Hacker News

A collegue of mine was tech lead at a large online bank. For the mobile app, the first and foremost threat that security auditors would find was "The app runs on a rooted phone!!!". Security theater at its finest, checkboxes gotta be checked. The irony is that the devs were using rooted phones for QA and debugging.

> It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro...

Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.

I have several linux phones but I can only do banking with their app downloaded from Aurora Store in my Vollaphone.

I'd also recommend to slowly migrate to GrapheneOS, getting to know where the boundaries are for specific apps. Once you've got your 'dailies' all up and running predictably, then you're good to go, but it could take a few days depending on how much spare time you have to find said boundaries. Having said that, I turn on most of the higher level security protections, which quite a few apps need exceptions from.

But, yes, you can't tap to pay and it's unlikely you ever will. Banking apps will be hit and miss depending on their (generally hypocritical) paranoia levels.

I pay with a tap-to-pay card, and I have never needed to do banking related things immediately, I've always done it via the bank's website.

I also still have a not-very-old 'normal' android phone for some edge cases - which are few and far between (actually, I think it's usually to cast youtube to the TV since I only have the revanced youtube app on the GrapheneOS device).

P.S. On the use of profiles, I use them to separate work apps and notifications from personal, from sporting club, from X, Y, and Z. Yes, they're a pain in the arse to switch between, but I'd argue it's more of a pain in the arse to have them all jumbled together causing even more notifications, frustrations, and distractions from whatever one should actually be concentrating on in the present moment.

> I can use my bank on some linux distro,

Yes, I've been doing that since 2009 on Ubuntu and Debian but there are several caveats.

One of those banks has its own TOTP device and they won't replace it when the battery dies. It's almost 20 years old now. Then it's the fingerprint sensor on my phone.

The other banks authenticate accesses and many operations with either their app + fingerprint (all of them) or SMS (some of them). So basically I would still need a phone with a blessed OS. I could buy the cheapest one and store it in a drawer, but it's still a dependency on Google or Apple.

GrapheneOS requirement of Pixel devices is a dependency on Google too.

About BankID: There was a regression in the app back in june that broke the app entirely. Back then I emailed the developers complaining about it, and their response indicated that there was no deliberate attempt at breaking BankID on GrapheneOS, and the specific developer who replied to me said he was a fan of the OS.

Biometric login was also confirmed to work around the same time. I can however confirm that it doesn't work on the latest app version. It complains that the webview isn't Google Chrome.

This is probably just an oversight. I will email them again; good chance they'll push a fix to recognise Vanadium webview.

> when you can just open the thing in a website anyway. I can use my bank on some linux distro

Unfortunately not.

I'm in the UK. Two of my personal banks, all four business banks that I need to use, and several credit cards, require authentication using their phone app to confirm login on their website.

None of those I've seen are using TOTP or SMS, for which I could use a general security service. All use their own phone or tablet app. One does something interesting where the website shows a unique QR code on each login, the phone app reads it with the phone camera, and then website login proceeds instantly without clicking anything.

Oh, and some of them also require phone app confirmation for card purchase transactions.

When my last phone's screen stopped working, I called one bank's "phone banking" line (using another phone of course) to make an urgent transaction, and they told me they can't do that, as only service they offer by phone is registering a new phone or tablet. They told me explicitly that it's not possible to login to their web-based banking service without using their app for authentication, and on a registered device.

It's the reason I have my current phone. I had to buy a cheap-ish Android in a hurry from a local shop, in order to proceed with my bank transaction.

Back to the main topic: I love the idea of a properly open source phone, I used to own not one but two Nokia N900s, and I once toyed with the idea of building my own Linux phone from scratch, big project though that is.

But the security ecosystem around logins has changed, and so have the services I depend on. These days I use many bank and other financial-service related apps, and I'm not, in practice, free to switch providers. So I couldn't use a Nokia N900 or modern equivalent any more as my only mobile device. I'd have to carry a second phone as well.

(Banking and other service authentications are also the only reason I have my current passport. I resented having to pay to renew my expired passport, given I had no plans to travel (small children) and the expired passport used to be accepted, but I found some banks, credit cards and even government services increasingly requiring to see a non-expired passport from time to time. When I asked one of them what do they do for the large number of people who don't have one, they simply told me they close those people's accounts and that's ok, they don't need to serve everyone. But that's another story.)

I was the one that submitted the DNB Bedrift app report to the sec dev repo! I contacted DNB but they never responded to my email. I wonder if we can find a dev? I believe that's how the private app got fixed.

Want to use Vipps tæpp so much but I have Nordea for private and they don't allow it on their cards, for whatever godforsaken reason.

Thanks for the Norwegian perspective.

I agree that the locking down is truly stupid. For what it’s worth, the reasoning for locking down mobile apps is allegedly that mobile users are a less technologically competent demographic than desktop users. I do not think so myself, given the difficulty in trying Graphene vs. Desktop Linux.

> I can use my bank on some linux distro, crazy that they trust me

enjoy it while it lasts. hardware attestation requirement for (at least) banking apps is a question of 'when', not 'if'.

> It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro, crazy that they trust me since it is not Windows - the truly secure OS!

I'm worried the day will come when some sites will require, even on a computer, a full-chain verification from the bootloader to the OS, all the way down to the browser. By requiring that each of these elements be digitally signed so that if you're not on a "secure" platform, from the bootloader to the browser, sites such as home banking could restrict access. Imagine not being able to login to your home banking because your linux box is rooted.

Btw, the good old days of modding are gone...

Same with Lineage OS, may daughter has an old Samsung with Lineage on it and the Wallet app doesn't work because the phone's been rooted.

It sorely needs to break free from the lackluster Pixel hardware. The OEM announcement can't come soon enough (and I hope it's Motorola).

I have a few features that I need that I'm not sure if Graphene supports. If you could check that would help!

Can you record phone calls? Do third party voice recorders continue recording even when the screen is locked? Thank you!

> BankID works but not with biometric login

Do you use any authenticator apps such as Okta? My org requires biometrics when using Okta on my phone.

Some other FOSS apps I use daily:

Aegis - 2FA (https://github.com/beemdevelopment/Aegis)

Breezy Weather - A very good looking weather app (https://github.com/breezy-weather/breezy-weather)

OnlyOffice Documents - MS Office suite replacement (https://github.com/ONLYOFFICE/documents-app-android)

Fossify Calendar (https://github.com/FossifyOrg/Calendar)

Fossify Messages (https://github.com/FossifyOrg/Messages)

Aves - Local gallery with great organization (https://github.com/deckerst/aves)

Termux - Terminal emulator (https://github.com/termux/termux-app/)

Unexpected Keyboard - A unique keyboard that pairs nicely with Termux (https://github.com/Julow/Unexpected-Keyboard)

WG Tunnel - WireGuard client (https://github.com/wgtunnel/wgtunnel)

These are all easily installed through Obtainium: https://obtainium.imranr.dev/

I like Organic Maps because it isn't full of the social things. Every time I open Google Maps it shows that card at the bottom with "what's popular in your area", full of pictures of people's breakfasts and other nonsense. Organic Maps is free of this noise.

