Observation about the GrapheneOS/Google Pixel smartphone platform and community

So I’ve been running GrapheneOS on a Google Pixel 4A for well over a year now in hopes of having found a relatively secure phone, as GrapheneOS is marketed as the most secure and private smartphone OS available.

Graphene only runs on the Google Pixel however (owing to it’s supposedly superior hardware security mitigations), and while I do think that the OS itself is solid, certainly more so than stock Android and probably iOS too, I have always been skeptical about the idea that Google of all companies would build a device that could be configured to offer real security and privacy. That would seem to go directly against their entire ethos, which has basically been the antithesis of privacy.

I have often visited the official GrapheneOS chat channel on Element, and have found it to be useful with alot of very knowledgeable and helpful members there willing to answer questions about installation, configuration etc, and they also have an off topic forum for general tech and security related chat.

Something interesting I have noticed on several occasions though, is that anyone who starts to really publicly question the security of Graphene or the Google Pixel there gets reprimanded quickly, and often ousted entirely from the forum. Any mention of the Snowden disclosures or Prism program will result in an instant ban from the mods. Like they must literally have keyword alerts set up, as ridiculous as that is. I’ve personally been banned there for making statements as benign as “I trust GrapheneOS, but Google, not so much” and “Do you all really believe that Google would build a phone that is truly secure and private? I don’t”.

Given the disclosure and nature of the Prism program, which showed that basically every major tech company was working directly with the NSA to share user data and sometimes even add backdoors to their own products, I think this topic is highly relevant to the discussion of smartphone security. The fact that I and several others on multiple occasions have been swiftly banned from that community for merely bringing this up really makes me question GrapheneOS. I think I need a Librem phone lol.

Hi @rh-evolution, welcome to the Community! Indeed, I noticed that, too. Very recent discussion can be found here: https://news.ycombinator.com/item?id=30761376. GrapheneOS people often accuse the other side of bad faith which does not increase my trust in them. I admit that I’m no expert in security and I don’t even understand all their explanations sometimes. I guess they could make them more clear for bystanders…

I hope more people switch to GNU/Linux phones as a result As a bonus such people get freedom, which is not possible to get with Google phones.

I hope more people switch to GNU/Linux phones as a result …

GNU/Linux phones certainly offer more Freedom from my perspective.

However, the typical GNU/Linux distribution is far from being secure. Most distributions put far too much trust on the openness of the code. That’s not saying that GNU/Linux can’t get there, but in terms security features of the OS, AOSP is far better. The issue with AOSP and/or Android is that it’s too tempting to install applications that you shouldn’t trust.

GrapheneOS people often accuse the other side of bad faith which does not increase my trust in them.

You underestimate how much they’ve been harassed. Amos is only one of several who have tried to push Purism/Librem5.

I guess they could make them more clear for bystanders…

It’s true. But I think it’s fair for them to expect the bystanders to try to understand the answers already provided. Amos might not be acting in bad faith, but I have found that his tendency is to accuse them of being wrong to try to get them to explain themselves more. That could be viewed as harassing and “bad faith”. He has annoyed me quite a few times with that approach ( as well as his “wall of text” quantity-is-better-than-quality discussion).

You don’t need to go after the guy in an unrelated thread by itself, but much less when it’s driving someone else’s off-topic.

The link to “often accuses” that I copied from the previous poster was a link to Amos’ conversation. Doesn’t that make it relevant? I was adding context about why strcat might reply as he did. Here’s the parent post to the link @fsflover posted https://news.ycombinator.com/item?id=30769589 .

Indeed. So the bottom line is whether it is open source.

If you can download the complete source code for GrapheneOS and anything else needed to use the phone, and build from source, then it is probably OK and it is at least verifiable in principle.

If you can’t then, for the pieces for which source code is not available, you are taking it on trust. You are trusting that a backdoor is not being hidden in one such piece.

In fairness to “every major tech company”, they may not have been doing this voluntarily. With a gun to your head, you too might do things that you don’t want to do.

Frankly, I wouldn’t trust Google even when they don’t have a gun to their head. Their business model is, as you say, antiprivacy (in the sense of antimatter i.e. when Google and privacy come into contact, they mutually annihilate, with the production of large amounts of dangerous radiation).

