• Carrot@lemmy.today
    23 hours ago

    Not who you were talking to, but I use GrapheneOS on a Pixel 9. I don’t know if there’s a “lockdown” mode, but I have my phone set up where I can’t use biometrics to unlock the phone, but can use biometrics to log into my apps. As for the website/email based attacks, these are mostly rendered useless with the GrapheneOS subproject Vanadium, which is their security-hardened web browser, that I use by default. (https://grapheneos.org/usage#web-browsing)

    I have a bunch of banking apps (Chase, Discover, American Express, Citibank, Ally, and my local bank) and while I did need to turn off some of the more extreme safety features for some of those apps (GrapheneOS has a toggle for them on a per-app basis), all of them work without Google Play Services, something I don’t have installed. Some of my other bills apps don’t work even with that setting turned on (student loans, local utilities, home loan, etc.), but I just add a link to their website to my home screen and it doesn’t really change my experience much. Also all my work apps (Slack, proprietary apps) have worked without Google Play Services. However, a bunch of apps do require Google Play Services, and for my use cases most can be replaced with the website link, some can’t. Google Maps is the biggest one, and while I have devised a way to get the great search from Google Maps anonymously through Tor and import the coordinates into CoMaps (FOSS alternative map app), that’s the last part of my phone use that is still a pretty significant inconvenience.

    Any app that needs the stricter security turned off gets put in a separate user on my phone, that can’t run in the background, to prevent any shenanigans there as well.

    For all my security needs, I haven’t found a mobile OS that does everything I wanted as low-hassle as GrapheneOS, and I’ve tried a bunch.

    • slauraure@beehaw.org
      21 hours ago

      Wow, thanks for sharing. I appreciate all the practical info. So you tried Calyx, Copperhead etc. too?

      The biggest thing turning me off most of these security-oriented ROMs is having to buy a Pixel. I kind of don’t want to go from one American big tech phone to another.

      • Carrot@lemmy.today
        10 hours ago

        I haven’t tried Copperhead due to the small list of officially supported devices, but I did try Calyx. Calyx is honestly pretty close in terms of overall experience, and continues to get better. However, being newer, it lacks the overall polish/stability of Graphene. Also, at the time I tried it, it was lacking the web installer which makes moving to a new OS much simpler, but it has it now. As mentioned before, Graphene has their own web browser, which simplifies startup. Most of my other preferences are pretty nitpicky. Honestly, if I hadn’t already had a Pixel phone it probably wouldn’t make too much of a difference, but having the Pixel means it’s kind of silly to turn down the extra base-level security Graphene provides. Honestly, given that I won’t need a new phone for at least 5 years, there’s a real chance of me getting the latest Fairphone and Calyx next, hoping that over that time they tighten things up.

        I totally understand your sentiment, and your best bet is probably the Fairphone 5 when Calyx is released for it, especially since they are committing to 8 years of security updates compared to Pixel’s 7.

        • slauraure@beehaw.org
          4 hours ago

          /e/OS looks interesting too and can be delivered from Fairphone with it pre-installed. I’m kinda lost since there are so many privacy-focused OSes based on AOSP. They could probably achieve more by merging some projects, but I imagine there are different philosophies separating them like in most OSS.

          In any case, lots of great info here. Cheers again for the insight.