Reclaiming Mobile Privacy with GrapheneOS (xn--gckvb8fzb.com)
1. They're the only ROM project that actually focuses on improving application level safety. This is a bigger deal than a lot of people realise.
2. They offer installation remote attestation - again, worth using if you can.
3. Lots of drama with Calyx and GrapheneOS which is very hard to familiarise with. This is because the discourse is often deleted (this is the policy of the Graphene OS chatrooms) and so it is difficult to verify claims without pointing to another instance of deleted comments/purported harassment. If you can help it, I recommend just trying to ignore the whole thing until they start screenshotting the actual harassment.
4. A lot of people talk about Graphene having worse performance than a lot of other ROMs but this is actually counter to my own experience. Graphene is consistently the fastest ROM I have used.
5. You may see people kick up a shit about how Graphene uses sandboxed play store and how that's a bad thing somehow. If you are worried, keep in mind you can still use Aurora if you want your install to be anonymised (but frankly I am not sure what the extent of the changes that Aurora makes is). Similarly F-Droid is available, but is super weird about how they sign apps.
6. There are a LOT of updates. This is a good thing but it can throw you off if you're coming from another ROM.
> 3. Lots of drama with Calyx and GrapheneOS which is very hard to familiarise with. This is because the discourse is often deleted (this is the policy of the Graphene OS chatrooms) and so it is difficult to verify claims without pointing to another instance of deleted comments/purported harassment. If you can help it, I recommend just trying to ignore the whole thing until they start screenshotting the actual harassment.
You can see the usual clearly inaccurate talking points from several of them in this thread including one of them making personal attacks and fabrications about me with their comment buried at the bottom. We've posted lots of information and proof including screenshots of harassment. Look at my personal @DanielMicay Twitter account where you can see blatant harassment from @maxtannahill, a Calyx reseller working with them and participating in their communities / private groups. He's openly a neo-nazi and I linked a post of his on Twitter where he openly engages in holocaust denial, but there's a lot more where that came from. You can look at what the Calyx devs/leadership were doing in their chat room yesterday, happily talking with someone who has repeatedly called for me to kill myself and spreading misinformation about myself and GrapheneOS with them. What proof is missing for you? We've posted screenshots / logs of their developers repeatedly calling me "crazy", "delusional", "schizophrenic", etc. as part of that consistent, pervasive bullying they've started across platforms.
> 5. You may see people kick up a shit about how Graphene uses sandboxed play store and how that's a bad thing somehow. If you are worried, keep in mind you can still use Aurora if you want your install to be anonymised (but frankly I am not sure what the extent of the changes that Aurora makes is). Similarly F-Droid is available, but is super weird about how they sign apps.
It's an optional feature: the ability to run Google Play in the full standard app sandbox. It's the same sandbox used for every other user installed app and it's not clear why that would be concerning. The feature we provide is a compatibility layer which teaches Play services and the Play Store to work within the standard app sandbox by reimplementing all the privileged functionality they try to use with unprivileged implementations. Since they run as regular sandboxed apps, they simply get an exception / error if they try to use functionality that's not yet stubbed out or reimplemented. It's not a special sandbox, and we give them absolutely zero special access or privileges. People are running Google Play code inside apps like Tinder and Discord since those include the Google Play SDK / libraries, and those apps run in the same sandbox. No permissions need to be granted to sandboxed Google Play to have 99% of the functionality working well, which is more than can be said for most apps.
Re: your response to point 3, I appreciate that engaging with trolls and other harassment is not fun for the person being targeted, so my comment here is not actually targeted at you specifically, but anyone in Graphene willing to help here. Here is what I mean specifically:
Your provided examples are definitely better than the chatlog situation but there is still something that I would like to see different if possible. In each of your examples in your text block, you potentially provide something I would call documentation, but the format is transient. There is no direct quote and no link.
More explicitly, there is a verbal reference to posts by @maxtannahill (I quickly browsed his twitter but just saw crypto nonsense), but missing are a direct quote with link to the tweets he made. The direct quote means he cannot delete the tweet and delete the wrongdoing, and the link provides a way for third parties to verify claims.
