A GrapheneOS device can be used in a large variety of ways. An important part of this is the basic configuration, which should act as a solid foundation for secure and private usage. Yet choosing the best option for yourself can be challenging, especially for new users.
In this post, I will show you an approach to this, explain the reasoning behind it and guide you through some parts of the setup.
I might use this as the foundation for a guide in a future project of mine, so your thoughts on the content as well as the style of the text are hugely appreciated.
Goals & Priorities
When deciding on device configuration, it makes sense to set specific goals and ideally work out a threat model beforehand. This gives us a clear focus and prioritization, which we can then base decisions on. I'll keep this very short here for the sake of universality, but keep in mind that your requirements might differ. That said, the approach we'll follow won't be a downright catastrophe in most cases; it just might not be optimal.
Our goal will be to choose a setup for our device that provides a good base for further usage. We want to be able to protect all data on the device and prevent threat actors from linking any info they get to our personal identity. When in doubt, we're going to prioritize security over privacy.
The setup should work well with compartmentalization and using different user profiles for different activities. It should be flexible to allow for profiles adapted to their purpose, while minimizing the chance that a compromised profile can be used to compromise the whole device. There should be a secure way of installing apps, reliably offering timely updates. Which apps we install and the actual usage of them are outside our scope.
Google Play Services
There are many valid approaches that don't require Google Play Services at all. At first glance, they might seem fundamentally preferable, as even with the sandboxing from GrapheneOS, Google is still an additional, in many ways malicious, party. All else being equal, avoiding Google would be preferable. In practice, though, Sandboxed Google Play brings clear benefits, like improved push message functionality, FIDO2 support, and access to the Google Play Store.
For our scope, the last one is especially important: currently the Play Store provides superior security to F-Droid, better reliability than Aurora Store or Obtainium, and much greater app variety than Accrescent. It is also one of the simplest and certainly the most beginner-friendly option. Its biggest drawback is easily the privacy threat, especially because a Google account is required to use it.
Here, we will go with installing Sandboxed Google Play and using the Play Store as our method to download and update apps. The reasons for this are its security benefits and usability advantages, which trump the privacy concerns in accordance with the goals we set in the beginning.
Mitigating the Privacy Threat
The decision in favor of the Play Store might be in line with our goals, but the concessions in privacy we are forced to make might still leave some feeling unsatisfied. Google is a considerable threat to privacy, especially in the realms of linkability, identifiability and non-repudiation. However, we are far from powerless and will not simply accept defeat without a fight.
Google can be assumed to collect as much info as it can, but through its sandboxed implementation, its access is limited. The GrapheneOS Usage Guide summarizes it well:
Since the Google Play apps are simply regular apps on GrapheneOS, you install them within a specific user or work profile and they're only available within that profile. Only apps within the same profile can use it and they need to explicitly choose to use it. It works the same way as any other app and has no special capabilities. As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions. Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play.
This enables us to block Google from accessing most data it would be able to collect on another OS. We are going to use Google only where necessary, namely the Play Store, and restrict its permissions as much as possible without breaking the functionality we require. We will also be using a trusted VPN or Orbot with a killswitch in all user profiles with Sandboxed Google Play installed, to prevent being identified because of our IP address.
Something we can't shield from Google in this setup is data about which apps we have installed. As a highly unique identifier, this can allow Google to fingerprint and identify us. Our counter against this is splitting our usage into multiple user profiles. Google isn't able to link multiple instances of Play Services from different user profiles on a device, and will thus only ever know part of all the apps we use. This isn't perfect, but if enough activities are split off to specific user profiles, app-fingerprinting should become much less of a threat, if not impossible.
Anonymous Google accounts
To prevent Google from linking data from different places to reveal our identity, any Google account should exclusively be used for one purpose. This means that for every user profile from which we want to download apps, we are going to use a new Google account. It should be created inside the profile in which it is then used. If the linked user profile is deleted, the account should not be reused and can be deleted as well.
All of this is of limited worth if we hand Google our identity on a silver platter during account creation. Luckily, we can avoid doing so.
To begin, we will install a trusted VPN or Orbot either through the owner profile, or by downloading and installing the .apk file directly through Vanadium. It's important to make sure the download is coming from the official website or GitHub page. After it is done, the permission to install apps can be removed from Vanadium again, and the VPN should be connected with the killswitch enabled. It is crucial that the killswitch remains active at all times that an internet connection is possible, so that our real IP address stays masked continuously.
Now, Google Play Services can be installed through the official GrapheneOS app repository. After it is finished, we can open the Play Store and create a new Google account. It is likely that SMS verification will be required. While some have found success by connecting to a VPN server from certain regions that might give you an option to skip it, this method doesn't work reliably. If you can't skip SMS verification, the easiest option will likely be to use a burner phone number. I successfully tested this with JuicySMS, but you can also pick a different service; KYCnot.me provides a good overview. For any other inputs that can't be skipped, use fake but realistic info.
The actual configuration
We have decided on the Play Store to download apps, and we know how to minimize Google's privacy invasiveness by using Sandboxed Google Play and anonymous Google accounts. Now we just need to put all of this into a specific configuration.
Most importantly, almost all usage should take place in different user profiles, each with a specific purpose. Permission to run in the background and access to phone & SMS should be given out restrictively. The owner profile should only be used for administrative purposes.
Play Services should at least be installed in the owner profile, as this enables the option to install apps from the owner directly into a user profile. If all apps inside a user profile are installed this way, the permission to install apps can be withdrawn for that profile, and Play Services aren't needed there. Meanwhile, in the owner profile, unused apps can be disabled without impeding updates or functionality inside other profiles. This can benefit security, privacy and usability, if it is still used sparingly to avoid fingerprinting the owner profile through its apps.
Final Thoughts
I hope you found this helpful or interesting! As I touched on in the beginning, this is V1 of something I might use in a future project of mine, addressed mostly towards beginners. Apart from general feedback and your thoughts surrounding the contents of the post, I'd like your opinion on a specific consideration:
In the last paragraph, I touched on the idea of using the owner profile for downloading & updating apps to then distribute them into user profiles. In principle, I find this to be quite elegant, but the more it is done, the higher the risk of fingerprinting being used as a unique identifier. At a certain point, it seems to become a question of weighing the added security of having user profiles without the permission to install non-first-party apps against the lost privacy from a more unique fingerprint. What's better depends on individual priorities, but I struggle to really assign a "value" to both of them, especially how big of a security improvement this enables. So, please share your evaluation of this if you have a more profound understanding of the factors!
Again, thank you all <3