<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: grapheneos</title><link>https://news.ycombinator.com/user?id=grapheneos</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Thu, 02 Jul 2026 21:32:13 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=grapheneos" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> What's wrong with the upcoming partnership with Motorola where they work with grapheneos to get it suppported, but it's not preloaded?<p>It's definitely planned for GrapheneOS to be sold preinstalled on devices, but it will also be possible to buy devices without it and install it yourself with our web installer. The details need to be worked out. The focus is currently meeting the requirements and porting GrapheneOS to the devices.</p>
]]></description><pubDate>Thu, 02 Jul 2026 20:59:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=48767293</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48767293</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48767293</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>It's not accurate, see <a href="https://news.ycombinator.com/item?id=48767176">https://news.ycombinator.com/item?id=48767176</a>.</p>
]]></description><pubDate>Thu, 02 Jul 2026 20:49:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=48767181</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48767181</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48767181</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> giving the option to completely block attestation and DRM API would be a good start.<p>Blocking access to attestation or DRM will prevent using the functionality of the app depending on it or the whole app unless it's implemented incorrectly.<p>GrapheneOS does provide a toggle to block apps using the Play Integrity API because we found a small subset of apps using it are not yet enforcing providing a result due to being in the process of phasing it in. This doesn't apply to DRM or direct use of hardware attestation. We have a planned feature for blocking access to DRM as an attack surface reduction feature since it can eliminate a little bit of OS attack surface and a significant part of the TrustZone attack surface. Hardware key attestation has almost no attack surface and doesn't provide any info not available other ways.<p>> this is false, the attestation middleman Google server can fingerprint your unique device serial (in-silicon key) whenever it wants.<p>That's not how the hardware key attestation system works. Only key provisioning uses their service and if you don't trust their separation of the provisioning with the frontend, that's fine since we run it through our own frontend by default so they can't connect an IP with the provisioned key which would be the only real privacy issue. That's why they made a point of how they separated the systems for it, but you don't have to trust that on GrapheneOS. If you use a VPN it's irrelevant.<p>> the DRM situation is even worse as ANY app can fingerprint your device serial and I don't mean just the DRM ID. anyone who has a license server certificate can fingerprint the DRM key in-silicon.<p>That's not an accurate description. It's also implemented via our server by default too. If you use a VPN that's not relevant.<p>The MediaDRM ID is also widely misunderstood since it is scoped per-app rather than being global. The best way to address it is our planned DRM toggle.<p>> if you were serious about privacy you would provide the option to completely disable that functionality in grapheneos<p>We disabled DRM provisioning and usage by default in Vanadium years ago and have a publicly visible feature planned for providing a toggle for native apps being able to use it. We don't have unlimited resources to get everything we want quickly implemented.<p>> how many of your users are even aware that google can track them across factory resets (or anyone who has a license server certificate)?<p>You're making attestation and DRM key provisioning sound far worse than it is. It's not fingerprinting and it doesn't give them another way to track users in practice. If services want to share data with Google then they don't need any of this to do it and it doesn't inherently result in anything being shared with them that's in any way useful. We have a planned feature for providing a DRM toggle but it's nearly entirely wanted for security, not privacy, and there are bigger security features to implement. There are many planned privacy features which would make a major impact rather than near zero as this would.<p>Preventing fingerprinting by websites is a very hard problem especially considering things like using timing and performance measurements for it. That's going to be a priority for us. Doing it for native apps would require a massive amount of changes to get anywhere close to websites. We could add 100 features reducing fingerprinting for native apps without accomplishing anything significant. We're focused on privacy features with a larger impact.</p>
]]></description><pubDate>Thu, 02 Jul 2026 20:49:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=48767176</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48767176</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48767176</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> Linux based mobile OS foundation<p>AOSP is a Linux-based mobile OS. It runs fine on top of standard Linux kernels without downstream changes. Getting rid of the need for closed source userspace drivers for components like a modern Mali GPU can be done with AOSP and will benefit the most people that way. AOSP if many companies and others band together to do it. It could also happen due to government intervention due to Google's antitrust law violations, but that could be done poorly in a way that harms open source.</p>
