
Core Philosophy

  1. Privacy ≠ Optional: Prevents mass data collection by design
  2. Security > Convenience: Sacrifices "smart" features for exploit resistance
  3. Transparency: Every line of code auditable
  4. Device Sanity: Removes 2M+ lines of Google telemetry code
  5. Proactive Hardening: Replaces reactive "vulnerability whack-a-mole" with systemic memory safety improvements. 73% of Android CVEs prevented via Scudo++ allocator and Rust integration.
  6. Hardware Paradox: Uses Google Pixels because of their Titan M2 secure enclave (physically separate from main CPU; Verified Boot with user-defined root of trust; firmware-level MAC randomization, which prevents Wi-Fi tracking).
  7. Support Superiority: GrapheneOS support for Pixel phones is 2 years longer than Google's.
"We're eliminating entire vulnerability classes - not just patching holes."

History

  • Born in 2014 as CopperheadOS
  • 2016: First Pixel support (Google's hardware + de-Googled OS)
  • Rebranded in 2019 after a developer split. Focuses exclusively on Pixel phones.
  • 2021: Scudo++ with quarantines (NSA-grade exploit mitigation)
  • 2023: Full Rust integration (prevents buffer overflows in core OS)
  • 2023: Controversial lead dev, Daniel Micay, stepped down but remains director
  • 2024: Quantum-resistant encryption prototypes
"Our Auditor app detects hardware tampering better than Apple's T2 chip."

Installation

  • Minimum: Pixel 4a
  • Recommended: Pixel 7a (5-year update guarantee)
  • Backup data first: unlocking bootloader wipes device

Beginners: Web Installer

  1. Enable OEM Unlock:
    Settings → About → Tap Build Number 7x → Developer Options → OEM Unlocking
  2. Visit grapheneos.org/install
  3. Connect phone → Follow prompts (20 minutes)

Advanced: CLI install

"We're proving iPhones aren't the only secure option - just better marketed."

Post-Install Checklist

[ ] Deny all "convenience" permissions
[ ] Enable Sensors Off toggle
[ ] Install Auditor app
[ ] Sensors Killswitch: Quick Settings → Toggle Off
[ ] Network Restrictions:
    Settings → Network & Internet → Firewall
    • Enable per-connection MAC randomization
    • Block local network discovery
[ ] Auditor Validation: Daily automated checks against Google's hardware certs

Setting up

Priority Sources

  1. Accrescent (Pre-installed)
    • Molly (Signal fork)
    • Aves Gallery (EXIF stripping)
    • AppVerifier (APK validation)
  2. Obtainium (GitHub)
    1. Search "[App] GitHub releases"
    2. Copy releases page URL
    3. Paste into Obtainium → Auto-updates enabled
    • Example: NewPipe → https://github.com/TeamNewPipe/NewPipe/releases
  3. Google Play (Last Resort)
    • Use separate profile
    • Burner account: Fake name + NO phone number

FOSS Apps

  • Accrescent - Privacy-focused app store
  • Aegis - 2FA authenticator
  • Amethyst - Nostr decentralized social client
  • AndBible - Offline Bible study
  • Antennapod - Podcast manager
  • AppVerifier - APK signature validation
  • Ashigaru - Bitcoin wallet with Ricochet
  • Aves Gallery - Gallery with EXIF stripping
  • Brave - Anti-fingerprinting browser
  • Easy Noise - Offline white noise generator
  • Easy Note - Minimalist notes
  • Envoy - Bitcoin wallet
  • IronFox - Hardened Firefox fork
  • KeePassDX - Offline password manager
  • Léon - URL tracking stripper
  • LocalSend - AirDrop alternative
  • Material Files - File manager
  • Molly - Signal fork with local encryption
  • Monero.com - Official Monero wallet
  • NetGuard - No-root firewall
  • NewPipe - YouTube client with SponsorBlock
  • Nextcloud - Self-hosted cloud suite
  • OpenKeychain - PGP encryption
  • Organic Maps - Offline navigation
  • Orbot - Tor proxy
  • Proton Drive - E2E encrypted storage
  • Proton Mail - Zero-access email
  • RedReader - Privacy-first Reddit client
  • Simple Calendar Pro - Telemetry-free calendar
  • Telegram FOSS - Decentralized messaging
  • Tor Browser - Onion-routed browsing
  • Twidere - Twitter/Fediverse client
  • Tuta - Encrypted email
  • Tuta Calendar - Encrypted calendar
  • Vanadium - Hardened Chromium
  • Zeus - Bitcoin Lightning node
"Your phone is a corporate surveillance device that happens to make calls. GrapheneOS removes the spyware OS while keeping the secure hardware."

No Phone Number Required

Visit Silent.Link → Select data plus eSIM plan (with NO phone number).
I've used this successfully in many countries. It even gives me unfettered and free internet in China. Be sure to pick the telecom company based on what they charge per GB of data. The difference can be 100x!

