A question as old as time, I know.
I’m getting away from Google and I’ve done the easy stuff: CoMaps, Proton mail (I know, not the best move), aveslibre, etc. I currently don’t have the time (or the knowledge base) to learn how to self host, but hopefully that will replace Drive and such in the future.
But I digress. I’m looking at a new OS for my phone. I’m currently in a contract with a phone that is incompatible with alternative OSs. Graphene needs a Pixel. Used, they’re $150-400. /e/OS will run on a Motorola or whatever and those are like $80.
There’s also the option of going full Fairphone with /e/os and I like that idea in the future.
The internet people tell me that Graphene is the best due to ease of installation, privacy, and security.
I don’t need a lot of security. I just want Google to stop suckling all that sweet, sweet data from my teat.
What are your thoughts?
From the official GrapheneOS response to exactly this same debate, it seems that the issue is MicroG’s reliance on having signature spoofing enabled. Which is a security hole that can be exploited by anyone, not just MicroG, as it allows anything to masquerade as Google Play Services to an app that wants to use it.
https://discuss.grapheneos.org/d/4290-sandboxed-microg/11
Yes, Google Play Services is closed source and contains functionality that would be considered “spying on the user”, and “malicious”. But that is the same for any closed source app; you can’t prove it isn’t trying to spy on you or compromise your device. What you can do is rely on the App sandboxing and fine grained permissions control that GrapheneOS allows to disable such functionality if it exists.
Of course, if even having a closed source app on your device is too much, then honestly you wouldn’t even be using MicroG as you wouldn’t want any apps using Google’s proprietary libraries for accessing Firebase or other proprietary services anyways…
So, GrapheneOS offers the most sane approach in my opinion, without opening any security holes. By default the entire OS (not talking about pixel firmware blobs, just the os and kernel drivers) are open source and you can use only open source Apps via Fdroid, Accrescent, direct with Obtainium, etc. But for the average user enabling sandboxed Google play and managing its permissions is the best compromise between security and privacy.
Being open source is not the only benefit of MicroG. It massages some (many) of the queries, removing as many bits of identifying information as possible. It lets you replace Google Location services with BeaconDB. And some other stuff.
These are all privacy wins. Practical ways to maintain as much of the functionality as possible, as much of the convenience, while minimizing the amount of information that is sent to Google (among others).
They come with a compromise in security. So this comes down to threat modeling. To use the naming from privacyguides.org, is your model includes “surveillance capitalism” but not “targeted attacks” then MicroG might even be better.
e/OS, while far from perfect, also adds a feature that blocks requests from tracking services using a blocklist. You can get that in 50 other ways, but this one does not drain my battery at 3x the speed, so I like it.
I do not claim that /e/OS is “better” than GrapheneOS, just that other ROMs can be a very good choice, depending of the user.
There is a reason why GrapheneOS is the golden standard, and if I were a journalist or activist in many parts of the world I would definitely stick to that and only that.
But that is why threat modeling exists. My threat model allows me a little more latitude, so I am not restricted to buying Pixels in an era when Google seems to be slowly undermining GrapheneOS, and I can choose a different manufacturer with better ethics. Among other things.
Of course, no question that with threat modeling you can arrive at /e/OS being an acceptable choice. However threat modeling is difficult and the devil is in the details, which is why I’m responding (mostly for the benefit of other readers of this thread) to provide the GrapheneOS side of things and avoid the impression that /e/OS offers unique or generally superior features in the areas we are discussing.
Here is GrapheneOS’s network location implementation details. https://grapheneos.org/features#network-location
First a technical thing which is not obvious to me.
I understand that the general, non-proprietary Android system service would uses a privacy preserving service like BeaconDB. From what I understand, Google offers an alternative, proprietary, location API in its Play Services. Is that one also prevented from giving your location to Google of you’re using Sandboxed Google Play?
It’s an honest question. I assumed that the provider option I had in MicroG was exactly for that purpose, but I could be wrong.
Next, a small rant.
Bloody hell, I really do appreciate your politeness, but how is it that every damn article about privacy starts with threat modeling, but every discussion about privacy ends with “yeah but if your threat model does not require QubesOS you’re doing it wrong”?
(I use Arch BTW)