what foss phone OS do you use and why?
from merompetehla@lemmy.ml to linux@lemmy.ml on 14 Jun 14:12
https://lemmy.ml/post/16868638
from merompetehla@lemmy.ml to linux@lemmy.ml on 14 Jun 14:12
https://lemmy.ml/post/16868638
I was thinking about using graphene OS, but I’ve read some lemmy users dislike this OS due to perceived misleading advertising and the pixel 7a you’re supposed to install graphene on because it’s from google (an advertising company).
Another option would be lineage OS, but there is so much false information about this OS, namely compatible phones that simply don’t work with this OS and no support.
what works for you? I want a phone with no google, that doesn’t force me to use the manufacturer’s ecosystem and that won’t show the apps I don’t want or need (on an asus I own you cannot neither get rid nor hide bloatware)
threaded - newest
I use Calyx on a Fairphone 4. It’s not totally degooglified, since it comes with MicroG which is used to connect to Google services. I use Aurora Store and a couple of original Google Apps like Gboard too (none of my Google apps can access the internet, since they’re behind the built-in firewall). It works well except call functionality which can be wonky and there’s the issue that a lot of apps from Play don’t work well with MicroG. I only use a small selection of Play apps though, so it doesn’t bother me too much.
What about banking appss?
My banking apps work fine on Calyx.
Banking apps normally check for rooted phones as the thing they don’t like. Because pixels come with an unlocked bootloader, you don’t need to root the phone to install a custom ROM, and so banking apps are still okay.
Calyx comes with microg right?
Yes
I was about to answer this, but decided I didn’t want that information in public.
However, the bank I use, which is a largish one, has an app that I’ve installed with the aurora store without microg or google play services on divestos and it complains that it won’t work without gsf, but it works fine after clicking ok.
This is what stops me from leaping to phone Foss.
I never bothered with banking apps. (Outside of the virtual debit card app from my bank. That one did install successfully. However, I never got try out in store because it deleted my virtual card after a few days and I didn’t care enough to set it up again.)
Depends on the bank’s app. I have CRDroid (LineageOS fork I think) and my local bank apps have either full support or no support for biometrics (everything else works).
I’ve never tried it out but I want to install nethunter if I had a chance because it can run terminal emulators
www.kali.org/docs/nethunter/
I use LineageOS because my phone is not a Pixel and it works fine for me. If you don’t want to pay Google for a Pixel, buy a used one. Other than that LOS is fine. It doesn’t have anonymization features like /e/OS or something like that but it doesn’t force nor promote any apps or ecosystems (except for Seedvault but it’s not a big deal) and it is FOSS
I have a Pixel and LineageOS is the best by far. Freedom to root, which I absolutely want… I want full control over my devices. I’m extremely picky about how every little thing runs and works in my phone and I can only get it with root. You can’t get root with GraphenOS without a huge pain in the ass with updates.
It’s hilarious people install GrapheneOS and think they are better off because Google services are installed as user apps instead of system. You lose as soon as you install them either way. They are getting the data they are after no matter if it’s installed as a user app or system app.
But anyway, I’ve been running LineagOS since it used to be Cynogenmod over 10 years ago. It’s the most established and reliable while remaining open to customization by far.
Unfortunately 90% of privacy-conscious people can’t live without Google services because Google Meet, banking apps and other Play Integrity needing stuff
That’s literally what MicroG is for, though. Spoof the Play store and GSF, no data in or out. I think a good part of that “90%” you mention knows about that solution?
But that’s what GrapheneOS uses afaik. The person I replied to said that LineageOS (a fully vanilla ROM) with root (which breaks banking apps) is a better solution. I agree but I added that the mentioned solution is really not for most people.
I don’t imagine that many privacy-conscious people are using Google Meet!
Trust me a lot of them do if it’s a requirement in their school or at work
Surely you wouldn’t have to use it on your phone then, just on a desktop browser?
What?
Why would school or work require you to specifically use Google meet on the phone app? Surely you’d use a school computer or your work-provided laptop, never needing to have play services on your personal device.
.
Stock AOSP shipped on Pixel.
GrapheneOS is probably the best option out there.
As you said, it’s only for Pixels currently, because
Pixels are cheap(ish) for what you get, and I believe Google makes them so cheap because 99% of users don’t care which ROM/OS is installed. Those are the advertisment-cows that will get milked. If you buy a Pixel and install a custom ROM on it, they will loose money.
My experience with GrapheneOS has been great. My Pixel 5 hit EOL a while ago and still gets maintenance updates almost weekly.
Many security additions are overkill for me, but quite some make a lot of sense.
I used CalyxOS for a year too, but now that I don’t get full updates anymore, I don’t feel safe anymore with it.
