|
 |
 |
 |
 |
 |
 |
| Based on |
AOSP |
AOSP |
LineageOS |
LineageOS |
AOSP |
AOSP |
Freedom |
| | | | | |
| Free and open source (FOSS)? |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
| Deblobbed? |
Yes, significantly |
Yes, significantly |
Yes, minimal |
Yes, minimal |
Yes, minimal |
No |
Features |
| | | | | |
| Network controls for appsThe controls on LineageOS-based operating systems are leaky as their approach only disabled direct network access (socket) but doesn't disable indirect access via the INTERNET permission, which provides multiple ways of bypassing them not requiring collusion between apps. This functionality is regularly used by apps with no malicious intent. Collusion between apps is an issue for all kinds of granted access, permissions, etc. and not specific to the INTERNET permission. If INTERNET permission is not blocked though, no collusion is required. |
Direct and indirect access |
Direct access only |
Direct access only |
Direct access only |
Direct access only |
No |
| Network-based location (without GNSS) |
Opt-in with server choiceNetwork-based location is disabled by default (GNSS-based location is used instead), but if it is enabled the user can choose between the Apple location service or a GrapheneOS proxy to it, or alternatively can use the Google Play location service if sandboxed Google Play is installed |
Yes, using microG location |
Yes, using microG location |
Yes, using microG location |
No |
Yes, using Play Services |
| System-wide connection/tracker blocking |
Private DNS setting, or via VPN app |
Private DNS setting, or via VPN app |
iode-snort app, Private DNS, or VPN |
Private DNS setting, or via VPN app |
Private DNS setting, or via VPN app |
Private DNS setting, or via VPN app |
| E2E-encrypted phone backups |
Yes (Seedvault) |
Yes (Seedvault) |
Yes (Seedvault) |
Yes (Seedvault) |
Yes (Seedvault) |
Yes, but requires Google login |
| Notification forwarding from other user profiles |
Yes |
No |
No |
No |
No |
No |
| Duress PIN (to wipe device) |
Yes, see here |
No |
No |
No |
No |
No |
| Android Auto compatible |
Yes (sandboxed), see hereGrapheneOS has permission toggles to enable the user to provide the least amount of permissions necessary (e.g. wired Android Auto requires only USB access). |
Yes (w/ privileged permissions), see here |
Yes (w/ privileged permissions), see here |
Yes (w/ privileged permissions), see here |
No |
Yes (w/ privileged permissions) |
| Google Pay compatible |
No |
No |
No |
No |
No |
Yes (w/ privileged permissions) |
| Call recording |
Yes |
Only in selected regions, see here |
Only in selected regions, see here |
Only in selected regions, see here |
Only in selected regions, see here |
Depends on regions and manufacturer |
Degoogling (connections to Google)
COLOURSLOGIC FOR COLOUR SCHEME:
RED
- connects to Google, no opt-out
LIGHT RED
- connects to Google by default but function can be turned off (no option of using another provider)
YELLOW
- function is off by default but can connect to Google if needed (no option of using another provider)
LIGHT GREEN
- connects to Google by default but can be changed to another provider
GREEN
- does not connect to Google by default but instead connects to the developer of the operating system (no third party needs to be trusted)
- multiple providers offered and user can decide
- no data shared with any provider
BLUE
- does not connect to Google by default but instead connects to another (non-Google) third party provider
WHITE
- function is not supported |
| | | | | |
| eSIM activation |
Google eUICC w/o data sharingDisabled by default. Unlike the regular Google eUICC management app, it doesn't require Google Play and cannot share data with it. It doesn't communicate with Google servers unless the carrier is hosting with them, which would involve using their servers regardless. |
Google eUICC (preinstalled) |
Google eUICC (preinstalled) |
Google eUICC (preinstalled) |
Google eUICC (preinstalled) |
Google eUICC (preinstalled) |
| Provider for network-based location |
None default, GrapheneOS, Apple, or GoogleNetwork-based location is disabled by default (GNSS-based location is used instead), but if it is enabled the user can choose between the Apple location service or a GrapheneOS proxy to it, or alternatively can use the Google Play location service if sandboxed Google Play is installed |
microG location |
microG location |
microG location |
n/a |
Google |
| SUPL (for Assisted GNSS) |
GrapheneOS default, Google or none |
Google default, or none |
Google default, or none |
None default, or Google |
Google default, or none |
Google |
PSDS/XTRA ("Standard" depends on GPS chipset)The standard server used depends on the GPS chipset, which is usually Qualcomm, Broadcom, or Samsung, or in the case of Tensor chips (Google Pixel 6 and later) they connect to a Google server. Some ROMs override these settings.
