I'd like to start by thanking the devs for the work they've put into Graphene.

I'm looking to move to GrapheneOS but I have some questions about what this OS can and cannot do.

I mainly need Signal to work, but due to some unusual personal circumstances, I also find myself in need of having no access to an internet browser nor access to a repository where I can download one.

Am I right to assume Vanadium and the Apps repo client cannot be uninstalled?

If I'm correct in that assumption, would it be possible to make use of multiple profiles to have some kind of restricted profile with Signal, possibly giving a trusted friend the login information for the Owner profile? I don't know how updating would work though...

Thanks for reading, I'm aware this is an unusual setup I'm aspiring to.

Why can’t you just disable it?

Am I revealing my ignorance here?

Hey there. The setup you're after is more or less impossible to achieve; let me elaborate.

GrapheneOS comes with Vanadium by default. This is true for any user profiles you make as well. You can't uninstall Vanadium either.

You can have a user profile that doesn't allow you to install apps, so you could create a profile, install Signal to it and then make it so you can't install anything else.

You could lock the Owner profile with a PIN/Password that you don't know, but keep in mind that whenever the device is rebooted (for any reason, such as an update), you won't be able to access any secondary user profile until you unlock the Owner profile at least once.

I hope that helps.

  • [deleted]

  • Post #4

Well, it is possible through adb (usb debug on) the usual: pm uninstall -k --user 0 apk.vanadium.browser but beware, you can't reinstall as i have found out, at least until next system update... :)

Sounds like setting up a phone for a child? Or some kind of weird court conditions? If not, then normally, things like this will be handled through responsible behavior.

Realistically, the only way to do this is rebuild from source with those components missing. But even then, another web browser could easily be installed through ADB, or even through the one application you are letting yourself install (signal).

a year later

Leaving this here

_I'd look into setting up a private DNS (eg. NextDNS) on Admin profile, blocking all TLDs (takes a while but it works and blocking child profile from installing apps.

Every once in a while log into Admin to update apps and system, and warn kid not to let phone die as unlocking the phone after reboot requires Admin password.

Works perfectly.

PS. the reason I don't recommend blocking sites using blocklists or one-by-one is that they'll always find some site they can access, some site a friend recommends for example._

    4 months later

    For me the command: pm uninstall -k --user 0 app.vanadium.browser works you can easily check the app name when hold click App-Info scroll down. You can delete every app with this method.

      mousakke

      Using adb opens up a large security hole. adb gives highly privileged access and could be highly problematic If the device or app performing adb is malicious or compromised. If security is important adb should be avoided.

        distro interesting idea.
        It can be bypassed by setting Vanadium's own DNS settings to 1.1.1.1.

        But might work for a little kid though. Some other ideas that aren't 100% safe but might work for kids:

        • Even easier is just removing Vanadium's network permission.

        • a firewall app to remove network access for all apps and is protected by a pin (only one I've used is RethinkDNS, and it's protected by the profile's unlock method, so no good). Anyway, GOS might forbid profiles from installing apps, but not from deleting them.

        • Lastly, there's maybe a launcher that allows to hide all apps except Signal.

        Add all those up, and if the kid accesses the internet, worry not - your kid is a genius! Lol

        But if the one really wants to have a Signal-only phone for a kid, the solution might just be to buy a Punkt phone.