The article published at https://www.ifixit.com/News/111634/why-the-fairphone-6-should-be-your-next-phone promoting the /e/OS variant of the Fairphone 6 has major misconceptions and inaccuracies. The article promotes a product which is blatantly unsafe due to lack of basic privacy/security patches and protections as being the best option for people who care about privacy. People who listen to it will be significantly worse off on the privacy and security front than if they had bought an iPhone instead.
Fairphone 6 does not keep up with standard Android privacy/security patches and has no secure element to provide working disk encryption for typical users not using a strong password, among other flaws.
/e/OS dramatically reduces privacy and security compared to the Android Open Source Project. It lags far behind on OS and browser patches. It also doesn't keep important standard protections intact.
/e/OS includes numerous non-private apps and services. The Murena voice-to-text service included in /e/OS even sends user speech data to OpenAI with no local option, whereas Apple and Google both offer offline speech-to-text support via local models which users can make sure is always used:
https://community.e.foundation/t/voice-to-text-feature-using-open-ai/70509
The article appears to be confusing our sandboxed Google Play compatibility layer with the privileged integration for microG, Android Auto and other Google apps/services in /e/OS:
"which is kind of like adding Google Play Services to your phone as a regular user rather than an admin"
Our sandboxed Google Play compatibility layer works exactly as the article describes: installing Google Play and other Google apps as regular sandboxed apps. That's not how these things work in /e/OS.
DivestOS, which has been discontinued, had mostly (not fully) unprivileged integration for microG unlike /e/OS and CalyxOS where it's privileged. /e/OS and CalyxOS also have privileged integration for Android Auto and other Google apps/services. If you install Android Auto on /e/OS or CalyxOS, it's a highly privileged app not running in the regular app sandbox and also receives extensive privileged access via special permissions only available to OS components. microG is similar.
GrapheneOS is vastly different from /e/OS. GrapheneOS is a hardened OS preserving the standard privacy and security features and model, then greatly improving both privacy and security on top of that base. /e/OS is not a hardened OS and it greatly reduces both privacy and security compared to the Android Open Source Project. /e/OS doesn't only lag very far behind on OS and browser patches. It also disables or cripples important standard privacy and security protections.
The article implies people can't buy devices with GrapheneOS preinstalled, which isn't right. There are multiple companies including Nitrokey selling devices with GrapheneOS installed. This shows where Nitrokey sells them:
https://shop.nitrokey.com/shop?&search=nitrophone
https://shop.nitrokey.com/shop?&search=nitrotablet
There are many other companies selling devices with GrapheneOS.
There's a high quality third party comparison between Android-based operating systems at https://eylenburg.github.io/android_comparison.htm with a privacy and security focus.
Android has a new OS release each month. It's a monthly, quarterly or yearly release.
The current release of Android is the July monthly release of Android 16 after the initial yearly Android 16 release last month. Prior to that was the May monthly release of Android 15 QPR2. Android 15 QPR2 came out in March 2025. Android 15 QPR1 came out in December 2024.
Fairphone 6 launched using the initial yearly release of Android 15 from September/October 2024.
Since Android 14 QPR2, quarterly updates are as large as yearly updates. Like many non-Pixel OEMs, Fairphone skips the monthly and quarterly updates. Non-Pixel OEMs are beginning to ship the quarterly updates, but in the past nearly none did.
Providing the latest monthly, quarterly and yearly update is needed to provide full privacy and security patches. Only High and Critical severity patches are backported to older releases in the Android Security Bulletins, often months later. Low and Moderate severity privacy/security patches are almost never backported to older Android releases. Privacy and security improvements not considered bug fixes aren't backported to older releases. Major privacy issues are fixed by newer Android quarterly and yearly releases which will never be backported due to not being considered fixing a bug.
Fixes for important leaks of data to applications, VPN leaks, etc. are rarely backported either due to being considered Moderate severity or a privacy improvement rather than a bug fix. The app sandbox and permission model significantly improves with each new yearly Android release and none of that is backported. Android and iOS provide backports to older releases as a stopgap. Android's quarterly releases go through months of public testing prior to stable release and yearly releases are publicly tested for more than a year. Android's stable releases are not the bleeding edge but rather are the expected baseline unfortunately not provided by most Android OEMs and aftermarket operating systems.
Here are the update notes for the Fairphone 6 stock OS:
https://support.fairphone.com/hc/en-us/articles/24463713641234-The-Fairphone-Gen-6-Release-Notes
Here's for the Fairphone 5:
https://support.fairphone.com/hc/en-us/articles/18682800465169-Fairphone-5-Release-Notes
Here's for the Fairphone 4:
https://support.fairphone.com/hc/en-us/articles/4405858220945-Fairphone-4-Release-Notes
You can see for yourself that it's typical for them to have 1-2 months of delay for the security backports to older releases. The yearly updates typically take a year or more. Monthly and quarterly updates aren't provided.
/e/OS is worse than this and, unlike the stock OS, misleads users.
/e/OS changes the UI displaying the patch level to one which masks what's actually being provided. They also set an inaccurate Android security patch level ignoring the non-AOSP portion of the patches and part of the AOSP portion of the patches. /e/OS presents partially shipping the AOSP portion of the patches as providing the full monthly privacy/security patch backports, which isn't what that is. /e/OS also has major issues providing browser updates. Many apps use the OS WebView.
The article presents this conclusion:
"this makes the Fairphone probably the best phone for anyone who values their privacy even slightly."
This is very wrong. Fairphone 6 with stock OS has very lacking security due to delayed patches (1-2 months for partial backports, much longer for full Android patches), no secure element, etc. /e/OS has absolutely atrocious privacy and security, not meeting even basic privacy/security standards. You're guiding people to an unsafe option.
iPhone users get a device with far stronger hardware and software security, far better privacy from apps/services and a bunch of well secured services with most of those supporting proper end-to-end encryption via their opt-in Advanced Protection Program. If people get a device with /e/OS, they're missing the most basic bare minimum privacy and security patches and protections. /e/OS has their own invasive services included, and it does still use various Google services too.
Information from the founder of the divested projects on /e/OS insecurity:
Issues with /e/OS: https://codeberg.org/divested-mobile/divestos-website/raw/commit/c7447de50bc8fadd20a30d4cbf1dcd8cf14805a0/static/misc/e.txt
ASB update history: https://web.archive.org/web/20241231003546/https://divestos.org/pages/patch_history
Chromium update history: https://web.archive.org/web/20250119212018/https://divestos.org/misc/ch-dates.txt
Chromium update summary: https://infosec.exchange/@divested/112815308307602739
We published this thread as a response to a recent article promoting insecure devices with /e/OS with inaccurate claims, including inaccurate comparisons to GrapheneOS. The founder of /e/OS has responded with misinformation promoting /e/OS and attacking GrapheneOS.
We made a post with accurate info on our forum in response to inaccurate information, that's all. There's a lot more we could have covered. See https://kuketz-blog.de/e-datenschutzfreundlich-bedeutet-nicht-zwangslaeufig-sicher-custom-roms-teil6/ for several examples such as /e/OS having unique user tracking in their update client not communicated to users.
The founder of /e/OS responded to the post we made on our forum here:
https://mastodon.social/@gael/114874688715085353
Gaël Duval has repeatedly personally targeted the founder of GrapheneOS in response to us posting accurate information responding to misinformation from /e/OS and their supporters.
Contrary to what's claimed in this thread, /e/OS does not improve privacy. /e/OS massively reduces privacy compared to the Android Open Source Project in multiple ways. /e/OS is consistently very far behind on shipping important privacy improvements in new major Android releases.
/e/OS regularly lags many weeks, months and even years behind on shipping important privacy and security patches. They roll back various parts of the privacy and security model, add a bunch of privileged Google service integration and their own privacy invasive services too.
The link posted at https://mastodon.social/@gael/114875028964272029 shows /e/OS shipping the previous round of Chromium privacy/security patches a couple weeks late. It regularly takes them months instead of weeks. They take far longer to ship many of the important driver, firmware and AOSP patches.
The link also shows they're using the wrong Chromium tags for Android, which frequently results in missing Android-specific privacy/security patches. Chromium 138.0.7204.97 was a June 30th release for Windows, not Android. The Android tag for June 30th was 138.0.7204.63.
https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html
https://chromereleases.googleblog.com/2025/06/chrome-for-android-update_30.html
Patches in Chromium Stable channel updates for Android are often only in the Android tags, not the Windows ones.
The current Android release is 138.0.7204.157, with security patches beyond 138.0.7204.63:
https://chromiumdash.appspot.com/releases?platform=Android
These were minor releases of Chromium. It's trivial to incorporate the changes and ship them on release day within hours. Even major releases of Chromium every 4 weeks are easy to ship on release day because major releases are open source for weeks in advance, unlike Android.
As can be seen by looking back through https://github.com/GrapheneOS/Vanadium/releases and comparing it to the Android release dashboard linked above, we ship the Chromium Stable and Early Stable releases on release day. This is not impressive. Shipping privacy/security patches is the bare minimum.
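The tag check described above, as an added example (not GrapheneOS or /e/OS code): it audits a shipped Chromium version against per-platform Stable tags, using only the three versions quoted in this post. The `STABLE_TAGS` table and the function names are assumptions made for illustration.

```python
# Added example: audit a shipped Chromium tag against per-platform Stable tags.
# The table holds only the versions quoted in the post; its layout and all
# function names are illustrative assumptions, not a real API.
STABLE_TAGS = {
    "Android": ["138.0.7204.63", "138.0.7204.157"],
    "Windows": ["138.0.7204.97"],
}


def parse(version):
    """Split 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for ordering."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 4:
        raise ValueError(f"not a Chromium version: {version!r}")
    return parts


def audit(shipped, platform="Android", tags=STABLE_TAGS):
    """Report whether `shipped` is a tag for `platform` and what it may lack."""
    own = sorted(tags[platform], key=parse)
    is_platform_tag = shipped in own
    foreign = [p for p, vs in tags.items() if p != platform and shipped in vs]
    # Platform releases newer than the shipped version: patches definitely absent.
    missing = [v for v in own if parse(v) > parse(shipped)]
    # A tag cut for another platform can carry a higher patch number than the
    # platform tag released the same day, so platform releases numbered at or
    # below it cannot be assumed to be included.
    unverified = [] if is_platform_tag else [
        v for v in own if parse(v) <= parse(shipped)
    ]
    return {
        "is_platform_tag": is_platform_tag,
        "tag_belongs_to": foreign,
        "missing_platform_releases": missing,
        "unverified_platform_releases": unverified,
        "up_to_date": is_platform_tag and not missing,
    }


if __name__ == "__main__":
    for shipped in ("138.0.7204.97", "138.0.7204.63", "138.0.7204.157"):
        print(shipped, audit(shipped))
```

A plain numeric comparison would rank 138.0.7204.97 above 138.0.7204.63; the audit instead flags it as a Windows tag with the Android .63 release unverified and .157 missing.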
Our forum post and this thread were both posted in response to inaccurate info about GrapheneOS posted to promote /e/OS. Once again personally targeting our founder with fabricated stories and harassment from their community is what /e/OS has done before and continues doing.
/e/OS targeted the founder of DivestOS in a similar way and /e/OS supporters directed a massive amount of harassment towards him. It played a significant role in DivestOS being discontinued. /e/OS will not achieve the same thing targeting our founder and should stop doing it.
/e/OS is extraordinarily insecure and non-private due to lagging so far behind on patches and crippling Android Open Source Project privacy/security protections. Selling many devices with many months or even years of missing Critical severity patches and hiding it in the UI is wrong.
Murena's services are not nearly as private as claimed and not at all on the same level as serious options such as Proton's software suite. Many of their services recently went down from early October 2024 through March 2025:
https://community.e.foundation/t/update-on-murena-io-service-outage/61781
It's somehow a paid service.
Lack of secure element throttling for disk encryption means users with a typical 6-8 digit PIN or basic password will not have their data protected against extraction. Brute forcing the PIN or password set by the vast majority of users is trivial without secure element throttling. Users are not informed they're not going to have working disk encryption without a strong passphrase on Android devices lacking this feature. Pixels and iPhones provide a high quality secure element providing this and other important functionality. Samsung devices from the past several years at least have a basic secure element providing some of the protections.