  • Share your Graphene OS setup. Here is mine.

I tried to keep a system setup as simple as possible based on my threat model.

I have only the Owner profile with the Google Play apps installed. Most of the apps I use are FOSS. Everything comes from the Play Store.

Basically, if I can use Vanadium to access a service I do, unless there is a FOSS app that exists to perform the same task.

I would have loved to avoid Google entirely, but I still need some apps from the Play Store and the FIDO2 capabilities of my Nitrokey in Vanadium.

  • [deleted]

I installed all my apps from the owner profile from Google Play Store (because it is apparently more secure than Aurora) and distributed the apps I wanted on my profile from the owner profile with "install available apps" option.
I have 1 owner profile (only used to download apps), 2 a general profile (general usage) without GSF, 3 a banking profile with Play Services (not logged in to Google), 4 and one profile with Play Services (not logged in Play Services) to try the Pixel features (Google Photos, recorder, etc.).

Hello, my setup is as follows:
Owner profile

  • no Google apps or services,
  • stores: Aurora, Obtainium, Accrescent (to show I'm a geek ;)), Droid-ify; most apps installed through Obtainium,
  • apps that are not privacy invasive and don't require Google services, two apps are a bit more invasive : Health Mate (for my connected devices), and Spotify to pilot my stereo,

Google services profile

  • Google services framework installed with no network privilege (seems to work without the other two pieces),
  • stores: Aurora, Droid-ify,
  • privacy invasive apps and apps that require GSF, including WhatsApp, that I don't really use.

I think many of my invasive apps don't really require GSF so I might port them to the main profile since they are sandboxed, but I'm too lazy to do the switch, and I barely use them.

tastazardo

'App not installed as package appears to be invalid.' message.
I observed the same. On repeated attempt, with downloaded latest Signal version .apk from their site on the desktop and moving it over to the device, the installation worked OK and now Signal works with no Google in sight.

bluegrass
When you create a new contact or restore from a contact backup (vcf) file there will be an option 'Phone storage (not visible by other apps)'; contacts stored under this section are visible only to the simple apps, and you can restrict that access also if you want to.

https://ibb.co/948bdxy

  • [deleted]

omori well I don't know what the others would say, but looking at your app setup nothing even suggests that you run Graphene. My first words were OMG and "you sure you don't want to go back to stock?" Because I can't tell the difference.

    5 days later
    • [deleted]

    I finally put everything in the same profile with GSF/GPServices because my threat model does not imply to not make connections to Google at all, for convenience, lower battery usage (than running multiple user profiles) and because I use Play Store to download apps the most secure way possible and I need Play Services to make my banking apps + Google apps work.
    Installed :

    Aegis (greatest app)
    Aurora (for apps which cannot be installed on Play Store...)
    Aves Gallery (greatest app)
    Bitwarden
    Brave (everyday browsing)
    K9 mail (for Posteo)
    DAVx5 (could easily do without it but why not)
    Deepl
    Etar
    Feeder (greatest app)
    IVPN (best VPN and app)
    Newpipe (insane app)
    Opendocumentreader (necessary to open other files than PDF...)
    Organic maps (greatest app for me)
    Rail Planner
    Screen Time by Markus Fisch
    Signal
    Spotify
    Telegram
    Vanadium (default browser so unknown links open in it for better security than Brave)
    Whatsapp
    4 banking apps

    Gboard
    Google photos (to modify pictures)
    Play Store
    Google voice recorder
    Google messages (for RCS)
    Google Speech Services (for navigation voice)

    Graphene's Apps app
    Graphene's calculator
    Graphene's camera (would like to disable it)
    Graphene's contacts
    Graphene's files
    Graphene's clock
    Graphene's PDF viewer
    Graphene's dialer

    Grant minimal permissions to apps, especially Google ones

    6 days later

    proclaim

    Hi, Which front end are you using for Lingva?
    I found no app called Lingva on Fdroid but a few front ends came up.

    PS: Very good of you to put your setup on GitHub.
    I found it very useful.

      [deleted] graphene better 👺🤺 so ion going back + u can't judge me 👴

      Owner: The basics so if in the worst case scenario I have to delete my other profiles, I'll have a profile that appears used
      Color Note
      Read You
      1Password
      Infinity for Reddit
      AudioAnchor
      Sony Headphones app

      Main
      Read You
      1Password
      Infinity for Reddit
      Sony Headphones app
      Molly IM (FOSS)
      Tutanota
      SimpleLogin
      Proton Mail
      NewPipe
      Catima
      Brave (everyday browser with Vanadium as default)
      Joplin
      Standard Notes
      Simple Gallery Pro
      Volumetric Weather (no location permissions)

      Play Store: GSF enabled
      Health services app
      Provincial Services app
      Color Note
      Sony Headphones app
      Brave
      Points app
      Banking apps
      Costco app
      Parking apps
      Proton VPN
      Play Store

      Work
      Work-related app to see timestamps and pay stubs
      Bitwarden

      School
      Bitwarden
      AnkiDroid

      Games
      A few free games off Aurora

      Maps
      Google Maps
      Organic Maps
      OsmAnd
      Magic Earth
      Color Note

      6 months later
      • [deleted]

      hisar I also replaced the AOSP apps with the default apps (Camera, Calculator etc.) by Google with network permission turned off.

      Just because they have no network permission it doesn't mean that there isn't a way to get that data to the cloud. Two apps can communicate with each other if there is "consent" between them. So Google Camera can access all files it created on Android (including GOS). Let's say it chooses to communicate metadata with Play services, which has access to the internet. Good luck.

        • [deleted]

        [deleted] the privacy implications of having a sandboxed google (which can't realistically run without network and other permissions) installed should ideally be discussed in a separate thread and trying to point things like that out has already earned me two bans. Developers for some reason do not want to go near that and moderators religiously punish it. Another thing that might be beneficial to cook into the OS might be (since they already included call recorder and screen recorder) some sort of a network monitor and packet analyser. Until that happens there is no place for sandboxed google on my phone.

        4 months later

        proclaim

        Thank you for the very in-depth description of your setup on Github.

        Do I understand correctly that you have updated your setup and are now only using the Owner Profile?

          Profiles:

          Owner - This is my default profile. No play services. I have had re-occurring issues with SMS not reliably being received by secondary profiles, which is why the owner profile remains the daily driver profile. VPN enabled.
          Driving - This is for driving and an auto-insurance app to get a discount. The insurance app is extremely intrusive, which is why driving is its own profile.
          Google - All apps that require play services or apps that I don't want on another profile (such as Taco Bell). VPN enabled.
          Banking - Banking Apps. This also has play services installed but I prefer to keep banking apps separated. VPN enabled.
          Work - All my work related apps. I get paid a stipend to use my phone for work. This is the profile dedicated to work.

          Apps:

          Not going to create a huge list of apps but I will list a few main ones
          - Proton Mail and Drive for emails and photos.
          - Wireguard for VPN. I may switch to AirVPN's Eddie app at some point to take advantage of the blocklist features since Vanadium does not provide any sort of content blocking, but since I do not have issues with ads and the Eddie app is unreliable, I have not made the switch.
          - Obtainium as the primary way to update apps. I do not have an app store installed on my main profile.