GrapheneOS (written GOS from now on) is an Android based operating system that focuses security. It is only compatible with Google Pixel devices for multiple reasons: availability of hardware security components, long term support (series 8 and 9 are supported at least 7 years after release) and the hardware has a good quality / price ratio.
The goal of GOS is to provide users a lot more control about what their smartphone is doing. A main profile is used by default (the owner profile), but users are encouraged to do all their activities in a separate profile (or multiples profiles). This may remind you about Qubes OS workflow, although it does not translate entirely here. Profiles can not communicate between each others, encryption is done per profile, and some permissions can be assigned per profile (installing apps, running applications in background when a profile is not used, using the SIM…). This is really effective for privacy or security reasons (or both), you can have a different VPN per profile if you want, or use a different Google Play login, different applications sets, whatever! The best feature here in my opinion is the ability to completely stop a profile so you are sure it does not run anything in the background once you exit it.
↫ Solène Rapenne
I switched to GrapheneOS on my Pixel 8 Pro as part of my process to cleanse myself of as much Big Tech as possible, and I’ve been incredibly happy with it. The additional security and privacy control GrapheneOS brings is amazing, and the fact it opted for a sandboxed Google Play Services basically means there’s no compatibility issues, unlike when using microG, where compatibility problems are a fact of life. GrapheneOS’ security and other updates are on par or even faster than the stock Google Pixel’s Android, and the overall user experience is virtually identical to stock Android.
The only downside is the reliance on Pixel devices – it’s an understandable choice, but does mean giving money to Google if you don’t already own a Pixel. A workaround, if you will, is to buy a used or refurbished Pixel, but that may not always be an option either. For me personally, I’ll be sticking with my Pixel 8 Pro for a long time, but if it were to break, I’d most likely go the used Pixel route to avoid enriching Google. For pretty much anyone reading OSNews, GrapheneOS would be a great choice, and if you already have a Pixel, I strongly urge you consider switching.
Does this allow having an equivalent of root in one profile and non-rooted environment in another one so that I can use both apps that require root and apps that won’t normally run on a rooted system on the same device?
It doesn’t work like that, or at least I have never heard of such a ‘configuration’.
But the thing is – with GrapheneOS there are very few usecases for rooting.
If the bootloader is locked back after flashing GrapheneOS, it will happily run a lot of banking apps, without them complaining.
I’m not sure about GooglePay (should work too).
Furthermore GrapheneOS allows you (like almost no other Android) to disable/freeze apps through the normal Settings > Apps
In that state – they can not collect i. e. location, accelerometer-data, etc.
Want to use Flightradar 24?
Install GooglePlayServices and Flightradar24.
Use the app for a while.
Got to Settings > Apps
Deactivate them both.
GrapheneOS is rootable, but strongly discouraged by the people of GrapheneOS.
I recommend the web-installer for GrapheneOS, but primarily for people who use Chrome in Windows.
Reason: the required webUSB-capability of browser is broken in other browsers and also not working if you use i.e. Chromium on Ubuntu which comes as a snap package and cannot properly access USB.
Also USB3-Ports can be problematic, better resort to a USB2-Port if you can.
Agree with lazar, I think you need to figure out if you want root for the sake of it, or if there is really a use case for that and find an alternative. For example, for firewall there is no need on graphene as there is internet permission, but on a regular android you also have vpn firewalls. root is very bad for security and is never going to be officially supported on Graphene.
https://www.reddit.com/r/GrapheneOS/comments/13264di/is_root_possible_with_grapheneos/
balmer,
I have to strongly disagree with this justification. The fact is someone is always going to have root on your device, the only question is whether the owner gets the privilege themselves or not. IMHO the owner deserves root access more than anyone else. Graphene would be just as guilty as the manufacturer for depriving owners of this right. It’s not (or at least it shouldn’t be) up to the manufacturer to impose limits on what features the owner can or can’t use. I’ve needed to use iptables for example.
https://discuss.grapheneos.org/d/4113-arguement-against-gos-firewall-makes-no-sense-to-me
One of the worst things an OS publisher can do to curtail owner freedoms is impose their own policies against our wills. We all say this when it comes to microsoft and apple, grapheneOS should NOT be given a pass on this! They should respect owner autonomy. Of course not everybody needs root and that’s fine, it doesn’t have to be the default and I don’t mind warnings and what not. However the fact that someone else has more control over your devices than you do is a huge problem and the risk of this power being usurped by governments is only increasing for owners who don’t hold the keys to their own devices. Graphene isn’t an exception.
GraphineOS are right to engineer components to be sandboxed, however they are morally wrong for depriving owners of what should be basic ownership rights including root access.
At the end of the day, putting themselves above the owners is par for the course, but they don’t get points for moral high ground.
