  • German Pentester Kuketz: GrapheneOS Review

German Pentester and Security Researcher Kuketz started a series of articles early this year, with the goal of comparing the major custom ROMs.

GrapheneOS was the last to be reviewed, and the article is finally here.

You can find it here: GrapheneOS: The Gold Standard of Android ROMs

You probably have to translate the website somehow, as it is written in German.
But here is the summary at least:

GrapheneOS sets standards in terms of security and data protection that are unmatched by any other Android system. Nevertheless, the system is not designed exclusively for security and data protection freaks. It offers an alternative for anyone who wants to have more control over their data and free themselves from dependence on Google. If some apps are still dependent on Google Play services, they can simply be installed together with the Sandboxed Play Services in the work profile. This may not be the optimal solution, but it is a significant difference to conventional Android systems where users are constantly monitored.

There is no doubt that GrapheneOS is currently the most secure and privacy-friendly custom ROM or Android system. The icing on the cake would be if the obligation to use a Google device was lifted and GrapheneOS stuck to its plans to launch its own devices on the market. This is actually the only point where I would have something to criticize - complaining at a high level.

    A lot of GOS users are annoyed with the ROM thing. It's not a Read-Only Memory. It's a fully-fledged OS.

      FlyingRacoon

      Detailed review, thanks for sharing!

      By the way - Mike Kuketz has tested several custom ROMs (LineageOS, CalyxOS, /e/, iodéOS and of course GrapheneOS) and compared them in terms of security, privacy and user-friendliness - these articles are also well worth reading.

      Spoiler alert:

      GrapheneOS sets standards in terms of security and data protection that are unmatched by any other Android system. Nevertheless, the system is not designed exclusively for security and data protection freaks. It offers an alternative for anyone who wants to have more control over their data and free themselves from dependence on Google.

      Thank you, dear GrapheneOS team, for this great operating system!

      Here are the links:

      CalyxOS: https://www.kuketz-blog.de/calyxos-de-googled-geht-anders-custom-roms-teil2/

      Overall, CalyxOS is certainly not a bad custom ROM, but offers a harmonious overall package with which users who want to (significantly) reduce their dependence on Google should get off to a good start. However, one should also take the disadvantages into account: the delayed provision of (security) updates and an external image that does not quite match what the present analysis revealed.

      IodeOS: https://www.kuketz-blog.de/iodeos-datenschutzfreundlich-aber-abstriche-bei-der-sicherheit-custom-roms-teil3/

      Overall, iodéOS leaves a relatively privacy-friendly overall impression. However, you should also take the disadvantages into account: delayed delivery of (security) updates, older devices do not receive full security updates for proprietary components such as bootloaders or firmware, and iodéOS does not support Verified Boot on every device. iodéOS could be improved in particular by providing (security) updates more quickly. Overall, however, some restrictions regarding security must be accepted. Ultimately, iodéOS is primarily aimed at privacy-sensitive users who want to continue using their (older) devices.

      LineageOS: https://www.kuketz-blog.de/lineageos-weder-sicher-noch-datenschutzfreundlich-custom-roms-teil4/

      Yes, LineageOS supports many devices. Yes, with LineageOS you can continue to operate older devices in particular. But: If you actually want to do without Google or want to receive security updates for your device promptly, you should look for another custom ROM. LineageOS itself is not making any special efforts to break away from Google. To be fair, it should also be mentioned that they never claimed that. The absence of Google Apps or Google Play services does not automatically mean that a custom ROM is Google-free. This requires further steps, which LineageOS cannot do. Ultimately, LineageOS is primarily aimed at users who want to continue using their older devices as they may no longer be provided with the latest Android versions and security updates by the manufacturer. From an ecological point of view, this also makes sense, as most devices still work perfectly in terms of hardware, but often have to give up space due to the consumer orientation caused by capitalism. In the end, that means even more electronic waste - and we can all happily do without that.

