Share your Graphene OS setup. Here is mine.

This is what my setup is right now. There are no usability compromises I can speak of while maintaining a reasonable level of privacy and security imo.

Profile 1 (Everyday Use):
Biometric unlock, Google Services Framework, but no Play Services or Play Store.

Apps: Aegis, Aurora Store, Bitwarden, Notally, Molly (Signal), Mullvad VPN (with DNS blocking), Musicolet, Neo Store, Organic maps, Proton Calendar, WhatsApp, Vanadium.

I also replaced the AOSP apps with the default apps (Camera, Calculator etc.) by Google with network permission turned off.

Profile 2:
PIN lock. This profile is for my banking 2FA apps which require the full Google Play Services (no network permission) enabled to run.

I'm in Germany so unfortunately it's impossible to ditch WhatsApp for me. I used to have a third profile with WhatsApp and other privacy-invasive apps inside, but especially for WhatsApp it was just too much of a hassle to share contacts and photos between profiles. For other services I have moved to Vanadium.

I really like this thread, interesting to read what everyone makes of the tools.

    I tried to keep a system setup as simple as possible based on my threat model.

    I have only the Owner profile with the Google Play apps installed. Most of the apps I use are FOSS. Everything comes from the Play Store.

    Basically, if I can use Vanadium to access a service I do, unless there is a FOSS app that exists to perform the same task.

    I would have loved to avoid Google entirely, but I still need some apps from the Play Store and the FIDO2 capabilities of my Nitrokey in Vanadium.

    • [deleted]

    I installed all my apps from the owner profile from Google Play Store (because it is apparently more secure than Aurora) and distributed the apps I wanted on my profile from the owner profile with the "install available apps" option.
    I have 1 owner profile (only used to download apps), 2 a general profile (general usage) without GSF, 3 a banking profile with Play Services (not logged in to Google), 4 and one profile with Play Services (not logged in to Play Services) to try the Pixel features (Google Photos, Recorder, etc.).

    Hello, my setup is as follows:
    Owner profile

    • no Google apps or services,
    • stores: Aurora, Obtainium, Accrescent (to show I'm a geek ;)), Droid-ify; most apps installed through Obtainium,
    • apps that are not privacy invasive and don't require Google services; two apps are a bit more invasive: Health Mate (for my connected devices), and Spotify to pilot my stereo,

    Google services profile

    • Google services framework installed with no network privilege (seems to work without the other two pieces),
    • stores: Aurora, Droid-ify,
    • privacy-invasive apps and apps that require GSF, including WhatsApp, that I don't really use.

    I think many of my invasive apps don't really require GSF so I might port them to the main profile since they are sandboxed, but I'm too lazy to do the switch, and I barely use them.

    tastazardo

    'App not installed as package appears to be invalid.' message.
    I observed the same. On a repeated attempt, with the latest Signal version .apk downloaded from their site on the desktop and moved over to the device, the installation worked OK and now Signal works with no Google in sight.

    bluegrass
    When you create a new contact or restore from a contact backup (vcf) file, there will be an option 'Phone storage (not visible by other apps)'. Contacts stored under this section are visible only to the simple apps; you can restrict that access also if you want to.

    https://ibb.co/948bdxy

    • [deleted]

    omori well I don't know what the others would say, but looking at your app setup nothing even suggests that you run Graphene. My first words were OMG and "you sure you don't want to go back to stock?" Because I can't tell the difference.

      5 days later
      • [deleted]

      I finally put everything in the same profile with GSF/GPServices because my threat model does not imply to not make connections to Google at all, for convenience, lower battery usage (than running multiple user profiles) and because I use Play Store to download apps the most secure way possible and I need Play Services to make my banking apps + Google apps work.
      Installed :

      Aegis (greatest app)
      Aurora (for apps which cannot be installed on Play Store...)
      Aves Gallery (greatest app)
      Bitwarden
      Brave (everyday's browsing)
      K9 mail (for Posteo)
      DAVx5 (could easily do without it but why not)
      DeepL
      Etar
      Feeder (greatest app)
      IVPN (best VPN and app)
      NewPipe (insane app)
      Opendocumentreader (necessary to open other files than PDF...)
      Organic maps (greatest app for me)
      Rail Planner
      Screen Time by Markus Fisch
      Signal
      Spotify
      Telegram
      Vanadium (default browser so unknown links open in it for better security than Brave)
      WhatsApp
      4 banking apps

      Gboard
      Google photos (to modify pictures)
      Play Store
      Google voice recorder
      Google messages (for RCS)
      Google Speech Services (for navigation voice)

      Graphene's Apps app
      Graphene's calculator
      Graphene's camera (would like to disable it)
      Graphene's contacts
      Graphene's files
      Graphene's clock
      Graphene's PDF viewer
      Graphene's dialer

      Grant minimal permissions to apps, especially Google ones

      6 days later

      proclaim

      Hi, Which front end are you using for Lingva?
      I found no app called Lingva on Fdroid but a few front ends came up.

      PS: Very good of you to put your setup on GitHub.
      I found it very useful.

        [deleted] graphene better 👺🤺 so ion going back + u can't judge me 👴

        Owner: The basics so if in the worst case scenario I have to delete my other profiles, I'll have a profile that appears used
        Color Note
        Read You
        1Password
        Infinity for Reddit
        AudioAnchor
        Sony Headphones app

        Main
        Read You
        1Password
        Infinity for Reddit
        Sony Headphones app
        Molly IM (FOSS)
        Tutanota
        SimpleLogin
        Proton Mail
        NewPipe
        Catima
        Brave (everyday browser with Vanadium as default)
        Joplin
        Standard Notes
        Simple Gallery Pro
        Volumetric Weather (no location permissions)

        Play Store: GSF enabled
        Health services app
        Provincial Services app
        Color Note
        Sony Headphones app
        Brave
        Points app
        Banking apps
        Costco app
        Parking apps
        Proton VPN
        Play Store

        Work
        Work-related app to see timestamps and pay stubs
        Bitwarden

        School
        Bitwarden
        AnkiDroid

        Games
        A few free games off Aurora

        Maps
        Google Maps
        Organic Maps
        OsmAnd
        Magic Earth
        Color Note

        6 months later
        • [deleted]

        hisar I also replaced the AOSP apps with the default apps (Camera, Calculator etc.) by Google with network permission turned off.

        Just because they have no network permission it doesn't mean that there isn't a way to get that data on the cloud. Two apps can communicate with each other if there is "consent" between them. So Google Camera can access all files it created on Android (including GOS). Let's say it chooses to communicate metadata with Play Services, which has access to the internet. Good luck.

          • [deleted]

          [deleted] The privacy implications of having a sandboxed Google (which can't realistically run without network and other permissions) installed should ideally be discussed in a separate thread, and trying to point things like that out has already earned me two bans. Developers for some reason do not want to go near that and moderators religiously punish it. Another thing that might be beneficial to cook into the OS might be (since they already included call recorder and screen recorder) some sort of a network monitor and packet analyser. Until that happens there is no place for sandboxed Google on my phone.

          4 months later

          proclaim

          Thank you for the very in-depth description of your setup on GitHub.

          Do I understand correctly that you have updated your setup and are now only using the Owner Profile?