Beginner questions

userofgos

polygraph how does the deliberately ungoogled Graphene protect from that?

GrapheneOS is not "deliberately ungoogled" as you say. It is true that there are no Google apps/services installed by default. It is true that GrapheneOS removed all default AOSP connections to Google. However it is not true that the purpose of GrapheneOS is to avoid everything Google. That is for the user to decide.

polygraph I am reading some people recommend using a "fake account" but registering with Google is not possible without a mobile phone number

It has become more challenging to create a burner Google account without a phone number, but it is still possible. As others have reported in other threads, and my own experience, it is possible under certain conditions.

Don't use a VPN, instead connect to a public WiFi (such as one found at Starbucks, McDonald's, library, coffee shop, etc).
Create account from within the Google play store
Set up MFA/2fa code with an authenticator app
And you should have no issues after that

Some may add additional steps such as create a guest profile or user profile beforehand, setup the burner account, log out, and deleting the profile and signing in later after connecting to a VPN on a different WiFi network. Depends on your use case or threat model or preference.

polygraph I read: the ADB software itself is insecure and unsafe.

I don't believe that @Watermelon was claiming the codebase of ADB by itself is insecure and unsafe (though in production use that may be).

It's more likely that the point they were trying to get across to you are the security holes you open your device to by enabling ADB (and more specifically USB debugging).

This tweet thread may provide some insight: https://xcancel.com/GrapheneOS/status/1995687306167218536#m

There are many ways to reduce security in developer options. Using ADB at all reduces security since you're giving immense access to another computer. ADB should be avoided on a production device. There are many dangerous features in developer options beyond using ADB though.

Watermelon

userofgos GrapheneOS is not "deliberately ungoogled" as you say. It is true that there are no Google apps/services installed by default. It is true that GrapheneOS removed all default AOSP connections to Google. However it is not true that the purpose of GrapheneOS is to avoid everything Google.

GrapheneOS itself avoids Google, but it aims to be neutral in letting users use whatever they want on top of it. So in this sense, it's deliberately un-Googled.

polygraph

userofgos GrapheneOS is not "deliberately ungoogled" as you say.

Having to clarify one's words again and again is becoming cumbersome but I guess that's the only way.

It is ungoogled deliberately (intentionally, on purpose), i.e. not by mistake, not by accident, not as a side effect. Even the docs I am repeatedly being referred to say it and even you confirmed it.

However it is not true that the purpose of GrapheneOS is to avoid everything Google.

OK, you are telling me that what I have not said is not true. :)

connect to a public WiFi

Why?

And you should have no issues after that

Except the main one - that I will have to use Google against my will.

Watermelon Note that the labeling of versions as “alpha” or whatever is subjective and up to the software author to decide.

Where can we ask about the actual reason of Accrescent?

The linked post talked about attack surface. Do you know what attack surface is?

Otherwise I wouldn't use the phrase in an earlier post.

ADB [...]

I think it has become clear what you actually meant.

Revliss Again, beware of the legal consequences (no joke) and post your results here before the big Agencies find you ;)

I should have set my nickname to "scapegoat" :)

Watermelon

polygraph APK is much easier

An app (e.g. APK file download) is the only way. (The other way would be a built-in feature in the OS, but that doesn't exist (yet?). (You could try posting a feature suggestion in the Google issue tracker if it hasn't been posted there by someone else already.))

polygraph it seems RethinkDNS might indeed be the way.

I think this app is a specific service rather than letting you use any server you want, so that's why I didn't suggest it above. But it might be worth to try.

polygraph But if one is compelled to return to Google in order to use certain apps, how does the deliberately ungoogled Graphene protect from that?

Firstly, GrapheneOS makes it so the OS never tries to use Google services for any OS functionality even when Google Play is installed. It's really decoupled from the OS on GrapheneOS. There's many people I've seen on this forum who claim they don't have Google Play and they're doing okay without it.

Secondly, I don't recommend this option but you can always try installing Google Play in a separate user profile or inside Private Space. GrapheneOS makes improvements to user profiles:
https://grapheneos.org/features#improved-user-profiles
Apps are sandboxed, but visibility and communication between apps is still permitted. User profiles and Private Space (which is a special user profile) are the current way to segregate apps so they shouldn't be able to communicate with each other. There's still some leaks acknowledged (e.g. the loopback interface) allowing for apps to speak across user profiles, and GrapheneOS is planning both to fix all leaks and to somehow address the segregation problem without requiring use of different user profiles; they've termed this future feature App Communication Scopes but have paused work on this feature temporarily due to various issues related to this feature and because of the mountains of work they have due to external factors like Google and the French law enforcement. App Communication Scopes is one of the most commonly requested feature. Feel free to look it up.

