I’m considering the switch to GrapheneOS, so I watched this interview with one of the members of the GrapheneOS team, and honestly, I feel it was a great general introduction to it and touched on common features and misconceptions.
For those who don’t know, it’s one of the most secure and private mobile operating systems out there. Some things that I took away:
-
They touched upon MAC randomization. I researched a bit on my own about what the need for it is. Apparently, it’s standard practice to randomize MAC addresses when scanning WiFi connections. However, GrapheneOS (and Pixel firmware) are even better at this, as they make sure they don’t leak any other identifiers when doing so. They also allow you to get a new random MAC for every connection that you make (not sure whether this is very useful, as this can cause problems). On a related note, even when WiFi/Bluetooth are “off,” stock Android can still scan in the background to improve location accuracy (by matching visible networks/devices against Google’s database). So basically, even with WiFi/Bluetooth off, Google still knows where you are. In GrapheneOS, this option is off by default.
-
They have their own reverse proxies that they use to talk to Google on your behalf when needed.
-
Apparently, in the USA you can be compelled to provide a fingerprint or Face ID. Courts have ruled this doesn’t violate the 5th Amendment because it’s physical, not testimonial. BUT you cannot be compelled to provide a password/PIN. That’s considered testimonial evidence, protected by the 5th Amendment. GrapheneOS has a two-factor system where, after using your fingerprint, you still need to enter a PIN, so it helps with this. They also have a BFU state after reboot, which is the safest and requires you to enter your full passphrase.
They also have a duress PIN.
I believe if you are compelled by police to unlock your device, and you wipe it instead, you may be charged with destruction of evidence, or at least obstruction of justice
For point 1, you can choose the MAC privacy settings on a per-connection basis. For example, my MAC is randomized periodically on all connections except my home network, where I use my device MAC.
I mean that is standard on all mobile OS. IOS has it standard android has it.
deleted by creator
grapheneOS is a great system, it’s a shame about the absurd accusations made against eOS and iodé. On the other hand, the biggest problem with grapheneOS is its exclusivity: it only works on certain Pixel models, which are very difficult to find and expensive. Here in South America, it’s very difficult to find a Pixel, not to mention that they’re prohibitively expensive. But I suppose if you need that level of security, you’ll pay whatever it takes.
Translated with DeepL.com (free version)
- Mac randomization is also on ios
- Apple provides an ip hiding proxy service
- ios has BFU where biometric is disabled. And holding power button disables biometric unlock. And nothing is better than just having biometric unlock turned off.
Does iOS also provide:
- Duress password?
- Scrambled PIN input layout?
- Storage scopes?
- Contacts scope?
- Full permission control on Apple apps like their app store?
- Hardened segregation of profiles?
- Fully controllable sandboxing?
Honest questions. I don’t use anything Apple, but have used GrapheneOS for years.
How’s Graphene OS as a daily driver?
As I said, I’ve been on GOS for a few years now, after having tried CalyxOS before ever hearing about GOS. Having said that, I have absolutely no complaints. My main Profile runs nothing but FOSS apps, and then I have a secondary profile for anything that requires Google Play to work (banks, maps, IoT platforms, etc.) I don’t use ‘normie’ social networks or chat apps at all (WhatsApp, Instagram, discord, etc.) so I can’t speak to those.
Not only does my battery last ridiculously longer than it did on stock Pixel, but every interaction seems to be way faster as well (admittedly, I didn’t really last long on stock Pixel, so I might be biased by that).
The only app that doesn’t want to work for me is the Chase bank app, but that’s fine, I just bank via browser.
I cannot compare experience with iOS, since I haven’t touched any Apple device in years, but from what I read and research, failing to get a pixel phone to make it a GOS device, phones seem to be the second best option to be somewhat secure and private.
Every other self-denominated “privacy mobile OS” out there is just smoke and mirrors, as I’ve tested against my network and they all send information to Google and other big tech third parties in one way or another. GOS is the only one that seems to keep everything in my control 100%.
- Apple also collects a massive amount of data on their users. But thats ok apparently as long as they just say “trust me bro”.
They definitely use your data to market to you on their platform. They might not be selling your data outside their network, but does that suddenly make it okay? They are still using your data to their enrich themselves.
deleted by creator
I told you I will switch to Graphene OS, you don’t have to sell it to me.
Even the iPhone can handle the bully tactics with cops. Simply attempt to shut down the phone. You don’t have to follow through, pulling up the shutdown slider is enough. It will require a password to unlock after that.
Also, if you press the power button 5 times on iPhone it does a hard lock requiring the passcode to unlock.
My only problem with GrapheneOS is the lead developer.
What’s wrong with the lead developer?
