Motorola's new partnership with GrapheneOS
112 points by Miaourt
Happy user of GrapheneOS on a Pixel 10 Pro Fold for a couple of months. Nice to see that the project secures a hardware platform to build upon now when Google seems to do everything in their power to close down Android.
Do you use a second profile or some other method to access apps that require Google services? Banking and financial apps and so on.
I don’t know where the commenter you’re replying to lives, but it’s worth noting this “what about the banking apps?!” thing largely doesn’t impact the US in my experience - almost all of our banks I’ve heard of have entirely functional web apps, we just load up Firefox on our happily rooted phones (lol, if you can find a phone with an open bootloader in this country) and call it a day.
I’m always perplexed to learn how absurd other countries’ banking situations are when it comes to *checks notes* wanting to see how much money is in your account.
I'm in Finland, and most banks do have fully functional web apps, but here's the kick: authenticating requires a mobile app. Moreover, the same bank authentication apps are generally used as identity verifiers for other websites and services, including government websites. I.e. I need that banking authenticator to log in to tax services, municipal healthcare, police, etc.
There are alternatives, but they either cost money as a monthly subscription (around 3 euro per month) OR require a buggy mobile app ("hightrust.id", with average app store rating of 2.2/5) + government id card. Either way you need a mobile phone.
I believe there are still card readers around that you can use with your government id, but that only works with a desktop/laptop.
Can’t believe I’m preferring the American solution to a problem space the Europeans have worked on, because normally I’m first in line to call my homeland all sorts of disapproving names, but on this one… yeah, sorry, I want nothing to do with the European model you just described. What a disaster. Sorry to hear :(
But do the bank apps actually hard require Play Integrity and whatnot?
Here in Argentina the most I've encountered personally is one fancy wallet app starting to complain about running on a userdebug build (and it stopped complaining after setting the release type property from an adb root shell). And the most popular apps are made to run on whatever old junk people have that predates Play Integrity by a decade.
My credit card company doesn't allow their app to be used, but other than that all my banking needs are just fine. So far, the only real gripe I've had is with Strava not working without the sandboxed Google Play Services.
You can run GrapheneOS without Play Store and Play Services, but without Play Services you don't get push notifications. I've used ntfy and You Have Mail for notifications and that works OK though not perfect.
I just got a Pixel 9 last week and put GrapheneOS on it. Couldn't be happier with it so far. The install was completely painless using web installer. All my apps worked out of the box. Google Store works fine in the sandbox. UX is good, and you don't have any of the crap Google normally loads like all the adaptive services, and all the other junk that runs in the background.
Well well well... It seems that once my Pixel 6 reaches its end of life, my next phone will be a Motorola phone then...
My hope is that one day, GrapheneOS will pass the Play Integrity API. This has been more and more triggered by the few closed-source apps that I use on my daily driver. (Whatsapp, Spotify and most of my banking apps) I'm moving away from one of my banks, because 3 months ago, their app decided to stop working with phones that don't pass the strong level of Play Integrity, even though it was working fine on GrapheneOS for 5 years.
I hope that we get enough OS diversity that people stop with the fucking integrity checks.
Unless the signatures are registered by the end user, they're just an end run around open source. They're not checking that I'm running the software I want to run. I don't want to run the vendor's spyware android.
GrapheneOS will never pass the Play Integrity API, given it's not a security check but a "Google Approval" of the Android build signature. App devs just have to change their integrity check a little bit to have a more secure check https://grapheneos.org/articles/attestation-compatibility-guide
It seems that if GrapheneOS is shipping on hardware there is a chance that it will enter Google's approved list. Although IDK if they break some of the requirements.
...of course my GrapheneOS won't pass because I will root it. But it is possible that the stock version would pass when these devices ship.
GOOG doesn't add GrapheneOS to the allowlist because the latter (1) sandboxes Play Services, (2) adds a Network toggle to app permissions, and (3) adds a Sensors toggle too. All 3 are an affront to the suits running Play Store (the platform security team is implied to be fine with that).
Anything that even slightly challenges the status quo in this space is a great thing in my book!
For those curious about banking app compatibility with GrapheneOS, here's a nice list that one of the devs is involved with.
I am not sure I will ever forgive Motorola for the Moto X4 I bought.
Apparently I had not researched well enough and it had been released in October 2017 and the last Android 9 security patch they ever brought out was in September 2019, just shy of 2 years.
