In parallel, Google has rolled out its Play Integrity API, which allows developers to limit app functionality when sideloaded, effectively pushing users to install apps only through the Google Play Store.
The issue is even bigger. Even when using Play Store on GrapheneOS with a locked bootloader (which is the recommended configuration by the GrapheneOS project), Google refuses to let apps use the hardware attestation support in the Play Integrity API [1], which blocks certain banking apps, Google Wallet, etc.
It's insane that Google lets Android vendors that have a lot of dubious security practices (months-late security updates, etc.) pass, while an OS that implements more security mitigations than PixelOS and is sometimes faster than Google rolling out security updates is excluded.
The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.
Time to block the Facebook/Instagram apps then, given https://localmess.github.io ?
[1] https://grapheneos.social/@GrapheneOS/112878070618462132
AFAIK this only applies within Singapore (not sure if this applies to visiting devices) for apps requesting certain permissions (RECEIVE_SMS, READ_SMS, BIND_NOTIFICATIONS, and accessibility) downloaded outside of app stores (F-Droid is fine) and opened directly on the device (adb install is fine).
You can probably bypass the restriction by just disabling Play Protect if you don't want Google to tell you what you can and cannot install, but I'm not in Singapore so I can't confirm if that will work or not. That said, Google has made it impossible to disable Play Protect while on a call; that's probably a smart move.
Based on this article from the Singapore police, the approach doesn't seem to have helped much: https://www.police.gov.sg/media-room/news/20250417_police_ad...
> In some cases, before downloading the malicious APK file, victims would also be guided to disable Google Play Protect that helps to prevent harmful downloads. Once Google Play Protect is disabled, victims would not receive alerts that there is malware introduced into their mobile phones. Victims may also be asked to download Virtual Private Network (VPN) applications from Google Play Store which would facilitate scammers’ connection to their Android device. Scammers would then be able to bypass the banking anti-malware measures and remotely access the victims’ banking accounts with the phished ibanking login credentials.
https://grapheneos.org/articles/attestation-compatibility-gu...
A few months ago they improved their security somewhat by not letting you disable Play Protect while on the phone: https://9to5google.com/2025/01/29/google-play-protect-calls/
You also can't turn off Play Protect if you've enabled Advanced Protection on your account (which also enforces a range of other security measures) but that's fully opt-in and hasn't even been available to the wide public for all that long.
Because it's irrelevant.
> but if this was driven by a government, does Google really deserve all the blame?
Of course. If the government ordered Google to assist in a genocide against some demographic, and Google goes along with it, it doesn't matter if the government is also evil. Google is evil for playing ball.
And we don't have to speak in hypotheticals. Both Google and Amazon are actively engaging in tech-assisted genocide.
https://www.aljazeera.com/news/2024/4/23/what-is-project-nim...
I have boycotted Amazon for a while now and I'd boycott Google too if it wasn't so pervasive in my professional life.
Just one month ago they found intentionally embedded Kill Switches in Chinese-provided solar panels [0][1].
Not even complex apps require capabilities of such self-modification; the fact that a DJI drone app requires such capabilities is quite suspicious, especially as they are heavily involved in PLA Drone Warfare R&D and Capacity building.
[0](https://www.reuters.com/sustainability/climate-energy/ghost-...)
[1](https://www.rickscott.senate.gov/2025/6/sens-rick-scott-mars...)
> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> DBS, UOB become latest banks to restrict access if unverified apps are found on customers' phones
> They are the latest banks in Singapore to do so – after OCBC and Citibank – amid a spate of malware scams targeting users of Android devices.
— https://www.channelnewsasia.com/singapore/dbs-uob-anti-scam-...
> 74-year-old man loses $70k after downloading third-party app to buy Peking duck
> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.
— https://www.straitstimes.com/singapore/74-year-old-man-loses...
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial
> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.
— https://www.channelnewsasia.com/business/anduril-secures-305...
> CNA Explains: Are Android devices more prone to malware and how do you protect yourself from scams?
> Why are scammers more likely to target Android users? How do you spot a fake app and what should you do if your device is infected by malware?
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Nearly 2,000 victims fell for Android malware scams, at least S$34.1 million lost in 2023
> In 2023, about 1,899 cases of Android malware scams were reported in Singapore. The average amount lost was about S$17,960.