      DivestOS: https://www.kuketz-blog.de/divestos-datenschutzfreundlich-und-erhoehte-sicherheit-custom-roms-teil5/

      Overall, DivestOS leaves an extremely privacy-friendly impression. And DivestOS also scores points when it comes to security - although it must be mentioned that not every device supported by DivestOS is still provided with manufacturer updates for the proprietary components. However, if you use a current device like a Google Pixel 7a, you are on the safe side with DivestOS for the coming years. Probably only with GrapheneOS will you find greater efforts in terms of security. Ultimately, DivestOS is not only aimed at users who want to continue using their older devices because they may not receive support from the manufacturer for the latest Android versions and security updates. It is also aimed at those who value privacy and security (assuming they have a recent device). Overall, DivestOS sets the bar pretty high.

      /e/: https://www.kuketz-blog.de/e-datenschutzfreundlich-bedeutet-nicht-zwangslaeufig-sicher-custom-roms-teil6/

      When it comes to data protection, /e/ performs quite well. However, when it comes to security, you have to turn a blind eye and hope that everything goes well. Not only is the delayed delivery of security updates (6 weeks or more) worth mentioning, but above all the slow updating of the WebView components. If no updates are provided here for over 6 months, one can speak of a significant security risk. Summarized: (Severely) delayed delivery of (security) updates and the WebView components. Older devices do not receive full security updates from proprietary components such as bootloaders or firmware. No Verified Boot support except for very few devices. /e/ is primarily aimed at privacy-conscious users who want to continue using their older devices as they may no longer be provided with the latest Android versions and security updates by the manufacturer. However, you should be aware that security gaps can also undermine data protection if exploited by an attacker. Focusing solely on data protection is therefore no guarantee that this is actually guaranteed. Additional measures are required, including an up-to-date system that receives timely security updates. There is still a lot of catching up to do with /e/.

      GrapheneOS: https://www.kuketz-blog.de/grapheneos-der-goldstandard-unter-den-android-roms-custom-roms-teil7/

      GrapheneOS sets standards in terms of security and data protection that are unmatched by any other Android system. Nevertheless, the system is not designed exclusively for security and data protection freaks. It offers an alternative for anyone who wants to have more control over their data and free themselves from dependence on Google. If some apps still rely on Google Play Services, they can simply be installed together with the Sandboxed Play Services in the work profile. This may not be the optimal solution, but it is at least a significant difference from conventional Android systems, where users are constantly monitored. There is no doubt that GrapheneOS is currently the most secure and privacy-friendly custom ROM or Android system. The icing on the cake would be if the requirement to use a Google device were lifted and GrapheneOS stuck to its plans to bring its own devices to market. That's actually the only point where I have anything to criticize - complaining at a high level.

      Kuketz isn't really a pentester. He is now a little bit better than he used to be in the beginning regarding his blog. In the beginning he wrote a lot of BS. I would not recommend taking any information from him.

        FlyingRacoon The icing on the cake would be if the obligation to use a Google device was lifted and GrapheneOS stuck to its plans to launch its own devices on the market.

        He doesn't understand the concept of "economies of scale" in tech.
        There is no way for a small company to offer a device with the same specs, price, and 7 years of software updates like the new Pixels. Add to it the supply chain and various legal requirements and you will end up with gimmicky junk like "Fairphone" which doesn't add any meaningful value to anyone.

          23Sha-ger To be fair, he is just writing that off the back of an actual post GOS made about a potential phone/partnership in the works. That may or may not come to pass, but it's not something he invented, and so a little unfair to lay that at his door.

          sonicbackdrop

          The "8 years" is a fake promise by them. They are not able to deliver platform patches and security updates without the actual hardware vendor.

          https://discuss.grapheneos.org/d/2084-fairphone-4-support/4
          https://www.reddit.com/r/GrapheneOS/comments/10b5x4n/has_anyone_managed_to_install_grapheneos_on_a/j67pbny

          Daniel explained in that Reddit post why such concept phones are garbage, full of empty promises.

            Nuttso To be fair, his review is nearly 100% a privacy check.
            He doesn't really test GOS' security; he's just valuing the security of different OSes in reference to the release time of official security updates.
            "German pentester" in my opinion is a wrongly chosen title for Mike Kuketz, as he doesn't provide pentest results.

