I hear many people say that the Google Pixel is good for privacy, but is it?
I’m asking this because I find it weird, of all the companies, Google having the most “privacy”.
You can install on it a lot of custom ROMs, including GrapheneOS and CalyxOS.
additionally you don’t need to jump across several hops to flash custom roms on Pixel phones (or tablets)
it’s easy as using a web browsermeanwhile custom roms on Xiaomi or Samsung are a huge pita to setup and require almost shady looking korean or chinese (windows) applications
About how Pixel is more private… Pixel ‘only’ has Google’s tracking; other manufacturers have their own tracking, *on top/in addition* to Google’s tracking.
Installed GrapheneOS and adjusted my google settings to track everything they can, then I checked to see how much data that got collected, it is almost nothing.
This is gonna be a foolish and stupid question but how did you check how much data was being collected?
Google take out
Under GDPR you have the right to download the data they have about you, so google has a page where you can do that. That being said I doubt that is everything they track, I’m probably still getting fingerprinted and tracked by ip, but still thats a lot less info collected on me and most importantly that data is less valuable to sell.
There are different aspects.
As has been said, the first one is that with a Pixel, the company manufacturing the phone and providing the OS including all standard apps is just Google. As all parties involved will try to spy on you (generally), having just one involved beats multiple. If you’re using Android, Google will usually be involved anyways, so a pixel is the only device where it’s just Google instead of Google + another party. You get the stock Android experience, without anything forced on top.
Also, Pixels are relatively cheap, come with long update support and quick security updates. Generally, Google is one of the better companies when it comes to security. From the hardware side, Pixels are some of the most secure devices.
I don’t know whether iOS on an iPhone or Android on a Pixel is more private out of the box. From what I know, the difference isn’t too big. However, Android is more secure, as evidenced by higher exploit prices for Android than for iOS.
And Android, especially on a Pixel, gives the user a lot more options to make the phone more private. Not only can you install F-Droid, Accrescent or Obtainium — you can also just completely get rid of Google by opting for an AOSP custom ROM. The best option for privacy, security and usability here is GrapheneOS, which only works on Pixel because they’re the only devices meeting their security standards.
So Pixels at worst are a cheap, long supported, secure Android device with less parties spying on you. At best, they can be fully degoogled, alternatively almost degoogled with great usability (Sandboxed Google Play), extremely secure devices. No matter how much privacy/security you want to achieve and how much resources you want to put into that, for everyone from “I have nothing to hide” to Edward Snowden, Pixels are a great choice. In my opinion, the best.
Commenting from my GrapheneOS Pix6, I actively prefer GOS to stock, and get a sense of disdain or my soul sighing every time I pick up my stock rom Pix6 now.
I bought my girlfriend a Pixel 6A as birthday gift last year and whenever I use it I’m blown away by how smooth and fun everything feels on GOS. Every other Android I use feels so sluggish, blown up and hard to use in comparison
I was explaining today to a close friend that I (anecdotally) have noticed a significant reduction in battery usage on my GOS pix 6.
The whole device feels snappier, more responsive, and I can certainly attest that I got 9+hrs out of this thing at max brightness playing terraria. Can’t say the same for stock rom in the same conditions, while I don’t have the technical knowledge to prove it (and I’m happy to be proven wrong) I’m convinced the majority of my stock rom Pix’s battery is eaten by proprietary software phoning home.
With that said, unless I go out of my way to disable certain privacy aspects of this phone or implement spmit-tunneling on the VPN it’s set to go through, unfortunately many sites/apps break. For these instances I generally use the stock pix. (Eg. Gov services/KDE Connect).
Hey, which app do you house to get emails? I don’t think there is a thunderbird port for Android, is there?
Will I be able to use such an app with Google emails without play services being installed on the device?
K-9 Mail for Android has merged with Mozilla and will eventually be renamed to Thunderbird. Its UI has seen a lot of improvement these past couple of years, and the backend has always been reliable for IMAP (including push notifications).
Thanks. I’ll take a look. Apologies for the late response
Sorry for the delayed response here, however I primarily use a proton address, and I currently have a redirect in place for my Gmail to the proton. My intention is to close the Gmail all together, however that’s not yet possible as I will likely miss important emails in the process, I am (as discovering) updating my email addresses for each service as it becomes known so as to avoid such occurrences.
As it stands, I have GPS on another user profile to add to the security provided by GOS sandboxing, not that I don’t trust GOS devs, I don’t trust GPS not to sneak in somehow.
I hope this answers your query, do dm me if need be for further explanation.
Edit: I cannot speak further as to email clients, as I have yet to perform further experimentation. I do intend to get to it soon, though if you beat me to it, do message me to let me know how you went and what you’d do differently.
Edit pt2.: I have checked, both my pix6’s were from a close batch and manufactured the same month, I suspect due to this battery degradation is not applicable.