Multiple user profiles have various non-obvious oddities. I recommend having only a single user profile.

Thirdly, in the recent versions, GrapheneOS made it possible to use certain Google-dependent apps without Google Play. They also said they intend to expand this practice. See for example:
https://grapheneos.org/releases#:~:text=2025102300%20release:-,Sandboxed,integration
https://grapheneos.org/releases#:~:text=we%20want%20to%20expand,without%20Play%20services%20installed

polygraph Please correct me, if I am wrong, but I think using Google Play Store requires to register a Google account, i.e. sharing one's personal data with Google. I am reading some people recommend using a "fake account" but registering with Google is not possible without a mobile phone number, which is not anonymous.

This is one of the most commonly repeated complaints on this forum, and people commonly say it's not true and that you can use a public cafe's Wi-Fi or something. Look it up.

polygraph I read about that in the other thread you linked but their page says "Currently in alpha", which doesn't sound "well-tested and secure", right? In that sense, it is not a solution (yet), so what should one do?

This is a healthy practice to beware of alpha software. With that said, Accrescent is already recommended for use and is already working. Due to being small and lacking resources, they've had a few weeks recently where updates were blocked through the app store, but they fixed it. For now, I can recommend Accrescent.

Note that the labeling of versions as “alpha” or whatever is subjective and up to the software author to decide. Nothing prevents them from claiming their solid software is in alpha state. I've seen some software authors doing that, actually. I avoid any other kind of alpha or beta software because I want a bug-free experience; Accrescent is the only exception I can think of.

polygraph When you write "ADB is incredibly insecure and unsafe", I read: the ADB software itself is insecure and unsafe.

USB debugging can be dangerouns - of course, that's not news. It still doesn't mean ADB itself is what you say it is.

~~The linked post talked about attack surface.~~ (Edit: actually not, my bad, but the GrapheneOS team has warned about the attack surface of ADB being huge in other places.) Do you know what attack surface is?

Furthermore, ADB allows immense control over the device, control that can do things that shouldn't be possible on a normal device and aren't tested for. If you want security or stability, avoid it.

userofgos

polygraph Having to clarify one's words again and again is becoming cumbersome but I guess that's the only way.

It is ungoogled deliberately (intentionally, on purpose), i.e. not by mistake, not by accident, not as a side effect. Even the docs I am repeatedly being referred to say it and even you confirmed it.

They way I was approaching my response was in thinking that you may be under the same ideology as those that come from the LineageOS/CalyxOS/ROM's with a deep distaste of anything Google and even the consideration of using Google Play to install apps seems to be an abomination in their eyes. Am I wrong in my assumption (it is just that)?

Watermelon wrote it better here and here Watermelon

polygraph connect to a public WiFi

Why?

Because if you use a VPN, you're more likely to get flagged as a bot. You could also use your home wifi if you're not worried about IP association.

It has become clear to me that no answer is sufficient for you, and it also seems GrapheneOS doesn't meet your needs. So do whatever you think is best, I'll end my responses to you here as it seems you are not acting in good faith and just dismantling and nitpicking every reply folks here have written. Farewell :)

Revliss

Warning. I do not condone doing this for legal reason;
You can unpack the firmware, there are tools for this purpose. I read a blog post about it claiming the baseband code can be crashed rather easily. Decryption is feasible for some versions.

Again, beware of the legal consequences (no joke) and post your results here before the big Agencies find you ;) Some important codes have booby traps when decompiling, I was young the last time I've messed with something like this. Would not recommend, you'd be a target for life.

polygraph

userofgos

If I may suggest, most kindly and respectfully, it would be better to stop trying to read my mind and start reading what I write.

They way I was approaching my response was in thinking that you may be under the same ideology as those that come from the LineageOS/CalyxOS/ROMS with a deep distaste of anything Google and even the consideration of using Google Play to install apps seems to be an abomination in their eyes. Am I wrong in my assumption (it is just that)?

The answer is in my earlier replies:

The priority is security and privacy.
I am against any form of bigoted conformity.

In context:

If there is a way to avoid Google, I would very much prefer it. If for some apps there is not, I understand there needs to be a compromise: either not to use the app, or to use Google Play to install it, or build it from source and install it on each release.

Anyone, please correct me, if I am wrong.

Because if you use a VPN, you're more likely to get flagged as a bot.

I understand. Thank you. I don't use VPNs anyway.

You could also use your home wifi if you're not worried about IP association.

What is the point? The IP address will be revealed while using the app anyway. Using the app is not anonymous too (it is pseudonymous), so what has hiding IP address to do with privacy here? Am I missing something?

It has become clear to me that no answer is sufficient for you, and it also seems GrapheneOS doesn't meet your needs.

