Comment by microtonal
2 days ago
Even with Google's changes, F-Droid will continue to work with Android phones that do not use Google GMS.
If you care about your actually owning your device, install something else than stock OS. I would recommend GrapheneOS, since the security of some/most other alternatives is pretty bad.
GrapheneOS works only with Pixel devices, which doesn't make it much useful for the vast majority of Android users.
Indeed. Sadly the reality is that most other Android devices are simply not secure enough. Many Android phones do not have a separate secure enclave (outside Pixel and IISC Samsung flagship and A5x range), so they are vulnerable to breaking PIN-based unlocking, side channel attacks, etc. Besides that they often only provide old vendor kernel trees, old firmware blobs, etc.
So, you have to wonder whether you want such a phone anyway if you care about security and privacy. If you don't care about security anyway, you could as well run /e/OS, etc.
Above-mentioned Samsung phones could perhaps make the cut, but don't support unlocking anymore (and when they still did, would blow a Knox eFuse).
Reduced security has always annoyed me a bit as an argument. Sort of in the same way as signal deprecating SMS because it's insecure.
I get all or nothing when your threat model is state actors. However, for most people, the benefit is just freedom from corporate agendas.
Not everyone needs kernel hardening, or always E2EE (as with signal). Personally I just like the features it provides (e.g. scoped storage, disabling any app including Google play services, profiles etc etc
Its also an easier sell to people who are apathetic to security when the product is just better and more secure, the same way apple does (for whatever their reasons may be).
All that said, I get they're limited in funds and manpower, plus the things mentioned at the end there, so I can only be so peeved they chose a target and stuck with it. They typically cite security as the reason, not those other ones, however.
9 replies →
Perfect really is the enemy of good when it comes to GrapheneOS
2 replies →
> Sadly the reality is that most other Android devices are simply not secure enough.
This seems like a bad reason for not supporting a device. If the device doesn't have a hardware feature then the OS it came with can't be doing it either, and then all you're doing is leaving the user with all of the other security problems in the OEM OS that otherwise could have been improved by replacing it.
3 replies →
Every GrapheneOS proponent I've seen has claimed that other devices are inferior to Pixel security wise, and that's why they're not supported. That always sounded a bit odd to me and certainly seems to have a bit more nuance based on your comment. Thank you for adding some clarity here.
12 replies →
Imagine if the Linux project had this same mentality. Thank goodness they don't.
7 replies →
GrapheneOS is working with a manufacturer to change this:[0]
> We're working with a major OEM and the devices will be the future versions of existing models they have now. The devices will be priced similarly to Pixels. The initial devices will have a flagship Snapdragon SoC for the best security and support time. Snapdragon flagships have significantly better CPU and GPU performance than Pixels. Snapdragon provides high quality Wi-Fi, Bluetooth, GNSS and cellular support as part of the SoC. eSIM and other functionality is also provided by the SoC. Snapdragon has decent image processing functionality included too, and good neural network acceleration.
[0]: https://old.reddit.com/r/GrapheneOS/comments/1o32gpg/deleted...
That "major OEM" seems to be Motorola, i.e. Lenovo.
2 replies →
Huge opportunity for Lenovo/Motorola here who have been the quiet Linux favorite for a while but we shall see if they even bother.
Sounds like a consumer problem for their own choices of vendor lock in
Would love to ditch google and use grapheneOS, however have so many banking and (stupid) outlook for work.
You can check banking app compatibility here:
https://privsec.dev/posts/android/banking-applications-compa...
Even if it works now, how can you be sure the next app update doesn't break it in the name of security?
2 replies →
The outlook app works for me on GrapheneOS, is there something about it that doesn't work for you?
Many banking apps do work on GrapheneOS, the list had already been linked to by others
> Would love to ditch google and use grapheneOS
grapheneOS only works with google phones.
For now[0].
And I don't really think that people mean using google hardware but rather being mined by google software.
May I ask, if you (a) just want to be technically correct, (b) don't see the difference or (c) are trying to make a point I don't understand and if so would be willing to explain?
---
[0] https://piunikaweb.com/2026/02/02/grapheneos-non-pixel-hardw...
I would rather pay a one off ransom to google, than have them harvest all my data and profit from them in perpetuity.
Better yet, you can buy a used pixel phone.
2 replies →
The outlook webapp is quite decent. I've never used their native app, but I've manahed to get by fine with their webapp, even though notifications don't work (I just check it regularily). IIRC K9/Thunderbird also has support for exchange now.
Apparently a lot of banking apps work with the sandboxed Google malwares. Not sure though, I'm not a user (wrong hardware)
Correct. I am using my Dutch bank and credit card apps without any issues. Someone linked the curated GrapheneOS banking list already. If your bank does not support it, you could either contact them. If they require remote attestation, this can be implemented for GrapheneOS as well:
https://grapheneos.org/articles/attestation-compatibility-gu...
If the bank is very hard-nosed about it, you could consider keeping an old iPhone or Pixel (because long security updates) for banking if it is practical to do for you. 95% without big tech is also a big win. Of course, if you need to have it with you at all times, that might not be a worthwhile option.
can confirm. And there are even some pages that list banking and other apps working on GrapheneOS. It's actually very few that don't work with sandboxed Google Play API.
edit: https://privsec.dev/posts/android/banking-applications-compa...
Can you not setup your work email through a regular email client? I thought the days of being locked into Outlook specifically went away with Exchange. Everywhere I've worked since has been able to.