For example, this might look like e.g. "strcat did so and so"[1]. Then in the references section - [1] - quote pulled from https://URLofSpecificTweetInQuestion. Again, it wouldn't be something I'd ask you to do because if it is targeting you in particular, that would be somewhat confronting.
The same issue exists for the harassment you mentioned in this thread. There is a deleted comment by joemazerino, whom I assume is the harasser you are mentioning, and his replies are vague as fuck and slightly hostile (which is suspicious) but his post is deleted so it's hard to come into it "fresh". A preemptive direct quote and link in situations like this is ideal.
Re: 5 I think I may have made an error that I need to correct. Based on the sandbox model, does that mean that, other than install and updates, the sandboxed playstore apps are just as private as the Aurora offering? And are there any plans to provide anonymisation for installs and updates moving forward?
- some crapplications do not want to run on custom rom
- more than mere mobile privacy I'm MUCH worried about new cars (which happen to be mobile crapware connected crap)...
As a small dumb example, I've got my new EV, formally already fitted by default with crappy surveillance contracts with some vendors "pre-paid" and I have to unsubscribe from them all one-by-one. Car itself is a mobile OS, connected to the vendor and who knows what PLUS Android Auto/Apple CarPlay. Being semi-autonomous and connected, it can potentially be blocked or cracked from remote and I doubt we can even LEGALLY flash other firmware.
To add a small anecdote, I found the car already bound to the vendor phone; it's new, but they probably did some tests, it being a vehicle in their exposition, and he simply forgot to unbind it. Which means he can potentially track, remote open, remote power on etc. the car.
In such terms while I prize all FLOSS efforts we can't have privacy on mobile crapware and craphw: the sole option is IMPOSING with popular acclaim mandatory FLOSS for anything and all "connections" must be in the term "your device can expose, at your options as the real owner of the device, some services to the net. All we offer is a connection service, with a public IPv6 address and a (sub)domain name for you. You choose what to do with it". No "push-OTA" and other stuff allowed by laws, with sanctions severe enough no one would even try to.
If you need help getting apps working, please ask on https://discuss.grapheneos.org/ or #grapheneos:grapheneos.org on Matrix. We'll be happy to help you get them working and if they aren't working we'll fix the remaining rare compatibility issues. Nearly every application works on GrapheneOS if you install the sandboxed Google Play compatibility layer and make use of the per-app exploit protection compatibility toggle for apps with memory corruption bugs. The compatibility mode doesn't reduce OS security, it just disables certain features protecting the app itself against attackers. We may eventually maintain a list of apps requiring the compatibility mode to do this for major apps like Among Us automatically. Also, note some apps require dependencies like Google Play Games which aren't installed for you automatically.
GrapheneOS provides our sandboxed Google Play compatibility layer allowing using the Google Play apps as regular apps in the full standard app sandbox with no special access or privileges. We've made them work like any other apps, with absolutely no ability to do something a regular user installed app can't do. You also don't need to grant them permissions to use 95% of functionality and can revoke our added Sensors toggle (Network COULD be revoked and you can use GSF + Google Camera + Google Photos with Network revoked from each but most of Play services exists to provide Google services so it would somewhat defeat the purpose, but it's possible).
Calyx supports Pixel3 and Fairphone, but otherwise looks pretty similar. According to GOS's main developer's comments in this thread, Calyx:
- doesn't have features like https://grapheneos.org/features#storage-scopes.
- doesn't have the Play sandbox
- "isn't a hardened OS and isn't at all comparable to GrapheneOS. They recently didn't even ship half the baseline Android security patches for 2 months, let alone providing much better patching and substantially hardening the privacy and security of the OS"
My opinion is biased since I'm a GOS user, and I have a very positive opinion of the project, so take this with a pinch of salt.
First, let me preface this with the fact that, in my opinion, overall it's a pretty solid OS. After having done research several times, the only other mod I've considered is LineageOS, but last I checked, there were no builds for my Pixel 6 Pro.