]]></description><pubDate>Thu, 02 Jul 2026 20:26:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=48766918</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48766918</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48766918</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>System administrators of a traditional Linux distribution assemble their own OS out of their package and configuration choices. There isn't a well defined standard base OS. That's part of what makes it the traditional approach and is inherently incompatible with the privacy and security approach of AOSP or iOS in many ways.<p>Linux distributions use different implementations of init systems, shells, command-line tools and nearly everything else. Ubuntu uses glibc, systemd and Rust uutils coreutils. Alpine uses OpenRC, Musl and BusyBox as the defaults. Debian uses glibc, systemd and GNU coreutils as the defaults but supports other choices of init system. Each has their own variants of the projects they each package with different versions, patches compile-time configuration and default runtime configuration.<p>Using systemd, Bash, etc. on an OS Debian is a choice for the system administrator rather than the OS being defined that way. Even if people swap out major components for ones which aren't officially supported, it's not generally regarded as not using the distribution anymore. It's a far different approach than defining a standard base OS, developing that together as a whole with user installed packages and configuration changes are solely on top of that.<p>The higher up you go in the software stack, the more different things are across operating systems. The Debian installations across different machines are a vastly different OS with far different components and configuration. There are default sets of packages and configurations but not a standard base OS shared across each machine. Swapping out components and changing the configuration isn't making it not Debian and is pretty much required.<p>A huge portion of server Linux uses musl and BusyBox due to Alpine.<p>Embedded Linux has always heavily used different software stacks. Android wasn't much different in that regard on mobile. Android runs fine on standard Linux kernels without any mandatory downstream changes. It was never the only distribution making changes to the kernel regardless.</p>
]]></description><pubDate>Thu, 02 Jul 2026 20:12:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=48766736</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48766736</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48766736</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> prioritised privacy<p>Privacy depends on privacy patches/protections and on security patches/protections. They do the opposite of taking it seriously from the hardware through the software.<p>None has anything close to the privacy or security of AOSP or iOS. Librem 5 is the direct opposite of hardware prioritizing privacy and security. It doesn't provide basic firmware updates, uses a bunch of extremely low security components and brings the awful privacy and security of a desktop OS to mobile on top of that. It's the opposite of how you're describing it. Purism's devices also aren't open source as they claim but rather are closed source hardware with closed source firmware. They only pretend it's open hardware and firmware by not shipping the closed source firmware with the OS, which leaves users without crucial privacy/security protections. The components don't have proper updates available regardless due to their hardware choices but they don't ship what is available and prevented doing it for some components.<p>> They target devices made with the intent of running linux, but also have a few ports to android devices.<p>AOSP is a Linux distribution. Linux doesn't mean glibc, systemd, GNU coreutils and GNOME. If you mean GNU/Linux or bringing systemd to mobile then that's what you should say.</p>
]]></description><pubDate>Thu, 02 Jul 2026 20:02:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=48766608</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48766608</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48766608</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>There isn't a standard Linux distribution. Those operating systems have drastically worse security than a decent server distribution or the mainstream mobile Linux. Traditional Linux distributions don't have a standard set of core components or configuration so system administrators are assembling their own OS and the differences in security are vast. It's extremely rare to deploy anything close to the level of iOS and AOSP security but it's an entirely different environment on a server. Running a few server applications in weak sandboxes is far different than using a bunch of apps including an enormously complex web browser with a GPU, cellular, Wi-Fi, Bluetooth, NFC, etc. There's also no serious attempt by almost anyone to defend Linux servers and desktops against physical attacks with the disk encryption only even attempting to provide protection for data before the encryption passphrase is entered, not after.<p>Those ports of desktop Linux to mobile don't have a proper privacy/security model for running applications. They don't have anything close to modern exploit protections or hardware-based security features crucial to protect against increasingly sophisticated and widespread exploits. AOSP is a Linux distribution with drastically improved privacy and security compared to a traditional desktop Linux traditional. GrapheneOS starts from there and improves privacy and security much further.</p>
]]></description><pubDate>Thu, 02 Jul 2026 19:52:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=48766480</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48766480</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48766480</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> Usability-wise, they are no match for Android and iOS—or even versions of them from five years ago.<p>They're also no match for the privacy or security of iOS or AOSP. They're bringing the lack of privacy/security model and protections on desktop operating systems and hardware to mobile. It's a massive regression for privacy and security despite being marketed in the opposite way.</p>