Privacy and security are overlapping but separate concepts.

Also, does Google offer a warrant canary for this hardware/software?

Open source is great, but from what I have read of the Snowden material, much of the modern surveillance capabilities lie in compromising the hardware the OS runs on, allowing persistence that can’t be gotten rid of without switching to an entirely new device, hence my skepticism about the Pixel. The consistent overreaction of the higher up folks over at Graphene to the mere mention of this topic is kinda odd in and of itself.

@Privacy2

These are two links. Perhaps the developers could link to their website with relevant answers more often, additionally attracting new people, instead of writing walls of hard-to-understand text. Just a suggestion in the hope to help.

When one spends huge amount of his/her free time on a project like GrapheneOS, this project becomes like a baby, like a part of the own identity. And it would be psychologically devastating if it turns out to be wasted time because of the choice of hardware. This could push people to overreact to criticism and to take the topic too personal and to react irrational.
I wish a world where we could have a choice other then iOS and Android. And as this is a huge task, it is in my oppinion counterproductive when(or if) the teams around Librem, PinePhone, Graphene, FairPhone, Pro1x, Cosmo, ect compete against each other instead of uniting towards the goal.
Competition is good. But it is good at a later stage. Not now when the projects are so far from being real candidates to break the bipoly GoogleApple.
It would have been so cool if someone would come up with 1 billion USD and creates a high quality consumer ready open source repairable upgradable smartphone manifactured in democratic countries. Problems like the modem and wifi-card are most likely solvable if there are enough money on hand.

I have never used GrapheneOS, but from what I have read about it, I don’t think that you should have security/privacy concerns about using a Google Pixel with GrapheneOS, any more than using any other AOSP phone. Rather than something nefarious with Google, I suspect that the GrapheneOS lead developer simply can’t deal with criticism and normal debate, so it gets banned on their forum. You might want to consider installing CalyxOS if this behavior bothers you. (His behavior toward me, Debian, Techlore, Signal, Matrix, CalyxOS, Mozilla, Purism, Pine64, Linux kernel, etc. is a separate issue.)

I own both the Librem 5 USA and PinePhone Beta and I enjoy using them. They are definitely a work in progress in terms of their software, but you will get lifetime software updates, so I don’t see a problem in buying them now and waiting as the software improves. At any rate, if you order the L5 today, Purism is saying at 52 week wait time, and I expect that most of the big software issues like suspend-to-RAM and auto-focus on the camera will be resolved in the next year. However, it will probably be many years before the Phosh mobile environment will be a full replacement for Android/AOSP. You also aren’t getting very powerful hardware. See my benchmarks for the two Linux phones: https://amosbbatto.wordpress.com/2021/12/10/comparing-l5-and-pp/

If you are specifically concerned about security, there are pros and cons to using AOSP vs Linux. The community FAQ has some info (which should be updated): https://source.puri.sm/Librem5/community-wiki/-/wikis/Frequently-Asked-Questions#43-how-secure-is-the-librem-5-compared-to-an-android-phone

My personal take is that Linux phones are the better choice in terms of privacy, but they currently lack many of the security features found in AOSP, such as verified boot, good sandboxing of apps and using a separate UID for each app. The tradeoff is that you are running in an ecosystem where little malware and spyware exists and you get recent kernels which can be upgraded, whereas the manufacturers generally don’t provide updated drivers for Android phones, so it is often not possible to upgrade the kernel in AOSP phones.

For example, the Pixel 3a using GrapheneOS is still running Linux 4.9 (first released in Dec. 2016), because Qualcomm hasn’t released new drivers and Google will stop providing regular security updates after 3 years, so you have to buy a new phone every 3 years. Google says that the new Pixel 6 will get 3 years of Android upgrades and 5 years of security updates, so that is better than before, but it is unclear whether Google will provide kernel upgrades for the Pixel 6 or not. I think it likely that Google will use Samsung’s Exynos kernels which upgrade Android on top of the same kernel version, which is why they say that the Pixel 6 will get 3 years of Android upgrades, but 5 years of security updates, because each version of Android supports three different LTS kernels and gets 2 years of security updates.

