After using LineageOS for long time, I have finally moved to GrapheneOS. I use a lot of banking and financial apps which I never felt comfortable using on LineageOS due to lack of proper sandboxing, unlocked bootloader etc.
GrapheneOS works flawlessly just like Android. You don’t even notice there’s hardening underneath. Also it protects from Google’s evil location tracking using WiFi/Bluetooth or even when the Location is turned off. I don’t understand how people in general are comfortable with Google tracking all the time. You can use Google Play and Play Services in a sandbox that works just like regular installation, but without deep tracking.
If you haven’t tried GrapheneOS, try it. You won’t go back to regular Android.
You must log in or register to comment.
I just looked it up and GrapheneOS only works on google hardware? So you had to give google some money first or did you get it to work on something else?
Yeah the fact that Pixel Phones are the defacto standard for privacy phones is absurd. It’s guaranteed chock full of hardware surveillance tools you can’t remove with custom roms or kernels.
Outside of the Pixel lineup, custom rom support is almost non-existant in 2024. it’s wild, you can get the same or better hardware for half the price.
Xiaomis and some other chinease brands have decent custom rom support, but no grapheneos and no bootloader relocking (except some oneplus phones)
I have a Xiaomi, I love their hardware and the fact that it’s bugged by a foreign nation rather than my own. But Xiaomi software is garbage and flashing is an absolute pain. I looked at what rom support modern Xiaomi devices have and I am not impressed. It’s almost all half baked or not privacy oriented. I’ve been struggling with one of said ROMs for years.
I am sick of flashing one-off ROMs without proper support or OTA, and constant system level bugs.
I’d love to have a manufacturer with open-source/open hardware focused cheap high performance repairable hardware and with privacy ROMs as a first-class citizen. Like a Fairphone if it was good.
But sadly all of these devices end up with bad support too in the end.
I think the main issue is that most ROM developers today only buy the most high end flagship devices, since those are the only ones that get any decent support. I’m guessing that’s because they all got high paying tech jobs now.
Well, there is no support from privacy roms, but I can survive with lineageos+microg (with somewhat decent updates) on redmi 4x. There is support for poco f5 and redmi 12 from crdroid, which supports microg and is apparently decent. Cheaper options usually have mediatek processors (mediatek doesn’t opensource their software or release fw blobs), so the support on those phones is terrible. Support on snapdragon xiaomis is still way better, then on samsung, oppo, etc.
If you buy one used that is how you can get around giving Google money.
From a security standpoint it might give you a temporary benefit since all of Google’s tracking IDs will be associated with the original owner. On a new phone I figure it’s associated with you immediately.
Not really. You carry arround a Google devices and people notice the brand and devices are more valuable when also desired second hand.
All of this supports Google
Cover the G logo with a pop socket or some shit. No one will give enough of a shit to desire your phone. Buying used always denies OEMs sales so its always good to buy used
Great!
I go back to regular degoogled Android btw. Not a fan of the new pixel design. May come back later
@PullPantsUnsworn
I’m honestly only afraid of bricking my primary phone. That’s the only reason I’m still on stock android. It’s the inconvenience of having to buy my way out of a brick.GrapheneOS is the easy to install OS among any mobile platform. Everything is through a web UI, so you are very unlikely to brick your phone. You don’t need to type a single command. Also even if you brick a Pixel phone, it’s very easy to install stock Android build through Google with a similar installation process.
@PullPantsUnsworn
Ah but I’m running a Fairphone 4, so I’m not sure how a restore would work. Although I know I won’t void the warranty by changing the OS. Maybe I’ll see what their policy is on repairing a buggered attempt at the OS change. They provide /e/os from the shop like.Ah well then you can’t have GrapheneOS anyway
iodéOS is available on the Fairphone 4 and also has a very easy installation process. You just plug your phone in via USB, download the installer and follow the on-screen instructions.
@Ilandar
How is it for sandboxing banking apps? That’s my biggest worry about switching phone OS is losing access to my banking apps. I get I can use the browser, but sure we all know mobile browsing is made purposefully shit to drive up app installs anyway.I can’t definitively say, as that depends on your financial institution. There is a community list here with apps that have been confirmed as compatible or incompatible. You could also try searching the Plexus app, which is a larger community app compatibility project. My credit union’s app has worked on every deGoogled ROM I’ve used, including iodéOS, and I’ve never experienced the problems others mention.
@swamptin @PullPantsUnsworn I’ve been using /e/os for a few months and like it. Good integration with Nextcloud.
@futureidentity
That’s cool! Any experience with banking apps? I expect to have to sandbox at least one, but Revolut might even have a native build?Edit: Forums indicate Revolut hasn’t worked naively since 2021
@PullPantsUnsworn@swamptin @PullPantsUnsworn Sorry… I don’t use my phone for banking :^(
There’s also CalyxOS if you don’t want to run anything Google on your phone at all, but still have functional apps and such.
I mean, Graphene does that too, by default. It just has the app store available to be installed in their apps updater. If you don’t go there to install it by yourself, it’s a Google-less device by default.
Functional apps is the important bit, use of microG allows apps to provide push messaging etc without knowing Google services aren’t installed. There’s still some communication with Google as a result, but it’s fully sanitized.
I invite you to try installing common apps like Strava or Pokemon go without any Google services at all.
I was under the impression you could use microG instead of google services as well if you installed it manually?
I haven’t run graphene, so I can’t speak for it. But on any other android variant, microG is a system-app, so that it can spoof Google’s services properly. That means patching the system.
I believe the google framework is installed with less privilege than a system application
It’s anti-libre software.
deleted by creator
GraphmemeOS
honestly the only thing that is stopping me moving rn is Google Pay contactless for my bank cards and my bank app having ridiculous requirements with safetycheck.
