Hi everyone,

Currently looking at either a Pixel 8 or a S23 as a replacement for my Zenfone 8 that is slowly becoming a hindrence due to (primarily) the battery. I would replace it, but as it costs a lot to do that here and I have needs for a non-compromised water protection DIY feels like a dangerous option.

So S23 vs Pixel 8, what would you guys recommend assuming I can get either for the same price?

I like the S23 hardware a bit better on paper, but as Pixel phones generally are very flashable my anti-Google sentiments might (ironically) push me there.

I would get a fairphone 5 for the hot-swappable battery etc if they weren’t so expensive for what you get, and as Im buying second hand reuse is better for the environment anyways.

  • Pantherina@feddit.de
    link
    fedilink
    English
    arrow-up
    1
    ·
    10 months ago

    If I’m not using any Google apps, how is micro g a security risk?

    Any app can choose to embed the play services for displaying ads or sending data. And those are not just passive libraries, they are actively sending tons of stuff to Google. As they are not isolated as user apps you always have to assume the worst, that they send all your stuff to google.

    This is the best answer

    The Google Play libraries could do everything that it can do without it. In many cases, Google’s libraries including the Google Ads SDK do work without Google Play. There is no inherent need for Google Play to use Google services. You can see for yourself that Google Maps works fine without it, although it depends on it for some functionality even though that could also work without it. Everything that sandboxed Google Play can do could simply be done by the Google libraries without it though.

    Apps within the same profile are free to communicate with mutual consent including the Google Play code included by those apps.

    Each app you’re using which depends on it includes the Google Play code with their access, and that includes the Google Play code in each of these apps being able to communicate between them if it decided to do that.

    microG provides much less functionality and therefore much less app compatibility than sandboxed Google Play in general. Unfortunately, some of the missing functionality are missing security checks.

    Also, Signal is a perfect example where the app works fine without Google Play including with push but will not work correctly in a setup you proposed in the other thread of using it with FCM disabled.

    (Signal sees the faked google play services and automatically uses them for push messages. Its own websocket request thing is only used with a warning, if they are not found)

    I am relieved, because I was at first questioning what I told you.

    • MicroG presents itself as a fully FOSS app, and many parts are
    • it still downloads Google binaries for certain things
    • apps still use Google libraries embedded in them
    • microG is highly unstable because it fakes to be Play services and if the usage is high enough, Google will increase checks that will make require it to fake values all the time.

    So it is insecure because it allows Google binaries to run without a container.

    UnifiedNLP, Mapbox tiles, UnifiedPush, are all great. But if apps implement Google libraries, only official play services will work reliably. Its responsibility you know, it could break and then the project gets flooded with bug reports and gets a bad reputation.

    only present if you explicitly give permission

    Those have to be internal permissions as microG has to be installed into the system partition and thus doesnt need any permissions.

    It is a long time ago that I used microG though.

    I just don’t see the point of worrying about problems that haven’t occurred yet

    Proactive security. I wouldnt want to be in a situation where I cannot use my phone anymore suddenly, until the OS has patched a vulnerability that would probably not exist if their entire implementation was different (as a sandboxed app).

    The problem is that microG needs to fake values etc. For some reason that means it cannot be a user app, which makes it fundamentally incompatible with the more secure GrapheneOS approach poorly.

    I would like to use those service too, GrapheneOS allows redirecting location queries to the OS at least, so the app thinks it gets that fancy Google location data (fine location, NLP) but it actually just gets the A-GPS (rough location).

    you’re concerns and mine are not the same.

    Probably but that transparency point was interesting.

    Can you show me the updates that are delayed for months by fairphone?

    They have to have release notes for their updates. No motivation to dig them up tbh.

    They are an OEM, this is relevant because GrapheneOS “just” takes the complete AOSP updates for the exact phones they produce directly from Google (which is a huge help, they have all the patches, Kernel, vendor code etc. for exactly those phones) and feed it into their build system.

    That will all be automatic. So they add the apps and stuff and build the packages, and ship them.

    Fairphone needs to patch their own (?) Kernel, as their phones are somewhat unique. No idea how to do that, but they will have a mix of components and the kernel has to work on those. This is a bit more work but doesnt explain months of delay.

    Also OEMs get early access exactly for that reason, so that they can patch their custom kernels and code, because Android phones are SOCs, every Android is different.

    There are steps towards mainline kernel support, which means that the phones can run on regular Linux with less trouble. This improves the patching and modification process, ensures longer updates, … and of course also saves money. Google is doing things in that direction.

    Also idk if Murena gets early access from Fairphone, because Fairphone is using a Google certified OS and Murena doesnt. So this may be a problem.

