Devices lacking standard privacy/security patches and protections aren't private

ThisOldGuy

especially considering the current perceived invasiveness of Gemini

You don't have to use it.

If someone is Saving up for a pixel, is it better to stay on stock Android or use which of the other OS that claim privacy?

Many non-Pixel devices either don't support using another OS or require crippling security to use one. Most of those aftermarket operating systems greatly reduce security compared to a stock OS still receiving updates. If the stock OS isn't receiving updates, aftermarket operating systems will be missing firmware updates and generally at least most of the driver updates too. If the device is end-of-life, using another OS won't fix it. Providing most AOSP security patch backports without the rest has some value, but it greatly diminishes over time.

If someone had a light use phone as a backup, without needing Google Services, is it better to stay on stock Android or use which of the other OS that claim privacy?

An iPhone is the next best choice for a private and secure smartphone. Most Android devices have atrocious security and so do most aftermarket operating systems. If you need a fallback device for apps banning using anything other than iOS or Google Mobile Services Android, then your best choice is iOS.

I love my pixel and GOS but if it ever bit the bucket, it would be about a year before I could replace it. While it seems none of the options are excellent, especially as my older backup phone also likely doesn't have new security updates anymore, which way would be next best?

You can often find a very cheap used device for GrapheneOS by being willing to buy an older generation device with a scratched up screen, etc. We recommend buying 8th/9th gen Pixels for the full set of security features and 7 years of support from launch, but a Pixel 6a still has official support until after July 2027 and the Pixel 7a until after May 2028.

We published this thread as a response to a recent article promoting insecure devices with /e/OS with inaccurate claims, including inaccurate comparisons to GrapheneOS. The founder of /e/OS has responded with misinformation promoting /e/OS and attacking GrapheneOS.

We made a post with accurate info on our forum in response to inaccurate information, that's all. There's a lot more we could have covered. See https://kuketz-blog.de/e-datenschutzfreundlich-bedeutet-nicht-zwangslaeufig-sicher-custom-roms-teil6/ for several examples such as /e/OS having unique user tracking in their update client not communicated to users.

The founder of /e/OS responded to the post we made on our forum here:

https://mastodon.social/@gael/114874688715085353

Gaël Duval has repeatedly personally targeted the founder of GrapheneOS in response to us posting accurate information responding to misinformation from /e/OS and their supporters.

Contrary to what's claimed in this thread, /e/OS does not improve privacy. /e/OS massively reduces privacy compared to the Android Open Source Project in multiple ways. /e/OS is consistently very far behind on shipping important privacy improvements in new major Android releases.

/e/OS regularly lags many weeks, months and even years behind on shipping important privacy and security patches. They roll back various parts of the privacy and security model, add a bunch of privileged Google service integration and their own privacy invasive services too.

The link posted at https://mastodon.social/@gael/114875028964272029 shows /e/OS shipping the previous round of Chromium privacy/security patches a couple weeks late. It regularly takes them months instead of weeks. They take far longer to ship many of the important driver, firmware and AOSP patches.

The link also shows they're using the wrong Chromium tags for Android and frequently results in missing Android-specific privacy/security patches. Chromium 138.0.7204.97 was a June 30th release for Windows, not Android. The Android tag for June 30th was 138.0.7204.63.

https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html
https://chromereleases.googleblog.com/2025/06/chrome-for-android-update_30.html

Patches in Chromium Stable channel updates for Android are often only in the Android tags, not the Windows ones.

The current Android release is 138.0.7204.157, with security patches beyond 138.0.7204.63:

https://chromiumdash.appspot.com/releases?platform=Android

These were minor releases of Chromium. It's trivial to incorporate the changes and ship them on release day within hours. Even major releases of Chromium every ₄ weeks are easy to ship on release day because major releases are open source for weeks in advance, unlike Android.

As can be seen by looking back through https://github.com/GrapheneOS/Vanadium/releases and comparing it to the Android release dashboard linked above, we ship the Chromium Stable and Early Stable releases on release day. This is not impressive. Shipping privacy/security patches is the bare minimum.

Our forum post and this thread were both posted in response to inaccurate info about GrapheneOS posted to promote /e/OS. Once again personally targeting our founder with fabricated stories and harassment from their community is what /e/OS has done before and continues doing.

