I think it depends on your goals. Graphene's team rightly point out that Calyx's approach to spoofing the play store (microG) isn't safe, so security will be better on Graphene as long as that stays the same.
On the other hand, Calyx does actually include an app store with the base ROM. This is important if you are setting devices up for other people who need to be able to reproduce the steps you have taken. In such a case, even though I could set up Graphene myself, I would probably suggest Calyx. However I know that graphene are (were?) Working on a store of their own at some point, so when that is released my opinion may change.
Currently, it lists only graphene apps like Secure Camera, graphene PDF vewier, Auditor, Sandboxed Play services. Also, it only works for Android 12 and above, not only on GrapahenOS but other OS like Calyx, Lineage and it forks etc.
They are planning to add other graphene apps too, like Vandaium* etc. Non-graphene apps (like apps available on f-droid), I don't think they will be added. This store seems to be only for Graphene Apps.
> Graphene's team rightly point out that Calyx's approach to spoofing the play store (microG) isn't safe, so security will be better on Graphene as long as that stays the same.
AviD's rule of usability applies here, IMO. Doesn't GrapheneOS's approach have worse third-party app support than CalyxOS's approach? I can see that leading to people trying GrapheneOS and then saying "none of my apps work on this more secure version of Android, so I'll just stick with stock Android from now on."
At the same time, doesn't a "typical person" wanting Facebook, Uber, etc apps running kind of counter to the type of people that would want or need something like Graphene?
It's about the war, not the individual. If you're completely compromised by and beholden to google, then you've already lost. For many people, the threat model is protecting the commons and keeping the future possibility of commerce without a 30% tax collected by some middleman in california.
If people start from a device they own, then they can actually fight the other battles. Install facebook in a work profile for now but try and get some friends to move to xmpp. Install uber if and only if you're stuck and public transport has stopped for the night (and uninstall it after). Or any other compromise between complete submission and full device ownership.
Graphene as a project doesn't really seem aligned with this idea. Calyx and /e/ are a bit better.
If you have to compromise your values to allow such things, an example might be TikTok with Play Services on Graphene is possible, but you will be permanently banned shortly for not being spyable enough and failing modified ROM detection, would you want to compromise by re-adding what's basically a vulnerability if it increases userbase?
If it means that I only have to convince someone to give up a tiktok account they don't have rather than tiktok and pinterest amd facebook and whatsapp (and subsequently the ability to communicate with any of the local community groups) and the local covid app that allows you to leave the house and their university app and any kind of paid media, then yes.
A phone that my partner owns that I can actually realistically ask her to use is better than one that is secure against an attack that isn't even in my threat model and is a complete non starter.
> you will be permanently banned shortly for not being spyable enough and failing modified ROM detection
Wait, do they actually do this too, or is this a hypothetical you made up for the example? Or did you mean Snapchat instead of TikTok, which I know does actually do that?
I picked it as a random example but yes, it does do safetynet/aggressive device fingerprinting/bans root (magiskhide used to work for a bit afaik)/collecting as many identifiers as possible based on version of android.
That's a bit too coarsely grained IMO. There are different ways to resolve the question of security vs usability, varying by threat model and user confidence.
Graphene's approach is not inherently untenable: using the play store can be done via a separated profile - which is probably good opsec anyhow.
An alternative approach (which I believe the Graphene team are aware of, but don't necessary encourage) is to use F-Droid or the Aurora store. I believe there are some important shortcomings with this approach though.
In regards to 3rd party stores, I wouldn't use this approach for any kind of corporate or professional application, but if you're an end user there might be a case that this is preferable (suppose privacy is a much greater concern than security). I think that would be case by case though.
In the case of F-Droid, the apps need to be built using F-droid's build system, and is signed using F-Droids own keys[1], rather than the devs signing themselves. Not awful, but definitely not good.
So, regarding the 'too hard, gave up' problem you mentioned, I think you're right that its an important consideration, but disagree that Graphene's approach is "strictly" worse third party support.
> An alternative approach (which I believe the Graphene team are aware of, but don't necessary encourage) is to use F-Droid or the Aurora store. I believe there are some important shortcomings with this approach though.
I know the Aurora Store works fine for installing apps from the Play Store. My concern is more so whether those apps all work right after they're installed.
> Doesn't GrapheneOS's approach have worse third-party app support than CalyxOS's approach?
This isn't even correct anymore. "Sandboxed Play services" is essentially just play services but with the ability to uninstall it, and deny it permissions.
On the other hand, Calyx does actually include an app store with the base ROM. This is important if you are setting devices up for other people who need to be able to reproduce the steps you have taken. In such a case, even though I could set up Graphene myself, I would probably suggest Calyx. However I know that graphene are (were?) Working on a store of their own at some point, so when that is released my opinion may change.
Both are very usable in my opinion.