Considering buying a Pixel 7a but Ive been wondering how effective is Graphene against security threats like Pegasus. Can it stop infiltration entirely, and if not, can it at least trace activities of Pegasus?

    Xtreix I'm actually posting on behalf of someone who has been a past victim of Pegasus. So the fears are largely warranted in this case. With that info out of the way, I'd generally like advice on whether to pick iOS or GrapheneOS.

    • zzz replied to this.
      • Edited

      Xtreix

      From that link:

      [...] the majority of users [...] are not at risk, unless they are politically active and suspect someone might have reason to target them.

      The article is largely just this assertion, with little explanation of why. Not particularly helpful in this context without more specifics.

      I also notice a publishing date of 2021, seems a little stale to be informing decisions in 2024.

      Does anyone have a recommendation for other sources that are more recent / in-depth?

      sausage

      I'd generally like advice on whether to pick iOS or GrapheneOS

      On the GOS forum, you will generally get more recommendations for GOS.

      It might be helpful to review this section of the website:
      https://grapheneos.org/faq#cellular-tracking

      Cellular networks use inherently insecure protocols and have many trusted parties. [...] Legacy calls and texts should be avoided as they're not secure and trust the carrier / network along with having weak security against other parties.

      Maybe others with more knowledge could chime in with more information about Pegasus specifically.

      A supported iPhone with lockdown mode is a good choice, generally. A lot of what lockdown mode does, GrapheneOS does by default, and a lot of what lockdown mode does beyond that is just disabling Apple services that aren't in GrapheneOS in the first place.

      With that out of the way, GrapheneOS focuses a lot on preventing remote and physical exploitation. A lot of what we offer is detailed in the features page. I would recommend starting by reading this section in particular:

      https://grapheneos.org/features#exploit-protection

      Saying "yes, just use this and you'll be 100% bulletproof" isn't something you're going to find in this community or any serious security community that's not selling lies to people. That said, GrapheneOS (especially on an 8th gen device where MTE is used) is in my opinion one of the most secure consumer device/OS combos for people with a threat model that requires them to worry about targeted malware/spyware.

        Additional to what was said, Citizen Lab is one of the primary sources to read more about Pegasus.

        From my knowledge Pegasus started with phishing attacks in addition with drive by download and then later developed to use zero-click exploits to gain access.

        With enough time and money, nothing is safe. But by using hardened devices and strict OpSec, a subject can increase the wall the threat agent has to overcome.

        If I would be a high valuable target with highly sensitive information, I would not trust just using a secure device. History shows that the subject itself is the most critical vulnerability.

        matchboxbananasynergy the person I'm posting on behalf of (an activist/journalist) is an elderly person who is not very tech savvy. I've heard somewhere that GrapheneOS requires quite some tech savvy as it effectively de-Googles the phone. Will it be convenient for him to use Pixel 7 with that in mind?

          sausage I've heard somewhere that GrapheneOS requires quite some tech savvy as it effectively de-Googles the phone. Will it be convenient for him to use Pixel 7 with that in mind?

          You've heard wrong. GrapheneOS can be used by anyone regardless of their age and understanding/experience with technology.

          sausage My mother, who is 60+, uses it with sandboxed Google Play Services installed in the main user. She doesn't even realize that the device isn't running the stock OS.

          • Edited

          sausage I would say it depends on the person being comfortable with using Android in general. If I personally had struggled with using Android UIs in general, I would have struggled with using GrapheneOS as well. GrapheneOS' UI is closely based on the Android Open Source Project. I personally find it easy and comfortable to use.

          That being said, Android variants can have very different UIs. I personally find Samsung's UI more cumbersome to use than GrapheneOS'. To me Samsung adds more clutter to its menus that is slightly confusing to me.

          One of my reasons for using GrapheneOS is that its security features very rarely cause me usability issues. Unless an app crashes because GrapheneOS catches a security issue in that app (such as memory corruption), I don't have to think about it. There are simple toggles to disable some of GrapheneOS' exploit protections for the problematic apps, if you choose to.

          Google Play Services are not included by default, but can be easily installed by opening the app called Apps, tapping on Google Play Services and then Install. This will also install Play Store. Google apps can be downloaded from the Play Store if desired. The vast majority of them will function just as well as on Pixel's stock OS. The most notable exception is Google Pay's NFC functionality. It's a choice by Google to require a Google-certified OS for that functionality. The app "Google Personal Safety" also does not work. I can't think of any incompatible Google apps beyond that. I'm writing this using Gboard.