This is inconvenient in some ways, but at least it is sort of privacy as good as it gets while still being able to run official apps when I need them at home.
To de-google the phone, I use F-Droid as primary App store, Aurora as fallback for non-f-droid Apps and as a last resort Obtainium to install Apps that are not in these stores.
The only google App I really "need" (kind of) is the Camera App, which is sandboxed via GrapheneOS Storage Spaces and without Network permission (why would a camera need internet?).
To backup my phone, I use the integrated GrapheneOS Solution (seedvault!?) for storage and apps, immich for Photos and MyPhoneExplorer for Contacts.
Sometimes it is a bit hard to find good apps for specific purposes, so for everyone interested, here is a list of Apps that I personally use or have used.
Newpipe - Youtube Client
Audiobookshelf - Audiobooks
Voice (PaulWoitaschek) - Local Audiobook Player
Substreamer - Music
DSub - Music (alternative)
VLC - Video-Player
Organic Maps - Google Maps alternative (not as good)
PDF Doc Scanner - Open Source Document Scanner
Wireguard - VPN
Immich - Photo Backup / Viewer
LocalSend - File Transfer
K9 Mail / FairMail - Email Client
KOReader - Ebooks
Binary Eye - QRCodes and Barcodes
Pure Todo - Self hosted PWA PHP Todo List
Signal - Messenger
Open Camera - Open Source Camera AppIt's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro, crazy that they trust me since it is not Windows - the truly secure OS!
Knew about those things before I started, so all in all I'm pretty happy. I'd recommend NOT using different users for different things (I started with banking etc in one profile, that ended up being a huge PITA and according to their docs it is mostly security theater anyway). Happy tinkering!
I wonder how secure GrapheneOS is in that regard, and what the other contenders are?
However, there was one case that lead me to thinking about ditching grapheneos to this day. I installed Uber on my phone and I was able to successfully create an account and use it. When it came to booking a ride, the app crashed and I had to log in again. Once I did that, I was told that my account has been suspended for violating the terms of services. All I did to that point was creating an account and booking a ride. I was able to resolve the issue luckily after a few days and going back and fourth a couple of times with the Uber support, however, the risk of getting banned on any such platform is still risky, and thus I'm not sure if grapheneos is usable if you need to use such services.
Luckily I have hardware 2FA keys from my bank so I can authenticate using that. It also slightly decreases the suck-factor from whenever the phone decides to fly off down a drain. This may not be the case for you, so do your research on what you need for daily living.
Are there valid reasons to only support pixels?
For me the biggest concern is that while you may be able to use and run your own device, you will be locked out of most propietary services. Much like how more and more websites simply don't work with Firefox anymore.
Want to use Vipps tæpp so much but I have Nordea for private and they don't allow it on their cards, for whatever godforsaken reason.
(it's not magic. All big vendors have these details, just choose to take their sweet time to patch them. GOS has partnered with a major OEM vendor who provides them with access)
Other than the specific patches above, there's a list of generic GOS features: https://grapheneos.org/features#exploit-protection
All in all you're probably much safer.
I agree that the locking down is truly stupid. For what itβs worth, the reasoning for locking down mobile apps is allegedly that mobile users are a less technologically competent demographic than desktop users. I do not think so myself, given the difficulty in trying Graphene vs. Desktop Linux.
Android's attack surface seems pretty jagged. For example there is only one webrender engine on iOS, where you can run anything you like on Android/GrapheneOS.
That limitation might be doing you a favor, as these things go...
Even if Pixels hadn't PWM a larger screen (or, dare I say, a book) will be an improvement for longer reading sessions.
The good news is that they are actively working on developing their own hardware. The bad news is that itβs been delayed. But Iβm watching closely.
https://www.galaxus.at/en/page/grapheneos-postpones-pixel-al...
I also with they could support non-Google phones, but that's a problem coming from the manufacturers, not from GrapheneOS.
My understanding is that there are close to half a million GrapheneOS users. And many potential users don't want to buy a Google phone. So it feels like it is starting to become worth considering for manufacturers...
I don't get why Fairphone doesn't look into that. Is it because they are not aware, or is it too hard for them to make hardware that is compliant with what GrapheneOS requires? Hundreds of thousands of devices may not count so much for Samsung, but they must definitely count for Fairphone.
If you are using a rather popular banking app, chances are high that it has been discussed in the GrapheneOS forum.
Anyway, with google play services installed, mine have worked out of the box.
Edit: ignore this - there's a list elsewhere in this thread!
Remember that GrapheneOS is not Android: it's an AOSP-based OS.
- If your phone is supported by GOS, you should go for GOS.
- If your phone is not supported by GOS, you should look carefully and compare between /e/OS and Stock Android.
I had a Fairphone 3, and after 5 years, /e/OS was outdated by 4 years w.r.t. the manufacturer updates. In other words, Stock Android coming from Fairphone was more secure than /e/OS on that Fairphone.
In my experience, /e/OS has a tendency to claim that they support everything, but they just can't, there is too much. And then they complain when GrapheneOS criticises the fact that some /e/OS users believe their phone is well supported but actually isn't. And GrapheneOS is not wrong: I realised I was in that case after 4 years with /e/OS.
https://eylenburg.github.io/android_comparison.htm
In short, GrapheneOS is vastly superior.
https://grapheneos.org/articles/attestation-compatibility-gu...
https://privsec.dev/posts/android/banking-applications-compa...
I've had less issues than with CalyxOS for example, where more apps broke.
(Also it is possible to do these things if you root your phone, but caries its own risks and I wouldn't recommend. Ending your dependency on third party processors is probably the best outcome)
Why are GrapheneOS releases dependant on Google releases?
Still missing Android Pay but that's due to Android Pay being closed. I wish banks would do something and support NFC payment systems that don't require the device to be controlled by Google (how can we be okay with this?!)
In any case, for me this also sort of defeats the purpose: I'd rather break free from Google and Apple, not just (stock) Android and iOS.
Why start from scratch?
In regular use, main difference will be that /e/OS comes with access to the alternative cloud service that project provides. It uses the default FOSS solution microG for google api compatibility, unlike GrapheneOS with their sandbox approach. /e/OS sets on AppLounge to install and upgrade both play store or F-Droid apps. Graphene has a small curated app repo instead.
