Brian Lovin
/
Hacker News
Daily Digest email

Get the top HN stories in your inbox every day.

_rdvw

/e/OS falls significantly behind the other alternative Android systems with regards to privacy and security.

Please see this independent comparison table: https://eylenburg.github.io/android_comparison.htm

And additionally the reviews by Kuketz: https://www.kuketz-blog.de/android-grapheneos-calyxos-und-co...

See also my table that shows historical release dates for monthly Android Security Bulletins: https://divestos.org/misc/a-dates.txt

and the Chromium (WebView): https://divestos.org/misc/ch-dates.txt

notyoutube

I'm using microg's lineage, and something I was wondering when choosing a rom was, how secure are all those roms in terms of supply chain/developers. There are many, with no big reassuring name behind, and it's hard to trust that what looks like a random rom from the internet is not just a full trojan horse.

It would be nice to have just the one or two options, with app store and some kind of official entities backing (say, states, or universities, or distros).

izacus

It's safe to assume that there's very little-to-none supply chain protection. It's mostly all single people or tiny groups of people releasing this.

notyoutube

Sad to hear. It feels like the EU could fund some entity to manage, develop and distribute such a degoogled android with only a very small fraction of its other spendings, and that would help a lot with reducing google/apple's hold on the european market… A cheap deal.

kaba0

GrapheneOS is by far the most secure option. Unfortunately, it’s only for pixels (as the former “director” (in my opinion rightly) claims that there is not much point to “extreme” security if the hardware itself is already vulnerable, and most android phones have very shitty hardware security)

4ggr0

> not much point to “extreme” security if the hardware itself is already vulnerable

What I don't get about this is that a lot of people who install custom ROMs do so to ungoogle their devices, and just plainly get rid of Google. So why exactly is Google deemed to be a safe hardware vendor?

geraldhh

afaik microg is developed by a german guy with a grant from the government. can't get more legit than that in the android ecosystem :D

commoner

I'm having a great experience using microG, which lets me selectively enable and disable cloud messaging for every app that attempts to use Google Play Services. microG does not implement the ads and tracking (Google Analytics) APIs of Google Play Services. microG also lets me use Mozilla Location Services to replace Google Location Services, which obtains a location much faster than GPS alone. With microG being free and open source, I trust it much more than the proprietary Google Play Services, even with sandboxing applied.

It's weird that the article doesn't mention microG even once, since it's what /e/ uses instead of the Google Play Services client.

3abiton

There are no real answers to this, taking trust out of the equation, the only way to be sure is to inspect the source code and build it yourself. On a side note, it's always possible to hook dns to a remote Pi-hole setup, and monitor connections. Aside from the security issues related to roms, there are still the binary blobs from OEMs.

maratc

> It would be nice to have just the one or two options, with app store and some kind of official entities backing

I won't doubt that you know that iPhone is a thing.

crossroadsguy

Maybe yes. But then look at the list of supported devices and you’d see why. Graphene is barely supported. It just supports Pixels/Google.

What privacy is that which is not accessible?

_rdvw

My DivestOS supports decade+ old devices and provides monthly security updates for seven versions of Android, no other project does this.

GrapheneOS has good reason to only support Pixel devices, they consistently do the right thing with regards to relocking, verified boot, CFI/SCS support, strongbox support, and even now MTE support.

Many other devices fail to support these, eg: https://divestos.org/pages/faq#kernelCFI

Even the FP4 shown in the article is fundamentally broken and trusts the AOSP public test-keys for verified boot: https://divestos.org/pages/faq#deviceBootloader

crossroadsguy

For me bank and finance apps are very important and they all stop working without Google services. One of the reasons I am stuck on iOS. Not to mention with every patch and release there's a risk of doing the whole flashing/setup again. Also, if there's a need for service some OEMs just refuse to even entertain you if there's another ROM installed.

nicman23

don't know how up to date it is but you can use android auto without gapps

https://github.com/sn-00-x/aa4mg

DirkH

I used to use CalyxOS till GrapheneOS got Google Play Sandbox working. Now there is nothing I can't get working on GrapheneOS. Everything works including Google Pay. I just have a user profile for when I need to use an app that needs Google and otherwise my main user profile is just apps that work without Google.

To me this is leagues ahead of any other degoogled experience because at any time I can temporarily turn on Google when I need it (and I often do). But it doesn't defeat the purpose because for the most part you can just turn it off.

prmoustache

Problem about grapheneOS is it only supports newest Pixel phones. They recommend a minimum of Pixel 6 which most people can't afford, even in the second hand market unless they have a broken screen or are in a sorry state while I can get a Samsung Galaxy S9+ in very good shape for the price of a new entry level smartphone and install it with /e/, iodé or divestOS.

So I would say they are not targeting the same users and you can't really compare them equally.

josebama

Using old devices that no longer receive security updates, like the Galaxy S9+ you mentioned, is insecure. It makes sense that GrapheneOS, a security-oriented OS, only recommends devices that are still getting security updates both for the OS itself but also for hardware firmware, which only the manufacturer of the hardware can provide.