Paranoid and has some outburst from time to time. Dude does some amazing work though.
Being paranoid is quite helpful when hardening a system.
The only thing I missed when switching to GrapheneOS from Android was Google Pay, and that wasn’t that big of a loss.
You have to install GrapheneOS’ Google Play (sandboxed) and services for banking and government apps. And you can install Google Play with stock Graphene, it is very easy.
In my country everything is built around this 2FA app that requires Google Play Services. But a phone with GrapheneOS and sandboxed google play should be better in total than just running stock android I guess? I wish I didn’t need google play services, but currently I do.
Yes. The top comment says Google Pay, not Google Play. The sandboxed play API has worked well for me personally.
The threat level for google play services is different in graphene as it runs in what they call an “appbox,” which basically means Google Play is just another app that’s sandboxed like everything else.
Would there be any benefit in running google play services in a private space, or does the sandboxing already provide that separation?
I don’t think so. From what I gathered, the only thing Play Services can see on GrapheneOS is the list of other apps you have installed. That’s it. They can’t see anything else unless you grant access to it. You’re not giving Google root access to your phone, you’re just installing an app that happens to be made by Google, and it’s locked down like everything else.Edit: https://youtu.be/YB01HHFitFA?t=625 I just saw this video apparently apps can still communicate with each other so you might want to isolate if that’s something you’re worried about.
Yeah, as they said most banking apps now work, however, Google Pay doesn’t.
There are alternatives to it like curve pay but I haven’t done the research whether they’re trustworthy enough. EU company I think.
I tried to set up Curve on my pixel 7 with graphene os and it wouldnt let me create an account. After filling in my contact details the app just said “We are unable to verify your identity” even though it never even asked me to show ID (I never reached that screen).
When i emailed Curve customer support (which is terrible btw, theres about 2 months between replies) they just said things like “We cannot offer you an account at this time” and “We were unable to verify your identity” and “We are unable to disclose the reason for denial for security reasons”.
I’m not sure if graphene os had something to do with it.
So just in case if you want to set up Curve maybe create the account first on a non-graphene phone, then log into the app on graphene after the account is already created.
I just got a phone case that holds my debit card in the back and turned off NFC.
That’s cool and all. But I just want a working Linux phone to use as a daily driver. That doesn’t require constant fiddling and is made with modern, powerful, hardware.
Keep an eye out for what people say about Jolla’s next phone, when it’s out sometime next year.
Hey there, GrapheneOS user here!
They also allow you to get a new random MAC for every connection that you make (not sure whether this is very useful, as this can cause problems).
This can not only be turned off entirely in settings, but you can actually modify it on a per-network basis! For example, on my home network, I can tell it to use no randomized MAC at all, or a per-network randomized MAC, meaning it will choose a different MAC address than my normal one whenever I connect to my home network, but it will always be the same MAC on my home network, only changing on other networks.
They have their own reverse proxies that they use to talk to Google on your behalf when needed.
Which you can also disable if you don’t want GrapheneOS to proxy any particular type of your data, and you’d rather it just go straight to Google instead for security reasons, even if you give up a little privacy.
Apparently, in the USA you can be compelled to provide a fingerprint or Face ID
BUT you cannot be compelled to provide a password/PIN.
Yep, however an important caveat is that if you’re not a US citizen, you can still be compelled to give up your password or PIN, otherwise you’ll be denied entry to the country. And, if you’re a US citizen, you can have your phone seized and held for some time (i.e. months), even if you’re then allowed entry to the country. (this is likely so the government can wait for an exploit to become known, or have more time to run a cracking algorithm that’s computationally expensive)
GrapheneOS has a two-factor system where, after using your fingerprint, you still need to enter a PIN
Not enabled by default though! This can also be used within the OS itself. For example, I can set a PIN+Fingerprint access for my lockscreen, or PIN-only access, then still individually lock an app on my phone with a fingerprint without it also having to be enabled for my lockscreen. I’m unsure if that’s supported on stock Android.
They also have a BFU state after reboot, which is the safest and requires you to enter your full passphrase
All phones have a BFU (before first unlock) state, and GrapheneOS doesn’t require a passphrase unless you’ve set one, otherwise it’s your PIN. Fingerprint unlock is disabled until after BFU though, so it requires essentially using a backup PIN even if you always use your fingerprint, at least for first unlock.
However, GrapheneOS is unique in that companies like Cellebrite, who sell the government hardware and software to crack people’s phones and exfiltrate their sensitive data, have stated in leaked slides that they can’t unlock GrapheneOS devices BFU, (if they’re updated to at least security patches after 2022, which any GrapheneOS user reasonably should be) while they can crack stock Android devices BFU.
