Android Recommendations Should Reflect Real Life, Not Just Worst-Case Threat Models

I think a phone hardening / harm reduction guide should be one of the very very few places where a guide is kind of needed.

One of the main things that frustrates people is that when they get into privacy, they view it as an all or nothing game. And that’s where people quit. And I think smart phones are one of those places that leads them to giving up.

Then they start obsessing over it. You have to establish your own threat models, yada yada, but a lot of people start going down that rabbit hole, get overwhelmed, and just completely give up altogether, instead of just making better choices without having to necessarily be thrown into the deep end head first.

There is nothing wrong with having one lonely single definitive best recommendation. But for a huge portion of the population, that recommendation is extremely impractical. At least it is in its current form. That may change someday.

Take me for example. I would love nothing more than to deGoogle. But because of work, I can’t. I do use Workspace, which has a significantly better privacy policy than the consumer version, that I am the administrator over, but it’s still not ideal. It is, however, what I have to work with. I use Proton for personal stuff, as it is not good at all for file on demand work. Plus, no Linux.

As long as people are aware of the absolute best choice, that’s fine. But satan will be throwing snowballs before I ever use GrapheneOS. That is where I draw the line. It requires giving up far too much of what I need, for a bad threat model that I personally don’t have. Again, this is just me personally.

In that case, I’d make the choice of an iPhone in lockdown mode. Going with harm reduction. I’m certainly not going to use something like a Samsung that just throws their own telemetry and bloat all over it, if I wanted Android without a custom ROM, I’d probably just go with a stock Pixel.

The point is there is a correct answer for maximum privacy, and that answer is absolutely Graphene, but phone suggestions need to be practical. As long as the risks are made abundantly clear, I think that is fine.

Usually, when it comes to making choices, we have a good handful of things to choose from. This is one area where the choices are virtually nonexistent. And a lot of people don’t like having to go with some outdated device, to get a benefit they might not even necessarily need.

8 Likes

I also see the discrepancy you bring up. The smartphone OS criteria is a lot more security-focused compared to the desktop/laptop OS criteria. Even though there are security-focused criteria for desktop/laptop OSes (like “Receives regular software and kernel updates” and “Avoids X11, as its last major release was more than a decade ago”), it is outright admitted in the Linux overview article that there are security downsides. This implies that we give leeway to desktop/laptop OSes (e.g., in order to have people “[a]void telemetry that often comes with proprietary operating systems”[1]) yet no leeway for smartphone OSes.

However, my gripe with this post is that discrepancies are not a bad thing. I would not, for example, want an open source requirement for file sharing and sync on the basis that it should match with the open source requirement for pastebins. The open source requirements for these tools were chosen to be included in the criteria not for consistency, but because it was concluded to be a good criteria by those who were discussing it. Consequently, the point of this post should not be to resolve any discrepancy, but instead to recommend a change in the criteria and have it stand on its own. You should therefore not make any analogies to the desktop/laptop OS recommendations. That would only clog up discussion for you. The discussion should be technical.

Your goal should therefore be to explain how decreasing smartphone security in the criteria does not result in significantly decreasing smartphone privacy in the recommendations. Or how security downgrades to tools like debloaters or other custom OSes are allowed for XYZ threat models, that we should account for those XYZ threat models on the website, and that those XYZ threat models are not contradictory.

I personally disagree that we should expand the smartphone recommendations list to non-GrapheneOS. At the very least, however, I think it would be nice to centralize or at least synthesize the arguments of each given side to this thread, or some wiki post. That way we aren’t regurgitating the same thing over and over again across the internet. This topic has been discussed throughout the privacy sphere time and time again, so we can comb through some explicit and implicit arguments from these threads:

I’m sure there are plenty of other threads, I just can’t find them all.

I also agree with others…

… that this is probably best as a harm reduction guide rather than an outright recommendation. But this doesn’t mean I am not open to there being discussion on the matter.


