hckrnws

GrapheneOS always strikes me as "perfect is the enemy of good". I don't necessarily need top-notch security features, I've been all right with all kinds of Android phones. The things I'd like are:

- ability to sandbox Google Play and Google Apps so that they live in their nice little Google bubble and have no control over my phone overall

- ability to run all applications sandboxed with fake permissions that I can whitelist for each application and without letting the app know it doesn't have the permissions it wants. Want location? Give the app a location point I've fixed for that app. (Or pass through real GPS location if I've chosen so.) Want contacts? Give the app empty contacts list. Or if I've allowed, give the app the contacts I've whitelisted.

The Android/Google ecosystem is all right in itself, I just want to limit all of it inside a cage that I control. I want the exact same for my browser: I want webpages to run in a highly controlled sandbox with my choice of spoofed environment and permissions instead of assuming any power over my system. Or my Linux desktop where I firejail or sandbox certain proprietary apps outside of my distro's repositories.

GrapheneOS has an OEM partnership with Motorola where they're working on improving their devices to meet our requirements because we won't lower our standards for updates and security features. A lot of work needs to be done for each supported device. There's a massive amount of work bringing the security-oriented, production-quality hardware memory tagging integration from Tensor to Snapdragon. We're working with Motorola and Qualcomm on it. If we simply ported it to many insecure devices we'd need have the time to work on features like this or the power to get an OEM and SoC vendor to work with us on it.

GrapheneOS has Contact Scopes and Storage Scopes for pretending all of the contacts, media and storage permissions are granted with the app unable to access any additional user data without the user explicitly adding it on a case-by-case basis. Unlike the recent iOS feature, apps can't see the Contacts permission group isn't granted and it supports giving less data than the whole contact too. It also supports labels for groups of contacts shared between apps.

Mock Location is a standard Android feature. We're working on a per-app Location Scopes replacement. We're also working on Camera Scopes and Microphone Scopes. We plan to continue down that road covering less major permissions too.

Sandboxed Google Play already works near perfectly with close to 100% app compatibility. It's only apps disallowing using a non-stock OS via the Play Integrity API or to a lesser extent certain other methods which aren't compatible. McDonalds is a major example. X forbids password login but you can use Vanadium to login with a passkey and then use that in the app. ~10% of banking apps do it but not most. We've convinced multiple banks to permit GrapheneOS, and that's going to become MUCH easier now.

This is very useful context. Especially around Contact Scopes etc. It's never made sense to me that iOS shares if the user is choosing to not share their contacts.

Apple seems to basically do privacy-related things to an 80% level but not bothering with getting it totally correct. This makes business sense because the extra 20% is way more difficult, but it's great to see GrapheneOS going all the way.

> We've convinced multiple banks to permit GrapheneOS, and that's going to become MUCH easier now.

I did not know that. That is very interesting.

On that topic, an honest question: what is the killer feature of banking apps that everyone is so hot on? Are we talking like retail banking or money transmitters? I am not using any bespoke banking apps, and I don't feel like I'm missing out, but maybe I just don't know what I'm missing.

What does detract from my GrapheneOS experience is the keyboard. It's just ok. I need swipe typing though, and I haven't found anything even close to gboard glide.

We are talking about banking and pseudo-banking apps with the following typical features:

* A wallet for QR-code based payments backed by a national standard for their content and by the money in your bank account;

* A software implementation of an NFC-enabled credit or debit card, or sometimes with a magnetic strip emulation in addition to that;

* An interface to transfer money to other bank accounts in the same country or abroad, or to convert between local and foreign currency if you have a foreign currency bank account;

* A way to pay common utility bills - in some cases, by scanning the QR code on the bill;

* A way to manage banking and investment accounts - e.g., if you want an extra savings account in Japanese yen with a new debit card attached to it, tap a few times and it's there;

* A chat with bank representatives - for example, to provide supporting documents by photographing them, without ever visiting the bank;

* A second factor (as in 2FA) to approve money transfers initiated from the desktop web browser, meeting the bank standards where TOTP can't meet them (e.g., due to the legal requirement to say what transaction the code is for).

The real problem is that many banks are deprecating their browser-based interfaces and are turning app-only.

> The real problem is that many banks are deprecating their browser-based interfaces and are turning app-only.

What bank does that? If my bank did that, I would find a new bank immediately. That is not OK.

> On that topic, an honest question: what is the killer feature of banking apps that everyone is so hot on? Are we talking like retail banking or money transmitters? I am not using any bespoke banking apps, and I don't feel like I'm missing out, but maybe I just don't know what I'm missing.

For me, the killer "feature" is that I need to generate an auth code on my bank's app to be able to log in to my account and make transfers via my browser (or I can use the app directly). In other words, it's considerably more difficult to actually do (retail) banking without my bank's app.

Got it. That makes more sense, i.e., that you're essentially required to use it rather than getting something in addition.

My bank's killer feature is that they're app-first and web-first because they only have one physical branch in San Antonio. They were one of the first banks in the nation to allow you to electronically represent checks for deposit, and they did that first through their web app and then later through their mobile app.

For the keyboard I recently discovered HeliBoard. You have to add a gboard's library to enable glide typing, but so far I really like it.

https://f-droid.org/packages/helium314.keyboard/

Woah. I've been looking around for months. That's huge. Thanks.

What, exactly, is sandboxed Google play prevented from accessing? Can I feed it a fake location or disable location access? Is it prevented from running in the background 24/7? Can I force it and just it through a VPN? Or is it just blocked from accessing apps and files that aren't in the sandbox? There are many such questions and all could be considered "sandbox".

Sandboxed Google Play receives no special access at all, so you can deny it all permissions if you want, but you should grant network (and maybe notifications) permission for it to actually function.

https://grapheneos.org/features#sandboxed-google-play

Well that's a bit misleading answer. Some apps refuse to work if G services are disabled, so they clearly communicate with them. It would be nice to know what exactly G learned about the phone through those "sandboxed" apps.

It's an Android service. But unlike on regular Android where Google play services have hard-coded special permissions, on Graphene it is an ordinary android service with all the same strict rules applying to it, as to any other service you could write.

So an application of course can use other android services if it declared that, that's why it can see whether it's running or not. But you are in full control whether google play services is installed, and what it can use.

Of course this may break certain apps (Google maps location sharing will probably not work with the location permission denied for play services), which may or may not degrade gracefully.

I denied the contacts permission to the Play Services. It just shows a notification when it tries to access them, which is actually not common at all.

In what ways has the pursuit of perfection harmed the good in their development? (Your words, I don't agree.)

Graphene does everything you're asking, except for the niche fixed location feature you specifically want, which you're welcome to request, or just implement yourself and make a PR.

I'm going to be a bit snarky here, but I always find the entitlement around features in open source software baffling. This isn't a multi billion dollar corporation selling you something. It's enthusiasts making you something (honestly, incredible), for free, in their spare time, outside of their daily jobs. They're doing their absolute best here.

Our approach is why we have a partnership with Motorola where we're working with Motorola and Qualcomm on improving security of the devices to meet our requirements. It takes longer to get things done the way we want but that's part of the purpose of GrapheneOS. For example, it took us longer to have our own network-based location and geocoding but now we have great implementations of both. Our network-based location currently closely matches iOS but is going to have full offline support developed for it. We're working on our own local model text-to-speech at the moment too, although our focus is currently Android 16 QPR3 related work as a higher priority which delayed it. We do plan to overhaul or replace all the legacy AOSP apps, but our priority has been working on things people can't simply replace by installing more apps.

> In what ways has the pursuit of perfection harmed the good in their development?

Their lack of device support means I am still running Google's Android and will continue to be until a GraphineOS-supported device that meets my needs becomes available. This means I'm not just lacking in security, but I'm also stuck with Google and all of their anti-consumer practices.

Running GraphineOS without all the security features they want would be better for me than what I currently have.

When the complaint people have about a product is "I can't use it and I really wish I could", I feel like it's a good problem :-).

> Running GraphineOS without all the security features they want would be better for me than what I currently have.

But then it would be like running LineageOS, which is a great (but different) project. Why not using LineageOS?

And this is somehow harming who?

You're free to fork it to adapt it to your device.

The expectation that the entire project brand must be diluted (by lowering the security) to support you specifically, or you feel wronged, is a little, my apologies -- absurd.

Yes, but do these enthusiasts care at all if it meets some need for the users? I suspect that they do.

And how can they find out how well it meets that need other than receiving (respectful!) feedback?

I don't follow. The poster above my comment complained that graphene os was lacking a list of features is already has, so I corrected that.

> Yes, but do these enthusiasts care at all if it meets some need for the users? ... And how can they find out how well it meets that need other than receiving (respectful!) feedback?

What makes you think they don't? Can you point to any instances of them ignoring the community at large?

You can open an issue in any of the open source repositories and request a feature. Others can vote and comment on it. Or you can discuss it in the very lively forum. All methods used to steer the project towards the desires of the users.

In case you can't find them: https://github.com/GrapheneOS https://discuss.grapheneos.org/

This whole conversation just feels weird and specious to me.

I want them to implement a feature where the phone prints money.

The ability to fake the location on a per-app basis is called "location scopes". It is being worked on, as mentioned here:

https://discuss.grapheneos.org/d/27926-per-profile-location-...

Currently there is a Mock Location feature, but it is globally scoped and not what you asked for.

> GrapheneOS always strikes me as "perfect is the enemy of good".

GrapheneOS, as it ships, is rather bleak but you also need to consider that it is addressing the concerns of a very broad audience. That ranges from people who want to completely get rid of data leaking apps to those who want the apps but expect them to be sandboxed. Shipping two different versions won't really help them. It would only make more work on their end, with the results only reflecting two extremes. You are going to have some people willing to put up with some apps, but not others. You are going to have some people wanting some of those apps feeding fake data, but not others.

It's probably best to think of GrapheneOS as a base system that you build up to serve your personal needs, rather than thinking of them shipping it in a "perfect" state. While a handful of people will be happy with it in its default state, many will install something like F-Droid along with a collection of privacy preserving apps. Many others will install the Google Play Store along with a personally curated list of apps that reflect their needs, providing or denying access to their data as they see fit.

I believe the "build up" approach is the only viable way to handle this situation since we are talking about a group of users who are actively seeking out a third-party OS since they are particular about their needs. This isn't the typical consumer who will (gleefully or begrudgingly) put up with whatever the device vendor feeds them.

Our approach is why we have a partnership with Motorola where we're working with Motorola and Qualcomm on improving security of the devices to meet our requirements. It takes longer to get things done the way we want but that's part of the purpose of GrapheneOS. For example, it took us longer to have our own network-based location and geocoding but now we have great implementations of both. Our network-based location currently closely matches iOS but is going to have full offline support developed for it. We're working on our own local model text-to-speech at the moment too, although our focus is currently Android 16 QPR3 related work as a higher priority which delayed it. We do plan to overhaul or replace all the legacy AOSP apps, but our priority has been working on things people can't simply replace by installing more apps.

i don't understand, doesn't that make graphene the opposite of what that saying refers to? it's a real life project that has almost all of the features you mention while not being lagged down by pursuit of perfectionism?

That relates more to the public rhetoric surrounding Graphene than with how the OS itself operates imo. It's pretty practical and enables (or allows you to enable) everything that a typical Android does, except where Google Play Integrity checks fail, which is not in Graphene's control (e.g Google Wallet payments).

People bill it as making a ton of usability compromises in the name of security, but that doesn't match my experience. The only redeeming observation is that your phone _does_ lean towards secure-er and ungoogled defaults, which _does_ break functionality that a lot of people expect to "just work" OOTB. But it's trivial to restore it, and the upfront effort getting things to work is amortized over the lifetime of the device. It's maybe an hour's worth of work.

The counterfactual world where users need to forumcrawl how to get to secure/private defaults seems worse to me. By contrast, it's pretty easy to recognize when an app isn't working.

I agree with your post, but I wanted to point out one thing:

> People bill it as making a ton of usability compromises in the name of security, but that doesn't match my experience.

When you are talking about something like GrapheneOS, most of the people who are talking about usability compromises aren't worth listening to since they are looking for something that is pretty much the exact opposite of what GrapheneOS is trying to provide. While there are likely some legitimate criticisms in the mix, the compromises required for "works by default, for everyone" are pretty much the opposite of what GrapheneOS is.

It's worth noting tap-to-pay is available via Curve Pay and other options in Europe. We intend to get the Google Pay issue resolved.

I mean, GrapheneOS hits at least 2/3 of your demands pretty well. The Play services are "regular" apps with permissions that you can take away. For contacts and files you get "scopes", i.e. you decide what the app can see, while the app is left to believe that it can see everything there is.

That said, I think the marketing of GrapheneOS could be better. Every introduction of GrapheneOS I've seen paints the image of Graphene being "Absolute security, no compromises", whereas in reality GrapheneOS is the most "Things need to work, no compromises. Then make the rest as safe as possible" custom ROM that I've used thus far (in particular regarding them allowing you to install Google Play, rather than using MicroG).

I would certainly be using GrapheneOS if only I could get one to run on something else than a Pixel.

I have a perfectly good phone whose bootloader can be unlocked and I can install LineageOS or other AOSP installations there but all I'm aware of and I've researched come short on the sandboxing and permissions. I'd be willing to use GrapheneOS without support for specific security hardware (if only they supported that configuration) just for the features mentioned but Pixel phones are just too expensive. I've always been more than happy with a decent low-tier phone and I don't see a technical reason to change that. Nothing wrong with my phone.

> I would certainly be using GrapheneOS if only I could get one to run on something else than a Pixel.

But the whole idea of GrapheneOS is the reason why it (currently) only runs on Pixels. On other phones you can run anything based on LineageOS...

I don't want GrapheneOS to compromise on that: if I didn't care about it, I would use any other alternative. To me it's a bit like saying "I would be using Linux if it was a lot more like Windows" (that's something I often understand when Windows users explain what it would take for them to use Linux). But I, as a Linux user, really don't want Linux to look a lot more like Windows.

Pixel A's are quite affordable. GrapheneOS is open source so if there was a need, people could get it to run on insecure devices that aren't Pixels. Expecting that to be done by GrapheneOS developers who care about security just seems weird.

> Pixel A's are quite affordable

There's first-world, upper-middle-class affordable (~$500) and then there's global affordable (<$250).

I got a Pixel 7 secondhand (but good condition) for the equivalent of about $270. It would have been less but I needed 256 gb of storage.

FTFA: it will run on upcoming Motorola devices as well.

Yes, that's why I was reading this thread :)

Doesn't help with the current situation though but I hope the partnering between Motorola and GrapheneOS is still up and going in a few years when I'll next have to replace my phone.

I'm personally happy with LineageOS on OnePlus stuff, but have you considered getting a Pixel that's 2 gens or so old from eBay? I find old flagships drop in price pretty quick and are often a better deal than a new low-end phone.

Mock Location exists but our Location Scopes feature will largely replace it for non-development use. Camera, Microphone and other scopes features will be provided too. We haven't fully fleshed out what the ones for other permission groups such as Phone will look like yet but it's planned.

Would there be any means of preventing apps from seeing one's phone number, IMEI etc.?

> Want location? Give the app a location point I've fixed for that app.

How do you do that in graphene os?

There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.

That's doesn't seem to be a thing [yet]. All I managed to find was this comment from the developer which talks about it (CTRL+F, "location"):

https://news.ycombinator.com/item?id=42536302

There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.

That's true. Do those caveats from that older comment still apply? Will apps be able to tell that location is being spoofed when using location scopes?

This is your lucky day!

First is very comprehensively delivered, second is halfway done, halfway in progress.

Good luck!

I'd also like to remove as many apps as I want. If something breaks I'd eat it and re-install the whole system.

You can disable many system apps via the Settings UI. For ones where the naive heuristics or manual exceptions believe it may break something and have it disabled, you can use ADB. You can also uninstall apps from a profile including Owner with ADB instead of disabling them which is NOT a good idea but you can do it...

