T

tornsail

nuclear
Safety wise, I believe that installing GrapheneOS will be like a factory reset; and things are designed such that you don't need to worry about any lingering malware on a boot partition/loader ( like you might with a PC disk).

With a second hand phone, you need to ensure the phone can be OEM unlocked:
https://grapheneos.org/install/cli#enabling-oem-unlocking

Useful discussions here:
https://discuss.grapheneos.org/d/3719-oem-unlock
https://discuss.grapheneos.org/d/10362-oem-possibly-carrier-locked-phone/5

Argos, is that UK? You should be OK:
https://discuss.grapheneos.org/d/6809-uk-carrier

So just get the seller to confirm it was a UK/EU sourced phone and not from USA.

In Android Settings > About Phone > Battery Information there is a battery 'Cycle Count' number displayed. I'd ask the seller give you that information - or be suspicious if they give excuses "too hard to find, too busy" etc.

ryrona

This is what I see on my phones:

Primary Profile: settings/app-info shows all apps installed, on all profiles.
This makes sense because the primary profile needs authority to delete a secondary profile (and hence any apps + data installed by that profile). Such 'secondary profile apps (SPA)' show in the PP as 'Not installed for this user'; for such an app, from the PP>settings>AppInfo>App>top right corner you have the option to uninstall the SPA for all users.

Secondary Profiles: settings>AppInfo shows only the apps installed by that profile or pushed to that profile by the Primary Profile.

ryrona If I have the same app installed in two user profiles

Have you actually tried this with two Secondary Profiles? Someone here did have an issue when they were trying to do similar:
https://discuss.grapheneos.org/d/12091-app-not-installed-as-package-conflict-with-an-existing-package and @other8026 fixed it for them.

I have installed apps in the Primary Profile with Sandboxed PlayStore, when they were already installed in a Secondary Profile with Aurora. This was very nice because that app in the SP was updated with the latest PlayStore version and now showed PlayStore as the origin not Aurora. In both profiles the first install date shows as the Aurora first install date.

I think you will find all profiles are using the same app install in the same place - probably based on the (unique) reverse dns name like com.android.deskclock. Some people here do have different versions of apps installed but they are using a third party 'work profile' app to achieve this; not the GrapheneOS provided mechanisms. Perhaps you will need to look at this if you want to hide app installs in a Secondary Profile.

AOSP/GrapheneOS is likely to be using some combination of fscrypt / namespaces / uuid / selinux such that a Secondary Profile has no permission to see or access an App in an app folder until either the app is pushed to it from the PP or installed by an app store in that SP.

https://source.android.com/docs/security/features

GraphyGraphy WORKS / SOLVED for this use case:

I have tested this and made the same transition. Switching from Secondary Profile based Aurora and PlayStore installed apps > to > updating those apps using a Primary Profile PlayStore. This has worked fine for me. The updated apps still kept their app settings, data, fingerprint checks etc.

Starting point:

• a blank primary profile
• secondary profile with Aurora+fdroid-basic installed and apps installed using Aurora+f-droid
• banking secondary profile with sandboxed GPS and banking apps installed using GPStore

Intention:
Without uninstalling apps transition to using a Primary Profile with sandboxed GooglePlayStore and fdroid-basic to install & update all apps and push apps out to the Secondary Profiles. No PlayStore or f-droid in the secondary profiles.

Procedure:

• End sessions for all Secondary Profile, just in case an active profile could cause a glitch
• In the Primary Profile (PP) use GrapheneOS-app app to install sandboxed Google Play Services and PlayStore
• Apps installed with Aurora/GPS in Secondary Profiles will not show up in the PlayStore yet
• Use GPS to search for & install the apps, disable these apps in the PP
• go to the secondary profiles and check the AppInfo shows the updated app version and that the app was installed from the PlayStore. The AppInfo settings and data remain from the earlier Aurora installation.
• from now on you can update and install all apps from the PP

Extra steps taken for caution:

• I have only done this with apps that have an updated newer version on the PlayStore
  I can't be sure what will happen if you do this with the same version of an app
• take some screenshots of AppInfo dates/versions/origin-store before you start so you can confirm what has changed in the secondary profiles
  If you also do this in the Primary Profile, you will see that the Secondary Profile installed apps are 'greyed out'

GraphyGraphy donovxn
I believe this does work as you expect but you are right to observe that apps already installed with Aurora do not show up in the Sandboxed PlayStore (until you install an updated version of the app with PlayStore)..