I'd never use GrapheneOS since I don't trust the project. /e/OS is also not my favorite since it feels like it is developing slowly, having had issues with outdated software versions - though it does work well in practice. Have a look at iode for an alternative.
/e/OS community talking about it: https://community.e.foundation/t/article-from-grapheneos-abo...
And then maybe this: https://eylenburg.github.io/android_comparison.htm
Hope that helps.
/e/OS (and similar "non-LineageOS" ROMs really) instead focus more on de-Googling. They're still generally security focused, but the priority is less "someone's after you" and more "corporate surveillance is kinda scary innit". The aim is less to avoid someone actively trying to drain your phone of data and more to prevent your phone from passively sending everything it can possibly find to the Big G's ad machine (as well as whatever other trackers get snuck into apps.) Because of this, they usually have better depreciation timelines and support a lot more devices compared to GOS who only support the Pixel line (which is an increasingly awful set of phones truth be told); their scope is much smaller.
Finally, it's worth noting that the GOS community is absurdly toxic to anyone doing anything privacy-related that isn't under the banner of GOS. It's extremely maximalist, tends to get very upset at other projects whenever they get attention (see sibling reply to this, where they pretty much melted down because an outlet dared to recommend a Fair phone+/e/OS) and the projects official channels have generally encouraged this sort of behavior. It doesn't really damage the software itself, but it's worth considering.
Your aim is misplaced: ditch Uber, not GrapheneOS.
https://privsec.dev/posts/android/banking-applications-compa...
That's not just a claim, this is an objective fact. GrapheneOS has a excellent track record when it comes to security, they have made several patches that got upstreamed to Android, etc.
Not really. On GrapheneOS, the Play Services/Play Store run as sandboxed apps, i.e. they are not system apps like on Android. They just run like a normal, unprivileged app. That's a lot better than on Android.
> I'd rather break free from Google and Apple, not just (stock) Android and iOS
If you want to break free, you don't have to install the Play Services / Play Store on GrapheneOS, just like you don't have to install microG on LineageOS. There is a misconception that microG is better than sandboxed Play, but I disagree. With microG, your apps still connect to the Google servers, so you're not "breaking free".
The problem is not GrapheneOS, but rather that phone manufacturers other than Google don't care. Now if there were millions of GrapheneOS users, it would start becoming interesting for other phone manufacturers to care.
My point being that I buy Pixel in order to give more weight to GrapheneOS, in the hope that other manufacturers will eventually realise that.
https://www.androidauthority.com/graphene-os-major-android-o...
Itβs cool itβs possible, but itβs not practical for most people.
My running watch is from a chinese company that I do not trust, so I lock down the permissions quite far. I like that Graphene lets me control the network permission and have offline maps that cannot report anything external.
Overall the most annoying thing is not being able to iMessage... I moved who I could over to signal.
Also the battery life is amazing because I keept restricting apps from background usage and the defaults already do a good job of that
Every app on my phone has at least one other app, usually already installed, that can replace it. This wasn't intentional, it just happened naturally. Unless all two or three apps in a category get blocked for me at the same time, this already unlikely situation is barely an inconvenience.
I'm not a mobile phone security expert but my feeling is that in the case of GrapheneOS - which target is probably high-profile people at risk of state actors et similia attacks - a zero-day in the closed source firmware from Qualcomm will probably screw you anyway.
I understand that you are anyway reducing the attack surface (now they need to target the modem firmware specifically), I understand the concept of security in depth and I also understand that by using GrapheneOS you are already placing mitigations for many other known and unknown attack vectors. But still...
There are countries where it's possible to pay everywhere with the banking app scanning a QR code. No need for NFC :-).
> it's worth noting that the GOS community is absurdly toxic to anyone doing anything privacy-related that isn't under the banner of GOS
What I have seen (and I am not involved in any of those projects) is that GOS does care a lot about security, has a higher quality in that regard than anything else, and tends to be blunt about "inferior" projects communicating about security.
Not that they couldn't improve their communication style, but usually when they call out technical limitations of other projects (e.g. /e/OS), they are right. And I mean the technical arguments. Then I have seen a bunch of drama, but to be fair I have seen those other communities show toxic behaviour towards GOS just as much as the opposite.
It feels like it is GOS vs "the others", because the others don't criticise each other, and GOS bluntly criticises when they see claims they find are wrong (I have seen claims by /e/OS going from misleading to downright wrong).
On my particular phone, after 5 years with /e/OS, the Fairphone updates were outdated by 4 years. In terms of security I would have been better with the Stock Android. It depends on the phone of course, because /e/OS tends to claim that they support everything and they just can't. Even on a phone that /e/OS supports well, GrapheneOS is superior, period.
But I agree, I could do without all the drama. I guess my point is that it goes both ways.
Fair enough, you choose what you trust.
But personally, I have never seen a technical claim from GrapheneOS that was wrong or misleading. But I have seen many claims from /e/OS that were technically wrong or misleading. So I trust GrapheneOS more.
Then there is the drama, and all sides annoy me when they behave like this. But I have seen drama coming from all sides.
Sure they have hardened everything but realistically, that's not the main threat for your average user.
Their top contribution to android is the sandboxed Google Play, by far.
The only things I'm missing (which don't exist in other OS'es either):
- Being able to configure contact scopes in such a way that the app in question only gets access to the phone numbers of the contacts belonging to the label I specified, e.g. "WhatsApp", nothing more. Yes, one can of course add contacts' phone numbers to the contact scopes "by hand" but 1) there is a limit on the number of contacts/phone numbers configured this way, and 2) AFAIK there is no way to back up that list.
- Being able to install browser extensions in Vanadium.
- Being able to configure multiple VPNs at once, e.g. for Tailscale, ad filtering, blocking HackerNews during times when I should be doing something more productive :) etc., especially since the Vanadium browser doesn't support extensions (see above). I was hoping that the Rethink app might implement something like this (https://github.com/celzero/rethink-app/issues/1047) but it doesn't look like it's coming and it'd probably be much better to do this at the OS level.
