Cider9986
8 hours ago
It's absolutely insane that phones have online accounts deeply integrated into the OS. You need to give Apple your phone number to download any apps on iOS.
For example:
Say anyone that downloaded IceBlock commited crime, Apple could give the govt everyone who downloaded its phone number, the govt could get the realtime location of everyone based on their phone number from the carrier.
And that's not even mentioning the other problem that nobody can download IceBlock anymore[1].
It's so refreshing for my phone not to ask for any identifying information when I set it up. GrapheneOS is a better software experience than iOS anyway[2].
Phones have great potential to be the most private and secure computers, cell services not withdrawing. And iPhones are one of the most private and secure devices. But, Apple uses that to restrict its users freedom and it makes Apple's users can easily be controlled by any government.
GrapheneOS delivers that dream.
[2] once you install good apps. This is coming from a lifelong iOS user. Not prejudiced against Apple, I use a Mac (without an account) and their Advanced Data Protection is great (when I had an account).
monksy
8 hours ago
I agree with that.. additionaly, I'm finding it to be insane that organizations are trying to force you to have a "audited" phone to interact with them. (I.e. events, businesses, etc)
matheusmoreira
6 hours ago
Remote attestation is not just insane, it's the technology that will end free computing as we know it today.
What good is free software if using it marks our devices as untrusted and gets us banned from every service out there? Gets us ostracized from digital society? Because we "tampered" with the device?
We should be able to run whatever software we want and they should be none the wiser. Instead, we are part of the threat model now. Our devices are now cryptographically attesting that they are corporate owned and that we are under corporate control. It's so disgusting. The future we're heading towards is terrifying. Everything the word hacker ever stood for will be destroyed if this keeps up.
Cider9986
6 hours ago
It can be used for security and used privately [1] but I entirely agree with you, Google's use of it is anti-competitive and terrible.
[1] attestation.app
matheusmoreira
2 hours ago
It's all about who owns the keys and who trusts those keys. If you don't have the keys to "your" computer, then you don't own that computer, you're just renting it from the corporation.
And even if our own keys could be used, who's going to trust those attestations? Nobody. They will trust Google's keys, Microsoft's keys, Apple's keys. Not ours.
preisschild
3 hours ago
Yeah same as TPM and Secureboot. They can improve your own personal security (and thereby privacy) drastically, but it has to be controlled by the user.
myaccountonhn
4 hours ago
You'll probably just need to keep two phones. One hostile spying device that you use for authenticating and dealing with government stuff, and that becomes e-waste every 2 years. Then you have one that you can repair and extend for your own stuff that respects you and your privacy.
collabs
2 hours ago
I am doing this now. I have had a carrier locked iPhone SE 2020 which I only use on Wi-Fi for over five years now. I also have an android phone and I don't install any banking apps on my android phone.
charcircuit
5 hours ago
>What good is free software if using it marks our devices as untrusted
That is not what remote attestation is for. The operating system maintains isolation between apps, so a free software app being installed doesn't mean an app that needs high security is compromised.
marmarama
5 hours ago
I think you've misunderstood. It's not an app problem. The problem is that it makes Free Software OSes unviable. The copy of Android you compile and install yourself - or your copy of desktop Linux where you upgraded the kernel yourself - will never pass remote attestation, and it gives both the attestation provider and software that checks attestation the ability to unilaterally shut out any OS they like with no workaround, even those that do pass attestation.
In a world of deeply untrustworthy Big Tech, and trend of governments, banks and other basic services needed to exist in society relying on apps and in the future, websites that use remote attestation, that is very troubling.
There are better ways of dealing with the bad actors problem, but Big Tech has chosen violence.
floam
4 hours ago
I don’t see how it’s incompatible with open source, just because my development builds aren’t being blessed.
dpark
4 hours ago
It’s not incompatible with open source. It’s incompatible with free software. If Apple or Google or Microsoft or the government needs to “bless” your build, then you have no freedom to actually use your build.
marmarama
4 hours ago
Your "development build" is another person's daily driver.
Case in point: GrapheneOS (or any other custom Android distro) is unlikely to be able to ever pass remote attestation, even a signed, secure boot build with the bootloader relocked, because it's not the original OS for the hardware.
Same goes for any desktop Linux.
inigyou
2 hours ago
GrapheneOS implements its own attestation so you can attest that it's real GrapheneOS. The valid approach they've chosen is to try and get on a level playing field with the big guys rather than destroy the playing field. They have a good argument their OS is very secure, so you should accept its attestation. This is how a user-friendly OS backdoors into the attestation system.
I still think destroying the playing field is better, but less likely to succeed.
matheusmoreira
38 minutes ago
> so you can attest
This isn't about you attesting anything though. It's about corporations attesting that your device is 100% corporate owned. Can't have you running software that impacts their bottom line after all.
