I finally did it. I bought a Google phone and installed GrapheneOS (https://grapheneos.org). So far, after a month of usage, it’s not that bad!
NOTE: If you already know what GrapheneOS is and want to skip ahead to the rant, it’s down below.
First of all, for anyone who doesn’t know, I should clarify what GrapheneOS actually is: It is a custom Android ROM aimed at security and privacy. These goals are accomplished through a number of low-level customizations (e.g. a hardened malloc implementation) as well as user-visible functions (more on those later).
As far as paranoia goes, this OS is supposed to be the most secure and private there is. Only one downside: This secure and private ROM only runs on Google brand phones. This is ironic, but there is a reason for it: the Google Pixel line is apparently the only phone line that supports overwritable Android Verified Boot keys. More on that later, also.
GrapheneOS applies multiple security and privacy-enhancing features, as I said, but what are those? Let’s go through those I can think of and use. Note: There is probably more going on under the hood, I’ll be talking only about the stuff I noticed and thought “Hey, that’s sweet!”
GrapheneOS, like other ROMs, is de-googled by default. If you install GrapheneOS, you will be met by a very light OS. Aside from the pure AOSP basics, their own browser (Vanadium), the GrapheneOS apps and the Auditor app are the only things you will start out with. Honestly, it’s not that bad, since the more lightweight the OS is, the more I can modify later. If you have experience with installing other ROMs (LineageOS, etc.), you will be familiar with what to do.
Now, to somewhat fuck with what I said a paragraph ago: You can have Google Play services! However, this implementation of Google Play services is heavily cut down. In other ROMs, the Google Services Framework has almost unlimited access to all data. All the permissions you can imagine. It makes sense an OEM ROM would support it, but what if some apps need Google Services and you don’t want to give Google unlimited access to your phone?
In GrapheneOS, Google Services Framework can be installed, but only as a regular app. This way, you get Google Play Store, the apps are happy, and you get full control of what these apps get access to. Don’t want Google Play to have network access? Okay. Don’t want file access? Done.
The way I set up my Google Services is on a secondary user. I made two users, one without GSF, and another just for the apps that require Google to function. This way, you can have the best of both worlds. There is also a way to get GSF on the main account, but that may give Google access to more data. I have not tried uninstalling GSF after installing a GSF-dependent app, but I may, one day.
GrapheneOS is the first Android ROM I have had that has Android Verified Boot (AVB) working. In the past, every boot of my phone showed me a screen saying “Your bootloader is unlocked!” and I understood that if someone stole my phone, they could make it theirs quite easily.
AVB works basically like secure boot on laptops (as far as I know). The ROM is checked for a signature, and if this signature checks out, the system boots. If not, you get an error. With custom ROMs, the TPM cannot usually be overwritten, and thus we cannot submit new keys to the TPM to secure a custom ROM boot. In Pixels, the TPM is editable, and thus we can provide a signed ROM and the keys to go with it. Once the keys are present, we can re-lock the bootloader, and at the next boot, the ROM is checked against the new keys.
Now, when I boot my phone, I get another warning, saying “Your phone is booting a different operating system.” No more unlocked bootloader!
My favourite feature (and paranoia fuel) is the auto-reboot feature. Basically, once you turn on your phone, the data is still encrypted. Once you put in your PIN/password, the data gets unlocked. In this state, an adversary may attempt to brute force the PIN, or find a way around the PIN to access the unlocked data below.
The way GrapheneOS does it is: If you don’t unlock your phone for a preset amount of time (from 10 minutes to 72 hours), it automatically reboots, putting the data at rest and protecting it from getting downloaded. For you as a user, there is almost no difference. If you use a fingerprint, you’ll have to put in your PIN/password once, and then it’s back to the same old. But if your phone is taken away by an adversary and not successfully unlocked for a long enough time, it will auto-reboot and lock all your precious data.
Now, this auto-reboot would be useless if the attacker can just brute force your PIN/password. Here, again, GrapheneOS comes to the rescue. Every couple of failed logins, the timeout you have to wait before you can try again gets longer. This way, after the 140th failed unlock attempt, you have to wait 1 day until you get another shot. There is not much of a chance you will get there by yourself, but some auto-clicker would have a tough time.
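To make the interplay of the two mechanisms concrete, here is an added example (my own model, not GrapheneOS code) that counts how many PIN guesses fit inside an auto-reboot window once throttling is applied. The throttling table in it is a constructed stand-in that matches only the one data point above (after the 140th failure, wait one day); the real GrapheneOS schedule differs.

```python
"""Added example (not GrapheneOS code): how unlock throttling and the
auto-reboot timer together bound the number of PIN guesses an attacker
can make on a seized, locked phone.

THROTTLE_TABLE is a constructed stand-in. It only matches the one data
point in the post (after the 140th failed attempt, wait one day); the real
GrapheneOS schedule differs."""
from bisect import bisect_right

# (failed attempts so far, forced wait in seconds before the next attempt)
THROTTLE_TABLE = [
    (5, 30), (10, 60), (20, 300), (30, 600), (50, 1800),
    (70, 3600), (100, 14400), (140, 86400),
]
_THRESHOLDS = [failures for failures, _ in THROTTLE_TABLE]


def delay_after(failures: int) -> int:
    """Seconds the lock screen refuses input after `failures` wrong PINs."""
    i = bisect_right(_THRESHOLDS, failures)
    return THROTTLE_TABLE[i - 1][1] if i else 0


def attempts_within(window_s: int, seconds_per_entry: float = 1.0) -> int:
    """Guesses an attacker can enter before the auto-reboot fires.

    The window is the auto-reboot timeout (10 minutes to 72 hours in the
    post). Once it fires the data is back at rest, so further guesses at the
    lock screen no longer reach unlocked data."""
    elapsed, guesses = 0.0, 0
    while True:
        elapsed += seconds_per_entry          # typing the next guess
        if elapsed > window_s:
            return guesses
        guesses += 1
        elapsed += delay_after(guesses)       # throttling after that failure


def guess_probability(guesses: int, pin_digits: int) -> float:
    """Chance of hitting a uniformly random PIN of `pin_digits` digits."""
    return min(1.0, guesses / 10 ** pin_digits)


if __name__ == "__main__":
    for label, window in (("10 min", 10 * 60), ("72 h", 72 * 3600)):
        n = attempts_within(window)
        print(f"{label}: {n} guesses, P(6-digit PIN) = {guess_probability(n, 6):.2e}")
```

With this table, even the longest 72-hour window allows only about a hundred guesses, which is why the delays matter more than the window length.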
I talked about the possibility of having Google Services Framework installed on a secondary user. But that might eat resources, RAM, and drain battery life. The feature that GrapheneOS added to regular Android is one that can be seen in enterprise settings: You can shut down a user account. When I want to use GSF, I switch to the second user. Once I am done, I hold the power button and use the option “End session” to shut down and disable the account. That way, the user data on the second account is put to rest and no Google Services are running in the background while I do my super-secret stuff (i.e. shitposting on Mastodon).
Lastly, one feature I found in GrapheneOS (and didn’t see before in Android 12) is an automatic timeout for WiFi and Bluetooth. It works similarly to the way you can set your hotspot to turn off if no device connects for X minutes. If I go out of the house and my phone loses connection to WiFi, after 2 minutes, it automatically turns off, so I don’t have to think about it and get airodump’d by some asshole on the subway (asshole = probably someone like me). Same for Bluetooth. I have both set to a 1-minute timeout, so when I get home, I turn on WiFi, and it connects. Once it disconnects, it searches for 60 seconds and then turns itself off. If I turn off my Bluetooth headphones, after a minute, I have to unlock my phone and turn it back on again.
I told myself that if I’m going to go for a paranoid Android ROM, I might as well go full paranoid. I bought the device for cash, in a place I wouldn’t go to. I couldn’t stop at a café to do the whole setup thing, so I brought it home but didn’t turn it on. I got some strange looks from the girlfriend, but I did not cave in. I planned to go to a different city, set it up somewhere innawoods and then come back with a clean device.
Luckily, the chance to get somewhere new came the very next day. A friend asked me to help him move. I had never heard of the village, and certainly wasn’t tied to it in any way. After we were done moving, I gave my buddy the car keys and installed Graphene on the way back. The installation is surprisingly straightforward, even by custom ROM standards. You download a zip file, check its signature, decompress it and run setup-all.sh. That’s it.
Checking the signature is not really extremely important if you’re not in the privacy camp, but it is useful if you want to verify the integrity of the file and the fact that it came from the GrapheneOS developers themselves. I did the check and, surprise, surprise! All was well. (This paragraph will be retracted once my phone turns out to be a CIA/NSA listening device.)
The setup script does everything for you, automagically. However, even though GrapheneOS devs did their best to make the process as straightforward as possible, it wouldn’t be me if I didn’t encounter some snags:
- OEM Unlock: I had to update the phone before I could enable OEM unlocking. Luckily, it wasn’t too difficult.
- Fastboot unlock: it took a couple of tries and required downloading a specific version of ADB. This one’s purely on me, I didn’t prepare beforehand and that’s what I got.
- Temporary folder: By default, the installation uses the /tmp folder to store any temporary data. In my case, the /tmp folder was not large enough for the files, so I had to reassign my temporary folder to a filesystem that was large enough.
All this on a 90-minute drive home, with a laptop, bag, two phones (old and new) and my friend carving out curves like a pirate. All in all, a fun experience. The phone itself is not that bad, considering it has only 6GB of RAM. The battery lasts all day, I have a good overview, and the defaults are forcing me to use my phone with more awareness, while helping me maintain some modicum of privacy and security. An artist’s rendition of my ride home can be seen below:
At the end, I should mention why I did not go for the second big choice of secure operating system: CalyxOS. Some may prefer it, and I’m not one to tell you one is objectively better than the other (I only have second-hand experience with Calyx while installing it on a FairPhone4).
There were several reasons I chose GrapheneOS:
- We have history. My first secure OS was CopperheadOS, while it was still an open-source project run by Daniel Micay. The Nexus 5X may have been my favourite phone, in part for that reason. The other was that I could disassemble it easily and get the camera modules out with no issues.
- CalyxOS did not impress me with the whole application/service pack it provides. While they may offer a better service, I wouldn’t know. The fact that they put all this work into a product makes me feel… dissuaded, for some reason.
- If I’m going to be paranoid, I might take my OS from someone who is equally and likely more paranoid than I am. Daniel Micay strikes me as the sort of person who cares about their own privacy.
- The speed of updates. GrapheneOS amused me in 2022, when an update came out for AOSP. The reason for my amusement was that GrapheneOS was able to implement the update and push it out to users faster than even Pixels running stock Android OS.
I will not address the drama surrounding GrapheneOS and Calyx, but I must say that my personal decision was based mostly on the fact that I’ve known GrapheneOS longer, and I’m more willing to buy a specific phone for a project I have used in the past, or developed by someone whose work I’m familiar with.
Well, this is it! Once all my apps break and the phone bricks itself, I’ll let you all know. I don’t assume it will happen unless I try something, but you never know!