Also, what kind of banking are people doing that requires an app? I genuinely don't know what it could be.
> Also, what kind of banking are people doing that requires an app? I genuinely don't know what it could be.
Close to every bank in the EU requires their user to have an app, for MFA (both for logging in and for validating transactions - transfers, payments). They use the smartphone's TPM. I have yet to see one that allows you to use your own MFA app.
The few I've seen that don't require it will validate the same through text messages (not everyone has a smartphone); though if you associate their app even once, you're screwed - the app it is from now on.
6 replies →
It's way more comfortable to login with fingerprint and not going through a longer login to the website.
Especially since in many countries it requires a national e-ID that is an app on your phone.
It's nice to have widgets.
Theres e/OS where you can have a locked bootloader with some phones
Why do people need banking on their phones though? Banks have websites too.
> Why do people need banking on their phones though? Banks have websites too.
2FA. I was a smartphone hold-out for longer than anyone I know, but banks mandating 2FA with no options for doing it in a standards-compliant way or any way that doesn't involve the app stores was what finally broke my resistance.
This is asked again and again. Apparently you guys in the USA or in other parts of the world are still lucky, but in Europe banks must be compliant with regulation that more or less force them to do 2FA through their app with the biometric authentication of either an Android or an iOS phone. There are other ways (eg giving a hardware OTP generator to customers,) but apps are the cheapest solution.
5 replies →
My bank has no website or physical branches. They’re mobile-only, but their app is leaps and bounds ahead of the competition.
I don't much like the official Outlook app. Been using Nine for ages, it does everything I've needed.
AFAIK every popular Android phone uses a qualcomm modem chip with a separate OS that has complete access to ram. NSA most certainly has a backdoor there and such complete access to any Android phone. This was common knowledge after the Snowden stuff. I don't think this has changed at all since. Only few niche phones (pinephone) separate these systems or have a hardware switch to disable the cellular system.
>I don't think this has changed at all since.
There is common knowledge to suggest that it is not the case (or maybe is no longer the case):
>Mainstream smartphones do not provide DMA access from the baseband to the application processor's memory... Yes, getting baseband access then lets you monitor regular voice and SMS comms. But no, it does not instantly compromise the AP so using the Signal app would still be secure. https://news.ycombinator.com/item?id=10906488
>Apple mitigates baseband processor vulnerabilities by putting it behind what's essentially an IOMMU. https://news.ycombinator.com/item?id=29440154
>This is false FUD that keeps being repeated. It's not true. No iPhone ever has had a baseband with DMA access to my knowledge, and modern Qualcomm devices have advanced IOMMU systems to firewall away the baseband from the rest of system memory. I'm sure some phones somewhere existed where the baseband was privileged, but it's not the norm. https://news.ycombinator.com/item?id=30393283
>Connecting a cellular radio via USB provides far less isolation than the approach of a tiny kernel driver connected to an IOMMU isolated cellular radio on mainstream devices. USB has immense complexity and attack surface, especially with a standard Linux kernel configuration. Forensic data extraction companies mostly haven't bothered using attack vectors other than USB due to it being such a weak point. Many of the things people claim about cellular radios in mainstream smartphones are largely not true and they're missing that other radios are implemented in a very comparable way. https://news.ycombinator.com/item?id=46841004
> NSA most certainly has a backdoor there and such complete access to any Android phone.
Citation needed?
> This was common knowledge after the Snowden stuff.
Not to me, it isn't? As far as I'm aware, most of the Snowden stuff were centered around PRISM, which allowed widescale wiretapping of internet backbone, as well as agreements with big cloud providers to allow tapping into their data.
I haven't seen anything indicating that there was widespread compromise of personal computing devices at such a deep level of the root of trust. I haven't seen any indication that the NSA has a backdoor in the earlyboot CPU of any device, whether that is the Qualcomm boot processor, the Intel Management Engine or the AMD Platform Security Processor (which all have similar capabilities and hidden firmware).
If I missed anything/have links to research into these backdoors, I'd like to see them!
The backdoor is that those are all US companies and the NSA can force them to comply.
This piddly open source effort pales in comparison to what we should really be doing:
Horizontally splitting Google into multiple companies.
Not division via department splits, but equal partitioning across the company into multiple horizontal businesses that compete on the same offerings.
The EU and next DOJ/FTC need to force this.
I agree, but the probability that this is going to happen anytime soon is near-0. The current US administration is not going to rein in the tech broligarchy and if they did, it would be done out of spite and the pieces wold sold to administration-aligned oligarchs (e.g. Ellison), which might end up being worse.
The EU is not going to force this, because it has enough fights to pick with the US, and this is not the hill that they are willing to die on. It would be far more likely for them to financially support an AOSP-based OS.
The EU simply is not (and should not) be able to split up google who operate international. But they can regulate the EU market and declare that a monopolist cannot operate there as a monopolist and introduce any arbitary rule achieving it.
1 reply →
Not sure if you know this, but both Biden and Trump (in his previous admin) had their DOJ file lawsuits against Google. "United States v. Google LLC," which was filed in 2020 and focused on Google's dominance in search and advertising markets. A separate case was filed in 2023 targeted Google's monopolization of digital advertising technologies. The State of Texas also sued them in 2020.
Google lost all three cases. The DOJ in all three recommended the company be broken up, but the judges disagreed. If you want to blame someone, then blame the judges, not the current admin or Bidens DOJ - both of whom said Google should be broken up.
1 reply →