GrapheneOS expert MetropleX joins David Bombal to bust myths. We cover banking apps, notifications, Play Services, and why GrapheneOS is more secure than iOS...

I’m considering the switch to GrapheneOS, so I watched this interview with one of the members of the GrapheneOS team, and honestly, I feel it was a great general introduction to it and touched on common features and misconceptions.

For those who don’t know, it’s one of the most secure and private mobile operating systems out there. Some things that I took away:

  1. They touched upon MAC randomization. I researched a bit on my own about what the need for it is. Apparently, it’s standard practice to randomize MAC addresses when scanning WiFi connections. However, GrapheneOS (and Pixel firmware) are even better at this, as they make sure they don’t leak any other identifiers when doing so. They also allow you to get a new random MAC for every connection that you make (not sure whether this is very useful, as this can cause problems). On a related note, even when WiFi/Bluetooth are “off,” stock Android can still scan in the background to improve location accuracy (by matching visible networks/devices against Google’s database). So basically, even with WiFi/Bluetooth off, Google still knows where you are. In GrapheneOS, this option is off by default.

  2. They have their own reverse proxies that they use to talk to Google on your behalf when needed.

  3. Apparently, in the USA you can be compelled to provide a fingerprint or Face ID. Courts have ruled this doesn’t violate the 5th Amendment because it’s physical, not testimonial. BUT you cannot be compelled to provide a password/PIN. That’s considered testimonial evidence, protected by the 5th Amendment. GrapheneOS has a two-factor system where, after using your fingerprint, you still need to enter a PIN, so it helps with this. They also have a BFU state after reboot, which is the safest and requires you to enter your full passphrase.

  • Pearl@lemmy.ml
    0·
    2 days ago
    • Mac randomization is also on ios
    • Apple provides an ip hiding proxy service
    • ios has BFU where biometric is disabled. And holding power button disables biometric unlock. And nothing is better than just having biometric unlock turned off.
    • Coleslaw4145@lemmy.world
      0·
      2 days ago
      • Apple also collects a massive amount of data on their users. But thats ok apparently as long as they just say “trust me bro”.
    • youmaynotknow@lemmy.zip
      0·
      2 days ago

      Does iOS also provide:

      • Duress password?
      • Scrambled PIN input layout?
      • Storage scopes?
      • Contacts scope?
      • Full permission control on Apple apps like their app store?
      • Hardened segregation of profiles?
      • Fully controllable sandboxing?

      Honest questions. I don’t use anything Apple, but have used GrapheneOS for years.

      • the rizzler@lemmygrad.ml
        0·
        2 days ago

        mostly the answer is no. it has the same permission controls for apple’s own apps as third-party apps, but ofc graphene has a couple more options there too. filesystem access is limited to the file picker and the app’s own data directory, which i assume is a tiny bit more restrictive to the user than storage scopes. the scope concept also exists for contacts, pictures, health, and maybe a few other things. user profiles don’t exist on iphones; i think they might on ipads but i don’t have one. sandboxes are pretty locked down but not controllable by the user. then there’s “lockdown mode” which disables a whole bunch of shit and is supposed to harden your phone to highly-motivated/funded attackers

        • youmaynotknow@lemmy.zip
          0·
          1 day ago

          Yeah, thanks. The more I research and ask knowledgeable Apple users, the more I’m convinced that if GOS did not exist I would either move to iPhone or just get a dumb phone for calls and rely on Linux computers for everything else. In Android, everything outside GOS is worse than stock android, let that sink in 😕

          • the rizzler@lemmygrad.ml
            0·
            1 day ago

            actually i’m thinking of switching to graphene eventually myself. is there anything you can tell me about that?

            • youmaynotknow@lemmy.zip
              0·
              19 hours ago

              Compared to iOS? There’s nothing I can say other than what I’ve researched and asked around, which makes it an acceptable second after GOS. Now, about any other bloat-ridden mobile OS out there, including some claiming to be private, secure or both (yes, I’m talking about e/OS, Iodè, brax and others), it’s incredibly customizable from any standpoint (taste, security, privacy), super fast, ridiculously minimalist, however you can run over 99%of all android apps out there (some may require tweaking, for example, Exploit Protection Compatibility mode, which is how I actually got the Chase app to work, which was the one android app that didn’t).

              You could say that, it’s not just the most secure mobile OS out there, but also the one that allows for more convenience as well (knowing convenience tends to sometimes drop security levels as well as privacy levels). The best part is how you get to choose how you segregate what you allow apps and services across profiles, or even in the same profile.

              Honestly, I tried going back tk stock to see if I was missing out on something, and after less than 24 hours I couldn’t take it anymore, the control I lost by trying was making me anxious.

              • the rizzler@lemmygrad.ml
                0·
                18 hours ago

                that makes sense, thanks. is it still difficult to get tap-to-pay to work on graphene? i try to use cash and i assume most grapheneos users do too so there’s not a whole lot of information on it