I am a long term GrapheneOS user and would like to talk about it. r/privacy on the redditland blocks custom OS discussions which I think is very bad for user privacy, and I hope this post will be useful to anyone who are in the hunt for better privacy.
Nowadays smartphones are a much bigger threats to our privacy and Desktop systems, and unfortunately manufacturers has designed them to be locked down devices with no user freedom. You can’t just “install Linux” on most smartphones and it is horrible. And most preloaded systems spy on us like crazy. That was why I specifically bought a pixel and loaded GOS onto it.
According to https://grapheneos.org/features , they start from base AOSP’s latest version, imptoves upon it’s security and significantly hardens it. There’s hardened_malloc to.prevent against exploitation, disabling lots of debugging features, disabling USB-c data, hardening the Linux kernel and system apps etc. They even block accessing the hardware identifiers of the phone so that apps cannot detect whqt phone you’re using. That means with Tor and zero permissions given, apps are anonymous.
Compatibility with apps are best in Custom ROMs but there are still that can’t work, especially if they enforce device integrity. Very few apps usually enforce that tho. Also their community isn’t the friendliest but you can get help. Just don’t try and engage too much or have too many debates.
Anyone else here use GrapheneOS, or any other privacy ROMs? What is your experience? Do you disagree on any point? Let’s have a discussion!
I’ve been using it for many months and I like it a lot. Only one of my banking apps doesn’t work.
Currently my main issue is that webauthn stopped working after an update. And the community support hasn’t been helpful.
I wish they had better documentation in general.
I’m buying a Pixel, I’ll try it soon. But for now I like LineageOS+MicroG very much.
MicroG doesn’t have as much compatibility as Sandboxed Pkay. Also I think LineageOS is not as patched and kept up to date, maybe try DivestOS or CalyxOS (both forks of Lineage)
I have used it in the past on a Google Pixel 3A, and I’ve used Lineage OS for many years as well.
I was a long time lineageOS user and love the freedom of changing anything. I switched to grapheneOS and like it, but miss some features, that are just pointless and not relatable: no full AMOLED dark mode - the devs said the battery savings between dark and pure dark isn’t relevant. and the other thing is: why is the white bar on the bottom not removable?
Because of these things I switched back to lineageOS and realised how dumb it is because of two optical features. GOS is definitely worth to look over two missing features and I switched back to GOS.
Anyway the most interesting transition from an lineage user to an grapheneOS user is, you realise that root isn’t useful and more risk than fun.
Tbh i used OLED dark mode on my LG v50, and I got serious screen burn in as a consequence. OLED isn’t worth using for a smartphone IMO.
Yeah GrapheneOS rarely does eye-candy features. They have a very small team so they exclusively work on security features.
https://www.privacyguides.org/en/android/distributions/#aosp-derivatives
https://eylenburg.github.io/android_comparison.htm
I am a GOS user, it just works, so I don’t really think about it. It’s very nice to have storage and contact scopes.
My only complaint is I can’t share a VPN over hotspot or tethering, which is very useful for a travel router device (to make all traffic look like it’s coming from the phone). (Lineage and calyxos have this)
Really? I use rethink to filter my dns and that uses a local vpn and that works since ive configured it to not connect to internet unless through that vpn. U can then configure rethink to proxy via wireguard, orbot, or socks.
I’m not sure I understand your architecture.
Let’s say I’m traveling. I have two phones and one laptop
One of the phones has a SIM, unlimited data for the phone, and no data available for tethering. The Sim phone has a VPN
In your use case, how do I get other phone, and the laptop to use the VPN?
Ahh i see ur issue. I have my sim in my grapheneos with a vpn that i can then shair via hotspot. Ur trying to use a non graphene with a vpn that u then use to hopspot ur graphene and laptop? Id say thats an issue with ur non graphene phone cant shair a vpn via hotspot?
The graphene phone has the SIM card.
Now how does that phone share a VPN connection with the laptop? Or another phone that’s not graphene?
And my requirement for my scenario is, the upstream carrier cannot tell that the traffic is not coming from the graphene phone
So simply turning hotspot on on the graphene phone as well as the vpn then it will send all traffic over the vpn. Are u having issues with the carrier detecting ttl and thus blocking hotspot traffic cos as of present there is no fix for that.
Thank you for explaining your architecture. I understand now.
carrier detecting ttl and thus blocking hotspot traffic
There is a fix for that, sharing the VPN over the hotspot like in calyxos or lineageos.
graphene will route all hotspot traffic over the vpn so idk why it isnt changing ttl.
