it but it goes against our goals. We also have to test it on each device ourselves before Alpha. Each device needs to be tested more broadly by our community.Our goals have never included supported a huge range of devices. It would drain our limited resources and destroy our ability to provide what we do. It would water down what GrapheneOS provides and sabotage our ability to partner with OEMs. It simply doesn't interest us. People are free to use LineageOS but we strongly recommend avoiding the supposed privacy-focused forks of it which are worse at privacy and security. On nearly any device you won't get basic kernel, driver and firmware updates with LineageOS and it's not a privacy or security hardened OS. Their time is largely spent on device support and it massively slows down how quickly they can do updates too. They wouldn't have time to work on the kinds of privacy features we do let alone the security ones. It isn't as if they're not working hard on their project, they just chose different things to work on and we aren't choosing those over what we work on.GrapheneOS will run on more than Pixels soon. It will start with a regular flagship and then both flip/fold variants. It can then start supporting lower end devices once they improve. The OEM is going to be helping us implement and maintain it which is the only reason it's going to be practical to do it. We already struggle to support as many devices as we do but it's going to be easier on our end to support the ones from Motorola than supporting Pixels due to collaboration.

handedness: There it is.

handedness: "Every time someone makes the same unreasonable demand of you, you offer the same explanation of why their demand is unreasonable."

Imustaskforhelp: Is this feature gonna be on All phones including Low-end/mid-end (4-8Gb ram) and their flagship phones?It's gonna be huge if that's the case because Pixel's here are expensive, their second hand prices are in "non-global" countries[0] and you have to pay a premium. Also I live in world's largest second-hand phone market and it can have its worries as well.You can't say to anyone who wants privacy, oh just buy a second-hand pixel. It's just not that easy.But if Motorola can launch multiple phones and there are always gonna be some deals one way or another (with cards) and as motorola phones are pretty competitive in price, Finally we can have phones worldwide where privacy isn't charged extra.I have spent some hours looking at online second hand phone stores to find but due to its somewhat rarity, I always feel like being frugal, I am just paying extra for privacy and so I am really happy with decision from motorola using their supply chain of phones and partnering up with Graphene.I was gonna buy a phone for myself, I was thinking a second hand pixel phone but given the things I said earlier at this point, I might as well wait for a few more months to get the moto phone.I just hope that they launch an affordable phone with grapheneos. I really don't care about specs as I have been able to live my life with 7 year old motorola phones too in 2026 for sometime.I will definitely recommend my family Motorola phones in the future and slowly convert everyone to motorola if motorola releases an affordable phone with actual privacy.[0]:https://www.xcitium.com/blog/news/why-is-google-pixel-not-gl...

backscratches: graphene has said only flagships at first, but eventually they hope to end up on lower tier devices.

Imustaskforhelp: Looks like I might have to wait for sometime then but still I am pretty excited about it yea!

HugoTea: GrapheneOS doesn't give you root access, citing security issues it introduces. You could re-compile your own copy with root access, though not sure if we'll then be back to some non-certified OS that can't make payments...

thot_experiment: Yikes. Nevermind. The whole phone security model is one of the worst things to happen to computing, the concept that you shouldn't own your device for safety is so fucked.

charcircuit: Android is not UNIX, and that's a good thing. The root account was a historical mistake and not having access to it doesn't mean you don't own your device. That mindset is just trying to project how things worked with a half century old operating system with how modern operating systems work.

fsflover: Perhaps you may be interested in Librem 5 or Pinephone, both of which have hardware kill switches for modem and available schematics. The latter even has most of the modem software freed.

strcat: Those devices have atrocious security at a hardware, firmware and software level. Their microphone kill switch also doesn't prevent audio recording. They aren't open hardware despite many attempts to mislead people with the marketing.> The latter even has most of the modem software freed.Pinephones have entirely closed source baseband firmware. They use a highly unusual cellular radio which includes both an incredibly outdated Qualcomm baseband processor with atrocious updates and security combined with an extremely outdated proprietary fork of Android running on an extra CPU core which isn't present in any mainstream smartphone. It's only replacing the unusual extra OS which has been done. That whole component doesn't exist on other smartphones and the only reason it's possible to replace it is because the whole radio has absolutely atrocious security. The radio is connected via a far higher attack surface USB connection providing far less isolation for the OS and the USB connection can be used to flash the proprietary Android OS via the fastboot protocol. The baseband firmware itself doesn't have any replacement available.

daneel_w: > Pinephones have entirely closed source baseband firmware.> The baseband firmware itself doesn't have any replacement available.Same with the Google Pixels and their Samsung Exynos modem. Neither you nor GrapheneOS users have any idea at all what's going on in their cellular transceivers. What will it be for the upcoming Motorola phone?