1. The Pixel camera app works, including all modes and settings. A camera that takes good photos was absolutely a requirement for me, and the FOSS camera apps are not quite as good yet.
2. I don't have Google Photos and the pixel camera app tries to launch google photos when you want to review the picture you just took. But there is a FOSS app called GPhotosShim that uses the same namespace as google photos and thus fools the camera into launching that app instead. Once launched, it just launches whatever media management app you actually have configured, so it's seamless.
3. Android Auto works!
4. Android QuickShare works!
5. NFC tags / Yubikey integration works!
6. Screencasting works!
7. Sensor access and internet access can be disabled for apps by default (and I do).
But unironically Pixels are currently some of the best actually open phones. They do not lock down or require shady practices for unlocking the bootloader (although they do require a network check once that happens automatically, but it will permanently allow unlocking the bootloader if successful once. Pixels are very easy to restore and almost un-brickable, allow bypassing the boot screen warning by pressing the power button twice, actually allow relocking the bootloader and don't void your warranty unlocking it, don't have a shady one-time fuse like Samsung phones do with Knox, etc.
Many people here might recoil at this: to go through the trouble of de-Googling your phone and then just install Google Play services and the Play Store, but the important part is that it is a choice they could make.
Pixels are arguably the best option for software choice among mainstream phones (and iPhones are the worst), but both are a huge regression of choice compared to traditional personal computing platforms.
> Unfortunately, I must recommend Windows 10/11 here, because then you donβt have to mess around with any drivers; itβs the simplest option.
When I worked at Microsoft but ran FreeBSD at home, I often used my work Windows laptop to install custom ROMs. This is because FreeBSD was finicky with adb.
Now I run Fedora and the Android drivers are pre-installed. I installed GrapheneOS on both a Pixel 10 Pro (main) and Pixel 9 (spare) that way.
On Windows, I've had more trouble with Android drivers than I did on non-Windows.
I run a Thinkpad with NixOS and KDE, a Pixel 9 with GrapheneOS, and an Amazfit watch paired with GadgetBridge on my phone.
It's a testament to the hard work of the FOSS maintainers of these projects, and the spirit of open source, that everything works flawlessly together without any cloud service sucking up my data. For example, I can control youtube and music playback on my laptop with my watch because KDE Connect syncs my laptop and my phone, and gadgetbridge syncs the phone and the watch. The breezy weather app on my phone can automatically push its data to gadgetbridge which in turn pushes the data to the watch. And so on. So many little things, developed independently, working like a single well oiled machine.
That said, I do not like how much the project depends on Google.
- GrapheneOS is based on Android, which is solely developed by Google.
- GrapheneOS only supports Google Pixel devices. Thankfully, they are working on partnering with a different manufacturer, but details are still very limited.
- They recommend using the Google Play Store (requires a Google account) to get apps and recommend against using F-Droid.
- Their Vanadium web browser is based on Chromium, which is controlled by Google. It also does not have an ad blocker or support extensions. They recommend against using Firefox. Firefox, and Safari to a more limited extent, are the only web browsers keeping Google from having complete control over web standards and the way we can access the internet.
This is not a criticism of the GrapheneOS project or developers. I understand that security is the biggest priority of GrapheneOS and I understand that Google is often good at security. They are following the goals of the project. It is more directed towards the GrapheneOS community that often blindly recommends GrapheneOS as the only option and treats any alternative as inferior and not to be considered. Most users do not need security at all costs. Especially among the free and open source enthusiast community, freedom and user control are often prioritized. There should be more awareness and discussion about what the user wants and whether that actually aligns with the security-first goals of GrapheneOS.
Is it really "breaking free" from a company if the method of "breaking free" requires continued cooperation from the company
This is not to suggest using a modified version of Android isn't useful. This comment is not about GrapheneOS. (But there will be HN replies that will try to redirect focus to it anyway.) This comment is about claiming it's possible to "break free" from something while still remaining inextricably tied to it
In addition to using a custom ROM, there are methods of stopping the Pixel's attempts to "phone home" to the company that work even with the version of Android pre-installed by the company intact. However if a method requires software, e.g., drivers, or is "based on" software controlled by the company, then ultimately the company holds the cards. IMHO, this is not what it means to "break free"
Perhaps the most reliable method of stopping these connections to the company is one that does not rely on cooperation by the company. This is because if the company decides to stop cooperating, the method still works
It's just so damned convenient. And the recording of transactions on the phone saves me having to collect paper receipts.
I am probably going to switch back to a used old iPhone for "phone appliance" tasks, but keep around the Pixel for other things.
My main takeaway from the experience is that iMessage is an even bigger weapon than I thought.
I wish Europe would have forced that 10 years ago since the US is beyond saving.
I could not get a replacement as I bought the phone in a foreign country (Google doesnβt sell Pixels here in Brazil).
So as much as I love the idea of running a more private phone, I found the hardware extremely fragile and poorly designed, so I will not buy from them again anytime soon.
Oh the irony.
Privacy is more a dream than a real thing.
If using GrapheneOS significantly increases the risk a person won't be able to use a service they rely on, that may be unacceptable.
And it's not only security - simple stuff like USB data off unless the phone is unlocked, native call recording, much enhanced user profiles (to separate data mining apps like Uber or Instagram from your financial affairs), etc.
And yes, it's about reducing the attack vector. On most other handsets you'll get most of the fixes 6 months or a year later. At best.
I do understand your point that people at risk of state level attacks might get a false surface level appearance of defence from this. But then anyone who's a target of state level attacks and is making OS decisions based on a surface level understanding of the tech is not going to have a good time anyway.
What that means is they can push malicious settings and configurations (Definitely) and probably malicious firmware to the handset at will. They don't need to code this, they buy the software packages from the usual suspects. Adversary simply needs to put a drt box or a hailstorm or what-not close enough to the handset to do the work.
The baseband can do a lot, it has dma (if I recall correctly) and can almost certainly screen look, and extract information from some but not all base bands. This varies.
GrapheneOS cannot really influence this, but hardened_malloc could conceivably help. What would be great is a bench firmware re-flash, but I don't want to do this every single day.
NFC is by far more convenient and reliable.
