GrapheneOS always strikes me as "perfect is the enemy of good". I don't necessarily need top-notch security features, I've been all right with all kinds of Android phones. The things I'd like are:
- ability to sandbox Google Play and Google Apps so that they live in their nice little Google bubble and have no control over my phone overall
- ability to run all applications sandboxed with fake permissions that I can whitelist for each application and without letting the app know it doesn't have the permissions it wants. Want location? Give the app a location point I've fixed for that app. (Or pass through real GPS location if I've chosen so.) Want contacts? Give the app empty contacts list. Or if I've allowed, give the app the contacts I've whitelisted.
The Android/Google ecosystem is all right in itself, I just want to limit all of it inside a cage that I control. I want the exact same for my browser: I want webpages to run in a highly controlled sandbox with my choice of spoofed environment and permissions instead of assuming any power over my system. Or my Linux desktop where I firejail or sandbox certain proprietary apps outside of my distro's repositories.
GrapheneOS has an OEM partnership with Motorola where they're working on improving their devices to meet our requirements because we won't lower our standards for updates and security features. A lot of work needs to be done for each supported device. There's a massive amount of work bringing the security-oriented, production-quality hardware memory tagging integration from Tensor to Snapdragon. We're working with Motorola and Qualcomm on it. If we simply ported it to many insecure devices we'd need have the time to work on features like this or the power to get an OEM and SoC vendor to work with us on it.
GrapheneOS has Contact Scopes and Storage Scopes for pretending all of the contacts, media and storage permissions are granted with the app unable to access any additional user data without the user explicitly adding it on a case-by-case basis. Unlike the recent iOS feature, apps can't see the Contacts permission group isn't granted and it supports giving less data than the whole contact too. It also supports labels for groups of contacts shared between apps.
Mock Location is a standard Android feature. We're working on a per-app Location Scopes replacement. We're also working on Camera Scopes and Microphone Scopes. We plan to continue down that road covering less major permissions too.
Sandboxed Google Play already works near perfectly with close to 100% app compatibility. It's only apps disallowing using a non-stock OS via the Play Integrity API or to a lesser extent certain other methods which aren't compatible. McDonalds is a major example. X forbids password login but you can use Vanadium to login with a passkey and then use that in the app. ~10% of banking apps do it but not most. We've convinced multiple banks to permit GrapheneOS, and that's going to become MUCH easier now.
This is very useful context. Especially around Contact Scopes etc. It's never made sense to me that iOS shares if the user is choosing to not share their contacts.
Apple seems to basically do privacy-related things to an 80% level but not bothering with getting it totally correct. This makes business sense because the extra 20% is way more difficult, but it's great to see GrapheneOS going all the way.
In what ways has the pursuit of perfection harmed the good in their development? (Your words, I don't agree.)
Graphene does everything you're asking, except for the niche fixed location feature you specifically want, which you're welcome to request, or just implement yourself and make a PR.
I'm going to be a bit snarky here, but I always find the entitlement around features in open source software baffling. This isn't a multi billion dollar corporation selling you something. It's enthusiasts making you something (honestly, incredible), for free, in their spare time, outside of their daily jobs. They're doing their absolute best here.
Our approach is why we have a partnership with Motorola where we're working with Motorola and Qualcomm on improving security of the devices to meet our requirements. It takes longer to get things done the way we want but that's part of the purpose of GrapheneOS. For example, it took us longer to have our own network-based location and geocoding but now we have great implementations of both. Our network-based location currently closely matches iOS but is going to have full offline support developed for it. We're working on our own local model text-to-speech at the moment too, although our focus is currently Android 16 QPR3 related work as a higher priority which delayed it. We do plan to overhaul or replace all the legacy AOSP apps, but our priority has been working on things people can't simply replace by installing more apps.
I don't follow. The poster above my comment complained that graphene os was lacking a list of features is already has, so I corrected that.
> Yes, but do these enthusiasts care at all if it meets some need for the users? ... And how can they find out how well it meets that need other than receiving (respectful!) feedback?
What makes you think they don't? Can you point to any instances of them ignoring the community at large?
You can open an issue in any of the open source repositories and request a feature. Others can vote and comment on it. Or you can discuss it in the very lively forum. All methods used to steer the project towards the desires of the users.
> GrapheneOS always strikes me as "perfect is the enemy of good".
GrapheneOS, as it ships, is rather bleak but you also need to consider that it is addressing the concerns of a very broad audience. That ranges from people who want to completely get rid of data leaking apps to those who want the apps but expect them to be sandboxed. Shipping two different versions won't really help them. It would only make more work on their end, with the results only reflecting two extremes. You are going to have some people willing to put up with some apps, but not others. You are going to have some people wanting some of those apps feeding fake data, but not others.
It's probably best to think of GrapheneOS as a base system that you build up to serve your personal needs, rather than thinking of them shipping it in a "perfect" state. While a handful of people will be happy with it in its default state, many will install something like F-Droid along with a collection of privacy preserving apps. Many others will install the Google Play Store along with a personally curated list of apps that reflect their needs, providing or denying access to their data as they see fit.
I believe the "build up" approach is the only viable way to handle this situation since we are talking about a group of users who are actively seeking out a third-party OS since they are particular about their needs. This isn't the typical consumer who will (gleefully or begrudgingly) put up with whatever the device vendor feeds them.
Our approach is why we have a partnership with Motorola where we're working with Motorola and Qualcomm on improving security of the devices to meet our requirements. It takes longer to get things done the way we want but that's part of the purpose of GrapheneOS. For example, it took us longer to have our own network-based location and geocoding but now we have great implementations of both. Our network-based location currently closely matches iOS but is going to have full offline support developed for it. We're working on our own local model text-to-speech at the moment too, although our focus is currently Android 16 QPR3 related work as a higher priority which delayed it. We do plan to overhaul or replace all the legacy AOSP apps, but our priority has been working on things people can't simply replace by installing more apps.
i don't understand, doesn't that make graphene the opposite of what that saying refers to? it's a real life project that has almost all of the features you mention while not being lagged down by pursuit of perfectionism?
That relates more to the public rhetoric surrounding Graphene than with how the OS itself operates imo. It's pretty practical and enables (or allows you to enable) everything that a typical Android does, except where Google Play Integrity checks fail, which is not in Graphene's control (e.g Google Wallet payments).
People bill it as making a ton of usability compromises in the name of security, but that doesn't match my experience. The only redeeming observation is that your phone _does_ lean towards secure-er and ungoogled defaults, which _does_ break functionality that a lot of people expect to "just work" OOTB. But it's trivial to restore it, and the upfront effort getting things to work is amortized over the lifetime of the device. It's maybe an hour's worth of work.
The counterfactual world where users need to forumcrawl how to get to secure/private defaults seems worse to me. By contrast, it's pretty easy to recognize when an app isn't working.
I agree with your post, but I wanted to point out one thing:
> People bill it as making a ton of usability compromises in the name of security, but that doesn't match my experience.
When you are talking about something like GrapheneOS, most of the people who are talking about usability compromises aren't worth listening to since they are looking for something that is pretty much the exact opposite of what GrapheneOS is trying to provide. While there are likely some legitimate criticisms in the mix, the compromises required for "works by default, for everyone" are pretty much the opposite of what GrapheneOS is.
I mean, GrapheneOS hits at least 2/3 of your demands pretty well.
The Play services are "regular" apps with permissions that you can take away.
For contacts and files you get "scopes", i.e. you decide what the app can see, while the app is left to believe that it can see everything there is.
That said, I think the marketing of GrapheneOS could be better. Every introduction of GrapheneOS I've seen paints the image of Graphene being "Absolute security, no compromises", whereas in reality GrapheneOS is the most "Things need to work, no compromises. Then make the rest as safe as possible" custom ROM that I've used thus far (in particular regarding them allowing you to install Google Play, rather than using MicroG).
I would certainly be using GrapheneOS if only I could get one to run on something else than a Pixel.
I have a perfectly good phone whose bootloader can be unlocked and I can install LineageOS or other AOSP installations there but all I'm aware of and I've researched come short on the sandboxing and permissions. I'd be willing to use GrapheneOS without support for specific security hardware (if only they supported that configuration) just for the features mentioned but Pixel phones are just too expensive. I've always been more than happy with a decent low-tier phone and I don't see a technical reason to change that. Nothing wrong with my phone.
> I would certainly be using GrapheneOS if only I could get one to run on something else than a Pixel.
But the whole idea of GrapheneOS is the reason why it (currently) only runs on Pixels. On other phones you can run anything based on LineageOS...
I don't want GrapheneOS to compromise on that: if I didn't care about it, I would use any other alternative. To me it's a bit like saying "I would be using Linux if it was a lot more like Windows" (that's something I often understand when Windows users explain what it would take for them to use Linux). But I, as a Linux user, really don't want Linux to look a lot more like Windows.
Pixel A's are quite affordable. GrapheneOS is open source so if there was a need, people could get it to run on insecure devices that aren't Pixels. Expecting that to be done by GrapheneOS developers who care about security just seems weird.
I'm personally happy with LineageOS on OnePlus stuff, but have you considered getting a Pixel that's 2 gens or so old from eBay? I find old flagships drop in price pretty quick and are often a better deal than a new low-end phone.
Doesn't help with the current situation though but I hope the partnering between Motorola and GrapheneOS is still up and going in a few years when I'll next have to replace my phone.
Mock Location exists but our Location Scopes feature will largely replace it for non-development use. Camera, Microphone and other scopes features will be provided too. We haven't fully fleshed out what the ones for other permission groups such as Phone will look like yet but it's planned.
