• Off Topic
  • Best Privacy Apps/Tools for GrapheneOS

Hey, I’m wondering what the best privacy-focused apps and tools are for GrapheneOS. Things like VPNs, browsers, messaging apps, and other essential tools.

Also, I heard that F-Droid has some privacy concerns now is that true?

Would love to hear your recommendations

    wisejoy60685

    There is probably a thread on here somewhere that answers most of your query but here are some basics anyhow that most of us agree on.

    VPN - Mullvad, IVPN, Proton
    Browser - Vanadium
    Secure Notes - Standard Notes
    Messaging - Signal or Molly

    There are plenty of threads regarding F-droid, if you do a search in the forum you will get lots of info. Hope that helps you a bit.

    It usually depends on your threat model and definition of privacy. For starters, the privacyguides recommendations are solid.

    The best weapon to defend your privacy is your education. You want to figure out these concepts for yourself:

    • Elimination (uninstall apps you don't really need)
    • Sandboxing (use PWA versions or websites if possible, check out the permissions, user profiles and other features you have on GOS)
    • Compartmentalization (use different approaches for a different context, don't put all your data in one service)
    • Aliasing (use pseudonyms and make it generally hard for third parties to collect data about you)

    Last but not least I recommend giving this article a try to familiarize yourself with good opsec and the best practice fallacy.

    VPN : Mullvad or Proton (I don't trust IVPN)
    Browser : Vanadium or Brave
    Messaging : SimpleX, Threema or Briar (no phone required)
    Maps : Organic Maps
    Notes : Standard Notes
    Encrypted emails : Proton, Posteo, Tuta, countermail, lavabit ect.
    Encrypted cloud storage : proton drive , tresorit , spider oak ect.
    Password manager : keepassDX

      Photos storage and management: Ente
      Audio player: Auxio
      Audio recorder: Record You
      Weather: Breezy Weather (open-meteo as the source of data)
      Password manager: KeePassDX
      RSS: Read You / Feeder
      Regular phone number alternative (VoIP): Cheogram + jmp.chat
      Messaging: Signal / Molly / Simplex
      Navigation / maps: Magic Earth (works offline, can show traffic data if online, check the privacy policy!)
      Email: Tuta, Proton
      VPN: Mullvad, Proton
      Storage: Proton
      Dictionary / words translation (not sentences): QuickDic

      wisejoy60685 Also, I heard that F-Droid has some privacy concerns now is that true?

      Forgot to answer this. F-Droid Repository and the F-Droid app have caused some security (not so much privacy) concerns as far as I can tell. For my secure and private experience, I'd go through these options in order from first to last:

      1. Not using the app/service at all
      2. Using the website via Vanadium instead of the app.
      3. Install the app via GOS App Store or Accrescent which itself is installed via GOS App Store.
      4. Install the app via Sandboxed Play Store. It's secure, but for more privacy I have to use a dummy account and preferably install from owner profile but use on separated user profile.
      5. Install via Obtainium (if I want to take care of opsec and verifying the app) or Droid-ify (if I choose to trust the repository from F-Droid, Izzy etc., but still verify myself)
      6. Install via Aurora Store as a last resort. Only use case I can see compared to Sandboxed Play Store is apps that require KYC in Play Store (such as Discord, if I really don't like using the website).

      But this is just my answer, and as you can see from the partly opposing answers above, there is no one correct way of privacy. Please don't trust me or any other internet stranger. Do more research and make a basic threat model so you're able to evaluate what fits your individual needs. Best practice approaches will only end up in inferior privacy.

      I can only speak for myself, after using GrapheneOS for almost two years on a Pixle6a, less is indefinably more!
      Obviously GrapheneOS is installed, along with a VPN, email and a messaging app, and that's it.
      My Pixle6a is a communications device and nothing else. Nothing is stored on the device, no photos, email or messages. Once read, deleted..
      Every time a new update of GrapheneOS is released and is downloaded to my phone, I factory reset my phone to that release, no matter how often these releases are.
      Auto reboot at 30 minutes
      16 digit pin and no fingerprint phone unlock.
      I use my laptops to do anything else, including writing this.
      my phone is a phone, nothing more...

        area51 this is not necessarily a good approach. I agree with simple setup and using always on VPN. But I wouldn't recommend desktop for everything else because in no desktop environment you can control at the same level what OS itself and apps can access as you can do with GrapheneOS out of the box.

          DeletedUser127 But I wouldn't recommend desktop for everything else because in no desktop environment you can control at the same level what OS itself and apps can access as you can do with GrapheneOS out of the box.

          This is actually not true. QubesOS offers far better control over this than what GrapheneOS does. When I really need privacy, I use my laptop.