I think GrapheneOS is technically superior to Calyx, especially due to the sandboxing they do. MicroG has full root privileges and can do with your phone what it wants, while also breaking some apps due to missing dependencies. If you choose to enable Play Services on GrapheneOS, they are user level and heavily restricted, and only you decide how much access you want to give them.
Regarding Calyx, since they don’t limit themselves as much in terms of security, they also offer a ROM for the Fairphone. Maybe check that out too.
DivestOS also seems to be a good option. AFAIK it’s based on LineageOS and supports a lot of devices, while being more secure than LOS.
Regarding Linux phones, I don’t have any experience with them. I tried Phosh (Mobile Gnome) on an exhibition a while ago, and it felt great and interesting, but from what I’ve heard, they are nowhere as good as Android.
My personal ranking:
Great synopsis!
The cool thing about GrapheneOS: It provides basically all the comforts and usability as any Android (stock) ROM minus some compatibility issues with a portion of Google Apps and services (Google Pay doesn’t and probably will never work, for example) while providing state-of-the-art security and privacy if you choose to utilize those features. A modern Pixel with up-to-date GrapheneOS, configured the right way, is literally the most secure and private smartphone you can get today.
Same here, I have an old Pixel 4a that still gets security updates from GrapheneOS. Banking apps and Amazon don’t seem to like it, but I don’t mind just doing those on my laptop anyway.
The pixel 4a is end-of-life. I recommend switching to something newer.
Oh yeah I know. It’s just one of those money/time things I’ll get around to eventually.
Android is so secure, I guess 60% of users use insecure EOL devices.
They will get Pegasus, okay. But only if they are targeted.
Try going into the app’s settings and toggle Exploit protection compatibility mode. That let me use my banking apps that didn’t work before.
That worked for banking, thanks!
Also, as for reasoning for choosing a Pixel, Pixels are not really a product for Google but rather a device for Google employees to test things on but as a consequence can be sold as well. This makes them perfect for hacking
DivestOS also has longer somewhat-support for Pixels. But GrapheneOS still ships some updates to my 4a so not sure about that
Honestly not sure if you mean “good” or actually meant “goof” there lol
Typo, sorry. Corrected. Thanks for letting me know.
Crdroid with microg is what I use Getting rid of google services altogether is a huge mess. Its hard for me tbh. Lineages for microg (lineageos4microg) is also something that I wanna checkout. Grapheneos is fine only if you want to pay for it.
i have calyx on a pixel 7a since it’s easy to use
GrapheneOS on a Pixel 8 Pro. I’ve been super happy with it since I switched from iOS.
Graphene on Pixel 8 here, also pretty happy with it. Previously had a Pixel 3a with Graphene.
I’m fairly happy with LineageOS myself
I think you’re overreacting a bit calling it “false information”. LOS is a FLOSS project that many individuals have ported to their device — and either at some point they buy a new phone and drop that development, or they realise what a massive project it is to maintain it. That’s just a general bummer with open source, especially when people volunteer their free time.
I mean, the website has officially supported devices. If you are running an unofficial rom made by some random on a forum, that’s on you.
Same argument stands though. It’s not like LOS is a company with a ton of venture capital. Maintainers are the same randos from the same forums, they just banded together under a common flag. Some of the “official” LOS devs even release unofficial prereleases on other sites. And sometimes support drops because the maintainers may or may not have the physical device to test on.
LOL you haven’t lived until you flashed a weird ROM off XDA-dev to realise it was developed for some regional variation of your device, the UI is all in a language you don’t read, and the developer customised the OS to their own niche use case that you’re not partial to.
Mind, it used to be easier to casually flash ROMs (for me at least) back in the Jellybean/KitKat days. Fun times!
Calyx. It just works. I’ve honestly just used it like stock Android, using as many private apps as possible. It’s so fun seeing all the cool little projects not on iOS! I just recently discovered Petals, which helps with measuring THC intake.
GrapheneOS is fundamentally better, if CalyxOS didnt fix up their mess in the past months.
By what standards? Micay adding features risking lives of privacy users, like shutter sounds? Or the countless times he has lied about people and events? Or the dogmatic nonsense he and his community spreads in privacy community everyday? Or the crybullying and witch hunting he and his mods/members do? Or the outright bans delivered upon the slightest criticism or questions?
GrapheneOS is the worst thing a phone privacy user can use, outside of iOS.
I also use calyx but I’ll agree that graphene is technologically superior of the two. I’m more comfortable with the idea of using MicroG as opposed to sandboxes google play but that’s not to slant the implementation in any way.
I also avoid sandboxed play like hell.
But note
Sandboxed Play is better for privacy and may prevent a Pegasus/malware vector.
DivestOS has sandboxed microG but I didnt try it. Also note that microG could break any time and the Google binaries may be outdated.
Privileged android apps are a huge attack surface as so many devices have them. So outdated privileged microG binaries may be a target.
