Device hardware, firmware, and software are integrated to protect your most sensitive data from mobile threats. With Moto KeySafe, PINs, passwords, and cryptographic keys are isolated from other device data for an added layer of high-level security.
An implementation of StrongBox KeyMint must contain the following:
Its own CPU
Secure storage
A true random-number generator
Additional mechanisms to resist package tampering and unauthorized sideloading of apps
A secure timer
A reboot notification pin (or equivalent), like general-purpose input/output (GPIO)
I agree, Motorola is owned by Lenovo. They have found middling success with the return of their Razr line and with phones in the lower to mid tier range. But they really want something super flagship. Something like the Think Phone would have probably sold really well with a Graphene option.
Yeah this sounds like what Graphene insists on.
That sounds like a fancy speak for a Trusted Platform Module. Isn’t some kind of TPM mandatory to obtain a google certification for a new device?
Yeah, a TPM or secure element. I don’t think it’s required.
It (unfortunately) isn’t required. Most current Android devices on the market have serious security issues (most notably, full disk encryption can easily be bypassed due to a lack of effective unlock attempt rate limiting) due to their lack of a secure element.
Are you sure there’s no rate limiting? My phone definitely does rate limit the on-boot disk decryption prompt. Do you mean there’s no rate limiting if someone detaches the NAND and brute-forces it off-device?
That rate limiting can easily be bypassed by an attacker. In order to be effective, the rate limit needs to be enforced by tamper-resistant hardware, i.e. a secure element. Here are some of the requirements for a secure element: https://developer.android.com/privacy-and-security/keystore#StrongBoxKeyMint
For details, I recommend reading:
Only devices with a proper implementation of a secure element (Titan M2, i.e. Pixel 6 or later, or the Apple SEP, i.e. iPhone 12 or later) are actually resistant to brute-force attacks by forensic data extraction tools, such as Cellebrite or GrayKey. GrapheneOS has obtained some internal documents from multiple forensics companies. They published the Cellebrite docs at https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation
Specifically, I recommend looking at this chart:
It clearly shows that data cannot be extracted from iPhones with the SEP, unless the device is in the AFU state, meaning that the encryption keys are kept in memory.
Those are the charts for Pixels:
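An added illustration of the point made in the comment above about hardware-enforced rate limiting (not part of the thread, and not any real chip's interface): a toy Python model in which the secret the disk key depends on is released only by a component that keeps its own failure counter and timer. The class name, the lockout schedule and the 1000 guesses per second figure are constructed assumptions.

```python
import hashlib, hmac, os

def lockout_seconds(failures):
    """Constructed schedule: 4 free tries, then 30 s doubling, capped at 1 day."""
    if failures < 5:
        return 0
    return min(30 * 2 ** min(failures - 5, 12), 86400)

class SecureElementModel:
    """Toy stand-in for a tamper-resistant chip; not any real device's API."""

    def __init__(self, pin):
        self._salt = os.urandom(16)     # held in the chip's own secure storage
        self._secret = os.urandom(32)   # random value the disk key depends on
        self._verifier = self._derive(pin)
        self._failures = 0              # kept inside the chip, survives reboots
        self._locked_until = 0          # measured by the chip's secure timer

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 1000)

    def unlock(self, pin, now):
        """Return the secret for the right PIN, else None; `now` is the chip's clock."""
        if now < self._locked_until:
            return None                 # throttled: even the right PIN is refused
        if hmac.compare_digest(self._derive(pin), self._verifier):
            self._failures = 0
            return self._secret
        self._failures += 1
        self._locked_until = now + lockout_seconds(self._failures)
        return None

def seconds_to_exhaust_throttled(pin_digits):
    """Enforced waiting to try every PIN when each guess must go through the chip."""
    return sum(lockout_seconds(n) for n in range(1, 10 ** pin_digits + 1))

def seconds_to_exhaust_unthrottled(pin_digits, guesses_per_second):
    """Same search when the only limit is how fast the guesser can compute."""
    return 10 ** pin_digits / guesses_per_second

if __name__ == "__main__":
    days = seconds_to_exhaust_throttled(6) / 86400
    print(f"6-digit PIN, chip-enforced delays: about {days:,.0f} days of waiting")
    minutes = seconds_to_exhaust_unthrottled(6, 1000) / 60  # 1000/s is assumed
    print(f"6-digit PIN, no enforced delay: about {minutes:.1f} minutes")
```

The counter and timer only help because they live inside the component that holds the secret; a counter kept by the main operating system protects nothing once the storage is read outside of it.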
The only way a Graphene phone gets major adoption is if you could use pay with it.
I can pay with NFC and my GrapheneOS phone.
Where is this/ what app do you use?
I’m in the UK and use Curve. I’ve used it locally, of course, but also in Singapore, Australia and Japan and it worked without incident.
Not OP, but my (German) bank supports the Digitales Bezahlen App with GrapheneOS. I used it exactly twice, both times because I forgot my wallet at home.
There are several supported apps, such as Curve Pay, PayPal, and banking apps that have their own tap-to-pay implementation.
https://shkspr.mobi/blog/2025/06/contactless-payments-with-grapheneos/
https://grapheneos.social/@GrapheneOS/115295538501760765
You can also use the “contactless payments supported” tag when searching the GrapheneOS banking app compatibility list on GitHub. https://github.com/PrivSec-dev/banking-apps-compat-report/issues?q=is%3Aissue+label%3A"contactless+payments+supported"
We need details please
I think people overestimate that feature. Where I live you still have to hand your card to the teller most of the time and nobody is handing their phone over for tap to pay.
I pay with a normal card but I’d say the majority of people around me pay with their phone.
Also, I need to use my bank app to pay for things online. I scan a QR code and confirm the payment with a PIN or fingerprint. Correct me if I’m wrong but I think many bank apps also don’t work properly with Graphene.
Edit: maybe I’m getting confused. I thought bank apps normally needed Google Play services and that because of that they don’t work on GrapheneOS, but I don’t know if that’s correct.
hmm how bout round the world?
Like Germans prefer cash but tons go all digital—yuge in China for example, Apple Pay’s big stateside (USA)…
Curious your region btw to expand my knowledge on this
I live in the US and I also just got back from a 10 day trip that had me in 6 different airports around the US and saw basically nobody using their phones to pay. I saw a bunch of people using the translate app, the camera, FaceTime, Apple wallet for boarding passes, but no tap to pay.
I think it’s because the places that use it also have their own apps, like Starbucks. You can order and pay in the app and if you are likely to set up Apple Pay you are probably fine going all the way with the app too. The same is true of Walmart and other major retailers who also specifically don’t take Apple or Google Pay because they want you to use their app.
It’s heavily used everywhere else in the world, the US is well-known to lag behind on payment technology. It’s like travelling back in time when you go there.
I pay with my phone literally everywhere in Canada, haven’t opened my wallet in months. I was in the US last year and they didn’t have mobile payment terminals at restaurants so you always had to pay for sit down service at a counter, always wanted me to sign for tap, kept calling it Apple Pay instead of tap or contactless, had places that would only swipe a physical card which isn’t even allowed in other countries anymore, it’s crazy.
Walmart takes tap in Canada, they were one of the last holdouts. The “individual app for each service” thing is very American, even American companies abroad don’t do it because they’ll lose business. It’s the same thing with cash transfers. There are 100 different private ways to send money in the US. PayPal, CashApp, Facebook Pay, Apple Pay, Venmo, etc.
None of those exist in Canada because we just have Interac e-transfers. Hard to compete with free & automatic support by every bank account in the country. Other countries have similar systems. The US has Zelle but as far as I know that was implemented way later and doesn’t have the mindshare.
So random that the USA is lagging behind in this regard, travelled Europe - everyone using phone pay, and in Australia my home country, it’s pretty much the only way people pay nowadays.
Not really. The kind of people this ROM caters to are exactly the kind of people who don’t use Google Pay to begin with.
There’s other pay features in the world like Wero and MobilePay