Since GrapheneOS is the standard recommendation for a custom ROM on Pixel devices and comes up very often, I figured we should have a thread about it.

For those who are using it, what Pixel device are you running GrapheneOS on and how is the overall experience? What are the things that you like about GrapheneOS and what are things you miss from the factory Android install?

As for me, my curiosity got the better of me and I finally went and installed GrapheneOS on my Pixel 7a using the web installer on Arch Linux and a USB cable.

So far, nothing unexpected and I’ll have to do a bit of exploring of the OS’ security features. The OS works just fine and feels obviously way cleaner and less bloated, the annoying search widget finally went away without having to install a custom launcher. The only thing that scared me a bit in the beginning was the contacts not syncing and some purchased apps not transferring over as the sandboxed Google Play saw the device as a different one but that was solved by giving it permission to access contacts and also waiting for Google Play to do its thing. Google Camera and Google Photos also worked fine without network permissions.

I haven’t tried Google Wallet’s NFC payments yet and I have no hopes for that one to work on GrapheneOS, but that is certainly a feature I will miss.

  • Otter@lemmy.ca
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    I like learning about it, but I worry about incompatibility with apps I might need for work and school.

    I might switch to it someday, just not today

        • random65837@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          It works fine with banking apps, you sometimes have to disable exploit protection for some of them, but not all. Banking apps not working on custom OS"s is more of a side effect of having your bootloader unlocked, or being rooted, not having a custom OS.

  • Hubi@feddit.de
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 year ago

    I have been using GrapheneOS since the Pixel 6 came out and I have no complaints. I get regular updates, the OS is super stable and my phone is free of the pre-installed ad- and spyware.

    I also remember the ridiculously easy and straight forward install, something that I wasn’t expecting since I used to tinker with LineageOS and CyanogenMod way back. It almost feels like a stock rom.

    The additional security features are great, though they come with the tiny inconvenience of not having access to system files (which is obviously by design).

    Overall I couldn’t be happier with it and I’ll continue to use it for as long as I can.

  • KISSmyOS@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    1
    ·
    1 year ago

    I don’t understand the decision to only support Pixel phones. I want to degoogle, I’m not going to give Google money for a phone to do it.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      1 year ago

      Thats a excellent point, which goes back on the android ecosystem not scratching this itch itself outside of google.

      in the past they supported a samsung phone, and a hikey device.

      https://grapheneos.org/faq#future-devices

      Hardware, firmware and software specific to devices like drivers play a huge role in the overall security of a device.

      Non-exhaustive list of requirements for future devices, which are standards met or exceeded by current Pixel devices:

      • Support for using alternate operating systems including full hardware security functionality
      • Complete monthly Android Security Bulletin patches without any regular delays longer than a week
      • At least 4 years of updates from launch (Pixels now have 7)
      • Vendor code updated to new monthly, quarterly and yearly releases of AOSP within several months to provide new security improvements (Pixels receive these in the month they’re released)
      • Linux 5.15 or Linux 6.1 Generic Kernel Image (GKI) support
      • Hardware memory tagging (ARM MTE or equivalent)
      • BTI/PAC, CET or equivalent
      • PXN, SMEP or equivalent
      • PAN, SMAP or equivalent
      • Isolated radios (cellular, Wi-Fi, Bluetooth, NFC, etc.), GPU, SSD, media encode / decode, image processor and other components
      • Support for A/B updates of both the firmware and OS images with automatic rollback if the initial boot fails one or more times
      • Verified boot with rollback protection for firmware
      • Verified boot with rollback protection for the OS (Android Verified Boot)
      • Verified boot key fingerprint for yellow boot state displayed with a secure hash (non-truncated SHA-256 or better)
      • StrongBox keystore provided by secure element
      • Hardware key attestation support for the StrongBox keystore
      • Attest key support for hardware key attestation to provide pinning support
      • Weaver disk encryption key derivation throttling provided by secure element
      • Inline disk encryption acceleration with wrapped key support
      • 64-bit-only device support code
      • Wi-Fi anonymity support including MAC address randomization, probe sequence number randomization and no other leaked identifiers

      GOS’s mission is Security and User Agency first. Fuck google doesn’t even fit into their vision statement, it just so happens user agency and fuck google align most of the time.

    • RealHonest@lemmy.one
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      8
      ·
      1 year ago

      Yeah and most install google play anyway. It’s literally a stock Pixel phone with missing features.

      • Redoomed@lemm.ee
        link
        fedilink
        English
        arrow-up
        12
        ·
        1 year ago

        literally a stock Pixel phone with missing features

        Does the stock Pixel operating system have a network permission toggle that can limit any app’s access to the internet pre- or post-install?

        Does the stock Pixel OS have storage scopes or contact scopes, both of which give you granular control over what data an app can see/access?

      • z00s@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        Most? What’s your source on that?

        The point is that you can if you want to, but you don’t have to; you’re free to choose.