]]></description><pubDate>Thu, 02 Jul 2026 19:46:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=48766421</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48766421</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48766421</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> Waydroid is a container-based approach to boot a full Android system on regular GNU/Linux systems running Wayland based desktop environments (like PureOS).<p>No, it's only a partially working form of Android with the privacy/security model largely disabled and poor app compatibility. Waydroid is based on an ancient release of Android and disables the SELinux-based privacy/security model. It doesn't contain apps from each other and has far less protection for the Linux kernel from the apps. It has poor app compatibility and isn't a good approach to running Android in another OS. ChromeOS made a proper better Android container not losing the privacy/security model but migrated to using hardware accelerated virtual machines. It makes a lot more sense to use a VM since current era smartphone hardware fully supports it.<p>> PureOS also provides convergence via Phosh. Convergence means here that the same app can be used on a phone and on a big screen, the GUI adjusts to the available screen size.<p>Android Open Source Project has a desktop mode. It has a hardware-based virtualization layer for running desktop Linux applications too including GPU acceleration support.<p>> Phosh aims to provide a daily-usable, robust and easy to use graphical user environment for mobile devices running mainline Linux.<p>Android runs fine on mainline Linux. It doesn't require special kernels. That's tied to specific hardware rather than Android.<p>PureOS has far worse privacy and drastically worse security compared to iOS or AOSP. It's bringing the traditional atrocious privacy and security of desktops to mobile. Librem 5 also combines that with extraordinarily insecure hardware missing basic firmware updates and security protections. As a whole, these make it drastically easier to exploit devices. That includes going back to disk encryption which doesn't work for the average user due to them not using a strong passphrase and not protecting against data extraction with physical access unless the device is turned off.</p>
]]></description><pubDate>Thu, 02 Jul 2026 19:38:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=48766330</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48766330</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48766330</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> It doesn't solve the current issue<p>These operating systems aren't compatible with most of the apps and services people want to use. It's going to become much worse. The compatibility layers several provide have extremely poor compatibility combined with disabling the Android security model and app sandbox. Apps running in those compatibility layers are much less contained with less isolation from the Linux kernel, not more.<p>Aside from that, many people care about privacy and security. Each of those operating systems is far less private and drastically less secure than the Android Open Source Project. None has a truly complete and working app sandbox or permission model. None uses modern exploit protections. None has serious hardware-based encryption features needed to protect against data extraction. They're not serious alternatives to an iPhone from a privacy and security perspective as an AOSP-based OS on decent hardware can be.<p>> but in case we don't manage to push back on this<p>It's a warning that's being added to Google Mobile Services operating systems. It doesn't negatively impact other operating systems based on the Android Open Source Project.<p>> various actual linux OSes for mobile<p>Linux doesn't mean GNU/Linux or systemd/Linux. It doesn't at all imply using glibc, systemd, GNU coreutils, Bash, GNOME, etc. Distributions using different userspace components including several of the ones you've listed are still Linux Android-based operating systems including AOSP and GrapheneOS are Linux distributions. Alpine doesn't use glibc and SailfishOS has a lot of their own mix of open and closed source software. Using a typical desktop Linux userspace stack isn't what makes it Linux and there's also not a lot of consistency in what's used on desktops regardless. A Linux distribution not using musl, glibc, GNU coreutils, etc. is still Linux.<p>> There are many more linux mobile OSes, but as far as I know these are the main ones. There might also be some inaccuracies on this post, I tested some of these a long time ago, and I never actually run the last 2.<p>AOSP-based mobile operating systems are Linux distributions.</p>
]]></description><pubDate>Thu, 02 Jul 2026 19:29:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=48766235</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48766235</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48766235</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> and they are legally allowed to fingerprint grapheneos and block Play functionality.<p>No, and you also don't understand how the Play Integrity API is implemented.<p>Google has a bunch of monopolies tied to Android. Antitrust laws put limits on what they're allowed to do which Google has been egregiously violating for many years.<p>Google isn't legally allowed to pull a bait and switch with Android by changing it away from an open platform and open source project. They used Android being both of those things to build and expand monopolies in a bunch of areas. The way Google exerts control over OEM partners with Google Mobile Services licensing has already been found to be illegal in multiple countries and they're in the process of losing more court cases over it. South Korea found their terms to be highly illegal and Samsung is already largely free from their restrictions.<p>Play Integrity API enforces the Google Mobile Services licensing model. The licensing model and terms are highly illegal in countries with decent antitrust law. It has already been found to be illegal by the courts in multiple countries. EU and US have particularly strong laws where they're egregiously violating and that's going to have consequences.<p>Play Integrity API is primarily based on hardware attestation, which is not fingerprinting. The strong integrity level fully requires hardware attestation and services using it are migrating to enforcing that. Device integrity level requires hardware attestation for devices known to have a working implementation which is a major loophole but it's gradually being closed. Play Integrity API also has many software checks.<p>Play Integrity API software checks require having an immense amount of privileged access which means it's not very compatible with sandboxed Google Play without an immense amount of work which would achieve nothing. Tricking all the software checks won't make it start permitting GrapheneOS. It's not feasible to pretend the device is one without hardware attestation while avoiding it being detected that it's being faked. None of this can be feasibly bypassed in the long term without it repeatedly breaking and becoming increasingly impractical to bypass. Many apps already require hardware attestation via the strong integrity level and eventually Google will close the loopholes for the device integrity level.<p>> maybe once that happens grapheneos will finally take anti-fingerprinting seriously<p>It isn't fingerprinting and no amount of anti-fingerprinting will bypass it. Hardware attestation exists and it provides the device model and OS. It's also easy for apps to detect those in many ways. Apps can just look at their own memory and see the OS libraries loaded into them. The only way to pretend to be the stock OS even without hardware attestation would be making essentially no changes to anything since apps can look at a lot of OS libraries, etc.<p>Running apps in VM wouldn't solve anything either and will only work for apps which don't try to detect being in a VM and don't use hardware attestation or the Play Integrity API. We'll still need to support running apps on bare metal once we have VM isolation features since one of the main things apps doing these anti-tampering and attestation checks is trying to block is being run in a virtual environment.</p>
