Hello there! This is my problem: I’m going to buy a new smartphone, and I’d really like to degoogle myself as much as possible. The idea would be to buy a device compatible with LineageOS, but… Supported devices are usually older models, and often there are newer devices with better specs for the same price, that does not support lineageOS. Is seems a shame to buy a device with lower specs than another one just because of software compatibility. So the alternative would be to buy an unsupported device, unlock the bootloader and debloat it as much as possible, flash privileged fdroid and aurora store on it, install microg, etc… What do you suggest me to do? Is the second alternative a viable option? What other steps should I do if I decide to go that way?
Thanks in advance folks!
Edit:
Thanks to anyone for the great answers! I finally decided to buy a pixel 6 (or 6 pro if I find a good deal) and install a custom ROM on it!
GrapheneOS will support it for “only” 3 more years, while other roms like lineageos or divestos will have longer support. What do you suggest? Graphene OS and when support ends switch to another one? O directly use the other one?
Ironically, the best devices for degoogling are Pixels. You can unlock the bootloader very easily and then flash something like GrapheneOS or CalyxOS, and finally even relock the bootloader afterwards for security. Graphene can run google services in a sandboxed mode and Calyx has microG by default iirc.
Thanks for the answer! Sadly pixel devices have no SD card, and it is a quite important feature for me
Why not just buy a usb-c to sd card reader for $8 on amazon? Wouldn’t it be better to comprimise a bit of convenience then installing a less secure / private rom
Out of interest what specifically do you use an SD card for?
probably storing files
deleted by creator
The best option would be a Pixel running GrapheneOS. If you don’t want a Pixel, a well supported device with DivestOS (look for a recent one with a relockable bootloader) would be your best option. Debloating a stock OS isn’t recommended since those apps will come back anyway should the system update. Leaving your bootloader unlocked and rooting your phone as well is detrimental to Android security. Please don’t do that. See a third party OS comparison Also see:
thanks for the answer!
Debloating a stock OS isn’t recommended since those apps will come back anyway should the system update
really? at every OS update they will be brought back? there is no way to prevent that?
Leaving your bootloader unlocked and rooting your phone as well is detrimental to Android security. Please don’t do that.
my option #2 was to unlock the bootloader only to debloat and to flash privileged apps like fdroid, and then lock it again. Would this still be dangerous?
Unfortunately, yeah, see this discussion on stock Android debloating . As for 2, I don’t think you even need that anymore, the new F-Droid basic apps can do automatic update out of the box.
I think system apps are basically baked into the OS/ROM image (probably not the right term, but you know what I mean) which is why you can often only disable them - that’s how they’re there in the first place, they need to still exist somewhere so they come back on a factor reset. Don’t know if a system update would necessarily bring them back though.
Unlocking the bootloader to install a ROM and then re-locking it is fine (I believe that’s what GrapheneOS does at least), just don’t leave it unlocked when you’re done. Root is the big security vulnerability so best not to have it unless you really really need it and are willing to take the risk. I don’t think you need a bootloader unlock for installing any apps though, isn’t fdroid just a normal app install?
I don’t think you need a bootloader unlock for installing any apps though, isn’t fdroid just a normal app install?
I can install fdroid with low privileges, but it will ask for permission at every update and install. Installing it with elevated privileges will allow for background updates, like Google Play does
That isn’t needed anymore, I think F-Droid basic can auto-update apps now. https://f-droid.org/packages/org.fdroid.basic/
I am dismayed at the current scenario of basically nothing but the pixels being supported for rooting (not the fault of the community). Also a bit saddened by how easily everyone has accepted it.
If I don’t go the pixel route, I will probably purchase a cheap OnePlus mobile next year with at least kernel version 5.10. By next year, KernelSU should be more mature, and if you know about KernelSU, you know that passing SafetyNet is not a problem. I’d run microG in the work profile and put my apps there, and also debloat the pathetic excuse of ColourOS (or whatever Oppo uses). Fuckwads couldn’t even keep the damn tool open to unbrick devices (which is why development stopped). By next year I just need to figure out how to install patches with a modded kernel.