/e/OS targeted the founder of DivestOS in a similar way and /e/OS supporters directed a massive amount of harassment towards him. It played a significant role in DivestOS being discontinued. /e/OS will not achieve the same thing targeting our founder and should stop doing it.

/e/OS is extraordinarily insecure and non-private due to lagging so far behind on patches and crippling Android Open Source Project privacy/security protections. Selling many devices many months or even years of missing Critical severity patches and hiding it in the UI is wrong.

Murena's services are not nearly as private as claimed and not at all on the same level as serious options such as Proton's software suite. Many of their services recently went down from early October 2024 through March 2025:

https://community.e.foundation/t/update-on-murena-io-service-outage/61781

It's somehow a paid service.

leafnose Fairphone makes inaccurate claims about the long term support, privacy, security and updates for their devices. Apple and Google also market the fact that they use a lot of recycled materials and supposedly care about the ethics of their supply chain. Since we can so clearly see they're not telling the truth about privacy, security and updates, why should we believe what they claim about the rest?

leafnose Fairphone's products do not receive proper updates and long term support, despite being heavily marketed as if they do. They're partnered with Murena and promoting /e/OS which is a blatant scam and heavily involved in attacks on the GrapheneOS project. Can you explain how Murena spreading misinformation about GrapheneOS including fabricated stories about our team with the aim of directing harassment towards them is ethical and fits with how Fairphone presents themselves as a company?

Since the Foxconn suicides media coverage, they would be pretty ill-advised not to claim having ethics. The roots of this claim, however, are not the same as those of Fairphone.

Fairphones are largely designed and manufactured by T2Mobile in China. Do you claim that this company has better ethics than Foxconn? What is the basis for the claim?

These two companies have certainly not the same credibility as Fairphone regarding those matters.

Fairphone doesn't have much credibility as a whole, particularly with their blatantly false claims about updates, privacy and security combined with being partner with a company (Murena) blatantly scamming people. Murena has also been engaging in spreading misinformation about GrapheneOS and personal attacks on our team for years. Their founder has supported harassment content from Kiwi Farms. What's ethical or credible about this behavior? Their response to this thread we published was more misinformation and also more personal targeting of our team members. That's the leader of Fairphone's /e/OS and Murena partners. Fairphone responded by providing a substance free corporate speak statement standing behind Murena and trying to mislead people by talking about Android enterprise requirements which is a Google effort to pretend many Android devices are more secure than they are. Fairphone doesn't even follow those recommendations despite implying they do, only the bare minimum and not even that.

As I said, I’m the first one to regret the lack of coherence, and I don’t want to debate this point too much, but the claims regarding privacy and security seem to be pretty mild on the Fairphone website (at least on the following pages):

Fairphone's site has egregiously inaccurate claims about updates, privacy and security.

Security doesn’t even seem to be a subject. Your explanation on this thread has been duly noted, however, when I look at the comparison you linked, I’m more under the impression that GOS is top-notch while /e/ is not really standing out from the crowd. Why not simply say that among all Android-based OS’s, only GOS is being expertly and uncompromisingly crafted and maintained?

The comparison table we linked primarily compare added privacy and security features along with what's done with the standard Android Open Source Project connections. It mostly doesn't cover rolling back privacy and security features. It doesn't cover the services added beyond the AOSP ones such as how /e/OS is sending user data to OpenAI and other services. It doesn't cover telemetry such as /e/OS generating and sending unique identifiers for update checks. /e/OS is dramatically worse than the other options listed there. The table does have 2 rows about patch delays showing how long ASB patches and further security patches are delayed. However, that only provides a baseline best case for the devices where the operating systems have the least delay.

I’m under the impression that most Android phones sold around the world are a danger, why not simply invoke Hanlon’s razor? (I’m obviously not talking about smearing campaign and harassment.)

Fairphones are worse than typical Samsung and Motorola phones.

That being said, my subject was Fairphone, not its partner…

Fairphone directly responded to this thread with a substance free statement standing behind Murena and trying to mislead people. It's very relevant to them.

Nature protection, fair sourcing, low pollution and humane raw material extraction, and slave free sourcing are serious subjects, as are privacy and IT security.

Things they claim to do, just like they claim to provide a level of privacy, security and updates they do not provide.