You can disable many system apps via the Settings UI. For ones where the naive heuristics or manual exceptions believe it may break something and have it disabled, you can use ADB. You can also uninstall apps from a profile including Owner with ADB instead of disabling them which is NOT a good idea but you can do it...
There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.
There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.
There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.
There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.
There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.
Go to [Settings] » [Apps] » [Special app access] » [Display over other apps] and check if any preinstalled carrier apps or anything suspicious has this permission granted.
Your Qubes OS comparison doesn't really work because Android distributions need extra work to support each new device, whereas for Qubes OS, they're probably using some virtualization framework that makes it pretty trivial to add support for CPUs without virtualization. There's nothing stopping you from starting a new fork that supports your motorola phone, for instance.
I understand that supporting new phones is a lot of extra work. My only question is whether the developers of GrapheneOS would accept patches from community for such support without full set of security features.
You keep coming back to this. GrapheneOS accepting community patches with a reduced feature set degrades the nature of the project. It's an absurd proposal.
Fork it, make your own. Not only are they OK with that, they're actively supportive of it.
Criticizing them for not actively supporting the Balkanization and unavoidable dilution of the security and therefore total value of their project makes me wonder whether the strength with which you hold your opinions has any meaningful connection to the extent to which you even understand the subject matter. It's just mind-boggling the things you assert every single time an OS you don't even use comes up.
Your love of Qubes OS (which I share) somehow even increasingly seems rooted in something that just isn't reality. If it were, you'd be able to fairly assess both projects and see the relative strengths and weakneses of both with useful accuracy.
As it stands, you're just spouting harmful noise. Please don't do that.
"accepting patches" is still a lot of work and often means taking on the maintenance burden; i suspect that if qubes had to do extra hardware enablement work/maintenance for VT-d-less devices they might've had the same position
Qubes hasn't always shipped Xen patches nearly as quickly as I would like. It's the unfortunate reality of the situation they're in, simultaneously trying to catch up with broad-spectrum device support, with a miles-long HCL with many entries having sub-threads attempting to resolve significant compatibility issues. Don't buy hardware that's too new, don't buy hardware that's too old, certified hardware doesn't necessarily stay certified, and so on. It's a mess.
I love what they're doing and it's my preferred daily driver, but from a security standpoint they're still pushing molasses up a sandy hill.
GrapheneOS is not QubesOS. We have our own approach and goals. Our approach includes heavily focusing on our resources on our mission which includes needing to do a lot of hardware-related work to deploy features like hardware memory tagging. We're actively working with Motorola and Qualcomm on improving their hardware to meet our requirements. We're also going to work with Qualcomm on improving Linux kernel security. It's not part of our mission to support devices where we can't provide our core feature set. It would drain a huge amount of our resources and lead to people buying those instead of devices with real GrapheneOS providing all the features. Supporting devices with less than 7 years of support also isn't very appealing when we have those via Pixels and can have the same for the new devices.
GrapheneOS does support budget devices. Pixel 8a, Pixel 9a and Pixel 10a are budget devices. It's true that they aren't on the low side of budget pricing at launch but they have 7 years of support from launch. Pixel 8a is approaching 2 years old but has over 5 years of support remaining. The only limitation in practice is that Pixels aren't sold officially in enough countries yet, which can be solved by our Motorola partnership. We don't need more than a range of devices fulfilling what most people want which are available internationally. People would still need to go out of the way to buy a device with GrapheneOS support if we supported more than the 20 models we do.
You're also ignoring all of the work we have to do on devices which is already a massive amount with 20 supported models of Pixels. We build specialized releases with minimum attack surface for each with plans to use per-device RANDSTRUCT and other similar features too. We could make most of the OS builds generic as AOSP has support for it but it goes against our goals. We also have to test it on each device ourselves before Alpha. Each device needs to be tested more broadly by our community.
Our goals have never included supported a huge range of devices. It would drain our limited resources and destroy our ability to provide what we do. It would water down what GrapheneOS provides and sabotage our ability to partner with OEMs. It simply doesn't interest us. People are free to use LineageOS but we strongly recommend avoiding the supposed privacy-focused forks of it which are worse at privacy and security. On nearly any device you won't get basic kernel, driver and firmware updates with LineageOS and it's not a privacy or security hardened OS. Their time is largely spent on device support and it massively slows down how quickly they can do updates too. They wouldn't have time to work on the kinds of privacy features we do let alone the security ones. It isn't as if they're not working hard on their project, they just chose different things to work on and we aren't choosing those over what we work on.
GrapheneOS will run on more than Pixels soon. It will start with a regular flagship and then both flip/fold variants. It can then start supporting lower end devices once they improve. The OEM is going to be helping us implement and maintain it which is the only reason it's going to be practical to do it. We already struggle to support as many devices as we do but it's going to be easier on our end to support the ones from Motorola than supporting Pixels due to collaboration.
If you feel like you can't get a reasonable reply from anyone on a given subject, it's possible that the subject matter is purely indefensible and everyone but you is wrong about it, or it's possible that there's one constant in all this which you're overlooking.
Anyway, in terms of laptop/desktop security, Apple's doing the best job of anyone on that front at present and is still moving in the direction of improvement. Overall, modern Pixels running GrapheneOS are still the most resistant to a variety attacks, compared to just about any consumer device with any practical value.
Most laptop/desktop hardware architecture is wildly vulnerable in some specific ways that Pixels and iPhones just aren't, and no amount of OS enhancements built on that foundation will fully overcome its limitations. Your refutation to that is typically, "But, Google." I get it. I'm no fan of Google, but their architectural chops on modern Pixels is excellent.
Suggesting in the next breath that people look at the Librem 5 or PinePhone while criticizing the security of GrapheneOS makes me think you might just be completely out to lunch on this one. The Purism project is just not a serious security project in so many ways, and while I appreciate the appeal of hardware switches, the rest of their approach makes the hardware switches and domestic supply chain option and shipping protocols little more than security theatrics. The Librem 5 is so easily compromised that the switches are practically a necessity, I suppose, because the hardware and the software (from the OS to device drivers and--gasp--closed blobs!) just isn't trustworthy. With the clever rhetorical games they play to overstate the reality of the device it's difficult to place any trust in them.
'You shouldn't use this device because Google drove the architecture,' just isn't as compelling to me as, 'you should use this device with outdated drivers, no secure element, no sandboxing, and no IOMMU, no hardware resistance to attacks, baseband isolation that's literally an all-or-nothing affair,' and so on, is a terrible followup recommendation which completely undermines credibility.
You're citing hypothetical weaknesses as a reason to dismiss GrapheneOS while advocating devices with numerous demonstrable weaknesses. The Librem 5 not only isn't very resistant to attacks, it's highly vulnerable to attacks. And then you complain when serious people stop engaging with you. (Not being a serious person, I persist.)
As a former PinePhone user, it's a wonderful effort and I love that they're doing what they're doing, but the device and its software is just completely lacking in security to any real degree. Which is fine, because that isn't the device's reason for being, but we shouldn't overstate its position, which you continually do.
All that said, I genuinely think if you take the time to really fairly understand the situation, you'll find value in GrapheneOS as a project. Whether or not it's for you is another matter, but the only reason I'm bothering to quibble with a faceless stranger on the internet over the issue is because I think the project is one of the most important consumer-device security projects of this era, and I massively hope it succeeds. The planet will be better off for it if it does. And yet, every single time it comes up you make the same lazy dismissals of it, ignore substantive responses, then invariably play the victim when people eventually tire of playing your game.
A broader ecosystem of supported devices is something I very much hope for, and am excited to seem take the step into working directly with one OEM, and I hope for more. The virtualization aspects of their roadmap are exciting, and I expect they'll bring great upstream contributions to whatever hypervisor they choose, as they have for AOSP. Their talks of targeting a laptop which meets their hardware requirements is incredibly exciting, and here's hoping it's a ThinkPad, which seems genuinely possible now.
All this is the most compelling alternative to something like Apple, which, while great at leveraging the advantages of being the behemoth in the market, is too inherently motivated in its pursuit of commercial outcomes to be something I'm likely to want to use.
I lack any real hope that you'll come around on this one, but if you're going to play the game of linking to prior discussions to settle an argument, at least I now have a comment to link to, too. Thanks for fueling my future efficiency.
I don't want to gush about this too much, but it's SUCH a big deal. Graphene has languished with hardware support for so long - they basically only had Pixel devices as first-class citizens, which are not bad devices per se, but it's hard when you're spending most of your time doing something without the manufacturer's support.
There is a very real possibility that we end up with devices that can play modern mobile games at high frame rates on a secure, privacy-focused mobile OS, which is a huge step towards general adoption of something like this as a daily driver.
This is such a strange comment that is full of contradictions. Pixels are supported because the manufacturer supports alternate OSes. I don't get what languishing means here. Pixel hardware lags behind the latest Snapdragon hardware, but it's not something that average people know or care about. So, you can gush all you want, but I don't see why it's a big deal. It's great that they found an OEM and it's great for the overall health of the project, but not because of gaming or the latest Snapdragon.
Does pixel support alternate OSes or it just doesn't get in the way of custom firmware developers?
And for the gaming aspect, there is a huge market for mobile gaming, specially in Asia, so having a manufacturer like Motorola adopting GrapheneOS as a first class citizen will improve the chances that high performance applications will have better performance in such OSes which is a big win.
I do hope however having a Snapdragon device will be beneficial to having postmarketOS support.