Sorry that doesn’t answer your question since you need a mobile now. I’m just quite annoyed at the state we are in. I really hope linux mobiles take off in the near future and I don’t have to deal with such nonsense.
I am dismayed at the current scenario of basically nothing but the pixels being supported for rooting (not the fault of the community). Also a bit saddened by how easily everyone has accepted it.
Serious question, what the the community not accepting it look like?
More outrage at OnePlus maybe. More discourse in general. I’m astonished at how nobody seems to be batting an eyelid at the Pixel being the only real mobile which can be rooted (and if that’s the case, what’s the point of all the projects? Would you run anything other than Graphene OS on a pixel?)
I dearly wanted the FP5 in the US but they didn’t do it. Quite disappointing. I’m just waiting for KernelSU to mature a bit more and learn how to install security patches on top of a custom kernel. Once I get to that point, I’ll just shut up.
I think people are just all outraged-out these days. (Well, at least for this…) The years and years of outrage about locked phones didn’t get any of the old manufacturers to change their ways and when the option of the pixel showed up, people who care about this were just tired and settled for just voting with their wallet. Or at least that was my experience.
I fear the day when the pixels will no longer be as friendly to “rooters”
Hopefully like https://mobian-project.org/
nothing but the pixels being supported for rooting
Your observation is incredibly US-centric and bullshit. Rest of the world gets to have OnePlus, Motorola, Xiaomi and other phonemakers that allow unlocking/rooting.
If pixel/GrapheneOS is not an option I would recommend DivestOS which supports a very wide range of devices
Here you can filter the search for Custom ROMs by release year. A few current models are already available: https://www.sustaphones.com/ beside Pixels i.e. Xiaomi, 2023, redwood X5 Pro 5G, Teracube 2e, 2022, emerald, Motorola g32, g42, g52, …
this is a very cool website, thanks for sharing!
Google Pixel with GrapheneOS. Nothing matches it.
Fairphone is the bomb diggity
Buying a pixel isn’t the end of the world, but it is still feeding the enshittification beast
A used pixel takes the brunt off of the moral compromise.
No it does not. You just end up manufacturing a whole market for cheapskate Pixel users.
Murena (the company behind /e/ os) also sell smartphones with /e/ os installed. They’ve also partnered with Fairphone if you’re looking for a more sustainable model. I bought the Fairphone with /e/ os a couple of months ago because I was looking for a phone with replaceable parts and it works well. They also sell some refurbished models I believe.
Murena is a weird company. I tried to purchase a cellphone directly from them a few months ago, and they have this weird system on their website that forces you to create a full-blown cloud account with them - complete with email, calendar, file transfer and all - before being able to order anything. And in fact, even after creating the account, I couldn’t even figure out how to order with my brand-spanking new murena.io email.
After fiddling with this for a while, and mostly reflecting on the fact that this company that knows absolutely nothing about me just gave me an email address and a bunch of storage for free at the click of a button, I decided this was all a little too sketchy for my taste and gave up on the whole idea. That’s not how I expect to place an order with a normal company: I expect to have a cart and do a secure pay, not go through this kind of account creating rigmarole.
So, I’m not saying Murena is a bad company. I’m saying be careful with them, because the purchasing process is highly unusual with them.
Interesting, I’ve gone through the process and whilst I do have an account to track the order I haven’t been forced to do anything else. I also use the phone and the app lounge without logging in.
Edit: I just looked at it and I only have a shop account to track the order. No cloud service or email address
I didnt have this experience at all. I think maybe I hit a skip button when they asked me to set up an account.
I got a Fairphone4 from them and it’s been great!
When did you get it? Maybe they changed their web store since I tried to patronize it.
Just a few weeks ago.
Okay, then I guess Murena made their web store simpler or less sketchy-looking. I tried ordering from them around the end of June.
