FBXL Social

Choose your phone!

Your options are:
- company that seeks rent on every transaction that happens through the phone
- company that tracks your location, habits and usage to build detailed profiles on you to inform advertising
- custom ROMs that can’t run your banking app

@stevenimpson GrapheneOS runs my banking apps fine. 😂

@josh @stevenimpson sure, but knowing it exists, installing it, and then maintaining it are all things well outside the skill of most users.

You're not wrong, it's just a niche option for edge case users.

@trib @josh @stevenimpson
Also, GrapheneOS works exclusively on devices produced by a company the whole business model of which is "tracking your location, habits and usage to build detailed profiles on you", so even if you are willing to invest time into not partaking in all that personally, you are still supporting it with your money.

@m0xee @trib @josh @stevenimpson #DivestOS is fairly good from a privacy/security perspective I have heard. And it runs on more devices.

@Hyolobrika
Wow, it even supports the Android phone I have!
Unfortunately only a 12.1-based ROM. Right now I have an AOSP 12.1-based ArrowOS on it, without PlayServices and most Google stuff anyway. And as it also has Sailfish and Ubuntu Touch, I won't be able to use it with a locked bootloader, not that I'm interested in that aspect of security anyway.
So for me it's probably not worth it, but looks interesting nonetheless!

@stevenimpson @trib @josh

@trib @stevenimpson I don't think it's hard to install or hard to run updates so I can't agree with that.

Edit: it literally installs via Google Chrome (via WebUSB) and tells you everything to do on the device too.

Updates are handled like normal.

Edit2: @GrapheneOS is the fediverse account for the project.

@josh @trib @stevenimpson @GrapheneOS

"You need a USB cable for attaching the device to a laptop or desktop."

Who even has a "laptop" or a "desktop" nowadays? We all just use phones. Why do you need a USB cable? You want me to find two cans and some string too? My phone connects with WiFi or Bluetooth and charges wirelessly, I don't use cables. It's not the 1990s anymore. Why can't they bother to get that install working directly from the phone like an app store?

@geoffl @josh @trib @stevenimpson

Installing GrapheneOS doesn't require a laptop or desktop. It can be installed from any Android device including a phone or tablet to one of the supported devices. You need two devices because the security model requires having both control over the OS to enable OEM unlocking and then physical access to the device for unlocking, flashing and locking it via USB with on-device confirmation for both unlocking and locking. OEM unlocking is disabled in the new OS.

@trib @josh @stevenimpson

It's easy to install GrapheneOS and only requires pushing a few buttons in a Chromium-based web browser on Windows, macOS, ChromeOS, other desktop Linux variants, Android, etc. to install onto one of the supported devices.

Nearly everyone can do this without much trouble. People can buy devices with GrapheneOS preinstalled for them though. There are a bunch of companies selling them including some well known ones.

There's no extra maintenance and it's easy to use.

@trib @josh @stevenimpson

You can look at the install process here:

https://grapheneos.org/install/web

For users on Windows, the hardest part used to be needing to install a driver to connect to the device but that's not required anymore on up-to-date Windows 10 or Windows 11.

You just push some buttons on the phone and in the web browser.

There are rare cases of apps which disallow using a non-Google-certified OS but we're in contact with the EU Commission about this and hope to get it solved.

@GrapheneOS @josh @trib @stevenimpson I have one device, a smartphone.

@GrapheneOS @josh @trib @stevenimpson The prerequisite of a laptop or desktop is literally stated on your website. It's apparently so easy you don't know how to tell people how to do it.

@geoffl @josh @trib @stevenimpson

Android is listed as a supported OS for the web installer:

https://grapheneos.org/install/web#prerequisites

You can install it from another tablet or phone. It needs to be an Android tablet or phone rather than iOS because Safari doesn't support WebUSB and they don't allow other browsers to support WebUSB either. We'd like to support using iOS but it isn't up to us.

@geoffl @josh @trib @stevenimpson

This was written as part of trying to deal with USB connectivity issues with laptops and desktops which are rarely an issue with phones where people are using a USB-C to USB-C cable. Phones have much more reliable USB support unless the port or cable is physically damaged. USB-C to USB-A cables are often problematic. We had to write all of this because of general USB issues. The current gen web installer is much more tolerant of poor USB connections though.

@geoffl @josh @trib @stevenimpson

The web installer does work from another Android device including a tablet or phone and it's listed as supported below. We can change the wording there.

The devices require unlocking, installing another OS and locking again via a USB connection. It's not possible to change the OS with an app on the phone due to the security model. An app can't trigger unlocking, overwrite firmware/OS images, flash a verified boot key to the secure element or trigger locking.