There’s no need to generate tribalistic feuds. It fuels the fire.

Not really. Most of us would rather pick Linux even though it’s not very secure over macOS, which is so much better in terms of security. The thing with GrapheneOS is that it’s private and secure.

This is not the point of the website at all whatsoever. Even in OP’s discrepancy case, the point isn’t to recommend comfortable smartphones but rather private alternatives for moderate threat models that do not require extreme security.


  1. https://www.privacyguides.org/en/os/linux-overview/#security-notes:~:text=Avoid%20telemetry%20that%20often%20comes%20with%20proprietary%20operating%20systems

4 Likes

I think I would have agreed with this more two years ago before the development of AI surveillance tools that are available to any government (and presumably non governments) that are able to scrape all data available from smartphones and smartphone apps (which is a terrifying amount of data) with the ease of an internet search. These tools are in the hands of governments that are actively (right now, this is already happening) using them to carry out mass terror and murder against their own populations.

I think you are also missing a key point here in that cell phones are a much more dangerous privacy invasion than computers. You take a computer, then you add a microphone that is essentially always on, you add location that is essentially always on, and both of these can often be accessed, on many mobile OSes, whether you think you have them toggled off or not. Then people carry the phone around with them 24/7. This is arguably the most dangerous surveillance tool that has ever existed. I don’t study the other OSes, because I’ve looked at them before and most of them to my knowledge don’t do much to prevent these things from happening. The security risk IS from Google, not some high-level nation state or Pegasus. Google is the one remotely activating microphones and then handing over all user data and location data to the first person who calls from a government and asks for it.

I see the word “need” in your list of rationale six times. I think it’s safe to say that most of the times you use “need”, the word “want” should be substituted. The fact that we have allowed the general population to believe that their desires for convenience are worth sacrificing all of our privacy and civil rights for is the exact reason we are in this mess today. It’s gotta stop.

I understand your desire to present info in the spirit of “harm reduction”. I think anything that stops short of kicking big tech entirely out of your OS and ensuring control of your device is likely not harm reduction. I think any solution that stops short of those goals is offering a false sense of security and lulling people back into complacency.

If there was a computer OS that offered the immense security of GrapheneOS alongside its ease of use, I’m sure this website would be recommending that with equal force…but that OS does not exist. GrapheneOS is nearly as easy to use and nearly as fully-functional (arguably more fully functional) as stock Android. Qubes…is not.

You mention working to protect activists, lawyers, politicians, human rights defenders and antizionists from targeted attacks. That is admirable. I think you are really missing the bigger picture though. In America, immigrants (and anyone who looks like they could be an immigrant) (and also lots of people who just care about immigrants not getting murdered in the streets) are ALREADY being kidnapped en masse. These are literal targeted attacks of the worst nature that are possible in part because people are carrying around cell phones that are not properly private AND secure. When ICE is done with immigrants and people who look like immigrants (this is probably at least 100 million people) they are going to move on to queer and trans people. This is not hyperbole, fantasy, or paranoia, this is literally happening right now, and they have been telling us for years this was what they wanted to do, and now they have to do it to remain in power because it’s what their rabid, bigoted voters want.

I think a lot of people on this forum aren’t acknowledging the actual magnitude of risk that exists in the world today (at least in America and other equally authoritarian and genocidal countries). This risk is real and it is already here for hundreds of millions of people. We need to stop telling people that switching from Google to Proton or that debloating their Android device (lol) is going to save them from being spied on and potentially persecuted in really severe ways. It’s not. What is needed is a complete overhaul of the way we interact with technology as a whole society as well as an evaluation of “needs” vs. desires that got us here in the first place.

1 Like

This post seems to just disregard criteria and would prefer PG just make recommendations based on vibes

5 Likes

The disconnect I have with your argument is every mobile OS that is not GrapheneOS (with the exception of maybe the still very experimental linux OSs out there) is a significant step down from a privacy perspective. You’re framing this like the only advantage of GrapheneOS is security, but that is simply not true. GrapheneOS is the only android based mobile OS that has actually done its due diligence to disable or replace essentially all connections to Google. There is no getting around that.

