I was thinking about using graphene OS, but I’ve read some lemmy users dislike this OS due to perceived misleading advertising and the pixel 7a you’re supposed to install graphene on because it’s from google (an advertising company).
Another option would be lineage OS, but there is so much false information about this OS, namely compatible phones that simply don’t work with this OS and no support.
what works for you? I want a phone with no google, that doesn’t force me to use the manufacturer’s ecosystem and that won’t show the apps I don’t want or need (on an asus I own you cannot neither get rid nor hide bloatware)
deleted by creator
Stuck on a relatively new Galaxy rn, but if I could install a custom ROM, it would be GNOME shell mobile
I’ve never tried it out but I want to install nethunter if I had a chance because it can run terminal emulators
deleted by creator
I’ve been using Graphene since the pixel 4a, have never considered going back. It works wonderfully.
I like grapheneos, very close to stock android without google shit
- you got bonus settings like the sensors toggle
Lineage is kinda bad privacy and security wise, from the little I know its not fully degoogled
Lineage is kinda bad privacy and security wise, from the little I know its not fully degoogled
My understanding is kinda the opposite:
- GrapheneOS ships with a sandboxed, FOSS Google Play Services which can optionally do a bunch of Google things (use their APIs, login to Google etc.) plus they have some hosted services that can substitute Google services (like geolocation).
- LineageOS basically doesn’t ship with any Google Play style API/frameworks at all. It’s a pure AOSP experience. Any apps on F-Droid work but third party apps (like ones found on Google Play) are hit and miss. If you can just use F-Droid for all of your apps then LineageOS is probably a much more private and secure offering.
- LineageOS for microG is an unofficial fork of LineageOS which includes a FOSS Google Play Services compatibility layer, a bit like GrapheneOS. As far as I know it doesn’t have the same level of sandboxing as Sandboxed Google Play on GrapheneOS.
Both GrapheneOS and LineageOS publish monthly updates with upstream security patches for all supported devices.
Both GrapheneOS use network-provided DNS by default.
Apparently both GrapheneOS and LineageOS connect to connectivitytest.gstatic.com via http as a Captive Portal test by default,althoughh this was as of 2019-2020 and both might have changed since then.
GrapheneOS ships with a sandboxed, FOSS Google Play Services which can optionally do a bunch of Google things (use their APIs, login to Google etc.) plus they have some hosted services that can substitute Google services (like geolocation).
GrapheneOS doesn’t ship with any Google services by default. We do provide an easy and safe way to install the Google Play components if desired, they are run under the same sandbox and constraints as any other ordinary app you install. Because they expect privileged access that they don’t get on GrapheneOS, we add a compatibility layer that essentially teaches them to work under the normal circumstances that is the sandbox. If you don’t want them you don’t have to do anything, they are not present in that case.
LineageOS basically doesn’t ship with any Google Play style API/frameworks at all. It’s a pure AOSP experience. Any apps on F-Droid work but third party apps (like ones found on Google Play) are hit and miss. If you can just use F-Droid for all of your apps then LineageOS is probably a much more private and secure offering.
LineageOS does make connections to Google by default, as does AOSP. GrapheneOS changes those connections while LineageOS doesn’t. They can be viewed here:
https://eylenburg.github.io/android_comparison.htm
Keep in mind, that table isn’t exhaustive. It lists the regular connections AOSP makes and how each OS handles them, but doesn’t include information on any additional connections that occur.
You can absolutely download apps from F-Droid on GrapheneOS, what makes you think you can’t, and how did you conclude that LineageOS is more private and secure?
Both GrapheneOS and LineageOS publish monthly updates with upstream security patches for all supported devices.
LineageOS is pretty commonly behind on updates. As an example, it seems that LineageOS 21 (based on Android 14 QPR1) came out in February of this year.
https://9to5google.com/2024/03/12/lineageos-21-review/
You cannot ship the full security patches without being on the latest version of Android, which is Android 14 QPR3 now. Of course, if the device is EOL, that’s doubtly the case, and no OS can fix that.
