splattergames True, we don't have evidence.

If you’re not basing your beliefs on evidence then you should reevaluate your beliefs.

splattergames Operation Triangulation is just the most recent example of very sophisticated attacks that would require immense knowledge about the hardware and software, that external threat actors would have a lot of problems obtaining without some insider information.

You’re just asserting they would need insider info but that’s not based on anything. Complexity != backdoor.
https://social.treehouse.systems/@marcan/111725519494168675

splattergames We don't know if that was in cooperation with Apple

Then why assume? Btw AOSP is run by Google and your Pixel phone is also made by Google, they could just as easily put a backdoor in as well. But there’s no evidence that they ever did, so there’s no reason to believe that.

splattergames But we definitely should operate under the assumption that iOS is an unsafe OS for high-profile targets where nation state actors and expert cybersecurity companies (remember Pegasus everyone?) will likely have a way to get in.

iOS has stopped these attacks in the past. Anyone’s definition of unsafe is going to be completely subjective, but the fact that iOS requires these expensive exploits shows that it does a better job than a lot of other operating systems at protecting you.

    fria

    If you’re not basing your beliefs on evidence then you should reevaluate your beliefs.

    We didn't have evidence of mass surveillance by the US until 2013. Everyone who claimed that (and especially those in the "friendly countries" like Germany) were labeled as lunatics. We are more than lucky that one (!) man came forward and revealed the massive scope of the whole operation. Including Angela Merkels bugged phone (though she didn't seem to care about it at all). Those who didn't base their beliefs on evidence, but rather stayed cautious because of possibility, were the winners.

    Complexity != backdoor.

    That's true. But in this case, I quote: "It does not appear there is any new evidence which would implicate Apple. But it is notable that it relied on an Apple-specific TrueType specification, and bypasses previously undisclosed hardware memory protections." it's not far fetched to say that it's incredibly hard to find never-mentioned specifications/hardware features. Not saying Apple was involved here in some way, but there's always a possibility which we shouldn't rule out considering the laws they have to follow.

    Then why assume? Btw AOSP is run by Google and your Pixel phone is also made by Google, they could just as easily put a backdoor in as well. But there’s no evidence that they ever did, so there’s no reason to believe that.

    AOSP is open source, unlike iOS. If Google were to hide a backdoor, it would be embedded somewhere in the proprietary builds. Hiding a backdoor in open source code is evidently harder.

    iOS has stopped these attacks in the past. Anyone’s definition of unsafe is going to be completely subjective, but the fact that iOS requires these expensive exploits shows that it does a better job than a lot of other operating systems at protecting you.

    That's in the past and that's what we know about. For every disclosed CVE there's probably 10 more that are undetected. The aforementioned "Operation Triangulation" has been running for years before it was discovered. And we're talking about 4 zero days that were used in tandem to make it work. Some nation states around the world use state issued malware for critical investigations that needs to work 100% of the time guaranteed. Call me a tin-foil guy, but it's really not that far fetched to say that they wouldn't risk losing their most valuable cyberweapons that cost them millions of dollars over a software update.

      splattergames We didn't have evidence of mass surveillance by the US until 2013.

      Yes sometimes conspiracy theories turn out to be true. There’s no evidence that the moon landing was faked, but that doesn’t mean you should believe that hoping one day that new evidence pops up.

      splattergames It does not appear there is any new evidence which would implicate Apple.

      Your own quote spells it out. They’re just saying that it’s notable, nothing more.

      graphy00 I have seen resellers that do exactly what you propose. You can get a Pixel phone with preinstalled GrapheneOS and a privacy oriented app suite. Given the relatively small number of GOS devs it's better they just focus on the OS itself imo.

        Byku

        These resellers are highly suspect. If I recall correctly, it's very common such resold GOS Pixels do not in fact have GOS, or it's rooted GOS, or any number of other janky crap. I believe I have heard of these or similar being used as honey pots by law enforcement and scam artists, etc etc etc.

