If I’m charitable, I could assume they intended to make a controversial move to drive public attention to the growing government restrictions on innocuous apps. As far as I know, though, nobody at F-Droid admitted to this; and if they were, why didn’t they mark other widely used apps like Wikipedia and Reddit frontends that provide easy access to much more sexually explicit content in the same protest?
If I’m less charitable, and go by what F-Droid admins actually said, they took this action out of a sincere belief that these apps contained content unsafe for minors that necessitated flagging, and sincerely believed that Wikipedia and Reddit frontends somehow don’t qualify for the same. If they honestly believed this, it demonstrates (to me) poor judgment; and since the action was walked back almost immediately due to negative public response, that indicates further that they never actually believed this in the first place, and that instead somebody took it upon himself to specifically target religious apps out of his own bias.
Either way, it really soured me on the judgment of the F-Droid maintainers. After a stunt like that, I no longer trust them to fight the battle against oppressive government restrictions on operating systems effectively. Formerly an F-Droid user of many years, this caused me to switch away completely: I’ve started donating monthly to Accrescent instead, download as many apps as I can from there, and switched from F-Droid to Obtainium for any apps not yet on Accrescent.
scrollop 5 hours ago [-]
Will F-droid continue when Google bring in their changes, soon?
microtonal 4 hours ago [-]
Even with Google's changes, F-Droid will continue to work with Android phones that do not use Google GMS.
If you care about actually owning your device, install something else than stock OS. I would recommend GrapheneOS, since the security of some/most other alternatives is pretty bad.
miroljub 3 hours ago [-]
GrapheneOS works only with Pixel devices, which doesn't make it much useful for the vast majority of Android users.
hypercube33 3 minutes ago [-]
Huge opportunity for Lenovo/Motorola here who have been the quiet Linux favorite for a while but we shall see if they even bother.
microtonal 3 hours ago [-]
Indeed. Sadly the reality is that most other Android devices are simply not secure enough. Many Android phones do not have a separate secure enclave (outside Pixel and IIRC Samsung flagship and A5x range), so they are vulnerable to breaking PIN-based unlocking, side channel attacks, etc. Besides that they often only provide old vendor kernel trees, old firmware blobs, etc.
So, you have to wonder whether you want such a phone anyway if you care about security and privacy. If you don't care about security anyway, you could as well run /e/OS, etc.
Above-mentioned Samsung phones could perhaps make the cut, but don't support unlocking anymore (and when they still did, would blow a Knox eFuse).
saintfire 2 hours ago [-]
Reduced security has always annoyed me a bit as an argument. Sort of in the same way as signal deprecating SMS because it's insecure.
I get all or nothing when your threat model is state actors. However, for most people, the benefit is just freedom from corporate agendas.
Not everyone needs kernel hardening, or always E2EE (as with Signal). Personally I just like the features it provides (e.g. scoped storage, disabling any app including Google Play services, profiles, etc.).
It's also an easier sell to people who are apathetic to security when the product is just better and more secure, the same way Apple does (for whatever their reasons may be).
All that said, I get they're limited in funds and manpower, plus the things mentioned at the end there, so I can only be so peeved they chose a target and stuck with it. They typically cite security as the reason, not those other ones, however.
thewebguyd 3 minutes ago [-]
> I get all or nothing when your threat model is state actors.
The problem for those of us in the USA, that labels anyone who disagrees with the current administration and ICE as a domestic terrorist, means that now everyone's threat model is a state actor.
The threat model of every citizen that dares to exercise their first amendment rights now escalated beyond corporate agendas to "How do I make sure Israeli & Palantir spyware doesn't end up on my phone? How do I make sure if my phone does get confiscated, Cellebrite can't image it or access the data?"
Even if that weren't the case, I see no valid reason to be lax with security in 2026. There's no excuse anymore, I mean we still have OEMs selling phones that they do not issue security updates for after purchase. That's just gross negligence.
microtonal 26 minutes ago [-]
> Reduced security has always annoyed me a bit as an argument.