For now having Android-type OS on a daily driver is a must, but for older devices (thinking of 10 years time) I'd like to explore an OS which doesn't depend of Google open-source drops and delayed security open-source drops, which is the situation for ROMs without an ODM partner.
Do you mean to say that postmarketOS is somehow better on non Pixel devices? I would assume that Pixels are closest to upstream and have the longest software support life in Android world.
pmOS runs well on a couple OnePlus phones (6, 6T). For whatever reason the Snapdragon 845 and 865 have decent mainline support. I expect the OnePlus 8T to join the prior list of phones in the near future. You can similarly look at which gaming handhelds are supported by ROCKNIX and what SoC they use to get an idea for which ARM SoCs have decent mainline support. I expect the vast majority of phones and other ARM devices to not be very well-supported. RockChip is usually the safest bet, but I've been pleasantly surprised with some Snapdragon stuff.
I wouldn't consider gachas to be "actual games" (sue me), but yeah, they do tend to have way more complex gameplay and graphics than the timewaster freemium games of yore. Genshin Impact is essentially a single-player MMO, it has an open world and lots of characters and different weapons etc etc.
The "general phone audience" is some 5 billion people. If even 10% of them want to play games, on what is in the current year likely to be their primary if not only computer, that's already a market segment of 500 million. It wouldn't honestly surprise me if the number is closer to 15 or 20%, mobile gaming is extremely popular.
I think a lot of HN users, living in our own PC-oriented bubble, may not have realised the world has completely passed PCs by and that smartphones are the personal computers of the current generation. While PS5 and Switch each have about 100-150 million in sales, there are an estimated 3 billion mobile game players. Are a majority of those "mobile game players" playing Flappy Bird, sure. But again, even 10% of that number being interested in "real games" would outnumber PS5 and Switch players combined. Fortnite and PUBG each have hundreds of millions of active users, most are on console but around 20% appear to be on mobile from a quick search. Genshin Impact also has tens of of millions MAU, a non-neglible percentage of which are mobile players. There are hundreds of millions of people for whom being able to play 3D games on their phone matters.
The key enabler is the camera. Manage a flagship level result in a Motorola, that’s the main reason people pay for High end devices nowadays.
I’m seeing enthusiasts go out of their way to get vivos and xiaomis now that they are surpassing the western counterparts based solely on that.
I think it’s doable, pixels did it with meh hardware for years. But I’m not sure if there’s enough overlap between people who care about selfie quality and open source enthusiasts.
Motorola Signature and Motorola Razr Fold are ranked above the Pixel 10 Pro on https://www.dxomark.com/smartphones/. Pixels have fantastic camera hardware and software which is fully functional on GrapheneOS which isn't something we need to lose on a Motorola flagship. There will be much better CPU and GPU performance via Snapdragon too. The compromises are mostly in terms of getting some security improvements while losing others but we'll still be able to meet all of our official security requirements.
it's quite a big deal Motorola will have officialy devices with unlockable bootloader now that Samsung is ditching it and Xiaomi is making unlocking almost impossible, Sony reintroduced it but has probably the worst VFM in the market, so having Motorola with pretty good VFM (better than Pixel outside US) is big news, though they don't really make smaller phones and I'm worried about camera quality or gcam stability
Unfortunately from what I read a couple of times, including a month or so ago, GrapheneOS discourages and doesn't support rooting the phone for security reasons that seem vague to me and don't appeal to my need to actually own my phone and OS. You could still root it with some third party tools from what I know, but not having root as the default makes it less of a secure FOSS OS and more of a closed down toy.
As for payment apps and other crap that refuses to run if I, the owner and administrator of my own device, don't have admin access, I would just refuse to run it. What's next - websites refusing to work if I have root on my Linux desktop?
LineageOS also discourages and doesn't support replacing the core of the OS with a rootkit providing persistent app accessible root. GrapheneOS is no different from LineageOS in that regard. People do this with GrapheneOS regardless of our strong recommendation not do it. Our reasons for discouraging it aren't vague. It very directly harms the security model and is not a good approach to implementing any of the features hacked together through it. Those features should be properly implemented to fit within the overall approach taken by GrapheneOS. Giving root access to a huge portion of the OS harms security even if you never use the feature. It does not mean you can't do it, we only recommend you don't.
>but not having root as the default makes it less of a secure FOSS OS and more of a closed down toy.
I don't get it, it's "less of a secure FOSS OS" to not have root by default, but it's secure to run random apps as root and breaking android's security model? What's the threat model here?
Yeah, this is the deal breaker for me as well. The fact that I own my device is non-negotiable. It is the reason I left the stock OS and I'm not going back. The idea that I can't access my own files if an app doesn't explicitly give me access is wild to me. I understand there are security risks of a root permission but it is important to have that fallback when you need it and the existing permissions aren't sufficient.
LineageOS also discourages and doesn't support replacing the core of the OS with a rootkit providing persistent app accessible root. GrapheneOS is no different from LineageOS in that regard. People do this with GrapheneOS regardless of our strong recommendation not do it. Our reasons for discouraging it aren't vague. It very directly harms the security model and is not a good approach to implementing any of the features hacked together through it. Those features should be properly implemented to fit within the overall approach taken by GrapheneOS. Giving root access to a huge portion of the OS harms security even if you never use the feature. It does not mean you can't do it, we only recommend you don't.
LineageOS provides ADB root access in stock builds. Sure, it isn't as convenient as some su apps but at least I can use ADB to access every file on the device. It probably also improves the attack surface compared to a su app.
> It very directly harms the security model
What do you mean by this? You mean that it is a "god permission" that bypasses other permissions? If so then yes, with great power comes great responsibility and it shouldn't be used lightly.
> and is not a good approach to implementing any of the features hacked together through it.
Maybe not, but is there an alternative? What is your recommended way to access all files of any app? This is my primary use case. Modification would also be valuable but I would be ok with read-only access.
> Giving root access to a huge portion of the OS harms security even if you never use the feature.
Can you explain why root access must be given to a huge portion of the OS? Why can't it be limited to specific apps or features (like ADB shell)?
> It does not mean you can't do it, we only recommend you don't.
Of course. It is your right to recommend whatever you want :)
The "access your own files" thing is so insane! Hard to describe my feelings [negative] when I found out that all of my voice notes were in the voice recorder and the easiest way to get them out was to manually send each one to myself over discord. Google helpfully mentions that you can just "download them through google takeout" and doesn't leave any option for people who don't just give all their personal data to google.
I use a FOSS voice recorder app from F-Droid. It's just called "Voice Recorder" with an orange icon. It does exactly what it says, records audio from your microphone, lets you play them back. They're just files on the device.
Anytime I need a "simple" utility, I check f-droid first to get the one-trick-pony app over spyware from the play store.
Other utilities I use are:
WorkTimer: pomodoro app
DiskUsage: self explanatory
Http Request Shortcuts: setup home screen app shortcuts that run http requests
> [I want root,] The fact that I own my device is non-negotiable.
I read that a lot, and I agree that I want to own my device. But that does not mean that I should have root access on the OS I choose to install on it.
Owning my device means that I should be able to install whatever OS I want. It does not mean at all that OS developers must do whatever I tell you to do.
Yes, that is why it is a deal breaker. I'll choose to run a different OS. I didn't say that GrapheneOS must support root. Just that I won't run it if they don't.
And I'm fine with you wanting root on the device you own. But you were implying that not having root means that you don't own your device. I disagree with that. You can totally own your device and not be root.
I think it is important, because I read a lot of comments that imply that "owning their device" means "owning the developers". And that's a wrong fight.
The real fight is that it should be illegal to prevent me from installing my preferred OS on a general-purpose computer.
Fair enough. Owning means having a choice. The unlockable bootloader enables that. But for me the choice of OS will be one that lets me access all files on the device should I need to.
What should that support look like? Maybe have a userdebug build already built and available? I don't include a root account on hardened container images for some of the same reasons they cite. So including it for everyone and creating a way to activate it is suboptimal for people who don't want that trade off. A parallel build pipeline seems the most reasonable to me?
Yeah, I would be fine with a different build stream. I do think it could be sufficiently secure in a single stream but it will always be increased attack surface so the safest option is to do separate builds.
I also don't include a root account in my container images, but you probably have a root account on the sever that runs them in case you need to debug something. But you can probably also build and deploy a new container. At the end of the day you almost always want some last-resort way to access the data stored in case something goes very wrong. Whether that is for backups, "hostile" data export or for other reasons it is important to me.
I don't actually. Devs don't get root at my employer. Even on a vm. I have rootless podman, and can be root in a container. Even our gitlab instances don't have any privileged runners. So kaneko etc.
There's nothing GrapheneOS-specific about it and it doesn't prevent rooting. LineageOS doesn't officially support it any more than GrapheneOS does. It doesn't stop people doing it for either. Our recommendations aren't law.
Any files created by apps in their main data directories are inaccessible on most distributions of Android (I think it is actually required to be Google certified). The exception is apps that go out of their way to store files in user accessible directories or provide a feature to export or share data out of the app.
By rooting your device you can access the app data directories as you wish.
As far as I know, root and tap to pay are pretty much mutually exclusive, at least if you meant Google Pay? Unlocked and rooted devices do not pass remote attestation. And it's not just something you can fake when you have root, since it is anchored in hardware (the attestation certificate chain is signed by a hardware-backed key and contains the verified boot state and verified boot key).
I can tap to pay with google pay on my rooted pixel while the spoof key isn't blacklisted, IIRC it uses dumped credentials extracted from other devices but I can reliably spoof Play Integrity and SafetyNet. It would be nice to not have an adversarial relationship with my things for once.
