This is a comparison of popular Android "ROMs" (or better: AOSP distributions). Please note I'm not affiliated with any of these projects and I am not giving any specific recommendation. If you think anything is factually incorrect, please let me know.
Source: eylenburg.github.io
Last updated: 19 April 2024
| GrapheneOS | DivestOS | CalyxOS | IodéOS | /e/ | LineageOS | "Stock" Android |
--- | --- | --- | --- | --- | --- | --- | --- |
Based on | AOSP | LineageOS | AOSP | LineageOS | LineageOS | AOSP | AOSP |
Freedom | | | | | | | |
Free and open source (FOSS)? | Yes | Yes | Yes | Yes | Yes | Yes | No |
Deblobbed? | Yes, significantly | Yes, extensively | Yes, significantly | Yes, minimal | Yes, minimal | Yes, minimal | No |
Features | | | | | | | |
Network controls for apps (note: the controls on LineageOS-based operating systems are leaky, as their approach only disables direct network access (sockets) but does not disable indirect access via the INTERNET permission, which provides multiple ways of bypassing them that do not require collusion between apps. This functionality is regularly used by apps with no malicious intent. Collusion between apps is an issue for all kinds of granted access, permissions, etc. and is not specific to the INTERNET permission; if the INTERNET permission is not blocked, though, no collusion is required.) | Direct and indirect access (in addition to blocking indirect access via INTERNET APIs, the GrapheneOS Network toggle also emulates the network being down and avoids running scheduled jobs which require the network) | Direct and indirect access | Direct access only | Direct access only | Direct access only | Direct access only | No |
Network-based location | Emulated default, or Play Services (emulated by default, i.e. redirected to GNSS-based location; can use sandboxed Google Play via toggles when installed) | No | UnifiedNLP | UnifiedNLP | UnifiedNLP | No | Play Services |
System-wide connection/tracker blocking | Private DNS setting, or via VPN app | hosts file, Private DNS, or VPN | Private DNS setting, or via VPN app | iode-snort app, Private DNS, or VPN | Private DNS setting, or via VPN app | Private DNS setting, or via VPN app | Private DNS setting, or via VPN app |
E2E-encrypted phone backups | Yes (Seedvault) | Yes (Seedvault) | Yes (Seedvault) | Yes (Seedvault) | Yes (Seedvault) | Yes (Seedvault) | Yes, but requires Google login |
Notification forwarding from other user profiles | Yes | No | No | No | No | No | No |
Android Auto compatible | Yes, see here | No | No | No | No | No | Yes |
Google Pay compatible | No | No | No | No | No | No | Yes |
Degoogling (connections to Google) | | | | | | | |
eSIM activation | Google eUICC w/o data sharing (disabled by default; unlike the regular Google eUICC management app, it doesn't require Google Play and cannot share data with it, and it doesn't communicate with Google servers unless the carrier is hosting with them, which would involve using their servers regardless) | OpenEUICC | Google eUICC (preinstalled) | Google eUICC (preinstalled) | Google eUICC (preinstalled) | Google eUICC (preinstalled) | Google eUICC (preinstalled) |
Network location provider | Emulated/GNSS default, or Google (emulated by default, i.e. redirected to GNSS-based location; can use sandboxed Google Play via toggles when installed) | n/a | UnifiedNLP | UnifiedNLP | UnifiedNLP | n/a | |
SUPL | GrapheneOS default, Google or none | Google default, or none | Google default, or none | Google default, or none | None default, or Google | Google default, or none | |
PSDS - Google Pixel 6 and later (note: the default server used depends on the GPS chipset; phones with Qualcomm chips (e.g. Snapdragon) connect to a Qualcomm server, newer Google Pixels with Tensor chips connect to a Google server, and other phones with Broadcom GPS (e.g. Exynos) connect to a Broadcom server. Some ROMs override these settings.) | GrapheneOS default, Google, or none | Broadcom default, or none | Broadcom default, or none | Broadcom default, or none | None default, or Google | Google default, or none | |
Connectivity check/captive portal | GrapheneOS default, Google, or none | Multiple presets offered | Google (can be changed with `adb` command) | Kuketz.de | Murena.io | Google (can be changed with `adb` command) | Google (can be changed with `adb` command) |
DNS connectivity check | GrapheneOS default, or Google | | | | | | |
DNS server fallback | Cloudflare | Quad9 | Cloudflare | Quad9 | Quad9 | | |
Network time (note: the NTP.org server pool consists of arbitrary providers, which can include Google-hosted servers or even malicious servers; the NTP server can be changed with an `adb` command) | GrapheneOS default, or none | NTP.org (can be changed) & carrier | Google (can be changed) & carrier | NTP.org (can be changed) & carrier | NTP.org (can be changed) & carrier | Google (can be changed) & carrier | Google (can be changed) & carrier |
Hardware attestation provisioning | GrapheneOS default, or Google | | | | | | |
DRM (Widevine) provisioning | GrapheneOS default, or Google | DRM not supported | | | | | |
Google Play Services | | | | | | | |
Implementation | GmsCompat (sandboxed Google Play); note: GrapheneOS does not include Google Play as a preinstalled app, but it includes an open source compatibility layer for users who choose to use it. Users can alternatively install microG on GrapheneOS, although GrapheneOS does not support signature spoofing. Not all microG functionality requires signature spoofing: for example, FCM works with microG without signature spoofing to the extent that it works without special privileges (e.g. microG needs to use a privileged API to wake apps and keep them awake for a short period of time to handle FCM messages). | microG | microG | microG | microG | None by default. It's possible to install microG manually (LineageOS supports signature spoofing for microG since 2024). Alternatively, there are ROMs with microG preinstalled, or one can add Google apps during the installation process, but this is not officially supported by LineageOS. | Google Play Services |
Optional? | Yes (not preinstalled) | Yes (not preinstalled) | Yes (preinstalled but opt-out) | Yes (preinstalled but opt-out) | No (preinstalled without opt-out) | No (preinstalled without opt-out) | |
Sandboxed/unprivileged? | Yes (regular app sandbox) | Yes (regular app sandbox) | No | No | No | No | |
Can be limited to user or work profile? | Yes | Yes | Yes | ? (TBC) | ? (TBC) | No | |
Signature spoofing needed/allowed? | No | Only for Google signature | Only for Google signature | Allowed for any app & signature | Allowed for any app & signature | No | |
Push notifications via Google FCM? | Yes | Optional | Optional | Optional | Optional | Yes | |
Google Play Integrity/SafetyNet? (note: "Basic Integrity only" means MEETS_BASIC_INTEGRITY passes but not MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY, which require a certification from Google) | Passes Basic Integrity only, see here | No | Passes Basic Integrity only | Passes Basic Integrity only | Passes Basic Integrity only | Yes | |
Privacy | | | | | | | |
Storage scopes | Yes, see here | No | No | No | No | No | No |
Contact scopes | Yes, see here | No | No | No | No | No | No |
Per-app sensor controls | Yes, see here | Yes | No | No | No | No | No |
Per-connection DHCP state flushing | Yes | Yes | No | No | No | No | No |
MAC address randomization | Per connection, see here | Per connection | Per network | Per network | Per network | Per network | Per network |
SUPL: IMSI or phone number sent? | No | No | No | No | No | No | Yes |
PSDS: user agent sent? (note: the user agent may include chipset serial number, device manufacturer and model, carrier, and Android version; "partially" means the chipset serial number is stripped out but other, less unique device information remains) | No | No (device-specific), see here | Partially for Qualcomm chips | Partially for Qualcomm chips | Partially for Qualcomm chips | Partially for Qualcomm chips | for Qualcomm GPS chips |
Closed cross-profile package leaks? | Yes | Partially | No | No | No | No | No |
Closed device identifier leaks? | Yes, see here | No | No | No | No | No | No |
Metadata stripping for screenshots | Yes, see here | Yes, see here | Yes, see here | No | No | No | No |
EXIF metadata stripping for photos | Yes, see here | No | No | No | No | No | No |
Security | | | | | | | |
Verified boot (if supported by device)? | Yes, incl. system app updates | Yes, but excl. system app updates | Yes, but excl. system app updates | Yes, but excl. system app updates | w/ test keys; excl. system app updates | No | Yes, but excl. system app updates |
Hardware-based security verification | Yes, see here | No | No | No | No | No | Some devices, see here |
System app downgrade protection | For updates and boot, with fs-verity | For updates and boot | For updates (incomplete) | For updates (incomplete) | For updates (incomplete) | For updates (incomplete) | For updates (incomplete) |
Secure application spawning? | Yes (exec) | Yes (exec) | No | No | No | No | No |
Hardened memory allocator? | Yes | Yes (patches taken from GrapheneOS) | No | No | No | No | No |
Hardware memory tagging? | Yes, if supported by device | No | No | No | No | No | No |
Hardened kernel? | Yes, highest | Yes, high (device-specific; patches taken from GrapheneOS) | No | No | No | No | No |
Hardened libc? | Yes, highest | Yes, high (patches taken from GrapheneOS) | No | No | No | No | No |
Hardened webview? | Yes (Vanadium) | Yes (Mulch; patches taken from GrapheneOS) | No | No | No | No | No |
Hardened SELinux policy? | Yes | No | No | No | No | No | No |
Android Runtime (AOT = Ahead-Of-Time compilation; JIT = Just-In-Time compilation/profiling) | AOT (w/o profiling) | Interpreter/JIT (with profiling) | Interpreter/JIT (with profiling) | Interpreter/JIT (with profiling) | Interpreter/JIT (with profiling) | Interpreter/JIT (with profiling) | Interpreter/JIT (with profiling) |
Additional hardening | Highest, see here | Medium, see here | No | No | No | No | No |
Secure TLS for SUPL? | TLSv1.2 if supported by device (older Pixels with Qualcomm chips only support TLSv1.1) | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 |
Fallback DNS server with DNSSEC? | Yes | Yes | Yes | No (uses Quad9's unsecured endpoint 9.9.9.10, which provides no security blacklist and no DNSSEC) | Yes | Yes | Yes |
USB data line control? | Yes, with enhanced controls (GrapheneOS provides a USB port control feature with the modes Off, Charging-only, Charging-only while locked, Charging-only while locked except before first unlock (default), and On. This disables USB gadget mode, USB peripherals and USB alternate modes, and also disables USB at the USB controller level in hardware to truly disable the data lines. For the modes relating to unlocking, it blocks connecting new devices as soon as the device is locked, and as soon as the devices connected while locked are disconnected, USB gets disabled. The special Off mode even disables charging while the OS is running, so that the separate USB-PD data lines and protocol are disabled too, also at a hardware level. The default allows USB before first unlock to support desktop usage, accessibility devices, etc. The expectation is that most users can switch it to "Charging-only while locked" if they don't need that, and to "Charging-only" if they don't use USB, or at least while they aren't using it. "Off" is a special mode for high-security situations and can be used, for example, to disable USB completely when leaving home and then turn it back to "Charging-only" on returning. This is much different from the standard Android feature.) | Standard AOSP controls | Standard AOSP controls | Standard AOSP controls | Standard AOSP controls | Standard AOSP controls | Standard AOSP controls |
Secure connection to network time server? (note: carrier-based time is insecure because cellular networks lack proper authentication) | HTTPS via GrapheneOS server | NTP w/o NTS and carrier-based time | NTP w/o NTS and carrier-based time | NTP w/o NTS and carrier-based time | NTP w/o NTS and carrier-based time | NTP w/o NTS and carrier-based time | NTP w/o NTS and carrier-based time |
Updates | | | | | | | |
Security update speed | <2 days | 1-3 weeks | ~1 week, sometimes longer delays (quicker updates in the optional "security express" update channel) | ~1 month, sometimes longer delays | ~2 months, sometimes longer delays | 1-2 weeks, sometimes longer delays | Depends on phone vendor |
Partial security updates (ASB) after EoL date (note: most driver and firmware patches are missing after the phone's end-of-life date) | Until 5 years from launch (e.g. 2 years of extended support for 4th and 5th generation Pixels) | Several years | 1-3 years | Several years | Several years | Several years | By definition: No |
Number of Android versions supported (note: only the latest major release of AOSP has full security patches. Most privacy fixes are in fact only included in new OS versions, not in the security patches; the ASB patches rarely include fixes for permission model/sandbox flaws resulting in privacy leaks, since those are given Moderate severity and often require invasive changes including potential compatibility breaks) | Usually 1 Android version | 7 Android versions (incl. backports) | Usually 1 Android version | Usually 1 Android version | 2-3 Android versions | Usually 3 Android versions | Usually 3 Android versions |
Webview update speed | <2 days | <2 days | <1 week, sometimes longer delays | <2 weeks | Several weeks/months | <2 weeks | Depends on phone vendor |
Supported devices | | | | | | | |
Asus* | No | Older devices only | No | No | Older devices only | Older devices only | Yes (ZenUI) |
Fairphone | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Yes | Yes | Yes | Older devices only | Yes | Yes | Yes |
Motorola | No | Older devices only | Yes | No | Yes | Yes | Yes |
Oneplus* | No | Older devices only | No | Older devices only | Older devices only | Older devices only | Yes (OxygenOS) |
Samsung* | No | Older devices only | No | Older devices only | Older devices only | Older devices only | Yes (OneUI) |
Sony | No | Older devices only | No | Older devices only | Older devices only | Older devices only | Yes |
Xiaomi* | No | Older devices only | No | Older devices only | Older devices only | Older devices only | Yes (HyperOS) |
* these manufacturers don't support bootloader unlocking anymore for all or most of their new devices
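Several "Degoogling" rows above (connectivity check/captive portal, DNS server fallback and network time) say that the default Google endpoint "can be changed with an `adb` command" without showing how to see what a device is currently configured to use. The script below is an added example, not code from the comparison page or from any of the listed ROM projects: it parses the output of `adb shell settings list global` (a constructed sample is embedded so it runs offline), classifies the captive-portal and NTP endpoints as Google-hosted or custom, reports the Private DNS state, and emits the `settings put global` lines that would point the Google-hosted ones at a host of your own. The keys `captive_portal_http_url`, `captive_portal_https_url`, `ntp_server`, `private_dns_mode` and `private_dns_specifier` are real `Settings.Global` keys, and the defaults shown are the ones AOSP ships; whether a particular ROM or Android version honours a value written this way is an assumption to verify on the device, and the Google hostname suffix list and every `example.invalid` host are placeholders.

```python
"""Audit the Android global settings that decide which servers an AOSP build
contacts for connectivity checks, DNS and network time (added example)."""
from urllib.parse import urlparse

# Constructed sample of `adb shell settings list global` output (not captured
# from a real device); the values are the AOSP defaults plus a custom Private DNS.
SAMPLE_SETTINGS = """\
airplane_mode_on=0
captive_portal_http_url=http://connectivitycheck.gstatic.com/generate_204
captive_portal_https_url=https://www.google.com/generate_204
captive_portal_mode=1
ntp_server=time.android.com
private_dns_mode=hostname
private_dns_specifier=dns.quad9.net
wifi_on=1
"""

# Hostname suffixes treated as Google-operated (assumption; extend as needed).
GOOGLE_SUFFIXES = ("google.com", "gstatic.com", "android.com", "googleapis.com")

# Keys discussed in the table, with the built-in default AOSP uses when unset.
AUDITED_KEYS = {
    "captive_portal_http_url": "http://connectivitycheck.gstatic.com/generate_204",
    "captive_portal_https_url": "https://www.google.com/generate_204",
    "ntp_server": "time.android.com",
}


def parse_settings(text):
    """Turn `key=value` lines into a dict; lines without '=' are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key] = value
    return settings


def hostname_of(value):
    """Extract the host from a URL, or return a bare hostname (e.g. an NTP server) as-is."""
    if "://" in value:
        return urlparse(value).hostname or ""
    return value.split(":")[0]


def is_google_hosted(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def audit(settings):
    """Return {key: status}; status is 'google', 'custom' or 'unset' for the
    endpoint keys, and the effective Private DNS state under 'private_dns'."""
    report = {}
    for key in AUDITED_KEYS:
        value = settings.get(key, "")
        if not value:
            report[key] = "unset"  # AOSP falls back to its built-in (Google) default
            continue
        report[key] = "google" if is_google_hosted(hostname_of(value)) else "custom"
    mode = settings.get("private_dns_mode", "")
    spec = settings.get("private_dns_specifier", "")
    if mode == "hostname" and spec:
        report["private_dns"] = "hostname:" + spec
    elif mode == "off":
        report["private_dns"] = "off"
    else:
        report["private_dns"] = "opportunistic"  # AOSP default when the key is unset
    return report


def suggested_commands(report, new_captive="http://portal.example.invalid/generate_204",
                       new_ntp="ntp.example.invalid"):
    """Build the `adb shell settings put global` lines that would move each
    Google-hosted endpoint to the placeholder hosts given as arguments."""
    cmds = []
    for key, status in report.items():
        if status != "google":
            continue
        if key.startswith("captive_portal"):
            url = new_captive if key.endswith("http_url") else new_captive.replace("http://", "https://", 1)
            cmds.append(f"adb shell settings put global {key} {url}")
        elif key == "ntp_server":
            cmds.append(f"adb shell settings put global ntp_server {new_ntp}")
    return cmds


if __name__ == "__main__":
    result = audit(parse_settings(SAMPLE_SETTINGS))
    for k, v in result.items():
        print(f"{k:26s} {v}")
    print("\n".join(suggested_commands(result)))
```

On a real device, pipe `adb shell settings list global` into `parse_settings` instead of the sample. An "unset" result is not a clean bill of health: it means the OS is using its compiled-in default, which on stock AOSP is the Google endpoint shown in the table.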