        The problem with GOS creating a one-button pack installer is that they would be endorsing whatever they include in that.

        They are very, very careful about what they endorse, and I think it is for good reason.

        That abundance of caution protect their reputation.

        Beyond that, vetting a bunch of apps that aren't strictly necessary in order to utilize the hardware is a LOT of work that is beyond the scope of a project that is for the most part focused just on hardening AOSP.

        Honestly, the fact that GOS even ships with a calculator, a PDF viewer, and an image gallery is already a luxury, when you think about it from that point of view.

        Accrescent is sounding like it is likely going to be the closest thing to a one-stop shop for trustworthy apps. It is its own project, with its own team, and the whole point is to be a repository for thoroughly vetted apps.

        Frankly, the fact that GOS is putting the Accrescent app in GOS's apps repository is pretty surprising. That's a looot of trust they are putting in Accrescent - they are essentially saying "while recommending apps is for the most part outside the scope of the GOS project, we trust Accrescent to do it well enough that what they give you won't compromise the work we do on the OS."

        GOS is entrusting their reputation to Accrescent.

        Think about what it's like recommending someone to be hired by the company you work for. If they turn out bad, that impugns YOU, too.

        These things take time. This applies to both GOS and Accrescent. Both are works in progress. Simply due to the fact that GOS is forked from / built upon(?) AOSP and is focused on hardening over pretty much everything else... GOS will lag behind AOSP by a tiny bit and lag behind Stock OSes by a lot in terms of feature richness, user-friendliness, and aesthetics. These things ARE taken into account, they just aren't the top priority.

        This is the price for being at the forefront of free and open-source mobile device OS security.

        Same goes for Accrescent... It is brand spanking new, ambitious, and is essentially herding cats because it's gotta make sure all the apps on it are worthy, and that means reading and checking the work of an ever-increasing list of developers.

        That's like trying to regulate the sanitation and safety of a bunch of restaurants, each of which serve completely different kinds of foods, all with only a few people.

        Holy cow, y'know?

        So yeah, I get that this lack of features out of the box (so to speak) and the "easy to use for anyone age 5 to 75" and the extreme convenience provided by highly integrated ecosystems like Apple's is frustrating and is definitely a barrier to entry.

        Trust me, I used iOS for like... A decade. Look at my post history, switching from iOS straight to GOS was an ordeal.

        I know it's a pain in the butt.

        But these inconveniences are a necessary consequence of what GOS has to do to be what it is.

        Anyone who is able to install GOS, install Google Play, configure and set up everything will probably also be able to get a few other apps on their device

        I think this has drifted off a bit.

        The obvious points are

        Pro "more apps"

        • GrapheneOS is extremely barebones and the b/w style is kinda ugly
        • there is no appstore available to use, which is a huge UX problem
        • there are many apps that can be just as nice as apples:
          • fossify gallery (has a small editor)
          • localsend (not as easy as apples but works on every device)
          • organicmaps (really smooth and works without issues, osmand is way more advanced but requires removing hardening)
          • StandardNotes or other services are there
        • preinstalling a slim wireguard VPN would prevent the "boot in safe mode" bypass
        • grapheneOS tries to be perfect securitywise but instead it has nothing, no usable appstore apart from Google Play (which is often problematic as seen with Syncthing) and not many preinstalled apps
        • app recommendations being GPL etc would not be a legal issue as they are not shipped alongside the OS

        Contra "more apps"

        • developers do an amazing job at the essentials: a slim, pretty heavily modified and still rock solid AOSP-based OS
        • these projects would be outside their control, vendoring such apps can cause problems
        • legal issues with copyleft licenses
        • there are many competitors, as people prefer different things

        But from these points, I think a reasonable conclusion would be:

        • it will take quite a while until Accrescent is ready enough to have the "perfect" solution for preinstalled apps. Until then, obtainium with a URL list could work
        • not preinstalling anything will deter people
        • or it will make them do bad choices, as there arent multiple people deciding but everyone on their own
        • having an official list or website with obtainium URLs for recommended apps, or even a setup page installing them as user apps, could have a big disclaimer we do not manage these apps, they are independent projects would be a huge UX benefit.