Apologies for the late response.
Could you explain more about how you’re using GPS whilst it is maintained in a different profile? How does GPS interact across profiles (which I assume is a prerequisite to use Google’s email addresses on one’s mobile)?
Wouldn’t say they’re cheap though. Maybe compared to flagships, but def not to phones most people can afford.
I get a lot of use out of Google wallet. Can that be sandboxed on graphene?
Google wallet is one of the few apps that don’t work on GrapheneOS.
Most banking apps actually do work
However, Android is more secure, as evidenced by higher exploit prices for Android than for iOS.
that could be attributed to market share.
Yeah. I thought it was weird, but the stock Pixel is very secure, and if you install Graphene OS, it is even more so. Additionally, Graphene OS sandboxes The Playstore Apps, and gives you much more control over what the Apps you install are allowed access to. You have to go way out of your way to make it less private than the stock OS, and you pretty much can’t make it less secure than the stock OS.
You can get almost anything that works on the stock Pixel working on Graphene OS except for Google Wallet and the Android drive app. Banking Apps work, Google Apps work (but you might as well try to use alternatives).
I had an iphone for years, but after using Graphene OS for the past 3 months, I can honestly say I’ll do everything I can to not go back.
GrapheneOS on a Pixel 7 is one of the best decisions I ever made. You can sandbox the shit out of all apps and granularly control the permissions in addition to outright cutting off network access to apps that would otherwise be doing background telemetry garbage all the time.
If you’re terminally online and just can’t imagine life without all the first party Google apps, you’ll disagree with me. But otherwise it is a great decision. F-droid and Aurora Store are awesome. (You can still manually install and use stuff like the Google camera app, Maps and others. Just never sign in to first party G Apps, be careful with your permissions etc. and you’ll retain 90% of the functionality while not having the privacy downsides.)
I’ve been using LineageOS+MicroG with very little google software (only maps) and it’s been working great. Any reason I should switch to Graphene? I noticed the main dev seemed to have some disputes and interesting personality characteristics, so I was a bit hesitant to adopt. I also had an irrational “I wouldn’t be surprised if 3 letter agencies are involved” vibe about Graphene, but nothing concrete.
Removed by mod
That’s quite a statement, are you sure about that? The Graphene team has done a considerable amount of work sandboxing the environment of Google Play, both in memory, permission structure, and IO access that MicroG completely blows past. Given how the Graphene sandboxing works, I actually can’t think of a scenario where the statement that MicroG is more private than Graphene sandboxed Google Play. In either scenario you don’t have to log in, so I’d much rather have an environment that has been isolated than tooling that still has tendrils reaching into the main OS itself (MicroG).
Yeah one important key is not logging in. If you use Aurora store to install apps, and don’t log into any Google apps, Google can’t be certain of your identity enough to tie it to your previous Google account. I guess they could probabilistically match you based on stuff like your location in Maps app vs. a previous normie device known to be “you”.
One thing I’d like to test is the implications if you log into Gmail on the hardened Vanadium browser and then log out. I would think it would still be pretty safe on Graphene because Google would have no access to other apps activities on the device and even location requests don’t get routed to Googles geolocation service unless the user specifically turns that back on.
Does the Gmail app work in grapheneOS?
Gmail will work fine, including push notifications, assuming you enable Google Play Services. Using either will of course come at the cost of privacy.
Yes it should although you may not get notifications of emails. I’d use ProtonMail or Tutanota instead anyway.
Yes, it is. I mean, GrapheneOS is the gold standard for privacy&security, but even stock Pixel is a good step up. Think of it like this: on stock Pixel, only Google is tracking you, not Google + Samsung, or Google + Xiaomi. Just Google. It’s guaranteed to be a step up from all other Android phones, stock or not.
Wow the fact that this is considered good is depressing
Technically it is just better than the worst possible case, which is two companies or more spying on you instead of one that was already spying on you. It is still bad but better than the worst case.
Wait since when a monopoly is preferable to a duopoly? As far as I’m concerned if I can’t have 0 companies to spy on me I’d rather have them all fight each others in the data space…
In this case they don’t fight, they exploit your data in different ways and if one of the exploiters isn’t arsed to keep your data secure then everyone gets it and it’s not just corporate actors profiting from you but more harmful actors including scammers using your data.
Install GrapheneOS on it and it will be. Remember, security and privacy are two different things. You can be very secure without being private, and you can be very private without being secure.
Google Pixels by default are pretty secure, but not private, at least not to Google.
I’d argue yes.
I see Google as a known unknown, where as various other Chinese phones are unknown unknowns.
I acknowledge I have western bias, but the propaganda, human rights violations and control of the CCP is well understood.
At the very least Pixel let’s you flash an alternative OS.