]]></description><pubDate>Thu, 02 Jul 2026 19:11:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=48766025</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48766025</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48766025</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>GrapheneOS uses all of the standard Android security features including hardware-based security features. It also adds major security improvements including features heavily based on hardware security features which are either entirely unused or barely used by AOSP or the Pixel OS. Heavily using hardware memory tagging, integrating our USB protection with the USB controller and other features are core parts of what makes it GrapheneOS. An incomplete port without all the standard security features or the GrapheneOS added security features isn't GrapheneOS.<p>GrapheneOS closely follows along with Android releases, Linux kernel LTS revisions and driver/firmware updates. It had an experimental release based an Android 17 after only 2 days of it being released earlier this month. It quickly made it through our testing process with many regressions resolved to our Stable channel. This is part of what makes it GrapheneOS and an incomplete port to another device without the same updates wouldn't be GrapheneOS.<p>GrapheneOS is open source. People can make an incomplete port of GrapheneOS to other devices using their own project name. It's not a port of GrapheneOS to another device without having all the features and updates.<p>We phase in new hardware requirements for standard security features and the older generation devices without those are eventually gone. Adding a new device without hardware memory tagging would be far different than still supporting 6th/7th gen Pixels without it since we strongly recommend against buying those devices anymore and they're going to end up end-of-life.</p>
]]></description><pubDate>Thu, 02 Jul 2026 18:53:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=48765793</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48765793</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48765793</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>The main issue is that OEMs make too many device models with unnecessary variations for carriers/regions and make too many changes to AOSP. It's extremely hard for them to properly maintain all of it.<p>Qualcomm offers up to 8 years of updates from platform launch. Getting around 7 
years of updates requires OEMs to use the latest and great platform combined with paying Qualcomm a lot of money for long term support. It may cost a million dollars or more for each year of support. OEMs also need similar support for other components but that mostly means choosing decent components.<p>Providing proper updates has a cost most OEMs haven't been willing to pay. Pixels and Samsung flagships have been the exceptions. Samsung doesn't properly update most devices, only flagships, and it's still worse than Pixels in important ways. Samsung has also been closest to having all the hardware-based security features we need but doesn't let us use a lot of those due to crippling devices if they're ever unlocked.<p>Our partnership with Motorola Mobility partly involves them improving their devices to meet all of our requirements which was already largely happening. It also requires porting GrapheneOS to their devices and fully supporting Snapdragon again including having hardware memory tagging support on it for the first time. No one is currently using hardware memory tagging in production on Snapdragon let alone for the entire kernel and userspace as we do so it's going to be a lot of work. Motorola is going to be helping with all of this. They're also going to provide us more minimal hardware support code without unnecessary changes not needed for AOSP / GrapheneOS. A bunch of GrapheneOS features need to be ported and the device support code needs to be made compatible with our changes too including but not limited to fixing memory corruption bugs.</p>
]]></description><pubDate>Thu, 02 Jul 2026 18:37:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=48765627</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48765627</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48765627</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> Your very rigid view of the world is so distorted to the point of being absurd. You know damn well that the vast, vast majority of spying on Android is done in userspace.<p>Most local privilege escalation (LPE) attacks used to escape the app sandbox, browser renderer sandbox or other sandboxes are done with kernel exploits. There are plenty of LPE vulnerabilities in AOSP userspace code but plenty in the userspace driver and HAL code too. It's definitely the kernel ones which are used most in practice. There are an endless stream of serious Linux kernel vulnerabilities and regularly patching the kernel is crucial to privacy/security.<p>Nearly all data extraction attacks are currently done with Linux kernel USB exploits and will likely need to switch to Linux kernel radio and other driver exploits when the USB attack vector is unavailable. If you care about privacy then you probably care about protecting your data from someone who obtains your device. That heavily depends on both hardware-based security features and security updates for the firmware, kernel, drivers and HALs in addition to the AOSP portion of userspace.<p>Disk encryption doesn't truly work on most Android devices for the majority of users because they're missing Weaver throttling support in hardware so a random 6 digit PIN can be easily brute forced once an attacker gets control over the OS. Most users don't use a strong passphrase so Weaver is critical for them. A software rate limiting implementation doesn't hold up to serious attacks.