> Want location? Give the app a location point I've fixed for that app.

How do I do that? Been using Graphene for many years but did not know this was possible.

You can't; OP was making a list of GrapheneOS wants without realizing they were mostly just describing how GOS works. That bit was the only miss.

There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.

Thanks. So, a misunderstanding from the OP and not a feature specific to Graphene?

> We're making a better per-app Location Scopes feature

Cool!

There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.

I want to know too.

There's a standard Mock Location feature in Android usable for it. We're making a better per-app Location Scopes feature as a replacement. Mock Location is global which has bad usability.

Sounds like you might not be the target audience of GrapheneOS then?

That's fine. You don't have to be

One thing that annoys me is the ability that my mobile carrier has to just throw ad popups.

Is that something that GrapheneOS fixes?

Wtf‽ I didn't know that was possible.

Your carrier does what now?

I have a pixel 8a with a TIM SIM card and every once in a while I see an ad popup on my phone.

Like a popup how? What kind of dialog is it? It's more likely to be an app that's bundled by your carrier than your carrier MitM'ing ads into your stuff which is kinda what it sounded like

Just a message popup, a window with dark background and some text ad on it.

I did not buy this phone from a carrier, just added the SIM card later.

Really surprised to learn this doesn't happen to others. Always assumed that the SIM card had some special privilege given by Android.

Sounds like your carrier is abusing STK to display ads.

See https://www.browserstack.com/guide/stop-popup-messages-in-an...

Caveat: if they're doing that, then they're almost certainly data mining your data streams (e.g. dns lookups etc.)

I wouldn't feel secure on such a carrier unless I also VPN'd traffic to a reputable provider (Nord, Express, or Proton) and forced DNS over TLS to known servers.

SIM cards can come with apps preloaded. There was a carrier in Mexico that would load a SIM app for Dominos Pizza and you could order a pizza from your phone if you were on that carrier. I learned this because of some carrier certification feedback I had to disposition at one job.

Go to [Settings] » [Apps] » [Special app access] » [Display over other apps] and check if any preinstalled carrier apps or anything suspicious has this permission granted.

Just checked, and only "Phone" and "Google" have this permission.

There are no preinstalled apps, I bought this phone clean on Germany and then added a Brazil's SIM card when I got back.

Could it be that the SIM card has some control over the Phone app?

Apparently this is handled by the privileged STK[1] service. It can launch browser which is I think what's happening.

GrapheneOS presently doesn’t do anything different in this case, they pull it from AOSP without modifications. However you can disable it using the frontend app (SIM Toolkit) as someone pointed out, but as far as I can tell this requires the applet on SIM card to cooperate (offer the opt out).

Otherwise you can disable the STK altogether with ADB but that will also block you out of other SIM card interactive functions, which might not be a big deal however.

Edit: "We plan to add the ability to restrict the capabilities of SIM Toolkit as an attack surface reduction measure. (2022)"[2] and open issue[3].

[1] https://wladimir-tm4pda.github.io/porting/stk.html

[2] https://discuss.grapheneos.org/d/1492-blocking-sim-toolkit-m...

[3] https://github.com/GrapheneOS/os-issue-tracker/issues/875

Can't you just change your carrier?

I would rather have a phone that doesn't let my carrier show random messages whenever they feel like it.

> GrapheneOS always strikes me as "perfect is the enemy of good"... I've been all right with all kinds of Android phones

I fully agree with you. I never received a reasonable reply to this from GrapheneOS fans or developers. Latest attempt: https://news.ycombinator.com/item?id=47182376

>Latest attempt: https://news.ycombinator.com/item?id=47182376

Your Qubes OS comparison doesn't really work because Android distributions need extra work to support each new device, whereas for Qubes OS, they're probably using some virtualization framework that makes it pretty trivial to add support for CPUs without virtualization. There's nothing stopping you from starting a new fork that supports your motorola phone, for instance.

I understand that supporting new phones is a lot of extra work. My only question is whether the developers of GrapheneOS would accept patches from community for such support without full set of security features.

"accepting patches" is still a lot of work and often means taking on the maintenance burden; i suspect that if qubes had to do extra hardware enablement work/maintenance for VT-d-less devices they might've had the same position

Qubes hasn't always shipped Xen patches nearly as quickly as I would like. It's the unfortunate reality of the situation they're in, simultaneously trying to catch up with broad-spectrum device support, with a miles-long HCL with many entries having sub-threads attempting to resolve significant compatibility issues. Don't buy hardware that's too new, don't buy hardware that's too old, certified hardware doesn't necessarily stay certified, and so on. It's a mess.

I love what they're doing and it's my preferred daily driver, but from a security standpoint they're still pushing molasses up a sandy hill.

You keep coming back to this. GrapheneOS accepting community patches with a reduced feature set (hardware security) degrades the nature of the project. It's an absurd proposal.

Fork it, make your own. Not only are they OK with that, they're actively supportive of it.

Criticizing them for not actively supporting the Balkanization and unavoidable dilution of the security and therefore total value of their project makes me wonder whether the strength with which you hold your opinions has any meaningful connection to the extent to which you even understand the subject matter. It's just mind-boggling the things you assert every single time an OS you don't even use comes up.

Your love of Qubes OS (which I share) somehow even increasingly seems rooted in something that just isn't reality. If it were, you'd be able to fairly assess both projects and see the relative strengths and weakneses of both with useful accuracy.

As it stands, you're just spouting harmful noise. Please don't do that.

GrapheneOS is not QubesOS. We have our own approach and goals. Our approach includes heavily focusing on our resources on our mission which includes needing to do a lot of hardware-related work to deploy features like hardware memory tagging. We're actively working with Motorola and Qualcomm on improving their hardware to meet our requirements. We're also going to work with Qualcomm on improving Linux kernel security. It's not part of our mission to support devices where we can't provide our core feature set. It would drain a huge amount of our resources and lead to people buying those instead of devices with real GrapheneOS providing all the features. Supporting devices with less than 7 years of support also isn't very appealing when we have those via Pixels and can have the same for the new devices.

GrapheneOS does support budget devices. Pixel 8a, Pixel 9a and Pixel 10a are budget devices. It's true that they aren't on the low side of budget pricing at launch but they have 7 years of support from launch. Pixel 8a is approaching 2 years old but has over 5 years of support remaining. The only limitation in practice is that Pixels aren't sold officially in enough countries yet, which can be solved by our Motorola partnership. We don't need more than a range of devices fulfilling what most people want which are available internationally. People would still need to go out of the way to buy a device with GrapheneOS support if we supported more than the 20 models we do.

You're also ignoring all of the work we have to do on devices which is already a massive amount with 20 supported models of Pixels. We build specialized releases with minimum attack surface for each with plans to use per-device RANDSTRUCT and other similar features too. We could make most of the OS builds generic as AOSP has support for it but it goes against our goals. We also have to test it on each device ourselves before Alpha. Each device needs to be tested more broadly by our community.

Our goals have never included supported a huge range of devices. It would drain our limited resources and destroy our ability to provide what we do. It would water down what GrapheneOS provides and sabotage our ability to partner with OEMs. It simply doesn't interest us. People are free to use LineageOS but we strongly recommend avoiding the supposed privacy-focused forks of it which are worse at privacy and security. On nearly any device you won't get basic kernel, driver and firmware updates with LineageOS and it's not a privacy or security hardened OS. Their time is largely spent on device support and it massively slows down how quickly they can do updates too. They wouldn't have time to work on the kinds of privacy features we do let alone the security ones. It isn't as if they're not working hard on their project, they just chose different things to work on and we aren't choosing those over what we work on.

GrapheneOS will run on more than Pixels soon. It will start with a regular flagship and then both flip/fold variants. It can then start supporting lower end devices once they improve. The OEM is going to be helping us implement and maintain it which is the only reason it's going to be practical to do it. We already struggle to support as many devices as we do but it's going to be easier on our end to support the ones from Motorola than supporting Pixels due to collaboration.

There it is.

Ahahah.... This thread doesn't show what you think does.

Unfortunately you come out as whining that the project focused on security doesn't want to support insecure hardware.

Go for it, fork, call it, say, ClayOS and have GOS on whatever you want. Why would someone else have to do something that's contrary to the project just because you want to lower the security?

Bizarre. Just fork it mate.

If you feel like you can't get a reasonable reply from anyone on a given subject, it's possible that the subject matter is purely indefensible and everyone but you is wrong about it, or it's possible that there's one constant in all this which you're overlooking.

Anyway, in terms of laptop/desktop security, Apple's doing the best job of anyone on that front at present and is still moving in the direction of improvement. Overall, modern Pixels running GrapheneOS are still the most resistant to a variety attacks, compared to just about any consumer device with any practical value.

Most laptop/desktop hardware architecture is wildly vulnerable in some specific ways that Pixels and iPhones just aren't, and no amount of OS enhancements built on that foundation will fully overcome its limitations. Your refutation to that is typically, "But, Google." I get it. I'm no fan of Google, but their architectural chops on modern Pixels is excellent.

Suggesting in the next breath that people look at the Librem 5 or PinePhone while criticizing the security of GrapheneOS makes me think you might just be completely out to lunch on this one. The Purism project is just not a serious security project in so many ways, and while I appreciate the appeal of hardware switches, the rest of their approach makes the hardware switches and domestic supply chain option and shipping protocols little more than security theatrics. The Librem 5 is so easily compromised that the switches are practically a necessity, I suppose, because the hardware and the software (from the OS to device drivers and--gasp--closed blobs!) just isn't trustworthy. With the clever rhetorical games they play to overstate the reality of the device it's difficult to place any trust in them.

'You shouldn't use this device because Google drove the architecture,' just isn't as compelling to me as, 'you should use this device with outdated drivers, no secure element, no sandboxing, and no IOMMU, no hardware resistance to attacks, baseband isolation that's literally an all-or-nothing affair,' and so on, is a terrible followup recommendation which completely undermines credibility.

You're citing hypothetical weaknesses as a reason to dismiss GrapheneOS while advocating devices with numerous demonstrable weaknesses. The Librem 5 not only isn't very resistant to attacks, it's highly vulnerable to attacks. And then you complain when serious people stop engaging with you. (Not being a serious person, I persist.)

As a former PinePhone user, it's a wonderful effort and I love that they're doing what they're doing, but the device and its software is just completely lacking in security to any real degree. Which is fine, because that isn't the device's reason for being, but we shouldn't overstate its position, which you continually do.

All that said, I genuinely think if you take the time to really fairly understand the situation, you'll find value in GrapheneOS as a project. Whether or not it's for you is another matter, but the only reason I'm bothering to quibble with a faceless stranger on the internet over the issue is because I think the project is one of the most important consumer-device security projects of this era, and I massively hope it succeeds. The planet will be better off for it if it does. And yet, every single time it comes up you make the same lazy dismissals of it, ignore substantive responses, then invariably play the victim when people eventually tire of playing your game.

A broader ecosystem of supported devices is something I very much hope for, and am excited to seem take the step into working directly with one OEM, and I hope for more. The virtualization aspects of their roadmap are exciting, and I expect they'll bring great upstream contributions to whatever hypervisor they choose, as they have for AOSP. Their talks of targeting a laptop which meets their hardware requirements is incredibly exciting, and here's hoping it's a ThinkPad, which seems genuinely possible now.

All this is the most compelling alternative to something like Apple, which, while great at leveraging the advantages of being the behemoth in the market, is too inherently motivated in its pursuit of commercial outcomes to be something I'm likely to want to use.

I lack any real hope that you'll come around on this one, but if you're going to play the game of linking to prior discussions to settle an argument, at least I now have a comment to link to, too. Thanks for fueling my future efficiency.

Oh wow, sir or madam, I adore your dedication and persistence.

Thanks for your extended reply, but many of your points are strawman. I never suggested that Librem 5 or Pinephone were seriously more secure than GrapheneOS. They may be more secure in small ways, depending on your threat model, like avoiding Google or allowing to use the kill switches. However I explicitly said more than once that I would be happy to use GrapheneOS on a more libre hardware (Librem 5), even if the security may be lower. Some people value an additional bit of freedom more than cutting-edge security.

> You're citing hypothetical weaknesses as a reason to dismiss GrapheneOS

Where did I say this? I do not dismiss GrapheneOS, and I do wish them success. I agree this is a very important project (and I upvoted all their recent posts for more visibility). I just feel that some of their decisions harm them more than they think, which is the reason for my parent question.

I suggest Librem 5 or Pinephone in my HN replies whenever I see people caring about mobile freedom more than about immediate security, which GrapheneOS provides. I do not suggest those phones as a more secure replacement of GrapheneOS devices.

> we shouldn't overstate its position, which you continually do

I do not see where I am doing this, see above. And I certainly didn't do it in my parent comment.

> Their talks of targeting a laptop which meets their hardware requirements is incredibly exciting

I have no idea how anything can be more secure than Qubes OS. I never received a reasonable answer to this question. And yes, virtualization (i.e., compartmentalization) is the best way to achieve security, in my opinion.

> in terms of laptop/desktop security, Apple's doing the best job of anyone on that front at present and is still moving in the direction of improvement

This is not even funny, given how many vulnerabilities are constantly being found in MacOS. You should just compare that with Qubes OS, which I use.

And I appreciate that you wish them success and think it's important. If you think so, please try to better understand the nature of what it is you're criticizing. If you're repeatedly met with push-back from numerous individuals but can't evolve in your understanding, you have to start asking yourself harder questions.

They aren't strawman. You pop up in Graphene OS threads like clockwork and recommend other devices. You say, "but Google hardware." I get not wanting to contribute to Google financially, I get not wanting their logo on a device, I get the general discomfort with anything Google. But it's akin to people being so anti-Google that even when Firefox on Android lacked nearly any sandboxing whatsoever and had downright reprehensible security practices, they'd continue to use Firefox on Android when visiting untrusted websites, because, well, at least it's not Google-adjacent. It's completely irrational and unjustifiable on anything but a totally emotional level.

You conflate privacy with security here, "They may be more secure in small ways, depending on your threat model, like avoiding Google," and yet you don't articulate any demonstrated connection between using Google hardware with GrapheneOS and Google's ad tech business. The closest thing there is needing to connect to Wi-FI to unlock the bootloader, but that's easily addressed. You cite a hypothetical backdoor that Google may have placed in the hardware, but unless you're physically examining every chip running every OS (and there are several) in every device you own (even the ones you think you've disabled the MIE on), you simply can't know that. You have to account for that, but you talk about it in ways that imply a project which accounts for it better than others hasn't, while one that inherently can't, has.

When they announce Motorola support, you're still on about avoiding Google. They literally can't win with you.

If you think their decisions harm them more than they think, but can't understand the basic factors at play, it's hard to take your determinations seriously. Good governance of a complex project is hard, and people snipe from the sidelines with virtually no understanding of what the actual situation is. By all indications the project is incredibly well run in all ways that practically impact eventual end-user security.

If you have no idea how anything can be more secure than Qubes OS, consider Qubes OS running on hardware with excellent security features, and the two being tightly integrated. There's your reasonable answer. That is literally the roadmap for Graphene OS. A hypervisor-based OS that's useful for end-user purposes by carefully layering on functionality to make a hypervisor-based OS some degree of usable.

The less reasonable reasonable answer is that you'd have better security if you ran Xen itself, as everything Qubes adds to make it usable potentially weakens it. It's just the nature of the beast.

It wouldn't surprise me if GrapheneOS lands on Xen for all the same reasons Joanna landed on Xen, and they end up contributing massively upstream to Xen security largely by tightly integrating it with said hardware. But I'm sure other patches will flow upstream with whatever project they choose, because their security chops are that good.

