
Privacy Cookbook - Chapter 5.9.4 - Cellphone Security - CalyxOS or GrapheneOS?

 3 years ago
source link: https://decentralize.today/calyxos-or-grapheneos/

13 days ago by Privacy Advocate • 7 min read

More than a few people around me are waking up and realising that the simple cellphone is the weakest link when it comes to privacy.

I've reported on GrapheneOS in the past and use it as my personal daily driver.


Lately, reading privacy blogs and following other privacy-oriented individuals on Mastodon and the like, CalyxOS has been creating a buzz, so I also covered that in a previous Privacy Cookbook entry.


The question I've been getting most lately has been "can CalyxOS or GrapheneOS be the daily driver for everyone or just for privacy freaks, and if so, which would be the better option?"

Well, to be fair, both are Android operating systems, so if you like that then you are halfway there. The big question you need to answer is whether you are OK with a Pixel phone (the irony is stunning… get a Google phone, so you can ungoogle your life).

Phone Support

CalyxOS

Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a and Xiaomi Mi A2

GrapheneOS

Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL and Pixel 4a

Google Play Services and Play Store (with privacy in mind)

The next question is "do you need Google Play Services and the Google Play Store?" If so, CalyxOS is the more obvious pick, as microG can be selected during the installation, plus you can also select Aurora Store, which will give you the opportunity to download from the Google Play Store totally anonymously. It won't allow you to download paid apps in anonymity, but you can use your Google account to download via the Aurora Store; I do recommend signing back out after downloading your apps.

CalyxOS also offers other applications like Signal, F-Droid etc. to be pre-installed during the setup, which makes it easier for people who are just switching from a regular Android phone to a privacy-focused phone.

GrapheneOS, on the other hand, does not offer a microG option and Google Play Services won't work. Whilst that is a plus on the privacy side, it is a big minus if you need those services. Keep in mind, of course, that you can install the Aurora Store and download all apps just as you would with the Play Store; the difference is that you might get warnings of Play Services not being installed and some of the apps not working.

I have, however, not seen this on any of the apps I am using except ProtonMail which doesn't send notifications as it relies on the Google Cloud Service for push and Nextcloud Talk which faces the same issue. I know ProtonMail and Nextcloud Talk are both privacy-focused apps, but they do not bother to have an interval email/messaging checking option or run in the background like Signal or Telegram when you do not have Google Cloud…sad but true!

So, when it comes to Google services related apps, and you really need them, then CalyxOS could be your daily driver. You won't miss much or even realise that you don't have Google Android…apart from not getting customised ads or being tracked as much.

Let me say this again: download F-Droid and use the open-source apps it offers over Google (Aurora) and its tracker-laden apps.

Hardening and Security

Both CalyxOS and GrapheneOS only work on devices with verified boot. This means the boot-loader is locked and can’t be manipulated, for example by an evil-maid attack.

GrapheneOS will only boot when verified boot passes, meaning there has been no manipulation of the code, via ADB etc.

CalyxOS and GrapheneOS picked the Pixel models because fingerprints and Face unlock both get verified on the device via the Titan-M chip. This chip also verifies that the boot-loader has not been manipulated and checks for brute-force attacks. Another great option is that, via the Android API, private keys and passwords can be encrypted directly on the Titan-M chip.

GrapheneOS goes the extra mile: it hardens the kernel and also has its own malloc implementation.

Unlike CalyxOS, GrapheneOS also comes with a hardened browser called Vanadium. It is Chromium-based but is heavily hardened and has everything Google removed from the browser itself. It is similar to Bromite, yet one level up and optimised for GrapheneOS, and it also includes the WebView component.

GrapheneOS comes with its own PDF viewer and an onboard encrypted backup solution called SeedVault (which was originally part of CalyxOS), so you have this option on both operating systems.

Pixel phones provide baseband isolation; in other words, the mobile and Wi-Fi band is separated from the actual OS, which makes an attack far less likely:

“Activating airplane mode will fully disable the cellular radio transmit and receive capabilities, which will prevent your phone from being reached from the cellular network and stop your carrier (and anyone impersonating them to you) from tracking the device via the cellular radio. The baseband implements other functionality such as Wi-Fi and GPS functionality, but each of these components is separately sandboxed on the baseband and independent of each other. Enabling airplane mode disables the cellular radio, but Wi-Fi can be re-enabled and used without activating the cellular radio again. This allows using the device as a Wi-Fi only device.”

Metadata and Telemetry

GrapheneOS has a slight advantage over CalyxOS, yet neither is perfect.

CalyxOS comes pre-configured with Google's DNS servers, while GrapheneOS comes pre-configured with Cloudflare as a fallback; both solutions are horrible ideas when it comes to privacy. The good news is that on Android you can always change your DNS in Settings, making your entire experience encrypted and using a trusted DNS server.


Captive-Portal-Check

After the first boot, the captive portal check kicks in, and it uses Google to do so:

connectivitycheck.gstatic.com

GrapheneOS addresses this, although sadly not 'out of the box':

“We have our own connectivitycheck.grapheneos.org server as an alternative to using the standard URLs. This can currently be enabled by users interested in using it via the developer tools. Providing a toggle in the Settings app for using connectivitycheck.grapheneos.org as an alternative is planned. The option to blend into the crowd with the standard URLs is important and must remain supported for people who need to be able to blend in rather than getting the nice feeling that comes from using GrapheneOS servers.”

The Vanadium Browser is hardened but still checks clientservices.googleapis.com and accounts.google.com directly after the first start. Not a fan of this, but the browser itself is excellent. I have all Google APIs and all Google-related websites blocked DNS-wide, so it really doesn’t need to affect you.
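The verified boot, private DNS and captive portal points above can be checked on a device over adb. The following shell script is an added example, not part of the original article: it classifies those values from a key=value dump, using standard Android property and settings key names. The sample dump and the resolver name dns.example.net are constructed, and treating an unset portal URL as Google's follows the article's description.

```shell
#!/bin/sh
# Added example, not from the article. On a device the values come from, e.g.:
#   adb shell getprop ro.boot.verifiedbootstate
#   adb shell settings get global private_dns_mode
# Constructed sample dump (key=value), not taken from a real phone.
SAMPLE='ro.boot.verifiedbootstate=yellow
ro.boot.flash.locked=1
private_dns_mode=hostname
private_dns_specifier=dns.example.net
captive_portal_http_url=null'

# val KEY DUMP: print the value stored for KEY (nothing if the key is absent).
val() { printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'; }

# Verified boot: green = OEM key, yellow = user-installed key (what a re-locked
# aftermarket OS reports), orange = unlocked boot-loader, red = verification failed.
boot_status() {
  state=$(val ro.boot.verifiedbootstate "$1"); locked=$(val ro.boot.flash.locked "$1")
  case "$state:$locked" in
    green:1|yellow:1) echo verified ;;
    orange:*|*:0)     echo unlocked ;;
    *)                echo unverified ;;
  esac
}

# Private DNS: "hostname" plus a specifier pins DNS-over-TLS to that resolver;
# "opportunistic" (also the unset default, read back as null) uses the network's.
dns_status() {
  mode=$(val private_dns_mode "$1"); host=$(val private_dns_specifier "$1")
  case "$mode" in
    hostname) if [ -n "$host" ] && [ "$host" != null ]; then echo "strict:$host"; else echo misconfigured; fi ;;
    off)      echo plaintext ;;
    *)        echo opportunistic ;;
  esac
}

# Captive portal: an unset (null) URL means the built-in default endpoint is used.
portal_status() {
  url=$(val captive_portal_http_url "$1")
  host=$(printf '%s' "$url" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##')
  case "$host" in
    ""|null|*.gstatic.com|*.google.com) echo google-default ;;
    connectivitycheck.grapheneos.org)    echo grapheneos ;;
    *)                                   echo "custom:$host" ;;
  esac
}

audit() { echo "boot=$(boot_status "$1") dns=$(dns_status "$1") portal=$(portal_status "$1")"; }
audit "$SAMPLE"
```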

Worth mentioning at this point is that CalyxOS comes with Android 10, while GrapheneOS is already on Android 11.

So, as a recap, first things first, regardless of whether you use CalyxOS or GrapheneOS or any other Android or even iOS-based operating system, change your DNS. I love NextDNS, which filters all trackers and ads and just gives you a great experience.

However, DNS is the first thing you should change on your device. The second is a decent firewall and I recommend NetGuard for this. It won't allow you to use a separate VPN, and thanks to its lockdown feature it really closes off the internet to apps that are not supposed to have internet access.

If you would like to use a VPN to make sure your ISP does not see your internet traffic, I recommend iVPN, ProtonVPN or Mullvad. All the official apps will respect your private DNS setup, so even if you use a VPN to hide traffic from your ISP, you'll still have the encryption and possibly the ad and tracking filters from your trusted DNS provider.

Overall, it comes back to what you need or want. CalyxOS has a more standard Android feeling as even Google Services are working, thanks to MicroG, yet still respects privacy.

GrapheneOS, however, gets security patches faster than CalyxOS, which updates just once a month, and GrapheneOS really has the advantage in hardening.

Coming back to the question "could either of the two be a great daily driver?" It sure is for me, and if you are really concerned about privacy and want a phone that doesn't just claim to care about your privacy, then either of the two operating systems is a great pick.
