I installed LineageOS and found I couldn't run some google apps. I reinstalled LineageOS with https://opengapps.org added during the install and made the mistake of transferring from my old phone which brought all the google services and everything back to the phone (mostly).
I then installed CalyxOS - much easier install process than lineage. Really liked the defaults. Could not get many apps that relied on google play services though. If I didn't need so many Google-tied apps I would pick this as my phone OS for basic stuff like messaging and browsing.
Installed LineageOS again, found there were a couple apps I could not get working after all (50 different apps installed).
In the end I gave up and re-flashed Google firmware back onto the phone. I spent about 10 hours on all this stuff and simply ran out of time for now. I though I could get away from Google but I didn't realize how much my apps needed Google.
Did you try microg? It's dead simple to install (they publish builds of lineage+microg for any device which has an official lineage build), works out of the box, and I haven't had any compatibility issues.
> I reinstalled LineageOS with https://opengapps.org added during the install and made the mistake of transferring from my old phone which brought all the google services and everything back to the phone (mostly).
I think you have misunderstood what "opengapps" is. Despite the name, it's just a zip that installs Google services and apps (Google framework, play store, etc)
I think they meant that when they ran Google's automatic import tool it reinstalled all the forcefully installed Google apps from the old phone. The difference with lineageos though is that you can uninstall them afterwards.
Having developer for Android, I can tell you that Google pushes their libraries hard and make that as default in tutorials, docs etc so most developers end of depending on play services without realizing that is only one of the many options.
This is done by design to lock developers in and by proxy, lock users to Google flavored Android OS
You can try lineage with MicroG[0][1], it replaces Google services. If you want stores there is the F-Droid store for FOSS app or Aurora Store if you want casual apps.
YouTube can be replaced by NewPipe and these days I'm trying Organic Maps (a layer for OSM with nav and offline maps) to replace Google Maps.
Does WhatsApp still work? I care about privacy and degoogling but I'm not yet quite ready to abandon my social network over it. Currently I use lineageos with the micro Google apps bundle which provides the real Play Store services and WhatsApp still works. I'd be happy to use the replacement if that was still the case.
EDIT: for clarity, by "micro Google apps bundle" I mean the opengapps [1] micro variant.
I use LineageOS+microG and practically all apps not made by Google (WhatsApp, Spotify, PayTM) work as they should. Even for some Google apps, there are good alternatives like YouTube Vanced etc.
Good to know, thanks! I plan to reinstall LineageOS since I stupidly relocked my bootloader last time and can't upgrade without wiping the phone. I'll try out microG this time!
LineageOS isn't designed to be used with a locked bootloader. Most devices supported by LineageOS don't support relocking the bootloader with a custom key, and for the devices that do support it (mainly Google and OnePlus phones), it's not recommended to do this on LineageOS.
Some Android distros, including CalyxOS, are only intended to be used with a locked bootloader, and support over-the-air upgrades without needing it to be unlocked.
Yes I believe it does (I switched to Signal years ago and didn't try WhatsApp for a long time). Many proprietary apps runs great even the ones depending on Google Services.
NewPipe also has an audio-only option. Unlike YouTube Vanced (a mod of the original YouTube app), NewPipe is open source and supports video downloading. I think the main advantages of Vanced over NewPipe are the SponsorBlock integration and the ability to log in to a Google account (if that's what you're looking for).
I tried both, Firefox with ublock and Video Background Play Fix extensions (as someone else pointed out too) is great. But I ended up using NewPipe because I feel it's has a better user experience than the mobile version of the YouTube website (playlist management, audio only, downloading, UI) and it's Open Source.
I still use the Firefox option if newpipe has issues fetching the video (which didn't happened to me for a long time).
You can click share on a Youtube video on Firefox and you'll get the option to send it to New Pipe. My only gripe with New Pipe is that it breaks some times and it doesn't have Youtube's recommendations.
Organic Maps has a better and easier-to-use interface, especially for turn-by-turn navigation while driving.
OsmAnd is much more fully featured, especially if you are using it to contribute data to OpenStreetMap. With OsmAnd Live, you can download hourly updates to OpenStreetMap data, while Organic Maps updates at less frequent intervals. The app supports plugins for additional functionality, including trip recording, Mapillary street view, and various map views (such as nautical and ski views).
There's no harm in having both installed, since they have different strengths.
In OM, we have faster renderer, more compact maps and focus on easier UX for general public. All app’s features are free. And we plan to increase the frequency of map updates, and of course add more features.
Did you guys ever solve the massive TTS problem? I would use Organic Maps if not for this. It's a bit of a safety concern when you need to look at the map all the time.
I agree that OsmAnd is a better option for public transportation and navigation, however, I found that Organic Maps is better at showing stuffs like restaurants/shops etc and more reactive (smoothness, quick to show the map).
I used OsmAnd for quite a long time and just wanted to give Organic Maps a try to see other alternatives. Both are quite promising as replacing Google maps IMO.
SmartTubeNext's interface (which enforces landscape mode) is optimized for Android TV, while NewPipe's interface feels more at home on an Android phone or tablet.
Don't you think it is kind of absurd that you have to buy a device from Google to degooglify it as CalyxOS does not support other devices. How difficult would it be to actually port it to a device already supported e.g. by lineage?
The OS in this case has nothing to do with not being able to be ported to other phones. Google is one of the few who will pay extra to Qualcomm for the ability for users to flash their own signing keys. Lineage does not support one of the most important security feature of any modern smartphone, lockable bootloader and verified boot.
Lineage might be more privacy respecting than Googles Android, but far behind regarding security.
CalyxOS and GrapheneOS are the only real options (because they support relockable bootloaders) if you dont want to use Googles Android.
There's no point in using LineageOS after they dropped PrivacyGuard instead of expanding it. You start going down this road and suddenly you'll have a phone that doesn't pass SafetyNet anymore. You have to use 3rd-party applications and probably a ROM made by a random internet user not affiliated with LineageOS because they drop support for devices all the time. The phone manufacturers bribe ROM developers to do that or they just move on quickly.
MicroG is another really unstable experience. Google bought KaiOS and will buy the next KaiOS too. They moved and continue moving features to their proprietary castle. There's just no way you can win this fight against Google.
Long term the only solution is by some miracle a FOSS phone gets enough popularity for developers to want to make apps for it. I doubt it. My solution is unfortunately using two separates phones. Android and a FOSS one.
Privacy Guard) I was the one who purposely removed it. I spent days ( if not weeks ) trying to get it working properly ( read, it never worked properly and causes many issues we still have tickets for ) futhermore Google basically rewrote the full stack once again, while introducing the, now publicly available in 12, permission hub that somehow gave a better view of permissions and easy access to remove them. We know it removed some more granular ops, but it wasn't worth the effort.
SafetyNet) Nothing can legally pass it unless Google certifies it, we can't do much, only Google can enforce it to be used only for security related reasons
Bribing) I wish I got a single cent from any of the OEM I worked on, name it, Motorola, Asus, Huawei, OnePlus, Xiaomi.
Not once they threatened us to stop working on their devices, and at the same time didn't help at all ( the only outsider is Asus that is willingly to help )
We simply can't continue supporting every device that enters the door, we don't have any real way to improve it, everyone is doing it voluntarily with no expectation, and so do we as project directors.
I don't think anyone is especially happy about the LineageOS shortcomings you point out, but that's why people are working on supporting the mainstream Linux stack on existing hardware.
The LineageOS folks have a very difficult job to do, they must keep up with developments in AOSP while supporting dozens of existing hardware models, each with its own "exciting" quirks. Is it really any wonder that some hardware gets dropped from official support? Usually that just means bugs have turned up which would make LineageOS not fully usable on the hardware, and they don't have the volunteer manpower to address them.
Complaining about SafetyNet and microG is even less understandable, as these will always amount to unsupported hacks and we don't really need them for a usable device. Just get your apps from F-Droid, and you won't have to care about either.
I had not noticed that Lineage dropped PrivacyGuard. Damn, there really is no choice these days.
Lineage is also so frigging annoying how they just drop old phones. They won't even provide the last good build or previous builds. Really bad thinking over there in general I guess.
They do provide source for all devices, which you can just compile yourself. PrivacyGuard was dropped in order to provide compatibility with a loosely-equivalent solution that's included in AOSP, hence in most custom ROMs. Unfortunately, this also means that the supported feature set has regressed, and getting back to parity will take some effort.
If you care about verified boot, you can let your phone boot in fastboot mode and issue a "fastboot boot" command from a trusted device. Combine that with plain FDE, and it's as secure as anything Qualcomm will support out of the box.
I disagree. LineageOS has a legitimate use case, being able to easily tinker with the device. It's certainly not as private or secure, and that doesn't make it a bad option depending on someone's use for it.
im sure your looking at stuff like fdroid. there are definitely sacrifices that have to be made but there are quite a few alternatives to the more popular stuff.
CalyxOS is an awesome project. I have worked with the lead developer a bit over the past few years and it's been such a pleasure. We share some bits of code between our projects here: https://github.com/AOSPAlliance.
If anyone is interested in building their own custom android OS in the cloud (AWS) with same ability to lock your bootloader like CalyxOS, you can checkout my project I've been maintaining for a few years now called RattlesnakeOS: https://github.com/dan-v/rattlesnakeos-stack.
And if you prefer to not build in the cloud, there is also a really great project called robotnix (https://github.com/danielfullmer/robotnix) which provides a way to build many flavors of OS (AOSP, GrapheneOS, LineageOS, etc).
Could you explain why you would build in the cloud? Based on a sibling comment, it sounds like it might be because it’s crazy resource-intensive? I’ve honestly not heard of cloud building before. Is it common for large projects like operating systems?
Yes, building AOSP requires a fairly powerful machine (at least to do it quickly): https://source.android.com/setup/build/requirements. It's definitely possible to do on a local machine with decent specs though.
By my reading, my not-really-a-gaming-desktop could do it in 3 hours, that doesn't seem bad at all.
Now granted, those were heavyweight specs when Android came out in 2007, but I'd figure about half of us probably have a similar box sitting around today, and the other half would just need to beef one up with some additional RAM.
How expensive is it to build android in the cloud? And how are the build times? Is it possible to do it on a local Mac mini instead or will that take too long to build?
From memory, I think LineageOS 17 took roughly 8-12 hours for an initial build and 3.5 hours for subsequent (ccache) builds on an Intel i5-3570K and spinning hard drive. That's not including the initial git clone.
The idea might seem daunting, but assuming midrange hardware and a decent net connection, it's very much doable in under a day without resorting to cloud services.
I would expect it to scale pretty well, at least until you reach the limits of your disk and buffer RAM.
The build process supports the -j option just like make. You can use -j N+1 if you want to keep all your cores busy, or -j N-1 to keep your machine more responsive during the build, or nice and -j 1 if you're in no hurry and your machine has more important tasks. (Actually, I think reasonable defaults for these might already be part of the build scripts, but it has been a while since I looked.)
With rattlesnakeos-stack, it uses spot instances and defaults to a c5.4xlarge which takes about 7-8 hours to build AOSP and Chromium (for an up to date webview) and equates to about ~$1 a build. I typically build on a c5.24xlarge instance which takes about 2.5 hours and costs about ~$2 per build. Unfortunately both AOSP and Chromium are massive projects that require a ton of computing power to build quickly. It's definitely still possible to do on less powerful machines, but it's just going to take a lot longer to do builds.
In order to limit costs, everything is pulled from source on each build and there is nothing cached. This strategy takes advantage of the fact that AWS doesn't charge for ingress traffic and unfortunately puts additional load on Google's servers. I've attempted a few different strategies on caching AOSP and Chromium source trees, but since you have to incur the storage costs on an ongoing basis, it's just not very economical.
You could certainly do it. No point having multiple EBS volumes lying around - just create a snapshot of the volume with the git checkout / build cache after each new build is done.
When you want to build again, create the instance and then recreate the EBS volume from the snapshot and attach it to the new instance. Pull the latest set of changes from the git repo and build with the old cache!
Obviously there are cache purging considerations (e.g. starting from scratch once per week/month) you could optimise as well.
I investigated EBS snapshot as an option, but there were two problems. 1) cost as i mentioned initially - for just AOSP source tree alone you are looking at > 250GB and at a cost of $0.05 per GB you are already at > $10/month and 2) EBS snapshots lazy load from S3 which gives TERRIBLE performance which means you end up with far far slower builds. AWS released a feature "EBS Fast Snapshot Restore" to workaround this issue, but it's extremely expensive.
That's likely the size of the entire checked out tree, which would include all of the files.
I just ran the command here and my AOSP 11.0 checkout is 54GB, minus any git history, since I clone from a local mirror and use '--reference' to avoid having to copy objects.
A lot of the size here is from the various prebuilts, AOSP build is quite self-contained (jdk, clang, etc) and barely uses anything from the host.
If you're unfamiliar with the context: Calyx Institute is a 501(c)(3) with a digital privacy and security mission. For a while they've offered, for a few hundred dollars a year donation, unmetered access to sprint's network. I don't know the details but I think they have retained access to the network through the merger due to some non-profit provision (something like the sprint merger was allowed with stipulation that certain agencies using the network for certain purposes would be grandfathered over). There's apparently more history related to the founder previously running an ISP under gag order, which drives their mission.
Access to the network is only possible through wifi pucks. I asked if I could register the IMEI of my ThinkPad's modem/radio, but they wouldn't allow it citing the usual "we are responsible for the behavior of the devices on the network so you have to use our certified device". Sadly, these phones do not participate in Calyx's data network, they require a traditional carrier. Maybe it's part of their roadmap to eventually offer their data services on these handset form factor devices? But until then, I don't see a huge point. It would be really awesome to say "I get my network access through a privacy oriented non-profit" (:
I purchased this several years ago. I don't regret it because I was buying to support the Calyx mission and not for the access point, but it worked reliably for about a month and then it got QoSed into unusability.
I wonder if the MEID/ESN locking will go away with the sunset of the Sprint network? It should be possible to move the Calyx SIM to any device you like at that point.
> microG replaces some functions of Google Play Services while maintaining much more anonymity and privacy.
I've said it before and saying it again on here for those that don't know: microG breaks the security model on android and adds in package signature spoofing. It's the only way to add a fake Google Play Services without needing to pull Google blobs. This is why projects like LineageOS are against using this method, it weakens overall package security.
However, it is still possible for the tinfoil hat crew to not use Google play services with OS like LineageOS. This will of course break some functionality (apps will have to poll instead of relying on push) but it will not break the security model.
I'd like a different, better set of options to choose from but we don't have it at this time. Most users should probably choose a minimal Google Play distribution if they value things like battery life and working apps while still maintaining protections against spoofed apps.
I've said this in another comment, but I'll duplicate here:
The microG creator goes into more detail about signature spoofing at https://github.com/microg/GmsCore/issues/1467#issuecomment-8...
The concerns usually raised against that are due to the "default" patch included in their repository, which has a specific purpose.
