| ▲ | SchwKatze 2 days ago |
| My only problem with Graphene is the ridiculous low number of supported devices, i know I know, security reasons and so on. But I would accept an lower security hardened version but at least have Graphene instead of Google's junk |
|
| ▲ | mbananasynergy 2 days ago | parent | next [-] |
| GrapheneOS community manager here. Google's devices are currently the only ones that meet our requirements (https://grapheneos.org/faq#future-devices). However, we're currently working with another OEM and are hoping to have a device of theirs meet our requirements that can be launched in 2026 or 2027. Nothing set in stone, but we're optimistic thus far. |
| |
| ▲ | benreesman 2 days ago | parent | next [-] | | Extremely happy GrapheneOS user here. Thank you so much for the work you and your colleagues do. Speaking for myself, the adoption of a mobile communication and computing choice that both put me in control of what information I interact with and respects my agency enough to present me with the hard choices about what I do and don't want for myself has been a life-altering upgrade in something midway between "peace of mind" and "outright mental health". Much like you don't hear the sound of a busy city until you go somewhere truly quiet, you don't remember owning your own brain until you evict all of the entities who have been living rent free in it. Keep doing the great work you're doing: it's making people's lives better in dramatically more significant ways than most software. | | |
| ▲ | mbananasynergy 2 days ago | parent [-] | | We really appreciate the kind words! | | |
| ▲ | _blk 2 days ago | parent [-] | | I can only attest to that. Been using it for 3 years on a Pixel 6a. The only thing I'd wish for, is a scrolling PDF viewer. In any case, thank you for all the work so far! | | |
|
| |
| ▲ | Eavolution 4 hours ago | parent | prev | next [-] | | About the OEM, are you working on having devices ship with GrapheneOS, or devices be GOS compatible (i.e. same as the Pixels)? If you're thinking of devices shipping with it, would this fix the issue of Play Integrity/SafetyNet failing? That's the main reason I am running the android on my phone, as my banks don't work with Play Integrity failing and I have to use the app for 3DS. The ability to run GOS without this issue would be huge. | |
| ▲ | tenthirtyam 2 days ago | parent | prev | next [-] | | I can understand the GOS' rationale in choosing only the most secure phones. However, I'm more concerned about privacy, and not so much about security. It'd be great to have something like a "GOS-Lite" which accepts some security compromises in order to bring privacy to more people. (And yes, I understand that lower security means less privacy from targeted attacks but even GOS depends on OEM blobs, right?) | |
| ▲ | zvmaz 2 days ago | parent | prev | next [-] | | If it's a repairable phone like the Fairphone, that would be fantastic. Otherwise, I'm already very satisfied with what you offer. Thanks for you work. | | |
| ▲ | mbananasynergy 2 days ago | parent [-] | | Fairphone do not meet our requirements and haven't really been trending towards meeting them generation-by-generation. It doesn't seem to be something that interests them. The unfortunate thing is that they make security promises which aren't upheld in practice (such as shipping security updates on time), so it doesn't inspire confidence as an OEM you could trust to properly support a device for multiple years. We're hoping that there will be people who will enjoy a device from the OEM we're in talks with - we know that there are many people who for various reasons don't want a device from Google, so this will at least offer an option for people who want to use GrapheneOS on a non-Google device. | | |
| ▲ | hsbauauvhabzb 2 days ago | parent | next [-] | | I got curious and found this: https://discuss.grapheneos.org/d/7208-8y-security-updates-on... At the risk of doing their work for them, that seems like a near ideal partnership opportunity for graphene, so it’s extra sad to see. | | |
| ▲ | mbananasynergy 2 days ago | parent | next [-] | | It's important to note that these "8 years" aren't actually that in practice due to the delays. The latest generations of Pixels (starting with the 8th) have 7 years of actual security updates, which is one year less, but is proper support. Hopefully the industry trends towards that as a whole - buying devices that only get 2-3 years of updates should be a thing of the past. | | |
| ▲ | rjzzleep 2 days ago | parent [-] | | Isn't that related to how expensive it is to get licenses from MTK and Qualcomm for updates? Given that Pixels run on their "own" chip, driver support is probably much easier. |
| |