Because for the last ten years, Fairphone has been put under the spotlight, and as far as I know, no scam whatsoever has been uncovered. In the meantime, it gained recognition, prizes and labels (it’s the only Blauer Engel and TCO certified smartphone) – some environmental prizes and labels may be BS, but that doesn’t seem to be the case here.

Certifications are very easy to game and are heavily based around self-dealing and money being paid. Fairphone chooses to market their company this way. They also market it providing privacy and updates it doesn't provide. You'll need to provide some actual proof.

I think we can reasonably believe their claims:

We do not and have little reason to believe them.

Regarding Foxconn suicides, I’ll let you draw your own conclusions when comparing Apple Progress Reports around 2010 with what actually happened:

Where's the evidence T2Mobile is so much better than Foxconn today?

Casting doubt on Fairphone’s environmental and labour claims, the way you did, was not appropriate. I hope you’ll agree.

Fairphone spreads misinformation about their products and supports spreading misinformation about GrapheneOS. They support harassment towards our team. They're not ethical or honest. Their claims should not be trusted. Raising doubts about their unsubstantiated marketing claims is entirely appropriate. We just had direct experience with iFixit marketing their products for them with misinformation and that looks very fishy. It draws into question the repair score from iFixit and lots of other accolades Fairphone boasts about when there's so clearly an extreme level of bias perhaps indicating corruption.

Understand, however, that the fair in Fairphone is related to the concept of fair trade which involves social and environmental standards, like avoiding child labour and mercury poisoning in artisanal and illegal gold mines, not this kind of BS on social networks. But any decent company would condemn swatting…

They're supposed to be sustainable but yet lack proper updates and long term support. They're marketing their products as having privacy and security they don't provide. You can see the response they gave to the Android Authority story for yourself.

Now, did you formally present the facts that you’re denouncing to Fairphone?
Have Fairphone been duly informed? Did you get a response?
Did you let Fairphone a chance to comment on their partnership with the Murena and the e Foundation before implying that Fairphone is being dishonest in its commitments?
Are you expecting a positive outcome and good relations with other actors in the industry?

Fairphone is consistently dishonest in their claims about updates and security for their stock OS. It's unsurprising for them to be partnered with blatant scammers and to be peddling false marketing on their behalf. Their partners have been spreading misinformation about GrapheneOS and making personal attacks on our team. It's their responsibility, not ours. Fairphone has repeatedly ignored communications from us and stonewalled people wanting information about things like the Fairphone 4 having an entirely broken implementation of verified boot using publicly available private keys intended only for testing. It looks very much like Fairphone took a shortcut for supporting /e/OS which compromised the security of their devices as a whole. They still appear to be taking similar shortcuts with the current devices. Their response is stonewalling and giving the kind of responses you can see they gave to Android Authority. Not much of an ethical company.

Also, the facts that you’re denouncing are serious, the ones you’re accusing of calumny are under the EU jurisdiction. I’m personally not a fan of never-ending mutual accusations on social networks and forums…

Regulatory and legal action against them within the EU and elsewhere is on the table.

@leafnose Do you think that Fairphone has not seen the founder of /e/OS repeatedly making personal attacks towards our founder and referencing harassment material on his accounts? If they haven't done basic due diligence about their partners and choose not to look into things we've repeatedly brought up, that's on them. Fairphone being partnered with scammers and pushing false marketing for them eventually makes them into scammers too. They're pretty close to that in our eyes even based on their own false marketing.

We will be responding to the responses from both Fairphone and Murena.

/e/OS has made another highly inaccurate response to what we posted, which has at least initially fooled Android Authority. We posted an initial response to Android Authority's coverage, but we'll be making a much more in-depth response and posting a new thread covering everything with more details and references:

https://x.com/GrapheneOS/status/1947794983546695704
https://bsky.app/profile/grapheneos.org/post/3lulmrq4sbs24

Information from the founder of DivestOS on /e/OS insecurity:

Issues with /e/OS: https://codeberg.org/divested-mobile/divestos-website/raw/commit/c7447de50bc8fadd20a30d4cbf1dcd8cf14805a0/static/misc/e.txt

ASB update history: https://web.archive.org/web/20241231003546/https://divestos.org/pages/patch_history

Chromium update history: https://web.archive.org/web/20250119212018/https://divestos.org/misc/ch-dates.txt

Chromium update summary: https://infosec.exchange/@divested/112815308307602739