zlacker

[parent] [thread] 7 comments
1. mbanan+(OP)[view] [source] 2025-07-25 01:13:34
GrapheneOS community manager here.

I would recommend checking out https://eylenburg.github.io/android_comparison.htm for a third-party comparison of these projects. They're not really similar.

CalyxOS downgrades security compared to the Android Open Source Project, often falls significantly behind on standard Android privacy and security patches as is the case right now (they still haven't ported to Android 16 which is required to have the latest patches) and doesn't provide similar privacy or security features.

Features like Contact Scopes, Storage Scopes and our Sensors permission toggle are some of the privacy features includes in GrapheneOS.

Privacy necessitates security. The security provided by GrapheneOS is in order to be able to protect privacy.

replies(3): >>spaqin+sl >>pshirs+Bx >>joemaz+5e5
2. spaqin+sl[view] [source] 2025-07-25 04:57:55
>>mbanan+(OP)
According to the link you provided, it does seem to be ahead of stock Android (assuming AOSP) and LineageOS, disproving your point that it's falling behind.

The point of the OP is not that it would be better than your solution anyway; rather, if you have a device unsupported by GrapheneOS, Calyx would be better than nothing.

replies(2): >>rfoo+eE >>strcat+6X1
3. pshirs+Bx[view] [source] 2025-07-25 07:08:46
>>mbanan+(OP)
> The security provided by GrapheneOS is in order to be able to protect privacy.

But there is still no way to reset/spoof android device ids, and the apps can reliably identify the user after reinstalls.

replies(1): >>strcat+HX1
◧◩
4. rfoo+eE[view] [source] [discussion] 2025-07-25 08:12:35
>>spaqin+sl
> Calyx would be better than nothing.

Depends on your threat model. If Google, low-effort scam apps or being profiled by apps are your only adversary, then that's true. If random threats on Internet or APTs pwning your phone, or being forensic-proof are part of your threat model, then Calyx is strictly worse than stock.

◧◩
5. strcat+6X1[view] [source] [discussion] 2025-07-25 17:36:18
>>spaqin+sl
> According to the link you provided, it does seem to be ahead of stock Android (assuming AOSP) and LineageOS, disproving your point that it's falling behind.

The table shows CalyxOS has substantial delays for important privacy and security patches. It currently doesn't provide the 2025-06-05 patch level. It's better than LineageOS and /e/OS in that regard but still reduces privacy and security through significantly delayed patches. CalyxOS also weakens parts of the privacy and security model through the privileged functionality that's added, which simply isn't covered by the comparison table.

> The point of the OP is not that it would be better than your solution anyway; rather, if you have a device unsupported by GrapheneOS, Calyx would be better than nothing.

On Pixels, CalyxOS is missing current Android privacy/security patches. GrapheneOS doesn't support those other devices due to lack of a reasonable level of security. Each of those extra devices has significantly delayed privacy/security patches and lacks important hardware-based security features. Despite all the marketing about long term support, Fairphone 5 uses Linux 5.4 which is end-of-life in December 2025 with no plans on their part to move to a supported kernel branch afterwards. Earlier Fairphones are stuck on older end-of-life kernel branches. Those devices are missing basic updates and security protections. Those don't provide proper long term support, so if someone does have one it won't be long before it's time to buy another device.

◧◩
6. strcat+HX1[view] [source] [discussion] 2025-07-25 17:39:09
>>pshirs+Bx
Hardware identifiers aren't accessible to user installed apps. ANDROID_ID is a per-app-per-profile random ID. Apps don't need ANDROID_ID to identify that it's the same install due to immense fingerprint surface. If you installed the app in another profile, it would have a different ANDROID_ID, but it would still potentially be able to fingerprint it as the same device based on many things like settings. GrapheneOS does have planned features to improve these things but it's not nearly as simple as making ANDROID_ID per-app-install or making the MediaDRM ID more randomized than the current per-app random value (it was meant to be like ANDROID_ID but they make a mistake that's hard to fix without breaking compatibility so we need a toggle).
replies(1): >>pshirs+KM3
◧◩◪
7. pshirs+KM3[view] [source] [discussion] 2025-07-26 10:18:45
>>strcat+HX1
I understand, but think it won't be correct to make claims about strong privacy while fingerprinting remains possible and as easy as on stock devices.

I agree that GoS did a lot in order to improve privacy (scoping) and it provides unmatched security, but you shouldn't create false expectations.

8. joemaz+5e5[view] [source] 2025-07-27 02:32:49
>>mbanan+(OP)
Why must your team replyguy every single CalyxOS post?
[go to top]