There are old versions of GrapheneOS for older devices, and some devices are still in extended support, like the Pixel 4a (although not for long I expect). So if you are OK with the compromised Galaxy S9+, you could also be OK with the compromised Pixel 3a, which received the June 2022 security patch in GrapheneOS[1], while the S9+ received the March 2022 security patch[2]

[1]: https://grapheneos.org/releases#2022081800

[2]: https://doc.samsungmobile.com/sm-g965f/dbt/doc.html

realusername

I think it would be nice for GrapheneOS to have two sorts of distributions, the normal one and another one which could be called "lite" or "legacy" and could support an extended range of devices even if the hardware guarantees aren't as good.

There's tons of value on the software side on GrapheneOS and those legacy devices could benefit from it.

jwells89

Even if older devices are less secure, it’s a shame that GrapheneOS doesn’t support them. I have a Pixel 3XL that runs great with the latest Android, but to run latest I’ve had to opt for Pixel Experience since most other Android distros leave the 3XL with only old versions.

prmoustache

Well, if you want to be whataboutist about security, GrapheneOS running pixels aren't either because the Graphene project does not write, audit and provide the firmwares either.

eptcyka

The problem is that Google doesn't support older pixel devices. If the older devices don't get security updates, GrapheneOS can't in good faith support said devices.

lawn

Unfortunately GrapheneOS only supports Pixel phones.

So I'm running CalyxOS on Fairphone and I've gotten almost all play store apps to work via MicroG and anonymous login on Aurora store (in-app purchases don't work).

jcul

Agree, GrapheneOS is probably the best I've used. The sandboxed Google play works perfectly for me. I actually bought a second hand pixel 6 to install Calyx or graphene, tried both and found graphene much better.

The only things that don't work that I've noticed are android auto (I don't use it anyway), Google passive / offline music recognition, and Google pay.

I thought Google pay not working was a known issue, so I'm surprised you say it works for you?

fifteen1506

He probably doesn't use Google Wallet (which, by the way, appears to now crash at start). Other things which don't work:

* McDonalds international app ("phone insecure")

* Pokemon Go's VR

* Android Auto (but will "soon")

* Google One's backup & restore

codethief

> Everything works including Google Pay.

Wait, what? What did I miss here -> https://github.com/GrapheneOS/os-issue-tracker/issues/1986 ?

geraldhh

sounds about as practical as dualbooting, or is switching user profiles on android considerably more seamless than i care to imagine?

DirkH

It is certainly not perfect but it is certainly way faster and more seamless than rebooting into another OS.

If you don't mind the battery drain and having both profiles running it is just a menu drop down + single button and ~1 second wait and you have your other profile.

Personally I hate the battery drain so the process for me is a menu drop + single button and ~3 second wait and then unlock pin and I am in my other profile (not ideal, but far better than anything else if you want degoogled).

You can even get notifications from other user profile(s). This is absolutely impossible with dual boot.

_rdvw

You can use a work profile via Shelter/Insular instead which makes this entirely seamless, simply swipe right on your launcher to launch work apps. They even get their own VPN slot too!

sureglymop

It's way more seamless, especially if keeping the google apps in a work profile. Every UI component on android where an app or activity can be chosen (e.g. the share menu) already has a small toggle to toggle between these profiles. The work profile filesystem can also be mounted and is then visible in the file explorer. The only issue is that it's only possible to have one additional work profile. Otherwise full user profiles must be used which are less convenient.

DirkH

I use user profiles since I figured I wanted more than just 2 profiles. Am thinking the increased privacy is not worth the decreased convenience and I'd advise others to start using work profiles and only start using user profiles once you have a third use case you're sure you need

pshirshov

This is exactly my story. But NFC payments don't work on Graphene.

josebama

clarification: NFC payments in Google Pay. For example my bank app has mobile payments implemented and they work on GrapheneOS.

AFAIK the only reason why Google Pay NFC payments don't work is because Google Pay keeps a list of hardware and OS that's allowed to use that feature, and GrapheneOS is not in that list. It's not an OS limitation.

There was an open issue to spoof this data so that Google Pay NFC payments, among other Google features behind this check, would work. But it looks like it got discarded 2 days ago: https://github.com/GrapheneOS/os-issue-tracker/issues/1986

Kiuhrly1

I think Graphene spoofs the most basic level of Google's security thing but they never wanted to spoof anything higher because it would just turn into a cat and mouse game that they would eventually lose.

They recommend that app developers adopt the much stronger and vendor-neutral Android hardware attestation API instead.

neilv

Noteworthy related work the article missed: https://grapheneos.org/features

unnouinceput

Quote:"“This feature is based on tracker detection. Facebook/WhatsApp technically don’t use trackers so they are green flagged regarding privacy,” Murena offered when we queried the high score for the Facebook app, adding: “We will improve this score by adding more information about personal data collection that can be found in apps Terms of Services.”"

