Good budget(ish) switch to get a good phone, privacy, security, and AOSP experience.
Great value my ass, I can barely get a used pixel 8a for 300€ in the EU. Redmi 4x from 2017 costed 160€ new and had all the features of phones at the time (except NFC). I'm still considering a pixel just for GrapheneOS, just because it's that good compared to LOS, I use on the Redmi.
I'm sure it's a good value for some. I just use the super budget phones. They work fine and have more stats than I ever need.
With this question asked, I'd like to build on it and ask what options exists outside the realm of google given their recent bullshit.
For those who know, tell me about the pine phone, fair phone, anything else like this.
When google fucks shit up in the near future, I would very much like to hold on to the ability to side-load apps using obtainium and f-droid indefinitely. Are the pine phone/ fair phone reasonable for this? What pros and cons am I looking at?
You should never buy a phone that's rooted out of the box, no matter what the company promises. Never.
Rooted
Why would you do that?
I may have terms mixed up. I want to be able to have full control of any software.
Flash TWRP and you'll have access to a root shell in an recovery.
Graphine os, am not sure if its rooted.. But eather way i think its the best one for privacy.
It is not rooted, that would break the GOS security model
rooted
Root is always a security risk, you really should not. (GrapheneOS comment (on Reddit) about rooting.)
out the box
None, probably. Refer to Bootloader Unlock Wall of Shame instead to check which companies do not restrict bootloader unlocking. See here for a list of devices where the bootloader can be locked with custom AVB Keys.
security risk
All those rooted concerns are true for desktop Linux / MacOS, and they still ship with sudo. If I can't rm -rf the root partition then its not really my device.
The bootloader wall of shame is nice.
Android does not have the same security model as desktop Linux. I made a comment about this above (which you probably can't see due to .world being defederated with who I replied to), but if you don't want to go to my comment history, it's summed up as three or so main issues.
Rooting breaks OTA updates since it modifies your partition hash, meaning rooted users tend to leave security holes open way too long. Android does not have a package manager for you to be able to update these issues individually.
Android does not expect users to have root access, so they do not even consider it in the design. Android sandboxes apps, and apps can only generally have permissions that you grant, with no direct access to the kernel. However, rooting adds an entirely new attack surface for which there are no protections whatsoever. Desktop Linux, on the other hand, does expect users to need root level access from time to time. That's what sudo is for, but you should not confuse this with switching your user entirely to root and doing everything as root. There's a reason that's not recommended on Linux: it's dangerous. The same thing applies to Android. On top of that, Linux has other tools and protections designed to make running as sudoer safer, and Android has none.
Finally, it breaks your ability to use proper verified boot. If your system partions silently get malware installed, there's generally no way for a user with a rooted phone to notice. Verified boot protects against this, but because rooting (along with whatever else you're running as root) changes your partition hashes, it will either stop booting or revert your changes.
If mobile Linux ever takes off, it will likely be very similar to desktop Linux and be designed with root in mind.
Touching the system partition isn't the only thing one would do with root. And if the ROM ships su in the ROM, there's no problem of being out of sync with upstream or even not passing boot verification.
It does open up an attack surface against the app that provides the UI to gate root access. But that has to be considered against the "availability" arm of the security triad.
Regarding the system partion and verified boot, it's the fact that it isn't the only thing one would do with root that breaks verified boot. You totally could package su in the ROM and ship it, but if a user installs something else to the system with it, it is very likely that the verified boot hash would change, unless I'm missing something.
Good guess about the federating problem. Thats a good reminder for me to change instances (was on lemm.ee before it died, .world was my backup).
OTA, while a fair point, again sounds to me like a technical problem, not a fundamental design problem. E.g. disable the partion hash check so OTA can be installed in a timely way.
Linux has other tools and protections.
OTA, as of right now, needs to hash the device to prevent system corruption. I don't think it's a very simple problem to solve, or surely there would be a ROM out there that does fix it with root. A better fix would be a package manager, but that's not going to happen with AOSP.
Regarding #1, it's fundamental to AOSP, and not any particular ROM. Similar to the OTA issue above. It's not just graphene (which, technically, you can root fyi, but I really would not do so, as again it defeats the purpose of running a verified boot secured phone).
#2 is debatable, because it's also highly dependent on the distro and configuration. As an example, immutable distros (which are actually closer to Android than non-immutable distros) make it so sudo/root isn't needed very often, if at all. Fedora CoreOS, for example, can run package updates on a schedule without user intervention, use rootless containers, and do verified boot. It can be deployed from a single file and validate itself after the fact, meaning a user would never be prompted for a password at any point. Obviously that's not a 1:1 because it isn't made for PC usage, but other distros based on Fedora Silverblue and the like can be more secure than standard Linux for similar reasons. Everything is generally sandboxed (flatpaks and containers) and root is rarely, if ever, required.