Also, the desktop client on Linux is quite useful.

Alternatives for Windows etc. are Cruiser Maps, a Java application (and also available as an Android app).

Due to [0] and [1] I'm using the new fork "CoMaps" now, feature comparison: https://www.comaps.app/support/how-do-the-features-differ-fr...

It's pretty excellent! The improved integration with OpenStreetMaps to provide edits/additions is great. I made my first contribution to OSM via CoMaps.

[0] https://www.comaps.app/news/2025-04-16/1/

[1] https://www.comaps.app/news/2025-04-25/2/

Thanks for this, it's so helpful for people trying out a new platform.

I'd love to have something like this for Linux desktops as well. Maybe a website that has app-lists, where people can then potentially add info about their use cases and reasoning for their choices. Could be a great subreddit!

I tried Omarchy specifically because installed an opionated selection of apps to covered most bases, and it got me started in Arch fairly quickly. I've now completely swapped out all the components so I no longer use Omarchy at all, but it was a great way to get back into desktop Linux after being away for 20 years.

What would sandboxing an app like Google Maps look like? There are definitely situations where a sub-par map app would be detrimental. Obviously it's going to send data to Google, but do I have to sign into an account or will it have some other way of identifying my phone if I used a one-off account just for it?

I like your recommendations mostly, just wanted to point out that Organic Maps has had a falling out with the Open Source community that built it, so I wouldn't use that anymore. The community fork is called 'CoMaps' now.

Grayjay is another good YouTube (and other streaming platform) client made by the company that owns Immich

Voice audiobook player is so nice and simple, a pleasure to use

Graphene is supposedly working with a major OEM manufacturer to have future device support independent of google, on a flagship device. It's been in the works for awhile but it's very exciting.

https://www.androidauthority.com/graphene-os-major-android-o...

Pixels are really great despite being from Google. I hope they will continue to make them unlockable/relockable. As you say they are also surprisingly hard to brick. Here is someone trying to break it intentionally during the GrapheneOS install:

https://www.youtube.com/watch?v=ik0AiO0WtuU

If you don't like giving money to Google, plenty of companies offer refurbished Pixel phones.

I have a Pixel 6a with GrapheneOS. Runs great for years, except for one or two apps that require an "official" Android.

Anyway, I now need to get the battery replaced, because apparently they are dangerous and Google pays for the replacement. Unfortunately, the replacement process requires the stock android to be installed. Meaning, I would need to backup the whole phone, reinstall stock android, then restore everything - and hope the whole ordeal works out.

I've wanted to try this on my old Pixel 5, but it has the dreaded screen/motherboard failure. It appears there is no solution for that short of replacing the screen/mobo, which i've already done once after cracking it.

I tried GadgetBridge because it cannot sync the activity files (.fit and/or .gpx) so I still had to plug the watch into a computer to keep the actual data.

So I ended installing ActivityLog2[0] to do something with the files I had to have on desktop and GadgetBridge was of little use because relying on GadgetBridge without actually syncing the files might make me forget about doing the backup to a device I control (GrapheneOS or a computer).

As soon as GadgetBridge support syncing the files from the watch to the app (or any local folder on Android), I'll install it again and stop doing the manual backups over USB. Syncthing will do it automatically.

[0] https://github.com/alex-hhh/ActivityLog2

Garmin watches seem quite open even without that. I have all my data syncing to influxdb every 15min for a Grafana dashboard and it works great.

In background I also have Withings scale sync the measurements a couple of times a day to Garmin.

I didn't need anything more on my to-do list, but this is intriguing.

Alternatively, consider PineTime, which even offers a choice of the OS it runs: https://pine64.org/documentation/PineTime/

> And once you are on GrapheneOS, break free from your proprietary watch ecosystem and switch to GadgetBridge

Then switch back to Google/Apple after half a year when you discover that you can’t run

- your banking app - any government app - the app required to access large sports events - the pandemic tracking app without which you can’t enter an airport - various other random apps

because they ALL detect that you’re running on a phone with an unlocked bootloader and will flat out refuse to start. And for many of those, there is no legal alternative.

(The extent of this varies depending on where you live, of course.)

I originally wanted to get the Pixel camera app working when I got started with GOS a few years ago, but then I found Open Camera and haven't looked back. Does it do something cool that Open Camera doesn't?

8. External storage works. This is the only mobile OS I've found that has stable support for an External SSD.

I bought a second hand Pixel 7 to test this and an exFat SanDisk Extreme Portable 2TB works with reads/writes perfectly.

> 3. Android Auto works!

Does this require installing google play and other google services to work?

Edit: https://grapheneos.org/usage#android-auto

>4. Android QuickShare works!

Does that require being logged into a Google account? How to ensure Google knows nothing about your shares?

I have Graphene w/ Google Play Services (required for my job) and would love a easy way to share files/info with various devices (incl. iOS/macOS which I remember should work with QuickShare in the future) but will avoid a service that shares data with Google.

wish my yubikey would work with bitwarden

A quick question from potential buyer of next generation of pixel phones, since samsung keeps disappointing hard with their top line - is there any difference in quality between default photo app and what graphene os bundles with?

Pixel are supposed to be very good in photography, part hardware and part software, and my concern would be degradation of that software part. With small kids, there is nothing more important on phone for me than photos/video quality these days (apart from never going into apple ecosystem, I am just incompatible with that company' philosophy).

Or its just about slapping some commercial photo app (like I heard from other photographers is often done on apple to get most out of it, but forgot the name of the app) and not caring about this?

> Being able to install browser extensions in Vanadium.

You can use IronFox - available in Accrescent store that comes with GrapheneOS, and install firefox extensions

You can have a second or third VPN active if you use a work profile and private space

You can use labels for contact scope.

Note to self: look for second hand unlocked Pixel 10 pro!

This has been my experience with Windows too. Airpods connect out of the box on Linux, but on Windows they would stop pairing every couple minutes until I fixed some drivers

Hard to say how it fares against those specific attacks but some of the vulnerabilities that will go out in the mid-2026 on the mainstream handsets are already patched: https://grapheneos.org/releases#2026021200

(it's not magic. All big vendors have these details, just choose to take their sweet time to patch them. GOS has partnered with a major OEM vendor who provides them with access)

Other than the specific patches above, there's a list of generic GOS features: https://grapheneos.org/features#exploit-protection

All in all you're probably much safer.

