As an EU citizen the biggest issue for me is that even if I bought a fairphone with grapheneOS, it might as well be a "dumb" phone. This is because all the apps to make our daily lives non-annoying require the Google Play or the Apple App store. So to me it's the lack of digital sovereignty from the EU and our individual countries that is the main issue. Sure it would be nice if big tech didn't close their platforms, but that ship appears to have sailed. If they ever get around to making these apps available through a different store, then I don't see why I wouldn't want a different OS.
We still need open hardware and more companies like fairphone to utilize it, but we primarily need the EU to get it's act together and break the reliance on big tech app stores. I know there are a few companies trying to build app stores with the necessary security compliance and if the EU wants to be serious about digital sovereignty it'll need to support these.
> As an EU citizen the biggest issue for me is that even if I bought a fairphone with grapheneOS, it might as well be a "dumb" phone. This is because all the apps to make our daily lives non-annoying require the Google Play or the Apple App store.
This is a common misconception I see around here, probably because people think Graphene is yet another custom rom like LineageOS, and haven't actually tried it for themselves.
GrapheneOS supports Google Play (it ships with an app that lets you install it in one click), it does NOT give you root access, and it goes through the extra effort of implementing the obscure security features that banking apps require. I won't say 100%, but maybe 99% of apps on Google Play will work on Graphene, including banking apps. This compatibility, along with the added security and privacy features are why it's such a big deal. It's not just hype around the latest shiny custom ROM.
Banking apps will work on Graphene if you have sandboxed Google Play Services installed, and if the banking app requires only a basic level of Play Integrity attestation. I got the same level of support with my previous LineageOS for MicroG phone as I have with my current GrapheneOS phone, it just required a lot more tinkering (and was a lot less secure).
I do appreciate the work the GrapheneOS team puts in toward compatibility, and especially the fact that they just got RCS messaging working. But any time Google or even an app vendor wants to tighten the noose, they can, just by requiring the higher, hardware-backed attestation level.
That page seems to be saying the opposite: hardware attestation would support GrapheneOS, whereas the Play Integrity API would not.
Anecdotally, both of the banking apps I use 'just work', and I haven't encountered any app that doesn't work. The closest thing was the Disney parks app a few years ago which would crash on launch until I disabled the hardened malloc feature for it.
I see "... and permitting our official release signing keys" there, which means you are swapping Google Android for GrapheneOS Android, and you can't use bogwog Android if you wanted to.
There is a list of apps banning GrapheneOS keys here, including govt apps, ticket apps, and McDonalds for some reason:
> you are swapping Google Android for GrapheneOS Android
No? You're adding support for Graphene's keys, not replacing Google's. Obviously, the main barrier is convincing developers of these apps to add support for Graphene's keys. However, this is only a problem for apps that opted to implement the Play Integrity API at all, which doesn't seem to be very common. All the recent monopoly rulings against Google may be deterring devs from implementing this obviously anti-competitive feature, and that's not to mention Google's new responsibility to offer the Play store app catalog to competing stores, thanks to the Epic case.
> The injunction issued last year by U.S. District Judge James Donato requires Google to allow users to download rival app stores within its Play store and make Play's app catalog available to competitors. Those provisions do not take effect until July 2026.
My point was that this situation doesn't allow for Software Freedom, since you the user cannot control the OS, its an unmodifiable blob unless you are either someone with a blessed key (like Google, or GrapheneOS devs), or are willing and able to to go without the apps that use the attestation APIs, or have one locked down device for attestation apps and a separate one that you can actually control. Probably the only way to deal with that is make attestation to third parties illegal, I assume governments and banks would get exempted from such laws though.
Android has a hardware attestation API that is compatible with GrapheneOS (if the app accepts GOS's keys), but nobody uses it. Everyone uses the Play Integrity API; GrapheneOS can't pass the "strong" (hardware-backed) level of Play Integrity, though it passes the weaker ones.
The Dutch electronic identification app, DigiD, uses the Android-native attestation API.
Also good to make a distinction between the different things you can do in an attestation procedure: bootloader/boot integrity checks, attest a specific key, and ID (imei etc) attestation.
We still need open hardware and more companies like fairphone to utilize it, but we primarily need the EU to get it's act together and break the reliance on big tech app stores. I know there are a few companies trying to build app stores with the necessary security compliance and if the EU wants to be serious about digital sovereignty it'll need to support these.