The existence of alternative operating system doesn’t improve the security. It is only a possibility. To demonstrate the improvement, one needs to examine the actual alternative OS. Including secure vulnerabilities that it brings with itself.
What is the improvement exactly? Say, I have a regular Android phone with stock bootloader. How is the above more secure than booting a regular phone? The only purpose of having a signed bootloader is that firmware can verify the signature. Then it is either booted, or not.
Broadly the “high level tangible requirements” you want could be:
Does it make it harder for people who take your phone from getting into your data?
Does it make it harder for random apps and websites to compromise your phone?
Does it make it harder for random people to track you/your phone?
Does it make it possible for you to use a phone for more than 2 seconds before it’s outdated and n-days start piling up without being patched?
A proper implementation of verified boot covers 1 (e.g., preventing downgrade attacks properly, showing a hash you can check to ensure someone hasn’t replaced the OS and so on)
Most of the silicon-based features like PXN, BTI/PAC and so on cover 2 (exploit prevention/mitigation) and partly 1 (e.g., hardware secure element being capable of rate limiting pin/password attempts)
Proper patching (i.e., timely ASB patches) and longer term support covers 4 and to a lesser extent 1, 2
I’ll leave the rest as an exercise for the reader, as it’s pretty self-evident if you understand a bit about security. I would guess that the Graphene devs were probably considering these kinds of requirements when coming up with the big list of more granular requirements, but we don’t have to all agree to the same conclusion GOS got to, we could go point by point and determine what’s most important. Though, people don’t agree on what the requirements are and how they should be met (this thread being a great example of it).
Personally, I think the absolute minimum requirement for security is verified boot with rollback protection, a secure element that ratelimits passcode/password attempts, patches that aren’t five billion years late (lol fairphone), and software+hardware designed to mitigate at least the lowest hanging fruit of exploits. And for privacy, the minimum requirement should be an OS that doesn’t shove ads in your face and try and track your every move nor let other apps do so. This rules out most things that aren’t Pixels with GOS, Divest, or Calyx, or iPhones with an MDM applied
If I am remembering this thread right, the verdict was (in case you are inclined to trust speakers who are obviously no experts in this area) that for $150 there is none (brand new). I can’t subscribe to this since IMO those evaluating proprietary hardware and firmware are way over their heads.
If something like $300 for new Pixel 6a is too much for you, why not get a used one? Put GrapheneOS on it and you will definitely feel more secure. Will it make any real difference for average Joe? I’m not sure.
I had bookmarked this thread a while back hoping there would be some findings. Coming back to it months later, there are far too many replies for me to go through with the limited time I have. I was just wondering, has anyone found any “budget” Android phones that offered the best (note, “best” being a relative term) security? Or was it too good to be true?
I think the best budget phone for security was deemed to be a new cheap Samsung? (Long update schedule etc), like a Galaxy A15? Not particularly private though.
If my threat model doesn’t take into account lock screen security or physical brute force attacks of PINs, is a random cheap EOL device with DivestOS compatibility fine (edit: i.e. pixel 4a) ?
I need decent hardware specs (6 GB RAM+) for it to work well with newer android for a decent amount of time, and it must not be vulnerable to RCEs, privilege escalation, or sandbox escapes.
RCE (Remote code execution) and Privilege Escalation attacks are anyways very rare and hard to do as long as you use common sense (like not granting device admin permission) and trusted applications. Standard AOSP security model is nothing to laugh at, and even stuff like GOS relies heaving on it.
Relevant Copypasta
I’d just like to interject for a moment. What you’re refering to as GrapheneOS, is in fact, AOSP/GrapheneOS, or as I’ve recently taken to calling it, AOSP plus GrapheneOS. GrapheneOS is not a full operating system unto itself, but rather a secure modification of a fully functioning AOSP system made useful by the Pixel hardware, AOSP utilities and vital system components comprising a full OS as defined by me.
Many phones users run a modified version of the AOSP system every day, without realizing it. Through a peculiar turn of events, the version of AOSP which is widely used today is often called Google’s Android, and many of its users are not aware that it is basically the AOSP system, developed by the AOSP Project.
There really is a GrapheneOS, and these people are using it, but it is just a part of the system they use. GrapheneOS is the modification: the program in the system that allocates the machine’s resources to the other programs that you run. The modifications is an essential part of a secure system, but useless by itself; it can only function in the context of a decent security model. GrapheneOS is normally used in combination with the AOSP operating system: the whole system is basically AOSP with GrapheneOS added, or AOSP/GrapheneOS. All the so-called GrapheneOS distributions are really distributions of AOSP/GrapheneOS!
So if you are looking to run Pixel 4a for a short time as you save up to upgrade to a newer phone, I think running it with Divest OS and using common sense shouod be good enough to get you by. But remeber this is harm reduction not elimination. Try upgrading as soon as you can.
And for the people who scoff at usefulness of hardware security would do well to remember that in many countries now (especially in the EU) your phone is your digital ID. Anyone able to bypass its security also gets access to your social security and banking information, can do digital payments, can spoof you in front of authorities. There are already people and state actors who target masses of people with low financial resources and steal their identities through scams, attacks, etc. for more nefarious purposes.
I dont think we should be downgrading recommendations on the basis of cost, otherwise the slippery slope may lead to justifying free VPNs, storage, etc.
I was going to ask how it’s any worse than desktops, but I guess phones these days must ship a lot of nonfree kernel drivers to support their hardware.