> OS in lockdown mode has multiple features disabled [...] while GrapheneOS is just...

...disabling features. Android Auto, Google Pay, enhanced GPS, SafetyNet, push notifications, support for any apps requiring device integrity, etc.

They aren't redesigning and re-implementing these features securely, they are reducing attack surface just like lockdown mode.

>> [...] while GrapheneOS is just... > ...disabling features. Android Auto, Google Pay, enhanced GPS,

This is broadly false, not just misleading but false. - Android Auto: working wired or wireless without problems - Google Pay: app vendor choice to put it behind DEVICE_INTEGRITY check, not OS vendor. NFC payments work just fine with other vendors. - enhanced GPS: whatever that means, is most likely false. Users don't experience any issues with GPS

> SafetyNet

SafetyNet Attestation API is deprecated and no longer available so also not true. But from the context I think you meant Play Integrity API.

This is Google Services feature, not AOSP feature. GrapheneOS is an AOSP-based system.

GOS passes MEETS_BASIC_INTEGRITY. It doesn't pass DEVICE_INTEGRITY because it doesn't run privileged, unbound Google Surveillance Services (according to Google 10 year old phone not updated for 8 years is more secure as long as it allows Google Services sniff everywhere). It cannot pass MEETS_STRONG_INTEGRITY they way Google requires it because AFAIR that thing is signed by the TPM. It does provide an alternative STRONG_INTEGRITY assurance based on the AOSP Hardware Attestation API (which many developers in fact use).

> push notifications,

This is so false it should be called out as a lie, not just a falsehood. Reliable push notifications are supported both in the standard way (if user decides to do so), via GCM, or in one in the alternative ways, for example UP, exactly like on the standard Android phone.

> support for any apps requiring device integrity, etc.

This is also a lie or ignorance. See above. For example Starling Bank has explicitly implemented GOS Hardware Attestation API.

> They aren't redesigning and re-implementing these features securely,

What do you mean?

hardened_malloc? Memory tagging for entire kernel? automatic switch to BFU after timeout? USB data blocked by default with the screen locked? Network permission toggle? Storage/contact scopes? Critical patches released seemingly _months_ before the major vendors?

LOL. Half of your claims are either lies or misrepresentation.

The other half (Google Pay and Play Integrity) are vendor functionality. They would have to spoof (fake) it - exactly like rooted phones do (and which can often be detected). Or allow Google in the privileged mode, which is not going to happen.

That has been explained by the development team _so_ many times already.

They cannot "re-implement" a feature that *GOOGLE* offers to the developers using *Google store*. That would for example require using leaked private key. They are challenging Google's stance on Play Integrity with EU commission, because there is no technical reason to bar the safe hardware+OS passing a standard AOSP hw attestation.

This is an AOSP OS, not a hacked Google Pixel ROM.

> they are reducing attack surface just like lockdown mode.

They are reducing attack surfaces without locking down functionality. Google deciding to not support the competition is not GOS locking somehow down.

Entirely different from Apple's lockdown mode. QED.

I wouldn't mind listing _downsides_ of using GOS as a first/main device (because there are many), but I prefer facts over confabulations :)

I fail to see any meaningful difference between breaking and disabling a feature.

So you fail to see the difference between AOSP functionality and proprietary Google services?

So why are we even discussing?

Most of the alleged issues you raised are either untrue or broken *by Google*, by design, and yet you attribute them to GOS.

Somehow you also decided to bundle the functionality broken by Google with the security improvements available without turning on any specific, special mode.

What disabled features are you talking about? Face unlock? :)