That being said, if you're not concerned, there isn't anything stopping you aside from your phone's manufacturer, which I'm sure you're aware of. I'm fine just knowing that I could do it, and much prefer the security benefits of verified boot and proper sandboxing above all else. I don't trust Google to properly patch zero days related to rooted phones, let alone patch the ones that affected non rooted devices.
Immutable OS's like nix and fedora silverblue still have sudo, they can still rm -rf /. If they can do it and maintain security, then Android can too.
I agree both the OTA and safe way of doing superuser requests could be heavy technical work. My bigger point is people who manage ROM's shouldn't demonize having full control of devices we own. Root can be done safely. Its not an inherent security risk, its just a technical problem waiting for a technical solution. "Just accept you dont need it" is not an acceptable response IMO.
_
Do you need root? It's a big security risk, for multiple reasons.
You can always just get a used pixel (no further money to Google), and install a custom ROM that allows your bootloader to relock after installation. I personally prefer Graphene for this, but I believe Lineage also allows you to do so. They both have no bloat from the start, and GOS has sandboxed Google Play and Lineage has the ability to use microG iirc.
GOS can be installed via chromium based browsers, even from another phone. Security wise, there's nothing more secure at the moment.
Desktop operating systems provide root access without forcing you to bypass manufacturer restrictions. Why should phones be any different?
Android is not designed the same way as a desktop operating system. For example, Android is designed to sandbox all applications and never require kernel level access. This means that if one app is malicious, as long as you haven't granted it extra permissions, it's much more difficult for it to affect any other apps. If you root, you're breaking that level of defense. Android simply wasn't designed for users to need or regularly use root, whereas Linux was built from the ground up with that expectation.
Root also makes applying security patches a challenge. Android doesn't have a standard package manager like desktop Linux. This means that users with rooted phones are less inclined to go through the pain of updating. I haven't rooted in a long while, but I can confirm that when I did root, I tended to avoid it for far too long. Anyway, the way Android's incremental OTA updates work is by comparing partition hashes. When rooted, this hash gets changed and you can no longer install OTA updates.
Further, root on Android can (and as far as I recall, does) affect verified boot, meaning if you want verified boot, every time you reboot you lose root. Android verified boot detects changes to system partition and either doesn't boot or reverts the changes. If you turn off verified boot, you cannot know if your system has been modified in a malicious way.
Put a slightly different way, Android's security model is entirely different than the security model of something like Linux. Linux expects you to need sudo/root for certain tasks, and other protections are built around that. Android does not expect you to ever need root, so it's not a consideration in its security design.
By rooting, you're not just bypassing manufacturer restrictions, you're bypassing Android's security design entirely. It's much more secure to just install a debloated, degoogled OS that can do verified boot.
Now, if mobile Linux ever takes off, then I'm sure it would be more like a desktop distro and less like Android.
Why are pixels so popular for this?
Pixels are (currently) the only phones that allow for all of the following at once:
In short, it's simply because Pixel currently has the most hardware level security features of any Android phone (on top of bootloader unlocking), for now. The Graphene team is allegedly in talks with an OEM to produce a phone specifically designed for it, which may be just as or even more secure. Time will tell.
I feel the need to mention that I'm not trying to shill for Graphene and especially not Google. Depending on your threat model and goal, Lineage or similar might be just fine for you. I just don't think there's anything more secure than GOS at the moment, and if that is important to you, along with minimizing bloat, it's a great choice. I do highly recommend avoiding root and instead just get something that you can unlock the bootloader for, and then install a degoogled ROM. Just make sure you don't accidentally buy a permanently locked phone, make sure it says unlocked somewhere in the listing.
Great write up! Thank you!!
I'm sure its in the link the other comment provided, but I'll call out that you not only can unlock your bootloader to install your OS but you can relock it so nothing can install anything afterwards.
So if your phone is ever not in your possession you can be sure that nobody installed anything. Also keeps your phone safe from malware (at root level).
Re: all the other root concerns. I'm on Graphene sans root and it's fine because my OS isn't actively cockblocking anything. I can even spoof GPS and such. Is there something you know you need root for v the normal setup on non-Googled Android forks?
Similar to the full app backup use-case mentioned in another comment, I regularly use root to (through adb shell) make a personal backup of my owned kindle books and keys which I can then use to convert them to DRM-free epub and read those books in non Amazon approved apps. The encrypted books are in shared storage but the key to decrypt them is in an app-private database. I also occasionally backup my own apk/obb files.
