Notices by GrapheneOS (grapheneos@grapheneos.social)

Android Security Bulletin for April 2025 has 2 more vulnerabilities marked as being exploited in the wild.

GrapheneOS fully prevented exploiting both vulnerabilities for locked devices, made both far harder to exploit while unlocked and already had both patched for a while too.

CVE-2024-53150: heap overflow (read) in a Linux kernel USB sound card driver
CVE-2024-53197: heap overflow (write) in a Linux kernel USB sound card driver

These vulnerabilities were being exploited by Cellebrite for data extraction from locked Android devices without GrapheneOS.

Murena sells highly insecure devices without basic privacy/security patches or the standard privacy/security model intact. Direct opposite of GrapheneOS in regards to privacy and security. It also lacks the stability and app compatibility of GrapheneOS...

https://xcancel.com/gael_duval/status/1905171960138547267

Murena, the company behind /e/OS, heavily pushes using both an insecure OS and services. Their services lack end-to-end encryption and are the opposite of private. People purchasing their devices are making a huge privacy and security sacrifice compared to simply using an iPhone.

Murena misleads people into wrongly believing that GrapheneOS is harder to use as their CEO is doing there. GrapheneOS has far better app compatibility, far better stability and unlike /e/OS is a serious production quality OS keeping up with updates and keeping things working.

/e/OS is a fork of LineageOS, a volunteer developed project focused on broad device compatibility and power user features rather than privacy or security. /e/OS is a security disaster even compared to LineageOS with far longer update delays and far more security regressions.

Here's another example of the CEO of Murena replying to a post about GrapheneOS trying to mislead people about it and promote their products:

https://xcancel.com/gael_duval/status/1904097790977810458

Here's a high quality third party comparison between Android-based operating systems:

https://eylenburg.github.io/android_comparison.htm

Despite all the money Murena makes selling overpriced insecure devices and grifting EU government funds, they aren't even able to keep their non-end-to-end encrypted services up. Those services were recently down from early October until mid-February. That's not remotely serious.

Here's another on X:

https://xcancel.com/gael_duval/status/1887528529694273590

Gaël Duval consistently misleads people about the ease of obtaining GrapheneOS, app compatibility, usability and privacy. These desperate posts on X, Mastodon and elsewhere are a small fraction of it. It's Murena's company policy.

@bjb @spyro The CEO of a company is using their personal, project and corporate accounts to mislead people about GrapheneOS with dozens of posts across different platforms in the past few months. There have been hundreds over the longer term. Hopefully they see it and realize that what they're doing is counterproductive. Overall, they've done the opposite of promoting their products. We don't have products to sell and most people who support us want to be informed that this is happening.

@spyro @bjb

> i literally replied into this thread, precisely because it is exactly what you accuse your opponents of.

We've done nothing of the kind. We haven't made any false claims. Everything we've posted about it is accurate and verifiable. You can read about the widely acknowledged insecurity of /e/OS from many reliable sources.

> Stop trashing them with comments like 'insecure is' etc.

We're warning people against using something unsafe that's promoted with false marketing.

@spyro @bjb

> Anyone can accused any project of being insecure.

/e/OS is objectively highly insecure. It doesn't provide the current Android privacy and security patches. It doesn't keep basic parts of the privacy and security model intact. It's not an accusation but rather factual information about it which you can confirm from many sources.

> So stop going on about them, and tell us why, in detail, you feel your project is better.

GrapheneOS is in an entirely different space anyway.

@spyro @bjb

> There are plenty of other actors who will trash e/OS for you, if it's so awful as you claim.

/e/OS are the ones targeting GrapheneOS with highly inaccurate claims and spin for years. You're getting angry with us for posting a single thread responding to months of their attacks on us. We only linked a few of their posts on X but could also link dozens on Mastodon, their forum and elsewhere. We may respond to more of it. We'll see if they stop or continue doing it first.

@spyro @bjb

> Post your developments, improvements, and findings about YOUR OWN OS.

Nearly everything we post in our timeline is about GrapheneOS. The thread you're responding to is about GrapheneOS. It's a response to years of attacks on it from Gaël Duval, /e/OS and Murena project/corporate accounts where they keep making misleading and false claims about it across platforms along with personal attacks on our team including fabricated stories aimed at directing harassment towards them.

@spyro @bjb /e/OS is not a hardened OS. It does not substantially improve privacy and security compared to the Android Open Source Project like GrapheneOS but rather substantially reduces both. They do not provide users with the current privacy and security patches and do not keep basic parts of the security model like verified boot or the full standard app sandbox intact. It's a misconception that they're at all similar or working on the same things. We are not working towards the same things.

@spyro @bjb We recommend the third party comparison between Android-based operating systems at https://eylenburg.github.io/android_comparison.htm as a starting point to understand how vastly different they are.

This is the data shown about updates for /e/OS there:

> Security update speed (AOSP subset of ASB)
>1-2 months, sometimes longer
> Full patches on fully supported devices
> Many months to over a year

Nearly all the devices they support are far more behind than this. This is the best case for devices like Pixels.

@spyro @bjb Do you disagree that providing patches for known, public privacy and security vulnerabilities is part of the bare minimum for protecting user privacy and security? It is not something advanced or only relevant to protecting against sophisticated attacks. It's basic privacy and security protection which every user should be provided from all of the software they use without major delays.

It's not ethical for devices with such severe privacy problems to be marketed as highly private.

@spyro @bjb

> But two projects tearing each other down is not what i want to see.

They're selling people highly insecure devices which are presented as something they're really not and through that harming them. We are not on the same side as them.

> So why rise to the bait, if that is what you think their project is doing?

They're harming GrapheneOS with their inaccurate claims about it and fabricated stories about our team. We're showing them that there will be a cost to them doing it.

@spyro @bjb We don't need input from /e/OS supporters into why we shouldn't response to years of attacks on us from /e/OS and criticize with accurate and factual content as we've done here. You are not going to convince us to stop posting that kind of content about it. You're only going to encourage us to post much more of it with your highly biased replies in support of people who effectively scammed you.

Convince the people who have made years of attacks on us to stop doing it bothering us.

@460c25e682fda7832b52d1f22d3d22b3176d972f60dcdc3212ed8c92ef85065c @ecda4328c0bb929ca285a42762f4fffd632d358ea4841fcb7424b7101278f072 That's not what happened at all. Rossmann is intentionally targeting our team with harassment by pushing blatant spin and fabrications aimed at a Kiwi Farms audience. He openly has an account on that harassment site and regularly posts rants attacking people he wants them to target. Rossmann targeted Asahi Linux too for supporting us against his attacks.