My biggest two issues with it are that it doesn't have any usability improvements other mods have. It's not on them though, as it's an expectation I have of mods, but obviously this is like having an expectation of support for FLOSS. It's annoying, but it is what it is.
The default camera app is subpar compared to the stock camera app of Pixel phones. I use OpenCamera, but it's also not great (though that opinion might stem from me not knowing how to use it properly).
The bigger issue I have with it is that, while sandboxed Google services generally work pretty well, some apps don't work properly with the location requests proxy. I'd love to enable it, but, for example, Citymapper is unable to track me when I use it. Finding a location sometimes can take very long.
I would love to have LineageOS improved by having the hardening patches that are in GrapheneOS.
I've personally found the GrapheneOS camera to be great, and it's what I use 99% of the time on GrapheneOS. I especially like that it has the ability to remove Exif data from photos without me having to run them through a metadata eraser app.
That said, Google Camera works great on GrapheneOS with Sandboxed Google Play. In fact, you currently only need GSF to use it (not Play Services or Play Store). You can even put GSF + Google Camera in its own user profile and deny the network permission to both of those apps. Doesn't get much better than that.
> The bigger issue I have with it is that, while sandboxed Google services generally work pretty well, some apps don't work properly with the location requests proxy. I'd love to enable it, but, for example, Citymapper is unable to track me when I use it. Finding a location sometimes can take very long.
It's important to understand that Sandboxed Google Play re-routing location to the OS is an option that can be changed. A lot of apps will expect the same kind of location accuracy present on Stock OS with regular Play Services, and so they may not work as expected. It's not really something that GrapheneOS can fix, but it does of course provide the ability to switch to the same kind of location services that are used on Stock for maximum compatibility. In general, with GrapheneOS, you get choices; that's the magic of it.
I've learned to expect that from FOSS software that has any kind of security claims and purports to help me be more private or secure. Particularly since I don't have the necessary skills/knowledge to do so myself.
On one hand I like the no spoofing position the devs took, on the other hand my banking app.
- wipe after X incorrect attempts
- configure a "kill" passcode that instantly wipes the phone
- configure arbitrary passcodes that are mapped to actions when entered
- there's a feature to make phone reboot every X hours, if not unlocked, add a parallel feature to wipe phone if not unlocked in X hours.
- something where the passcodes are use once, and using an already used passcode wipes the phone. So you can bait LE and say "last time I unlocked it with X" and if they're stupid enough to not question you further, and just try X, it'll wipe, and it'll be their fault
- something to set a chance of wipe on the correct passcode, so you can say "any passcode might wipe the device"
I'm interested in hearing more ideas here.
I really miss syncthing.
I'd love to run one of them but I bought a Motorola explicitly because it wasn't a Google device.
I also want to be as far away from Google as I can, but I felt as though the hardware was probably a loss leader for goog and worth it to me for what I would gain.
GrapheneOS takes great care to only list features that they add on top of AOSP, instead of marketing AOSP features as their own. You can check their features page here:
The phone bricked due to frequent updates. Which now I see happened to many people with Pixel phones, custom ROM or original. I did not find an easy way to delay or disable the updates.
And they immediately upgrade everything, not just security updates, so something will probably break, apps stop working, and your workflow in general, because a lot of things change across Android versions
Most people are not trying to run away from the 3 letter agencies. We want as much privacy and security as possible, but we also want a fast phone, usable, compatible with apps, and customizable. This OS looks more like an exercise in security, a good one, but clearly prioritized over privacy and usability
The developers, I am sure they are trying to do what they think is best, but they come across a bit arrogant
I don't care if root is an insecure vector, I will 100% root my phone. And use Google camera app. And use f-droid and whatever insecure app I wanna use
Especially in conflicts with other open source communities, like Bromite, F-droid, CalyxOS, AOSP, microg... deciding to just do as much alone as possible, which sounds unsustainable
Their built in browser still sends data to Google, privacy by blending in, but I would recommend installing Bromite, with the model of blocking everything
Edits: several
Then there's also play services. A lot of things do work without it, but a lot either won't start (Uber) or become annoying with pop-up errors (Robinhood). It really makes me appreciate software that was designed to work without all that stuff.
