Workarounds for moving to GrapheneOS

mockingjay

I'm considering switching to GrapheneOS, but I can't find unambiguous answers to my questions to decide whether to make the switch. The more I read, the more confusing it gets.
Can you help me out with the following questions and provide me with workarounds where possible? I'm currently using a rooted Pixel 7 with modified stock ROM (removed system apps, etc).

I love using AdAway, which isn't possible on GrapheneOS since rooting isn't possible/recommended. AdAway isn't using resources and provides systemwide filtering, something I can't achieve with a local VPN like Adguard. The latter is draining my battery and when selecting the option "block connections without VPN" in my system settings, I'll prohibit local network discovery. Not selecting the option causes some apps to bypass the local VPN. Is there any way to have systemwide adblocking on GrapheneOS without these compromises?
I'm rooted because I use some apps that need root privilege. AFWall+ is handled by GrapheneOS being able to switch off apps' their internet permission. How about my Call Recorder, backing up with root permission, FindMyDevice (will ring even when phone was put in silent mode) , Tasker or alternative app stores? These will stop working, but are there any worthy alternatives?
How accurate is location positioning / navigating without Play Services?
Are there any "smart" Google functions I might miss that I'm not aware of? I'm not using any Google apps, but perhaps launcher/OS or Chromecast-wise?
I'm using two apps that have a bought license linked to my Google account. Will these paid apps work in the sandboxed profile with Google Play?
Do push notifications and bank apps work at all?
Anything else I might not have thought about?

Dumdum

mockingjay I'm using two apps that have a bought license linked to my Google account. Will these paid apps work in the sandboxed profile with Google Play?

"Signing in into a Google account is optional, unless you want to use features depending on being signed into an account. For example, some apps use Google account authentication instead of their accounts having a username and password. The Play Store requires being signed into an account in order to install apps or use in-app purchases. This is still true even for an alternate frontend to the Play Store. Aurora Store still requires an account but fetches shared account credentials from Aurora Store's service by default.

The Play Store provides many services used by apps including Play Asset Delivery, Play Feature Delivery, in-app purchases and license checks for paid apps. The Play Store app is also the most secure way to install and update apps from the Play Store."
https://grapheneos.org/usage#sandboxed-google-play-installation

Some apps may not work though, depending on whether they utilise the Play Integrity API to block alternative OSes or not.

Do push notifications and bank apps work at all?

"You should give a battery optimization exception to Google Play services for features like push notifications to work properly in the background. "
https://grapheneos.org/usage#sandboxed-google-play-installation

Apps can also use push notifications without Google Play, if they have their own push service. This typically uses more battery and/or is less reliable than Firebase push notifications.

As for banking, info here: https://grapheneos.org/usage#banking-apps
And compatibility guide here: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

missing-root

mockingjay

RethinkDNS
Separately:

A: Graphene has a Call recorder natively

B: backups are being worked on, the currently used SeedVault is a mess

C: findmydevice shouldnt need this permission, you can allow with "ignore do not disturb" I think

D: tasker no idea, probably not. Note that there is "OwnDroid" which could work for whatever it works for. Not sure if it is just a POC currently

E: Alternative appstores never need root

GPS is pretty accurate. Network location will come soon™️ but no actually there is progress. You can indirectly help by using NeoStumbler (and TowerCollector if you go fast, by car, train, ... it is better there)
Probably. Not sure about lens, might work. It is nearly all remotely done so you should absolutely learn to live without it. There is FUTO keyboard / Voice input, and this TTS website: https://k2-fsa.github.io/sherpa/onnx/tts/apk-engine.html which are great. ImageToolbox has OCR (text recognition)
If you use sandboxed play yes
Yes, with sandboxed play, own mechanisms (like Signal etc) or UnifiedPush. Bank apps are a separate point, check the internet there is a list.

(Man your list is totally messed up and the forum software didnt like it)

Carlos-Anso

mockingjay Is there any way to have systemwide adblocking on GrapheneOS without these compromises?

Each profile has its own network configuration. Using an app in the VPN slot is where you need to configure DNS blocking, as you have been doing.

when selecting the option "block connections without VPN" in my system settings, I'll prohibit local network discovery. Not selecting the option causes some apps to bypass the local VPN.

Apps can do this correctly. Sadly many do not. The android developers docs are probably not helping

Carlos-Anso

mockingjay
Ive not tested myself but imagine rethinkdns would be worth trying. @ignoramus, who works on it is sometimes active in this forum and so tends to be aware of GrapheneOS users needs.

Also Id point you at my recent post
https://discuss.grapheneos.org/d/18953-why-the-stigma-against-rooting/45

Carlos-Anso

mockingjay
not sure what 'smart functions' you're looking for.

missing-root There is FUTO keyboard / Voice

For TTS and voice control Id suggest looking instead at Transcribo, Sayboard and Dicio.

mockingjay

Thanks. And what about blocking trackers? Currently using App Manager to block trackers, works like a charm. It needs root access to do so. Has GrapheneOS integrated a way to block app trackers?

N1b

I don't see a solution to allow for the privacy you gain via adaway and automation you get from tasker. But also every alternative that comes to mind (rooting, custom roms, iPhone) will compromise your security or give you less privacy.

What I'd do in your position is making extensive use of the user profiles and set them up however I need. Maybe owner profile for app installations and updates. One user profile with always on mullvad or nextdns to block ads and trackers there. Another for offline use, another for local printing etc.

It's not very convenient, but with your threat model (or what I can see of it) any current rooted solution would be worse. Also think of the features you don't get elsewhere, like duress pin, 2fa pin, contact and storage scopes, mac randomization, sensor permission etc.

In the end it's a compromise you have take. I wish there would be good alternatives to GrapheneOS security- and privacy-wise, but for now it's the way to go and I'm very grateful it exists.

missing-root

Carlos-Anso

Transcribo is only for english afaik. FUTO Voice input has a lot of languages.

Why specifically "recommend instead"? And what here does TTS?

Carlos-Anso

missing-root
Sorry I got it the wrong way round. meant STT. Speech to text.

The project has made various posts talking about issues with futo

missing-root

Carlos-Anso

Yup heard of that but their software is good and there are no good replacements yet.

SayBoard has way worse quality, transcribo might be nice but english only