Making it system-only still isn't ideal. It then requires a full OS update to push updates to microg/playservices, cannot just update the app components if vulnerabilities are found in the wild.
I would like if there was stronger privacy laws or antitrust orders that force Google to open their service provider API's so people can choose alternative location/push providers, but this doesn't seem like it will exist soon.
For many users, it's going to be the best usability compromise to use minimal play services and use apps that don't send content over the push networks (signal is like this, element can be configured this way).
> Making it system-only still isn't ideal. It then requires a full OS update to push updates to microg/playservices
It does not, you can update system-apps out of band just fine.
Google does it with Play Services (and many other apps), and we have our microG builds in our F-Droid repos for out of band updates.
In fact, that is one of the big selling point of Play Services - the fact that it gets updated outside of OS updates, which means that you have a recent / the latest version on all devices regardless of their update record.
And therefore anything implemented in Play Services can be used even on older Android versions.
If signature spoofing is confined to apps that I designate as spoofed (such as microg), then I'm okay with it. No security problem as far as I'm concerned.
I'd like to see people make their own apps that don't rely on Google services (or faked Google services) of course, like the Linux ecosystem.
In my experience, LineageOS without gapps or microg is plenty usable. I get all my apps from F-Droid and have for years. I don't feel like I'm missing anything major. I'm sure this won't work for some people, but it's an option worth mentioning.
Also, for this reason I shy away from alternatives to LineageOS which include microg by default. I don't want it.
> This will of course break some functionality (apps will have to poll instead of relying on push)
It seems like what we really want here is for the app to implement its own notifications without going through Firebase. All you need for push rather than polling is an open socket...
I worry that these projects are asking me to either turn the phone into an ipad touch or a dumb phone.
Do push notifications require microg/google? A communications device (as opposed to a media player) that didn't have push notifications would be missing something required, in my use.
It's my understanding that alternatives to google's location services exist.
I'd just like a phone that allows me to chat/use apps/gps (let's put cell service to the side of a second) without being an OS-wide, logged-in, analytics tracker.
The thing which always makes me hesitant about these projects is that they don't receive frequent security audits and not having an expensive brand behind them makes them more at risk to being willing to trash their name at the cost of my privacy and security. I consider these to be a fairly critical part of any project which claims superior privacy and security.
I think about it this way: Should I trust
A. The company which has thousands of developers working on it and wants to avoid their brand being dirtied by failures in security and privacy.
B. The small group of people who have formed an organization which may or may not be another Anom like FBI controlled software.
Don't get me wrong, I absolutely want to pick B, but I consider it much more risky since there are a lot more unknowns around that. At least with A I know what I'm getting (basically a free flow of my info to whichever government asks for it, but cross my fingers they don't ask for it or that A doesn't want too broad of a breach of trust).
Man, stuff like this is so depressing to read. Like this is supposed to be a forum for showcasing new tech, projects, etc. What's the point of having this if people in the industry are going to say, "I don't like it because it's not backed by a trillion dollar company". What will change ?
In offering only two choices, when the reality is far more complex than that, GP sets the tone for the rest of the discussion. There are more options, and a far deeper lake of information to use for drawing conclusions, so the simplification is also insulting, on top of being depressing.
If you have other options or other things that should be considered, then add them. As it is, you seem to be dismissing his absolutely valid concerns without any reason as to why you think they're invalid. I have the same concerns as he does and it's the same reason I don't use custom ROMs. I have no way to know how security conscious the developers actually are.
That's a valid concern and only you can judge for yourself whether something works for you or not. It's open source. Read the code and do your research. Going to some project's thread and saying, "But, what if this is shoddy code or run by the FBI ?" is beyond pointless. Praise can be generous. Criticism needs to be conservative and precise.
That's utterly ridiculous and you're clearly arguing in bad faith.
Let's say I do have the infinite amount of time necessary and the technical expertise to conduct an audit of a custom ROM. Is every single person who's interested in privacy and security required to do their own audit?
If I publish my findings, why should anybody ever believe me? Who am I to tell anybody how safe it is? If you think it's so safe, why don't you do an audit and prove it to those of us with doubts instead of expecting us to do it?
Oh, right. You're operating on faith on these groups of people that you don't know who don't have any processes in place to ensure that what they're doing is safe for their users.
I'm not arguing that you or anyone should use this project. All I'm saying is that this line of questioning is not constructive. Sure, an audit is good, but since this hasn't been audited, what will this line of questioning achieve ? You can go to any project's announcement and pose this type of question, and it doesn't add anything. If you have concrete criticism to add, that's fine. This type of vague insinuation is what's in bad faith here.
Simple answer to a drepressing reality is to say “fuck it”. Build it anyway. If you build it they will come. When Amazon was getting started selling books online - barnes and noble was pretty scary big who would trust paying for something like a book online?? The reality of software is the playing field is always up for grabs. Googles still a great company but how many great engineers are still there? Lot of them have left- still many remain . End rant
That's not really the point though is it? It's more like 'I do like it.. is it sensible to use it?' At least, that's how I read it, and how I feel about such things.
I'd very much like my next phone to run Linux (i.e. be a Pinephone) though.
I like the idea, but it's a deeply frustrating experience right now. Basic table-stakes features I have come to assume from both Android and iOS platforms just aren't there yet.
It's a frustrating chicken egg problem... I want the thing to succeed, but my smartphone is so critical to my day-to-day that I can either wait for it to get better or invest the time into having it suck on toast while I improve it.
Oh I get that, hence 'would very much like my next to be' vs. rushing 'out' to buy one.
I'd also have to figure out some more specifically personal stuff like alternatives or Matrix bridges for apps I 'need to' use to communicate with certain people.
I was hoping to use Pinephone this year, but nope. I have a 7yo phone with better specs, including a 2.5x faster clock. Yes it's an Android, but ... Maybe next year.
Yup, the PinePhone is still being worked on and quite far from being usable as a daily driver. To be fair, the Pine64 folks are also very clear about this.
I like the level of control and ease of reproducible setup that I have on my desktop, and find my (Android) phone frustrating to use in part because it lacks it.
It's not without trying either, I've worked on and off on a terraform provider for Android - currently apps only but with some vague intention to try to manage as much of settings as possible (not much, AIUI). It's just not meant to be used like that though, of course, and I wish Linux was a viable enough option that, at least among nerds already using Linux for work if nothing else, it didn't need to be justified for use on phones.
> Linux doesn't have good answers for the proprietary goodies
It doesn't need to. The feasible short-term target is feature parity with de-googled AOSP roms, which would still make it plenty useful in a "daily driver" scenario.
How far off of AOSP is CalyxOS though? Given that most Android users are running unaudited carrier & OEM modified ROMs that rarely see updates, a ROM that is very close to upstream AOSP is apt to be much more secure.
Nevermind that many of the apps that Google ships as part of Google Play are not receiving security audits outside of Google, Google is not committing to regularly audit their apps or publish the results, and these apps function as black boxes on your phone, with privileges that most other apps do not have.
I think theres good reason to be concerned about investing in an OS which doesn't have the kind of well funded security team capable of actively hunting for APTs with rigor and reacting promptly to zero days once they're found.
It is depressing, but phones are unique in that they need to work flawlessly in an emergency which I think is a factor in preventing people from straying from the path "well-travelled".
This is much to my lament as well, because I would love to feel more free to experiment with phone operating systems and hardware addons.
The reputation of Nick Calyx (worth a look his Wikipedia page), or GrapheneOS team, etc, is so much easier lost than that of, say, Google's Android team.....or iOS security team.
Having said that: Calyx shouldn't be considered much more secure than Android Open Source Project (AOSP). That's where GrapheneOS shines.
Calyx should, however, be considered more private than AOSP, less dodgy & exploitable than Samsung etc Android "enhancements", aka UI/UX bloatware.
Yeah GrapheneOS is security over privacy, Calyx is privacy over security (and has a bit more mainstream appeal with MicroG, supporting push messaging and location services etc).
GrapheneOS has also pioneered a lot of security measures, a lot of which have been added to Android proper (if you see their feature log, a lot of it says "removed because it was introduced in Android"). I wonder if that wouldn't have been the case without them pioneering it.
Finally, the big guys make a lot of mistakes too. Remember the time when you could sudo on macOS with a blank password :) Or that other time when they showed your actual password instead of the password hint. AFAIK, Graphene and Calyx have never made any mistakes even close to that severity.
No. First, there are security measures that wreck privacy, e.g. sending all your data to some company's servers for virus scanning. Routing all your traffic through some filtering VPN provider. That kind of stuff. There are privacy measures that wreck security, e.g. not using personalized user accounts for certain things.
Security is also mostly up to definition, a secure computer system is a system that only does what it is defined to do. What this definition entails is up to the vendor, which isn't necessarily the same definition a user might want for security or privacy.
But generally, there is a large overlap between privacy and security.
> No. First, there are security measures that wreck privacy, e.g. sending all your data to some company's servers for virus scanning. Routing all your traffic through some filtering VPN provider. That kind of stuff. There are privacy measures that wreck security, e.g. not using personalized user accounts for certain things.
Aren't those examples more examples of bad security by introducing single points of failure?
Maybe, but there are more examples along those lines that don't introduce single points of failure.
E.g. very all-encompassing logging is generally good for security, and if the logs are stored in a secure fashion, there is also no security problem created. However, privacy suffers because one might log things one shouldn't log.
In the other direction, file and traffic encryption is good for privacy, and the less "permeable" you make it, i.e. the less readable for admins, system task, scanners, the better for privacy. However, for security, encrypting just for the user's eyes is a huge problem, because you cannot do malware scanning, you cannot do exfiltration prevention. Having users bring their own device into a work network is good for privacy, because those devices don't have central admin access, but bad for security, because same reason.
Yes, they do, and GrapheneOS is heavily focused on both. The purpose of the project and what it provides is being heavily misrepresented by the comment above.
GrapheneOS treats bypasses of privacy features as security vulnerabilities. It offers substantial privacy advantages of CalyxOS and doesn't come with the privacy drawbacks it introduces. See https://news.ycombinator.com/item?id=28095033 (above) for a more in-depth explanation.
I actually praised you here for pioneering important security features into AOSP :) Please don't view my comments as attacks or Calyx fanboi-ism. I'm not using either and I think you're doing great work. I just wanted to highlight the difference in approach as I saw it as a potential user when I was considering buying a pixel phone.
He's not "the GrapheneOS developer", he's the lead developer and one of many developers. It's a collaborative open-source project which has made a production-grade OS and whose contributions have been upsteamed for AOSP.
I think the distinction is such that with a private (but not secure) application, the only person getting my data is a malicious actor.
With a secure (but not private) application, the only person getting my data is the owner of the code & anyone they are willing to share it with (Governments, Ad-tech, etc.)
So if your hard requirement is 'nobody can know anything about what I do with this software' you are correct. However in-practice, security requirements often exist somewhere between the above two scenarios.
Private = not sending data out of my device unless I want it to.
Secure = resistant to someone trying to get into my device.
They do overlap a bit, to be private a device needs some base level of security. But a device can be very secure and still not be private as it's sending data out for analytics, tracking, etc.
GrapheneOS, lacking MicroG in the default install, is therefore more private than CalyxOS. Keeping Google out of the loop entirely is necessary for true privacy.
GrapheneOS doesn't ship integration of proprietary services like CalyxOS, whether that's WhatsApp or Google services.
GrapheneOS does have https://grapheneos.org/usage#sandboxed-play-services providing a way to use Play services in a sandbox with zero special privileges. This doesn't provide Play with any access beyond what it has in the client libraries within apps using it. Many of those client libraries aren't simply thin clients. The Ads library works without Play services. There's a special Lite variant that's actually a thin client: https://developers.google.com/admob/android/lite-sdk.
GrapheneOS does this by implement the missing fallback code Play services should have itself to work without any invasive OS integration.
We believe these services should be on an equal playing field. Google services shouldn't be built into the OS and shouldn't have capabilities not available to a regular sandboxed app. Our views are counter to a whole lot of what CalyxOS is doing which is bundling third party apps/services and giving them special capabilities. For example, they give special unattended installation privileges to Aurora Store and F-Droid.
F-Droid still targets API 25 (Android 7.1) which wouldn't meet the security requirements of the Play Store (API 29+) if it could be uploaded there. It also lacks modern cryptography and signing with full file signing + key rotation. Lots of attack surface too. They give it the ability to do unattended app installations without user consent. If it gets compromised in any way, it can install mimic apps, etc. tricking the user. It could install ancient API level apps with the weakest possible sandbox.
Android 12 will be providing a far safer way to do this, and that's what the in-development GrapheneOS app repository client will be using rather than being granted special privileges by the OS. F-Droid is still using partial file signing without key rotation for app repositories too. It does many things that we cannot accept for an app bundled into the OS.
I did not want to get into this, but you're simply spread falsehoods.
> GrapheneOS doesn't ship integration of proprietary services like CalyxOS, whether that's WhatsApp or Google services.
We do not ship anything proprietary. We ship microG, which is "A free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries." - see https://microg.org/
We ship an integration with WhatsApp in the Dialer, which is entirely open source code. It is based on the existing contacts mechanism (anyone who has WhatsApp or Signal on any Android will see entries for those in the Contacts app - that is what we expose to the Dialer to make it easy to use those to make end-to-end encrypted calls.
In fact, WhatsApp is not listed by default, it only shows up if you have it installed. We believe that end-to-end encrypted calls are important, and while this would leak some metadata, if one has it installed already presumably they're fine with that. The network effect is strong!
In fact, you're the one who's promoting your approach of being able to run the proprietary Play Services - and yet you say you don't ship integration of proprietary services. Which is it? You can't ship Play Services legally anyway.
> or example, they give special unattended installation privileges to Aurora Store and F-Droid.
Aurora Store does not get unattended installation permission, it never has. It can only update installed apps, which is what Google is allowing in Android 12.
F-Droid Privileged Extension is extended, and both that and F-Droid have received security audits in the past which haven't found issues - and the Privileged Extension itself hasn't changed much since then. We're very careful about making any changes there.
It is one thing to give constructive criticism to projects, it's another to attack them directly based on falsehoods.
> I did not want to get into this, but you're simply spread falsehoods.
I'm not spreading any falsehoods.
> We do not ship anything proprietary.
You ship integration of proprietary services including Google services and WhatsApp. You provide them with privileged integration unavailable to other apps.
> We ship microG, which is "A free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries." - see https://microg.org/
i.e. an implementation of proprietary Google services.
> We ship an integration with WhatsApp in the Dialer, which is entirely open source code. It is based on the existing contacts mechanism (anyone who has WhatsApp or Signal on any Android will see entries for those in the Contacts app - that is what we expose to the Dialer to make it easy to use those to make end-to-end encrypted calls.
i.e. integration of proprietary services into the OS in a way that isn't available to other apps.
> In fact, you're the one who's promoting your approach of being able to run the proprietary Play Services - and yet you say you don't ship integration of proprietary services. Which is it?