You should read https://grapheneos.org/usage#banking-apps and https://grapheneos.org/articles/attestation-compatibility-gu.... GrapheneOS has full hardware-based attestation support and we use it ourselves in a much more secure way than this weak anti-fraud approach. The long-term solution is convincing major apps wanting to deploy this to allowlist GrapheneOS via hardware attestation.
We currently choose not to ship patches spoofing the traditional software-based SafetyNet attestation / Play Integrity API attestation. The reason for this is because we don't really want to ship a set of hacks which will stop working when they improve it and will permanently stop working when a service starts checking for strong verification. Having users start depending on Google Pay NFC payments working and then having it go away would be a problem for a production quality OS in a way that it wouldn't for a hobbyist project where expectations are different. We don't want to essentially commit to providing something we know is impossible to keep providing due to hardware attestation.
You can only spoof the weak basic verification, and whether it passed strong verification is always there in the result. It's only a matter of time before those services require it. It's based on when they're ready to start phasing out support for devices launched with Android 7.x and earlier along with a few phones that shipped with broken verified boot / attestation support even after it was required such as OnePlus. They can require it only for certain features if they want. Android 10+ is needed for security updates, so if they truly do care about security, nearly 100% of devices launched with Android 7.x and earlier are irrelevant now since only a small portion got upgraded to Android 10 (almost none beyond it) and those are now losing security support. Android 10 will be losing security support soon.
We may reconsider and ship spoofing for the legacy software-based attestation (known as non-strong verification by those APIs) if not shipping it becomes an adoption issue due to others shipping it. It doesn't mean we think it's a good idea but we'd rather have people using a more secure OS than a highly insecure one often without proper security patches and a fake patch level displayed...
> The reason for this is because we don't really want to ship a set of hacks which will stop working when they improve it and will permanently stop working when a service starts checking for strong verification.
This is what I really like about the project philosophy. I think you all are right even though the decision breaks some compatibility.
So you are using a Google app (Google Camera) in an objectively much weaker sandbox than the one provided by GrapheneOS. You're giving it shared storage access since it requires it and CalyxOS doesn't have features like https://grapheneos.org/features#storage-scopes. The whole point of sandboxed Google Play on GrapheneOS is that it runs in the full standard app sandbox. It has absolutely no special access or privileges. It's not different than running another app. Same sandbox, same permission model, and all the same GrapheneOS improvements to those including user-facing ones like Storage Scopes, Sensors permission toggle and the Network permission toggle which blocks more forms of access than a firewall-based approach.
You can even use Sandboxed Google Play in a specific user profile, instead of options like MicroG where it has to be privileged for a lot of its features/functionality to function, and where it's ever-present in all of your profiles.
Furthermore, since we're talking about Google apps and services, I find the fact that CalyxOS ships with the privileged eSIM activation Google app which is enabled by default and to my understanding cannot be disabled very concerning...
https://blog.privacyguides.org/2022/04/21/grapheneos-or-caly...
On the other hand, (again) GrapheneOS has it disabled by default and you're given the choice to use it if you need it, instead of having it forced on you by default.
After looking at all options for alternative Android OSes, no matter which way you slice it, GrapheneOS takes the cake, so I don't really understand how someone who has actually looked at both options can call it "terrible".
Be a tiny bit respectful at least.
GrapheneOS isn't any less 'smooth' than the stock OS. You should read https://grapheneos.org/usage#exec-spawning about the optional secure spawning feature which requires additional time for cold start application spawning.
It doesn't really sound like you've used GrapheneOS
> I used it for a year and it was not very smooth
CalyxOS isn't a hardened OS. It substantially reduces security rather than improving it. It recently didn't ship half of the August security patches until part of the way into October including critical remote code execution vulnerabilities. They currently have missing security patches. They roll back the security model. It sounds like you're coming here from that community. A typical pattern from their community is pretending to be GrapheneOS users unhappy with it and spreading misinformation about it, which is obvious to people who know about it and have used it themselves.
