Graphene does only work on the pixel devices. What makes it special is that you can lock the bootloader again after installing it, which with things like lineage, you cannot do. I have never used /e/OS but i use lineage as my daily and it can be installed on FP
this post was submitted on 20 Jul 2024
70 points (100.0% liked)
Privacy
787 readers
1 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
founded 4 years ago
MODERATORS
What makes it special is that you can lock the bootloader again after installing it
I'm not sure why this is considered special. You can also re-lock the bootloader with CalyxOS, iodéOS and DivestOS. This is a Pixel thing, not a GrapheneOS thing.
Okay, I was not aware of that, so thanks for the information.
Honestly trusting the bootloader feels very risky
In that case, have fun coding up your own bootloader and flashing it onto the device. If you can't trust the bootloader, then you can't trust anything at all from the operating system that sits on top of it, because it could be compromised. If you can't trust a bootloader, then the only thing you can trust is a pen and a piece of paper.
True but it feels like obscurity via obscurity.
load more comments
(4 replies)
GrapheneOS uses pixels because not even Google employees can break into it.
I'd be more worried about the ROM that runs before the bootloader that you can't inspect, or possible hardware implants if you don't trust the bootloader shipped to you from the vendor.
I don't trust it not to be flawed
Ok what is your alternative? Android Verified Boot with a secure hardware keystore like the Google Titan M2 is basically the best thing you can get.
Strong encryption with a password you know only. The password should have a high enthropy
DivestOS is the way to go.
Yes, GrapheneOS only works on Pixel devices, because the project has some pretty extensive hardware security requirements: https://grapheneos.org/faq#future-devices
The Fairphone is a highly insecure device, which comes nowhere close to the (hardware) security of a Pixel. On top of that, the Fairphone company doesn't even know how to maintain their own Fairphone OS. The verified boot implementation is fundamentally broken and very misleading, since it's signed with the publicly available (!!!) AOSP test private keys. This is such a blatant disregard of security practices, that should have made it impossible to certify their devices. It's not a surprise either that Fairphone regularly misses important Android security patches, or delivers them months later. That's also why GrapheneOS will never support devices like the Fairphone. There are more issues with Fairphone's misleading update policy that I haven't covered in detail.
I highly recommend against purchasing such insecure, and poorly maintained hardware. DivestOS is the best option for "damage control", if you already own a Fairphone. Its developer actually cares about users and their security, and the OS is properly signed.
I've never heard of Fairphone and have only barely heard of DivestOS.
There are several degoogled OS options for the Fairphone models, with different levels of degoogling and privacy: LineageOS, CalyxOS, DivestOS, iodéOS and /e/OS.
Most of these are based on LineageOS (I understand that CalyxOS isn't, but I might be wrong). I personally use iodéOS and I like the helpful developers, the ability to remove / replace any of the apps preinstalled with the system, and the iodé blocker which blocks trackers, adds and any connection you want to at a system level.
There are only a few to consider. /e/os if you want it easy or DivestOS if you want it most secure and private. All the other possibilities have disadvantages compared to these.
Please be aware that you should buy FP5 as FP4 has huge hardware issues and the support is a dissapointment. And yes, /e/ is available for FP5 (but not via easy installer, but it's not hard to flash it yourself)
/e/ is announced as 'degoogled' but that's not 100 % true (and not nearly as well). For example MicroG connects to Google as well as connectivity backup check. Patch level is far behind AOSP. The App Lounge uses clean APK for some apps which is very risky. Communication is a problem and they do not react like they should for example when Mike Kuketz analysed /e/ and found several problems.
The community is huge and they support many devices.
DivestOS is better in most points but is managed by one person alone. MicroG is not included by default (if you need it) and multi sim support is a problem.
You can disable microg connecting to google servers, but basically you get a standard gms free experience, with most apps simply not working from play store. They list in the wiki how and why they connect to google: https://github.com/microg/GmsCore/wiki/Google-Network-Connections
A completely google free experience would be unusable for "normal" people, so they somewhat right as they target "normal" users. I also don't like /e/, but because they are deliberately obfuscating a lot of things in their documentation, and they try to sell their os as something genuine, but it's mostly just AOSP with microG.
Fairphones can also run CalyxOS if you want to look into that
If I had a Fairphone I'd use CalyxOS or DivestOS. They seem to be the best for privacy and security out of the OS that Fairphone supports.
As somebody that might be changing phone sometime this year and to cover all the possibilities, do we have a recent comparison of all these projects?
Yes! There is a really helpful (from a privacy and security standpoint) comparison chart here. It also includes GrapheneOS and "stock" Android.
load more comments
(1 replies)
/e/OS, DivestOS, LeneageOS and CalyxOS are some options I'm aware of.
/e/OS is often a month or more behind on Android updates (including security). Unacceptable I think.
Some info about patch history here: https://www.divestos.org/pages/patch_history
General comparison table of Android ROM features: https://eylenburg.github.io/android_comparison.htm
FP4 with CalyxOS works perfectly.
Depending on your linux knowledge, you may want to use real linux (postmarketOS). But beware, the amount of things that require closed source OSs like android or ios isnt 0. banking apps for example arent accepting of non proprietary phones yet. I dont know about emulation though.
For emulation there is Waydroid. I've never tried to run bank apps with it, but everything else worked smoothly.
Thanks for mentioning it. I heard about waydroid but havent tried it yet.
I've used it in multi windows mode with a libhoudini (installed thru a script, I think it was this) (had no luck with libndk) on desktop (x86) because some android apps are not compiled for x86. No need for it on an arm device.
If you have a dual gpu setup, enable software render because it got issue with dual gpus (see here).
load more comments
(6 replies)
May i know why you do not like the pixel phones?
They are expensive and I don't want to give money to Google
I highly encourage everyone to buy their pixel phones for grapheneos secondhand. there's enough pixel fanbois out there you should be able to deprive any corporation of the money of your sale by buying a like new condition last generation pixel (Like an 8 now that the 8a and 9 are out)
Recently bought a used Pixel for just under $200.
I refuse to buy new when a 1-2 year old flagship is 1/3 the price of new.
Especially since when was the last time you got a phone that impressed you? Like phones haven't been getting better they've been getting more gimmicky
Yup. Bought a secondhand 7a for ~$250. Maybe I should have looked for an 8, but honestly I don't think the 7a is too bad all considered.
Yeah that's not a bad idea
If you don't want to give money to Google, why not take money from Google?
Then, once you've offset enough money, then you can buy a Pixel at an overall loss on Google's side.
They are way cheaper than fairphones where I live.
Sorry I wasn't comparing to fairphones. I was comparing the minimum you'd have to pay for a phone that has everything you could possibly need with the only difference being a not-that-great camera. So like a budget Xiaomi phone that I use.
load more comments
(1 replies)
DivestOS is a good option
I use CalyxOS on my FP4. I have been happy. Almost 2 years now.
What about de-googled android? Is that private/secure?
No given the recent Cellebrite leak. You're only secure if you use Pixel 6 and after, stock or GOS.
Of course that mostly only apply if you put government into your threat model.
That's a threat to any device. Also the pixel scored way better than many other devices
view more: next ›