I appreciate the info. For my own learning, could you provide a link to some context around the types of official binaries leveraged by microG? The only firm info I have of its behaviour is that it will pseudonomise as much user information as possible.
I’m familiar with sandboxed google play on grapheneOS and have used it in the past.
No I dont know what they download. It should be in the scripts in their repo.
But they dont document that at all, instead giving the impression that it would be reverse engineered and open source.
I appreciate that you’re trying to inform me but if you make such a claim, you should be able to prove it.
A friend was able to provide some context, regardless:
The one binary I’m aware of microG downloading (assuming it still does) is the SafetyNet “DroidGuard” thing, which it only does if you explicitly enable SafetyNet, which is not on by default. There is no other way to provide it.
microG only has privileged access if you install it as a privileged app, which is up to you / your distribution, as microG works fine as a user app (provided signature spoofing is available to it). Also, being privileged itself really doesn’t mean giving privileges to “Google”.
Apps needing Google services may indeed contain all sorts of binaries, generally including Google ones, which doesn’t mean they contain Google services themselves. Anyway, they are proprietary apps and as such will certainly contain proprietary things, and it’s all to you to install them or not. It’s not like microG includes them.
Its also just a reimplementation of a small handful of useful Google services, such as push notifications, or the maps (not the spyware stuff like advertising) and each can be toggled on/off.
Also all apps on android are sandboxed
Also, SafetyNet is deprecated, and Google has said that app developers shouldn’t use it for a long time before that, so I’ve never had to use it. My experience of a blob-free microG has been really good, and I trust FOSS code a hell of a lot more than sandboxed proprietary code, because I can’t be sure what it does with the data I inevitably do provide it.
MicroG has also been very clear IMO about SafetyNet not being a reimplementation, but rather a sandbox when it was relevant.
Appreciate the additional context! Have thankfully not needed to use the safetynet module with microg either.
Re-implementation means reverse-engineering and building new binaries. What’s the point of MicroG if it is just downloading google binaries? An app with privileged access is different than a remote access trojan. The whole point of a sandbox is not to have the same access as the original app.
What you are saying doesn’t make any sense.
Strong words here.
I couldnt find what is the correct definition of “reimplementation” but we can assume it either means “taking the binaries and bundling them in a different bundle” or “writing different code to do the same thing”.
What sandbox? Not the Android app sandbox, as microG (when I used it) needed to be installed as system app i.e. flashed to the system partition.
microG may isolate the binaries or whatever code it runs in some way, but not via the Android App sandbox.
Now GrapheneOS uses a privileged app that channels the calls of the unprivileged to the OS. This is also possible for microG, so it can run unprivileged too. DivestOS does that.
The concept of signature spoofing and more is poorly pretty flawed.
I would really like if a fully open source rewrite of the core services could just work, but these apps are written for Google, contain the official proprietary code anyways, and signature spoofing only works if you dont use many hardware security features.
GrapheneOS can be extremely secure when degoogled, but it cannot securely fake to be a Google Android. And neither can microG Android.
You would need to change the apps to do that.
GrapheneOS as well with profiles
I run LineageOS for microG, on LOS for more than 5 years now. I am not willing to pay for Pixel phones, even the used devices are to expensive for me. I do not really care about an unlocked bootloader, so that’s alright.
As of the latest release (21), you can simply install microG on regular LOS and no longer need to install LineageOS for microG since it now includes the necessary signature spoofing support.
Shorty after release it still had no support for UnifiedNLP, which I rely on for a decent location. That’s basically the only reason I use LineageOS for microG, as I am kind of an OpenStreetMap power user.
I use CRDroid /CRAndroid, because it was the only de-Googled ROM for my specific model of phone (S20 FE Exynos), also (I think) it’s a fork of LineageOS.
There isn’t any Foss phone. Graphene os and everything else requires proprietary software for the modem to operate at a minimum.
If you are ok with some proprietary software go with Lineage OS.
For devices that support Lineage OS go here: wiki.lineageos.org/devices/
LineageOS is less proprietary than GrapheneOS.
Its better to have less proprietary which is why LineageOS is better.
GrapheneOS is nearly the worst custom ROM you could use to achieve privacy, and Google Pixels the worst phones you could use to get away from Google.
GrapheneOS officially supports and encourages the use of Google Play Services and a Google account for “security” purposes. Their “unofficial” members also spread propaganda advocating for the same.
i.imgur.com/bUdVCpH.jpg
They are also an embargo partner with Google for security patches, and add features that may threaten the lives of privacy users, or end up in jail or death in certain circumstances.
web.archive.org/web/…/1564322206414524420#m
old.reddit.com/…/what_is_your_opinion_of_graphene…
There are a lot of GrapheneOS astroturfers in this thread. They are not organic fans.