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months
> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.
— https://www.channelnewsasia.com/singapore/android-users-inst...
> Pang is just one of tens of thousands of Singaporeans to fall foul of scams last year, who lost a total of S$1.1bn, according to police, a 70 per cent increase on the previous year. The true figure could be even higher, according to the Global Anti-Scam Alliance, which estimates that more than two-thirds of Singaporean victims did not report their experience.
> This is a small part of a global criminal enterprise worth an estimated $1tn, but Singaporeans, affluent, digitally advanced and compliant, are particularly vulnerable to these scams. As one person involved in the recovery of assets put it: “They are rich and naive”.
The Web installer [0] is not really approachable to a normal Android user. The instructions are dense, loaded up with warnings about dozens of edge cases that are discussed in jargon that would intimidate even relatively tech-savvy users:
What's USB passthrough? Did I install my browser through Flatpak or Snap? How would I know? Did I need to understand the paragraph explaining in detail how carrier models lock users in? There's a bunch of stuff in there about Linux... do I need Linux? What's a sha256 hash and do I need to care?
It's not that this is impossible for non-IT-folks to grasp, but there's no chance that my parents are installing this on their phone.
https://zimperium.com/blog/the-hidden-risks-of-sideloading-a...
Huh? Banking apps not working on GOS are a rather rare exception (which I have not run into ever and I use several), and streaming apps work just fine. I "only" use Netflix & Amazon Prime but other people attest[0] to Disney+, Paramount, Max, and SkyGo working, too – even without Google services.
[0]: https://discuss.grapheneos.org/d/20256-streaming-apps/6
FWIW, GOS is an excellent project, but I don't think it's a good fit for non-technical users. But there's nothing stopping someone from creating a distribution of it with a preconfigured Google Play sandbox, some sane defaults and applications, to provide technical support, and to streamline the installation process, or even sell devices with it preinstalled. As long as that entity is trustworthy, it would be a good alternative for people who want to leave the Google/Samsung/etc. ecosystem, but don't have the technical knowledge or want to bother with installing and configuring GOS themselves.
I sideload a glucose monitor app that's not available through Playstore (it's FOSS and health is a tricky area with liability).
It's a fantastic app and the ability to sideload it is a major reason I use Android over iOS.
I also sideload a patched app of the Dexcom glucose reader OEM's shitty app to allow the data to be read by the better (sideload) FOSS app.
https://github.com/NightscoutFoundation/xDrip
https://www.patreon.com/byod/about?
Ok I'm not an ordinary person, I guess, but if I was I'd still use those apps and I know people who are ordinary and do so.
The TL;DR: Arch gets harder year over year as the number of ways to set up/options for each piece of your system grows. Hell, even picking a bootloader among 10 options is confusing. A guide that just at least says "This is common for X, this for Y, the others are interesting and may be worth trying. If you don't want to investigate now, use X" is DESPERATELY needed.
I tried to have that on my site, and a pretty high level Arch forum admin came by and told me to delete my website and made a PR just deleting the page. It was honestly one of the most rude and hateful interactions I've ever had online.
The actual way to stop the scammers would be to sanction their host countries into oblivion: India, Philippines and Myanmar are big in targeting English speaking countries, and Turkey when it comes to German speaking countries. Scammer Payback alone has made so many complaints with very little follow up from local authorities, partially due to open corruption. Either these countries clean up their act or they get dropped from SS7 (phone) and the Internet. But I see no way of this ever happening.
[1] https://stackoverflow.com/questions/21692646/how-does-facebo...
In countries where Android is popular and iPhones are expensive, Commentary (Jieshuo) screen reader is a popular and arguably much better alternative to TalkBack, the built-in Android screen reader. Because it's a Chinese app and there's no major conglomerate behind it, it's not on the Play Store.
Because it needs to be able to read all screen contents and drive the entire system UI (that's literally what a screen reader is for), the permissions it requests are quite intrusive. Blocking it from accessing sensitive apps would entirely defeat its purpose, after all, if you need a screen reader in the first place, one that doesn't work in banking apps will be pretty useless to you.