Basically every Chinese phone has a great custom rom support
Xiaomi phones used to be good for custom ROMs, but now they try to stop you unlocking the bootloader by making you wait an unreasonable amount of time after first registering the device with them before you can unlock. Many of the other vendors are even worse.
So from that perspective, Pixel devices are not a terrible choice if you are going to flash a non-stock image.
Waiting a bit has been normal for years already. And it’s not a big deal at all. It’s to stop reselling the phones
Wait times are as high as 2 months (depending on how old the phone model is, etc…), and even as a regular Xiaomi customer, their support never seem to allow anyone to skip the wait, even if for example they broke their old phone and want to set up a new one like the old one (ask me how I know). During that period, MIUI is like a data collection honeypot, sucking up your PII and serving you ads.
It might be ‘normal’ now to Xiaomi customers to wait to be able to unlock the phones that they have paid for and own (perhaps in the same sense someone in an abusive relationship might consider getting hit ‘normal’ because it has been happening for a while), but the idea that the company who sold you the phone gets some say on when you get the ‘privilege’ of running what you like on it, and make you jump through frustrating hoops to control your own device, is certainly not okay.
If they just wanted to stop reselling phones with non-Xiaomi sanctioned malware / bloatware added, making the bootloader make it clear it is unlocked (as Google does, for example) would be enough. Or they could make a different brand for phones that are unlocked, using the same hardware except with a different logo, and let people choose if they want unlocked or walled garden.
However, they make money off selling targeted ads based on information they collect - so I’m sure that they probably don’t want to do any of those things if they don’t have to, because they might disrupt their surveillance capitalism.
Ok, wall of text aside. Now I’m sure you’re bsing. It’s never been 2 months or even longer. Literally every Xiaomi or Poco is that you register and then you wait 1 week and then unlock with the pc. No weird ass wait times. You don’t even have to use it. I have done this for like 8 models old and new already. The Mi unlock app doesn’t even have software for other times.
Also the bootloader does display that it’s unlocked. But even with a ‘warning’ most people wouldn’t care and that’s what Xiaomi still wants to prevent.
Here’s another source about 2 month wait times sometimes, if you don’t believe me: https://www.xda-developers.com/xiaomi-2-month-wait-unlock-bootloader/. It has never personally been 2 months for me, but it has been over a week before for me, and their support team refused when I asked nicely to shorten it despite the fact my daily driver phone was broken and I couldn’t restore my LineageOS from backup - I just had to wait. That’s why I don’t buy Xiaomi stuff any more.
The wait time is determined by their servers, which sends a cryptographically signed certificate specific to the serial number of the device that the bootloader reads. The key to sign the certificate stays on their servers, and the client just calls to the server, and either gets a response saying to wait for this much longer, or containing the certificate. Xiaomi explicitly call it ‘apply for unlocking’ (e.g. see the title of https://en.miui.com/unlock/index.html), as in, they think it is their right to decide who gets to decide what runs on my hardware I’ve bought from them, and us mere consumers must come begging to them and ‘apply’ to unlock.
You don’t even have to use it
The bootloader is designed not to boot anything except MIUI without the certificate from the unlocking tool. While there are open source clients (like https://github.com/francescotescari/XiaoMiToolV2) they still work by calling Xiaomi’s server to get the unlock code, so if you want to run anything except Xiaomi’s MIUI (which is a bad idea from a privacy perspective), you kind of do have to use it (at least their server). The only way around it would be if someone found a vulnerability in the bootloader or the processor itself that allows for the ‘treacherous computing’ aspect of the boot to be bypassed without the certificate - and as far as I’m aware there isn’t a reliable approach yet for that.
And rootkits on the chips. If not now then when.
Here’s your tinfoil hat
Graphene only supports Pixels officially because of how easily you can unlock the bootloader
That’s not the only reason, you can also unlock the bootloader of a FairPhone very easily and they’re still not supported.
it’s because of the Titan M chip, not because of ease of bootloader unlocking. Pixel’s have much higher hardware security with only iPhones and their secure enclave matching it afaik.
Not the stock os. You need to flash something else and relock the bootloader to take advantage of the pixel
Google Pixel hardware is focused on providing a private relationship between the user (your data and behavioral patterns) and Google.
Depending on your threat model you can flash custom roms to enhance your privacy and security posture.
A lot of folks here seem to be of the “…just flash GrapheneOS and you’re good…” crowd but it’s not that simple and there are trade-offs that impact usability and user experience.
There are a lot of interesting projects out there to choose from. Best advice is to work-up your real world threat model and do your reasearch.
You may find Louis Rossman’s experience with GrapheneOS relevant: https://www.youtube.com/watch?v=4To-F6W1NT0&t=1
Here’s a few links to help get you started - there are many android projects. I am not affiliated nor am I explicitly endorsing any of these projects.