        Otherwise currently, in my example, I buy a phone used, flash GrapheneOS and set it up, talking with the person and also kinda giving free tech support. This worked for a non-tech-savvy close friend, but may not be scaleable.

          missing-root If we restrict the recommendation space temporarily to just messaging apps, and set aside the question of whether the form of a GrapheneOS team recommendation would, hypothetically, be pre-installation versus including in the "App Store" app versus publishing Obtaining settings...

          Which messaging app(s) to recommend? Signal, Molly, Molly-FOSS, Telegram, Session, SimpleX, WhatsApp, Discord, Element, SchildiChat, FluffyChat, Subway Tooter, Megalodon? Hopefully not all of them!

          Sometimes "the only winning move is not to play."

          missing-root

          GrapheneOS is extremely barebones and the b/w style is kinda ugly

          GrapheneOS does not use a black and white theme. This is a misconception. It has the same kind of colored theme as the stock OS with a similar blue as the main color. Our icons use black on white because that matches the general concept of GrapheneOS. Many other apps use a single color on a white background too, and a few are black on white. The most common Android app icon background is white. Look at Google Maps, Gmail, Pixel Camera, Play Store and other Google apps. What's the problem with us using a similar consistent color scheme for our own apps? What's ugly about it? What do you consider to look good about those Google apps but not ours? The fact that they have 4 foreground colors instead of 1? Many other apps use 2 colors.

          there is no appstore available to use, which is a huge UX problem

          GrapheneOS includes our App Store which includes 2 app stores: the most widely used one for Android (Google Play Store) and Accrescent. Why should specific third party app stores be preinstalled? They're trivial to install from our App Store.

          preinstalling a slim wireguard VPN would prevent the "boot in safe mode" bypass

          The official WireGuard implementation has memory corruption bugs incompatible with MTE. MTE is force enabled for all base OS components and we aren't going to add an app that's not compatible. Do you expect us to bundle a specific VPN service's app such as Mullvad? Mullvad's app is the only one meeting our standards... but yet it is for a specific third party, paid service where we do not really know how well they run it and can only extrapolate based on the overall high quality public code for stuff like their app. It is not our way of doing things to bundle hard-wired support for specific third party services.

          legal issues with copyleft licenses

          No GPLv3 code is going to be included. GPLv2-only with Apache 2 exception may be acceptable in some cases but we don't trust GPLv2-or-later to remain GPLv2 because it implies they are going to move to GPLv3. It should just be permissively licensed, Apache 2 is fine, so code can be shared properly across apps, etc.

          grapheneOS tries to be perfect securitywise but instead it has nothing, no usable appstore apart from Google Play (which is often problematic as seen with Syncthing) and not many preinstalled apps

          Not true at all. Also, presenting the unmaintained Syncthing app which is not keeping up with target API levels as an example disproves your entire point. Why should we promote an app store with substantially lower privacy and security standards than the Play Store? Those are the main requirements you're referring to avoiding if you're talking about Syncthing since the issue with it was that they were not keeping up with target API levels which are largely about backwards incompatible privacy/security changes and to a lesser extent UX improvements such as edge-to-edge being the default for targeting Android 15 (API 35) which is the only thing we need to change in our own apps in practice. Isn't it a good thing that all apps on the Play Store are going to finally end up supporting edge-to-edge? Why do you want poorly maintained, insecure apps unable to keep up with basic security patches and security standards? If you want that, F-Droid can be installed with the bonus of untrustworthy people building the apps in an outdated build environment and often lagging far behind on updates or introducing issues such as the state of Organic Maps being broken. Expecting us to promote F-Droid is pointless. It is horrible and we aren't going to put our users at risk that way.

          having an official list or website with obtainium URLs for recommended apps, or even a setup page installing them as user apps, could have a big disclaimer we do not manage these apps, they are independent projects would be a huge UX benefit.

