GrapheneOS is great and I recommend it all the time for Android users who are concerned about spying by governments and law enforcement.
@GrapheneOS As someone with some security background but well out of the loop on phone OSes... what's the mechanism for this rejection?
Like, is it closer to useragent sniffing or to some kind of signature chain?
@varx We have our Auditor app and attestation service for using the hardware attestation API with pinning-based security to provide security monitoring of devices:
https://github.com/GrapheneOS/Auditor
https://github.com/GrapheneOS/AttestationServer
Look at https://github.com/GrapheneOS/Auditor/blob/main/app/src/main/java/app/attestation/auditor/AttestationProtocol.java and you'll quickly get the idea of what it can do. We use the secure element keystore (StrongBox). OS verified boot metadata is provided to it by the boot firmware and the OS provides the app package name + signing key fingerprints + version to it too.
@varx Ingress uses it to try to stop people cheating by faking their location.
https://ingress.com/en/news/updating-google-play-integrity-api
We aren't sure if Pokemon Go currently enforces it, but it probably will. We've talked to a couple people there on X and tried to convince them to do https://grapheneos.org/articles/attestation-compatibility-guide. We know one of the main security people at Block (Square, Cash App, etc.) and are trying to get things solved for those apps. Several banks including Swissquote did specifically implement GrapheneOS hardware attestation.
@evacide Protip: make sure the Pixel phone you buy off eBay has the ability to have its OEM bootloader unlocked.
I bought one that does not allow the option to be selected in developer mode :( it says to connect to the Internet or contact my carrier. My carrier says they cannot unlock it as they did not provide the phone 😞
@evacide
> GrapheneOS is great and I recommend it all the time for Android users
I'm definitely keen to try custom ROMs like GrapheneOS, but the main obstacles for me are:
* getting hold of a device that definitely supports one
* figuring out how to install it without bricking the device
* mobile carriers here are getting very fussy about what devices they'll support
On that last point, NZ probably needs a comprehensive Right to Repair law that obliges carriers to keep supporting the devices people had when we set up our contracts until EoL. I suspect they'd quickly find a way to patch old devices to work properly without the 3G network, if their only alternative was providing a free replacement ; )
(2/2)
@Kay
> It may resurface in a smaller form in another term of government
Hopefully it will resurface in a more comprehensive form under the next government ; )
@strypey Fingers crossed. I submitted for a broader law including open sourcing software when a company could no longer provide updates, as has happened with some medical devices.
I am however realistic when it comes to NZ government understanding the issues let alone acting on addressing problems in a sensible way.
@TheGreatLlama
> which is trivial if you've bought a bootloader-unlocked phone
Buying exactly the right version of the right device does seem to make it easier. But you know what would be even better? Being able to buy a device with a non-spying OS as the default OS, from a retailer in my country, guaranteed to work with our cell carriers.
@strypey @evacide
You'll get no argument from me! Not really the world we've built at the moment, unfortunately.
For what it's worth, I've bought my last two phones used through Swappa. They let you search specifically for OEM unlocked phones and claim to stand by that. Some of the other second hand markets may have similar options, that's just the one I used.

@evacide GrapheneOS is the sane way to do phones.
FSF is a bit too idealist to think that Replicant will ever go anywhere without huge changes in people's thinking. Too much of an uphill battle in 2025 and especially ever since 2015.
@evacide for a second I read "celebrity phone hacking"
And I was gonna post...
Damned Liam Neeson we've been over this already.
The only thing that bugs me is that I have to give G00gl3 of all companies money to get a smartphone I can run without G00gl3.
Ough 😞
I'm fully aware that you guys made a conscious and well thought-through decision with regard to the hardware, there was no criticism implied :).
Was just pointing out the irony 😅.
But fully appreciate what you guys are doing, it’s important in many many ways!
Thx for that, and also for the answer here :).
Cheers!