limit--
evacideGrapheneOS is great and I recommend it all the time for Android users who are concerned about spying by governments and law enforcement.
sijmen@evacide It's been on my to-do list since forever, guess it's time to do it sooner rather than later
Marlow@vijfhoek I have found it an extremely easy switch to make, especially with being able to slowly move off Google Play Services because of the Google Play Services mirror.
besselj@evacide it's been my daily driver through most of this year. Would definitely recommend for people who want the privacy and control over their own phone. Google is optional and there's no baked-in AI.
🍂mast0d0nphan🍁 (HAS MOVED)
GrapheneOS@mast0d0nphan @besselj @evacide We have our own compatibility layer rather than using microG. It enables more apps to work without Google Play installed, but the main functionality is being able to install Google Play as a set of regular sandboxed apps providing all the functionality relevant to running other apps. Not all the invasive Google functionality can be used, but everything needed by other Android apps dependent on Google services can be used so it provides near perfect compatibility.
@mast0d0nphan @besselj @evacide A tiny subset of apps ban using a non-Google-certified device or non-stock OS. It's a growing issue though. Mainly impacts a subset of banking apps, maybe around 10% of those right now. A few of those banking apps have been convinced to explicitly allowlist GrapheneOS but the problem is growing faster than we're getting it solved. Play Integrity API is very anti-competitive and anti-security. It allows being years behind on patches, but not a much more secure OS.
@mast0d0nphan @besselj @evacide Most people can use GrapheneOS with minimal sacrifices compared to a regular Android device. However, some people may need to switch banks. Google Wallet and Google Pay also ban using GrapheneOS, but in some regions there are tap-to-pay alternatives which work on GrapheneOS including Curve Pay, PayPal and many European banks. None in the US, so people need to use cash, a credit/debit card or a smartwatch with Garmin/Google Pay. Don't have to give up much else.
confettiarenasabotage@GrapheneOS @mast0d0nphan @besselj @evacide Google Wallet works for adding boarding passes, tickets, etc.
@Canning1452 @mast0d0nphan @besselj @evacide The driver's license part likely won't work due to the Play Integrity API.
varx/tech@GrapheneOS As someone with some security background but well out of the loop on phone OSes... what's the mechanism for this rejection?
Like, is it closer to useragent sniffing or to some kind of signature chain?
@varx Android has support for a very high quality hardware-based attestation system which is fully supported by GrapheneOS but shows that it's not the stock OS. Play Integrity API is a far weaker system which uses the hardware attestation system when available but has a bunch of exceptions including old devices and devices which shipped a broken implementation. Play Integrity "device" integrity level only requires weak software attestation checking a bunch of stuff via a privileged process.
@varx Play Integrity "strong" integrity level requires hardware attestation to show that it's the stock OS on a Google certified device, but they're only using the root-of-trust-based verification, not requiring that it's using the modern remote key provisioning system, etc. It's using the hardware attestation in a very weak way. Nearly all apps using the Play Integrity API only use the "device" integrity level which can be relatively easily bypassed but it's impractical for us to do it.
@varx It's relatively easy to unlock a stock OS device and put a rootkit with a bunch of control over the OS which hides itself from the software attestation including pretending to be another device without hardware attestation support to avoid that being used as it can't be spoofed. Leaked keys can be used to bypass root-based attestation. There are widely available projects providing spoofing of software attestation and using leaked keys which can be purchased for strong integrity passing.
@varx GrapheneOS can't pretend to be the stock OS on an obsolete device as easily. For one thing, we only support using Google Play as regular sandboxed apps with our compatibility layer making them function that way. This breaks a bunch of the checks they do for attestation which require privileged access to work and also check the SELinux domain, etc. of Play services. It may sound like it being a regular sandboxed app makes it easier to trick but that's not really the case at all.
@varx It would be quite pointless to implement. Google has a bunch of fingerprinting included which is not enforced directly but rather used to detect spoofing the software attestation. They can also detect usage of leaked keys. They're able to respond to this stuff happening and shut it down. Play Integrity API basically exists for providing the low level of assurance needed to crack down on stuff like ad fraud. Many power users are bypassing it, but they don't really care about that.
@varx Hardware attestation API can be used in a much higher security way. It supports pinning instead. Attestation API is part of the hardware keystore. Original purpose was proving keys generated by apps in the hardware keystore are actually in a hardware keystore. It includes metadata about the OS verified boot state, version, patch level, etc. passed by the firmware to the TEE / secure element. Apps can generate 'attest' purpose keys and use those for attestation which is how pinning works.
