What do I do after I get/flash my phone?
The main question you will have after you get or flash your phone is: where is the app store? If you want to maximize privacy, just use the web browser for everything. While this works a lot of the time, it is unfortunately not feasible for everyone. GrapheneOS recommends installing its Sandboxed Google Play as the most secure way to get verified apps onto the phone. To do so, swipe up to open the app tray, open the “Apps” app, and select “Google Play Services.” This installs the libraries that apps need in order to believe they are talking to Google services. Out of an abundance of caution, we would recommend going into the settings and disabling network access for these packages (except for the Play Store, which needs it to download apps). This can be done within GrapheneOS’s Apps app, or by going to Settings > Apps, finding “GmsCompatConfig,” “Google Play Services,” and “Google Services Framework,” and auditing their permissions. This is good practice with every app you install: a note-taking app doesn’t need access to your Physical Activity data. Personally, I even have the Google Camera app installed (with network permissions revoked), as it is a superior product due to the AI photo enhancement that’s being done in the background. More information on Sandboxed Google Play here: https://grapheneos.org/features#sandboxed-google-play.
What doesn’t work on GrapheneOS?
Android Auto. It has to be compiled into the operating system and is also a security issue, so GrapheneOS does not make Android Auto available. Every other app can be installed with Sandboxed Google Play (the most secure option, ironically), the Aurora Store (https://auroraoss.com/, less secure in that the anonymized accounts are all lumped together), or sideloaded using ADB. There may be some that do not work, but we have not heard of any. If you run into any that do not work, contact us and we’ll add it to this list.
Run Into Problems?
Hard brick: The device will not do anything. Black screen only, maybe some buzzing. Likely caused by installing the software for the wrong type of device (i.e., Pixel 5 software on a Pixel 4a). I cannot fix this. If the phone is under warranty, you might be able to return it, as they probably can’t tell what is wrong with it.
Soft brick: The device boots into the bootloader, boot loops (tries to start, then restarts), or does something else unexpected. Caused by a bad flash, or it can happen randomly after unlocking the bootloader. This can be fixed. Follow the instructions and download the correct image from here: https://developers.google.com/android/ota. As always, ensure that you download the correct version, which will be listed at the top of the recovery page.
Rules of Thumb Using GrapheneOS
1) Audit application permissions. A recipe app does not need access to your contacts.
2) If the company has a website that performs the same function as the app, don’t install the app. This includes your bank. The downside is that you will be prompted for two-factor authentication more often.
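The permission audit recommended above (for the Play Services packages and for every app you install) can be scripted against the output of `adb shell dumpsys package`. This is an added example, not part of the original guide: the dumpsys text below is a constructed, abridged sample in the shape that command prints, and the watchlist and package names are my own choices.

```python
import re
# Constructed, abridged sample in the shape of `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.google.android.gms] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=false
    runtime permissions:
      android.permission.ACTIVITY_RECOGNITION: granted=true, flags=[ USER_SET ]
"""

# Permissions the guide says most apps have no business holding (my own list).
WATCHLIST = {
    "android.permission.INTERNET": "network access",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACTIVITY_RECOGNITION": "physical activity",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def parse_granted(dump):
    """Map each package name to the set of permissions with granted=true."""
    granted, current = {}, None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:                       # start of a new package block
            current = m.group(1)
            granted[current] = set()
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted

def audit(dump, watchlist=WATCHLIST):
    """Return {package: sorted human-readable names of watchlisted grants}."""
    return {pkg: sorted(watchlist[p] for p in perms if p in watchlist)
            for pkg, perms in parse_granted(dump).items()}
if __name__ == "__main__":
    for pkg, hits in audit(SAMPLE_DUMPSYS).items():
        print(pkg, "->", ", ".join(hits) or "nothing on the watchlist")
```

On a real device, save `adb shell dumpsys package` to a file and pass its contents to `audit()`; the real output has many more sections, which the regexes simply ignore.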
Recommended Links/Apps/Services
- Privacy and Security Based Operating System: https://grapheneos.org/
- GET OFF GMAIL/YAHOO/AOL/etc. These services scan every email that comes in and out of your account to sell ads or sell your data. Tutanota (https://tutanota.com/) and ProtonMail (https://protonmail.com/) are popular, simple options. With these services you can buy a domain, such as lastname.com, and have a custom email like firstname@lastname.com. A more involved option is setting up your own mail server.
- A good place to start with Android apps which prioritize privacy: https://atsanik.com/privacy-android-apps/. The “Simple” apps on F-Droid are excellent.
- Anonymized YouTube client with no ads: https://github.com/TeamNewPipe/NewPipe/releases. Only download from GitHub, as it carries the most current release; YouTube tends to change things that break it from time to time (the developers are very quick to work around this). I would use this over the stock YT app just for the lack of ads.
- Go to GrapheneOS’s App Store and download “Sandboxed Google Play.” Yes, this is counterintuitive, but it lets you install and use the official releases of Google Play inside the standard app sandbox, which severely restricts Google Play’s access and privileges. For more information: https://grapheneos.org/usage#sandboxed-google-play. Installation instructions: https://grapheneos.org/usage#sandboxed-google-play-installation. GrapheneOS strongly discourages using F-Droid, not only because of the constant attacks on it and systematic corruption, but because it is a highly insecure, unprivate, and even vulnerable store with zero assurance or checks that what you’re downloading is what it claims to be. The entire thing is ideologically driven and has been a major burden not only for security and privacy but for UX, because it reuses app IDs and causes signature conflicts with the official apps from the Play Store or the developer’s GitHub. A GrapheneOS community member has written this up: https://wonderfall.dev/fdroid-issues/. Aurora Store is a similar case: people are under the impression that it is an “open source port” or that it “bypasses” the need for an account, when it really just mass-creates shared Google accounts that people log into using the “anonymous” button. You’re trusting that nobody is sniffing the credentials, hijacking the accounts, and scraping user data like device model, the apps you install, login IP address, and so on. It isn’t any different from making your own throwaway account and logging into the Play Store. Aurora Store lacks certificate pinning and requires overly broad and invasive permissions for no good reason other than developer laziness. It communicates directly with Google servers using a Google account to obtain APKs and is not an “open source port.” In some circumstances Aurora Store even delivers the wrong apps because the Google accounts are shared by many people.
- GrapheneOS has its own camera app that is lightweight and secure, but it is lacking in capability (mainly Portrait and Night modes). You can install the full Google Camera using the Sandboxed Play Store: https://grapheneos.org/usage#google-camera
Why Pixel Devices?
Seems ironic, doesn’t it? Here is the entry from GrapheneOS’s FAQ: https://grapheneos.org/faq#future-devices
This Reddit post has more detail: https://www.reddit.com/r/GrapheneOS/comments/htwm9t/why_is_grapheneos_supported_only_on_pixels/fyjjq9z?utm_source=share&utm_medium=web2x&context=3
GrapheneOS vs CalyxOS vs LineageOS
LineageOS is not nearly as secure as the stock Google OS. Its builds are userdebug builds, which expose tons of debugging APIs, weakened SELinux policies, and adb root. It even has the ability to disable SELinux, which is one of the big pillars of Android security. LineageOS does not sign its builds, so you cannot lock the bootloader. Bootloader locking enforces verified boot and integrity checks for the majority of the OS; it can do error correction and it eliminates persistence for malware. LineageOS doesn’t ship firmware updates, relies on the user to update them, and uses a misleading security patch level that covers only AOSP security patches, not both AOSP and firmware/vendor patches. This leaves many people with critical vulnerabilities that can be trivially exploited by script kiddies. An unlocked bootloader fails the SafetyNet basicIntegrity check, and spoofing SafetyNet is extremely fragile and a losing battle as more and more apps migrate to hardware attestation. Hardware attestation works perfectly fine and passes on GrapheneOS; it fails on unlocked bootloaders, and you cannot spoof hardware attestation as easily as SafetyNet.
CalyxOS took the easy way out and integrated microG, which has numerous security and privacy issues and amounts to security theatre. microG is a very poor compatibility layer that intercepts signature-enforced requests and APIs. Integrating microG into the OS breaks the security model and the app sandbox. It does not have broad app compatibility and is extremely prone to breakage. microG doesn’t prevent apps from contacting Google in any way: apps can talk to Google without microG or Play services installed. That is how apps can show you ads even without Play services, by implementing the Ads SDK themselves. Apps can very well operate without Play services and integrate Google Play SDKs themselves. Most may just need privileged integration. microG has full, invasive privileged integration with far weaker SELinux policies. You can read more here: https://madaidans-insecurities.github.io/android.html and https://twitter.com/GrapheneOS/status/1437380576055541761
CalyxOS also has substantial security and privacy downgrades: it integrates and enables the invasive privileged Google eSIM apps by default, integrates microG invasively into the system, uses the default Google NTP servers and the default Google DNS servers, uses the Mozilla Location Provider (which works the exact same way as Google’s location accuracy: both are network location providers and send precise location data along with Wi-Fi and Bluetooth addresses), and ships the F-Droid privileged extension, a UserManager and Device Manager vulnerability that bypasses restrictions on app installation and can assist exploitation by bypassing those restrictions.
GrapheneOS is the most secure option, and is endorsed by Edward Snowden. It is entirely funded by donations and run by Daniel Micay, who is extremely passionate about privacy and security. The OS is updated and patched more often than Google’s, with every conceivable method of hardening applied. They now have a sandboxed Google Play service that has the broadest app compatibility: privileged API calls are redirected to unprivileged APIs. It has zero privileged integration, and the default helper app (which is not privileged; it’s a normal user app) is only activated if sandboxed Google Play is installed. They don’t spoof anything, integrate any kind of privileged apps, or make any security or privacy compromises, and the apps are fully confined to the standard app sandbox. They aren’t special apps, and you can limit the data you give them through the standard app permission model. These apps do not have access to persistent hardware identifiers, whereas microG does. Many banking apps, payment apps (except for Google Pay), games, and streaming services work just fine with sandboxed Google Play. GrapheneOS passes SafetyNet basicIntegrity, and that is usually more than enough for apps. The majority of apps work just fine, and GrapheneOS includes things like its own camera app, an app store which will soon start including hardened builds of third-party apps, its own secure PDF viewer, and soon more. Snowden recommends desoldering microphones, keeping radios off when unused, and routing internet traffic through the Tor network. You, however, likely don’t have Five Eyes after you, so this is a bit overkill. Pick a good VPN (ExpressVPN, ProtonVPN, etc., not NordVPN), and audit the permissions of each app you have installed.
Worried about 5G?
The simplest way is to go to Settings, search for “Preferred network type,” and select “LTE Only.” According to GrapheneOS, the following is unnecessary, but if you want to be extra sure, follow the next few steps:
Do this after you insert the SIM. You may also be able to get a SIM without 5G from your provider.
1. Go to the dialer and punch in *#*#4636#*#*
2. Tap on Phone Information
3. Find the drop-down for preferred network type. Entries beginning with NR are 5G.
4. Select a more appropriate network type. LTE/CDMA/EvDo/GSM/WCDMA should be universal.
5. You’re done. Phone won’t try to use the 5G radio.