GrapheneOS themselves dont pretend that their secure from that level of attack, but its about evaluating your own threat level. State sponsered actors aren't burning zero days on the vast majority of people, and you only need to look at how badly several european governments want to ban graphene and similar to see that such exploits aren't even being burned on organised crime. Realistically unless you're a journalist or considered a political target you're gonna be fine with graphene.

GrapheneOS have hardened_malloc which is a huge advantage, I think. It makes the weird machines problem much harder. I would say be very careful, because you can still get previews of images, or old and weird media formats that could be exploitable, and android/GrapheneOS doesn't have the same sorts of policy as say Apple with the iMessage blast door. They control safari, etc.

Android's attack surface seems pretty jagged. For example there is only one webrender engine on iOS, where you can run anything you like on Android/GrapheneOS.

It's quite secure against casual attacks, but a proprietary mobile platform has inherent issues wrt. withstanding even mildly sophisticated attackers, including mercenary spyware services. You still have a huge attack surface from all sorts of proprietary firmware blobs and hardware IP blocks that are running directly on the SoC. It's not clear that it's really worth even trying to secure it as opposed to just treating it like an untrusted toy.

It's just an Android fork. Almost certainly it's equally affected.

That's clearly a Uber problem. I'm also a GrapheneOS and used Uber once -- it worked.

Maybe not being able to use Uber isn't the downside you think it is though. UK centric view but call a cab and pay in cash, you haven't comprimised your security and you're not engaging with an unethical business.

I'm a new GrapheneOS user and stopped using Uber as altogether. Taxis aren't that bad where I'm at, and cheaper than Uber

I regularly use Uber on Graphene OS and have had no issues.

How do you know this was Graphene OS' fault?

No problem here with Uber on GrapheneOS.

Last time I checked you could still book a ride using the website.

Uber works in browser on mobile (and desktop). Last I checked lift did not.

>there was one case that lead me to thinking about ditching grapheneos to this day

Your aim is misplaced: ditch Uber, not GrapheneOS.

What exactly is the risk of getting temporarily banned on Uber? You have to use a different taxi app? As if such a thing even exists?!? Unacceptable!!

Every app on my phone has at least one other app, usually already installed, that can replace it. This wasn't intentional, it just happened naturally. Unless all two or three apps in a category get blocked for me at the same time, this already unlikely situation is barely an inconvenience.

The Pixel limitations has been my main concern as well.

The good news is that they are actively working on developing their own hardware. The bad news is that it’s been delayed. But I’m watching closely.

https://www.galaxus.at/en/page/grapheneos-postpones-pixel-al...

> when I look at one for more than 30mn

That limitation might be doing you a favor, as these things go...

Even if Pixels hadn't PWM a larger screen (or, dare I say, a book) will be an improvement for longer reading sessions.

I'm in the same boat. Bought a 9 Pro XL and had to return it. Hope their OEM will use DC dimming for the screens or have an IPS option.

In the meantime, I use a Motorola G Power 2024 which has IPS. I'm very much a non-expert but made a minor hobby out of trying to de-google it as much as possible.

Never signed into Google with it. Using NetGuard with a whitelist to prevent most of the phoning home. Uninstalled or disabled most built-in apps. The apps I use are installed via either Obtanium or Fdroid. Have Dropbox from Aurora. Use Motorola's private space for keeping some data and apps in a separate, supposedly secure locker.

I'm sure this doesn't come close to GrapheneOS's security level but it's the best I can do within the limitations of this device. It was a fun mini-project. NetGuard is invaluable for this purpose. Almost feels like the phone is truly mine.

Seriously. Especially if you're someone who wants to cut ties with Google.

Seconded. Really hope the new Graphene device does not have terrible PWM. Battery benefit to OLED is great but not if I can't look at my phone.

The whole reason why GrapheneOS is superior to its alternative is because they do all that.

I also with they could support non-Google phones, but that's a problem coming from the manufacturers, not from GrapheneOS.

My understanding is that there are close to half a million GrapheneOS users. And many potential users don't want to buy a Google phone. So it feels like it is starting to become worth considering for manufacturers...

I don't get why Fairphone doesn't look into that. Is it because they are not aware, or is it too hard for them to make hardware that is compliant with what GrapheneOS requires? Hundreds of thousands of devices may not count so much for Samsung, but they must definitely count for Fairphone.

I'm not sure I fully understand this.

Why are GrapheneOS releases dependant on Google releases?

When there isn't a perfect solution, the next best thing is... the next best thing :-).

iirc Graphene is in talks with an unnamed HW vendor to make a grapheneos specific phone. They refer to the vendor as someone who makes phones and you've likely heard of, but haven't given any more info otherwise.

Don't allow perfect to be the enemy of good.

That and blocking the query all apps feature on android

> until we free the proprietary baseband processors and their RTOS

How about Pinephone with its partially freed baseband OS [0] or Librem 5 with its removable modem [1]?

[0] https://github.com/the-modem-distro/pinephone_modem_sdk

[1] https://en.wikipedia.org/wiki/Librem_5

To make things worse it needs a google phone, of all things.

Do you also need the WiFi chip to be fully free?

I've found using separate accounts for Non-Play (default) and Play (exception/escape hatch) to be a very happy medium.

If you want to fight back‚ let convenience take the back seat.

> It also does not have an ad blocker

It does have a network-level ad blocker. What it doesn't have is a blocker which modifies/injects Javascript into pages, which iiuc is the main reason that the blocker doesn't help with ads on YouTube much, or pages which employ similar techniques.

> They recommend against using Firefox.

To clarify: they recommend against Firefox Mobile because it didn't support site isolation until last month's v147 updates. I don't know if the goalpost has moved since, but in any case: there's nothing on Graphene that would prevent you from using Firefox.

> GrapheneOS is based on Android, which is solely developed by Google.

GrapheneOS is based on the Android Open Source Project. It's incorrect to say it's solely developed by Google and it's open source software which we're free to change as we see fit.

> GrapheneOS only supports Google Pixel devices. Thankfully, they are working on partnering with a different manufacturer, but details are still very limited.

No, we already have a partnership with a major Android OEM. It's not something we're working on obtaining and we've provided a fair bit of details including that it will be publicly announced by the OEM in March, that the devices will launch in 2027 and that they'll use a high end Snapdragon SoC which is either the flagship (most likely) or one step below it.

> They recommend using the Google Play Store

No, that's not our recommendation.