      • AlmightySnoo 🐢🇮🇱🇺🇦@lemmy.worldOPM
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        Just like you can have Linux and proprietary stuff like Steam on it. It isn’t really contradictory, the whole issue is about choice and controlled privacy. When you install an app through the Sandboxed Google Play, you not only don’t have to deal with the Play background services anymore, but as Redoomed mentioned you also get more fine-grained control of what the installed app can and cannot do. Even proprietary stuff should be more secure in theory since among other things they reroute malloc calls to their hardened versions.

        With the factory Android install you don’t have that much control and you can see that on the first boot as you’re from the start stuck with the ugly Google search bar on the home screen with no way to remove it other than installing another launcher.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Most? I’m curious how you get this data, since the entire point of GOS is to keep usage data private.

  • WagnasT@iusearchlinux.fyi
    link
    fedilink
    English
    arrow-up
    11
    ·
    1 year ago

    still using my pixel 3a XL, graphene was great until suddenly it wasnt. As soon as google drops support for the device you’re on your own. Most of the apps still get updated but the OS no longer gets security updates, which is understandable but unfortunate.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        1 year ago

        This is just to give people an opportunity to move off of the device.

        Once this happens, and the phone is no longer getting hardware security patches, graphene OS and calyx OS both drop support for the device, with the exception of fair phone… were they pretend they’re getting hardware security patches but they’re not. That’s a separate discussion

        For a device with no hardware security patches, you can run lineage OS, with an unlocked bootloader which isn’t great… or divest OS DOS… which locks the bootloader, but strips out a lot of the Google services. It might be a more extreme environment than you want, lineage might be the sweet spot of usable but not secure.

      • random65837@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        True, but the downsides of Calyx could possibly be worse than an unsupported GrapheneOS. If you weren’t going to push it too far, I’d just stay on Graphene, but I never let my phones hit EOL either.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I have a pixel 3A as well, and I went through this exact same thing. My only complaint with graphene OS in this scenario is they should have pop-up notifications when support is being discontinued, so that you know you need to start migrating.

      I only really noticed when I thought, hey I haven’t installed a operating system update in a long time… That’s not great.

  • warmaster@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    1 year ago

    Google Pay incompatibility is certainly a tough pill to swallow. Other than that is Google Maps working fine ? What about Android Auto? I’m definately interested to go this route.

          • vodka@lemm.ee
            link
            fedilink
            English
            arrow-up
            8
            ·
            1 year ago

            Android Auto can’t work with sandboxing, it basically needs to run as root and get full access to absolutely everything on the device.

            I’d not expect it to work ever, unless someone spends significant time reverse engineering it.

            • Retriever0036@lemmy.world
              link
              fedilink
              English
              arrow-up
              6
              ·
              edit-2
              1 year ago

              The devs are currently working on Android Auto support! They are testing it and it should be released in a few releases I can’t find the right the link. But they also did announce it on twitter: https://twitter.com/GrapheneOS/status/1721263825192726737?s=19

              I shared the literal quote from the grapheneos devs with a buddy, but didn’t save the url: “Android Auto support for sandboxed Google Play has been implemented in a feature branch and is being tested”

              You can find multiple Quotes by the devs in their discord / matrix channels, just search for Android auto Last reply was an hour ago saying support is coming “very soon”

              • vodka@lemm.ee
                link
                fedilink
                English
                arrow-up
                3
                ·
                1 year ago

                Neat! That’s a massive undertaking considering how much stuff needs to be shimmed to protect privacy, surprised anyone bothered! But I guess someone on the team must have bought a new car recently and want it working.

            • random65837@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              2
              ·
              1 year ago

              Somebody did, I think the scripts are on XDA, but doing so would be incredibly stupid and id assume it would die again with a system update.

  • heleos@lemm.ee
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 year ago

    I tried it out on my Pixel 8 Pro but I’m back on stock. I’m trying to be more privacy focused, but I use a lot of Google apps still, so I had almost everything enabled from Google anyways, so I might as well stay on stock for now. It was neat, but I didn’t notice any battery improvements, which is also what I was looking for

  • jacktherippah@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    GrapheneOS is amazing. So many privacy and security features. I finally feel in complete control of my phone. It’s not only secure and private, it’s also smooth and stable too, much more so than the buggy mess that is stock Pixel OS. And did I mention that it updates faster than stock OS!? It’s also far more stable than every other alternative OS on every other phone I’ve had. I loved it so much I sent my first 5$ to a FOSS project ever LOL. This is my endgame OS and I’m never using anything else ever again.

    • mellejwz@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I also like it, but installing apps takes such a long time and auto updates don’t always work. When you open aurora store or f-droid you’ll get a dialog to allow an app to install. Battery drain was also higher than on stock. Not sure why that is, even without Google apps.

      • random65837@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        3
        ·
        1 year ago

        It takes longer because of the security, which you can disable, but that would be stupid. Unless you constantly install apps all day, hardly an issue.

        You could also give play store a bunch of permissions that it doesn’t need, and it would update “normally”, but again, that would defeat the entire purpose of taking all the per.iaaik s from it in the first place.

