yore

The recommended approach is to choose a DNS server that blocks ad domains.

We recommend doing it as part of DNS resolution which can either be done with the Private DNS feature or a local DNS filtering app via the VPN service app feature. If you use a VPN, we recommend not mixing that with Private DNS so a VPN app able to handle local filtering of DNS should be used, or a VPN service which can filter it remotely. Filtering can be detected by websites, etc. and they can enumerate what's being filtered vs. not filtered so bear that in mind.

    Rapunzli Those have unfortunately never been a correct implementation of this feature and it was always trivially bypassed in the past. It's still trivially bypassed on most Android-based operating systems.

    Rapunzli

    The first is AF-Wall. But it is only operable on rooted devices. I would like to have a replacement for this, because I want to have detailed control, whether an app may use WiFi or mobile net or nothing. There are many apps, which do not need any network connection.

    This is a badly designed app which massively reduces OS security. You should read our FAQ sections on these topics where we mention apps like RethinkDNS able to do local filtering while also using a VPN. We don't specifically recommend RethinkDNS but unfortunately there aren't other examples without bigger issues.

    So I have tried NetGuard Firewall, which will insert a virtual VPN within the device. But it seems to be incompatible with GrapheneOS, because after installation and activation, no app could connect to network services.

    It's not incompatible with GrapheneOS. It's incompatible with the standard Android leak blocking toggle because of implementation flaws. It shouldn't be used.

    Second, I would like to use AdAway. This app will function without root access, but it will insert a virtual VPN similar to NetGuard Firewall and with the same result: No other app can connect to network services any more. So my question is, whether there is no need for an app like AdAway on GrapheneOS, because it would suppress unwanted ads on system level. Or does someone know of an app, which would be compatible with GrapheneOS?

    You're trying to use the Android leak blocking toggle with a VPN app not providing traffic routing. The leak blocking toggle is working as designed and preventing all the non-DNS traffic from leaking. This is a configuration error on your part. There's nothing about this specifically incompatible with GrapheneOS. It's a bad implementation of this though and it encourages massively reducing OS security. Recommend avoiding this app too.

    NetGuard is meant to actually filter traffic and SHOULD be compatible with the leak blocking toggle like RethinkDNS. None of this is specific to GrapheneOS. We improve the leak blocking but it does not break any of these apps. They would break with it on the stock Pixel OS too, it's just not enabled by default in the setup screen there.

    I am sorry to have not seen the number 68 in the URL to this thread. I have only seen: "app-compatibility-with-grapheneos" and therefore I thought, it could be the right place for my questions.

    I thank you for your quick answers and I will need some time to understand all this in detail. And I will regard your hints to the manual or the FAQ.

    4 days later

    It's been reported here that certain Google AI features stop working after unlocking the bootloader. Has anybody with a P9 tested this? I mean it's probably not a big deal considering that many users here wouldn't touch that anyway but it's good for full disclosure and future users who might consider jumping ships to GrapheneOS. (Apologies if this issue has been discussed somewhere else. A quick forum scan did not yield any results on this.)

      Phead It's been reported here that certain Google AI features stop working after unlocking the bootloader.

      Quote from the article you linked:

      Unrooting and locking the bootloader seems to be the only reliable fix so far.

      If you are following the official install instructions, GrapheneOS will not be rooted and the bootloader will be locked. So this is a non-issue. 😊

        fid02 If you are following the official install instructions, GrapheneOS will not be rooted and the bootloader will be locked. So this is a non-issue.

        True, but you have to unlock the bootloader first, before you lock it again. My question was if the mere unlocking prevents the Google AI stuff from working or if it's the state of being unlocked (which, in our case should not be a problem since we lock it in one of the final install steps, as you correctly pointed out).

          Phead My question was if the mere unlocking prevents the Google AI stuff from working or if it's the state of being unlocked (which, in our case should not be a problem since we lock it in one of the final install steps, as you correctly pointed out).

          The article says that unrooting and re-locking solves the problem. If that is true (I have no idea) then the problem is being unlocked. I don't see how to read that text any other way.

          If the problem is a strong Play integrity check, then those apps likely won't run on GrapheneOS, period.

          It is plausible that clicking through to the XDA posts will reveal more details.

            Phead I agree with de0u, in that the article is very clear on the point that locking the bootloader again seems to fix the issue (if the issue exists in the first place).

            de0u
            You're right, I missed that part somehow. Reading on the bus is not good for my attention, obviously.

            11 days later

            Heyo,

            My business relies on Matterport and to use it I've been having to use a much older phone that doesn't use Graphene, etc. It says that "the app is not available", and using Aurora, I can download it, but of course it says, "Not downloaded from google play services" so it refuses to connect.

            I realize this is likely really complicated, and I understand that some apps are switching over to "Play Integrity API" which is causing certain apps to fall out of availability. I also saw some posts talking about spoofing the install location which would be incredible and solve the problem immediately, as I only need to stop thinking my device doesn't support it. However, again, vulnerability issues, complications, etc.

            Either way, is it at all possible to get Matterport and/or Craigslist apps working, for example? Mainly Matterport. The "not available for your device" issue is insanely frustrating, I can't seem to find a solution at all.


              GrapheneOS The recommended approach is to choose a DNS server that blocks ad domains.

              We recommend doing it as part of DNS resolution which can either be done with the Private DNS feature or a local DNS filtering app via the VPN service app feature. If you use a VPN, we recommend not mixing that with Private DNS so a VPN app able to handle local filtering of DNS should be used, or a VPN service which can filter it remotely.

              pDNS can be a good choice here
              Works very well on GOS. I'm very satisfied with it.
              https://www.zenz-solutions.de/personaldnsfilter-wp/

                I created a post regarding the Uber driver app which for the first time now considers GOS an authentic device and works perfectly. Thought I would share it here as well.

                  2 months later

                  AlphaElwedritsch Works very well on GOS. I'm very satisfied with it.

                  pDNSF is neat, but I don't think it ever handled DNS over TCP? One can check that with Termux, after installing dig & starting pDNSf, dig +tcp <some-blocked-domain> and this request would not be intercepted.

                  Edit: Here's what I see (Imgur)
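
The UDP-versus-TCP check described in the post above, as an added example that is not part of any post in this thread or of personalDNSfilter: it sends the same A query over both transports and flags the case where the name is blocked over UDP but resolves over TCP. The function names, the `server` argument and the `SINKHOLES` set are assumptions made for illustration; the thread does not say which answer the filter returns for a blocked name.

```python
import socket
import struct
SINKHOLES = {"0.0.0.0", "127.0.0.1"}  # assumed block answers; not stated in the thread

def build_query(name, txid=0x1234):  # RFC 1035 A query, recursion desired
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def frame_tcp(msg):  # DNS over TCP: same message behind a 2-byte length prefix
    return struct.pack("!H", len(msg)) + msg

def _skip_name(buf, off):
    while buf[off]:
        if buf[off] & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_a_records(resp):  # returns (rcode, [IPv4 addresses])
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(resp, off) + 4
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, addrs

def resolve(server, name, tcp, timeout=3.0):
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        s.connect((server, 53))
        if not tcp:
            s.send(build_query(name))
            return parse_a_records(s.recv(4096))
        s.sendall(frame_tcp(build_query(name)))
        f = s.makefile("rb")
        return parse_a_records(f.read(struct.unpack("!H", f.read(2))[0]))

def looks_blocked(result):
    rcode, addrs = result
    return rcode != 0 or not addrs or set(addrs) <= SINKHOLES

def tcp_not_filtered(udp_result, tcp_result):  # blocked over UDP, resolved over TCP
    return looks_blocked(udp_result) and not looks_blocked(tcp_result)
```

With the filter running, `tcp_not_filtered(resolve(server, name, False), resolve(server, name, True))` returning `True` for a name on the blocklist means DNS over TCP is passing through unfiltered.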

                  25 days later

                  Hi, Google Fi is not detecting my eSIM. How do I fix this?
                  Pixel 8a
                  I already uninstalled Google Fi on my old device.

                  a month later

                  Dexcom G7 app won't show the initial logon and seems to have many unauthorized calls in the log. Basically seems incompatible. Where can I upload the log?