by code-blooded 543 days ago
CalyxOS is the alternative to Graphene mentioned above. CalyxOS has somewhat different goals - it cares about privacy more than security and completely removes Google services instead of sandboxing them (they get replaced with MicroG, which is a shim of Google services so that the majority of apps continue to work). I successfully used it for a few years on my Pixel 4a. Most apps just worked, including banking, but some didn't. Notably, dating apps didn't work well and Uber's map didn't look right.

Graphene completely removes Google services in the default install. There is an option to install a sandboxed version of the Google Play Store, with enhanced privacy and security, but you don't need to install this or any other Google services if you don't want to, and I have opted to keep my Graphene installation Google-free.

There is a disagreement between the Graphene and CalyxOS communities about which is more secure/private: Graphene's sandboxed Google Play Store, or CalyxOS's MicroG. I've read posts advocating for both sides, but I don't have the expertise to have an opinion, and I decided that I don't want either piece of software on my phone, since I don't want to run Google code or Play Store apps.

Although I'm not expert enough to validate the following claims, here's what I've read.

Graphene people claim that MicroG needs elevated privileges to run, privileges that Graphene doesn't grant to any app. MicroG also loads and runs Google code (in a context where that Google code would presumably have access to those elevated privileges). Graphene's version of the Play Store emulates some APIs without using Google code (for privacy), and sandboxes the Google code that it does run, running it with reduced privileges. This is a security-first posture, keeping in mind that if you don't have security, then you can lose privacy via exploits of your security holes.

CalyxOS's MicroG emulates a larger fraction of the Google Play APIs, making it less reliant on Google code to operate, and this is the source of the claim that MicroG offers more privacy.

It's really not feasible to run most apps without Google Play APIs/MicroG. The most problematic issue is the notification API.

MicroG runs with elevated permissions to avoid being killed, and so that it can continue listening to socket events. Once an event arrives, it decodes it into a notification, packages it into an RPC request, and wakes/runs the target application activity. Then it, crucially, uses the elevated privileges to override the default policy to also allow the target application to run without interruptions for 20 seconds (to process the notification).

I get my apps from F-Droid, which guarantees that the apps are open source, free of most "unwanted features" (i.e., not malware), and don't depend on Google Play APIs. Apps written to the F-Droid standard don't use Google Play APIs for notifications. I acknowledge that most people want to run closed-source apps from the Google Play Store, but I consider those apps untrustworthy, and what I do won't work for most people.

The specific privilege that MicroG wants and that GrapheneOS doesn't allow is the ability to spoof the signatures of other apps. GrapheneOS runs the Google Play APIs in a sandbox, and this sandbox allows push notifications to work, so that's not the problem with MicroG from a GrapheneOS perspective.

I really wish they would just allow microG, sandboxed in the same way as Google services (like DivestOS does), behind as many security warnings as they see fit.
The DivestOS project puts a stronger emphasis on device longevity and on libre software ("free as in speech"), so their microG implementation was just a better fit for their case.

- https://github.com/Divested-Mobile/DivestOS-Build/discussion...
- https://discuss.privacyguides.net/t/divestos-unprivileged-mi...

They didn't have a microG implementation, from what I can tell. From your first link:

> DivestOS will not include microG or the GrapheneOS' Play Services sandbox.