Is GrapheneOS the most secure OS in the world?

gk7ncklxlts99w1

I wonder how GrapheneOS and pixel compare to other phones and operating systems, including obscure ones and ones probably only used by rich people and spies, etc.

To my understanding, Pixels are the most secure phones from a hardware/firmware perspective, while GrapheneOS provides additional security and privacy on top of that. If we take privacy completely out of the equation here, how does the latest Pixel + GrapheneOS fair against some other phones and operating systems?

Here's a non-exhaustive list of potential competitors. Keep in mind that some of these are probably not available to the public, or obsolete, or focus more on privacy than security. While privacy and security both work hand in hand, I'm mainly focusing on security for my question. And please do not say something like "but privacy and security aren't the same thing", I've heard it all before.

Solarin by Sirin Labs. Super expensive, and uses "Zimperium", some kind of security enhancing technology (probably uses an intrusion prevention system and similar). It's probably marketed to celebrities who can afford it, and likely uses standard security technology like "military grade encryption". Most of the stuff I read about it is security theatre.
Sirin Labs Finney U1. Uses a modified version of Android, and an IPS.
Murena One, which uses /e/OS, a fork of LineageOS. More privacy than security focused?
Purism Librem 5. I'm sure most of you are familiar with this one. I was very close to buying this prior to using GOS, back in 2022, but its terrible track record for actually delivering the product and numerous hardware issues made me decide to use GOS instead, after several years of considering both options. Its main security feature are its hardware switches and (I think?) open source hardware.
K-iPhone. I know nothing about it. Takes iPhone security to the next level. I think iPhones are considered more secure than stock Android.
Bittium Tough Mobile 2
Blackberry. In the old days, these were used widely for security. Not sure about now though. Apparently has ties with Zimperium.

I still think GrapheneOS and Pixel is the best phone/OS you can use as a normal consumer. But I'd be willing to bet there are some phones built by certain agencies that we don't have access to, that might rival GrapheneOS.

Xtreix

gk7ncklxlts99w1 "Most secure OS in the word" is always a tricky statement, it probably is, but the user shouldn't believe that GrapheneOS on a recent Google Pixel is a magical bulletproof fortress, that's not how it works.

The GrapheneOS project account or a project developer are the best members to answer this question, but to give my pinion on the spot, I can say that many mobile devices sold “for security and privacy” are overpriced scams and target a category of customers who think that “high prices + secrets = data security and privacy”, these companies often use a spy agent movie atmosphere in their marketing.

I've never heard of Solarin, Sirin, K-iPhone and Bittium and I wouldn't trust his devices.

Blackberry hasn't been making security oriented phones for years. They used to use a microkernel-based architecture, which was good.

Murena and Purism, bring neither security nor privacy; on the contrary, they massively reduce it as far as I know.

From what I found out in a discussion with a member of the Molly project (hardened fork of Signal), apparently, the only phone to compete, or to have competed, with GrapheneOS on a Google Pixel is the Cryptophone from GSMK but they only sell to companies and are not suitable for use in everyday life, you can't even buy one as an ordinary buyer. I know very little about the Cryptophone so don't ask me questions to find out why and please note that I'm not asserting anything.

Some of these phones, sold at too high a price for their “security”, use operating systems that are in fact modified forks of GrapheneOS.

GrapheneOS

gk7ncklxlts99w1 GrapheneOS is definitely not the most secure OS if you don't limit it to user-facing general purpose smartphone, laptop or desktop OS. GrapheneOS is easily the most private and secure general purpose smartphone OS. The competition is iOS, none of these products. It's certainly more secure than everything you've listed here. iOS and AOSP are far more secure than any traditional desktop operating systems. We would simply say GrapheneOS is more secure than iOS in lockdown mode when looking at the whole picture despite iOS having a more secure base for the kernel for now. iOS has a lot of merits, but these things don't.

Solarin by Sirin Labs

We don't have all of the details but we're confident it's less hardened than GrapheneOS and focused more on performative things such as the IDS you mention.

Murena One, which uses /e/OS, a fork of LineageOS.

Highly insecure hardware and software. Massively worse than the Android Open Source Project. Neither good for privacy or security. It lags so far behind on patches and rolls back security so much along with having a bunch of poorly implemented, privacy invasive services as part of it.

Purism Librem 5

These are highly insecure devices without basic security patches and security features implemented. The OS doesn't have a basic application security model or other protections. Audio recording kill switch isn't implemented correctly and that's the one which could be more than a near useless frill.

K-iPhone

Looks like an iPhone with device management and other apps set up. Very sketchy. Just compare to a regular iPhone instead, it's the same hardware and OS, and avoids all the sketchy stuff.

Blackberry

They don't make smartphones anymore. They licensed out their brand to others to make highly insecure ones without proper support. Their hardening was less impactful than the security features missing from not having the major OS upgrades. Their Android smartphones were much less secure, not more secure. Whether or not their prior OS was secure is an open question since it didn't get much research. Using a microkernel is very good in theory, but it can be less secure in practice.