NoboruWataya: > On that topic, an honest question: what is the killer feature of banking apps that everyone is so hot on? Are we talking like retail banking or money transmitters? I am not using any bespoke banking apps, and I don't feel like I'm missing out, but maybe I just don't know what I'm missing.For me, the killer "feature" is that I need to generate an auth code on my bank's app to be able to log in to my account and make transfers via my browser (or I can use the app directly). In other words, it's considerably more difficult to actually do (retail) banking without my bank's app.

john01dav: What, exactly, is sandboxed Google play prevented from accessing? Can I feed it a fake location or disable location access? Is it prevented from running in the background 24/7? Can I force it and just it through a VPN? Or is it just blocked from accessing apps and files that aren't in the sandbox? There are many such questions and all could be considered "sandbox".

Itoldmyselfso: Sandboxed Google Play receives no special access at all, so you can deny it all permissions if you want, but you should grant network (and maybe notifications) permission for it to actually function.https://grapheneos.org/features#sandboxed-google-play

bornfreddy: Well that's a bit misleading answer. Some apps refuse to work if G services are disabled, so they clearly communicate with them. It would be nice to know what exactly G learned about the phone through those "sandboxed" apps.

palata: I denied the contacts permission to the Play Services. It just shows a notification when it tries to access them, which is actually not common at all.

distantranges: The only thing that keeps me from switching to GrapheneOS on my Pixel 10 pro is satellite SOS which isn't supported on GrapheneOS. It's something important to me as I do mountain sports and in some locations there is no network signal.I know that in the US Verizon and Tmobile customers have access to satellite connectivity and it's possible to get this feature working on a GrapheneOS phone if you are one of their customers, but I am in Europe and European providers don't provide satellite connectivity.

fsflover: Removing access of users to their device is not security. At least not when users do not want this.

ibejoeb: Got it. That makes more sense, i.e., that you're essentially required to use it rather than getting something in addition.

subscribed: And this is somehow harming who?You're free to fork it to adapt it to your device.The expectation that the entire project brand must be diluted (by lowering the security) to support you specifically, or you feel wronged, is a little, my apologies -- absurd.

hn_acc1: There are a couple of apps I use that I kind of need: jb4 and Mando ECS (both for my car). Would be nice if they worked - anyone know?My S21 FE 5G is still fine (for now), going on 3 years. But I'm sure Samsung will cripple the battery life at some point..

thisislife2: Let me give you another perspective - you cannot fight a foreign state that wants to hack your device and access your personal data. Even Apple iPhones, who often taut how "secure" their devices are, remain vulnerable to state spywares. A secured device, at most, will protect your data from the police or lay cracker or malware, who lack the means to use more sophisticated methods to access your data. When Android forks (like Lineage OS or Graphene OS) advertise that their Oses are more "secure", with better "data protection", what they mean is that their OSes try and prevent data leakages to the OS vendors (like Google or Apple or other BigTech) or to online services integrated with the OS or through system and user installed apps. In other words, "privacy and security" primarily means that they try and prevent surveillance capitalism.

chpatrick: Actually Graphene has been shown to be resilient (uniquely) to some of the forensic tools used by governments.

M95D: Probably because nobody targeted them yet.

latentsea: Which demographics do you think run GrapheneOS as a daily driver other than people who have shit to hide? They've definitely been targeted.

NotPractical: ...apparently most of HN, judging by these recent threads?

yooastan: A physical keyboard device with GrapheneOS would mog

WithinReason: Just buy a keyboard case for it, no need for permanent attachment. Or carry a tiny bluetooth keyboard in your pocket:https://www.amazon.co.uk/dp/B0FWC8G2Q8/

bitwize: Ah, Doohoeek, a time-honored, trusted brand.

hn_acc1: I'd rather buy from Doohickey.

deno: Go to [Settings] » [Apps] » [Special app access] » [Display over other apps] and check if any preinstalled carrier apps or anything suspicious has this permission granted.

tarruda: Just checked, and only "Phone" and "Google" have this permission.There are no preinstalled apps, I bought this phone clean on Germany and then added a Brazil's SIM card when I got back.Could it be that the SIM card has some control over the Phone app?

deno: You can tap on the three dots to show System apps and see if you can disable the permission for SIM Toolkit.

ysnp: The Google Pixel has first-class support for alternate OSes (not custom firmware like a Chromebook). The OEM has to go out of their way to support avb_custom_key as mentioned in https://android.googlesource.com/platform/external/avb/+/mas... and I believe the GrapheneOS founder strcat was heavily involved in helping Google design this feature and flow for Android Verified Boot.