Security is one of the main selling points of GrapheneOS, I can fully understand that they don't want to weaken that by supporting fundamentally insecure devices.
I think a nice side-effect is that they only focus on a small number of devices (Pixels) and support those really well. I have followed the /e/OS forums for a while and many devices have constant regressions because it is hard to validate each release on tens of devices.
> I get all or nothing when your threat model is state actors.
People do have different threat models, though I think up-to-date software should be the baseline for everyone and where pretty much every phone outside iPhone, Google Pixel, and a subset of Samsung phones fail. Also, I think having a secure enclave should be the baseline, since phones do get stolen.
> It's also an easier sell to people who are apathetic to security when the product is just better and more secure, the same way Apple does
That's really a weird example though for supporting the argument that GrapheneOS should support more devices. Isn't Pixel + GrapheneOS then pretty much iPhone + iOS? Privacy-respecting, secure, not pushing AI subscriptions all the time (though iOS is getting worse in that respect), offering useful functionality?
At any rate, I understand if you have another phone, you wouldn't buy a Pixel for GrapheneOS, but it does make sense to buy your next phone for running GrapheneOS. Pixel covers a pretty wide price range too, e.g. the Pixel 9a was 349 Euro here recently, all the way up to the Pixel Fold.
Novosell 56 minutes ago [-]
Oh man, I am still annoyed about Signal removing SMS support. Had to add another app to my phone and I can now no longer accidentally discover that someone I'm texting has Signal, which happened more than once to me!
RealStickman_ 2 hours ago [-]
Perfect really is the enemy of good when it comes to GrapheneOS
tjpnz 24 minutes ago [-]
Every GrapheneOS proponent I've seen has claimed that other devices are inferior to Pixel security wise, and that's why they're not supported. That always sounded a bit odd to me and certainly seems to have a bit more nuance based on your comment. Thank you for adding some clarity here.
izacus 5 minutes ago [-]
There's really nothing odd that the company that runs Project Zero also builds devices that are well secured.
CivBase 49 minutes ago [-]
Imagine if the Linux project had this same mentality. Thank goodness they don't.
microtonal 23 minutes ago [-]
Imagine if Apple had this same mentality, they would never be where they are.
(/s in case it is needed.)
As a smaller project, choosing a small set of hardware and supporting it really well (aside from security reasons) seems like a much better strategy than supporting tens of devices badly (go to e.g. the /e/OS forums to see what regressions people are dealing with after monthly updates).
scrollop 4 hours ago [-]
Would love to ditch google and use grapheneOS, however have so many banking and (stupid) outlook for work.
Even if it works now, how can you be sure the next app update doesn't break it in the name of security?
amelius 7 minutes ago [-]
Because it would cause public uproar.
ekjhgkejhgk 2 hours ago [-]
> Would love to ditch google and use grapheneOS
grapheneOS only works with google phones.
kruffalon 31 minutes ago [-]
For now[0].
And I don't really think that people mean using google hardware but rather being mined by google software.
May I ask, if you (a) just want to be technically correct, (b) don't see the difference or (c) are trying to make a point I don't understand and if so would be willing to explain?
I would rather pay a one off ransom to google, than have them harvest all my data and profit from them in perpetuity.
Better yet, you can buy a used pixel phone.
burningChrome 56 minutes ago [-]
Pixel 9 Pro handsets are going for around $500 on the secondary markets like eBay. That's only a single generation off from their current Pixel 10 models and you still get OS and security updates until 2031.
Not a bad deal and pretty crazy how fast smartphones depreciate now.
microtonal 19 minutes ago [-]
Indeed and Pixel 10 was 549 Euro here just a few weeks ago and Pixel 9a as low as 338 Euro.
ninjasmosa 4 hours ago [-]
The outlook app works for me on GrapheneOS, is there something about it that doesn't work for you?