I can understand this point of view for a closed source operating system running on a device with a locked bootloader, but for this case I think it doesn’t make any sense, sorry. If you have a Pixel device nobody has any say on what you run or don’t run on your device. You have the complete ability to change the software for something others have made available, develop or modify it yourself or pay someone to develop it for you if you feel like it. What nobody owes you is having feature x that you like in a software that they make on their spare time and make available to you for free.
But anyways, in case you missed the link, you have root access through adb, but it is not available thorugh UI because that is impossible to secure. I think it is completely fair that a security focused OS does not support a feature that compromises the security of their users.
balmer,
It doesn’t follow that owners should be denied root on their own devices.
Quoting your link “This is not what people are referring to when they talk about rooting on Android, they are referring to granting root access to apps via the UI not using it via a shell.”
A root shell on the phone would be a good start. Flipping UI bits to enable ADB with root is not really more secure than UI bits to enable the owner to have root. These questions were asked here that were never answered.
https://discuss.grapheneos.org/d/4457-root-privileges-adb
I don’t think GrapheneOS is a bad OS, but the fact remains they are just as guilty of squashing owner rights as the mainstream corporations.
GrapheneOS are entitled to make an OS that doesn’t offer owner root, but then they need to own the fact that they are against owner rights. It rubs me the wrong way when people want to pretend they are better than google or apple or microsoft or other corporations while following in the same owner restriction footsteps. The incremental loss of freedoms taking place on technology is also on grapheneOS’s hands, unfortunately.
“We are taking away your access for your own security” isn’t a new argument. It’s the goto excuse used by anyone wanting to take away other’s rights. Sometimes this may be morally justifiable when there is grave danger. to the public. But for a mobile phone OS I call BS. By all means warn owners of the potential risks, but when you deliberately aim to take away control from informed owners when their own hardware is at stake, that is not morally justified and you’ve lost the high ground.
I don’t mean to be a jerk about it. GrapheneOS is a good project, but they could do better on owner rights.
To be clear, I do like GrapheneOS overall, we need projects like this and I am rooting for them to succeed (like my pun?). I just think that depriving owners of root is the wrong side of the rights debate to be on.
I appreciate that being critical without offering any solutions was not helpful on my part, so let me try to correct this. Instead of fighting owners who want root, there might actually be a great opportunity for grapheneOS to innovate here. Creating secure root environments like Temcat asked about isn’t all that far fetched. Using a single kernel, look at the way OpenVZ lets you spawn isolated containers. These containers can have root while remaining securely isolated from each other! grapheneOS could be the one to do this on mobile and it would set an innovation bar that others may follow while not punishing users who desire root access.
This seems like a better path forward than platforms that force restrictions on owners who don’t want the restrictions. I could get behind this, could you?
I think the multi-profile workflow is very tiring. For most people, a private space or a work profile set up with Shelter, or both, might be an easier way to achieve separation of apps and data while not creating the friction of having to constantly switch profiles.
>hardware has a good quality / price ratio.
Not sure about that. I got a good deal on my Pixel 8 but I have to say that the hardware is crap. No SD card, no headphone jack – of course, that’s standard now, because they want you to buy their cloud storage and Bluetooth headphones. But the battery life is really bad when you’re on a cellular network (fine on Wifi) which is a well-known “bug” with the crappy modem the Pixels 6-9 use. My old Samsung S10 (from early 2019 I think) was overall a better piece of hardware than the Pixel 8 (from late 2023). And of course for gamers who need CPU, GPU and RAM, all those gigantic but cheap Chinese phablets give you great bang for the buck.
I have to say it was painful for me to buy a Pixel Tablet for that reason. Being the only tablet supported by Graphene was the only reason I picked this over an iPad at this price.
We have GOS on my wife’s Pixel 4a which just ran out of support from GOS. We never leveraged the multiple profiles. She just used it like a normal user, we minimised use of non-Froid apps where possible. It’s been very good with no real issues. When my Pixel 6 came out CalyOS was first to release a rom so went with this and it’s been quite a similar experience however I opted for microG. Again, I use mostly Fdroid apps apart from Teams, Zoom and MS Auth in a work profile that I only enable when I need to. I’ll replace hers and mine with Pixels again. Unsure if I will choose GOS or CalyxOS (or equiv) but it will absolutely have to be as G00gle free as possible.
GrapheneOS was quicker to support the pixel 6 than CalyxOS. We also still support the 4a by the way, albeit in extended support because it has reached end-of-life quite a while ago already.
GrapheneOS and CalyxOS are very different. GrapheneOS is a hardened OS with substantial privacy/security improvements:
https://grapheneos.org/features
CalyxOS is not a hardened OS. It greatly reduces security vs. AOSP via added attack surface, weakened security model and slow patches.