"While the spoof key isn't blacklisted" is the critical bit. Soon, all the keys will be, as these old devices age away from being too common to blacklist.
GrapheneOS doesn't give you root access, citing security issues it introduces.
You could re-compile your own copy with root access, though not sure if we'll then be back to some non-certified OS that can't make payments...
Yikes. Nevermind. The whole phone security model is one of the worst things to happen to computing, the concept that you shouldn't own your device for safety is so fucked.
> the concept that you shouldn't own your device for safety is so fucked.
That's not it. The concept is "if you choose to install this particular OS on the device you own, then it comes with this particular security model". That's totally fine. If you own your device, you can run Linux on it and you'll have root access.
"Not owning your device" means "not being able to install the OS you want on it". I want to own my device, obviously. But it does not mean that I own the developers of every OS in the world and that they should do whatever I tell them to do, for free.
A non rooted device is NOT really my device, just seems like a leased device.
If we want to use banking app we have to use a non-rooted/leased device. That is what is really messed up. Personally I only use bank now that has website for banking. If they don't have a web site only app, then it is a red alert for the company.
I think is great, if there are no ramifications when skilled people unlock it.
There's just too much hacking going on, malicious behaviour, to allow uneducated masses to have root on a phone. I've seen so many people just not understanding the outcome of their actions. You'd get people rooting because some shady app lied about why, and just wanted control.
And we don't need more botnets. And it's why banks sometimes throw a fit.
So if a recompile does the trick, and no downside, then it'd be fine.
> There is a very real possibility that we end up with devices that can play modern mobile games at high frame rates on a secure, privacy-focused mobile OS, which is a huge step towards general adoption of something like this as a daily driver.
This might be true, but the priorities are depressing.
If anyone from Motorola is reading this: Please add a smaller device to your Portfolio, about max the size of a Pixel 8. I'm not hoping for an audio jack any more but at least small it could be.
It's the smallest phone available with a real telephoto lens. I think it was only available in India, but I got one on eBay because it has those two features (not huge with telephoto) I was looking for.
Currently running a Sony Xperia 5 V which farm factor is acceptable, and still will get a number of months of updates. And the winning point is that the bootloader can be unlocked and is supported by LineageOS.
The issue of "enthusiast phones" is not the same as for small phones. The problem that MKBHD is describing is that a company that starts as an enthusiast phone can not grow by getting the niche larger, so they need to start competing in the "average consumer" market. But a large, established company like Motorola and Samsung can for sure segment their product line to serve a particular demand.
I think the issue of small phones is that, while there people saying they would buy if it was available, no one is saying "I would buy one small phone at flagship prices, even if they don't have flagship features".
I suspect there's a large overlap between people who want a small phone and people who only upgrade their phone when there's a pressing need. I am in both groups.
The root cause is that the phone is not a primary device for me. It's what I use when bringing a PC is too much trouble.
Same here. And I have a friend who keeps his small IPhone because they stopped building smaller phones, too. There is a demand, maybe not that big.
For me, I want to be able to operate the phone with one hand, and the large screen makes it difficult to reach all the spots on the screen even with large hands. I do operate my Fairphone 5 with one hand, but it is super awkward and at some point, the phone will fall into a gully because I cannot hold it tight while navigating.
And I wouldn't mind 2mm more thickness if this means the cameras are flush with the back and the battery is larger.
Whenever I see this when talking about small phones, I'm reminded of the stats, where the iPhone minis were a small proportion of iPhone sales but still by themselves outsold most manufacturers.
I was in the same boat and literally this week bought a Pixel 8. It's a 2 year old phone but with the extended support period that's no longer a problem, and being old means you can get it new for about €300 or refurbished for even less.
The other option is the Samsung S2x line, which you can apply the same strategy to.
I watched the first video. One point they didn't mentioned is that their android example of the "last small flagship phone", asus zenfone 9/10, is about the same size as an iphone 12/13, not the mini.
Do regular iphones sell well? If so, the small flagship phones are not dead, because iphones are not dead. If iphones are not counted as small phones, then the small android flagship phones are dead long time ago.
I run a Xperia 10 V. Great phone, great form factor, easy to unlock. It runs for days, almost a week, on one battery charge. Sony is doing something right here.
Are we really sure "nobody actually wants it"? I need to help my family select the smallest possible phone every time. Meanwhile choices are dwindling and the remaining 2 models are either overpriced or outdated and so I need to tell them it's better to take a (whatever currently goes for) "medium sized" model, which shifts upwards every time I/they need a new one. No wonder that people don't buy small phones anymore if they don't exist
I don't buy this nonsense about small phones being a niche when so many people are actively seeking them out, both online and offline in my practical experience
It's just harder to make, heat dissipation or battery will be restricted, doubly so if you're a niche manufacturer without a big budget, or one who tries to keep it repairable and needs the extra space for screws. So I can understand that Fairphone doesn't release a small model (even if it means I simply cannot use it: I actually put my money down and bought one, but sadly had to sell it onwards after a few weeks of trying) but for Graphenorola I'm not sure that restriction exists. It may just not please everyone if the chip is underclocked for heat and battery efficiency reasons and so they're not likely to. Doesn't mean there's no market for a small variant for any manufacturer that has more than one device on the market
My mom's and my current phone (same model) is what I'd call medium sized (per 2019 standards, when it was new) and the battery life sucks, but I'd buy this model again anyway if it came out with a ≥2025 SoC because I can actually use it unlike nearly any other phone on the market. Not properly reach the top, but at least the left side so that'll have to do
>And the winning point is that the bootloader can be unlocked and is supported by LineageOS
Don't banking, security and payment apps detect the unlocked bootloader and prevent them from working on lineageos? At least that's what happened to me after i flashed lineage on my old tablet.
Because then what's the point of a smartphone if it can't do banking, payment, shopping, ticketing, etc? Use it as a gimped pocket web browser and ebook reader? There's not gonna be any mass market adoption for such "smartphones" until they can run all apps out of the box like vanilla androids and IOS phones.
Your average consumer isn't gonna wanna fuck around with signing keys and bootloader relock. Hell, even this tech savvy HN user doesn't want to do that because he has better things to do with his time. The days from my childhood when I always rooted my Android phone, installed custom ROMs with custom kernels, magisk, titanium backup, cerberus to make the phone "my own" are long behind me.
There is the option to register the signing key of the ROM with the bootloader and then relocking it, thereby making those apps happy again.
The biggest issue is that there is a different way to do this for every device, so most custom ROMs don't bother. It's relatively simple and automatable for Pixel devices, so the GrapheneOS installer takes care of it. e/OS/, which is based on Lineage, allows this for some devices, iirc.
(at least on pixels and apparently this future motorolla,) it can be re-locked, so it passes the integrity check; however there is an additional layer that needs google signing keys, which of course means you can't pass that one if you can't ship the keys
funnily enough my banking app works but the mcdonalds app doesn't, lol
Mcdonalds decided it's "unsafe" to run their app in private space of Android. In literally the most locked down part :) Marketing must have gotten a nice bonus for that mental effort.
I can run banking apps like that, corporate apps like that, but I can't show a QR code to order happy meal.
You can't even use the McDonald's app if you have an overlay. I use KineStop and in the car I'm already choosing what to order and I can't click anything until I turn off KineStop...
In comparison the Burger King app works without problems and is very fast.
It was likely their management doing random shit to fix it. Instead of fixing real problem, which was bogus campaign rules. Reddit was full of people abusing their app discounts and ordering insane amount of food for free. It was well described.
None of that was due to app security holes. It was an issue in their promotional campaign. It was still working after those "secure" app limitations appeared.
if you can order for free or below cost doing anything in the app, you are not paranoid, you are directly stupid, is like being able to modify the shopping cart total in the browser and the server accepting that as the correct price. Everything should be server side validated where you have the full control of it.
I'm all in favor of voting with your wallet, though easier said then done when your mortgage, long-term saving accounts, etc. are tied up with your bank account.
That said, my banking and credit card apps work fine on GrapheneOS.
You cannot, the OS does not have that level of access. Attestation is anchored in a (typically) non-replaceable bootloader and trusted execution environment, both of which the OS does not have access to. A remote server can verify that the attestation chain is signed by a hardware-backed key and contains the verified boot status and verification key. If you would change this information, it would be detected by the remote server, since the signature would not be valid anymore.
Ironically I always find when these new devices like the fairphone come out, I'm disappointed and don't buy it because the screens are actually too small. They tend to focus on an unuseable middle point (probably in an attempt to please everyone).
All the flagships have huge screens, the big guys would have paid millions on market research, I can't understand why they arent just trying to achieve flagship parity (in terms of specs not price or software). No one is going to say it's unreasonable and they save themselves the market research
> The small form factor phones simply do not sell.
yeah, clearly nobody buys Samsung Galaxy S series for years, they are like the least popular Android phone model... /s
I'm running Pixel 6a (which was followed bu successors with worse screen:body ratio for years and only now the new Pixels finally matched and slightly improved the ratio, what a progress), but considering all the HW issues (baterries and displays) with Pixels I'd rather avoid it, the worst case will buy as next phone Xiaomi and hopefully somehow unlock it, if there is no suitable Motorola
edit: added HW issues explanation since I am rate limited on comments
yeah pixel used to be great. probably the best phone I ever owned after iPhone SE was a Pixel 3a.
till I got the abomination that was a pixel 6a. fucking overheated - then finally battery exploded. Other pixels suffer the same problems as well - overheating n display being finnicky.