| ▲ | strcat 2 days ago | parent | prev [-] | | Fairphone devices have 1-2 month delays for partial security patches. They have a year or more of delays for new major releases. Their recent Fairphone 5 uses the Linux 5.4 LTS branch going end-of-life in December 2025 with no plan to port to a new LTS branch. Their past devices use end-of-life Linux kernel branches. They do not provide the expected security patches even shortly after release. They aren't doing the bare minimum and aren't even compliant with recent EU regulations for device updates. Google provided resources for the Linux kernel to extent LTS support for 6 years for their 5 year guarantee with the Pixel 6. It ended up not being needed since Pixels began moving to newer Linux LTS branches. The official Linux kernel LTS support is back down to 2 years. The 6 years was meant to benefit all Android devices but it proved to be too difficult to do well and it makes more sense to invest a far smaller amount of resources moving to new LTS branches. Fairphone presents providing an Android OS release 3 years after it was released as providing 3 more years of extra support compared to an OEM releasing it in the month it was launched as their final update. That doesn't make sense. They've repeatedly had blatant security flaws such as using publicly available private keys for signing the OS on the Fairphone 4. These issues are downplayed rather than being acknowledged. There are important security features missing, but the main issues are the lack of proper updates and their approach to security flaws being reported and discussed. Many Android OEMs are a better fit for a partnership with us and we're working with one. https://discuss.grapheneos.org/d/24134-devices-lacking-stand... is a better thread about this than the one you linked. | | |
| |
| ▲ | mixmastamyk a day ago | parent | prev [-] | | Why would their OS patches effect your different OS? It would be hardware you're supporting, no? |
|
| |
| ▲ | orbisvicis 2 days ago | parent | prev | next [-] | | I'm working my way down your requirements. > Hardware memory tagging I had to Google this. Is this like a fine-grained version of mprotect, i.e. associated permissions with each tag? Or are you only interested in the memory safety benefits? Regardless, why target requirements that even most desktop computers don't meet? | | |
| ▲ | transpute 2 days ago | parent | next [-] | | MTE is an Arm v9 feature subset of CHERI, https://news.ycombinator.com/item?id=30007474 | https://armor.ch/mte/hw https://discuss.grapheneos.org/d/8439-mte-support-status-for... > Hardware memory tagging is going to provide a massive increase to protection against remote exploitation for GrapheneOS users. It's the biggest security feature we'll be shipping since we started in 2014. | |
| ▲ | strcat 2 days ago | parent | prev | next [-] | | > Is this like a fine-grained version of mprotect, i.e. associated permissions with each tag? It provides the ability to tag 16 byte granules of memory with 4-bit tags where only pointers with the correct tag can access the memory. This provides an approximation of memory safety very useful for security. As an example of how it gets used, our implementation of the system allocators via hardened_malloc tags each allocation with a randomly generated tag excluding the adjacent random tag values and previous random tag value for the slot. It has the standard setup of a single statically reserved tag (zero) used for free memory but adds 3 more dynamic exclusions. This provides deterministic detection of small overflows, linear overflows, many forms of use-after-free and fallback to probabilistic detection of other spatial (bounds) or temporal (use-after-free) memory safety issues. We use a lightly modified variant of the standard MTE integration for PartitionAlloc in our Vanadium browser, but we plan to improve it to match hardened_malloc. We use the standard Linux kernel implementation for the internal Linux kernel allocators which needs a lot of improvement. > why target requirements that even most desktop computers don't meet? Desktop computers are far less secure than an iPhone or a Pixel with the stock OS. GrapheneOS exists to provide a higher level of privacy and security than those. GrapheneOS is primarily aimed at mobile devices which are almost entirely 64-bit ARM. Hardware memory tagging (MTE) is a standard ARMv8.5 / ARMv9 feature provided by every standard ARMv9 Cortex core. MTE is only missing with custom CPU cores or cache while cutting this corner. Pixels are not the only devices providing MTE. Exynos and MediaTek have provided it and Snapdragon should be providing MTE starting at the end of this year. The only reason Snapdragon is late to the party is due to their custom cores/cache. We're currently working with a major Android OEM towards multiple of their future devices meeting all of our requirements and providing official GrapheneOS support. They view all of our officially listed requirements as completely reasonable and a target they can meet for their next generation of devices. The