- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
I’m considering the switch to GrapheneOS, so I watched this interview with one of the members of the GrapheneOS team, and honestly, I feel it was a great general introduction to it and touched on common features and misconceptions.
For those who don’t know, it’s one of the most secure and private mobile operating systems out there. Some things that I took away:
-
They touched upon MAC randomization. I researched a bit on my own about what the need for it is. Apparently, it’s standard practice to randomize MAC addresses when scanning WiFi connections. However, GrapheneOS (and Pixel firmware) are even better at this, as they make sure they don’t leak any other identifiers when doing so. They also allow you to get a new random MAC for every connection that you make (not sure whether this is very useful, as this can cause problems). On a related note, even when WiFi/Bluetooth are “off,” stock Android can still scan in the background to improve location accuracy (by matching visible networks/devices against Google’s database). So basically, even with WiFi/Bluetooth off, Google still knows where you are. In GrapheneOS, this option is off by default.
-
They have their own reverse proxies that they use to talk to Google on your behalf when needed.
-
Apparently, in the USA you can be compelled to provide a fingerprint or Face ID. Courts have ruled this doesn’t violate the 5th Amendment because it’s physical, not testimonial. BUT you cannot be compelled to provide a password/PIN. That’s considered testimonial evidence, protected by the 5th Amendment. GrapheneOS has a two-factor system where, after using your fingerprint, you still need to enter a PIN, so it helps with this. They also have a BFU state after reboot, which is the safest and requires you to enter your full passphrase.
Good luck!
First thing I’d recommend you do when you get it set up is literally just go through every single settings menu and see if anything catches your eye. There’s a lot of random settings that GrapheneOS adds that can be very useful. Some of these might not be visible at first glance. (for example, when you’re installing an app, a popup will appear asking if you want to grant the app network access when you install it, and if you toggle it off, that app can’t talk to the internet at all, not for ads, telemetry, or anything at all.)
Just be aware that some features that Google implements on stock Android aren’t available, because they’re not part of the Android Open Source Project (AOSP)
Things like Google’s Find My Device features, some of the extra lock screen customization (e.g. custom clocks other than just simple color changes), automatic music recognition, (e.g. Shazam but built into the OS and running in the background for some reason), etc.
One thing I haven’t understood properly I feel is how notifications work. They talked there’s basically 3 ways of sending notifications on android. FCM (googles system) , websockets, unifiedpush. Most apps use FCM so you need play services installed to get notifications, right?
How does that work through profiles though? Some commenter in this thread said you can forward them from another profile if that profile is running in the background? But if I have google play services installed on profile B but not profile A? Do I have to install them on every profile?
I may not fully understand how profiles work yet.
Not all, and especially not 99% of FOSS alternatives. Many apps simply fallback if they can’t reach Google’s system service. For example, all my banking apps worked fine without play services, could send notifications, etc. Discord even sent relatively up-to-date (with a small delay) notifications… but one day, it stopped doing that, and now Discord requires (sandboxed) Play Services to send me notifications.
It’s a bit of a mixed bag, but the vast majority of apps I’ve used seem to have fallbacks, excluding most games, and a larger percentage of banking apps compared to other ones.
Think of profiles as just your regular user experience on the phone, just on a separate account that can do all the same things but is totally isolated, without shared app data, settings, etc. The user experience is like having two completely separate phones, just with the same cellular network, OS version, and it’s running on the same hardware. (oh, and only your primary (default, one you start out with) profile can manage all the other profiles. It’s sort of like the default “admin” account of the phone)
Everything is isolated, unless you tell GrapheneOS to connect the two in some way, the only way I know of currently being… Notifications!
Now imagine that if you’re on Profile B, and Profile A gets a notification. You just get a notification saying “Profile A has a notification” with a button saying Switch to Profile A.
Simple as that. Profiles run in the background as long as you’ve unlocked the profile at least once since the phone’s last restart, and any corresponding notification services on each, even though they’re isolated to their own profiles, will just cause the system to send a notification to whichever profile you’re on saying there’s a notification available.
If I have Play Services installed on Profile A, and an app sends a notification through it, it doesn’t matter if Profile B has Play Services, because the system is just picking up that a notification is detected on Profile A, and letting me know on Profile B.
Lemme know if you have any more questions. I’ve been daily driving GrapheneOS for a while now and have a current install on my phone, so I can help explain any specifics of most features it has that you’re curious about.