> Besides the phone bricked due to frequent updates. Which now I see happened to many people with Pixel phones, custom ROM or original.
> I did not find an easy way to delay or disable the updates.
https://grapheneos.org/usage#updates-disabling
This has been near the top of the usage guide for years and if someone asked on the discussion forum, Matrix chat room, Twitter community or elsewhere they'd almost always be told about it or linked to it.
There's absolutely no common issue with Pixels being bricked on updates. It definitely doesn't happen outside of extremely rare cases with GrapheneOS. It's unlikely that it happened here. Sometimes users do think their device isn't booting since it can take ~20 minutes after certain kinds of updates, but it does boot fine, and if they power it off it will just trigger rolling back.
> And they immediately upgrade everything, not just security updates, so something will probably break, apps stop working, and your workflow in general, because a lot of things change across Android versions.
We follow along with the stable releases of Android. These go through months of public betas. It's not possible to delay upgrading the major release on Pixels without going months without providing full security updates like LineageOS and LineageOS derivatives like CalyxOS. Not providing critical remote code execution patches for literally months as was the case this year from August until part of the way until October for CalyxOS is a serious problem. This occurs for them regularly with the browser engine and other patches too.
> Let's be real, most people are not trying to run away from the 3 letter agencies. We want as much privacy and security as possible, but we also want a fast phone, usable, compatible with apps, and customizable. This OS looks more like an exercise in security, prioritized over privacy and usability
This is not at all accurate. GrapheneOS is highly usable and has broad app compatibility. It has far broader app compatibility than the OS you're trying to promote (CalyxOS). If you've used GrapheneOS, then you're aware it has the sandboxed Google Play compatibility layer (https://grapheneos.org/usage#sandboxed-google-play) allowing using nearly every app on the Play Store without giving any additional access to Google Play than it would have through the SDK / libraries included in those apps.
> The developers, I am sure they are trying to do what they think is best, but they come across a bit arrogant.
I think what comes across as arrogant is someone who is clearly unfamiliar with GrapheneOS and what it provides pretending they know all about it and other projects they haven't used or familiarized themselves with either. Typical for Hacker News though.
> I don't care if root is an insecure vector, I will 100% root my phone. And use Google camera app. And use f-droid and whatever insecure app I wanna use
Google Camera works fine on GrapheneOS without anything special. Google Play works fine on GrapheneOS as regular apps in the full standard app sandbox with all the GrapheneOS improvements to the app sandbox and permission model, and absolutely no special access or privileges. If you've used GrapheneOS or just read our features page and usage guide, then I'm sure you know all this already and don't need me to tell you here.
> Especially to other open source communities, like Bromite, F-droid, CalyxOS, deciding to just do everything alone, which sounds unsustainable
Unlike those projects, we do a substantial amount of collaboration with upstream projects. We do upstream work on AOSP, the Linux kernel, LLVM and other projects. We work with DivestOS, ProtonAOSP and other projects on areas where we have aligned goals. We won't work with people who engage in spreading misinformation about our project and targeting our developers with bullying/harassment like many of the people involved with Calyx.
> Their built in browser still sends data to Google to increase privacy, by blending in, but I think I prefer Bromite model of blocking everything.
This is not accurate. Vanadium doesn't send any user data to Google.
On other custom ROMs such as CalyxOS (my go-to for my Pixels), or LineageOS, I have used microG and it works very well.
[0] https://nitter.net/GrapheneOS/status/1437380576055541761
In practice, you can run most apps on GrapheneOS.
Although it's missing the cons of GOS (if any) and citation for:
> without a strong HSM
So the post smells a bit like a sales pitch for GOS, nonetheless it's useful info. Thanks again!
Does this mean you could install and run Google Play apps on GrapheneOS now? Last I used GrapheneOS (2020), I wasn't able to.