> recommend against using F-Droid

We recommend against F-Droid due to it being an unnecessary middleman between users and app developers which does not truly reduce trust the app developers. F-Droid apps are consistently out-of-date and often lag months being on important privacy and security fixes. F-Droid consistently makes problematic undocumented changes to apps including rolling back dependency updates. F-Droid is known to use highly outdated build infrastructure which is very poorly secured. They have a bunch of bad security practices throughout their approach and have made it clear it isn't a priority for them. They've repeatedly said they don't believe app sandboxing is useful and much more than that. Many open source apps including Signal and WireGuard have asked to have their apps omitted from F-Droid due to the security and trustworthiness issues with the project. That's not at all something specific to GrapheneOS.

> Their Vanadium web browser is based on Chromium, which is controlled by Google.

Chromium is an open source project which is collaboratively worked on by multiple projects using it as the basis for their browsers. That includes Microsoft who implemented the WebAssembly interpreter available in the upstream Chromium codebase which is used by Vanadium but is dead code in Chrome and regular Chromium builds since it was added for Edge.

> It also does not have an ad blocker

No, that's not true. Vanadium has a default enabled ad blocker which uses EasyList, EasyPrivacy, EasyList's Adblock Warning Removal List and also selectively activates a whole bunch of EasyList affiliated language/regional lists based on the currently active languages. This approach avoids adblocking being used for fingerprinting, avoids greatly weakening site isolation sandboxing as extensions do and is much higher performance which is important on mobile. It very clearly has ad blocking and a per-site toggle for it.

> or support extensions

Extensions greatly weaken site isolation and give third party code without verified boot extensive access to website content similar to dangerous Android accessibility service apps. Very few extensions are focused on privacy and security in a similar way to GrapheneOS and would compromise what we're trying to build. It's not the approach we want to use in Vanadium. If you want to use extensions then you can use a browser with them but it doesn't fit into what we're building with Vanadium where we want to implement features ourselves in a very private, secure and robust way which cannot be done with extensions. Extensions fundamentally reduce security including because they used a shared process across all isolated websites which inherently reduces isolation. Few extensions take this seriously, even the ones focused on privacy. They commonly add leaks between sites. There are plenty of other browsers available but ours is aiming for a standard of privacy and security which cannot be achieved with extensions.

> They recommend against using Firefox.

Firefox's Android app has atrocious privacy and security. A browser without even basic content sandboxing let alone sandboxing with full site isolation. That's combined with major other major security deficiencies and it isn't something we could recommend using. Recommending against it doesn't mean people can't use it...

You'll still be using Vanadium as the web content engine within apps using the WebView such as email clients rendering HTML email and many more. Many people have a misunderstanding of what the WebView is and confuse it with custom tabs which are provided by the user's selected default browser rather than the WebView used within other apps.

> This is not a criticism of the GrapheneOS project or developers.

How isn't it criticism of GrapheneOS? Regardless, Vanadium does have an adblocker and we don't specifically recommend the Play Store as you said. The biggest issue is that what you're saying about what we prioritize, advise or provide isn't accurate.

> I understand that security is the biggest priority of GrapheneOS

Privacy is the biggest priority of GrapheneOS and privacy depends on security. GrapheneOS is a privacy project.

> It is more directed towards the GrapheneOS community that often blindly recommends GrapheneOS as the only option and treats any alternative as inferior and not to be considered.

Our project and community regularly recommends iOS as an alternative which provides far better privacy and security than non-GrapheneOS options. Most other options have very poor privacy/security including lacking even basic privacy/security patches and protections. Similarly, our project and community regularly recommends using macOS for better privacy and security than either Windows or desktop Linux. What you're saying are blind recommendations are anything but that but rather very well informed information provided by the GrapheneOS project.

> Most users do not need security at all costs.

GrapheneOS is not about security at all costs and this misconception which regularly comes up that it's about security rather than privacy is completely wrong. Many projects failing to provide decent privacy treat it as if privacy is solely about which apps/services are bundled rather than needing to provide privacy patches, privacy protections and solid security to protect that from being bypassed. Much of what GrapheneOS provides are privacy features such as Contact Scopes, Storage Scopes and the Sensors/Network toggles along with much more. The security protections it provides exist to protect privacy. Why else would the security protections be there other than to protect privacy? It's not a separate thing from privacy but rather is a huge part of providing it. There's no other reason for us to work on security than protecting privacy. It doesn't make sense to say we work on security instead of privacy.

Most users do need basic privacy/security updates and protections. Failing to keep up with basic updates and misleading users about it is a severe issue. There isn't any major non-GrapheneOS AOSP-based OS that's doing the bare minimum of keeping up with updates.

> Especially among the free and open source enthusiast community, freedom and user control are often prioritized. There should be more awareness and discussion about what the user wants and whether that actually aligns with the security-first goals of GrapheneOS.

You aren't accurately representing what GrapheneOS provides, our approach or our priorities. People can see for themselves from the detailed article that it provides a highly usable and compatible system with a huge amount of user choice. People can choose from a wide range of approaches based on their privacy and security goals. It doesn't impose choices on people. You treat it as if people are forced to use Vanadium when it's another choice of browser which people have on GrapheneOS but not elsewhere. GrapheneOS users have more choice among browsers and the one we have DOES provide ad blocking contrary to what you said. GrapheneOS users can use F-Droid despite us recommending against it due to the major security deficiencies. Providing well informed recommendations with detailed explanations does not in any way hinder user choice but rather informs people so they can make better choices. Our recommendations not aligning with your personal beliefs or preferences doesn't mean we're somehow reducing user choice.

I contacted my bank, insisting that GrapheneOS is one of the most secure OS on the market and therefore should be supported if they actually care about users' security (it's actually far more secure than all the old, far less secure but Google-approved devices out there). They acknowledged an fixed their app, one of the most popular in France.

Still missing Android Pay but that's due to Android Pay being closed. I wish banks would do something and support NFC payment systems that don't require the device to be controlled by Google (how can we be okay with this?!)

"Banking Applications Compatibility with GrapheneOS" https://privsec.dev/posts/android/banking-applications-compa...

What about the small matter of having to purchase a Google phone in the first place?

Yup, also Google Pay doesn't work, though there are other providers which work fine (Curve Pay I think works in all of EU), but it just made me carry my wallet everywhere and I understood I don't mind that at all.

Author is installing Google Play Services it seems, wouldn't that work around this?

In any case, for me this also sort of defeats the purpose: I'd rather break free from Google and Apple, not just (stock) Android and iOS.

Does anyone know if HSBC's UK app works on it? I've seen inconsistent reports that it does and doesn't.

Edit: ignore this - there's a list elsewhere in this thread!

yep - tried GrapheneOS for the first time today and my banking app detected that the phone was jailbroken.

Of course that is highly depdendet on the bank used, but so far none of my banking apps didn't work!

If you are using a rather popular banking app, chances are high that it has been discussed in the GrapheneOS forum.