<p>> A good OS that allows you to remove permissions from apps and further isolate things does a lot for privacy.<p>Privacy depends on patching privacy vulnerabilities and shipping the standard current generation privacy protections. Android 17 without our improvements has a decent permission model and app sandbox. That's not the case if there are a bunch of privacy holes in the kernel, missing privacy features due to an outdated kernel and privacy holes in the drivers/firmware too such as tracking via Wi-Fi identifiers other than the randomized MAC.<p>Privacy also heavily depends on security. That's why GrapheneOS puts so much work into security rather than only privacy features. Having a nice privacy model doesn't do any good if adversaries can exploit the OS remotely, from a malicious/compromised app or another way. It doesn't provide any protection for users against many widespread attacks. Play Store regularly catches and bans a lot of apps which use LPE vulnerabilities to take over people's devices. Far more happens via distribution methods without app store review or scanning systems.<p>We heavily improve privacy with features like Contact Scopes, Storage Scopes, Sensors toggle, Network toggle and other changes. These improvements aren't anywhere close to the highest priority on a device missing crucial privacy and security patches. It's better for someone to have a stock Android device with decent updates than a partial port of GrapheneOS with many of the privacy and security features miss<p>> I respect your desire to refuse supporting anything but pixels, but please don't pretend that alternate OS on old devices don't improve privacy and security.<p>Using those devices with LineageOS has nowhere close to reasonable privacy or security. You're missing years of Linux kernel patches, not only patches for the drivers, firmware and HALs. Not patching Linux for years is definitely important and it's not hard to exploit it if it's not getting basic updates, especially without having a lot of kernel hardening. Linux kernel exploit protections are far weaker than Android userspace exploit protections. It's the softer target and has far more privileges so that's what gets targeted. It has massive attack surface for apps despite the massive attack surface reduction done by Android. Android's standard exploit protections including attack surface reduction for the kernel are drastically better in the latest stable releases. It's not only the privacy/security patches which are important but also the standard privacy and security improvements.<p>The purpose of GrapheneOS is not making a highly insecure device somewhat less insecure while also making it less secure in other ways by losing verified boot and other security features.<p>GrapheneOS certainly doesn't refuse to support anything other than Pixels. We have an official OEM partnership with Motorola Mobility. We're working with Motorola on multiple devices meeting our requirements and providing official GrapheneOS support which should be available in under a year. You're claiming we aren't doing one of the major things we're actively working on and have announced with Motorola. We're also open to working with other OEMs once we have more resources available. It's not an exclusive partnership, but we're very busy and don't want to spread ourselves too thin.<p>So far, no other OEM has been both willing and able to make devices meeting our requirements so far. Samsung could do it but currently doesn't allow another OS to make use of many important security features right now since. Samsung permanently cripple devices if they're unlocked and locking it again with the stock OS doesn't restore all the functionality including security features, but even more security features are missing for an alternate OS than what's permanently disabled. They also make it extremely difficult to properly support their devices. They're welcome to change all of this and we could support their devices in the future.</p>
]]></description><pubDate>Thu, 02 Jul 2026 18:34:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=48765588</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48765588</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48765588</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> copy your response<p>To avoid writing the same thing a 2nd time without forcing people to use a link and lose their place where they were reading.<p>> barely answers the question<p>We fully answered the question by explaining why we currently have to use Pixels and why we won't depend on Pixels anymore in less than a year. You're ignoring our explanation of our Motorola Mobility partnership. It explains why we need the partnership instead of adding support for devices without it too.<p>> But you answered with your text about how other smartphones don't have important "hardware-based security features".<p>No, we explained most devices don't even allow another OS and many of the ones which do cripple functionality including security so we can't support those. We also explained we need firmware, kernel, driver and HAL updates for a reasonable amount of time. We need the hardware-based security features we use to implement the core protections provided against attacks. It wouldn't be GrapheneOS without solid protection against remote attacks, apps and data extraction. We linked to <a href="https://grapheneos.org/faq#future-devices" rel="nofollow">https://grapheneos.org/faq#future-devices</a> which lists out what we need. It's strange to ignore updates or put scare quotes around something we provided a detailed explanation for in the linked content.</p>
