GrapheneOS

This is a text automatically translated from Italian. If you appreciate our work and if you like reading it in your language, consider a donation to allow us to continue doing it and improving it.

GrapheneOS, caratteristiche principali

for Android
Open source
Android-based operating system focused on privacy and security
Google's Play Services can be enabled and they will be used in an isolated manner and above all without administrator privileges
it can be installed only and exclusively on Google Pixels
Almost all applications work with the original Play Services
security audits

As many of you may have already guessed, I often create articles on projects and alternatives that I found myself trying partly out of necessity and partly out of pure curiosity. Today's article will be slightly different from usual, especially in form, because I wanted to talk about it in the first person rather than in the third as is normally done on this blog.

Before starting, here is a very brief summary of why I decided to try GrapheneOS. For personal reasons I need, in this period, to use some applications on the Play Store that do not work via microG and therefore it was impossible for me to put an operating system like CalyxOS (here is the difference between CalyxOS and GrapheneOS by PrivacyGuides), Murena or how iode. Because, as already said in the various past reviews, the implementation of microG is definitely interesting but many applications do not work or in any case can cause problems.

GrapheneOS, the alternative operating system without microG

However, I have read around, including on our wonderful Telegram group, That GrapheneOS it is different because it does not use microG but has found a probably even more interesting system to implement Google services. The Play Services are in fact implemented (optionally, let's be clear), they are isolated and given a few essential permissions.

What does this mean exactly? The documentation of GrapheneOS And decidedly broad and you can read it independently, however to put it briefly it means that they do not have administrator privileges like in normal smartphones but are only used to run certain applications. In practice, it is explained to us that i Google Play Services they are implemented like any other app and not as an application with administrator privileges ¹.

So it can't do anything more than any other application would do. Furthermore, and here is perhaps the even better part, it only works within a profile. You could therefore install Google services only on a profile and use it only for the applications that you are somehow obliged to use.

Play Store or Aurora Store?

To give a quite practical example: if you decide to also enable the Play Store, all it will do is install the apps, it will not have any other privileges. Indeed, according to its developer, if you use GrapheneOS there isn't much difference between using the original Play Store with a Google account disposable and download applications via Aurora Store ². This is because Aurora Store uses a Google account shared with many other users to function and the Play Store on GrapheneOS will not have administrator powers and if you use a disposable account it will work, for better or worse, just like Aurora Store.

This implementation means that the applications that do not work on GrapheneOS, with Play Services installed, can be counted on the fingers of one hand ³. There are always incompatibilities, obviously and unfortunately, but from personal experience I can say that they are much fewer than those I had using CalyxOS with microG.

Audits

Before listing some features of GrapheneOS, I would like to underline that their code has received security audits ⁴ and it is constantly under observation. The GrapheneOS team also happened to discover dangerous Android bugs before the Google team ⁵.

Some features of GrapheneOS

So far I have only written about a tiny part of the features of GrapheneOS, let's say the most visual part in daily use. GrapheneOS was born from AOSP, i.e. the basic version e Open source of Android, on which changes have been made all focused on security and privacy. Being able to make a list of everything that has been done is quite long (and certainly boring) and I refer all interested parties to the official website of GrapheneOS.

I will limit myself to reporting the most impactful features in use, even if as already mentioned most are things that you don't see in the normal use of a smartphone.

Some features are the ability to turn off Bluetooth after a few minutes or hours of non-use ⁶. The aforementioned isolated Play Services ⁷, the integrated firewall to remove permission from applications to access the network ⁸ and the ability to disable access to all sensors not normally covered by stock Android such as the accelerometer, compass and any other sensor present ⁹.

All EXIFs within the screenshots taken are automatically deleted ¹⁰ and the numbers inside the PIN mask for unlocking the smartphone are randomly mixed every time ¹¹. There is a nice option to restart the device if it is not unlocked for more than 'some' hours, the profiles have been improved ¹² And up to 32 different profiles can be set ¹³.

Together with GrapheneOS we also find some applications such as Browsers and the WebView Vanadium ¹⁴, GrapheneOS Camera ¹⁵, GrapheneOS PDF Viewers ¹⁶ And Auditors ¹⁷.