> yeah, clearly nobody buys Samsung Galaxy S series for years, they are like the least popular Android phone model... /s
I don't think the smaller Galaxy S models are what people generally mean when they talk about small phones, those are still much bigger than the iPhone Mini was.
it's basically just Samsung S series, Pixels, overpriced bad value Sony and few exotic/abandoned phones (Asus is done with phones, they had always horrible SW, Xiaomi only model 12 many years ago, Meizu not available outside China)
The whole Moto G series has audio jacks, at least as of a year or so ago. I hope that Graphene makes it to those affordable models. I don't need high end cameras or AI on my phone. In fact AI is quite unwanted.
I think I went through the first ~3 or so generations of the Motorola Moto G, and they were great for the price, besides the fact that each generation it got bigger and bigger, defeating the original motivation I bought them in the first place. Eventually the iPhone 12 Mini was released and I moved to iPhone at that point.
I also hope that the new GrapheneOS device from Motorola will be in the "smaller" size factor so it actually fits in my (apparently) tiny hands, but to be honest I'm probably getting one regardless, as iOS gets worse and worse every time I update it.
Lol, no, according to graphene, an aux jack is a security problem. So is a microsd. But the hole punch with the camera pointed at your face, that's just fine.
When my current phone dies, I'm basically returning to a dumb phone with a removable battery. Now that Xperia dropped open source, every phone out there is terrible and I just don't want any of them. Anything that would support a ROM has features to make my skin crawl.
Their hardware requirements do not say this, where'd you get that idea? Graphene has stated they'll work with the Motorola team on supporting their devices, starting with the successors of the Razr foldable and the signature line, but there really hasn't been any talk about how additional peripherals like aux would be a no-go. USB is also a security concern, which is why they give you the option to disable it outright, disable data or disable until after-first-unlock. I don't see what would keep them from implementing this for aux, although since it's unidirectional I'm not sure if it even makes sense to compare aux to USB. They've supported pixels with aux ports in the past, and I don't think it's inclusion would be a blocking criteria.
The comment about the camera is also kinda misguided. They zero out the camera input if you disable it, unlike traditional android. You can have a camera toggle in your quick settings and keep it disabled literally all the time. Enabling it when you bring up any camera related app takes either pin or biometrics, having the hardware here really shouldn't be a concern since you can look at how the code handling it works yourself.
I'm not trying to convince you to use a pixel or a Motorola phone, do what you want, but at least be informed about stuff like this when you state things as if they are facts.
> I don't see what would keep them from implementing this for aux, although since it's unidirectional
No electric circuit is unidirectional. Beyond the pause/play and volume commands that it supports (edit: and mic as mentioned in a sibling comment), Graphene would probably reason it's an easy way to externally read voltage levels and so an unnamed entity can mount side channel attacks with backdoored headphones
> since it's unidirectional I'm not sure if it even makes sense to compare aux to USB
Most phone aux support microphones and acting as an antenna for FM radio reception. I don't see how either could be used for a security exploit however.
>but there really hasn't been any talk about how additional peripherals like aux would be a no-go.
It's water under the bridge. You're NEVER getting a Graphene phone that supports a microsd. It won't happen. The AUX jack, you will biligerently be told to get a USB DAC or otherwise you are an old man yelling at clouds.
Graphene and Motorola will work together by happy accident. Tell ya what though, if they make a GrapheneOS phone with 3.5mm, dual sim, microsd, and >no notch or hole punch< and I will buy it. I won't even care how much it costs. All the Xperias I've owned were among the most expensive phones on the market.
It's unlikely for the Razr line to support microsd since those are foldables, and flagships like the signature line generally tend not to, but nowhere on their hardware requirements list does it say that a potentially supported device cannot have a microsd card slot, thats just wrong. There is nothing about a memory slot that would make the phone less safe inherently, they already support USB drives, internal emmc memory isnt that much more crazy than that, right? I just think its super weird to be like preemtively mad at them for an imagined aversion to supporting hardware that doesnt exist.
I get that the people involved with the project can be a little prickly when you ask them for advice about stuff, but what do you expect them to do here? They support the devices they do not out of some sort of adherence to a skewed model of security, they actually genuinely need the hardware to be able to do all of the things they ask for, which currently literally only the pixel line offers.
If a manufacturer like Sony who tends to do aux, microsd slots and no holepunch cameras were to adapt to their hardware standards (https://grapheneos.org/faq#future-devices) there would likely be an effort by people to get these supported, its not the lack of will from the devs, its the lack of support from phone manufacturers that has kept the line of supported devices constrained to pixels.
Does it? My banking works in any browser that supports javascript, and chatting has been possible on desktops (and laptops etc.) longer than it has on phones
I haven't found a >=2025 phone (I started looking in the summer) with a headphone jack that I can actually use more conveniently than a tablet. Everything now requires two hands, not counting warrantyless china phones like the jelly star, or ones with a chipset that would have been considered fast in 2018
As for the camera, a webcam sticker seems much more convenient than needing to mess with the hardware internals
Citation needed. A lot of dumb phones still only support 2g, for example, and you need to watch out that you don't buy a model that won't work anymore when carriers take that off the air. No smartphone hardware has that issue
Motorola has such great quality/price ratio and the user experience is decent. There's still some nagging and such but overall it's much better than the competition.
But I still can't get over my old iPhone 6. That phone size was just perfect. Easy to hold and do everything with one hand, easy to fit into any pocket.
I really want an Android like that. I don't need 3 cameras and bunch of other nonsense.
No, it's not small, but it's afaik the smallest model you can find that's still unlockable and runs any ungoogled OS
> I'll be forced to go back to dumbphones in the future... along with many others, I guess.
Going back to a dumbphone for me would mean changing my outdoor hobbies (like contributing to openstreetmap), so I'll take my losses and continue on a smartphone, but I share the sentiment. Power to you if you do it!
Not sure how I feel about this. Motorola seems to be the exclusive provider of encrypted cellular networks and associated devices to the Israeli military [1][2].
I'm under the impression that basebands still require a proprietary/binary blob, basically rendering the security features of the underlying Open Source OS useless, since it sits between the user and outside connectivity.
How can GrapheneOS ensure that there are no hidden backdoors (ie: Pegasus-like spyware, which was created by ex-IDF soldiers via NSO Group), etc, in the baseband?
In the same way they can(not) do it on Pixel phones - and I would be surprised if Google was not already cooperating with the state actors. You do what you can. Even open source drivers (which are not gonna happen when operating within tightly regulated radio bands) won't help if there's a hardware backdoor.
The way I see it, I don't have much direct control over the actualities of that kind of nation-state spying stuff. However:
1. I can direct my consumer-dollars towards the vendors that promise to respect ownership and privacy in general, and they will also have the most to lose if they are caught enabling spying.
2. Defense in depth. Security features generally add to the spying's difficulty, expense, or risk of detection, and that in turn decreases the incentive for abuse.
Just only ever speak in a language of your own invention that uses both cryptographic and steganographic techniques which you invented while colocated, maybe.
I personally am more afraid of what "someone" can convince other people to do rather than listening to me. Sadly there are enough people that are easily manipulated that probably the "smarter" people are completely ignored.
If I would be to place a bet I would place it on mass propaganda targeting people below average - it might be simpler, easier and cost effective. So lots of this talk about "encryption", "privacy" might be in fact great for those "actors": smart people worry about their precious technology and principles, while "they" talk to "the masses".
If you're not in country X which spies on you, but you live in country Y, is it preferable to have country X or Y to spy on you, given one is further away and cannot really impact your daily life, compared to the other country?
This. I know some people who work for the former and they are always having to say "no, I don't work for that Motorola". The shared name is entirely historic.
I did. There's long term patent cross-licensing agreements between the two companies. Motorola mobility may be a separate company now, but they didn't start from scratch.
They did. You're nitpicking to not lose face while you could have easily say "OK, didn't know they were separate brands" and we'd all move on with our lives.
The mororola mobility is a Chinese company with Chinese management. They bought the brand and the patent portfolio. They sure as hell are not supplying Israel or NSA.
None of it matters. If the device has a SIM card (virtual or physical), it will execute commands sent over the network. It's required by the GSM/LTE standards. The best you can hope for is to have separate SoC for the OS and separate SoC for the GSM/LTE connectivity, but that means double the power consumption.
defcon21 is from the pre-snowden world (2013), for anyone else wondering. Mobile landscape (our reliance on them, the central role they play in our lives) back then was a little bit different and indeed I'd not be surprised if most models support that the carrier can remotely read out any memory location or something
Let me give you another perspective - you cannot fight a foreign state that wants to hack your device and access your personal data. Even Apple iPhones, who often taut how "secure" their devices are, remain vulnerable to state spywares. A secured device, at most, will protect your data from the police or lay cracker or malware, who lack the means to use more sophisticated methods to access your data. When Android forks (like Lineage OS or Graphene OS) advertise that their Oses are more "secure", with better "data protection", what they mean is that their OSes try and prevent data leakages to the OS vendors (like Google or Apple or other BigTech) or to online services integrated with the OS or through system and user installed apps. In other words, "privacy and security" primarily means that they try and prevent surveillance capitalism.
> Not sure how I feel about this. Motorola seems to be the exclusive provider of encrypted cellular networks and associated devices to the Israeli military [1][2].
You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.
You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.
You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.
This is a fallacious argument that has been thoroughly debunked countless times, and frankly it has no place on a platform where we expect a baseline level of digital literacy.
Privacy isn't about hiding crimes, it's about limiting how much power one government has over you.