Graphene OS is about security, not privacy yeah?
Please read the paper by Ken Thompson, co-creator of Unix and C, on why we should be able to trust the developer and NOT the code. cs.cmu.edu/…/Thompson_1984_ReflectionsonTrustingT…
Trusting unstable people and projects like GrapheneOS is a massive risk. Micay has lied more times than anyone in the history of privacy community, as far as “prominent” people go.
LOL boy if I’ve ever seen propaganda and sensationalism that’s it right there
I’ve used LineageOS in the past, and have nothing to complain about it, but realistically I only root and change the OS of my phones after warranty is over and I could potentially lose it without being a problem.
Can you elaborate on being misled there?
As for google devices - yes, there’s irony in the notion that the most de-googleable phones are theirs, sure. They’re often sold at a loss around the holiday season, though.
I’ve had calyxOS on this phone now for about 2 uears now. Its pretty good. It comes with microG to simulate the google apis.
Ι use Murena’s e/OS, I like the iphone-likeness of it. It works.
I’m currently running GrapheneOS on a Pixel 8 Pro. I use the provided sandboxed google services because of some apps (banking, etc). I use F-Droid for most of my needs. I don’t understand what you mean by misleading advertising.
I’m using /e/ os for more than 3 years on different devices (with some customizations) and it works like a charm. An important aspect is that you can install e on any phone that has the bootloader unlock and supports GSIs - theoreticaly any device that runs Android > 9
/e/ has a gsi image which is neat!
I don’t use nor promote any banking apps or other G**gle/proprietary dependendent apps.
Why nobody talks more about e.foundation /e/ OS?
Enlighten me please 🙂
+1 for /e/OS! Brilliant combo of user friendliness with open source and privacy
why do you mention banking apps ? are they particularly difficult to run ?
So long as the browser login still works 🤷♂️
my online payments need to go through the Banxo app unfortunately
Banking (and some digital ID) apps are notoriously difficult to run on degoogled custom ROMs because they will often check for Google services and bootloader lock/root status at startup. I’ve jumped through so many hoops to hide root, spoof GSF etc. In the end I resorted to just using my bank’s website…
I confirm too that banking apps on /e/ is a bit of a nightmare. But I used /e/ for 3 years or so and was very happy until I moved to GrapheneOS.
Banking apps work on Graphene ? it’s good to know because that would be a dealbreaker for me
Some do.
oh that’s neat thanks for the link !!
You’re lucky to use the website… All my banking apps need the app to login to their website. I open the app, it crashes and complains about not being a reliable system. Tried magisk and all those modules…only one of them works after all the hoops.
Yeah that’s unbelievable, I had the same experience! You must never install your bank app, otherwise it will start always requiring it.
thanks for the info
.
yes, most will not work as they relay on G**gle ecosystem…
I had no idea !
Any chance to use Whatsapp on /e/ ?
You can, but the question is why would you contribute to their data collection? Try: signal.org
I use Signal, but I’m unable to force everybody to do the same.
Not need to force anyone to use anything mate!
Here is my personal example: I made my choices a long time ago…
I ditched ANY:
AND still I need to do so much about privacy and my life in general and I continue to learn & apply as much as I can…
Also, I kindly invited and explained others why I choose to ditch products/software/companies/people that do not respect Humans in general and consider all of as as being just dumb “assets”…
Indeed it feels lonely sometimes, but i prefer the silence rather than noise/propaganda/parotting/or really any kind of bullshit.
Peace!
I would love to try /e/, but for some reason there is no support for the Sony Xperia 1 iii.
In fact, LineageOS is my only option, and after a bunch of time spent learning how to set it up and tweaking it to meet my needs, it’s mostly fantastic. My biggest complaints are missing camera features and no easy way to do OS updates while maintaining root.
If anyone knows of a way to automate the process of regaining root after updates, please tell me!
Are you using Magisk?
Yes
Doesn’t Magisk have a built-in superuser?
Magisk requires patching the boot image to gain root. The i believe the boot img gets overwritten during an OS update, and so each time it needs to be repatched. I’m not knowledgable enough to automate patching the boot image automatically after an OS update.
Not in my ideal spot but tolerating Android via LineageOS for microG on a Sony Xperia 5 III as their ROMs make microG painless & hardware-wise I get a fast-enough CPU, OLED, a headphone jack, & microSD.
I used to do that then I discovered that I didn’t need MicroG
Oh? I’ve been completely off Google services and apps for a decade but I still find that MicroG is nice to have for spoofing a few apps that checks for GSF to run. I’m curious how you managed to disentangle yourself to the point of not even needing MicroG.
I just get all my apps from F-Droid. For notifications I use unified push
I wish the modern xperia phones were more popular and got more love. Hardware-wise they are amazing, i just wish they had easily-replaceable batteries.