Click here for details and which device information are sent. |
GrapheneOS default, StandardGoogle / Broadcom / Qualcomm / Samsung depending on the device. At the moment, only Google Pixels are supported by GrapheneOS, for which the standard connection is Google (since the Pixel 6), or none |
Standard (excl. Google)Broadcom / Qualcomm / Samsung depending on the device, for Google Pixel 6 and later (Tensor chip) the standard connection to Google is replaced with a connection to Broadcom instead (source) default, or none |
Standard (excl. Google)Broadcom / Qualcomm / Samsung depending on the device, for Google Pixel 6 and later (Tensor chip) the standard connection to Google is replaced with a connection to Broadcom instead (source) default, or none |
None default, or StandardGoogle / Broadcom / Qualcomm / Samsung depending on the device |
StandardGoogle / Broadcom / Qualcomm / Samsung depending on the device default, or none |
StandardGoogle / Broadcom / Qualcomm / Samsung depending on the device |
| Connectivity check/captive portal |
GrapheneOS default, Google, or none |
Google (can be changed)can be changed with `adb` command |
Kuketz.de (can be changed)can be changed with `adb` command |
Murena.io (related to /e/) (can be changed)can be changed with `adb` command |
Google (can be changed)can be changed with `adb` command |
Google (can be changed)can be changed with `adb` command |
| DNS connectivity check |
GrapheneOS default, or Google |
Google |
Google |
Google |
Google |
Google |
| DNS server fallback |
Cloudflare |
Cloudflare |
Quad9 |
Quad9 |
Google |
Google |
| Network time |
GrapheneOS default, or none |
Google (can be changed)can be changed with `adb` command & carrier |
NTP.org (can be changed)Server pool with arbitrary providers, which can include Google-hosted servers or even malicious servers. NTP server can be changed with `adb` command. & carrier |
NTP.org (can be changed)Server pool with arbitrary providers, which can include Google-hosted servers or even malicious servers. NTP server can be changed with `adb` command. & carrier |
Google (can be changed)can be changed with `adb` command & carrier |
Google (can be changed)can be changed with `adb` command & carrier |
| Hardware attestation provisioning |
GrapheneOS default, or Google |
Google |
Google |
Google |
Google |
Google |
| DRM (Widevine) provisioning |
GrapheneOS default, or Google |
Google |
Google |
Google |
Google |
Google |
Google Play Services |
| | | | | |
| Implementation |
GmsCompat (sandboxed Google Play)GrapheneOS does not include Google Play as a preinstalled app, but it includes an open source compatibility layer for users who choose to use it. Users can alternatively install microG on GrapheneOS, albeit GrapheneOS does not support signature spoofing. Not all microG functionality requires signature spoofing, for example FCM works with microG without signatures spoofing to the extent it works without special privileges (e.g. microG needs to use a privileged API to wake apps and keep them awake for a short period of time to handle FCM messages). |
microG |
microG |
microG |
None by default. It's possible to install microG manually (LineageOS supports signature spoofing for microG since 2024). Alternatively, there are ROMs with microG preinstalled or one can add Google apps during the installation process, but this is not officially supported by LineageOS.