          With that said, GrapheneOS is far better at isolating apps and controlling access than most desktop operating systems are.

            grayway2 VPN : Mullvad or Proton (I don't trust IVPN)

            I respect your opinion but definitely dont agree. IVPN in my opinion are the most trustworthy. They do regular independent audits and are very well respected in the VPN industry. Like i said i respect your opinion but wouldnt want others being put off by it.

            ryrona what percentage of desktop users uses Qubes? You can not generalize from that. Vast majority of desktop distributions and what people commonly use are well below par with GrapheneOS in security as well as privacy POV.

              DeletedUser127 no, you're wrong and you can generalize

              If you are doing something complicated, and don't want to be identified, you can route traffic in much more complex ways easily in Qubes. You'll have a unique fingerprint because of the connection latency and characteristics but some deanonymizing attacks are much less likely to work. Xen can be hacked and sometimes has exploits but they are rare, so it's secure, but you can isolate what you are doing in Qubes so much more easily.

              This idea that Graphene is always better at everyrhing and all use cases is wrong. Graphene is a mobile OS and it's harder for anyone without a zero day exploit to hack it than regular mobile operating systems. It's defensive in a general way but it's not as good as Qubes for customizing things and running different types of programs. In Qubes if you wanted to daisy-chain whonix connections (which would be stupid possibly because you'll stand out) you can, if you want to work with a virus while working on other things you can (you could open up a disposable version of a mobile OS or clone it, load the virus, and safely do things in other programs at the same time as to see how the virus works). There are profiles that isolate in Graphene OS but you can't see many profiles at the same time.

              You just aren't a Qubes user and don't know. If you know, you know. Qubes also, unlike GOS, is often a pain in the ass. Qubes is not smooth, upgrades can cause problems. Graphene OS and Qubes both have small teams but GOS updates are frequent and mostly completely problem free. Because Qubes works on all sort of hardware (but often fails), the new Qubes update can suddenly break your system. Many ethical hackers don't like Qubes because it's so much work to maintain and use. Something that will take two minutes to do in Kali may take 20 minutes in Qubes. Multiple that times many things and Qubes is often not worth it unless a person really loves technology or has extreme needs or is just intuitively good at technology or has extreme paranoia. It is 100x harder to use than GOS. GOS is easy, everything about it is easy, and it's harder to mess up GOS. The only hard part of GOS is a person's own mindset and getting past their own fears regarding installation. After installation, the only problem is for Apps that use Play Integrity API.

              Some of the hardening doesn't even matter in Qubes because you use templates with very low attack surface or templates that spawn something temporarily so that if you are hacked, it's destroyed as soon as you are done anyway. You're more likely to get hacked in Qubes but it often matters less. Even with Qubes there are things you can't do because of limits of Xen which is why many tinkerers use things other than Qubes. There are lots of advanced use cases that can't be done in GOS out of the box, such as if you are trying to make and or compile a program.

                grayway2 never heard of anyone distrusting them before. Any reason?

                DeletedUser127 what percentage of desktop users uses Qubes? You can not generalize from that. Vast majority of desktop distributions and what people commonly use are well below par with GrapheneOS in security as well as privacy POV.

                I am not certain I understand your point. I mean, what percentage of mobile users use GrapheneOS? In both cases it is minuscule numbers. I was only remarking on your statement that no desktop operating system can offer control similar to GrapheneOS, as that in an absolute sense isn't true. QubesOS offers more control, and is a desktop operating system.

                angela everyone is entitled to a wrong opinion, including you, yet again my real point wasn't understood. I am pretty much done with this forum. But not with GrapheneOS, for sure.

                  DeletedUser127 also I apologies if my reply seemed insulting. They are just incrediy different operating systems with different use cases that often don't overlap.

                  • N1b replied to this.
                  • thmf likes this.

                    angela no worries, @DeletedUser127 is in an on/off relationship with this forum for a while, and definitely not leaving because of your post. Their posts are good and informative most of the time and I learn a lot by reading them, but let's not feel responsible for someone acting unreasonably.

                    DeletedUser127 I did not understand your point either. But GOS vs QubesOS is another topic anyway and shouldn't be discussed here.

                    Does anybody have to add something to OP's question regarding privacy apps and F-Droid?

                    I personally use:

                    Vpn: Mullvad (with their DNS)
                    Password Manager: Bitwarden
                    Email: Tuta (and Proton as backup)
                    Notes: standard notes app
                    Browse: Vanadium (as recommended)

                    (I also use the standard grapheneOs apps, if one is provided)

                    I didnt look up any other categories for apps.
                    And i decided on this based mostly on the opinion of people in forums, i didnt review any source code or anything (so evalute my opinion based on that)

                    For password managers, as far as im aware, if you want to use multiple profiles (and the same passwords), its easier to use a cloud base one like bitwarden, instead of a local one like keypassx (because sharing the files is harder)..

                    (proton vpn and password manager is also good btw, i am just personally not much of fan of the company anymore)