I just replaced the battery in mine. I had to get a heat gun to take off the back plate, as well as a new seal for the back plate. I’m not 100% convinced it is still water resistant, and I don’t plan on finding out.
The hardware is good & you can get phones under 6".
They have 2 big flaws: price & years of continued support. The catch 22 is you can get a good price on them after the support window (2 years, but looks like 5 will be going forward). Luckily LineageOS always picks up after the support window if willing to take on possible firmware vulnerabilities knowing software will continue to be updated—but the camera requires the proprietary apps/libs or it looks low-end.
I am on a pixel 7 with graphene OS. Been great. Ive been using this phone for about a year or so now.
Also posting from a Pixel 7 running Graphene for abouta year. No issues, I use Fdroid for most apps and Aurora when I have too. Only bummer is I haven’t found a good FOSS keyboard with swipe. Really miss gboard for that and gif insertion.
Have you tried Heliboard? You’ll need to download a (proprietary?) library for it though. github.com/Helium314/HeliBoard
Thanks for the rec! Typing on it now. Pretty decent so far. I dig the hover on the word as i swipe
Would like to know too! I use a proprietary OS for now and want to jump ship with my next phone.
It’s a non-profit, there is no advertising.
Yeah I dunno what that’s supposed to mean. You can’t install it on an iPhone or most other Android devices because they all have locked bootloader’s (among other reasons). They only develop for Pixel because it streamlines the development process, along with having the highest level of security in the SoC.
Lineage is a great project, and fairly private, but as the name implies, it’s intended for older phones to increase their life. Not necessarily to be private.
Graphene
My thoughts exactly seeing this post. Haven’t heard that particular rhetoric here before. Typing this from my Pixel 7a running GrapheneOS
Lineage OS is a base system that you can use to get the AOSP experience with modern apps. It is most certainly not for just for older phones. It also is going to be updated more frequently than anything else.
No one said it was.
From above
Yes I’m fully aware of the comment that I wrote some hours ago. Read it again. More carefully this time.
The name “lineage” is because it’s a “descendant” of cyanogenmod, not because it’s intended for older phones
Went with lineage since I grew up on cyanogenmod.
I’ve used Lineage on multiple devices, Calyx, and Graphene. Graphene by far has the least issues (basically none), and the best compatibility in my experiences. Being able to relock the boot loader is perfect for a mobile device too.
grapheneos on a secondhand pixel 5 which was about 280$AUD. though i probably should have gotten a newer model considering the 5 is nearing end of life for GOS
Same mistake I made. But I’ll probably keep using it until the battery is completely dead.
I use proprietary AOSP because I require online banking :(
Couldn’t you use the website?
PureOS
No OS is perfect, as you likely do have to use a proprietary modem and some proprietary apps, but CalyxOS works well for me on my Fairphone 4. I like the base install being as free as realistically possible on a modern Android phone, especially replacing Google apps with microG. Just don’t enable SafetyNet if you don’t want it to run (sandboxed) Google blobs. That API is deprecated anyways.
The experience is smooth, free and I get a repairable phone without having generative “”“AI”“” shoved down my throat. A win on all fronts in my opinion.
I use Graphene on my phone and DivestOS on my tablet
Cool, there are supported tablets now?
I use GrapheneOS. Can't go back!
I’m looking at getting a new phone this Christmas. I’ve been fucking with fedora on my main and Garuda on a cheap mini pc in the garage. So I’d like to swap my phone over too. What is a good model to look into or a good model to await?
Pixel 6 or 7 any variant, not carrier locked. I use a 6a
I personally prefer Lineage OS
Using GrapheneOS on a pixel 8 pro bought for this. Never used the stock OS. Coming from iOS it is a breeze of fresh air to feel “private”. I tried lineage some times ago but it isn’t as polished as graphene, and it feels like a classic android OS, I didn’t feel " private".
.
My dear friend, can you elaborate ?
Used pixels are surprisingly cheap for how well they hold up over time, and graphene works well.
Which generation would you recommend? As used.
If you want updates, may be go for gen 6/7. 5a won’t be receiving updates after August 2024.
See: grapheneos.org/faq#device-lifetime
Thanks
I like the 7. IIRC, the 6 had reliability issues, and the 5 was only available in a smaller size.
I’ve been using a 6 since it’s release, it’s been solid for me. The 7 is slightly sleeker/smaller but they’re almost identical in performance.
7a would be the best balance between cod and expected support timeframe
Thanks.
I miss my pixel 5 :(
I totally agree. Used pixels are superb with grapheneos. Syncthing is what i use ad a backup. I think the problemi is that google stops releasing updates after 5 yearss old units don’t get updates I think. I have the 5th June build and it reports a security update of December 2023.
