What is Graphene?
GrapheneOS is a privacy- and security-focused operating system based on the Android Open Source Project (AOSP). It hardens AOSP with stronger app sandboxing and additional exploit mitigations (for example a hardened memory allocator), and it exposes more fine-grained permission controls than stock AOSP, such as per-app Network and Sensors permissions and storage scopes. It is a good idea to do your homework before switching to Graphene, since there is a lot to learn, and the user experience is not as smooth and intuitive as you would find on a typical Android phone.
For me, the security and privacy were reason enough to switch, but it is also a way to help free me from big tech.
Getting Ready
I have been gradually de-googling my life for a few years now, so I was somewhat prepared to switch to Graphene. I replaced Gmail, Google Drive, Google Calendar, and Google Contacts with Proton equivalents. I replaced the Google search engine with DuckDuckGo, and replaced Google Chrome with a bunch of different browsers. I have set for myself the ambitious goal of never using the Google Play Store again. This will be difficult, and I may have to abandon this notion. We'll see.
You may not have started the process of weaning yourself off of Google and/or Apple. If that's the case, your transition may be harder.
You may also intend to use Google apps and the Google Play Store. GrapheneOS supports this through "Sandboxed Google Play": Google Play Services, the Play Store and Google Services Framework can be installed from the GrapheneOS app repository, but they run as ordinary, unprivileged apps rather than as the privileged system components they are on a stock Pixel. I will explain what this means and the best way to use it later.
Choosing A Phone
I call this section "Choosing A Phone", but there is really not much choice. You need to get yourself an unlocked Google Pixel. If you're buying a new device, I advise that you buy it directly from Google. I made the mistake of getting an "unlocked" phone from a retailer. What they meant was "carrier unlocked", which means you can choose any wireless service. I struggled for a while with this type of phone before realizing my phone was not really unlocked. What Graphene needs is a phone whose bootloader can be unlocked: the "OEM unlocking" toggle under Developer options must be available rather than greyed out, and some carrier-sold Pixel variants have it permanently disabled.
Why does Graphene only support Google Pixel phones? One reason is that a Pixel bought from Google lets you unlock its bootloader and, just as importantly, lock it again with your own verified boot key, so that verified boot keeps protecting the installed OS after the switch. Most other major manufacturers either block unlocking outright or do not allow re-locking with a third-party key. The Pixel also has a hardware-backed keystore, verified boot, hardware attestation, and input-output memory management units (IOMMUs). In plain English, the IOMMUs are what let the OS keep components such as the GPU and the cellular and Wi-Fi radios from reading or writing memory they have no business touching, so a compromised radio firmware cannot simply take over the rest of the phone.
Preparing Your Phone
I chose a Pixel 7. Since it's new, I figured that it would get updates for many years. I also like the sturdy build quality.
From here on, you should refer to this excellent guide, which will help you unlock your bootloader and flash GrapheneOS. Just keep these few points in mind:
- When you follow the directions to enable Developer options, be sure to enable USB debugging AND OEM unlocking.
- After struggling for a very long time attempting to unlock my bootloader on both an Ubuntu laptop and a Windows 11 laptop, I was easily able to use the web installer to unlock on a MacBook. I link here to a discussion thread I started on Stacker News which documents my struggles and the help I received. @03365d6a53 was particularly generous with his time and suggestions. If using Ubuntu, avoid the Flatpak installs of browsers, because the sandboxing will likely prevent a USB connection.
- Also, if attempting to unlock the bootloader using Ubuntu, you may need to install adb in addition to following the other instructions you find on the page:
    sudo apt install adb
- Overall, I found the Ubuntu installation to be simpler than Windows 11, but many people claim to have had more success using Windows than any Linux distro.
Once you have unlocked the bootloader, the rest of the process is a breeze. The web installer makes it easy. You can also choose the CLI install option. Instructions are available on the page I linked.
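Most of my wasted time came from not knowing whether the phone could be unlocked at all. The following is an added example, not part of the original post and not GrapheneOS's own tooling: a small POSIX shell pre-flight check that reads an `adb shell getprop` dump and tells you whether the bootloader is already unlocked, ready to be unlocked, or blocked (toggle off, or a carrier variant that cannot be unlocked). The property names `ro.oem_unlock_supported`, `sys.oem_unlock_allowed` and `ro.boot.flash.locked` are the ones exposed on recent Pixels; other devices may name them differently. The sample dumps in the script are constructed for the offline demo, not captured from a real phone.

```shell
#!/bin/sh
# Added example (not from the original post or from GrapheneOS): a pre-flight
# check that reads an `adb shell getprop` dump and reports whether the
# bootloader can be unlocked yet. Run with --live to query a connected phone
# (needs USB debugging authorised); without arguments it uses constructed
# sample dumps. Property names are those seen on recent Pixels (assumption:
# other devices may differ).

# Print the value of one property from a getprop dump ("[name]: [value]" lines).
# $1 = dump text, $2 = property name. Empty output if the property is absent.
prop_value() {
  printf '%s\n' "$1" | grep -F "[$2]: " | sed 's/^.*: \[\(.*\)\]$/\1/'
}

# Classify the device state from a getprop dump:
#   unlocked - bootloader already unlocked, go straight to flashing
#   ready    - locked, but "OEM unlocking" is on, so `fastboot flashing unlock`
#              will be accepted
#   blocked  - toggle off or greyed out (Developer options not done, or a
#              carrier variant that forbids unlocking); unlocking is refused
#   unknown  - expected properties missing (not a Pixel, or adb not authorised)
unlock_readiness() {
  dump="$1"
  supported=$(prop_value "$dump" "ro.oem_unlock_supported")
  allowed=$(prop_value "$dump" "sys.oem_unlock_allowed")
  locked=$(prop_value "$dump" "ro.boot.flash.locked")

  if [ -z "$locked" ] && [ -z "$allowed" ]; then
    echo unknown
  elif [ "$locked" = "0" ]; then
    echo unlocked
  elif [ "$supported" != "0" ] && [ "$allowed" = "1" ]; then
    echo ready
  else
    echo blocked
  fi
}

# Constructed sample dumps (not captured from a real phone) for the offline demo.
SAMPLE_READY='[ro.oem_unlock_supported]: [1]
[sys.oem_unlock_allowed]: [1]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]'

SAMPLE_BLOCKED='[ro.oem_unlock_supported]: [1]
[sys.oem_unlock_allowed]: [0]
[ro.boot.flash.locked]: [1]'

if [ "${1:-}" = "--live" ]; then
  unlock_readiness "$(adb shell getprop)"
else
  echo "sample ready:   $(unlock_readiness "$SAMPLE_READY")"
  echo "sample blocked: $(unlock_readiness "$SAMPLE_BLOCKED")"
fi
```

If the script prints `blocked` with the toggle visibly on, reboot once (the toggle is persisted through the bootloader's protected storage) and re-check; if it stays blocked, or the toggle is greyed out, the phone is a variant that cannot be unlocked and no amount of driver or cable fiddling will help. Only on `ready` is it worth moving on to the web installer or to `fastboot flashing unlock` from the CLI instructions.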
Graphene OS First Impressions
Coming from a Samsung Galaxy, I immediately noticed the spare, functional look of the home screen. I appreciated the absence of any bloatware. In my case, I do not have wireless service set up yet. I am still considering my options.
Since I'm heavily immersed in the Proton ecosystem right now, the first thing I did after creating my PIN and setting up Wi-Fi was grab the ProtonMail PWA using the default Vanadium browser. Next, I installed the F-Droid app. From there, I downloaded Proton VPN. Next I downloaded the Stacker News PWA, of course. GrapheneOS also maintains its own app repository, accessed through the preinstalled Apps app. These are the apps it offers:
- Auditor: According to its description, the Auditor app "uses hardware-based security features to validate the identity of a device along with authenticity and integrity of the operating system. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred." This works because Pixel phones support hardware attestation, which I talked about earlier. Note that the phone being checked (the "Auditee") cannot vouch for itself; the verification is performed by a second device running Auditor, or by the GrapheneOS remote attestation service at attestation.app, and it is only as meaningful as that verifier is trusted.
- Camera: The Graphene Camera app is designed for privacy and security. It is called "Secure Camera" in the Google Play Store. It has security features like a dedicated QR scanning mode without Network and Media/Storage permissions, and the optional stripping of EXIF metadata from photos and videos.
- PDF Viewer: The PDF Viewer renders PDFs inside a sandboxed, permission-free app, so a malicious document cannot reach your files or the network.
- Vanadium Browser: Vanadium is GrapheneOS's hardened build of Chromium, with privacy and security enhancements on top of the upstream browser (it is also the WebView used by other apps on the system).
- Sandboxed Google Play: Google Play Services, the Play Store and Google Services Framework, packaged so that they install and run as ordinary sandboxed apps with no privileged permissions. I describe this function in greater detail elsewhere.
I was using Vanadium as my browser, which seemed fine at first. I quickly realized that I had gotten used to Brave's built-in ad blocking, so I hunted around for a browser alternative. I downloaded Mull from F-Droid. That seemed okay. I intend to try Mullvad VPN with its browser, and see how that goes. I will likely go back to Brave eventually.
Keep in mind that there is an alternative to F-Droid if you're looking to download open source apps. It's called Obtainium, and this video explains it.
As for me, I'm going the tedious route of downloading apps directly from GitHub. The first app I added in this way was the Phoenix wallet. One caveat with direct APK downloads: you skip the repository's checks, so before the first install verify the APK's signing certificate (with apksigner, or against the certificate hash the developer publishes). Android pins that signer afterwards, so later updates from the same developer are checked against it automatically.
What About Google Apps?
As I said earlier, I'm going to try to avoid using Google apps from this point forward. If you decide that you want to continue to use them, Graphene allows you to do this in a safe, fully sandboxed way. When Android ships on a typical phone, Google Play Services, the Play Store and Google Services Framework are preinstalled as privileged system apps with a special "privileged" permission tier that ordinary apps cannot get. This lets them bypass the normal Android app sandbox, which otherwise prevents apps from reading each other's data or interacting without permission. Google's components are free to interact and collect data. In essence, they are spy apps.
Graphene gives Google apps no special privileges. You can use them on Graphene through Sandboxed Google Play, but they run as regular apps, subject to the same permission prompts and the same sandbox as everything else.
Graphene also allows the setting up of multiple user profiles on the phone. Each profile has its own isolated environment, with its own installed apps and app data, and profiles cannot see each other's data. You could create a profile called something like "Google User" that has Sandboxed Google Play and normal Play Store access, and keep your main profile free of it. This video gives you all the information you need.
Help From The Stacker News Community
I received a tremendous amount of help on Stacker News when getting started, so I'm just going to include some of the tips and insights and link to the user, in case you want to show your appreciation:
- @03365d6a53 provided some great ideas for those not wanting to use the device to make cellular phone calls. I learned from him that if you have airplane mode on, Graphene does not ping your IMEI (International Mobile Equipment Identity) and location to nearby cell towers. He recommends putting an anonymous data SIM in a VPN dongle, such as the Mudi GL 750 with Blue Merle software. @final provides a more in-depth explanation here. @final is also an expert in this area; you would be well advised to ask them for advice. @final may also be posting a guide soon which will provide much more in-depth information than the basic stuff I have included here.
- @03365d6a53 also provided a list of apps that he likes:
    - SimpleX Chat
    - Mullvad VPN
    - Amethyst Nostr client (I use this app too, and it's working great on Graphene)
    - K-9 Mail
    - Element
    - Obtainium
    - Aurora (I don't intend to go this route)
    - Bitwarden
    - Organic Maps
    - BTC Maps
- I was not enjoying the stock keyboard, so @final recommended FlorisBoard, which is available on F-Droid. I like it a lot so far, but one suggestion: turn off the sound. The loud click each time you press a key will drive you and everyone around you crazy.
- @039a43f343 recommended this link, which is a directory of F-Droid repositories.
Conclusion
I am very new to Graphene. I have a lot to learn. Getting my Pixel set up as a daily driver is going to take some work. Still, I am optimistic. I’m not going to rush it. I am keeping my old Galaxy around too, so my transition will be gradual.
If you decide to make the change, I hope this short guide is useful.