Ms-J: While it's nice to have somewhat of a choice between terrible and bad, we need a Linux based OS that doesn't depend on Google at all.While I'm at it, I don't trust GrapheneOS. The devs injecting certain types of politics into the project.But it's better than both Apple and Google who both are known to spy and have tons of backdoors.

deno: Apparently this is handled by the privileged STK[1] service. It can launch browser which is I think what's happening.GrapheneOS doesn’t do anything different in this case, they pull it from AOSP without modifications. However you can disable it using SIM Toolkit App as someone pointed out.[1] https://wladimir-tm4pda.github.io/porting/stk.html

Fokamul: Banking apps will be catastrophe in the future. Petition your bank, you want to use PC web app with certificate authentication.If they don't support it -> notify them and change bank. Enough people doing this, something will change.

dns_snek: Good luck with that. Of all the things people don't really care about, I think that might be at the far end of the list.Certification authentication is neat technology in principle, I use it internally, but in my experience anyone who recognizes it also hates it passionately. It's the thing that seemingly stops working every time their taxes are due, courtesy of terrible government software.If I started telling people that they should be demanding certificate authentication from their banks, they'd probably think that I escaped an asylum.

DANmode: > Neither you nor GrapheneOS users have any idea at all what's going on in their cellular transceiversPixel has an IOMMU - are you implying that’s being defeated, or that you weren’t aware of it?

Aachen: Read what I wrote, "demanding" was addressed (though with the word obligation, functionally the same here):> and Graphene is under no obligation to provide anything to anyone.And here I thought it felt repetitive between (sub) threads

dns_snek: You say you understand that they're under no obligation to do anything, you already knew their reasoning, yet you still wrote a comment [seemingly] complaining about it. Was there a different purpose to it?

DANmode: Yeah, I hide that I’m using apps from other spyware apps.What of it?

kevincox: Yeah, this is the deal breaker for me as well. The fact that I own my device is non-negotiable. It is the reason I left the stock OS and I'm not going back. The idea that I can't access my own files if an app doesn't explicitly give me access is wild to me. I understand there are security risks of a root permission but it is important to have that fallback when you need it and the existing permissions aren't sufficient.

thot_experiment: The "access your own files" thing is so insane! Hard to describe my feelings [negative] when I found out that all of my voice notes were in the voice recorder and the easiest way to get them out was to manually send each one to myself over discord. Google helpfully mentions that you can just "download them through google takeout" and doesn't leave any option for people who don't just give all their personal data to google.

MSFT_Edging: I use a FOSS voice recorder app from F-Droid. It's just called "Voice Recorder" with an orange icon. It does exactly what it says, records audio from your microphone, lets you play them back. They're just files on the device.Anytime I need a "simple" utility, I check f-droid first to get the one-trick-pony app over spyware from the play store.Other utilities I use are: WorkTimer: pomodoro app DiskUsage: self explanatory Http Request Shortcuts: setup home screen app shortcuts that run http requests

thot_experiment: Yeah I swapped to using the f-droid version after that debacle, though the one i use has a green icon. XD

yason: I would certainly be using GrapheneOS if only I could get one to run on something else than a Pixel.I have a perfectly good phone whose bootloader can be unlocked and I can install LineageOS or other AOSP installations there but all I'm aware of and I've researched come short on the sandboxing and permissions. I'd be willing to use GrapheneOS without support for specific security hardware (if only they supported that configuration) just for the features mentioned but Pixel phones are just too expensive. I've always been more than happy with a decent low-tier phone and I don't see a technical reason to change that. Nothing wrong with my phone.

jasonvorhe: Pixel A's are quite affordable. GrapheneOS is open source so if there was a need, people could get it to run on insecure devices that aren't Pixels. Expecting that to be done by GrapheneOS developers who care about security just seems weird.

ethbr1: > Pixel A's are quite affordableThere's first-world, upper-middle-class affordable (~$500) and then there's global affordable (<$250).

Gander5739: I got a Pixel 7 secondhand (but good condition) for the equivalent of about $270. It would have been less but I needed 256 gb of storage.

thot_experiment: What a disgusting take. It's actually so depressing to see anyone say this, presumably sincerely. It's how all the modern operating systems I use work.It's what makes computers so wonderful and powerful, you can just have it do whatever you want. Turning that into "whatever google decides i should be allowed to do" is not gonna lead us to a bright future.