So after more research linage OS and calyx only allow Micro G apps to spoof and the verify via the app signature key the are signed with to verify this is the only way LinageOS would agree to adding micro G support so it is secure but still makes me feel unsafe at least to me just my opinion but yes it can be done securely I would use Linage OS with Micro G if the supported relocking the bootloader I know pixels support this but requires you to build your own version from source of linage and the sign your device with your own key that you also sign your build with as well I think I’ll stick with GrapheneOS.

Questions why fuck capcom indont really play thier games what did the do?

Then buy a newer one with longer support this will always be a issue since the support window is the same as Google. Once a manufacturer stops updating drivers and device firmware the said device can no longer effectively be secure because any exploit in the drivers or firmware will forever go unfixed compromisimg the devices security. Doesn’t matter what devices you buy this will always be the case it just depends on what your personal threat model is.

Correct but GOS reverses alot of Google patches like always on voice requires kernel privalage it is disabled on GOS etc. But kernel level signature spoofing gives way for a malicious app to spoof as micro g and infect your device and you would never know because micro g requires the same thing to function it is making itself look like Google when it is not google. So using microg opens your device up to allot more ways for it to be compromised and also makes it harder to detect or notice once it is compromised. For me the security risk of kernel level spoofing is way to high to use on a production device used everyday. Also I trust neither Google or microg I only use Foss apps I don’t have Sandboxed play services installed at all I just don’t use Google anymore.

No because the data is encrypted especially on Graphene OS and even on stock pixel phones data at rest is fully encrypted and pixel phones also have a onboard security chip as well. So unless you can unlock the user data it would be useless. That is why a locked bootloader is so important it is needed to ensure at rest encryption its a requirement for it.

It could be included as both with a unlocked bootloader all user data could be easily retrived with physical access to device.

So contactless is still broken and that is because it is signed by a certificate granted by Google GOS does not have this cert so contactless is. Broken Unless your bank has thier own implementation then it may work. Also if the app your using comes from the play store you must have sandboxdd play services installed or. Yes you are correct notifications will be broken as it relies on play services for them to work but if you use play services sandboxed everything should work minus any app that enforces play services integrity check…

I use GOS and agree with you completely some of the things GOS has done and said in the past should have never happened and hurt GOS more than it helped it. Also on the micro G front You are correct still being debated but as long as Micro G is signature spoofing it is my opinion it is not secure as signature spoofing requires kernel changes that in fact weaken Android’s security model.

GOS Supports the pixel devices for the same amount of time as Google hard to keep a device secure once drivers are no longer being updated. But with Google extending support for pixel 6 and 7 series and the new 7 year guarantee on pixel 8 devices and newer this isn’t really a concern anymore. So pixel 7a and fold will be supported until 2028 and Pixel 6 and 6 pro until 2026 pixel 7, 7 pro, and 6a until 2027. Seems like plenty of time for support and that means as long as Google supports it so does GOS.

My last bank did that so I switched banks my new bank app works without any play services installed on GOS.

Once LinageOS is installed your bootloader is always unlocked so anyone who finds your phone if lost owns it. GrapheneOS and a few other ROMs I forget the names of allow the bootloader to be relocked keeping android security model intact allowing the device to still be secure.

Works on GrapheneOS

All apps work fine on GOS no tinkering needed if a app is broken its broken on linage as well because of play integrity

Can confirm on Android 15 on GOS that JXL in the gallery app you linked does work and open them.

So I have Aurora in my main profile that allows apps from play store with no play services installed it just uses the open source aurora store and my bank apps all work without playservices. And I don’t use streaming services in anyway I buy everything on bluray and then rip it to my server. But with private space on android 15 you can install sandboxed play services in private space and it is 100% seperate sandboxed from your main profile and can use apps like Netflix etc that do require sandboxed play services and then when not using it you can pause private space essentially shutting it all down and preventing any of the apps from running in the background at all. Plus with sandboxed play services on GOS you can control all permissions for play services all way down to network so you can only allow network or more just depends on your personal threat level or how comfortable you are sharing the data. But even with sandboxed play services in a main profile would still be more secure as it only installs the play store and play services apps no AI.

As soon as Apple announced AI for iOS I sold my iPhone 15 and got a pixel and installed GrapheneOS on it and have no Apple or Google services installed all open source. And more importantly no AI.

To my knowledge reddit has always worked like this when a mod removes a post no new users that have zero interaction with the post will see the comments it removes the post from all. But if you have commented in the past or are a original OP or have the direct link to the post the comments will always be there.

This just seperates it into a secondary profile but all apps in your main profile are already sandboxed as well the only apps that are not sandboxed are system apps such as Play services. But you could use the app in a work profile(shelter) under a seperate Google account that would add a bit more anonymity. But android default app sandbox could be more secure there are other custom ROMs that do just that making the regular app sandbox even more secure.

Here is more information on how each android app is sandboxed(except Play Services)

https://source.android.com/docs/security/app-sandbox

Thank you already seen this and like I said if it’s a system app it’s a no go for me any app to do with Google needs to be sandboxed being a privileged app is why I won’t use it.

I use this on my pixel with Graphene OS and it works great once I completely degoogoled my entire phone my spam calls and text pretty much all went away.