
A significant part of the de-Googling experience is finding ways to
replace a smartphone vendor’s bloated, data-siphoning firmware with
something more acceptable. While at one time the main focus of Android
‘custom ROMs’ was hacking and customization, the projects that have
survived to the present day seem to focus more on improvements to
privacy and security. Consequently, interest in this area may actually
be increasing a little, with new and updated firmwares becoming
available on a regular basis.
In this article I compare three open-source Android-derived
firmwares: Lineage OS, ∕e∕OS, and Graphene OS. There are others; I’m
focusing on these three because I have most experience with them.
Despite what their proponents sometimes claim, these firmwares have
more commonalities than differences. All are derived from the Android
Open-Source Project (AOSP), so they look similar, and offer similar
features. You’ll need the same tools and skills to install them all.
However, the differences are significant, and may not be obvious on
casual inspection.
I’m trying to be unbiased here, because I recognize that we all have
different views on what makes for the best compromise between privacy,
security, and convenience. However, I do have an opinion on which is
best, at least for me, and I can’t help my preference being somewhat
visible.
I’ll start with Lineage because it’s the oldest of the three and, in
some sense, the ancestor. Then I’ll review ∕e∕OS and Graphene, largely
in comparison with Lineage.
Lineage OS
Lineage OS is one of the best-established alternative Android
firmwares, dating back to Cyanogen, the first really popular ‘custom
ROM’. A standard installation is quite minimal, and doesn’t include
Google Play Services, or even a substitute for it like MicroG. You can
install these things later if you wish. In its basic form, Lineage is
snappy in use, and allows pretty good battery life, because there’s
little going on to drain the battery.
The set-up process for Lineage starts with installing a custom
recovery application (which means first unlocking the bootloader, which
in turn means erasing all data), and then using the custom recovery to
install the rest of the system. In general, getting the custom recovery
loaded is the tricky part of the process, and the method differs between
devices. An increasing number of handsets don’t allow the bootloader
to be unlocked at all, which is a showstopper for the installation of any
firmware, not just Lineage.
Nevertheless, Lineage still supports a good range of handsets – even
more if you’re willing to use out-of-date builds. Of course, this isn’t
encouraged, but an out-of-date Lineage might still be more up-to-date
than anything provided by the handset vendor. I’ve used Lineage
successfully on Samsung, Sony, Google Pixel, and NVidia devices, both
phones and tablets.
Although it has little that can be called ‘bloat’, Lineage is not a
bare-bones installation. It includes a camera app, gallery, music
player, contact manager, and calendar. It’s probably fair to say that
better, open-source replacements exist for all these built-in apps,
although there’s nothing in particular wrong with any of them.
Lineage’s basic user interface will look more familiar to some
handset users than others. It’s much like the stock interface on the
Google Pixel range, and very different from Samsung’s “One UI”. You get
some control over styling and themes, but not as much as in some earlier
firmwares.
The Lineage maintainers are not, so far as I know, associated with
any providers of on-line services, like email and calendar. You’ll need
to find those services for yourself, if you need them, and install
whatever apps you need to use them. There’s no Google Play store, of
course, but you can install F-Droid or another alternative store from
its APK, and then use that to install other apps.
With no Google services, or any way to fake them, commercial apps
often struggle on Lineage. Lineage might be a bad choice if you need to
use subscription apps, or those that are funded by Google’s advertising
infrastructure. Of course, you might struggle even to install such apps,
without access to the Google Play store.
If you want to root your Lineage installation, it’s not difficult:
just boot into the Lineage custom recovery, and then use
adb sideload to push the Magisk installer from a computer.
The Magisk app can then do the rest of the work. This process takes less
than ten minutes. Of course, rooting reduces the compatibility with
commercial apps even further, so the benefits need to outweigh the
costs. Although Lineage is popular with tinkerers and enthusiasts, its
maintainers are increasingly trying to present their platform as a
mainstream one, and are no longer very supportive of users modifying
it.
Lineage has a few, well-documented privacy weaknesses. Most
obviously, it uses the Chromium WebView implementation, which is
slightly leaky. I don’t regard these minor leaks as highly troublesome,
but ∕e∕OS and Graphene plug them anyway.
Apart from these minor issues, Lineage is reasonably good at avoiding
leaks of personal data, so long as you don’t install apps that do this
anyway. It’s not so good at low-level security. It does little to
sandbox or virtualize apps at the kernel level, for example. There’s no
‘attestation’ mechanism, to verify that firmware hasn’t been tampered
with. If you’re worried about ‘evil maid’ intrusions, or even about apps
that try to interfere with one another, Graphene might be a better
bet.
