European authoritarians and their enablers in the media are misrepresenting GrapheneOS and even Pixel phones as if they’re something for criminals. GrapheneOS is opposed to the mass surveillance police state these people want to impose on everyone.
There are ongoing coordinated attempts at misleading people about GrapheneOS and Signal in multiple European countries. A consistent pattern are completely unsubstantiated claims about exploits with no evidence. These are contradicted by actual evidence, leaks and their behavior.
GrapheneOS is not immune to exploitation, but the fearmongering done in these ongoing attacks on it is very clearly fabricated. They feel threatened enough by GrapheneOS to engage in coordinated attempts at convincing people that it’s unable to protect their privacy and security.
GrapheneOS eliminates many classes of remotely exploitable vulnerabilities and makes the vast majority far harder to exploit. It even puts up a strong fight against attacks advanced forensic data extraction tools with physical access. See https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation for an example.
There’s currently an example of one of these attacks on the project ongoing across Swedish forums and social media. This reached our forum at https://discuss.grapheneos.org/d/23535-unsubstantiated-claims-about-sweden-exploiting-grapheneos-with-no-evidence. An account pretending to be just asking questions goes on to pretend to be an expert citing non-existent sources.
This same thing is currently ongoing across several Swedish forums and on social media. It’s generally not in English which makes it inaccessible to the broader GrapheneOS and privacy community so they can get away with extraordinary, unsubstantiated claims much more easily.
GrapheneOS is not supposed to stop people installing malware and granting it invasive permission. It does provide alternatives to being coerced into granting invasive permissions by apps via our Storage Scopes, Contact Scopes and other permissions, but it’s a user choice.
GrapheneOS similarly not supposed to prevent authorized access to data by someone with the PIN/password and access to the device. Rather, we provide far stronger protection against unauthorized access via exploit protections, 2-factor fingerprint unlock, duress PIN/password, etc.
Our features page at https://grapheneos.org/features provides an overview of how GrapheneOS improves privacy, security and other areas compared to the most secure Android devices running the stock OS. It’s not immune to exploitation and cannot be. Products making that claim are scams.
Not being immune to exploitation doesn’t mean it can be successfully exploited in a given real world scenario. It’s significantly harder to develop and deploy an exploit successfully. It can be exploited, but it doesn’t mean it is happening especially at scale or consistently.
Having far from perfect security does not mean real world attacks including sophisticated ones will be successful in practice. Don’t fall for security nihilism propaganda. We’ll keep working on advancing security for general purpose computing devices. It will keep getting better.