If you buy the Pixel 6, I suspect that you will get this:
AOSP 12 with Linux 5.10
AOSP 13 with Linux 5.10
AOSP 14 with Linux 5.10 + two years of security updates

Yeah but it’s been well established that the NSA has near complete backdoor access to iPhones. If that is true there is no possible way they don’t have similar implementations for Android, and if so it is at the hardware/firmware level as they’re not going to bother with anything that can be mitigated by a fresh install of the OS.

I’ve also read that the real reason Huawei was banned is because their devices actually have hardware integrity and don’t contain any backdoors. Not sure of the veracity of that.

You mentioned you don’t use Graphene. Do you use a Librem or? I wish it wasn’t $1,300.

Huawei don’t contain any backdoors put there by the US government.

FTFY.

According to the Snowden revelations, Google, Apple, Microsoft, Yahoo!, Dropbox, etc. gave the NSA access to their backends under the PRISM program. After the Snowden revelations, PRISM access appeared to have ended with both Google and Apple. Both Google and Apple made a point to start encrypting a lot of stuff and they made public statements opposing the NSA spying on their customers. I do think that Apple stopped collaborating with the NSA, as is evidenced by the 2020 DoJ lawsuit against Apple to unlock an iPhone. With Google, I’m less sure, since we haven’t seen similar DoJ lawsuits against Google, but maybe the US government doesn’t need Google’s help to access Android phones. Google had very tight connections with the Obama administration, but so it is possible that Google worked out some agreement with the US government, but it seems really risky from a business perspective for Google.

This could be just a theater. AFAIK that iPhone was finally unlocked and nobody knows how. See also: one, two, three.

Correct, even now after Daniel Micay has supposedly left - this faceless developer that no one knows directly who somehow has all day and night to fight dissenting opinions on all platforms for years consecutively - the censorship has not stopped. It really makes you wonder if GOS is merely another honeypot. Snowden saying it is the only thing to use is yet another clue into it being a honeypot.

How difficult is it to verify this very complicated code base? The users don’t really have root-of-trust, and GOS can push any new updates to you remotely - while of course they claim unique devices cannot be singled out.

It really is amazing how much effort they have put into squashing all critique and somehow never care to show their faces even when YouTubers with millions of followers promote them. Do we know the real identity of anyone with admin-level GOS repo access?

On the other hand, the GOS devs have a point about no other phone hardware having good enough security features to bother making a secure OS for… Purism et al really need to get on it regarding a sort of OpenTitan chip to thwart efforts to decrypt via physical access.

There was also a claim of a bunch of Google engineers contributing code to GOS, but I’ve not been able to verify that completely.

I purchased a Google Pixil phone while waiting for my Librem 5 to arrive, and installed GrapheneOS on to it. It feels counter-intuitive that you need to make a new deal with the devil as a means to escape from a previous deal with the same devil. GrapheneOS only runs on Google phones.

By the time that you’ve finished installing apps and securing them from access by Google and others in GrapheneOS, you’re pretty much as isolated as you are on a Librem 5. With graphineOS, I compare my phone to a house. Using a traditional Google phone, it’s like buying a house with no doors. Anyone can come or go to and from your home. With a GrapheneOS phone, it’s like you have doors that hold back a crowd of people who you can hear pounding on the door 24/7, trying to get in. As long as you use Android apps, you’re always going to have people pounding on the door. Some of them will get in. The “creepy” factor is always there when you have Android apps, even on GrapheneOS. You may succeed in keeping most of the snoops out. But you know that they’re still there trying as hard as they can, to get in. It’s that same devil that keeps most of them out for you.

With the Librem 5, you have no deal with the devil. No one has any valid claim against your privacy. For the most part, no one knows you’re there. Those that can see you have no hooks in to you or your private information. Anyone who gets in (if they even can get in) is breaking the law. You don’t even have an “advertising ID” on your Librem 5. I doubt that a complete Android/Apple-like experience will be possible in any healthy way until everyone has a Librem 5 or Pine Phone, and then using those phones to create new social eco-systems and business systems under new terms and conditions that include the use of opensource agreements that keep snoops and advertisers out of that eco-system, by contract and force of law.