purpose of GrapheneOS is providing a high level of privacy and security, not making security less bad for devices people already have. Hardware and firmware security matters quite a lot and software security depends heavily on hardware-based security features including MTE. Nearly all GrapheneOS users buy a device to use GrapheneOS and that would still be the case if we supported several other devices. The vast majority of Android devices lack proper security patches for drivers/firmware, are missing important hardware-based security features and don't provide serious support for using another OS where the security features can be kept intact. Samsung's flagships are closest to meeting our requirements after Pixels but do not allow another OS to use verified boot, important secure element features and more. Samsung permanently cripples their devices if they're unlocked and voids the warranty, unlike Pixels. The reason we're working with an Android OEM is because existing non-Pixel devices don't provide a base we can use to provide what GrapheneOS offers. It would be missing huge parts of the core features elsewhere and would be worse in significant ways than the stock OS. It would go against what we're trying to achieve to have people buy devices we can't properly secure. Long term support for drivers and firmware is also important because people use devices more than 3 years from launch in practice. Pixels get 7 years of proper support from launch, which is unique. A couple OEMs market their devices as having similarly long support but the updates are significantly delayed and far less complete. We've had numerous opportunities to work with OEMs where they weren't able to provide our requirements. We simply aren't interested in having a far less secure device with GrapheneOS as the stock OS. We expect our requirements to be met, and we think the OEM we're currently working with is fully capable of providing what we need. It will hopefully be available in 2026 or 2027. The initial goal is not doing better than Pixels, just providing a competitive alternative for people who want to use GrapheneOS on another brand of device. | |
| ▲ | 2 days ago | parent | prev [-] | | [deleted] |
| |
| ▲ | cromka 2 days ago | parent | prev | next [-] | | I really hope it's the Nothing Phone you're talking to. | |
| ▲ | leke 12 hours ago | parent | prev | next [-] | | This is great to hear. I hope the ORM has a budget model graphene can run on. | |
| ▲ | nicman23 2 days ago | parent | prev [-] | | that is great but i hope it is not a small run with a 200+ price as happens with the various linux phones. |
|
|
| ▲ | bubblethink 2 days ago | parent | prev | next [-] |
| What's ridiculous about it ? There are now 4-5 gens of Pixels with their major/minor bumps too (A series, pro, etc.). There's enough variety at different price points for everyone there. |
| |
| ▲ | konstantinua00 2 days ago | parent [-] | | 4-5 versions of the same phone in the gigantic sea of possible devices | | |
| ▲ | bubblethink 2 days ago | parent [-] | | The other devices don't meet the criteria. Be happy that Pixels are supported, for Google seems to closing down Pixel OS too, making this whole effort rather difficult. | | |
| ▲ | konstantinua00 2 days ago | parent [-] | | > The other devices don't meet the criteria you got it wrong way around the CONSUMER criteria is "we want better independent security ON DEVICES WE ALREADY OWN" complaints like in this thread are symptoms of unfullfilled demand - and they can't be solved by saying "oh gosh, what a stupid demand that doesn't agree with our supply" | | |
| ▲ | homarp 2 days ago | parent | next [-] | | car analogy:
I want my gazoline car to have hybrid engine. For free. vendor: not possible you: unfulfilled demand me: the way I see it, you get a product for free if you fulfill certain conditions. If not, you buy these conditions. | | |
| ▲ | Attrecomet a day ago | parent [-] | | What a bad analogy, acting as if the extra security could only be an all-in. | | |
| |
| ▲ | cwillu 2 days ago | parent | prev | next [-] | | Nobody said it was stupid, but you wanting something doesn't make it a requirement for a project with different goals. | |
| ▲ | rambambram 2 days ago | parent | prev [-] | | I was going to type something, but upon a second read I see you say 'consumer' instead of 'customer'. Fair enough. |
|
|
|
|
|
| ▲ | const_cast a day ago | parent | prev | next [-] |
| The maintenance burden would be wayyy higher and the satisfaction with the project would plummet. It's a catch 22. Support other devices, the software won't work as well or reliably or maybe buggy - users get pissed off. Spent the time to make it not buggy on other devices = now you're doing mor dev work than even Google. |
|
| ▲ | crossroadsguy 2 days ago | parent | prev | next [-] |
