This is a comparison of popular Android "ROMs" (or better: AOSP distributions). Please note I'm not affiliated with any of these projects and I am not giving any specific recommendation. If you think anything is factually incorrect, please let me know.
Source: eylenburg.github.io
Last updated: November 2023
| GrapheneOS | DivestOS | CalyxOS | IodéOS | /e/ | LineageOS | "Stock" Android |
Based on | AOSP | LineageOS | AOSP | LineageOS | LineageOS | AOSP | AOSP |
Freedom |
|||||||
Free and open source (FOSS)? | Yes | Yes | Yes | Yes | Yes | Yes | No |
Deblobbed? | Yes, somewhat | Yes, extensively | Yes, somewhat | No | No | No | No |
Features |
|||||||
Network controls for apps [The controls on LineageOS-based operating systems are leaky: their approach only disables direct network access (socket) but doesn't disable indirect access via the INTERNET permission, which provides multiple ways of bypassing them without requiring collusion between apps. This functionality is regularly used by apps with no malicious intent. Collusion between apps is an issue for all kinds of granted access, permissions, etc. and is not specific to the INTERNET permission. If the INTERNET permission is not blocked, though, no collusion is required.] | Direct and indirect access [In addition to blocking indirect access via INTERNET APIs, the GrapheneOS Network toggle also emulates the network being down and avoids running scheduled jobs which require the network.] | Direct and indirect access | Direct access only | Direct access only | Direct access only | Direct access only | No |
Network-based location | Emulated default, or Play Services [Emulated by default (redirect to GNSS-based location); can use sandboxed Google Play via toggles when installed] | No | UnifiedNLP | UnifiedNLP | UnifiedNLP | No | Play Services |
System-wide connection/tracker blocking | Private DNS setting, or via VPN app | hosts file, Private DNS, or VPN | Private DNS setting, or via VPN app | iode-snort app, Private DNS, or VPN | Private DNS setting, or via VPN app | Private DNS setting, or via VPN app | Private DNS setting, or via VPN app |
E2E-encrypted phone backups | Yes (Seedvault) | Yes (Seedvault) | Yes (Seedvault) | Yes (Seedvault) | Yes (Seedvault) | Yes (Seedvault) | Yes, but requires Google login |
Notification forwarding from other user profiles | Yes | No | No | No | No | No | No |
Android Auto compatible | No | No | No | No | No | No | Yes |
Google Pay compatible | No | No | No | No | No | No | Yes |
Degoogling (connections to Google) |
|||||||
eSIM activation | Google EUICC (disabled by default) | OpenEUICC | Google EUICC (preinstalled) | Google EUICC (preinstalled) | Google EUICC (preinstalled) | Google EUICC (preinstalled) | Google EUICC (preinstalled) |
Network location provider | Emulated/GNSS default, or Google [Emulated by default (redirect to GNSS-based location); can use sandboxed Google Play via toggles when installed] | n/a | UnifiedNLP | UnifiedNLP | UnifiedNLP | n/a | |
SUPL | GrapheneOS default, Google or none | Google default, or none | Google default, or none | Google default, or none | Google (for now) [Once /e/ rebases on LineageOS 20, it will be possible to disable SUPL] | Google default, or none | |
PSDS - Google Pixel 6 and later [The default server used depends on the GPS chipset, e.g. phones with Qualcomm chips (e.g. Snapdragon) connect to a Qualcomm server, while newer Google Pixels with Tensor chips connect to a Google server, and other phones with Broadcom GPS (e.g. Exynos) connect to a Broadcom server. Some ROMs override these settings.] | GrapheneOS default, Google, or none | Broadcom default, or none | Broadcom default, or none | Broadcom default, or none | Google (for now) [Once /e/ rebases on LineageOS 20, it will be possible to disable PSDS] | Google default, or none | |
Connectivity check/captive portal | GrapheneOS default, Google, or none | Multiple presets offered | Google, but can be changed | Kuketz.de | /e/foundation | Google, but can be changed | Google, but can be changed |
DNS connectivity check | GrapheneOS default, or Google | ||||||
DNS server fallback | Cloudflare | Quad9 | Cloudflare | Quad9 | Quad9 | ||
Network time | GrapheneOS default, or none | NTP.org pool [arbitrary providers] and carrier-based time | Google and carrier-based time | NTP.org pool [arbitrary providers] and carrier-based time | NTP.org pool [arbitrary providers] and carrier-based time | Google and carrier-based time | Google and carrier-based time |