I just (re)tested your scenario: an Aurora installed app I had not updated, and not showing in PlayStore, was updated with PlayStore and now shows as installed by PlayStore and shows in the PlayStore' Manage Apps' list.

Like you, I first started using GrapheneOS with Aurora. I have used Aurora for some years to avoid needing a Google account (and even on BB OS to get around the lack of GooglePlayStore). However, I have never liked using Aurora Store because I think it would be possible (in theory) for Aurora to install a compromised app. I wanted to avoid this threat when I started to use banking apps and travel apps with credit card payments.

As I think you have also identified, it is very elegant to use a Primary Profile sandboxed Google PlayStore to install and update all apps for all profiles and then push them to a Secondary Profile. The Google Play stuff can be left disabled except when updating and installing. This also works for me using f-droid basic in the Primary Profile and the same too for an old manually installed BB keyboard app which I push out to a couple of secondary profiles.

=== SOLVED === but how do I add a SOLVED TAG?

UndercoverBozo On mine I have an APK folder under documents. On the left draw.

Sorry, yes, that is where my Amaze/APK folder is too.

d4f2 Kanade works for me.

I will try this next, thank you. In the mean time:

SOLVED - the good news is with the helpful pointer from @UndercoverBozo the split apks have been backed up and installed on the second GrapheneOS device.

For future readers, this is what worked for me (all the detail is for anyone like me at my end of the ability spectrum; all the experts here are at the other end - sorry to them for the long detail :)

My intention was to make a copy of an older app (free but commercial=Garmin), that was no longer available from the PlayStore, and install it on a second device and avoid using an apk mirror.

• apk-extractor (from f-droid) did NOT work for me
• Install Amaze file manager on device A (or may be Kanade or APK Explorer & Editor will work too, but I've not tested yet)
• Use Amaze to backup the app to external USB storage
  (there's some hokey-pokey with storage permissions, but Amaze leads you through it)
• On this occasion, the app was 4 apks (known as a split apk I think)
• I did not find a way to install the split apks using Amaze or the default filemanager
• On device B install APK Explorer & Editor
• Using APK Explorer & Editor select all the split apks for the app (four in this instance) on the external USB storage and then you will find the install option

There might be something else here of interest to some people. I read in the forum quite frequently that some GrapheneOS users don't want to use the sandboxed PlayStore and head off to the Aurora Store despite the risks. Maybe people in that situation could use a secondary device to obtain their apps/apks direct from the PlayStore and then use this app backup technique to move the app to their primary device. Catch would be no easy updates of course. For myself, I just enable the Sandboxed PlayStore/Services stuff in the primary profile to install or update an app, then Sandboxed PlayStore/Services is disabled again immediately afterwards and then push the app to the required secondary profile.

This has been a great learning experience. Thank you for all your help.

UndercoverBozo Thank you for the pointer - and I have Amaze file manager installed now. It has an App Manager with a 'backup' option which seems to extract the selected app's apks into an Amaze/APK folder.

In this case I get four apks - the main big one ...garmin.apps.explore.apk + ...garmin.apps.explore_arm64_v8.apk + two small _en.apk + _xxhdpi.apk

I think this is called split apks and I guess I require some sort of split apk installer. I've not yet found a way to use Amaze to do this. Just installing the largest apk doesn't give a functioning app - whether using Amaze or the default filemanager.

After a did around on the web, I've found a few likely split apk installer stuff including SAI; I have a suspicion that Android 14 will not like them.

If anyone has any further helpful hints whilst I'm digging around, I'd be very grateful.