Oh, OK then. Hard pass from me for this little experiment. Coming from a former communist country this is the equivalent of "I guess if the neighbor is not using video to rat you to state police he's a good guy and you can trust him with your anti-communist ideas" attitude. The river bed of Danube-Black Sea channel is riddled with the bones of people who trusted their neighbors.

pjmlp

> So this is where the dream of deGoogling Google Android breaks down into a series of compromising glitches.

Yep, and this is why most people won't care.

geraldhh

i suspect there are at least two kinds of smartphone users:

  the first downloads a handful of useful apps and stays with them

  the second downloads apps on a daily basis

the first group can be weaned off with pwas

pjmlp

If people care about being tracked, Web applications running in someone else's computer is probably not what they should reach for.

TheNightman

Have these folks done any sort of actual audit on the Android code base to ensure they’ve removed _all_ of the “phoning home”? Not so much doubting their claims, more so just curious to see what they found. Is it possible google has baked in some tracking features deep in the OS, outside of gapps? Things you wouldn’t see with a mitm proxy? I’d be interested to know

_rdvw

They literally include Google Widevine DRM and Google EUICC:

https://gitlab.e.foundation/e/devices/android_device_fairpho...

https://gitlab.e.foundation/e/devices/android_device_fairpho...

microG itself connects directly to Google: https://github.com/microg/GmsCore/wiki/Google-Network-Connec...

and /e/OS default enables those connections: https://gitlab.e.foundation/e/os/android_prebuilts_prebuilta...

including the default download and running of the proprietary Google SafetyNet binaries: https://gitlab.e.foundation/e/os/android_prebuilts_prebuilta...

Kuketz covered the connections made in full at the very end here: https://www.kuketz-blog.de/e-datenschutzfreundlich-bedeutet-...

Qwertious

> microG itself connects directly to Google: https://github.com/microg/GmsCore/wiki/Google-Network-Connec...

No shit, of course they do.

>In general, we obviously try to minimize the connections to Google, but some services strictly rely on them and would just not work without.

What exactly do you think they should do instead?

_rdvw

Be opt-in like the other systems, not opt-out.

eloisant

What I'm wondering is: if I want to use Google Calendar and Google Maps, do I get any benefit in using a "deGoogled" Android?

Or by activating the Play Store and installing a couple Google apps, am I negating all the privacy benefits I would get from a deGoogled Android?

Kiuhrly1

Not entirely. With GrapheneOS, google play services and any other google apps have the same level of control over permissions as any other app. So you can deny access to any features that you don't want it to have access to. Others in this thread have recommended using a separate profile for google apps so it's not even running when you're not using it.

yellow_lead

> One account for your privacy

> Your @murena.io account is at the center of the your private digital life, allowing you to store, back up and retrieve your data safely on remote servers.

Not very private

LeifCarrotson

At least their incentives are aligned.

Google is an advertising company. I expect them to serve ads based on their reading of any Gmail emails, Drive documents, or image analysis of Google Photos, any Google Search/Maps queries, any Chrome browsing, and notifications/app usage/other entries in Googleified Android.

That makes storing documents in Google's cloud significantly not private.

Murena's whole reason for being is privacy, if it came out through whistleblowing or user analysis that Murena was analyzing and selling user data... that would (I hope, though I have less faith than I used to) sink the company.

I'm not paranoid enough to think that Google or the FBI is attacking the CalyxOS supply chain with rootkits that analyze/upload data on Murena phones in the same way they do on regular Android phones because that data is not useful to them. If they can't show ads in your murena.io email, why would they go to great lengths to read it?

I do think that the only option left for those who are individual targets of investigation from a nation-state or international mega corporation is to not use cloud services and smartphones.

_rdvw

They've already leaked user data once and never published a follow up like they said they would, just told users to delete files/contacts/calendars that weren't their own.

https://community.e.foundation/t/service-announcement-26-may...

Per https://docs.nextcloud.com/server/latest/admin_manual/config...

> The encryption app does not protect your data if your Nextcloud server is compromised, and it does not prevent Nextcloud administrators from reading user’s files. It encrypts only the contents of files, and not filenames and directory structures.

geraldhh

are you going for something specific here, or is it just a reference to @icloud?

Vinnl

Weird - I have the exact same FP4+/e/OS combination, and it doesn't feel laggy at all for me. Granted, I've never had a top-line phone, but still.

userbinator

I'm not sure if they had this in mind when they came up with the name, but /e/ is indeed best visited in privacy.

geraldhh

they definitely had this in mind and i do share your concern

DeathArrow

Why not just use LineageOS?

yellow_lead

Does lineage have ota updates now?

nicman23

it had since 2017

geraldhh

apple-style theming in /e/ is really good. functional playstore shim is based

Almondsetat

Not having an app drawer is horrible. Even Apple finally added one

johnea

Been running e/OS for about a year.

I still prefer a straight-up LineageOS install...