CalyxOS https://calyxos.org/
LineageOS https://lineageos.org/
HavocOS https://havoc-os.com/
ResurrectionRemix https://resurrectionremix.com/
DerpFest https://derpfest.org/
PixelExperience https://wiki.pixelexperience.org/
GrapheneOS https://grapheneos.org/
Yeah the developer is very dramatic, but the project itself is still amazing. He did step down from lead, but the dude is a genius programmer. I’m still very confident on having it on my phone. I was using CalyxOS before, which I really like, but the sandboxed play services were a really killer feature for me on GrapheneOS.
With GrapheneOS on it yes, except if the hardware secretly sends data .-. Without, no.
It’s one of the better options.
For a start, even if you run it stock, it’s somewhat on par with the iPhone (depending who you ask). You’re trusting one company with your data, Google. You’re not trusting Google AND Samsung, or Google AND Huawai. It’s just Google. Plus Google does offer good security, so your data/device is pretty secure. In comparison to Samsungs Knox… while better than a lot of other Android security stuff, is kinda bad.
Though, the real privacy win for the Pixel, is it DOES allow you to modify it. You can remove Google’s version of Android, and change to Calyx or Graphine OS. Both of which are fantastic options, that allow you to really lock things down.
Google claims to do some processing on their own tensor chip locally so it might reduce some data being sent to Google, but it doesn’t limit them from tracking you. With Pixel, you are only being tracked by Google and not Samsung or other manufacturer
Not sure how I should feel about that. It’s highly likely any party engaged in tracking activities will try to grab as much data as they can. So a non-Google device seems like it would be doing twice the amount of data collection.
But considering Google also controls the hardware design of the Pixel, it wouldn’t surprise me if they have some additional tricks up their sleeve.
What we really need is a full open-source phone, including firmware. Maybe we’ll get there one day.
A part of that is due to the fact that you now only have one company to worry about collecting data, rather than both the manufacturer(think Samsung) and then Google too.
They also play the best with options like Grapheneos or Calyxos
Just install GrapheneOS. The only things that don’t work on it are Google Pay and Android Auto.
I sorely miss the hardware features from my previous phone, like a notification LED, MicroSD card slot and headphone jack, but I can’t go back to a phone where I can’t re-lock my bootloader after installing a custom ROM like CalyxOS or GrapheneOS.
MAC address randomisation is pretty neat too.
I can’t go back to a phone where I can’t re-lock my bootloader after installing a custom ROM
Is this something that only certain models of phone are capable of doing? Or is it a new Android/hardware feature that only new phones have?
It requires a flashed rom with a valid (key signature? Crap, forget what it’s called).
If you flash an unsigned kernel and try to boot lock, it’ll brick.
I get from an absolute security perspective why this is deemed important, I just feel there’s a bit too much focus on it, as if an unlocked bootloader is really that insecure. It would still take tremendous effort to get the encryption key for storage, so it’s pretty effectively secure still.
With unlocked bootloader you can dump the data and brute force the password. With locked bootloader on pixel devices, you can’t even do that.
From what I’ve read, that doesn’t really work - you’d need the encryption key, not the pin/password, because of how the encryption platform works.
Again, it’s been a while, and this isn’t my field. I just remember being properly surprised at how little I understood - that the pin/password are merely keys to accessing the encryption key, and it’s all tied together in validating during hoot. Like you can’t image the system and drop it in another phone if it’s been encrypted, even if you have the pin - the encryption system on the different hardware would calculate things incorrectly (I did this once, dropped an encrypted image on a duplicate phone. That was fun trying to figure out why it wouldn’t work).
There’s more to the puzzle that’s frankly above my pay grade, but last time I read about how to get into an encrypted phone, (even boot unlocked) required the expertise and tools of certain types of folks. Not your average “haxxor”.
Granted, that expertise and those tools are getting closer to us every day…
I thought the security chip was being disabled when unlocking the bootloader but apparently it just skips image validation.
So basically you can flash anything (which kinda is what you want). You could theoretically also modify the system files to being able to bruteforce your pincode.
Unlocking the bootloader also makes your device less secure in other ways. When there’s a root exploit in Android verified boof safes you from it being exploited.
Good point about root exploit. It’s a potential.
Thing is, every Linux server and windows box suffers the same risk… But we don’t hear “the sky is falling” about those… Because it’s considered a measured risk and security is layered. As it should be.
Hell, people still run windows laptops unencrypted today - which is far worse than an unlocked bootloader on Android.
But you also don’t usually safe your whole identity to the cloud
It’s specific to the bootloader of a given device. Most devices don’t seem to support being locked with custom OS images using self signed keys.
like a notification LED, MicroSD card slot and headphone jack
Ah, another Galaxy S9?
An Asus Zenfone 6. Still ended up being a regrettable purchase for other reasons.