Qubes OS also lacks resources. They're supporting a massively bigger variety of hardware with a comparatively tiny user and donor base. By all indications their finances are nowhere near sufficient for what they really need to do. The project is as good as it currently is almost entirely down to the incredible efforts by a very small number of amazing people. If nothing else, the speed at which they can iterate and evolve is highly constrained. Remove 1-2 key players from the equation and the project almost invariably collapses. That alone is constitutes a definite security vulnerability.

Re: Apple, I'm talking hardware security. But even when you factor the software in, for a portfolio of consumer operating systems used by a billion and a half normies who expect it to do every normie task under the sun with very little frictional security overhead, Apple does a great job at security.

Edited to add:

> I would be happy to use GrapheneOS on a more libre hardware (Librem 5), even if the security may be lower. Some people value an additional bit of freedom more than cutting-edge security.

OK, but that's a nonsensical wish at best. There are other AOSP forks out there that would meet your needs. Buy a non-Google Android phone and load another AOSP fork. Or, fork GrapheneOS and modify it to meet your needs, thought that would be a largely pointless exercise. Repeatedly criticizing the project every single time it comes up for not wanting to completely change its fundamental nature in an ill-defined attempt to satisfy your inclination is a real head-scratcher.

I don't want to gush about this too much, but it's SUCH a big deal. Graphene has languished with hardware support for so long - they basically only had Pixel devices as first-class citizens, which are not bad devices per se, but it's hard when you're spending most of your time doing something without the manufacturer's support.

There is a very real possibility that we end up with devices that can play modern mobile games at high frame rates on a secure, privacy-focused mobile OS, which is a huge step towards general adoption of something like this as a daily driver.

This is such a strange comment that is full of contradictions. Pixels are supported because the manufacturer supports alternate OSes. I don't get what languishing means here. Pixel hardware lags behind the latest Snapdragon hardware, but it's not something that average people know or care about. So, you can gush all you want, but I don't see why it's a big deal. It's great that they found an OEM and it's great for the overall health of the project, but not because of gaming or the latest Snapdragon.

Does pixel support alternate OSes or it just doesn't get in the way of custom firmware developers?

And for the gaming aspect, there is a huge market for mobile gaming, specially in Asia, so having a manufacturer like Motorola adopting GrapheneOS as a first class citizen will improve the chances that high performance applications will have better performance in such OSes which is a big win.

The Google Pixel has first-class support for alternate OSes (not custom firmware like a Chromebook). The OEM has to go out of their way to support avb_custom_key as mentioned in https://android.googlesource.com/platform/external/avb/+/mas... and I believe the GrapheneOS founder strcat was heavily involved in helping Google design this feature and flow for Android Verified Boot.

i mean, that sounds like a subjective distinction, but it lets you unlock the bootloader and then re-lock it with your own keys so eh..?

If you conceive a device to be shipped with a specific OS that's a completely different relationship with the developer than just giving the keys to the kingdom and wishing good luck, so I hardly think this is subjective

they used to publish a buildable AOSP tree for the device which is no longer the case

Lets hope those Motorola devices will be smaller then current Pixels.

Since ~2023 all Motorola phones with Snapdragon SoCs (the ones most likely to support MTE as needed by GrapheneOS first) have been larger or equal to 6.5" screens.

I do hope however having a Snapdragon device will be beneficial to having postmarketOS support.

For now having Android-type OS on a daily driver is a must, but for older devices (thinking of 10 years time) I'd like to explore an OS which doesn't depend of Google open-source drops and delayed security open-source drops, which is the situation for ROMs without an ODM partner.

Do you mean to say that postmarketOS is somehow better on non Pixel devices? I would assume that Pixels are closest to upstream and have the longest software support life in Android world.

pmOS runs well on a couple OnePlus phones (6, 6T). For whatever reason the Snapdragon 845 and 865 have decent mainline support. I expect the OnePlus 8T to join the prior list of phones in the near future. You can similarly look at which gaming handhelds are supported by ROCKNIX and what SoC they use to get an idea for which ARM SoCs have decent mainline support. I expect the vast majority of phones and other ARM devices to not be very well-supported. RockChip is usually the safest bet, but I've been pleasantly surprised with some Snapdragon stuff.

"general" people really play actual games on phones? I thought the general public at most played with time waster freemium games

I wouldn't consider gachas to be "actual games" (sue me), but yeah, they do tend to have way more complex gameplay and graphics than the timewaster freemium games of yore. Genshin Impact is essentially a single-player MMO, it has an open world and lots of characters and different weapons etc etc.

still wouldn't bet the general phone audience find those games to be the the deciding factor in a phone

I think it would be on par with camera quality— really important to some, bot not a huge deal for most.

Good enough quality screen for solid video media performance, generally, would be an absolute must I imagine.

The "general phone audience" is some 5 billion people. If even 10% of them want to play games, on what is in the current year likely to be their primary if not only computer, that's already a market segment of 500 million. It wouldn't honestly surprise me if the number is closer to 15 or 20%, mobile gaming is extremely popular.

i would be surprised if it was more than 1-2% for those "graphic intensive games"

normies use consoles, sometimes PCs

my personal beef, after a camera that gets decent photos in low light, would be an accurate GPS that doesn't crap out after half an hour

I think a lot of HN users, living in our own PC-oriented bubble, may not have realised the world has completely passed PCs by and that smartphones are the personal computers of the current generation. While PS5 and Switch each have about 100-150 million in sales, there are an estimated 3 billion mobile game players. Are a majority of those "mobile game players" playing Flappy Bird, sure. But again, even 10% of that number being interested in "real games" would outnumber PS5 and Switch players combined. Fortnite and PUBG each have hundreds of millions of active users, most are on console but around 20% appear to be on mobile from a quick search. Genshin Impact also has tens of of millions MAU, a non-neglible percentage of which are mobile players. There are hundreds of millions of people for whom being able to play 3D games on their phone matters.

Anecdotally,

In public transport I see almost as many people playing games on their phones as those watching videos.

And yet Apple was at some point called one of the largest gaming companies in the world by revenue

https://www.cnbc.com/amp/2018/06/05/apple-one-of-the-biggest...

mobile has been the largest gaming market for years now, wdym?

The key enabler is the camera. Manage a flagship level result in a Motorola, that’s the main reason people pay for High end devices nowadays.

I’m seeing enthusiasts go out of their way to get vivos and xiaomis now that they are surpassing the western counterparts based solely on that.

I think it’s doable, pixels did it with meh hardware for years. But I’m not sure if there’s enough overlap between people who care about selfie quality and open source enthusiasts.

Motorola Signature and Motorola Razr Fold are ranked above the Pixel 10 Pro on https://www.dxomark.com/smartphones/. Pixels have fantastic camera hardware and software which is fully functional on GrapheneOS which isn't something we need to lose on a Motorola flagship. There will be much better CPU and GPU performance via Snapdragon too. The compromises are mostly in terms of getting some security improvements while losing others but we'll still be able to meet all of our official security requirements.

I haven’t been able to see actual results that match those tests in the Motorolas sadly. Maybe it’s more accurate in technical terms but I haven’t found good results in practice.

>Pixels have fantastic camera hardware and software which is fully functional on GrapheneOS which isn't something we need to lose on a Motorola flagship.

This is very interesting to me! Does graphene OS manage to keep google’s processing? How does that work?

Pixel camera app is fully supported by GOS, you just install it from Play store (or from other sources). If you don't have Google Photos installed the last photo preview won't work, but you can install a 'shim' app that fixes it without need for Photos app: https://github.com/lukaspieper/Gcam-Services-Provider

https://grapheneos.org/usage#pixel-camera

I'm not holding my breath but it would be amazing to have root and be able to tap to pay without constantly playing cat and mouse with google.

Unfortunately from what I read a couple of times, including a month or so ago, GrapheneOS discourages and doesn't support rooting the phone for security reasons that seem vague to me and don't appeal to my need to actually own my phone and OS. You could still root it with some third party tools from what I know, but not having root as the default makes it less of a secure FOSS OS and more of a closed down toy.

As for payment apps and other crap that refuses to run if I, the owner and administrator of my own device, don't have admin access, I would just refuse to run it. What's next - websites refusing to work if I have root on my Linux desktop?

LineageOS also discourages and doesn't support replacing the core of the OS with a rootkit providing persistent app accessible root. GrapheneOS is no different from LineageOS in that regard. People do this with GrapheneOS regardless of our strong recommendation not do it. Our reasons for discouraging it aren't vague. It very directly harms the security model and is not a good approach to implementing any of the features hacked together through it. Those features should be properly implemented to fit within the overall approach taken by GrapheneOS. Giving root access to a huge portion of the OS harms security even if you never use the feature. It does not mean you can't do it, we only recommend you don't.

I agree that the features should ideally be provided by the base system so that the user does not have to "hack them in" with root-powered apps. But the reality is that most Android "distros" simply do not support the features that I would consider basic functionality. I mainly root for three reasons:

- Backing up all app data via Neo Backup. Android has an auto-backup feature that backs up app data to the user's Google Drive, but unfortunately the app developer can simply opt out of this, and the user cannot do anything about it. This means that app data may be lost when migrating to a new phone, as the app data is stored in directories that are not accessible in the filesystem without root.

- High-quality call recording via Call Recorder. For some reason, some (most?) phones do not allow apps to access the raw incoming audio stream. Non-root apps have to rely on capturing the other end through the microphone, which is horrible.

- /etc/hosts-based ad blocking while using a VPN via AdAway. DNS-based ad blocking is possible via apps like AdGuard, which use a local VPN to accomplish this. Unfortunately, Android only allows one VPN connection at a time, which means that without root I would not be able to use a VPN for any other purpose while simultaneously blocking ads.

---

I have no experience with GrapheneOS, so I'd be interested to hear if these features are possible on it without rooting. If not, can I request these features somewhere?

Rooting is a very bad idea. https://madaidans-insecurities.github.io/android.html#rootin... But GrapheneOS is fully open source and provides great build instructions, so you can always make your own build and add whatever features or privileged apps you like within the standard AOSP frameworks for privileged apps with system integration.

> Backing up all app data via Neo Backup

GrapheneOS includes Seedvault by default. https://grapheneos.org/features#encrypted-backups

> High-quality call recording via Call Recorder

Call recording is built into the Dialer app on GrapheneOS. https://grapheneos.org/features#encrypted-backups:~:text=Cal....

> DNS-based ad blocking is possible via apps like AdGuard

DNS-based blocking can also be accomplished by using Android's native Private DNS feature with a resolver that blocks ads. You could even host your own on a VPS if you are more comfortable running name resolution and DNS-level adblocking on infrastructure you control.

The RethinkDNS app also lets you use DNS-level adblocking and a VPN at the same time. https://grapheneos.org/faq#ad-blocking-apps

> I have no experience with GrapheneOS, so I'd be interested to hear if these features are possible on it without rooting.

I recommend giving https://grapheneos.org/features a read.

> If not, can I request these features somewhere?

Check out the issue tracker on GitHub: https://github.com/GrapheneOS/os-issue-tracker/issues

Yeah, this is the deal breaker for me as well. The fact that I own my device is non-negotiable. It is the reason I left the stock OS and I'm not going back. The idea that I can't access my own files if an app doesn't explicitly give me access is wild to me. I understand there are security risks of a root permission but it is important to have that fallback when you need it and the existing permissions aren't sufficient.

The "access your own files" thing is so insane! Hard to describe my feelings [negative] when I found out that all of my voice notes were in the voice recorder and the easiest way to get them out was to manually send each one to myself over discord. Google helpfully mentions that you can just "download them through google takeout" and doesn't leave any option for people who don't just give all their personal data to google.

I use a FOSS voice recorder app from F-Droid. It's just called "Voice Recorder" with an orange icon. It does exactly what it says, records audio from your microphone, lets you play them back. They're just files on the device.

Anytime I need a "simple" utility, I check f-droid first to get the one-trick-pony app over spyware from the play store.

Other utilities I use are: WorkTimer: pomodoro app DiskUsage: self explanatory Http Request Shortcuts: setup home screen app shortcuts that run http requests

Yeah I swapped to using the f-droid version after that debacle, though the one i use has a green icon. XD

LineageOS also discourages and doesn't support replacing the core of the OS with a rootkit providing persistent app accessible root. GrapheneOS is no different from LineageOS in that regard. People do this with GrapheneOS regardless of our strong recommendation not do it. Our reasons for discouraging it aren't vague. It very directly harms the security model and is not a good approach to implementing any of the features hacked together through it. Those features should be properly implemented to fit within the overall approach taken by GrapheneOS. Giving root access to a huge portion of the OS harms security even if you never use the feature. It does not mean you can't do it, we only recommend you don't.

LineageOS provides ADB root access in stock builds. Sure, it isn't as convenient as some su apps but at least I can use ADB to access every file on the device. It probably also improves the attack surface compared to a su app.

> It very directly harms the security model

What do you mean by this? You mean that it is a "god permission" that bypasses other permissions? If so then yes, with great power comes great responsibility and it shouldn't be used lightly.

> and is not a good approach to implementing any of the features hacked together through it.

Maybe not, but is there an alternative? What is your recommended way to access all files of any app? This is my primary use case. Modification would also be valuable but I would be ok with read-only access.

> Giving root access to a huge portion of the OS harms security even if you never use the feature.

Can you explain why root access must be given to a huge portion of the OS? Why can't it be limited to specific apps or features (like ADB shell)?

> It does not mean you can't do it, we only recommend you don't.

Of course. It is your right to recommend whatever you want :)

It's pretty easy to make your own `userdebug` build of GrapheneOS using their official build instructions

That's what I do to get `adb root` and full file system access.

> [I want root,] The fact that I own my device is non-negotiable.

I read that a lot, and I agree that I want to own my device. But that does not mean that I should have root access on the OS I choose to install on it.

Owning my device means that I should be able to install whatever OS I want. It does not mean at all that OS developers must do whatever I tell you to do.

Yes, that is why it is a deal breaker. I'll choose to run a different OS. I didn't say that GrapheneOS must support root. Just that I won't run it if they don't.

And I'm fine with you wanting root on the device you own. But you were implying that not having root means that you don't own your device. I disagree with that. You can totally own your device and not be root.

I think it is important, because I read a lot of comments that imply that "owning their device" means "owning the developers". And that's a wrong fight.

The real fight is that it should be illegal to prevent me from installing my preferred OS on a general-purpose computer.

Fair enough. Owning means having a choice. The unlockable bootloader enables that. But for me the choice of OS will be one that lets me access all files on the device should I need to.

What should that support look like? Maybe have a userdebug build already built and available? I don't include a root account on hardened container images for some of the same reasons they cite. So including it for everyone and creating a way to activate it is suboptimal for people who don't want that trade off. A parallel build pipeline seems the most reasonable to me?

Yeah, I would be fine with a different build stream. I do think it could be sufficiently secure in a single stream but it will always be increased attack surface so the safest option is to do separate builds.

I also don't include a root account in my container images, but you probably have a root account on the sever that runs them in case you need to debug something. But you can probably also build and deploy a new container. At the end of the day you almost always want some last-resort way to access the data stored in case something goes very wrong. Whether that is for backups, "hostile" data export or for other reasons it is important to me.

I don't actually. Devs don't get root at my employer. Even on a vm. I have rootless podman, and can be root in a container. Even our gitlab instances don't have any privileged runners. So kaneko etc.

Hm, what do you mean? What app has to let you access your files? Is this Graphene-specific?

There's nothing GrapheneOS-specific about it and it doesn't prevent rooting. LineageOS doesn't officially support it any more than GrapheneOS does. It doesn't stop people doing it for either. Our recommendations aren't law.

Any files created by apps in their main data directories are inaccessible on most distributions of Android (I think it is actually required to be Google certified). The exception is apps that go out of their way to store files in user accessible directories or provide a feature to export or share data out of the app.

By rooting your device you can access the app data directories as you wish.