You don't need a Google account to use YouTube and can use it via the browser, NewPipe or several other alternatives rather than their app.
The linked article covers someone's first experience with it with a lot of detail. They're using it as their daily driver with mainly open source apps and separate profiles with mainstream apps they still need. They're using those with much better privacy protections including having sandboxed Google Play in those profiles for using mainstream apps rather than regular highly privileged Google Play heavily integrated into the OS and not running with the standard app sandbox or privileges.
In my case, it was a few months ago, so end of 2025.
I think it's just that they can't possibly support thousands of Android devices. I just don't like that they are not being very clear about it. You would think that buying a phone through Murena would guarantee some kind of support, but it actually doesn't.
QR codes are reliable.
π¬π§->π΅π± PrzejdΕΊ do polskiej wersji tego wpisu / Go to polish version of this post
Table of contents:
Just a year ago, I was really deep into the Apple ecosystem. It seemed like there was no turning back from the orchard for me. Phone, laptop, watch, tablet, video and music streaming, cloud storage, and even a key tracker. All from one manufacturer. Plus shared family photo albums, calendars, and even shopping lists.
However, at some point, I discovered Plenti, a company that rents a really wide range of different devices at quite reasonable prices. Casually, I threw the phrase βsamsung foldβ into the search engine on their website and it turned out that the Samsung Galaxy Z Fold 6 could be rented for just 250-300 PLN per month. That was quite an interesting option, as I was insanely curious about how it is to live with a foldable phone, which after unfolding becomes the equivalent of a tablet. Plus, I would never dare to buy this type of device, because firstly, their price is astronomical, and secondly, I have serious doubts about the longevity of the folding screen. I checked the rental conditions from Plenti and nothing raised my suspicions. Renting seemed like a really cool option, so I decided to get the Fold 6 for half a year. Thatβs how I broke out of the orchard and slightly reopened the doors to my heart for solutions without the apple logo. I even wrote a post about the whole process - I betrayed #TeamApple for broken phone. What Iβm getting at is that this is how Android returned to my living room and I think I started liking it anew.
My adventure with Samsung ended after the planned 6 months. The Galaxy Z Fold 6 is a good phone, and the ability to unfold it to the size of a tablet is an amazing feature. However, what bothered me about it was:
All the points above made me give up on extending the rental and start wondering what to do next. Interestingly, I liked Android enough that I didnβt necessarily want to go back to iOS. Around this time, an article hit my RSS reader: Creators of the most secure version of Android fear France. Travel ban for the whole team (I think it was this one, but Iβm not entirely sure, it doesnβt really matter). It talked about how France wants to get its hands on the GrapheneOS system and thus carry out a very serious attack on the privacy of its users. I thought then, βHey! A European country wants to force a backdoor into the system, because it is too well secured to surveil its users. Either this is artificially blowing the topic out of proportion, or there is actually something special about this system!β. At that moment, a somewhat forgotten nerd gene ignited in me. I decided to abandon not only iOS, but also mainstream Android, and try a completely alternative system.
GrapheneOS is a custom, open-source operating system designed with the idea of providing users with the highest level of privacy and security. It is based on the Android Open Source Project (AOSP), but differs significantly from standard software versions found in smartphones. Its creators completely eliminated integration with Google services at the system level, which avoids tracking and data collection by corporations, while offering a modern and stable working environment.
The system is distinguished by advanced βhardeningβ of the kernel and key components, which minimizes vulnerability to hacking attacks and exploits. A unique feature of GrapheneOS is the ability to run Google Play Services in an isolated environment (sandbox), allowing the user to use popular applications without granting them broad system permissions. Currently, the project focuses on supporting Google Pixel series phones, utilizing their dedicated Titan M security chips for full data protection.
When I used to read about GrapheneOS, the list of compatible devices included items from several different manufacturers. Now itβs only Google Pixel devices. This doesnβt mean you canβt run this system on a Samsung, for example, but the creators simply donβt guarantee it will work properly, and you have to deal with potentially porting the version yourself. Note that itβs quite funny that a system freed from Google services should be run exactly on Google devices. If anyone wants to read more about why Pixels are the best for GrapheneOS, I recommend checking out the following keywords - Verified Boot, Titan M, IOMMU, MTE.
Iβve bolded the items that are not only supported but also recommended (at the time of writing this post, you can find the current list here)
At the stage of choosing a device to test GrapheneOS on, I wasnβt yet sure if such a solution would work for me at all and if Iβd last with it in the long run. So it would be unreasonable to lay out a significant amount of money. Because of this, probably the only sensible choice was the Google Pixel 9a. This was a few months ago, when not enough time had passed since the premiere of the 10 series models for them to make it onto the fully supported devices list. At that time, the Pixel 9a was the freshest device on the list (offering up to 7 YEARS of support!) and on top of that, it was very attractively priced, as I bought it for around 1600 PLN (~450 USD).
In retrospect, I still consider it a good choice and definitely recommend this path to anyone who is currently at the stage of deciding on what hardware to start their GrapheneOS adventure. The only thing that bothers me a bit about the Pixel 9a is the quality of the photos it takes. I switched to it having previously had the iPhone 15 Pro and Samsung Galaxy Z Fold 6, which are excellent in this regard, so itβs no wonder Iβm a bit spoiled, because I was simply used to a completely different level of cameras. Now I also know that GrapheneOS will stay with me for longer, so itβs possible that knowing then what I know now, I would have opted for some more expensive gear. However, this isnβt important to me now, because for the time being I donβt plan to switch to another device, and by the time that changes, the market situation and the list of available options will certainly have changed too. Besides, Iβm positively surprised by the battery life and overall performance of this phone.
Locking the bootloader is crucial because it enables the full operation of the Verified Boot feature. It also prevents the use of fastboot mode to flash, format, or wipe partitions. Verified Boot detects any modifications to the OS partitions and blocks the reading of any altered or corrupted data. If changes are detected, the system uses error correction data to attempt to recover the original data, which is then verified again β thanks to this mechanism, the system is resilient to accidental (non-malicious) file corruption.