History has shown stuff that’s totally fine today can be treated like a problem tomorrow. A surveillance system built under a “good” government can be handed to a shady one.
all technology companies are to some extent in cahoots with secret agencies. but israel has no room for mistakes, they only work with the best.
no doubt they will ask for backdoors. but no phone is safe from governments anyway - grapheneos or not.
Perhaps you may be interested in Librem 5 or Pinephone, both of which have hardware kill switches for modem and available schematics. The latter even has most of the modem software freed.
Security theater, it has absolutely no use. If you can't trust your hardware that it won't actively listen to the microphone without your knowledge and permission then what are you even doing with that device?!
I do trust my device. However in specific circumstances where privacy may be critical, an additional protection might save me even from a state-sponsored attack.
I'd say you're paranoid. Nobody cares about you, and they won't invest billions just so they can see your hot nude pictures. There are much easier ways to get information out of a phone, no need for a backdoor.
If there were ever any backdoor in some phone, it would have been found. No smartphone company is gonna take that chance that someone will find their backdoor, it will literally kill the company.
Sometimes you become a target purely by chance. You may witness something you should not have seen, are at the wrong place at the wrong time, the "algorithm" glitches and increases your "thread level" by 5000%. In most of these situations preparations like running graphene os can be quite the boon.
Or think of friends and family. When they become the target, you are prepared, you have the knowledge and tools ready, you can be the guide that helps them navigate a hostile digital world.
Whether parent is paranoid or not, Pegasus literally is used to spy, just because the state might not care about his hot nude pictures does not mean they don't care about other phone usage.
"While NSO Group markets Pegasus as a product for fighting crime and terrorism, governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists."[0]
Information these they can be much as powerful as a bomb, for example, I could learn more about your calls and discover that you do something immoral but not illegal and use it to blackmail you.
As if spying on “governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists” wasn't already alarming, Pegasus has also been used to spy elected officials.
A recent court case investigating spying on 37 elected representatives [1] (including the prime minister, three ministers, and regional politicians) had to be closed in 2023 and again in 2026 “for lack of cooperation of the Israeli government”.
I'm guessing you missed out on the Snowden revelations? Or the news articles about federal agents literally laughing at private dick pics.
And your second paragraph seems to go on the premise that the average person care if there is a backdoor.
I don't know why you wouldn't take security seriously, when even the US government is telling everyone to be careful where they supply their devices because of spying. Just don't trust them to point the finger the right way.
The UK government is known to spy on anti genocide protestors.
The US government is known to spy on anti ICE protestors.
If you have an opinion your government doesn't like, or a potential future government doesn't like, there's a good chance you have or will be spied on.
Perhaps you lack a single opinion worth caring about, but most people do not.
This is such a low-iq argument I cannot even. Yes, nobody cares about OP, you, me, whatever - until they do. Not to mention general harvesting for profiling and propaganda reasons.
General: What do people in this city/country/region/etc are thinking - This is the main one where the data is used and collected, then grouped. It is extremely powerful information for targeted agenda whichever it might be.
Targeted: Oh, you or someone from your close ones went to a political protest? Too bad we have all this information to put you and your family in jail - This is where suddenly they will care about you, even when it is NOT YOU but someone from your close circles were the ones upsetting them.
I'm glad to hear that. That means these devices will be a popular target, perhaps the popular target for alternative operating systems both Android-based and non-Android Linux.
with the advent of AI assists, I can't wait for people to start hooking up SoCs, GPUs, and other components burdened by proprietary driver and firmware to logic analyzers, and letting AI have a crack at it. I wonder what'll happen - this might well be the end of proprietary blobs, and I'm here for it.
That would be wonderful but cracking proprietary blobs which may be and probably are encrypted, would take massive amount of time, and later rework could take a lot of tokens and broken SoCs. Nowadays electronics are driven by software so one bit off and voltage can get 9V instead of 3V for example
Oh, This might be one of the few ideas I approve AI use of.
Cursor spent like Million dollars on creating a browser which people were able to make later with a 200$/100$ subscription in the same amount of days as cursor with human assistance.
I don't think that this can be "autonomous", we assumed that making browsers could be autonomous process but it wasn't. That was the take I took from it all.
Will this be an example of autonomous tho? I think we still need a human experienced with reverse engineering in the loop but it might significantly improve their workflow
I wish if cursor, instead of having burnt million $ to something worthless essentially, Could have atleast done this experiment.
I don't think the market of people buying used phones for the purpose of graphene is going to make a dent in profits for Google. It raises resale value maybe by say, $0, considering the price is set by the average consumer
that depends what you consider a healthy resale value, I bought my Pixel 6a with no issues for 100EUR :-) (and not because I care about Google's business, I don't have gapps in my phone, I just like good deals/VFM)
Didn't know more people are doing this. I am also using a used Pixel 4a which I got from eBay. Still has good battery. I don't see any reason to upgrade any time soon.
Speaking of battery, veeeeery soon phones will have mandated replaceable batteries in the EU. I'm just hoping my current moto (a $99 job perfectly adequate for absolutely everything I do) survives until then.
Aside: I've noticed over the years that phones die in one of the following ways:
- too fast charging (battery dies, charge controller dies)
- usb port dies
- screen broken
- all sorts of falls
A lether folio case, gorilla glass, and a Qi charging adapter solve all of those problems (the charging adapter also limits the current by virtue of being inefficient). It has a magnetic connector (it's a simple two-pin job and it doesn't have any issues) - in the rare occasion I want to charge up real quick, I can still hook up directly via usb c, and meanwhile the port is stuffed with the converter's plug which prevents it from accumulating dirt and fluff.
I'm glad to say that even despite many falls, some directly onto the screen, the phone itself still works very well, even if the case and glass protector are obviously ragged.
I hope once unlockable Moto's come around I'll be able to keep that one for a long while as well.
When you say replaceable, do you mean repairable or swappable? Like, does it need to be done without tools (probably takes <1 minute) or would it take me 2 hours with a load of tools (no change from today) just that there's a legal requirement for them to be commercially available?
Fwiw, besides people that crack the screen I have not seen any of the failures you've mentioned. The only phone I saw someone replace, for reasons other than software support, was myself because the gnss chip was cooked after 3 years (would track me perfectly, like if I step to the right it would notice, but with an offset of hundreds of metres so I'm in another town). All other phones I've owned are still perfectly functioning (the oldest Android phone I have, 2012, has a more reliable battery than my daily driver!), I don't use any case or screen protector. They're just software-wise obsolete because no updates and developers require the newer android apis
imo the RAM bloat/overly aggressive OS. on a similar aged device without zswap I couldn't run more than one maybe two things without the OS killing everything in the background. I think it was better before I got stuck updating to 15
How good is it for the environment / e-waste? If you buy a used phone every year from someone buying a new phone every year, it means that you both use one phone every two years, right? It's a lot worse than buying a new phone and keeping it for 8 years.
If I said "I buy new phones regularly, but I sell them in second hand, for the environment". Would you consider I actually make an effort for the environment?
Mr. Rich Guy sells me his personal device he used in the previous year because he wants new shiny phone, but he may have the very slightest chance of being a super evil genius? The government selling tampered phones on ebay, when they could just.. go directly to vendors and put their backdoors directly into new phones/software?
Sorry for the light snark, but this attack vector seems way too complicated for not much benefit. Unless you are some very VIP person being personally targeted.
Does anyone know where I can read more about which devices will be supported? GrapheneOS website devices FAQ doesn't list any Motorola devices, and the press release doesn't have much either.
As I understand that situation, GrapheneOS developers are super picky about hardware they want to support. So out of all android phones they decided to support only Google Pixel because only these phones provide good enough hardware support for security features they want to provide.
So likely no existing Motorola phones are good enough and only new ones, developed in collaboration with GrapheneOS developers, will be suitable.
They said on Twitter that future devices in the Razr (foldable) and signature line will be supported. The current devices by Motorola do not fulfill their hardware requirements, so no need to buy one yet. This is speculation on my part, but its not unthinkable that non-flagship support could happen eventually, although mid tier SoCs generally don't have the hardware required to support graphene (hardware memory tagging, sufficiently open secure element, etc), so in the medium term, it's unlikely that anything but the flagships will be supported by graphene.
There's no details yet, but I was reading it won't likely emerge until 2027 so ostensibly these will be models that are yet to be announced. Might even be models dedicated to grapheneos (and other open source roms as they mentioned here)
I'm pretty sure strcat was saying on a previous thread that it will only be future models, so nothing in their current line up in guaranteed to be compatible.
Thank god (or China) for not needing Google devices for Graphene in the future!
Motorola devices are 10x more affordable in my country, as Pixel phones aren't even officially here and must be imported with high taxes, while Motorola has official stores and even builds phones locally!
One of the greatest things I miss from Samsung after some time with GrapheneOS is the dex.
The current provided desktop mode is rudimentary, and mostly working. But it has so much potential. We could have all in one device with us, and just plug that into an usb-c dock. Or watch things on big screens in hotels if a mouse emulation on touchscreen like samsung would be supported.
Or, as Samsung already has created this, maybe that could be somehow ported to GrapheneOS via some 3rd party patcher? I'd really like to use samsung clock and gallery, as well, as those are quite a lot better than AOSP ones.
I like GrapheneOS, and the promise of it. Just a few minor things and it would be awesome instead of really good.
> The current provided desktop mode is rudimentary, and mostly working. But it has so much potential. We could have all in one device with us, and just plug that into an usb-c dock.
