GrapheneOS is amazing.
Published on: 2020-09-29
I am not a fan of buying new phones every year. I have been using a HTC 10 since around 2016, and it has served me well so far thanks to custom roms that prolonged its life. The main problem with old phones is security related though, as most manufacturers simply stop patching their firmware at some point (HTC released the last firmware update for this phone in 2018 [version 2.41.401.41]).
I always kind of ignored the issue, since I convinced myself that my threat model does not involve state actors or drive by exploitation, but rather tracking and fingerprinting. I ran the phone on LineageOS and MicroG in order to get the Google spyware off it - but that has its own problems, namely:
- LineageOS uses userdebug builds, which means it also by default enables a lot of debugging attack surface.
- It exposes the root user via adb, which is exactly as scary as it sounds.
- It requires an unlocked bootloader in order to not brick your phone, which makes threat persistance easier.
- It does not offer any sort of rollback protection and as such it is possible to exploit vulnerabilities that have been dealt with by a certain patch level.
Note that this is not an attack on the guys at LineageOS - but I started wondering what a more ideal solution would look like. Thats when somebody on reddit mentioned GrapheneOS. I wont quote their security model here, but in short they take it very seriously, go check it out. GraphaneOS runs only on Pixel devices, which is the reason I got one a few days ago. I only use fdroid as an appstore, and everything I install must be open source. I'd recommend you do the same, it's worth it. Do not forget to re-lock your bootloader after install!