However, before re-securing the bootloader, I recommend checking if the system was flashed correctly and everything works as it should, because if it doesnβt, locking the bootloader might brick (completely block, or even damage) the phone. Therefore:
The final step before starting to play with the new system is reapplying the OEM lock.
Now the real fun begins. Youβll hear/read as many opinions on what you should and shouldnβt do regarding GrapheneOS hardening as there are people. Some are conservative, while others approach the topic a bit more liberally. In my opinion, there is no one right path, and everyone should dig around, test things out, and decide what suits them and fits their security profile. Youβll quickly find out that GrapheneOS is really one big compromise between convenience and privacy. While this same rule applies to everything belonging to the digital world, itβs only in this case that youβll truly notice it, because GrapheneOS will show you how many things you can control, which you canβt do using conventional Android. I donβt intend to use this post to promote some βone and onlyβ method of using GrapheneOS. Iβll simply present how I use this system. This way, Iβll show the basics to people fresh to the topic, maybe Iβll manage to suggest an interesting trick they didnβt know to those who have been users for a while, and on a third note, maybe some expert will show up who, after reading my ramblings, will suggest something interesting or point out what Iβm doing wrong / could do better. Iβm sure thatβs the case, since my adventure with GrapheneOS has practically only been going on for 3 months. I warn you right away that Iβm not sure if Iβll be able to maintain a logical train of thought, as Iβll probably jump around topics a bit. The subject of GrapheneOS is vast and in todayβs post Iβll only manage to slightly touch upon it.
One of the first things I did after booting up the freshly installed system was to create a second user profile. This is done in Settings -> System -> Multiple users. The idea is for this feature to allow two (or more) people to use one phone, each having a separate profile with their own settings, apps, etc. Who in their right mind does that? While I can imagine sharing a home tablet, sharing a phone completely eludes me. It therefore seems like a dead feature, but nothing could be further from the truth.
For me, it works like this: on the Owner user, because thatβs the name of the main account created automatically with the system, I installed the Google Play Store along with Google Play services and GmsCompatConfig. This is done through the App Store application, which is a component of the GrapheneOS system. Please donβt confuse this with Appleβs app store, even though the name is the same. From the Play Store I only installed the following applications:
And thatβs it. As you can see, this profile serves me only for apps that absolutely require integration with Google services. In practice, I switch to it only when I want to pay contactlessly in a store, which I actually do rarely lately, because if thereβs an option, I pay using BLIK codes. Right after switching from Samsung there were more apps on this profile, but one by one I successively gave up on those that made me dependent on the big G.
Itβs on the second profile, which letβs assume I called Tommy, that I keep my entire digital life. What does this give me? For instance, the main profile cannot be easily deleted, but the additional one can. Letβs imagine a situation where I need to quickly wipe my phone, but in a way that its basic functions still work, i.e., without a full factory reset. An example could be, say, arriving in the USA and undergoing immigration control. They want access to my phone, so I delete the Tommy user, switch to the Owner user, and hand them the phone. It makes calls, sends SMS messages, even has a banking app, so theoretically it shouldnβt arouse suspicion. However, it lacks all my contacts, a browser with my visited pages history, a password manager, and messengers with chat histories. This is rather a drastic scenario, but not really that improbable, as actions like searching a phone upon arrival in the States are something that happens on a daily basis. Besides, the basic rule of security is not to use an account with administrator privileges on a daily basis.
On GrapheneOS, Obtainium is my primary aggregator for obtaining .apk installation files and automating app updates. Itβs like the Google Play Store, but privacy-respecting and for open-source applications. It would be a sin to use GrapheneOS and not at least try to switch to open-source apps. Below I present a list of apps that I use. Additionally, Iβm tossing in links to the source code repositories of each of them.
To understand how Obtainium works and how to use it, I recommend checking out this video guide.
I have a few apps that are not open-source, but I still need them. In this case, I donβt download them from the Google Play Store, but exactly from the Aurora Store, which I mentioned above.
Aurora Store is an open-source client of the Google Play store (I guess you could call it a frontend) that allows downloading applications from Google servers without needing Google services (GMS) on the phone.
The Internet characterizes this solution as follows:
Sounds perfect, right? A bit, yes, but unfortunately not everything holds up completely. I have two main complaints about Aurora Store.
With these anonymous accounts, the thing is that sometimes they work, and sometimes they donβt, due to limits that are unreachable with a normal account used by one person, but when a thousand people download apps from one account at once, it starts to get suspicious, and the limits are exceeded quite quickly. Using Aurora Store violates the Google Play Store terms of service, so on the other hand if we use our Google account, it might be temporarily blocked or permanently banned. Some option here is to create a βburnerβ account just for this, but that takes away some of our privacy, because Google can still index us based on what we downloaded. Anonymous accounts in this case provide almost complete anonymity, because then we are just a drop in the ocean.
When it comes to security, yes, in theory we download .apk files from a verified source, but only under the condition that the Aurora Store creators donβt serve us a Man in the Middle attack. The decision whether you trust the creators of this app is up to you.
Below I present a list of applications that I downloaded from the Aurora Store, checked, and can confirm that they work without GMS (Google Mobile Services).
GrapheneOS allows for full control over what permissions each application can have. For example, in conventional Android forks, every application by default has granted Network (internet access) and Sensors (access to all sensors like the accelerometer) permissions.
Has anyone ever wondered if all apps on a phone need Internet access? Indeed, in the vast majority of cases, a mobile app without network access is useless, but you canβt generalize like that, because for example, the previously mentioned FUTO Voice Input uses a local LLM to convert speech to text, which works offline on the device. Why would such an app need Internet access then? For nothing, so it shouldnβt have such permission. Now letβs take apps like FairScan (document scanning), Catima (loyalty card aggregator), Collabora Office (office suite), or Librera (ebook reader). They too do not need Internet access!
The situation looks even more bizarre when you look at which apps actually need access to all of our deviceβs sensors. If we think about it calmly, weβll conclude that in this specific case itβs completely the opposite of the previous one, meaning practically no app needs this information. And I remind you that by default on Android with Google services, all apps have such permissions.
