One Month with GrapheneOS
My experience with GrapheneOS on the Google Pixel 6a.
For an updated review of my experience with running this OS as a daily driver, check out my 1 year review here: GrapheneOS — Mobile Privacy: 1 Year Later
This past year I have been making the move in my life to find a balance between privacy and convenience. Part of me thinks poorly of the insanity that is FAANG (MAANG, I guess… and others) and their data collection on every aspect of my digital life, while the other part of me truly enjoys some of the apps and tools they offer.
In my journey towards finding a balance on this spectrum, I decided that GrapheneOS was a move I was interested in. My goal in this post is to detail, from the perspective of a tech-savvy end user, my experience in daily driving this OS and the pros and cons I have noticed.
What made me switch?
I realize the irony in this next statement, especially as someone attempting to be concerned with security and privacy, but I had been running with a 5-year-old phone, 2 years out of security updates, until July 28th this year.
I knew I wanted to move towards a 2022 release phone, I wanted solid hardware as I could now afford to purchase it, and I wanted something that was as concerned about my data/security as I was attempting to be.
With some research I found a middle ground of the Pixel 6a. I did not need the flagship features of the current Pro version and I did not want the aging Pixel 5 versions as the cost was too similar for their lack of long term promised security updates.
Why the Google Pixel specifically?
Frankly, a good explanation of this already exists here.
In short though:
- The phones are guaranteed full security updates for 5 years (2027).
- They have a CPU twice as fast as the previous gen models.
- An SoC that is the same as the Pro variation of the phone (for cheaper).
- I can manage apps by individual permission and tie them down with Storage Scopes.
- And maybe most importantly of all, support for verified booting of custom ROMs (aka GrapheneOS) backed by the hardware security of the Google Titan M chip.
How was the install process?
Honestly, it was incredibly easy and is detailed here.
Simply give it a quick read and it is as easy as plugging in the phone and clicking through the steps. Took me all of 30 minutes, if that.
Disclaimer:
While this no longer applies as a new update has since been released, on the initial launch of the Pixel 6a only Verizon customers could get the over-the-air update from Google.
There were workarounds that would make this process a bit more time consuming for other carriers, so in the future if you have a newly released Pixel, be aware you may run into similar issues.
It seems Google simply botched the launch timing a bit, so my review includes 1 week running the Pixel 6a beta channel “launch” build. It has since merged into the Stable build and that is what I currently run as of this review.
Post-Install
At this point, I needed some help navigating my setup as both the OS and the specific changes made by GrapheneOS were new to me. This channel, SideOfBurritos, gave me some solid tips on setup at every step of the way:
Setting Changes & Personalization
As with any new phone, run updates on the base install and any apps that are pre-installed. As this was a first release beta install, there were none for me but there may be for you.
I also went through and made some personal adjustments. My threat model did not necessitate the need for every notification to be hidden from the lock screen or scrambled password keypads but I did make some basic changes:
- Enabled dark mode, added screensavers, changed locked screen layout.
- Added lock down mode to the Power Button options.
- Added battery percentage to top bar.
- Enabled auto-reboot, among a few other changes.
I would advise simply clicking through everything in the settings and seeing what options you have and what preferences you may want to enable/disable.
I certainly took a middle ground approach of some convenience and some security. After, I downloaded Neo Store and Aurora Store to install apps.
Installing Apps
My main process for adding apps was three-fold:
- One, get rid of apps I truly did not need or use (aka, don’t install them on my new device if I did not use them much on my old one).
- Two, look FIRST for a Free and open-source software (FOSS) alternative for any apps I decided I wanted to keep. Especially things that are dependent on big companies like Google, Amazon, etc.
- Three, use a 3rd party to download popular Google Play Apps anonymously if I could not find a suitable replacement.
After removing apps I did not use (you know, the ones you have installed that you never click on), I moved to the FOSS apps.
App Replacements
Here are some apps I found that replace either the “less feature-rich” default apps or ones that I found as good alternatives to apps I could replace.
- Gallery/Google Photos app REPLACED with Simple Gallery Pro.
- Audible REPLACED with Smart Audiobook Player.
- Google Drive REPLACED with NextCloud (write-up coming soon).
- Google Chrome REPLACED with Vanadium.
- YouTube REPLACED with NewPipe.
There are a few more but those were some of the biggest ones.
Feel free to leave a comment if you have any questions on suggestions for apps as I have tested quite a few at this point.
Banking Apps
This is a bit tricky as some of the apps here do not work with GrapheneOS for security reasons that are a bit over my head, more info here.
Luckily, the banks I have by default DO work on GrapheneOS but this may not be the case for you. A list can be found here if you want to check compatibility.
If they don’t work, my backup was to install a secondary profile (video info here) and keep them totally separate from everything else. However, I found that after some adjustments, I didn’t even need to use the apps on my phone.