Definitely go ahead and tell your bank that you are annoyed by their mobile app only working on the stock OS. Call them, send them an email, whatever. If enough people complain or even threaten to switch banks over this, they might add better support using actual secure hardware-based attestation, which also works on GrapheneOS.
I even switched banks because of their ridiculous requirements for the mobile app, just so I could continue using GrapheneOS. I know that Graphene is much more secure than any other Android-based OS, and running my banking app on it is much safer than on another device. Banks should finally realize this too, which is why we need to complain.
I wish there was a way to keep Grapheneos installed and locked down without root, but with a way to adjust screen color. The only way I can tolerate pixel screen color reproduction is to root it and use an app to adjust it.
I don’t mind giving graphene a try but I’ll be honest, I have the following issues:
- Need to buy a pixel phone for this.
- I use a memory card so pixel phones might not be an option.
- fear of bricking a phone that I just got.
It’s impossible to brick a Pixel while flashing GrapheneOS, thanks to their super easy to use Web-based installer, and Google’s great support for alternative operating systems, which also makes the installation process easier and safer.
If you mess anything up, you can always restart from the beginning and get it fixed. You can’t break a Pixel during flashing.Why not buy a used one? I plan on picking one up from ebay or something.
I can but the issue is that I won’t be using it. My current phone will be better than a used phone bought.
People contemplating moving to graphene, do be aware that banking etc. absolutely can be a major PITA on graphene as well. Several official apps used where i live cannot work in graphene, even with sandboxed play services installed, making day-to-day life functionally impossible with graphene. Luckily reverting to stock android is easy, although I probably wouldn’t have bought a pixel phone if I was planning on using stock OS.
Isn’t it only Google Wallet that doesn’t work? I actually cancelled a bank account I had because their app only worked with Google Wallet. Some banks roll their own NFC payment thing.
I’m on CalyxOS btw, not Graphene.
No that doesn’t work either, but we use a 2FA app to enable mobile banking access, SS access, school communications/message board etc., basically anything that requires you to prove your identity. That app doesn’t work in graphene at all, it flat out refuses and states the OS isn’t secure or the app isn’t installed from a valid source, so all things dependant on this doesn’t work on graphene.
Edit: a lot of other things also fail because graphene apparently doesn’t pass the google play safety check either.
Ah interesting. All my 2FA things work on CalyxOS. But maybe that app is the problem
Some banking apps won’t run without SafetyNet (technically now Play Integrity). Pure AOSP doesn’t have it, and AOSP distributions with sandboxed play services or whatever usually fail the hardware attestation requirements. There are some other reasons banking apps won’t work, but a lot of it is similar stuff.
Well, I never really missed being able to pay via NFC on a phone, but I also never done it. My NFC chip in my card works fine.
When my baking app started detecting my rooted phone, I just switched to using their web-app via Firefox, which allows you to create a direct link to it as an “App”. Which is probably better anyway, than installing random proprietary apps on a phone. And logging into it every time is also easy with a password manager.
So I guess, as long as the banks still offer a website, I am good.
“Making day to day life functionally impossible” is a bit drastic. I think that depends on each individual person, their needs both in terms of banking and privacy.
My banking app doesn’t work on Graphene but I also couldn’t care less. I can just as easily log in to my account via my browser on my phone if I need to do something and it isn’t exactly hard, it takes all of 30 seconds more than using an app.
I realise in some other countries you don’t have that option but were I in the same situation for me that would be enough to change banks, I don’t want to be forced to use an app for anything.
Everyone has different lengths they are willing to go to to protect their privacy and I’m willing to make my life slightly harder where as others may not but I think saying it makes life functionally impossible is a bit of an overstatement and it needs to be judged based on individual needs.
There is a list of what banking apps work and what don’t.I’ll post it in a top level comment for visibility.
The thing is, I’d need the government 2FA app (which doesn’t work in graphene) when logging in to my bank on a browser as well, so that doesn’t change anything.
And I can’t do anything, I can’t check my digital mailbox (not email, we have something specifically for official communication with bank, government etc.), I can’t log in to check messages from my kids school, I can’t order a doctors appointment…you get the picture.
Sounds like more of a problem with your government than GrapheneOS.
it’s a problem because graphene os doesn’t pass google play safety check, or whatever it is called. They are apparently not able to make the sandboxes play services good enough to pass so the app accepts it’s validity.
It’s actually a problem with Google, because the only reason GrapheneOS doesn’t pass the Play Integrity API check is that Google enforces a whitelist of allowed operating systems. Even though GrapheneOS is 10x as secure as the stock OS, Google doesn’t allow it. Since this is a highly monopolistic practice, the GrapheneOS team is talking to regulators to finally stop this: https://grapheneos.social/@GrapheneOS/112916691727814901
Yeah i understand what you are saying and that is why everyone’s individual needs come into play.
I don’t know what country you are in and that can obviously affect things, my banks 2FA is an SMS. I have options in terms of the other things you mentioned, where as you may not have.
Banking compatability by country. In my experience even banking apps not mentioned also work. https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/
deleted by creator
Does RCS work reliably on Graphene? I thought Google was fucking with RCS quietly for those on custom ROMs or other things.
I have graphene OS on my pixel 8. RCS works flawlessly with the Google messages app. No issues…
excellent, glad to hear
I don’t use RCS myself, but there are recent posts on the GOS forums and it appears to be working fine once all of the prerequisites are installed.
Woot! Welcome to the club! Fuck Google!
Graphene uses the same sandboxing as AOSP. If you are talking about Google services framework then that makes a little sense but by itself the apps are about the same in terms of security.
Uh, u sure?
Yes
My next phone is definitely going to be a Pixel for this reason. But my current one is not even 6 years old so I’ll wait a bit.
