I’ve only heard of GrapheneOS (and that authy is insecure in the same breath, so I need better 2fa apps).

The biggest thing I can think of that I don’t want to lose is the Motorola gestures. I constantly chop to open my flashlight and twist to open my camera.

Besides that, I have never touched the rom before, and I have both wells Fargo and discover banking apps I use semi-regularly. The banking apps I could probably move to just doing their actions on the website, but that difficulty is something I would like to be aware of going in.

I also use Mihon (successor to Tachiyomi) so problems with that and solutions would be nice.

  • kyub@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    1
    ·
    5 months ago

    Long-time GrapheneOS user here.

    Can’t say anything about Motorola gestures.

    Banking apps MIGHT not all work on GrapheneOS, if unsure check first, or ask on the GrapheneOS forum. I forgot the reasons but it’s probably something stupid like the banking app blocking any non-“Google-sanctioned” Android versions via the Play Integrity DRM kind of feature. It sucks, especially because GraphneOS is way more secure and private than any commercial Android, but what can you do, bad decisions are being done all the time.

    GrapheneOS is my recommendation, it’s easy to install and can be used by tech-illiterate people as well because almost none of its security and privacy enhancing features require any special configuration work from the user or require advanced knowledge, it all happens mostly in the background with good default settings. Even for tech-savvy people this has the advantage of not requiring any tinkering or maintenance work, it feels like using any proprietary Android, just hardened and much more privacy-friendly.

    You should still maybe be aware of these potential minor issues:

    • Some apps might refuse to work on any “unsanctioned” Android version via the Play Integrity thing, but so far this seems to be very rare (thankfully). If you find any, make sure to tell the developers that they should stop doing that.

    • Some apps might simply require Google Play services to be installed. On GrapheneOS, you can install them via the “Apps” app, and they will be slightly less terrible than they are on any other Android because they won’t run with full system rights, but instead they’ll be sandboxed and can be completely shut down by using the standard permissions system, which the user is blocked from doing on proprietary Android systems. But then again, if you must use them, then of course they’re going to require Network permission and they’ll use that to phone home to Google, as they always do on standard Androids as well. So it’s not recommended to install any proprietary apps from Google on top of GrapheneOS. Even though on Graphene, the amount of things an app is allowed to do is more limited compared to the huge amount of data an app can read and phone home on a propreitary Android system.

    • Some apps include certain widgets like Google maps which, again, require the respective app or Play services app to be installed as well. Depending on how these apps are written, they might simply fail completely when this dependency is not there. But so far, I’ve had luck, and some apps I’ve used which integrate a Google maps widget still worked without it. So it depends on the app and the quality of its developers.

    • When not having the Google play services installed (default), you won’t have access to Google’s push notification system in the cloud. Some apps, even some privacy-respecting apps like Signal, rely on that. Signal will work without, but then it uses a power-inefficient alternative based on websockets instead, which means Signal without Google play services drains your battery faster than it would otherwise. There are ways around this by using the Molly fork of Signal (Signal is open source and there is at least this one fork often being used as well) with the open source app “ntfy” and an either self-hosted or a privacy-respecting ntfy server instance somewhere to go along with it, which will then act as your own push notification server in the cloud. So you don’t need to contact Google’s stuff for that, and less connections overall to Google equals more privacy overall.

    • If you do decide to install the Google play services app on Graphene, make sure to allow it to run in the background. But, again, it’s not recommended to use any proprietary Google apps/services.

    • Once you have Graphene installed, be sure to use its integrated browser called Vanadium (a hardened Chromium fork) to download and install an “app store” of your choice. When I first started out, I installed the F-Droid apk first, then from within it Aurora as a Play Store client. Giving me access to a lot of open source and Play Store apps, respectively. F-Droid unfortunately has some potential disadvantages, which is why I recommend using Obtainium instead of the F-Droid client (you’ll still access the F-Droid repository sometimes because some APKs of open source apps are only hosted there, but at least you’ll avoid potential issues with the F-Droid frontend application then). Using Obtainium instead of F-Droid will be slightly more work at the beginning when compiling your needed open soruce applications, but afterwards it’s just as easy.

    • Make sure to configure a privacy-friendly and ad/tracker-blocking DNS server, as well as something like RethinkDNS or NetGuard Pro to control which apps are allowed to contact which hosts/IPs. Otherwise, while Graphene itself won’t violate your privacy, many apps will still do that (especially proprietary apps often contain several trackers).

    • If you need tutorial videos on how to install or initially configure Graphene, or Obtainium, watch the youtube channel “Side of Burritos”, excellent content.

    If any of that sounds scary, it shouldn’t be. Most of these issues are really minor and it’s unlikely that you’ll be too negatively impacted by any of it, so give Graphene a try without Google services. There are great open source apps out there for all sorts of functionality. Just felt I should mention any potentially small pitfalls.

    Other Android variants or ROMs are inferior to GrapheneOS in terms of security and privacy, unfortunately, so it’s best to buy a cheap Pixel (8th generation recommended due to strong hardware-based security) and install Graphene on it. Otherwise you’ll miss out on Graphene’s very strong security and privacy features. There are some other privacy and security oriented Android variants like Calyx or /e/OS or things like that, or even LineageOS, but they all, again, don’t reach up to Graphene’s level of security and privacy.

    HTH