@geoffl @josh @trib @stevenimpson

The wording for the paragraph covering needing a reliable USB connection has been improved. We removed the mention of a laptop or desktop for both the web installer and CLI install guide. It explicitly mentions that it can be done from another Android phone or tablet for the web installer. It should probably be split out into a short paragraph above explaining that a device able to run the web installer (or the CLI tools for the CLI install guide) is needed.

@GrapheneOS @geoffl @josh @stevenimpson see, this is what my OP was about. Normals don’t have the faintest what any of this thread today is about. Only we nerds do.

@trib @geoffl @josh @stevenimpson

They don't need to understand anything we wrote there. They only need to be able to follow basic instructions for the web installation, which has gotten simpler for the newer devices.

The guide doesn't assume people know any of these things and guides them through it without them needing to understand it. There's also great 24/7 support for installing available for free.

If people don't feel confident doing it themselves, they can purchase a device with it.

@trib @geoffl @josh @stevenimpson

The main issue people used to have with installing was Windows users needing to install a driver, which is no longer needed thanks to Microsoft finally shipping a driver for this as part of Windows 10 and 11.

Many very non-technical people have successfully done the GrapheneOS web install and are happily using it. Some of them needed help, but mostly to deal with two operating system issues that are now resolved (Windows driver and fwupd bug in Linux).

@GrapheneOS @geoffl @josh @stevenimpson that is an *extremely* technocentric perspective.

People who are not significantly technologically adept can barely comprehend what a URL is, or a browser, or even that there is an OS option for their phone.

They certainly aren’t going to take their Android device, think “is there an alternative?”, and go looking. They’re definitely not heading into their nearest telco shop and asking for a GrapheneOS device.

These are absolutely options only for deeply technical people. And that’s fine if that’s your target market. If you want deep and volume penetration into average-user-land, then UX, service design, content writing, marketing, and even the design of the OS itself at the functional level need to be targeted at the absolute lowest common denominator. Basically, everyone’s non-tech grandma.

Your first hurdle imo as a service designer and UXer is that people aren’t even aware that alternatives exist, let alone that they might be an option. People want to go to the telco shop, buy a phone, take an hour to set up email and download their favourite apps, and away they go.

@trib @geoffl @josh @stevenimpson

It's our experience based on our community and helping thousands of people install the OS who were very non-technical.

Nearly everyone asking for help with installation in our chat room, forum or elsewhere ends up successfully installing it. Most of them were capable of doing it on their own and just needed someone to reassure them they were doing it correctly.

The install guide has been heavily modified based on feedback from non-technical people using it.

@trib @geoffl @josh @stevenimpson

We rewrote the web installation to take advantage of the new Windows 10 and 11 driver to avoid the hardest part of the installation for non-technical people installing from Windows.

We get a lot of feedback if there's any part of it that's difficult because we recommend people ask for help in our chat room or the forum if they aren't comfortable using the chat room.

Lots of non-technical people look into privacy, learn it exists and successfully use it.

@trib @GrapheneOS @geoffl @stevenimpson There's literally people selling GrapheneOS preinstalled devices on Gumtree and Facebook marketplace now.....

@josh @trib @GrapheneOS @stevenimpson Buying a device that isn't running stock firmware from Facebook marketplace sounds like a great way to end up with a pocket full of malware. No way I'd be using that for banking.

@geoffl @josh @trib @stevenimpson

The verification process at https://grapheneos.org/install/web#verifying-installation can be used even if you didn't install the OS yourself. If someone buys a device with GrapheneOS preinstalled, we strongly recommend wiping it from recovery and performing the standard verification process documented in the install guides.

@josh @trib @stevenimpson

How does @GrapheneOS accomplish that your banking app is working on your phone? Or were you simply lucky?
On LineageOS my banking app told me the Android version was too old (or unsupported)

I always wondered if it isn't possible for open firmwares to provide a fake OS identification to certain apps?

@realn2s @josh @trib @stevenimpson

Play Integrity API is sometimes used to check for a Google certified device. It uses a bunch of methods to check for Google certified OS/device at a software level but doesn't enforce most of them. They detect spoofing happening at a large scale with the checks they don't enforce and block it. It also has a higher tier of verification based on hardware attestation which can't be spoofed but rather requires leaked keys from exploited devices they can revoke.

@realn2s @josh @trib @stevenimpson

Overall, only a very tiny number of apps use the Play Integrity API. Very few apps outside of banks and financial services use it. We're actively working towards getting regulatory action to force Google to permit using GrapheneOS for the Play Integrity API. They have no legitimate anti-fraud or security reason to ban using GrapheneOS and are completely capable of permitting it via the hardware attestation API which is fully supported by GrapheneOS.