This is why I always make sure to fully shut down my phone before I go through airport security, for example. It’s also possible to simply “Lockdown” the phone to disable biometrics again and require a PIN/Password like during BFU, but in that state the phone is not actually in a BFU state, so it’s not fully protected.
even when WiFi/Bluetooth are “off,” stock Android can still scan in the background to improve location accuracy (by matching visible networks/devices against Google’s database). So basically, even with WiFi/Bluetooth off, Google still knows where you are. In GrapheneOS, this option is off by default.
There’s a tiny bit more nuance to this. Your cell service will still be active even if you disable WiFi/Bluetooth, and that can still track you, even if it’s not through Google’s location services, since your carrier still gets pings from your phone.
GrapheneOS’s airplane mode disables the cellular radio entirely, whereas some OEMs don’t do that on their phones, even when you turn on airplane mode, meaning your cell provider could still triangulate your position regardless of if you have airplane mode on or off.
Also, GrapheneOS additionally supports a proxy service for more accurate GPS positioning, which can reduce the amount of data available to Google, even if you need more accurate positioning data using nearby networks.
Thanks for the Mac address tip. My home WiFi UI gets super slow after I have a million different devices connected because I have multiple GrapheneOS devices. Now I won’t have to constantly delete logged devices
Don’t forget the Duress password!
Thanks for the in-depth answer, I think I will try installing Graphene today.
This can not only be turned off entirely in settings, but you can actually modify it on a per-network basis!
Oh nice ! Makes it way more useful then as I saw forum threads of people saying there’s no point in randomizing on your home network and may cause issues.
GrapheneOS’s airplane mode disables the cellular radio entirely, whereas some OEMs don’t do that on their phones, even when you turn on airplane mode, meaning your cell provider could still triangulate your position regardless of if you have airplane mode on or off.
Did not know that, fascinating! Even Airplane mode is upgraded :D
I will try installing Graphene today.
Good luck!
First thing I’d recommend you do when you get it set up is literally just go through every single settings menu and see if anything catches your eye. There’s a lot of random settings that GrapheneOS adds that can be very useful. Some of these might not be visible at first glance. (for example, when you’re installing an app, a popup will appear asking if you want to grant the app network access when you install it, and if you toggle it off, that app can’t talk to the internet at all, not for ads, telemetry, or anything at all.)
Just be aware that some features that Google implements on stock Android aren’t available, because they’re not part of the Android Open Source Project (AOSP)
Things like Google’s Find My Device features, some of the extra lock screen customization (e.g. custom clocks other than just simple color changes), automatic music recognition, (e.g. Shazam but built into the OS and running in the background for some reason), etc.
One thing I haven’t understood properly I feel is how notifications work. They talked there’s basically 3 ways of sending notifications on android. FCM (googles system) , websockets, unifiedpush. Most apps use FCM so you need play services installed to get notifications, right?
How does that work through profiles though? Some commenter in this thread said you can forward them from another profile if that profile is running in the background? But if I have google play services installed on profile B but not profile A? Do I have to install them on every profile?
I may not fully understand how profiles work yet.
Most apps use FCM so you need play services installed to get notifications, right?
Not all, and especially not 99% of FOSS alternatives. Many apps simply fallback if they can’t reach Google’s system service. For example, all my banking apps worked fine without play services, could send notifications, etc. Discord even sent relatively up-to-date (with a small delay) notifications… but one day, it stopped doing that, and now Discord requires (sandboxed) Play Services to send me notifications.
It’s a bit of a mixed bag, but the vast majority of apps I’ve used seem to have fallbacks, excluding most games, and a larger percentage of banking apps compared to other ones.
How does that work through profiles though?
Think of profiles as just your regular user experience on the phone, just on a separate account that can do all the same things but is totally isolated, without shared app data, settings, etc. The user experience is like having two completely separate phones, just with the same cellular network, OS version, and it’s running on the same hardware. (oh, and only your primary (default, one you start out with) profile can manage all the other profiles. It’s sort of like the default “admin” account of the phone)
Everything is isolated, unless you tell GrapheneOS to connect the two in some way, the only way I know of currently being… Notifications!
Now imagine that if you’re on Profile B, and Profile A gets a notification. You just get a notification saying “Profile A has a notification” with a button saying Switch to Profile A.
Simple as that. Profiles run in the background as long as you’ve unlocked the profile at least once since the phone’s last restart, and any corresponding notification services on each, even though they’re isolated to their own profiles, will just cause the system to send a notification to whichever profile you’re on saying there’s a notification available.
If I have Play Services installed on Profile A, and an app sends a notification through it, it doesn’t matter if Profile B has Play Services, because the system is just picking up that a notification is detected on Profile A, and letting me know on Profile B.
