So, you want to install GrapheneOS
A couple of months ago I decided to take the plunge and install GrapheneOS onto a Google Pixel 9a. My previous device was a Nothing Phone 2 and aside from its size (bit too large) it was a very nice phone. Yes the glyph interface isn't as useful as it is a nice design aesthetic, but in general Nothing devices are a great mid-priced alternative to the mainstream.
For those who are not aware, GrapheneOS is a private and secure operating system alternative to an OEM (original equipment manufacturer) installed version of Android. Each manufacturer (Nothing, Samsung et al) has their own tweaked version of the Android operating system that they preinstall on their devices. Some are more of a pleasure to use than others, but they all have stock Android underpinning them.
But, why?
Over the last few years I have significantly reduced my use of many mainstream tech services. I moved entirely away from Meta (then Facebook) products in 2017 and also began using Proton as a general replacement for Google.
Migrating away from Google can be particularly tricky as things like Google Maps and Android itself are very useful and/or pervasive. Coinciding with the start of the Rebel Tech Alliance adventure I decided it was about time I began exploring a deeper interest in privacy than simply using a different email provider.
There are numerous alternative operating systems out there, which is the beauty of open source software development:
However GrapheneOS is often touted as the most secure of them all. If your only purpose is to just de-Google then it may be worth exploring the above as well.
This post is not an in-depth review of GrapheneOS as a whole but rather just recounting my experiences with installing and using it every day for the past couple of months. In a future post I will most likely go through my own "privacy" stack.
Installation
GrapheneOS themselves have a very thorough installation guide that can be followed if you like written, step by step guides.
If you would prefer to follow along to a video though, then here is one specifically for a Pixel 9a.
It's a nice 7 minute guide and was especially helpful since I use the Brave browser and the web based installation of GrapheneOS would have failed had he not mentioned that the shields need to be turned off.
You need to enable OEM unlocking and allow flashing as root. Other than that the web installer is very straightforward and smooth. No hiccups and it worked first time.
If you hate all things GUI then Graphene have you covered too!
So it begins
After that, I got cocky. I am a technical person so therefore I should go for the most complete and secure approach, right? Well, maybe I shouldn't have. At least not the first time.
There are many different ways to set up GrapheneOS for your own personal use. I found what I thought was the best approach, which was to have three profiles: one owner, one for your everyday use apps and a third for the ones that require Google Mobile Services (Play) installed.
"He chose . . . poorly."
This was a mistake. As the dude in the video above states, if this is your first time installing GrapheneOS just use one profile and install the Play services. The friction of having three separate accounts is pretty high. Even if you have read the guides on GrapheneOS's site, the reality of the difference can be quite stark with three separate profiles.
Each profile is a sandbox of sorts. If you install apps to one profile they are not available in another unless you choose to allow them to be installed via the owner account. The clipboard is also not shared between profiles. Obvious when you think about it, but for me it caused a moment of "oh, damn" when trying to input an OTP code.
Permissions are also deliberately restrictive by default. You need to grant things like network access (cellular and WiFi), location, camera, storage etc on a per app basis.
Only the owner account (which I named "root" because of course I would) has the permission to connect to a new WiFi network or to turn on and off the SIMs installed in the phone. You also have to remember to enable SMS and phone calls for any other profiles otherwise your device will be pretty silent. Though in hindsight that could actually be the purest form of bliss in the modern world. . .
The Pixel 9a is dual SIM compatible but the secondary one is an eSIM. It is fairly straightforward to get that working on GrapheneOS.
Unusable Native Apps
Some apps will either refuse to install at all or not allow you to log in to the service. This is because they do Hardware Attestation Enforcement. Unsurprisingly these are, more often than not, banking apps. A non-exhaustive list that I made a note of:
- Lloyds Bank
- Wise
- Santander
- Coinbase
- Google Wallet
NFC payments via Google Wallet will not work. You will need to reach into your pocket and take out your actual credit card to pay for things. Boarding passes, concert tickets and such like still work fine.