Ah, you mean /data/data, I see, thanks. I forgot as I've usually had rooted devices (until they stopped Google Pay working).

>but not having root as the default makes it less of a secure FOSS OS and more of a closed down toy.

I don't get it, it's "less of a secure FOSS OS" to not have root by default, but it's secure to run random apps as root and breaking android's security model? What's the threat model here?

Those "random apps" are foss terminal emulators and other various foss apps I explicitly installed.

As far as I know, root and tap to pay are pretty much mutually exclusive, at least if you meant Google Pay? Unlocked and rooted devices do not pass remote attestation. And it's not just something you can fake when you have root, since it is anchored in hardware (the attestation certificate chain is signed by a hardware-backed key and contains the verified boot state and verified boot key).

I can tap to pay with google pay on my rooted pixel while the spoof key isn't blacklisted, IIRC it uses dumped credentials extracted from other devices but I can reliably spoof Play Integrity and SafetyNet. It would be nice to not have an adversarial relationship with my things for once.

"While the spoof key isn't blacklisted" is the critical bit. Soon, all the keys will be, as these old devices age away from being too common to blacklist.

GrapheneOS doesn't give you root access, citing security issues it introduces. You could re-compile your own copy with root access, though not sure if we'll then be back to some non-certified OS that can't make payments...

Yikes. Nevermind. The whole phone security model is one of the worst things to happen to computing, the concept that you shouldn't own your device for safety is so fucked.

> the concept that you shouldn't own your device for safety is so fucked.

That's not it. The concept is "if you choose to install this particular OS on the device you own, then it comes with this particular security model". That's totally fine. If you own your device, you can run Linux on it and you'll have root access.

"Not owning your device" means "not being able to install the OS you want on it". I want to own my device, obviously. But it does not mean that I own the developers of every OS in the world and that they should do whatever I tell them to do, for free.

I mean sure but I should be able to have DMA on some level, like I should be able to rootkit whatever software on my device, because it's on my device.

A non rooted device is NOT really my device, just seems like a leased device.

If we want to use banking app we have to use a non-rooted/leased device. That is what is really messed up. Personally I only use bank now that has website for banking. If they don't have a web site only app, then it is a red alert for the company.

I think is great, if there are no ramifications when skilled people unlock it.

There's just too much hacking going on, malicious behaviour, to allow uneducated masses to have root on a phone. I've seen so many people just not understanding the outcome of their actions. You'd get people rooting because some shady app lied about why, and just wanted control.

And we don't need more botnets. And it's why banks sometimes throw a fit.

So if a recompile does the trick, and no downside, then it'd be fine.

Android is not UNIX, and that's a good thing. The root account was a historical mistake and not having access to it doesn't mean you don't own your device. That mindset is just trying to project how things worked with a half century old operating system with how modern operating systems work.

What a disgusting take. It's actually so depressing to see anyone say this, presumably sincerely. It's how all the modern operating systems I use work.

It's what makes computers so wonderful and powerful, you can just have it do whatever you want. Turning that into "whatever google decides i should be allowed to do" is not gonna lead us to a bright future.

With Turing completeness you can do whatever computation you want. If you want to go outside of Turing completeness and starting interacting with the real world or other apps that is when security models need to exist. There isn't a reason to allow a program to act however it wants. Why should we allow for programs to secretly spy on a user's mic with no visual indication. It's okay to bound what is possible with a device. This already happens in practice with other operating systems. Redhat can still be useful even if you don't have permission to write new CPU instructions (only Intel and Amd have they signing keys to add new instructions). Sure Intel may be limiting what you can do, but it still is a useful machine without it that many people successfully use and gain value from every day. Even as a smaller example root on Linux has limits on how it can interact with the kernel. It may be root, but there are still limits on what it can do without loading a kernel module to modify things. If you want a less secure operating system where things are less secure like allowing the user to be spied on you can make your own, but the average person wants to have a secure device.

>You could re-compile your own copy with root access, though not sure if we'll then be back to some non-certified OS that can't make payments...

GrapheneOS is already non-certified, for most apps that care, because it can't pass STRONG_INTEGRITY with play protect.

it's quite a big deal Motorola will have officialy devices with unlockable bootloader now that Samsung is ditching it and Xiaomi is making unlocking almost impossible, Sony reintroduced it but has probably the worst VFM in the market, so having Motorola with pretty good VFM (better than Pixel outside US) is big news, though they don't really make smaller phones and I'm worried about camera quality or gcam stability

> There is a very real possibility that we end up with devices that can play modern mobile games at high frame rates on a secure, privacy-focused mobile OS, which is a huge step towards general adoption of something like this as a daily driver.

This might be true, but the priorities are depressing.

If anyone from Motorola is reading this: Please add a smaller device to your Portfolio, about max the size of a Pixel 8. I'm not hoping for an audio jack any more but at least small it could be.

All in all: Thank you for making this possible.

The small form factor phones simply do not sell. Some great thoughts on the topic:

* https://www.youtube.com/watch?v=iR9zBsKELVs * https://www.youtube.com/watch?v=vZdbbN3FCzE Not about small form factor, rather enthusiast phones don't last

Currently running a Sony Xperia 5 V which farm factor is acceptable, and still will get a number of months of updates. And the winning point is that the bootloader can be unlocked and is supported by LineageOS.

The issue of "enthusiast phones" is not the same as for small phones. The problem that MKBHD is describing is that a company that starts as an enthusiast phone can not grow by getting the niche larger, so they need to start competing in the "average consumer" market. But a large, established company like Motorola and Samsung can for sure segment their product line to serve a particular demand.

I think the issue of small phones is that, while there people saying they would buy if it was available, no one is saying "I would buy one small phone at flagship prices, even if they don't have flagship features".

I suspect there's a large overlap between people who want a small phone and people who only upgrade their phone when there's a pressing need. I am in both groups.

The root cause is that the phone is not a primary device for me. It's what I use when bringing a PC is too much trouble.

I'm not necessarily asking for a "small" phone as in 4.5" or less.

I'd like to have an Option around 6" and 150x70x9mm, which is not really small. Surprisingly the Pixel 8 has a smaller footprint than the Pixel *a variants while having a bigger display.

So my request would be a device around the size of the Pixel 8, having a similar battery size and if possible a headphone jack at a reasonable price point (350 bucks).

I consider the pixel 8 as really solid device for graphene OS.

They don't even need to fix the longpress for headphone remotes... Just a device that is the right size.

> The small form factor phones simply do not sell.

And still in every phone topic people complain about phones being too big... I'd love to have a smaller affordable smartphone.

Same here. And I have a friend who keeps his small IPhone because they stopped building smaller phones, too. There is a demand, maybe not that big.

For me, I want to be able to operate the phone with one hand, and the large screen makes it difficult to reach all the spots on the screen even with large hands. I do operate my Fairphone 5 with one hand, but it is super awkward and at some point, the phone will fall into a gully because I cannot hold it tight while navigating.

And I wouldn't mind 2mm more thickness if this means the cameras are flush with the back and the battery is larger.

> There is a demand, maybe not that big.

Whenever I see this when talking about small phones, I'm reminded of the stats, where the iPhone minis were a small proportion of iPhone sales but still by themselves outsold most manufacturers.

https://news.ycombinator.com/item?id=39104057

my sm-a260f is too smoll

I was in the same boat and literally this week bought a Pixel 8. It's a 2 year old phone but with the extended support period that's no longer a problem, and being old means you can get it new for about €300 or refurbished for even less.

The other option is the Samsung S2x line, which you can apply the same strategy to.

[dead]

I watched the first video. One point they didn't mentioned is that their android example of the "last small flagship phone", asus zenfone 9/10, is about the same size as an iphone 12/13, not the mini.

Do regular iphones sell well? If so, the small flagship phones are not dead, because iphones are not dead. If iphones are not counted as small phones, then the small android flagship phones are dead long time ago.

I run a Xperia 10 V. Great phone, great form factor, easy to unlock. It runs for days, almost a week, on one battery charge. Sony is doing something right here.

I got the same or similar but let's not kid ourselves that this is in any way small. It would have been giant by 2015 standards. That's how much the overton window has shifted.

> small form factor phones simply do not sell

Are we really sure "nobody actually wants it"? I need to help my family select the smallest possible phone every time. Meanwhile choices are dwindling and the remaining 2 models are either overpriced or outdated and so I need to tell them it's better to take a (whatever currently goes for) "medium sized" model, which shifts upwards every time I/they need a new one. No wonder that people don't buy small phones anymore if they don't exist

I don't buy this nonsense about small phones being a niche when so many people are actively seeking them out, both online and offline in my practical experience

It's just harder to make, heat dissipation or battery will be restricted, doubly so if you're a niche manufacturer without a big budget, or one who tries to keep it repairable and needs the extra space for screws. So I can understand that Fairphone doesn't release a small model (even if it means I simply cannot use it: I actually put my money down and bought one, but sadly had to sell it onwards after a few weeks of trying) but for Graphenorola I'm not sure that restriction exists. It may just not please everyone if the chip is underclocked for heat and battery efficiency reasons and so they're not likely to. Doesn't mean there's no market for a small variant for any manufacturer that has more than one device on the market

My mom's and my current phone (same model) is what I'd call medium sized (per 2019 standards, when it was new) and the battery life sucks, but I'd buy this model again anyway if it came out with a ≥2025 SoC because I can actually use it unlike nearly any other phone on the market. Not properly reach the top, but at least the left side so that'll have to do

>And the winning point is that the bootloader can be unlocked and is supported by LineageOS

Don't banking, security and payment apps detect the unlocked bootloader and prevent them from working on lineageos? At least that's what happened to me after i flashed lineage on my old tablet.

Because then what's the point of a smartphone if it can't do banking, payment, shopping, ticketing, etc? Use it as a gimped pocket web browser and ebook reader? There's not gonna be any mass market adoption for such "smartphones" until they can run all apps out of the box like vanilla androids and IOS phones.

Your average consumer isn't gonna wanna fuck around with signing keys and bootloader relock. Hell, even this tech savvy HN user doesn't want to do that because he has better things to do with his time. The days from my childhood when I always rooted my Android phone, installed custom ROMs with custom kernels, magisk, titanium backup, cerberus to make the phone "my own" are long behind me.

There is the option to register the signing key of the ROM with the bootloader and then relocking it, thereby making those apps happy again.

The biggest issue is that there is a different way to do this for every device, so most custom ROMs don't bother. It's relatively simple and automatable for Pixel devices, so the GrapheneOS installer takes care of it. e/OS/, which is based on Lineage, allows this for some devices, iirc.

DivestOS supported it, too. Probably the closest thing to LineageOS with a relockable bootloader (and it worked with microG!).

(at least on pixels and apparently this future motorolla,) it can be re-locked, so it passes the integrity check; however there is an additional layer that needs google signing keys, which of course means you can't pass that one if you can't ship the keys

funnily enough my banking app works but the mcdonalds app doesn't, lol

Mcdonalds decided it's "unsafe" to run their app in private space of Android. In literally the most locked down part :) Marketing must have gotten a nice bonus for that mental effort.

I can run banking apps like that, corporate apps like that, but I can't show a QR code to order happy meal.

You can't even use the McDonald's app if you have an overlay. I use KineStop and in the car I'm already choosing what to order and I can't click anything until I turn off KineStop...

In comparison the Burger King app works without problems and is very fast.

I've read about a few incidents where people could order for free or below cost so I'm not surprised their app developers are a little paranoid.

Could be related.

It was likely their management doing random shit to fix it. Instead of fixing real problem, which was bogus campaign rules. Reddit was full of people abusing their app discounts and ordering insane amount of food for free. It was well described.

None of that was due to app security holes. It was an issue in their promotional campaign. It was still working after those "secure" app limitations appeared.

if you can order for free or below cost doing anything in the app, you are not paranoid, you are directly stupid, is like being able to modify the shopping cart total in the browser and the server accepting that as the correct price. Everything should be server side validated where you have the full control of it.

Tell that to marketing types running coupon campaigns not realizing coupons are essentially money...

[dead]

So you can send a remittance for $1m but not order fries. It believes that health is wealth.

Switch to a bank that offers a fully functional web or Android app, as opposed to only allowing Google Android

Not possible in Finland. :( I'm using the one bank (OP) that used to allow rooted devices to use their app, but even they eventually blocked it via SafetyNet.

I'm all in favor of voting with your wallet, though easier said then done when your mortgage, long-term saving accounts, etc. are tied up with your bank account.

That said, my banking and credit card apps work fine on GrapheneOS.

What we need is a way for the OS to trick banking apps into thinking they are running on the platform they expect.

You cannot, the OS does not have that level of access. Attestation is anchored in a (typically) non-replaceable bootloader and trusted execution environment, both of which the OS does not have access to. A remote server can verify that the attestation chain is signed by a hardware-backed key and contains the verified boot status and verification key. If you would change this information, it would be detected by the remote server, since the signature would not be valid anymore.

Ironically I always find when these new devices like the fairphone come out, I'm disappointed and don't buy it because the screens are actually too small. They tend to focus on an unuseable middle point (probably in an attempt to please everyone).

All the flagships have huge screens, the big guys would have paid millions on market research, I can't understand why they arent just trying to achieve flagship parity (in terms of specs not price or software). No one is going to say it's unreasonable and they save themselves the market research

Oh, the guy who is still mentally on the level when he started his channel. And these shenanigans.... putting a phone in a mini coffin. sigh

Why it has to be a flagship? Sell them cheap. It's like AAA game makers cry about ballooning costs, and they make 60 hour games that literally nobody plays through....

> The small form factor phones simply do not sell.

yeah, clearly nobody buys Samsung Galaxy S series for years, they are like the least popular Android phone model... /s

I'm running Pixel 6a (which was followed bu successors with worse screen:body ratio for years and only now the new Pixels finally matched and slightly improved the ratio, what a progress), but considering all the HW issues (baterries and displays) with Pixels I'd rather avoid it, the worst case will buy as next phone Xiaomi and hopefully somehow unlock it, if there is no suitable Motorola

edit: added HW issues explanation since I am rate limited on comments

yeah pixel used to be great. probably the best phone I ever owned after iPhone SE was a Pixel 3a.

till I got the abomination that was a pixel 6a. fucking overheated - then finally battery exploded. Other pixels suffer the same problems as well - overheating n display being finnicky.

What are the HW issues with Pixels?

> yeah, clearly nobody buys Samsung Galaxy S series for years, they are like the least popular Android phone model... /s

I don't think the smaller Galaxy S models are what people generally mean when they talk about small phones, those are still much bigger than the iPhone Mini was.

https://www.phonearena.com/phones/size/Samsung-Galaxy-S26,Ap...

it's literally one of the smallest Android phones with good specs

here you have filtered Android phones since 2020 under 71mm with OIS camera

https://www.gsmarena.com/results.php3?nYearMin=2020&nWidthMa...

it's basically just Samsung S series, Pixels, overpriced bad value Sony and few exotic/abandoned phones (Asus is done with phones, they had always horrible SW, Xiaomi only model 12 many years ago, Meizu not available outside China)

The whole Moto G series has audio jacks, at least as of a year or so ago. I hope that Graphene makes it to those affordable models. I don't need high end cameras or AI on my phone. In fact AI is quite unwanted.

I think I went through the first ~3 or so generations of the Motorola Moto G, and they were great for the price, besides the fact that each generation it got bigger and bigger, defeating the original motivation I bought them in the first place. Eventually the iPhone 12 Mini was released and I moved to iPhone at that point.

I also hope that the new GrapheneOS device from Motorola will be in the "smaller" size factor so it actually fits in my (apparently) tiny hands, but to be honest I'm probably getting one regardless, as iOS gets worse and worse every time I update it.

Lol, no, according to graphene, an aux jack is a security problem. So is a microsd. But the hole punch with the camera pointed at your face, that's just fine.