What about the network permission?
Sure, that’s a nice to have. However, I don’t install any apps on my phone that don’t need the network. So for my use case it’s a bit moot
That’s a permission I wish stock Android had because it could be useful.
That alone makes me consider switching to GOS
U can completly block an app from internet as an app permission.
I wonder why this is not a permission available in the Android OS itself 🤷♂️
We b9th know why lol
Because fuck google? I know why and fuck google
Network permission is godly. App you need or want but don’t trust that shouldn’t be allowed to phone home? Fixed.
It’s great, but it drains my battery like hell, (with three profiles: default, google-ser-ices and owner… don’t know if that’s still recommended)
Yep. Been using it for about 2 years now. So far no issues except amazon prime but they gave me adds sufficiently annoying that i finally got around to setting up jellyfin. Been able to solve pretty much all my issues with dr gpt.
Every time i see someone posting about a new mobile phone exploit i get immense joy scrolling down through comments and finding someone posting the fact that graphene patched it 3 years ago and recommended a patch to google who have yet to implement it into base android.
Cellebrite and the new Grayjack or something both has zero ways to crack a GOS phone 🔥
Do you have difficulties running pokemon go (if you do play it) and/or banking apps?
Banking apps works for me, they have a list at privsec.dev check that out first.
My three banking apps work fine. Ymmv
Banking works fine for me.
None of my banking apps or my government ID 2FA app work in GOS, not even with sandboxed google play services. I had to go back to stock android since these are essential to my everyday life. Huge bummer since I replaced my old broken phone specifically with a pixel for GOS.
I am. It’s good. Don’t have any issues just huge compliments to the team.
I’ve been using it for a few months. Very happy with it. Minimalistic initial setup, gives you the feeling of control as well as privacy, bank apps work splendidly… an effortless transition, I say as somebody who previously used iPhone but wasn’t tied into the ecosystem.
I would love to buy a pixel to install GrapheneOS but ain’t no way I’m giving google money and I don’t know where I can buy a brand new pixel. There are currently 3 apps that scare me and not sure if they’re even working on GOS and one is my bank app
Here they aren’t officially available yet there are still plenty of resellers - I guess you can find some in your area. I was really scared that the bootloader wouldn’t unlock due to the origin country’s carrier shenanigans, but it went through just fine (still checked every bit of info I could before buying).
Last time I bought a phone it was sold as phone of my country then realized when started that was from another country in Europe so I’m scared of getting that again
At least the listings I have seen explicitly listed the origin country. Mine is Japanese, and it cost less than an Amerixan counterpart, for example.
It’s not a big deal but the thing I wanted to use was not available on that region🥲 then I learned how shitty the company was
Regarding banking app, check privsec.dev 's list.
Regarding Pixel, don’t see it as giving money to Google, see it as payingnfor good hardware.
I’m still paying a shitty company for good hardware. I will see if I can find a good refurbished, otherwise I’ll pay the hardware with money and not my data. Fuck google
I’ll pay the hardware with money and not my data.
Way to go
Of course mine isn’t supported 🥲 fuck google
Does yours have a website you can use through a mobile browser? With the exception of mobile depositing checks, which I do once every 15 years or so, I an do all of my banking in the browser
My bank app worked fine on lineage OS without Google Play Services, but I ended up leaving them anyway because I wanted to have a bank that would let me use a mobile website and that bank required the use of their app.
Good luck to me I guess! Thank you!
I have no problem giving google money to pay for good hardware as lobg as they give me the freedom to do with it as I please.
This is what kinda scares me. Pixels are/were the only phone I know with a green/gray screen problem. Can’t find images online (probably can’t find the right words to search for it)
I believe only the pixel 8 is effected?
I think it’s not PIxel only issue. Some Samsung S series devices also suffer from the same screen green tint issue.
Check out Swappa. They usually have plenty of phones in various condition to pick from.
It’s a refurbished website for the US? I’m in Europe and I can check something similar Thank you!
Getting a used/refurbished one doesn’t really give them anything, and actually prevents them from getting data on the next person who would have gotten the used phone and used the stock OS
True. I have to see which one is the right one for me and the price. I’ll check it later
I got a 6 a few months ago and it’s solid. I only got it as a test but ended up using it full time. I do wish j had gotten a newer one only to future proof more
I’ve found the 7 8/128 for ~270€ and it’s great! Good conditions too, it scares me the green screen problem which is a pixel thing
I am waiting for the LineageOS port for my SM-A536B.