Anyway, with google play services installed, mine have worked out of the box.

Definitely one of the best features to have this in the native UI, though it's also possible in other ways

If anyone wants this without GrapheneOS: https://f-droid.org/packages/dev.ukanth.ufirewall

If anyone wants this without GrapheneOS and without root: https://f-droid.org/packages/net.kollnig.missioncontrol.fdro...

There's a huge open source app ecosystem for Android and it has the best support of any major platform for well integrated web applications. There are a bunch of alternatives for getting apps including getting them directly from the developers which has been automated without needing an app store. The linked post talks about using Obtainium for getting apps more directly from developers when possible.

Was WebOS really that much about openness? Are you not thinking of FirefoxOS/B2G?

What binary format?? Go read facebook's "source code", is that any more open than a random apk? If anything, apks decompile quite well.

Android is a Linux OS and is eons ahead anything that would sit on top of "GNU/Linux" userspace.

Why start from scratch?

While I respect the Linux on Mobile work, I believe that AOSP is a lot better, with a much better security model.

Remember that GrapheneOS is not Android: it's an AOSP-based OS.

what happened to Sailfish? the successor of meego et-al

It is finnish, anyone knows how are they going?

i used that for 2 years, it's linux+kde bottom to top, a terminal + shell is a builtin, though only supporting 5+ years old Sony phones got tiresome.

Still.. it seems the only one that's usable enough apart of the duopoly. May have to switch to it again.

Your "perfect" is a massive enemy of the "good" that is GrapheneOS compared to using stock Android.

They are working with a partner to create their own hardware to run GrapheneOS on.

GrapheneOS claims to be a lot more secure, having additional hardening. See https://eylenburg.github.io/android_comparison.htm - keep in mind that it is not an independent comparison, the Graphene guys directly feed what this table is supposed to say in the issue tracker, https://github.com/eylenburg/eylenburg.github.io/issues/. But it gives a good representation of the state of the ROMs according to Graphene.

In regular use, main difference will be that /e/OS comes with access to the alternative cloud service that project provides. It uses the default FOSS solution microG for google api compatibility, unlike GrapheneOS with their sandbox approach. /e/OS sets on AppLounge to install and upgrade both play store or F-Droid apps. Graphene has a small curated app repo instead.

I'd never use GrapheneOS since I don't trust the project. /e/OS is also not my favorite since it feels like it is developing slowly, having had issues with outdated software versions - though it does work well in practice. Have a look at iode for an alternative.

I have been using /e/OS for 5 years, and also GOS. My take is:

- If your phone is supported by GOS, you should go for GOS.

- If your phone is not supported by GOS, you should look carefully and compare between /e/OS and Stock Android.

I had a Fairphone 3, and after 5 years, /e/OS was outdated by 4 years w.r.t. the manufacturer updates. In other words, Stock Android coming from Fairphone was more secure than /e/OS on that Fairphone.

In my experience, /e/OS has a tendency to claim that they support everything, but they just can't, there is too much. And then they complain when GrapheneOS criticises the fact that some /e/OS users believe their phone is well supported but actually isn't. And GrapheneOS is not wrong: I realised I was in that case after 4 years with /e/OS.

Consider this (by Graphene OS): https://discuss.grapheneos.org/d/24134-devices-lacking-stand...

/e/OS community talking about it: https://community.e.foundation/t/article-from-grapheneos-abo...

And then maybe this: https://eylenburg.github.io/android_comparison.htm

Hope that helps.

GOS creates a complete bunker of a phone that can provide defense against pretty much all but the most dedicated state level actors. If you're worried that someone would steal your phone specifically to target you, Graphene will protect against that. Securitywise it's hard to argue against them, although GOS tends to sacrifice usability in favor of security, which leads to odd decisions. Their device depreciation timeline is also pretty aggressive and really just matches that of the Pixel. (You're also buying the Google phone... to not want Google in your life; this bizarre paradox will always be strange). It's not exactly a recommendation for long-term support. Worth noting however is that usage of GOS is also seen as a signal in and of itself for the authorities that you may have something unsavory to hide, so using it stands out in that regard; some law enforcement officers (I think it was in Spain?) have said that the OS is popular with organized crime. GOS obviously denies the connection and they're probably honest in that the OS isn't deliberately designed for criminals, but it's worth noting at the very least. (Basically GOS is the paradox where someone trying their hardest to be anonymous ends up standing out way too much from the crowd and drawing attention to themselves.)

/e/OS (and similar "non-LineageOS" ROMs really) instead focus more on de-Googling. They're still generally security focused, but the priority is less "someone's after you" and more "corporate surveillance is kinda scary innit". The aim is less to avoid someone actively trying to drain your phone of data and more to prevent your phone from passively sending everything it can possibly find to the Big G's ad machine (as well as whatever other trackers get snuck into apps.) Because of this, they usually have better depreciation timelines and support a lot more devices compared to GOS who only support the Pixel line (which is an increasingly awful set of phones truth be told); their scope is much smaller.

Finally, it's worth noting that the GOS community is absurdly toxic to anyone doing anything privacy-related that isn't under the banner of GOS. It's extremely maximalist, tends to get very upset at other projects whenever they get attention (see sibling reply to this, where they pretty much melted down because an outlet dared to recommend a Fair phone+/e/OS) and the projects official channels have generally encouraged this sort of behavior. It doesn't really damage the software itself, but it's worth considering.

GrapheneOS is a privacy and security hardened OS. It preserves the standard privacy and security of the Android Open Source Project (AOSP) along with keeping up with the updates. It builds major privacy and security improvements on top of that. /e/ is the direct opposite and reduces privacy and especially security compared to AOSP. /e/ doesn't keep up with updates, has huge delays for important privacy and security patches along with reducing privacy and especially security in many other ways. GrapheneOS is a much more widely used OS with much more testing and provides much broader app compatibility. Unlike /e/, GrapheneOS only connects to GrapheneOS services by default and provides a high level of control over it. /e/ still uses a bunch of Google services by default and gives extensive privilege access to Google apps/services. Our approach is that Google apps/services are an optional thing people can install which do not receive any special access and can't do more than other regular apps since they're installed as regular sandboxed apps on GrapheneOS via our Sandboxed Google Play compatibility layer.

A common misconception is that people believe GrapheneOS is less usable than much less private and far less secure options but it's the other way around. GrapheneOS provides nearly perfect app compatibility when taking into account the per-app exploit protection compatibility toggle and sandboxed Google Play. Nearly the only apps not working on GrapheneOS are ones banning any alternate OS and a larger number of those work on GrapheneOS than elsewhere due to a subset specifically permitting GrapheneOS due to far higher rather than weaker security. Apps have legitimate reasons for being concerned about the poor security of many alternate operating systems but they're wrongly grouping it all together as if GrapheneOS.