        • mellejwz@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          I wasn’t able to find those settings. It’s also not for installing new apps, but more for updates. You’ll have to check for updates manually because of it. It also wasn’t for the Play Store, but for F-Droid and such. I do think I’ll install it again at some point, but I do use some Google services like the photo’s backup and app backup. If I can find alternatives for that I will try it again.

          • random65837@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            3
            ·
            1 year ago

            It’s the exploit protection and native code debugging options that slow the installs down (updates are still installs), but again, disabling them would be a terrible idea. The only reason disabling them is an option is for troubleshooting purposes and shouldnt be done otherwise.

            Ente is a great E2EE zero knowledge photo backup solution that’s multi platform and fairly priced. Immich, while still pretty new is a self hosted solution that’s a near clone of Google Photos, allowing Google to either back up your photos, which may or may not have metadata attached, or your contacts especially, should be given further thought if privacy is a concern of yours. Many email providers offer CarDAV/CalDAV solutions for that, you can self host radicle to back them up, or just manually do it and sync the backup folder somewhere. Going to Graphene and then syncing highly personal things…to Google, doesnt make a ton of sense. That’s your call though.

            • mellejwz@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Yeah I’m trying to go Google-less on my phone (I’ll still use Youtube and such on my tablet), but I didn’t really think about all that’s synced with Google. I’m testing different solutions, but I haven’t found a solution for all of it, thanks for the suggestions!

  • BadEngineering@kbin.social
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    I’ve been running Graphene on my Pixel 6 pro for about a year now and it’s been pretty great. I have had a couple bugs here and there but nothing a quick restart wouldn’t fix. I can honestly say I don’t really miss any of the google stuff, I’ve switched to FOSS apps for pretty much everything ,except for what’s required for work.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    1 year ago

    pixel 7a - GOS - everything just works, just like stock android. No real change in experience, nothing i miss (gpay doesn’t work in my country anyway for tap to pay), running the sandboxed google play and you would never know its not stock.

    The network permissions are nice, the multiple accounts are nice. Honestly, I don’t see any downside.

    Two things would make it even better:

    • being able to share a vpn with tethered devices (calyxos and lineage can do this) - this is absolutely a killer feature and replaces a travel router
    • Work profiles for every account (calyxos has this), so that your second account can also have a work profile, not just the owner account.
  • Sleestak_Chaka@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    I use it on my Pixel 7. Don’t miss anything from stock Google. Your usage will vary depending on your needs.

  • Synapse@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I use it on Pixel 7 and my partner on Pixel 6a. I miss Android auto sometimes, but I would use it maybe twice a year so it isn’t a big deal to me. Otherwise it’s great, I had no trouble using NFC paiment and apart from android auto, every single app i’ve tried worked without issue.

      • random65837@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        3
        ·
        1 year ago

        They’ll work if they don’t have a Google pay dependency. Most banks don’t run their own NFC wallets anymore, at least not in the US minus some small banks. My credit unions used to, then they changed it. It’s was too easy for them to be a frontend for Google pay than to build their own app from the ground up.

          • random65837@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            2
            ·
            11 months ago

            Most likely, but even if it worked correctly via Google pay, you really want you purchases running through Google?

              • random65837@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                3
                ·
                11 months ago

                That’s nice, but still not worth Google processing your payments and knowing what you buy and where.

                Nice generational hack, because most retail is the younger crowd, I’ve lost track of how many times I wanted to set up something on a privacy card, or make a purchase on one where I know it’s not gonna happen naturally, so I pull up the privacy card on the screen, tap it to the terminal a couple times and then go “WTF is wrong with my phone” , can you type this in? With a pic of the card on the screen, the young ones will just take the phone and type it in 8/10x. They dont think twice about it, totally normal to them. Not good for a quick purchase at a convenience store or anything, but bigger purchases in stores its handy. Plus I use a lot of the store apps (mainly grocery and wholesale clubs, then link privacy cards to them. Since you can give any names and zip codes with those, all the acct info on them is bullshit info and it works great.

    • Sleestak_Chaka@lemm.ee
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Android Auto is in the works and it is one of the teams priority. They know it holds many back from installing.

      This was from one of their social posts. Can’t recall if it was Bluesky, Mastodon or other.

      • Synapse@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Yes, I saw it too. I guess they still need time for this feature. It doesn’t sound like a very trivial fix, at least not without compromizing on security and privacy.

      • AlmightySnoo 🐢🇮🇱🇺🇦@lemmy.worldOPM
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        I think he means Google’s anti-spam solution for calls and text messages and he’s right, I’ve also been getting some spam recently that I wasn’t getting before moving to GrapheneOS. I’m not sure if there’s a good FOSS solution for that? There’s also the option of just installing Google’s phone and messages apps but that kind of defeats the purpose.

  • ThrowawayPermanente@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Pixel 5a, been using it for 3 years. It’s great. But don’t put anything you need to receive notifications from in a different profile or you’ll never see them.

  • nodsocket@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    11 months ago

    It’s an excellent improvement on the stock OS. Fixes all the reasons why I hate smartphones with zero sacrifices on usability.