Many banking apps do work on GrapheneOS, the list had already been linked to by others
TobTobXX 4 hours ago [-]
The Outlook webapp is quite decent. I've never used their native app, but I've managed to get by fine with their webapp, even though notifications don't work (I just check it regularly). IIRC K9/Thunderbird also has support for Exchange now.
sheiyei 4 hours ago [-]
Apparently a lot of banking apps work with the sandboxed Google malwares. Not sure though, I'm not a user (wrong hardware)
microtonal 3 hours ago [-]
Correct. I am using my Dutch bank and credit card apps without any issues. Someone linked the curated GrapheneOS banking list already. If your bank does not support it, you could either contact them. If they require remote attestation, this can be implemented for GrapheneOS as well:
If the bank is very hard-nosed about it, you could consider keeping an old iPhone or Pixel (because long security updates) for banking if it is practical to do for you. 95% without big tech is also a big win. Of course, if you need to have it with you at all times, that might not be a worthwhile option.
wafflemaker 4 hours ago [-]
can confirm. And there are even some pages that list banking and other apps working on GrapheneOS. It's actually very few that don't work with sandboxed Google Play API.
Why do people need banking on their phones though? Banks have websites too.
pmontra 2 hours ago [-]
This is asked again and again. Apparently you guys in the USA or in other parts of the world are still lucky, but in Europe banks must be compliant with regulation that more or less forces them to do 2FA through their app with the biometric authentication of either an Android or an iOS phone. There are other ways (e.g. giving a hardware OTP generator to customers), but apps are the cheapest solution.
gyulai 2 hours ago [-]
> Why do people need banking on their phones though? Banks have websites too.
2FA. I was a smartphone hold-out for longer than anyone I know, but banks mandating 2FA with no options for doing it in a standards-compliant way or any way that doesn't involve the app stores was what finally broke my resistance.
zipping1549 2 hours ago [-]
My bank has no website or physical branches. They’re mobile-only, but their app is leaps and bounds ahead of the competition.
rkagerer 3 hours ago [-]
I don't much like the official Outlook app. Been using Nine for ages, it does everything I've needed.
kgwxd 3 hours ago [-]
Can you not set up your work email through a regular email client? I thought the days of being locked into Outlook specifically went away with Exchange. Everywhere I've worked since has been able to.
Also, what kind of banking are people doing that requires an app? I genuinely don't know what it could be.
duozerk 2 hours ago [-]
> Also, what kind of banking are people doing that requires an app? I genuinely don't know what it could be.
Close to every bank in the EU requires their user to have an app, for MFA (both for logging in and for validating transactions - transfers, payments). They use the smartphone's TPM. I have yet to see one that allows you to use your own MFA app.
The few I've seen that don't require it will validate the same through text messages (not everyone has a smartphone); though if you associate their app even once, you're screwed - the app it is from now on.
wizzwizz4 30 seconds ago [-]
> though if you associate their app even once, you're screwed
Can you go in branch and get that fixed?
bluebarbet 2 hours ago [-]
> Close to every bank in the EU requires their user to have an app
Possibly this was hyperbole but in any case it's not correct at all.
Anecdotally, of my two EU (massive legacy French) banks, neither requires a mobile app. SMS all the way.
Even Wise, a cutting-edge neobank, does not require you to use its app. And its website accepts standard TOTP authenticator for 2FA.
Revolut is app-only, which is why I never use it.
duozerk 10 minutes ago [-]
> Anecdotally, of my two EU (massive legacy French) banks, neither requires a mobile app. SMS all the way.
My wording was bad, sorry; but try to install their app just once. After that, I'd bet you won't ever be able to go back to SMS validation (which is what I was talking about at the end of my comment).
If not, I'd be curious to know the banks you're talking about (to consider switching to them, for one thing). What I said above is true of Caisse d'Epargne, HSBC, CCF, among others.
microtonal 16 minutes ago [-]
Here in The Netherlands banks used to offer authenticator devices, which they are phasing out (you can still use them, but they won't replace them once they run out of battery). Pretty much all banks switched to app-only.