Apparently both GrapheneOS and LineageOS connect to connectivitytest.gstatic.com via http as a Captive Portal test by default,althoughh this was as of 2019-2020 and both might have changed since then.
I don’t know if this was the case in 2019, but it certainly isn’t the case now. On GrapheneOS, you have the choice of using the GrapheneOS server for the internet connectivity check, changing it to Google’s server or even disabling it altogether.
You can absolutely download apps from F-Droid on GrapheneOS, what makes you think you can’t, and how did you conclude that LineageOS is more private and secure?
I never said that GrapheneOS couldn’t download apps from F-Droid. I didn’t mention GrapheneOS being able to use F-Droid in my dot points but that was just an oversight, not intenttional.
GrapheneOS doesn’t ship with any Google services by default. We do provide an easy and safe way to install the Google Play components if desired, they are run under the same sandbox and constraints as any other ordinary app you install.
The problem with this is that so many apps use Google Play Services. If I didn’t want a phone that used Google, I wouldn’t use an OS that bent backwards to make it work.
The sandbox model is OK in theory, except when your bank app asks for permissions for microphone, camera, contacts and files, and refuses to start without them.
The app model is a bit broken IMO and GrapheneOS both enables and perpetuates it.
LineageOS is pretty commonly behind on updates. As an example, it seems that LineageOS 21 (based on Android 14 QPR1) came out in February of this year. You cannot ship the full security patches without being on the latest version of Android, which is Android 14 QPR3 now.
I might be being a bit naïve here, but Android 14 came out in October, 4 months prior to LOS 21, which is not particularly long. Android 13 is still supported by upstream. This sounds a bit like running RHEL or Debian vs bleeding edge Arch, no? It’s a common debate whether RHEL systems are constantly out of date, the counterargument being that vulnerabilities are often found in new software versions. Without real statistics about security vulnerabilities over time it’s difficult to make an informed decision about software version policies.
LineageOS does make connections to Google by default, as does AOSP. GrapheneOS changes those connections while LineageOS doesn’t.
That is excellent, I’m glad to hear GrapheneOS is changing some of the defaults to be a bit better.
The problem with this is that so many apps use Google Play Services. If I didn’t want a phone that used Google, I wouldn’t use an OS that bent backwards to make it work.
GrapheneOS doesn’t “bend backwards” to make apps relying on Play Services work. Sandboxed Google Play is highly compatible and all you need to do is install the apps, just like you would any other apps. The argument that since many apps require Google Play Services, you should use stock OS where they have privileged access rather than being sandboxed doesn’t make a lot of sense.
The sandbox model is OK in theory, except when your bank app asks for permissions for microphone, camera, contacts and files, and refuses to start without them.
The app model is a bit broken IMO and GrapheneOS both enables and perpetuates it.
Apps installed on operating systems that don’t have a sandbox and thus a permission model get access to straight up everything. Your scenario is exactly why GrapheneOS features contact and storage scopes; as an alternative to the regular permissions for more granular control. You can grant an app only a subset of contacts/files or nothing at all, the app won’t complain since on its end, everything’s been supposedly granted. There are more planned features to address other permissions in a similar way. Furthermore you could put it in its own little box via a secondary profile (you can have up to 32), and have that only run when you need it.
I might be being a bit naïve here, but Android 14 came out in October, 4 months prior to LOS 21, which is not particularly long. Android 13 is still supported by upstream. This sounds a bit like running RHEL or Debian vs bleeding edge Arch, no? It’s a common debate whether RHEL systems are constantly out of date, the counterargument being that vulnerabilities are often found in new software versions. Without real statistics about security vulnerabilities over time it’s difficult to make an informed decision about software version policies.
4 months without proper patches to known vulnerabilities is very long. Previous versions of Android aren’t properly supported; they only receive a subset of patches, not nearly everything. In fact, not even Android 14 is currently getting full patches. At the time of writing, for a device to be properly patched, it must be on Android 14 QPR3. It’s why we put great care in porting everything over as quickly as possible. You don’t have to make guesses about vulnerabilities, you can simply look at all of the known vulnerabilities that haven’t been patched yet, or will never be patched, in previous Android versions. It’s not a matter of “what if”, it’s what’s actually happening.