            He is a serious and long-standing certified data protection officer.
            So I think the correct term is privacy activist.

            23Sha-ger
            I thought they could deliver firmware updates to the Fairphone 5 for a long time, because of them using an IoT component for SoC?

            Regardless of his job title or qualifications - in my opinion, the blog posts offer a good starting point for people who are considering installing a custom ROM.

              16 days later

              Murcielago agree. Also he writes in very low barrier language and links everything.

              The tests were privacy only, but really good.

              bayesian
              ROM means Read-Only Memory and is used in Android as such.
              The ROM is the part of your system that is: able to run on its own, write-protected and thus not changeable.
              Many/all manufacturers implement a way to bypass Linux's restrictions/file system permissions to be able to update their ROM, i.e. write to /system.
              The normal user is not able to write to that /system partition, which is independent from the /data partition, where all your apps and data are stored (/data is not needed to run Android).
              The only thing those two partitions share is (not always) the same hardware/memory chip.

              The contents stored on /system contain all software needed to run Android on that specific device including: drivers, configurations, scripts, applications, frameworks etc.
              They are read-only for the user and only writable after remounting as a system user or superuser/root.
              Therefore ROM can be considered a valid and correct term for the Android system's /system partition/ROM partition.

              In other words, both OS & ROM are technically correct and this repeated meme needs to die. NOBODY in the history of referring to Android has ever used ROM to refer to Read-Only Memory. However, the GrapheneOS image does in fact contain sections of ROM; otherwise anybody could install or delete anything they felt like, as if it were Windows 95 allowing users to delete System32 files.

                6 months later

                I would like to thank Kuketz for the persistent GrapheneOS advertising. Now I am also a happy user.
                I am amazed at the depth of technical knowledge here in the forum. I have never experienced this anywhere else.

                Thanks Kuketz for the GrapheneOS recommendation

                N3rdTek The contents stored on /system contain all software needed to run Android on that specific device including: drivers, configurations, scripts, applications, frameworks etc.
                They are read-only for the user and only writable after remounting as a system user or superuser/root.
                Therefore ROM can be considered a valid and correct term for the Android system's /system partition/ROM partition.

                Then macOS is a ROM, Windows 11 is a ROM, Debian is a ROM, Arch Linux is a ROM, Raspberry Pi OS is a ROM? Last week I upgraded my Ubuntu ROM?

                What about operating systems that run on phones, and can execute some Android binaries, but are not actually Android variants, such as Sailfish OS? Should that be called a "ROM" because it can execute some Android binaries, or because it runs on phones, or for some other reason?

                N3rdTek In other words, both OS & ROM are technically correct and this repeated meme needs to die.

                I doubt that either the "ROM community" or the GrapheneOS community will crush the other in a linguistic sense.

                Somehow the Android modder community decided to call their OS images "ROMs". Ok, but both before and after they started doing that lots and lots and lots of people weren't doing that and still don't do that. I don't think humanity would move forward if everybody agreed to replace all uses of "OS" and "system image" and "system partition" with ROM.

                Probably the Android modder community will keep on referring to operating systems, and system images for those operating systems, as ROMs. And probably the GrapheneOS developers will keep objecting to GrapheneOS and GrapheneOS system images being referred to with that term. Whether or not it is "technically correct" to refer to macOS as a ROM, Mac users don't generally do that. Likewise, whether or not it is "technically correct" to refer to GrapheneOS as a ROM, GrapheneOS users don't generally do that. And, as background, the practice of the Android modder community is not the standard or normative practice when most users of most operating systems refer to those operating systems.

                When I was looking for an alternate ROM (as some say) to install, I looked at several. The first one was LineageOS, it really didn't convince me at all. I then came across CalyxOS, and it seemed promising but it didn't quite feel right to me, so I kept looking, and that is when I came across GrapheneOS. The pages were interesting enough to keep my attention, and well, I kept reading, and decided that GoS was for me. It was exactly what I was looking for in terms of a hardened OS. I had a Pixel 5 for about a year and then some thieves stole it from me while I was eating at a restaurant outdoors. I finally bought a Pixel 8 now, and of course I installed GoS on it immediately.