          There are very few apps we can truly recommend, and it's one thing to mention an app like Organic Maps or Mullvad as being generally quite good but quite another to actually bundle it. It is not as if we've heavily reviewed them and we're largely extrapolating from what we've seen and know about them to the overall app. Have we looked in depth at the code for them? No, but from what we've seen they are high quality. Is that a reasonable position to push them to our users? Not really. We avoid making a bunch of recommendations for a reason.

          Otherwise currently, in my example, I buy a phone used, flash GrapheneOS and set it up, talking with the person and also kinda giving free tech support. This worked for a non-tech-savvy close friend, but may not be scaleable.

          They could have started with the same apps they would have used on the stock Pixel OS from the Play Store and figured out which open source apps they want to use over time. We're fine with that. It's the main way we expect people to be onboarded. They start using the same apps, then move to more privacy respecting ones.

          Obtainium is fine as a stopgap but is not an approach we can seriously recommend long term. Apps should be in Accrescent or provide a self-updater and be in the App Verifier database for the initial install which can be integrated into GrapheneOS eventually as we've planned to do since before the app was made.

            GrapheneOS

            While on the topic, are there some other apps that you'd consider "generally quite good"? That 'rating' from you would mean a lot to someone like me who can't read code/evaluate the good level of an app!

            GrapheneOS

            Thanks for the answers.

            Theming

            GrapheneOS is different than Apple and Google. All have their advantage.

            Icons:

            • Apple has very distinct icons, pretty "classy" and not following a special style like material icons on Android etc
            • Google apps are always multi-color which makes no sense as everything looks the same
            • GrapheneOS apps are all black/white which makes sense to have them distinct from most other apps.

            Beauty is an opinion, I think the default look is fine but not appealing to people that really would use apple for the fancy looks.

            The background is black, which makes sense for conserving battery and it is also kinda distinct. But this is a point too.

            instead, coloring the app foreground color in pastel colors, each one in a different one, could make it look more beautiful.

            Also using a kind of gradient like red/blue/green as background could be neutral but look better.

            Kinda like /e/OS does it, while they pretty obviously copy apple.

            Designwise, Android was always worse than Apple I think. The alarm tones were strange and oddly specific, while apple just nailed their ringtones etc. This kind of "being precise, specific, distinct but not cringe" is appealing to a lot of people.

            App store

            I hope you get what I mean. Okay, your point is that the Playstore is secure, and it is certainly usable and okay for privacy.

            If Syncthing-android was just blocked for not being up to date, that may be fine. But it didnt sound like that, instead it sounded like Google complaining about some random permission the app has. The dev never got to talk with a human about this and have up after months.

            Apps that need to do things like that, or even require some elevated permissions with adb, while being FOSS and not malicious, will always face issues like that.

            Meanwhile, garbage apps like Slack (and everything else?) get along with bs changelogs like

            we did some cleanups and fixes, that are so complex even we dont really understand them

            Like, this is allowed?

            The same happened for Conversations, where the dev had no privacy policy, but the app had optional contact permissions. Which led to a quite funny privacy policy (which was changed so it is not funny anymore).

            The playstore is full of fakes especially of FOSS software. It simply is full of garbage, unlike F-Droid (where you would just find a ton of very outdated, but not malicious software).

            I know your stance on F-Droid, and while I have a bunch of points to add pro F-Droid I also agree on your negative arguments. I personally use Obtainium, which is kinda bad and background updates simply dont work. There will be something better, probably Accrescent, but not yet.

            And still, even F-Droid lacks tons of Apps. Users will install software from random locations, and by not giving a semi-good option, you leave people alone.