The installation

Let's now come to the methods of using GrapheneOS. First of all, it can only be installed on a Google Pixel ¹⁸. Its installation is incredibly simple and made through one's own Browsers. Small warning, since I tried it myself. The cable used to do this operation is fundamental. The best and suggested thing would be to work with USB-C -> USB-C and with the original cable. Alternatively you can try a USB-A -> USB-C but it must be a quality cable and must also be attached to the main port of the computer, not through hubs. It works on almost all operating systems. On Linux an additional operation may be necessary: Connecting the phone.

Methods of use

Once you follow the simple instructions and have installed GrapheneOS on your smartphone there are different ways, in my opinion, to use it. I will try to say the ones that seem most suitable and plausible to me but don't limit your imagination!

• Basic use: this is probably the best and almost perfect choice. GrapheneOS was born without anything from Google, you can use F-Droid And Aurora Store to install your favorite applications. If you don't need to use applications linked to Google services (banking applications, car sharing, games, etc.) then this is definitely the solution for you.

• Use with Play Services active: if you need to use some applications that require Google services you can simply install them like any application, as mentioned at the beginning. You can find it within the pre-installable applications together with Vanadium (The Browsers) and the few others present. Please note that this does not necessarily mean installing the applications using the Play Store and therefore a Google account. To install the applications you can always use Aurora or F-Droid. In this case you can update Google Play Services directly from the Play Store without risk and even if you don't have an active Google account ¹⁹. However, here are more possibilities in my opinion:
  • in the main profile, that is, in what you mainly use. The one generally defined as “Owner”,
  • in another profile, this is probably the best choice. On GrapheneOS the profiles have been improved and have some unique and interesting features such as, for example, the possibility of notifying the profile in use in case of notifications (forgive the turn of phrase) in another profile. All you need to do is enable multi-users, create a new one and install Google services there. Now you can install applications via Aurora or F-Droid and isolate them only on this profile;
  • in a work profile, different from the user profile and less insulating (here are the differences between work profiles and user profiles) but more practical in daily use. You can enable and manage it thanks to the Shelter application and install Google services only in the work profile and install the applications thanks to Aurora or F-Droid.
  • Using with Play Services active and a Google account: it is an identical section to the previous one except that instead of installing the applications via the Aurora Store you will do it via a real Google account. Therefore, perfect if you have made some purchases and want to recover them or if some applications do not work if installed from Aurora because they necessarily want to be installed from the Play Store. As mentioned before, according to the GrapheneOS developer, using this operating system there will not be much difference between Aurora Store and a Play Store with an account disposable and anonymous. The rest I would say is a copy of what was said above.

Now in my opinion these are the main methods of use for GrapheneOS. As you can see, each method increases the compromises you have to make but remember that even if you log in with any Google account you are still using GrapheneOS and therefore it's not quite the same as doing it on a stock Android phone.

New Google account in minutes

Small separate paragraph dedicated to the last point mentioned above. But did you know that on Android it is possible to create a Google account in 2 minutes and without a phone number? Also on GrapheneOS! So if you really have to use the Play Store (for example to make a Chromecast work) you can go to Password and account, press on add and then up Google. From here you can create a Google account in just a few minutes, remove all possible tracking and not give out any phone number.

Incompatibilities and problems

Based on my experience with the last point, that is, installing applications directly from the Play Store with my Google account fake, the problems were fewer than those I had encountered with microG.

I have encountered problems with only one car sharing application, i.e Zity by Mobilize And it was explained to me which is precisely the application that deliberately does not support any different operating system regardless of Google services or where it is installed.

After a few days of use the application also started giving me problems NexiPay but since I moved it to my work profile without Google services it seems to be going without problems.

I also noticed that geolocalization is a little slower than normal, this is due to the fact that Play Services are not used to locate the smartphone but this is first bypassed by GrapheneOS. However, you can improve it, in case you have problems, by giving access to the location to Play Services (if you have them installed) although obviously this is not entirely recommended (you are giving your location directly to Google).

I also read that NFC payments don't work ²⁰, I don't use them so I couldn't try them first hand. If you have any updates on this, let me know and I will update the article. I also know that neither Android Auto It works, I haven't tried this one myself either.

The Chromecast, however, works without problems by logging into Google. However, screen casting, i.e. streaming of the entire screen, does not work well because it requires privileges that GrapheneOS does not allow it to have ²¹.