GrapheneOS could be the most secure operating system to ever exist, it doesn't matter to the corporation because it's still under your control. When they say "security", they mean "the corporation's security against the user", not "the user's security against the hostile world out there".
HybridStatAnim8
38 minutes ago
GrapheneOS doesnt implement its own attestation. It simply inherits the existing, generic attestation system provided in the android open source project. Any fork of AOSP can provide this, the keys would just need to be whitelisted per OS.
charcircuit
2 hours ago
You can apply my same comment 1 layer up.
The hypervisor maintains isolation between operating systems, so a free operating system being installed doesn't mean an app that needs a high security operating system is compromised.
matheusmoreira
2 hours ago
Then why can't we install whatever we want on "our" devices?
charcircuit
2 hours ago
Because you are buying a device without the feature of installing a custom OS. If you want a feature, buy a device offering it.
matheusmoreira
42 minutes ago
The whole point of this discussion is the trend towards societal scale denial of that feature by both market forces and governmental forces.
There is no such a thing as "just buy a different device" when this "different device" is actively discriminated against to the point it's a paper weight. I wouldn't be surprised if remote attestation becomes necessary to even get an internet connection in the future.
andai
8 hours ago
What is that? I don't seem to be finding anything relevant on Google.
monksy
7 hours ago
We're running into situations where the usage of smart phones and apps are becoming mandatory for using services.
For example: The UK has a digital ID requirement which is required for you to be employed in the UK. Additionally the EU digital identity services have a hardware/software attestitation that is required to run their apps. (Many of those which 3rd party software can't run).
Another example of this is the Australian eTA - (Everyone has to have a visa to visit Australia.. but the real only way to get a visa* is you have to get an electronic travel authorization which only works via an App)
https://grapheneos.org/articles/attestation-compatibility-gu...
Apps that ban graphene-os being used:
myGov (Australian government app)
gov.br (Brazilian government app)
Ticketcorner
Authy
Chyrpe Dating
TextNow
mada Pay (Saudi NFC payment app)
McDonald's (International app used for many but not all countries not including the US)
Dott
My SEAT (Connectivity for SEAT cars)
SwissID
Volkswagen
BKK Faber-Castell & Partner
TK-Doc
TK-Ident
TK-App (Blocks access to TK-Safe, TK-GesundheitsMessenger, fingerprint login)
IO (Italian government app which uses it to gate access to the digital wallet feature)
PosteID (Italian postal service’s app used to access the national digital identity system "SPID")
Singpasssubscribed
5 hours ago
> The UK has a digital ID requirement which is required for you to be employed in the UK.
That's untrue.
There was a strong push towards the digital ID from the current administration, but it was abandoned 6 months ago.
What you likely mixed up with digital ID is the old digital visa scheme, mandatory for all non-UK citizens to prove right to work.
Re: your app list: looks a little bit eclectic, so it's worth mentioning most of the apps don't ban GoS specifically, but enforce Google play strong or device integrity pass, which GoS doesn't pass.
Some trip on some exploit protections, like secure app spawning, but these can be turned off per app in the latest releases based on Android 17.
anonzzzies
6 hours ago
GrapheneOS and others should have lobbyists or rather lawyers and lawmakers to fight for using secure systems to mandatory be allowed for these. Sure, there must be some type of OS guarantee, but that should not be exclusive to Google and Apple. And indeed browsers with otp/authn devices (not one per service but yubi/thetis type of thing as those can be made sovereign for a large part); when an OS is not allowed, the browser and app should be mandatory allowed with such a device as that is, actually, more secure than the original device as it is an external encryption and encryption key source the hacker cannot reach.
Cider9986
6 hours ago
Us users might be effective as well. Hopefully anti-trust law catches up and bans play integrity. They are probably going to spend their money improving features and experience to get more users. There's threads on the forum dedicated to sending emails to Volkswagen to get them to support Grapheneos and it may be working.
z3t4
4 hours ago
This sucks. The solution is to buy the cheepest iPhone and use it just for the goverment services.
MYEUHD
an hour ago
The cheapest new iPhone is €720 (iPhone 17e)
gib444
2 hours ago
> The UK has a digital ID requirement which is required for you to be employed in the UK.
False
In fact I can't think of a single Government service or legal requirement that requires a smartphone in the UK.
In the past year I have applied for a passport, applied for benefits, opened a bank account, passed through border control, filed a company tax return, closed down a business, helped someone else claim for benefits, made police reports, filed a case with the small claims court, paid my council tax, received an incone tax refund, travelled on public transport extensively, hired a car.
All had alternatives as far as I can recall.
Quite a few were done online just with a computer and optionally a phone number
And based on prior discussions here I have to point out that "require" doesn't mean "ok but the alternative is kind of inconvenient"
andwur
8 hours ago
Likely referring to Android's Play Integrity/hardware attestation API (good explainer from GrapheneOS [1]) that is practically used to restrict what devices/brands/Android builds an app will allow itself to be run on.