The fact that it isn’t usually possible to relock the bootloader
after installation is seen as a weakness by some authorities, but I’m
not overly concerned about this. If I were a vulnerable person, or
likely to be a target, I might feel differently.
Lineage’s main venue for support and discussion is on Reddit,
unfortunately. There’s an IRC channel on Libera.Chat which is reasonably
responsive, but not particularly helpful, and not at all polite.
All in all, Lineage is a good choice for a technically-sophisticated
person who wants a privacy-sparing, bloat-free smartphone that isn’t too
hampered by the side-effects of low-level security hardening. It’s
particularly appropriate if, like me, you use only apps that do not
require any Google services.
∕e∕OS
∕e∕OS is a derivative of Lineage that aims for simplicity, and also
plugs some of the minor privacy holes. ∕e∕OS is closely associated with
Murena, a commercial provider of PDA and email services. In fact, when
you install ∕e∕OS you’re encouraged to create an account with Murena
(more on that later). Because of the Murena association, ∕e∕OS is less
minimal than Lineage, providing some apps that not everybody will want.
Some of these are associated with Murena’s services while some, like the
email client, are more general. However, the general apps are
unimpressive compared to other, open-source alternatives, and you’ll
have to root the device if you want to expunge them completely.
In addition, ∕e∕OS includes MicroG, which is a privacy-sparing stub
for Google’s services. The tight integration with MicroG won’t suit
everybody, but there’s no denying it makes it easier to install
commercial apps.
Installing ∕e∕OS is exactly the same as installing Lineage, for
better or worse. In fact, the custom recoveries of Lineage and ∕e∕OS can
install one another’s systems.
Because ∕e∕OS is derived from Lineage, it’s a bit less up-to-date,
and is slower to get security patches. On the other hand, specific
handsets remain supported for a bit longer with ∕e∕OS than with Lineage.
Apart from fixing the small privacy leaks in Lineage, ∕e∕OS doesn’t seem
to offer much extra in the way of security hardening.
In use, ∕e∕OS looks just like Lineage, except for the extra app icons
in the launcher. It’s just as fast and, in my tests, offers similar
battery life.
The connection between ∕e∕OS and Murena is an interesting one and, in
fact, Murena sells smartphones with ∕e∕OS pre-installed. Many people
will find it helpful that a de-Googled handset has easy access to the
kinds of services that Google would otherwise provide, but others worry
about the potential conflict of interests. Murena professes a strong
commitment to privacy, and does not sell its customers’ data to
advertisers. So I’d certainly trust it more than Google.
Of course, because Murena can’t monetize your personal data, it
charges for its services, but a subscription is not particularly
expensive. A bigger concern I have is that Murena is a small company,
and may not have the resources to support an expanding user base.
∕e∕OS looks like a good bet for somebody who wants a modest
improvement in privacy and substantial reduction in bloatware over the
vendor’s firmware, and is likely to buy supporting services from Murena.
I can see how, if you’re not a geek, ∕e∕OS with Murena might be a
relatively painless entry into the de-Googled lifestyle.
So far as I can see, on-line support for ∕e∕OS is intertwined with
Murena. Their forum is easy to use and, unlike the Lineage folks,
Murena’s staff are both polite and helpful. I presume they’re being
paid. However, it takes a long time (perhaps days) to get a response to
a technical question. So, for very different reasons, support for Murena
seems to me little better than support for Lineage.
Graphene OS
While Lineage and ∕e∕OS have a good deal in common, Graphene is
rather different. The differences start with the installation process.
Graphene’s installation is similar to the one Google provides for
(re-)installing stock Android images: there’s a script or batch file
that runs a bunch of fastboot commands to install the
entire software set – there’s no specific custom recovery. Provided you
have the necessary tools, and you’ve unlocked the bootloader on the
device, the actual installation of Graphene is trivial – just run a
script and wait.
Graphene also offers a web-based installation process, but it doesn’t
work with any web browser I use, so I didn’t test it.
Unlike Lineage and ∕e∕OS, Graphene supports only a small number of
handsets, currently Google Pixel 6-9. The maintainers say that only
these handsets have the hardware-level security features they require,
and I have no reason to doubt this, although I don’t understand the
technical issue.
Graphene supports relocking the bootloader on the few supported
devices and, in fact, this is advised.