Hardware attestation provisioning | GrapheneOS default, or Google | ||||||
Google Play Services |
|||||||
Implementation | GmsCompat (Google Play) (optional) [GrapheneOS does not include sandboxed Google Play, but it includes an open source compatibility layer for users who choose to use it. Users can alternatively install microG on GrapheneOS, although GrapheneOS does not support signature spoofing. Not all microG functionality requires signature spoofing; for example, FCM works with microG without signature spoofing to the extent it works without special privileges (e.g. microG needs to use a privileged API to wake apps and keep them awake for a short period of time to handle FCM messages).] | microG (optional) | microG (optional) | microG (optional) | microG | None by default. It's possible to add Google Apps manually during the installation process, but this is not officially supported by LineageOS. Alternatively, there is the LineageOS for microG project that integrates microG in LineageOS. | Play Services |
FOSS? (see tooltips for details) | Google binaries in FOSS sandbox [GrapheneOS's sandboxed Google Play compatibility layer is open source, but the Google binaries themselves are proprietary.] | Yes, but executes proprietary code [microG still involves running closed source Google Play code since every app talking to microG does so using the full proprietary Google Play Services library. microG can additionally download and execute proprietary programs from Google for SafetyNet support; however, DivestOS blocks the use of SafetyNet.] | Yes, but executes proprietary code [microG still involves running closed source Google Play code since every app talking to microG does so using the full proprietary Google Play Services library. microG can additionally download and execute proprietary programs from Google for SafetyNet support.] | Yes, but executes proprietary code [microG still involves running closed source Google Play code since every app talking to microG does so using the full proprietary Google Play Services library. microG can additionally download and execute proprietary programs from Google for SafetyNet support.] | Yes, but executes proprietary code [microG still involves running closed source Google Play code since every app talking to microG does so using the full proprietary Google Play Services library. microG can additionally download and execute proprietary programs from Google for SafetyNet support.] | No | |
Sandboxed/unprivileged? | Yes | Yes | No | No | No | No | |
Can be limited to user or work profile? | Yes | Yes | Yes | ? (TBC) | ? (TBC) | No | |
Signature spoofing needed/allowed? | No | Only for Google signature | Only for Google signature | Allowed for any app & signature | Allowed for any app & signature | No | |
Push notifications via Google FCM? | Yes | Optional | Optional | Optional | Optional | Yes | |
Google Play Integrity/Safetynet? | Yes | No | Yes | Yes | Yes | Yes | |
Privacy |
|||||||
Storage scopes | Yes, see here | No | No | No | No | No | No |
Contact scopes | Yes, see here | No | No | No | No | No | No |
Per-app sensor controls | Yes | Yes | No | No | No | No | No |
Per-connection DHCP state flushing | Yes | Yes | No | No | No | No | No |
Per-connection MAC address randomization | Yes | Yes | No | No | No | No | No |
SUPL: IMSI or phone number sent? | No | No | No | No | Yes (for now) [This will be fixed once /e/ rebases on LineageOS 20] | No | Yes |
PSDS: user agent sent? [May include chipset serial number, device manufacturer and model, carrier, and Android version.] | No | No (device-specific), see here | Partially for Qualcomm chips [Chipset serial number is stripped out but other less unique device information remains] | Partially for Qualcomm chips [Chipset serial number is stripped out but other less unique device information remains] | for Qualcomm GPS chips (for now) [Once /e/ rebases on LineageOS 20, the chipset serial number will be stripped out] | Partially for Qualcomm chips [Chipset serial number is stripped out but other less unique device information remains] | for Qualcomm GPS chips |
Closed cross-profile package leaks? | Yes | Yes | No | No | No | No | No |
