GrapheneOS – Break Free from Google and Apple

🇬🇧->🇵🇱 Przejdź do polskiej wersji tego wpisu / Go to polish version of this post

Table of contents:

Just a year ago, I was really deep into the Apple ecosystem. It seemed like there was no turning back from the orchard for me. Phone, laptop, watch, tablet, video and music streaming, cloud storage, and even a key tracker. All from one manufacturer. Plus shared family photo albums, calendars, and even shopping lists.

However, at some point, I discovered Plenti, a company that rents a really wide range of different devices at quite reasonable prices. Casually, I threw the phrase “samsung fold” into the search engine on their website and it turned out that the Samsung Galaxy Z Fold 6 could be rented for just 250-300 PLN per month. That was quite an interesting option, as I was insanely curious about how it is to live with a foldable phone, which after unfolding becomes the equivalent of a tablet. Plus, I would never dare to buy this type of device, because firstly, their price is astronomical, and secondly, I have serious doubts about the longevity of the folding screen. I checked the rental conditions from Plenti and nothing raised my suspicions. Renting seemed like a really cool option, so I decided to get the Fold 6 for half a year. That’s how I broke out of the orchard and slightly reopened the doors to my heart for solutions without the apple logo. I even wrote a post about the whole process - I betrayed #TeamApple for broken phone. What I’m getting at is that this is how Android returned to my living room and I think I started liking it anew.

My adventure with Samsung ended after the planned 6 months. The Galaxy Z Fold 6 is a good phone, and the ability to unfold it to the size of a tablet is an amazing feature. However, what bothered me about it was:

All the points above made me give up on extending the rental and start wondering what to do next. Interestingly, I liked Android enough that I didn’t necessarily want to go back to iOS. Around this time, an article hit my RSS reader: Creators of the most secure version of Android fear France. Travel ban for the whole team (I think it was this one, but I’m not entirely sure, it doesn’t really matter). It talked about how France wants to get its hands on the GrapheneOS system and thus carry out a very serious attack on the privacy of its users. I thought then, “Hey! A European country wants to force a backdoor into the system, because it is too well secured to surveil its users. Either this is artificially blowing the topic out of proportion, or there is actually something special about this system!”. At that moment, a somewhat forgotten nerd gene ignited in me. I decided to abandon not only iOS, but also mainstream Android, and try a completely alternative system.

GrapheneOS is a custom, open-source operating system designed with the idea of providing users with the highest level of privacy and security. It is based on the Android Open Source Project (AOSP), but differs significantly from standard software versions found in smartphones. Its creators completely eliminated integration with Google services at the system level, which avoids tracking and data collection by corporations, while offering a modern and stable working environment.

The system is distinguished by advanced “hardening” of the kernel and key components, which minimizes vulnerability to hacking attacks and exploits. A unique feature of GrapheneOS is the ability to run Google Play Services in an isolated environment (sandbox), allowing the user to use popular applications without granting them broad system permissions. Currently, the project focuses on supporting Google Pixel series phones, utilizing their dedicated Titan M security chips for full data protection.

When I used to read about GrapheneOS, the list of compatible devices included items from several different manufacturers. Now it’s only Google Pixel devices. This doesn’t mean you can’t run this system on a Samsung, for example, but the creators simply don’t guarantee it will work properly, and you have to deal with potentially porting the version yourself. Note that it’s quite funny that a system freed from Google services should be run exactly on Google devices. If anyone wants to read more about why Pixels are the best for GrapheneOS, I recommend checking out the following keywords - Verified Boot, Titan M, IOMMU, MTE.

I’ve bolded the items that are not only supported but also recommended (at the time of writing this post, you can find the current list here)

At the stage of choosing a device to test GrapheneOS on, I wasn’t yet sure if such a solution would work for me at all and if I’d last with it in the long run. So it would be unreasonable to lay out a significant amount of money. Because of this, probably the only sensible choice was the Google Pixel 9a. This was a few months ago, when not enough time had passed since the premiere of the 10 series models for them to make it onto the fully supported devices list. At that time, the Pixel 9a was the freshest device on the list (offering up to 7 YEARS of support!) and on top of that, it was very attractively priced, as I bought it for around 1600 PLN (~450 USD).

In retrospect, I still consider it a good choice and definitely recommend this path to anyone who is currently at the stage of deciding on what hardware to start their GrapheneOS adventure. The only thing that bothers me a bit about the Pixel 9a is the quality of the photos it takes. I switched to it having previously had the iPhone 15 Pro and Samsung Galaxy Z Fold 6, which are excellent in this regard, so it’s no wonder I’m a bit spoiled, because I was simply used to a completely different level of cameras. Now I also know that GrapheneOS will stay with me for longer, so it’s possible that knowing then what I know now, I would have opted for some more expensive gear. However, this isn’t important to me now, because for the time being I don’t plan to switch to another device, and by the time that changes, the market situation and the list of available options will certainly have changed too. Besides, I’m positively surprised by the battery life and overall performance of this phone.

