I just installed Graphene on a new Pixel. I've only used it for two days, but I got that same feeling of "finding buried treasure in your backyard" I got when I first installed Linux in 1999. I can't believe this amazing software is free in all senses of the word. It is a TON of work and they got so much right. The security and usability settings give all the granular control I've known was possible and wanted for a long time.
I see some core team on this thread, so just wanted to say THANK YOU! Awesome job! Keep fighting for the users!
I'm totally the wrong person to offer recommendations on mobile, but so far it works very well for me, but then, I use almost no third party apps, and none of them are Play store only. My only complaint is the hardware (outside of their control).
Happy long term user, great project. Here is a list of Open Source Apps, I use to replace Google stuff:
Aurora Store - Anonymized frontend for Playstore
F-Droid - Open Source App Store
Obtainium - App Store for other sources (e.g. github)
Organic Maps - Open Source navigation (not as good as proprietary ones though)
SherpaTTS - Text to speech for Organic Maps
PDF Doc Scanner - Little Trickster, Open Source document scanner
Binary Eye - Barcode reader
K9 Mail / FairMail - Mail client
LocalSend - Cross Platform File Transfer
Syncthing Fork - Catfriend1 Syncthing fork to sync files
VLC Media Player - media player
KOReader - ebook reader
Voice - Paul Woitaschek, local audiobook player
AudioBookShelf - Remote audiobook player
Immich - image backup
Fossify File Manager - file manager
Substreamer / DSub - Audio streamer for navidrome self hosted server
OpenCamera - Open Source camera app
I wish I had this list from the start... Hope it helps someone :-)
Last I heard, Google discontinued publishing device trees and driver binaries for Pixel devices with their recent changes to their stewardship of the AOSP [0]. Was it something definitive or are they merely delayed? If the practice is being discontinued, what would be the reason why? Doesn't publishing these artifacts create a business case for customer demand for the Pixel devices? Or is there some cost that outweighs the benefits? Is it maintainer overhead?
I didn't bring this up when it was a news story last month because there was a lot of cynicism in the thread, but I am genuinely curious. I am really grateful for both GrapheneOS and Google for creating a phone platform that Just Works for the essential stuff and that I can reasonably recommend to non-technical people!
The main missing feature is password under duress that would open a different “user”. So even if you’re forced to give away your password they won’t get to the real account (some hidden profile or similar).
At least hidden profiles would be good enough for basic protection.
I have used LineageOS [0] for a few years on my old phone, and last year I got a Pixel 4 and I am using Graphene on it. Both systems work well and I am really glad they exist; Graphene gets extra points for its extremely easy installation process. Unfortunately it seems Graphene is already phasing out support for the Pixel 4 [1], so I'll have to switch back to Lineage at some point.
The only technical limitation I have encountered using these ROMs is related to GPS: my position is often lost and I need at least multiple minutes to gain it back (or sometimes it never comes back, depending on where I am). This is likely related to not using Google's location services, even though I have turned on all settings like using WiFi / bluetooth to improve the location accuracy. I tried every piece of advice I found online, without luck. Somehow the issue is a bit worse on Graphene, as my position is lost every time I close the Maps app, but it may be related to the phone and not the OS.
My only problem with Graphene is the ridiculously low number of supported devices, I know, I know, security reasons and so on. But I would accept a lower-security hardened version but at least have Graphene instead of Google's junk.
I am a long time GrapheneOS user, amazing project. One thing that is not clear to me is the support for NFC payments. Last time I checked, NFC payments on Graphene didn't work at all, but I am reading on this thread that some users do manage to pay via NFC? Did I get this right? Mind explaining how?
I do not use banking apps (I only use banks that allow me to log in via browser using a 2FA which is not a proprietary app, like a FIDO key or other physical dongle), but do I get it right that Revolut would allow me to pay via NFC in this case? Is this something geo-dependent?
Graphene is a fantastic operating system for Pixel devices. Simple, reliable and with plenty of security and privacy features to make you feel warm and fuzzy. System updates are automatic, actual phone functionality is flawless, perhaps the only complaint to be had is the quality of camera, which probably lacks proprietary drivers. Signal works fairly well - even without abusive Google Services installed, making this a perfect daily mobile driver. Much gratitude to the developers of this project.
