We've become aware of another company selling devices with GrapheneOS while spreading harmful misinformation about it to promote insecure products. We're making our usual attempt at resolving things privately. However, we need to quickly address what has been claimed regardless.
Downloading and installing an app followed by entering sensitive data into it or granting it powerful permissions isn't a vulnerability/exploit. Accessibility service access can't be directly requested but rather has to be granted via Settings app in the accessibility section.
Accessibility service access is extremely powerful and essentially gives the same control available to the user to the app. This is explained with clear warnings. It's also not possible to enable it for an app not installed from a modern app store without an extra hidden menu.
Apps not installed through a modern app store have extremely dangerous settings including accessibility service access restricted. Users have to navigate to a semi-hidden menu to enable this. UI doesn't explain how to do it. It's a higher barrier than simply phishing info, etc.
Accessibility services are required by many users and the feature can't simply be removed. It's possible to disable this and other dangerous features for end users via a device management app. This is the right approach if you have a userbase you want to protect from themselves.
If you purchase a device with GrapheneOS, we strongly recommend booting it into recovery and wiping data before using it. Next, verify it's running genuine GrapheneOS:
https://grapheneos.org/install/web#verifying-installation
Due to complete verified boot, wiping provides the same assurance as a fresh install.
Our web installer is very easy to use. If you're able to use a web browser and follow basic instructions, you have the skill set required to install it:
https://grapheneos.org/install/web
However, if you do buy a device with GrapheneOS, you can verify it's the real deal without malware.
Simply going to a mainstream local business and purchasing a device to install GrapheneOS is the most secure way to obtain a device.
Consider the risk of buying a device from a company marketing to cryptocurrency users, and at least follow our wiping and verification advice.
Purchasing a device with malware installed is something we defend against. We provide a way to block this through verified boot and the verification process recommended on the site. Can't prevent something like replacing battery with one including a standalone tracking device...