
Comment by theK

4 months ago

Did you check the stuff murena has on offer? Most if not all of their phones come with an unlockable bootloader and the OS they come with isn't that bad to start with either.

They are pretty bad when it comes to security:

https://eylenburg.github.io/android_comparison.htm

  • Does it? If it looks equivalent to "stock" Android but you can do what you want with it, including removing bloatware, then it's arguably more secure and thus a better alternative than most. It might not be the most secure but it's already a step.

  • Hmm... that looks like a pretty skewed comparison. It's as if somebody took the security features that make Graphene stand apart and compared everything else to them.

    No contention that Graphene is safe, but categorizing other OSes as "pretty bad when it comes to security" because they don't copy Graphene is a bit of a stretch.

    • Eylenburg's site is focused on privacy and security for the comparisons. GrapheneOS is the only privacy and security hardened OS included in the Android-based OS comparison. None of the other operating systems listed in that comparison keep up with Android privacy/security patches or provide significant OS level privacy or security improvements. Many GrapheneOS features aren't listed by the table or are grouped in huge generic categories such as "Hardened system components". An example of a major privacy feature not listed by the table is closing the leaks in Android's standard VPN lockdown mode. GrapheneOS fixes all 5 of the known outbound leaks in VPN lockdown mode, CalyxOS partially fixes 1 of them and the others don't touch this since that's not their focus. It's a privacy and security focused site comparing an OS focused on improving those in the OS layer to ones which mostly aren't.

      Operating systems lagging far behind on privacy and security patches are definitely quite bad when it comes to security. For example, the official releases of /e/ for the Pixel 7 are still based on Android 13 and do not include any of the Pixel kernel, driver or firmware patches released from October 2023 and later. Eylenburg's table doesn't put much emphasis on this since it's contained within a couple rows which do not adequately communicate how delayed the updates are and how much that matters.

      In addition to the official Android and OEM privacy/security patches, there are also major privacy and security improvements in each major Android release. Android also doesn't backport most Moderate and Low severity patches which are no longer given CVE assignments. Most privacy patches are considered Moderate or Low severity if at all. Many privacy improvements also aren't considered to be bug fixes since they're improvements to the intended design of the system. Only bug fixes considered to have a High or Critical severity security impact are backported. The comparison table could cover a bunch of standard Android privacy/security improvements to emphasize the importance of keeping up with the only actual LTS branch.


  • I'm going to echo the sibling comment that this comparison conveniently centers on GrapheneOS while conveniently ignoring anything they don't do; for example, a firewall using root is useful, but since they've decided users can't be trusted with control of their devices that's right out.

    • Eylenburg's site has comparisons between a bunch of different types of software and services with a significant focus on privacy and security rather than aesthetic customization features, etc.

      For the Android comparison, GrapheneOS is the only privacy and security hardened OS included in the comparison. DivestOS used to be included before it was discontinued. An OS not including Google Mobile Services and branding itself as private based on that is a much different thing than a privacy and security hardened OS. Which other Android-based hardened OS could be included in the comparison?

      None of the operating systems listed in the comparison include app accessible root access. Giving unconstrained root access to a huge portion of the OS including the application layer including a GUI application for managing firewall rules is not a well secured approach to implementing it. Managing firewall rules is entirely possible to implement while following the principle of least privilege and not substantially reducing OS security. In fact, Android has standard support for it and all of the operating systems included in his comparison rely on it if you want to do fine-grained traffic filtering.

      RethinkDNS is a good example of an app providing support for local filtering via the VPN service app feature without losing the ability to use a VPN. RethinkDNS supports using a WireGuard VPN or even multiple chained WireGuard VPNs while doing local filtering of both DNS and arbitrary connections. It can filter connections based on the results of filtered DNS resolution. That's the approach that's used by Android so that's inherited by every OS in the comparison.

      GrapheneOS is the only OS that's listed fixing all of the leaks for the standard VPN lockdown feature which is needed to prevent leaks for firewall apps including RethinkDNS based on the VPN service app feature. That's not listed by the table, although it could be and it would make sense for someone to file an issue proposing listing it. Many GrapheneOS privacy and security features are not listed by Eylenburg's comparison and a lot of what's listed is under huge categories such as "Hardened system components".


Indeed, and starting at 360€ for a CMF Phone 1 with OS already installed, no tinkering, feels relatively affordable and easy to try.