When my current phone dies, I'm basically returning to a dumb phone with a removable battery. Now that Xperia dropped open source, every phone out there is terrible and I just don't want any of them. Anything that would support a ROM has features to make my skin crawl.

It sounds bizarre to me that an analog aux port is a security problem and that bluetooth audio is not, or that the phone's built in microphone is not. I never want to use bluetooth and tbh I've sometimes wanted a phone with no microphone, so that if I wanted to make a phone call I'd have to plug in my wired headset. That gets rid of the microphone as a listening device.

Their hardware requirements do not say this, where'd you get that idea? Graphene has stated they'll work with the Motorola team on supporting their devices, starting with the successors of the Razr foldable and the signature line, but there really hasn't been any talk about how additional peripherals like aux would be a no-go. USB is also a security concern, which is why they give you the option to disable it outright, disable data or disable until after-first-unlock. I don't see what would keep them from implementing this for aux, although since it's unidirectional I'm not sure if it even makes sense to compare aux to USB. They've supported pixels with aux ports in the past, and I don't think it's inclusion would be a blocking criteria. The comment about the camera is also kinda misguided. They zero out the camera input if you disable it, unlike traditional android. You can have a camera toggle in your quick settings and keep it disabled literally all the time. Enabling it when you bring up any camera related app takes either pin or biometrics, having the hardware here really shouldn't be a concern since you can look at how the code handling it works yourself. I'm not trying to convince you to use a pixel or a Motorola phone, do what you want, but at least be informed about stuff like this when you state things as if they are facts.

> I don't see what would keep them from implementing this for aux, although since it's unidirectional

No electric circuit is unidirectional. Beyond the pause/play and volume commands that it supports (edit: and mic as mentioned in a sibling comment), Graphene would probably reason it's an easy way to externally read voltage levels and so an unnamed entity can mount side channel attacks with backdoored headphones

> since it's unidirectional I'm not sure if it even makes sense to compare aux to USB

Most phone aux support microphones and acting as an antenna for FM radio reception. I don't see how either could be used for a security exploit however.

>but there really hasn't been any talk about how additional peripherals like aux would be a no-go.

It's water under the bridge. You're NEVER getting a Graphene phone that supports a microsd. It won't happen. The AUX jack, you will biligerently be told to get a USB DAC or otherwise you are an old man yelling at clouds.

Graphene and Motorola will work together by happy accident. Tell ya what though, if they make a GrapheneOS phone with 3.5mm, dual sim, microsd, and >no notch or hole punch< and I will buy it. I won't even care how much it costs. All the Xperias I've owned were among the most expensive phones on the market.

It's unlikely for the Razr line to support microsd since those are foldables, and flagships like the signature line generally tend not to, but nowhere on their hardware requirements list does it say that a potentially supported device cannot have a microsd card slot, thats just wrong. There is nothing about a memory slot that would make the phone less safe inherently, they already support USB drives, internal emmc memory isnt that much more crazy than that, right? I just think its super weird to be like preemtively mad at them for an imagined aversion to supporting hardware that doesnt exist. I get that the people involved with the project can be a little prickly when you ask them for advice about stuff, but what do you expect them to do here? They support the devices they do not out of some sort of adherence to a skewed model of security, they actually genuinely need the hardware to be able to do all of the things they ask for, which currently literally only the pixel line offers. If a manufacturer like Sony who tends to do aux, microsd slots and no holepunch cameras were to adapt to their hardware standards (https://grapheneos.org/faq#future-devices) there would likely be an effort by people to get these supported, its not the lack of will from the devs, its the lack of support from phone manufacturers that has kept the line of supported devices constrained to pixels.

why do you say "according to graphene?" have they said those things? or do you just mean the currently supported devices don't have these

It's a shame that modern banking (and communication with my family) needs a smartphone.

Does it? My banking works in any browser that supports javascript, and chatting has been possible on desktops (and laptops etc.) longer than it has on phones

> When my current phone dies, I'm basically returning to a dumb phone with a removable battery.

Why not a smartphone with the jack, microsd, and a hardware kill switch for camera?

I haven't found a >=2025 phone (I started looking in the summer) with a headphone jack that I can actually use more conveniently than a tablet. Everything now requires two hands, not counting warrantyless china phones like the jelly star, or ones with a chipset that would have been considered fast in 2018

As for the camera, a webcam sticker seems much more convenient than needing to mess with the hardware internals

> haven't found a >=2025 phone

Why such a restriction?

> or ones with a chipset that would have been considered fast in 2018

https://puri.sm/posts/the-danger-of-focusing-on-specs/

> webcam sticker seems much more convenient

Except there is also a microphone.

> than needing to mess with the hardware internals

What do you mean? My phone has a convenient, external hardware kill switch. No messing with internals is necessary.

> Why such a restriction?

Sorry, that wasn't clear: I meant any phone that I can purchase as of 2025. I was looking for several months and made a decision about 2 months ago. A second-hand Pixel was a big compromise but I don't see another option

> https://puri.sm/posts/the-danger-of-focusing-on-specs/

Do you also have thoughts to add or am I supposed to read and respond to 2000 words of material here?

The reason I'm looking at specs is not because I have no idea what I need. Not sure if there's another possible reading or if the link insinuates that. The software I use (e.g.: OsmAnd) is noticeably faster on more modern systems and was downright sluggish on my previous phone. I could buy my current chipset again, it's doable for now, but neither fluent nor future-proof. The chip's inefficiency also means it's completely empty after 2.5 hours of use (while I'm out mapping, taking notes, recording positions and sometimes pictures, listening to music... I ask a lot of the battery), whereas newer chips can do the same work with less energy

I also need a modern chipset for accurate GNSS. The phone I get from work has dual-frequency GNSS and makes razor sharp traces which are much more usable for my mapping hobby, especially in urban or forested areas or behind coated windows like trains or cars (car navigation isn't that niche, my current phone does a pretty poor job at that)

But yeah, let's not focus on specs. Who cares about any of this right? That's what I'd say if I sold a really basic phone

> Except there is also a microphone.

Respond to the person above. Hardware toggles wasn't my argument but theirs. Great that your librem has this but the thread is about GrapheneOS

Edit: lol that was yourself. You posted about a camera toggle, not me or anyone else

> Do you also have thoughts to add or am I supposed to read and respond to 2000 words of material here?

The idea is that relatively low specs do not necessarily mean low performance. It depends on the software a lot. For example, SXMo provides a smooth experience with maps and Youtube even on a Pinephone. The battery life may be a problem though.

> the thread is about GrapheneOS

The subthread you started is about a phone "with a headphone jack that I can actually use more conveniently than a tablet", so I thought I could intervene with some other options. I might be wrong though.

Modern dumb phones are just smartphones with a dumb UI.

Citation needed. A lot of dumb phones still only support 2g, for example, and you need to watch out that you don't buy a model that won't work anymore when carriers take that off the air. No smartphone hardware has that issue

I was thinking the same thing. My smartphone is reaching the end of its life, and I really like something smaller.

Also Motorola, make this phone available in the US: https://m.gsmarena.com/motorola_edge_50_neo-13224.php

It's the smallest phone available with a real telephoto lens. I think it was only available in India, but I got one on eBay because it has those two features (not huge with telephoto) I was looking for. I moved to it from a Pixel 6a because I refuse to go any bigger in physical size.

+1 from me.

Motorola has such great quality/price ratio and the user experience is decent. There's still some nagging and such but overall it's much better than the competition.

But I still can't get over my old iPhone 6. That phone size was just perfect. Easy to hold and do everything with one hand, easy to fit into any pocket.

I really want an Android like that. I don't need 3 cameras and bunch of other nonsense.

Check out their Razr Plus or Razr Ultra. The external display is 4" and fully functional, and it unfolds into a full-size phablet for when you need that. I'm a small-phone-liker and I've found it to be a great device, I'm very happy with mine.

That's "small"? Here I am with my 5.2" Xperia XA2 thinking I'll be forced to go back to dumbphones in the future... along with many others, I guess.

No, it's not small, but it's afaik the smallest model you can find that's still unlockable and runs any ungoogled OS

> I'll be forced to go back to dumbphones in the future... along with many others, I guess.

Going back to a dumbphone for me would mean changing my outdoor hobbies (like contributing to openstreetmap), so I'll take my losses and continue on a smartphone, but I share the sentiment. Power to you if you do it!

Would a flip phone suffice?

wouldn't trust a flip phone with a display fold. i want small, thin and light.

Not sure how I feel about this. Motorola seems to be the exclusive provider of encrypted cellular networks and associated devices to the Israeli military [1][2].

I'm under the impression that basebands still require a proprietary/binary blob, basically rendering the security features of the underlying Open Source OS useless, since it sits between the user and outside connectivity.

How can GrapheneOS ensure that there are no hidden backdoors (ie: Pegasus-like spyware, which was created by ex-IDF soldiers via NSO Group), etc, in the baseband?

[1] https://www.whoprofits.org/companies/company/3808

[2] https://www.motorolasolutions.com/newsroom/press-releases/mo...

In the same way they can(not) do it on Pixel phones - and I would be surprised if Google was not already cooperating with the state actors. You do what you can. Even open source drivers (which are not gonna happen when operating within tightly regulated radio bands) won't help if there's a hardware backdoor.

The way I see it, I don't have much direct control over the actualities of that kind of nation-state spying stuff. However:

1. I can direct my consumer-dollars towards the vendors that promise to respect ownership and privacy in general, and they will also have the most to lose if they are caught enabling spying.

2. Defense in depth. Security features generally add to the spying's difficulty, expense, or risk of detection, and that in turn decreases the incentive for abuse.

Ah nice so leave the phones in another room

Easy but for missing Step 1 of “Colocate with friends and business partners”

Just only ever speak in a language of your own invention that uses both cryptographic and steganographic techniques which you invented while colocated, maybe.

I can't wait until we're all mentats each speaking our custom encrypted pidgin. That will surely help with communication and world peace!

Not your keys, not your speech!

I personally am more afraid of what "someone" can convince other people to do rather than listening to me. Sadly there are enough people that are easily manipulated that probably the "smarter" people are completely ignored.

If I would be to place a bet I would place it on mass propaganda targeting people below average - it might be simpler, easier and cost effective. So lots of this talk about "encryption", "privacy" might be in fact great for those "actors": smart people worry about their precious technology and principles, while "they" talk to "the masses".

Motorola phones are made by Motorola Mobility, not Motorola Solutions.

Motorola Mobility is largely owned by the Chinese government.

The Chinese government is not gonna share your data with Israel/USA.

https://news.ycombinator.com/item?id=47215079

Israel has sold nuclear US state secrets to China. Don't hold your breath. https://www.military.com/defensetech/2013/12/24/report-israe...

Serves them right for giving confidential equipment to terrorists.

The key quote in this article is:

"Israel has a long record of getting U.S. military technology to China. "

true, they want it for themselves

If you're not in country X which spies on you, but you live in country Y, is it preferable to have country X or Y to spy on you, given one is further away and cannot really impact your daily life, compared to the other country?

Motorola Solutions != motorola mobility

Ill leave you to investigate how != they are

This. I know some people who work for the former and they are always having to say "no, I don't work for that Motorola". The shared name is entirely historic.

Mobility is in Merchandise Mart, Solutions is in Schaumburg.

Used to be anyways. (My office was a floor below in the mart)

I did. There's long term patent cross-licensing agreements between the two companies. Motorola mobility may be a separate company now, but they didn't start from scratch.

The mororola mobility is a Chinese company with Chinese management. They bought the brand and the patent portfolio. They sure as hell are not supplying Israel or NSA.

> they didnt start from scratch

> long term patern cross licensing

> israel

> pegasus

Basically lots of judgment based off of superficial facts with little understanding of implications and the actual consequences of those facts.

Well, you sure showed me.

They did. You're nitpicking to not lose face while you could have easily say "OK, didn't know they were separate brands" and we'd all move on with our lives.

Let me give you another perspective - you cannot fight a foreign state that wants to hack your device and access your personal data. Even Apple iPhones, who often taut how "secure" their devices are, remain vulnerable to state spywares. A secured device, at most, will protect your data from the police or lay cracker or malware, who lack the means to use more sophisticated methods to access your data. When Android forks (like Lineage OS or Graphene OS) advertise that their Oses are more "secure", with better "data protection", what they mean is that their OSes try and prevent data leakages to the OS vendors (like Google or Apple or other BigTech) or to online services integrated with the OS or through system and user installed apps. In other words, "privacy and security" primarily means that they try and prevent surveillance capitalism.

Actually Graphene has been shown to be resilient (uniquely) to some of the forensic tools used by governments.

Probably because nobody targeted them yet.

cellbrite specifically has grapheneos in its support matrix.

Which demographics do you think run GrapheneOS as a daily driver other than people who have shit to hide? They've definitely been targeted.

...apparently most of HN, judging by these recent threads?

Yeah, I hide that I’m using apps from other spyware apps.

What of it?

None of it matters. If the device has a SIM card (virtual or physical), it will execute commands sent over the network. It's required by the GSM/LTE standards. The best you can hope for is to have separate SoC for the OS and separate SoC for the GSM/LTE connectivity, but that means double the power consumption.

See presentation at DEFCON21 about SIM cards: https://www.youtube.com/watch?v=31D94QOo2gY

defcon21 is from the pre-snowden world (2013), for anyone else wondering. Mobile landscape (our reliance on them, the central role they play in our lives) back then was a little bit different and indeed I'd not be surprised if most models support that the carrier can remotely read out any memory location or something

Will Graphene not require Moto to offer an IOMMU like Pixels do?

They already have it and it isn't part of what needs to be developed. Qualcomm does that for them.

Ya, I believe that's the correct answer. I believe there is an IOMMU or equivalent on modern phones to prevent those doubts binary blobs bring.

> Not sure how I feel about this. Motorola seems to be the exclusive provider of encrypted cellular networks and associated devices to the Israeli military [1][2].

makes me feel good about it.

You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.

what exactly makes you feel good about a privacy black hole with the worlds foremost anti privacy captain at the helm ?

The opportunity to be blown up by your phone upon a trigger pulled by mossad. Obviously.

You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.

Are you a terrorist? No? Then you have nothing to worry about :)

This is a fallacious argument that has been thoroughly debunked countless times, and frankly it has no place on a platform where we expect a baseline level of digital literacy. Privacy isn't about hiding crimes, it's about limiting how much power one government has over you. History has shown stuff that’s totally fine today can be treated like a problem tomorrow. A surveillance system built under a “good” government can be handed to a shady one.

If you have anything to hide you have nothing to fear, eh?

Former Mossad Chief Yosi Cohen bragged about having booby trapped and otherwise compromised devices in pretty much every country. [1]

[1] https://the307.substack.com/p/former-mossad-chief-brags-that...

You're confusing Motorola Mobility with Motorola Solutions. These haven't been part of the same company since 2011. We would happily support devices from Motorola Solutions with their collaboration too but have no contact or partnership with them as they're an entirely different company. We want to support more devices meeting our requirements and if people have issues with one of the choices due to their opinions on geopolitics they can use another.

all technology companies are to some extent in cahoots with secret agencies. but israel has no room for mistakes, they only work with the best. no doubt they will ask for backdoors. but no phone is safe from governments anyway - grapheneos or not.

Perhaps you may be interested in Librem 5 or Pinephone, both of which have hardware kill switches for modem and available schematics. The latter even has most of the modem software freed.

Those devices have atrocious security at a hardware, firmware and software level. Their microphone kill switch also doesn't prevent audio recording. They aren't open hardware despite many attempts to mislead people with the marketing.

> The latter even has most of the modem software freed.

