Core Philosophy
- Privacy ≠ Optional: Prevents mass data collection by design
- Security > Convenience: Sacrifices "smart" features for exploit resistance
- Transparency: Every line of code auditable
- Device Sanity: Removes 2M+ lines of Google telemetry code
- Proactive Hardening: Replaces reactive "vulnerability whack-a-mole" with systemic memory safety improvements. 73% of Android CVEs prevented via Scudo++ allocator and Rust integration.
- Hardware Paradox: Uses Google Pixels because of their Titan M2 secure enclave (physically separate from main CPU, Verified Boot with user-defined root of trust, Firmware-level MAC randomization (prevents Wi-Fi tracking)).
- Support Superiority: GrapheneOS support for Pixel phones is 2 years longer than Google's.
"We're eliminating entire vulnerability classes - not just patching holes."
History
- Born in 2014 as CopperheadOS
- 2016: First Pixel support (Google's hardware + de-Googled OS)
- Rebranded in 2019 after a developer split. Focuses exclusively on Pixel phones.
- 2021: Scudo++ with quarantines (NSA-grade exploit mitigation)
- 2023: Full Rust integration (prevents buffer overflows in core OS)
- 2023: Controversial lead dev, Daniel Micay, stepped down but remains director
- 2024: Quantum-resistant encryption prototypes
"Our Auditor app detects hardware tampering better than Apple's T2 chip."
Installation
- Minimum: Pixel 4a
- Recommended: Pixel 7a (5-year update guarantee)
- Backup data first: unlocking bootloader wipes device
Beginners: Web Installer
- Enable OEM Unlock:
Settings → About → Tap Build Number 7x → Developer Options → OEM Unlocking
- Visit grapheneos.org/install
- Connect phone → Follow prompts (20 minutes)
Advanced: CLI install
- Full CLI guide: grapheneos.org/install/cli (8 minutes)
"We're proving iPhones aren't the only secure option - just better marketed."
Post-Install Checklist
[ ] Deny all "convenience" permissions
[ ] Enable Sensors Off toggle
[ ] Install Auditor app
[ ] Sensors Killswitch: Quick Settings → Toggle Off
[ ] Network Restrictions:
Settings → Network & Internet → Firewall
- Enable per-connection MAC randomization
- Block local network discovery
[ ] Auditor Validation: Daily automated checks against Google's hardware certs
Setting up
Priority Sources
- Accrescent (Pre-installed)
- Molly (Signal fork)
- Aves Gallery (EXIF stripping)
- AppVerifier (APK validation)
- Obtainium (GitHub)
1. Search "[App] GitHub releases"
2. Copy releases page URL
3. Paste into Obtainium → Auto-updates enabled
- Example: NewPipe → https://github.com/TeamNewPipe/NewPipe/releases
- Google Play (Last Resort)
- Use separate profile
- Burner account: Fake name + NO phone number
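Checking a sideloaded APK's signer against a pinned fingerprint is the kind of validation AppVerifier is listed for above, and it matters most on the first install of an app pulled from GitHub through Obtainium. This is an added example, not code from GrapheneOS, AppVerifier or Obtainium; it assumes the line layout of `apksigner verify --print-certs` output, and the fingerprint shown is a constructed placeholder, not any real app's certificate.

```python
import hmac
import re

# Constructed sample in the shape of `apksigner verify --print-certs app.apk`.
# Digests are placeholders, not a real signing certificate.
SAMPLE_APKSIGNER_OUTPUT = """\
Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Signer #1 certificate SHA-1 digest: 00112233445566778899aabbccddeeff00112233
"""

# Pin as a developer might publish it: colon-separated, upper case (constructed).
PINNED_FINGERPRINT = (
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
)

DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})$", re.M
)


def normalize_fingerprint(text):
    """Accept 'AA:BB:...' or plain hex; return 64 lowercase hex characters."""
    cleaned = re.sub(r"[:\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def signer_digests(apksigner_output):
    """Return every signer's SHA-256 certificate digest, lowercased."""
    return [d.lower() for d in DIGEST_RE.findall(apksigner_output)]


def verify_pinned_signer(apksigner_output, pinned):
    """True only if there is exactly one signer and it matches the pin."""
    digests = signer_digests(apksigner_output)
    if len(digests) != 1:
        # Unsigned, unparsable or multi-signer output: refuse rather than guess.
        return False
    return hmac.compare_digest(digests[0], normalize_fingerprint(pinned))


if __name__ == "__main__":
    ok = verify_pinned_signer(SAMPLE_APKSIGNER_OUTPUT, PINNED_FINGERPRINT)
    print("signer matches pin" if ok else "signer mismatch: do not install")
```

Take the pinned fingerprint from a channel other than the download itself, such as the developer's own site, so a compromised release page cannot supply both the APK and the value it is checked against.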
FOSS Apps
- Accrescent - Privacy-focused app store
- Aegis - 2FA authenticator
- Amethyst - Nostr decentralized social client
- AndBible - Offline Bible study
- Antennapod - Podcast manager
- AppVerifier - APK signature validation
- Ashigaru - Bitcoin wallet with Ricochet
- Aves Gallery - Gallery with EXIF stripping
- Brave - Anti-fingerprinting browser
- Easy Noise - Offline white noise generator
- Easy Note - Minimalist notes
- Envoy - Bitcoin wallet
- IronFox - Hardened Firefox fork
- KeePassDX - Offline password manager
- Léon - URL tracking stripper
- LocalSend - AirDrop alternative
- Material Files - File manager
- Molly - Signal fork with local encryption
- Monero.com - Official Monero wallet
- NetGuard - No-root firewall
- NewPipe - YouTube client with SponsorBlock
- Nextcloud - Self-hosted cloud suite
- OpenKeychain - PGP encryption
- Organic Maps - Offline navigation
- Orbot - Tor proxy
- Proton Drive - E2E encrypted storage
- Proton Mail - Zero-access email
- RedReader - Privacy-first Reddit client
- Simple Calendar Pro - Telemetry-free calendar
- Telegram FOSS - Decentralized messaging
- Tor Browser - Onion-routed browsing
- Twidere - Twitter/Fediverse client
- Tuta - Encrypted email
- Tuta Calendar - Encrypted calendar
- Vanadium - Hardened Chromium
- Zeus - Bitcoin Lightning node
"Your phone is a corporate surveillance device that happens to make calls. GrapheneOS removes the spyware OS while keeping the secure hardware."
Silent.Link eSIM: Anonymous Connectivity
No Phone Number Required
Visit Silent.Link → Select data plus eSIM plan (with NO phone number).
I've used this successfully in many countries. It even gives me unfettered and free internet in China. Be sure to pick the telecom company based on what they charge per GB of data. The difference can be 100x!
Support the Project:
- Donate: grapheneos.org/donate
- Community: grapheneos.org/contact
"GrapheneOS isn't about becoming a privacy expert overnight. It's about systematically removing corporate surveillance hooks - one app, one permission, one profile at a time."
There's already a guide for it. #200175 There's also a guide provided by Graphene itself. https://grapheneos.org/usage
Of course there is. There are MANY. This is my guide with my style. Thanks for sharing though! That's a good comment for people to find here.
Reading now. As I suspected. It's a lot of prose. Similar to how I used to do it. Now I try to make guides that are quick and easy to digest. I try to avoid "prose" pieces for guides where I insert my opinions and tell a story. I prefer a bullet point approach. People should be able to read one of my guides fast.
Zapstore not included as I haven't used it yet.
Here's the list with verified GitHub links:
Great list. Just a comment: the Simple Mobile tools were sold to a company and the open source project was abandoned. Fossify forked Simple Mobile tools and development is active, I suggest checking it out.
Ahhhh fossify. Okay yeah I do need to check it out! You didn't want to link the GitHub repo?
https://www.fossify.org
https://github.com/FossifyOrg
Is Brave a good browser? I thought their crypto stuff is not good for privacy. I only prefer Cromite https://github.com/uazo/cromite and Firefox. I recently found a new browser as well, but I'm waiting for it to be open source.
Usually one of the top recommendations due to anti-fingerprinting and based on Chrome, which is generally recommended as being more secure/private than Firefox, unfortunately. Avoid Firefox... Although there are hardened forks like LibreWolf and IronFox
Thanks for your help, I'm using IronFox now
Thanks for not just posting a link to your blog btw
I have a personal aversion to link posts. Discussion posts are the way. Don't teleport me out of SN please....
That was ambiguous.
I meant the links for external content, not @ek
Thanks for the guide. It's wonderful and going to my bookmarks for future use.
Good one. Can you also add links to the apps' GitHub releases so they can be easily added to Obtainium? Also you can mention zapstore.dev is really good for apps. And please explain in some simple steps how people can use eSIM.
The instructions for e-SIM are on the page after purchasing Silent.Link. I found it to be enough and didn't want to clutter my simple guide
ah ok, right.
#884989
A GrapheneOS user here. Nice guide, I like the succinct style. Thanks for the useful list of apps, I was not aware of some of them. But what is this:
!?
IMO Telegram does not belong to the list at all. It is centralized and does not use encryption by default. That is worse than Viber and Whatsapp.
Here is an alternative:
Simplex - A messenger without user IDs. Obtainium app configuration as HTML link
Okay a few things.
Most people still have telegram groups. These are basically public forums. WHICH DO NOT REQUIRE ENCRYPTION. Avoid dms on telegram. Therefore use the FOSS version of telegram if you have to have it.
Simplex for groups (dms are fine) suck. I uninstalled.
Signal for groups/dms is 🔥. Other than asking for a phone number which is GAY. But I don't share to anyone.
Here's another helpful comment by @03365d6a53 #200668
Here are some great comments about enhancing your privacy with a GrapheneOS phone with some tricks related to the IMEI...
A suggestion was made to NOT have a SIM/e-SIM in the phone but to use a travel router + e-SIM + Blue Merle. The OP wrote it before the Mudi supported e-SIMs and so he was recommending changing the physical SIM monthly.
#198535 by @03365d6a53
#198353 by @final