Locking the bootloader is crucial because it enables the full operation of the Verified Boot feature. It also prevents the use of fastboot mode to flash, format, or wipe partitions. Verified Boot detects any modifications to the OS partitions and blocks the reading of any altered or corrupted data. If changes are detected, the system uses error correction data to attempt to recover the original data, which is then verified again – thanks to this mechanism, the system is resilient to accidental (non-malicious) file corruption.

However, before re-securing the bootloader, I recommend checking if the system was flashed correctly and everything works as it should, because if it doesn’t, locking the bootloader might brick (completely block, or even damage) the phone. Therefore:

The final step before starting to play with the new system is reapplying the OEM lock.

Now the real fun begins. You’ll hear/read as many opinions on what you should and shouldn’t do regarding GrapheneOS hardening as there are people. Some are conservative, while others approach the topic a bit more liberally. In my opinion, there is no one right path, and everyone should dig around, test things out, and decide what suits them and fits their security profile. You’ll quickly find out that GrapheneOS is really one big compromise between convenience and privacy. While this same rule applies to everything belonging to the digital world, it’s only in this case that you’ll truly notice it, because GrapheneOS will show you how many things you can control, which you can’t do using conventional Android.

I don’t intend to use this post to promote some “one and only” method of using GrapheneOS. I’ll simply present how I use this system. This way, I’ll show the basics to people fresh to the topic, maybe I’ll manage to suggest an interesting trick they didn’t know to those who have been users for a while, and on a third note, maybe some expert will show up who, after reading my ramblings, will suggest something interesting or point out what I’m doing wrong / could do better. I’m sure that’s the case, since my adventure with GrapheneOS has practically only been going on for 3 months. I warn you right away that I’m not sure if I’ll be able to maintain a logical train of thought, as I’ll probably jump around topics a bit. The subject of GrapheneOS is vast and in today’s post I’ll only manage to slightly touch upon it.

One of the first things I did after booting up the freshly installed system was to create a second user profile. This is done in Settings -> System -> Multiple users. The idea is for this feature to allow two (or more) people to use one phone, each having a separate profile with their own settings, apps, etc. Who in their right mind does that? While I can imagine sharing a home tablet, sharing a phone completely eludes me. It therefore seems like a dead feature, but nothing could be further from the truth.

For me, it works like this: on the Owner user, because that’s the name of the main account created automatically with the system, I installed the Google Play Store along with Google Play services and GmsCompatConfig. This is done through the App Store application, which is a component of the GrapheneOS system. Please don’t confuse this with Apple’s app store, even though the name is the same. From the Play Store I only installed the following applications:

And that’s it. As you can see, this profile serves me only for apps that absolutely require integration with Google services. In practice, I switch to it only when I want to pay contactlessly in a store, which I actually do rarely lately, because if there’s an option, I pay using BLIK codes. Right after switching from Samsung there were more apps on this profile, but one by one I successively gave up on those that made me dependent on the big G.

It’s on the second profile, which let’s assume I called Tommy, that I keep my entire digital life. What does this give me? For instance, the main profile cannot be easily deleted, but the additional one can. Let’s imagine a situation where I need to quickly wipe my phone, but in a way that its basic functions still work, i.e., without a full factory reset. An example could be, say, arriving in the USA and undergoing immigration control. They want access to my phone, so I delete the Tommy user, switch to the Owner user, and hand them the phone. It makes calls, sends SMS messages, even has a banking app, so theoretically it shouldn’t arouse suspicion. However, it lacks all my contacts, a browser with my visited pages history, a password manager, and messengers with chat histories. This is rather a drastic scenario, but not really that improbable, as actions like searching a phone upon arrival in the States are something that happens on a daily basis. Besides, the basic rule of security is not to use an account with administrator privileges on a daily basis.

On GrapheneOS, Obtainium is my primary aggregator for obtaining .apk installation files and automating app updates. It’s like the Google Play Store, but privacy-respecting and for open-source applications. It would be a sin to use GrapheneOS and not at least try to switch to open-source apps. Below I present a list of apps that I use. Additionally, I’m tossing in links to the source code repositories of each of them.

To understand how Obtainium works and how to use it, I recommend checking out this video guide.

