The developer of GrapheneOS is… Interesting, to say the least. Restricts the ROM to a select group of devices, and is very toxic to people who disagree with or even question him.
I understand him though, GrapheneOS without the underlying security hardware is a huge security risk for the end user. It makes people think they get benefits from running a secure os while in fact, they are at the same level as running lineage.
That’s vastly underestimating the hardware on other devices as well as overestimating the danger. There are plenty of software optimizations that can be done to enhance security that work even if the hardware isn’t ideal. Simply ignoring those devices is letting perfect be the enemy of better. Not everyone wants or even can buy a pixel, and that just excludes all of those users (and also sends even more money Google’s way, which I would honestly like to avoid).
There is a lot of people arguing about fine distinctions ITT.
The GrapheneOS leadership (well Daniel) are uncompromising for a reason: this fork will be fundamentally less secure.
You are also right: there are useful features that will improve security on GSI devices. As always choose your threat model.
Hopefully both parties can play nicely.
I think the reason GrapheneOS never did a GSI is because most of their security improvements rely on specific hardware calls that GSI abstractions don’t provide access to. This probably would still be an improvement over lineage though, just not as secure as base Graphene is.
the containerization features alone would make graphene worthwhile over other roms. i hear graphene can pass play integrity attestation inside those too.
It depends. I run GrapheneOS and it can pass everything except the most strict integrity check (which is just that you’re using a custom ROM at all).
In practice most apps don’t have any problems. Google assistant doesn’t really work for me but I’ve seen posts saying people have gotten it working. Google wallet and Google Pay are also explicitly blocked by google, so they will never work.
It breaks the security model. Graphene doesn’t only support Pixel for fun. Pixels have the best security hardware features, unfortunately (until the Motorola device comes out).
I would never use this ROM, personally. At that point I’d just use something like Lineage.
My impression is that Graphene-without-the-features-requiring-Pixel-hardware would still be a much more secure operating system than Lineage (or the other options available).
It ultimately depends on your threat model, but many of the most important security features in Graphene are at the hardware level. Without those, it’s very possible that a bad actor could bypass the rest of the protections, since Graphene is designed with those hardware features in mind.
I saw it already, but those hardware security features also secure the features you mention there. The other features were developed with the hardware security features in mind. Again, without secure hardware, it’s possible for your software to be modified and no longer secure. That’s the broken security model I keep mentioning.
While it could definitely be more secure than other ROMs, security was never tested without the hardware features and thus it could also expose you to attacks because of that. Worse, it could make you assume that you’re secure when you’re really not.
An excellent example is Cerberos. GrapheneOS is able to completely block attacks from Cerberos by disabling the USB port data lanes entirely, something that most (if not all non Pixel phones) are unable to do. Cerberos uses many zero day vectors to break in though the data lanes, and in this case you likely would not be able to block the attack. They’d be able to dump your phone contents and then much of the software security features wouldn’t matter.
Should the world just throw away the billions of non-Pixel devices in use today?
And/or should everyone just give up on improving security at all for the vast majority of phone users who cannot afford Pixels, since they can’t ever be as secure as a Pixel?
Doesn’t GrapheneOS have a lot of benefits besides the 3 pixel-requiring hardening features which are removed in Graphite (and the 3 others which are disabled by default but can be re-enabled on some devices)?
I’m not disputing that those hardening features are worthwhile! Pixels with Graphene are obviously much more difficult to exploit than phones without those features.
But there are billions of non-Pixel phones in the world which aren’t about to be thrown away, and the vast majority of phone users absolutely cannot afford a Pixel. GraphiteOS (if it actually works?) seems to me like it is probably a major improvement over the other options available for them.
I think it’s a lot more than just 3 features removed. AFAIK the whole hardware attestation is based on the Titan chip and you don’t have to trust the devices hardware, because you can cryptographically prove that the software is unchanged. It’s not only about the Auditor app, but the whole integrity of the OS, the boot process and firmware is secured by the Pixel’s hardware or more specific the Titan chip.
And the billions of devices can not be saved by a GrapheneOS fork because they’re mostly missing crucial firmware and generally get no updates anymore. That’s why GrapheneOS is only supporting recent devices and especially Pixel devices because they receive up to 7 years updates.
I’m all into getting people a more secure OS but I fear that a GrapheneOS fork is perceived as a secure OS when it’s actually not. The most important security features are still recent (firmware) updates and hardware attestation, verified boot etc.
