Hello there,

I know that choosing GrapheneOS comes down to a personal decision, threat model, willingness to invest time etc.

However I am looking for your opinions given my situation and use case to take an educated decision.

I am a privacy and security conscious person, certainly more than the average user. I am not interested so much in anonymity. Currently I use iOS, simply because they offer better security/privacy than Android, and I do not use any Google service. I think their hardware encryption is good and I complement this with the use of ProtonVPN, ProtonMail and aim for compartmentalization when possible while trying to keep a certain level of convenience. I also use Signal. In net, I keep iOS updated with all recommended settings for privacy and then I aim for 3rd party apps such as Proton to limit the information Apple has on me.

I was thinking of using GrapheneOS to bring it to the next level. My main concern is the complexity (e.g. I hear about sandboxing, profiles, not being able to receive notifications on ProtonMail and such) that would significantly compromise user experience compared to iOS vs its privacy gains. Another thing that concerns me is security. In my mind Apple would be faster to patch security fixes than Graphene, then again I am not so sure about this.

Thanks for the opinions.

  • [deleted]

Sandboxed Google Play Services works flawlessly on my Pixel 6a, no issues and no complaints about it :) No need for a separate user profile for Sandboxed Google Play Services, but many prefer this approach.

About security updates, GrapheneOS in some cases even pushes security fixes before Google.

PDF: Google Data Collection

The only times GrapheneOS phones home is every 4 hours to check for software updates, and every 6 hours for the "app" app to check for app updates; this can be configured in the "app" app settings.

    In net, what I would need to use my phone for:

    • my banking apps (I already checked and they are compatible today)
    • all proton apps
    • messaging like signal (I guess WhatsApp doesn’t work)
    • Open maps for directions
    • a secure browser
    • Yubico Authenticator (does this app work?)
    • less critical but other convenience apps such as the ones to check my local train times, Philips Hue and less important things.
      • [deleted]


      Could you elaborate on what it means in day-to-day use to use the apps in that sandbox environment? I mean the trade-offs when it comes to convenience and usability vs a native app. Just for me to better understand in practical terms.

      Thanks

      • [deleted]


      It might differ for you, but I have no issues.

      • My banking app works without Google Play Services; well, it complains on startup about SMS/Phone permissions, but works without it.
      • Proton apps should work without Google Play Services.
      • Signal works without Google Play Services.
      • There are many great FOSS maps apps around, I like Organic Maps, OpenStreetMap, etc.
      • I have never used the Yubico Authenticator, as I don't yet own a Yubico.
      • Apps for local trains, bus ticket apps, etc., should work with Google Play Services installed.

      Sandboxed Google Play Usage

      Hey there! First of all, welcome to the forum. :)

      I think that it is tough to give a yes/no answer here, and also do note that I've used GrapheneOS for years at this point, so my answer can be biased.

      With that said, it sounds like you've got a pretty sweet deal going. iOS is quite secure in general, and if you're using an iPhone that's still supported, it's a very good choice (certainly a much better choice than most Android devices, to be honest). If I were to recommend a phone/OS combo to someone who's not interested in learning new things and I'd just like them to have a functional secure device, I'd suggest an iPhone every single day of the week.

      However, the fact that you're here tells me that you'd be open to learning new things and adjusting accordingly, so let's dive in to see if switching over is worth it for you.

      Let's address your main concerns, which, as I understand it, are as follows:

      1. You think GrapheneOS comes with a significant usability compromise.
      2. You think GrapheneOS may be too complex for someone not willing to spend a significant amount of time learning how to use it.
      3. You think GrapheneOS cannot possibly be able to keep security updates in check as quickly as Apple could, due to its team being smaller.

      1. GrapheneOS is highly usable. Before Sandboxed Google Play (that was almost a couple of years ago now - time flies!) and things like the Exploit Protection Compatibility Mode toggle (which disables some hardening for the specific app you enable it for, in case it is crashing due to something like a memory corruption bug that would otherwise make it crash to protect you), there were some pain points. Apps that needed Google Play Services for some or all functionality wouldn't work, or said functionality wouldn't work, and you just had to deal with that. Buggy apps with memory corruption issues would crash due to hardened_malloc with no other options. What if that app was your banking app or an equally important app? Well, you don't have to care or worry about that anymore. In terms of app compatibility, pretty much the only stragglers are apps that require a Google certified OS to work. That's an explicit choice by the apps and there's not much we can do, though we do have a guide for those developers to be able to whitelist GrapheneOS when they do that, which you can find here:

      https://grapheneos.org/articles/attestation-compatibility-guide

      Really though, these apps are very much the exception to the rule. A notable thing that currently won't work due to that is Google Pay NFC payments, for example. NFC payments work great, and if you have another app which doesn't use Google Pay and doesn't gate its system behind those checks, you can use it, but Google Pay is currently a no-go, unless we spoof those checks, which would only be a temporary solution because in the future they won't be spoofable anymore. It can be problematic to work around apps not wanting to work on GrapheneOS in a way that's only temporary and have people using the OS rely on them, only for those apps to be pulled under their feet down the line.

      Furthermore, you mentioned some specific examples, so I want to quickly address those:

      • Sandboxing: all apps are sandboxed by default. That's the same as Stock Android, and the same as iOS. You don't have to "sandbox" apps yourself.

      • User profiles are very useful to compartmentalize your usage and bring some benefits, but they're in no way necessary, and in fact, I'd wager a guess that most GrapheneOS users don't really use them all that much.

      • Proton Mail requires Play Services to deliver notifications. As such, you need Sandboxed Google Play for them to provide you with those. That's not a deficiency/weakness of GrapheneOS. The app is choosing to utilize Play Services for this, and GrapheneOS provides you with a secure way to use Play Services within the regular app sandbox that all other apps you install reside in (Sandboxed Google Play is optional).

      Additional reading:

      https://grapheneos.org/features#sandboxed-google-play
      https://grapheneos.org/usage#bugs-uncovered-by-security-features

      2. GrapheneOS is not complex. For the most part, it works exactly like any other Android device would. The features page explains what GrapheneOS adds/changes over AOSP. Other than that, you're getting the same thing you'd get on other phones in terms of complexity (which means, not complex at all).

      Great care is taken to ensure that new features we add (like Storage Scopes and more recently Contact Scopes - features which allow you to grant granular file/contact access to apps while the apps think they have access to everything) are easy to use and intuitive, so I wouldn't call those daunting or complex. Our documentation hopefully helps too!

      3. GrapheneOS is a privacy and security focused project. Shipping security updates as quickly as possible is the bare minimum. Not only does GrapheneOS ship new security updates for its supported devices very fast, but it is sometimes even ahead. https://grapheneos.org/features#more-complete-patching provides some information about that; particularly:

      We're able to quickly and safely ship the latest Linux kernel LTS point releases on devices with GKI (Generic Kernel Image) support including the 6th and 7th generation Pixel phones. At the time of writing on 2023-02-23, GrapheneOS is using the latest Linux 5.10 GKI LTS release (5.10.168) for 6th and 7th generation Pixel phones. The stock Pixel OS is on Linux 5.10.107 from 2022-03-19 with a small number of additional patches backported. This means GrapheneOS provides hundreds of relevant kernel patches including many security patches not yet included in the stock OS. It's possible for us to stay several months ahead due to their approach of moving to new LTS releases only in quarterly releases after a long freeze and testing process.

      Furthermore, GrapheneOS' approach has always been to ensure that its patches/changes are minimal, very well coded, and highly portable. This is important because it is of utmost importance for the team to be able to port to new Android versions on time. Other alternative OSes out there bloat their OSes with a lot of frills which come to bite them when it's time to move fast, and they fall behind. GrapheneOS doesn't.

      I hope that this gives you some food for thought - if you have any follow-up questions, or need anything else, please let us know.
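The post above mentions the attestation compatibility guide for developers whose apps currently require a Google-certified OS. As an added illustration (example code written for this thread, not GrapheneOS or Auditor project code), the following sketches the decision an app backend makes once it has already validated the Android hardware key attestation certificate chain and decoded the RootOfTrust fields of the key description extension (OID 1.3.6.1.4.1.11129.2.1.17). The policy accepts a locked device running either the stock OS (boot state Verified, manufacturer key) or an allow-listed custom OS such as GrapheneOS (boot state SelfSigned, i.e. locked with a non-manufacturer key, and a known verified boot key hash), and rejects everything else. The two key hashes are placeholders; the real values are published by the OS vendors and are not taken from this thread. Chain validation and ASN.1 decoding are assumed to have happened already and are not part of this example.

```python
"""Allow-list policy over a decoded Android attestation RootOfTrust record.

Added example for illustration; not project code. The certificate chain is
assumed to be already validated against the hardware attestation root, and
the RootOfTrust fields already decoded from the key description extension.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class VerifiedBootState(IntEnum):
    # Values as defined in the Android Key Attestation schema.
    VERIFIED = 0      # locked, manufacturer key (green)
    SELF_SIGNED = 1   # locked, non-manufacturer key (yellow)
    UNVERIFIED = 2    # unlocked (orange)
    FAILED = 3        # verification failed (red)


@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes   # SHA-256 of the verified boot public key
    device_locked: bool
    verified_boot_state: VerifiedBootState


# PLACEHOLDER hashes (constructed for this example). Real values come from the
# device manufacturer and from the GrapheneOS attestation compatibility guide.
STOCK_OS_KEY_HASH = bytes.fromhex("00" * 32)
GRAPHENEOS_KEY_HASH = bytes.fromhex("11" * 32)

# Custom operating systems the app chooses to trust, keyed by boot key hash.
ALLOWED_CUSTOM_OS_KEYS = {
    GRAPHENEOS_KEY_HASH: "GrapheneOS",
}


def evaluate_root_of_trust(rot: RootOfTrust) -> tuple[bool, str]:
    """Return (accepted, reason) for a decoded RootOfTrust record."""
    # An unlocked bootloader defeats verified boot regardless of the key.
    if not rot.device_locked:
        return False, "bootloader unlocked"

    if rot.verified_boot_state == VerifiedBootState.VERIFIED:
        # Green state: only the manufacturer's key is acceptable here.
        if rot.verified_boot_key != STOCK_OS_KEY_HASH:
            return False, "verified boot key is not the manufacturer key"
        return True, "stock OS"

    if rot.verified_boot_state == VerifiedBootState.SELF_SIGNED:
        # Yellow state: locked with a custom key; accept only allow-listed keys.
        os_name: Optional[str] = ALLOWED_CUSTOM_OS_KEYS.get(rot.verified_boot_key)
        if os_name is None:
            return False, "unrecognized custom OS verified boot key"
        return True, os_name

    return False, f"verified boot state is {rot.verified_boot_state.name}"


if __name__ == "__main__":
    # Constructed sample records, one per outcome.
    samples = {
        "stock": RootOfTrust(STOCK_OS_KEY_HASH, True, VerifiedBootState.VERIFIED),
        "grapheneos": RootOfTrust(GRAPHENEOS_KEY_HASH, True, VerifiedBootState.SELF_SIGNED),
        "unlocked": RootOfTrust(STOCK_OS_KEY_HASH, False, VerifiedBootState.UNVERIFIED),
        "unknown_custom": RootOfTrust(bytes(32), True, VerifiedBootState.SELF_SIGNED),
    }
    for name, rot in samples.items():
        print(name, evaluate_root_of_trust(rot))
```

The point of the structure is that the app never has to say "Google-certified OS only": it states which verified boot keys it trusts, and a locked GrapheneOS device passes on the same footing as a stock one while unlocked or unknown images are still refused.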

        matchboxbananasynergy

        Thanks so much for the detailed answer, it gave me some food for thought. A good starting point for me might be to get a second Pixel phone to try it before a full transition.
        I have another question which is more in practical terms.
        Let’s say I am using that ProtonMail app with notifications that require the Google Play Services access in GrapheneOS. In practical terms, what would be the difference to open and check emails in this app in GrapheneOS vs how it is currently on an iOS native app? (Click and access and banner notifications.) Another question in this use case: how much more private is using this app in the GrapheneOS environment vs today on iOS?

          [deleted] Thanks so much for the detailed answer, it gave me some food for thought. A good starting point for me might be to get a second Pixel phone to try it before a full transition.

          If you're just dipping your toes, I'd suggest getting a Pixel 6a. It's a supported device with lots of life in it still (supported until 2027) and can be found for relatively cheap, especially used (make sure it can be unlocked!).

          [deleted] Let’s say I am using that ProtonMail app with notifications that require the Google Play Services access in GrapheneOS. In practical terms, what would be the difference to open and check emails in this app in GrapheneOS vs how it is currently on an iOS native app?

          There wouldn't be much of a difference. You'd get a notification, press on that notification, and it would open the app.

          [deleted] Another question in this use case: how much more private is using this app in the GrapheneOS environment vs today on iOS?

          Well, I don't know how the iOS app is, but using Proton Mail as a specific example, I can tell you how using an app like Proton Mail on GrapheneOS is more private than using it on Stock Android.

          In Proton Mail, when you want to attach a file, the app brings up your system's file manager, you pick a file, and Proton Mail sees that file, and that file only, to attach it to your e-mail. However, if you receive an attachment, the moment you try to download it, Proton Mail will ask you to grant it access to your files. There's no reason it should do that; it could let you download it without that, or bring up the file manager to allow you to select a folder to save the file in, and it would only have access to that specific folder.

          On Stock Android, you can choose to just not download/open attachments, or grant Proton Mail storage permissions. That's not the case on GrapheneOS due to storage scopes. Instead, by enabling storage scopes, Proton Mail thinks it has all possible storage permissions it asks for, but can only see files that it itself created, and nothing more. You can also grant it access to specific files/folders if you so choose, so that it can see those.

          If you want Proton Mail to access your contacts, you have to grant it the contacts permission on Stock Android. It's all or nothing on Android. Not the case on GrapheneOS (this was actually shipped in the latest version, but has been in development for a while). On GrapheneOS, by using contact scopes, you can only grant Proton Mail access to some of your contacts, or to specific label(s) of contacts (essentially, what that means is that you create a label e.g. Friends, and add all of your friends to that label).

          I think you might be noticing a trend here: control. GrapheneOS is about privacy and security. A lot of that comes in the form of under-the-hood hardening, but a lot of it is also easy-to-use features like the ones mentioned above that allow you to give apps the least amount of information.

          4 months later

          matchboxbananasynergy NFC payments work great, and if you have another app which doesn't use Google Pay and doesn't gate its system behind those checks, you can use it

          Old post, but do you have an idea of any alternatives? I assume something like this can't really exist in the open source world but I have nothing to base my thoughts on. I mean, if there was a GOS compatible open source payment system that was as flexible as Apple/Google Pay whilst being as widely accepted, I feel I would know about it already! But I suspect (unfortunately) that's not what you're implying.