---
title: GrapheneOS vs CalyxOS
icon: material/cellphone-cog
---

## Profiles
CalyxOS includes a device controller app so there is no need to install a third party app like Shelter.
GrapheneOS extends the user profile feature, allowing a user to press an "End Session" button that clears the profile's encryption key from memory. GrapheneOS plans to add a cross-profile notification system and nested profile support with better isolation in the future.

## Sandboxed Google Play vs Privileged MicroG
When Google Play services are used on GrapheneOS, they run as a user app and are contained within a user or work profile.
Sandboxed Google Play is confined using the highly restrictive, default `untrusted_app` domain provided by SELinux. Permissions for apps to use Google Play Services can be revoked at any time by the user.

MicroG is a reimplementation of Google Play Services. This means it needs to be updated every time Android has a major version update (or the Android API changes). It also needs to run in the highly privileged `system_app` SELinux domain like normal Google Play Services, and it requires access to signature spoofing, so this is less secure than the Sandboxed Google Play approach. We do not believe MicroG provides any privacy advantages over Sandboxed Google Play, except for the option to shift trust of the location backend from Google to another provider such as Mozilla or DejaVu.
From a usability point of view, Sandboxed Google Play also works well with far more applications than MicroG, thanks to its support for services like Google Play Games and In-app Billing API.
## Privileged App Extensions
Android 12 comes with special support for seamless app updates with third party app stores. The popular Free and Open Source Software (FOSS) repository F-Droid doesn't implement this feature and requires a privileged extension to be included with the Android distribution in order to have unattended app installation.
GrapheneOS doesn't compromise on security; therefore, they do not include the F-Droid extension. Users have to confirm all updates manually if they want to use F-Droid. Alternatively, they can use the Droid-ify client, which does support seamless app updates in Android 12. GrapheneOS officially recommends Sandboxed Google Play instead. Many FOSS Android apps are also on Google Play, though some (such as NewPipe) are not.
CalyxOS includes the privileged extension, which may lower device security. Seamless app updates should be possible with Aurora Store in Android 12.
## Additional hardening
GrapheneOS improves upon AOSP security with:
- Hardened WebView: Vanadium WebView requires 64-bit processes for the WebView process and disables legacy 32-bit processes. It uses hardened compiler options such as `-fwrapv` and `-fstack-protector-strong`, the latter of which helps protect against stack buffer overflows. APIs such as the battery status API are disabled for privacy reasons. All system apps on GrapheneOS use the Vanadium WebView, which means user-installed apps that use WebView will also benefit from Vanadium's hardening. The Vanadium patch set is far more comprehensive than CalyxOS's Chromium patch set, which is derived from it.
- Hardened Kernel: The GrapheneOS kernel includes some hardening from the linux-hardened project and the Kernel Self Protection Project (KSPP). CalyxOS uses the same kernel as regular Android with some minor modifications.
- Hardened Memory Allocator: GrapheneOS uses the hardened malloc subproject as its memory allocator. This focuses on hardening against memory heap corruption. CalyxOS uses the default AOSP Scudo Malloc, which is generally less effective. Hardened Malloc has uncovered vulnerabilities in AOSP which have been fixed by GrapheneOS such as CVE-2021-0703.
- Secure Exec Spawning: GrapheneOS spawns fresh processes as opposed to using the Zygote model used by AOSP and CalyxOS. The Zygote model weakens Address Space Layout Randomization (ASLR), because every app process forked from the zygote inherits the same memory layout, and is considered less secure. Creating fresh processes is safer but carries some performance penalty when launching a new application. These penalties are not really noticeable unless you have an old device with slow storage, such as the Pixel 3a/3a XL, which uses eMMC.
Please note that these are just a few examples and are not an extensive list of GrapheneOS's hardening. For a more complete list, please read GrapheneOS' official documentation.
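To make the Zygote/ASLR point above concrete, here is an added C example (not code from GrapheneOS, CalyxOS or the original page) that forks several children from one warmed-up parent, the way Zygote forks app processes, and checks whether each child's code, heap and stack addresses match the parent's; a freshly exec'd process would instead receive its own randomised layout. The function and struct names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* A layout "fingerprint": the address of a code symbol, of a heap object and
 * of a stack slot.  Under ASLR a freshly exec'd process gets new values for
 * all three; a fork()ed child simply inherits its parent's. */
struct layout { uintptr_t text, heap, stack; };

static struct layout probe_layout(void *heap_obj) {
    int stack_slot;
    struct layout l = { (uintptr_t)probe_layout, (uintptr_t)heap_obj,
                        (uintptr_t)&stack_slot };
    return l;
}

/* Forks n children from one parent (the Zygote model) and reports whether every
 * child's layout is identical to the parent's.  Returns 1 if all match, 0 if any
 * differ, -1 on a system call error. */
int zygote_children_share_layout(int n) {
    void *heap_obj = malloc(64);         /* state allocated before forking, like a zygote */
    if (!heap_obj) return -1;
    struct layout parent = probe_layout(heap_obj);
    int fd[2];
    if (pipe(fd) != 0) return -1;
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {                  /* child: report its own layout back */
            struct layout child = probe_layout(heap_obj);
            if (write(fd[1], &child, sizeof child) < 0) _exit(1);
            _exit(0);
        }
    }
    int same = 1;
    for (int i = 0; i < n; i++) {        /* parent: compare each child's fingerprint */
        struct layout child;
        if (read(fd[0], &child, sizeof child) != (ssize_t)sizeof child) return -1;
        if (child.text != parent.text || child.heap != parent.heap ||
            child.stack != parent.stack) same = 0;
    }
    while (wait(NULL) > 0) ;
    close(fd[0]); close(fd[1]); free(heap_obj);
    return same;
}

int main(void) {
    printf("fork children share the parent's layout: %s\n",
           zygote_children_share_layout(4) == 1 ? "yes" : "no");
    return 0;
}
```

Because every forked child reports the same addresses, leaking the layout of one such process reveals the layout of all of them, which is the weakening of ASLR that exec spawning avoids.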