Pinephones have entirely closed source baseband firmware. They use a highly unusual cellular radio which includes both an incredibly outdated Qualcomm baseband processor with atrocious updates and security combined with an extremely outdated proprietary fork of Android running on an extra CPU core which isn't present in any mainstream smartphone. It's only replacing the unusual extra OS which has been done. That whole component doesn't exist on other smartphones and the only reason it's possible to replace it is because the whole radio has absolutely atrocious security. The radio is connected via a far higher attack surface USB connection providing far less isolation for the OS and the USB connection can be used to flash the proprietary Android OS via the fastboot protocol. The baseband firmware itself doesn't have any replacement available.

> Pinephones have entirely closed source baseband firmware.

> The baseband firmware itself doesn't have any replacement available.

Same with the Google Pixels and their Samsung Exynos modem. Neither you nor GrapheneOS users have any idea at all what's going on in their cellular transceivers. What will it be for the upcoming Motorola phone?

Hi daneel, what would you like GrapheneOS to do while you develop your own formally verified, open hardware, open source firmware/OS baseband processor they can use? Sit on their hands doing nothing or making the best of the least worst options currently available?

The Pixels already are the best of the least worst options currently available. Anything new must categorically bring improvements, and the closed source firmware of the Pixels is a pressing point.

> Neither you nor GrapheneOS users have any idea at all what's going on in their cellular transceivers

Pixel has an IOMMU - are you implying that’s being defeated, or that you weren’t aware of it?

Neither. It's great that the Pixels' baseband ACPU doesn't have free reign in system memory, but if we're gonna underline the deficient state of the cellular modem in the Pine Phone we should also remind ourselves that the firmware situation with the Pixels is an almost equally sore thumb.

Security theater, it has absolutely no use. If you can't trust your hardware that it won't actively listen to the microphone without your knowledge and permission then what are you even doing with that device?!

I do trust my device. However in specific circumstances where privacy may be critical, an additional protection might save me even from a state-sponsored attack.

I'd say you're paranoid. Nobody cares about you, and they won't invest billions just so they can see your hot nude pictures. There are much easier ways to get information out of a phone, no need for a backdoor.

If there were ever any backdoor in some phone, it would have been found. No smartphone company is gonna take that chance that someone will find their backdoor, it will literally kill the company.

Sometimes you become a target purely by chance. You may witness something you should not have seen, are at the wrong place at the wrong time, the "algorithm" glitches and increases your "thread level" by 5000%. In most of these situations preparations like running graphene os can be quite the boon.

Or think of friends and family. When they become the target, you are prepared, you have the knowledge and tools ready, you can be the guide that helps them navigate a hostile digital world.

Whether parent is paranoid or not, Pegasus literally is used to spy, just because the state might not care about his hot nude pictures does not mean they don't care about other phone usage.

"While NSO Group markets Pegasus as a product for fighting crime and terrorism, governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists."[0]

Information these they can be much as powerful as a bomb, for example, I could learn more about your calls and discover that you do something immoral but not illegal and use it to blackmail you.

0.https://en.wikipedia.org/wiki/Pegasus_(spyware)

As if spying on “governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists” wasn't already alarming, Pegasus has also been used to spy elected officials.

A recent court case investigating spying on 37 elected representatives [1] (including the prime minister, three ministers, and regional politicians) had to be closed in 2023 and again in 2026 “for lack of cooperation of the Israeli government”.

[1] https://www.rtve.es/noticias/20220510/pegasus-espiados-sanch... (spanish) [2] https://www.rtve.es/noticias/20260122/juez-archiva-caso-pega... (spanish)

I'm guessing you missed out on the Snowden revelations? Or the news articles about federal agents literally laughing at private dick pics.

And your second paragraph seems to go on the premise that the average person care if there is a backdoor.

I don't know why you wouldn't take security seriously, when even the US government is telling everyone to be careful where they supply their devices because of spying. Just don't trust them to point the finger the right way.

The UK government is known to spy on anti genocide protestors.

The US government is known to spy on anti ICE protestors.

If you have an opinion your government doesn't like, or a potential future government doesn't like, there's a good chance you have or will be spied on.

Perhaps you lack a single opinion worth caring about, but most people do not.

I'd say you aren't smart or are a shill.

> Nobody cares about you

This is such a low-iq argument I cannot even. Yes, nobody cares about OP, you, me, whatever - until they do. Not to mention general harvesting for profiling and propaganda reasons.

General: What do people in this city/country/region/etc are thinking - This is the main one where the data is used and collected, then grouped. It is extremely powerful information for targeted agenda whichever it might be.

Targeted: Oh, you or someone from your close ones went to a political protest? Too bad we have all this information to put you and your family in jail - This is where suddenly they will care about you, even when it is NOT YOU but someone from your close circles were the ones upsetting them.

And I'd say you don't understand how state-sponsored tracking and spying operates

I'm glad to hear that. That means these devices will be a popular target, perhaps the popular target for alternative operating systems both Android-based and non-Android Linux.

Historically Moto devices have already had eg. pretty good lineageos support ( https://wiki.lineageos.org/devices/#motorola ).

with the advent of AI assists, I can't wait for people to start hooking up SoCs, GPUs, and other components burdened by proprietary driver and firmware to logic analyzers, and letting AI have a crack at it. I wonder what'll happen - this might well be the end of proprietary blobs, and I'm here for it.

That would be wonderful but cracking proprietary blobs which may be and probably are encrypted, would take massive amount of time, and later rework could take a lot of tokens and broken SoCs. Nowadays electronics are driven by software so one bit off and voltage can get 9V instead of 3V for example

the end of proprietary blobs has to be the oddest set of words that excites me

Oh, This might be one of the few ideas I approve AI use of.

Cursor spent like Million dollars on creating a browser which people were able to make later with a 200$/100$ subscription in the same amount of days as cursor with human assistance.

I don't think that this can be "autonomous", we assumed that making browsers could be autonomous process but it wasn't. That was the take I took from it all.

Will this be an example of autonomous tho? I think we still need a human experienced with reverse engineering in the loop but it might significantly improve their workflow

I wish if cursor, instead of having burnt million $ to something worthless essentially, Could have atleast done this experiment.

If true. And I put a big if on that.

I WILL be buying their flagship model.

My go to for Graphene has been used Pixels from eBay. Because I can’t give money to Google in good conscience.

Doesn't buying a used pixel encourage the sale of new pixels by demonstrating a healthy resale value?

I don't think the market of people buying used phones for the purpose of graphene is going to make a dent in profits for Google. It raises resale value maybe by say, $0, considering the price is set by the average consumer

Well then buying them directly from Google would have no effect either.

Except that Google would then get the profits

It's not about Google, it's about OP's personal values

But if you think buying on the secondhand market doesn't impact the market, why do you think buying from the OEM does?

It's one phone's worth of demand either way.

I never considered resale value when buying a phone. Is that really something people look for?

I often hear resale talk from iPhone buyers.

How much of that is self-justification for convincing themselves to buy something expensive?

that depends what you consider a healthy resale value, I bought my Pixel 6a with no issues for 100EUR :-) (and not because I care about Google's business, I don't have gapps in my phone, I just like good deals/VFM)

Didn't know more people are doing this. I am also using a used Pixel 4a which I got from eBay. Still has good battery. I don't see any reason to upgrade any time soon.

Speaking of battery, veeeeery soon phones will have mandated replaceable batteries in the EU. I'm just hoping my current moto (a $99 job perfectly adequate for absolutely everything I do) survives until then.

Aside: I've noticed over the years that phones die in one of the following ways: - too fast charging (battery dies, charge controller dies) - usb port dies - screen broken - all sorts of falls

A lether folio case, gorilla glass, and a Qi charging adapter solve all of those problems (the charging adapter also limits the current by virtue of being inefficient). It has a magnetic connector (it's a simple two-pin job and it doesn't have any issues) - in the rare occasion I want to charge up real quick, I can still hook up directly via usb c, and meanwhile the port is stuffed with the converter's plug which prevents it from accumulating dirt and fluff.

I'm glad to say that even despite many falls, some directly onto the screen, the phone itself still works very well, even if the case and glass protector are obviously ragged.

I hope once unlockable Moto's come around I'll be able to keep that one for a long while as well.

When you say replaceable, do you mean repairable or swappable? Like, does it need to be done without tools (probably takes <1 minute) or would it take me 2 hours with a load of tools (no change from today) just that there's a legal requirement for them to be commercially available?

Fwiw, besides people that crack the screen I have not seen any of the failures you've mentioned. The only phone I saw someone replace, for reasons other than software support, was myself because the gnss chip was cooked after 3 years (would track me perfectly, like if I step to the right it would notice, but with an offset of hundreds of metres so I'm in another town). All other phones I've owned are still perfectly functioning (the oldest Android phone I have, 2012, has a more reliable battery than my daily driver!), I don't use any case or screen protector. They're just software-wise obsolete because no updates and developers require the newer android apis

well, it isn't receiving security updates https://grapheneos.org/faq#device-support

imo the RAM bloat/overly aggressive OS. on a similar aged device without zswap I couldn't run more than one maybe two things without the OS killing everything in the background. I think it was better before I got stuck updating to 15

Security patches.

and support for hw memory tagging :p

You should really try to buy any phone used if you can, whether Pixel or Google or not.

Why?

For the environment? To reduce e-waste? And you'll almost certainly save substantial money too.

How good is it for the environment / e-waste? If you buy a used phone every year from someone buying a new phone every year, it means that you both use one phone every two years, right? It's a lot worse than buying a new phone and keeping it for 8 years.

If I said "I buy new phones regularly, but I sell them in second hand, for the environment". Would you consider I actually make an effort for the environment?

> If you buy a used phone every year from someone buying a new phone every year, it means that you both use one phone every two years, right? It's a lot worse than buying a new phone and keeping it for 8 years.

Because when someone says "buy used" they're obviously telling you to buy the antiques your grandma used to love back in the day on an annual basis. Anything newer than that especially from the last year or two would be new and insane to consider, especially if you keep it more than a year. You really owned me with the flawless argument there.

I don't understand what you say, but you sound like you did not like my question.

I was merely pointing out that "buying used" is not necessarily better than "buying new but keeping for 8 years". Many people "buy used" but often.

I too have been buying used Pixels, mostly for environmental reasons. But from a local shop phonebot. Got 3 phones from there, no issues at all.

Buying used introduces such a big supply chain risk. I stay safe by buying direct and asking the NSA not to open the shipment in the order notes.

(y’all know this one https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa... )

What is the supposed threat model here?

Mr. Rich Guy sells me his personal device he used in the previous year because he wants new shiny phone, but he may have the very slightest chance of being a super evil genius? The government selling tampered phones on ebay, when they could just.. go directly to vendors and put their backdoors directly into new phones/software?

Sorry for the light snark, but this attack vector seems way too complicated for not much benefit. Unless you are some very VIP person being personally targeted.

Does anyone know where I can read more about which devices will be supported? GrapheneOS website devices FAQ doesn't list any Motorola devices, and the press release doesn't have much either.

As I understand that situation, GrapheneOS developers are super picky about hardware they want to support. So out of all android phones they decided to support only Google Pixel because only these phones provide good enough hardware support for security features they want to provide.

So likely no existing Motorola phones are good enough and only new ones, developed in collaboration with GrapheneOS developers, will be suitable.

They said on Twitter that future devices in the Razr (foldable) and signature line will be supported. The current devices by Motorola do not fulfill their hardware requirements, so no need to buy one yet. This is speculation on my part, but its not unthinkable that non-flagship support could happen eventually, although mid tier SoCs generally don't have the hardware required to support graphene (hardware memory tagging, sufficiently open secure element, etc), so in the medium term, it's unlikely that anything but the flagships will be supported by graphene.

Future Motorola devices (or maybe a subset of them?) will support GrapheneOS

> We're collaborating on future devices

https://grapheneos.social/@GrapheneOS/116159602850585685

There's no details yet, but I was reading it won't likely emerge until 2027 so ostensibly these will be models that are yet to be announced. Might even be models dedicated to grapheneos (and other open source roms as they mentioned here)

I'm pretty sure strcat was saying on a previous thread that it will only be future models, so nothing in their current line up in guaranteed to be compatible.

This project is in hype stage. No work seems to have been done, yet.

Samsung had something as ambitious years ago, but it went nowhere https://www.xda-developers.com/samsung-promised-make-old-pho...

Stay tuned

The enterprise angle makes more sense than consumer. Regulated industries and gov orgs need auditable device stacks, and Pixel being the only viable GrapheneOS hardware was always a fragile dependency for a security-first product. The real question is whether Motorola executes at the hardware partnership level or whether this is a marketing play. 2027 will be telling.

Better marketing is impossible, Motorola has just positioned itself as a very strong buying option.

In the land of the blind, the one-eyed man is king.

Thank god (or China) for not needing Google devices for Graphene in the future! Motorola devices are 10x more affordable in my country, as Pixel phones aren't even officially here and must be imported with high taxes, while Motorola has official stores and even builds phones locally!

With Motorola being owned by the Chinese company Lenovo can these new devices be used in secure environments? I remember when Lenovo took over making ThinkPads they were banned in some secure environments because of Lenovo links to CCP.

At this point in time, esp. given the raving lunacy of the US White House, those of us outside the "West", wonder the same thing about US companies.

Honestly I’d prefer Chinese backdoors over western ones. China is still a land far far away and I couldn’t care less about what they’d do with my data, unlike western alphabet boys who could freeze my accounts and assets for ”wrongthinking” in the future.

THIS so much! I'm more at risk from the US and my own (UK) government than the Chinese, and in answer to the questions below: - No I don't know anyone from or in China - I'm highly unlikely to go anywhere near China (or fly over it, around it) - I'm poor

So unless my local Chinese takeaway is classed as Chinese soil, I'll more than happily buy my phone from there

Most phones are already made over there anyway so know knows what kind of backdoor, listening devices are coded into the chips they put into 'Western Company's' phones.

Just make sure you don't have any family in China and don't plan to transit through HK anytime in the future.

One has to be careful when flying. Your flight's origin or destination might not be in China, and may not even be through Chinese airspace, but if there is an in-flight emergency, an airport in China might be the closest landing spot.

Occasionally, they'll "stage" an in-flight emergency, forcing a landing in China and arrest you.

The US invented it.

This isn't something the average random GrapheneOS user needs to worry about.

Doing this has a non negligible political cost. They would only do it for a high value target. If you're that person, you're presumably aware.

The person(s)* this has happened to, was/were not aware.

* I only recall one news report of this happening years ago.

Iphone is made by Chinese companies too. Same with Tesla. A lot of those components made by purely Chinese companies and yes can be trace to individuals who are CCP. It is extremely hard to source another purely away from any Chinese connections. If you say the main company is USA, you seems to ignore how the pager exploding setup was done. Go into any IT rooms in USA and you audit it as zero from China even if you ignore Taiwan as recognized by American law as part of China. We can't buy anything truly made non-China. Even F35 has some components (and that is official, unofficial we dont know) made in China. Google want to sell Motorola to American companies, not even Pentagon or NSA bother back then. Think about it, how hard to engineer a backdoor exactly same components (say capacitor) or motors during shipment for those phones.

The true reason you can't trust a Chinese company, and other countries can't trust US companies, is the Western patent regime that allows various companies to sit on patents for absurd amounts of times, preventing others from selling you completely clean hardware on which every piece of software can be replaced.

Good point. It's a good thing that, say, Google is notoriously independent from the US government, and has never had any ties to it whatsoever.

You might want to add /s tag to it.

This isn't Reddit.

No worries, the team Literal is alive and well on HN..

[dead]

The whole point about having an open platform from boot is you don't have to trust it. You run your own code from first power on.

Is it possible that it's backdoored, have a secret opcode / management engine? Probably, but that goes to everyone, as it's not practical to analyze what's in the chip (unless you're decapping them and all)

I don't know what secure environments you're talking about, if it's an airgapped system then you should be secure even when what's inside 'tries to get out'.