]]></description><pubDate>Thu, 02 Jul 2026 18:12:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=48765321</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48765321</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48765321</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> without preinstalls<p>GrapheneOS has an official partnership with Motorola Mobility which is improving their next generation devices to meet our requirements and helping us port GrapheneOS to those. GrapheneOS will be officially supported on those devices with Motorola Mobility providing us with the stripped down hardware support code we need to support their devices with proper firmware/driver/HAL updates.<p>A bunch of companies are already selling devices with GrapheneOS installed. Those companies can start buying the future Motorola devices supported by GrapheneOS and doing the same thing with those which they already do with Pixels. Motorola can also specifically sell devices to other companies to sell with GrapheneOS with official support from Motorola.<p>> prohibiting OEMs from making or partnering with "non Google approved" OSes<p>It has been challenged in court and ruled to be illegal in South Korea and elsewhere. Regardless, it's only an inconvenience and can be worked around. Even if Motorola can't sell devices with GrapheneOS in many countries themselves, those can still be sold by other companies and Motorola can sell devices to those companies at wholesale rates where they can match the price of the non-GrapheneOS devices. Other than Google, most OEMs aren't directly selling most of their devices anyway.</p>
]]></description><pubDate>Thu, 02 Jul 2026 17:59:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=48765159</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48765159</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48765159</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> every app installed is known to the proxy since each app has a unqiue key<p>No such proxy exists in GrapheneOS. GrapheneOS does not intercept or proxy connections made by Google apps or other apps.<p>GrapheneOS doesn't include Google Mobile Services. Sandboxed Google Play is not part of GrapheneOS. Users can choose to install Google Play services, Google Play Store and other Google apps on GrapheneOS. Unlike a standard GMS Android device, those are installed as regular sandboxed apps with no special access. The feature provided by GrapheneOS is a compatibility layer coercing those to run as regular sandboxed apps if installed by users. It doesn't involve intercepting or proxying any connections.<p>> location data is proxied<p>Location request rerouting is an entirely local feature of the sandboxed Google Play compatibility layer. By default, it replaces the Google Play location library used by many apps with another implementation using the local OS location service instead of the local Google Play location service. This isn't intercepting or proxying connections.<p>Google Play has an optional network-based location service that's opt-out for a GMS Android OS although it's opt-in for sandboxed Google Play and people would also need to grant the required permissions to Play services which aren't normally needed.<p>GrapheneOS has an opt-in network-based location using Apple's service either directly or via a proxy. We'll also eventually have our own service with offline database download support as another option. We have to build our own database to use for this first.<p>You're misunderstand what location request rerouting means. It reroutes apps which normally request location from Play services to ask the regular Android location API for it instead. This doesn't involve servers other than optional network-based location for apps which support using the network or fused providers. Network-based location is opt-in for GrapheneOS.<p>> They mention no proxy of RCS data, but in theory, an RCS message requires location data. So, the proxy knows when a message is sent and received, at a minimum.<p>GrapheneOS doesn't proxy things in the way you claim in the first place. It doesn't proxy any connections involving carriers and doesn't proxy any connections made by Google apps. It doesn't come with Google apps and those would need to be installed by users.<p>> So, based purely on the FAQ, if you use the sandboxed services and enable RCS, Graphene knows every app you install and has your location data, but they erase it after a couple of weeks.<p>This is all completely untrue. GrapheneOS doesn't include with sandboxed Google Play. Sandboxed Google Play compatibility doesn't make any connections to GrapheneOS servers. It doesn't proxy anything through our servers. RCS via Google Messages doesn't involve our servers either.<p>You're misunderstanding our approach to all of these things. Location request rerouting means replacing the local Play services location API for apps using it with the OS location API. That means asking the OS for location rather than Play services. That isn't a connection to a server. It means that by default, apps using the Play services location SDK will work without Play services needing to be granted Location access based on the OS satellite-based location. If users enable network-based location for the OS location service then it will work for apps normally using the Google Play network or fused location providers. It's an entirely local compatibility layer as with the whole rest of it. Sandboxed Google Play compatibility layer has 0 connections to our servers and there's no reason it would need to connect to our servers.</p>
]]></description><pubDate>Thu, 02 Jul 2026 17:56:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=48765101</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48765101</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48765101</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> Graphene proxies all the Google services connection. They take over the connections that would go to Google. They then, supposedly, only forward the ones you wish.<p>GrapheneOS doesn't include Google Play services. Unlike LineageOS, GrapheneOS replaces all of the standard Android Open Source Project (AOSP) connections with our own servers. Also unlike LineageOS, GrapheneOS adds toggles for these connections providing a way to disable the ones which didn't already have a way to do it. See <a href="https://eylenburg.github.io/android_comparison.htm" rel="nofollow">https://eylenburg.github.io/android_comparison.htm</a> for a comparison across AOSP-based operating systems covering what's done with most of the standard AOSP connections. It doesn't cover everything such as the Certificate Transparency (CT) log list downloads added in Android 16 which are now used by default for enforcing CT for apps targeting Android 17.<p>> Graphene proxies what would go to Google on regular Android.<p>GrapheneOS doesn't include Google Play services. It has a compatibility layer enabling running Google Mobile Services apps including Google Play services and Google Play Store as regular sandboxed apps, but it doesn't come with those. Users can choose to install those in specific profiles.<p>> I am getting downvotes on this, but that is how their Google Play sandbox works. It is proxied on their server, not your phone.