Other than Starbucks app and VoLTE stuff, I haven’t encountered an issue yet. Somehow all my banking apps work. The profile feature alone makes it worth it. They also recently increased the number of profiles that can be run in parallel, too.
Did you fix VoLTE stuff? What was the issue?
The issue is that I can’t make phone calls and send SMS… But it can be fixed using this tool:
https://github.com/kyujin-cho/pixel-volte-patch/blob/main/README.en.md
I need to run Shizuku every GOS update and enable VoLTE, so it’s tedious, but necessary. Phone incapable of phone call is ridiculous.
Oh, and even with this fix, I can’t call some people for some reason. I can receive call from them though.
Could you automate that with Tasker?
Unless the phone is rooted, I don’t think so; I need to enable wireless debugging first, then run Shizuku, then enable a bunch of options in the Pixel IME app. But then again, this can be done permanently with root.
That’s a dealbreaker for me. I do use my phone as a phone rather frequently. What’s the deal? Is VoLTE not supported by default on GOS? Is ou it a specific device incompatibility?
Honestly, not quite sure why it happens, but I know it’s something to do with using it in Korea, where Pixel phones are not natively supported. In other words, it happens with Pixel phones, regardless of the OS.
As to how I knew it would work with the fix, it was a gamble. I rooted my phone and enabled VoLTE prior to that app.
Is VoLTE not supported by default on GOS?
Yes and no. e.g. see https://grapheneos.org/usage#carrier-functionality
Wi-Fi Calling, VoLTE, Visual Voicemail, MMS, SMS, Calling and 5G (SA and NSA) all are supported, however some functionality may not be usable due to Google not supporting carriers on the stock OS officially or due to GrapheneOS not shipping proprietary apps required in order for this functionality to work on some carriers.
Generally 5G, SMS, MMS, Calls and VoLTE will work fine on GrapheneOS with officially supported carriers by Google.
Some carriers may restrict functionality, such as VoLTE, on imported Pixel devices as they only whitelist the IMEI ranges of Pixel device SKUs which were sold locally.
And https://grapheneos.org/usage#lte-only-mode
VoLTE / VoWi-Fi works on GrapheneOS for most carriers unless they restrict it to carrier phones.
So… it depends
If your carrier is official supported by google, your carrier itself supports it and your device is not imported, it is likely to work.
So basically not a technical issue, just corporate shenanigans.
How do you like the cross profile notifications? What’s your workflow? Do you have multiple profiles active at the same time?
I have one “Daily” profile where I keep thing I don’t mind showing others, and many other private profiles. Each private profile has a unique environment I find myself using every now and then, so it’s a bit like VMs. For example, one profile has VPN on 24/7, another with Orbot, and another with a non-functional VPN (which is basically no network). It enforces the rule so that I don’t fuck things up by accident. Primary profile is just a package manager for me.
I have multiple profile active, but it’s usually just for long downloads. It was annoying whenever I go back to a profile expecting some long job to be done, only to find out it got killed 10 seconds after starting it. Or worse, finding out my Daily profile got killed.
I don’t get many cross profile notifications because I almost never receive one outside of the Daily profile.
Personally for me the most important thing in Android is automatic native call recording. If GrapheneOS gets that, I will consider buying a Google Pixel device.
Also, banking and other apps should stop using Play Integrity API.
It’s okay if they use the Play Integrity API, they just need to also whitelist the keys that sign the official Graphene OS ROMs. Not that I expect they’ll do that, mind you…
That would leave LineageOS and everything else broken.
I hope EU forces Google to make Android more open again.
Ive used it for around a year and a half and never had any issues. My banking app stopped working after about 8 months but I just log in via a browser and it hasn’t effected my life at all.
For anyone considering the move here is a list of bank apps and their current working status as I know that is a big consideration people worry over.
My banking app recently stopped working on graphene too. Mildly annoying.
I personally don’t even find it that annoying as it takes around 30 seconds more to log in via a browser for me and I barely ever use it anyway. I’m more annoyed that my bank has the audacity to think they can dictate what I use on my phone citing “login blocked due to custom ROM” or something similar when I last tried to use the app.
Fuck banks.
The UBL app isn’t listed, hope it’ll work 🙏
You can always give it a run and add a report. Also, if it doesn’t work, give the app devs feedback that it is preventing you from using it. It might not be much but we can at least try to make our voices heard.