JollyRancher

gk7ncklxlts99w1 I wonder how GrapheneOS and pixel compare to other phones and operating systems, including obscure ones and ones probably only used by rich people and spies, etc.

GoS on a Pixel 9 is the most secure computer that the general public can get.

It beats most bespoke devices as well.

As for spies? Well both Apple and Google have strong relationships with the US NatSec establishment. One could surmise that the have bespoke iOS/Android versions that are signed with the official keys and on the surface would present as vanilla devices but in reality have all kinds of security, privacy, and intelligence gathering features that would never see the light of day.

DeletedUser237

gk7ncklxlts99w1 the most "secure" OS is the one that's turned off and hurried 100m in the ground. Problem is it's unusable.

Even air gapped systems can be infected with malware. It's not he system that's the problem, it's the human factor.

Hesao

GrapheneOS Have you read this article on iOS 18 secure exclaves (only for iPhone 16 & M4 iPads)? If it’s of any interest

It seems like it could possibly improve iOS security quite a bit:
https://randomaugustine.medium.com/on-apple-exclaves-d683a2c37194

kebab_definite

user0

GrapheneOS how does ipados compare?

user0

There is no such thing like most secure OS, it is always cat and mouse game

DeletedUser227

The fact that dev account confirms that GrapheneOS is most secure smartphone OS in the world (with close competion being iOS which is by far not as private) is all I need to know.

Xtreix

DeletedUser227 I hadn't thought about iOS, probably because I don't use an iPhone, but iOS deserve credit for security.

andrej567

most secure os is probably on a cellphone with battery taken out.

I believe Graphene OS is somewhere at the top of the list.
I wonder what top politicians use, if it is something a regular person can buy or something proprietary, or it's something "normal" with extensions..

Xtreix

andrej567 most secure os is probably on a cellphone with battery taken out.

This makes the device unusable.

andrej567 I wonder what top politicians use, if it is something a regular person can buy or something proprietary, or it's something "normal" with extensions..

It's a mix of all three for all I know, but don't think the data protection habits of someone who works for a government is an example, I remember a study from Proton that showed a lot of politicians aren't concerned enough about protecting their data, many use SMS and Telegram, also WhatsApp (the least worst of its three).

There was an attempt in my country to make a supposedly security-oriented phone for government use, another bullshit you ask mebut it didn't convince because it was too difficult to use and too impractical for everyday use.

andrej567

Xtreix "This makes the device unusable."
The idea was that todays cellphones are so complex, that there is always a possibility for vulnerability. And if you install various apps it gets worse of course. A dumb closed system where you can dial and answer calls with some hardware voice encryption would be probably safe.. But you may need to automatically rotate/update encryption keys or at least sync contacts which opens a path for vulnarabilities...

gk7ncklxlts99w1

andrej567 the point you're making is moot

The devs of GrapheneOS are aware that reducing permissions leads to a more secure OS. Something that has less lines of code allows for less chance for vulnerabilities, and its easier to maintain, less chance for things to break. Of course the most secure OS is one that is effectively a brick - but that would not be an operational system. Dumbphones could be cited here as an example if it weren't for the fact that you probably use it to do SMS and calls, which are incredibly insecure compared to say, Signal. If you use a dumbphone and never insert a SIM card, and never enable bluetooth, you could say it's pretty secure but also pointless for anything other than playing snake.

TrustExecutor

JollyRancher
Thrilling to think about it! I hope there is some information leak one day.

Murcielago

JollyRancher

As for spies? Well both Apple and Google have strong relationships with the US NatSec establishment. One could surmise that the have bespoke iOS/Android versions that are signed with the official keys and on the surface would present as vanilla devices but in reality have all kinds of security, privacy, and intelligence gathering features that would never see the light of day.

Theoretically, many things are possible and conceivable - do you have any reliable sources or evidence to support this theory?

gk7ncklxlts99w1

JollyRancher

Is Pixel 9 known to have any security improvements over previous generations?

JollyRancher

Murcielago
One could surmise that anyone who had reliable sources or evidence of that would be bound by various laws & regulations dealing with classified information and thus highly advised not to provide that information to anyone not cleared for it.

In the event that I theoretically had such evidence, I certainly wouldn't provide it.

Note the "surmise" in my post, it exists for a reason.

Murcielago

JollyRancher

One could surmise that anyone who had reliable sources or evidence of that would be bound by various laws & regulations dealing with classified information and thus highly advised not to provide that information to anyone not cleared for it.

It is certainly not easy to leak such information but thanks to brave people risking a lot it happens.

The last prominent example I can think of off the top of my head:

U.K. orders Apple to let it spy on users' encrypted accounts

Someone leaked the info and now it's being widely and publicly discussed.

In the event that I theoretically had such evidence, I certainly wouldn't provide it.

In that case, i think it would probably be safer for you not to post this (not even disguised as a vague assumption) in the forum (those actors who can do what you are suggesting would probably also be able to tell exactly where you are right now and be knocking on your door in the next few minutes).

More helpful for everyone (and probably also safer for you- protection through public exposure) would be to (secretly) make it public with evidence of this so that it can be widely discussed and we as a society can fight back.

