Questions and feedback for new GrapheneOS user.

I am a new GrapheneOS user. I love the operating system! I have had my Pixel phone for a couple of weeks now but I have not been using it because I am trying to gain the knowledge to make sure I do everything as perfectly as possible when it comes to having a private phone. I guess I am experiencing information overload and I need to actually just start using my damn phone!

So my first question is what are some ways I can harden the OS before I even start using the phone and before I start installing apps? For all the default GrapheneOS apps, I have turned off pretty much everything: permissions, background mobile data, open links, display over other apps, modify system settings. Location is turned off. Keeping the wallpaper to the default colour. Wi-Fi and Bluetooth scanning are turned off, and Wi-Fi and Bluetooth are turned on only when I need them. The Wi-Fi MAC address is randomized. These are the default changes I will have for every profile that will be created on my phone.

My second question is about profile setups. Again, feedback on how I can harden my profile setups to be as private and secure as possible for my needs will be appreciated. The owner profile will not be used at all and will be locked with a password. I will have three additional profiles:

Profile 1: A physical SIM card will be used and this profile will therefore be used as my personal profile where I will be installing the Firefox browser to do personal unanonymous activities such as banking, online shopping etc. The only other app that will be installed on this profile will be the Aurora Store to install and update the Firefox browser.

Profile 2: This will be used for anonymous activities such as creating and using anonymous social media accounts. The Brave browser and Orbot will be used to achieve this. The only other app installed will be the Aurora Store to install and update these 2 apps.

Profile 3: This profile will only have Tor browser installed.

Additional questions:
1) I have heard conflicting opinions about installing browser plugins. Some say it is not good for privacy or security but the Tor browser itself has plugins installed out of the box. Obviously Tor is not normally used for personal unanonymous activities, therefore the plugins would not know much about you and hence why plugins on Tor are not really an issue? For my 1st profile for unanonymous activities, should I install a plugin such as uBlock Origin on the Firefox browser? Even though the Firefox browser will be used for unanonymous activities, it would be nice to have uBlock Origin to block requests being made to trackers. But would having uBlock Origin be a privacy or security concern?
2) If I use display over other apps, is this a privacy concern? For example, if I use NewPipe over the Brave browser, what information does NewPipe have access to? Does it see what I type and everything shown on the browser?

Sorry if I wrote too much. It is not easy for a noobie like me to learn and implement a privacy lifestyle without the help of other humans!

    Ghj456 noobie

    Even if you're new to it, you do more research than others who claim to be privacy conscious. I feel like you have a good grasp of things. I do have some comments about some things, though.

    Ghj456 what are some ways I can harden the OS

    The GrapheneOS developers do a lot of research and hardening on their own so we as users don't have to take any further steps to harden the OS. It's our job as users to further protect ourselves via our actions, i.e. not sharing personal info, using good passwords, etc.

    In other words, GrapheneOS can do a lot to protect us but it cannot protect us from ourselves.

    Ghj456 Firefox browser

    From the GrapheneOS website (under web browsing):

    Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn't have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android.

    Ghj456 brave browser and Orbot

    This is fine if you understand that Brave would make it easier to fingerprint you than the Tor Browser.

    Ghj456 browser plugins

    From the same section on web browsing I linked above:

    We recommend against trying to achieve browser privacy and security through piling on browser extensions and modifications. Most privacy features for browsers are privacy theater without a clear threat model and these features often reduce privacy by aiding fingerprinting and adding more state shared between sites.

    This is from the Tor project's website:

    Tor Browser comes with one add-on installed: NoScript. You should not install any additional add-ons on Tor Browser because that can compromise some of its privacy features.

    Ghj456 If I use display over other apps, is this a privacy concern?

    I've wondered about this before and researched it because I read conflicting things on the internet about this. I live in an area that sometimes has very large earthquakes, so I have an app that displays over others to warn me ahead of time.

    The app I use specifically uses SYSTEM_ALERT_WINDOW and so does NewPipe according to their AndroidManifest file. This access only permits an application to display over some, not all, other windows. That's it. Before giving the app I use access, I searched around and saw conflicting information online. Some websites claimed that this access allows the app to see everything all the time, which was concerning, but their claims were made without any proof. If you found the same claims online, here's some info from Android's developer website about the permissions and you can decide whether to allow that or not on your own:

    SYSTEM_ALERT_WINDOW

    Allows an app to create windows using the type WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. Very few apps should use this permission; these windows are intended for system-level interaction with the user.

    TYPE_APPLICATION_OVERLAY

    Window type: Application overlay windows are displayed above all activity windows (types between FIRST_APPLICATION_WINDOW and LAST_APPLICATION_WINDOW) but below critical system windows like the status bar or IME.

    The system may change the position, size, or visibility of these windows at anytime to reduce visual clutter to the user and also manage resources.

    Requires Manifest.permission.SYSTEM_ALERT_WINDOW permission.

    The system will adjust the importance of processes with this window type to reduce the chance of the low-memory-killer killing them.

    In multi-user systems shows only on the owning user's screen.

    Ghj456 Sorry if I wrote too much.

    Me too!

      22 days later

      unwat Thanks for reply and help.

      Isn't Tor also Gecko-based, and doesn't it therefore have the same issues as Firefox?

      Does "picture in picture" also have possible privacy issues like "display over apps"?

      8 days later

      missing-root

      So if I use the Aurora Store, Google can still take the original APK file and change it and no one will notice it? I thought APK files downloaded from the Aurora Store are open source, therefore if Google did modify the file then it would be discovered? Was this the case for Firefox? Did Google take the Firefox file and modify it or did Firefox have this tracking from the start? Also, what Google Firefox tracking are you specifically talking about, if you can link me an article about it? Is it this one? https://www.reddit.com/r/privacy/comments/kh6398/friendly_reminder_that_firefoxs_tracking/

      My initial approach was to download APK files directly from the company's website but not all of them have it available to download on their website. I then tried to find these apps on F-Droid but they also did not have it. I then resorted to downloading the APK file from the Aurora Store as this is what was recommended to do. The reason why I am using browsers like Brave is because it is what is recommended by privacy channels such as Techlore. You are the first person to recommend me an app like Mull.

      Apart from being easier to be fingerprinted, isn't installing add-ons invasive because they ask for permissions where they can see what you do and type in your browser, therefore it is best to limit them? Like you said, I guess it depends what the threat model is and what the browser will be used for.

      The difference of opinion and lack of clarity just makes it even more confusing and stressful than it already is for laymen like myself who are new to the privacy world.

        Ghj456 I thought APK files downloaded from the Aurora Store are open source...

        I just wanted to point out that the Aurora Store is simply an open source front-end client for the Play Store. You're downloading the apps themselves from Google, both closed and open source. I think you're confusing Aurora with F-Droid, which provides its open source APKs directly.

        As for the other comments, I think it's important to remember that the privacy community as a whole can be pretty polarizing, with camps staunchly believing in one ideology while shunning all others. My advice would be to just do as much research as you can, and form your own opinions on what matters most to you.

        Ghj456 Google can still take the original APK file and change it and no one will notice it?

        Only if Google is given the signing keys the developer is using for the package, which is a service they do offer. In other more common cases of the application developer controlling their own signing keys, the answer is NO, Google most definitely does not have the ability to modify the file in any way.

        It is recommended that you verify the signature with the software vendor if at all possible.
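
Checking an APK's signing certificate against a fingerprint the vendor publishes, as recommended in the reply above, can be scripted (an added example, not part of the original posts). It assumes the Android SDK's `apksigner` is on the PATH; the sample output and fingerprint are constructed, and the function names are hypothetical.

```python
import subprocess
import sys

PREFIX = "certificate SHA-256 digest:"

def normalize(fingerprint):
    """Accept 'AA:BB:...' or 'aabb...' and return bare lowercase hex."""
    return fingerprint.replace(":", "").replace(" ", "").strip().lower()

def signer_digests(apksigner_output):
    """Extract SHA-256 certificate digests from `apksigner verify --print-certs` output."""
    digests = []
    for line in apksigner_output.splitlines():
        # Lines look like: "Signer #1 certificate SHA-256 digest: <64 hex chars>"
        if line.startswith("Signer #") and PREFIX in line:
            digests.append(normalize(line.split(PREFIX, 1)[1]))
    return digests

def matches_pin(apksigner_output, pinned_fingerprint):
    """True only if there is exactly one signer and it equals the pinned value.
    Rejecting multi-signer APKs is a conservative choice made for this example."""
    digests = signer_digests(apksigner_output)
    return len(digests) == 1 and digests[0] == normalize(pinned_fingerprint)

def verify_apk(apk_path, pinned_fingerprint):
    """Run apksigner; a non-zero exit status means the signature did not verify."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True)
    return proc.returncode == 0 and matches_pin(proc.stdout, pinned_fingerprint)

# Constructed sample output (not from a real app), used for an offline check.
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Vendor\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py app.apk <vendor fingerprint>
        ok = verify_apk(sys.argv[1], sys.argv[2])
    else:
        ok = matches_pin(SAMPLE_OUTPUT, ":".join(["AB"] * 32))
    print("signer matches pin" if ok else "MISMATCH or unverified")
    sys.exit(0 if ok else 1)
```

For an app whose developer has handed its signing key to Google, as the reply describes, a match only shows that the APK was signed with that Google-held key.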

        24 days later

        Ghj456

        • The apps come from Google, Aurora Store just allows proxied downloads and manual selection (device faking, older versions, ...), also not this stupid login thing and unnecessary permissions and tracking, like what sandboxed Play should be IMHO
        • Firefox may include it themselves, at least Fennec, Mull, Tor for Android have it as stubs (inactive but still detected)
        • Reddit answer Tor Blog

        Downloading APKs externally vs. from a repo

        Downloading APKs is dangerous. HTTPS helps certifying the origin, because "I am the owner, this is my app" are all things that have to be proven using the methods of asymmetric encryption (private keys, signing). F-Droid compiles the apps from source, so it is what they claim to publish. If you download precompiled .apks the devs could actually change it; you could still compile the source code yourself and compare the hashsums, but nobody does that. If devs then add .sha256sums or .asc PGP signatures (you need their PGP key first), this is only to prove that the .apk comes from them, not that the .apk is what they claim in the source code it is. So you see, downloading from external sources is COMPLEX and F-Droid makes all that very easy. It's the principle of a trusted Linux repository.

        Apps not on F-Droid

        If an app is not on F-Droid, in most cases it's not open source and you can't trust it. Use it with internet permission off, maybe also battery restricted and storage scopes to only what they need. If you have no Play services installed, that's it, the app will mostly not be able to collect your data, only if you have an app with internet permissions that this app is talking to. So also use the Work profile (Shelter, Island) or even another user profile, to isolate it even further.

        Mull vs Chromium

        Mull is hardened Firefox. It is still the only mobile browser that allows addons and it is pre-hardened. It has no good tab isolation and fewer security features than Firefox desktop or Chromium, that's why you can use Vanadium / Brave mobile if you want security; I prefer Mull for privacy and features.

        I mean, you can't use uBlock or NoScript (I would be fine with only those two, although more are nice), custom search engines like searx.neocities.org etc. Vanadium is pretty vanilla on the UI, which makes it not ideal for privacy.

        Browser addons

        Addons are hard, as the permissions are not very well visible on Firefox mobile. Use as few addons as possible, trusted ones like NoScript, uBlock, not many more. Many things like video downloading or printing can be done on Firefox desktop natively, but there are useless addons just redirecting you to a webservice. Look out for that. Also, Firefox mobile supports fewer features like printing or video downloading, so you need these webservices if you really need that feature. You can disable addons if you don't currently use them.

        An addon I was curious about: "Translate webpages", actually is offline until you choose to translate a text. Even language recognition is done offline, the dev says. It is open source. I still keep it deactivated most of the time.

        Addons that don't interfere with the outside look of your browser can't be detected by websites and used for fingerprinting. No website will see if you have "add custom search engine" installed on desktop. They will see if you use Privacy Badger, uBlock and NoScript together though, because of these changes

        This is an interesting read, a guy hardening Brave talking about fingerprinting


        Everyone is new at some level. I have no idea of complex coding like in GrapheneOS, I only somehow understand what to use and what not. Everything has pros and cons.

        Good reads

        (also always make bookmarks of everything, so you don't rely on search engines and will not click on fake sites, except if these sites have expired TLS certs or, cough z-lib got raided by the Feds)

        a year later

        addition: I read somewhere that apps coming from the same developer/organization, e.g. Google, can share internet access.

        I have no source on this, but example: You have Google Maps with Internet access, and Google Files or something without. Google files might share data about your stuff through the internet permission of Google Maps.

        • de0u replied to this.

          I deleted my former comment, as some things had no source. I don't think Google can add stuff like tracking to apps, as yes, the app as an APK is signed by the developer.

          So Google can only test the app for permissions, code structure and more. There always is a chance of an update being malicious, as I suppose the first upload to the Play Store includes an intense test, after that it is probably less intense.

          I personally don't trust Google, but it is more secure than using "official releases" on GitHub and the like, as those are not scanned at all. F-Droid on the other hand will also just take the source code and compile the apps themselves. This means if you read every change, the apps will be what they claim to be.

          But F-Droid has no good filtering for secure apps. Some have tags like "needs outdated libraries" or "has broad permissions" or "known security vulnerability", but these are not enforced, and there are many many apps not updated in years.

          Also on GrapheneOS (which is either EOL or Android 13+) you should use F-Droid Basic instead of the old client, which uses modern libraries and is thus more secure.

          https://f-droid.org/en/packages/org.fdroid.basic/

          Directly download that instead of the old client.

          missing-root I read somewhere that apps coming from the same developer/organization, e.g. Google, can share internet access.

          I have no source on this, but example: You have Google Maps with Internet access, and Google Files or something without. Google files might share data about your stuff through the internet permission of Google Maps.

          All apps in the same user profile may choose to communicate via IPC. This is a normal part of Android and is independent of who wrote which apps.

          https://discuss.grapheneos.org/d/9879-google-voice-is-creeping/4