Googlers will probably point to Webaim[1] and say that nobody uses the app so it's not a problem, entirely forgetting that Webaim is mostly filled out by well-off English speakers. If you look at data sources that better represent the global population at large, like the Yandex user survey, you will see something very different.
https://forums.puri.sm/t/nine-months-librem-5-as-my-only-pho...
https://forums.puri.sm/t/a-l5-review-1-week-to-my-ready-to-s...
Tl;dr: calls and texts work fine, battery life is not as good as Android/Apple but usable. Also you can replace the battery on the go.
If you don't want to interact, you don't have to comment or engage.
> Maybe they want a circle for themselves, as a basic human need?
Fwiw, I'm a big fan of having private spaces and niches. It helps to filter this out. I think it is a mistake we make in our community designs, that everything needs to be public or whole cloth (e.g. Reddit doesn't allow subdivisions within the community). I do like that HN puts a threshold on the downvote, but I'd even like a lower threshold on the upvote. Allows people to wade into the community. But yeah, I think there is a problem now that the majority of communities have no ability to self filter and self form hierarchies. Without this, noob voices tend to drown out experts and frankly, noobs begin to believe they are experts. I'm sure we've all seen the typical CS stereotype of "read first line of wikipedia article, assume I know the rest" type of person...
[0] https://web.archive.org/web/20130116090332/https://wiki.arch...
[1] https://www.reddit.com/r/archlinux/comments/4z7z0i/the_begin...
But given how things are now, I'd highly recommend https://endeavouros.com/ if you're doing standard things (good with Nvidia GPUs)
I will keep installing Void and Arch on my own systems, however.
Thanks for the suggestion!
BTW, according to the archive.org you sent me, Beginner's Guide indeed turned out to be the Installation Guide: https://web.archive.org/web/20200708051126/https://wiki.arch...
(I just selected a newer version from your link).
So I think it indeed was the Beginner's Guide, or even the old version of Installation Guide that I really liked, it had all the things you need to get it up and running. Now everything is in its own wiki page and it is really annoying when I just want to use links in one or two tty and do the installing from tty1.
GrapheneOS and /e/OS are very different operating systems. GrapheneOS is a hardened OS with massive privacy/security improvements and a far different approach to mainstream app compatibility. GrapheneOS can be purchased preloaded on devices including from companies like NitroKey, so that is not something that's a difference between them. GrapheneOS is based on AOSP directly, not LineageOS.
https://eylenburg.github.io/android_comparison.htm is a third party comparison between different alternate mobile operating systems. It could include many more privacy/security features but it's a good starting point.
https://grapheneos.org/features provides an overview of what GrapheneOS provides. It doesn't cover all of the features but it covers a lot of them.
/e/OS lags very far behind on shipping Android privacy/security backports, lags a year or more behind on shipping standard privacy/security patches and does not keep the standard Android privacy/security model or features intact. Like LineageOS, /e/OS mainly supports devices without proper non-stock OS support and without firmware/driver patches. For the few devices they support which do provide those updates, they are much worse than LineageOS at shipping them to users. They don't use standard hardware-based security features even when they're made available to an alternate OS. /e/OS is not a safe option because going months or even years without critical browser engine and OS updates is a serious problem. It is not an academic or theoretical issue. They are failing to patch critical issues and some of those are known to be exploited in the wild.
You can run nearly all Play Store apps on GrapheneOS, but not /e/OS with the much more limited and less secure microG approach. https://bsky.app/profile/grapheneos.org/post/3lamcjfv5r22s explains the difference in approach. Of course, their approach certainly provides dramatically more mobile app compatibility than using the desktop Linux stack on mobile as is being proposed in the original post.
The post from Purism is highly inaccurate and is inventing issues which are not real issues along with presenting a product which massively reduces security and app compatibility as somehow solving those things. Dropping mainstream app compatibility and support for the main open source app ecosystem entirely hardly solves a tiny number of apps enforcing using the stock OS.
There used to be two guides. They kinda merged them, so the install guide got better but the noob guide got worse. Here's the comparison...
Beginner's (relink): https://web.archive.org/web/20130116090332/https://wiki.arch...
Old Install: https://web.archive.org/web/20130116102330/https://wiki.arch...