Hello, making this post to get some honest and technical opinions about GrapheneOS. Please do not be bothered by this question. I’ve heard that there is some Google code in the “sandbox” feature. Say your opinion below! 👇👇

  • oranki@lemmy.world
    4 months ago

    Not much to comment on the technical side, but quite a bit of things get upstreamed or reported from GrapheneOS. I believe they really know what they’re doing. You can ignore the rest if you don’t care for the general opinion.

    Yes, there’s probably Google code in the sandbox feature, it’s basically the stock Android userland app sandbox. The magic is the compatibility layer that allows Google apps to run as regular userland apps.

    ...

    I bought a Pixel 7a, just so I could try GrapheneOS.

    Installed it straight after unboxing, with Play services. Ended up using it pretty much like any Android phone. Installation is simple using the web installer. On recent versions, even Android Auto works, so the only thing you’re really giving up is NFC payments. Some banking apps may not work, but I’m lucky (or rather not unlucky) that the ones I use do. I believe those rare apps are somewhat lazily developed, and rely / trust on Google to do security for them.

    Some months later, I went back to the stock ROM, mostly for comparison. Stock Pixel OS has a lot of appealing features, but most of those are just “nice to have” things. Stayed on stock for a few months, but the plethora of obscure Google “privacy settings” put me back to GrapheneOS, and finally off Google. Reverting to stock was also simple, just as easy as flashing GrapheneOS.

    Now I don’t have Play services at all anymore, and have cleared most Google services (gmail, photos, drive…) so at least not much new data will go there. I do use Google Camera, and have Photos installed since I think the post-processing happens in Photos. Both have network permission denied, which is one of the nicest added features of GrapheneOS. The stock GOS camera is OK, but that’s one thing I think Google does better, though this is a subjective thing.

    The only thing I kind of miss is Google’s find my phone stuff. Even though it’s quite invasive, I have needed it once and it resulted in me getting a lost phone back. A simple solution is not to lose your phone.

    Apart from the per-app network permission, another really nice feature in GrapheneOS is the settings to toggle WiFi and Bluetooth off automatically. Why these are not in any “official” ROM tells a tall tale about how much they care about your privacy. The auto reboot if not unlocked in a while also brings some assurance regarding losing your phone, at least the storage will automatically be back in encrypted unlocked state.

    Vanadium might be the best browser I know for Android. Pretty much Chrome without all the things that make Chrome one of the worst browsers. Vanadium’s point is security, privacy (e.g. adblockers) is not the main focus. I’m not sure if there actually even are adblock features bundled nowadays.

    If you want all the nice modern bells and whistles, stay on some other OS. If the benefits above appeal to you, there’s really not much you give up in the end with GrapheneOS. It requires a bit more technical mindset, but not really even technical know-how. I haven’t noticed bugs or broken stuff anywhere, with or without Play services. Android Auto (requires Play services) gets stuck sometimes, but that may also be my low-tier car too.

    The “sandboxed” Google Play refers to the apps running as user installed apps vs the system-wide root-access-to-everything apps they are on stock. The same limitations you can apply to any other app you install apply to GSF apps too. So even if you install Play services, you are severely limiting the scope of data Google gets from you. It’s a solid middle ground between full degoogling and stock OS.

    I’m not even an Android app developer, and will gladly admit technical mistakes. If you want something negative, the vocal minority of GOS users is really vocal and really full of themselves.
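
The distinction described in the comment above (Play services as a regular user-installed app versus a privileged system app), as an added example that is not part of the original post and not GrapheneOS code: it classifies a package from `dumpsys package`-style text. Both samples are constructed, and the field layout, plus the idea that a denied Network toggle appears as `android.permission.INTERNET: granted=false`, are assumptions.

```python
import re

# Constructed samples shaped like `adb shell dumpsys package <pkg>` output.
# The field layout is an assumption; real output is longer and varies by release.
SAMPLE_STOCK = """\
Packages:
  Package [com.google.android.gms] (1a2b3c4):
    userId=10145
    codePath=/product/priv-app/PrebuiltGmsCore
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true
"""

SAMPLE_SANDBOXED = """\
Packages:
  Package [com.google.android.gms] (5d6e7f8):
    userId=10212
    codePath=/data/app/~~constructed==/com.google.android.gms-constructed==
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ ]
    User 0: installed=true
      runtime permissions:
        android.permission.INTERNET: granted=false
        android.permission.ACCESS_FINE_LOCATION: granted=false
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
FLAGS_RE = re.compile(r"^\s*(pkgFlags|flags|privateFlags)=\[([^\]]*)\]")
PATH_RE = re.compile(r"^\s*codePath=(\S+)")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")
SYSTEM_PARTITIONS = ("/system/", "/system_ext/", "/product/", "/vendor/")


def parse_packages(dump):
    """Return {package: {"path", "flags", "private", "perms"}} from dump text."""
    packages, current = {}, None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = packages.setdefault(
                m.group(1), {"path": "", "flags": set(), "private": set(), "perms": {}})
            continue
        if current is None:
            continue  # ignore anything before the first "Package [...]" header
        if m := PATH_RE.match(line):
            current["path"] = m.group(1)
        elif m := FLAGS_RE.match(line):
            key = "private" if m.group(1) == "privateFlags" else "flags"
            current[key].update(m.group(2).split())
        elif m := PERM_RE.match(line):
            current["perms"][m.group(1)] = m.group(2) == "true"
    return packages


def classify(info):
    """privileged-system: priv-app, may hold privileged permissions; user: ordinary sandboxed app."""
    path = info["path"]
    if "PRIVILEGED" in info["private"] or "/priv-app/" in path:
        return "privileged-system"
    if "SYSTEM" in info["flags"] or path.startswith(SYSTEM_PARTITIONS):
        return "system"
    if path.startswith("/data/app/"):
        return "user"
    return "unknown"


def internet_state(info):
    """Grant state of android.permission.INTERNET as listed in the dump."""
    granted = info["perms"].get("android.permission.INTERNET")
    if granted is None:
        return "not listed"
    return "granted" if granted else "denied"


def report(dump):
    """List of (package, install class, INTERNET state) tuples, sorted by package."""
    return [(name, classify(info), internet_state(info))
            for name, info in sorted(parse_packages(dump).items())]


if __name__ == "__main__":
    for label, dump in (("stock", SAMPLE_STOCK), ("sandboxed", SAMPLE_SANDBOXED)):
        print(label, report(dump))
```
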

  • GolfNovemberUniform@lemmy.ml
    4 months ago

    It’s a middleground between a regular stock spyware ROM and a degoogled one with pretty good security thanks to lockable bootloader.

    P. S. I can hear the drama coming unfortunately. This ROM’s devs have haters.

    • foremanguy@lemmy.mlOP
      4 months ago

      I’ve seen that you basically have two choices (more but not very relevant) GrapheneOS for security and /e/OS for privacy. Thoughts on it?

      • Lemongrab@lemmy.one
        4 months ago

        DivestOS is the most thoroughly degoogled of the android ROMs (it removes the most proprietary binary blobs). DivestOS is also decently security hardened, better security hardening than any other Android ROM other than GrapheneOS. But since it removes more of these proprietary blobs, it further reduces the attack surface of the ROM. Both GOS and DivestOS are good options. As commented by another user, /e/OS falls behind on security updates often, which is quite bad for a security or privacy focused OS.

      • GolfNovemberUniform@lemmy.ml
        4 months ago

        /e/OS is not for privacy but more for anonymization. It has a built in VPN and a ton of spoofing stuff afaik. It’s closer to Qubes if you ask me. And I heard it had proprietary software so ehh it’s made to make you look like the most average internet user so you can search anonymously. I don’t have enough information about this ROM but I wouldn’t use it on my main device.

          • GolfNovemberUniform@lemmy.ml
            4 months ago

            Convenience, proprietary software and because it’s not completely degoogled. I use LineageOS on my device and I’m happy with it. I can use Qubes or a VPN if I want an anonymous search.

              • GolfNovemberUniform@lemmy.ml
                4 months ago

                LineageOS actually seems to be getting less degoogled recently. They’re adding stuff for better Google apps support (that can be installed manually). But I believe it’s as degoogled as reasonable custom ROMs get. Not much advanced privacy/anonymization features though and no stuff like Play Integrity support obviously. It’s a ROM for those who don’t need gapps at all. And if you do, just buy a second hand device with the stock ROM and put your banking apps there. Play Integrity doesn’t work well on any custom ROMs now anyways.

                EDIT: also EOS is EndeavourOS that is a Linux distro.

              • Miss Brainfarts@lemmy.blahaj.zone
                4 months ago

                Like the other reply said, Lineage doesn’t do a whole lot in terms of degoogling. I quite enjoy DivestOS, it’s a project that takes Lineage as a base and strips out as much Google and proprietary code as possible.
                In fact, it’s so Google-free that neither sandboxed Play Services nor MicroG are officially supported, though the latter can still be installed and used just fine, though with a few drawbacks.

                Same as Lineage, it runs on more devices, but certain features like bootloader relocking depend on the phone.

    • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
      4 months ago

      There’s a lot of false information in your statements, GrapheneOS is not spyware, and it does a better job at degoogling than any other ROM mentioned in this thread, the only one that comes close is DivestOS, and no eOS is NOT like Qubes…

      GOS wanted to reduce the attack surface as much as possible so they removed all the unnecessary Bloat, it doesn’t even ship with wallpapers !!

      This list is not exhaustive and covers a tiny bit of the differences between these custom ROMs but it’s a good place to start

      https://eylenburg.github.io/android_comparison.htm

      • GolfNovemberUniform@lemmy.ml
        4 months ago

        What I meant by a “middleground” is that GOS has gapps, even though they are sandboxed. There is no way it can be more degoogled than LOS or any other fully vanilla ROM that’s actually degoogled.

        • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
          4 months ago

          That’s also not accurate, GOS comes fully degoogled, and doesn’t include any GAPPS or Google Play services, you have to install them yourself if you want compatibility with Google Apps or some banking apps

          even though they are sandboxed. There is no way it can be more degoogled than LOS

          That’s just false, even LOS isn’t fully degoogled and it still connects to Google in the background for necessary connectivity checks ( e.g. DNS ) and Esim activation for example

          • GolfNovemberUniform@lemmy.ml
            4 months ago

            Oh ok then. If it has a vanilla version then it is degoogled and can be more degoogled than LOS. What I meant was if GOS was microg only, it couldn’t be as degoogled as LOS because LOS is vanilla. Still it’s a shame that LOS can’t find a better supporter than Google.

            • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
              4 months ago

              it couldn’t be as degoogled as LOS because LOS is vanilla

              This is about to change since LOS are about to include MicroG by default in future releases… Or so I heard from some Mastodon users who shared screenshots about an LOS update that installed MicroG

              GOS is private and secure more than any other ROM, but once you install the Unprivileged play store you lose some of that privacy while retaining security, MicroG is private but not as secure

              Still it’s a shame that LOS can’t find a better supporter than Google

              Wdym?

              • GolfNovemberUniform@lemmy.ml
                4 months ago

                This is about to change since LOS are about to include MicroG by default in future releases

                Should I bet all my savings this isn’t gonna happen? Just don’t trust unverified rumors and never ever spread them as the truth.

                more than any other ROM

                ROMs without network support.

                Wdym?

                I believe LOS uses Google stuff because they get money for doing it, especially for making it the default search engine in the default browser.

                • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
                  4 months ago

                  never ever spread them as the truth.

                  How did you know it’s not the truth…because I implied it wasn’t… and I don’t see it as something that couldn’t happen, people asked for MicroG support for years…

                  ROMs without network support.

                  I’m not a huge fan of trolling

                  because they get money for doing it,

                  I can tell you no Open source ROM gets funds by Google, unless if it’s a program… For example GOS received many rewards for discovering vulnerabilities in AOSP

  • StormWalker@lemmy.zip
    4 months ago

    I have been using GrapheneOS on a Pixel 7 Pro for 3 months now. I am BLOWN AWAY at how good it is. I have 3 user profiles. Main profile has no google services at all, and 95% of my apps are running there. Then I have a second user I can switch to that has sandboxed google services and my banking apps on it. I then have a third user that also has sandboxed google services running where I can install any random app that demands google services. (I have only 1 app on that user) . So 99.9% of the time my phone is running with no google services at all. (Side note: without even the sandboxed google services installed, apps need to be left open in the app switcher in order to receive notifications. If you swipe all your apps away, then you won’t receive notifications. This is not a problem for me, as I just keep my messaging apps open in the app switcher. But if it is a problem for you, you would need to run the sandboxed google services).

    I see GrapheneOS as a way of removing 99% of all the tracking, spyware and things that I don’t like, while still having the convenience of having all the apps and features that are available on a regular smartphone.

    There is a learning curve, and many settings to learn and customize. But definitely worth it.

    To get a Pixel, instead of paying £900 for a new pixel 8 pro, I paid £300 for a second hand Pixel 7 Pro on eBay that was in perfect condition. So for £300 I now have a privacy phone and an AMAZING camera, which was very important for me the camera.

  • Possibly linux@lemmy.zip
    4 months ago

    Toxic culture run by someone who is questionable at best. Honestly I don’t see a need for it. It is certainly not the only option.

    • Sunny' 🌻@slrpnk.net
      4 months ago

      The person you are referring to did actually step down as lead developer… Best to be more informed before making claims. Could you elaborate on why you consider it toxic? I’ve yet to find the Graphene community toxic myself.

      • Possibly linux@lemmy.zip
        4 months ago

        They still have a lot of control though. Also I find that Graphene community thinks it is better than everyone else. I don’t have a problem with people being proud the problem is that Graphene is spreading false information like every other ROM is insecure. That’s not the case especially in terms of security as anything but stock is less secure. From a privacy perspective non google is better than Google but everyone seems to skip over that. People will say “Lineage OS uses Google DNS” but in reality your ISP could be using Google DNS, the key is to set up Private DNS which takes only a few minutes to do. Graphene isn’t the only option. In reality there are tradeoffs everywhere.

        The fact that the larger community only knows of Graphene OS and stock is a bit scary.

    • user@lemmy.world
      4 months ago

      Not the only one but it’s factually the best one. Questionable to me is your expertise on this topic when you deter people from using the best option, based on your unrelated, subjective, non-technical views.

      • Possibly linux@lemmy.zip
        4 months ago

        There isn’t a factual “best” one as people’s needs vary completely. That’s why I say the Graphene community is toxic. They are convinced that there is only one way to do things.

        Graphene is useless to me because I have no need or want for a Pixel or even a new phone. How can it be the “best” for me if I can’t even use it? As it turns out there is no right answer. It might work for you but that doesn’t make it the best for everyone.

  • heleos@lemm.ee
    4 months ago

    I used it for quite a while, but with most of the Google apps. One morning RCS chat stopped working and would not reconnect, since I use RCS for texting most people I’m back on stock for now. I know it’s not Graphene’s fault, but I didn’t want to have to keep dealing with Google randomly disabling stuff. Up until then, everything worked as it was described

  • umbrella@lemmy.ml
    4 months ago

    if you have a pixel there’s absolutely no reason why you shouldn’t use it.

    if you don’t i don’t think it’s worth it to buy one just for graphene

    • ExcessShiv@lemmy.dbzer0.com
      4 months ago

      if you have a pixel theres absolutely no reason why you shouldnt use it.

      Plenty reasons to not use it on a pixel…I had horrible compatibility with all sorts of banking apps, government 2FA and traffic warning systems, to the point where they just couldn’t work at all. Their sandboxed play services breaks a shitload of day to day convenience and even necessities to increase privacy.

      • umbrella@lemmy.ml
        4 months ago

        this is a problem with all ROMs, actually.

        banking apps especially do everything in their power to block every phone that isn’t stock.

        • Possibly linux@lemmy.zip
          4 months ago

          They encourage proprietary software and locked down systems. For instance, they use Google play services instead of microG and they promote the play store. I personally think that F-droid apps are much better from both a software freedom perspective and a privacy perspective. I’m not against people installing proprietary apps as I realize sometimes that is unavoidable but they could at least encourage the use of Foss. Graphene could simply have both F-droid and Aurora store by default and on setup explain the difference. They could even allow the install of Play services instead. However, they don’t even really try. They focus on security which at the end of the day is subjective.

        • /home/pineapplelover@lemm.ee
          4 months ago

          Most likely talking about how the lead developer had a mental health crisis and lost his marbles. From what I’ve heard, he has stepped off to take care of that and the project is still going great.

        • Possibly linux@lemmy.zip
          4 months ago

          I said ethical not technical. Anyway from a technical perspective Graphene os is only supported on a handful of devices so it is off the table for many people.

            • user@lemmy.world
              4 months ago

              None. This person doesn’t know what they are talking about and they try to discredit the project based on their personal views and demonize the dev team.

          • user@lemmy.world
            4 months ago

            By this logic rpiOS sucks because it’s only supported on Raspberry PIs. Only Pixel hardware meets the security requirements of Graphene.

            • Possibly linux@lemmy.zip
              4 months ago

              Raspberry Pis suck in general as they lack open firmware. You are stuck with the Raspberry Pi kernel and all of its blobs. “Security requirements” is something Microsoft says about Windows 11. If you are concerned about security your best bet is stock software as it is maintained by Google.

              • user@lemmy.world
                4 months ago

                Again, you demonstrate that you don’t have the sufficient knowledge. There is no commercial device with open-source firmware. “Security Requirements” are not some kind of marketing bullshit as you seem to think. Graphene’s can be found here: https://grapheneos.org/faq#future-devices

                I doubt you understand what any of them mean, since you seemingly think Windows 11 requirements are just random things that are just there to hurt you.

                You thinking that Stock Google devices are more secure than GOS simply shows that you fundamentally lack the understanding of how things work. They are built on the same core but Graphene has massively reduced attack surface and fewer ways to exploit remotely. And then we didn’t even talk about the hardened kernel and such.

                I wouldn’t try to discredit projects I don’t know anything about if I were you.

                • Possibly linux@lemmy.zip
                  4 months ago

                  https://www.fsf.org/resources/hw/single-board-computers (2021)

                  https://pine64.org/documentation/ROCK64/

                  Pine64 boards rarely need proprietary software and they don’t need it to boot like the raspberry pi does. However, that is a discussion for another time.

                  You are also illustrating my point. The Graphene community has a my way or the highway mentality. As it turns out stock will often be more secure as it will have the latest security updates and will have less people handling it in general so less risk of supply chain attack from a bad actor in the community. However, this is a non issue. I find a lot of the so called security holes to be fairly mild as they require very specific targeting to exploit.

                  In general, the people around Graphene os and Divest OS are very toxic. In the F-droid board meeting the issue was brought up that the is censorship is promotion happening for Divest OS. People who criticized Divest OS were getting banned. The person who brought this complaint has a page where they go over their beliefs and bring forward evidence. I think they are a bit harsh but they do have a point.

                  http://opinionplatform.org/

  • CrypticCoffee@lemmy.ml
    4 months ago

    Well it’s open source android, if the code is bad, it’s jettisoned. While I cannot stand Google, not every line of code they write is trash.

    The sandbox is good and you do not need to install Play if you do not want to. I use f droid where possible.

    I want Linux Mobile but it is not ready yet. In the mean time, this is the best we have.

        • Possibly linux@lemmy.zip
          4 months ago

          Do you? It ships proprietary Google services and encourages closed source solutions. Not only that, but the original developer is convinced that he is the only source of truth.

          • user@lemmy.world
            4 months ago

            It does not “ship” them. They are available at your option. Other solutions to solve the google problem such as MicroG have/had several security issues. My favourite was when they leaked user passwords.

          • CrypticCoffee@lemmy.ml
            4 months ago

            It actually doesn’t.

            It is the open source code. You can optionally install Google play in a restrictive sandbox if you wish. You do not have to.

            I cannot disagree with the last sentence. He has his fair share of issues, but it doesn’t take away from his ability or contributions.

        • foremanguy@lemmy.mlOP
          4 months ago

          So you will have to emulate all these apps? Like I’m not talking about these on the play store like games or others, I’m talking about the great apps that you can find on fdroid

          • CrypticCoffee@lemmy.ml
            4 months ago

            Depends on what you are referring to. If Linux Mobile, Android apps can be run on Waydroid and there is a compatibility layer like Wine available. However, for Linux Mobile, you’ll open up Gnome and KDE apps. In Plasma, you have kirigami which enables convergent apps (that work on desktop, mobile and tablet). As it matures, more apps will be developed that supports it.

            The world and ecosystem now doesn’t define the ecosystems of the future.

  • fart_pickle@lemmy.world
    4 months ago

    I’ve been using GrapheneOS for over a year. I cannot complain about it, it works as advertised and it does it the best way possible. However, here’s the list of things I find annoying/missing. Keep in mind, this is a subjective list.

    • some (quite a lot of for me) apps require Google Play Framework (or whatever the name is) to work properly
    • Aurora store tends to be unavailable randomly, which makes installation/updates difficult sometimes
    • some features are wonky, e.g. GrapheneOS has no issues with disabling wifi when leaving my home but I was never able to enable wifi when I’m back home.
    • default apps work ok-ish but it’s far from good old iOS/Android experience
    • Android Auto experience was a shitshow for me

    • Freuks@lemmy.ml
      4 months ago

      +1 for the first 2, maybe 1 year or longer user too (other points don’t apply to me as I don’t use them)

  • springonion@discuss.online
    4 months ago

    GrapheneOS has something in store for everyone. The fully de-googled setup by the common definition a lot of people strive for is a fully supported configuration, it comes that way out of the box in fact, making zero connections to Google - unlike many other operating systems. But you can also transform it into a more “regular” phone by installing Google Play and all the bells and whistles and enjoy the benefits while still feeling safe, thanks to the app sandbox applying to it. So you can take away its permissions and feel rest assured it can’t snoop on you even if it wanted to. Or you take a middleground somewhere inbetween if that’s your cup of tea; functionality is an important factor for many, and there’s little you need to sacrifice.

  • TheBigBrother@lemmy.world
    4 months ago

    Ask me when the NSA knocks at your door, what I think about it? I think it’s a big honeypot.

    Think about it, if you were the NSA or the CIA would you push a privacy oriented OS? Honeypot vibes get stronger

      • Imprint9816@lemmy.dbzer0.com
        4 months ago

        It’s always better to try and get firsthand knowledge through the FAQ than rely on, possibly inaccurate, Lemmy users. I would also seek answers on their official forum over Lemmy as well.