/e/ lags weeks, months and even years behind on providing updates for drivers, firmware, the Linux kernel and more. They miss a large portion of the monthly Android security bulletins which are a limited subset of the patches in the first place but then claim to provide the latest patch level despite many of the required patches being missing.

/e/ has a supposedly private speech-to-text sends data to OpenAI and their own servers without obtaining explicit user consent to share sensitive data with a third party.

https://community.e.foundation/t/voice-to-text-feature-using...

They say the data is anonymized based on passing it through their own servers before OpenAI but OpenAI is receiving all of the user speech data under their usual terms of service enabling them to store and leverage it.

Fairphone lags significantly behind on OS updates and patches with only a small subset of what should be provided being shipped. Their hardware omits important security protections required by GrapheneOS which it uses to protect users against widespread commercial exploit tools. Fairphone doesn't provide upstream Linux kernel updates in practice which is a massive omission for their updates. Fairphone 4 has an end-of-life 4.19 kernel branch and the Fairphone 5 despite not being very old already has an end-of-life 5.4 kernel branch. Neither was providing the LTS revisions prior to end-of-life so from their perspective nothing really changed but it means it's a huge task for an alternative OS to provide basic updates since they'd need to port everything to a newer kernel branch.

/e/ does not provide similar privacy features to GrapheneOS such as Contact Scopes, Storage Scopes, Sensors toggle and much more. It focuses on bundling things which can be provided with apps such as RethinkDNS on GrapheneOS with a higher quality implementation. GrapheneOS delegates as much as it can to apps while focused on the core OS. If a feature can be done better with an open source app, we'd rather leave it up to that app and many provide privacy and security protections which apps cannot. For the most part, apps can't improve OS privacy and security. Enumerating badness via blocklists which cannot block anything that's dual purpose functionality is also a very weak approach to privacy which is increasingly less useful. The most privacy invasive behavior of apps is nearly all done through their own services which also provide their functionality. Among other things, /e/ uses this system for labeling app tracking and permissions which is incorrect and misleading as shown by this example:

https://reports.exodus-privacy.eu.org/en/reports/com.faceboo...

Facebook clearly doesn't have no tracking but rather this system only detects a small number of specific third party libraries they've decided are trackers. Those choices are often very questionable such as portraying even opt-in crash reporting as tracking because it used a third party library on their list. Meanwhile, Facebook's lite app supposedly has no trackers. The permissions list is thoroughly inaccurate and not how Android permissions work. The core permissions are opt-in with apps having to request them so listing those as if they're granted on install and mandatory due to being possible to grant is incorrect. Most of the rest have special access toggles which are opt-in for the sensitive ones or other toggles such as the battery optimization mode where Restricted stops apps starting themselves and delays those things until it's run by another app or the user.

Privacy requires providing privacy patches and strong privacy protections. It also depends on security which means providing security patches and strong security protections. GrapheneOS is heavily focused on all of that rather than simply treating not having bundled Google apps and services as meaning a private OS. There are also worse things for privacy than Google apps and services. /e/ sending speech data to OpenAI vs. Apple doing the processing locally as we've it implemented for GrapheneOS is a good example. Google at least has partial local speech-to-text support and a better privacy policy than OpenAI for the cloud portion. Avoiding Google apps/services is not the same thing as providing strong privacy.

The main difference is that GrapheneOS prioritizes security hardening first and foremost (above usability or compatibility). /e/OS focuses on privacy (i.e. reducing data leakage to adtech) and usability over security.

To put it concretely, GrapheneOS recommends running all the proprietary Google apps in a locked "sandbox" so they can't read data on the phone outside the sandbox -- but obviously Google still gets to see everything you do in their apps. /e/OS tries to provide [largely but not entirely FLOSS] alternatives (e.g. their own Maps app, their own email, their own calendar) that make your phone usable out of the box without Google software.

Read this:

https://eylenburg.github.io/android_comparison.htm

In short, GrapheneOS is vastly superior.

It should probably be "break free from Google and Apple"?

GrapheneOS is not Android. It's AOSP-based.

> Also, RCS works very inconsistently (been without it for months), seems to be Google's fault.

The best thing would be to switch to Signal (Molly) for texting.

Are you in the US? I get the impression that iMessage and RCS are only big there. Almost nobody uses them here in Europe. (It's mostly WhatsApp where I live and Signal is slowly getting more popular.)

As an aside, from the latest release notes: Sandboxed Google Play compatibility layer: add toggle for granting Play services access to ICC auth in order to support RCS with carriers requiring it for RCS in Google Messages including T-Mobile (see RCS usage guide)

https://grapheneos.org/releases#2026021200

https://grapheneos.org/usage#rcs

The RCS issue is why I switched back to iPhone, reluctantly.

If anything, iOS seems buggier and less reliable, but I know (and am related to) a lot of people who insist on using iMessage/RCS, and I can't be missing messages.

Pixels are the only devices providing the required updates and security features. These requirements are listed here:

https://grapheneos.org/faq#future-devices

GrapheneOS is partnered with a major Android OEM working on improving their future devices to meet our requirements. The first devices with official GrapheneOS support from them are planned for 2027. It takes time and resources to make reasonably secure devices. Future generations can improve further including adding hardware-based privacy/security protections unavailable on Pixels.

They are the only Android phones that have the proper security primitives to build a secure OS on top.

If something truly unacceptable happens, you still have a while to switch to something else, in the meantime you will still have a working system.

That's pretty unavoidable at that level unless you are able and willing to build your own phone hardware, OS, and all the apps you need.

> For me the biggest concern is that while you may be able to use and run your own device, you will be locked out of most propietary services.

Although this is not the case, moving away from proprietary services (and self-hosting your own) is an important goal in itself. See for instance the recent controversy regarding Discord's age verification.

I only use Firefox. It has been years since I ran into a chrome only website. Though recently I ran into an edge only websit on my corporate network, not even sure how that happens.

This might be one of those things were if there is big enough user base, companies will start to take it seriously.

Here's a community maintained list of apps and whether or not they work:

https://privsec.dev/posts/android/banking-applications-compa...

This is linked to from the Banking Apps section on GrapheneOS docs: https://grapheneos.org/usage#banking-apps

Sample size of 1: my UK banking apps all work fine.

Well i do use banking and netflix on graphene os on my pixel 8a and everything works perfectly

All Swedish banking apps I've tried works great. Including BankID, swish, Sparbanken, Nordea, LF, Revolut and more.

I've had less issues than with CalyxOS for example, where more apps broke.

Netflix and almost all banking apps work fine.

https://grapheneos.org/articles/attestation-compatibility-gu...

https://privsec.dev/posts/android/banking-applications-compa...

