I’m considering the switch to GrapheneOS, so I watched this interview with one of the members of the GrapheneOS team, and honestly, I feel it was a great general introduction to it and touched on common features and misconceptions.

For those who don’t know, it’s one of the most secure and private mobile operating systems out there. Some things that I took away:

  1. They touched upon MAC randomization. I researched a bit on my own about what the need for it is. Apparently, it’s standard practice to randomize MAC addresses when scanning WiFi connections. However, GrapheneOS (and Pixel firmware) are even better at this, as they make sure they don’t leak any other identifiers when doing so. They also allow you to get a new random MAC for every connection that you make (not sure whether this is very useful, as this can cause problems). On a related note, even when WiFi/Bluetooth are “off,” stock Android can still scan in the background to improve location accuracy (by matching visible networks/devices against Google’s database). So basically, even with WiFi/Bluetooth off, Google still knows where you are. In GrapheneOS, this option is off by default.

  2. They have their own reverse proxies that they use to talk to Google on your behalf when needed.

  3. Apparently, in the USA you can be compelled to provide a fingerprint or Face ID. Courts have ruled this doesn’t violate the 5th Amendment because it’s physical, not testimonial. BUT you cannot be compelled to provide a password/PIN. That’s considered testimonial evidence, protected by the 5th Amendment. GrapheneOS has a two-factor system where, after using your fingerprint, you still need to enter a PIN, so it helps with this. They also have a BFU state after reboot, which is the safest and requires you to enter your full passphrase.

  • rosco385@lemmy.wtf
    2 days ago

    The only thing I missed when switching to GrapheneOS from Android was Google Pay, and that wasn’t that big of a loss.

    • chasteinsect@programming.dev (OP)
      2 days ago

      Yeah, as they said, most banking apps now work; however, Google Pay doesn’t.

      There are alternatives to it like Curve Pay, but I haven’t done the research on whether they’re trustworthy enough. EU company, I think.

      • Coleslaw4145@lemmy.world
        1 day ago

        I tried to set up Curve on my Pixel 7 with GrapheneOS and it wouldn’t let me create an account. After filling in my contact details, the app just said “We are unable to verify your identity” even though it never even asked me to show ID (I never reached that screen).

        When I emailed Curve customer support (which is terrible btw, there’s about 2 months between replies) they just said things like “We cannot offer you an account at this time” and “We were unable to verify your identity” and “We are unable to disclose the reason for denial for security reasons”.

        I’m not sure if GrapheneOS had something to do with it.

        So just in case, if you want to set up Curve, maybe create the account first on a non-Graphene phone, then log into the app on Graphene after the account is already created.

    • PearOfJudes@lemmy.ml
      2 days ago

      You have to install GrapheneOS’ Google Play (sandboxed) and services for banking and government apps. And you can install Google Play with stock Graphene, it is very easy.

      • pmk@piefed.ca
        2 days ago

        In my country everything is built around this 2FA app that requires Google Play Services. But a phone with GrapheneOS and sandboxed Google Play should be better in total than just running stock Android, I guess? I wish I didn’t need Google Play Services, but currently I do.

        • zqps@sh.itjust.works
          1 day ago

          Yes. The top comment says Google Pay, not Google Play. The sandboxed play API has worked well for me personally.

        • chasteinsect@programming.dev (OP)
          2 days ago

          The threat level for Google Play services is different in GrapheneOS, as it runs in what they call an “appbox,” which basically means Google Play is just another app that’s sandboxed like everything else.

          • pmk@piefed.ca
            1 day ago

            Would there be any benefit in running Google Play services in a private space, or does the sandboxing already provide that separation?

            • chasteinsect@programming.dev (OP)
              15 hours ago

              I don’t think so. From what I gathered, the only thing Play Services can see on GrapheneOS is the list of other apps you have installed. That’s it. They can’t see anything else unless you grant access to it. You’re not giving Google root access to your phone, you’re just installing an app that happens to be made by Google, and it’s locked down like everything else.

              Edit: https://youtu.be/YB01HHFitFA?t=625 I just saw this video; apparently apps can still communicate with each other, so you might want to isolate if that’s something you’re worried about.