
What is Graphene?

Graphene is an operating system (OS) based on the Android Open Source Project (AOSP). It hardens the AOSP code base with stronger app sandboxing and exploit mitigations, and it offers finer-grained permission controls than stock AOSP. It is a good idea to do your homework before switching to Graphene, since there is a lot to learn, and the user experience is not as smooth and intuitive as on a typical Android phone.
For me, the security and privacy was reason enough to switch, but it is also a way to help free me from big tech.

Getting Ready

I have been gradually de-googling my life for a few years now, so I was somewhat prepared to switch to Graphene. I replaced Gmail, Google Drive, Google Calendar, and Google Contacts with their Proton equivalents. I replaced Google search with DuckDuckGo, and replaced Google Chrome with a bunch of different browsers. I have set myself the ambitious goal of never using the Google Play Store again. This will be difficult, and I may have to abandon the idea. We'll see.
You may not have started the process of weaning yourself off of Google and/or Apple. If that's the case, your transition may be harder.
You may also intend to keep using Google apps and the Google Play Store. Graphene's own app repository offers "sandboxed Google Play", which installs Google's own Play Services and Play Store as ordinary, unprivileged user apps rather than as privileged system apps. I will explain what this means and the best way to use it later.

Choosing A Phone

I call this section "Choosing A Phone", but there is really not much choice: you need an unlocked Google Pixel. If you're buying a new device, I advise buying it directly from Google. I made the mistake of getting an "unlocked" phone from a retailer. What they meant was "carrier unlocked", which means you can choose any wireless carrier. I struggled for a while with this type of phone before realizing it was not really unlocked in the sense that matters: the phone needs to allow its bootloader to be unlocked, which shows up as the "OEM unlocking" toggle in developer options being available rather than greyed out. Why does Graphene only support Pixel phones? One reason is that a Pixel sold unlocked by Google lets you unlock the bootloader and, just as importantly, lock it again afterwards with your own verified boot key, while most other major manufacturers have locked down their devices. The Pixel also has a hardware-backed keystore, verified boot, hardware attestation, and input-output memory management units (IOMMUs). In plain English, the phone can prove to a verifier which OS it booted and whether the bootloader is locked, and it can keep components like the GPU and the radios from reading or writing memory they have not been granted.

Preparing your Phone

I chose a Pixel 7. Since it was new, I figured it would get updates for many years. I also like the sturdy build quality. From here on, you should refer to this excellent guide, which will help you unlock your bootloader and flash GrapheneOS. Just keep these few points in mind:
  • When you follow the directions to enable developer options, be sure to enable OEM unlocking; that is the setting the installer actually needs. Enabling USB debugging as well does no harm. Note that unlocking the bootloader wipes the device.
  • After struggling for a very long time attempting to unlock my bootloader on both an Ubuntu laptop and a Windows 11 laptop, I was easily able to use the web installer to unlock on a MacBook. I link here to a discussion thread I started on Stacker News which documents my struggles and the help I received. @03365d6a53 was particularly generous with his time and suggestions. If using Ubuntu, avoid the Flatpak installs of browsers, because the sandboxing will likely keep the browser from reaching the phone over USB. Also, if attempting to unlock the bootloader from the Ubuntu command line, you may need to run sudo apt install adb in addition to following the other instructions you find on the page (the CLI install itself uses fastboot, and the GrapheneOS guide recommends the official platform-tools download over distro packages, which are often outdated).
  • Overall, I found the Ubuntu installation simpler than Windows 11, but many people report more success with Windows than with any Linux distro.
Once you have unlocked the bootloader, the rest of the process is a breeze. The web installer makes it easy, and there is also a CLI install option; instructions for both are on the page I linked. Do not skip the final step of locking the bootloader again: with the bootloader unlocked, verified boot cannot protect the OS from tampering, and the Auditor app described below will flag the device.

Graphene OS First Impressions

Coming from a Samsung Galaxy, I immediately noticed the spare, functional look of the home screen. I appreciated the absence of any bloatware. In my case, I do not have wireless service set up yet. I am still considering my options.
Since I'm heavily immersed in the Proton Mail ecosystem right now, the first thing I did after creating my PIN and setting up wifi was grab the Proton Mail PWA using the default Vanadium browser. Next, I installed the F-Droid app. From there, I downloaded Proton VPN. Next I downloaded the Stacker News PWA, of course. Graphene ships its own apps and has its own app repository. These are the apps in it:
  • Auditor: According to its description, the Auditor app "uses hardware-based security features to validate the identity of a device along with authenticity and integrity of the operating system. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred." This is possible because Pixel phones support hardware attestation, which I talked about earlier.
  • Camera: The Graphene camera app is designed for privacy and security. It is called "Secure Camera" in the Google Play Store. It has security features like a dedicated QR scanning mode that needs no Network or Media/Storage permissions, and optional stripping of EXIF metadata from photos and videos.
  • PDF Viewer: The PDF Viewer renders PDFs inside a sandbox and requires no permissions.
  • Vanadium Browser: Vanadium is Graphene's hardened build of Chromium, with added exploit mitigations and privacy changes.
  • Sandboxed Google Play: This installs Google's own Play Services and Play Store as regular user apps, so they get no system privileges and their permissions can be controlled like any other app's. I describe this function in greater detail elsewhere.
I was using Vanadium as my browser, which seemed fine at first. I quickly realized that I had gotten used to Brave's built-in ad blocking, so I hunted around for a browser alternative. I downloaded Mull from F-Droid. That seemed okay. I intend to try Mullvad VPN with its browser, and see how that goes. I will likely go back to Brave eventually.
Keep in mind that there is an alternative to F-Droid if you're looking to download open source apps. It's called Obtainium, and this video explains it. As for me, I'm going the tedious route of downloading APKs directly from GitHub, which means no automatic updates and taking care to download only from the project's real release page. The first app I added this way was the Phoenix wallet.

What About Google Apps?

As I said earlier, I'm going to try to avoid using Google apps from this point forward. If you decide that you want to continue to use them, Graphene allows you to do this in a sandboxed way. When Android ships on a typical phone, Google Play Services and the other Google apps are preinstalled as privileged system apps. That status lets them bypass parts of the normal Android app sandbox, which otherwise prevents apps from interacting with each other without permission, so they are free to interact and collect data in ways ordinary apps cannot. In essence, they are spy apps.
Graphene gives Google apps no special privileges. Through sandboxed Google Play you install Google's own Play Services and Play Store as regular user apps, so they run in the same sandbox as any other app and you control their permissions.
Graphene also supports multiple user profiles on the phone. Each profile has its own environment, isolated from the others. You could create a profile called something like "Google User" that has normal Play Store access. This video gives you all the information you need.

Help From The Stacker News Community

I received a tremendous amount of help on Stacker News when getting started, so I'm just going to include some of the tips and insights and link to the users, in case you want to show your appreciation:
  1. @03365d6a53 provided some great ideas for those not wanting to use the device to make cellular phone calls. I learned from him that with airplane mode on, the cellular radio is off, so the phone does not register with nearby cell towers and therefore does not reveal its IMEI (International Mobile Equipment Identity) or its location to them. He recommends putting an anonymous data SIM in a VPN travel router such as the GL.iNet Mudi (GL-E750) running the Blue Merle software. @final provides a more in-depth explanation here. @final is also an expert in this area, and you would be well advised to ask them for advice. @final may also be posting a guide soon which will provide much more in-depth information than the basic stuff I have included here.
  2. @03365d6a53 also provided a list of apps that he likes:
  • Simplex Chat
  • Mullvad VPN
  • Amethyst Nostr client (I use this app too, and it's working great on Graphene)
  • K9 Mail
  • Element
  • Obtainium
  • Aurora (I don't intend to go this route)
  • BitWarden
  • Organic Maps
  • BTC Maps
  3. I was not enjoying the stock keyboard, so @final recommended FlorisBoard, which is available on F-Droid. I like it a lot so far, but one suggestion: turn off the sound. The loud click each time you press a key will drive you and everyone around you crazy.
  4. @039a43f343 recommended this link, which is a directory of F-Droid repositories.

Conclusion

I am very new to Graphene. I have a lot to learn. Getting my Pixel set up as a daily driver is going to take some work. Still, I am optimistic. I’m not going to rush it. I am keeping my old Galaxy around too, so my transition will be gradual. If you decide to make the change, I hope this short guide is useful.
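To make the Auditor section above concrete, here is an added example (not code from this post or from the GrapheneOS project) of the root-of-trust checks a verifier makes on an Android hardware key attestation: it decodes the KeyDescription extension (OID 1.3.6.1.4.1.11129.2.1.17) and confirms that the attestation is hardware-backed, that it carries the verifier's fresh challenge, that the bootloader is locked, and that the verified boot key is a pinned OS signing key in the boot state expected for that OS. The ASN.1 layout follows Android's published schema; the sample attestation bytes, the challenge, and the pinned key hash are constructed here, and validating the X.509 certificate chain up to the hardware attestation root is a prerequisite the block does not show.

```python
"""Auditor-style root-of-trust checks on a constructed Android key attestation
extension (KeyDescription). Added example; the sample bytes, challenge and
pinned key are constructed, and X.509 chain validation is not included."""
import hashlib

# Universal ASN.1 tag bytes used by the schema
INTEGER, OCTET_STRING, ENUMERATED, BOOLEAN, SEQUENCE = 0x02, 0x04, 0x0A, 0x01, 0x30
TAG_ROOT_OF_TRUST, TAG_OS_PATCH_LEVEL = 704, 706        # EXPLICIT tags in AuthorizationList
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3  # VerifiedBootState
SOFTWARE, TRUSTED_ENVIRONMENT, STRONGBOX = 0, 1, 2      # SecurityLevel


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(head, body):
    return head + _der_len(len(body)) + body


def der_int(v):   # minimal two's-complement encoding, as DER requires
    return _tlv(bytes([INTEGER]), v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def der_enum(v):
    return _tlv(bytes([ENUMERATED]), bytes([v]))


def der_bool(v):
    return _tlv(bytes([BOOLEAN]), b"\xff" if v else b"\x00")


def der_octets(b):
    return _tlv(bytes([OCTET_STRING]), b)


def der_seq(*parts):
    return _tlv(bytes([SEQUENCE]), b"".join(parts))


def der_ctx(tagnum, body):
    """EXPLICIT context-specific tag [tagnum] in high-tag-number form (tagnum >= 31)."""
    digits = []
    while tagnum:
        digits.insert(0, tagnum & 0x7F)
        tagnum >>= 7
    return _tlv(bytes([0xBF] + [d | 0x80 for d in digits[:-1]] + [digits[-1]]), body)


def _read_tlv(buf, pos):
    """Decode one TLV at pos -> (class bits, tag number, value bytes, next pos)."""
    first, pos = buf[pos], pos + 1
    tagnum = first & 0x1F
    if tagnum == 0x1F:                       # high-tag-number form, base-128 digits
        tagnum = 0
        while True:
            b, pos = buf[pos], pos + 1
            tagnum = (tagnum << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length, pos = buf[pos], pos + 1
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return first & 0xC0, tagnum, buf[pos:pos + length], pos + length


def _children(body):
    pos = 0
    while pos < len(body):
        cls, tagnum, val, pos = _read_tlv(body, pos)
        yield cls, tagnum, val


def _parse_auth_list(body):
    out = {}
    for cls, tagnum, val in _children(body):
        if cls != 0x80:                      # only context-specific (tagged) fields
            continue
        inner = next(_children(val))[2]      # an EXPLICIT tag wraps exactly one value
        if tagnum == TAG_ROOT_OF_TRUST:
            key, locked, state, vb_hash = [v for _, _, v in _children(inner)]
            out["rootOfTrust"] = {"verifiedBootKey": key, "deviceLocked": locked != b"\x00",
                                  "verifiedBootState": state[0], "verifiedBootHash": vb_hash}
        elif tagnum == TAG_OS_PATCH_LEVEL:
            out["osPatchLevel"] = int.from_bytes(inner, "big", signed=True)
    return out


def parse_key_description(ext):
    if ext[0] != SEQUENCE:
        raise ValueError("KeyDescription must be a SEQUENCE")
    f = list(_children(_read_tlv(ext, 0)[2]))
    # schema order: attestationVersion, attestationSecurityLevel, keymasterVersion,
    # keymasterSecurityLevel, attestationChallenge, uniqueId, softwareEnforced, teeEnforced
    return {"attestationSecurityLevel": f[1][2][0], "attestationChallenge": f[4][2],
            "teeEnforced": _parse_auth_list(f[7][2])}


def verify_root_of_trust(ext, challenge, pinned_keys):
    """pinned_keys maps sha256(OS signing key) -> (OS name, expected VerifiedBootState).
    Returns the list of failed checks; an empty list means the device passes."""
    kd, failures = parse_key_description(ext), []
    if kd["attestationSecurityLevel"] not in (TRUSTED_ENVIRONMENT, STRONGBOX):
        failures.append("attestation is software-only, not hardware-backed")
    if kd["attestationChallenge"] != challenge:
        failures.append("challenge mismatch: attestation was not made for this session")
    rot = kd["teeEnforced"].get("rootOfTrust")
    if rot is None:
        return failures + ["no hardware-enforced root of trust"]
    if not rot["deviceLocked"]:
        failures.append("bootloader unlocked")
    os_name, expected_state = pinned_keys.get(rot["verifiedBootKey"], (None, None))
    if os_name is None:
        failures.append("verified boot key is not a pinned OS signing key")
    elif rot["verifiedBootState"] != expected_state:
        failures.append(f"verified boot state {rot['verifiedBootState']} unexpected for {os_name}")
    return failures


def build_sample_attestation(challenge, boot_key, locked=True, state=SELF_SIGNED, level=TRUSTED_ENVIRONMENT):
    """Constructed attestation extension; a real one is read from the attestation certificate."""
    root_of_trust = der_seq(der_octets(boot_key), der_bool(locked), der_enum(state), der_octets(bytes(32)))
    tee = der_seq(der_ctx(TAG_ROOT_OF_TRUST, root_of_trust), der_ctx(TAG_OS_PATCH_LEVEL, der_int(202406)))
    return der_seq(der_int(200), der_enum(level), der_int(200), der_enum(level),
                   der_octets(challenge), der_octets(b""), der_seq(), tee)


# Constructed stand-in for the SHA-256 of an OS signing (AVB) key. GrapheneOS boots
# under its own key, so a healthy device attests SelfSigned (yellow), not Verified (green).
SAMPLE_KEY = hashlib.sha256(b"constructed-graphene-avb-key").digest()
PINNED = {SAMPLE_KEY: ("GrapheneOS (constructed key)", SELF_SIGNED)}

if __name__ == "__main__":
    nonce = hashlib.sha256(b"constructed-per-session-nonce").digest()   # verifier picks this fresh each time
    print(verify_root_of_trust(build_sample_attestation(nonce, SAMPLE_KEY), nonce, PINNED))
    print(verify_root_of_trust(build_sample_attestation(nonce, SAMPLE_KEY, locked=False, state=UNVERIFIED), nonce, PINNED))
```

The challenge check is what stops a replayed attestation from an earlier session or from another device, and the pinned key check is what ties the result to a specific OS rather than to "some locked bootloader": a device that has been re-flashed with a different signed OS is still locked and still reports a valid boot state, but under a key the verifier has not pinned.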
Great post! Some good details here, will add onto some of the information:
The Auditor app essentially acts as an intrusion detection utility. The hardware attestation method of verification is for extremely sophisticated attacks. If such an attacker somehow manages to change something with kernel/root level access, the Auditor app can detect that by performing hardware-based attestation, comparing itself to an uncompromised one. Don't trust, verify.
The Google Play apps you install via the apps repository are not a special version of them, they are the real Google Play services apps, the permission controls exist because you installed them as a user app rather than a system one.
A special app/service called GmsCompat essentially acts as an intermediary whenever Google Play Services tries to call something privileged or query certain information. It stops Google Play from breaking and also allows GmsCompat to shim Google Play functionality in a privacy respecting way. This is also why you may often see notifications come from GmsCompat when doing Google Play specific things. The name Sandboxed Google Play comes from the default sandbox of user-installed apps, rather than it being a special sandbox.
Also the Proton Mail app could be better than the PWA, as it relies on the hardware-backed keystore (the same your OS uses) to store the mailbox's decryption data in.
If you enable PIN code on the mobile app there's little way of them getting in, unlike the PWA where you can just tap and sign in.
Some favourite apps of mine are:
reply
This is a real treasure trove of information! Thanks
reply
A great privacy respecting way to sync files between phone and multiple computers is https://syncthing.net/ - it creates a direct encrypted connection between the devices, so the data doesn't go through any "server". It works on Graphene or Calyx.
reply
A couple of interesting apps:
  • Florisboard: Customizable open source keyboard
  • Habits Tracker: Define and track your habits
  • RunnerUp: Open Source run tracker with support for heart rate monitors
  • Aegis: Open Source 2-step Authenticator
reply
Bookmarked - thanks for the writeup! And the kind words!
Some more graphene titbits:
  • Double click the power button on the top right to open the camera
  • Once you have enabled an app in your dedicated user profile (eg banking stuff, or google), you can disable it in your main profile so it won't appear there
  • Graphene doesn't have a good backup / restore feature. They're working on this
  • To get around rate limiting in Aurora, hold the icon to view "app info", then select "open by default", "add link" and select the google play links. Now you can navigate to an app on play store in your browser, and install it directly from there (useful for those apps that just aren't available as open source, eg Uber / Bolt)
reply
Thanks for more tips! Is there any chance you can help @duvel with the eSIM issue?
reply
No - I don't recommend EVER putting a SIM card (or esim) into a mobile phone
Not just to avoid tracking. The Pegasus spyware exploits also work through missed calls and SMS. You can pretty much eliminate that threat by avoiding the use of GSM networks.
Yes I know it's inconvenient, yes I know that it's difficult to explain to grandma, but we all need to move away from our reliance on phone numbers.
reply
Could we have both by having a sim in the phone, having the phone on airplane mode and using wifi calling? This works great for me. Agree that in the long term phone numbers need to go.
reply
I've never tried wifi calls like that, but sounds reasonable if you're happy with your analytics being shared through your telco provider
reply
Good post, I also tried to switch to Graphene, but after a couple of days I went back to the stock firmware because I experienced a lot of inconveniences that I was used to. It's really bad, really, that big corporations do everything to make you get used to using their services and not know the alternatives. It's like a drug that's very hard to get off in the future.
But I'm going to try it again. Right now I'm phasing out Google services, replacing them with alternatives.
reply
I had that problem just trying to change from gmail. It had gradually infiltrated its way into so many areas of my online life: photos, google docs, drive, youtube. It's been a few years since I broke that pattern, which is making this switch to graphene much easier.
reply
If you want to have full control over your calendar and contacts (and remote files!), you can set up your own CalDAV server.
Radicale and SabreDAV are both great. Just choose one and set it up in a few minutes in either a local machine or an internet connected server for easier access.
Then on your phone, install DavX5 which is an android app to sync with CalDAV/CardDAV. Your local calendar app will be able to read from that.
Then for desktop, Thunderbird is a nice client that connects to CalDAV.
And that's pretty much it. That way you will have your own calendar and contacts (and files), on your own server.
reply
thanks! I hadn't realised you need TWO apps to make the calendar work. Now with davx5 and simple calendar pro (both on f-droid) I finally have my calendar working (served from radicale)
thanks again!
reply
On the BitWarden recommendation, just make sure you're self-hosting as by default you will be storing passwords in their cloud.
reply
Fantastic post.
I've been using Graphene for almost a year now after switching from iOS. For the most part there is no degradation in UX, but a few things bug me:
  • Keyboard autocorrect (even with FlorisBoard, or OpenBoard which I use) is much worse and really slows me down sometimes. Just need to concentrate more!
  • System updates and required restarts are much more frequent
  • Camera just isn't as responsive, and I miss some photos that would have been caught with my iPhone
  • I've backed up with USB, but I have low confidence this will work based on the warnings I've seen from the developers
  • For some reason Bitwarden autofill didn't work at first, but now does and its really convenient. This is a bit erratic.
Apart from those, its great and gives me such peace of mind knowing that I'm a bit more protected against big tech and other bad actors.
Also I'm not yet fully degoogled... but getting there. Slowly changing email logins and using legacy Google and Apple stuff less and less. One step at a time!
reply
Note that you can add your gmail email without having to install the full Google Services. Here's how you do it:
Done, now you can use gmail email in GOS without installing Google Services.
reply
This is the way. Thanks for the helpful write up!!!
reply
I have been using GrapheneOS for nearly two years as my daily driver. Great work. Works great with Federated Computer, too.
reply
If you can't afford a pixel then DivestOS is a great alternative for older/lower end devices.
reply
I cannot wait to upgrade my phone to something I can get Graphene on. I can't do it until I can afford to buy a phone at full price. It really is a shame that for phones we only have Android and Apple. Any time someone starts up a competing OS project one of the two companies force a buy out.
reply
The Pixel 6a is usually on sale these days. Great phone and it gets security updates until at least July 2027.
reply
Thank you for this, bookmarked to read asap later today
reply
Thank you for documenting your experience and making this write up!
reply
great write up! bookmarked
thanks for this and rad that you linked back to the prior thread with all the tips ✌
one thing with installing apps i found helpful and just want to write here in case it helps anyone else: there's the aurora store if really need to use Play Store for an app.
well the search function in aurora store is borked, it took me some time to realise the way to do it is set it as default to open play links (via Settings) and then search for the app in duckduckgo then click and voilà it opens in aurora
maybe that's dumb, but didn't see it on any of the intro vids I watched, and I couldn't work out how people were able to use it!
just a little thing that helped make it make sense.
reply
Thanks for that tip. That's the kind of thing that can drive me nuts until I figure it out.
reply
Excellent article you wrote. I'm new(ish) to GOS as well.
What have you found best/most comfortable/easy-to-use with Graphene? What have you found to be its limitation/frustrations/issues/trade-offs, etc. ?
reply
Thanks, but I'm not an expert. I have stubbornly refused to use the Google Play Services, so I have had a few challenges. For the most part, though, it has been fairly easy. I should mention that I don't do any banking, paypal, venmo stuff.
reply
Same boat with you; I use zero banking-related apps, zero playstore connections, etc. Basically just a Bitcoin/Nostr/P2P device and works great. No eSIM either, no need just use public wifi with VPN (for me at least).
Haven't missed out on much. Overall great experience so far.
One downside I noticed is I have trouble using any Nostr-extension logins like NIP46 or nsecbunker for remote sign-in for things like here on SN, or nostr clients.
Problem is since Graphene is so closed-off and sandboxed in ways the apps have difficult time communicating with each other in the background.
Overall works great though.
reply
Same! I do run into nostr issues. I must say the SN PWA works great on Vanadium
reply
Fr it does! Do you use any Nostr extensions to login to SN via PWA?
reply
No. I honestly haven't been spending much time on nostr recently.
reply
All good was curious. Any good pleb recommendations to follow here on SN?
reply
I would hate to leave anyone out! There are so many great accounts here. I suggest you start by hanging out in the Saloon. You will find many regulars in there. You'll get a feel for the place. Then find some posts you like and check out the profiles of those stackers.
Grateful
reply
Great content!
Do you or anyone else have issues with eSIM (internet only) on GrapheneOS without Google Play Services?
I read on their Github that Google Play Services are required. I managed to get eSIM activated with Google Play Services installed and removed it later on. Then I had no internet connection even when I installed Google Play Services again and restarted.
reply
You need to have Google Play Services to install an eSIM for the first time.
Once it is installed, you can remove Google Play Services and you will be able to use the eSIM.
By default GrapheneOS always has shipped with baseline support for eSIM, where users can use any eSIMs installed previously on the device. However, in order to manage and add eSIMs, proprietary Google functionality is needed. This is fully disabled by default.
Privileged eSIM management can be enabled in Settings ➔ Network & Internet ➔ Privileged eSIM management. The toggle will be greyed out and unusable if sandboxed Google Play is not installed, as the functionality is reliant on it.
By enabling the toggle, the proprietary Google functionality is enabled and will be used by the OS to provision and manage eSIMs.
Note that if the eSIM installation process does not progress past the "Checking network info..." stage despite having a stable Internet connection, you may need to dial the code *#*#4636#*#* and then enable DSDS in the menu that is presented.
If you have any issues, you should check out their discussion forum, they are great.
reply
Personally I haven't used an eSIM yet, but I'm planning to soon. I'm sure someone on the thread can provide more info.
reply
How's the eSIM journey going? I'm currently trying to figure it out.
reply
I haven't done it yet. Still just running wifi
reply
oh cool! That's the level i'd like to be at but it's hard getting away from a phone number
reply
This post was featured on This Day in Stacker News as the top post of the day.
reply
Two days in a row!
This post was featured on This Day in Stacker News as the top post of the day.
reply
good info to know :)
reply
Great guide!
I am still hesitant to buy directly from Google. What personal information did they ask for? Can you pay with other means than card? Personal information can easily be linked to the IMEI.
Physical stores should carry a no-brand OEM-unlocked version that should be equivalent but with better privacy.
reply
You are correct that privacy is an issue buying from Google. You can try different retailers and see whether the bootloader can be unlocked. If not, return it.
reply
It would be good to know if there's a specific model number/code that indicates OEM unlocked. Apparently if it has zero carrier branding and/or says international it should be good. But you're right, return it otherwise
reply
I realize the link I provided for the windows installer appears to be broken. Sorry about that. This should work: https://grapheneos.org/install/web
reply
I wish it worked with more phones besides Pixels ...
reply
Same here. At least this process trains google a tad by diverting ad revenue to hardware revenue
reply