postmarketOS vs GrapheneOS

Posted Jan 31, 2026 0:48 UTC (Sat) by DemiMarie (subscriber, #164188)
Parent article: Open source for phones: postmarketOS

GrapheneOS takes a different approach. They have agreements that allow them to receive Android updates when they go to production, rather than much later. Unfortunately, they can only ship security patches in binary form for several months.

The advantage is that GrapheneOS is vastly more secure than any desktop Linux-based that does not isolate every application in a virtual machine. I believe GrapheneOS intends to use VM-based isolation in the future, which will close the remaining gap with Qubes OS. The drawbacks are that GrapheneOS only supports Google Pixels, relies on Android continuing to be something they can use, and is dependent on access not available to the general public.

To me, the main advantages of postmarketOS are e-waste reduction and risk mitigation. Old phones that no longer receive security updates, but which have the wireless stack and modem disabled and use trusted USB NICs, can be used as sensors, servers, or kiosks. The firmware attack surface is much less of an issue here, as so long as accelerators (GPU, NPU) are disabled it simply isn’t attackable by untrusted code. postmarketOS also provides an alternative in case Android becomes closed source and GrapheneOS and others are not able to successfully fork it or create an alternative.

That said, not everyone has security as their top priority, and postmarketOS also has usability advantages. Not everyone likes Android’s UI! It is also a super cool project in its own right, and I’m glad it exists.

I wonder if integrating Spectrum with postmarketOS could someday mitigate some of its security weaknesses. Spectrum is very much not ready yet, but it could provide verified boot, virtualization-based partitioning of applications, and sandboxed drivers.