I would just be careful about the guarantees we claim open-source software brings.
I agree. It is unfortunate that, for whatever reason, as long as some software is licensed under an OSI-compatible license, some people take this to mean the software is safe, secure, and respects their privacy. This is the wrong assumption to make. The only assumption you can make about free software is that neither the original developer nor the publisher is in control; you are. You can examine and change anything about that software, and you can share your modified versions without fear. This is the one, fundamental thing free software has always been about—freedom.
It just so happens that most developers willing to release their software under a free license tend to respect their users. Whether you consider Google to be one of those developers is up to you.
So I agree with you that
open source does not mean privacy-friendly, but I want to be careful not to equate free software with proprietary software because these privacy and security guarantees are not met. I don't agree with the perspective that a privacy community should care only about the intrinsic privacy/security achievable with the currently available software. Free software has other attractive properties for those in a privacy community which should not be so easily disregarded, such as sovereignty, which is related to privacy in the same way security is related to privacy.
I think we can rather say that given time and skill and the right environment (laws involved permitting) any local application can be almost effectively open source.
Open source does not only mean that the source code is available. There is a term for that—source-available. An example of a source-available program is TrueCrypt. Another example is Microsoft Windows. I assume you mean to refer to Free Software when you say you would prefer people choose to develop and use open-source software, which comes with four freedoms merely predicated on access to the source code.
The Open Source Definition is similarly very exacting about what qualifies as "Open Source", which is why they applied for a trademark for the term in 1998 (though they were not granted it), because they did not want anyone to use the term "Open Source" to refer to something which did not meet that definition.
Some software, like the Adobe Creative Suite, uses complicated mechanisms to obfuscate the running code and to prevent the user from disassembling the code. As you observe, with the right amount of time and right amount of skill, any software can be disassembled, but modification is made far more difficult without the original source code. Additionally, this is illegal under the DMCA, because it qualifies as copyright circumvention. You may face penalties even if you do this for security research: https://www.eff.org/deeplinks/2021/06/dmca-security-researcher-statement
Another aspect of free software worth mentioning is that it is not possible to encumber it with DRM.
Perhaps I emphasized the importance of access to the source code in determining the behavior of software too much. Access to the source code is most useful for changing this behavior, rather than determining it (though it can certainly help to more accurately determine what's going on). For further reading on the subject of free software and security, I found Seirdy's post enlightening: https://seirdy.one/posts/2022/02/02/floss-security/
This is off topic for this thread though, so where we can we need to relate back to mainstream apps.
I would say:
- GrapheneOS is free software.
- Most mainstream apps are not free software, but privacy-wise, because these apps are connecting to a server somewhere, using a free software client to access the service will likely not improve your privacy by much, if at all.
- The biggest privacy improvement GrapheneOS offers is the ability to cut Google out of the picture. By sandboxing their apps, this means they learn less about you in many cases. Being able to trust your operating system is a large improvement over needing to trust a proprietary version of Android that is known to act against your best interests.
- The ability to turn off Network and Sensors permissions for apps which don't need them is a more powerful guarantee over the proprietary version of Android. With access to your Sensors, even without the Location permission, apps could determine details about your location quite accurately using this permission. Most apps don't need this permission.
- GrapheneOS has developed free software replacements for a lot of your default apps, like its PDF reader and Camera, which respect your privacy. You likely won't need to use proprietary replacements for them.
- Storage Scopes.
Instead of granting storage permissions, users can enable Storage Scopes to make the app assume that it has all storage permissions that it asked for
- The security improvements alone are worth it.
- If you use the same privacy-invasive apps, these bad actors will collect a similar amount of information about you. Google Maps, for example, is a big one. Not much is different on GrapheneOS. Maybe try out Organic Maps to see if it serves your needs.
The only reason not to use GrapheneOS is lack of compatibility with some financial apps (I doubt these apps will ever support a non-Google operating system with SafetyNet), or if Android Auto is something you desperately need. I'm not aware of anything iOS does better in the privacy department.
So, yes, perhaps using privacy-invasive apps will still be privacy-invasive for reasons GrapheneOS can't control, but no other phone operating system offers stronger privacy guarantees.