            I understand why you wouldnt like to preinstall Obtainium etc. But I hope you get my points here.

            I get why you dont want to recommend random software. The outcome simply is that users need someone else to do that, somehow.

            Switching to GrapheneOS

            in my case, this was an iOS users, looking for things for sync, airdrop, notes, maps etc.

            They have a work profile which is always on, sandboxed play in there (after more hacky things like Obtainium+APKPure caused random issues) and it works well.

            But finding these base tools was an issue.

            I will do a writeup of my personal app recommendations behind the above link, and totally get why you wouldnt want to do that.

              missing-root

              GrapheneOS is different than Apple and Google. All have their advantage.

              We follow the official Material style guide, we simply lack the resources to overhaul all of the legacy AOSP apps. We're in the process of updating all of our own apps to follow modern Material 3 + Material You along with targeting Android 15 including edge-to-edge across them. Overhauling the AOSP apps we plan to keep like Dialer, Contacts and Files will need to be done. It's unclear what to do about the keyboard, calculator, messaging, etc. since alternatives don't really meet our requires. There's a certain gallery app we'll likely fork for Gallery + image editing. We could avoid removing the AOSP one immediately to give people time to transition and complain about what's missing so we can potentially add it before the old one is dropped.

              Designwise, Android was always worse than Apple I think. The alarm tones were strange and oddly specific, while apple just nailed their ringtones etc. This kind of "being precise, specific, distinct but not cringe" is appealing to a lot of people.

              Many people don't agree and bear in mind AOSP has a bunch of legacy sounds, etc. compared to Pixel stock OS. We have fixed a lot of these little things but not sounds in particular, and not the legacy AOSP apps. You may not have that much experience with the current stock Pixel OS if you use GrapheneOS. The stock Pixel OS also has several proprietary fonts it uses and other differences. We changed the default AOSP green theme to a blue one that's very similar to theirs, use the same rounded icons, rounded corners, etc. but there are little UI quirks and differences from things the stock Pixel OS changes compared to AOSP. In the past couple years, we have eliminated a lot of these UI issues, etc. but there's more to do.

              Also using a kind of gradient like red/blue/green as background could be neutral but look better.

              We're not going to massively deviate from standard Android Material style. For now, we have simple icons that are much better than the legacy AOSP ones and which were the approach we took for our own apps. People only complained after we replaced the AOSP sample app legacy icons and never when it was just our own apps. Those AOSP icons were awful and this was a low resource way to replace them with something matching the modern Android style and giving us themed icon support without having to make 2 different icons as we would if we designed the main ones with more than 2 colors. Don't forget we need both themed icons and regular icons, and our current ones are actually both at once although it isn't why they are black on white and that isn't a limitation on color.

              If Syncthing-android was just blocked for not being up to date, that may be fine. But it didnt sound like that, instead it sounded like Google complaining about some random permission the app has. The dev never got to talk with a human about this and have up after months.

              They hadn't updated the target API level and were blocked from making new updates by the target API level being required around 1 year after being introduced by the new yearly update. That's what happened to it. It's clear from the target API level and the timing. A fork of it fairly easily updated it to 34 but wrongly updated it all the way to 35 without testing on Android 15.

              Meanwhile, garbage apps like Slack (and everything else?) get along with bs changelogs like

              Changelogs are not part of what's actually reviewed. They review the app's code/data/metadata including permissions and there are a bunch of things to submit to say why you use certain permissions, etc. Changelogs are for end users and they do not care what's put in them beyond it not being offensive.

              missing-root The same happened for Conversations, where the dev had no privacy policy, but the app had optional contact permissions. Which led to a quite funny privacy policy (which was changed so it is not funny anymore).