    • Varyk@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      10 months ago

      Got it, plan was to avoid adding my Google profile onto this phone. Anyway, I don’t use Gmail or gsearch or Google maps or any of that.

      And it looks like as long as I don’t have a profile, the minimal data that is sent out from micro g would be anonymized.

      Proactive security is important, but obviously use case is also pretty important.

      Agree that graphene OS seems like a pretty secure option, but for me personally it wouldn’t add much more security than how I already use my phone.

      I still like the idea, and when I get a new phone, I’ll probably be experimenting on this one a lot more, and I’m sure that’ll include graphene OS at some point.

      I’ll have to get a new non-pixel phone anyway, since non-expandable storage was already absurd 5 years ago, but graphene OS does look like it’s worth playing around with on my older phone.

      Oh, and I do have to make it perfectly clear that the ethical supply lines, corporate responsibility and transparency, as well as consumer respect from fairphone is the larger reason I’m intent on buying a fairphone, the added privacy and security is just a bonus to that.

      • Pantherina@feddit.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        Keep in mind that if you download apps from the playstore (no idea if /e/ proxies those apps or something) many include Google Play libraries and SDK.

        I think I linked that comment under the microG post in the GOS discuss. Apps dont even need any play services to communicate to Google.

        the minimal data that is sent out from micro g would be anonymized.

        MicroG downloads official Google binaries, e.g. their tracking BS. These are able to read persistent device identifiers like IMEI etc. Under many circumstances these are personal identifiers, and if you for example would create a seperate user profile for banking or Google crap, Google could easily link those activities.

        non-expandable storage was already absurd 5 years ago

        It never worked well. Either it was unencrypted, or it could only be read by this device, making it useless as a backup solution if your device dies.

        corporate responsibility and transparency

        I think they are transparent in the hardware area. I didnt find it very easy to find out where exaclty who is getting how much money, with what companies they share production facilities etc. But I understand that point.

        Just want to stress that their software and their de facto limitations due to standars hardware suppliers like anyone else, are not really transparent.

        Cheers!

        • Varyk@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          At this point, minimal anonymized data is fine by me. I equate it with walking down the sidewalk and people who don’t know me being able to know what color I want my hair to be. Not what color it is, but what I would like it to be.

          Honestly even minimal non-anonymized data doesn’t really bother me relative to the changes that an ethical company makes.

          I’m not sure what e specifically uses, I know that murena allows you to choose your app store according to whether you want to use open source apps or not, or tethered to play services or not.

          Yeah, non-expandable storage is incomprehensible to me, having used phones with expandable storage and having used phones with non-expandable.

          • Pantherina@feddit.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            Keep an eye on DivestOS. It seems to be somewhat similar to GrapheneOS but on more devices.

            I think the changes are a bit too many though. They support microG in the GrapheneOS sandbox, which may be pretty cool (until it breaks, or you need stuff not included in microG)

            I think 128GB is enough, but a small phone with a headphone jack, good cameras and a working fingerprint sensor…

            • Varyk@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              10 months ago

              I am pure Bluetooth, I was very happy to get rid of the headphone jack.

              Thanks for the OS recommendation.

              Oh, if you’re interested in cameras, you should check out the side by side videos of fairphone cameras with pixels and iPhones. At least half the time, I prefer the fair phone camera shots I’m seeing.

              I don’t know if it’s less processing or what, but something about the fair phone photos look better to me, even without umpteenth megapixel updates.

              128 GB is way too small for me. I can work with it, but it’s like 12 minutes of video and I take a lot of video.

              7 years ago I had an oppo with their proprietary usb charging that went zero to 80 in 30 minutes and had up to four gigabytes expandable storage, I had 512 gb on there, 6gb ram.

              The state of phone tech today is crazy to me, the one percent increase in CPU processing power every month means nothing to me if I can’t take more than 20 minutes of HD video and edit it without the phone crashing.

              Also, not really relevant, bring back front facing speakers! I want a phone with front facing speakers again so bad.

                • Varyk@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  10 months ago

                  I read about that on the graphene forum, i wouldn’t mind waiting a few seconds for a higher level of security

                  • Pantherina@feddit.de
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    10 months ago

                    No, not at all.

                    I am on Secureblue now on my Laptop, which also takes way longer to start. This is a different thing, but in general, “performance improvements” are often dangerous security drawbacks.

                    Like this Zygote thing in Android where all Apps share some memory parts or the layout or whatever (already forgot it) which makes them similar to each other and predictable for memory exploits.

                    On Linux there is something like “zero trust randomization” which increases startup time, because the OS doesnt trust the hardware to do good randomization and instead does it itself.