If you don’t live in the EU. Here you get a better new phone from xiaomi/motorola/oneplus than a pixel for the same price. Yes, I get grapheneos and relockable bootloader, but used things are too expensive here. If you need a cheap phone, buy a cheap phone (fuck EU’s import regulations).
I don’t know what you are on about, but if brand-new Pixels are too expensive for you (although their price is uniformed to the US one), you can easily find them second-hand.
For example at a time where my Pixel 7 was available for 500$ (466€) in the USA + 100$ trade in (93€) for my Galaxy S8 = 400$ = 373€ it still was 620€ in Austria on Amazon, the only way to buy it because Google did not offer it through their Google store here and normal stores didn’t go below 650€. I could’ve gotten 20€ trade in for my old phone = 600€. 60% more than in the USA at the same time.
Used market basically didn’t exist because Pixels generally were a bit overpriced
Doesn’t it seem that this problem is caused by Google not operating the markets in the same way?
Yes, but Persen’s point still stands.
(And Pixels also have way less features here, the only advantage they give is access to GrapheneOS, great camera and AI photo editing)
Which features do the lack?
US-only:
Call screening
Hold for me
Direct my call
Wait times
Call transcription
Answering calls with text to speech
Emergency calls on crash
English-only:
Speaker labels for Google recorder transcripts
Google recorder transcripts generally don’t work well in other languages, but at least the option to get a subpar transcript exists
Probably missed some
That’s the point. You can’t import anything to EU without paying a 20% import tax ±5€ depending on the import. This makes the used device market prices in EU inflated.
Why would you import used devices from the US in the first place? People sell them in Europe too.
Most of the market was from UK (where we all know what happened) plus taxing imports inflated the EU market.
I like grapheneos, very close to stock android without google shit
Lineage is kinda bad privacy and security wise, from the little I know its not fully degoogled
My understanding is kinda the opposite:
Both GrapheneOS and LineageOS publish monthly updates with upstream security patches for all supported devices.
Both GrapheneOS use network-provided DNS by default.
Apparently both GrapheneOS and LineageOS connect to connectivitytest.gstatic.com via http as a Captive Portal test by default,althoughh this was as of 2019-2020 and both might have changed since then.
Most of this is right, but needs some things corrected.
LOS is kept up by individual maintainers of the devices, and so it can cover more of them. But that also means you expand your attack surface to lineage, maintainer, microg, etc. And that’s just on supported devices. Unofficial devices are even more wild-west, having much delayed releases, OS updates, security updates, everything.
Not only that, but Lineage requires that you unlock your bootloader and often have your phone rooted to be able to do everything. This introduces special points of insecurity and possible issues in the future.
GOS is from a single source, for a single line of phones, and uses a designed method to load cryptographically signed ROMs onto the device, and then validate updates using the same method. The Play Services are sandboxed and disabled by default, so you can just never use them if you want. Overall, this makes for a more cohesive device. One that is more private and more secure. Especially so, when you can buy a new Pixel device and have guaranteed updates for as long as Google will do so for the same device.
the play services are not installed by default*
Thank you, I missed that
GrapheneOS doesn’t ship with any Google services by default. We do provide an easy and safe way to install the Google Play components if desired, they are run under the same sandbox and constraints as any other ordinary app you install. Because they expect privileged access that they don’t get on GrapheneOS, we add a compatibility layer that essentially teaches them to work under the normal circumstances that is the sandbox. If you don’t want them you don’t have to do anything, they are not present in that case.
LineageOS does make connections to Google by default, as does AOSP. GrapheneOS changes those connections while LineageOS doesn’t. They can be viewed here:
eylenburg.github.io/android_comparison.htm
Keep in mind, that table isn’t exhaustive. It lists the regular connections AOSP makes and how each OS handles them, but doesn’t include information on any additional connections that occur.
You can absolutely download apps from F-Droid on GrapheneOS, what makes you think you can’t, and how did you conclude that LineageOS is more private and secure?
LineageOS is pretty commonly behind on updates. As an example, it seems that LineageOS 21 (based on Android 14 QPR1) came out in February of this year.
9to5google.com/2024/03/12/lineageos-21-review/
You cannot ship the full security patches without being on the latest version of Android, which is Android 14 QPR3 now. Of course, if the device is EOL, that’s doubtly the case, and no OS can fix that.
I don’t know if this was the case in 2019, but it certainly isn’t the case now. On GrapheneOS, you have the choice of using the GrapheneOS server for the internet connectivity check, changing it to Google’s server or even disabling it altogether.
I never said that GrapheneOS couldn’t download apps from F-Droid. I didn’t mention GrapheneOS being able to use F-Droid in my dot points but that was just an oversight, not intenttional.
The problem with this is that so many apps use Google Play Services. If I didn’t want a phone that used Google, I wouldn’t use an OS that bent backwards to make it work.