Closed device identifier leaks? | Yes, see here | No | No | No | No | No | No |
Metadata stripping for screenshots | Yes, see here | No | Yes, see here | No | No | No | No |
EXIF metadata stripping for photos | Yes, see here | No | No | No | No | No | No |
Security |
|||||||
Verified boot (if supported by device)? | Yes, incl. system app updates | Yes, but excl. system app updates | Yes, but excl. system app updates | Yes, but excl. system app updates | w/ test keys; excl. system app updates | No | Yes, but excl. system app updates |
Hardware-based security verification | Yes, see here | No | No | No | No | No | Some devices, see here |
Secure application spawning? | Yes (exec) | Yes (exec) | No | No | No | No | No |
Hardened memory allocator? | Yes | Yes [Patches taken from GrapheneOS] | No | No | No | No | No |
Hardware memory tagging? | Yes, if supported by device | No | No | No | No | No | No |
Hardened kernel? | Yes, highest | Yes, high (device-specific) [Patches taken from GrapheneOS] | No | No | No | No | No |
Hardened libc? | Yes, highest | Yes, high [Patches taken from GrapheneOS] | No | No | No | No | No |
Hardened webview? | Yes (Vanadium) | Yes (Mulch) [Patches taken from GrapheneOS] | No | No | No | No | No |
Hardened SELinux policy? | Yes | No | No | No | No | No | No |
Additional hardening | Highest, see here | Medium, see here | No | No | No | No | No |
Secure TLS for SUPL? | TLSv1.2 if supported by device [Older Pixels with Qualcomm chips only support TLSv1.1] | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 | TLSv1.1 or TLSv1.0 |
Fallback DNS server with DNSSEC? | Yes | Yes | Yes | No [uses Quad9's unsecured endpoint (9.9.9.10), which provides no security blacklist and no DNSSEC] | Yes | Yes | Yes |
Secure connection to network time server? | HTTPS via GrapheneOS server | NTP w/o NTS and carrier-based time [insecure because cellular networks lack proper authentication] | NTP w/o NTS and carrier-based time [insecure because cellular networks lack proper authentication] | NTP w/o NTS and carrier-based time [insecure because cellular networks lack proper authentication] | NTP w/o NTS and carrier-based time [insecure because cellular networks lack proper authentication] | NTP w/o NTS and carrier-based time [insecure because cellular networks lack proper authentication] | NTP w/o NTS and carrier-based time [insecure because cellular networks lack proper authentication] |
Updates |
|||||||
Security update speed | <2 days | 1-3 weeks | ~1 week, sometimes longer delays | ~1 month, sometimes longer delays | ~2 months, sometimes longer delays | 1-2 weeks, sometimes longer delays | Depends on phone vendor |
Partial security updates (ASB) after EoL date [missing most driver and firmware patches after the phone's end of life date] | ~1 year | Several years | 1-3 years | Several years | Several years | Several years | By definition: No |
Number of Android versions supported [Only the latest major release of AOSP has full security patches. Most privacy fixes are in fact only included in new OS versions, not in the security patches. The ASB patches rarely include fixes for permission model / sandbox flaws resulting in privacy leaks since they're given Moderate severity and often require invasive changes including potential compatibility breaks.] | Usually 1 Android version | 7 Android versions (incl. backports) | Usually 1 Android version | Usually 1 Android version | 2-3 Android versions | Usually 3 Android versions | Usually 3 Android versions |
Webview update speed | <2 days | <2 days | <1 week, sometimes longer delays | <2 weeks | Several weeks/months | <2 weeks | Depends on phone vendor |
Supported devices |
|||||||
Asus | No | Older devices only | No | No | Older devices only | Older devices only | Yes |
Fairphone | No | Yes | Yes | Yes | Yes | Yes | Yes |
Yes | Yes | Yes | Older devices only | Yes | Yes | Yes | |
Motorola | No | Older devices only | No | No | Yes | Yes | Yes |
Oneplus | No | Older devices only | No | Older devices only | Older devices only | Older devices only | Yes |
Samsung | No | Older devices only | No | Older devices only | Older devices only | Older devices only | Yes |
Sony | No | Older devices only | No | Older devices only | Older devices only | Older devices only | Yes |
Xiaomi | No | Older devices only | No | Older devices only | Older devices only | Older devices only | Yes |