Compatibility with Android apps is also much different. GrapheneOS provides our sandboxed Google Play compatibility layer:
https://bsky.app/profile/grapheneos.org/post/3lamcjfv5r22s
Can run nearly all Play Store apps on GrapheneOS, but not CalyxOS with the far more limited and less secure microG approach.
https://eylenburg.github.io/android_comparison.htm is a third party comparison between different alternate mobile operating systems. It could include many more privacy/security features but it’s a good starting point.
https://privsec.dev/posts/android/choosing-your-android-based-operating-system/ is an article with more long form comparisons between the operating systems.
spring-onion,
I don’t like the limited hardware options, I acknowledge it’s really hard to support a wide variety of devices given the lack of standardization and the inability to boot a mainline kernel across them. As much as I wish things just worked as well as x86, it just doesn’t and probably never will. None of this is ideal but it’s certainly not grapheneOS’s fault.
I’ve experienced microG compatibility problems myself. In most cases people can run google services in place of microG and obviously GrapheneOS can do that too, however this kind of overlooks the motivation for using microG in the first place. One of the big reasons for choosing to run an alternative OS is not running google blobs and being tracked by google. We don’t want a google account and don’t want to run google’s proprietary blobs on our phone. Sandboxing the blob is better than nothing but it would be much better to have a FOSS implementation of it, which is why some prefer microG. Having binary google dependencies kind of sucks, but I do appreciate how difficult it is to completely kill them off. For better or worse they have very long tentacles to force projects to make these kinds of compromises. In terms of FOSS, I’m a proponent of microG, but compatibility-wise google blobs have the advantage.
Personally I still find myself wanting to ban google blobs on my devices, but once again neither choice is ideal. It’s a pragmatic compromise and we have to ask what we value more?
GrapheneOS user here too, since 1 month. I like it a lot sofar. I had some questions and they were very quickly answered on Telegram by GrapheneOS team members. The OS itself is great, just maybe a bit monochrome in design but I guess all is adjustable.
However I do echo the sentiment of Alfman here about MicroG. For me it’s all about avoiding Google and to this day I don’t understand what a sandboxed Google Play Services means. I use it for my banking app but does this still mean that it’s sending home data to Google about the other apps?
If you mention MicroG in the Telegram channel, within 1 minute you get this canned reply that GrapheneOS is more secure and you shouldn’t be using MicroG, totally ignoring the reason why people like to use MicroG rather than a sandboxed Google app.
My plan is to research it a bit better and if necessary remove the sandboxed Play Store and use MicroG again.
Or maybe switch back to e.foundation when they support my Pixel 8a as for me privacy is more important than the ‘we are secure and hardened’ message from GOS.
For the rest, it’s a very very good experience, all my apps I want to use, work.
> A main profile is used by default (the owner profile), but users are encouraged to do all their activities in a separate profile (or multiples profiles). [proceeds to describe ¡7! different profiles]
I’ve been using Graphene for almost 2 years and it is the first time I hear this. To be fair profiles is a feature of vanilla Android, and it is a PITA to use. I use a separate profile for apps that need google play services and my work apps (VPN included), which would be something like the shit profile. Since Android 15 I’ve also been using the private space which is wonderful to run proprietary apps, and I have my banking, investing and gaming apps on a basic iphone, so I’m not new to compartimentalization. But this is madness, and can only come from a Qubes developer.
Good day! GrapheneOS team member here. We would absolutely be down to support other devices too, but at this point of time nothing other than pixels come close to fulfilling our requirements. The crucial, well implemented hardware security features are a big factor, they have an overall excellent update frequency and also fully support 3rd party operating systems with no downsides or strings attached.
If you would like to read in on the details on what exactly these requirements are, we’ve laid them out here: https://grapheneos.org/faq#future-devices
Why are the hardware security features crucial? And what features do you have in mind?
Most people switching away from stock Android are doing it privacy and control. I am with Alfman on that – no root, no control. If GOS doesn’t allow root access it is not better than stock roms. Security is only important to the degree it supports privacy (sandboxing etc). I would add disk encryption but that is a nice to have, not a must.
To me it looks like GOS is misreading what their users want.
Thom, if you have the chance, I’d love to hear your thoughts on the Librem 5/Liberty Phone.
I’ve been daily driving one for a year and a half now, and I am very happy.
The reviews on the Internet are very old and outdated and, if you past through the rage in the forums, the device has been super.
I use Waydroid to get MFA from my bank, oddly, NewPipe is the superior way to watch YouTube.
After a quick ZRAM configuration tweak, Firefox config to act like a mobile device and creative partitioning/mounting to get my internal storage expanded with a 1TB SD drive, it is really the first phone that got me excited about phones in ages. It was very easy to put together some scripts for home automation (and Cameron Kaiser’s Python scripts for the Philips Hue system), having the full desktop Firefox has some advantages for development ….
It is just fun!
It won’t be the best gaming or media player device, but it is just amazing to be able to get it to do SMART things without having to subscribe to a single online account.