The sandbox model is OK in theory, except when your bank app asks for permissions for microphone, camera, contacts and files, and refuses to start without them.
The app model is a bit broken IMO and GrapheneOS both enables and perpetuates it.
I might be being a bit naïve here, but Android 14 came out in October, 4 months prior to LOS 21, which is not particularly long. Android 13 is still supported by upstream. This sounds a bit like running RHEL or Debian vs bleeding edge Arch, no? It’s a common debate whether RHEL systems are constantly out of date, the counterargument being that vulnerabilities are often found in new software versions. Without real statistics about security vulnerabilities over time it’s difficult to make an informed decision about software version policies.
That is excellent, I’m glad to hear GrapheneOS is changing some of the defaults to be a bit better.
GrapheneOS doesn’t “bend backwards” to make apps relying on Play Services work. Sandboxed Google Play is highly compatible and all you need to do is install the apps, just like you would any other apps. The argument that since many apps require Google Play Services, you should use stock OS where they have privileged access rather than being sandboxed doesn’t make a lot of sense.
Apps installed on operating systems that don’t have a sandbox and thus a permission model get access to straight up everything. Your scenario is exactly why GrapheneOS features contact and storage scopes; as an alternative to the regular permissions for more granular control. You can grant an app only a subset of contacts/files or nothing at all, the app won’t complain since on its end, everything’s been supposedly granted. There are more planned features to address other permissions in a similar way. Furthermore you could put it in its own little box via a secondary profile (you can have up to 32), and have that only run when you need it.
4 months without proper patches to known vulnerabilities is very long. Previous versions of Android aren’t properly supported; they only receive a subset of patches, not nearly everything. In fact, not even Android 14 is currently getting full patches. At the time of writing, for a device to be properly patched, it must be on Android 14 QPR3. It’s why we put great care in porting everything over as quickly as possible. You don’t have to make guesses about vulnerabilities, you can simply look at all of the known vulnerabilities that haven’t been patched yet, or will never be patched, in previous Android versions. It’s not a matter of “what if”, it’s what’s actually happening.
Graphene OS users, what options are available for backing up your phone? I tried looking for an answer but wasn’t able to find anything recent on this topic.
I want to try it but this is the one thing holding me back.
I just use nextcloud as a target for backups (Aegis, Signal, QkSMS). Apps such as KeePassDX I have load the file via nextcloud. My contacts and calendar go through it as well, photos are just set to auto upload along with a few other directories.
As for the home screen layouts, I just take screenshots once I have it how I like and try to remember to take them again if I change stuff.
It’s not a full backup but I’m back up and running fairly quickly (Pixel 5A died on me 3 times in under a one year lifespan per device).
Syncthing is my answer though I appreciate it doesn’t get to the root of your question.
There are local backups that include your system settings, text messages, contacts, call history and (optionally) apps. The one thing I want is the ability to pick a directory for the local backup so I can make it work with syncthing without jumping through hoops.
It’s also compatible with Nextcloud and WebDAV if those are options for you.
I put lineageos on my old OnePlus, which had started to lag so much that even the password prompt would take a minute to register my key presses. The moment I put lineage on it, it started working as if it was new and finally had security updates for the first time in 2 or so years. I now use it as a backup device, and also as a webcam for my pc using scrcpy.
CrDroid… Use it mostly because it’s stock android with a few extra options…
And you can have micro g if you need cloud messaging or google apps.
Btw, is there a stripped down from AOSP custom rom around? I only want to use my old phone as alarm clock but standby holds only a week, despite the battery being rather big. My old Galaxy S3 with custom rom and BBS optimized held a month at least.
Lineageos with no apps is light enough, I think.
But that’s what i did. Still only a week.
Then you might need to change the battery.
GrapheneOS is perfect. Pixel phones are Google hardware yes, but works like a dream once GOS is installed. NO MORE GOOGLE !!! Frequent OS updates, love it
I loved it too until I forgot my wallet one day. It’s the one thing I had to go back to stock Android for because I forget everything but my phone constantly.
You can’t pay with the phone with GrapheneOS?
I’m afraid not. You can have Google Wallet installed but you can’t have bank cards on it on GrapheneOS.
Edit: this link for more context
Ty. Saving others some time:
But:
Didn’t know about Barclays! Thank you for educating me.
No, Google Wallet doesn’t pass the security check.
Which is weird because I thought Graphene can pass attestation. I can pass it and use Wallet with Magisk on an unlocked bootloader, not sure what’s preventing on Graphene.
Low-tech solution: keep your bank card in your phone case
Calyxos user here. I like it so far. Half a year into it. I can live with microg instead of gms. And it also works on moto g32, 42 and 52 so you don’t need Google hardware.
I’ve been using Graphene since the pixel 4a, have never considered going back. It works wonderfully.
