Intro

This post explores the option of using GrapheneOS as an alternative to iOS and Android. The main motivator is the ongoing privacy debate that has gained even more traction as Apple announced their child sexual abuse material (CSAM) protection system. Hear what privacy advocate Matthew Green thinks about CSAM on CNBC.

The question I want to answer in this post is: Is there a viable alternative to iOS and Android for me that values privacy?

tl;dr The disconnection from the Apple or Google ecosystems comes at a significant cost. It will only work if you are willing to adopt a digital minimalism lifestyle and relinquish access to many popular apps.

I have just bought the Google Pixel 5 and installed GrapheneOS on it. The installation is well documented, easy to execute and didn’t cause any complications. Doing this for the first time, it took me roughly 45 minutes from opening the installation website to booting into GrapheneOS 😲.

Once I land on the GrapheneOS launch screen, my first impression is that it is empty! There are almost no apps installed, except for:

  • Calculator
  • Camera
  • Clock
  • Contacts
  • Files
  • Gallery
  • Messaging
  • PDF Viewer
  • Phone
  • Settings
  • Vanadium (browser)

This is what I expect from GrapheneOS: a minimal installation, focusing on security and privacy 👍.

Next, I want to install all apps required to replace my current mobile phone and make it ready for daily use.

Apps

First, I need to figure out how to install apps on GrapheneOS. Its default installation does not ship with the Play Store (duh) or an alternative.

After having spent half a day searching the web, two options seem to be the most popular ways to install apps:

  • Install apps manually
  • Use a third-party app repository (more common)

I decide to start with manual app installation. I figure that I would learn more about GrapheneOS this way and would have full control over my apps.

So, where do I get the apps from and how can I verify the authenticity of an app I want to install on my Pixel?

The safest way would presumably be to download the APKs directly from the vendors. However, in most cases, vendors publish their apps solely via the Play Store. There are exceptions, of course, like Signal from Whispersystems.

That means I would have to resort to third-party APK mirrors, such as evozi or APKMonk. Such mirrors fetch the apps frequently from the Play Store and provide them for download.

Downloading apps from a third party is something I would not encourage anyone to do. It gives an inexperienced user a false sense of trust. I am willing to give this option a chance though. Let’s download an APK from a third party and verify its authenticity.

Besides having to take care of app authenticity myself, this option comes with another significant drawback. Who takes care of updating the app that I installed manually? Well, it’s me! Getting app updates that contain security fixes is imperative, and it is a tedious process that I would have to keep track of constantly.

Update (20. Oct 21): The amazing GrapheneOS developers were well aware of this issue and introduced a concept called “compatibility layer for Google Play Services”. This is promising as it addresses one of the core issues (ecosystems) I mentioned in this post. More information on how this concept affects using GrapheneOS can be seen in this video by Atsanik.

App Authenticity

App authenticity is verified using apksigner, a tool that is part of the Android SDK.

This means I have to install the following dependencies:

At that point, I can finally get the signature from my downloaded app using: apksigner verify myapp.apk.

This leads to the next problem. Android uses self-signed certificates to sign apps. This means that the output of apksigner, a checksum and a fingerprint, doesn’t exactly do the job on its own. I must be able to compare the fingerprint I just got from apksigner with an official source confirming that the fingerprint is correct. But what source will this be? Unfortunately, there is no app-agnostic answer to this. Again, Whispersystems is a privacy-aware organization, so they publish the fingerprint of Signal on their website. However, this is the exception.

The only option I found during my half a day of research was to compare the fingerprint with services such as Android Observatory or Exodus Privacy:

  • Android Observatory: https://androidobservatory.org/cert/45989DC9AD8728C2AA9A82FA55503E34A8879374
  • Exodus Privacy: https://reports.exodus-privacy.eu.org/en/reports/org.thoughtcrime.securesms/latest/

But then again, those two services are third parties as well. Why should I trust them? I do not want to discredit those services and I am sure they are doing a great job! But when it comes to security, I stick to the old Russian motto “Trust, but verify”… 🤓.
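The comparison step above, as an added example that is not part of the original post: a POSIX shell script that parses the digests printed by `apksigner verify --print-certs` (plain `apksigner verify` only reports pass/fail; `--print-certs` adds the certificate digests) and checks the signer's SHA-256 fingerprint against one you pinned from the vendor's own page. The function names (`normalize_fp`, `extract_sha256`, `fingerprints_match`, `verify_apk`) are my own, and the embedded sample apksigner output, including its fingerprint, is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): compare the signing-certificate
# fingerprint printed by `apksigner verify --print-certs` against a fingerprint
# obtained out-of-band (the vendor's website), so the decision is an exact
# string match rather than eyeballing 64 hex characters.

# Constructed sample of apksigner --print-certs output (fingerprint is made up),
# used at the bottom so the script demonstrates itself without the Android SDK.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Vendor
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000'
# Same constructed value, written the way vendors usually publish it.
PINNED_FP='01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'

# Normalise a fingerprint: drop colons, spaces and newlines, force lowercase, so
# "01:23:AB..." copied from a website compares equal to apksigner's "0123ab...".
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Read apksigner --print-certs output on stdin; print the SHA-256 digest of
# signer #1 (apksigner prints 64 lowercase hex characters without colons).
extract_sha256() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1
}

# Exit 0 if both fingerprints are non-empty and equal after normalisation.
fingerprints_match() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# verify_apk APK EXPECTED_FP: needs apksigner on PATH; fails if the APK's
# signature does not verify or its signer differs from EXPECTED_FP.
verify_apk() {
  out=$(apksigner verify --print-certs "$1") || { echo "signature check failed: $1" >&2; return 1; }
  actual=$(printf '%s\n' "$out" | extract_sha256)
  if fingerprints_match "$actual" "$2"; then
    echo "OK: $1 is signed by the pinned certificate"
  else
    echo "MISMATCH: $1 signer '$actual' != pinned '$2'" >&2
    return 1
  fi
}

if [ $# -eq 2 ]; then
  verify_apk "$1" "$2"        # e.g. ./verify_apk.sh myapp.apk 01:23:45:...
else
  # No APK given: show the parse and compare on the constructed sample.
  fp=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_sha256)
  fingerprints_match "$fp" "$PINNED_FP" && echo "sample: fingerprint matches pinned value"
fi
```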

Having gone down the rabbit hole of manually installing an app, I conclude that the process is neither reliable nor secure and thus not an option.

Third-party App Repository

Fdroid is a great third-party, FOSS app repository. It contains many great apps that can be installed with ease. The trust anchor of these apps lies in the option of having access to the source code and the ability to reproduce the artifacts that get installed on your mobile. That’s not exactly hassle free, simple or a generally applicable approach for the vast majority of mobile phone users. However, it’s technically sound.

Fdroid does not contain all the apps I need. I am still relying on a bunch of apps that can only be found on the Play Store.

There is an option to install apps on GrapheneOS from Play Store in an anonymous manner. This ability is provided by the Aurora Store. This third-party app can be installed conveniently via Fdroid/Aurora. Aurora Store allows you to anonymously access the Play Store and install free apps from it. The user experience is great. However, from a security perspective, I still think it is not optimal, because I am accessing apps through a third-party in order to install them on my phone. The Aurora Store is open source, therefore the trust level of this third-party can be verified. However, this is, again, a tedious, manual process that requires extensive expertise.

The third-party app repository approach is more user-friendly, but at the time of writing this post, even more tedious if verification is required.

I hope that Fdroid and Aurora Store continue to invest in what they are doing and provide better means to verify app authenticity.

Given the two options, I am not satisfied to move on and continue exploring GrapheneOS for daily use.

Update (08. Sep 21): I just stumbled across Aptoide. It might be worth having a closer look at this app repository as well. It was not in my focus when I initially wrote this post.

Update (09. Sep 21): MicroG is a pretty cool project that replaces the proprietary Google Services on your Android. However, this requires app signature spoofing, which is not allowed on GrapheneOS due to valid security concerns. MicroG is supported on LineageOS, CalyxOS, etc.

Update (20. Oct 21): It was brought to my attention that MicroG has had a security design flaw: GmsCore leaking the Google account password on login. This might be especially relevant to you in case security is one of your primary reasons to choose GrapheneOS.

Philosophical Aspect

Why am I going through this exercise? What is the motivation to spend that much time on this topic, knowing that most likely any “privacy-sufficient” solution will imply a number of compromises?

I can think of two major examples that motivated me to pursue this exercise:

  1. To get my mortgage approved, I had to send a lot of financial documents to the bank. The bank does not provide a secure file exchange platform, forcing all customers to hand in documents via email. If you’re using a common email provider, such as Gmail, you have just shared your entire financial background with Google. Another example that goes into this category is the fact that many doctors communicate the diagnosis of their patients via email. Again, your very personal health record, even if not complete, is now in the hands of your email provider. This just feels wrong.
  2. The book Mindf*ck by Christopher Wylie (ISBN 978-1-9848-5463-6) explains the consequences when institutions with misguided intent get hold of personal data. The data can be used to exploit and manipulate groups of people with surprising efficiency and surgical precision.

In my opinion, those two examples belong to different categories of privacy issues. In the first example, the data is highly personal and I assume it could be used mostly against me. In the second example, data about my behavior or thinking is gathered. In my experience, this kind of data seems to be exploited mainly for mass manipulation.

Example one is of utmost priority to me and I am under the impression that this type of risk can be addressed with moderate sacrifice. For example, by going the “extra mile” and physically appearing in a bank branch office or at a doctor’s office, or by not using Gmail, etc. The second issue, however, seems to require a by far larger sacrifice. It means disconnecting from entire ecosystems utilized by billions of people every day. Despite the personal cost I would have to pay, what do I gain? Misguided institutions that broadly gather personal data for the purpose of manipulation will still have a large data set of billions of users minus my personal records. My sacrifice would have no impact, but would reduce my freedom and productivity. Currently, I think the only efficient way to improve that type of privacy is through public policy.

Thus, it might be just fine to use iOS or Android and install anti-tracker apps. This, of course, is not a solid solution to address the privacy concerns, but a compromise nonetheless.

Summary

Ecosystem wins.

As much as I like GrapheneOS and think that it is a great project, I consider it still a challenge to switch to a “de-googled” mobile phone.

The disconnection from the Apple or Google ecosystems comes at a significant cost. It will only work if you are willing to adopt a digital minimalism lifestyle and relinquish access to many popular apps.