GrapheneOS does not include any form of Play services and has no support for the OS using it. If a user installs Play services, the OS detects it and intercepts the attempts it makes to use privileged APIs and instead returns placeholder data.
With microG, the Play services code is still present in each app using it. microG is an additional trusted party, not implementing the same level of transport security or other security checks and does not avoid trusting the Play services code to exactly the same extent.
> You can't ship Play Services legally anyway.
Not actually true. Do you claim that stuff like firmware cannot be shipped too?
> Aurora Store does not get unattended installation permission, it never has. It can only update installed apps, which is what Google is allowing in Android 12.
No, they're allowing it in a more secure, restricted way rather than what is implemented in CalyxOS. Look at the list of requirements for an unattended app update via the Android 12 API.
> F-Droid Privileged Extension is extended, and both that and F-Droid have received security audits in the past which haven't found issues - and the Privileged Extension itself hasn't changed much since then. We're very careful about making any changes there.
Shallow security audits in the past is meaningless. F-Droid is an API 25 app (Android 7.1) with a a metadata signing system with the same weaknesses as Android's deprecated v1 signature scheme and massive attack surface. It bypasses the standard OS security model for determining sources of apps rather than respecting it. This is incompatible with the expected the security model for unattended app updates in Android 12.
> It is one thing to give constructive criticism to projects, it's another to attack them directly based on falsehoods.
I'm not doing that. Rather, that is what you folks have been doing at every opportunity in these threads. I've only posted here to defend us from malicious misinformation being spread by you folks. You're engaging in that yourself and can't claim to be uninvolved.
> GrapheneOS does not include any form of Play services and has no support for the OS using it. If a user installs Play services, the OS detects it and intercepts the attempts it makes to use privileged APIs and instead returns placeholder data.
Isn't that shipping an integration for a proprietary service?
How can you claim that we're the ones shipping proprietary service integrations when we ship an open source implementation, and you're the ones shipping an integration for the proprietary implementation.
I'm done here, there's no point arguing with you, you don't see reason.
> Not actually true. Do you claim that stuff like firmware cannot be shipped too?
It's the sole reason why there exists the concept of flashing gapps are installing other custom ROMs, and that cannot be supported without verified boot.
The other way is what you're doing, which is impressive, not questioning the code / implementation, just the way you're trying to present it here.
>How can you claim that we're the ones shipping proprietary service integrations when we ship an open source implementation, and you're the ones shipping an integration for the proprietary implementation.
Play Services is not integrated into GrapheneOS at all. It only has a few shims that, as strcat explained several times, return placeholder data. Play Services has no special permissions, and using it on GOS is the same as installing any other app.
microG is integrated into your OS. It's a partial reimplementation of proprietary Play Services.
That was for distributing Google apps, not for shipping firmware updates. You're making a false comparison.
As you could see if you had read strcat's comments and the documentation, GrapheneOS doesn't ship Play Services but only some compatibility shims, otherwise Play wouldn't know how to work. Users must manually install Play and associated apps.
microG being disabled but present is still enough for some apps to work, which makes sense given that you can disable Google Play Services on the stock OS.
GrapheneOS has https://grapheneos.org/usage#sandboxed-play-services so our users have the option to use Play services too, in a way that will provide more functionality and avoids losing the security checks and key pinning that are missing in microG. We'll be making it easy for users to install via our app repository rather than bundling Google services in the OS.
Google's Play client libraries are still used on CalyxOS by the apps using Play services. The Ads SDK is a fat library and works without Play services. Only the Lite variant of that has a hard dependency on Play. GrapheneOS isn't giving any additional access to Play when it's installed compared to what the client libraries have available.
WhatsApp is clearly a proprietary service too, and CalyxOS is integrating that into the Dialer app. Signal's server source code is not fully public either and went a whole year without even the incomplete releases that are now available again. Both are centralized, third party services integrated in a special way not available to other apps. Isn't that the problem with Play services? It is from our perspective.
> Google's Play client libraries are still used on CalyxOS by the apps using Play services.
They'd also be used on GrapheneOS, and anywhere else basically.
> WhatsApp is clearly a proprietary service too, and CalyxOS is integrating that into the Dialer app.
The integration is entirely done into the open source Dialer app and generic enough that it could be extended to any apps that have phone numbers. Signal and WhatsApp are simply the most popular amongst those.
It seems to miss my favourite with Lineage - microG enabled, but C2DM disabled, i.e. services present, but no talking to google servers (but maps api, locations and so on still work).
You're able to enable microG on CalyxOS while disabling Google device registration and Firebase Cloud Messaging (the current push messaging service which has replaced the deprecated C2DM). The microG Services Core app behaves on CalyxOS exactly as it does on LineageOS for microG.
No, GrapheneOS is heavily focused on both privacy and security. See https://grapheneos.org/features for a list of the enhancements compared to the latest Android Open Source Project. GrapheneOS offers substantial privacy advantages over CalyxOS. It has a bunch of nice privacy improvements, carefully designed to work against real adversaries. Bypasses of privacy features are taken very seriously and prioritized as security vulnerabilities. GrapheneOS also doesn't integrate proprietary apps/services into the OS. We'd never stick WhatsApp support in the Dialer or ship Google services integrated into the OS in a special way not available to other apps. Services should be on an equal playing ground. That's the real issue with Play services and with iOS too.
GrapheneOS has full MAC randomization, DHCP anonymity and doesn't reuse IPv6 addresses across networks.
GrapheneOS has the Network permission toggle for disallowing both direct and indirect network access. Calyx takes an approach that allows apps to bypass it via APIs gated by the INTERNET permission. It also has other bypasses. They present it as a firewall app with a fancy name, but it's just a UI for the AOSP firewall and it doesn't really work as they present it. https://gitlab.com/CalyxOS/calyxos/-/issues/454 acknowledges the issue but presents an unworkable plan to address it. The approach doesn't work. Similarly, fine-grained filtering of domains/addresses in most firewalls even as a whitelist doesn't work due to DNS acting as 2-way communication via a permitted IP to arbitrary third parties. These indirect forms of access can't simply be ignored.
GrapheneOS has the Sensors toggle to disallow apps from accessing the miscellaneous sensors usable for coarse movement (which can map to location) and audio recording among other things.
It has substantially privacy improvements beyond these things, but they're some nice examples. I strongly recommend looking through https://grapheneos.org/features and keep in mind it does not list AOSP features as most projects would. Avoiding bundling third party apps and services is explicitly listed as a feature rather than listing out integrating proprietary services and assorted apps.
GrapheneOS is also focused on usability, and it's hard to deny that https://grapheneos.org/install/web is a very nice way of performing the install. The fastboot.js library powering it is a project we funded.
> and has a bit more mainstream appeal with MicroG, supporting push messaging and location services etc
Location works properly on GrapheneOS, as do notifications.
Despite being very new, it's already rapidly moving beyond what microG supports. It doesn't require making the security sacrifices of microG by losing the standard security checks and key pinning. It also doesn't make privacy sacrifices: it provides Play with zero additional access. Apps using Play include the Play client libraries. Many of these fully work without Play services installed, including Google's Ads library. That only has a hard dependency on Play services if apps use the Lite variant: https://developers.google.com/admob/android/lite-sdk. The claims about microG privacy/security benefits are not just overstated but backwards. It also only implements a tiny subset of the API.
Sandboxed Play services compatibility layer is another much more broadly application project funded by us, among others.
> GrapheneOS has also pioneered a lot of security measures, a lot of which have been added to Android proper (if you see their feature log, a lot of it says "removed because it was introduced in Android").
We're also implemented a lot of substantial privacy measures. There aren't really distinctions between these things. GrapheneOS helped get substantial app sandbox restrictions into AOSP restricting the information available to apps.
Can you please stop attacking another Android distro under the umbrella of a project (the Calyx Institute) that has done a lot of good for others? It makes you look like an a**hole.
There's plenty of room in this space for multiple visions of what a more-secure, more-private Android OS looks like. There's gradations of privacy and security and some users might prefer your gradient, whereas others might prefer CalyxOS'.
You might try getting your act together and reach across the aisle so the world can benefit rather than this frankly stupid and childish infighting.
And to pre-empt your honestly terrible, "but they started it", I don't see anyone from Calyx giving the mouth you're giving them, repeatedly, in this thread about their product. So please just stop.
No, giving criticism of an OS is not attacking it. You'll see that strcat only responded to places where GrapheneOS was mentioned. You'll see that there was misinformation being spread about GrapheneOS, whether intentionally or unintentionally, that originates from the Calyx community. Just look at their Matrix rooms and what their supporters/influencers say about GrapheneOS.
Bundling a bunch of apps and integrating proprietary corporate services with privileges unavailable to other apps is not privacy, sorry.
If you have the ear of strcat, I urge you to to talk to them about this kind of paranoid conspiracy thinking that leads them to directly accuse me (and others in this thread) of being a co-conspirator in a vast plot to undermine GrapheneOS. It's fantastic thinking and it damages the reputation of what is otherwise a gift to the community.
I have been on Hacker News a long time, posting on everything from sex worker rights to Telegram to Emacs. I don't know about your Matrix room, I've never visited it. I have no interest in impersonating anyone save myself.
> You'll see that there was misinformation being spread about GrapheneOS, whether intentionally or unintentionally, that originates from the Calyx community.
I don't see that anywhere here in this thread. I see a thread that should have been a space for celebrating a cool more-private, more-secure Android project being hijacked because its competitor's lead developer believes themselves to be the target of a conspiracy. A conspiracy that isn't even occurring in the very thread they're engaged in:
> I've only posted here to defend us from malicious misinformation being spread by you folks.
From who? Nobody here is doing this! Especially maliciously.
If you think CalyxOS is implementing a feature that is harming users, you might try and communicate with their community in a cooperative, direct way, rather than this self-destructive crusade GrapheneOS is airing publicly.
I think you and strcat owe everyone here in this thread an apology.
>If you have the ear of strcat, I urge you to to talk to them about this kind of paranoid conspiracy thinking that leads them to directly accuse me (and others in this thread) of being a co-conspirator in a vast plot to undermine GrapheneOS. It's fantastic thinking and it damages the reputation of what is otherwise a gift to the community.
It's not conspiratoral thinking. It's plainly obvious if you go into the CalyxOS Matrix rooms that the leaders often spread misinformation about GrapheneOS or allow it to flourish. They also spread misinformation about CalyxOS to promote it, such as claiming signature spoofing has no security drawback as implemented on CalyxOS.
You don't see other OSes and projects spreading misinformation. Likewise, GrapheneOS doesn't attack LineageOS, /e/, etc. we don't discourage people from using them, except saying that yes, they are insecure, so be aware of that. We don't spread attacks and other projects are free to criticize GrapheneOS for legitimate things.
However, criticizing it for legitimate things is far different from concern trolling in the GrapheneOS rooms, getting banned, and then portraying it in the Calyx rooms as GrapheneOS being toxic, which is a common tactic. You can see this using the Logbot service: just look up "concern troll" in the GrapheneOS rooms, see what comes up, and compare it with the messages around the same time in the Calyx rooms. It's quite evident. Of course, I highly doubt you'll sincerely do that considering you're simply calling us paranoid, but to anyone watching that's what you should do.
>I have been on Hacker News a long time, posting on everything from sex worker rights to Telegram to Emacs. I don't know about your Matrix room, I've never visited it. I have no interest in impersonating anyone save myself.
No one said that you impersonated anyone. The point strcat brought about impersonation was that a person from the Calyx community went and impersonated the Bromite developer, attempting to start conflict between Bromite and GrapheneOS.
>I don't see that anywhere here in this thread. I see a thread that should have been a space for celebrating a cool more-private, more-secure Android project being hijacked because its competitor's lead developer believes themselves to be the target of a conspiracy. A conspiracy that isn't even occurring in the very thread they're engaged in:
CalyxOS isn't particularly secure but that's beside the point. That's not the issue and it's fine to not be security-focused. The issue is that the Calyx community and developers consistently spreads misinformation. Just look at what one of them is doing right now with microG.
>From who? Nobody here is doing this! Especially maliciously.
Says the person calling people paranoid for trying to stop misinformation being spread. You can see what people are doing in this thread whether maliciously or nonmaliciously.
>If you think CalyxOS is implementing a feature that is harming users, you might try and communicate with their community in a cooperative, direct way, rather than this self-destructive crusade GrapheneOS is airing publicly.
And people have, and they get banned from their community.
> The point strcat brought about impersonation was that a person from the Calyx community went and impersonated the Bromite developer, attempting to start conflict between Bromite and GrapheneOS.
The chat logs[0] say different.
I don't see how one person joining a room on Telegram somehow implicates the whole project in some sort of conspiracy to attack / spread misinformation about Bromite or GrapheneOS.
Your comment leaves out the danger of advertising security and privacy when you cripple those things.
All open source projects should be able to take GP's criticism, dev of "competitor" or otherwise — specifically because they're not products — they're public projects.
Both projects should absolutely be encouraged — and steered, if a user knows a better way.
> Your comment leaves out the danger of advertising security and privacy when you cripple those things.
Nobody is doing this. Calyx is taking a measured approach, as they see it, and is making commensurate claims: "CalyxOS is an Android mobile operating system that puts privacy and security into the hands of everyday users." Right on their website.
I am vehemently against absolutisms on security. Where that road goes is straight into a dick measuring contest and it's ugly. You only have to look at Moxie's terrible public behavior to see what the fallout from that approach looks like.
It's a poison in the security industry and it needs to be called out and stopped now. It rewards grown adults for acting like children. It's enough now.
> You only have to look at Moxie's terrible public behavior to see what the fallout from that approach looks like.
Cite Torvalds' absolutism on not breaking userspace, too, while you're at it..
These projects are all forwarding their missions; it's not because they listened to your criticism about being too absolutist on goals they are passionate about.
The "dick measuring" you're seeing is how any niche group quickly scrambles to sift out the "truth". Geopolitics research threads, when airplanes go down mysteriously, new longboard gets released, whatever — the smartest people go back and forth with (at?) each other¹ until some form of consensus is reached, and the "herd immunity" or general knowledge of the community is improved.
¹(sometimes with far less civility than in this case!)
> about being too absolutist on goals they are passionate about.
Not at all what I mean when I say I am vehemently against absolutisms on security. Any claim to superiority on security and subsequent trashing of others is rotten because it's not kind, not compassionate, not conducive to cooperation, the single greatest tool we have as humankind. We don't need more division in this space and we don't need people with a headful of their egos being affirmed for bad human behavior.
There are better ways of being critical of others without being an a**hole in public. That's the thrust of my argument. We'd all do well to hold these people to a better standard of behavior.
It can be plainly see that we were responding to the brigade of attacks from the CalyxOS group involved in spreading misinformation about GrapheneOS across platforms. You're responding to one of them above.