Require Google Play Services
Others will allow you to install but you can only use them if you enable Google Mobile Services (Play):
- All other banking apps
- Citymapper
- Telegram (disappointing)
- Outlook
- ProtonMail (for notifications)
Again, not an exhaustive list, just the ones I made a note of.
Telegram requiring Google services is a shame. Pavel Durov talks a good talk after all.
The one surprise for me was ProtonMail. While Proton's app installs just fine, you do not receive notifications for new emails unless Google Play services are enabled. I do not know for certain why but it might be that Proton use FCM (Firebase Cloud Messaging) for their push notifications. Firebase is a Google-owned service.
Initially I installed ProtonMail only in the profile where Google Play was enabled. However swapping between profiles in order to look at my emails was a level of friction I was unwilling to accept in my day to day use. I suppose I could have settled for just opening the app every now and then and letting it fetch any new emails.
In the end I deleted the third Google Services profile and enabled it on my secondary day to day use profile. There is still the primary owner profile via which installation of any new apps happens and new WiFi network connections are added.
Any apps that are not able to be installed I use via their web based alternatives.
The Google Mobile Services Conundrum
Google's Mobile Services are a suite of different apps that usually come preinstalled on Android devices. Google Play is part of that suite and allows users to install apps via the official app store.
On GrapheneOS even if you install and enable Google Play it runs in a sandbox and has restricted permissions. This is great news and should make you feel somewhat safer with just going ahead and enabling it on your profile.
However this is not the full story. When installed and enabled Google Play services will still connect to Google infrastructure periodically and still require some permissions such as network usage.
The simplest way to think of it is that the sandbox that Google Play services runs in makes sure that it is isolated from the rest of your device, but it does not make you or your device anonymous nor invisible.
For my purposes I created a brand new Google account specifically for the Pixel 9a device and that is what I use to sign into Google Play. Still not ideal, but pragmatic for less friction in user experience.
There are numerous posts on the GrapheneOS forums talking about this further.
Further Quirks
The stock messaging app is laggy. Messages that are received often take seconds to appear in app after the notification has been received. The delay is slow enough to be really quite annoying, but not slow enough to be unusable.
The battery drains quite quickly compared to the Nothing Phone 2. This is despite the battery being significantly larger in the Pixel 9a (5,100mAh) than the Nothing Phone 2 (4,700mAh). Looking at the battery usage this predominantly seems to stem from the Brave browser and Signal.
In the end I turned off all background app usage permissions to save on battery life. I still need to charge it more often than I had to charge the Nothing Phone 2 but at least I can make it through a day.
Closing Thoughts
Finally, I will reiterate that I am just a CRUD monkey. I do not require absolute anonymity in my everyday life. There is a way to make use of GrapheneOS while remaining orders of magnitude more private and anonymous, but that is beyond the scope of this particular article and my expertise. If that is what you require the only thing I can offer as a starting point is:
- buy the device you're going to install GrapheneOS on using cash
- buy it from a place far from where you live
- travel there without using any form of digital payment mechanism
- while avoiding all CCTV
TL;DR. I came here for the summary
Ultimately what's it like to use GrapheneOS as your daily phone OS? Well, it's fine. It's definitely not a pleasure, but once you have configured permissions and such like it is perfectly usable.
Not being able to install some apps at all is frustrating. Companies do not always prioritise the web experience for their users and this can result in a significantly degraded user experience, particularly around 2FA codes that you may be used to receiving in the app as opposed to via SMS. Of course this is most certainly not the fault of GrapheneOS but it is important to highlight the changes in how you would interact with your device.
In some ways this might be a good thing; if your phone is less enjoyable to use you may be less likely to pick it up and start doom scrolling.
None of the experiences I had above are necessarily bad things in and of themselves; after all, the point of using GrapheneOS is to retain control of your privacy and data. You will need to decide for yourself whether that additional friction is worth it to you.
Regardless, if you went ahead with installing GrapheneOS onto a compatible device, congratulations:
"You've taken your first steps into a larger world."