Note the "surmise" in my post, it exists for a reason
.

I noticed and really appreciated it.

Look I can't prove you wrong (which holds true to many assumptions about what might happen im the world). I just think that pure conjecture without any proof doesn't offer much value and could even lead to wrong decisions:

In this specific case (just an example) your assumption could lead people to the - based on the current facts- false conclusion that swapping a up to date iPhone or a Google Pixel (due to arguing

both Apple and Google have strong relationships with the US NatSec establishment

for a Purism Librem 5 would be a good idea to protect against the threat you "surmised".

grayway2

IOS is secure but was also compromised several times before apple introduced "lockdown mode"

Lockdown mode was probably already bypassed but we just don't have any public proof.

As for me, the most impressive hacking of iOS was against the Kasperksy team : https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/

A company who talks about military grade encryption technology cannot be serious about security. So for me Solarin is just a scam like NordVPN. Also the company is from Israel (Cellebrite, Pegasus ect.)

Even for free I don't want it

GrapheneOS

grayway2

IOS is secure but was also compromised several times before apple introduced "lockdown mode"

The claim that it isn't regularly exploited in ways that work with lockdown is false.

Lockdown mode was probably already bypassed but we just don't have any public proof.

This is a completely inaccurate claim and we've provided such examples ourselves as have others. There are many examples of devices with lockdown being exploited. It greatly reduces the attack surface of Safari and and especially Apple messaging services but doesn't do a whole lot beyond that. It doesn't enable a bunch of advanced hardening features.

gk7ncklxlts99w1

grayway2

How is NordVPN a scam? Just because it mentions military grade encryption, does not make it a scam. All that says is their marketing is vague and deliberately sensational to get you to buy their product. That doesn't equate to scamming.

grayway2

GrapheneOS As you said, it greatly reduces attack surface of Safari and Apple messaging services.

Lockdown mode successfully blocked attempts from NSO group : https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/

From that article : https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

If lockdown mode was "on" it would stop the attack because in that case it was using an exploit through iMessage.

By the end of 2023, Apple said that they were not aware of any successful attack against individuals using lockdown mode : https://techcrunch.com/2023/12/07/apple-says-it-is-not-aware-anyone-using-lockdown-mode-got-hacked/

So since then, I did not find real public proof of devices running last iOS update + lockdown mode on being exploited remotely.

I'm not saying it's a bulletproof but I do not see the "many examples of devices running lockdown being exploited"

I do not count AFU exploit with physical access of the device because I'm specifically talking about exploitation through remote.

ignoramous

grayway2 By the end of 2023, Apple said that they were not aware of any successful attack against individuals using lockdown mode : https://techcrunch.com/2023/12/07/apple-says-it-is-not-aware-anyone-using-lockdown-mode-got-hacked/

So since then, I did not find real public proof of devices running last iOS update + lockdown mode on being exploited remotely

Apple would say that because why won't they. They're a marketing-oriented company, first and foremost.

CitizenLab (Canada) is more humble in its assessment (in the same blog post you shared):

Given that we have seen no indications that NSO has stopped deploying PWNYOURHOME, this suggests that NSO may have figured out a way to correct the notification issue, such as by fingerprinting Lockdown Mode.

GrapheneOS It doesn't enable a bunch of advanced hardening features.

Yep. Inexplicably, iOS' Hardened Runtime remains opt-in, instead of turning it ON in Lockdown Mode for all apps.

DeletedUser227

grayway2 what percentage of iOS users know/understand what lockdown mode is, let alone use it? I don't have the statistics, but I have good guess, very small. So a lot of devices WILL get exploited in AFU.

GrapheneOS

grayway2

By the end of 2023, Apple said that they were not aware of any successful attack against individuals using lockdown mode

Apple is not aware of their devices being exploited in general, and hardly anyone uses lockdown mode, so why would they be aware of that happening? It's a marketing claim with very little substance behind it. Safari is regularly remotely exploited with lockdown enabled, as are the OS and other apps. Lots of real world, publicly available evidence proves you completely wrong. Apple is using misleading marketing by claiming they aren't aware of something which they would realistically have no way of being aware of in the first place especially considering they aren't really trying to find it themselves. It's as worthless as it would be for us to say we have no evidence of there ever being a successful remote exploit in the wild against GrapheneOS with any configuration. That is true but we don't say nonsense like that because we know it's highly misleading and marketing GrapheneOS that way would be dishonest.

grayway2

DeletedUser227 Lockdown mode does not prevent AFU exploit of Iphones with physical access.

Lockdown mode is to prevent access over-the-air from malicious actors. Lockdown mode does not protect you, if your iPhone is already compromised.

Hesao

kebab_definite iPadOS is basically iOS, but without standalone support for SMS and phone calls and some different features like stage manager, that I doubt would be exploited.

user0

kebab_definite ipados is secure, but there always is BUT
It is not private. And can be exploited with all sorts of pegasuses
GOS is as private as possible and secure.
BUT
It does not have (no os does) protection from zero days or idiot user.