You don't see LineageOS, /e/ or countless other operating systems constantly spreading misinformation about GrapheneOS. It's only CalyxOS. Others are not doing this. I' not sure why you folks can't resist the urge to attack us with false claims any time either OS is mentioned anywhere.
All you've done is expose your paranoia with this (and the other down thread) comment. I'm not affiliated with the vast conspiracy you've concocted in your head.
I'll tell you what though: I see people who think they can throw their clout around (DevOps Engineer from Denmark, hi) every day in my line of work. I make a habit of telling them they better act like adults if they hope to cut it.
Look through my comments history and you'll see I don't take kindly to people like Moxie, like you, thinking you get to push people around because you think you're better. That time is over. You can lord over your tiny fiefdom all you want but the rest of the industry is done taking it.
The future is human cooperation and dignity, not this paranoid, egoic trip you're wrapped up tight in.
I suggest you work together with the broader community and don't fall into useless, divisive attacks on people engaged in the shared enterprise of a more-secure, more-private OS.
> They present it as a firewall app with a fancy name, but it's just a UI for the AOSP firewall and it doesn't really work as they present it.
There is no AOSP Firewall, this is all based on code which originated in LineageOS, and we've been maintaining and extending it since about a year now. We make changes, send patches back upstream (LineageOS), and are talks in that developer.
The bypass is serious, we're looking into it and will have a working patch available shortly. It will work.
We do not muck around with the INTERNET permission and change the android permission model since that has known to crash apps, we did evaluate it before putting effort into this.
The beauty of doing this network side is that apps are unaware and keep working, unlike some apps which crash when you take away their INTERNET permission - that is why we didn't go with that approach.
What use is a toggle if it crashes the app and makes it unsable.
> The fastboot.js library powering it is a project we funded.
Remember the time when you could sudo on macOS with a blank password :)
Apple paid out a lot of free sandwiches on that one [0] Internationalization on that command was a mess though. Defaults were based on OS settings and the flags to override were based on a combination of country & postal code rather than the localized name of the ingredient.
So, if I didn't want the default of an American cheese sandwich on white bread with mayo, I had to research each bread, meats, and cheese lineage to get, for example, provolone using the switches -c IT -r 26100. It got worse if you wanted multiple cheese types.
In the end I just aliased a bunch of options. My favorite was meatloaf w/ swiss cheese... I have no idea where Apple sources their meatloaf for the US region, but I haven't had anything like it since. The cafeteria staff at Apple HQ have stopped taking my calls.
Calyx has more focus on functionality and privacy rather than security. On Graphene, security is always priority #1.
For example: Calyx provides MicroG. This means you can talk to Google Play services, though in a better, more privacy-conscious way. MicroG is an open implentation of Google Play Services.
However, MicroG requires signature spoofing: You need to install a fake Google certificate so that it can trick official apps into thinking they're talking to Google Play Services directly. This could technically be abused, though Calyx takes lots of precautions to prevent that. GrapheneOS with their security-first approach don't deem this worth the risk. So with apps requiring play services you don't get push messages and network-based location checks, among others.
So, do you want an allround phone to use everyday (and use things like Uber, Facebook, etc) but more private and secure than AOSP, take Calyx. Do you want security over everything and are willing to compromise a bit on functionality and app compatibility (some apps will refuse to run without google play), pick Graphene.
I made it a privileged permission because that's a standard Android thing to gate things (such as reading of IMEI) - My thought process being that if you somehow managed to get around privileged permissions, we have much bigger problems than signature spoofing.
Yeah I agree, it's a good compromise and I definitely use MicroG despite that (though not on Calyx but Lineage for MicroG, as I don't have a Pixel phone). I think the Calyx precautions are more than adequate. And better than Lineage's.
I just wanted to highlight the difference in focus, GrapheneOS will always pick the security side when a compromise needs to be made. Another example is the "We don't lie about security features" stance about SafetyNet. Even though a GrapheneOS phone is arguably more secure than a random manufacturer-modified Android rom. I agree that signature spoofing has an unnecessarily bad name. Probably because some mainstream roms like Lineage eschewing it. Personally I think it's a great tradeoff between privacy and functionality.
This is the trade off that I hate having to make, and I'm glad to see something like Calyx here.
I want a phone that respects my privacy and is secure, but I also want to use apps like Google Photos (my favorite app that I use more than anything, aside from Firefox), Lyft, Netflix, Slack, banking apps, airline apps, and, critically, Google Pay.
I get that using many of those apps might increase my exposure to tracking and privacy leaks, but I just want an OS behind them that I know I can trust in isolation, and that may have measures in place that at least try to mitigate some of the worst privacy abuses from the apps. (And if it can't always succeed at that, that's fine, I'll live.)
Meanwhile, my only real choices are stock Android, which I know I can't trust to protect my privacy (since Google's business model depends on that), and iOS, which will treat me like a child and not let me do what I want with my phone unless Apple approves. (I'm also really concerned about the privacy implications of Apple's plan to do client-side scanning for CSAM material, assuming that's true.)
So I just don't feel like there's anything out there right now that will let me run the apps I want, that is built in top of an OS that I feel I can trust. Calyx seems to be one of the few I've seen that looks like they're actually trying to be that.
I feel similarly. However I could probably drop Netflix, Slack (at a push), Google pay (painful) if I could find a replacement for Google photos, it's been too valuable in recording my life memories. The Apple CSAM story gave me a kick to think I don't want to be sending photos in the plain to Google either.
Alternatives seem to be Owncloud and Nextcloud, which have hosted options. I don't really want to self host but nice to have the option. Does anyone have experience with their android apps for photo storage as compared to Google photos? In particular autobackup and image scaling/compression would be nice.
I use ProtonMail and have started fiddling with their new calendar offering, I was half hoping they might have some encrypted storage service in the offing...
Note that the GrapheneOS developer has indicated they are working on getting the Google Play Services apps to run sandboxed like normal apps, without extensive system permissions. This could be quite promising.
Oh wow, this is actually amazing. I'm really impressed with the work the GrapheneOS folks are doing. Ah, damn, it looks like they've dropped support for the Pixel 2. I have a Pixel 4 as my daily driver, but I'd prefer to try it first on a phone I don't use all the time. Ah well. Perhaps the 4 will still be supported whenever I get my next phone :)
You can still download the Pixel 2 images via getting the version from https://releases.grapheneos.org/walleye-testing if you really want to use it. There may be a final extended support release, but it's very insecure at this point and we won't be making those extended support releases for much longer.
At some point, the new hardware has been changed for good reason — exploits have been discovered!
Upgrading to a new-to-you few-hundred dollars Pixel every 2-4 few years isn't anywhere close to the expense of a new $600-$900 phone every 1-3yrs, the way people used to (and the way iPhone users still seem to).
I agree, this is my stance as well,. Though I don't think Calyx tries to limit tracking on installed apps. I would recommend using something like TrackerControl to limit those.
TrackerControl doesn't encrypt your DNS queries, though. You'd need to proxy DNS requests to another app like http://github.com/ch4t4r/Nebulo which supports DoT / DoH3 / DoH for that.
(disclosure: I co-develop a FOSS TrackerControl alternative)
TrackerControl has a tad better UX; is built on top of the super-stable NetGuard and hence inherits its flaws and merits.
For instance, it does not support DoH/DoT/DNSCrypt.
It also leaks DNS connections over TCP (this happens when a DNS question or answer payload is too big to fit in a single UDP packet). In fact, all userspace DNS clients on Android I have taken a look at, leak DNS queries over TCP.
TrackerControl does not trap all packets over port 53, which RethinkDNS does by default.
TrackerControl isn't geared towards bypassing censorship. RethinkDNS can bypass stateless firewalls employing a similar trick to GreenTunnel, and we plan to implement a couple more such mitigations.
Unimplemented but soon, RethinkDNS would let users block connections if apps don't resolve DNS with a resolver of their choosing.
There's three of us working on RethinkDNS full-time, so it is likely to see feature development at a faster clip than TrackerControl and NetGuard (the latter's been put under maintanence mode by its original developer).
> Calyx has more focus on functionality and privacy rather than security.
That's not true. GrapheneOS is heavily focused on privacy and offers much better privacy than CalyxOS. See https://grapheneos.org/features for the privacy and security features offered beyond AOSP. Unlike CalyxOS, we aren't listing AOSP features as our own.
CalyxOS has a leaky firewall which apps can bypass and a leaky VPN tethering implementation. GrapheneOS has a Network toggle without those leaks and prefers the approach of fine-grained VPNs rather than using the same tunnel for everything. We want real per-profile VPNs rather than making more devices use the same VPN, especially in a leaky way.
> For example: Calyx provides MicroG. This means you can talk to Google Play services, though in a better, more privacy-conscious way. MicroG is an open implentation of Google Play Services.
GrapheneOS has https://grapheneos.org/usage#sandboxed-play-services which is able to provide much better app compatibility, far more functionality and without the privacy/security sacrifices of microG. microG lacks the same security checks and key pinning of Play. It doesn't avoid trusting Play because the apps using Play are using the Play client libraries. microG is an additional trusted party.
> This could technically be abused, though Calyx takes lots of precautions to prevent that.
They simply limit it to microG and the Play services signature, which was our suggestion. That isn't taking a lot of precautions. It is abused because apps are tricked into giving their data to an app without the same security model/checks and key pinning (microG) is
> GrapheneOS with their security-first approach don't deem this worth the risk.
> So with apps requiring play services you don't get push messages and network-based location checks, among others.
Push works fine with many apps without Play. GrapheneOS has support for using Play in a sandbox.
> So, do you want an allround phone to use everyday (and use things like Uber, Facebook, etc) but more private and secure than AOSP, take Calyx.
Those apps work fine on GrapheneOS. CalyxOS isn't more private and more secure than AOSP. CalyxOS includes a lot more proprietary services (Google, WhatsApp, etc.) than AOSP. For the most part, they're making changes which quite easily hurt privacy and security.
> Do you want security over everything and are willing to compromise a bit on functionality and app compatibility (some apps will refuse to run without google play), pick Graphene.
This is a highly inaccurate portrayal of what GrapheneOS provides and the decision making process. GrapheneOS values privacy and usability very highly. It balances those with security.
What really defines GrapheneOS is that we aim to implement things in a proper way that cannot be bypassed by adversaries. A privacy feature that's simply worked around is not much of a privacy feature.
While I really appreciate your work on GrapheneOS (and I will be checking out the sandboxed Google Play Services feature), I don't think it's very good form to heavily promote your OS in a discussion about a different OS, especially in such an adversarial way. There's room in the FOSS space for both GrapheneOS and CalyxOS.
Please look at the comments being replied to from that user in this thread. They're spreading misinformation about GrapheneOS in order to promote CalyxOS. This isn't something isolated but rather than community is highly hostile towards our project and has been heavily involved in harassment of our developers, raids on our community and coordinated spreading of misinformation. Every time GrapheneOS or CalyxOS is mentioned, the CalyxOS community and project are there pretending GrapheneOS doesn't care about privacy and functionality/usability. We're only responding to the comments where this is being done. We didn't jump into this thread but rather they're choosing to attack us and bring us into it.
This looks like a messy dispute, so I'm not going to step in. The FOSS community is outnumbered by those who prefer closed source software, and it's a shame to see infighting between two projects that, despite their differences, both counter the Google/Apple duopoly on mobile device platforms. I hope the GrapheneOS and CalyxOS communities can find a way to reconcile.
> has been heavily involved in harassment of our developers, raids on our community and coordinated spreading of misinformation
I'd be interested to see how you draw this conclusion. I have been in the CalyxOS rooms for quite a long time and have never seen anything of the sort. In fact, when GrapheneOS is mentioned, users are told to change the topic.
People can see for themselves the misinformation being regularly spread about GrapheneOS by the CalyxOS community whenever either CalyxOS or GrapheneOS is brought up. The raids on our channels are a well known fact and those people are openly welcomed in the CalyxOS rooms, even those who have publicly told me to kill myself on multiple occasions. Nick himself has been heavily involved in this behavior. I don't think someone who is involved in the community perpetrating these attacks is a good source on what has been happening. He justifies his support for these people by saying they have an open channel with free speech.
> In fact, when GrapheneOS is mentioned, users are told to change the topic.
Yes, people get banned when they defend GrapheneOS from attacks. Nothing is done when they spread misinformation about it as long as they don't do it too blatantly. Action is quickly taken if someone there tries to counter it.
> The raids on our channels are a well known fact and those people are openly welcomed in the CalyxOS rooms
You've said this a number of times, but you've yet to provide any material evidence this has taken place.
From what I've seen as an impartial bystander, the CalyxOS community doesn't want anything to do with you or your (frankly hostile) community.
I've taken the liberty of doing a little digging and asking around, and it looks like you've even tied in CalyxOS to the recent Bromite impersonation incident. Judging by the chat log you shared on GitHub, it looks like the user was told to change the topic.
I really don't think it's appropriate to be downgrading and "attacking" (as you so vehemently protest) open-source projects like CalyxOS with similar goals. It's a shame such hostility is taking place, when both Calyx and Graphene are doing excellent work in the privacy sector.
I specifically avoided commenting on the comparison threads solely to not have to see this. You will not find me doing that anywhere, anytime (unless perhaps when we were on good terms)
I've done that all this time, the only time I comment on something is when somebody asks us to integrate it into CalyxOS, and that's only within our context.
You're the one here who're responding in a hostile manner, and doing exactly what you're accusing us of. Please stop.
Sorry if I misunderstood some of the differences, but I was trying to simplify it and trying to be helpful by explaining what I read about both.
I'm not trying to promote either, and I don't use either as I don't have any pixel phones. However I thought of buying one and as such I looked into the differences.
I didn't realise you now had sandboxed play services, but to be honest I would trust MicroG a lot more than Google, even if it's sandboxed :) The only way I'd want to interact with Firebase is for push notifications, I prefer MicroG's way of handling location by the way, with its location plugins pointing to really open sources. Play Services are still closed-source google components that I don't want on my phone.
I was not saying that you don't care about privacy. I just wanted to express that I generally see GrapheneOS pick the security side over privacy if there is a choice to be made between both (and only then). And with privacy I mainly mean big data tracking from the likes of Google.
I didn't mean to attack you at all. I have no side in this conflict and I'm sorry you feel that way. See also how I said in my original post that GrapheneOS has security as Priority #1. How is that a bad thing??
If you look at my other posts you will see I praised you for promoting security features that were incorporated into AOSP after you had initially developed them. I was just trying to present the situation as I understood it. I didn't realise it was so adversarial.
I'm sure you didn't do it intentionally, it's just that what you said is a common piece of misinformation spread about GrapheneOS. It's understandable that you'd think that given how much it's repeated and considering that many people got duped too.
>I would trust MicroG a lot more than Google, even if it's sandboxed :)
This is the reason that GrapheneOS sandboxes it. You can disable permissions however you'd like, nothing stops you. You don't want it to send certain data? Then don't give it that permission. Disabling INTERNET will prevent it from sending anything (it's used to privilege, so it likely won't use another app to bypass, but you can use a different profile anyway).
