Remix.run Logo
CommenterPerson a day ago

Thank you. I have the same worry. I'm not a developer, how could one tell there isn't some built in backdoor in the hardware? There was another HN posting on Graphene and asked the same question there with no answer.

strcat a day ago | parent [-]

The same thing could be said about any hardware. Pixels receive by far the most privacy and security research of any devices. They're by far the most secure Android devices and the only ones providing competitive security with iPhones. They're the only devices with even a reasonable level of security combined with proper alternate OS support. Our hardware requirements are listed at https://grapheneos.org/faq#future-devices. These are very reasonable requirements for industry standard security features, standard updates and the ability for GrapheneOS to use those standard security features. There are other devices with all the major features listed there but not the ability for GrapheneOS to use all of them. Updates are a major issue for all non-Pixel Android devices including the ones advertising lengthy support.

GrapheneOS is working with a major Android OEM towards their future devices providing the expected hardware-based security features and updates, unlike their current devices. The purpose of GrapheneOS is not specifically avoiding Google but if you want hardware from another large tech company to use with GrapheneOS, you'll have that option. The initial goal for these devices is providing a similar level of security and long term support to what we already have with Pixels. In the longer term, we want to have add hardware-based security features unavailable on Pixels or iPhones along with hardening below the OS layer.

For now, Pixels are the only viable option for us to use. We're actively working on changing that but we're not going to simply greatly lower our standards and support devices where we can't adequately protect users. There's no evidence of any backdoor and it's contradicted by how exploits are developed and used. There is plenty of evidence that other devices lack comparable security.

https://discuss.grapheneos.org/d/14344-cellebrite-premium-ju... shows an example where only the Pixel 6 and later / iPhone 12 and later have brute force protection which holds up against the most sophisticated company developing forensic data extraction tools. We have access to more recent documentation showing the same thing.

Why do governments buy exploit tools from NSO, Cellebrite, etc. and develop their own if they supposedly have backdoors in devices? Why would using a device from Samsung or Sony protect against it if they did?