I am really hoping that other phone manufacturers will eventually realise that and start making phones that can be supported by GOS.

They are working with a partner to provide their own hardware to run GrapheneOS on. Maybe they will have more than one model.

Where is it? I had a really hard time finding the irony.

The article directly answers your questions, specifically in the “what is GrapheneOS?” section.

For the end user, breaking free from Google means exiting from Google’s services surveillance system wherever possible. It doesn’t mean complete elimination of the use of source code written by Google employees.

GrapheneOS is really the most private option of all viable daily drivable smartphone operating systems available, because your only other options generally involve Apple and Google services dependency.

You can use GrapheneOS and never send any user information to Google, that’s how you “break free.”

I use the PayPal app with Tap-to-pay on GrapheneOS and I haven't been banned.

But of course that's entirely up to how their algorithm happens to feel about you.

I'm happy with grapheneOS as a daily driver. Can you elaborate on being banned from paypal so I don't do the same ?

I mean you're not degoogling yourself if you put all your transactions through a google server. Cash if possible, card if not.

(Also it is possible to do these things if you root your phone, but caries its own risks and I wouldn't recommend. Ending your dependency on third party processors is probably the best outcome)

If you don't use the paypal app, you should be fine, right?

> I had a Pixel 6a with Graphene OS for a year before the phone started to glitch and eventually die. It ran pretty hot; sometimes it was hard to even hold the phone in my hands without burning myself.

This sounds like your phone may have been one of the Pixel 6a models with a defective battery[1]. It was a major problem for which Google pushed out an update that nerfed the battery life. There is a tool online where you can check if your particular 6a was one with a battery from the bad production batch[2].

But that unfortunately doesn't help if you are in Brazil where, as you say, Pixels aren't officially sold and import/export controls tend to make tech warranties useless in practice.

[1] https://www.lifewire.com/pixel-6a-battery-overheating-warnin...

[2] https://support.google.com/pixelphone/answer/16340779?hl=en

Yeah Pixels are poor quality. Mine developed the common pink vertical line display issue after 18 months

The flag ship should not be more than $500

Huh, and here I thought Google was one of the few manufacturers left that simply support it on their hardware. So it depends on some cloud service being alive.

Do you know if it's the same for Fairphone or Shiftphone? Or is there another manufacturer that doesn't require this?

I've recently bought a new phone so it's not relevant for me anymore but when I next go looking, it can factor into it. As it was, I had Google marked in my spreadsheet as the most accessible unlock method together with brands like Oneplus and Fairphone

It is just Android. If you're familiar with the usual Material styling of Android, you're familiar with what Graphene looks like.

It looks about the same as stock android.

~6 months here. In my case, it became almost a full daily driver ( putting corporate spyware on it would kinda defeat the purpose ). It is by no means perfect, but I can recommend it ( and I could not do the same with other phones that should have been better on paper -- linux phones like pinephone or purism ).

Same. Not only has using it been no trouble, but having a barebones core app selection, a few picks from F-Droid, and using the browser for the rest makes my phone feel refreshingly under my control. It lasts for 3-4 days of low usage to boot, when nothing is phoning home constantly.

Like others have said, you can use Youtube without Google account. Moreover, you can give Google the middle finger by using uBlock Origin or viewing though a third party client like VacuumTube. Also don't forget the shorts filter recently featured on HN to remove those annoying portrait format videos.

GrapheneOS is very usable as a daily driver. Nearly every Android app can be used on it and there's a huge ecosystem of open source Android apps. You should read the whole linked article which explains in depth how someone new to using it set up their device. They chose a certain way of doing it to balance their priorities. Only a tiny portion of apps can't be used on GrapheneOS which are mostly a subset of around 15% of banking apps which ban using a non-Google-certified OS in a way we can't easily work around. Most banking apps do work and extremely very other apps are unavailable. Google apps and services aren't used by GrapheneOS by default but can be installed as regular sandboxed apps.

You don't need a Google account to use YouTube and can use it via the browser, NewPipe or several other alternatives rather than their app.

The linked article covers someone's first experience with it with a lot of detail. They're using it as their daily driver with mainly open source apps and separate profiles with mainstream apps they still need. They're using those with much better privacy protections including having sandboxed Google Play in those profiles for using mainstream apps rather than regular highly privileged Google Play heavily integrated into the OS and not running with the standard app sandbox or privileges.

As someone who doesn't have a Google account, I can use YouTube just fine on my GrapheneOS phone using apps like NewPipe.

Why do I need a Google account for Youtube? It seems I can watch nearly any video I want without logging in. Moreover there are anonymity proxies like Invidious.

No, that's a misconception. GrapheneOS has only ever supported devices where the cellular radio is isolated from the OS and unprivileged. It does not have access to memory it hasn't been permitted to access by GrapheneOS. Wi-Fi, Bluetooth, NFC, UWB, etc. are isolated components too. Our hardware requirements are listed in our FAQ and require proper isolation for radios:

https://grapheneos.org/faq#future-devices

8th, 9th and 10th gen Pixels provide our full set of requirements with 7 years of support from launch. 6th and 7th gen Pixels are missing the ARMv9 security features including the extremely important hardware memory tagging (MTE) feature we heavily use to protect against exploitation. Even the first devices we supported back in 2014 including the Nexus 5 had isolation for the cellular radio but similar isolation for Wi-Fi/Bluetooth started with the Nexus 5X.

They are working on getting their own hardware.

And the 50% of banking apps still wont work because it wants an android signed by google.

And no tap to pay.

Hopefully the new EU banking system will work on Graphene and Ill switch back

I tried Ubuntu Touch and Droidian

https://blog.tomaszdunia.pl/ubuntu-touch-eng/

https://blog.tomaszdunia.pl/droidian-eng/

You're confused. GrapheneOS is not Android, it's an AOSP-based OS.

> I'm not sure it's really breaking free when the first task to do is intall Google Play Services so your banking app works.

sandboxed Google Play Services. It's an important difference.

You could buy a used Pixel. Also, they are working with a partner to create their own phone hardware.

This statement implies ignorance to the reasons the project selected Pixel devices.

Some banks force you to validate transfers on your phone; unfortunately its not the user who decides

Depositing checks by taking a picture of them.

There are multiple options for tap-to-pay on GrapheneOS in the UK and European Economic Area. It depends on where you are.

GrapheneOS isn't rooted. Did you mean that your corporate MDM app doesn't run on non-certified OSes?