| I actually like Graphene's focus in Pixel. It is available in a lot of countries unlike Fairphone - via Pixel of course. So Graphene is actually not limited to the developed/western world. As for not supporting other devices, I believe the reason could be the team size and the fact that the fragmented Android world is known for unique shenanigans of every OEM. Besides Google's update/upgrade cycle is another reason it is an appropriate choice. |
| |
| ▲ | beeflet 2 days ago | parent [-] | | por que no los dos? | | |
| ▲ | gf000 2 days ago | parent [-] | | Because as mentioned, Fairphone has lackluster hardware security. You can have the best alarm system in the word, if you leave the back door open and anyone can just walk in from the street. | | |
| ▲ | beeflet a day ago | parent | next [-] | | Okay, but the danger of vendor lockout is very great because gOS only supports one brand of phone. The justification for limiting support to pixels is that it has trusted computing features, but these are made unnecessary by having a long password. You could just have some disclaimer on the grapheneOS site that says something like "Works best with pixel phones" or have some long password requirement on non-pixel phones | | |
| ▲ | gf000 a day ago | parent [-] | | > but these are made unnecessary by having a long password. Yeah, that's completely how security works... | | |
| ▲ | beeflet 2 hours ago | parent [-] | | It is. The idea behind using a embedded trusted computing device in this fashion is that you can store a AFU encryption/decryption keys in the trusted computing device and lower-entropy password like a 4-digit pin or biometrics, with the trusted computing device preventing a brute force attack. But this is unnecessary if your encryption password has enough entropy in the first place, because it cannot be brute forced. This is the security model of most linux distros that use full disk encryption with LUKS. And android already lets you do this, it is just less convenient. I use grapheneOS with a high entropy BFU password and a low entropy biometric AFU fingerprint. My linux setup works in the same way. The BFU password is the only "real" password that secures you and encrypts your data. The AFU password is a just temporary screen lock that is vulnerable to side channel attacks because the decryption keys are still in memory. |
|
| |
| ▲ | bornfreddy a day ago | parent | prev [-] | | Meh. Not all people have the strictest security (and privacy!) requirements. While it is admirable that GOS strives for perfection, I would be more than happy with a less secure, but repairable phone, such as Fairphone. So just give me that alarm system for my tent, please. It will do fine for my case. | | |
| ▲ | mbananasynergy a day ago | parent [-] | | We don't really strive for perfection. Pixels aren't really perfect and there are numerous suggestions we could make today for Pixels to drastically improve their hardware. Our requirements are in some way below what even Pixels provide today. Our requirements are not at all exotic or outlandish, the fact that most OEMs don't meet them says more about how far behind most OEMs are, rather than our standards being unrealistic. We've also been told that they're not unrealistic in practice from numerous OEMs who want to build a device that meets our requirements. It is also important to note for Pixels specifically that since the 8th gen Pixels, they receive 7 years of support. Additionally, they partner with iFixIt to provide official replacement parts for the duration of the device's life. I'd say that's pretty sustainable, especially when you consider that the Fairphone doesn't actually provide proper support for the amount of years they claim, since they have consistent delays in providing patches. | | |
| ▲ | bornfreddy 14 hours ago | parent [-] | | Ok, fair enough, if we are looking at software side of "repairs" (updates). However I'm talking about hardware side of things - with Fairphone I can remove and replace the battery by myself (or even carry a spare if I choose to), while e.g. in the newest Pixel, 9a, the battery is glued in place. As for the requirements, I will take your word for it. And I do appreciate that you put the emphasis on security as it is often overlooked. I guess what I'm saying is that having control over my phone (as opposed to BigTech or apps having the control) is for me a much higher priority goal than just security by itself. Hardware reparability is (again, for me) a close second. Anyway, I hope you find a good partner for the phones, and I'm curious to see what you come up with! |
|
|
|
|
|
|
| ▲ | beefnugs 2 days ago | parent | prev | next [-] |
| Sounds like google is going hostile to the project, so if enough of us miss it i guess we will have to work on new hardware support |
| |