>
> A non-Google copy of your Google pointed traffic is made. That is a fact. It is identifiable to you or they could not individually forward this or that. That is a fact.<p>GrapheneOS doesn't include sandboxed Google Play. It does not come with it. It's possible to install those apps on GrapheneOS and it provides a compatibility layer to make it work. The compatibility layer doesn't involve proxying anything to our servers.<p>> Extricating from Google is the answer. Not relating your RCS chats et al through a third party then to Google then to that third party and back to you.<p>No such thing exists in GrapheneOS. It doesn't include any Google apps and doesn't proxy any of the connections made by Google apps elsewhere if people install them.<p>GrapheneOS has low-level support for RCS but doesn't have an RCS app yet since the only one for Android which exists in practice anymore is Google Messages and Google apps aren't included in GrapheneOS. Google Messages can be installed by users on GrapheneOS and set as the SMS/MMS/RCS app instead of using our fork of AOSP Messaging but that's definitely not a default. We'll have our own RCS implementation in the future in our fork of AOSP MEssaging.<p>> They wrote an article on it a while back.<p>No, and it's definitely not how sandboxed Google Play works for people who choose to install it.<p>It sounds like you're misunderstanding what our sandboxed Google Play compatibility layer handles location requests made to Play services. For users who install sandboxed Google Play on GrapheneOS, our compatibility layer redirects apps requesting location from Play services to request it from the OS instead. This doesn't involve making any connections, it happens locally on the default. By default, only GNSS (satellite-based location) with A-GNSS (SUPL and PSDS) is used.  GNSS is a receive-only system. We add toggles for configuring SUPL and PSDS with choices between GrapheneOS, Google or Off. PSDS are static database downloads covering the whole world so that's just another form of update download. We also add a toggle for opting into our network-based location implementation which uses Apple's service either directly or via a proxy. You seem to be confusing our location request redirection with intercepting connections and running those through our services which isn't what it involves at all. Our location request redirection avoids needing to grant Location access to Play services by making it use the standard Android OS location service instead as many apps already do. There's a toggle for this in case someone actually wants to use Google's location service with their network-based location instead of Apple such as if the Apple data for their area is awful.<p>> Graphene with Google Services is like calling up an Intel Agency and signing up to use them as your VPN.<p>GrapheneOS doesn't include Google Mobile Services, and our sandboxed Google Play compatibility layer doesn't work that way at all.<p>> Without Google Services, it is a way to degoogle a phone with an SD card slot and 3.5mm phone jack if Motorola continues on track, but I would prefer regular Lineage support than Graphene for that purpose in case the middle man aspect expands to non-Google Services apps later.<p>There's no such man-in-the-middle system in GrapheneOS as you claim. LineageOS does not replace the Google servers for all of the standard AOSP services as we do and doesn't provide similar settings to control all of those. GrapheneOS does not intercept/redirect Google services used by Google apps as you claim. It doesn't come with Google apps as you're describing either.<p>> I want straight no-google android with the chipset drivers so that calls and sms/mms messages work without Google getting a copy of every message sent and received, and I want it on phones with sd card slots and 3.5mm headphone ports.<p>GrapheneOS only includes support for using SMS/MMS via the carrier. There's no involvement from Google unless Google is your carrier or your carrier is using GCP to host their servers or something similar. Using Google's RCS services would require that you go out of the way to install Google Messages after first going out of the way to install sandboxed Google Play followed by setting Google Messages as your carrier-based messaging app and granting the required permissions to use RCS (Phone permission for Google Messages and Play services along with the ICC authentication toggle in the sandboxed Google Play settings).<p>You're talking about it as if us supporting installing these apps as regular sandboxed apps somehow makes that the default approach. That's not how any of this is supported at all. You have to go out of your way to install sandboxed Google Play or especially Google Messages. Those don't come with GrapheneOS.<p>GrapheneOS does not include Google Mobile Services or Google Messages. It does not intercept or proxy connections made by Google apps installed by users. None of that is part of how it works.</p>