GrapheneOS has the same camera features and quality as the stock Pixel OS within the same apps. You can use Pixel Camera on GrapheneOS even without sandboxed Google Play in the same profile if you want the full feature set. If you want extremely good cameras, the Pixel 10 Pro and Pixel 10 Pro XL are the best choices. Those provide the highest quality image sensors among the available supported devices and the Pro mode in Pixel Camera. See https://www.dxomark.com/smartphones/ for how those compare to other devices. Our own Camera app will be heavily overhauled to narrow the gap more with the Pixel Camera app but you can already use that especially if you care a lot about this.

You can run the proprietary Pixel camera software on GrapheneOS just fine (properly sandboxed).

GrapheneOS only works on Pixel devices so it only targets a very limited set of Android camera hardware.

From a quick look online it may be the Pixel 8 https://www.gsmarena.com/google_pixel_8-12546.php at 150.5 x 70.8 x 8.9 mm based on recommended devices.

Maybe an old Pixel with an old version of GrapheneOS, but at that point you're losing most of the security benefits and, depending on your goals, you may be better served with a small phone running a different OS

They are working with a partner to get their own phone hardware.

You can use GrapheneOS with the Google Pixel lineup, or in particular the Pixel 10 Pro XL [1].

GrapheneOS supports Android's Quick Share, which (on the Pixel 10 family) is compatible with AirDrop [2].

[1] https://grapheneos.org/faq#supported-devices

[2] https://blog.google/products-and-platforms/platforms/android...

It is not. GrapheneOS is AOSP-based.

But yeah, same binary blob issues for firmwares, but Linux on Mobile has the same issues.

https://www.kuketz-blog.de/grapheneos-der-goldstandard-unter...

I can understand the frustration, but it wouldn't be right to say they 'restrict themselves to Pixels'. They believe strongly in a standard for privacy/security of people's personal devices, and unfortunately only Pixels are close to meeting those standards. It's not even like Pixels are their ideal device.

I feel the frustration should be targeted at OEMs that don't meet very reasonable requirements like minimum 5 years of monthly (timely) security updates.

People seem to fondly remember the Microsoft phones. If they made them now though, I can't really imagine what sort of Copilot-filled abomination they would be.

Yeah that's not actually good. As much as I'd never use anything from Microsoft, having less diversity is not a step in the right direction.

I heard that Windows on phones is about to make a return later this year, thanks to NexPhone.

900+ donors on github (https://grapheneos.org/donate#github) is not *too* bad, but likely not enough to cover a full salary.

You can install Google Apps as a regular set of user apps rather than a system-level admin monstrosity, and it mostly works - Play Store included.

Whether or not that defeats the purpose is an exercise left to the reader.

You're not the first to notice! It's called the network effect

Break free from Google by buying their hardware and be dependant on them to actively support the device. Things are absurd at this stage. I guess there is different motivations behind mobile OSes.

Because google actually cares about hardware and software security. Read the FAQ: https://grapheneos.org/faq#supported-devices

I believe (as it's open source) there is nothing impeding anybody else to compile grapheneOS in a samsung S10, which would not be as secure, but should still work as any lineage

However I haven't seen anybody try

Because phones have device-specific code. Effectively, each single model is running its own fork of Android. Naturally, Google has no incentive to change this - it makes it difficult to update (planned obsolescence) and install other software (like GrapheneOS).

No, I also click away articles in that font style if it's not exceptionally interesting or relevant to me

In this case, reader mode fixes it (your browser probably has a button built in)

If you're tech-literate enough to find the bootloader unlock, I find that a strange statement. Could $colleague be anymore specific?

You might want to reconsider trusting your colleague's technical opinions.

You'd be pleased to hear, then, that "break free from Google and Apple" is not Graphene's mission statement, because this is a blog.

GrapheneOS is based on the latest release of the Android Open Source Project (AOSP) which is Android 16 QPR2. It looks nearly the same as the stock Pixel OS also based on the same AOSP release. The main UI differences are user-facing portions of the many privacy and security features added by GrapheneOS. There are minor differences such as the stock Pixel OS having a few different fonts than AOSP. The main thing to show would be the UI for features such as Contact Scopes, Storage Scopes, per-app exploit protection controls, etc. It looks like the stock Pixel OS without the Google app/service integration not present in AOSP with added privacy and security controls.

There are many useful videos about GrapheneOS here:

https://www.youtube.com/@sideofburritos/videos

Any of the videos older than December 2025 will be prior to Android 16 QPR2 so the overall UI will be outdated. That's part of why we don't focus on screenshots or videos because many would need to get updated every 4 months. We'd mainly be using them for our own features which often improve more frequently than that.

You can use a different keyboard than the default AOSP keyboard with more modern features including but not limited to swipe typing. We plan to replace AOSP keyboard with a fork of a more modern app but there isn't yet one meeting the functionality requirements which is under a license we can use. FlorisBoard is what we have plans to eventually use, although it might not be what we end up using.

Check out FUTO Keyboard, It has swipe-typing feature.

Answered 2h ago before your comment: https://news.ycombinator.com/item?id=47047720

Saving a click, it looks like any bare Android without vendor customisations. You just get extra settings like turning off network per app

I don't disagree that some screenshots might be good marketing

You can bypass Play Store restrictions on app installs by using Aurora Store. There's a high chance your banking app can be used but it may require toggling the per-app exploit protection compatibility mode. Most banking apps work on GrapheneOS. X is one of extremely few apps disallowing using a non-Google-certified OS but it only partially disallows it in their store listing which can be worked around and for regular password login. Login is still possible to X via a passkey or Google login. X should stop doing that but they're quite understaffed and did this as a misguided anti-spam measure.

Fairphone is far from meeting the update and security requirements for GrapheneOS. It isn't a viable platform for a hardened OS to use and isn't likely to ever become one due to security being very far from a priority for them.

GrapheneOS has a partnership with one of the largest Android OEMs. They're going to be announcing it in March 2026. Devices meeting all of the update and security requirements from them with official GrapheneOS support are planned for 2027. We don't expect future Pixels to prevent installing GrapheneOS but we'll be fine if they do. We'd still like to keep supporting new Pixels but they'll become a secondary option in the future since there will be devices with official support.

Try a social media that is not antisocial. HN, Mastodon, Tildes, various forums... lots of communities and tech content are available in browsers or via open source apps

I'm not aware of any that bans you when not using an allowlisted OS, so maybe it was something else that caused this shadowban, or (more likely) that's just my bubble

I love the ability to block apps from accessing the network. There is no reason apps like the keyboard, camera, or other offline apps and games need access to the internet.

I commented elsewhere but GrapheneOS on Pixels actively siphon resources from Google and is arguably a good protest against google.

They subsidize Pixel hardware (to incentivize users to adopt their spyware OS), you (buying used obviously) take their subsidized hardware and do not repay them by using their spyware, replacing it with Graphene. Only google loses. Their hardware is technically very good otherwise (in fact no other hardware fits the strict graphene security requirements).