  • Share your Graphene OS setup. Here is mine.

I recently upgraded my Pixel 7 Pro to Graphene OS. My heartfelt thanks to the developers of gOS and the community for their efforts. Hope this post will help new gOS users. Senior users can give their feedback and help me reduce risks while improving the overall experience.

The installation process was smooth, notwithstanding the scary looking bootloader screens. :)

I created 3 profiles:

  1. Owner - with no Google services
  2. Not Google - With Google services enabled for non-Google Apps (Banking, etc) and no access to Phone/sms.
  3. Google - With Google services enabled for Google only Apps (Gmail, Maps, Drive, etc) and no access to Phone/sms. Used sparingly.

Apps installed, in addition to standard Apps.

  1. Owner - Fdroid, Tutanota, Newpipe, Syncthing, VLC, Organic Maps
  2. Not Google - Playstore, Banking App, Gym App, Linkedin, Signal, MS Authenticator
  3. Google - Playstore, Gmail, Maps, Meet, Sheets, Docs, Keep <- Use only for non-personal data.

Some (hopefully) best practices followed:

  1. Use the profiles Not Google and Google only on a need basis.
  2. End the sessions when not in use. Use Owner profile most of the time.
  3. All apps have the basic 'Network' access only
  4. Enable - PIN scrambling, Secure app spawning, Delete guest activity
  5. Disable - Camera, Mic access, Location, Automatic sync, unless explicitly needed 'only' while using an App
  6. Vanadium:
    6.1 Enable Use secure connections, Close tabs on exit, Open external links incognito.
    6.2 Disable auto-complete searches and URLs, Access payment methods.
    6.3 Clear browsing data daily.
    6.4 Block or Ask first all site settings.
    6.5 Allow all except 3rd party cookies.
    6.6 Disable - Save passwords, Auto-signins, payment methods, Addresses.
    6.7 Search engine defaults to Duckduckgo.
  7. Using 'Syncthing' to sync data to the profiles. Not tested across profiles. Should work. To be used sparingly.
  8. Those who have issues with the b&w icons, can add a nice wallpaper to improve the look.

Not happy with
I would have preferred to have Signal on my primary profile. However, Signal only runs from Google playstore and I am not comfortable using Aurora store, yet. Hence it is on my Not Google profile, which means I cannot access Signal all the time and I may miss any incoming call, as it is on the profile which is not always on.

    • [deleted]

    tastazardo However, Signal only runs from Google playstore and I am not comfortable using Aurora store, yet.

    You can download and run .apk from signal.org/android/apk. You don't need any Google components for full Signal functionality.

      have you tried your banking applications without gservices? Two of mine complain about missing it, but still work anyway.
      signal, as @[deleted] mentioned, also does not need gservices.
      ALL of the crap you have in profile #3 can be replaced with better and open source options, except for maps, which does not require gservices to function.

        tastazardo
        Regarding 7. I have a synced folder between users, however when I tested a while ago, syncthing would only run one instance on the phone at any given time. Even across different users, so it was never able to sync to each user syncthing instance.

        I solved this by adding my NAS (could be a PC or anything else) as a central node. So the users always have somewhere to sync.
        The NAS folder is set as untrusted so it only sees encrypted data.

        [deleted] You can download and run .apk from signal.org/android/apk.

        Thx for the reply. That should work.

        I tried downloading the Signal APK using Vanadium on gOS - it required me to enable JavaScript for the button to be visible. However, the download hangs at 28.89MB/76.80MB. Weird! Maybe it is something I configured.

        I tried downloading it from my desktop which it did and then synced the file back to my profile. On trying to install it, it gives a 'App not installed as package appears to be invalid.' message.

          intelligence ALL of the crap you have in profile #3 can be replaced with better and open source options, except for maps,

          Agree!

          intelligence have you tried your banking applications without gservices? Two of mine complain about missing it, but still work anyway.
          signal, as @314random mentioned, also does not need gservices.

          I was successfully able to use Aurora store to install the other apps without using google services. Hence I have deleted profile 2.

          Edit to my original post:

          I have created two profiles:

          1. Owner - without google services
          2. Google - with google services enabled

          Apps installed, in addition to standard Apps.
          Owner - Fdroid, Aurora Store, Tutanota, Newpipe, Syncthing, VLC, Organic Maps, Banking App, Gym App, Linkedin, Signal
          Google - Playstore, Gmail, Maps, Meet, Sheets, Docs, Keep

          I need to work on migrating to open source but private non-Google app alternatives. So there is no dependency on Google services.

          Hi, here is my personal setup for user profiles.

          • (Owner #) has nothing installed only Default apps - Password protected ✅

          • (Main 👀) every day work profile only Privacy Android apps - Password protected ✅ - Push Services ❌

          • (Google🖕) apps requiring Google Services - Biometric (Fingerprint) protected ✅ - Push Services ✅

          My complete setup is on github https://github.com/ivoarch/GrapheneOS-Setup

            I've the following profiles:

            • Main - Google Camera, Google Photos, Aurora+FDroid, Slide/SkyTube, Notes, Catima, etc. For Google Camera to function had to install Google services (with internet access disabled). Considering moving to Gcam-Services-Provider though.

            • Messengers - Viber, Telegram, Signal. Viber unfortunately requires Google services, so have those installed and running.

            • Navigation - Organic maps, MAPS.me, Wikimapia, Google Maps. No google play there for now, but looks like for Taxi apps to work (like Uber, etc) which are based on google maps, I'd have to install google services.

            Also added more or less convenient shortcuts on the desktop of each profile for switching between profiles as described among the answers here.

            I went with no Google services installed for more than 2 years and was using a setup that was very complicated to maintain; I recently realized I don't have that much of a threat model to go that far.
            Then I created a secondary user with Google services installed without login.

            Owner - foss apps, installed from github/gitlab tracked updates via rss reader, signal app from their website.
            Googleed user - all other non foss apps i needed which are installed from aurora store, google services installed without login.

            After a few months I started having issues with apps which won't work if not installed from Google Play Store; I had to use adb commands to spoof the installation source after every update.
            Also a few apps started saying they cannot run on a secondary profile and to install inside the owner profile, including my car tracking app.

            Finally, now I'm using only the owner profile signed in with a throwaway Google account, and came out of a lot of stress.
            I install everything from Google Play Store, even the open source apps if they are available there, using Droid-ify to install apps which are not available in the Play Store, mostly avoiding the official F-Droid repo.
            My mobile usage is also much lower now since I don't have to go back and forth to check and install updates; battery life also improved, I think because the Signal app doesn't need to run in the background now.

            I use the Simple Mobile apps as contacts, dialer and SMS apps, since Simple Contacts has an in-app storage option where the contacts stored inside it are visible only to the Simple apps and none of the other apps.
            Once Graphene introduces the contact scope I'll drop this setup and go back to the default phone and SMS apps.

              I use NextDNS for ad blocking. For Youtube ads, I use LibreTube. Both work great.

              I have Google Play Services. I hate it, but how can I use my phone without notifications?

              BitWarden autofill makes life a lot easier.

              I also have Termux. I love the possibility of writing python scripts on my phone. But so far I don't have a real use for it... Also SSH:ing to phone is great.

              Battery and data savers are on 24/7.

                This is what my setup is right now. There are no usability compromises I can speak of while maintaining a reasonable level of privacy and security imo.

                Profile 1 (Everyday Use):
                Biometric unlock, Google Services Framework, but no Play Services or Play Store.

                Apps: Aegis, Aurora Store, Bitwarden, Notally, Molly (Signal), Mullvad VPN (with DNS blocking), Musicolet, Neo Store, Organic maps, Proton Calendar, WhatsApp, Vanadium.

                I also replaced the AOSP apps with the default apps (Camera, Calculator etc.) by Google with network permission turned off.

                Profile 2:
                PIN lock. This profile is for my banking 2FA apps which require the full Google Play Services (no network permission) enabled to run.

                I'm in Germany so unfortunately it's impossible to ditch WhatsApp for me. I used to have a third profile with WhatsApp and other privacy invasive apps inside, but especially for whatsapp it was just too much of a hassle to share contacts and photos between profiles, for other services I have moved to Vanadium.

                I really like this thread, interesting to read what everyone makes of the tools.

                  I tried to keep a system setup as simple as possible based on my threat model.

                  I have only the Owner profile with the Google Play apps installed. Most of the app I use are FOSS. Everything comes from the Play Store.

                  Basically, if I can use Vanadium to access a service I do, unless there is a FOSS app that exists to perform the same task.

                  I would have loved to avoid Google entirely, but I still need some apps from the Play Store and the FIDO2 capabilities of my Nitrokey in Vanadium.

                  • [deleted]

                  I installed all my apps from the owner profile from Google Play Store (because it is apparently more secure than Aurora) and distributed the apps I wanted on my profile from the owner profile with "install available apps" option.
                  I have 1 owner profile (only used to download apps), 2 a general profile (general usage) without GSF, 3 a banking profile with Play Services (not logged in in Google), 4 and one profile with Play Services (not logged in Play Services) to try the Pixel features (google photos, recorder, etc.).

                  Hello, my setup is as follows :
                  Owner profile

                  • no Google apps or services,
                  • stores : Aurora, Obtainium, Accrescent (to show I'm a geek ;)), Droid-ify ; most apps installed through Obtainium,
                  • apps that are not privacy invasive and don't require Google services, two apps are a bit more invasive : Health Mate (for my connected devices), and Spotify to pilot my stereo,

                  Google services profile

                  • Google services framework installed with no network privilege (seems to work without the other two pieces),
                  • stores : Aurora, Droid-ify,
                  • privacy invasive apps and apps that require GSF, including Whatsapp, that I don't really use.

                  I think many of my invasive apps don't really require GSF so I might port them to the main profile since they are sandboxed, but I'm too lazy to do the switch, and I barely use them.

                  tastazardo

                  'App not installed as package appears to be invalid.' message.
                  I observed the same. On repeated attempt, with downloaded latest Signal version .apk from their site on the desktop and moving it over to the device, the installation worked OK and now Signal works with no Google in sight.
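
One way to check that a sideloaded APK arrived complete before trying to install it, given the stalled download and the 'package appears to be invalid' message reported above. This is an added example, not part of any post in the thread; `check_apk` and `build_sample_apk` are hypothetical names and the sample archive is constructed. It checks only that the file is a whole, uncorrupted archive and prints a SHA-256 to compare between devices; the signature check itself is still done by Android at install time.

```python
import hashlib
import io
import zipfile
import zlib


def check_apk(data: bytes, expected_size=None):
    """Return (ok, reason, sha256_hex) for an APK read into memory."""
    digest = hashlib.sha256(data).hexdigest()
    # A download that stalled part-way is shorter than the size the site showed.
    if expected_size is not None and len(data) != expected_size:
        return False, f"size {len(data)} != expected {expected_size}", digest
    try:
        # An APK is a ZIP; a truncated file has no end-of-central-directory record.
        with zipfile.ZipFile(io.BytesIO(data)) as apk:
            if "AndroidManifest.xml" not in apk.namelist():
                return False, "no AndroidManifest.xml", digest
            bad = apk.testzip()  # re-reads every entry and checks its CRC-32
            if bad is not None:
                return False, f"CRC mismatch in {bad}", digest
    except (zipfile.BadZipFile, zlib.error) as exc:
        return False, f"not a complete ZIP/APK: {exc}", digest
    return True, "archive structure intact", digest


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>" * 50)
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(2000))
    return buf.getvalue()


if __name__ == "__main__":
    whole = build_sample_apk()
    partial = whole[: len(whole) // 3]  # simulates a download that hung
    for label, blob in (("complete", whole), ("truncated", partial)):
        ok, reason, digest = check_apk(blob, expected_size=len(whole))
        print(f"{label}: ok={ok} ({reason}) sha256={digest[:16]}...")
```

Run against the real file by reading it with `open(path, "rb").read()`; matching SHA-256 values on the desktop and on the phone show the copy between them did not alter the file.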