Lemme know if you have any more questions. I’ve been daily driving GrapheneOS for a while now and have a current install on my phone, so I can help explain any specifics of most features it has that you’re curious about.
All phones have a BFU (before first unlock) state, and GrapheneOS doesn’t require a passphrase unless you’ve set one, otherwise it’s your PIN. Fingerprint unlock is disabled until after BFU though, so it requires essentially using a backup PIN even if you always use your fingerprint, at least for first unlock.
To add to the security of the PIN and to prevent reading screen smudges you can enable an option so that the digits on the PIN pad are randomized each time it loads.
Graphene also supports fully isolated user accounts. Applications running in one profile can not even discover the existence of the other profiles*. There is a way to forward notifications from user containers but is disabled by default. Each account, when inactive, is encrypted independently of the system drives and the key is generated at user login with the entry of a password and overwritten in memory upon logout.
*If you enable the notification forwarding, a hostile application running on the primary account could deduce that there is at least one other user profile on the phone by analyzing the notifications.
To add to the security of the PIN and to prevent reading screen smudges you can enable an option so that the digits on the PIN pad are randomized each time it loads.
I can’t believe I forgot to mention that! I use it myself, and while it can take a bit to get used to typing by actual numbers and not muscle memory, it’s great for minimizing the risk of shoulder surfing.
Graphene also supports fully isolated user accounts.
And it supports stock Android’s Private Space feature, too!
Wow they really put a lot of detailed work into it
That’s only a tiny, tiny piece of it. If you want to know more: https://grapheneos.org/features
On #3: every modern phone running encryption has a BFU (before-first-unlock) state where the data on the device is more secure than after its first unlock because you haven’t entered your password/PIN to decrypt the data. GrapheneOS also has this, but it is not unique to GOS.
FWIW, considering the 5A context above, I momentarily assumed that stood for Back the Fuck Up 🤣
Yeah but on my Android phone I can’t require a password for first unlock.
… I think… Unless I want a password for every unlock
No. Even on standard Android, you must enter the password/PIN on first unlock because that is required to load the decryption keys that make biometric authentication worm.
I think he means that graphene has a complete separate full password for bfo, not just your pin
I wish that were a thing, but I don’t think it is. I’d like to set a long password that’s hard to brute force for the first BFU decryption unlock, but use a separate shorter PIN for subsequent screen unlocks.
I recently learned that police will clone your device storage and brute force the password without having to go through the phone’s PIN entry, so you’ll need a long to make brute force time consuming.
You’re right, I don’t think it is a thing either, even on graphene. Sounded cool.
You can set that on any android. Pin is just the default, but it’s up to you to use a full password, then you need the full password for first unlock after boot.
Does it also work with lockdown mode?
No, BFU is stronger, you have nothing in memory until initial decryption.
Thanks. Makes a lot of sense.
Yeah I apologize, I incorrectly assumed that GrapheneOS’s BFU state is more secure and requires you to enter your passphrase by default and not PIN and that this is not available on stock android which some people pointed out it is.
On a related note though, Graphene does have an interesting feature where if phone hasn’t been unlocked for some time it will force reboot to get into that BFU state. Metroplex sets it to 8 hours.
I think they also have some aggressive USB port control, but I haven’t looked into it. Where you can only charge phone in BFU state or something like that. Haven’t had time to read into it : https://grapheneos.org/features#usb-c-port-and-pogo-pins-control
The USB control is a good point because for example my Xperia 5ii defaults the port control to full data connection
Not only that, Sony will, after you disable port data transfer, will silently re-enable it after a time.
Would be great if it was possible to protectively encrypt the phone from an on-state, as it were in BFU. Through a shell command or an app or something…
Great summary! Thanks for this! If I were to make the switch to GOS - which I am considering, Samsung user ATM, I’d never travel abroad - especially to and from the US - with my daily GOS driver. I’d travel with a backup phone that contains nothing. A new SIM card and some random chat app for communication with my loved ones. This is for plausible deniability (if I indeed were involved in anti government activism etc) and to avoid all the fuss. Not unlocking my phone gets me into trouble. Wiping my phone gets me into trouble. In that case, I just leave my daily driver at home.
I’ve been using Grapheme on a Pixel 8 Pro for about 6 months it’s been an adventure. There are so many options to lock stuff down but when you try full lock down some apps don’t work and the error messages they throw don’t say much so you in harden one thing at a time to make them work. This is not a phone you can just throw your SIM in and expect it to be just like your old phone.
I do feel pretty confident with this phone on a Cabe SIM but you do need to commit.
What is a Cabe SIM?