I have a few apps that are not open-source, but I still need them. In this case, I don’t download them from the Google Play Store, but exactly from the Aurora Store, which I mentioned above.

Aurora Store is an open-source client of the Google Play store (I guess you could call it a frontend) that allows downloading applications from Google servers without needing Google services (GMS) on the phone.

The Internet characterizes this solution as follows:

Sounds perfect, right? A bit, yes, but unfortunately not everything holds up completely. I have two main complaints about Aurora Store.

With these anonymous accounts, the thing is that sometimes they work, and sometimes they don’t, due to limits that are unreachable with a normal account used by one person, but when a thousand people download apps from one account at once, it starts to get suspicious, and the limits are exceeded quite quickly. Using Aurora Store violates the Google Play Store terms of service, so on the other hand if we use our Google account, it might be temporarily blocked or permanently banned. Some option here is to create a “burner” account just for this, but that takes away some of our privacy, because Google can still index us based on what we downloaded. Anonymous accounts in this case provide almost complete anonymity, because then we are just a drop in the ocean.

When it comes to security, yes, in theory we download .apk files from a verified source, but only under the condition that the Aurora Store creators don’t serve us a Man in the Middle attack. The decision whether you trust the creators of this app is up to you.

Below I present a list of applications that I downloaded from the Aurora Store, checked, and can confirm that they work without GMS (Google Mobile Services).

GrapheneOS allows for full control over what permissions each application can have. For example, in conventional Android forks, every application by default has granted Network (internet access) and Sensors (access to all sensors like the accelerometer) permissions.

Has anyone ever wondered if all apps on a phone need Internet access? Indeed, in the vast majority of cases, a mobile app without network access is useless, but you can’t generalize like that, because for example, the previously mentioned FUTO Voice Input uses a local LLM to convert speech to text, which works offline on the device. Why would such an app need Internet access then? For nothing, so it shouldn’t have such permission. Now let’s take apps like FairScan (document scanning), Catima (loyalty card aggregator), Collabora Office (office suite), or Librera (ebook reader). They too do not need Internet access!

The situation looks even more bizarre when you look at which apps actually need access to all of our device’s sensors. If we think about it calmly, we’ll conclude that in this specific case it’s completely the opposite of the previous one, meaning practically no app needs this information. And I remind you that by default on Android with Google services, all apps have such permissions.

To manage a given application’s permissions, just tap and hold on its icon, select App info from the pop-up menu, and find the Permissions tab. A list categorized by things like - Allowed, Ask every time, and Not allowed will appear. I recommend reviewing this list for each app separately right after installing it. This is the foundation of GrapheneOS hardening.

A collective menu where you can view specific permissions and which apps have them granted is available in Settings -> Security & privacy -> Privacy -> Permission manager. Another interesting place is the Privacy dashboard available in the same location. It’s a tool that shows not only app permissions, but also how often a given app reaches for the permissions granted to it.

In GrapheneOS we don’t only have user profiles, but each user can also have something called a Private space. I encountered something similar on Samsung, where it was called Secure Folder, so I assume this might just be an Android feature implemented differently by each manufacturer.

Private space is turned on in Settings -> Security & privacy -> Private space. It acts like a sort of separated sandbox that is part of the environment you use, but at the same time is isolated from it. For me, it’s a place that gives me quick access to apps that nevertheless require Google services. You might ask - why then do I keep the mBank and T-Mobile apps on the Owner user if I could keep them here? Well, for reasons unknown to me, I’m unable to configure my private space so that paying with contactless BLIK via NFC works correctly in it. The same goes for Magenta Moments from T-Mobile, which don’t work correctly despite GMS being installed in the private space.

Oof… I did it again, sorry. I’m just counting the characters and it comes out to just under 35,000… I’ll probably break that barrier with these next few sentences. Well, long again, but purely meaty again, so I don’t think anyone has reason to complain. As I mentioned earlier, I’ve only touched upon the topic of GrapheneOS, which is extensive, and it’s a good thing, because it’s a great system, and the biggest respect goes to the people behind this project. It’s thanks to them that we even have the option of at least partially freeing ourselves from Google (Android) and Apple (iOS). Therefore, I highly invite you to the final chapter of this post.

Finally, I would like to encourage you to support the GrapheneOS project. The developers behind it are doing a really great job and in my opinion deserve to have some money thrown at them. Information on where and how this can be done can be found here.

Wszystkie powyższe treści udostępniam za darmo i nie wymagam niczego w zamian, dlatego jeżeli uważasz, że to co publikuję ma dla Ciebie jakąkolwiek wartość to proszę rozważ docenienie mojej pracy poprzez wsparcie finansowe przy użyciu którejś z poniższych form 🙂