To manage a given applicationβs permissions, just tap and hold on its icon, select App info from the pop-up menu, and find the Permissions tab. A list categorized by things like - Allowed, Ask every time, and Not allowed will appear. I recommend reviewing this list for each app separately right after installing it. This is the foundation of GrapheneOS hardening.
A collective menu where you can view specific permissions and which apps have them granted is available in Settings -> Security & privacy -> Privacy -> Permission manager. Another interesting place is the Privacy dashboard available in the same location. Itβs a tool that shows not only app permissions, but also how often a given app reaches for the permissions granted to it.
In GrapheneOS we donβt only have user profiles, but each user can also have something called a Private space. I encountered something similar on Samsung, where it was called Secure Folder, so I assume this might just be an Android feature implemented differently by each manufacturer.
Private space is turned on in Settings -> Security & privacy -> Private space. It acts like a sort of separated sandbox that is part of the environment you use, but at the same time is isolated from it. For me, itβs a place that gives me quick access to apps that nevertheless require Google services. You might ask - why then do I keep the mBank and T-Mobile apps on the Owner user if I could keep them here? Well, for reasons unknown to me, Iβm unable to configure my private space so that paying with contactless BLIK via NFC works correctly in it. The same goes for Magenta Moments from T-Mobile, which donβt work correctly despite GMS being installed in the private space.
Oofβ¦ I did it again, sorry. Iβm just counting the characters and it comes out to just under 35,000β¦ Iβll probably break that barrier with these next few sentences. Well, long again, but purely meaty again, so I donβt think anyone has reason to complain. As I mentioned earlier, Iβve only touched upon the topic of GrapheneOS, which is extensive, and itβs a good thing, because itβs a great system, and the biggest respect goes to the people behind this project. Itβs thanks to them that we even have the option of at least partially freeing ourselves from Google (Android) and Apple (iOS). Therefore, I highly invite you to the final chapter of this post.
Finally, I would like to encourage you to support the GrapheneOS project. The developers behind it are doing a really great job and in my opinion deserve to have some money thrown at them. Information on where and how this can be done can be found here.
GrapheneOS does care about both, quite obviously. And GrapheneOS tends to say that if your security is bad, then it is affecting your privacy too. Whereas others say "sure, we break the Android security model by unlocking the bootloader and signing our system with the Google test keys, but your apps will contact Google through microG instead of the Play Services, so it's more private". Which is worth what it is worth...
You can use IronFox - available in Accrescent store that comes with GrapheneOS, and install firefox extensions
Does this require installing google play and other google services to work?
Pretty much yeah.
Also, the surveillance tech is getting ahead of the people now, this article might make sense back in 2015, itβs not the case anymore, even if you use a full linux distribution, hardened too, but connected to the cellular network through a modem, the operator can pinpoint your location accurately, because all new cell modems are equipped with gnss and send the NMEA message either in demand or periodically to the towers.. not to mention if your software is open source and secure, your hardware isnβt, and until we reach that point, I would prefer to have a gray man model and blend in within the crowd rather than standing out like a sore thumb.
GrapheneOS is based on the Android Open Source Project. It's incorrect to say it's solely developed by Google and it's open source software which we're free to change as we see fit.
> GrapheneOS only supports Google Pixel devices. Thankfully, they are working on partnering with a different manufacturer, but details are still very limited.
No, we already have a partnership with a major Android OEM. It's not something we're working on obtaining and we've provided a fair bit of details including that it will be publicly announced by the OEM in March, that the devices will launch in 2027 and that they'll use a high end Snapdragon SoC which is either the flagship (most likely) or one step below it.
> They recommend using the Google Play Store
No, that's not our recommendation.
> recommend against using F-Droid
We recommend against F-Droid due to it being an unnecessary middleman between users and app developers which does not truly reduce trust the app developers. F-Droid apps are consistently out-of-date and often lag months being on important privacy and security fixes. F-Droid consistently makes problematic undocumented changes to apps including rolling back dependency updates. F-Droid is known to use highly outdated build infrastructure which is very poorly secured. They have a bunch of bad security practices throughout their approach and have made it clear it isn't a priority for them. They've repeatedly said they don't believe app sandboxing is useful and much more than that. Many open source apps including Signal and WireGuard have asked to have their apps omitted from F-Droid due to the security and trustworthiness issues with the project. That's not at all something specific to GrapheneOS.
> Their Vanadium web browser is based on Chromium, which is controlled by Google.
Chromium is an open source project which is collaboratively worked on by multiple projects using it as the basis for their browsers. That includes Microsoft who implemented the WebAssembly interpreter available in the upstream Chromium codebase which is used by Vanadium but is dead code in Chrome and regular Chromium builds since it was added for Edge.
> It also does not have an ad blocker
No, that's not true. Vanadium has a default enabled ad blocker which uses EasyList, EasyPrivacy, EasyList's Adblock Warning Removal List and also selectively activates a whole bunch of EasyList affiliated language/regional lists based on the currently active languages. This approach avoids adblocking being used for fingerprinting, avoids greatly weakening site isolation sandboxing as extensions do and is much higher performance which is important on mobile. It very clearly has ad blocking and a per-site toggle for it.
> or support extensions
Extensions greatly weaken site isolation and give third party code without verified boot extensive access to website content similar to dangerous Android accessibility service apps. Very few extensions are focused on privacy and security in a similar way to GrapheneOS and would compromise what we're trying to build. It's not the approach we want to use in Vanadium. If you want to use extensions then you can use a browser with them but it doesn't fit into what we're building with Vanadium where we want to implement features ourselves in a very private, secure and robust way which cannot be done with extensions. Extensions fundamentally reduce security including because they used a shared process across all isolated websites which inherently reduces isolation. Few extensions take this seriously, even the ones focused on privacy. They commonly add leaks between sites. There are plenty of other browsers available but ours is aiming for a standard of privacy and security which cannot be achieved with extensions.
> They recommend against using Firefox.
Firefox's Android app has atrocious privacy and security. A browser without even basic content sandboxing let alone sandboxing with full site isolation. That's combined with major other major security deficiencies and it isn't something we could recommend using. Recommending against it doesn't mean people can't use it...