>Play Services are still closed-source google components that I don't want on my phone.
microG is just a reimplementation (a partial one) of Play Services. The privacy benefits are negligible.
>I just wanted to express that I generally see GrapheneOS pick the security side over privacy if there is a choice to be made between both (and only then). And with privacy I mainly mean big data tracking from the likes of Google.
I'm guessing you're referring mainly to microG.
Privacy is not just not sending data. It's far more than that. It needs to be able to blend in with others, and needs a certain decent level of security to avoid simply bypassing privacy features through vulnerabilities.
microG doesn't protect data in transit even close to the way Play Services does. How do you expect to have privacy when apps can simply intercept microG data?
Signature spoofing as microG needs, ruins the security model. It bypasses signature checks by apps. Even in CalyxOS's slightly less bad implementation, vulnerabilities in microG can be used to break out of the sandbox. How do you expect to build a security model on this? Vulnerabilities in microG are very likely, considering how the project disregards security.
How do you expect privacy with such little security? You'll not have any privacy if an app can bypass your privacy features.
It also only reimplements a portion of the APIs and breaks when apps need new ones. How is it supposed to keep up with the APIs anyway? It's tens of thousands of lines of code. It's certainly not a viable option.
Using Play Services as a sandboxed app, on the other hand, avoids this. It doesn't require the microG patch which erodes security, it protects data in transit, and it actually gets the majority of APIs and functionality working. The only functionality that doesn't work is SafetyNet attestation and functionality which depends on privilege. SafetyNet enforces using the stock OS, so you'll never get it with microG. Privileged functionality would need invasive OS integration.
It's clearly a much better solution that preserves the security model. It does it right.
GrapheneOS also optionally blends in with stock Android users. This isn't a bad thing and increases privacy. Connections made are just things like connectivity checks, nothing special.
Besides, CalyxOS isn't particularly good for this either. Their Netguard firewall that they bundle doesn't implement it properly and apps can still bypass it. They aggressively integrate Google services, and have Facebook integration as well.
Correction: because of CalyxOS' implementation of microG, signature spoofing can't easily be used to break out of the sandbox. Sorry to those whom I inadvertently misled. The fact remains that microG is still an insecure implementation that doesn't implement proper security or transit protection and disregards security.
> There's room in the FOSS space for both GrapheneOS and CalyxOS.
I doubt strcat disagrees with that. He's responding to specific statements comparing GrapheneOS and CalyxOS. I don't think we would have seen those comments if nobody had mentioned GrapheneOS.
> CalyxOS has a leaky firewall which apps can bypass and a leaky VPN tethering implementation.
We're working on fixing the one bypass. I don't know what you mean by leaky VPN tethering implementation.
We have a patch (from LineageOS) that allows tethered devices to connect over the VPN. By default in AOSP a tethered device ignores the VPN.
Wouldn't this be the opposite of leaky? It prevents leaks, especially when you have always-on VPN enabled.
> GrapheneOS has a Network toggle without those leaks and prefers the approach of fine-grained VPNs rather than using the same tunnel for everything.
We evaluated the network toggle and found it to cause crashes in apps when the permission got taken away from them unexpectedly, which is why we've gone with the solely network-level implementation.
We also do not have anything that'd make you think 'use the same tunnel for everything'. Multiple users work just fine, and in fact we now have a built-in work profile feature which lets you run another VPN in that (since that's how Android works) out of the box.
> CalyxOS includes a lot more proprietary services (Google, WhatsApp, etc.)
We do not include any proprietary services. We have microG which is open source, and the WhatsApp integration is done in open source code in the Dialer, it does not rely on anything proprietary.
In fact, you're the one who's brought up your play services approach which involves running the proprietary binary. Don't you see the irony?
Like I said in my post below I didn't mean to attack you. I don't even use either Calyx nor GrapheneOS.
> That's not true. GrapheneOS is heavily focused on privacy and offers much better privacy than CalyxOS. See https://grapheneos.org/features for the privacy and security features offered beyond AOSP. Unlike CalyxOS, we aren't listing AOSP features as our own.
I simply wanted to explain that you will always pick the security side if a balance has to be made between security and privacy. I don't mean this as a bad thing. It's a good point and a good differentiator between both IMO.
> GrapheneOS has https://grapheneos.org/usage#sandboxed-play-services which is able to provide much better app compatibility, far more functionality and without the privacy/security sacrifices of microG. microG lacks the same security checks and key pinning of Play. It doesn't avoid trusting Play because the apps using Play are using the Play client libraries. microG is an additional trusted party.
I don't agree with this. I would not want any google play stuff on my phone, sandboxed or not.
> Those apps work fine on GrapheneOS. CalyxOS isn't more private and more secure than AOSP. CalyxOS includes a lot more proprietary services (Google, WhatsApp, etc.) than AOSP. For the most part, they're making changes which quite easily hurt privacy and security.
Does Calyx really include WhatsApp out of the box? That would indeed be a very negative point for me. As I mentioned I haven't used either.
> This is a highly inaccurate portrayal of what GrapheneOS provides and the decision making process. GrapheneOS values privacy and usability very highly. It balances those with security.
As far as I understand your website you do always pick security if a tradeoff has to be made. I don't think this is a bad thing. I think it's a good option. It's just not the choice I would make but it's nevertheless a good stance for those who care about security the most.
Anyway like I said in my other post I'm sorry you view my post as an attack. If you look at my other posts you will see I praised you for promoting security features that were incorporated into AOSP after you had initially developed them.
> Does Calyx really include WhatsApp out of the box? That would indeed be a very negative point for me. As I mentioned I haven't used either.
We do not, we would never ship a proprietary app like that.
What we have is a small patch to the open source Dialer / Phone application that lets you make WhatsApp calls directly.
It only shows WhatsApp as an option if you have it installed already, if you don't you won't see it, we don't want to promote using proprietary services.
This was done after a lot of back and forth with our UX team.
GrapheneOS has the substantial privacy and security features documented at https://grapheneos.org/features. This is a list of differences from AOSP. We've landed assorted privacy/security upstream in AOSP and AOSP upstream projects like the Linux kernel. Those features are NOT listed on that page, because they aren't differences from AOSP anymore. We're confident enough in our ability to implement substantial improvements that we can land features upstream.
GrapheneOS has an easy to use web installer: https://grapheneos.org/install/web which is based on the fastboot.js library created with our funding.
We also now has a sandboxed Play services compatibility layer implementing a no compromises approach to providing app compatibility:
This will provide much more functionality than microG with better security and without sacrificing privacy by not giving Play any additional access than it has via the client libraries used by apps. It runs as a normal, sandboxed app and we provide fallback code for it to work that way. We return placeholder values for most of the privileged APIs and implement certain APIs like dynamite modules in an unprivileged way.
No need to bypass security checks in apps as has to be done to make microG work. That's a problem because microG doesn't uphold the same security model and checks as Play services. For example, it's not pinning component and server keys for important cases.
GrapheneOS currently has a much more barebones fresh install, but it's easier to install due to the web installer. The barebones installer is by design. We don't bundle proprietary services. We also don't bundle 3rd party apps and services unnecessarily rather than leaving it up to the user. We'll be providing a first party app repository with modern metadata signing, key rotation, delta update, stable/beta release channels, etc. within the next few months to make it easy for users to install an initial set of apps. High standards will be applied to the apps we choose to build for our repository.
Play Store requires API 29+ at the moment and that will be required to use the much safer unattended upgrade approach in Android 12 as opposed to the risky approach used by the Play Store, Aurora Store and F-Droid. We'll likely require API 30+ though.
F-Droid itself if API 25 (Android 7.1). The API level is the privacy/security level of an app. API 28 introduces a much stronger SELinux sandbox with per-app SELinux MLS domains protecting the app from others and other apps from it. There are many other improvements, with each API level making things better. For apps not distributed via the Play Store, this is a simple health check to see how much an app prioritizes privacy and security compared to simply getting it working.
I trust people with money as their motive about as much as I'd trust a serious alcoholic to hold on to a bottle of booze for me without taking a sip. Might not be a popular opinion but it is my 2 cents to spend.
Could a someone at an open source project slip in an obfuscated backdoor in some esoteric area of the OS? Of course. But the risks of being found out are so much higher, after the fact that all changes at an open source project are logged, diffed, and public (normally), even if only 10% of the userbase looks at the code, runs packet capture or an SSL bump on the network traffic, etc, that is 10% more than for products by Microsoft, Apple, Google, and unlike an insider with access who discovers something highly questionable at a massively powerful corporation, an open source project has almost no leverage to compel them to keep their mouth shut, meanwhile the risk for developers of an open source project that does something like that (even if they aren't in the know) is total loss of trust, forever.
Couple all of that with targeting a highly technical audience (drug kingpins looking for secure comms are more c-suite than engineers, they are still caught up on a good sales pitch more than hard technical details e.g. Anom ) and you'd be fairly stupid to try to pull the wool over their eyes and expect it to not eventually get discovered.
... But they are also heavily incentivized to know where your booze is, care for your booze, and make sure it doesn't get stolen or poisoned. Because if something happens to you, where are they going to get the sip?
> ... But they are also heavily incentivized to know where your booze is, care for your booze, and make sure it doesn't get stolen or poisoned. Because if something happens to you, where are they going to get the sip?
Where else are customers going to go? All phones in stores right now run OSes from either Apple or Google. Both companies can forsake their customers' trust and people will still buy phones that run their software.
That incentive doesn't really exist in a market that's ruled by a two company mobile operating system cartel.
This is why I see projects like postmarketOS, Mobian and Debian Mobile as having a lot more potential. Let's be clear about this, these projects are not practically usable right now in a "daily driver" sense, even compared to a simple AOSP-based custom ROM. But they have the right goal in place - sharing a single, unified code base across our mainstream and mobile OS's.
IMO the free software group at least is auditable.
I wish Replicant was able to catch up. Having blobs at the baseband is awful, but having the baseband accessing all RAM is just game over for privacy. There isn't what to trust in that setting.
Anyone who has managed a product security program will tell you that's it's impossible for small groups to keep up with the complexity and attack surface of products like android.
From a consumer perspective, going with A and trusting the company is by far the safest option.
Meh. Given the option of a secure but adversarial OS and less secure but open one, I will always pick the latter. Then at least there is a fighting chance my data stays mine.
You're missing the other 'halves' of the problem. Insecurity is a business and it's not profitable for companies like NSO to make their "solutions" compatible with non-mainstream devices.
Sorry to be a pedantic but: Two People created CopperheadOS, one of them now works on GrapheneOS. The security mitigations developed for those were incorporated upstream into Android, decreasing the attack surface.
> Two People created CopperheadOS, one of them now works on GrapheneOS.
No, that's not true. GrapheneOS is the continuation of the project by the original development team. There aren't any developers who stuck with Copperhead. The project was created 1 year before Copperhead existed as a company.
> The security mitigations developed for those were incorporated upstream into Android, decreasing the attack surface.
https://grapheneos.org/features is a list of the current features differentiating it from AOSP. It doesn't list the many things we've gotten into upstream projects, since they aren't differences anymore.
See grapheneos.org/history/copperheados and verify it for yourself using Github graphs and other resources.
A better description would be "One person handled development of the project and other person CEO'd the sponsor company. The CEO attempted to hijack the project and the developer eventually resumed the project under the name GrapheneOS."
I can appreciate that but option A actors are now in full dictator mode with respect to how they are willing to breach privacy and monetize their users.
May i suggest to you to check out what the (strange name i know) /e/ foundation is doing? Not a trillion dollar company by any means but still worth taking a look at IMHO. Builds on LineageOs MicroG, Google free. You can even buy phones from them with the OS preinstalled, Fairphones, refurbished older Samsung Galaxy S and a GigaSet are offered. A good site (once Show HN) to find phones supported by this and other ROMs is https://sustaphones.com
I don't use Calyx to protect myself from state surveillance. I assume state actors can easily access anything and everything I do on internet connected devices. I use Calyx to protect myself from Google collecting data on me, profiling me, and turning me into a sheep on their attention economy farm.
I know people who made it to the final rounds of interviews at Calyx. They are the real deal. I don't think much of anything could get them to compromise their values about privacy [0].
Might they miss something because they're a smaller team? Yeah, maybe. Will they sell out? I don't think so.
A. While it is hard to say something about A having thousands of developers (just having more eyes on everything they're doing), it's not infallible, nor does it strictly mean they want to 'avoid their brand being dirtied'
you cannot be certain, but at least the code has the chance to be publicly scrutinized. This is not the case at all with google binaries, so you have a net, objective gain.
Custom verified boot needs to be supported in hardware. But with most devices, you can use "fastboot boot" from an external device to start from an image that you trust.
Indeed, but in return it only supports pixel phones, sadly (considering they're not great value for money for custom rom purposes, and most of their added value is lost when running a custom rom)
Well, Google packages the pixel phones with their latest OS updates and pixel specific features like Gcam. By running a custom ROM you lose those. Its cameras mainly perform so well because of the big AI farms at Google.
There was a time I would have gone with B), but I've been burned by too many "companies" with almost nothing to lose suddenly becoming malware or some other exploitive.
This new wave of privacy branding, without 3P verification, open sourcing, or even means of recourse seems to be the new frontier for these used car salesman "trust me, it's private" pitches.
> Should I trust: A. The company which has thousands of developers working on it and wants to avoid their brand being dirtied by failures in security and privacy.
If you're hoping market forces would keep companies competitive and secure, well, people don't have much of a choice when it comes to mobile operating systems. Free market dynamics that should correct this problem don't really come into play when a two company cartel has 99.7% of the mobile operating system market nearly split in half between them.
> A. The company which has thousands of developers working on it and wants to avoid their brand being dirtied by failures in security and privacy.
They don’t seem to be too much concerned about failures in security and privacy… Their entire business is based on dismantling of privacy, why should they be trusted more than companies that have alternative business models?
To say that trillion dollar companies are less likely to fail at security/privacy because all their decisions take into consideration the hypothesis of reputation damage seems simplistic. They also have the money to pay for damage control.
> The thing which always makes me hesitant about these projects is that they don't receive frequent security audits and not having an expensive brand behind them makes them more at risk
Why are you looking for alternatives ? or are you even
That attitude will lead to you being a slave for Apple or Microsoft or Google for your entire life. They won't change their ways. You won't have privacy there.
> The thing which always makes me hesitant about these projects is that they don't receive frequent security audits and not having an expensive brand behind them makes them more at risk to being willing to trash their name at the cost of my privacy and security. I consider these to be a fairly critical part of any project which claims superior privacy and security.
Lets keep using known flawed alternatives instead?
I’m thinking about buying a degoogled Android phone to replace my iPhone. The main things I want are:
* Spotify needs to work over Bluetooth in my car
* WhatsApp needs to work (preferably with push notifications)
* I need the Fitbit app to work so my watch can show push notifications from my personal apps
* a network-based location provider to be consumed by my personal apps (I’m working on a personal data and automation suite that relies on frequent smartphone location updates)
Is this something that can be done with CalyxOS on a Pixel? Can other Android flavours like GrapheneOS or LineageOS do this?