| ▲ | mbananasynergy 2 days ago | parent [-] | | GrapheneOS community manager here. Google did make it harder to support Pixels, but we're still doing it and plan to continue supporting new Pixels provided they keep meeting our requirements. At the same time, we're in communication with an OEM to have some of their devices have official GrapheneOS support, so we're moving towards redundancy. |
|
|
| ▲ | metalman 2 days ago | parent | prev [-] |
| https://calyxos.org/
does a few other devices, seems aimed strait at true privacy |
| |
| ▲ | mbananasynergy 2 days ago | parent [-] | | GrapheneOS community manager here. I would recommend checking out https://eylenburg.github.io/android_comparison.htm for a third-party comparison of these projects. They're not really similar. CalyxOS downgrades security compared to the Android Open Source Project, often falls significantly behind on standard Android privacy and security patches as is the case right now (they still haven't ported to Android 16 which is required to have the latest patches) and doesn't provide similar privacy or security features. Features like Contact Scopes, Storage Scopes and our Sensors permission toggle are some of the privacy features includes in GrapheneOS. Privacy necessitates security. The security provided by GrapheneOS is in order to be able to protect privacy. | | |
| ▲ | spaqin 2 days ago | parent | next [-] | | According to the link you provided, it does seem to be ahead of stock Android (assuming AOSP) and LineageOS, disproving your point that it's falling behind. The point of the OP is not that it would be better than your solution anyway; rather, if you have a device unsupported by GrapheneOS, Calyx would be better than nothing. | | |
| ▲ | strcat a day ago | parent | next [-] | | > According to the link you provided, it does seem to be ahead of stock Android (assuming AOSP) and LineageOS, disproving your point that it's falling behind. The table shows CalyxOS has substantial delays for important privacy and security patches. It currently doesn't provide the 2025-06-05 patch level. It's better than LineageOS and /e/OS in that regard but still reduces privacy and security through significantly delayed patches. CalyxOS also weakens parts of the privacy and security model through the privileged functionality that's added, which simply isn't covered by the comparison table. > The point of the OP is not that it would be better than your solution anyway; rather, if you have a device unsupported by GrapheneOS, Calyx would be better than nothing. On Pixels, CalyxOS is missing current Android privacy/security patches. GrapheneOS doesn't support those other devices due to lack of a reasonable level of security. Each of those extra devices has significantly delayed privacy/security patches and lacks important hardware-based security features. Despite all the marketing about long term support, Fairphone 5 uses Linux 5.4 which is end-of-life in December 2025 with no plans on their part to move to a supported kernel branch afterwards. Earlier Fairphones are stuck on older end-of-life kernel branches. Those devices are missing basic updates and security protections. Those don't provide proper long term support, so if someone does have one it won't be long before it's time to buy another device. | |
| ▲ | rfoo 2 days ago | parent | prev [-] | | > Calyx would be better than nothing. Depends on your threat model. If Google, low-effort scam apps or being profiled by apps are your only adversary, then that's true. If random threats on Internet or APTs pwning your phone, or being forensic-proof are part of your threat model, then Calyx is strictly worse than stock. |
| |
| ▲ | pshirshov 2 days ago | parent | prev [-] | | > The security provided by GrapheneOS is in order to be able to protect privacy. But there is still no way to reset/spoof android device ids, and the apps can reliably identify the user after reinstalls. | | |
| ▲ | strcat a day ago | parent [-] | | Hardware identifiers aren't accessible to user installed apps. ANDROID_ID is a per-app-per-profile random ID. Apps don't need ANDROID_ID to identify that it's the same install due to immense fingerprint surface. If you installed the app in another profile, it would have a different ANDROID_ID, but it would still potentially be able to fingerprint it as the same device based on many things like settings. GrapheneOS does have planned features to improve these things but it's not nearly as simple as making ANDROID_ID per-app-install or making the MediaDRM ID more randomized than the current per-app random value (it was meant to be like ANDROID_ID but they make a mistake that's hard to fix without breaking compatibility so we need a toggle). | | |
| ▲ | pshirshov 12 hours ago | parent [-] | | I understand, but think it won't be correct to make claims about strong privacy while fingerprinting remains possible and as easy as on stock devices. I agree that GoS did a lot in order to improve privacy (scoping) and it provides unmatched security, but you shouldn't create false expectations. |
|
|
|
|