An acquaintance at a local hackerspace has no laptop, just a Fairphone 5 and a device that looks like a laptop but is really just an external screen and keyboard. He connects his Ubuntu Touch phone and uses that as a laptop, developing software on it etc.
It's not perfect as a phone (Android apps work rather well from what I've seen (I think the emulator is called Waydroid), but e.g. passing through Bluetooth is an issue so there are limitations) but maybe that's an interesting option for you as well
With Motorola being owned by the Chinese company Lenovo can these new devices be used in secure environments? I remember when Lenovo took over making ThinkPads they were banned in some secure environments because of Lenovo links to CCP.
Honestly I’d prefer Chinese backdoors over western ones. China is still a land far far away and I couldn’t care less about what they’d do with my data, unlike western alphabet boys who could freeze my accounts and assets for ”wrongthinking” in the future.
THIS so much! I'm more at risk from the US and my own (UK) government than the Chinese, and in answer to the questions below:
- No I don't know anyone from or in China
- I'm highly unlikely to go anywhere near China (or fly over it, around it) - I'm poor
So unless my local Chinese takeaway is classed as Chinese soil, I'll more than happily buy my phone from there
Most phones are already made over there anyway so know knows what kind of backdoor, listening devices are coded into the chips they put into 'Western Company's' phones.
One has to be careful when flying. Your flight's origin or destination might not be in China, and may not even be through Chinese airspace, but if there is an in-flight emergency, an airport in China might be the closest landing spot.
The true reason you can't trust a Chinese company, and other countries can't trust US companies, is the Western patent regime that allows various companies to sit on patents for absurd amounts of times, preventing others from selling you completely clean hardware on which every piece of software can be replaced.
Iphone is made by Chinese companies too. Same with Tesla. A lot of those components made by purely Chinese companies and yes can be trace to individuals who are CCP. It is extremely hard to source another purely away from any Chinese connections. If you say the main company is USA, you seems to ignore how the pager exploding setup was done. Go into any IT rooms in USA and you audit it as zero from China even if you ignore Taiwan as recognized by American law as part of China. We can't buy anything truly made non-China. Even F35 has some components (and that is official, unofficial we dont know) made in China. Google want to sell Motorola to American companies, not even Pentagon or NSA bother back then. Think about it, how hard to engineer a backdoor exactly same components (say capacitor) or motors during shipment for those phones.
Depends on what environment you mean. Chinese secure environments would see a Chinese OEM as an advantage vs. Google Pixels. In the US yeah you'd want a Pixel.
European tech is in shambles and everyone else is barely holding it together outside of tech.
The whole point about having an open platform from boot is you don't have to trust it. You run your own code from first power on.
Is it possible that it's backdoored, have a secret opcode / management engine? Probably, but that goes to everyone, as it's not practical to analyze what's in the chip (unless you're decapping them and all)
I don't know what secure environments you're talking about, if it's an airgapped system then you should be secure even when what's inside 'tries to get out'.
Korean and western made stuff guarantee to have such thing. CNC devices in Russia stopped working. Even NVIDIA gpu has back door according to China and NVIDIA had to settle this matter behind the scene with China government. At this point, your phone is 100% backdoorable by western government. The only thing protect you is you are non-threat and too small to be bother with.
Not OP but I guess it’s where the threat model includes worrying about the foreign government actors. Like US infrastructure, government contracting or some major tech companies.
The biggest argument for me to buy one of these phones - when they actually arrive - next to running GrapheneOS, will be whether these phones, like all others, are way too big to use with only one hand. Like, I don't have a lot of requirements. Just make it run GrapheneOS and let it be >6 inches. I'll immediately buy it.
Would be super dope if they brought back headphone jack Google teased Samsung over then a year later removed entirely. I haven’t even once considered GrapheneOS since I refuse to go without basic I/O.
Having physical disconnect switches (Bluetooth/Wifi, Modem, Power, Microphone/Speaker), and integrated lens cover like Lenovo laptops (at least for the front camera whereas a case can cover the rear cameras).
On a side-note:
Triple active SIM would be amazing, but one can dream. I would love to have a phone that has an active AT&T, T-Mobile, and Verizon SIM at the same time.
Just get a SIM from another country and use roam like at home. I can use any network here as though it's my home network.
The provider isn't required to support this (they can give me 2 weeks' notice any time) but I use very little of my subscription (the smallest one they have) so I assume they're happy with the deal and don't have to pay the roaming carriers much
Also a disconnect switch for the telco signal. Yet in my experience, even when turned off, a phone may send out a signal periodically anyway for tracking / triangulation purposes.
However to avoid that, removal of the battery is required. A disconnect switch for power would do the same?
I think moving to micro-PCs is the answer, and then having an add-on to get a telco-signal. Why trust Motorola? Start at grass roots where possible. Everything needs to be open-source and based on open standards. No trojans, telemetry or remote overrides.
Maybe the product is an adapter case for a Pi that adds a screen, battery, antenna and whatever else is required to make it a smartphone alternative?
> A disconnect switch for power would do the same?
I would think so. I don't necessarily care about removable batteries because I use a portable power bank. Why carry an extra battery that only works for one device, when I can carry a "battery" that works for many devices?
I wholeheartedly concur (see also: Linux phones), but what about device attestation requiring iOS or Google Play Integrity? That's my main worry, as age verification seems poised to making us dependent on those.
I'm not so fond of it because it has a fan. But if you could use it at home, and then had a "phone conversion housing" you could attach it to a belt and have a smartphone. Run wired earbuds out it. Have a trackpoint nub.
The power draw looks like it's at least 4W with a max of maybe 45W. That's maybe 7 hr with a 10000 mAh battery assuming it's sleeping the entire time and not really doing anything. Not very practical for people used to a small phone lasting all day without a charge.
> You know what would be good for security: Having physical disconnect switches
Wouldn't those become failure points? Anything mechanical will not only wear, but will be affected by dust, dirt, sand, dead skin cells, body oils, etc.
Light switches do not go with hundreds of thousands of people to the beach, the desert, left in hot cars, rained on, sat on, dropped, pressed against sweaty facts, etc.
Triple active SIM would be amazing, but one can dream. I would love to have a phone that has an active AT&T, T-Mobile, and Verizon SIM at the same time.
You can fit several esims on one of these adapters AIUI.
Fi launched with Sprint and T-Mobile roaming and added US Cellular, but is presently T-Mobile only. I don't think AT&T has ever been a supporter carrier.
That's just security theater. If you can't trust the very CPU/OS that it only uses the camera/microphone when the notification is on, then what are you even doing with that device?
You still get the same rectangular screen size for a given size of phone body, unless you want no front camera and sharp square corners. You still get an entire 16:9 screen area in the middle of a rounded corner screen, just with extra screen replacing the bezels on each end.
I'm fine with rounded corners. But I would also like a phone without a selfie camera. I just don't ever use it. If my phone can spy on me then that's the only use the front camera has ever had.
Given that Google has said they'll be delaying source code release for Android to every X months intervals (iirc), how is GrapheneOS planning to handle security updates? Will they just be Google's binary blobs?
Isn't that about feature releases? My understanding was that security patches are separate from this
edit: looked up the announcement https://www.androidauthority.com/google-android-development-... but it doesn't even mention the word security. I don't know enough about the manufacturer side of things to say whether this means there's also no security updates while they work on new features
I don't think they will ever do that. If they want to compete with Android, they need hardware attestation [1], which requires that they get recognised as a trusted Android alternative.
If they distributed rooted versions, then banks and the likes would not be willing to trust them.
Yeah, I would install this in a heartbeat. I am very close to building myself but manually updating the phone every week or two is a big effort. I could use one of the third-party OTA builds but that is extending trust much more than I need to.
Is there an overview somewhere of stable third parties that do these builds? I might want to use one of them and didn't know this was a thing. Not having access to my own data is the only reason I haven't installed the OS yet
The problem is that even if you build this yourself, and sign it with your keys, the signature of the builds will not lead to positive hardware attestation. This, as noted by @palata, is required for passing Play Integrity Checks, and in turn is the requirement for using banking, tap2pay & co.
It's really a bummer that Google probably won't certify pre-rooted devices. It would obviously only do harm to them and not fit into the scheme of our big tech companies pushing anti-circumvention laws, but some high-spirited side inside of me still has hope.
That would be as big as Signal stepping away from the phone number requirement. Sadly I've lost hope on both of these, no idea why obviously good things (I'd say pro choice if it didn't have another connotation) are always such a no-go
Motorola reps reading this : I almost bought the Motorola Signature, but changed my mind after hearing of all the adware and crapware that you continuously install on your devices.
If you want to invest into software, this should be #1 of your list.
Unlikely. The reason graphene doesn't run ön non-pixels even today is that it depends on certain hardware features that most vendors (beside Google) lacks.
So, what is Motorola's incentive here? I love it, but why are they pursuing this? It's an enterprise / government play around auditable privacy and security?
They know their software and update story sucks, so partnering with a company which promises to handle all that and they have an existing audience means they'll sell a lot more of that model.
GrapheneOS currently has like half a million users and growing. And many of those users would love to not be forced to have a Google Pixel (even if those are really good phone).
The question for Motorola is: "given the cost of meeting GrapheneOS' requirements, how many more devices will we sell?". Hundreds of thousands of devices is not nothing, I guess. Plus they get free consulting from the team building the most secure phone OS out there.