No SMS at all (which is not surprising, because SMS is not secure).
Also, IMO fingerprint/face-based authentication is much nicer/quicker, especially for online payment flows like iDEAL (Dutch predecessor to Wero). And banks here work on GrapheneOS, so not much is lost.
wafflemaker 3 hours ago [-]
It's way more comfortable to login with fingerprint and not going through a longer login to the website.
Especially since in many countries it requires a national e-ID that is an app on your phone.
scrollop 52 minutes ago [-]
It's nice to have widgets.
echelon 4 hours ago [-]
This piddly open source effort pales in comparison to what we should really be doing:
Horizontally splitting Google into multiple companies.
Not division via department splits, but equal partitioning across the company into multiple horizontal businesses that compete on the same offerings.
The EU and next DOJ/FTC need to force this.
microtonal 3 hours ago [-]
I agree, but the probability that this is going to happen anytime soon is near-0. The current US administration is not going to rein in the tech broligarchy and if they did, it would be done out of spite and the pieces would be sold to administration-aligned oligarchs (e.g. Ellison), which might end up being worse.
The EU is not going to force this, because it has enough fights to pick with the US, and this is not the hill that they are willing to die on. It would be far more likely for them to financially support an AOSP-based OS.
lukan 2 hours ago [-]
The EU simply is not (and should not) be able to split up google who operate internationally. But they can regulate the EU market and declare that a monopolist cannot operate there as a monopolist and introduce any arbitrary rule achieving it.
microtonal 2 hours ago [-]
Yes, though I think that is what echelon was aiming at - the EU saying either you break up or you cannot do business here.
burningChrome 45 minutes ago [-]
Not sure if you know this, but both Biden and Trump (in his previous admin) had their DOJ file lawsuits against Google. "United States v. Google LLC," which was filed in 2020 and focused on Google's dominance in search and advertising markets. A separate case was filed in 2023 targeted Google's monopolization of digital advertising technologies. The State of Texas also sued them in 2020.
Google lost all three cases. The DOJ in all three recommended the company be broken up, but the judges disagreed. If you want to blame someone, then blame the judges, not the current admin or Biden's DOJ - both of whom said Google should be broken up.
microtonal 11 minutes ago [-]
Trump 2 is very different from Trump 1 though. Trump 1 still had competent, less corrupt people in many positions. Grifters are going to grift.
Anyway, I am going to stop here, since this will probably derail in a non-productive political discussion otherwise.
duskdozer 4 hours ago [-]
As of now, Google isn't destroying non-Google android installs, so F-droid will still work there (correct me if wrong). So until Google takes android fully closed or succeeds in getting popular/necessary apps to blacklist non-Google-verified devices, F-droid still has a role
izacus 3 hours ago [-]
Is there a KDE/GNOME/kernel-like group forming to take over Android AOSP development and provide free alternative yet?
riedel 4 hours ago [-]
I hope so. The changes can mean two things: people can only use it easily in custom ROMs (I guess there is an overlap there) or they actually would play with Google: I guess technically they could as well register and sign the stuff with a Google key as the software is all FOSS and would allow defining another responsible developer (otherwise Google would have to throw out all FOSS without CLA from their Play Store). I guess quitting would be an option, but IMHO the outrage outside the bubble would probably be hardly noticeable, so what would be the point?
brador 4 hours ago [-]
You always start open source at the kernel.
Linus knew this day 1 and it bows to no one.
iberator 4 hours ago [-]
what do you even mean?! start what at the kernel?
kernel is locked and most phones can't be rooted anymore
https://privsec.dev/posts/android/banking-applications-compa...
---
[0] https://piunikaweb.com/2026/02/02/grapheneos-non-pixel-hardw...
https://grapheneos.org/articles/attestation-compatibility-gu...
edit: https://privsec.dev/posts/android/banking-applications-compa...