The problem was that I bought it a bit later than that, so for the whole time I never got a single security update. I have later switched to a Pixel because of the longer update times.
And JFTR, the phone hardware is still working fine to this day, I am using it as my alarm clock/weather display/bedroom browser phone - but I felt bad enough about the state of security that I bought another one. (Never got around to switching to GrapheneOS because I didn't dare to lose my access to 2FA and banking app, but that's a different problem).
I wonder if we can expect GrapheneOS support on older, cheaper devices like a 2024 Play. Part of the reason I have never looked more extensively at GrapheneOS is that I have no desire to spend the $400 - $700 USD it would cost me to get a used Pixel 8, 9, or 10 to experiment with and possibly break, when I have a $125 USD daily driver. My understanding is that GrapheneOS is Pixel-locked due to the hardware opportunities, but could this new long-term partnership result in making older, cheaper Motorola devices a viable option?
Probably in years to come when whatever the first Motorola phones that support GrapheneOS hit the used market. I don't think there are plans to backport to existing Moto phones.
Used Pixels are not so expensive unless you are buying directly from Google (or you only will buy the pro variant). But perhaps you have a reason I am not aware of to avoid other sellers?
My numbers were pulled from a cursory search on eBay, so as far as I can tell, they're pretty accurate. Dropping $300+ USD on a device that may or may not work out for me is a financial risk I'm not buffered against, so if that sounds like low money to you, we are just in different earnings brackets.
I have been searching more than cursorily (is that a word?) for a replacement phone myself. We probably are in similar earnings brackets since we're both looking on ebay, but I'm just less concerned about getting a lemon when buying refurb. At least, I'm somewhat confident in being able to know immediately if I got a lemon.
I've had a couple good experiences with Swappa as an alternative to eBay. It's worth comparing at least, and it feels like less of a gamble.
How do people install apps on GrapheneOS? I'm building an app currently and I've made sure not to require any Play Store APIs but my primary distribution channel will still be the Play Store. Are most people still installing apps through Play Store on these devices or is there an alternative app store?
The most popular alternative store is F-Droid. App apks can also be distributed elsewhere, like Github, and installed/updated using Obtainium. The latter works particularly well if the apk signature is published so that the release can be verified using AppVerifier. Lastly, there's also Accrescent.
I looked into F-Droid but it seems they will only carry open-source software, which I can understand but I have no plans of open sourcing what I'm building.
However it looks like Accrescent and Obtainium should support my use case.
I've more recently become aware of itch.io as another platform for selling apps, and apparently you can either use it from Obtainium or an open source app called Mitch.
Accrescent, notably, can be installed directly through GrapheneOS' first-party apps store. Upstream recommends it over F-Droid IIRC, even if F-Droid is still quite popular.
There is a built-in app store for just bundled app updates, sandboxed Google apps, and installing the other app store they endorse, Accrescent. Accrescent is secure but not very good, and does not have very many apps. Probably most people install apps via the Play Store if they have the sandboxed Google Play Services installed. Many people also use F-Droid, even though the GrapheneOS developers dislike it. There is also Obtainium, for installing things directly from Github.
You can install play store apps without the play store by using Aurora, IIRC.
There's no alternative app store for paid apps with any significant market share in the west (epic runs one, never used it).
Probably there are alternate app stores in Russia, China, etc?
My Pixel 8 that I got specifically to run GrapheneOS is my first non-MotoG phone in the last 10 years or so. I'm really happy to see that Motorola is GrapheneOS's OEM partner.
I wonder if this is somehow similar to what drove Steam to invest in Linux; Motorola may want to have a backup OS in case Google somehow "restricted" the use of Android on Motorola phones.
I was about to ask why Motorola Mobility would care to hedge against Google since Google bought them back in 2012, but it turns out they sold Motorola Mobility to Lenovo in 2014.
> combining GrapheneOS’s pioneering engineering with [...] Lenovo’s ThinkShield solutions
That makes it sound like they're going to install bloatware on GrapheneOS... I'd be quite surprised Graphene would associate with that, so hopefully it's just marketing fluff.
From the [slides](https://s7d1.scene7.com/is/content/Lenovoassetsprod/ThinkShield%20Extended%20Solution%20Guidepdf?refId=6442d163-51ba-4f90-a81b-fe1fcecde368) it looks like it's just their name for reasonably low level attestation, signing, hardening, etc.