I really don't understand why smaller smartphone manufacturers didn't fight before for that. Say Fairphone: I don't know about today, but a few years ago they finally got profitable by selling something like 200 thousands units a year. If they had designed a phone to be supported by GrapheneOS, that would surely have increased their sales quite a bit. Now that ship has sailed, GrapheneOS will be focused on Motorola for a few years.
My guess is that this is a great way for them to standout, fill a niche, and get tons of free advertisements in order to gain back some of their Android market share.
Motorola has effectively lost in the Android market and are on downward spiral into irrelevance (already there?), so they have to do something different.
Add to that existing grapheneos users at best only care about good enough performance and a good camera, the selling feature is security and so a lot less overhead to market such a phone. Those who want the latest features will continue to buy pixels, Samsung, and iphones. The only thing I feel is missing from the picture at a quick glance is a tablet for the few who want a secure tablet device.
Plain Linux on phones is still quite bad. It's not unusable like it was a few years ago, but it's still not good enough to gain any traction. Jolla is trying, desperately, and it's not working, even with the ever growing anti-American sentiments.
For Motorola to partner with one of the Linux phone projects, someone would have to invest significant resources in mainlining the drivers, replacing blobs with open source drivers where feasible, and maintaining that code when new upstream firmware and drivers make it downstream with patches and fixes. Looking at postmarketOS, you can see it takes years of community effort to port a device to the point of becoming useful. Once the software is done, the hardware is outdated enough that Motorola won't be making any money on sales any more.
In theory all of this would be a lot easier if Qualcomm, MediaTek, and the other SoC manufacturers would take the burden of mainlining drivers upon themselves the way Intel and AMD do. With the recent high-end Qualcomm chips, the company does seem to put in some effort, but these companies simply don't care about Linux support.
GrapheneOS is an Android fork so of course they're partnering with an Android company. They also don't have the capacity to maintain their own kernel + security patches + drivers, which is why they rely on upstream maintenance (from Google, historically) with their own Android-level improvements to remain secure.
Grapheneos has well established its role in the android ecosystem. Having developed and upstreamed features that have as a whole, improved the security of android.
Pine64 has targeted a very different market around extensibility and hacker/maker mindset. However while their phones have a lot of potential, security measures are half baked (microphone cutoff switch doesn't actually cut off the microphone), performance mediocre, and demand missing. While I love my pinephone pro, its not a dailiable device. A phone that cannot access common services like your bank account are non viable for 99% of users.
Because, and I really mean no offense to them, their phones fucking suck. Like, dogshit slow hardware with terrible drivers and a modem that barely works with last gen tech.
Their most advanced phone is based on a >10 year old SoC, that wasn't even that good when it was first released.
And even then they still don't live up to their promises, it is still not open hardware - there are a bunch of proprietary firmware, but especially silicon on these devices.
Do we know if there there be Widevine L1 keys that aren't deleted on unlock? (Certain phones restore access to L1 on bootloader relock, as long as AVB passes, including with custom keys.)
Well, I'll surely be buying a Motorola device when GrapheneOS support lands.
I've been running on several half-working recent android ports to my Xiaomi Mi 9t for many years now.
If I can get a modern phone, modern android, my privacy preserved and a hackable phone (to the extent an unlockable bootloader allows, which isn't a given nowadays, I especially hate how Xiaomi does it), I'm 100% sold.
That's not really sideloading, though. The stock recovery doesn't let you install apps or anything like that, it's meant for loading official versions of Samsung operating systems onto devices that got corrupted somehow.
You can probably try to use the stock recovery to flash a custom ROM, but I doubt it'll work. Custom ROMs rely on tools like TWRP or LineageOS Recovery for a reason.
This is how you can install GrapheneOS on these. Also, if you're wondering how does the security of something like this work: if you change the boot hash then the phone forgets all the hardware-stored secrets, for example the disk encryption keys.
Why? Multiple times in the last 8 or so years I've considered both Nokia (HMD) and Motorola. Looking at reviews and specs I decided every time in favor of Motorola, despite liking the design of Nokia's more, and didn't regret it.
Even though there doesn't seem to be huge mainstream consumer demand for this (although I actually question how well consumer demand for privacy and customization can ever be ascertained when the price signals are corrupted by a market where the winning players are essentially chosen by the state, as is arguably the case with both TSMC and Qualcomm), it still feels like the world simply couldn't go on with both iOS and Android become caged, cheapened, fragile shadows of the visions we once had for them (particularly AOSP).
I think we can only expect the demand for privacy to grow into the future given that people tracking in a trenchcoat schemes are popping up everywhere through governmental and private efforts trying to gather data for ads and control.
Not to be flippant but who cares? People don't know there's an option. I've run Graphene for years and will gladly pay a premium for it. Beyond the bolstered security the battery life is exponentially better than a default Android device because of all the constant background traffic that Google doesn't allow any control over that you instantly have a choice with on GrapheneOS.
And as soon as you start showing these things to people they do start to care and ask how. So the fact that the mainstream is ignorant and doesn't care enough yet doesn't matter because it's very likely a much larger segment of users will care when the tech evangelists they trust stop using IOS and Google Android. That's how these things started and that's how they could very well play out in this scenario as well.
Not all markets are trendy B2C stuff. The Motorola press release specifically mentioned B2B/corporate sales where security is important and there's plenty of government, journalist, non-profits/activists, etc usecases on top of the usual corporate locked-down environments like banking.
Is this feature gonna be on All phones including Low-end/mid-end (4-8Gb ram) and their flagship phones?
It's gonna be huge if that's the case because Pixel's here are expensive, their second hand prices are in "non-global" countries[0] and you have to pay a premium. Also I live in world's largest second-hand phone market and it can have its worries as well.
You can't say to anyone who wants privacy, oh just buy a second-hand pixel. It's just not that easy.
But if Motorola can launch multiple phones and there are always gonna be some deals one way or another (with cards) and as motorola phones are pretty competitive in price, Finally we can have phones worldwide where privacy isn't charged extra.
I have spent some hours looking at online second hand phone stores to find but due to its somewhat rarity, I always feel like being frugal, I am just paying extra for privacy and so I am really happy with decision from motorola using their supply chain of phones and partnering up with Graphene.
I was gonna buy a phone for myself, I was thinking a second hand pixel phone but given the things I said earlier at this point, I might as well wait for a few more months to get the moto phone.
I just hope that they launch an affordable phone with grapheneos. I really don't care about specs as I have been able to live my life with 7 year old motorola phones too in 2026 for sometime.
I will definitely recommend my family Motorola phones in the future and slowly convert everyone to motorola if motorola releases an affordable phone with actual privacy.
As domh mentioned, some (not all) banking apps do seem to work well at the moment. My concern would be that what works today may not work tomorrow. My HSBC app seems to get more crippled with every update and it wouldn't surprise me at all if a future update rendered it unusable on GrapheneOS (which is the main thing stopping me from moving to it).
It's probably a pipe dream but I do hope that someone like Motorola officially supporting GrapheneOS will make businesses take support somewhat seriously. If nothing else you sound less like a crazy person when you tell your bank's customer support "I bought a Motorola phone and now your app doesn't work" than "I flashed a custom ROM to my Pixel and now your app doesn't work".
This whole thing feels like a subversion, instead of having graphene independent from devices and widen the attack vector, now the spooks can just focus on the “supported official device” only. That being said, the hardware isn’t open source (cell modem is enough to expose you), some binary blobs for the firmware aren’t open source, motorola is a US company with all what that means, if you are after anonymity or even privacy, I would stay away from it entirely, you will be like a person putting a full mask on while on public, except that mask is scanning your face in real time. You will stand out like a sore thumb, your best strategy is blending in, so the automated systems scanners won’t flag you and thus put you under further monitoring.
The timing is super weird too, when all corporations are pushing for digital ID, are actively lobbying to deanonymize the users, cooperating with gov too to have a smooth pipeline for such process, and motorola the known company of having defense contracts, are suddenly caring about open source privacy?! Cmon
>This whole thing feels like a subversion, instead of having graphene independent from devices and widen the attack vector, now the spooks can just focus on the “supported official device” only.
Graphene is currently only supported on Pixels, so not sure what you mean by that.
The only speculation part is the timing, the rest are facts, only a naive will think a smart phone is ever private or anonymous. Your phone has a unique ID tied to the hardware that can ID you, your cell modem isn’t open source and is equipped with builtin high accuracy GNSS, plus other hardware and its non open drivers that can be exploited, among many attack vectors that are easily exploited on modern smartphones. This issue isn’t unique to phones too, many modern laptops are also part of it, TPM and plenty of hardware that aren’t really open, the only exception is a laptop can be used in an air gapped environment, not really the case with a smartphone, because assuming you managed to do so, it defeated its purpose to start with.
The conclusion here is if you are after anonymity then you should ditch your phone entirely, having a “secure OS” won’t provide such goal but it might bring more attention to you than using of-the-shelf average phone.
- ability to sandbox Google Play and Google Apps so that they live in their nice little Google bubble and have no control over my phone overall
- ability to run all applications sandboxed with fake permissions that I can whitelist for each application and without letting the app know it doesn't have the permissions it wants. Want location? Give the app a location point I've fixed for that app. (Or pass through real GPS location if I've chosen so.) Want contacts? Give the app empty contacts list. Or if I've allowed, give the app the contacts I've whitelisted.
The Android/Google ecosystem is all right in itself, I just want to limit all of it inside a cage that I control. I want the exact same for my browser: I want webpages to run in a highly controlled sandbox with my choice of spoofed environment and permissions instead of assuming any power over my system. Or my Linux desktop where I firejail or sandbox certain proprietary apps outside of my distro's repositories.
reply