You can purchase a supported model with any company you feel comfortable buying, then install /e/ OS as well. I think you were expecting a more typical purchase experience of a store. Murena should seek for this experience, but yeah, they are a weird company aiming to a weird market, it doesn’t feel that weird to me.
I got a Fairphone 4 from them. Works great! Totally degoogled by default.
A while ago I got a Motorola cellphone on on the Lineage compatibility list. I installed LineageOS and that was a pain to set up, but I got it working well. A few months later there was a Lineage update that bricked the phone.
Another alternative is iodeOS. They also sell pre-installed Fairphones and support a few more devices (not as many as eOS) https://iode.tech/de/installation-iodeos/#1611161940311-4fb3b2cf-4d60|sc-tabs-1700424213961
If you have the money and you care about not buying or owning a Google product, and / or you care about repairability, get a FairPhone: you can install
GrapheneOS orCalyxOS on them and they too support relocking the bootloader. It’s not just Pixel phones.Bonus: they have a SD card slot, unlike Pixel phones.
They’re not the speediest or sleekest devices, but that’s not where the interest lies with Fairphone cellphones: they’re mostly designed for long life and easy maintenance, and they’re made by a cool company I want to support personally. And they’re not made by Google, so buying one won’t support Google or the Pixel ecosystem in any way.
Fairphone is not supported by GrapheneOS, here’s a detailed explanation as to why
Ah yes you’re correct. I got confused.
If you have the money
here’s the problem XD I’m willing to pay around 350€, 400 at most, and the fairphone 4 starts from over 500€
Yeah they’re not cheap 🙁 It’s too bad because they’re really decent cellphones. But they’re twice the price of anything equivalent from any of the big manufacturers.
I recommend you purchase a Google Pixel 6a or above (minimum security support ends July 2027) and flash GrapheneOS. (Pixel 8/pro preferred)
Aurora Store doesn’t avoid Google since a lot of the apps from the play store include Google’s SDK and libraries. microG also doesn’t avoid Google as it is still running proprietary Google code and has more privacy/security weaknesses
Sandboxed Google Mobile Services is a much better implementation which is featured in GrapheneOS. The services are not privileged and is treated like any other app. They don’t downgrade privacy or security unlike the other alternatives.
There are much more privacy and security benefits using GOS. Here is a 3rd party comparison between different mobile OS.
microG also doesn’t avoid Google as it is still running proprietary Google code
What proprietary code?
has more privacy/security weaknesses
Source?
microG runs Google Play code just like Aurora Store. It is not fully open source. Here’s more information.. It is still connecting to Googles propriety servers.
microG requires Signature Spoofing and alternative OSes usually ship with microG as a privileged system app. This increases the attack surface as it is not confined by the regular sandbox rules.
Now you’re using a privileged component, which downloads and executes Google code in that privileged unprotected context, and which talks to Google servers because otherwise, how would FCM work for example?
Despite doing both of those things, MicroG doesn’t have the same app compatibility as Sandboxed Google Play despite the extra access it has on your device. Even in some magical universe MicroG worked without talking to Google servers or running Google code (again, in a privileged context), the apps you’re actually using it with (the apps depending on Google Play) have Google code in them.
microG runs Google Play code just like Aurora Store. It is not fully open source.
Neither of them run “Google Play code”.
You can download proprietary apps through the Aurora Store and those on their own might include Google play libraries but that should be painfully obvious.
µG can optionally download and run the proprietary DroidGuard for implementing the proprietary SafetyNet. If you don’t want proprietary software, you should not explicitly enable SafetyNet (I don’t know what app you’d use it with anyways).
That’s a Twitter thread with no cited sources aka. the truthiest information known to man.
It is still connecting to Googles propriety servers.
If you ask it to, yes. That’s one of its explicit purposes.
It obviously must talk to Google servers in order to facilitate things like cloud messaging for example; there is no other way.
It does try to implement many APIs that would ordinarily talk to Google’s servers in regular GMS using alternative methods however and if it has to talk to Google, it does so with the least amount of data possible.
microG requires Signature Spoofing
This is usually only enabled for the µG app itself and nothing else.
ship with microG as a privileged system app. This increases the attack surface as it is not confined by the regular sandbox rules.