There is much more room on the desktop side of things for many different recommendations for different threat models because it’s incredibly rare for linux operating systems to spy on you. You’re not giving up anything major from a privacy perspective by using fedora workstation instead of secureblue for example. You only lose security. If you switch from GrapheneOS to LineageOS or IodeOS or whatever, you lose a lot of both privacy and security, regardless of your threat model.

7 Likes

You have literally described Fairphone

4 Likes

I wish there was a minimally secure and private alternative based on Android. When other non-Pixel devices compatible with GrapheneOS come out, I’ll be the first to buy them. Even though my personal strategy heavily emphasizes progressively moving away from using American technology, I can’t overlook all the disadvantages that other manufacturers and OSes have.

1 Like

Many of the less expensive Android phones don’t receive security updates for long enough, and I’ve never felt comfortable recommending such devices to friends, even if they don’t seem to have an extreme threat model. The Pixel 8 (supported until October 2030) and 8a (supported until May 2031) can be found used or refurbished for around $200 USD; this is great value and I’ve recommended used Pixels to friends multiple times.

Even if they’re not going to install Graphene, Pixels offer great advantages over new “budget” Android phones, many of which come with excessive bloatware. If they ever decide to install a custom ROM (hopefully one that supports verified boot) it’s relatively easy to do on a Pixel.

12 Likes

I do not feel this thread is valuing the importance of security in achieving privacy highly enough

There is no privacy without security. Your alternate android OS is functionally useless if an arbitrary bad actor can penetrate it, regardless of its privacy features. There are exceedingly few mobile phones on the market with adequate hardware security, and even fewer alternate OSs that meet bare minimum security standards. Hence, the current GOS status quo

5 Likes

Nothingburger takes.

“please trust us bro” takes from the GrapheneOS team mean nothing as it’s been a year and they still haven’t revealed who that OEM is, until they do it’s not worth mentioning

having hardware requirements does not mean a complete abandonment of security principles

Sony Xperia, Sharp Aquos, Leica Leitz, etc.
and please do tell us what a “non-secure” device is.

1 Like

1 day old account making antagonistic statements across forum topics.

During which they have been clear it will come in late 2026, and now 2027, with an announcement soon this year. Do you have a problem with clear communication?

Yes, having hardware requirements is not complete abandonment of security principles, it is in fact the complete opposite. It is having security principles.

Which of them meet the other requirements?

Something that does not meet the minimum requirements :slight_smile:


Every fortnight someone makes this topic as if Privacy Guides or others are getting kickbacks from someone for selling GrapheneOS.

Are there similar topics railing against the advice to only use locks made of solid steel and not lego plastics that are easily assembled and modified and colorful and other wonderful things that people totally cannot live without for securing a closed door?

This fallacy is extremely common on PG. Saying “there’s no privacy without security” flattens the fact that security exists in layers, not absolutes. By that logic, if you don’t have military-grade defenses, you might as well be using a public forum for intimate comms. Security is largely an individual condition, while privacy is largely a collective reality. Even having the best personal security doesn’t protect you from living in a society where mass surveillance, data extraction, and privacy erosion affect everyone. Let me restate the obvious: Not everyone is going to get a pixel, and privacy recommendations should take that into account.

Conflating security and privacy ignores how systemic privacy loss harms even the most “secure” individuals, and completely misses how for many people degoogling any device they can is a huge step forward in terms of privacy. It may come with a few security tradeoffs that largely mean it will be more vulnerable to mercenary spyware, cellebrite, things like that. But that is placing the bar too high (for non-vulnerable populations). You could arbitrarily raise it one point, which would mean you should toss anything in the bin that isn’t an iphone 17, because not even the latest pixel matches it for memory tagging, but that would be absurd.

