Now, don’t get me wrong, I like the premise of GrapheneOS. The security features it offers are great. However, you’re sacrificing useful hardware features by using it.

Currently, the only phones that support GrapheneOS are Pixels, which lack the microSD card slot, dual SIMs, and a HEADPHONE JACK! To me, those features are not worth sacrificing for a little extra privacy.

Compared to LineageOS, however, they support a broad range of devices, even Pixels. I can look through their supported devices and find one that has a headphone jack, microSD card slot, dual SIMs, etc. Yes, it’s less private than GrapheneOS, but it’s still more private than stock Android or any of those other OEM ROMs (OneUI for example).

You can still keep some privacy using LineageOS while preserving functionality with projects like MicroG.

Overall, I think for the time being, unless you are really paranoid or live in an anti-privacy area, LineageOS is the better OS to use than GrapheneOS due to still gaining some level of privacy while preserving useful hardware features. Once GrapheneOS branches out from Pixel phones, I might change my opinion.

  • AmbitiousProcess (they/them)@piefed.social · 19 upvotes · 4 days ago

    GrapheneOS supports Pixels specifically because they have the most hardware security features out of any OEM, which guarantees a lot of security compared to other flagship vendors, because GrapheneOS can utilize them to provide certain security benefits that even Google themselves chooses not to implement on stock Pixel Android.

    For example, Pixels support memory tagging (protects the integrity of apps and the OS), have the hardware required for a solid verified boot integration (which allows the whole OS to be encrypted), randomizable MAC address, ability to disable USB at the hardware level, debugging features not being available when the device is locked, and a metric ton of other things.

    GrapheneOS’s team was not able to find a single other manufacturer that met these standards, which is why they’re now working with an unnamed large OEM vendor to create a phone that will meet those specs, to be released “soon.”

    Pixel phones also have pretty fast and easy AOSP and security patch releases, because since Google develops Android, they also develop public builds for their phones first, which means stock Android will work best on a Pixel, whereas it might take a little extra work to function on a Samsung. This means GrapheneOS can push feature and security patches fastest compared to ROMs that support other phone models.

    A good example of this in action would be the leaked docs from Cellebrite, which is the company that provides the U.S. government with the hardware and software necessary to break into phones.

    image

    For Pixels with GrapheneOS installed, Cellebrite can’t break into them:

    • Before first unlock (if your GrapheneOS patches are up-to-date, which they should be)
    • After first unlock (also if your patches are up-to-date)
    • With a PIN brute-force

    Contrast that with phones from other vendors, or Pixels with stock Android, and…

    image

    Cellebrite can break into the vast majority of them, even before first unlock. LineageOS doesn’t support most of the software or hardware security features that GrapheneOS does, and as far as I know, still doesn’t even support verified boot, which means that extracting all user data from a LineageOS phone before first unlock would be fairly easy, whereas doing so from a GrapheneOS phone before first unlock would be near-impossible.

    • infinitesunrise@slrpnk.net · 8 upvotes · 4 days ago

      Thank you so much for going into detail! That’s exactly the kind of features breakdown explanation I was hoping for.

      Interesting that it’s Google of all companies implementing this stuff on their phones. Seems too coincidental to be an accident. Maybe they have a security zealot in an executive position at Android, or maybe there’s a power clash of some sort between them and law enforcement. Or maybe it’s as simple as the government wanting a line of secure devices that they don’t have to worry as much about taking abroad and Google was the contractor of choice. I’m too cynical to believe that they’re doing it out of concern for their users under legal duress.

      • AmbitiousProcess (they/them)@piefed.social · 2 upvotes · 3 days ago

        No problem, glad I could help! I’d like to think I’m pretty knowledgeable about GrapheneOS since I’m kind of a big privacy nerd, (though I could never match the nerd-iness of the actual GrapheneOS developers, they’re on another level with this kind of thing) so if you or anyone else has any questions about GrapheneOS, feel free to ask me those too!

        To address the rest of your comment, I’m not sure I’d personally go so far as to say it’s because of any kind of “power clash” or government needs. It just boils down to PR and profit. I get being cynical, and I’m sure there’s an extent to which it could be true, but I just doubt it given the other reasons they have. After all, I think we both know Google cares more about profit than they do any kind of morals or government feud.

        For example, GrapheneOS has memory tagging enabled by default, because it’s a feature that’s possible with some of the newer Pixel processing units. Google does not enable this on regular Pixels… unless you go to Developer Options > Memory Tagging Extension, and change it.

        It’s there not necessarily because Google really just cares so much about it for the reasons you mentioned, but just because it can allow developers to prevent certain vulnerabilities without too much additional work on their part, and that means it’s both easier to develop apps, and there’s less vulnerabilities Google has to worry about being reported.

        Google doesn’t have to add these features for any reason other than protecting themselves from bad press if their phones are hacked, and developer purposes. It’s one thing for a company like Samsung, Motorola, LG, etc to have a vulnerability exposed in their phones, but they also don’t develop Android.

        So if you have the headline “Hundreds of Motorola phones vulnerable to [exploit most people will never understand]”, it’ll blow over easy. But if you have “All Google Pixel phones vulnerable to [exploit most people will also never understand]”, and the article is also saying things about how it raises concerns about Android security as a whole, then it’s just a bigger PR deal.

        Not to mention that most developers are working on Pixels when they make apps, which means if they want to test any possible security features available from any Android vendor, they can kind of just rely on Pixels to have all of them in one place.

        Like if you want to test how your app could use a phone’s TPM module, you don’t need to go out and pick a specific model of Samsung that happens to have it, you just use a Pixel.

        If you need to test for memory leaks, you use a Pixel with memory tagging.

        If you need to test accessory compatibility with a USB-C port that suddenly disables all connections, you use a Pixel with a hardware-disable-able port.

        If you need to develop an app that can rely on separate phone hardware to externalize random number generation, you use a Pixel with a TPM component.

        Essentially to just shorten all that down into what I suppose I probably could have just said from the beginning: Google adds all of these security features because it’s good for press (when they prevent vulnerabilities from happening), and it’s good for profit (when developers turn to their phones to make apps, and thus make apps for the whole Android ecosystem faster & safer, and make apps that conveniently work best on Pixels).