Korean and western made stuff guarantee to have such thing. CNC devices in Russia stopped working. Even NVIDIA gpu has back door according to China and NVIDIA had to settle this matter behind the scene with China government. At this point, your phone is 100% backdoorable by western government. The only thing protect you is you are non-threat and too small to be bother with.

Is there documentation that GrapheneOS Pixels or iPhones are backdoored by governments to the extent that any person can be targeted?

No? Okay.

Depends on what environment you mean. Chinese secure environments would see a Chinese OEM as an advantage vs. Google Pixels. In the US yeah you'd want a Pixel.

European tech is in shambles and everyone else is barely holding it together outside of tech.

> Lenovo originated as an offshoot of a state-owned research institute.

From Wikipedia: https://en.wikipedia.org/wiki/Lenovo

That's the entire point of verified boot with custom keys, you don't need to trust Motorola or Lenovo. You can control what runs from the first boot, the threat model for a compromised supply chain is different from a backdoored chip. If you are worried about the latter that applies to every manufacturer including Google & Apple.

what does "secure environment" mean?

Not OP but I guess it’s where the threat model includes worrying about the foreign government actors. Like US infrastructure, government contracting or some major tech companies.

Damn I would love to buy it. In the past I tried different mods trying to get rid of google, the problem was always the same, lot of little annoyances making it very painful for daily usage. A de Googled phone without annoyances and security would be very cool.

Another interesting thing is that I haven't had any reason to buy a new phone in a very long time so we are probably in a time where the hardware is commodotized enough for motorola to be able to ship exactly what I need.

Never thought I would have think of routing for Motorola in 2026 but you never know!

While it's nice to have somewhat of a choice between terrible and bad, we need a Linux based OS that doesn't depend on Google at all.

While I'm at it, I don't trust GrapheneOS. The devs injecting certain types of politics into the project.

But it's better than both Apple and Google who both are known to spy and have tons of backdoors.

The only thing that keeps me from switching to GrapheneOS on my Pixel 10 pro is satellite SOS which isn't supported on GrapheneOS. It's something important to me as I do mountain sports and in some locations there is no network signal.

I know that in the US Verizon and Tmobile customers have access to satellite connectivity and it's possible to get this feature working on a GrapheneOS phone if you are one of their customers, but I am in Europe and European providers don't provide satellite connectivity.

One of the greatest things I miss from Samsung after some time with GrapheneOS is the dex.

The current provided desktop mode is rudimentary, and mostly working. But it has so much potential. We could have all in one device with us, and just plug that into an usb-c dock. Or watch things on big screens in hotels if a mouse emulation on touchscreen like samsung would be supported.

Or, as Samsung already has created this, maybe that could be somehow ported to GrapheneOS via some 3rd party patcher? I'd really like to use samsung clock and gallery, as well, as those are quite a lot better than AOSP ones.

I like GrapheneOS, and the promise of it. Just a few minor things and it would be awesome instead of really good.

> The current provided desktop mode is rudimentary, and mostly working. But it has so much potential. We could have all in one device with us, and just plug that into an usb-c dock.

An acquaintance at a local hackerspace has no laptop, just a Fairphone 5 and a device that looks like a laptop but is really just an external screen and keyboard. He connects his Ubuntu Touch phone and uses that as a laptop, developing software on it etc.

It's not perfect as a phone (Android apps work rather well from what I've seen (I think the emulator is called Waydroid), but e.g. passing through Bluetooth is an issue so there are limitations) but maybe that's an interesting option for you as well

Motorola was the only one that had something similar AFAIK (Moto's Ready For)

Though I'd expect that all efforts focus on the new Android Desktop Mode now, and then Samsung Dex turns into something akin to what OneUI does with Android, instead of being its own thing

The biggest argument for me to buy one of these phones - when they actually arrive - next to running GrapheneOS, will be whether these phones, like all others, are way too big to use with only one hand. Like, I don't have a lot of requirements. Just make it run GrapheneOS and let it be >6 inches. I'll immediately buy it.

Larger than 6 inches, got it!

Assuming you meant < 6 inches I'm all for it as well, it would be another incredible usp for these devices.

The initial supported devices will be flagships. They have regular, fold and flip variants of the flagships. The main advantage of flip phones is better one-handed use.

This is great to hear, I've been wanting a flip phone for a while. GrapheneOS on a Moto Razr would actually be incredible. Thank you for all of your hard work and being active in this thread. I'm looking forward to getting my hands on a Motorola with GrapheneOS :)

I will be ordering one as soon as they release evenn if its a downgrade, because I want to see this succeed.

I also am willing to suffer lower specs in short term if it benefits me in the long run.

There are a couple of apps I use that I kind of need: jb4 and Mando ECS (both for my car). Would be nice if they worked - anyone know?

My S21 FE 5G is still fine (for now), going on 3 years. But I'm sure Samsung will cripple the battery life at some point..

It depends, but it is promising.

If devs can have access to all of the hardware and related documentation and source code, then this is to become very good news.

PCs became popular and widespread because of that: openness.

You know what would be good for security:

Having physical disconnect switches (Bluetooth/Wifi, Modem, Power, Microphone/Speaker), and integrated lens cover like Lenovo laptops (at least for the front camera whereas a case can cover the rear cameras).

On a side-note:

Triple active SIM would be amazing, but one can dream. I would love to have a phone that has an active AT&T, T-Mobile, and Verizon SIM at the same time.

  > You know what would be good for security: Having physical disconnect switches

It depends on how durable they make the switches. Lightswitches, for example, tend to be durable.

Light switches do not go with hundreds of thousands of people to the beach, the desert, left in hot cars, rained on, sat on, dropped, pressed against sweaty facts, etc.

the smaller something of that type is, the harder to make it durable (I think)

Also a disconnect switch for the telco signal. Yet in my experience, even when turned off, a phone may send out a signal periodically anyway for tracking / triangulation purposes.

However to avoid that, removal of the battery is required. A disconnect switch for power would do the same?

I think moving to micro-PCs is the answer, and then having an add-on to get a telco-signal. Why trust Motorola? Start at grass roots where possible. Everything needs to be open-source and based on open standards. No trojans, telemetry or remote overrides.

Maybe the product is an adapter case for a Pi that adds a screen, battery, antenna and whatever else is required to make it a smartphone alternative?

Also, looking forward to Mecha Comet.

> switch for the telco signal

Sorry, that's what I meant when I said Modem.

> A disconnect switch for power would do the same?

I would think so. I don't necessarily care about removable batteries because I use a portable power bank. Why carry an extra battery that only works for one device, when I can carry a "battery" that works for many devices?

I wholeheartedly concur (see also: Linux phones), but what about device attestation requiring iOS or Google Play Integrity? That's my main worry, as age verification seems poised to making us dependent on those.

Example: the EU Digital Identity (EUDI) wallet, discussed in multiple GH issues e.g. https://github.com/eu-digital-identity-wallet/av-doc-technic...

  I think moving to micro-PCs is the answer

This is the most cost-effective mini PC right now, that I've found. Also, one of the smallest.

https://www.aliexpress.com/item/1005005575993915.html

I'm not so fond of it because it has a fan. But if you could use it at home, and then had a "phone conversion housing" you could attach it to a belt and have a smartphone. Run wired earbuds out it. Have a trackpoint nub.

Here is a $15 screen. https://medium.com/@lee.harding/building-a-real-time-hn-disp...

There's something elegant about only requiring 1 computing device for everything. Even put it in the car!

It's what Steve Jobs would want.

The power draw looks like it's at least 4W with a max of maybe 45W. That's maybe 7 hr with a 10000 mAh battery assuming it's sleeping the entire time and not really doing anything. Not very practical for people used to a small phone lasting all day without a charge.

Just get a SIM from another country and use roam like at home. I can use any network here as though it's my home network.

The provider isn't required to support this (they can give me 2 weeks' notice any time) but I use very little of my subscription (the smallest one they have) so I assume they're happy with the deal and don't have to pay the roaming carriers much

> I would love to have a phone that has an active AT&T, T-Mobile, and Verizon SIM at the same time.

If you are not aware, US Mobile offers a Super Carrier package that one account can use all three. https://www.usmobile.com/networks

I don't use them, only read about it on r/nocontract.

That's interesting, but it doesn't allow you to use all three at the same time unless you have a phone that can have three active SIMs.

Stored SIMs/eSIMs is not the same as active SIMs/eSIMs.

Triple active SIM would be amazing, but one can dream. I would love to have a phone that has an active AT&T, T-Mobile, and Verizon SIM at the same time.

You can fit several esims on one of these adapters AIUI.

https://jmp.chat/esim-adapter

That doesn't allow you to have all of them active at the same time. You can already store multiple eSIMs in newer Pixel and iPhones (you just cannot use more than two SIMs/eSIMs at a time).

Stored SIMs/eSIMs is not the same as active SIMs/eSIMs.

i'm surprised this works, in the sense that there aren't tons of technical safeguards and/or lawsuits getting in the way of someone doing this

Google Fi will auto-switch between AT&T and T-Mobile but not Verizon, AFAIK.

Fi launched with Sprint and T-Mobile roaming and added US Cellular, but is presently T-Mobile only. I don't think AT&T has ever been a supporter carrier.

That's just security theater. If you can't trust the very CPU/OS that it only uses the camera/microphone when the notification is on, then what are you even doing with that device?

Removable battery

They are not a major OEM, but the Hiroh phone is going to offer hardware cutoff switches and and a de-googled OS: https://www.notebookcheck.net/Murena-taking-pre-orders-for-t...

Given that Google has said they'll be delaying source code release for Android to every X months intervals (iirc), how is GrapheneOS planning to handle security updates? Will they just be Google's binary blobs?

Graphene already uses binary blobs (though one can disable them if they want). Info at [0].

[0] https://discuss.grapheneos.org/d/27068-grapheneos-security-p...

this isn't quite right. the blobs are produced by GrapheneOS and are reproducible once the source code embargo lifts.

Whoops, nice catch - comment edited.

Isn't that about feature releases? My understanding was that security patches are separate from this

edit: looked up the announcement https://www.androidauthority.com/google-android-development-... but it doesn't even mention the word security. I don't know enough about the manufacturer side of things to say whether this means there's also no security updates while they work on new features

Motorola is a partner that has access to Android source sooner.

It would be amazing if GrapheneOS would distribute rooted versions of their OS with locked bootloader

Persistent app-accessible root greatly regresses OS security and breaks the verified boot security model. We're definitely not going to increase the number of build variants from 40 to 80 in order to provide an insecure option which would take away from efforts to properly implement features instead of doing it via hacks using apps running commands as root. If you want it you can make your own builds with it instead of us doubling the number of builds and deltas we need to make. Most of the people doing it are modifying the official builds and resigning them. Anyone who can understand the consequences of app-accessible root is capable of doing that.

Are there more security disadvantages besides the obvious when giving one app like Termux root access? The obvious being that you trust Termux and all binaries running in it with total access to your system.

I am mainly looking to access my filesystem. Currently a lot of things I want to do (backing up app data, scripting, mounting network drives) are hobbled by the bad wrappers around the same.

I know this might be out of scope, but is there any plan to re-enable direct filesystem access in a more secure way? Even via ADB it would be useful. It just seems like madness to me that a lot of basics tasks are impossible or incredibly convoluted, because everything has to go through weird wrapper interfaces and Java/Kotlin code someone has to write (instead of just using the filesystem and OS which is right there).

Thanks for the great work by the way.

I get that but the core issue is not inconvenience but the fact that also doing that still locks you out of applications that many people call essential (tap2pay, banking, streaming, other various apps relying on Play Integrity).

Google is actively locking down the ecosystem in that regard and it would be amazing having a company that caters to people that are savvy AND would like to still be attested for integrity tests (assuming Google would be OK with that, but as mentioned in another comment unlikely)

I don't think they will ever do that. If they want to compete with Android, they need hardware attestation [1], which requires that they get recognised as a trusted Android alternative.

If they distributed rooted versions, then banks and the likes would not be willing to trust them.

[1]: https://grapheneos.org/articles/attestation-compatibility-gu...

That would be as big as Signal stepping away from the phone number requirement. Sadly I've lost hope on both of these, no idea why obviously good things (I'd say pro choice if it didn't have another connotation) are always such a no-go

Persistent app-accessible root greatly regresses OS security and breaks the verified boot security model. We're definitely not going to increase the number of build variants from 40 to 80 in order to provide an insecure option which would take away from efforts to properly implement features instead of doing it via hacks using apps running commands as root. If you want it you can make your own builds with it instead of us doubling the number of builds and deltas we need to make. Most of the people doing it are modifying the official builds and resigning them. Anyone who can understand the consequences of app-accessible root is capable of doing that.

Hi strcat, we had this conversation often enough that I'm starting to recognise the username. It's the same every time: Graphene argues it's dangerous, tech-savvy users want it but aren't necessarily interested in the upkeep (even if they're technically capable of making such a build), plus missing security patches (part of the point of this OS, otherwise you can use Lineage or whatever), and Graphene is under no obligation to provide anything to anyone. Same arguments today as they were from the start except now maybe the security patches' embargo time makes it even more hostile to do custom builds by power users

"Every time someone makes the same unreasonable demand of you, you offer the same explanation of why their demand is unreasonable."

Read what I wrote, "demanding" was addressed (though with the word obligation, functionally the same here):

> and Graphene is under no obligation to provide anything to anyone.

And here I thought it felt repetitive between (sub) threads

You say you understand that they're under no obligation to do anything, you already knew their reasoning, yet you still wrote a comment [seemingly] complaining about it. Was there a different purpose to it?

Removing access of users to their device is not security. At least not when users do not want this.

Your choosing to frame it that way is, at best, fraught.

Yeah, I would install this in a heartbeat. I am very close to building myself but manually updating the phone every week or two is a big effort. I could use one of the third-party OTA builds but that is extending trust much more than I need to.

Is there an overview somewhere of stable third parties that do these builds? I might want to use one of them and didn't know this was a thing. Not having access to my own data is the only reason I haven't installed the OS yet

The problem is that even if you build this yourself, and sign it with your keys, the signature of the builds will not lead to positive hardware attestation. This, as noted by @palata, is required for passing Play Integrity Checks, and in turn is the requirement for using banking, tap2pay & co.

It's really a bummer that Google probably won't certify pre-rooted devices. It would obviously only do harm to them and not fit into the scheme of our big tech companies pushing anti-circumvention laws, but some high-spirited side inside of me still has hope.

I'm not using those. Would be cool if I could access my own data and lie to software vendors about that, but I'm not very interested in playing that game every time they release another update for the detector. I'd rather use free software and have a free device. The apps I use currently on Android have no problem with root

Would be super dope if they brought back headphone jack Google teased Samsung over then a year later removed entirely. I haven’t even once considered GrapheneOS since I refuse to go without basic I/O.

I would love to see devices with a non-destroyed (corners cut off, random hole for the front camera) screen.

You still get the same rectangular screen size for a given size of phone body, unless you want no front camera and sharp square corners. You still get an entire 16:9 screen area in the middle of a rounded corner screen, just with extra screen replacing the bezels on each end.

I'm fine with rounded corners. But I would also like a phone without a selfie camera. I just don't ever use it. If my phone can spy on me then that's the only use the front camera has ever had.

just put a sticker on it

Still lost screen real estate

I much prefer maximizing screen to body ratio, even if some sacrifices have to be made: rounded corners and punchhole cam.

I'm also pretty sure rounded corners are stronger on impact.

Can anyone from Motorola confirm that the form submission and time delay requirements will be removed?

> We'll likely be able to make hardened builds of firmware and drivers which can be released in an official way for easy builds without needing to extract anything from the GrapheneOS or Motorola OS factory images.

That's great to see. I'm getting flashbacks of doing the "find the blobs" game years ago with LineageOS.

Motorola reps reading this : I almost bought the Motorola Signature, but changed my mind after hearing of all the adware and crapware that you continuously install on your devices.

If you want to invest into software, this should be #1 of your list.