It's interesting that the only devices complying with the security requirements are Google's.
I wonder if Google actually has an internal version of Android that's more security-focussed. Given that critical engineers' personal devices being hacked should be a security threat that's on Google's radar, it's possible.
The submission is a bit old but let me try anyway since I see some user claiming to be Graphene community manager here. Let me first reiterate that GOS is an amazing project and that I am super grateful for your work. That said, I think the #1 missing feature is the lack of a robust backup solution. Last time I checked, there was an ongoing discussion about shipping an ad-hoc backup system for GOS. Any update on this? Thanks!
> "will never again be closely tied to any particular sponsor or company". Work on GrapheneOS is supported by a Canada-based foundation created in 2023; there appears to be almost no public information available regarding this organization, though.
If I need to buy a phone made by Google to get away from Google, I'm just not doing it. /e/ doesn't support my current smartphone, either, and postmarketOS is not functional. At this rate, I think we're better off going back to dumbphones.
I am (very slowly) migrating from iOS to GrapheneOS, for the same reasons as OP (privacy, Apple's increasingly user-hostile and developer-exploitative policies).
Apart from migrations concerns, which are not GrapheneOS' fault, the main shortcoming I see is the lack of proper backup/restore, e.g. when switching phones. There is Seedvault, but I've found it unreliable.
A question for strcat / other Graphene developers:
Can you clarify what one can expect from legacy extended support? Will old devices get any more updates? How long, how often, is it just security patches, etc.?
Does anybody else here see as problematic that this OS supports mostly Pixel, a Google phone?
Over and again people on HN make the following argument: "Google is a company that makes most of its revenue from ads and surveillance. Therefore, you should always assume that Google is spying on you". But somehow when it comes to Pixel people give it a pass?
Prediction: If Pixel isn't already hardwired to phone home and report on your activities, it will slowly become so over time, as Google realizes its interest. You know, as it happened with Android, Chrome, and everything else that Google touches.
I'd install Graphene OS in a heartbeat on my Pixel if they'd add support for Google call screening and features like Hold for me. These features are why I bought my Pixel and it's too much of an inconvenience to go without them now. Spam calls have gone down significantly and it has saved me a lot of time.
Been using it for the past two years and supporting the project. I personally love it but you do have to tinker a bit once in a while so I would hesitate to put it in the hands of my parents (though I bought them a Pixel just in case). Google Pay not working is mildly annoying (hoping to get PayPal or Curve eventually). Android Auto works but I didn't yet try to make voice commands work. Some apps behave weird if you block access to the sensors (though it is nice to be able to do it). Sandboxed Google Play works great for the most part.
Perhaps a newbie question, but since there's a lot of Graphene users here I thought it'd be best to get a human answer.
I have an old Pixel 5 which I stopped using because Google dropped Google Pay (tap to pay) on it. I moved to a new device (Pixel 9) for daily usage but still have the 5 laying around (due to low resale value).
At the time I moved, Pixel 5 was about 1.5 years (November 2023) beyond Android security updates. I still love the form factor (more than the bigger 9 I use now) and it has much more life left in it. I'd quite like to use this as a backup device for basic utility (camera, phone, SMS, basic read-only web use) and to take with me for runs and travelling.
Would installing GrapheneOS on this device likely make it more secure? Do Graphene releases work the same on all devices, or is it sort of device-by-device basis?
True privacy is such a rare commodity these days. It’s a breath of fresh forest air to enter an OS unwatched, allowing your mind to be free.
Not to get too deep, but contemporary philosophy posits that our phones have become extensions of our brains (not only theoretically, but literally! See e.g. Andy Clark and David Chalmers, “The Extended Mind,” 1998). Our devices have access to profound parts of our lives— our habits, friends, desires, notes, thoughts… With something this fundamental, it’s vital to have privacy.
Thank you, Graphene team, for all the hard work you do.
