Hey folks,
I've been in IT for a long time, pretty deep into DevOps and related security processes over the past few years, and now I'm moving toward a full-on DevSecOps/Security Engineer role. I'm thinking about putting GrapheneOS on my Pixel 9 Pro XL, but I don't want my privacy hardening efforts to end up introducing actual security gaps.
The first part is organisational/administrative. In some organisations, security teams look sideways at custom ROMs, especially GrapheneOS. You know, in the EU GrapheneOS has a bit of a reputation; some people see the phone and figure you've got scales and small plastic bags in your backpack too. Well, most such companies hand out their own devices, but I'd rather not carry two phones if I can avoid it. I'd love to hear from anyone who's been in security roles and dealt with BYOD + GrapheneOS.
The bigger part is how GrapheneOS really holds up in practice when security is the only priority. I'm aware of some points people raise, like app compatibility modes that can weaken protections, not all hardening being enforced system-wide, and the recent shift to a generic build process from Google that could affect patch turnaround. And one of my biggest worries is the human factor. The project leans heavily on a very small core team; you already know that one of the lead devs was drafted for military service. With so few people holding the keys, any problem, like a conflict or even a compromise, could have a serious impact on updates, patch speed, and the trust chain.
Thanks in advance for any on-topic answers.