@geoffl
Who *doesn't* have at least a laptop?
@josh @trib @stevenimpson @GrapheneOS

@cestpasgrave @geoffl @josh @trib @stevenimpson

GrapheneOS can be installed from a tablet or phone. Those instructions were mainly for helping people with USB issues on laptops/desktops which is why it was phrased that way. We've updated the wording to avoid implying that a phone or tablet can't be used to run the web installer. It already listed that as supported but we've made it clearer for the earlier part of the instructions.

@josh @trib @stevenimpson @GrapheneOS GrapheneOS -- and any custom ROM for that matter -- are way, way, way outside the capabilities of a "regular" user to install. That's not on the developers of GrapheneOS. It's a great project!
Choice is great, but the only way to bring privacy and security to the masses is to make it the default. Google didn't pay Apple billions to keep it the default on Mac for no reason after all.

@jones @josh @trib @stevenimpson

GrapheneOS isn't a custom ROM and we don't use that inaccurate jargon because it makes it sound arcane and complex.

GrapheneOS is very easy to install via https://grapheneos.org/install/web and many non-technical people successfully install it every day.

People can also purchase devices with GrapheneOS installed on them already, but nearly anyone can install it themselves with the web installer if they can follow basic instructions. There is great 24/7 support with it.

@jones @josh @trib @stevenimpson

Try the web installer for yourself.

We can remove a lot of the info there once we no longer have legacy extended support for 4th generation Pixels. People don't need to install a Windows driver for current devices.

The install process involves enabling a setting on the phone in the GUI, holding volume down during a reboot and then pushing some buttons on the site. Unlocking and locking require approving it on the device it's being installed on.

@josh @trib @stevenimpson @GrapheneOS By virtue of the fact that you have a social media account of any sort and use it to talk to other people, you are more computer-fluent than roughly 70% of the adult population (https://www.nngroup.com/articles/computer-skill-levels/).

Think about how ridiculous it would sound if Simone Biles said something like "I don't think it's hard to do a backflip, so I can't agree that people might have trouble with it".

That's basically the disparity level here.

@josh @trib @stevenimpson @GrapheneOS "I don't get why you're having trouble with this - just shoot the 3-pointer. It's not that hard." --Michael Jordan, from the universe where basketball skills are as socially relevant as computer skills are here

@dave_cochran @trib @stevenimpson @GrapheneOS I'm struggling to understand why you all are piling on with the flame wars and trolling with someone who is trying to help?.... It says more about you people writing novels with statistics than others providing help via Mastodon.

@josh @dave_cochran @stevenimpson @GrapheneOS not at all, Josh. What a few of us (folks who spend time in the land between tech competency and the rest of the population doing things like user research, UX, and service design) are attempting to point out is that while Graphene is an awesome project and laudable in many ways, believing that a significant proportion of the population could up and switch their Android devices over to GrapheneOS is kind of blinkered.

There are so many hurdles to this when the majority of the population barely understands what a browser is, how their phone even *has* an OS, let alone that it's within their power to make these choices.

It's not a pile-on, but a few folks with the right kind of design experience pointing out the hurdles.

I understand the defensiveness and wanting to stand by the product, which I agree with as a stance. I also admire the product itself. But a 20-plus-year design career has shown me that this is the case. I've had many variations of this conversation with technologists over the years who are as baffled as some in this conversation that the population is as low-skilled as they are.

Tech companies often struggle with this, but I think it's still worth pointing out to them and to try to increase the level of work focussed on the very low-skilled.

@trib @josh @dave_cochran @stevenimpson

People can purchase devices with GrapheneOS and there are many non-technical people who do that or install it themselves. There's a community of people around it helping non-technical users answering their questions and giving them advice. Using GrapheneOS doesn't require knowing how to install an OS and the UI isn't much different than the stock Pixel OS which is the easiest of any Android-based OS to use. Sure, there are a few extra toggles, etc.

@trib @josh @dave_cochran @stevenimpson

People can simply use Google Play on GrapheneOS and use it as a regular Android device. They don't need to understand what it means for Google Play to be regular sandboxed apps on GrapheneOS. They can use it just like the stock Pixel OS.

It is very easy to install but that's not a requirement to using it. Many non-technical people do install GrapheneOS. We have a lot of experience providing support to them and know what people actually struggle with.

@trib @josh @dave_cochran @stevenimpson

The main issue people had installing GrapheneOS was getting a Windows driver and Microsoft has fixed this problem. The next main issue is that there are many low quality USB-A to USB-C cables and other USB problems on Windows and desktop Linux computers. The easiest solution is often just getting people to install from an old Android phone or tablet instead of fixing a desktop setup.