Having read the comments I still see two major isssues with this:
This looks like an almost-as-secure-as-GrapheneOS fork, therefore creating a (false) sense of security, because…
GrapheneOS’s security is based on secure hardware (Pixel’s Titan chip) to verify the software. Only having software security without the underlying secure hardware is kind of pointless or at least well… a false sense of security.
Opinions about the GrapheneOS maintainer aside, there are real reasons why device support has been limited to Pixels (note recently announced intentions to support Motorola devices). As long as you understand what you will/won’t be getting with this fork (can it be decrypted BFU/AFU with a cellebrite device?) in comparison to GrapheneOS, then power to you. I recently switched to GOS after years on LineageOS with microG. I do miss my OnePlus hardware, and Graphene took some getting used to. But I do feel comfortable that I’m running the most secure phone now.
Officially yes, but I suspect he is still behind the official social media accounts. Their tone is unchanged and I recently got blocked by the GOS account on Bluesky and immediately by Micay’s account as well.
I’m asking this because I’ve heard about GSI ROMs before and if I’m not mistaken it can run in almost any device, but you might face issues like wi-fi, gps, sensors, bad battery optimization. Which makes it not worth it.
But I wonder if I the ROM can be built using the source code of each device, just like building LineageOS for a given device, for example. Then these issues would be fixed.
It’s all just guesses because I’ve never built any custom ROM for my device, but I read people talking about it on my device groups.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
DROID DOES
Welcome to the Android community on Lemmy. Here you can participate in amazing discussions and events relating to all things Android.
5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.
6. Memes are not allowed to be posts, but are allowed in the comments.
7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.
8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.
But why?
The developer of GrapheneOS is… Interesting, to say the least. Restricts the ROM to a select group of devices, and is very toxic to people who disagree with or even question him.
I understand him though, GrapheneOS without the underlying security hardware is a huge security risk for the end user. It makes people think they get benefits from running a secure os while in fact, they are at the same level as running lineage.
That’s vastly underestimating the hardware on other devices as well as overestimating the danger. There are plenty of software optimizations that can be done to enhance security that work even if the hardware isn’t ideal. Simply ignoring those devices is letting perfect be the enemy of better. Not everyone wants or even can buy a pixel, and that just excludes all of those users (and also sends even more money Google’s way, which I would honestly like to avoid).
There is a lot of people arguing about fine distinctions ITT.
The GrapheneOS leadership (well Daniel) are uncompromising for a reason: this fork will be fundamentally less secure.
You are also right: there are useful features that will improve security on GSI devices. As always choose your threat model.
Hopefully both parties can play nicely.
so that many non-pixel devices can have an OS with most of the benefits of GrapheneOS?
I think the reason GrapheneOS never did a GSI is because most of their security improvements rely on specific hardware calls that GSI abstractions don’t provide access to. This probably would still be an improvement over lineage though, just not as secure as base Graphene is.
Wait… an improvement over Lineage ? That alone makes it worth existing in the first place.
At first I thought, Graphene OS without it’s features… Why? But what you say sounds like it actually makes sense.
the containerization features alone would make graphene worthwhile over other roms. i hear graphene can pass play integrity attestation inside those too.
It depends. I run GrapheneOS and it can pass everything except the most strict integrity check (which is just that you’re using a custom ROM at all).
In practice most apps don’t have any problems. Google assistant doesn’t really work for me but I’ve seen posts saying people have gotten it working. Google wallet and Google Pay are also explicitly blocked by google, so they will never work.
It breaks the security model. Graphene doesn’t only support Pixel for fun. Pixels have the best security hardware features, unfortunately (until the Motorola device comes out).
I would never use this ROM, personally. At that point I’d just use something like Lineage.
My impression is that Graphene-without-the-features-requiring-Pixel-hardware would still be a much more secure operating system than Lineage (or the other options available).
It ultimately depends on your threat model, but many of the most important security features in Graphene are at the hardware level. Without those, it’s very possible that a bad actor could bypass the rest of the protections, since Graphene is designed with those hardware features in mind.
see my other comment in this thread
I saw it already, but those hardware security features also secure the features you mention there. The other features were developed with the hardware security features in mind. Again, without secure hardware, it’s possible for your software to be modified and no longer secure. That’s the broken security model I keep mentioning.
While it could definitely be more secure than other ROMs, security was never tested without the hardware features and thus it could also expose you to attacks because of that. Worse, it could make you assume that you’re secure when you’re really not.
