/e/OS is not fully degoogled, as DNS connectivity checks, hardware attestation provisioning, and eSIM activation all go through Google.
It is often many weeks or months behind on security updates, especially in the WebView, which makes it easy to exploit.
It doesn’t support bootloader locking on many devices, and if you lock the bootloader on a phone that does support it, it could brick if /e/OS is on an older security patch than the stock ROM was.
It doesn’t use a lot of the hardening in GrapheneOS such as hardened_malloc which prevents memory corruption exploits, even if the hardware supports it.
And finally, /e/OS’s text-to-speech sends what you say to OpenAI, despite local options being available.
If you want a properly secure Android phone, the best option is GrapheneOS, however it only supports Pixel phones and future Motarola phones due to its high security requirements.
If you can’t get a Pixel then iOS in lockdown mode is the next best option, however if you can’t replace your phone, LineageOS is much worse than Graphene although it is still much better than /e/.
Sorry but this sounds again like the typical e/Os bashing from GrapheneOS users.
Those two system are not the same. One is focused on security and the other on privacy.
Yes I know about the issues of e/OS, but it is still better than using Google or Apple.
For me personally I moved cause I don’t want to support american companies. So Graphene was no option, as I would need to give google some money or buy one 2nd hand. But Pixels are still quite expensive compared with others.
Why do you always need to attack other systems, they can coexist. We should be happy people have more options to break free from Big Tech companies.
There is no privacy without security. Android is one of the most widely exploited OSes and every month a dozen or more critical severity vulnerabilities are patched. Being 1-2 months behind on security patches is inexcusable for a privacy project.
Are those vulnerabilities ever exploited? The stats I’m seeing say that 30% of users run outdated Android version. Most attacks are malware apps installed from Play Store and mobile phishing sites. Yes, you have 0-click vulnerabilities but is anyone really setting up spoofed BT devices in public places? I think the risk of getting your phone taken over this way is extremely low, specially if you’re doing basic things like disabling BT when not in use. Tracking on the other hand is extremely common. Most non-open source apps will connect to multiple analytics and tracking APIs. I care more about controlling those connections than about theoretical attack using some 0-day exploit. GrapheneOS doesn’t have good tools to monitor and block trackers. /e/ and iode do.
So you’re excusing lazy patching with improbability? Personally, I wouldn’t bet my privacy and security on a criminal’s lack of motivation.
It’s like eating candy from a bowl in which 5 are poisoned and 5000 are harmless. It’s improbable for you to pick a poisoned candy but because the consequences of choosing wrong are so perilous, I wouldn’t choose at all or choose a bowl with less poisoned candy.
Yes it does. Rethink has (in addition to other awesome features) a local DNS blocklist option which you can configure to automatically block almost all telemetry apps send.
Of course I am. I’m not paranoid. You always prioritize the risks. Looks like you’re worried about highly motivated hackers targeting you specifically. That’s ok, you’re probably basing this on some sensible risk assessment and you concluded that you’re a potential target for state level actors or criminals. Maybe you’re a political activist or just very rich. I’m neither so I’m not really worried about someone targeting me specifically. I’m worried about malware (I don’t install apps from random sources) and phishing (I don’t click on random links). If you’re worried about extremely unlikely attacks you’re either wasting time or treating this as a hobby.
DNS blocklists are not enough. iode and /e/ offer more fine grained control and monitoring. You can permit some connections temporarily or permanently for specific apps only. Not to mention other features GraphenOS is missing like pattern unlock, backups or navigation shortcuts. Sacrificing all this just to be protected from very unlikely attacks is simply not worth it.
Not really, no.
Not patching security vulnerabilities leaves you open to not just targeted attacks but also wide spread attacks, which also use the same exploits that nation states use. Just look at the recent Coruna debacle.
Let me bring another analogy. You live in a town where theft and burglary is rampant. You have a lock on your front door but the lock is based on a legacy design which is not hard to pick. Sure, no one has broken into your home yet but if you keep using an antiquated lock, it’s a matter of when not if. And it’s not like only rich and important people’s houses are broken into. Everybody who’s vulnerable can and eventually will get attacked. If I had to choose between risking burglary and paying a little extra for a better lock, I’d choose the latter.
I don’t have to be a political activist to take measures to protect myself online nor rich to afford a used Pixel.
To each their own, I guess.
So you mean like OpenSnitch? If so, Rethink also has that.
EDIT: grammar
Even coruna was specifically targeting crypto wallets. Some articles say it was a ‘broad scale’ attack but I can’t find any info about how it was distributed. Anyway, if you’re using crypto wallets you have to be more careful. Traditional banking is protected by TFA and very often additionally insured. Again, risk assessment.
Oh, and I tried Rethink but it works as a VPN so you can’t use other VPN apps with it. The app iode has can be used with any other VPN.
I think you might not understand the meanings of privacy and security.
These are two different things, you can have privacy without security and the other way around. Having both is the best case.
As @ExLisper@lemmy.curiana.net said, some people care more about all those app trackers rather than have a full secure phone.
If there would be the one solution 100% privacy and security and available for most phones I would instantly use it. But it is not available yet.
If you are happy with Graphene OS good for you, but keep in mind it might not be what everyone is looking for.
I still dont understand /e/OS. Just use LineageOS. It supports all the same devices and doesnt lag as far behind. You can choose to run an insecure OS if you like (see: all Windows 10 users) but definitely don’t recommend it to others.
You cannot have privacy without at least basic security. Targeted attacks are not the most common kind of attack by long shot. Threat actors scan for vulnerable devices and use automated scripts to execute attacks. Android is one of the most exploited targets. With an outdated OS your browser could be exploited and used to get a sandbox escape, possibly chaining it into root escalation. It all depends on the vulnerabilities found and the longer you wait the more likely for the “stars to align” for the perfect attack. Look at CVE-2025-48593 for an example, zero-click RCE. In recent memory there was also a zero-click RCE utilizing specially crafted MMS, meaning an threat actor could send messages to all phone numbers and try the attack in mass.
/e/OS is by far the most behind on updating security patch levels of the AOSP ROMs (at ~2 months), iode is ~1 and everything else is better than those two.
Privacy without security is not real privacy, it is a mirage.
Security without privacy is like a fortress with cameras inside, a known threat (eg. Gapps Android).
Privacy with security is like a fortess with no known threats at all (eg. AOSP with timely security patches).
Privacy without security is like a fortress where some of the locks have rusted through and if someone tries they can open the doors. It is like replacing the walls with cardboard. “No one can spy on me now” you say in your cardboard castle.
As I said good for you, if you found your solution.
So where did I recommend it to others. I just said why I chose it.
I am fine with waiting for the security patches and the comparison to Win10 does not work, as this version does not get any security patches at all anymore.
I will keep sitting in my cardboard fortress and will wait until someone finds me.
I think you replied to the wrong comment but you said the right thing :)
To me it shows me that I replied to the right comment. I just tagged you, as I agreed with what you said in your comment below.
Ok, I guess no one tagged me before. TIL.