People struggle more choosing where to get apps and which apps to use.

@trib @josh @dave_cochran @stevenimpson

We've been heavily working on polishing up the web install anymore and soon a bunch of the text on the page can be removed once the oldest legacy extended support devices are gone.

We made a new setup wizard for a nicer out-of-the-box experience with the standard gesture tutorial offered at the end. It also now stops people leaving the device unlocked.

We renamed the app store from Apps to App Store and put it on the home page, which helps a lot.

@trib @josh @dave_cochran @stevenimpson

We expect most new users will at least start out using sandboxed Google Play through our App Store. They can also use the Accrescent app store from there. People can simply use it similarly as they would use any Android device with Google Play.

We see many non-technical people successfully using GrapheneOS whether or not they installed themselves. Main issue stopping people succeeding is wanting to do too much at once and entirely leave mainstream apps.

@trib @josh @dave_cochran @stevenimpson

If people start out using sandboxed Google Play, they don't need to make many sacrifices or adapt to many new things as long as they were Android users before. iOS users switching to Android is almost entirely the regular difficulty they would have switching to a Pixel with the stock OS too. It's not what they're used to and the GrapheneOS differences hardly even play a significant role.

Lots of non-technical users find the minimalism helpful.

@trib @josh @dave_cochran @stevenimpson

The stock Pixel OS having a whole bunch more apps and services, pushing people towards them with a layered setup wizard, prompting people to use features or apps, etc. is in a lot of ways more intimidating than using GrapheneOS which stays out of the way.

GrapheneOS has a much less technical audience overall than you think. There are people who had no issue installing it but couldn't figure out using Matrix to ask questions and we have other options.

@GrapheneOS @trib @josh @stevenimpson define "non-technical" please?

@GrapheneOS @trib @josh @stevenimpson like, which category are we talking about from the list below?

  • “Delete this email message” in an email app is a reasonable ask

  • “Find all emails from John Smith.” is a reasonable ask

  • "find a sustainability-related document that was sent to you by John Smith in October last year.” is a reasonable ask

  • "find out what percentage of the emails sent by John Smith last month were about sustainability.” is a reasonable ask

@dave_cochran @trib @josh @stevenimpson

Someone who can successfully use a Pixel with the stock OS can use a Pixel shipping with GrapheneOS without much more difficulty. It's nearly the same beyond them opening the App Store and installing Google Play before they use that to get their mainstream apps. We've smoothed out that process quite a lot.

If someone can't use the stock Pixel OS, then sure, they can't successfully use GrapheneOS. Some things are simpler in GrapheneOS not harder though.

@GrapheneOS @trib @josh @stevenimpson this isn't a pedantic question, btw - i'm asking because I am, and I'm pretty sure @stevenimpson was, talking about people who wouldn't even understand what "sandboxed" means in this context.

So if we're talking about different groups, it would be helpful to know that before going crazy nutso with the discussion :)

@dave_cochran @trib @josh @stevenimpson

People don't need to know what sandboxed means and the term isn't used in the OS. They open the App Store, see Google Play and install it. If they don't understand what Google Play is, they're going to struggle even more to use the stock Pixel OS with the much higher number of apps/services, confusing prompts, post-setup wizard, tips, etc. Using Google Play is the same as the stock OS beyond an extra prompt when installing an app through it.

@GrapheneOS @geoffl @josh @trib @stevenimpson That could be a problem if you want to migrate from iOS to Graphene. I don't own an Android device, neither tablet nor smartphone. So it might be difficult to install. I also had another discussion a few days ago: What if I'm using GrapheneOS and want to sell my Pixel after three years? Can I easily reinstall Android? I could not answer….

@doerk @geoffl @josh @trib @stevenimpson

It's easy to reinstall the stock Pixel OS with their own web installer and we provide instructions for this.

@cestpasgrave @geoffl @josh @trib @stevenimpson @GrapheneOS Neither of my adult children own a "real" laptop. Or a desktop.
The closest one has is a steam deck, the other has a chromebook.

Even amongst the fairly technical millennials the owning of a real computer is becoming rarer.
I'm glad Graphene can install via browser.

@Longplay_Games @cestpasgrave @geoffl @josh @trib @stevenimpson

Our web installer means it can be installed from any device with WebUSB support. It's unfortunate that Firefox refuses to implement WebUSB despite pioneering an earlier approach on FirefoxOS. People can use a Chromium-based browser on essentially any platform with Firefox. Safari is a bigger limitation because it means no option at all on iOS, particularly since iOS doesn't allow an alternative or using USB without Apple approval.