An excellent example is Cerberos. GrapheneOS is able to completely block attacks from Cerberos by disabling the USB port data lanes entirely, something that most (if not all non Pixel phones) are unable to do. Cerberos uses many zero day vectors to break in though the data lanes, and in this case you likely would not be able to block the attack. They’d be able to dump your phone contents and then much of the software security features wouldn’t matter.
Should the world just throw away the billions of non-Pixel devices in use today?
And/or should everyone just give up on improving security at all for the vast majority of phone users who cannot afford Pixels, since they can’t ever be as secure as a Pixel?
But those benefits rely on the Pixel’s hardware. This is contradictory.
Doesn’t GrapheneOS have a lot of benefits besides the 3 pixel-requiring hardening features which are removed in Graphite (and the 3 others which are disabled by default but can be re-enabled on some devices)?
I’m not disputing that those hardening features are worthwhile! Pixels with Graphene are obviously much more difficult to exploit than phones without those features.
But there are billions of non-Pixel phones in the world which aren’t about to be thrown away, and the vast majority of phone users absolutely cannot afford a Pixel. GraphiteOS (if it actually works?) seems to me like it is probably a major improvement over the other options available for them.
I think it’s a lot more than just 3 features removed. AFAIK the whole hardware attestation is based on the Titan chip and you don’t have to trust the devices hardware, because you can cryptographically prove that the software is unchanged. It’s not only about the Auditor app, but the whole integrity of the OS, the boot process and firmware is secured by the Pixel’s hardware or more specific the Titan chip.
And the billions of devices can not be saved by a GrapheneOS fork because they’re mostly missing crucial firmware and generally get no updates anymore. That’s why GrapheneOS is only supporting recent devices and especially Pixel devices because they receive up to 7 years updates.
I’m all into getting people a more secure OS but I fear that a GrapheneOS fork is perceived as a secure OS when it’s actually not. The most important security features are still recent (firmware) updates and hardware attestation, verified boot etc.
Having read the comments I still see two major isssues with this:
This is actually quite a good read and pinpoints the issue. (Sorry for the Reddit-link though.) https://www.reddit.com/r/GrapheneOS/comments/1s8q534/response_to_a_post_about_grapheneos_on_another/
Oh they fixed 50% of the problems with Graphene! Now if they can only do something about the toxic behaviour of the dev behind the og…
Opinions about the GrapheneOS maintainer aside, there are real reasons why device support has been limited to Pixels (note recently announced intentions to support Motorola devices). As long as you understand what you will/won’t be getting with this fork (can it be decrypted BFU/AFU with a cellebrite device?) in comparison to GrapheneOS, then power to you. I recently switched to GOS after years on LineageOS with microG. I do miss my OnePlus hardware, and Graphene took some getting used to. But I do feel comfortable that I’m running the most secure phone now.
Oh man this is great. Maybe some smart folks get it working with Sony Xperia 1 Vii and I don’t have to worry about the sideloading restriction bs.
I wonder what the Graphene owner’s calm and reasonable response to this will be?
Explain?
Daniel Micay, GrapheneOS project lead, has a, shall we say, less refined approach to public relations
Tap for spoiler
He’s a complete schizo when talking about anyone he perceives as disagreeing with him.
To be fair it’s kinda reassuring, if they had a professional PR team I’d be suspicious it’s a government honeypot.
Of course that could just be what they want us to think.
Or what they want you to think they want you to think they think. Good luck sleeping tonight. Lol. ;-)
Didnt he step down from PL position back in 2023?
Awesome, thank you.
He stepped down a while ago no?
Officially yes, but I suspect he is still behind the official social media accounts. Their tone is unchanged and I recently got blocked by the GOS account on Bluesky and immediately by Micay’s account as well.
Ugh thats a shame… guess im not too shocked about him not leaving… Its a shame great projects like this also involve toxic people 🙄
I would love to know, but he blocked me everywhere.
Can this be installed in any device?
Reading that FAQ I get the impression that it should/could run on a very large number of devices, but maybe there is some caveat I’m missing? 🤔
I’m asking this because I’ve heard about GSI ROMs before and if I’m not mistaken it can run in almost any device, but you might face issues like wi-fi, gps, sensors, bad battery optimization. Which makes it not worth it.
But I wonder if I the ROM can be built using the source code of each device, just like building LineageOS for a given device, for example. Then these issues would be fixed.
It’s all just guesses because I’ve never built any custom ROM for my device, but I read people talking about it on my device groups.
It’s a Poco F4 GT (codename ingres).
it may or may not work properly, but in my experience GSIs tend to work well enough.