If you have a Pixel -> Graphene, if not -> Lineage.
I personally don't care about "security" all that much, my main reason for using Graphene is freedom to use my hardware in any way I wish. This means unrestricted ability to run any program on the phone from any source. Sideloading restrictions don't apply to Graphene, and it is also impossible for state actors to impose things such as client-side scanning of text messages. It's also immune to unwanted AI anti-features.
I use my own "cloud" infrastructure with my phone and I am not interested in using Google's. My Graphene device is configured to route all traffic through Wireguard tunnel and my DNS server. I also use exclusively use my own email server and "cloud" storage for all non-work related purposes. Graphene makes this easy by not leaking any information to Google.
Don't understand your statement about avoiding client-side scanning of text messages. I've always assumed it would be done by the apps themselves, e.g. WhatsApp, Telegram, etc..
That sounds amazing. I aspire to get a setup like yours. I am on a Pixel with the stock OS and I can't stand the way Google is pushing AI into everything on my phone.
I haven't switched it to Graphene OS yet because I read that there are issues with NFC and a few other things. I assume this new phone won't have those problems so I think that will be my catalyst to do a big overhaul.
GrapheneOS wants to make a FOSS Android with the security model that makes it hard for any bad party to break into the phone.
LineageOS wants to make a FOSS Android that respects user's privacy first and foremost - it implements security as best as it can but the level of security protections differs on different supported devices.
Good news is that if you have a boot passphrase, it's security is somewhat close to GrapheneOS - differing in that third parties with local access to the device can still brute-force their access whereas with GrapheneOS they can't - unless they have access to hardware level attacks.
How can LOS's security be somewhat close to GOS if it's worse than OEM? LOS lacks verified boot, hardware security features, it's often behind is security patches.. With "advanced protection" enabled stock OEMs are even more secure, but GOS is even more secure still. When it comes to EOL devices, LOS may be more secure than OEM depending on your threat model.
Nice! Thanks for the link. I noticed they didn't mention MOCOR OS (for the new Nokia 3210), but then I remembered that that's not an Android version. I'll see if they can add it somewhere else.
Unrelated, but this led me to find gnuclad, which may be somewhat externally maintained and is used to create the cladogragms.
It might be important to mention, that Lineage OS is available on a number of the devices abandoned by their original vendors, so sometimes it may be a much better solution to get a Lineage OS onto their former "flagship" which stopped getting updates 18 months after the release.
So if the bootloader can be relocked and not passing Play Integrity scam is not a problem, Lineage may be a better option. Better than nothing, that is.
GrapheneOS is a locked-down, security-hardened system that's good if you need absolutely maximal security (e.g. journalists, activists, folks targeted by state actors). LineageOS is a more of an open system for tinkerers who want to play outside Google's walled garden.
You can have root to control your own device on Lineage, but not Graphene.
It's not really locked down. You can toggle or enable some of the more activist-orientated features. The only limitation I'm aware of is that some apps requiring the strongest Play Integrity setting (ChatGPT, some banks, very few airline apps) just won't work on GrapheneOS.
Graphene OS provides advanced security capabilities and a thorough defense-in-depth approach including a hardened supply chain. GOS aims to provide mechanisms to protect against 0day attacks. For example Celebrite can not open up GOS. GOS relys on hardware support provided by Pixels. Graphene OS works on getting their developments upstream.
drnick1|2 months ago
I personally don't care about "security" all that much, my main reason for using Graphene is freedom to use my hardware in any way I wish. This means unrestricted ability to run any program on the phone from any source. Sideloading restrictions don't apply to Graphene, and it is also impossible for state actors to impose things such as client-side scanning of text messages. It's also immune to unwanted AI anti-features.
I use my own "cloud" infrastructure with my phone and I am not interested in using Google's. My Graphene device is configured to route all traffic through Wireguard tunnel and my DNS server. I also use exclusively use my own email server and "cloud" storage for all non-work related purposes. Graphene makes this easy by not leaking any information to Google.
user2722|2 months ago
blurker|2 months ago
I haven't switched it to Graphene OS yet because I read that there are issues with NFC and a few other things. I assume this new phone won't have those problems so I think that will be my catalyst to do a big overhaul.
zekica|2 months ago
GrapheneOS wants to make a FOSS Android with the security model that makes it hard for any bad party to break into the phone.
LineageOS wants to make a FOSS Android that respects user's privacy first and foremost - it implements security as best as it can but the level of security protections differs on different supported devices.
Good news is that if you have a boot passphrase, it's security is somewhat close to GrapheneOS - differing in that third parties with local access to the device can still brute-force their access whereas with GrapheneOS they can't - unless they have access to hardware level attacks.
akimbostrawman|2 months ago
GrapheneOS is both in terms of security and privacy the best but currently only supports pixel phones.
LineageOS is trying to support as many devices as possible still with lot of google connections and missing security updates.
>Good news is that if you have a boot passphrase, it's security is somewhat close to GrapheneOS
its not anywhere close https://grapheneos.org/features
Itoldmyselfso|2 months ago
https://eylenburg.github.io/android_comparison.htm
worldsavior|2 months ago
the_biot|2 months ago
Is that actually true? It's such a big deal, and I see little to no work being done on this front.
Anyone have any idea what GrapheneOS actually deblobbed?
rolandog|2 months ago
Unrelated, but this led me to find gnuclad, which may be somewhat externally maintained and is used to create the cladogragms.
uneekname|2 months ago
mcsniff|2 months ago
LineageOS has a place for those who care less about security and more about features, "freedom", compatibility, community etc...
I was a LOS user and maintained my own forks for devices, but switching to GrapheneOS was a good decision and I don't really miss anything.
subscribed|2 months ago
So if the bootloader can be relocked and not passing Play Integrity scam is not a problem, Lineage may be a better option. Better than nothing, that is.
ForHackernews|2 months ago
You can have root to control your own device on Lineage, but not Graphene.
arcanemachiner|2 months ago
jasonvorhe|2 months ago
xxmarkuski|2 months ago
For a list of security features see here [0].
[0] https://grapheneos.org/features
preisschild|2 months ago
https://eylenburg.github.io/android_comparison.htm