              Having a privacy policy is required. They make it very clear you simply need to provide a URL, similar to filling out the forms. It's not hard to do and there are few requirements about it. The same goes for declaring why you use certain permissions. As long as it fits into something they allow, it tends to be easy. If it doesn't or they strictly regulate it, you may have a problem. This does not impact the vast majority of apps and isn't relevant to any of these ones.

              They have a work profile which is always on, sandboxed play in there (after more hacky things like Obtainium+APKPure caused random issues) and it works well.

              Private Space is what's recommended now and is much easier for people to set up.

              I know your stance on F-Droid, and while I have a bunch of points to add pro F-Droid I also agree on your negative arguments. I personally use Obtainium, which is kinda bad and background updates simply dont work. There will be something better, probably Accrescent, but not yet.

              It does not truly avoid trust in app developers. They don't even pretend to review things. They just AV scan them, etc. and build them automatically, then sign them in batches. Malicious developers can check that in advance and make sure they don't trip it.

              Their build environment does not make all builds reproducible and introduces issues such as recently breaking Organic Maps and other apps due to outdated tools and build environment. This introduces security issues which aren't noticed too. F-Droid is consistently using outdated software and development practices, which impacts the apps they build.

              I understand why you wouldnt like to preinstall Obtainium etc. But I hope you get my points here.

              Obtainium really can't be the answer. It's only even seriously considered because Android has signing verification built-in with pinning, but it lacks an answer for the initial installation being secured well which is important.

              Aurora Store is problematic although may become less problematic... but it's just an unofficial way to use the Play Store and we have sandboxed Play Store support already. You're installing code from the Play Store that's almost all APKs generated/signed by the Play Store and many use the Google Play SDK although there's 0 requirement to use it unless you want to do push where they don't really allow an alternative to FCM for power saving reasons or payments (may be different due to recent court wins against them).

              I get why you dont want to recommend random software. The outcome simply is that users need someone else to do that, somehow.

              There are some rare cases like Organic Maps where we could talk make it available in our own App Store with a changed app id and icon so it doesn't conflict with the developer builds, and just leave it pointing to their site, etc. inside the app. We don't really want to ship mirrors of developer builds in our own App Store with the exception of sandboxed Google Play and Pixel apps not available via Play Store, since that's for Accrescent to do or the Play Store for other Google apps, Uber, etc.

                GrapheneOS

                Thanks for the in depth explanations!

                I will switch to Syncthing-Fork once their new build is proven stable.

                Also good infos on F-Droid, I will update my repo accordingly. Those are important issues and sound like bad practices.

                Also interesting infos on the differences between pixel OS and grapheneOS, I saw some discussions on fonts etc, which are also pretty difficult.

                You are doing a really great job, I admire your work.

                GrapheneOS There are some rare cases like Organic Maps where we could talk make it available in our own App Store with a changed app id and icon so it doesn't conflict with the developer builds, and just leave it pointing to their site, etc. inside the app.

                What changes can be made to Organic Maps that would warrant a GrapheneOS build?

                  GrapheneOS Mullvad's app is the only one meeting our standards...

                  It used to just be Wireguard that was recommended, which I guess as of this commit that is no longer the case. What changed? And is Wireguard still preferred over Mullvad, or is Mullvad "good enough" now?

                    Dumdum Here's a couple quotes from the project's X account that I think mostly answer your question:

                    ProtonVPN is unfortunately not the only app with memory corruption bugs uncovered by MTE. Mullvad is the only WireGuard-based VPN we're aware of that has done significant work to fix the issues. The official Android WireGuard app has memory corruption caught by MTE.

                    X Link | xcancel link

                    Mullvad is a good option tested on GrapheneOS by the developers including testing compatibility with our usage of hardware memory tagging on 8th/9th generation Pixels. Official WireGuard app is mostly fine but has unresolved invalid memory accesses caught by memory tagging.

                    X link | xcancel link

                    And here's where Mullvad fixed the MTE issue: https://github.com/mullvad/mullvadvpn-app/pull/6727/files