A "security model" designed around the idea that users should never be able to have any kind of access, not even read-only, to the data that app developers store on their owned device if the developer doesn't want them to is one that is fundamentally incompatible with computing freedom.
I keep a secondary device with rooted Lineage at home for the few apps I want root access to, instead of rooting my daily driver, but I always feel like it would be reassuring to have the ability to make proper backups from my main phone.
Not OP, but Neobackup (full app backup) and Hail (ability to "freeze" - stop apps until you explicitly run them again) are my two big use cases for root
If I can't rm -rf my root directory, then I'm not happy
Recently I got an update that forced perplexity on my phone.
Fuck me, that's infuriating.
What country are you in? Murena sells Fairphones in the US.
Other than that, I know this isn't what you asked for but GrapheneOS can be installed from the browser on your computer....
Brax phone, braxtech.net.
They are focused on privacy and no bloat. I don't have one but will be getting one when my phone needs replacing.
I have seen a lot of braxman's videos and he seems very knowledgeable, but I wonder why his products aren't recommended.
Can any of these downvoters tell me why?
That’s what OnePlus, Nothing, and FairPhone are supposed to be about.
For privacy, I like my iPhone, but I can’t really recommend them anymore. Even with “Apple Intelligence” the keyboard is hilariously terrible. It gets a few things right and I’m wondering more and more if the ecosystem is worth it. But throwing money at Google somehow seems worse.
Shift and Volla are closer than Nothing, I'd say. OnePlus, like you said in another comment, belongs nowhere near that list anymore.
But I have a feeling privacy and security minded folks are going to be moving more towards Linux phones (I know Android uses a Linux kernel) over the next few years, as Android continues to get locked down, and cater to government surveillance.
Huh. I haven’t even heard of those two.
I want to believe Apple has my privacy in mind like they say because I want to believe they’re a computer company first and not an information services company and all that… and it would make me feel better about my iPhone 16 Pro Max having such lousy software running on it… but also because going back to Android seems scary. No good privacy options. Nova is basically dead. Google is going after sideloading. Google is going hard with AI. The Pixel camera straight up hallucinates detail. And yet if I needed a new phone right now it probably would be a Galaxy S25, but I can’t say for sure it wouldn’t be an iPhone 17.
It's probably not a good idea to believe that. Even if they do fight for you behind closed doors, which I doubt, they will still have to bow to large governments for the sake of their shareholders. That's the world we live in right now.
I'm on Graphene on a Pixel 8 right now, but I really don't trust the overall direction that Google is pulling AOSP, nor the closed security chip in Pixel phones. I'm trying to decide if I want to stick with AOSP with a non-Pixel device, or give some form of non-Android Linux phone a shot. The Jolla C2 is looking intriguing, but getting one in the US isn't the easiest thing. I've also considered a Shiftphone 8.1 and Fairphone 6, but I'd want to run Calyx, and the future is murky. The Shiftphone is also tricky to get in the US, as is Volla which comes with an AOSP OS without Google services.
Sadly, we've lost Calyx till Febuary. Fairphone 5 with Calyx is the ultimate private phone. You can also get any Google device and flash Graphene.
Have a CMF1 from Murena for few months now, pretty happy with it. 350EUR with unlocked bootloader and rooted, used it as daily driver since day one. Transition from iOS was surprisingly painless.
Less expensive than I expected, but no headphone jack, no SD slot, comes with /e/OS.
In the end any mobile phone is inherently privacy invasive because of tracking by the cellular carrier, and the unending security bugs in the software. It's hard to do much about this.
A headphone jack is just another attack vector! Use your head!!!
no headphone jack, no SD slot, comes with /e/OS.
In the end any mobile phone is inherently privacy invasive because of tracking by the cellular carrier, and the unending security bugs in the software. It’s hard to do much about this.
Consider if you truly need root on your device because its more of a risk then a benefit in most cases these days. Most features that used to require root no longer do or have more secure alternatives
Another consideration is that while you can buy a phone with grapheneos preinstalled, it's much better if you take the time to do the web install yourself because anyone selling preinstalled phones could potentially be a honeypot.
Pixels don't include bloat other than google, installing grapheneos is a simple and easy process you can do from your browser, unfortunately that's about the only truely secure option available currently any other devices (ie fairphone) will be a trade off of less/slower security updates and/or lack of ability to relock the bootloader.
None currently ,closest is pixel with for now easy unlockable bootloader
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)