Graphene OS Vs Lineage OS

Fact Based Review ➤ Are They Really Similar

Should You Use Graphene OS or Lineage OS

Graphene OS and Lineage OS are very different when it comes to privacy and security. They may both be Android Operating Systems, but that’s about where the similarities end. In fact they have substantial privacy and security differences. Keep reading and decide for yourself — David

We also DeGoogle Pixel Phones with Graphene OS and express post Australia Wide and to NZ UK EU CA.

SOURCE: eylenburg.github.io

Graphene OS Vs Lineage OS

Graphene OS and Lineage OS are very different. Graphene OS is a hardened OS with substantial privacy and security improvements. Lineage OS is not a hardened OS. It actually greatly reduces security versus the Standard Android OS through added attack surface, rolled-back security and slow patches.

Simple Example

On a Pixel 7, for example, you won't have current privacy or security patches with Lineage OS. It's missing more than half the patches for October, November and December. This happens every year with the release of new major versions of Android, since there's no Pixel LTS branch for Android 13.

Google Free Vs DeGoogled

Many think Lineage OS is a Google-free version of the Standard Android OS that supports as many phones as possible. The fact is that Lineage OS is not Google free. While it does not contain Google apps [for licensing reasons], it still retains other components, such as the captive portal check, A-GPS and DNS, to name a few, that use Google servers. It is not "degoogled" in any way. Lineage OS is significantly less secure and less private than Graphene OS.

Graphene OS is about making a privacy-centric version of Android that can run Google apps sandboxed. Additionally, Graphene OS only supports Pixel phones, because the Pixel is the only phone hardware on the market that includes a Secure Element chip [Titan M2], which supports the many privacy and security features that Graphene OS incorporates, along with the significant Verified Boot feature. There really is no comparison between Graphene OS and Lineage OS when it comes to privacy and security. Pixel phones also have stronger security as they are designed to fully support custom OS installations and Verified Boot. Verified Boot not only protects your phone, but also allows you to verify that your phone OS has not been tampered with and remains secure and private.

Additional Hardening

Graphene OS improves upon AOSP [Standard Android] security with:

  • Hardened WebView: Vanadium WebView requires 64-bit WebView processes and disables legacy 32-bit processes. It uses hardened compiler options such as -fwrapv and -fstack-protector-strong, which can help protect against stack buffer overflows. APIs such as the battery status API are disabled for privacy reasons. All system apps on Graphene OS use the Vanadium WebView, which means that apps which use WebView will also benefit from Vanadium's hardening. The Vanadium patch set is a lot more comprehensive than Lineage OS's Chromium patch set, which is derived from it.

  • Hardened Kernel: Graphene OS kernel includes some hardening from the linux-hardened project and the Kernel Self Protection Project (KSPP). Lineage OS uses the same kernel as regular Android with some minor modifications.

  • Hardened Memory Allocator: Graphene OS uses the hardened malloc subproject as its memory allocator. This focuses on hardening against heap memory corruption. Lineage OS uses the default AOSP Scudo Malloc, which is generally less effective. Hardened Malloc has uncovered vulnerabilities in AOSP, such as CVE-2021-0703, which have been fixed by Graphene OS.

  • Secure Exec Spawning: Graphene OS spawns fresh processes as opposed to using the Zygote model used by AOSP and Lineage OS. The Zygote model weakens Address Space Layout Randomization (ASLR) and is considered less secure. Creating fresh processes is safer but will have some performance penalty when launching a new application. These penalties are not really noticeable unless you have an old device with slow storage such as the Pixel 3a/3a XL as it has eMMC.

Please note that these are just a few examples and are not an extensive list of Graphene OS's privacy and security hardening. For a more complete list, please read our Understanding Graphene OS page.