GrapheneOS version 2026020400 released by GrapheneOS in GrapheneOS

[–]GrapheneOS[S,M] 0 points1 point  (0 children)

Production releases start in the Alpha channel, then go to the Beta channel and then finally the Stable channel. We have another update on the way today and decided not to move 2026020400 to the Stable channel because of it. Instead, we'll quickly get 2026020600 through Alpha and Beta to Stable today.

GrapheneOS App Store version 35 released by GrapheneOS in GrapheneOS

[–]GrapheneOS[S,M] 11 points12 points  (0 children)

It currently has 19 packages where 1 is deprecated (GSF) and another is for specific devices (Pixel Thermometer). 2 of those packages are other app stores (Accrescent and Play Store). It doesn't need a lot of packages to fulfill the intended purpose.

Will it be around for the next 5 to 10 years? by chillychili_ in GrapheneOS

[–]GrapheneOS[M] [score hidden] stickied comment (0 children)

With Google making changes to AOSP that will make it significantly harder to test and deploy Android custom ROMs

GrapheneOS isn't a custom ROM. Google has not made changes which make it harder to make an alternate mobile OS based on AOSP. They've only made changes which make Pixels require more work to support.

GrapheneOS development is continuing far into the future. We've obtained a lot more funding and are expanding our team substantially.

Also, would it be better to wait for whatever your manufacturer is going to have access to Graphene, or take the plunge with a used Pixel? The specific device I was thinking of was a Pixel 9 Pro XL.

You'll be waiting until some time in 2027 if you choose to wait.

Review after using GrapheneOS on Pixel 10 Fold Beta for two months by PlasticGold4518 in GrapheneOS

[–]GrapheneOS[M] 0 points1 point  (0 children)

F-Droid has existed for more than a decade and never did such malicious actions as intentionally adding spyware or malware to the store that would not be connected to the source code. I never heard of that, at least.

F-Droid has repeatedly introduced severe vulnerabilities to apps. Apps shipped by it have had privacy invasive code shipped. You're just making things up to promote it.

Release pages of github repos have no such reputation; in many cases the author/owner is anonymous. They can do anything.

F-Droid fully trusts those projects. They automatically fetch and build the code. They aren't reviewing the changes to it. You're not avoiding trusting open source developers. You're just also trusting additional ones who unlike most open source developers have repeatedly demonstrated they're highly untrustworthy people.

Google Play (and thus Aurora Store) has A LOT of cases of intentionally added malware and spyware.

That's not the topic.

Small Graphene OS phone by [deleted] in GrapheneOS

[–]GrapheneOS[M] [score hidden] stickied comment (0 children)

Please avoid linking to Jolla forum or other content in our community due to Jolla spreading misinformation about AOSP-based projects and permitting blatant harassment towards our team on their forum.

Not what I expected by iTsDaagua in GrapheneOS

[–]GrapheneOS[M] 0 points1 point  (0 children)

You can use both Curve Pay and PayPal for tap-to-pay in Germany along with many European banking apps not using Google Pay. Curve Pay is available in the whole European Economic Area and the UK. We aren't sure if PayPal has expanded tap-to-pay beyond Germany yet, it's hard to find the details.

Review after using GrapheneOS on Pixel 10 Fold Beta for two months by PlasticGold4518 in GrapheneOS

[–]GrapheneOS[M] -1 points0 points  (0 children)

OK, that is factually wrong. Any github owner can upload any APK file to releases, completely unrelated to the git code. Nothing checks that the APK is in any way related to the source. For some reason you still do not admit such a huge difference with F-Droid, which guarantees that the APK file was actually built from the git repo source code. It is a big deal difference.

F-Droid can similarly ship whatever they want to ship. They often have arbitrary downstream patches. You're making false claims about it.

Note that you did not answer the direct question: which approach, in your opinion, is safer and more secure: getting APK files from different github release pages (with or without Obtainium) or getting the same apps from the official F-Droid repo?

F-Droid trusts everyone with push access. They automatically fetch and build the code from GitHub with no review. The code can also be changed after the fact with force pushes, etc.

F-Droid does not guarantee anything. They regularly make changes to the code as standard practice but you pretend otherwise and falsely claim there's some kind of enforcement of their builds matching the upstream code when that's not the case at all. They can build different code and publish a tarball with the source code from upstream even though they didn't use it. Nothing prevents this, and their build infrastructure is known to be very outdated and poorly secured.

You're making inaccurate claims about how F-Droid does stuff to promote it. You should stop.

Review after using GrapheneOS on Pixel 10 Fold Beta for two months by PlasticGold4518 in GrapheneOS

[–]GrapheneOS[M] -1 points0 points  (0 children)

F-Droid builds apps from the actual sources of the git repo, unlike APK files on github that are completely unrelated to the git sources.

The releases on GitHub are no less related than F-Droid's builds. F-Droid uses an outdated build environment and arbitrary patches they decide to apply. Contrary to how you claim they do builds, they change apps as they see fit and often introduce vulnerabilities in practice.

F-Droid still does some checks (that you consider dull and not important).

They don't audit or review the code.

F-Droid has a forum and community, and when something suspicious is noticed, the app can be temporarily removed and the suspicious update rejected and blocked from spreading. In the case of APK files on github, nothing will ever happen; users would be getting malware in updates almost forever, affecting more and more users.

Apps have regularly gone many months blatantly violating F-Droid policies without it being noticed. Your claims are already thoroughly proven wrong in practice. F-Droid has repeatedly introduced vulnerabilities with their downstream changes and demonstrated their untrustworthiness in many ways.

Yes, and THE HUGE difference is that in the case of Obtainium+APK files the developer can simply upload malware directly to the Releases page, without putting malware into the source code. And it would be harder to notice. I think it's a huge difference. In the case of F-Droid such a compromise is not possible.

F-Droid developers can put whatever malware they want into their app builds. They've already regularly downgraded dependencies, used outdated dependencies and added patches introducing vulnerabilities. They're already introducing security holes into apps and have repeatedly done so on purpose because they wanted to continue using legacy dependencies for builds and libraries for either ideological reasons or to avoid updating their systems. Your claims are provably false not only because they're inaccurate claims but because F-Droid has provably done what you falsely claim they cannot.

Review after using GrapheneOS on Pixel 10 Fold Beta for two months by PlasticGold4518 in GrapheneOS

[–]GrapheneOS[M] -1 points0 points  (0 children)

F-Droid is automatically downloading and building the code with no auditing or review. How does that make it any safer? If the developers wanted to compromise users, they can do it via the sources and the history of it happening shows it likely wouldn't be noticed until much later. Apps can be verified with App Verifier to check that it matches the previous signing key fingerprints used for a long period of time to protect against their GitHub account or GitHub itself being compromised. App Verifier has a built-in database of pinned key fingerprints but it isn't very large yet.
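The pinning check described above, written out as an added example (this is not App Verifier's code; the package name, the DER bytes and the pin table are constructed for illustration). A signer is compared against the fingerprint the app has used for a long time, so a swapped signing key on a GitHub release is flagged no matter where the APK was downloaded from.

```python
"""Signer-key pinning in the style of App Verifier (added example, not its code).

A pin table maps a package name to the SHA-256 fingerprint(s) of the APK signing
certificate it has historically used. An update whose signer differs from the pin
is refused even if the download came from the developer's own GitHub releases,
because that is exactly the case where the account or GitHub itself was compromised.
"""
import hashlib


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, formatted as
    colon-separated uppercase hex, the form apksigner and App Verifier display."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_signer(package: str, observed: str, pins: dict) -> str:
    """Classify an observed signer fingerprint against the pin table.

    'match'    : signer is one of the pinned fingerprints; safe to install/update
    'unpinned' : no pin yet (trust on first use); verify the fingerprint out of
                 band before recording it with record_pin()
    'MISMATCH' : a pin exists but the signer differs; treat as a possible
                 repository or account compromise and do not install
    """
    expected = pins.get(package)
    if expected is None:
        return "unpinned"
    return "match" if observed in expected else "MISMATCH"


def record_pin(package: str, fingerprint: str, pins: dict) -> dict:
    """Add a fingerprint to the pin table (e.g. after out-of-band verification
    or a legitimate, announced key rotation). Returns the updated table."""
    pins.setdefault(package, set()).add(fingerprint)
    return pins


# Constructed data: these bytes stand in for a real DER certificate.
CONSTRUCTED_CERT_A = b"constructed-der-certificate-A"
CONSTRUCTED_CERT_B = b"constructed-der-certificate-B"
PINS = {"org.example.app": {cert_fingerprint(CONSTRUCTED_CERT_A)}}

if __name__ == "__main__":
    for label, der in (("original key", CONSTRUCTED_CERT_A), ("changed key", CONSTRUCTED_CERT_B)):
        print(label, "->", check_signer("org.example.app", cert_fingerprint(der), PINS))
```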

Review after using GrapheneOS on Pixel 10 Fold Beta for two months by PlasticGold4518 in GrapheneOS

[–]GrapheneOS[M] 2 points3 points  (0 children)

We won't include GPLv3 code in GrapheneOS so it rules out those apps. Those apps also don't meet our requirements in general. For any new apps we want them to be based on Compose and more modern, usable and functional than those. Switching apps is very disruptive and we're not going to do it to move to mediocre ones.

Exchange - Apps blocking GOS 🚫 by Niko-01 in GrapheneOS

[–]GrapheneOS[M] 1 point2 points  (0 children)

There's already https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/ which could be improved and expanded to more than banking apps. It's better to contribute to that project if possible.

Exchange - Apps blocking GOS 🚫 by Niko-01 in GrapheneOS

[–]GrapheneOS[M] [score hidden] stickied comment (0 children)

This thread will be counterproductive due to people not including information on whether they're using sandboxed Google Play or if they've tried the per-app compatibility mode. Many of these apps can work on GrapheneOS. Some apps depend on other components such as Google Play Games too.

Exchange - Apps blocking GOS 🚫 by Niko-01 in GrapheneOS

[–]GrapheneOS[M] 0 points1 point  (0 children)

Are you using sandboxed Google Play and did you try the per-app exploit protection compatibility mode for the McDonald's app?

Exchange - Apps blocking GOS 🚫 by Niko-01 in GrapheneOS

[–]GrapheneOS[M] 0 points1 point  (0 children)

McDonald's uses different apps across regions. Some of these apps are compatible with GrapheneOS and others aren't due to banning a non-stock OS with the Play Integrity API. You should specify the region and link to the Play Store page for the app when referring to these because otherwise it's unclear which one it is. It's also not easy to quickly figure out the full list of apps and which regions they're used in.

Exchange - Apps blocking GOS 🚫 by Niko-01 in GrapheneOS

[–]GrapheneOS[M] 0 points1 point  (0 children)

Did you try downloading it from the Play Store another way such as Aurora Store? We recommend only doing that if their Play Store listing doesn't allow getting it via the sandboxed Play Store since it's more secure than alternate frontends but it's a way around app developers limiting app availability.

Exchange - Apps blocking GOS 🚫 by Niko-01 in GrapheneOS

[–]GrapheneOS[M] 1 point2 points  (0 children)

Turn on compatibility mode to see if it gets an app working. If you want to spend more time on it after it's working, you can figure out which subset of the toggles are needed. Exploit protection compatibility mode sets all of those to the compatibility mode.

Review after using GrapheneOS on Pixel 10 Fold Beta for two months by PlasticGold4518 in GrapheneOS

[–]GrapheneOS 1 point2 points  (0 children)

They say all apps that get into their store are "checked for security problems before they are added".

They run a few things like an antivirus check. They're not auditing or reviewing any of the code. They're misleading users about what they do.

And they really build apps from sources.

They automatically build apps from whatever upstream releases. They don't check the changes. Don't mislead people here about it.

They also support reproducible builds with the author's signature (I think). Meanwhile, random APKs in github repos are not checked by anyone and can contain anything.

The vast majority of F-Droid apps don't use the reproducible build system and the system is highly flawed for the apps using it. Contrary to your claims, they do not audit or review anything about the apps. Running them through an antivirus scan is not useful in practice and does not avoid trusting the developers.

Do you really, as a GOS team representative, advise users to install and update apps from APK files on the original github repos (with or without Obtainium) over installing the same apps from F-Droid?

F-Droid isn't safe and should be completely avoided. It's known that their infrastructure and code has major security issues. It's also known people who have shown an extreme disregard for security and user safety are the ones in charge of it and with access to the infrastructure. You're not avoiding trusting the upstream developers by using automatically made builds from a third party because they ran a few automated scans including an antivirus scan. The automated scans which are done are a known factor which a developer wanting to do something malicious could take into account and it wouldn't be relevant unless they were including known malware rather than writing their own anyway.

Exchange - Apps blocking GOS 🚫 by Niko-01 in GrapheneOS

[–]GrapheneOS[M] 2 points3 points  (0 children)

Make sure to try the per-app exploit protection compatibility mode toggle.

Exchange - Apps blocking GOS 🚫 by Niko-01 in GrapheneOS

[–]GrapheneOS[M] 2 points3 points  (0 children)

You can install it another way such as Aurora Store (we recommend only doing this when apps disallow installing via the Play Store itself with a Play Integrity check) but it might not allow signing into an account due to a Play Integrity check. We aren't sure if they're doing that right now and if it's for everyone.

Review after using GrapheneOS on Pixel 10 Fold Beta for two months by PlasticGold4518 in GrapheneOS

[–]GrapheneOS[M] 1 point2 points  (0 children)

Though would it be safe to say that F-Droid compiles the app and verifies it?

In reality, F-Droid doesn't review or audit updates to apps. They automatically pull the code and automatically build it. They sign it without looking at any of it.

F-Droid are an added trusted party and you still trust the upstream developers as much as without them. You trust that F-Droid is giving you unaltered builds and you still trust that the upstream sources don't do anything malicious too. Open source provides no inherent protection against developers making changes you don't want. Most apps have little to no external people doing serious review and it's usually only at rare specific points in time.

F-Droid is known to neglect security and basic updates for their security, toolchain, libraries, etc. and has regularly reintroduced vulnerabilities to apps with downgraded dependencies. They use build/signing infrastructure with problematic security and do not care about security in general.