4 Likes

The PG criteria for mobile devices is not about a lock that anyone with a bumping key can open. The criteria are about preventing military-grade attacks. GrapheneOS rails against the security of e/OS, iodéOS, but I have yet to see them data-dump the contents of someone’s phone. Should be easy to do if the locks on their rivals are so trivial.

It’s about preventing bargain bin stock malware and exploits as well as targeted attacks. Military-grade isn’t a type of attack really; it doesn’t mean anything.

They make an OS they don’t make exploits (maybe they do sometimes I’m not sure). There’s plenty of published CVEs and malware for Android if you want to look into it, mainly malware targeting regular people in mass campaigns.

@brinerustle you keep missing the point. Why would privacy guides recommend a device that harms a user’s privacy?

It’s one thing to say:
“if you’re stuck with X, do Y to be more private”

It’s a completely different thing to say:
“if you’re looking for a new device, we recommend [insert non-grapheneos phone here]” (which btw, is the purpose of ‘Hardware → Mobile Phones’ (getting a new device))

The reality is that all other options are currently terrible for privacy and should not be recommended by any privacy-conscious person. Being annoyed at the lack of options doesn’t change this basic reality.

5 Likes

No, the criteria is about easy to obtain exploits that are used everyday on unsuspecting people with no backups, no opsec, no idea what security even is, to ensure they don’t have to walk around on eggshells to have some semblance of safety.

If you think it is military grade, just go on telegram forums that sell these exploit chains as SaaS for stalkers, harassers, etc. This is all public, and happening regardless of your awareness of its existence.

Maybe it is because they are people with principles who are not just copying scripts from the internet and exploiting people for fun, and actually believe in safety for all. Them not being a malware vendor or a pen tester for free for insecure shovelware is not a point against them.

You again assume your lack of awareness implies lack of existence. These data exploits exist, are widely available on markets, and are deployed every day. It is a very weird posture to adopt where “I don’t see it so it doesn’t exist” is a valid argument.

Was Signal inexploitable before they somehow got their hands on a cellebrite device? Did prism not exist before snowden revealed it?

This is the outcome of every similar thread: Lack of awareness, lack of technical arguments in support of other OS or against GrapheneOS, and then eventual descent into FUD and “why don’t they spend their limited time pentesting all software I like to prove to me that it is insecure”.

I am not sure if this is a productive use of forum, maybe the moderators can have a mega thread to contain all these instances.

1 Like

Yes, it does seem like some astroturfing is happening with all these new accounts basically saying

“please compromise on your principles so that the Google Pixel isn’t the only recommended hardware”

Why even go down this ‘lesser of two evils’ road if GOS exists and is secure and private?

If you think it’s scaring away the normies, then let’s create a harm reduction guide for their existing devices as countless people have already stated

Also go away if you’re just going to be condescending

Because not everyone can have a Pixel device (too expensive, not available in the country, lacks features that are needed).

If you think it’s scaring away the normies, then let’s create a harm reduction guide for their existing devices as countless people have already stated

It is not only about guides. It is about the wiki, how people recommend what in the forum, KB and the official recommendations.
But such things would be a good start.

3 Likes

I will confine my interpretation of your comment within the scope of this thread.

Are you suggesting,

  1. Using adb to flash other Custom Roms is easy enough for
  2. Other custom roms in general provide good enough usability, stability and support, to meet the expectations and match the experience of
  3. Using adb plus a third party tool, also having to preview / customize the commands / scripts, list of changes for debloating is easy and friction-free enough for
  4. Alternative commercially available OS (like /e/OS as you mentioned) provide tangible privacy advantage against the still privileged GMS for
  5. Other services, such as email, messaging, storage, etc. If those services claim themselves to be private and secure, however there is no E2EE and had plenty of data breaches (so they are not selling your data, they are good guys), but they are free to use and enable plenty nice features such as automations, integrations, etc. Are you going to recommend those services to

your suggested group of people? Are you serious?