.
PostmarketOS, pinephone, using phosh (sxmo is good too, but no support for dvorak keyboard :( :( :( ). Very jank, but I would never go back to Google/Android (or derivatives) after tasting what could be. Might try to switch to Void Linux or base Alpine since PostmarketOS is shipping systemd by default next release (“optionally, with openrc still being supported”, but we all know openrc is being pushed to the side, especially since it needs recompilation to switch back). Hope to boot OpenBSD on it some day.
While I really want the pinephone to be good, I just could not use it for daily use given its extremely poor battery life. I ended up getting a oneplus 6 and running postmarketOS before switching to DivestOS for camera support. I might switch back given that updating packages is much easier on linux compared to android.
Not next release, the one after. And even then probably not by default yet. And SXMO will not even support systemd at all. Yes OpenRC will remain an option.
systemd is good software and people should find proper reasons for disliking it for once instead of just following the hate train.
Are “breaking portability with non-linux unix systems (and even linux systems that don’t use systemd)” and “overly complex codebases inherently being more bug-prone and systemd having a poor security track record” good enough reasons for you?
@merompetehla
Such question I like to answer with this link from a security specislist.
privsec.dev/posts/
Please check the category Android.
Graphene seems the best possible custom rom.
I use Lineageos because I got an old phone for free.
I like how you highlight one of my pet peeves there.
Docs like this should be living so they can be fixed.
@corsicanguppy
Could you elaborate what you mean with that?
Not sure why GrapheneOS is getting down voted so much here, did I miss something recent that happened?
I’ve been using GrapheneOS on my Pixel 6a for around 2 years and really like it.
If I couldn’t use GOS though, I would probably go with DivestOS. I haven’t looked deep into other alternative Android ROMs.
I use phones that are at least 5 year old and cost 100€ max. Graphene supports only new pixel phones, so I never got to use it. I put LineageOS with MicroG on every phone and I’m super happy with it.
Fair point, Pixels aren’t flagship expensive, but they definitely aren’t cheap either.
The reason why GrapheneOS is hated here is because one single user who spreads constantly misinfo about the project.
For me LineageOS is a good baseline. I don’t have anything against “privacy” OS’s but they’re not really for me. I just use F-Droid to get apps and don’t care about compatibility with proprietary stuff so neither microG nor the GrapheneOS sandboxed Play services are of interest to me. I don’t use GrapheneOS because I don’t have or want a Pixel phone.
LineageOS significantly increases the lifespan of devices it supports and that’s important to me. Planned obsolescence is cancer.
My ideal mobile OS would be something like Mobian (or even better, a GNU Guix based distribution) but it should be noted that AOSP is also a Linux based operating system and thus anything derived from that is a Linux mobile OS.
There is no misleading advertisement. Go with Graphene if you own a Pixel (from Pixel 5 up) or you can find a cheap second-hand one.
Care to share which devices are you talking about? If a device is officially supported by the latest LineageOS version, it works.
It really depends on what you want from your phone and what matters to you.
I recently got a refurbished OnePlus 9 and put lineage on it. I would have gone with a pixel and graphene, but pixels with more storage are hard to come by and expensive.
Find which roms are available for your phone and choose from there, or if you want to change the Asus phone, look at your target specs and which phone ROM combination you can find
Been using /e/OS on a OnePlus 6T for the last ~2 years and love it. The built-in ad tracker blocker works well. GoS works for the best part and if it doesnt, heading over to the website usually works.
.
I am very happy with my moto g42 and Calix OS. The phone is reasonably priced (around 120.- euros).
Only downside is you have to register online to get full root access and I also had to wait like three days till everything unlocked. Otherwise I found the process very easy even for a caveman like me.
CrDroid on Poco F3, it just works and it’s on latest Android version.
eylenburg.github.io/android_comparison.htm This is a nice overview
just so everyone is aware grapheneos only support’s pixels because it is specifically designed for taking advantage of the hardware security features found in google’s tensor and titan chips. and thus installing it on another phone would kinda miss the point (and vastly increase the scope of the project)
google is also basically the best company when it comes to phones for custom roms, as they provide stock images, a simple bootloader unlocking process (that doesn’t void your warranty as far as i can tell), and generally the aosp and software support that comes from being the phone of the developer of android.
Also because the google pixel its bootloader can be relocked without much trouble. that is a big part of why GOS only supports pixel phones.
CalyxOS, lovely community and MicroG is FOSS (as opposed to Sandboxed Play Services being literally Google play services.)
Stuck on a relatively new Galaxy rn, but if I could install a custom ROM, it would be GNOME shell mobile
Ran LineageOS on a OnePlus 6T for a couple months. Overall, it was perfectly usable, but also lacked some of the polish of my daily (Galaxy S23), which was totally to be expected.