This does increase the attack surface a little. In a world where blindly trusting gigabytes of privileged vendor blobs is the norm however, I don’t think it’s all that significant.
Compared to the hundreds of MiB of regular proprietary GMS code that ships on Android devices, it pales in comparison.
downloads and executes Google code in that privileged unprotected context
As opposed to …running running the entire GMS in a privileged context?
MicroG doesn’t have the same app compatibility as Sandboxed Google Play despite the extra access it has on your device.
You’re comparing apples to oranges. µG replaces GMS, not the tool used to sandbox GMS. You could sandbox it in the same way.
There is no “extra access” that µG has compared to regular GMS.
[if] MicroG worked without talking to Google servers
I don’t know why you keep mentioning this, it was never up to debate.
the apps you’re actually using it with (the apps depending on Google Play) have Google code in them.
Apps that bundle Google Play code have Google Play code inside?!
Start the presses! Notify the President!
A wild revelation, the world must know it!
thanks for the answer! I would gladly do this if only pixel phones had an SD card… Sadly they don’t, and I really need it, so no pixel for me :(
Perhaps you should add this criterion to the start post? Otherwise ten more people will recommend GrapheneOS…
You can always connect a USB stick or card reader with an SD card via USB-OTG
I will recommend you do use a phone that still receives security updates (Not EoL) because I don’t want you to lose out on security just to deGoogle.
If you are strict on having an SD card slot and your phone is still receiving support, you should use StockOS to receive firmware updates as soon as possible. If the phone you decide to get is EoL, the least bad option would be DivestOS (fork of LineageOS)
Is there a reason you need SD storage? Some Pixel devices have onboard storage of 256GB+, so unless the storage needs to be removable, they could still be a good option.
Iirc, there are unofficial ports of LineageOS for newer devices. Also, I’ve been using another system, ArrowOS, in its vanilla form, on a Redmi Note 10 Pro phone I have, and it’s working fine so far, so maybe an alternative for your case if you don’t find a decent phone compatible with LineageOS?
I’m in pretty much the same boat as OP.
I’m seeing that buying a Pixel and then degoogle-ing it with Graphene OS is the way to go. Before I pull the trigger on that, can anyone point me to a good guide on how and when to load Graphene OS? Do I load it after activation with a carrier? Ok to do this before carrier activation?
And what functionality do I have with Graphene OS? Only Fdroid as a store? Can I sideload apps?
I’d really like to hear from some people that have actually done this about what to do and what their experience is with grapheneos. I’m leery of spending hundreds of dollars on a phone that may or may not work as I want.
I am seriously considering doing this but I’ll buy an iphone if I can’t really understand the pixel/graphene path well enough before dropping the $$.
Any YT vids about someone doing this?
https://grapheneos.org has a lot of info. Make sure to buy a phone with an unlocked bootloader. All carriers lock it so buy it used and make sure that its unlocked or buy it directly from Google. You can install all google apps through Aurora store, a Play Store fronrend. You can also install sandboxed Google Play services so your Play Store apps can run and have functionning notifications, as they usualy rely on Play services. Yes you can sideload apps like normal android. Its AOSP without the google stuff. Some videos/channels: https://www.youtube.com/watch?v=vh5xjsE4mU4 https://www.youtube.com/watch?v=igSUmfKTXqU https://www.youtube.com/channel/UCrG6IID2FX7-GxyKtavRhEA https://www.youtube.com/watch?v=L1KZWjZVnAw
Here is an alternative Piped link(s):
https://www.piped.video/watch?v=vh5xjsE4mU4
https://www.piped.video/watch?v=igSUmfKTXqU
https://www.piped.video/channel/UCrG6IID2FX7-GxyKtavRhEA
https://www.piped.video/watch?v=L1KZWjZVnAw
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
deleted by creator
I’d really like to hear from some people that have actually done this about what to do and what their experience is with grapheneos. I’m leery of spending hundreds of dollars on a phone that may or may not work as I want.