A basic installation of Graphene doesn’t look much different to ∕e∕OS
or Lineage, except that it’s even more bare-bones. There are few
built-in apps, not even a calendar. It does have an app store, however,
with access to a small number of apps. Of course, you can still use
alternative stores like F-Droid.
Graphene provides a high degree of security hardening, and has
auditing and attestation services. I would expect it to be pretty
resistant to ‘evil maid’ attacks, and offer fewer opportunities for
rogue apps to grub around in your data.
Graphene’s approach to Google Play Services is completely different
to that taken by ∕e∕OS.
Rather than replacing Google services with an alternative like MicroG,
Graphene allows a user to run the real Google Play Services
(and the Google Play store) in a privacy sandbox. This means that the
permissions allowed to Google’s services can be turned on and off, just
as they can for a regular app. Google services can’t leak private data
without network permission, for example.
As I only use apps that have no dependence on Google’s services, I
can’t comment on whether the Graphene approach, or the use of MicroG, is
better. I seem to be alone in my reticence, however: disagreements
between supporters of Graphene and MicroG are often loud and
acrimonious, with each side hurling abuse at the other on social media.
Not very edifying, since we should really be on the same side.
I have mixed feelings about Graphene’s security hardening. On the one
hand, there’s no doubt that a smartphone is a potential target,
particularly when it’s effectively connected to the public Internet. We
hear stories all the time of rogue apps inserting malware into handsets,
some of which is disturbingly hard to remove. The security hardening,
regular patch schedule, attestation features, and bootloader relocking
do mean that Graphene has some chance of being recognized as
trustworthy by paranoid apps, particularly those involved with banking
and payments. That’s unlikely to be the case with Lineage or ∕e∕OS.
On the other hand, Graphene’s hardening does have side-effects, which
may be minor irritations or show-stoppers, depending on your needs. For
example, on my Pixel handset, the push-buttons on my USB-C headset have
no effect under Graphene, regardless of how much I fiddle with the
settings. These controls work fine with Lineage and ∕e∕OS, but Graphene
has additional hardening associated with external ports. For many
people, of course, this will just be a minor irritation, but it’s one of
many niggles I had with Graphene, that I didn’t have with other
firmware, that can be attributed to the increased hardware security.
If you’re an undercover journalist reporting on an oppressive regime,
you’ll likely find these irritations worth living with. Similarly, you
might find that fussy banking and payment apps work better with Graphene
than with the other platforms, although comments I’ve read suggest that
the theoretical improvements in this area are often not realized.
Unlike Lineage, Graphene was never a tinkerer’s platform. The
maintainers discourage any kind of modification, and rooting in
particular. You pretty much have to swallow it whole, whether you like
the taste or not. That’s inevitable, I guess, if you want to provide an
operating system that is tolerated by banks.
Graphene has a lively and accessible discussion forum of its own, and
another on Reddit. Unfortunately it’s managed, and somewhat populated,
by a community whose rudeness and arrogance are notable even in the weird
world of niche open-source projects. It’s not unheard of for the
moderators to delete posts that are critical of Graphene, or ban users
who post such things.
Graphene would suit somebody who really has a good reason to think
his smartphone will come under sustained, expert attack, or who really
wants to run commercial apps, and has the expertise to use Graphene’s
framework to do that safely.
If you care about personal privacy, any replacement firmware
will be an improvement over what a smartphone vendor provides. The
trick, for most people, will be balancing the competing needs of
privacy, compatibility, and convenience. Graphene ought to score highly
in both privacy and compatibility, but it only supports a few devices,
and its security hardening can make it quirky. ∕e∕OS scores for
convenience and support if you’re a Murena customer, but has little to
recommend it over Lineage otherwise, in my view. Lineage probably
remains the geek’s choice, despite the maintainers’ increasing disdain
for tinkering with it.
Using any replacement firmware will be inconvenient if you’re tied to
Google’s services, as many of us are. You can try to continue to use
those services, but in a less privacy-crushing way, and Graphene and
∕e∕OS purport to offer some help with that. However, I think you’d need
to be both knowledgeable and careful to use Google Services, even in
these restrictive environments, without inadvertently sacrificing
privacy. To my mind, if you want to de-Google, you have to find
replacements for Google, not ways to appease Google.
One final point: none of the firmwares I’ve mentioned will
maintain your privacy if you run a bunch of data-harvesting apps. You
may be able to keep your data out of Google’s hands, but is it worth
doing that, if you’re giving it to everyone else?