Most of this is right, but needs some things corrected.
LOS is kept up by individual maintainers of the devices, and so it can cover more of them. But that also means you expand your attack surface to lineage, maintainer, microg, etc. And that’s just on supported devices. Unofficial devices are even more wild-west, having much delayed releases, OS updates, security updates, everything.
Not only that, but Lineage requires that you unlock your bootloader and often have your phone rooted to be able to do everything. This introduces special points of insecurity and possible issues in the future.
GOS is from a single source, for a single line of phones, and uses a designed method to load cryptographically signed ROMs onto the device, and then validate updates using the same method. The Play Services are sandboxed and disabled by default, so you can just never use them if you want. Overall, this makes for a more cohesive device. One that is more private and more secure. Especially so, when you can buy a new Pixel device and have guaranteed updates for as long as Google will do so for the same device.
the play services are not installed by default*
Thank you, I missed that
PureOS
I use GrapheneOS. Can’t go back!
Ι use Murena’s e/OS, I like the iphone-likeness of it. It works.
just so everyone is aware grapheneos only support’s pixels because it is specifically designed for taking advantage of the hardware security features found in google’s tensor and titan chips. and thus installing it on another phone would kinda miss the point (and vastly increase the scope of the project)
google is also basically the best company when it comes to phones for custom roms, as they provide stock images, a simple bootloader unlocking process (that doesn’t void your warranty as far as i can tell), and generally the aosp and software support that comes from being the phone of the developer of android.
Also because the google pixel its bootloader can be relocked without much trouble. that is a big part of why GOS only supports pixel phones.
Would like to know too! I use a proprietary OS for now and want to jump ship with my next phone.
No OS is perfect, as you likely do have to use a proprietary modem and some proprietary apps, but CalyxOS works well for me on my Fairphone 4. I like the base install being as free as realistically possible on a modern Android phone, especially replacing Google apps with microG. Just don’t enable SafetyNet if you don’t want it to run (sandboxed) Google blobs. That API is deprecated anyways.
The experience is smooth, free and I get a repairable phone without having generative “”“AI”“” shoved down my throat. A win on all fronts in my opinion.
I use proprietary AOSP because I require online banking :(
Couldn’t you use the website?
Used pixels are surprisingly cheap for how well they hold up over time, and graphene works well.
I totally agree. Used pixels are superb with grapheneos. Syncthing is what i use ad a backup. I think the problemi is that google stops releasing updates after 5 yearss old units don’t get updates I think. I have the 5th June build and it reports a security update of December 2023.
Which generation would you recommend? As used.
I like the 7. IIRC, the 6 had reliability issues, and the 5 was only available in a smaller size.
I miss my pixel 5 :(
Thanks.
I’ve been using a 6 since it’s release, it’s been solid for me. The 7 is slightly sleeker/smaller but they’re almost identical in performance.
7a would be the best balance between cod and expected support timeframe
If you want updates, may be go for gen 6/7. 5a won’t be receiving updates after August 2024.
Thanks
If you don’t live in the EU. Here you get a better new phone from xiaomi/motorola/oneplus than a pixel for the same price. Yes, I get grapheneos and relockable bootloader, but used things are too expensive here. If you need a cheap phone, buy a cheap phone (fuck EU’s import regulations).
I don’t know what you are on about, but if brand-new Pixels are too expensive for you (although their price is uniformed to the US one), you can easily find them second-hand.
That’s the point. You can’t import anything to EU without paying a 20% import tax ±5€ depending on the import. This makes the used device market prices in EU inflated.
Why would you import used devices from the US in the first place? People sell them in Europe too.
Most of the market was from UK (where we all know what happened) plus taxing imports inflated the EU market.