> Our community manager has provided a response to the recent LWN article on GrapheneOS with important corrections and context. The article had significant inaccuracies about the history of GrapheneOS, our organization and the details of what we provide. [.................]
Really feel a similar sentiment to a lot of others in the comments! I'm enjoying the recommendations others shared here. I _think_ this follows the rules of conduct for HN but let me know, I recently brain dumped about the following on my blog about the general experience setting up GrapheneOS: https://blog.matthewbrunelle.com/i-picked-a-really-weird-tim...
The article mentions the lack of a swipe keyboard, which is an issue for me.
There is an option though: Heliboard with a custom swipe configuration applied (which is apparently sourced from Google, I'm not sure how "grey" that is).
It definitely works as a swipe keyboard, but it's just not as good as GBoard. I will persist, however. I hope that it's learning at least...
I was tempted to use this but when I looked into the team behind it there seemed to be some issues as exposed by Louis Rossmann here: https://youtu.be/Dl1x1Dy-ej4.
Instead, I installed CalyxOS and have been using it over a year now and I'm very happy with it. Check it out.
I'd like to switch phones soonish and was looking at the Fairphone 6 with /e/OS but feel deterred by its mid range specs which would probably limit its longevity. I would like to get away from Google.
Is waiting for the new Pixel and then putting GrapheneOS on it a good way forward? Seems weird to pick a Google device to get away from that company.
Has anyone else done the same?
Alternatively, there is the iPhone but I do like F-Droid and the more open nature of Android.
I have been using GrapheneOS on my Pixel for almost a year and am quite satisfied.
The docs for compilation are neat so I'm running my own build with my own signatures and my own repository of their AppStore for my third party apps that I also build from source.
I run only those apps on the main profile and then keep a private space (set to autokill on lock) for proprietary apps that require Play Services.
My personal favorite feature of GrapheneOS is that we can toggle the network access permission.
In the past, I'd have to root my phone just to be able to install a firewall to do the same.
Big props to GrapheneOS!
Big thank you to the GrapheneOS team! I have been running it for a week now on my 9pro and the user / app sandboxing is great. If there's a way to donate with cryptocurrency or help contribute, let me know!
some things about the UX in this are so bad, which i love because it discourages me from using the phone more. every time i end a phone call i struggle hanging it up. i don't know how to go forward in the browser because the swipe always makes me go back, even when i swipe forward. it's using the ugly material ui components from google. it's great!
all of the privacy and security parts of the UX are good, though.
I think Graphene gets posted here yearly. Having tested a variety of ROMs dedicated to different elements of security, I can attest that Graphene allows the most "normal" phone usage compared to many others. The biggest factor is the sandboxed Google Play Services, which allow you to use a lot of apps that you wouldn't be able to otherwise.
I've used Lineage without MicroG, as a comparison, and that's becoming more-and-more unusable every day some lousy Android developer tethers their company's app to some feature exclusive to Play Services.
It's a shame that Android as a whole is trending towards hardware remote attestation. It's pretty much guaranteed that app developers will eventually start writing their apps so that they refuse to run on anything that doesn't pass Google Play Integrity. Being unable to run WhatsApp or bank apps on GrapheneOS will render it useless as a smartphone operating system. It might not be happening right now but the threat of it looms eternal. My bank could flip a switch somewhere and suddenly my phone becomes useless for the purpose of accessing my bank account.
The Google Pixel requirement also makes me sad. I understand that they have solid reasons why. The problem is Google is incapable of selling their phones worldwide. It's really embarrassing for Google and unfortunate for me.
Maybe my tinfoil hat is on too tight, but I always thought it was interesting that Graphene OS places so much blind trust in a proprietary black box security chip from Google that they pinky-promised to open source but never did.
It is insane the amount of "news" about GOS that somehow get things wrong.
It cannot be coincidence but misinformation on purpose.
On Twitter, GOS team have to often reply with the actual correct information, it is insane man.
Reading some comments here regarding hidden profile, security through obscurity doesn't and will never work.
Add to that the fact that GOS is well known now, those people think that if they were forced to give their phone away, they won't have to disclose the hidden profile??? Newbies!!
I don't wonder why GOS team never bothered to prioritise this.
