  • Selling phones with GrapheneOS preinstalled - how to trust?

I'd like to start selling phones with GrapheneOS pre-installed. I understand there is a dim view of that around here:

final Things like this are why you never trust retailers who sell GrapheneOS devices or people trying to sell you support. Most of them are just people trying to make bucks from criminals or take advantage of them, or worse, they are in illicit trade as well. When you see people going out to sell something like this and they aren't a transparent company with directors, you should just assume they are sketchy. The market for secure smartphones is a swamp of snake oil, criminal run businesses.

I have been using GrapheneOS for about four years already, when I stopped maintaining my own AOSP builds for Sony devices (which prior to Google's change of heart with recent Pixels, had the longest driver support period, and decent open source community support). I have technical abilities but am not yet a contributor to the OS project.

I recognize also this is a terrible business as far as making money. The only thing people replace less than phones seems to be cars and appliances.

https://discuss.grapheneos.org/d/8160-thoughts-on-selling-of-pixels-with-preinstalled-grapheneos/9

Max-Zorin After all the work I did to set this up, it would have been better for me to get a second job delivering pizzas in the evening. With the profit I made and the hours I put in, it was maybe $1.25 / hr.

I want to sell phones with GrapheneOS, because I would like to buy them, and I know others as well who would.

I will be installing the stock OS and not making my own build, so unless I am mistaken the boot screen hash will match the official posted hashcodes, and will OTA update.

I will be contributing back 20% of profits to GrapheneOS, and some other percent for escape-surveillance-capitalism supporting projects, ie DAVx5, F-Droid, Signal, Syncthing, etc.

Is this sufficient to build confidence that this would be safe to buy? Is this still not good enough? What would leave you confident in a new device with GrapheneOS preinstalled?

I am fine if the answers here are respectful, but not kind. I am very interested in feedback in any form.

    I certainly wouldn't buy a phone with GrapheneOS preinstalled. There's no reason to, it's a Pixel, installation of GrapheneOS is trivial!

    Anyone without the very very little technical capability needed to install it, also wouldn't have the capability of verifying that it's a good install, and therefore could NOT trust it. Further, even if the OS checked out, purchasing the physical phone from an unknown source introduces the possibility that the hardware has been tampered with at some level and therefore can't be trusted on that basis.

      bookreader

      I have seen there are people who prefer open source software, and for whom this is something they would pay to avoid:
      https://grapheneos.org/install/web

      Further, they would also like to not deal with submitting personal information to, eg
      https://store.google.com/product/pixel_7a

      There are other vendors (eg, Best Buy) but there is a subset then who would rather deal with an independent reseller than a large chain.

      I understand this might not be a product for you, and that's fine.

      But you mention hardware tampering. How would one detect this when ordering from another vendor? Is the threat concern interdiction, or that all the devices have some hardware modification, or otherwise? How do you know the source you have obtained a device from has not been tampered with? How did you do this the last time you purchased a device?

        PoppyGrunfeld Hello Poppy, The dim views are unfortunate as an idea like this could really help awareness which is much needed. I feel people are becoming more aware of privacy invasion, but are not aware of their options or that open source addresses many privacy issues. And then there are those who just feel the change is too challenging and they have become too dependent on convenience. Protecting privacy comes with inconveniences. But at least for me, the inconveniences give me HUGE peace of mind. And it’s not really that inconvenient…at least not for me…and probably most of us here.

        I love the idea but what a can of worms. Are you going to get pulled into warranty and support? Will folks purchasing these really understand what they are getting and how to preserve the benefits of what you’re offering with GOS? You may need a disclaimer as part of the sale.

        I feel people interested in GOS could install it themselves. However, that being said, there are folks that are interested that can’t do the install. And others just don’t want to be bothered with it.

        Marketing could be a challenge as well. So many folks want the benefits of GOS, but don’t realize it, or realize it exists. How does the general public find GOS…smart phone privacy searching? Aside from search results like VPNs, McAfee and so on, you’ll get results like “Here are some of the best smartphones for privacy and security, Apple iPhone 14 Pro Max, Samsung Galaxy S23 Ultra, Purism Librem 5, Blackphone PRIVY 2.0, Google Pixel 7”, etc. (Actual search results).