[1] https://grapheneos.org/articles/attestation-compatibility-gu...
LoganDark
7 hours ago
I miss the days when iOS jailbreaks allowed you to completely circumvent basically all DRM because the trust in Apple was so high that you could just assume a device is secure. Contrast that with Android, which has always had invasive attestation mechanisms because of widespread mistrust in OEMs. On iOS, sometimes you had individual apps trying to check for jailbreak but that was it
realusername
6 hours ago
Apps trying to check for jailbreak is still a thing on iOS and as you would expect, it's jank and can trigger on stock iOS if you are unluky
preisschild
3 hours ago
> that organizations are trying to force you to have a "audited" phone to interact with them. (I.e. events, businesses, etc)
Even worse, GOVERNMENTS do that. EU Governments basically forcing you to give Google (via the Google Mobile Services rootkit) or Apple (and via the cloud act also the Trump Admin) access to your entire phone (including all of your saved personal data) to use the govt eID system...
inigyou
2 hours ago
Use the old-school ID system.
roysting
an hour ago
> organizations are trying to force
If it were only that and we actually had “free market capitalism” and “competition” you could simply choose, but leering and steering these “organizations” is the treasonous and inherently illegitimate government, which is increasingly indistinguishable from private corporations, mostly because it’s the same pool of people, which are reflexively moving us all towards a common focal point of a form of tyranny similar to hereditary oligarchy and/or serfdom.
ablob
4 hours ago
Don't phones have identifiers outside of phone number anyway? I feel like you have to trust the hardware/os vendor anyway. So if you don't trust apple to not misbehave, maybe not getting an iphone is better than chasing the whole phone-number idea.
Cider9986
4 hours ago
Your comment isn't super clear to me, let me know if I misunderstood anything.
Yes there are still identifiers when using cellular data service, but they aren't connected to your phone number that you give out. Phone number gets a determined threat actor real time location, which is what I explained. Threat actor gets location from any carrier identifier. Cellular was built in a terrible way for privacy and security.
Android doesn't let apps see hardware identifiers if that's related.
Yes you're correct about having to trust Apple, but my point is that the way Apple is collecting all this extra info allows them to be compelled to hand it over. It's not about trusting Apple, it's about them following the law, which they will do.
pjerem
6 hours ago
I’m on the edge of migrating from my iPhone to a Pixel with GrapheneOS.
But there is ONE feature I love on iOS and it’s the Live Photos. I feel like it’s an amazing way to keep family memories. Do you know if it exists on GrapheneOS?
mschild
6 hours ago
Natively it doesn't.
There are 3rd party camera apps that support it, but you'd have to download them separately. GrapheneOS camera app is fine but nothing outstanding. It will give you decent pictures but don't expect any fancy upscaling or editing features.
4gotunameagain
4 hours ago
But you can install google camera without giving it network permissions.
aucisson_masque
6 hours ago
Only in Google camera, which is usable on grapheneos: You get a live shot feature, it ain't exactly the same tho, look into that.
I run pixelos and the amount of stuff I miss from iphone is staggering, the difference between pixelos/grapheneos isn't as big as the difference between iphone/pixel.
Cider9986
6 hours ago
Hmm, don't really miss anything from iOS besides tap the top screen to go to top of page. Also Apple Notes is great.
No back button on iOS is madness and also the Android rotate screen integration is way better than iOS.
aucisson_masque
6 hours ago
It's mostly the app. Nothing come close to apple notes or reminder for instance.
Even safari... On Android, you get chromium that doesn't have any extension or Firefox that has incredibly frustrating UI and doesn't work well on some website.
Cider9986
5 hours ago
I can understand extensions but I like Vanadium a lot more than Safari. Reminders is hard to replace unfortunately. Overall I like android apps a lot more though. Once you find the right ones.
k4rli
6 hours ago
Obsidian might be even greater for notes. Looks beautiful, and it's super immersive on OLED especially. Worth trying for sure.
Tap to scroll might be possible to get also. Haven't felt need for it when it takes a few regular scrolls anyway.
Cider9986
5 hours ago
Thanks for the rec, I'll try it it. I like the open nature with markdown but when I tried on Mac it was a bit confusing.
Cider9986
6 hours ago
Yes, I have it and I use Google camera and Google photos. Not sure if default camera and gallery have it.
izacus
an hour ago
I mean... your sentiment is in the right place, but Android phones (non-GrapheneOS) can be used without Google account just fine.
Yes, you need to use F-Droid & Co. to get apps (just like on Graphene), but otherwise they're functional and many people are actually using them like that.
tonyhart7
3 hours ago
well you cant blame apple for that since Government can literally force your company to doing shit like this