I have been using GOS for a few years now, it is perfect, full control over everything, the team's support is like no other and full transparency about everything, the release notes are like no other.
GrapheneOS (like all modern AOSP based ROMs) can literally not function with just the open source code. It requires hundreds of binary blobs from the vendor partition of a stock Android ROM, many of which have root access and have not been audited by anyone, including Google, who often lacks source code for them.
Beyond that, the GrapheneOS team still controls a single signing keychain for all phones in the wild, which we have to assume is still controlled by Daniel Micay (strcat) as it has not rotated as far as I can tell since he mostly stepped away from public view.
He is without question a brilliant security engineer, but we can't ignore his very public Terry-Davis-esque history of mental illness. Making -anyone- a single point of failure for a ROM frequently recommended for journalists and dissidents is a bad plan, and especially not someone very prone to believing wild conspiracy theories.
I can't recommend GrapheneOS for any high risk use cases until:
1. They are able to find a device they can run 100% open source code on with no binary blobs
2. The ROM can be full source bootstrapped to mitigate trusting trust attacks.
3. The ROM builds 100% deterministically and is reproduced and signed by multiple team members publicly
4. Threshold signing or a quorum managed enclave issues the final signature only if multiple team members give it signed approvals of a hash to sign.
Until at least those points are covered, the centralized trust model of GrapheneOS is a liability and the central keyholder is at high risk of being targeted for manipulation or coercion.
Honestly there is no good solution to these problems right now, and as a security and privacy researcher my best advice today to potentially targeted individuals is don't carry a phone at all, or if you must carry one, keep it in airplane mode whenever possible and do not do anything sensitive on it. Consider QubesOS or AirgapOS for such things.
If you are fine with centralized control of a phone, and fine with binary blobs controlled by random corpos having God access to your device, but would prefer to eliminate as much proprietary corpotech bullshit as possible, then I would suggest considering CalyxOS which is at least run by a former LineageOS maintainer with a great reputation.
As a long time GOS user I just want to remind what a joy it is to see my very old phone outlive flagships due to the lack of bloatware. I upgrade phones just for a single reason: it has been physically hit so hard over the years that it stops being physically functional.
The one thing that prevents me from switching my Pixel over is the lack of support for emergency services to see your location if you call the emergency number. I know this because I called twice while having GrapheneOS installed.
I do some watersports and always take my phone with me, so letting emergency services see my location is good for my safety in case I ever got into trouble on the water. I also have a PLB, but I like to have two devices for redundancy, as is best practice.
What if all this hype about GrapheneOS was actually deliberately invented by the CIA so that everyone who has something to hide would install a beacon with a backdoor on themselves? adjusts tinfoil hat
While a big proponent of this, to my mind, it seems a bit counterintuitive to place your trust in a community who probably cannot be held to account once some bad actor slips into their ranks, creates a bad patch and empties my bank account.
Graphene OS: a security-enhanced Android build
(lwn.net) 689 points by madars 24 July 2025 | 508 comments
Comments
[0]: https://news.ycombinator.com/item?id=44259921
They have this which wipes your device, but you can get killed under duress. https://discuss.grapheneos.org/d/14722-using-duress-password...
[0] https://lineageos.org/
[1] https://grapheneos.org/faq#supported-devices
Thanks for your hard work!
Corrections/elaborations on some points: https://lwn.net/Articles/1031454/
Source: https://grapheneos.social/@GrapheneOS/114914602970489632
Not "pixel compact", but the size of an iPhone mini.
What about Graphene? Can I get 5 years of updates without needing to wipe the phone?
The only real option for privacy and security which isn't swiss cheese.
Unfortunately my home server, which I was using for backups, was flooded and before I replaced it my phone died and I lost a lot of data...
I really hope this project will never die.
Cops say criminals use a Google Pixel with GrapheneOS – I say that's freedom
https://news.ycombinator.com/item?id=44658908
Cops in [Spain] think everyone using a Google Pixel must be a drug dealer
https://news.ycombinator.com/item?id=44473694
ICEBlock, an iOS Exclusive
https://news.ycombinator.com/item?id=44672521