And aside from Android, how far along are other “mobile linux” smartphones for use as a daily driver with regards to the above points?
> Can other Android flavours like GrapheneOS or LineageOS do this?
There's a separate question you're missing: what your Google Services situation is
Distros like Lineage come without Google Services; if you want them, you install them yourself
"gapps" is the official one. It's straight Google everything. Lineage OS + gapps will give you a very clean and nice Android experience if you don't care about Google collecting your data.
If you do care about that, you have two options:
1) go without Services entirely (most apps will have problems; if you're lucky they just won't send push notifications or be able to use your location, if you're unlucky they will be flat out broken or crash)
2) use microG, which is an unofficial non-Google replacement masquerading to the rest of the system as Google Services. I've heard mixed things about how well it works, but that appears to be what CalyxOS comes with. You can install it on Lineage, but I don't know what extra hoops may have to be jumped through. Note that it's also walking a fine line with Google and I could see them intentionally breaking it at any time down the road. Depend on it at your own risk.
I care about privacy and I would not buy a degoogled Android phone today. I switched to iPhone a few years ago after roughing it without Google Services for a year and a half. It was fairly awful.
I once had to return some headphones because the app that went with them simply wouldn't work.
I had to use a combination of the Google Maps web app and OSMAnd (which was just atrocious) for navigation, which basically meant I didn't really have navigation.
Slack wouldn't send me push notifications.
I couldn't use my banking app.
Even Signal struggled to run in the background/send me notifications.
It was basically back to the iPhone 1 days where your phone could text, call, web browse, take pictures and play (local) music. Though even the iPhone 1 had a functioning Maps app.
If I can't use my banking apps, Lyft, Google Pay, Photos, Maps, etc. with a particular mobile OS (with all features working), then it's unfortunately not for me.
It seems like most of the Android alternatives throw the baby out with the bathwater. I get that making a trusted OS based on Android is hard, especially with Google having moved so much core functionality into Play Services, but the value I get out of my phone is mostly from mainstream apps, using mainstream features (like push notifications and location services). If those don't work, to me it's not really a useful device.
I get that a lot of these apps aren't particularly privacy-oriented, but to me, my main concern is that there are a lot of Google-owned core components to the OS and userland that actively subvert my privacy. I'd really like to think there's some middle ground on Android where I can trust the OS and userspace core, and still run the apps I usually run.
GP seems to be describing a flavor of Android that does not have microG or Google Play Services.
CalyxOS has microG, and I have no problems getting timely notifications on Signal or Slack, nor do I have any issues using Lyft, Google Maps, Google Photos, or any of my banking apps on CalyxOS (or LineageOS for microG). The only exception on your list is Google Pay, which I don't use because it is extremely privacy-invasive (gives Google all of your transaction data). In my opinion, CalyxOS is a very practical OS that balances convenience with privacy.
> If I can't use my banking apps, Lyft, Google Pay, Photos, Maps, etc. with a particular mobile OS (with all features working), then it's unfortunately not for me.
These are proprietary apps, so it's a bit unrealistic to expect that they would support a free OS.
I'm not asking for official support from the app developer, just knowledge that they "happen to" work on an alternative Android-based OS. Which they should, if all the APIs they depend on are there (including the Play Services ones, via microG or whatever). If they specifically look for "non-blessed" Android variants and deliberately fail to work, that's a shame, but if it's an app I need, that rules out that OS for me, unfortunately. That's just the reality of the situation.
True. Mine run over bluetooth just fine. The app enables configuration, checking for firmware updates and a hearing test which creates a custom equalizer setting to counteract individual deficiencies.
X >will give you a very clean and nice Android experience if you don't care about Google collecting your data.
I must be confused here, but isn't the whole point of installing any OS besides Android on an Android device preventing google from collecting your data? Why else would anyone deal with a non-standard OS?
Not sure why nobody was is here's comment is greyed, but yep I'm in the same boat - LineageOS works fine and am using Spotify and Audible without any issues. There are some apps that haven't worked, buy I'm fine with that.
heres what i do and it works great: use the regular google build of android BUT on a fresh install, disable all google apps sans chrome, use it to install fdroid, then uninstall that, from there use TrackerControl to prevent google and others from phoning home, use the aurora store for apps, use organicmaps for maps, signal for sms florisboard for keyboard, etc. you'll have a google-free experience which you can exit for 10 minute periods using the button on the trackercontrol dialog, and things like google pay and notifications will still perform quite well. I've been using this for a year and loving it
I would also like to hear more on this, a quick look at TrackerControl's readme tells me it mainly functions as a blocklist. Which (I would think) the moment you turn off tracker control to use google maps (or whatever play services app you wanted to use for a moment), said app will send a flood of queued location data that it has been collecting in the background if allowed.
I suppose that setup could work if the user is disciplined about not letting apps that use play services run at all when not in active use, but at that point I don't see the advantage to using tracker control at all.
> the moment you turn off tracker control to use google maps...
No, it works per app. I'm also a TC user, it's quite great. Per app you tell it whether it should allow talking to various motherships. You can toggle on broad categories (for a given app) or also more fine-grained. It also logs which services applications tried to contact, so I can see that Spotify that I pay for is trying to send god knows what to Facebook (and that TC blocks it).
It takes a bit of setup because a ton of apps talk to a ton of centralized services (Aurora store and Newpipe obviously need to talk to Google, for example), but after that I'm a lot less bothered by apps including the Facebook sdk or something because it'll be stopped anyhow.
I'm waiting for the day that apps/websites stop telling your phone/browser to rat on you and they start doing it server-side. Lot less gdpr trouble because nobody can check what you're doing and goodbye blocklists. But so far it seems things don't yet work that way.
Played with TC for an hour or so this evening, and what I stated above (possibly poorly) still stands.
I chose google maps in particular, because it is an application that requires telemetry data to function; but it is reasonable for an individual to not want to be tracked when not using google maps.
If I block infinitedata-pa.gogleapis.com, maps will not function, but google maps will continue to collect telemetry data on my phone if it is running and has permissions. It will save that collected data until a user unblocks essential monitoring in order to use maps (Unless the user clears cache/data, or uninstalls maps, before unblocking).
That is the case I am pointing out, tc is a stopgap (and a welcome/useful one) but it does _not_ provide users a way to prevent _collecting_ of telemetry data to be sent off the device. It just delays the sending until the applications use is more valuable than the users privacy.
Edit: Things that could help with that:
1. Physical kill switches for radios (I know, that's not going to happen from any major arm cpu maker, the SOC is integrated, but it's the most practical solution.).
2. Granular permissions settings for androids network location provider. As an example, A permission that if app is running in the background send spoofed location data back (Once again, it's not that simple telemetry data is coming from many sources, I'm just listing what solves the problem.).
Pixel 6 is right around the corner, however it'll take a few months for us to get it all going (getting the phone, porting Android 12, making changes for Pixel 6)
I have been using LineageOS on Xperia XZ2 Compact for about a year with a smaller bundle of official Google Play Services.
Almost everything works fine! Some apps didn't like it or detected root but Magisk + MagiskHide helped to hide root for those specific apps. Even Google Pay works with basic SafeNet attestation - that required "MagiskHide Props Config" Magisk extension and selecting a proper fingerprint.
The only problem encountered was that I couldn't connect PS4 controller and use it as an input device. Probably a driver issue related to bluetooth but other bluetooth devices I use work normally.
Optional F-Droid privileged extension makes F-Droid able to install F-droid app updates automatically like Play Store does.
For you first two questions: Spotify will work with Bluetooth, and WhatsApp will have eventual notifications (real-time if the app was recently opened, up to seven hours later otherwise, at least on my device)
Sure, "a bit", but I don't think a phone that is entirely broken except for a few open source apps that don't do useful day-to-day things (like order me a Lyft, let me do my banking, pay for stuff at a cash register, navigation, etc.) is all that useful.
My ideal would be to have a base OS and core standard library that I can trust, and then I get to choose what apps I run on top of that. Sometimes I will choose to install an app that doesn't have a great privacy track record, but I will rely on apps like TrackerControl, Blokada, and Bouncer to mitigate my exposure somewhat. It won't be perfect, but we don't live in a perfect world where there are feature-identical, privacy-respecting clones of the mainstream apps. Until that time, I can decide what are acceptable risks to my privacy.
Unfortunately, I don't have that choice right now: either I live with the privacy minefield that is Android (as I do, and try to mitigate privacy leaks as well as possible), or the nanny state that is iOS (which I -- for now -- consider the greater evil).
Is there a specific reason for this? Does the Fitbit app rely on Play Services?
I don’t care too much for on wrist calls or anything like that. I just want to use the Fitbit app to sync stats and mostly display notifications from WhatsApp and my personal apps.
I should have know that. Now I understand what you meant in your first comment.
As long as the app doesn’t rely on Play Services it shouldn’t be a problem. By “degoogled” phone I mostly mean taking Google out of the critical (privileged) path in the OS for software and app updates.
> Why not use open protocols like DeltaChat, Matrix or XMPP instead?
Because Signal and WhatsApp are text/messanger replacements and Matrix is a slack/discord replacement? I'm not sure why there's the constant Signal vs Matrix battle here on HN, I see them as different tools doing different things. I'm not going to create or get all my friends to join a server with Matrix. Or even coworkers or random acquaintances I meet. But I can get their phone number and quickly communicate with them on Signal/WA. I don't see why Signal and Matrix have to be in competition. Just the same way I don't see Slack/Discord in competition with Text Messaging or FB Messenger.
I don't see why they would complement themselves, and especially why you put Matrix into the slack/discord corner: Matrix is a protocol that is not designed to a specific use case.
Calyx VPN uses the same tech stack as Riseup VPN, which are branded versions of the Bitmask client - CalyxOS is a part of the Calyx Institute family. You can instead use the Bitmask client from the F-Droid repo and choose to connect to either service with the same app (rather than using branded apps for each service).
Curious, does anyone know what's their business model to monetizing the "free" VPN service? How do they make their money back or is it a donation kind of thing?
The tech stack matters far less than the trustworthiness and competence of the operators running it. And the hard part with VPN services is that it is very difficult to prove those things to others.
> Why not use open protocols like DeltaChat, Matrix or XMPP instead?
I can give you an answer for Matrix and it's usability. It's difficult to onboard users, at least it was ~a year ago. I wouldn't want to expose my non-tech friends to that.
Calyx made an effort to sponsor and integrate the backup tool Seedvault (https://calyxinstitute.org/projects/seedvault-encrypted-back...) into their ROM - and other AOSP distributions benefit from this effort. Handhelds are tethered devices, its essential to have contacts and precious photos stored at a second place (online or offline) and easily restored or used when changing devices. A user friendly full backup solution not requiring root access of some sort was missing to date.
Does Seed Vault backup the whole device? Last time I used it, I found out that apps can opt-out of being backed up, along with their settings. In other words, every app i installed didnt get backed up :(
As if an app should have any say about if it can be backupped or not. 'Muhh security model'. If your security model includes letting apps randomly deprives me as a user of backups of my own phone , it's just another creepy google-bigbrother-wannabe.
https://github.com/seedvault-app/seedvault/issues/165 this is the issue, and it seems they are working on it. Good. What I didn't understand is why one would need to fake some Device2Device transfer, when one could just as well patch the root cause. It's open source after all.
As someone who knows quite little about Android (currently in the Apple ecosystem, but considering jumping ship): When you use these privacy-focused Android versions without Google Play, is there a consistent way to get apps from the Play store to run on there? (e.g. download the APK from somewhere and sideload it). I'd really like an OS that doesn't spy on me, but there's e.g. some goverment ID apps, transit apps and so on, that I'd really not like to have to give up.
A lot of apps rely on google play services. It mostly depends on how much of google play services an app requires as to whether it'll work on a degoogled phone or not.
CalyxOS includes microG, which solves the compatibility issue for some of Google Play Services' most essential features, including push notifications, better geolocation, and map rendering. microG also keeps Google's in-app ads disabled.
The gp mentioned government id apps specifically. Those along with banking apps are the ones I've heard having the most trouble without actual google play.
There are third-party clients for the Play Store (Aurora store being a good example). Aurora store uses anonymous accounts to download the APKs directly from Google. That being said, just because you can install the application doesn't mean it will actually work without Play Services installed. I've had quite a bit of luck with random applications I've installed (interestingly most Google apps like Gboard, Photos and GCam work fine offline and without Play Services), however YMMV.
Aurora store does NOT let you download paid apps. If you have paid for a app, you can sign into that account in aurora store and download the app you bought. However, the paid app will most likely not work as most apps use a SDK provided by google for verifying purchases in a app. This SDK heavily relies on google play services. And secondly, using a 3rd party store like aurora does violate googles use agreement which means google could ban your account if you sign into it from aurora. I would highly advise to not use a google account you care about with aurora.
Nah, Aurora only works for snagging free apps from the play store via a proxy account- you're thinking of another well-known APK download site starting with an A, one which allows users to create their own 'app stores' (ie. repositories) and is rampant with piracy. I'm sure it comes in handy for kids with more tech--savy-ness (enough to avoid the malware!) than literal cents.
> you're thinking of another well-known APK download site starting with an A
Aptoide. I have seen pirated paid apps on Aptoide, but any app marked as "verified" is not pirated (as in, it's available free of charge elsewhere) and the app's signature on Aptoide matches the app's signature on Google Play. Everything in the main "apps" repository and some apps in other repos are verified.
Aptoide is useful for downloading older versions of Android apps, especially when APKMirror doesn't have an entry for the app.
Fun fact: Aptoide is open source and F-Droid is actually a fork of Aptoide.
One of the most popular ways is to use the F-Droid repositories, which if you know a little Linux concepts it's like plugging in another software repository to the same package manager. (see f-droid.org) It can be confusing though because F-Droid is both an app, and the name of the primary software repo which is pure FOSS software (no ads, no trackers).
The F-Droid app supports adding more repositories (think like apt/yum/dnf on Linux) easily, so you can source software from anywhere which runs their own repository. One of the most popular "other" repos is Izzy (apt.izzysoft.de/fdroid), and there is an alternate project called "microG" which can allow you to use Google Play store apps (microg.org/fdroid.html). microG is how you will get your Google Play apps onto the device, usually (there are other solutions besides microG out there however).
The CalyxOS install ROM includes F-Droid (app and repos) and offers to install microG for you on your first boot (as well as some other opt-in stuff). Calyx runs their own F-Droid repo which is pre-added to the app so you get updates from them as well (think the built-in apps most smartphones have).
