It is fantastic to hear you're considering GrapheneOS for your device. Please, if you have any questions at all, reach out to me and I will be more than happy to provide any up-to-date information/answers that you might have, should the documentation on our site not cover it.

Just as an FYI...

GrapheneOS and CalyxOS are much different. GrapheneOS is a hardened OS with substantial privacy and security improvements:

https://grapheneos.org/features

CalyxOS is not a hardened OS. It substantially reduces security. It recently went 2 months not shipping standard security patches.

Compatibility with Android apps on GrapheneOS is also much different. GrapheneOS provides our sandboxed Google Play compatibility layer:

https://grapheneos.org/usage#sandboxed-google-play

You can run the vast majority of Play Store apps on GrapheneOS, but not on CalyxOS with the problematic microG approach.

CalyxOS is closer to LineageOS; they both share the same issue above, and they both always use multiple Google services too while giving them privileged access, even if users don't use microG. It would be wrong to imply they don't use Google services. microG is of course an implementation of Google services. GrapheneOS doesn't use Google services by default.

To clarify further, they always use Google services even without microG. They use Google for connectivity checks, network time, attestation key provisioning, SUPL, DNS fallback (LineageOS only), PSDS (Pixel 6 and 7), eSIM activation and more, enabled by default.

https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ is a 3rd party article explaining some of the substantial differences between GrapheneOS and CalyxOS. It's a common misconception that they're similar. CalyxOS is far more similar to LineageOS than GrapheneOS. There are many other alternate OSes available.

https://privsec.dev/posts/android/choosing-your-android-based-operating-system/ is another article about privacy and security differences between alternative Android-based operating systems.

PrivSec also have a community resource for banking apps that work on GrapheneOS that can be contributed to; make sure to check the issue tracker too for submissions that might not be on the list yet.

https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

Discussion

Thanks! I am leaning toward graphene. :)

Thanks for your detailed response Metroplex!

I'll be taking a look at the links you posted.

It's great to see you on Nostr.

💪🤙

This is awesome. I will have to go through some steps to get off a proprietary 2FA app before I can try again. Thankfully I already moved to a private vaultwarden instance for passwords, so I'll be able to move 2FA there.

So, I’m reading through https://grapheneos.org/faq#security-and-privacy and see “the baseband is isolated on all of the officially supported devices” … were GrapheneOS Pixels affected by the Samsung baseband remote code execution vulnerabilities Project Zero disclosed earlier this year?

All Pixels were; however, once an attacker has taken over a baseband via a remote code execution exploit, they could potentially have another exploit for the OS. Hardening the OS, including drivers, against exploitation from hardware components is often overlooked. Drivers can accidentally trust hardware.

GrapheneOS can't directly harden the firmware/hardware itself, but we do harden the OS against being taken over from compromised firmware/hardware in these situations.

Therefore, on the OS level it was mitigated against, yes.

Then once the patches were available we rolled them out instantly.

Something you need to be aware of though is while this particular exploit received a lot of attention, things like this are commonly found in security bulletins and updates and can only deal with known knowns, not known unknowns. The latter requires constant vigilance and GrapheneOS goes a long way in ensuring best protection from them. We are not currently aware of any in-the-wild vectors compromising the OS.

It is that very isolation via IOMMU that enables this.

Thank you for this great response. I really appreciate it. I think you’ve convinced me to try graphene as my next phone OS. 🖤🔒

I’ve been running it for about a year now and I like it.

Cool! What did you use prior to GrapheneOS?