In conclusion, I encountered fewer problems than the microG solution where I didn't like some applications like Enjoy which instead works on GrapheneOS. Not everything is perfect unfortunately because some things don't work at their best or don't work at all but it seems like a better and greater compromise than the alternatives with microG.

Differences with LineageOS and other operating systems

But so what are the differences between LineageOS, CalyxOS And GrapheneOS? Eh, good question. If we listen to the GrapheneOS team, most alternative systems such as LineageOS, CalyxOS and /e/ integrate Google services with administrator access ²² and generally reduce the security of the smartphone ²³. But let's say they look like it have it a bit with CalyxOS and anyone who develops operating systems on Android that are not GrapheneOS, just take a look at their Twitter to think so: 1 (Nitter), 2 (Nitter), 3 (Nitter). It is therefore difficult to get a complete, sincere and non-biased idea.

The idea that I have is that, as often happens, it is important to evaluate your own Threat Model or establish from which one threat you are trying to defend yourself. I think if you're a common user and your goal is just to have more awareness, give less power to Google and advertising agencies then you won't have much trouble using LineageOS and similar.

However, if you are in some way a target, tell them activists (Mostly in This historical period), journalists or you live in a less than democratic state then perhaps it is better to seriously evaluate the use of GrapheneOS.

Conclusions and other anecdotes about GrapheneOS

I end the article by saying that GrapheneOS is certainly a niche operating system but in addition to having had endorsements even from Snowden ²⁴ and recently also from Android Authority, has a large community behind it which has allowed it to reach 5000$ per month on GitHub alone ²⁵ and tens of thousands of euros via cryptocurrencies ²⁶ with which they pay the developers who work for them ²⁷.

They also recently opened a non-profit foundation in Canada ²⁸. The founder of GrapheneOS, Daniel Micay, is in fact Canadian and before GrapheneOS he had collaborated on CopperheadOS, maybe some of you still remember it.

For now I'm happy with it, I've installed more things than I should even just to try them out and do some tests and understand how compatible it actually is with the applications. I didn't find any major usability flaws, at least in my way of using the smartphone. We will see in the next few weeks if there will be updates as always I will also update the article.

Other useful information

In the Italian podcast DigiData there is an episode entirely dedicated to GrapheneOS where other operating systems are also mentioned and a general smattering of interest is given, especially for those approaching this world for the first time: 14 • GrapheneOS, an Android smartphone without the excessive power of Google.

We recently found a nice and complete guide on using GrapheneOS. It was written by iAnonymous3000 and you can only find it in English at this address: https://github.com/iAnonymous3000/awesome-grapheneos-guide (Archive). Use yours favorite program to translate it in Italian if you need it!

1. Our compatibility layer has to be expanded on a case-by-case basis to teach Play services to work as a regular app without any of the invasive access and integration it expects.[↩]
2. Daniel Micay on Aurora Store | Nitter[↩]
3. Banking Applications Compatibility with GrapheneOS[↩]
4. Is GrapheneOS audited?[↩]
5. GrapheneOS on Twitter | Nitter[↩]
6. Attack surface reduction[↩]
7. Sandboxed Google Play[↩]
8. Network permission toggle[↩]
9. Sensors permission toggle[↩]
10. Private screenshots[↩]
11. PIN scrambling[↩]
12. Improved user profiles[↩]
13. More user profiles[↩]
14. Vanadium: hardened WebView and default Browsers[↩]
15. GrapheneOS Camera[↩]
16. GrapheneOS PDF Viewer[↩]
17. Auditor app and attestation service[↩]
18. Which devices are supported?[↩]
19. Update play service[↩]
20. Gpay alternatives for grapheneos?[↩]
21. GrapheneOS on Twitter | Nitter[↩]
22. Tweet by GrapheneOS | Nitter[↩]
23. Tweet by GrapheneOS | Nitter[↩]
24. Snowden on Twitter | Nitter[↩]
25. 80% towards $6,000 per month goal[↩]
26. GrapheneOS on Mastodon And Graphene forum[↩]
27. GrapheneOS on Twitter | Nitter[↩]
28. GrapheneOS on Twitter | Nitter[↩]

Join communities