]]></description><pubDate>Thu, 02 Jul 2026 17:44:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=48764926</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48764926</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48764926</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>> Read their terms.<p>There are no such terms. In a comment further in this thread, you linked to inaccurate posts from an anonymous user on the Privacy Guides forum as your sources.<p>> They still run everything through Google services.<p>No, this is completely untrue. GrapheneOS doesn't have any mandatory connections in the first place.<p>> They are essentially a man in the middle to Google services.<p>No, GrapheneOS is a privacy and security hardened mobile OS. It isn't a proxy service and doesn't have any mandatory services. It does not come with Google Play services.<p>> I read their terms to mean that they could snarf everything that every graphene device would normally send to Google because they are "anonymizing it" before sending it to Google.<p>There are no such terms despite what's claimed in the incorrect anonymous posts you read.<p>> What we need is Android like Lineage that works on more devices than Pixels and simply have it without Google services at all.<p>GrapheneOS doesn't add a single Google service compared to the Android Open Source Project (AOSP). It replaces all of the standard AOSP default connections with our own servers by default. It also adds settings to control each of the connections. These settings mostly have a choice between GrapheneOS server, Standard (Google) server or Off.<p>LineageOS doesn't provide replacements for the Google services pr toggles for user control. This is covered in the third party comparison at <a href="https://eylenburg.github.io/android_comparison.htm" rel="nofollow">https://eylenburg.github.io/android_comparison.htm</a> which provides an overview of what's done with most of the default AOSP connections. The table doesn't cover all the standard connections, but GrapheneOS does deal with all of them by replacing the standard servers and provides settings to control the connections.<p>We add opt-in services for geocoding and network-based location as an alternative to the Google service. We host geocoding ourselves with Nominatim using the standard OpenStreetMap, Wikipedia and other supplementary data. Our network-based location service has a choice between Apple or our proxy to Apple but we plan to build our own database to host it directly.<p>SUPL which is a limited form of network-based location has a choice between our proxy to Google, Google or Off. SUPL can be fully replaced by enabling network-based location and leaving the default enabled static global PSDS database downloads enabled. We'll be hosting our own SUPL server using our network-based location database once the much easier to build subset of the database for cellular towers is ready for use.<p>Google certified devices use Google's hardware key attestation root and service so supporting that inherently has to use either a proxy (our default) or their server including for a non-Android-based OS running on the same hardware which wants hardware attestation support to be functional. That's tied to the hardware ecosystem based on certification, not software. Non-Google-certified devices will use a different service for attestation key provisioning, either hosted by GrapheneOS or a proxy to the service by the hardware provider or certification authority.</p>
]]></description><pubDate>Thu, 02 Jul 2026 17:18:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=48764538</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48764538</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48764538</guid></item><item><title><![CDATA[New comment by grapheneos in "Android Developer Verification: Threat masquerading as protection"]]></title><description><![CDATA[
<p>Our requirements are for industry standard privacy/security patches and protections. We haven't set a high bar but rather have very reasonable requirements. There's nothing puritanical about requiring what we do for a privacy and security project.<p>Most people don't have a device permitting using another OS at all or without crippling functionality including security. They need to buy a device to use another OS as a production quality daily driver. The vast majority of GrapheneOS users bought devices to use GrapheneOS rather than using GrapheneOS because it was available for a device they bought without considering it.<p>We don't want people to buy devices which will stop getting privacy/security patches for the firmware, kernel, drivers and HALs after 2-3 years and are missing important security protections. If we support a device then people are going to buy it to use GrapheneOS. Few of the people who end up using it are going to be people who already had it.<p>We don't want to have a watered down form of GrapheneOS without the core protections including what we build with hardware memory tagging. Older devices which we discourage buying not providing all the current requirements is much different from adding new devices without those. Our recommended devices (Pixel 8 and later) provide all of the current requirements and we strongly discourage buying older devices without enough support time remaining or the current protections.<p>We have a serious OEM partnership because we stand by our requirements and haven't watered down GrapheneOS. An OEM working with us to improve their devices to meet our requirements and helping port GrapheneOS to those with full functionality is only possible because we don't poorly support anything able to run another OS.<p>GrapheneOS is open source and others are free to make incomplete ports to other devices under a different name. Many individuals and companies have done this and it hasn't gained any significant interested. It doesn't provide what GrapheneOS does and the expectations of our audience are much higher. Our audience doesn't want a device with 2-3 years of delayed security patches for the firmware, kernel, drivers and HALs follow by end-of-life.</p>
]]></description><pubDate>Thu, 02 Jul 2026 15:07:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=48762803</link><dc:creator>grapheneos</dc:creator><comments>https://news.ycombinator.com/item?id=48762803</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48762803</guid></item></channel></rss>