| Google Play Services |
| Optional? |
Yes (not preinstalled) |
Yes (preinstalled but opt-out) |
Yes (preinstalled but opt-out) |
No (preinstalled without opt-out) |
No (preinstalled without opt-out) |
| Runs in standard app sandbox? |
Yes |
NoRuns in the `priv_app` SELinux domain instead of `untrusted_app`, which gives it access to internal system APIs and data along with it being much less isolated. |
NoRuns in the `priv_app` SELinux domain instead of `untrusted_app`, which gives it access to internal system APIs and data along with it being much less isolated. |
NoRuns in the `priv_app` SELinux domain instead of `untrusted_app`, which gives it access to internal system APIs and data along with it being much less isolated. |
NoRuns in the `priv_app` SELinux domain instead of `untrusted_app`, which gives it access to internal system APIs and data along with it being much less isolated. |
| Can be limited to user or work profile? |
Yes |
Yes |
? (TBC) |
? (TBC) |
No |
| Signature spoofing needed/allowed? |
No |
Only for Google signature |
Only for Google signature |
Only for Google signature |
No |
| Push notifications via Google FCM? |
Yes |
Optional |
Optional |
Optional |
Yes |
| Google Play Integrity? |
Passes Basic Integrity only, see herePasses MEETS_BASIC_INTEGRITY but not MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY which require a certification from Google. |
Passes Basic Integrity onlymicroG v0.3.6.244735, which is part of CalyxOS since 2024-12-31, passes MEETS_BASIC_INTEGRITY but not MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY which require a certification from Google. |
No but basic integrity expected soonmicroG v0.3.6.244735, released on 2024-12-23, passes MEETS_BASIC_INTEGRITY, but the latest release of IodeOS was on 2024-12-18. This needs to be updated once microG is updated in IodeOS. |
No but basic integrity expected soonmicroG v0.3.6.244735, released on 2024-12-23, passes MEETS_BASIC_INTEGRITY, but the latest release of /e/ was on 2024-12-17. This needs to be updated once microG is updated in /e/. |
Yes |
Privacy |
| | | | | |
| Storage scopes |
Yes, see here |
No |
No |
No |
No |
No |
| Contact scopes |
Yes, see here |
No |
No |
No |
No |
No |
| Per-app sensor controls |
Yes, see here |
No |
No |
No |
No |
No |
| Per-connection DHCP state flushing |
Yes |
No |
No |
No |
No |
No |
| MAC address randomization |
Per connection, see here |
Per network |
Per network |
Per network |
Per network |
Per network |
| SUPL: IMSI or phone number sent? |
No |
No |
No |
No |
No |
Yes |
| Qualcomm XTRA: user agent sent?Only relevant for phones with Qualcomm GPS chips. Doesn't apply to Broadcom or Samsung. May include chipset serial number, device manufacturer and model, carrier, and Android version. Click here for details and which device information are sent. |
No |
Partially (for Qualcomm chips)Chipset serial number is stripped out but other less unique device information remain |
Partially (for Qualcomm chips)Chipset serial number is stripped out but other less unique device information remain |
Partially (for Qualcomm chips)Chipset serial number is stripped out but other less unique device information remain |
Partially (for Qualcomm chips)Chipset serial number is stripped out but other less unique device information remain |
for Qualcomm GPS chips |
| Closed cross-profile package leaks? |
Yes |
No |
No |
No |
No |
No |
| Closed device identifier leaks? |
Yes, see here |
No |
No |
No |
No |
No |
| Metadata stripping for screenshots |
Yes, see here |
Yes, see here |
No |
No |
No |
No |
| EXIF metadata stripping for photos |
Yes, see here |
No |
No |
Available as option |
No |
No |
| Location tagging for photos |
Opt-in |
Opt-in, see here for more info |
Opt-in |
Opt-in |
Opt-in |
Opt-out |
| Tracking through Android Advertising ID? |
Not part of the systemif Play Services are installed by the user, the Advertising ID can be deleted in settings |
Randomized IDmicroG will generate a random advertising ID for each request |
Randomized IDmicroG will generate a random advertising ID for each request | Randomized IDmicroG will generate a random advertising ID for each request |
Not part of the systemif microG is installed by the user, it will generate a random Advertising ID for each request; if Play Services are installed by the user, the Advertising ID can be deleted in settings |