Thank you for the explanation!
https://grapheneos.org/usage#google-camera
You can revoke Network from Google Camera and GSF if you'd like. Google Photos works that way too. None of those need Play services and the Play Store, but you can use Play services and the Play Store as regular sandboxed apps on GrapheneOS. GrapheneOS has MUCH broader app compatibility than CalyxOS and without making the privacy/security sacrifices it does to integrate microG into the OS. CalyxOS has privileged Google services integration built into the OS so you don't need to install anything, but installing apps from our app repository and getting far broader app compatibility with fewer sacrifices isn't a problem for users.
CalyxOS isn't a hardened OS. It substantially reduces security rather than improving it. They roll back the security model and go months without shipping the baseline Android privacy/security updates. They shipped half the August and September security part of the way into October including multiple critical remote code execution vulnerabilities. This happens every year and throughout the year. It's not simply not hardened but not a safe option even for people not focused on privacy/security. Providing proper security updates is the bare minimum. There are still missing security patches with it today, and they're still downplaying and misleading users about it. Just check their recent news posts announcing the August and September updates while admitting they aren't providing half of them. Note: what they say about providing all the open source patches is wrong, since lots of what they skipped was open source, and the updates they skipped were mostly more important than the ones they shipped.
Google Camera works fine as a sandboxed app on GrapheneOS. You can install GSF as a regular sandboxed app alongside Google Camera and use it. Google Photos works fine too. You can disable the Network toggle for all 3 apps if you'd like.
https://grapheneos.org/usage#camera has more information on these topics, although it needs to be updated for recent improvements in our Camera app.
You don't need Play services or the Play Store for Google Camera, but you can use those as part of our sandboxed Google Play feature on GrapheneOS to run nearly all apps from the Play Store.
Regarding community among people valuing security and privacy...
On my most recent big phone/handheld switch, I tried CalyxOS first, but found that I personally preferred GrapheneOS.
I think CalyxOS also has its merits.
Users of CalyxOS and GrapheneOS are relatively small groups, with overlapping interests, and together are stronger, if the tone is friendly competition and mutual assistance.
Check the recent screenshot I posted about a Calyx reseller who works with them (@maxtannahill) and is in several of their private Signal, Matrix and Discord chat rooms. I linked a thread where he openly states his neo-nazi views which he has done repeatedly. He's openly a holocaust denier who supports fascism, wants democracies turned into authoritarian dictatorships and overtly a white supremacist wanting the US as a white homeland. Calyx permits Kiwi Farms server in their room and has had no problem with the abuse targeted towards me. In fact, the leader of the organization has repeatedly participated in it when it happens, encouraging it while also steering it away from being done inside their rooms. These logs have been archived and while the lead CalyxOS developer has gone back and purged a lot of it from the Matrix history, much of it is still there. You can check for yourself what happened yesterday and can confirm the main person attacking me there and in other rooms is a Calyx community member friends with several of them and has openly told me to kill myself.
> Users of CalyxOS and GrapheneOS are relatively small groups, with overlapping interests, and together are stronger, if the tone is friendly competition and mutual assistance.
Calyx developers / leadership have repeatedly engaged in an extreme bullying/harassment campaign targeting me. They've heavily focused on spreading misinformation both about CalyxOS and GrapheneOS to mislead and scam users.
We're never going to work with people who have done these things. No one else should be working with them or tolerating them either, but unfortunately people don't do anything about the massive amount of charlatans and abusers in the privacy/security industries. It's sad. You should never expect that I'm going to tolerate it.
CalyxOS is not a hardened OS. It's also blatantly insecure by not shipping patches fully or on time while misleading users. I'm not sure how it's a competitor with GrapheneOS. Presenting it as a private and secure OS in their marketing doesn't make it one. Engaging in all kinds of abusive and underhanded behavior is not going to turn it into one either.
I hope any pressing harm to anyone stops immediately.
If necessary, I think you could get advice from US and Canada lawyers.
GrapheneOS handily beats out every other project on security and technical merit -- let the code and project speak for itself, because jumping in to every single convo between end users you can find, doesn't help quell any of it.
From a GrapheneOS user for many years who thanks you for your work and dedication