About a week ago, I finally made the decision to flash GrapheneOS on my Pixel 6. I've been thinking about moving to GrapheneOS for months but was afraid to do so because of missing functionalities or app incompatibility that would result in my Pixel 6 becoming unusable. Even though I could just re-flash stock Android should I encounter those issues, I didn't want to bother.
However, last week, I decided to set aside my fears and made the move to GrapheneOS. Whatever fears or concerns I had about missing functionalities or app incompatibilities were completely unfounded. Flashing of GrapheneOS was really easy, thanks to the instructions they provided on their website. The sandboxed Google Play environment still allowed me to download the key apps I needed, whether it be the mobile game that I'm currently playing or a smart home app (e.g. Ring) or a banking app (e.g. Chase). They all worked as expected, though my banking apps required me to turn on Exploit Protection Compatibility Mode, something that was explained to me in one of the Graphene Discussion Boards. Android Auto was another app that I needed for driving, and thanks to the latest update that was made by the GrapheneOS makers, I had no issues in setting up Android Auto to work with my car. That was a huge relief for me!
That being said, there is one thing that is not working, but it's not that important of a feature for me, and that is NFC. Prior to making the move, I did not use NFC that much for payments, although my car app did have a Remote Key function that relied on NFC. As far as I can tell, it looks like NFC is not usable in GrapheneOS. There's probably a good security and/or privacy reason for this, but I do wish something could be implemented for it, as it can be quite convenient. Again, it's not that important of a feature for me to have right now...more of a "nice to have" feature...but I wonder if the GrapheneOS developers are looking into this.
Anyways, it's only been a week since I made the move. I'm sure more use cases will come up the more I use GrapheneOS, and instead of fear, I find myself excited at testing out more apps and functionalities on the OS. Traveling is one scenario I have not yet tried, but that's because I'm not leaving town to go anywhere. That's one set of scenarios that I look forward to trying out.
If anyone has any other advices or information they have about their experience with GrapheneOS, I would welcome it. And for those who are still undecided about moving to GrapheneOS, I hope this post relieves some of your anxieties or worries about making the transition.
The GrapheneOS team has written extensively on why they advise against the use of Firefox in their Usage Guide.
Everything the Gos team does it's from a Security perspective and nothing more. There is no issue with FF, they are simply stating that of you have extreme security concerns (threat model of avoiding NK nation state actors for example) you should use the browser they spent all this effort hardening and to work specifically with GOS
Rather that if you ever accidently clicked on anything you shouldn't, you would probably be better off if you used vanadium and not Firefox.
I certainly don't disagree, but I do believe the issues of FF are exaggerated. It's a fav amongst the tech community (which includes infosec nerds) for a reason still, and is the baseline for the Tor project and even Mullvads wonderful browser, not to mention LibreWolf.
Don't get me wrong I do use Firefox myself , just not on android. The reason for using FF in onion project is that FF allows proxy needed for Tor. The aim is only privacy , security as a by product. As such they need to take a lot of measures against fingerprinting and remove functionality that others have. So all the projects have their own justification. But using tor browser as intended for daily use would be a real pain.
Agreed on everything. There is a huge cross and or line between privacy and security, sometimes they overlap, sometimes they conflict.
...and Chrome based browsers do nothing for that level of threat actors. Its dev hates Firefox due to a personal grudge against Tor/Mozilla devs. https://lists.torproject.org/pipermail/tor-dev/2019-August/013995.html
You know Tor Browser is based on Firefox, and they specifically recommend against Chrome/Chronium? Use TailsOS and avoid foolishly recommending their stuff for "security" against state actors. They lie about buying $1M Cellebrite kits on YouTube.
https://i.imgur.com/woNxPhx.jpg
You beat me to it! I was gonna mention the same thing. However, I don't think it may be that big of a deal if you use Firefox or some flavor of it. The one term I often hear about GrapheneOS and other AOSPs like it is "threat model", and depending on that model, you may not necessarily be impacted if you decide to use something other than the stock browser.
That's not to say the GrapheneOS developers are wrong in their Usage Guide. I'm sure they looked into this extensively, hence the usage guide.
I personally use both Mull and Vanadium depending on what I'm doing.
I use Mull with NoScript to just browse. If I need JS or need to log in (very very rare), I use Vanadium. This is the compromise I make.
I just wrote a longer comment but it seemed to disappear. I did not find that writeup very easy to understand nor convincing because the underlying message is that Firefox is bullshit?