Yes, but can be deleted in settings |
Security |
| | | | | |
| Verified boot (if supported by device)? |
Yes, incl. system app updates |
Yes, but excl. system app updates |
Yes, but excl. system app updates |
w/ test keys; excl. system app updates |
No |
Yes, but excl. system app updates |
| Hardware-based security verification |
Yes, see here |
No |
No |
No |
No |
Some devices, see here |
| System app downgrade protection |
For updates and boot, with fs-verity |
For updates (incomplete) |
For updates (incomplete) |
For updates (incomplete) |
For updates (incomplete) |
For updates (incomplete) |
| Secure application spawning? |
Yes (exec) |
No |
No |
No |
No |
No |
| Hardened memory allocator? |
Yes |
No |
No |
No |
No |
No |
| Hardware memory tagging? |
Yes, if supported by device |
No |
No |
No |
No |
No |
| Hardened kernel? |
Yes, highest |
No |
No |
No |
No |
No |
| Hardened libc? |
Yes, highest |
No |
No |
No |
No |
No |
| Hardened webview? |
Yes (Vanadium) |
No |
No |
No |
No |
No |
| Hardened SELinux policy? |
Yes |
No |
No |
No |
No |
No |
| Android Runtime JITJust-In-Time compilation/profiling |
AOTAhead-Of-Time compilation w/o profiling |
Interpreter/JITJust-In-Time with profiling |
Interpreter/JITJust-In-Time with profiling |
Interpreter/JITJust-In-Time with profiling |
Interpreter/JITJust-In-Time with profiling |
Interpreter/JITJust-In-Time with profiling |
| Dynamic code loading prevention for appssee here for details |
System, opt-in for non-system apps |
None |
None |
None |
None |
None |
| Additional hardening |
Yes, see here |
No |
No |
No |
No |
No |
| Secure TLS for SUPL? |
TLSv1.2 |
TLSv1.1 or TLSv1.0 |
TLSv1.1 or TLSv1.0 |
TLSv1.1 or TLSv1.0 |
TLSv1.1 or TLSv1.0 |
TLSv1.1 or TLSv1.0 |
| Fallback DNS server with DNSSEC? |
Yes |
Yes |
Nouses Quad9's unsecured endpoint (9.9.9.10) with provides no security blacklist and no DNSSEC |
Yes |
Yes |
Yes |
| Secure connection to network time server? |
HTTPS via GrapheneOS server |
NTP w/o NTS and carrier-based timeinsecure because cellular networks lack proper authentication |
NTP w/o NTS and carrier-based timeinsecure because cellular networks lack proper authentication |
NTP w/o NTS and carrier-based timeinsecure because cellular networks lack proper authentication |
NTP w/o NTS and carrier-based timeinsecure because cellular networks lack proper authentication |
NTP w/o NTS and carrier-based timeinsecure because cellular networks lack proper authentication |
| Can disable USB-C and pogo pins data?See here for details: [1], [2], [3] |
Default (while locked), see here |
No |
No |
No |
No |
No |
| Can disable USB-C charging?See here for details: [1], [2], [3] |
Opt-in (after boot), see here |
No |
No |
No |
No |
No |
| Can disable USB connections?See here for details: [1], [2], [3] |
Default (while locked), see hereHardware and software |
Default (while locked), software onlyIncomplete implementation. Can only disable high level software attack surface. Cannot disable USB until after early boot. Lacks a way to block new USB connections without ending existing connections. The mode for disabling USB connections while locked continues allowing new connections until existing connections end, including a connection through another method such as a pogo pins USB connection to a stand. |
? (TBC - like Lineage or stock?) |
? (TBC - like Lineage or stock?) |
Opt-in, software onlyIncomplete implementation. Can only disable high level software attack surface. Cannot disable USB until after early boot. Lacks a way to block new USB connections without ending existing connections. The mode for disabling USB connections while locked continues allowing new connections until existing connections end, including a connection through another method such as a pogo pins USB connection to a stand. |
Device admin APIRequires installing a device admin app like Sentry. Can only disable high level software attack surface. Cannot disable USB until after early boot. Lacks a way to block new USB connections without ending existing connections. |
| Auto-reboot timer for locked devices |
Yes |