So, what is Motorola's incentive here? I love it, but why are they pursuing this? It's an enterprise / government play around auditable privacy and security?

They know their software and update story sucks, so partnering with a company which promises to handle all that and they have an existing audience means they'll sell a lot more of that model.

GrapheneOS currently has like half a million users and growing. And many of those users would love to not be forced to have a Google Pixel (even if those are really good phone).

The question for Motorola is: "given the cost of meeting GrapheneOS' requirements, how many more devices will we sell?". Hundreds of thousands of devices is not nothing, I guess. Plus they get free consulting from the team building the most secure phone OS out there.

I really don't understand why smaller smartphone manufacturers didn't fight before for that. Say Fairphone: I don't know about today, but a few years ago they finally got profitable by selling something like 200 thousands units a year. If they had designed a phone to be supported by GrapheneOS, that would surely have increased their sales quite a bit. Now that ship has sailed, GrapheneOS will be focused on Motorola for a few years.

My guess is that this is a great way for them to standout, fill a niche, and get tons of free advertisements in order to gain back some of their Android market share.

Motorola has effectively lost in the Android market and are on downward spiral into irrelevance (already there?), so they have to do something different.

Add to that existing grapheneos users at best only care about good enough performance and a good camera, the selling feature is security and so a lot less overhead to market such a phone. Those who want the latest features will continue to buy pixels, Samsung, and iphones. The only thing I feel is missing from the picture at a quick glance is a tablet for the few who want a secure tablet device.

"Those who want the latest features will continue to buy pixels"

My friend the GrapheneOS supported devices list is nothing but pixels, including the very latest models. It'll be good to have more supported devices.

https://grapheneos.org/faq#supported-devices

Digital sovereignty. Europe is a big market and Motorola could gain traction this way

Sell devices who want to get out of the grip of US software monopolies. This is not unpopular in the rest of the world.

Why doesn't someone collaborate with pine64? Chasing after any flavour of android is going to be an exercise in masochism

Grapheneos has well established its role in the android ecosystem. Having developed and upstreamed features that have as a whole, improved the security of android.

Pine64 has targeted a very different market around extensibility and hacker/maker mindset. However while their phones have a lot of potential, security measures are half baked (microphone cutoff switch doesn't actually cut off the microphone), performance mediocre, and demand missing. While I love my pinephone pro, its not a dailiable device. A phone that cannot access common services like your bank account are non viable for 99% of users.

Plain Linux on phones is still quite bad. It's not unusable like it was a few years ago, but it's still not good enough to gain any traction. Jolla is trying, desperately, and it's not working, even with the ever growing anti-American sentiments.

For Motorola to partner with one of the Linux phone projects, someone would have to invest significant resources in mainlining the drivers, replacing blobs with open source drivers where feasible, and maintaining that code when new upstream firmware and drivers make it downstream with patches and fixes. Looking at postmarketOS, you can see it takes years of community effort to port a device to the point of becoming useful. Once the software is done, the hardware is outdated enough that Motorola won't be making any money on sales any more.

In theory all of this would be a lot easier if Qualcomm, MediaTek, and the other SoC manufacturers would take the burden of mainlining drivers upon themselves the way Intel and AMD do. With the recent high-end Qualcomm chips, the company does seem to put in some effort, but these companies simply don't care about Linux support.

GrapheneOS is an Android fork so of course they're partnering with an Android company. They also don't have the capacity to maintain their own kernel + security patches + drivers, which is why they rely on upstream maintenance (from Google, historically) with their own Android-level improvements to remain secure.

Because, and I really mean no offense to them, their phones fucking suck. Like, dogshit slow hardware with terrible drivers and a modem that barely works with last gen tech.

Their most advanced phone is based on a >10 year old SoC, that wasn't even that good when it was first released.

And even then they still don't live up to their promises, it is still not open hardware - there are a bunch of proprietary firmware, but especially silicon on these devices.

Apps. Any phone without access to the Android or iOS ecosystem is doomed to fail.

The only solution would be an emulation layer.

Like Waydroid or Appsupport (only on SailfishOS) :p

This is great news - would love to run Sailfish OS on it. Wonder if it can dual boot?

SailfishOS doesn't use the security features which are being worked on and doesn't keep up with kernel, driver and firmware updates. It doesn't use secure elements, verified boot or hardware memory tagging so it doesn't need the work being done on those things. They don't have similar requirements for hardware and have little use for what's being worked on for these devices.

The portions of SailfishOS specific to it are largely closed source including the user interface and application layer. It isn't possible to fork the overall operating system. It has much worse privacy and drastically worse security than the Android Open Source Project even without taking the GrapheneOS improvements into account. It's in an entirely different space and this has no connection to it.

Will this help running Linux mobile OS'es on Motorola phones, like postmarketOS?

If I buy a recent Motorola device, will it be possible to upgrade to Graphene in the future? I'm looking for a new device right now.

Unlikely. The reason graphene doesn't run ön non-pixels even today is that it depends on certain hardware features that most vendors (beside Google) lacks.

I wouldn't think this applies to Motorola.

No, the devices GrapheneOS supports won't be out until 2027 (and may only be the flagship models?)

Hopefully those Motorola devices will be smaller than Pixels.

The initial supported devices will be flagships. They have regular, fold and flip variants of the flagships. The main advantage of flip phones is better one-handed use.

I wonder if I'm gonna be able to flash my existing Edge 70.

Unlikely, current devices do not have the required security features. The plan to support some devices of the 2027 lineup.

Do we know if there there be Widevine L1 keys that aren't deleted on unlock? (Certain phones restore access to L1 on bootloader relock, as long as AVB passes, including with custom keys.)

Well, I'll surely be buying a Motorola device when GrapheneOS support lands.

I've been running on several half-working recent android ports to my Xiaomi Mi 9t for many years now.

If I can get a modern phone, modern android, my privacy preserved and a hackable phone (to the extent an unlockable bootloader allows, which isn't a given nowadays, I especially hate how Xiaomi does it), I'm 100% sold.

We'll see when it comes out I guess!

Isn't this just basically what you get out of the box on GrapheneOS?

Yeah I think the message is really "Motorola will meet the requirements of GrapheneOS in the future".

I think Pixel phones are also unlockable/relockable?

Samsung did restrict side-loading recently,

- https://news.ycombinator.com/item?id=47202808

I'm sure that Google will do something like that as soon as it faced the US's carrot and stick they signed-up for.

That's not really sideloading, though. The stock recovery doesn't let you install apps or anything like that, it's meant for loading official versions of Samsung operating systems onto devices that got corrupted somehow.

You can probably try to use the stock recovery to flash a custom ROM, but I doubt it'll work. Custom ROMs rely on tools like TWRP or LineageOS Recovery for a reason.

This is how you can install GrapheneOS on these. Also, if you're wondering how does the security of something like this work: if you change the boot hash then the phone forgets all the hardware-stored secrets, for example the disk encryption keys.

Whatever this device is is at the top of my list for my next phone.

please remake the motorola flipout, please remake the motorola flipout

Looks like a shoo-in for my next phone!

I hoped they would have gone with HMD or BlackBerry.

Why? Multiple times in the last 8 or so years I've considered both Nokia (HMD) and Motorola. Looking at reviews and specs I decided every time in favor of Motorola, despite liking the design of Nokia's more, and didn't regret it.

I was secretly hoping Framework would have produced a phone that would collaborate with GrapheneOS. I know it is a stretch, but one can dream.

I wish Framework would release one of its regular laptops, beefy battery and all, except it runs Android (on an ARM processor of course).

I mean, they already have RISC-V.

https://frame.work/se/en/products/deep-computing-risc-v-main...

Related:

Motorola announces a partnership with GrapheneOS

https://news.ycombinator.com/item?id=47214645

Even though there doesn't seem to be huge mainstream consumer demand for this (although I actually question how well consumer demand for privacy and customization can ever be ascertained when the price signals are corrupted by a market where the winning players are essentially chosen by the state, as is arguably the case with both TSMC and Qualcomm), it still feels like the world simply couldn't go on with both iOS and Android become caged, cheapened, fragile shadows of the visions we once had for them (particularly AOSP).

I think we can only expect the demand for privacy to grow into the future given that people tracking in a trenchcoat schemes are popping up everywhere through governmental and private efforts trying to gather data for ads and control.

Not to be flippant but who cares? People don't know there's an option. I've run Graphene for years and will gladly pay a premium for it. Beyond the bolstered security the battery life is exponentially better than a default Android device because of all the constant background traffic that Google doesn't allow any control over that you instantly have a choice with on GrapheneOS.

And as soon as you start showing these things to people they do start to care and ask how. So the fact that the mainstream is ignorant and doesn't care enough yet doesn't matter because it's very likely a much larger segment of users will care when the tech evangelists they trust stop using IOS and Google Android. That's how these things started and that's how they could very well play out in this scenario as well.

Yes, I agree in full. Did you think I was taking a position contrary to this one?

Not all markets are trendy B2C stuff. The Motorola press release specifically mentioned B2B/corporate sales where security is important and there's plenty of government, journalist, non-profits/activists, etc usecases on top of the usual corporate locked-down environments like banking.

Can't wait to see the Sailfish/Motorola crossover, honestly.

This is huge and amazing!

Does this have more security, Please let me know share the details

I run a SM-A260F and a SM-T225N wdy think ?, theyre both unsupported even though they have great potential (the first one is very used in my country)

I think this is great news, but I thought GrapheneOS considered unlocked bootloaders to be a terrible security risk? What's changed?

It has always been a hardware requirement to be able to unlock the device, install GrapheneOS and lock the device again. Verified boot has been a requirement since it was introduced for Pixels and the is main benefit of locking the device. There are additional security features enabled by verified boot. The overall hardware requirements are listed at https://grapheneos.org/faq#future-devices.

Unlocked baotloaders are mandatory to install graphene, but so is the ability to re-lock the bootloader.

Not if it comes preinstalled though. Isn't that the point of the partnership?

Doesn't seem to be, announcement only talks about GrapheneOS compatibility.

You always have to temporarily unlock your bootloader to install graphene.

The key point is being able to lock it again after installation.

Does anyone know how many binary blobs chips in Motorola will have?

A physical keyboard device with GrapheneOS would mog

The future is now (or 2027)! 4" screen and hardware keyboard and graphene!

https://www.clicks.tech/en/products/clicks-keyboard-for-moto...

I cannot overstate my excitement.

Just buy a keyboard case for it, no need for permanent attachment. Or carry a tiny bluetooth keyboard in your pocket:

https://www.amazon.co.uk/dp/B0FWC8G2Q8/

Ah, Doohoeek, a time-honored, trusted brand.

I'd rather buy from Doohickey.

Hopefully it gets a port to the Clicks Communicator. From what I understand the bootloader will be unlockable.

Is this feature gonna be on All phones including Low-end/mid-end (4-8Gb ram) and their flagship phones?

It's gonna be huge if that's the case because Pixel's here are expensive, their second hand prices are in "non-global" countries[0] and you have to pay a premium. Also I live in world's largest second-hand phone market and it can have its worries as well.

You can't say to anyone who wants privacy, oh just buy a second-hand pixel. It's just not that easy.

But if Motorola can launch multiple phones and there are always gonna be some deals one way or another (with cards) and as motorola phones are pretty competitive in price, Finally we can have phones worldwide where privacy isn't charged extra.

I have spent some hours looking at online second hand phone stores to find but due to its somewhat rarity, I always feel like being frugal, I am just paying extra for privacy and so I am really happy with decision from motorola using their supply chain of phones and partnering up with Graphene.

I was gonna buy a phone for myself, I was thinking a second hand pixel phone but given the things I said earlier at this point, I might as well wait for a few more months to get the moto phone.

I just hope that they launch an affordable phone with grapheneos. I really don't care about specs as I have been able to live my life with 7 year old motorola phones too in 2026 for sometime.

I will definitely recommend my family Motorola phones in the future and slowly convert everyone to motorola if motorola releases an affordable phone with actual privacy.

[0]:https://www.xcitium.com/blog/news/why-is-google-pixel-not-gl...

graphene has said only flagships at first, but eventually they hope to end up on lower tier devices.

Looks like I might have to wait for sometime then but still I am pretty excited about it yea!

I think banking apps especially the ones in UK, won't work on this device.

NatWest and Monzo work fine on my Pixel 9a running GrapheneOS. Community maintained list of supported banking apps here:

https://privsec.dev/posts/android/banking-applications-compa...

Google Wallet is not supported at all.

Curve works and you can set that up as a replacement for Google Pay.

with avbroot ?

I didn't have to do any resigning or repacking apks. It just worked installed from the play store.

As domh mentioned, some (not all) banking apps do seem to work well at the moment. My concern would be that what works today may not work tomorrow. My HSBC app seems to get more crippled with every update and it wouldn't surprise me at all if a future update rendered it unusable on GrapheneOS (which is the main thing stopping me from moving to it).

It's probably a pipe dream but I do hope that someone like Motorola officially supporting GrapheneOS will make businesses take support somewhat seriously. If nothing else you sound less like a crazy person when you tell your bank's customer support "I bought a Motorola phone and now your app doesn't work" than "I flashed a custom ROM to my Pixel and now your app doesn't work".

90% of banking apps work on GrapheneOS. Curve Pay works for tap-to-pay.

https://privsec.dev/posts/android/banking-applications-compa... has a UK section.

Banking apps will be catastrophe in the future. Petition your bank, you want to use PC web app with certificate authentication.

If they don't support it -> notify them and change bank. Enough people doing this, something will change.

Good luck with that. Of all the things people don't really care about, I think that might be at the far end of the list.

Certification authentication is neat technology in principle, I use it internally, but in my experience anyone who recognizes it also hates it passionately. It's the thing that seemingly stops working every time their taxes are due, courtesy of terrible government software.

If I started telling people that they should be demanding certificate authentication from their banks, they'd probably think that I escaped an asylum.

Hello Moto!

This whole thing feels like a subversion, instead of having graphene independent from devices and widen the attack vector, now the spooks can just focus on the “supported official device” only. That being said, the hardware isn’t open source (cell modem is enough to expose you), some binary blobs for the firmware aren’t open source, motorola is a US company with all what that means, if you are after anonymity or even privacy, I would stay away from it entirely, you will be like a person putting a full mask on while on public, except that mask is scanning your face in real time. You will stand out like a sore thumb, your best strategy is blending in, so the automated systems scanners won’t flag you and thus put you under further monitoring.

The timing is super weird too, when all corporations are pushing for digital ID, are actively lobbying to deanonymize the users, cooperating with gov too to have a smooth pipeline for such process, and motorola the known company of having defense contracts, are suddenly caring about open source privacy?! Cmon

>This whole thing feels like a subversion, instead of having graphene independent from devices and widen the attack vector, now the spooks can just focus on the “supported official device” only.

Graphene is currently only supported on Pixels, so not sure what you mean by that.

>motorola is a US company

Motorola is owned by Lenovo, a Chinese company.

You can't have secure software running on arbitrary insecure hardware.

Lots of speculation, correlation and not a lot of reasonable conclusions.

The only speculation part is the timing, the rest are facts, only a naive will think a smart phone is ever private or anonymous. Your phone has a unique ID tied to the hardware that can ID you, your cell modem isn’t open source and is equipped with builtin high accuracy GNSS, plus other hardware and its non open drivers that can be exploited, among many attack vectors that are easily exploited on modern smartphones. This issue isn’t unique to phones too, many modern laptops are also part of it, TPM and plenty of hardware that aren’t really open, the only exception is a laptop can be used in an air gapped environment, not really the case with a smartphone, because assuming you managed to do so, it defeated its purpose to start with.

The conclusion here is if you are after anonymity then you should ditch your phone entirely, having a “secure OS” won’t provide such goal but it might bring more attention to you than using of-the-shelf average phone.

Jesus Christ...

[dead]