It was an ongoing debate on reddit that came up a couple times. I personally use both Mull and Vanadium. I just use noScript with Mull more for usability than anything else.
I'm not technically knowledgable enough to weigh in on the validity of the argument, I just posted it for those who were wondering why.
Here is a reddit discussion via libreddit where you can read a more at length discussion on it.
And another one.
I don't really feel like they explained much in terms of why just a lot of detail around what they believe. The tldr seems to be that Firefox isn't truly secure but Google's work is.
All the talk about Tor also seemed to go back and forth between "this is the best and that's why we use that approach" and "it's not very good but will be eventually".
Nothing they wrote was clear to me honestly. I do find it hard to believe that Firefox is inherently insecure and that the extensions many rely on for privacy reasons are all bullshit security theatre...
Sandboxing is crap on Firefox (specially on android) . Google is really fucking good at security since they are well a huge multinational behemot. They know security. Security =/ privacy. When you are using android you are using Chrome webview no matter what browser you are using. So just piling on stuff instead of replacing things won't be a good security practice.
Also the Google parts are optional , you don't need Googles stuff to use chromium. Just like vanadium does.
Regarding webviews -- am I right in thinking that webviews are simply a frame within another app that acts as a web browser? I've been under the impression that since I disabled chrome on my android phone and that the upper right menu offers to open in FF, those are using FF. I guess I'm wrong?
Well you say the Google parts of chromium are optional, but that's more just tracking and sign in stuff. Google is the major player in the chromium codebase, no? They have some fantastic engineers but it still sort of has the stink of Google on it, if nothing else due to the web standards supported which is steered by Google business decisions. That's mainly why I don't want to use it. I want other browsers to exist. That and mobile ff extensions are fantastic from a user perspective
I'm no expert but webview is used anytime remote content is loaded I believe. Certainly you can open links in FF but webview is always there , and not so obvious things always load that way. Webview is baked inte the OS itself. No matter how much you degoogle. Bromite had another webview based on chrome but that's all the alternative that exist as far as I know.
Chromium is still Foss. Google might have a stink and definitely tries to influence on the Foss part. But when it comes to vanadium I have no question about that everything is under a magnifying glass.
As I wrote elsewhere , all projects have their place and I do use FF, just not on android. I would be really happy if FF on mobile would be able to compete but I don't see that happening until we have full Linux phones (that actually does everything android does)
https://www.androidauthority.com/what-is-android-system-webview-3267814/
I appreciate your response. However, upon reading that article, it seems the truth is somewhere between our two understandings. WebView is no longer baked into the OS:
What I said about an app displaying content using Firefox is also true in some cases. You can see in this screenshot of the article that Firefox is being used in the manner I described (and the selected text describes):
I have often noticed that "powered by Firefox" text, so I guess that's where my assumption came from.
I don't doubt at all that certain apps, specifically Google built ones, still require/use the google WebView, but that's not every app. Boost for Lemmy for example, in my screenshot, uses the custom tab feature which can use Firefox. I am tempted to disable the Google WebView app just to see what happens... I am guessing Google-built apps like Gmail will crash. I wish "custom tabs" were adapted in a manner that Firefox could always be used, but I doubt Google would make that a thing.
At least they do have the custom tab feature, something apple would never do, maybe not even if the friggin EU forced them to. They seem to be weaseling out of some other EU regs, anyhow.
But back to GrapheneOS. Given that Google apps are sandboxed and almost discouraged in that OS, I'm still not sure I understand the specific guidance against Firefox.
Edit: yeah disabling the WebView app causes Gmail to crash horribly and even K9 mail, made by Mozilla, responds the same way. :'(
So.. Firefox is a scam and Google's browser isn't? I didn't really understand that writeup
Tor Browser is based on Firefox/Gecko, and they advise against Chrome/Chromium because it is horrible. That should give you a clue about how garbage GrapheneOS and anything those people advise really is.
The reason why Firefox is not recommended by GrapheneOS is because its (sole) "lead developer" has a personal grudge against Mozilla developers. This personal sentiment did not exist before August 2019 for a mysterious reason. ╮(︶▽︶)╭ https://lists.torproject.org/pipermail/tor-dev/2019-August/013995.html
If you have 1 problem (chrome) and you add another problem (Firefox ) how many problems do you have?
And I can't get any reference to anyone calling Firefox a scam?