With my utmost respect to the other posters and their suggestions, I only say this from my perspective.

Don't let security be the determining factor for you. Instead consider which hardware and what software options you will have, and how "robust" the privacy is. I don't know how much better that OnePlus phone is compared to a Pixel. Nor do I know any of the features and privacy elements of DivestOS. But I can tell you that after I considered a number of OSes, what made me go with GrapheneOS wasn't mainly the security (that was a bonus). It was the price to start, software compatibility and the amount of flexibility it offered. Because of its Sandboxed Play, it means I will not run into future "FORCED TO HAVE" apps not working.

GrapheneOS has:

  • Total Google independence
  • Sandboxed Google Play (strong app compatibility) (even microG is an option, not recommended)
  • Profiles (separate contacts, apps, multiple accounts running at the same time, separate VPNs)
  • Very "robust" privacy
  • Total network denial to individual apps (huge deal, makes a big difference, not available on any other OS)
  • Sensor denial to apps
  • Original phone camera app working (no compromise in camera quality)
  • MAC randomization
  • Top of the line security (better than stock)
  • Updates
  • 5 or more years of life
  • More setup required at start

The Pixel (6a) has these issues though:

  • No phone jack
  • Touch registration not 100% all the time
  • No external memory
  • Storage only 128 GB

Anyway, consider what's important to YOU and think of the future, your wallet, and realism. Actually really think of your app needs and their compatibility and your privacy goals. Don't fall for "better hardware" hype trains either.

I'm blown away by how close this phone is to a non-privacy phone and how little compromise there is. I'm glad I didn't go with some of the other systems.

The permission denial part is a huge point, as is the maintenance with the swift updates and all, and I'd add that community and support/discussion channels are important too.

I'm also curious about any possible remote access because of an unlocked bootloader though!

[deleted]

No. But I am questioning if this attack vector is possible. I'd love to be wrong, but can't see how an unlocked bootloader is vulnerable to anything but a physically present attacker.

    Graphite

    The main threat model for verified boot is a remote attacker compromising the device. It prevents them modifying the OS or directly persisting with root/system level access. Factory reset purges their access.

    The purpose of preventing them directly persisting privileged access is to force them to exploit the OS again at each boot, which makes their control much more fragile and much easier to detect. It combines well with reduced trust in persistent state and hardware attestation.

    https://nitter.lacontrevoie.fr/GrapheneOS/status/1621463829229047810

    kopolee11

    Thanks. That's specifically for Verified Boot.

    I have not tested this out myself, so I don't know. Once you unlock the bootloader, are you saying verified boot is completely disabled? Or is it just that verified boot continues to work, but can now be bypassed with physical access to the device?

    Thank you for the information. I'd love to know the details.

      Graphite

      Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will detect modifications to any of the OS partitions and it will prevent reading any modified / corrupted data. If changes are detected, error correction data is used to attempt to obtain the original data at which point it's verified again which makes verified boot robust to non-malicious corruption.

      https://grapheneos.org/install/web#locking-the-bootloader

      Graphite Verified boot is not enforced with an unlocked bootloader. Being able to lock the bootloader is the bare minimum for ensuring that the device is reasonably secure, and it is very unfortunate that locking the bootloader has become synonymous with physical threats, when that is simply not true. The entirety of the security model depends on the bootloader being locked, so that verified boot can be enforced, and you go from there. It does not stop at physical access at all.

      Ok, thank you. I think I understand better now. Verified boot, which is extremely important even against remote attackers, is wholly dependent on a locked bootloader. And an unlocked bootloader makes the device vulnerable to more than just physical attacks, because it disables verified boot.

      Thanks for taking the time to clarify.

      2 months later

      steadfasterX While it was possible to relock the bootloader of older OnePlus devices, verified boot was done in a completely insecure way. They attempted to fix this on newer devices by completely removing support for alternate operating systems.

      intelligence Those claiming that an unlocked bootloader is more susceptible to remote attacks are missing a key piece:

      I don't believe people are claiming this. I believe they are stating that a locked bootloader and verified boot are a better defense against persistence. In other words, two similar devices with one locked and the other unlocked are similarly susceptible to remote compromise; however, the locked device with verified boot will be more resistant to persistence.

      intelligence if somebody is able to compromise the device to the extent where they can take advantage of the unlocked bootloader, they will be able to install their own avb key or some other trickery as well. In my opinion, trusting a locked bootloader to provide you with ANY additional security is giving you a FALSE sense of security.

      My understanding of a locked bootloader is that it would actually prevent the loading of new signing keys. Or, that it would at least detect the tampering at reboot. So, in this case, the locked bootloader would provide additional security over an unlocked bootloader.

      Do you have any reference material on any existing proofs of concept or exploits that installed their own key and signed images that bypassed a locked bootloader?
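The following is an added example, not code from GrapheneOS, AOSP or any poster in this thread. It is a toy model of the two mechanisms discussed above: the dm-verity-style hash tree that rejects modified blocks at read time (Graphite's description of verified boot) and the bootloader's pinned signing key that decides whether an attacker who has root on the running OS can "install their own avb key" and persist (the intelligence/kopolee11 exchange). Everything in it is a simplification: the `Device`, `VbMeta` and `attacker_persists` names are invented, an HMAC stands in for the RSA signature real AVB uses, the 5-block "system" image is constructed random data, and forward error correction (which real verity tries before returning an I/O error) is left out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

BLOCK_SIZE = 4096


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def build_tree(image: bytes) -> list[list[bytes]]:
    """Merkle tree over BLOCK_SIZE blocks: levels[0] are leaf hashes, levels[-1][0] is the root."""
    leaves = [_h(image[i:i + BLOCK_SIZE]) for i in range(0, len(image), BLOCK_SIZE)]
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([_h(cur[i], cur[min(i + 1, len(cur) - 1)]) for i in range(0, len(cur), 2)])
    return levels


def path_ok(levels: list[list[bytes]], idx: int, root: bytes) -> bool:
    """Recompute the hash path from leaf idx up to the signed root (what verity does on each read)."""
    for lvl in range(len(levels) - 1):
        cur = levels[lvl]
        left = idx & ~1
        right = min(left + 1, len(cur) - 1)
        if _h(cur[left], cur[right]) != levels[lvl + 1][idx // 2]:
            return False
        idx //= 2
    return levels[-1][0] == root


@dataclass
class VbMeta:
    root: bytes
    key_id: str
    sig: bytes  # HMAC is a symmetric stand-in for the RSA signature real AVB uses (assumption)


def sign(root: bytes, key_id: str, key: bytes) -> VbMeta:
    return VbMeta(root, key_id, hmac.new(key, root, "sha256").digest())


class Device:
    """Toy phone (invented): OS image, its hash tree, vbmeta, and a locked or unlocked bootloader."""

    def __init__(self, image: bytes, oem_key: bytes, locked: bool):
        self.locked = locked
        self.trusted_key = ("oem", oem_key)   # the key the bootloader pins when locked
        self.image = bytearray(image)
        self.tree = build_tree(image)
        self.vbmeta = sign(self.tree[-1][0], "oem", oem_key)
        self.booted_root = None

    def boot(self) -> str:
        if not self.locked:
            self.booted_root = None           # unlocked: nothing is enforced ("orange" state)
            return "orange"
        key_id, key = self.trusted_key
        expected = hmac.new(key, self.vbmeta.root, "sha256").digest()
        if self.vbmeta.key_id != key_id or not hmac.compare_digest(expected, self.vbmeta.sig):
            return "refused"                  # vbmeta not signed by the pinned key: no boot
        if self.tree[-1][0] != self.vbmeta.root:
            return "refused"                  # hash tree does not match the signed root
        self.booted_root = self.vbmeta.root
        return "green"

    def read_block(self, idx: int) -> bytes:
        blk = bytes(self.image[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE])
        if self.booted_root is None:
            return blk                        # unlocked boot: verity not enforced
        if self.tree[0][idx] != _h(blk) or not path_ok(self.tree, idx, self.booted_root):
            raise IOError(f"verity: block {idx} corrupted")  # real verity would try FEC first
        return blk


def attacker_persists(dev: Device, idx: int, payload: bytes, resign: bool) -> None:
    """Remote attacker with root writes raw partitions (no fastboot needed, so the lock does not
    stop the write). With resign=True they also rebuild the tree and sign vbmeta with their own key."""
    dev.image[idx * BLOCK_SIZE:idx * BLOCK_SIZE + len(payload)] = payload
    if resign:
        attacker_key = secrets.token_bytes(32)
        dev.tree = build_tree(bytes(dev.image))
        dev.vbmeta = sign(dev.tree[-1][0], "attacker", attacker_key)


def scenario(locked: bool, resign: bool) -> str:
    """What the next boot looks like after the attacker's write. Image is constructed random data."""
    dev = Device(secrets.token_bytes(BLOCK_SIZE * 5), secrets.token_bytes(32), locked)
    assert dev.boot() == ("green" if locked else "orange")
    attacker_persists(dev, 3, b"IMPLANT", resign)
    state = dev.boot()
    if state == "refused":
        return state
    try:
        dev.read_block(3)
    except IOError:
        return state + ":EIO"
    return state + ":implant-runs"


if __name__ == "__main__":
    for locked in (True, False):
        for resign in (False, True):
            print(f"locked={locked} resign={resign}: {scenario(locked, resign)}")
```

The four outcomes are the thread's argument in miniature. With a locked bootloader, a modified block is refused at read time (`green:EIO`) and a re-signed image is refused at boot (`refused`), so the attacker has to re-exploit the running OS after every reboot. With an unlocked bootloader both writes survive (`orange:implant-runs`), which is the persistence that a locked bootloader and verified boot are meant to deny; neither state changes how easy the initial remote compromise is.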

      Confusing. Seems like comments are being deleted.