Support the Project:

"GrapheneOS isn't about becoming a privacy expert overnight. It's about systematically removing corporate surveillance hooks - one app, one permission, one profile at a time."

Moar Halp

Good one. Can you also add links to the apps' GitHub releases so they can be easily added to Obtainium? Also, you can mention zapstore.dev is really good for apps. And please explain in some simple steps how people can use eSIM.
reply
The instructions for e-SIM are on the page after purchasing Silent.Link. I found it to be enough and didn't want to clutter my simple guide.
reply
ah ok, right.
reply
54 sats \ 2 replies \ @ek 13 Feb
Thanks for not just posting a link to your blog btw
reply
I have a personal aversion to link posts. Discussion posts are the way. Don't teleport me out of SN please....
reply
That was ambiguous.
Don't teleport me out of SN please....
I meant the links for external content, not @ek
reply
Zapstore not included as I haven't used it yet.
Here's the list with verified GitHub links:
reply
24 sats \ 2 replies \ @clr 14 Feb
Great list. Just a comment: the Simple Mobile tools were sold to a company and the open source project was abandoned. Fossify forked Simple Mobile tools and development is active; I suggest checking it out.
reply
Ahhhh fossify. Okay yeah I do need to check it out! You didn't want to link the GitHub repo?
Is Brave a good browser? I thought their crypto stuff is not good for privacy. I only prefer Cromite https://github.com/uazo/cromite and Firefox. I recently found a new browser as well, but I'm waiting for it to be open source.
reply
Usually one of the top recommendations due to anti-fingerprinting and being based on Chrome, which is generally recommended as being more secure/private than Firefox, unfortunately. Avoid Firefox... Although there are hardened forks like LibreWolf and IronFox.
reply
Thanks for your help, I'm using IronFox now
reply
Thanks for the guide. It's wonderful and going to my bookmarks for future use.
reply
There's already a guide for it. #200175 There's also a guide provided by Graphene itself. https://grapheneos.org/usage
reply
Of course there is. There are MANY. This is my guide with my style. Thanks for sharing though! That's a good comment for people to find here.
reply
Reading now. As I suspected. It's a lot of prose. Similar to how I used to do it. Now I try to make guides that are quick and easy to digest. I try to avoid "prose" pieces for guides where I insert my opinions and tell a story. I prefer a bullet point approach. People should be able to read one of my guides fast.
reply
10 sats \ 1 reply \ @anon 14 Feb
A GrapheneOS user here. Nice guide, I like the succinct style. Thanks for the useful list of apps, I was not aware of some of them. But what is this:
Telegram FOSS - Decentralized messaging
!?
IMO Telegram does not belong on the list at all. It is centralized and does not use encryption by default. That is worse than Viber and WhatsApp.
Here is an alternative:
Simplex - A messenger without user IDs. Obtainium app configuration as HTML link
reply
Okay a few things.
Most people still have Telegram groups. These are basically public forums. WHICH DO NOT REQUIRE ENCRYPTION. Avoid DMs on Telegram. Therefore use the FOSS version of Telegram if you have to have it.
Simplex for groups (DMs are fine) sucks. I uninstalled.
Signal for groups/dms is 🔥. Other than asking for a phone number which is GAY. But I don't share to anyone.
reply
Here's another helpful comment by @03365d6a53 #200668
I don't recommend EVER putting a SIM card (or eSIM) into a mobile phone. Not just to avoid tracking. The Pegasus spyware exploits also work through missed calls and SMS. You can pretty much eliminate that threat by avoiding the use of GSM networks. Yes, I know it's inconvenient, yes, I know that it's difficult to explain to grandma, but we all need to move away from our reliance on phone numbers.
reply
Here are some great comments about enhancing your privacy with a GrapheneOS phone with some tricks related to the IMEI...
A suggestion was made to NOT have a SIM/e-SIM in the phone but to use a travel router + e-SIM + Blue Merle. The OP wrote it before the Mudi supported e-SIMs and so he was recommending changing the physical SIM monthly.
My recommendation would be to purchase a GL 750 travel router (Mudi) and install Blue Merle software (2 commands). You can then switch the IMEI every time you switch the SIM (i.e., monthly) so the most you would typically reveal would be a month's worth of tracking data. Also, 100% of your traffic will be over VPN so the provider will know nothing about your browsing habits / destinations. And Blue Merle will also wipe the connection logs from the router.
If you want further clarification this is actually true: Airplane mode on phones turns the cellular radio off completely, but having a SIM would still let you use over-IP carrier services like WiFi Calling. Send an SMS to yourself when you have Airplane mode on, you will receive it. Just not having a SIM isn't enough, you need to have both no SIM and airplane mode because it will broadcast to allow calling 911. The new Pixel Tablet has no cellular radio if you want to completely avoid it.
reply