You'll still be using Vanadium as the web content engine within apps using the WebView such as email clients rendering HTML email and many more. Many people have a misunderstanding of what the WebView is and confuse it with custom tabs which are provided by the user's selected default browser rather than the WebView used within other apps.
> This is not a criticism of the GrapheneOS project or developers.
How isn't it criticism of GrapheneOS? Regardless, Vanadium does have an adblocker and we don't specifically recommend the Play Store as you said. The biggest issue is that what you're saying about what we prioritize, advise or provide isn't accurate.
> I understand that security is the biggest priority of GrapheneOS
Privacy is the biggest priority of GrapheneOS and privacy depends on security. GrapheneOS is a privacy project.
> It is more directed towards the GrapheneOS community that often blindly recommends GrapheneOS as the only option and treats any alternative as inferior and not to be considered.
Our project and community regularly recommends iOS as an alternative which provides far better privacy and security than non-GrapheneOS options. Most other options have very poor privacy/security including lacking even basic privacy/security patches and protections. Similarly, our project and community regularly recommends using macOS for better privacy and security than either Windows or desktop Linux. What you're saying are blind recommendations are anything but that but rather very well informed information provided by the GrapheneOS project.
> Most users do not need security at all costs.
GrapheneOS is not about security at all costs and this misconception which regularly comes up that it's about security rather than privacy is completely wrong. Many projects failing to provide decent privacy treat it as if privacy is solely about which apps/services are bundled rather than needing to provide privacy patches, privacy protections and solid security to protect that from being bypassed. Much of what GrapheneOS provides are privacy features such as Contact Scopes, Storage Scopes and the Sensors/Network toggles along with much more. The security protections it provides exist to protect privacy. Why else would the security protections be there other than to protect privacy? It's not a separate thing from privacy but rather is a huge part of providing it. There's no other reason for us to work on security than protecting privacy. It doesn't make sense to say we work on security instead of privacy.
Most users do need basic privacy/security updates and protections. Failing to keep up with basic updates and misleading users about it is a severe issue. There isn't any major non-GrapheneOS AOSP-based OS that's doing the bare minimum of keeping up with updates.
> Especially among the free and open source enthusiast community, freedom and user control are often prioritized. There should be more awareness and discussion about what the user wants and whether that actually aligns with the security-first goals of GrapheneOS.
You aren't accurately representing what GrapheneOS provides, our approach or our priorities. People can see for themselves from the detailed article that it provides a highly usable and compatible system with a huge amount of user choice. People can choose from a wide range of approaches based on their privacy and security goals. It doesn't impose choices on people. You treat it as if people are forced to use Vanadium when it's another choice of browser which people have on GrapheneOS but not elsewhere. GrapheneOS users have more choice among browsers and the one we have DOES provide ad blocking contrary to what you said. GrapheneOS users can use F-Droid despite us recommending against it due to the major security deficiencies. Providing well informed recommendations with detailed explanations does not in any way hinder user choice but rather informs people so they can make better choices. Our recommendations not aligning with your personal beliefs or preferences doesn't mean we're somehow reducing user choice.
The best thing would be to switch to Signal (Molly) for texting.
As an aside, from the latest release notes: Sandboxed Google Play compatibility layer: add toggle for granting Play services access to ICC auth in order to support RCS with carriers requiring it for RCS in Google Messages including T-Mobile (see RCS usage guide)
If anything, iOS seems buggier and less reliable, but I know (and am related to) a lot of people who insist on using iMessage/RCS, and I can't be missing messages.
And sandboxed Google Play services serve both goals -- it runs the service as a regular android service, not an exceptional one that has a bunch of extra permissions. So you can allow/restrict it as you seem fit, while not "getting behind" on features/apps that mandate it.
I bought a second hand Pixel 7 to test this and an exFat SanDisk Extreme Portable 2TB works with reads/writes perfectly.
Does that require being logged into a Google account? How to ensure Google knows nothing about your shares?
I have Graphene w/ Google Play Services (required for my job) and would love a easy way to share files/info with various devices (incl. iOS/macOS which I remember should work with QuickShare in the future) but will avoid a service that shares data with Google.
Pixel are supposed to be very good in photography, part hardware and part software, and my concern would be degradation of that software part. With small kids, there is nothing more important on phone for me than photos/video quality these days (apart from never going into apple ecosystem, I am just incompatible with that company' philosophy).
Or its just about slapping some commercial photo app (like I heard from other photographers is often done on apple to get most out of it, but forgot the name of the app) and not caring about this?
https://www.youtube.com/watch?v=ik0AiO0WtuU
If you don't like giving money to Google, plenty of companies offer refurbished Pixel phones.
Anyway, I now need to get the battery replaced, because apparently they are dangerous and Google pays for the replacement. Unfortunately, the replacement process requires the stock android to be installed. Meaning, I would need to backup the whole phone, reinstall stock android, then restore everything - and hope the whole ordeal works out.
https://www.androidauthority.com/graphene-os-major-android-o...
In background I also have Withings scale sync the measurements a couple of times a day to Garmin.
So I ended installing ActivityLog2[0] to do something with the files I had to have on desktop and GadgetBridge was of little use because relying on GadgetBridge without actually syncing the files might make me forget about doing the backup to a device I control (GrapheneOS or a computer).
As soon as GadgetBridge support syncing the files from the watch to the app (or any local folder on Android), I'll install it again and stop doing the manual backups over USB. Syncthing will do it automatically.
Then switch back to Google/Apple after half a year when you discover that you canβt run
- your banking app - any government app - the app required to access large sports events - the pandemic tracking app without which you canβt enter an airport - various other random apps
because they ALL detect that youβre running on a phone with an unlocked bootloader and will flat out refuse to start. And for many of those, there is no legal alternative.
(The extent of this varies depending on where you live, of course.)
It does have a network-level ad blocker. What it doesn't have is a blocker which modifies/injects Javascript into pages, which iiuc is the main reason that the blocker doesn't help with ads on YouTube much, or pages which employ similar techniques.
> They recommend against using Firefox.
To clarify: they recommend against Firefox Mobile because it didn't support site isolation until last month's v147 updates. I don't know if the goalpost has moved since, but in any case: there's nothing on Graphene that would prevent you from using Firefox.