Simply not true. My interest in the system is ongoing and I have thanked multiple times for the answers. I have also explicitly confirmed that only part of one question remains unanswered for which I opened a separate thread. I am considering Pixel 10 devices, as I see the battery is much easier to replace, so I am waiting to see when it will be officially supported.

So do whatever you think is best, I'll end my responses to you here as it seems you are not acting in good faith and just dismantling and nitpicking every reply folks here have written. Farewell :)

According to the code of conduct, community discussions should be about features and code, not the individuals involved. If you feel any of my posts violate any rule, you can report them rather than post mala fides remarks.

userofgos

polygraph If there is a way to avoid Google, I would very much prefer it. If for some apps there is not, I understand there needs to be a compromise: either not to use the app, or to use Google Play to install it, or build it from source and install it on each release.

Understood, I wasn't trying to attack you, apologies if it seemed that way. Guess I've just been accustomed to a certain group of individuals that have an all or nothing perspective and aren't willing to compromise. I see I was wrong in my assumptions (that's what there were afterall). :)

polygraph What is the point? The IP address will be revealed while using the app anyway. Using the app is not anonymous too (it is pseudonymous), so what has hiding IP address to do with privacy here? Am I missing something?

I'd say the point is entirely dependant on your threat model. Some may be okay with IP association but don't want to use an already exiting Google account that has years of data collect from Gmail, Google searches, Ad tracking, Youtube watch history, etc. I never said the account would be anonymous, I believe I used the term "burner", so you're correct that it is a Pseudonymous account.

polygraph Simply not true. My interest in the system is ongoing and I have thanked multiple times for the answers. I have also explicitly confirmed that only part of one question remains unanswered for which I opened a separate thread.

I stand corrected.

polygraph If you feel any of my posts violate any rule, you can report them rather than post mala fides remarks.

I wasn't saying you violated the rules. I guess I was just reading too much into your responses and took it too personally. My apologies :)

Novalissoide

polygraph how can a fellow ReplicantOS user even begin rationalising having taken up all this vast support-thread space, we were supposed to be immutable warriors, not narcissistic trolls..

polygraph

userofgos

Thank you for the feedback. I am really happy to see the positive turn.

hemingway As a privacy and freedom lover myself, I ultimately expect to be forced to use a fully stock phone for google-reliant apps I cannot do without (banking, etc.) and a separate, degoogled phone running FOSS-only apps as my daily driver. GOS ticks both boxes at least for the moment.

I have thought about the same. Unfortunately, the problem with using a separate phone is that stock Android is not as secure as Graphene, so it is kind of strange to dedicate a less secure device for something as important as banking.

OTOH, I have been reading that not all banking apps work in GOS, so I wonder if after buying these expensive phones I won't be in the situation to not be able to use certain apps, i.e. the tick is still blurry to me.

hemingway

polygraph

To answer what appears to be the core of your question:

GOS does offer many security and privacy improvements over stock (more info on this on the features page of the website) but it does also make several decisions for you, such as using Vanadium, and it does not offer as much freedom as some custom ROMs when it comes to changing these decisions (such as uninstalling system apps, though unlike other ROMs you have the option to disable many system apps).

Yes, you could theoretically build your own fork and configure it to your liking but that takes copious amounts of time and effort, especially for things like removing Vanadium (since this would likely break all apps that depend on it to display webpages as the sole, afaict, unchangeable Webview implementation).

I see GOS as a compromise for people that prefer a degoogled phone but recognize that this excludes them from apps that refuse to work on anything else. A defanged version of the Google services framework that most such apps rely on can be run in a sandbox in GOS, heavily restricting the free reign it enjoys as a system app on other googled phones.

GOS is not completely free of disadvantages however. A rising number of apps are currently onboarding the Play Integrity API, effectively refusing to run on any custom ROMs including GOS (many banking apps for e.g.). It still remains to be seen if enough app developers will opt for the custom-ROM-friendlier Android hardware attestation going forward.

As a privacy and freedom lover myself, I ultimately expect to be forced to use a fully stock phone for google-reliant apps I cannot do without (banking, etc.) and a separate, degoogled phone running FOSS-only apps as my daily driver. GOS ticks both boxes at least for the moment.

userofgos

polygraph I have been reading that not all banking apps work in GOS, so I wonder if after buying these expensive phones I won't be in the situation to not be able to use certain apps, i.e. the tick is still blurry to me.

Not sure if you're already read through the website on this. It goes into detail about why some apps don't work, some workarounds, and a third party comparability list. If your bank isn't listed there, you can create a new thread and ask if anyone has issues with it, most often there's someone that uses the same bank and is able to report if it's functional.

Check the list below first to see if your back is there:

Novalissoide

polygraph I should apologise for talking like my latest comment, I'm sorry, sometimes ones thinking gets too drastic. 🧘

« Previous Page