I mostly use them on desktop, I have my passwords safe with a password manager, everything is 2FA, and I get text messages/emails about any alerts on all of my accounts.
For extra privacy you could set up a burner number, dual SIM (not sure if it is fully supported on GrapheneOS), or use an email like Proton for notifications.
In my case, I felt the risk of the rare times I need to use the apps didn’t outweigh potential for all my financial assets to be accessible on a phone if it was lost or compromised.
Google Camera
This is still my favorite app but it won’t even launch without Play Services. Stuff like this is frustrating because why does my camera need access to Google to “work”? I digress though.
Luckily, there is an alternative to make this app work while maintaining a lack of Google apps, using Gcam Services Provider.
This fakes the necessary APIs to make the app launch and it even lets you simulate in a way opening your last photo in the app of your choosing (instead of Google Photos). In that case, Simple Gallery Pro that I mentioned above.
Issues & Incompatibilities
Google Camera, Gcam Provider, & Google Play Services
The first I noticed was that Gcam Services Provider will not install if Google Play Services is installed. They tell you this in the GitHub readme but what they don’t say (or what I maybe missed) is that it detects it cross-profile so that even if you do not have it on your current profile, but it is installed elsewhere, it won’t work.
My guess is that it simply sees it in the installed apps list and won’t proceed with the install, even though the apps list states it is installed on another profile.
This causes a problem for example if you want a “Google free” profile, yet you want a Play Services profile for banking or social media. I eventually adopted a single profile and have been happy with the minimal things I might be missing otherwise.
Notifications on Certain Apps
My biggest culprits for this are Slack, Discord, Snapchat, and DUO 2FA.
Yes, I know. I am not perfect to be privacy minded yet still have these downloaded but I am not willing to ditch active social communities for full 100% privacy.
As with many things, it is a balance and taking a step to better your privacy standing is still better than doing nothing at all.
Simply put, these apps do not send push notifications unless they are open and active on-screen. With some apps, this can be resolved by letting the app have “Unrestricted” access in Battery Life (so that it constantly checks for notifications) but the ones I listed do not work that way.
My workarounds are listed below:
Slack
For Slack, I use this at work and will generally be at my desk using that app. When I am away, I check every 10–15 minutes to see if I missed something. This was an acceptable balance for me as I am rarely contacted in an urgent matter this way.
Discord
The same applies here as it did for Slack. I use it but never urgently, so replies that are a few minutes late don’t hurt anyone. Plus, when I actively need it I am probably gaming with my friends on Desktop anyway.
Snapchat
Frankly, I don’t use this app except for like 2 people. This still works but displays a popup message that “this app wont work without Play Services”… but it totally still does.
I just check on my lunch break or in downtime to send something or reply back if need be. My goal is to get off this app and go back to texting if need be.
Duo 2 Factor
This one displays a similar message but it works. However, it does not send push notifications as well and only checks for new requests when you open the app or return to it.
If you open it and then send the notification for login, you won’t get it until you pop out to the switch apps view and pop back into it. This was acceptable for me as all I have to do is open the app AFTER the prompt has been sent and it works fine.
Possible Alternative Solution
Use microG. I have not researched this enough to know this solution and it is my understanding that SOME people have had minor success with it on a per-app basis for notifications but you can read more about microG in this Twitter thread from the official GrapheneOS page.
Texting with Signal
For notifications to work with Signal (they seem to occasionally delay by a minute or two RARELY) you need to use the APK from their site here.
It auto-updates on its own (rather it notifies you to update) and is built without a dependence on Google Play for notifications (like the Google Play Store version is).
Final Thoughts
Outside of some minor notification issues on lesser used apps and a few minor graphical issues on the original beta build for the Pixel 6a, my experience does not feel any less than that of any other smartphone user.
I can:
- Take photos using Google Camera (without Google dependence) to get panoramic shots and wide angles.
- I can read and listen to my books, I can launch Spotify for my music.
- I get timely phone calls and text messages.
- I get notifications for 95% of my apps including Instagram, WhatsApp, Twitter (again not perfect in a privacy sense but it’s where my friends are).
- I can download apps from alternative locations like Neo Store (F-Droid client).
- Bluetooth is snappy and works with all my devices (car, headset, earbuds).
- I can specify exact notifications and really drill down permissions given for each app individually.
- I can lock down many apps with Storage Scopes.
In fact, I think I feel better about this setup than I would with a default GoogleOS or otherwise. It feels more granular for the end user and it’s security/privacy focused.
I may not ever be perfect in regards to privacy and frankly some of the trade-offs might be worth giving out some data, but I think it is important to take some steps to alleviate the mass collection that goes on behind the scenes.
The internet, its tools, and the resources we use to navigate our lives should be in our control every step of the way and this was my first step towards supporting that future and the people who create it.
Closing
If you enjoyed this article, have any questions, or simply want to chat, feel free to reach out on Twitter or on here.
Thanks for making it this far, stay tuned for more.