If anyone wants this without GrapheneOS: https://f-droid.org/packages/dev.ukanth.ufirewall
If anyone wants this without GrapheneOS and without root: https://f-droid.org/packages/net.kollnig.missioncontrol.fdro...
This sounds like your phone may have been one of the Pixel 6a models with a defective battery[1]. It was a major problem for which Google pushed out an update that nerfed the battery life. There is a tool online where you can check if your particular 6a was one with a battery from the bad production batch[2].
But that unfortunately doesn't help if you are in Brazil where, as you say, Pixels aren't officially sold and import/export controls tend to make tech warranties useless in practice.
[1] https://www.lifewire.com/pixel-6a-battery-overheating-warnin...
[2] https://support.google.com/pixelphone/answer/16340779?hl=en
For the end user, breaking free from Google means exiting from Googleβs services surveillance system wherever possible. It doesnβt mean complete elimination of the use of source code written by Google employees.
GrapheneOS is really the most private option of all viable daily drivable smartphone operating systems available, because your only other options generally involve Apple and Google services dependency.
You can use GrapheneOS and never send any user information to Google, thatβs how you βbreak free.β
https://grapheneos.org/faq#future-devices
8th, 9th and 10th gen Pixels provide our full set of requirements with 7 years of support from launch. 6th and 7th gen Pixels are missing the ARMv9 security features including the extremely important hardware memory tagging (MTE) feature we heavily use to protect against exploitation. Even the first devices we supported back in 2014 including the Nexus 5 had isolation for the cellular radio but similar isolation for Wi-Fi/Bluetooth started with the Nexus 5X.
The flag ship should not be more than $500
That's also why I don't keep anything important on my phone as I don't trust what's going on there despite having all the secure features that you would want.
My Librem 5 running PureOS also supports external storage just fine.
Not sure if airports specifically used another mechanism, but the Android contact tracing APIs were actually reimplemented in microG, allowing these apps to work even on custom roms.
Your other examples don't hold universally either (banking apps are compatible with un-rooted custom ROMs more often than not, and not sure how many sports event apps use integrity checks), but your general point stands that it may come with trade-offs.
Thats not coming from some paranoid security person, just regular (software dev) joe.
Also, do not leave your bootloader unlocked. That is an incomplete GOS install and you will need to lock it to secure your device. Not locking it is both insecure and will make a much higher number of apps fail.
Any privacy you have on a system is reliant on no one tampering with that system and on software behaving itself. Without security, you can't trust the system to implement any privacy.
On the other hand, if you switch to the latest Google camera app, you will not really be participating in making the open source version better.
https://play.google.com/store/apps/details?id=com.google.and...
When was in college and had Sprint this was a nightmare since then I wanted root for unlimited hotspot (Sprint made it easy that way), but most refurbished Pixels were Verizon variants.
And I couldn't just use OnePlus because they were only designed GSM networks or later Verizon CDMA-less. Then, new Pixels were unaffordable for me, but parents insisted on using Sprint.
I ended up getting a Pixel 3 off Mercari (which I still own) just to keep root.
Now, I can afford a Pixel 10 Pro new (which I am right now), alongside spare Pixel 9 and OnePlus 13R units. But even then (a) my income is lower than when I worked at Microsoft and (b) The OnePlus was from a trade-in deal.
The complete lack of content and site sandboxing on Firefox for Android is only one of the reasons we recommend against it. It has major security deficiencies beyond this and cannot benefit from many of the hardware and OS protections due to it. Vanadium is much more secure than standard Chromium while Firefox is much less secure than it, so there's quite a stark difference between them.
Recommending against using Firefox and F-Droid due to major security deficiencies doesn't in any way reduce user choice as the post above portrays it. Having a lot of accurate information provided by GrapheneOS enables our users to make more well informed decisions. We also do not specifically recommend the Play Store as the post says above but rather we provide nuanced information about the available choices. Specifically for obtaining apps from the Play Store which aren't available directly from the developers, we recommend using the sandboxed Play Store for users who using sandboxed Google Play in a profile for app compatibility already. Play Store itself has signature verification while Aurora Store only has TLS with a smaller set of trusted CAs by default similar to many Google apps. Aurora Store is sometimes needed to work around app's filtering who can install it so we do recommend it for that specific purpose. Aurora Store still logs into a Play Store account and making a throwaway account to use the Play Store app doesn't reduce privacy compared to using sandboxed Google Play without one.
My initial assumption was "this is gonna look like a typical OSS product, and not as polished as iOS or Android". A single screenshot would have dispelled that notion.
Which is (almost) the case during sales. The P10 was on sale for $599 not long ago, and you could buy a 9a for little more than $300. That is extremely good value compared to any iThing repoted your every move to Apple.
Decompiling apps only works if you can get the app. I don't understand GP's problem with the apk format either, but you do need to break terms of service to get the files if you don't have a phone with Google services installed. Whether that's ethical or legal is up for debate
You can't fix a lack of trust like you have in Android with technical solutions. The flaw in Android is fundamentally a social problem.
I prefer to use intermediaries like Kagi Assistant, thanks to the strict privacy conditions of the API and the mixing of queries from thousands of users.
If you want something backed by objective data, my phone has an advertising ID built in the OS and my laptop doesn't. My phone had 100s of privacy scandals and my laptop doesn't have one.
It's not just sports team, different philosophies create different results and computing goes beyond just the code.
This doesn't answer your question, but in case it helps for others out there: it's possible to use WhatsApp with no access whatsoever to your contacts and I used it that way for years. Connecting with people is slightly jankier but it still works.
> Itβs thanks to them that we even have the option of at least partially freeing ourselves from Google (Android) and Apple (iOS)
partially. And I do think they successfully did this. Asking Gemini questions when you really have something to ask is very different from integrating your whole digital life with Google.
This is separate from SIM locking, which forbids use with another carrier. US carriers still do that, but are required to remove the lock after a while if the customer doesn't owe them money.
It's not clear why Verizon insists on permanently locked bootloaders or why Google agrees to it for Verizon when they don't do it on Pixels sold anywhere else.
(I don't deny that there are apps that won't work. Best to check before switching full-time.)