GrapheneOS - Install notes and quirks

GrapheneOS (GOS) is a privacy respecting Android custom ROM that gives a lot more control back to the user and is much safer by default. The only requirement is that the device you are using is a Google Pixel of some variety. The latest at the time is usually what is recommended; at the time of writing that is the Pixel 6 line.

They have an extensive guide on GOS on their website: https://grapheneos.org/

There is also a neat write-up on privacy for mobile phones on SideOfBurritos’ website: https://sideofburritos.com/docs/setup-guides/mobile-privacy/ Highly recommend his youtube channel, anyone using GOS should watch all his videos on it. They are very short and highly informative.

Installing

The easiest thing I’ve ever done in terms of tinkering around inside the internals of a device. You just go to the GOS website and follow the steps. Any chrome based browser will be able to connect directly to your phone and do most things automatically. It will prompt you for a couple of the steps, but mostly it is done automatically.

Getting Apps

As you will see when you first boot into GOS, there isn’t much at all. That’s because on the essentials are installed by default. You’ll notice an “Apps” app, that is where packages from the GOS developers can be installed. For you this will typically be the Google stuff if you need it briefly to install something.

If you want regular apps the best place is the Aurora Store. It can be found here: https://auroraoss.com/ This is a replacement front-end for the Google Play Store that doesn’t require a sign in to get the apps. One thing to recommend it to enable Storage Scopes for Aurora Store when it asks for access to files on your phone. It asks for this despite not needing it. Storage Scopes allows you to tell it that it has access without actually giving it. It also allows you to selectively tell it what files and folders it has access to, which it pretty neat.

A lot of free software can be grabbed from the F-Droid Store (or one of its better and safer front-ends like Droid-ify), however it is insecure as they resign all the software with their own keys. Meaning that if they got compromised and signed a malicious package your phone wouldn’t know and would just install it as an update to one of your apps. Normally the developers themselves sign the APKs, meaning that if one of them gets compromised it’s only their app that will cause an issue and not literally every app on the store. A redeeming thing about the Google Play Store is that they distribute APKs that are signed by the developers of the apps, meaning that it is much safer.

So to reiterate the best place to gets apps is through the Aurora Store or directly from github. Getting from github is best for FOSS software that is normally on F-Droid and may offer a paid “Pro” version on the Google Play Store, such as the Simple Mobile Tools suite.

Simple Mobile Tools Suite

The simple mobile tools suite of apps are simple functional replacements for most of your basic functional apps on Android, and in this case GOS. Some of the replacement GOS went with are kinda bad and lack polish. Give these alternative a try and see which you want to replace.

They can be found here: https://github.com/orgs/SimpleMobileTools/repositories

Installing Google Camera

Yes, removing Google just to reinstall it. Hear me out. The default app on GOS is terrible, it utilises a very limited subset of what the Pixel 6 hardware is capable of. GCam is much, much better but is obviously rife with spyware.

But fortunately, because we’re running GOS we only have to install the necessary parts that GCam is reliant on and sandbox it so it can’t do nasty things.

The GCam Services Provider only implements the necessary functionality to get it working and nothing more. After installing GCam make sure to revoke permissions such as location and network so that it can’t phone home.

Note: That you cannot have Google Services Framework and GCam Services Provider installed at the same time. They both use the same system name internally but GCam Services Provider just implements less functionality. So if you need to install an app that requires it, I would install the app first using the Google Services you need, remove the Services and then install GCam Services Provider again.

App quirks

Most apps that I installed work fine out of the box. However, certain apps such as banking apps use limited functionality from either the Google Services Framework, Google Play Services, or the Google Play Store. I had an issue with a Banking app that required Play Store to be installed for the initial setup process and could be deleted once it was removed.

Push notifications won’t work without Play Services installed. So with apps like Signal, they are required to run in the background constantly.

Linux Nemo File Manager Pixel 6 Quirk

It seems the Nemo file manager doesn’t play nicely with either the Pixel or GOS. In order to connect to it and transfer files, Nemo needs to be not running when setting the Android device to “Transfer Files” in the USB options.