For example at a time where my Pixel 7 was available for 500$ (466€) in the USA + 100$ trade in (93€) for my Galaxy S8 = 400$ = 373€ it still was 620€ in Austria on Amazon, the only way to buy it because Google did not offer it through their Google store here and normal stores didn’t go below 650€. I could’ve gotten 20€ trade in for my old phone = 600€. 60% more than in the USA at the same time.
Used market basically didn’t exist because Pixels generally were a bit overpriced
Doesn’t it seem that this problem is caused by Google not operating the markets in the same way?
Yes, but Persen’s point still stands.
(And Pixels also have way less features here, the only advantage they give is access to GrapheneOS, great camera and AI photo editing)
Which features do the lack?
US-only:
Call screening
Hold for me
Direct my call
Wait times
Call transcription
Answering calls with text to speech
Emergency calls on crash
English-only:
Speaker labels for Google recorder transcripts
Google recorder transcripts generally don’t work well in other languages, but at least the option to get a subpar transcript exists
Probably missed some
GrapheneOS is perfect. Pixel phones are Google hardware yes, but works like a dream once GOS is installed. NO MORE GOOGLE !!! Frequent OS updates, love it
I loved it too until I forgot my wallet one day. It’s the one thing I had to go back to stock Android for because I forget everything but my phone constantly.
Low-tech solution: keep your bank card in your phone case
You can’t pay with the phone with GrapheneOS?
I’m afraid not. You can have Google Wallet installed but you can’t have bank cards on it on GrapheneOS.
Edit: this link for more context
Ty. Saving others some time:
Contactless payments work fine on GrapheneOS. It’s not like there’s something fundamentally incompatible about them. It just so happens that the most prevalent implementation (Gpay) requires a Google certified OS. The options right now are as follows:
People find alternatives (such as their bank) which provide this without using Gpay and don’t require a certified OS themselves.
This is implemented, which would at least temporarily allow people to use apps that require a certified OS on GrapheneOS: https://github.com/GrapheneOS/os-issue-tracker/issues/1986
Apps currently requiring a Google certified OS whitelist it as per https://grapheneos.org/articles/attestation-compatibility-guide (though it is of course very unlikely that Google themselves would do this)
But:
Barclays in the UK is only one example of contactless payments working without Google Pay, there are other banks in France for example for which we’ve had reports of similar contactless payment systems working. They exist; though I’m under no illusions that they’re prevalent, since I imagine from their POV, implementing Google Pay is much easier and maintainable.
On the spoofing CTS checks thing, I did not mean to insinuate that you or some other user would be the one to implement this. When I said “an option is for this to be implemented”, I meant the development team adding it to GrapheneOS. The issue is currently open and was opened by someone on the development team, so it’s not a feature that the team has ruled out. As with everything on GrapheneOS, though, the best way to approach it has to be determined, which can take time.
On your 3rd point, lobbying Google to whitelist GrapheneOS by using that guide is realistically never going to happen. Other OEMs that have to go through certification and pass CTS (compatibility test suite) which GrapheneOS doesn’t (because it adds things like new permissions which deviate from the compatibility goals that Android has set) would be outraged if that ever happened. In fact, I would wager that it would be a much more realistic scenario for someone to invest millions into funding a company that provides an alternative to Google Pay without puttng it behind a CTS check, rather than Google ever whitelisting GrapheneOS.
When someone says “contactless payments don’t work on GrapheneOS”, it’s not immediately clear to everyone that what is meant by that is “there aren’t good options for people to use right now” and I wouldn’t want someone to think that contactless payments are fundamentally incompatible with GrapheneOS, or that it breaks them somehow. Contactless payments via Gpay on GrapheneOS don’t work as of right now for the exact same reason why the McDonalds app in some countries (I kid you not) doesn’t. SafetyNet / Play Integrity API and their ctsProfileMatch and MEETS_DEVICE_INTEGRITY checks accordingly.
Didn’t know about Barclays! Thank you for educating me.
No, Google Wallet doesn’t pass the security check.
Which is weird because I thought Graphene can pass attestation. I can pass it and use Wallet with Magisk on an unlocked bootloader, not sure what’s preventing on Graphene.