GrapheneOS: a security-enhanced Android build

Trust in Google Hardware and Security Chips

  • Debate over GrapheneOS depending on Google Pixels and proprietary components (e.g., Titan M2).
  • Some argue: if you target Google hardware at all, you’re already placing deep trust in Google, so using their secure element/key storage is rational.
  • Others worry about opaque hardware backdoors, but are reminded that all realistic consumer platforms require trusting at least one large vendor and lots of closed firmware.
  • Baseline view: if Google is in your threat model, smartphones are mostly out; you’d need far more radical sacrifices.

Device Support, Pixels, and Other OEMs

  • Complaints that only Pixels are supported; users want “Graphene-lite” on more devices or on hardware like Fairphone.
  • Project’s response: other Android devices lack required hardware security features, verified-boot openness, or timely firmware/driver patches. Supporting them would be strictly less secure than stock and against project goals.
  • Pixels are chosen for strong hardware security, 7‑year real update support, and bootloaders that can be unlocked and then re‑locked with a custom verified‑boot key without permanently crippling the device.
  • GrapheneOS says it is working with a major OEM to have non‑Google devices meet its requirements around 2026–2027.

Privacy/Security Model and Features

  • Emphasis that “privacy requires security”: hardened kernel/userspace, Memory Tagging (MTE) on newer Pixels, hardened_malloc, strong sandboxing, and Vanadium (hardened Chromium) all aim at resisting remote exploits.
  • Extra controls: per‑app Network and Sensors permission toggles plus Storage Scopes and Contact Scopes; sandboxed Google Play running as an ordinary unprivileged app; Private Space and secondary users for separation.
  • They reject “hidden profile” / plausible‑deniability schemes as unsafe: once adversaries know such a feature exists, they have reason to distrust any password you give, which increases physical risk. They offer a transparent duress PIN/password that wipes the device instead.

App Compatibility, Payments, and Emergency Services

  • Sandboxed Play Services let most mainstream apps and many banking apps work; some banks and apps still fail due to Play Integrity checks.
  • Google Pay NFC is blocked by Google on all alternate OSes, not just Graphene; some regions can use Curve, PayPal, or bank‑provided NFC instead, or watches.
  • GrapheneOS supports E911; in regions that rely on Google’s proprietary Emergency Location Service, location sharing may not work yet. They plan an open implementation using their own network location system.

Governance, Trust, and Community Controversies

  • Long thread sections debate the project’s history (Copperhead split), the founder’s behavior, and a YouTube drama video alleging harassment.
  • Critics argue: one very central developer holding signing keys is a single point of failure and a reputational risk.
  • Supporters counter: builds are open‑source, reproducible, and widely scrutinized; the updater fetches the same signed release for every device, so targeted per‑user malicious updates aren’t possible; many security researchers and derivative projects watch the code.
  • Some participants advocate separating product from personalities and judge by technical quality and update practices rather than online drama.

Attestation, Play Integrity, and Future Risks

  • Concern that stronger hardware attestation and Google’s Play Integrity API could eventually lock out alternative OSes from key apps (banking, messaging).
  • GrapheneOS already supports hardware attestation and is working with some banks that explicitly whitelist it.
  • They characterize Play Integrity as anti‑competitive (it doesn’t even enforce meaningful patch levels) and expect possible regulatory pushback, but acknowledge this remains an open, systemic risk.
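The bank‑side allow‑listing mentioned above works at the level of the Android Key Attestation extension (OID 1.3.6.1.4.1.11129.2.1.17): after validating the certificate chain to the Google attestation root, a relying party reads the RootOfTrust and checks the verified boot state and key hash, so a locked device running GrapheneOS (boot state SelfSigned with GrapheneOS’s key) can be accepted alongside stock Pixels while unlocked or unknown configurations are refused. The following is an added example written for this page, not GrapheneOS, Auditor, or any bank’s code. It assumes chain validation has already been done and the extension body is available as DER bytes; the boot‑key hashes are hypothetical placeholders (the real ones are hashes of each OS’s verified boot public key), the `build_key_description` helper exists only to construct test input, and unlike Play Integrity it also enforces a minimum osPatchLevel.

```python
# Added example (not GrapheneOS/Auditor code): server-side policy over an
# Android Key Attestation KeyDescription (extension 1.3.6.1.4.1.11129.2.1.17).
# Assumes the leaf certificate chain was already validated to Google's root.
UNIVERSAL, CONTEXT, CONSTRUCTED = 0x00, 0x80, 0x20

def der_len(n):
    """DER length octets, short or long form."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(cls, number, value):
    """Encode one TLV; tag numbers >= 31 use the high-tag-number form ([704] etc.)."""
    if number < 31:
        head = bytes([cls | number])
    else:
        septets = []
        while number:
            septets.insert(0, number & 0x7F)
            number >>= 7
        head = bytes([cls | 0x1F] + [s | 0x80 for s in septets[:-1]] + [septets[-1]])
    return head + der_len(len(value)) + value

def der_parse(buf):
    """Shallow-decode a run of TLVs into (class, number, value) triples."""
    out, pos = [], 0
    while pos < len(buf):
        b = buf[pos]; pos += 1
        cls, number = b & 0xE0, b & 0x1F
        if number == 0x1F:                      # high-tag-number form
            number = 0
            while True:
                c = buf[pos]; pos += 1
                number = (number << 7) | (c & 0x7F)
                if not c & 0x80:
                    break
        ln = buf[pos]; pos += 1
        if ln & 0x80:                           # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(buf[pos:pos + n], "big"); pos += n
        out.append((cls, number, buf[pos:pos + ln])); pos += ln
    return out

def integer(n):           return der_tlv(UNIVERSAL, 2, n.to_bytes(n.bit_length() // 8 + 1, "big"))
def enumerated(n):        return der_tlv(UNIVERSAL, 10, bytes([n]))
def octets(b):            return der_tlv(UNIVERSAL, 4, b)
def boolean(v):           return der_tlv(UNIVERSAL, 1, b"\xff" if v else b"\x00")
def sequence(*items):     return der_tlv(UNIVERSAL | CONSTRUCTED, 16, b"".join(items))
def explicit(num, inner): return der_tlv(CONTEXT | CONSTRUCTED, num, inner)

SOFTWARE, TRUSTED_ENVIRONMENT, STRONGBOX = 0, 1, 2      # SecurityLevel
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3  # VerifiedBootState
TAG_ROOT_OF_TRUST, TAG_OS_PATCH_LEVEL = 704, 706        # AuthorizationList tags

def build_key_description(level, challenge, boot_key, locked, boot_state, patch_level):
    """Construct a KeyDescription as a device would; used here only to make test input."""
    root_of_trust = sequence(octets(boot_key), boolean(locked), enumerated(boot_state),
                             octets(b"\x11" * 32))       # constructed verifiedBootHash
    tee_enforced = sequence(explicit(TAG_ROOT_OF_TRUST, root_of_trust),
                            explicit(TAG_OS_PATCH_LEVEL, integer(patch_level)))
    return sequence(integer(4), enumerated(level), integer(4), enumerated(level),
                    octets(challenge), octets(b""), sequence(), tee_enforced)

def parse_key_description(ext):
    """Extract the fields the policy needs: security level, challenge, RootOfTrust, patch level."""
    fields = der_parse(der_parse(ext)[0][2])
    info = {"security_level": fields[1][2][0], "challenge": fields[4][2],
            "root_of_trust": None, "patch_level": None}
    for cls, number, value in der_parse(fields[7][2]):   # teeEnforced AuthorizationList
        if cls != CONTEXT | CONSTRUCTED:
            continue
        inner = der_parse(value)[0][2]                   # strip the EXPLICIT wrapper
        if number == TAG_ROOT_OF_TRUST:
            rot = der_parse(inner)
            info["root_of_trust"] = {"boot_key": rot[0][2], "locked": rot[1][2] != b"\x00",
                                     "boot_state": rot[2][2][0]}
        elif number == TAG_OS_PATCH_LEVEL:
            info["patch_level"] = int.from_bytes(inner, "big")   # YYYYMM
    return info

# HYPOTHETICAL allow-list; real entries are hashes of each OS's verified boot key.
STOCK_PIXEL_BOOT_KEY = bytes.fromhex("aa" * 32)
GRAPHENEOS_BOOT_KEY = bytes.fromhex("bb" * 32)
ALLOWED = {(VERIFIED, STOCK_PIXEL_BOOT_KEY): "stock Pixel",
           (SELF_SIGNED, GRAPHENEOS_BOOT_KEY): "GrapheneOS"}

def evaluate(ext, expected_challenge, min_patch_level):
    """Accept only hardware-backed attestations of locked, allow-listed, patched devices."""
    kd = parse_key_description(ext)
    if kd["security_level"] not in (TRUSTED_ENVIRONMENT, STRONGBOX):
        return "reject: software-level attestation"
    if kd["challenge"] != expected_challenge:      # binds the attestation to this session
        return "reject: challenge mismatch"
    rot = kd["root_of_trust"]
    if rot is None or not rot["locked"]:
        return "reject: bootloader unlocked"
    os_name = ALLOWED.get((rot["boot_state"], rot["boot_key"]))
    if os_name is None:
        return "reject: unrecognised verified boot key"
    if kd["patch_level"] is None or kd["patch_level"] < min_patch_level:
        return "reject: patch level too old"
    return "accept: " + os_name
```

The allow‑list is keyed on the pair (boot state, boot key hash) rather than on the key alone: stock Pixels attest with state Verified under Google’s key, while a locked GrapheneOS device attests SelfSigned under the project’s own key, and anything else (unlocked, Unverified, or an unknown key) is rejected before the patch‑level check runs.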

Backups and UX Odds and Ends

  • Several users highlight backups as the weakest area: Seedvault is seen as unreliable; a more robust, first‑class solution is repeatedly requested.
  • UX feedback is otherwise positive: easy web‑installer, stable daily use, strong feeling of control. Some rough edges remain (limited swipe keyboard options, no Google‑style call screening, occasional app breakage when tightening permissions).