Thank you. I wouldnt have known this if it wasn’t for this post. I’ve never seen these sites. Good post.

This does not solve the Play Integrity API issue. This would make app compatibility even worse lol.

Only a few apps enforce Play Integrity so it is still the best option for a casual user. Cash App enforcing it is my biggest hurdle.

Thats so wack

Nostr is awesome. I’m hoping it grows much further.

You can always connect a USB stick or card reader with an SD card via USB-OTG

I will recommend you do use a phone that still receives security updates (Not EoL) because I don’t want you to lose out on security just to deGoogle.

If you are strict on having an SD card slot and your phone is still receiving support, you should use StockOS to receive firmware updates as soon as possible. If the phone you decide to get is EoL, the least bad option would be DivestOS (fork of LineageOS)

Again, I would advise not using an EoL phone.

microG runs Google Play code just like Aurora Store. It is not fully open source. Here’s more information.. It is still connecting to Googles propriety servers.

microG requires Signature Spoofing and alternative OSes usually ship with microG as a privileged system app. This increases the attack surface as it is not confined by the regular sandbox rules.

Now you’re using a privileged component, which downloads and executes Google code in that privileged unprotected context, and which talks to Google servers because otherwise, how would FCM work for example?

Despite doing both of those things, MicroG doesn’t have the same app compatibility as Sandboxed Google Play despite the extra access it has on your device. Even in some magical universe MicroG worked without talking to Google servers or running Google code (again, in a privileged context), the apps you’re actually using it with (the apps depending on Google Play) have Google code in them.

I recommend you purchase a Google Pixel 6a or above (minimum security support ends July 2027) and flash GrapheneOS. (Pixel 8/pro preferred)

Aurora Store doesn’t avoid Google since a lot of the apps from the play store include Google’s SDK and libraries. microG also doesn’t avoid Google as it is still running proprietary Google code and has more privacy/security weaknesses

Sandboxed Google Mobile Services is a much better implementation which is featured in GrapheneOS. The services are not privileged and is treated like any other app. They don’t downgrade privacy or security unlike the other alternatives.

There are much more privacy and security benefits using GOS. Here is a 3rd party comparison between different mobile OS.

security theater

AOSP does get security updates first because GrapheneOS is based on unmodified AOSP. They are quick to port over updates though and they have extra features like hardened malloc and better user profile support.

Non pixel phones aren’t secure because GrapheneOS doesn’t support them. They aren’t secure because they either don’t have secure elements, broken verified boot, or don’t properly support alternative operating systems. This makes phones like OnePlus, Fairphone, etc not secure enough for GrapheneOS.

DivestOS I would say is the least worst option when it comes to supporting EoL phones. They’re at least honest about what they do and don’t provide unlike what other OSes do. On their website, they tell you they aren’t a secure OS and they can only try their best to reduce harm on an EoL device. DivestOS Security.

The only secure phone operating systems are either grapheneOS or stock. All the others usually are behind security updates.

For migration, I would just use a USB C drive and transfer files.

End of Life date was 4 weeks ago 😔

Android System Webview allows apps to display browser windows in the app rather than taking you to your web browser app. On Android, chromium is used for webview. If you use Firefox as a default browser, the remote attack surface increases because they’re two different browsers with different security issues.

Site isolation enforces security boundaries around each site using the sandbox by placing each site into an isolated sandbox. Firefox doesn’t have that feature so they’re vulnerable to attacks like Spectre.

I haven’t been using Firefox for Android because I heard they don’t have a WebView Implementation so the firefox browser has to be used beside the Chromium WebView meaning there’s an attack surface of two browser engines. I also heard that the Firefox sandboxing and site isolation isn’t very good between websites.

I’ve been using Vanadium WebView and browser because of that.

Yeah a lot of substantial improvements have been made to GrapheneOS in the last couple of years to expand app compatibility. There’s Sandboxed Google Play now, as well as things like the exploit protection compatibility mode toggle so that people can use apps with memory corruption bugs which are caught by hardened_malloc if they wish to. Back in the day, apps with memory corruption would crash and there would be no way to use the until they fixed their app. They now have a toggle to disable hardened_malloc per app when you want to use it regardless.

You cant change the OS on Samsung devices

How is GrapheneOS overkill? Its identical to the stockOS but hardened for privacy.