Android Recommendations Should Reflect Real Life, Not Just Worst-Case Threat Models

I really appreciate the work PrivacyGuides does. That said, I think the mobile recommendations have an extremity that doesn’t match how we approach recommending laptop/desktop hardware/software— and that mismatch deserves a rethink.

On laptops and desktops we make no recommendations at all in terms of hardware, and there are a number of correct answers in terms of software. We don't expect everyone to use coreboot or TPM or Qubes. But on Android, there's only one "correct" answer: Google Pixel + GrapheneOS — and everything else is treated as fundamentally flawed. That's not realistic for many people. There are many valid reasons someone might want something other than a Pixel, even if they care deeply about privacy:

  • They don’t want to give Google money but want to buy a new device
  • Pixels aren’t sold in their country
  • Pixels are out of their price range
  • GrapheneOS doesn't offer parental control options, and Pixels are a bad choice for a child's first device if they are likely to get robbed for having one.
  • They need an SD card. (Pixels don’t have one.)
  • They need two physical SIM slots. (Pixels don’t offer that.)
  • They need a headphone jack. (Pixels don’t have one.)
  • They need a tablet with 4G/5G. (Pixels don’t offer that either.)
  • They need a rugged device
  • They need a very small form factor
  • They don't want to shell out 140€ for a screen repair.
  • They want to buy hardware that is modular, ecological, fair-trade, or has hardware kill switches
  • They care more about privacy than security

We can’t brush all of these off as fringe needs. These are common, everyday use cases — and yet the Android guidance in PG doesn’t reflect them at all.

But let's reflect for a minute on the last use case: our Android recommendations seem built almost exclusively around high-end threat models: nation-state adversaries, mercenary spyware, and physical device compromise. That matters — but for most people, the actual risk is not Pegasus or Israeli spyware firms, but surveillance capitalism: surveillance, tracking, data aggregation, ads, behavioural profiling, and the long-term social consequences of the destruction of our democracies by Silicon Valley technofascism. That doesn't mean security doesn't matter; it means that security absolutism isn't a substitute for meaningful privacy improvements people can make on a much wider variety of hardware.

The PG recommendation framework should acknowledge other custom ROMs, GSIs, and UADNG while pointing out the security advantages of Pixels.

I fully expect Graphene fanboys to trash me in this thread. I love GOS and use it myself, and work at a weekly lab open to the public where we strongly recommend it for those most vulnerable to mercenary spyware: activists, lawyers, politicians, human rights defenders, antizionists, or a family member of any of these people. But that is not the reality of a huge part of the population affected by the privacy crisis. But this conversation matters — because the real privacy crisis isn’t just about individual digital security, it’s also about collective security and human security: preventing the slow, normalized collapse of democracy due to surveillance capitalism requires addressing not just the most extreme threat model, but also helping people make better, not perfect, choices about privacy in the real world.

13 Likes

You will soon be able to run GrapheneOS on a device other than a Google Pixel: GrapheneOS: "We have a serious OEM partnership with a large co…" - GrapheneOS Mastodon

  • They need an SD card. (Pixels don’t have one.)

Which device has one, other than the Fairphone, which is a non-secure device?

They need a headphone jack

This is PrivacyGuides, not some other website like PTIO or brax; recommendations need to make sense and not just be based on features that devices have. If that were the case, Chinese phones are getting a lot better than your average OEM, which is lacking so far in battery tech etc.

2 Likes

The users here are very lazy: they’re content with security best practices and don’t want to test alternative products that focus on comfort. Don’t expect them to brainstorm and develop a new recommendation after the Graphene.

1 Like

Enlighten us please.

2 Likes

I certainly agree with this. Often when someone posts about privacy or their concerns regarding it, there's mention made of threat model. To carefully assess what you're realistically vulnerable to, because at the extreme, every 1% of extra privacy is about 20% more daily annoyance to maintain. Most folks will just give up if they put that kind of burden on themselves, ending up overall worse off. A harm reduction approach seems fit here.

Potentially, we could develop or cooperatively promote guides on securing devices other than a Google Pixel + GrapheneOS. I personally use a Z Flip, and have gone to great extents to lock it down as much as I can, remove unnecessary services, and disable as much advertising & data collection as I can.

Interested to see others’ thoughts on this. Great post.

3 Likes

I wonder what advantage exactly these options provide. If you are trying to bandaid your device, it is totally fine, because you are trying to control the damage.

However, if you are shopping for a new device, your arguments are a very tough sell.

PG could provide a matrix to list out and briefly compare the options, but it's not gonna look nice.

2 Likes

Pixels not being widely available or too expensive is common though.

3 Likes

This dualism of pixel = secure vs. everything else = insecure is what I’m arguing against. I don’t think it’s that simple, otherwise there would be headlines about every person who has a (insert some phone brand here) getting their bank account emptied.

I’m not recommending we select hardware based on the feature set, but instead recognize that by narrowing our criteria to only include the most secure software, we miss entire swaths of the population who may have other needs but still want the privacy advantages a custom ROM (or even debloating) will give.

8 Likes

Other Android based OSes (they aren’t ROMs) have been recommended when they met criteria. DivestOS was listed until they discontinued it in Dec. 2024. If you know of any other that meet the (fairly basic) criteria I suggest you open a PR or link them in your thread.

2 Likes

The issue is more so with Android, not PG imo. Google Play Services is built into the OS with elevated permissions, constantly broadcasting your data in a fashion you have no control over. It can't be turned off while retaining basic functionality.

I sympathize & agree that Google Pixel & GOS is not a universal solution, and many will want or need stock Android. But stock Android is just really, really, really bad for privacy. Recommending it as an acceptable privacy solution feels incredibly misguided.

I think Lineage is the only surviving, serious alternative ROM. I don't think it meets our minimum criteria. I would need to double check that for certainty.

9 Likes

I believe PG have recommended other Android custom OS before, such as Calyx or Lineage, or both. I think the argument against them now is there are more security trade-offs for little privacy gain, and they don't have predictable roadmaps compared to GrapheneOS (Calyx halting development is a recent example). DivestOS was also recommended until it was discontinued. PG has catered to different Android users before, and I think the general recommendation now is to get the best Android device you can get with your budget that continues to receive security updates, and stick with stock Android instead of a custom OS (debloating using ADB, but you have to know what you're doing).

EDIT: LineageOS doesn't support bootloader locking apparently, which is one of the criteria.

1 Like

How anyone can call getting rid of pervasive system-wide spyware and bloatware in every stock Android device (even Pixels) "little privacy gain" is beyond me. It's an enormous step forward for reclaiming user privacy.

4 Likes

The custom ROM hardware wiki lists more than a dozen custom Android OSs, many of which like iodé, crdroid, bliss, and lineage are very well alive and kicking.

The problem is, the criteria are far too narrow; they exclude 99% of the hardware for security reasons, not for privacy reasons. That's the central point of the argument I'm putting forward. It's akin to telling people to only buy the few laptops that have Secure Boot, and then only install Qubes - that ignores that even if you install Linux without FDE, you still get enormous privacy advantages. And since privacy is a group phenomenon, not an individual one, any step forward on anyone's part is a step forward for anyone they communicate with.

5 Likes

With LineageOS, for example, it doesn't support bootloader locking, which is a huge security trade-off. It means any apps installed within LineageOS could potentially modify your OS. Is it worth it for better privacy? It would be far safer to debloat your Android device using ADB. This option also doesn't narrow down your phone choices. iodéOS doesn't support Verified Boot on every device, so that's another difficult option to recommend.

4 Likes
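Two posts above mention "debloating using ADB" as the stock-Android fallback without showing what that looks like. The script below is an added example, not something posted in this thread or published by PrivacyGuides: it takes the output of `adb shell pm list packages` on stdin plus a blocklist file and prints, rather than runs, one reversible `pm uninstall -k --user 0` command per matching package, so the list can be reviewed before anything touches the device. The package names and blocklist are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the PrivacyGuides thread): turn an ADB package
# listing into reviewable, reversible debloat commands. Nothing here talks to
# a device; it only prints the commands you would run next.

# debloat_cmds BLOCKLIST_FILE  <  output of `adb shell pm list packages`
# Reads `package:<name>` lines on stdin and prints
#   adb shell pm uninstall -k --user 0 <name>
# for each name that appears (exact match) in BLOCKLIST_FILE.
#   --user 0  removes the app for the primary user only; the system image is untouched
#   -k        keeps the app's data
# Undo for one package: adb shell cmd package install-existing --user 0 <name>
debloat_cmds() {
    blocklist="$1"
    sed -n 's/^package://p' | sort -u | while IFS= read -r pkg; do
        if grep -qxF "$pkg" "$blocklist"; then
            printf 'adb shell pm uninstall -k --user 0 %s\n' "$pkg"
        fi
    done
}

# Constructed sample in the shape of `adb shell pm list packages` output.
# com.example.oem.* are hypothetical vendor packages, not real ones.
sample_packages='package:com.android.chrome
package:com.android.phone
package:com.example.oem.weather
package:com.example.oem.analytics'

# Constructed blocklist. Core packages such as com.android.phone are deliberately
# left out: removing them breaks telephony, which is the "know what you are doing" part.
blocklist_file=$(mktemp)
printf '%s\n' com.android.chrome com.example.oem.weather com.example.oem.analytics > "$blocklist_file"

printf '%s\n' "$sample_packages" | debloat_cmds "$blocklist_file"
rm -f "$blocklist_file"
```

On a real device the pipeline is `adb shell pm list packages | debloat_cmds my-blocklist.txt > plan.sh`, read `plan.sh`, then run it. Because the commands use `--user 0` and `-k`, a mistake is recoverable with `adb shell cmd package install-existing --user 0 <name>` or, at worst, a factory reset, which is what makes this the harm-reduction option the posters above are describing.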

Five years of hardware support, a secure element, sold in stores, and supports a recommended custom OS are too narrow??? Pray tell what you think the criteria should be.

2 Likes

I think OP is arguing the phone criteria in conjunction with alt distribution criteria makes device choices too narrow. Because one of the criteria is “Must support at least one of our recommended custom operating systems”, which is currently GrapheneOS only. Their argument is other OS are viable for privacy and PG are leaving out non-Pixel Android users with their recommendation.

2 Likes

Even more so, if we want privacy to become an expectation among people who aren’t willing to buy-in to the tune of acquiring an entirely new and very specific device, along with installing and using a far less accessible OS, we are going to ensure that most people never even dip their toes into thinking about and protecting their own privacy.

1 Like

That’s because everything else is. Should we deny reality just because only 1 thing fits the criteria? The situation with phones is probably the worst out there, second only to the browser situation. A phone hardening and opsec guide would be useful but I don’t think it should be recommended.

10 Likes

What other OS is viable? Are you talking about the stock OSes? That would fall under a harm reduction guide rather than a recommendation.

1 Like