Now, don’t get me wrong, I like the premise of GrapheneOS. The security features it offers are great. However, you’re sacrificing useful hardware features by using it.
Currently, the only phones that support GrapheneOS are Pixels, which lack the microSD card slot, dual sims, and a HEADPHONE JACK! To me, those features are not worth sacrificing for a little extra privacy.
Compared to LineageOS, however, they support a broad range of devices, even Pixels. I can look through their supported devices and find one that has a headphone jack, microSD card slot, dual sims, etc. Yes, it’s less private than GrapheneOS, but it’s still more private than stock Android or any of those other OEM ROMs (OneUI for example).
You can still keep some privacy using LineageOS while preserving functionality with projects like MicroG.
Overall, I think for the time being, unless you are really paranoid or live in an anti-privacy area, LineageOS is the better OS to use than GrapheneOS due to still gaining some level of privacy while preserving useful hardware features. Once GrapheneOS branches out from Pixel phones, I might change my opinion.
The folks behind GrapheneOS have expressed a desire to support a broader variety of devices, but they have hardware requirements that are necessary to support their desired level of security. And Pixels are currently their only real option until they work out the OEM deal they are currently sorting out.
I wish the entire industry would be more security and privacy focused, but that just isn’t the case. I am glad that LineageOS is working to give more options for people that want a more secure and private version of Android though. More options can only be a benefit for users.
It all depends on your threat model.
As far as I’m aware, LineageOS still doesn’t support verified boot, meaning the system remains unencrypted and is more at risk of tampering. GrapheneOS does encrypt many parts of the system, as well as implementing other security and privacy features. This means if your phone was to be taken by police at a protest, or stolen by a thief with some technical knowledge, the LineageOS phone could be easily broken into, whereas the GrapheneOS one wouldn’t.
GrapheneOS adds many additional features to prevent apps from exploiting your system, allows you to disable app network access the moment it’s installed rather than digging around settings menus or using ADB like LineageOS can need, and it’s considered essentially the most secure and private, yet feature complete Android ROM you can get nowadays.
Pixels simply have many more hardware security features than essentially every other OEM, and supporting only Pixels means Graphene’s team can focus on making those work the best. By contrast, LineageOS essentially has to support most phone models, which means sacrificing some stability and security improvements.
From the perspective of privacy, irrespective of security, GrapheneOS will still be better. It’s an OS built with the purpose being privacy at its core, with everything built around that. LineageOS is primarily built to extend the lifetime of devices, with the added benefit that Google Play isn’t pre-installed and given full privileged access by default.
If your threat model is just to reduce data being collected about you by large corporations, LineageOS will probably do an okay job at that. If you want to maximize the amount of your privacy that you protect from both corporations, and any given actor, whether that be someone shoulder surfing to get your pin, or police cracking your phone with a Cellebrite machine, GrapheneOS will always be a better bet, even if it’s just you trying to protect your data from corporate entities.
I will point out, while Pixels don’t have expandable storage, you can always use a dual-port adapter for your phone’s USB-C port to get both charging and audio jack ports at the same time, and you can add multiple SIMs, as long as it’s an eSIM. I’ve had 2 eSIMs on my GrapheneOS-flashed Pixel phones at the same time, and it’s worked fine so far.
In the end, I’d just say, if you just want Google to have less data on you, and you just want less bloatware, and you refuse to get a Pixel because of the aforementioned tradeoffs for you, then just use LineageOS. It’s better than stock. If you care about your privacy all around, and want more hardware and software security features, faster security patches, and more assurances of your privacy, go with GrapheneOS.
You’re not wrong, as there are conscious tradeoffs being made. By limiting GrapheneOS to a specific phone family, it can tighten security. In contrast, LineageOS has to manage issues across a wider range of devices, which limits what it can do. FWIW, GrapheneOS is going to partner with an OEM manufacturer, so I wouldn’t expect it to ever become available for a broad array of devices.
Can someone tell me why GrapheneOS is considered more “private” and “secure” than LineageOS, and how that relates to only supporting the flagship phone line from one of the United States’ largest corporations?
I currently run LineageOS on an old OnePlus model. Before that I only purchased HTC phones because I liked their simple, durable hardware and lack of bells/whistles, until the US blocked domestic sales to boost sales of US models because they’re Chinese.
GrapheneOS supports Pixels specifically because they have the most hardware security features out of any OEM, which guarantees a lot of security compared to other flagship vendors, because GrapheneOS can utilize them to provide certain security benefits that even Google themselves chooses not to implement on stock Pixel Android.
For example, Pixels support memory tagging (protects the integrity of apps and the OS), have the hardware required for a solid verified boot integration (which allows the whole OS to be encrypted), randomizable MAC address, ability to disable USB at the hardware level, debugging features not being available when the device is locked, and a metric ton of other things.
GrapheneOS’s team was not able to find a single other manufacturer that met these standards, which is why they’re now working with an unnamed large OEM vendor to create a phone that will meet those specs, to be released “soon.”
Pixel phones also have pretty fast and easy AOSP and security patch releases, because, since Google develops Android, they also develop public builds for their phones first, which means stock Android will work best on a Pixel, whereas it might take a little extra work to function on a Samsung. This means GrapheneOS can push feature and security patches fastest compared to ROMs that support other phone models.
A good example of this in action would be the leaked docs from Cellebrite, which is the company that provides the U.S. government with the hardware and software necessary to break into phones.

For Pixels with GrapheneOS installed, Cellebrite can’t break into them:
- Before first unlock (if your GrapheneOS patches are up-to-date, which they should be)
- After first unlock (also if your patches are up-to-date)
- With a PIN brute-force
Contrast that with phones from other vendors, or Pixels with stock android, and…

Cellebrite can break into the vast majority of them, even before first unlock. LineageOS doesn’t support most of the software or hardware security features that GrapheneOS does, and as far as I know, still doesn’t even support verified boot, which means that extracting all user data from a LineageOS phone before first unlock would be fairly easy, whereas doing so from a GrapheneOS phone before first unlock would be near-impossible.
Thank you so much for going into detail! That’s exactly the kind of features breakdown explanation I was hoping for.
Interesting that it’s Google of all companies implementing this stuff on their phones. Seems too coincidental to be an accident. Maybe they have a security zealot in an executive position at Android, or maybe there’s a power clash of some sort between them and law enforcement. Or maybe it’s as simple as the government wanting a line of secure devices that they don’t have to worry as much about taking abroad and Google was the contractor of choice. I’m too cynical to believe that they’re doing it out of concern for their users under legal duress.
No problem, glad I could help! I’d like to think I’m pretty knowledgeable about GrapheneOS since I’m kind of a big privacy nerd (though I could never match the nerdiness of the actual GrapheneOS developers, they’re on another level with this kind of thing), so if you or anyone else has any questions about GrapheneOS, feel free to ask me those too!
To address the rest of your comment, I’m not sure I’d personally go so far as to say it’s because of any kind of “power clash” or government needs. It just boils down to PR and profit. I get being cynical, and I’m sure there’s an extent to which it could be true, but I just doubt it given the other reasons they have. After all, I think we both know Google cares more about profit than they do any kind of morals or government feud.
For example, GrapheneOS has memory tagging enabled by default, because it’s a feature that’s possible with some of the newer Pixel processing units. Google does not enable this on regular Pixels… unless you go to Developer Options > Memory Tagging Extension, and change it.
It’s there not necessarily because Google really just cares so much about it for the reasons you mentioned, but just because it can allow developers to prevent certain vulnerabilities without too much additional work on their part, and that means it’s both easier to develop apps, and there are fewer vulnerabilities Google has to worry about being reported.
Google doesn’t have to add these features for any reason other than protecting themselves from bad press if their phones are hacked, and developer purposes. It’s one thing for a company like Samsung, Motorola, LG, etc to have a vulnerability exposed in their phones, but they also don’t develop Android.
So if you have the headline “Hundreds of Motorola phones vulnerable to [exploit most people will never understand]”, it’ll blow over easy. But if you have “All Google Pixel phones vulnerable to [exploit most people will also never understand]”, and the article is also saying things about how it raises concerns about Android security as a whole, then it’s just a bigger PR deal.
Not to mention that most developers are working on Pixels when they make apps, which means if they want to test any possible security features available from any Android vendor, they can kind of just rely on Pixels to have all of them in one place.
Like if you want to test how your app could use a phone’s TPM module, you don’t need to go out and pick a specific model of Samsung that happens to have it, you just use a Pixel.
If you need to test for memory leaks, you use a Pixel with memory tagging.
If you need to test accessory compatibility with a USB-C port that suddenly disables all connections, you use a Pixel with a hardware-disable-able port.
If you need to develop an app that can rely on separate phone hardware to externalize random number generation, you use a Pixel with a TPM component.
Essentially, to just shorten all that down into what I suppose I probably could have just said from the beginning: Google adds all of these security features because it’s good for press (when they prevent vulnerabilities from happening), and it’s good for profit (when developers turn to their phones to make apps, and thus make apps for the whole Android ecosystem faster & safer, and make apps that conveniently work best on Pixels).
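The memory tagging mentioned in the posts above (the Pixel feature GrapheneOS enables by default and stock Android hides behind Developer Options > Memory Tagging Extension) works by colouring each heap granule and each pointer with a small tag and faulting when they disagree. The following is an added teaching model written for this page, not GrapheneOS, Android or ARM code: it simulates that tag check in plain C (assuming 64-bit pointers, a toy bump allocator and deterministic tag choice) to show why both a one-byte linear overflow and a use-after-free are caught at the first bad access.

```c
/* Constructed software model of ARM MTE heap tagging (a teaching aid, not real MTE):
 * each 16-byte granule carries a 4-bit tag, a pointer carries its allocation's tag
 * in its top byte, and every access compares the two, as hardware sync mode does. */
#include <stdint.h>
#include <stddef.h>
enum { GRANULE = 16, HEAP_GRANULES = 64, TAG_SHIFT = 56 };  /* tag in unused top byte */
_Static_assert(sizeof(uintptr_t) == 8, "model assumes 64-bit pointers");
static uint8_t heap[GRANULE * HEAP_GRANULES];
static uint8_t gran_tag[HEAP_GRANULES];
static size_t next_gran = 0;   /* bump allocator; never reuses memory */
static uint8_t addr_tag(uintptr_t p) { return (p >> TAG_SHIFT) & 0xF; }
static uintptr_t untag(uintptr_t p) { return p & ~((uintptr_t)0xFF << TAG_SHIFT); }
static size_t granule_of(uintptr_t p) { return (untag(p) - (uintptr_t)heap) / GRANULE; }

/* Allocate n bytes and colour its granules with a fresh tag; neighbouring
 * allocations get different tags, so a one-byte overrun hits a mismatch. */
static uintptr_t tagged_alloc(size_t n) {
    static uint8_t tag = 0;
    size_t grans = (n + GRANULE - 1) / GRANULE;
    tag = (tag + 3) & 0xF;   /* deterministic here; real hardware picks randomly */
    uintptr_t base = (uintptr_t)&heap[next_gran * GRANULE];
    for (size_t i = 0; i < grans; i++) gran_tag[next_gran + i] = tag;
    next_gran += grans;
    return base | ((uintptr_t)tag << TAG_SHIFT);
}

/* Free retags the granules, so a dangling pointer now carries a stale tag. */
static void tagged_free(uintptr_t p, size_t n) {
    size_t g = granule_of(p);
    for (size_t i = 0; i < (n + GRANULE - 1) / GRANULE; i++) gran_tag[g + i] ^= 0x8;
}

/* Checked byte store: 1 on success, 0 on a tag mismatch (real MTE: SIGSEGV). */
static int store8(uintptr_t p, uint8_t v) {
    size_t g = granule_of(p);
    if (g >= HEAP_GRANULES || gran_tag[g] != addr_tag(p)) return 0;
    *(uint8_t *)untag(p) = v;
    return 1;
}

int linear_overflow_caught(void) {   /* last in-bounds byte ok, one past is not */
    uintptr_t a = tagged_alloc(16);
    (void)tagged_alloc(16);          /* the neighbour an overrun would land in */
    return store8(a + 15, 1) && !store8(a + 16, 2);
}

int use_after_free_caught(void) {
    uintptr_t p = tagged_alloc(32);
    tagged_free(p, 32);
    return !store8(p, 0x41);
}
```

Both functions return 1, meaning the model rejected the bad store while allowing the in-bounds one; on a real MTE device the rejected store would instead crash the app with a tag-check fault, which is what makes the bug visible during testing.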