Yes, with flaws (no proper BFU state)CalyxOS has a disabled-by-default port of an older GrapheneOS implementation of the auto-reboot feature, which was determined to not be as robust due to being able to bypass it by crashing `system_server`. It also lacks the memory clearing required to get the device properly back at rest for reboots. Therefore it can't return the device to a proper BFU (before first unlock) state like the GrapheneOS and iOS implementations. |
No |
No |
No |
No |
| 2-factor fingerprint unlock |
Yes (fingerprint + PIN), see here |
No |
No |
No |
No |
No |
Updates |
| | | | | |
Security update speed (AOSP subset of ASB)It doesn't include information on how the device-related patches in the 2nd half of each ASB (Android Security Bulletin) get shipped, if they do at all. It's also missing the fact that full security patches require the latest monthly/quarterly/yearly updates. Additionally, you need to keep up with the vendor's releases which means falling behind on quarterly or yearly releases results in missing many of the High/Critical severity patches for Pixels or another device launching the new quarterly/yearly version in a reasonable time. The issue is that this heavily varies by device. Pixels require the alternate OS to always keep up to ship updates. Some other device ship yearly updates quickly too. Devices not shipping the latest OS release make it harder for the alternate OS to do it but it is possible, especially if they don't build the vendor image, etc. If the vendor doesn't ship the releases, then the firmware/driver code used from them will be missing the patches. For example, Fairphone is consistently 1 or 2 months behind on the Android Security Bulletin patches so CalyxOS, LineageOS, etc. on it is at least that far behind at all times for the non-AOSP half of the ASB. This is one of the reasons why GrapheneOS currently only supports Google Pixel devices. Every other OEM doesn't ship the monthly/quarterly updates and typically has major delays for yearly updates. Most also do a bad job shipping the backported patches.
Click here for update speed data |
Usually same day |
Days to weeks |
2-4 weeks, sometimes longer |
1-2 months, sometimes longer |
1-2 weeks, sometimes longer |
Depends on phone vendor |
| Full patches on fully supported devicesRequires 1. being on the latest OS release (as Android doesn't backport all security patches), 2. shipping all the vendor code |
Several days |
Weeks to months |
Several to many months |
Many months to over a year |
Several to many months |
Depends on phone vendor |
| Partial security updates (ASB) after EoL datemissing most driver and firmware patches after the phone's end of life date |
until 5 years from launche.g. 2 years of extended support for 4th and 5th generation Pixels |
1-3 years |
Several years |
Several years |
Several years |
By definition: No |
| Number of Android versions supportedOnly the latest major release of AOSP has full security patches. Most privacy fixes are in fact only included for the new OS versions, not in the security patches. The ASB patches patches rarely include fixes for permission model / sandbox flaws resulting in privacy leaks since they're given Moderate severity and often require invasive changes including potential compatibility breaks. |
Usually 1 Android version |
Usually 1 Android version |
Usually 1 Android version |
2-3 Android versions |
Usually 3 Android versions |
Usually 3 Android versions |
| Webview update speedClick here for details |
<2 days |
<1 week, sometimes longer delays |
<2 weeks |
Several weeks/months |
<2 weeks |
Depends on phone vendor |
Supported devices |
Hardware requirements | Hardware requirements | | | | |
| Asus* |
No |
No |
No |
Older devices only |
Older devices only |
Yes (ZenUI) |
| Fairphone |
No |
Yes |
Yes |
Yes |
Yes |
Yes |
| Google |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
| Motorola |
No |
Yes |
Yes |
Yes |
Yes |
Yes |
| Oneplus |
No |
No |
Yes |
Older devices only |
Yes |
Yes (OxygenOS) |
| Samsung* |
No |
No |
Older devices only |
Older devices only |
Older devices only |
Yes (OneUI) |
| Sony |
No |
No |
Yes |
Older devices only |
Yes |
Yes |
| Xiaomi |
No |
No |
Older devices only |
Older devices only |
Yes |
Yes (HyperOS) |
| * these manufacturers don't support bootloader unlocking anymore for all or most of their new devices. "Older devices only" = no devices released since 2023. |
| | | | | |