        I hope these random thoughts are helpful to you Poppy. And I hope you go for it and are successful.

          commodore64 I love the idea but what a can of worms. Are you going to get pulled into warranty and support? Will folks purchasing these really understand what they are getting and how to preserve the benefits of what you’re offering with GOS? You may need a disclaimer as part of the sale.

          Warranty: I will have to follow consumer protection laws. Because there is not much appetite for markup, this is just business risk I will have to take on.

          Disclaimer: Yes, I am currently saying that I expect users to have some level of tech familiarity at first. I have still found interested buyers.

          Support: I am anticipating some level of support will need to be provided, yes, but limited. I will direct to other communities as appropriate (GrapheneOS, each app), but this forum is not a general-purpose "what do I do now that the phone is running fine" forum. I do not currently know of any minimalism / privacy / security minded communities or forums that are welcoming I could point a new user into. Many are not a place I even choose to go, as I find them frustrating and... biased in a direction I am not interested in. So I may start forums, which is another large endeavor.

          Marketing: I am aiming for more tech aware users at first, aiming at people with existing understanding of surveillance capitalism. I am planning on some basic education, but this is something I will be working on for a long time. For instance, I have already written packaging that makes it clear how to check the boot hash to verify there was no tampering, and how to check with an outside source to not just trust the printed material.

            PoppyGrunfeld hey, I personally like the idea! Anything that helps get out there to maybe less technically savvy people who are actually interested in security and privacy, but for whatever reason aren't interested in, or cannot install GrapheneOS themselves, is a good thing to me!

            I can help maybe in a small way, by giving you the link to my guide for new users, it is descriptive of all the basic features of GrapheneOS, and also a guide to setting it up like a regular Android with stock Google apps for those who don't want to have a pure FOSS experience.

            I'll be making adjustments in a bit to point to other guides for those who do want the full de-googled experience, as well as other versions for other considerations. I just wrote it this way when this is what I was doing when I first came to GrapheneOS, and wanted to share. Then I re-wrote it to improve and add in a lot more data a few months ago.

            Might be useful to you, I've had great feedback at least. You have permission to freely distribute it, just not to charge anything for its distribution. I wrote it as a free resource for the community, so please respect that and distribute it freely if you choose to use it...

            PoppyGrunfeld But you mention hardware tampering. How would one detect this when ordering from another vendor? Is the threat concern interdiction, or that all the devices have some hardware modification, or otherwise? How do you know the source you have obtained a device from has not been tampered with? How did you do this the last time you purchased a device?

            Exactly, how would you know it's been tampered with? How would you know if it's been opened and something added or modified? By definition, if you purchase the device from g*, then it has not been tampered with, since they're the ones who designed the device to begin with, including whatever spying hardware it may or may not include by default, but it hasn't been tampered with to add MORE, since they've already designed it with whatever they need. The probability of tampering is incredibly low from major retail chains. But buying something from somebody on the internet.... could have had anything done to it -- you never know.

            PoppyGrunfeld

            Is this sufficient to build confidence that this would be safe to buy? Is this still not good enough? What would leave you confident in a new device with GrapheneOS preinstalled?

            I started trusting GOS once I saw the project implicitly endorsed by Proton via a fundraiser.
            That trust has since grown independently from there over time through observing the team's work in practice and on this forum.
            The longevity of the project was also a factor (most people are not the type to be an early adopter, like signing up for experimental new medical procedures for example)

            My trust in Proton is, in turn, the result of my observations of that org's interactions with a number of others.

            Personally, I would only trust a business offering pre-loaded GOS if it had a similar endorsement from the GOS team.
            If not GOS, then another trusted org, preferably multiple orgs.

            So in short: longevity and endorsements.

            If Google or Best Buy sold Pixels with GrapheneOS out of the box, I would buy one …… otherwise no way.


              Blastoidea If Google or Best Buy sold pixels with GrapheneOS out of the box, I would buy one …… otherwise no way.

              How about EFF?

                de0u
                Don’t know much about them ….. I’d consider that a definite maybe.