A note on operating system security¶

There is a singular all-or-nothing, all-encompassing Android security bulletin released every month that covers security issues across the entire system.
Below we break it into five parts solely for ease of understanding for you to determine the general security of a given operating system.
Being behind on any one part means the system is inherently insecure.

1. the version of Android itself, newer versions have more security features/hardening
2. the ASB patch level, these are essential security patches
3. the Pixel ASB patch level, these are recommended security patches and are only provided for the latest Android version. Despite the name, the majority are NOT Pixel specific as described here.
4. the vendor ASB patch level, see Qualcomm
5. and lastly the Linux kernel version

• GrapheneOS, with the exception of the Pixel 4 series, strictly only supports devices that have all parts updated.
• CalyxOS, with the exception of the Pixel 3/4 series and other non-Pixel devices, in theory only supports devices that have all parts updated.
• LineageOS can help with 1, 2, 3, and usually 5, but if a device is out of support by its manufacturer it cannot help with 4.
• DivestOS, being Lineage based helps with 1, 2, 3, can minimize 4 via the deblobber, and improve 5 significantly using the CVE auto-patcher.
• Any of the above operating systems will be an improvement for any device that is no longer receiving support from its manufacturer if they continue to offer monthly updates with at least some parts covered.

What about this other OS?¶

• CalyxOS occasionally falls behind updates (see 1 and 2), has no added hardening features, and primarily only supports Pixels which are better supported by GrapheneOS.
• /e/OS has many severe issues as documented here.
• iodéOS has numerous issues as documented here.
• UBports, based on Ubuntu 20.04, lacks encryption support, retains many of the Android components via Halium, and uses unpatched & end of life kernels in many of its featured devices.
• Replicant 6.0, based on LineageOS-13.0, hasn't received any security patches in years and the devices run decade+ old Linux 3.0 kernels.
• Proprietary aftermarket systems should be avoided as they generally do not provide enough additional value over the existing open source options that are available.
• GSIs should be avoided, they do not provide the kernel or vendor components and cannot utilize many security features.
• Lastly many aftermarket systems often do not provide consistent and timely updates to the system WebView component as documented here. This is a security critical component of the system not included in the ASB that is frequently overlooked and/or ignored.

Does DivestOS make my device secure?¶

The short answer: No.
The long answer is that DivestOS is likely the best harm reduction option if your device is no longer in support by its manufacturer or vendor.
Any project or product claiming they make end-of-life devices secure should be rigorously scrutinized.
If you want a reasonably secure and well-maintained device, please acquire a newer Pixel (6/6a/7) that is fully supported by GrapheneOS and use it instead.
Lastly it must be noted that privacy and security go hand-in-hand, there is a fundamental limit of how much privacy you can achieve if you do not have security backing it up.

Branches¶

Last updated: 2023-06-02
Asterisk* denotes known missing patches
DivestOS inherently cannot and does not include all patches from the monthly Android Security Bulletin.
The patch level shown in the Settings app on DivestOS should not be regarded as accurate, in favor of this page. It merely conveys the most recent month that it may contain patches from.
Also of note, DivestOS typically takes eight months to stabilize after a new Android version is released.

A historical comparison of operating system patch levels is available here, along with patch counts documented here.

Linux Version Status¶

Last updated: 2023-06-02

Devices¶

Last updated: 2023-05-07
Of note, DivestOS only includes firmware on select devices as documented here.
Devices listed below denoted with a '★' can be considered reasonably secure if firmware is included, the device is relocked, and it supports verified boot.
Please also take into account whether or not a device actually has a working bootloader.