Nit rebuttal: I was referring to the F-Droid repository which I thought was clear from context. These elements are scanned for and apps called out (tagged) should they contain something not-free, even connecting to network services like Reddit or Twitter. The are referred to as Anti-Features: https://f-droid.org/en/docs/Anti-Features/
Trivia: by default (unless it has changed upstream), the F-Droid app defaults to "Include anti-feature apps: Off" in the Settings. The user must go in there and manually opt-in to see all the anti-feature apps on the mobile client.
It doesn't actually hide apps with "anti-features", you can still see them by default. The only thing it does is hide the description and install button of apps with "anti-features" in the search screen. It seems like a half-baked feature.
That's true, but the date of the most recent release is clearly shown, and it's easy to avoid the unmaintained ones. Also, F-Droid most likely has newer alternatives for the kind of app you're looking for.
You are always able to add playstore in. But of course this comes with some cost to privacy.
There's also other app stores like f-Droid. Usually these are populated with the same apps but often there are ones you are going to have a harder time getting.
Does anyone know if there's a way to do a sandboxed playstore? Like you can use it to download the apps and update (assuming this won't be automatic) but that it is contained otherwise?
I use f-droid for most of my standard apps (note-taking, calendar, etc) - and since I am not using gmail, those suite of apps are useless to me. I use firefox for my browser, and use the client provided by my email provider.
The worst thing is basically not having Google Maps because while fdroid does work, it is not condusive to 'just looking things up real quick'. It's more of a 90's GPS where you pull over, take 5 minutes to look up what you want and navigate there.
The other issue I have is I don't get push notifications from CalyxOS, and I don't know why. Messages are received, but my phone won't show me unless i unlock the screen - and then I get alll the notifications at once. If I don't interact with the notification, it will do it again the next time I use my phone.
otherwise it's been fine. I am using a google pixel 3.
> The worst thing is basically not having Google Maps because while fdroid does work, it is not condusive to 'just looking things up real quick'.
If you're okay with a closed source navigation app, Magic Earth strikes a balance between Google Maps and FOSS apps such as Organic Maps. Magic Earth uses OpenStreetMap data but layers its own address search on top of it to cover addresses and landmarks that are not available on OSM.
Google Maps does work on CalyxOS and so does its most fully-featured proprietary competitor, HERE WeGo. But if you only want to use free and open source software, I understand.
> Messages are received, but my phone won't show me unless i unlock the screen - and then I get alll the notifications at once.
Is your device configured to hide notifications when locked? See "Control how notifications show on your lock screen":
> Is your device configured to hide notifications when locked? See "Control how notifications show on your lock screen".
Yeah it's a bug with push notifications I think. I don't care - I think it's a great feature because if I don't hear the buzz, I won't look until my brain decides to check my phone, which can be a long time.
I am looking to move towards a Punkt MP-02 for my next device, but the fact that it's not an open source device that I trust... I hesitate.
There are sites like APKPure that mirror the Play store. That particular site also has an app of their own that functions as an app store, which will install from their catalog.
Of course, you're just moving your trust from Google to this other third party, it's up to you if you consider that wise.
Use the Aurora Store app (you can keep this updated via the F-Droid app), it's a client for the Google Play Store so it'll allow you to update those apps through it.
ive been trying that it the last while with an old phone where i didn't bother logging into google when i reset it. i just use tasker on my main phone to extract the apk for the current app and save it into to my syncthing folder and sync it across that way. but there are other apps that will let you extract the apk's as well.
so far only one or two have worked unfortunately but most do
I have been using LineageOS without google replacement libs for about a year. There is a huge amount of comments here, which is interesting in itself - clearly there is a lot of interest in de-googled Android. I worry about fragmentation, eg: if there are too many options will they get diluted without the larger user base. Many apps won't work without google libs. I would like to think that this puts pressure on app builders to not just blindly require google libs, but the reality is without a significant user base wanting it, the tradeoff will always side with the majority. Interestingly WhatsApp works fine - presumably because using your competitors libs is seen as a no-no. FB are no angels here, but I need WhatsApp for family chats.
WhatsApp still works on a 9 year old Android I still have. Remember that a large part of the world doesn't have fancy phones, and WhatsApp needs to work on all kinds.
In fact, it's easier to install WhatsApp with severely limited permissions, while I just couldn't install the supposedly much more private Signal without giving it SMS access.
I don't know if they have this, but a good feature a privacy centric android experience would be, to have a simple accessible log of what app accessed what using which permission.
The code for this was already present in AOSP, Google simply had it disabled / reverted in their builds. We just bring it back like many other Android ROMs.
I'd worry that translating this to an end-user-relevant concept of security would lead to a lot of scares, though.
Probe all the files in a directory to see which ones are “yours”: “What? Why is it accessing all the files? So suspicious!”
Require a specific name pattern or something: “I never have to remember to do this on the other apps…”
There's a lot of these tradeoffs that in human life are resolved through reference to all sorts of subtle human things that the machine knows not of. We're at this liminal point where “app” software is given a bare form of “agency” from a social perspective as an extension of its developer, but it doesn't have the intelligence to negotiate over it much (and I think that's behind some of the model-simplification pressure that's encouraged heavy vertical integration).
I've been using MicroG+Lineage for a few years now. No complaints from me, but I don't use a ton of apps. Not sure what the advantage of CalyxOS would be over my current setup (especially considering Lineage has a much better catalog of supported devices)
If you are not using root, CalyxOS lets you relock your bootloader with the developer key, which increases the security of your device by preventing other operating systems from being booted or flashed onto your device (until you choose to unlock the bootloader again, which requires you to enter your lock screen password and would wipe the device data). CalyxOS only supports devices with bootloaders that can be relocked with a custom key.
CalyxOS has a handful of apps that exist in the image that you can optionally install. I would assume it's one of those. I run CalyxOS and don't and never did have WhatsApp installed.
Unsure. It seems that they have Signal installed by default, but not WhatsApp. However, if you install WhatsApp you can make a WhatsApp call directly from the dialer I think?
LineageOS + microG here, on a motoX4. It's been the phone I use every day for about a year. My wife has the exact same setup, and generally gets along fine with it. FDroid has _most_ of the stuff we want. Some apps just aren't available there, so we end up using the Aurora store for those, with Warden used to scan those apps and stub out as much tracking code as it can. It's all about compromises, especially for others.
Self-hosted NextCloud replaced Drive/Dropbox, and with some plugins it also does phone/location tracking, secure messaging and video calls, TODO lists, and some more. Self-hosted PhotoPrism replaces Google Photos.
The phone experience hasn't been bad. One thing that came up initially is that most of the open source apps aren't as "pretty", and the UX just isn't as good. I don't care about it too much, and I'm fine with overall using the phone less anyway. The issue that comes up on a regular basis is the Google Maps replacement. OSMand is a great app, but like someone else mentioned it's more of a "look up the address and type it in" experience than a "show me all Thai restaurants in the area" experience. IMO small price to pay, I've been using GPS much less, and I've gotten much better at navigating with my "mental map".
I've used LineageOS without Google services for about a year now. The only big missing feature I've found is notifications which in some ways is quite freeing and makes me check my phone a lot less.
LineageOS (and perhaps other ROMs) have the option to disable all networking features for apps, so I actually still use Google Camera, Google Photos (as an offline gallery) and Gboard (again all offline) and the majority of features just work. They don't complain about missing Google Services, nor about the missing internet connection.
There are great alternatives to apps like YouTube (NewPipe), Maps (OSMand), Chrome (Chromium, or I use a browser called Privacy Browser on F-droid) and I have tried apps like Spotify and they too work without Google services (although I guess some features might be lacking).
F-droid is an amazing service and has many FOSS alternatives to apps. I found myself today recompiling my browser application to fix some small bugs which just made me sit back in my chair and think "that is so cool"!
I think making the change can be gradual (for example switching to LineageOS for MicroG to get a subset of working Google services) before fully de-Googling, but the change is definitely possible (and easy) to make.
I use LineageOS for microG [1] and I'm planning to move to GrapheneOS once the Pixel 6 gets released (since it finally has guaranteed 5 years of kernel updates).
LineageOS is superb for getting rid of stock OS bloatware and spyware and I have an experience on it that's better than stock Android. However it doesn't have hardened security like GrapheneOS, which is why I want to move to that later. On the other hand microG is needed for push notifications and maps APIs, which GrapheneOS doesn't support so I'm not sure how the fallback options of some of my currently used apps will fare on it.
If microG turns out to be necessary for my workflow then I'll get CalyxOS instead, since it includes microG and is somewhere between LineageOS and GrapheneOS in terms of security.
From the sounds of it, the Pixel phones have the widest support across the different options here, so the Pixel 6 might end up being my first Android phone purchase in a while.
I am daily driving GrapheneOS for over a year now as my only phone on a pixel 3a and I like it quite a lot. Here's how I handle stuff and what limits i encountered. Keep in Mind that you have to rethink your app usage aswell, meaning testing a lot of apps from F-Droid to see what works for you. You average FAANG Privacy Invasion App dejour propably won´t work and i´d be wary of hardware requiring an app to be used if you go all in.
1. E-Mail: Using Fairmail from F-Droid (paid version though) is great for GMail and most other Providers. Notifications are usually faster than G-Mail in the Browser.
2. WebBrowser: Using Fennec from F-Droid with Adblock. The Chromium Version integrated in Graphene is propably more secure though. But adblock is life...
3. OsmAnd from F-Droid for Navigation. Works well enough, UI is clunky though. But Offline Maps are pretty sweet to have.
4. Most Messengers work, Notifications are spotty sometimes. Telegram Signal, Element, Threema all do fine though Element sucks battery life down to unaccaptable levels. Haven´t and won´t test whatsapp.
5. OpenCamera + Nextcloud is good for Cloudsyncing and Camera.
6. Password Management with AndOTP and KeePassXC is sweet and integration of the fingerprint sensor is really useful. Useful enough that i miss it on my desktop linux
7. Paypal App works, my Banks app work but YMMV.
8. Biggest annoyances are local german Taxi Apps. They all don´t work but i was able to work around it using a website. Still can´t pay via app.
...Well i don't use my phone for much more than that.
Battery Life is great, Security and Privacy is also good. You can lookup App Compatibility to a degree here: https://plexus.techlore.tech/
I'm using GrapheneOS on a second device for various reasons. The biggest issue for me is that not all apps work / run. However, I have limited app requirements, so that is fine. If you want to run all social networks, Uber, Lyft, and so on, there might be the one or other that doesn't work (I didn't try them all). However, you can always use the mobile web offering I guess.
In terms of classical smartphone features, I know what I don't get out of the box due to the lack of Google Services (Assistant, Picture Sync, etc). That wasn't an issue for me as it is a secondary device.
GrapheneOS now has https://grapheneos.org/usage#sandboxed-play-services providing the ability to install Play services in a sandbox. The core functionality is already working in the Stable/Beta channel releases. You can install it in a dedicated profile to avoid apps in other profiles being able to use it.
GrapheneOS is fine with people using Google apps and services but not integrated into the OS and they should be on the same level as other apps and services without any special privileges/access. We're working on making this a reality. Google could implement the fallback code paths we're providing for Play services themselves. All we're doing is teaching it to do what it should already know how to do. Perhaps a regulator can force them to unbundle their services and make them usable anywhere.
Not the person you asked, but my banking app works but occasionally will crash when I go to certain parts of the app. I'm not sure why.
Other than that Discord, MS Teams, and ProtonMail all work fine with the exception of push notifications (I disable those anyways, so this isn't a concern of mine).
I've been using /e/os [1] for a while and I am very happy with it. It has microG integrated so any apps that rely on google play services should still work.
[1] https://e.foundation/
I hardly use any apps that are not foss, really I just need slack and whatsapp, and they work well (push notifications etc) so microG works well for me (I don't think these 2 apps would work fully without microG but never tested that). Banking apps I don't use, and they probably wouldn't work, but hey, websites are still a thing.
CalyxOS on a Pixel 5 with microG for the past month. The only two problems I've had have been that I can't install the CapitalOne app and I can't install any paid Google store apps. I have a backup Android phone (Unihertz Jelly 2) with LineageOS and Google Play Services / Play Store installed, which I haven't had any issues with at all. I don't use Google Pay, Google Assistant or Google Maps. Those three apps are my biggest pain points, but a sacrifice I'm willing to make. I do use Garmin Pay on my Garmin watch and the Google Maps web app.
It used to be that iOS was the recommended phone OS if you were looking for the best combination of privacy and security. Even Daniel Micay (the lead developer of GrapheneOS) thought so, 2 years ago [0]. But these ROMs are looking much more mature these days. Anyone have thoughts on how CalyxOS and GrapheneOS compare to iOS in the present day?
To my knowledge, GrapheneOS has become the leader of the mobile security space while CalyxOS remains more-or-less on par with iOS. This all depends on your security model, though. There are tradeoffs everywhere.
It is asking a lot, but this would be nice: if the developer organizations behind CalyxOS and GrapheneOS could sell new phones with software installed, sort of like System 76 for Linux laptops.
I made the mistake of purchasing a DOOGEE phone a few months back.
Won't touch it now that I realize the OS is completely hijacked by whatever chinese company produced this not-half-bad phone. (It goes so far as adding a watermark of the company logo to every photo I take! Sure I can disable it but I just don't feel right putting anything of value on there.)
What would happen if I tried installing CalyxOS on it? Or another android compatible operating system?
It's not listed as compatible on any alternative android OS that I can see at least.
Not recommended. Downloads are tailored to specific device models, and installing an operating system image intended for a different device model would not work and could brick your device.
DOOGEE phones are not supported by LineageOS, and there is unfortunately hardly any developer focus on this brand:
> 1) What would you say are your unique differences from LineageOS and GrapheneOS?
We do borrow a lot of code from other projects and try to send any fixes / improvements back to them.
We try to provide an OS designed to ensure maximum usability and flexibility, so that you have an array of choices available to ensure your privacy and security.
You can choose to disable it (which still has benefits), keep it enabled, or even login a Google Account. There's even a fourth option where you have it enabled but without the notifications / communication with Google servers, where it's still useful for some app compatibility, and things like location providers and exposure notifications.
> 2) What big goals/projects are planned for the future?
Our biggest goal has always been expanding the reach of the project. We want to support cheaper phones which are widely available in the world.
We also have a bunch of features in the works or planned for the future - Panic trigger improvements, built in ad/tracker block (without losing the ability to use a VPN), and more. Most of it is documented as https://gitlab.com/groups/CalyxOS/-/epics
> 3) Where do you see Android as a platform in 5 or 10 years? Any predictions or notable obstacles?
We will be at S now, which means we'll be at Z in 7 years. What happens then?
Kidding aside, I'm always excited by watching the changes Google is doing (some of it is done in the open, through AOSP at https://android-review.googlesource.com/ - you see lots of Rust here nowadays, I need to learn that)
Fuchsia is also going to be interesting, they must have something planned.
> 4) What do you think of mobile Linux distributions?
I have massive respect for them given the work they're doing. I always see at it this way - we're working on Android, and especially on the Pixels - all the hardware is there working for us, so we can focus our efforts on improvements in other areas.