I’ve done this, here’s my takeaways:
On the install:
- The install guide is long and detailed, and it felt important to take my time and do every step exactly as it says.
- In spite of the length of the guide, I was done with my install in about 45 minutes. I spent about 30 of those minutes sipping coffee and reading on my Kindle while my phone applied updates automatically. -By the time the install finished, my feeling was “that was it? I feel like I clicked like 4 links and it did everything.”
On owning it:
- My $300 GrapheneOS Pixel 6 is substantially more responsive than my previous $1000 phone. I migrated to a 3 year old phone and if feels like a big upgrade.
- My camera opens quickly, snaps pictures quickly, and is ready to snap another picture, quickly. This shouldn’t be a big deal, but some of your with $1000 Android phones know what I’m talking about. I’ll die on the “this should never have been hard in the first place” hill. But in the meantime, the responsive camera is the most important quality of life upgrade I got from GrapheneOS.
- Installing apps from Aurora, with it’s privacy insights, was very eye-opening for me. I mention this mainly for context on my next point.
- App compatibility has not been an issue for me; but I quit using certain really invasive apps when I saw their tracking details in Aurora store. (Cough - Paramount Plus - cough)
- I’ve heard bank apps can be a challenge, but mine works perfectly. I now love GrapheneOS enough that I am realizing I will move my money if that changes.
I did a bit of searching, maybe used the wrong terms, but is there a list somewhere with Banking Apps compatible with Graphine or Lineage that you know of? It’s literally the only thing holding me back…
I, too, have searched for such a list and not found it.
The stores I have on my GrapheneOS pixel 7a: F-Droid + droidify, Aurora store, and the Google Play store as well for some official apps I cannot do without. Between these, there isn’t an app that I couldn’t find or install.
I bought my pixel second hand, to not put more money in Google’s pocket, and to avoid any carrier locking. Not sure how that will impact the installation, but it might. Best to investigate that matter.
I have to mention: I still cannot believe how easy that installation was. I rooted my previous phone and put lineageOS on it, which was such a tedious procedure back in the day, I really dreaded installing GrapheneOS. But that web interface, detecting everything and guiding me along was pure heaven. I hope that’ll become the default for any custom installs.
Interesting. Thanks for this info.
Google Play? So you degoogled and regoogled?
:)
I too, degoogled and then regoogled.
The Google Play framework service is very sandboxed on GrapheneOS. Most stuff just works, and - as long as all went to plan, which it seems to - the invasive stuff fails silently or with a harmless error message.
It’s been a better experience than I expected!
For the most part, Google has no idea what apps I’m even installing, beacuse I get free apps without login through Aurora.
For the apps that are important enough to me to purchase through Google Play, Google knows I bought and installed them. But even those are talking to GrapheneOS’ sandboxes Google Services Framework. For the most part, nothing changes in how I use those apps, beacuse the sandboxes framework drops and reports ‘success’ on unsupported framework calls, and the vast majority of apps I have used just move on.
The exception has been anything that only supports Google’s auth layer. I like Google’s auth layer, but I don’t use it anymore. So those apps I can’t use at all. I don’t expect it to work well on GrapheneOS, but I haven’t honestly tried.
At least it’s sandboxed now ;)
I’m a GrapheneOS user. You can use whichever store you like. Sideloading works too if you want to get stuff directly from GitHub, for example.
If you use esim, probably better to activate before flashing GrapheneOS. Otherwise, doesn’t matter imo.
I’d suggest you take a look at the discussion forum. You can ask questions there or just browse and you can probably learn a lot about GrapheneOS there. Also the homepage has tons of info, of course.
deleted by creator
Regarding your edit and GrapheneOS support - they will definitely support the pixel for as long as Google are providing official support, though they have then continued support in the form of security patches for much longer than that for older devices. No guarantees of exactly what will happen in the future but you’re probably best of using GrapheneOS for now and then in three years time seeing what the state of things are. Things change quickly in technology, maybe you won’t need to move anything, maybe you’ll want a completely new phone by then!
