cross-posted from: https://slrpnk.net/post/15995282
Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of ‘non-google’ approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.
Edit: had to change the title, originally it said Uber too but I cannot find back to the source of ether that’s true or not…
Too bad it only runs on Google’s phones…
It’s only officially supported on google phones because sadly those are the only ones that are not modified to fuck which makes installing and supporting other OS’es way too much work.
Giving google money once for a device is not a problem from a privacy or security standpoint.
That’s correct, but not the reason grapheneOS chooses only pixel phones. It’s the level of hardware security features.
Also unlockable and presumably has well working builds. It’s not just graphene, but just about every Android project it there that’s best supported on pixels. Other manufacturers have a crazy variety of locking schemes and required tools. Each one is a nightmare to support.
For GrapheneOS, it’s primarily that it’s re-lockable. That’s why other unlockable phones aren’t supported.
The GrapheneOS install process sets new OS signing keys so you can lock the phone again and get full verified boot. However, most manufacturers haven’t implemented this feature.
Yes, that cuts the list down even more.
What do you get, app/feature wise for verified boot vs. Play integrity app? Does it increase the amount of apps that work on it?
No, Play Integrity intentionally checks if it’s a Google-approved key. Android itself has an API to check verified boot and gives info on the signing key - most devs just want to know verified boot is working.
I feel Play Integrity has a short life ahead of if competition authorities realise how exactly it works. “Anti-competitive” is the first thing policy-minded folks think when I explain the API to them.
Hope you’re right, because it basically spells the end of customizing.
I would guess that it allows to detect tampering if you have to give your phone to the security officers and they do or don’t do something with it without you present. I heard of such occurrences on the border, but this happens in other places and countries, too. Not sure if locked bootloader would help, though
Second hand, no money for them
Wish they’d at least support Fairphone.
If Graphene reached out to them I bet Fairphone would even actively work with them to make it an official OS option.
Fairphone would need to substantially modify their hardware to make that work
In the EU almost every phone has an unlockable bootloader, there just isn’t any roms or custom recoveries for a lot of them.
Right? Have to pay google for the privilege
You can always buy a second hand one
Someone installing graphene os for security shouldn’t be trusting random second/third/etc hand hardware lol
There is absolutely no problem with that. The phone is wiped and encrypted when you flash graphene, and it does an integrity check every time it boots.
Hypothetically the hardware could have been modified, but that would take some insane level of a determined attacker to be fabricating modified pixels just to sell them on the used market.
Yes, this would only be a concern for targeted attacks by state actors, in which case not even buying new would be safe.
Thinking about it, in such a scenario buying used may even be safer
It also comes with a hardware auditor, although you need another trusted graphene phone to use it. I don’t know about the details, but sounds very hard to mess with it.
Nothing too hypothetical nor an “insane” level of work. Didn’t Israel do just that with some beepers to blow up children?
Shouldn’t trust anything then. They could intercept your new phone and modify it. They did it for switches. But your not worth it for “them”.
Your options are:
Apple phone
Bloated android phone like Samsung etc.
Chinese android phone (xiami etc)
Google phone with Android
Google phone with graphene. This still looks like the best of those options.
Or no phone? I guess people are hardcore enough that will be the option.
Edit: I stand corrected.
Fairphone? Swiftphone? eOS? Linuxphone? PostmarketOS etc?
Is swiftphone its own thing or did you mean shiftphone? I kinda want the shiftphone 8 myself even if they only ship to neighboring countries of mine.
Ah sorry, you’re right. I meant shiftphone.
There’s always package forwarding. I’m about to find out how bad an idea that is.
I use cheap motorola phone with lineage OS, add that to your options
I don’t think LOS has any privacy/security improvements over the stock android?
(IIRC) it’s even worse than stock because you can’t lock the bootloader after installation.
Though if your phone isn’t getting official updates, it’s probably safer with LOS.
There’s also the Lineage-based DivestOS that attempts to keep up with more security updates, and relocking the bootloader in phones that support it.
https://divestos.org/
Yeah, I myself am using CalyxOS, because DivestOS doesn’t support the Fairphone 5 unfortunately. CalyxOS also has relocking.
Calyx also comes with MicroG, right? So mitigates many problems with a bit more Google.
And Fairphone 4 here, partly for Divest (had it on Oneplus 6 before this and just used to it), partly because of a good deal for a barely used one.
(IMHO) CalyxOS is a good balance between security and usability. Better than LineageOS, worse than GrapheneOS (and DivestOS).
That’s a problem with the phone manufacturer, not with Lineage.
Physical access is game over anyway?
Xiaomi has the biggest custom ROM scene out there btw despite them trying their hardest to stop bootloader unlocking. You really don’t need to have a company supporting unlocking to make ROMs for them. If they outright block it then that’s an issue.
I read somewhere that on some xiaomi phones in china you need to request it, https://github.com/melontini/bootloader-unlock-wall-of-shame/blob/main/brands/xiaomi/README.md
My friend just got a new Xiaomi phone. He tried unlocking it a few days ago and got “try again in 168 hours”. That happened in Europe. It’s an absolute mess nowadays, I remember when they started blocking you from unlocking the bootloader. First you had to wait 24 hours, then 3 days, now it’s an entire week. You also need to make sure you’re logged into your Mi Account on both phone and PC and do even more weird fuckery to ensure the process actually go through. Meanwhile, on GOOGLE Pixel devices you just type one command after you enable oem unlocking in settings and reboot into fastboot mode. Crazy.