Linux on mobile has to spend a lot of time catching up to just the basics (getting phone calls working for example).
There are pros and cons to both, it entirely depends on your use case to see what fits.
An early release of this is already available in the Stable/Beta channel releases. Our hope is that more projects take interest and collaborate on making a much more broadly compatible alternative to microG with the same security sacrifices it makes.
The trouble I have with AOSP of all flavors isn't lack of Google Services, it's lack of access to the app store.
I can do fine without Google Services, but I occasionally need an app that's just not available on F-Droid, and Google is doing their level best to make it harder to get APKs any other way. You used to be able to download them from the store; no longer possible. They've announced some other package format, support for which I assume won't be released to AOSP.
They're locking Android ever closer in to their store, and it makes any alternative Android distribution ever more dependent on Google.
> Google is doing their level best to make it harder to get APKs any other way. You used to be able to download them from the store; no longer possible.
They are making it easier with Android 12 by letting third-party stores do automatic updates without user interaction, not harder.
It has always been the case that OEMs need to bundle Play Services in the OS and that you need an account to access Google Play. Some OEMs like Samsung and Huawei bundle their own store, "the store" isn't a thing. Raccoon, Yalp Store, Aurora Store, etc. to access Google Play have always existed too.
> They've announced some other package format, support for which I assume won't be released to AOSP.
It's not a new format, it's open source and Aurora Store and other stuff supports it just fine. It's not locked to Google Play.
It doesn't answer your real question, but still, I'll try to make a summary:
All of CalyxOS, LineageOS, LineageOS for microG, GrapheneOS and /e/ are Android distributions (based on the open-source part of Android, with some modifications and additions)
Purism (brand name) Librem 5 (model name) is an opensource smartphones that reduces black boxes to closed areas, while on most smartphones black boxes like modem share RAM access, using a brand new GNU/Linux (so not Android) smartphone OS.
microG is fundamentally simply an opensource Android app, that replaces some small parts of Google Services (which are very big unauditable closed-source Android apps), so apps requiring Google Services may have a chance to work without Google services. However microG requires a bit more permissions than a standard app, that's why there needs to be a "LineageOS for miroG" to support microG.
Now, between CalyxOS, /e/, LineageOS, and GrapheneOS:
- LineageOS targets devices support. LineageOS supports many devices officially, and provides infrastructure to support many more unofficially. They also include many features, but it doesn't feel like they have a specific orientation, and they are happy to integrate with Google apps. They are the very core of Android community original development.
- GrapheneOS is security first and foremost, no matter the cost to usability (their philosophy there does seem to evolve to open to more users recently). They do (great) security original development.
- /e/ is market first. They focus on having the best experience to the user, and try to reach as many users as possible. They have very little original development, their value is mostly in communication, and providing a "cloud" account.
- CalyxOS is targeting a good private user-experience. This goes both by having good usable defaults, and filling gaps. They have nice original developments in making Google-less more usable.
An additional note: Android is natively much more private (1) and secure (2) than GNU/Linux. This is the reason /e/ is considered okay privacy-wise, by simply removing Google and OEM apps, you make Android much more private.
(1) Except if you have Google apps or OEM apps, which can access all your data. But your data is pretty safe from other people.
(2) except that kernel upgrades are often lagging behind
> An additional note: Android is natively much more private (1) and secure (2) than GNU/Linux.
Not so. There's nothing stopping you from using containerization in GNU/Linux to sandbox any potentially malicious programs, as AOSP does. It's just that running a fully Free desktop means you generally don't have to do this in the first place!
Purism's Librem runs GNU/Linux, not Android; microG is a free replacement for Google bits in Android (Google "services", including location services from other sources); LineageOS is a non-privacy focussed, somewhat de-Googled Android; /e/ is a privacy and free software focussed derivative of LineageOS with a larger set of supported hardware; GrapheneOS is a security-focussed (not privacy-focussed) version of Android with rather limited hardware support. It's not clear to me what the fundamental difference is between CalyxOS and /e/ other than hardware support and what's built-in.
Something like this seems a lot easier to set up than the hoops I ran through to get my Xaiomi Redmi K20 Pro running Havoc OS + microG. I wish it were more straightforward to get more device compatibility for builds. With GNU/Linux I pick my CPU architecture and I'm good to go. With a project like this, I, given my Android proficiency, should wait who knows how long to get a compatible build. But why a separate build for every device?
Previously Android phones were allowed to be released each with modified unique kernels. All new phones which ship with Android 12 however must use the same generic Android Common Kernel, and any device-specific drivers are then attached via kernel modules.
So basically from September-ish all future Android phones should be able to boot off the same image, or at least a Generic System Image.
microG as a semi-Play Services experience is fine, the only issue I have is that most network-based geolocation backends tend to be hit or miss. I usually have to enable the Apple location service if I need a fast geolocation.
Some apps (especially banking and governmental apps) refuse to start at all. With microG (https://microg.org/) you can run a wide range of apps though. It's quite bearable, especially if you aren't an app junkie that downloads every app promising a discount on that new store you're purchasing from.
I just transferred from Android to iPhone today. I wouldn't bother to use these alternative Androids, because I don't trust 3rd party app stores. There are banking, authenticator, and other essential apps I will never download from a 3rd party app store.
Not even an app store that distributes only open-source software (eg F-Droid)? Considering the reputation for scams and malware on 1st party app stores I could never understand this perspective.
Comparing just CalyxOS to /e/, both include microG as a substitute for Google Play Services. That's the main feature they have in common.
Some of their differences:
- CalyxOS's upstream is AOSP, while /e/'s upstream is LineageOS.
- CalyxOS is intended to be used with a locked bootloader, while /e/ is mostly intended to be used with an unlocked bootloader. (As an exception, /e/ supports a locked bootloader for the Fairphone 3, but I'm not sure if there are any other models that work the same way. /e/ install instructions for Fairphone 3: https://doc.e.foundation/devices/FP3/install)
- CalyxOS supports a few devices, since the project only considers devices that support relocking the bootloader with a custom key and have a monthly security update schedule from the manufacturer. /e/ supports a much larger number of devices.
- /e/ integrates its optional open source cloud service, ecloud, which includes email, calendar, contact, photo, and file hosting. CalyxOS does not offer an equivalent first-party service.
I'd argue that it's more akin to Ubuntu relying on Debian for updates, or Microsoft's Edge / Brave Browser / one of the many other forks relying on Google for Chromium / Blink updates.
The one distinction is in addition to the open source code comparison here, we also use some proprietary bits from their updates, which are needed to get the phone booting and basic hardware working.
That is a limitation of Lineage only because they choose to cater to users who want root (which usually modifies /system) and to support flashing Google Apps.
Why would having root itself rule out secure boot? It's just that they refuse to offer root themselves, and only as a result of that refusal one has to use system modifications to gain root. In a sense this is the opposite of your claim: they do explicitly not cater to root users.
And what the hell? Root with verified boot? That's like having the most secure castle while leaving the door open for anyone, you can't have both worlds.
Note: our root implementation was apparently affected by some vulnerabilities ( never disclosed to us ), meaning I tried to lower the attack surface to minimum, but not knowing I did anything helpful we just couldn't leave it there.
Root doesn't mean you give root permissions to any dumb app. I implied proper permission management and authorization, of course.
Then it's just like a secure castle where the user can go into all of the rooms, to some with a special key. You don't have to go into those rooms, but you have the option to at any time.
And, depending on the implementation, you may change the special room, but if you return after the next reboot, it will be reverted back.
Actually, the castle analogy goes further: Unfortunately, many seem to interpret "verified boot" and "most secure" as "protects the dumbest user from shooting themselves in the foot on purpose by locking them into that castle.
That is exactly where the recent apple scandal is coming from: The user is subservient to the OS vendor, and the OS vendor can abuse the user as they please.
Security is very important. Why? In order to not be exploited by strangers (criminals, spys...) against my interests. If security enables exploitation against my interests (by whomever, be it the OS vendor, the movie industry, or the government), it is not the security I want.
This one OS is different than all the other evil ones? That's what Apple said before...
If you're rooted your security is way lower. Simple as that. Rooting can be used against you, it can lead to exploitation, and likely has been.
Note: you can have secure boot without root and using your own Android build, such as CalyxOS. Not rooting doesn't imply using the stock firmware, never has been.
I honestly don't understand why it should be "Simple as that"? If you have the phone rooted, as long as you don't grant root to any application, why should it be less secure than if you hadn't rooted it?
(assumed everything else the same, specifically the rom supporting verified boot with root)
Then, by granting root permissions to apps, of course the attack surface gets larger, but this is a thing you control yourself.
Your note was always understood. Of course not rooting doesn't imply using the stock firmware. It however implies that you are submitting to a different master. Who may be different, and maybe a bit more lenient than Google/Samsung/whoever, but that other master will still enforce any dumb app's will against you.
Verified boot is only enforcing on -user builds.
Lineage ships -userdebug builds.
Furthermore Lineage's official root addon writes to /system. You can't have any additional changes to system or else verified boot won't boot.
You can't have it both ways as it stands.
That isn't to say they are incompatible, you can compile-in root support before the system hashes are generated and then you can have a locked bootloader with verified boot with root support.
But you cannot make any additional changes to /system with that root power afterwards.
The only way to preserve verified boot with Magisk is for the bootloader or recovery image to have Magisk compatibility built-in prior to signing. I don't think any flavor of Android that supports verified boot is currently doing this.
Silence is sadly no longer maintained, but it still seems to work for now. I will eventually replace it.
Re Mozilla: I do state on my browser comparison page that Chromium browsers are more secure. Also the Bromite repository is included in F-Droid by default on DivestOS.
It would help if you'd put the supported devices right up on the front page. It saves much time for most visitors and doesn't end up in frustration if people get them on the second step.
That is the irony. Only pixel hardware provides one step OEM unlocking in US. All other devices are carrier locked and have restrictive unlocking process.
Samsung/Motorola/ etc. should release OEM unlocked devices not just carrier unlocked that can be purchased directly from their online stores.
This will make adoption easy for these open Android projects.
Most of the de-Googled or Linux based mobile OSes have their installation restricted to Pixel phones. Why? Is there any option for old Motorola phones?
Because those are the phones that are supported in the upstream Android Open Source Project (AOSP), which these OSes are typically based on. Other phones, even ones that to a great job of publishing their sources (like Sony's), have their support living outside of AOSP. And older phones get dropped from AOSP, the original Pixel was dropped in Android 11. So, by only targeting the devices that AOSP supports these OSes can focus on the interesting part of building the OS, rather than getting bogged down with hardware support.
The other aspect to this is that you can install a custom OS on the Pixels and still re-locked the bootloader, which means you get Verified Boot and all the security guarantees that brings.
You actually couldn't do that with the original Pixel (which until recently, Android 11, these custom derivatives tended to support). You'd get a warning screen every boot about how the OS has been modified.
You definitely could, we used to support it in a previous iteration.
This was also possible on the Nexus devices, although the oldest I've tried it is the Nexus 6P.
It just worked slightly differently on those, nowadays you enroll the public key by flashing it to the device, on those (Pixel 1, Nexus) you used to have the public key embedded in the kernel.
Unless I'm mistaken, the Pixel 1 blindly accepts whatever pubkey is embedded in the kernel, but displays the warning screen on boot if it's not Google's pubkey (to clarify, not a click-through screen, just a temporary splash screen). I guess yeah it's technically Verified Boot, but if it just accepts any key you throw at it, then the security guarantees are a lot less. You can't tell it about your pubkey to get the scare screen to go away, and you can't tell it to block other keys to get the security guarantees.
Telling even the newer devices about your pubkey doesn't get the scare screen away. You see a Yellow Verified Boot warning meaning the OS is signed and verifies but with a custom set of keys.
When you lock the bootloader you block other keys, since fastboot is pretty much disabled when you do that, and the only way to install something would be via OTA updates which would have to be signed with your custom keys.
I guess maybe if you're able to get a root exploit and replace the boot image? Not exactly sure what would happen then, need to try.
having to buy a pixel phone for this is too expensive for the 2,5 world countries folks anyway. Unfortunately, it won't become popular if brands like xiaomi don't work with this kind of software, and I know there are many reasons why it will never happen.
I am as a rule wary of anyone who decides to offer me "privacy" as a USP of their products, I didn't pick up the phone or laptop to get more privacy, but to share more data. Moreover, the iron law of oligarchy seems to suggest that those who are excessively concerned about my data must need it more.
Not recommended. Downloads are tailored to specific device models, and installing an operating system image intended for a different device model would not work and could brick your device. If your device is supported by LineageOS but not CalyxOS, LineageOS for microG is an alternative OS that might work for you:
Even with the most secure alternative Android, you always have blobs from the original manufacturer that you have to use for some hardware-related critical functionality. And of course, the baseband that usually has full access to device's memory using DMA.
That's where the backdoors go, I'd suspect.
In this regard I'd trust Xiaomi way less than Google.
However, Google phones have been subpar for a long time. E.g. the storage was too small and non-extendable. Makes sense from a Google point of view, as you're supposed to store everything into their cloud. But not well suitable for offline-first and privacy-first.
Since Microsoft now supports Android apps, you can expect ungoogled android to become more popular since more apps would be written which dont need play store
yes and no.
first of all: which services does Amazon provide that would make an app dependent on them in the same way it might be on Google services? does Amazon have its own system for push notifications? for weather data? for syncing contacts?
secondly: it has been confirmed that Android apps will be able to be sideloaded. a Microsoft employee tweeted about it but I can't really find the post right now
Microsoft might implement Amazon Device Messaging in Windows 11.
> secondly: it has been confirmed that Android apps will be able to be sideloaded. a Microsoft employee tweeted about it but I can't really find the post right now
There are some people and organisations you can never keep out. It doesn't matter what software you use.
You may stand a good chance of keeping the average snooper out, and for that you need to trust the software provider. So it ultimately comes down to who you trust more to keep your stuff moderately secure.
If you don't want anyone (but yourself) to have access to your information then don't store it digitally.
So who do you trust more, Google or random people on the Internet? Neither are an ideal choice, because there isn't one.
It has been years since I have used Android (and F-Droid), but I always thought F-Droid was pretty heavily curated and had a sane security model [1]. Why do you say it is for distributing viruses?
I installed LineageOS and found I couldn't run some google apps. I reinstalled LineageOS with https://opengapps.org added during the install and made the mistake of transferring from my old phone which brought all the google services and everything back to the phone (mostly).
I then installed CalyxOS - much easier install process than lineage. Really liked the defaults. Could not get many apps that relied on google play services though. If I didn't need so many Google-tied apps I would pick this as my phone OS for basic stuff like messaging and browsing.
Installed LineageOS again, found there were a couple apps I could not get working after all (50 different apps installed).
In the end I gave up and re-flashed Google firmware back onto the phone. I spent about 10 hours on all this stuff and simply ran out of time for now. I though I could get away from Google but I didn't realize how much my apps needed Google.