Great, I’ll do this then! Thanks man
No worries, I’m by no means an expert but I’ve been using it for a couple of years and I’m happy to try and answer any questions!
Thanks to anyone for the great answers! I finally decided to buy a pixel 6 (or 6 pro if I find a good deal) and install a custom ROM on it! GrapheneOS will support it for “only” 3 more years, while other roms like lineageos or divestos will have longer support. What do you suggest? Graphene OS and when support ends switch to another one? O directly use the other one?
I have the P6. It’s an all around good phone. Don’t forget to look at GSI ROMs. All recent devices handle those. I can and eventually will install LineageOS on my Galaxy Tab S8 and have it on my old Tab low end tablet.
I’ve never heard of GSIs and it seems really interesting! I’ve found nothing about it on the LOS website, is it something “unofficial”?
Since devices that came with Android 10, all devices are expected to adhere to a standard Android interface. The GSI stands for generic system image.
Given a particular Hardware platform and drivers any GSI should run on any matching Hardware.
I know that Andy Yan’s LineageOS GSI works on my sm-t510 (a64 variant) and from user testimonials, it also runs on the sm-x720 (arm variant, TAB S8).
I linked the forum section that contains the thread for his and many other GSIs.
Thanks for the answer!
The number of “GrapheneOS + pixel” astroturfers is astounding. The shills are persistent.
Just because a lot of people are saying it doesn’t mean they’re astroturfers, GrapheneOS isn’t even a company with an advertising budget, it’s just an open source project! Do you go to the Linux community and accuse the people using Arch of being shills?
I have investigated and covered the “security” cult in FOSS community and GrapheneOS for the past 5 years. They are the slimiest, dirtiest tech related group on the internet that projects and crybullies its way with everything.
https://old.reddit.com/r/privatelife/comments/ug9qnc/writeup_criticism_of_rprivacyguides_grapheneos/
A lot of you fall for the snake oil AOSP fork and preach their marketing.
Appreciate the very, very detailed response, but I’m just a guy who wants a secure device, I don’t really want to go down this red-string rabbit home or join anyone’s side in this shit-flinging match!
There is no rabbit hole, everything is presented with solid evidence and proper notes. And it should take a couple hours for all of this to be read, if you wanna spend a weekend or a night. I say that is reasonable for 5 years, and a very nice way to enlighten yourself with the danger “security zealots” present towards degoogling/decorping, whitewashing Big Tech evils, our privacy and tech freedom concerns. They are arguably the most prominent, yet covert Big Tech shills you will find in privacy community, and I am one such non-conspiratorial non-nutjob privacy person who took the pain to do this, because nobody else did.
I would like you to go through these parts in second link, it is very interesting regarding security claims.
GRAPHENEOS ALTS CLAIM CELLEBRITE KITS CANNOT EXFILTRATE DATA FROM PIXELS ON YOUTUBE COMMENTS
GRAPHENEOS MATRIX CHAT TELLING PEOPLE TO FLY TO OTHER COUNTRIES TO GET A PIXEL IF NOT AVAILABLE DOMESTICALLY
Also going through this comment chain might help regarding seeing if their security even means anything compared to other AOSP forks. Takes 10 minutes.
Wow, I didn’t expect you to be on lemmy. I was subscribed to your privatelife subreddit when I was on reddit. Do you have anything similar on lemmy?
c/privatelife, but it is a little inactive for now. My current goal is to get Lemmy’s momentum stronger than now. In the past 3 years, I silently helped crush raids, trolls, mod c/privacy and c/technology here on lemmy.ml, helped r/piracy and r/datahoarder migrate. Helped shape up rules and stuff, mostly the non- code development stuff to bolster Fediverse (someone sent me here back then) and to keep admins’ workload lighter.
While c/privacy is not made by me, I try to shape it up in similar ways as privatelife, so that all the privacy community problems and astroturfing that used to happen on reddit no longer happens here.