@varx We have our Auditor app and attestation service for using the hardware attestation API with pinning-based security to provide security monitoring of devices:
https://github.com/GrapheneOS/Auditor
https://github.com/GrapheneOS/AttestationServer
Look at https://github.com/GrapheneOS/Auditor/blob/main/app/src/main/java/app/attestation/auditor/AttestationProtocol.java and you'll quickly get the idea of what it can do. We use the secure element keystore (StrongBox). OS verified boot metadata is provided to it by the boot firmware and the OS provides the app package name + signing key fingerprints + version to it too.
GitHub - GrapheneOS/Auditor: Hardware-based attestation / intrusion detection app for Android devices. It provides both local verification with another Android device via QR codes and optional scheduled server-based verification with support for alert emails. It uses hardware-backed keys and attestation support as the foundation and chains trust to the app for software checks.
Hardware-based attestation / intrusion detection app for Android devices. It provides both local verification with another Android device via QR codes and optional scheduled server-based verificati...
@varx See https://grapheneos.org/articles/attestation-compatibility for our guide for app developers on how they can support GrapheneOS even if they insist on using root-based attestation to check devices. Multiple banks including Swissquote implemented this based on our guide. However, it's very hard to convince companies making apps to do this. It's particularly hard when they outsource the development of their apps and lack in-house developers. Developers take the shortcut of just using the Google service API and that's all.
@GrapheneOS Fantastic explanation, thank you.
@GrapheneOS ...also, kind of mind-boggled at just how much expense, inconvenience, and privacy reduction there is just to combat ad fraud. -.-
@varx We think ad fraud is a major factor in why Google cares about it but they also provided it based on apps and financial companies caring a lot about it. Apps use it for anti-cheat, anti-fraud, etc. Banks want to prevent avoid people claiming payments were made without their authorization due to malware, etc. They're trying to protect against users making their device insecure via an insecure alternate OS, rooting the device, granting root access to apps, granting accessibility perms, etc.
@varx Ingress uses it to try to stop people cheating by faking their location.
https://ingress.com/en/news/updating-google-play-integrity-api
We aren't sure if Pokemon Go currently enforces it, but it probably will. We've talked to a couple people there on X and tried to convince them to do https://grapheneos.org/articles/attestation-compatibility-guide. We know one of the main security people at Block (Square, Cash App, etc.) and are trying to get things solved for those apps. Several banks including Swissquote did specifically implement GrapheneOS hardware attestation.
eddy berthier@GrapheneOS @mast0d0nphan @besselj @evacide ☝️This. Been enjoying GrapheneOS since begining of 2025, improved security, user experience and.. blood pressure 😄
But I have a gripe with the AGOV app (swiss govt ID app) which refuses to run on an up to date GrapheneOS, because it finds non stock OSs insecure but runs on a Note 10 that Samsung didn't bother patching since 2023.
All UBS apps run seamlessly though.
But I have a gripe with the AGOV app (swiss govt ID app) which refuses to run on an up to date GrapheneOS, because it finds non stock OSs insecure but runs on a Note 10 that Samsung didn't bother patching since 2023.
All UBS apps run seamlessly though.
Cadmus@evacide Protip: make sure the Pixel phone you buy off eBay has the ability to have its OEM bootloader unlocked.
I bought one that does not allow the option to be selected in developer mode :( it says to connect to the Internet or contact my carrier. My carrier says they cannot unlock it as they did not provide the phone 😞
Kinene⭐🐻
Strypey@evacide
> GrapheneOS is great and I recommend it all the time for Android users
I'm definitely keen to try custom ROMs like GrapheneOS, but the main obstacles for me are;
* getting hold of a device that definitely supports one
* figuring out how to install it without bricking the device
* mobile carriers here are getting very fussy about what devices they'll support
On that last point, NZ probably needs a comprehensive Right to Repair law that obliges carriers to keep supporting the devices people had when we set up our contracts until EoL. I suspect they'd quickly find a way to patch old devices to work properly without the 3G network, if their only alternative was providing a free replacement ; )
(2/2)
Kay 
@Kay
> It may resurface in a smaller form in another term of government
Hopefully it will resurface in a more comprehensive form under the next government ; )
@strypey Fingers crossed. I submitted for a broader law including open sourcing software when a company could no longer provide updates, as has happened with some medical devices.
I am however realistic when it comes to NZ government understanding the issues let alone acting on addressing problems in a sensible way.
The Great Llama 
@strypey @evacide
Your second point is almost a non-issue with Graphene. Having been through the process with other custom ROMs, the steps always felt somewhat fraught. With Graphene, once you've managed to unlock the bootloader (which is trivial if you've bought a bootloader-unlocked phone), you basically plug it into a computer with Graphene's website loaded and hit the button. It does most of the process automatically, and the parts it doesn't do, it walks you through.
Your second point is almost a non-issue with Graphene. Having been through the process with other custom ROMs, the steps always felt somewhat fraught. With Graphene, once you've managed to unlock the bootloader (which is trivial if you've bought a bootloader-unlocked phone), you basically plug it into a computer with Graphene's website loaded and hit the button. It does most of the process automatically, and the parts it doesn't do, it walks you through.
@TheGreatLlama
> which is trivial if you've bought a bootloader-unlocked phone
Buying exactly the right version of the right device does seem to make it easier. But you know what would be even better? Being able to buy a device with a non-spying OS as the default OS, from a retailer in my country, guaranteed to work with our cell carriers.
@strypey @evacide
You'll get no argument from me! Not really the world we've built at the moment, unfortunately.
For what it's worth, I've bought my last two phones used through Swappa. They let you search specifically for OEM unlocked phones and claim to stand by that. Some of the other second hand markets may have similar options, that's just the one I used.
nicole mikołajczyk @ sesja linuksowa ➡️ piwo ➡️ gpn
Surillya @evacide GrapheneOS sounds great, at the same time I don't wanna give up always having the newest beta updates, and my phone will still get updates for like 5 years... Maybe after support ends 
@evacide @GrapheneOS Nvm, y'all convinced me. I just hope that my RCS, wifi calling and esim will still work
@evacide GrapheneOS is the sane way to do phones.
FSF is a bit too idealist to think that replicant will ever go anywhere without huge changes in people's thinking. Too much of an uphill battle in 2025 and especially ever since 2015
Anonymoose@evacide I’m absolutely disconnected from the Android side of things, but looking to move to it. If you don’t mind the question : Is Graphene specific to Pixels, or does the security extend to all Android phones?
@AnonyMoose GrapheneOS currently only runs on Pixels.
@evacide Gotcha, thanks for that. 👍
Vendetta@evacide I recommend Google Pixels with #grapheneos to everyone I talk about phones. There are barely any drawbacks due to project's maturity and even if you do not care about #privacy, it's more secure than stock android and offers all the same features. We need it to become available on more phones and become more mainstream. The only issue is reliance on Google for further device support and development. If GrapheneOS did not exist, I have no idea what phone I would choose as neither iOS nor stock android offer anything close.
Fedix 
@realFedix @evacide I agree partially. Revolut is the only app out of all my services that keeps failing and it is annoying. But it's an example of the ridiculous state of affairs and fault of #revolut that it fails. Nothing to do with GrapheneOS or any technical failures. One company decided to specifically block the OS for no legitimate reasons. If GrapheneOS becomes more mainstream, the issue disappears. So the solution is promotion of #GrapheneOS and continuing to demand its support rather than not using it.
I am looking for alternative banks apps because of that, replacing Graphene is not an option.
I am looking for alternative banks apps because of that, replacing Graphene is not an option.
Darkmm (free 🇵🇸)@vendetta @realFedix @evacide Private space > play store > Revolut app working fine for me. #grapheneos
@mrakmm @realFedix @evacide I am guessing you are logged in to the google account? I am trying to avoid any association with Google. If no solutions, it might be needed.:/
Jaap-Henk Hoepman 🟥 ⬜️ 🟩 ⬛️@vendetta @evacide “The only issue is reliance on Google for further device support". This is the main reason that has stopped me from moving over to Android alternatives like GrapheneOS (the other being it does not support tablets that can be used for daily note taking with a pen). It makes switching fragile, as there is a riks you enter stillborn ecosystem. (1/2)
Strict laws for enforcing interoperability are needed (does the DMA cover this?), ensuring also that Google cannot mess with the Play Store to prevent future apps from working on deGoogled phones (2/2)
@xot It's fair and I am also slow adopting most apps or services due to longevity concerns. I do hope and suspect that #grapheneos is here to stay as it keeps growing and gaining legitimacy. Therefore, I would put trust in the team and reputation. With a new partnership with a major OEM, it keeps on developing. It's one project I actually have faith in surviving the #privacy onslaught.
InterestingMoo@evacide of course there are other less obvious benefits. Like increased battery life and de #enshittification / bloatware. Control your phone and apps the way you want to.
Lilka Noć
EloPupThe only thing that bugs me is that I have to give G00gl3 of all companies money to get a smartphone I can run without G00gl3.
Ough 😞
@EloPup @evacide There aren't yet other devices meeting our hardware security requirements. Pixels are the most secure Android devices and the only ones combining proper updates with proper support for another OS. They're also the only ones combining providing the hardware-based security features we need with support for using all of those with another OS. We're working with a major OEM towards some of their future devices meeting our requirements, hopefully at least one in 2026 and then more.
I‘m fully aware that you guys made a conscious and well thought-through decision with regard to the hardware, there was no criticism implied :).
Was just pointing out the irony 😅.
But fully appreciate what you guys are doing, it’s important in many many ways!
Thx for that, and also for the answer here :).
Cheers!
Douglas