Reclaiming (Mobile) Privacy with GrapheneOS

… and improving your smartphone’s security along the way!

tl;dr: GrapheneOS has been the best Android experience I’ve had, especially on Pixel phones, in the last decade. It has never been so easy to unlock a device and install a custom ROM and the overall system is snappy, looks extremely sleek – especially using the pitch-black dark theme – and coming from /e/OS I have not had any significant changes or discomforts that I had to adapt to. If you have any of the supported Pixel phones around and you’re using your smartphone as more of a tool and less of a lifestyle device, you should definitely give it a try right now.


Over the past decade or so I’ve been going back-and-forth between Android and iOS, with some exceptions like WebOS, Windows Phone and Chinese iOS copycats every once in a while. New features and hardware releases kept pulling my attention and interest from the one ecosystem to the other. Up until 2013 the technological advancements that companies like Apple and Samsung presented on a yearly basis were the only factors in picking a daily-driver smartphone for me.

However, that all changed when in June of 2013 Edward Snowden reached out to Glenn Greenwald (amongst others) and handed over a large chunk of classified NSA documents that described what many had feared for years: Programs for global surveillance, run by the United States, Europe and Oceania.

From that point on the shiny devices, that we carry around in our pockets, weren’t only Connecting People © anymore, but have increasingly become malicious tools of governments, law enforcement and even for-profit corporations. All of a sudden, tin foil hatters laughed at us and companies began what has evolved into a charade of bluewashing that has been going on up until this day.

The Future Is Private, F8 2019. (c) Meta Inc.
You control what data gets saved. (c) Compliance Week
Privacy is King. That's iPhone. (c) unknown

Since back in 2013, projects that were initially super niche, like CyanogenMod (now LineageOS), have become increasingly popular. I have been a long-time CyanogenMod and LineageOS user, only to come back to /e/OS this year, after a roughly two year period of mainly iOS and (what I would call) Samsung Android.

The key reasons that had me going back to iOS were practicability, as well as – obviously – the comfort of “just works”. Having used CyanogenMod, LineageOS and other ROMs between 2013 and 2019 I still had the bitter taste of Android in my mouth. Back then, Android had plenty of rough edges, plenty of issues – from sporadic drops in connectivity, over camera glitches, up to sudden reboots in the midst of important situations like trying to open an e-mail containing the digital boarding pass while waiting in line at the airport gate. I have to admit that I never liked Android, and it never liked me. Bloated and sluggish UIs, the awful performance of the Java stack and the ridiculous memory footprint and battery use were all things that made it really hard to truly enjoy an Android smartphone. Let alone the security flaws and malware issues the ecosystem is generally suffering from. Just search the web for “android critical flaw” the moment you read this and I bet you will find results dating back less than two months.

Nevertheless, like every few years, this year I decided to give Android another look, once again. Obviously, using an iOS device for private communication and data never had me feel at ease, yet the experiences I had with especially Android were never sufficient to make the platform stick. Also, deep inside me I was still awaiting my preferred option to show up: A true Linux phone. Unfortunately it turned out we aren’t quite there yet.

I decided to give Android another go and flashed /e/OS onto the Samsung Galaxy S10 that up until that point was running Samsung’s stock firmware and that I solely kept as a backup device in case my iPhone would suddenly malfunction. The main reason for going with /e/OS was a study from the Trinity College Dublin:

We present an in-depth analysis of the data sent by the Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS variants of Android. We find that, with the notable exception of e/OS, even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third-parties (Google, Microsoft, LinkedIn, Facebook etc) that have pre-installed system apps. While occasional communication with OS servers is to be expected, the observed data transmission goes well beyond this and raises a number of privacy concerns.

It seemed like even the former poster boy of privacy-focused Android ROMs, LineageOS, didn’t do too well in that analysis. While I had heard of GrapheneOS and its evil twin CalyxOS before, most reviews online were (are?) exaggeratedly negative in terms of everyday usability. Add to that some social rivalry that was (is?) going on between the Graphene and the Calyx camp – including the necessary coverage from YouTubers and even hackernews – and you might end up with an awesome project that uninformed users won’t touch with a ten-foot pole.

GrapheneOS / CalyxOS

Anyway, up until recently, before my Samsung Galaxy S10 gave up on me, /e/OS had become my daily driver phone, replacing my iPhone and making it a dedicated leave-at-home business phone that contains everything I wouldn’t want to carry around in my pocket. Banking and eCommerce apps, proprietary instant messengers, and all of the other spyware that would track things like location, usage patterns and probably a lot more.

I intentionally downgraded the phone I keep in my pocket for it to be less of a lifestyle device and more of an actual tool. Something that would allow me to communicate with the most important people in my life, in a way conversations are kept private and not scanned by the manufacturer.

Frankly speaking, /e/OS delivered well on its promises. It was Android, but without Google. Yet, Google’s Service Framework – the software that for example allows phones to retrieve push notifications – could still be used, but in a more abstracted, more open source and less invasive way (microG). While Android R, the version /e/OS is currently based on, is already an older release of Android, the /e/OS people seem to have made it a lot less awful than I experienced it with vendor versions from Google, Samsung and even OnePlus. It’s not shiny, but it’s not rough either. It’s a solid, almost boring experience that, in a way, also “just works”. I had no trouble running any of the Android apps I was trying to run – not only from F-Droid but also from the Google Play Store, via Aurora Store. Neither did I experience any significant glitches on the software side whatsoever. Especially the Advanced Privacy settings of /e/OS are something that definitely raises confidence in the somewhat flimsy looking and feeling Android OS.

However, with the Samsung’s hardware eventually dying – at least temporarily, as it turned out recently – I was forced to purchase new hardware and decided to blindly make the leap towards GrapheneOS. I found a good deal on the Google Pixel 6a and even though friends and the internet repeatedly warned about recent Pixel smartphones, I decided to give it a try nevertheless.

And, boy, am I happy that I did.

Google Pixel 6a

Hardware

The Pixel 6a is a Google phone and features Google’s typical design language, to put it lightly. I’m not a fan of the aesthetic to be frank.

However, the internals seem pretty good. The phone sports a 6.1" OLED display with a 1080 x 2400 px resolution and HDR, a 4400 mAh battery that supports fast charging, 6GB LPDDR5 RAM, 128GB internal UFS 3.1 storage, two rear cameras (12.2 MP f/1.7 77°, 12 MP f/2.2 114°), one front camera, two SIMs (although one of them is an eSIM), 5G and WiFi 6/6E connectivity and a SoC that Google dubbed Tensor, that appears to be a custom version of Samsung’s Exynos. In addition, Google added the Titan M2, which is a custom, AVA_VAN.5 certified RISC-V controller for Android Strongbox.

With dimensions of 152.2mm x 71.8mm x 8.9mm the device is not too large nor too small, allowing me to still comfortably reach the pull-down statusbar with my thumb. Reaching the upper opposite corner requires me to change my grip, though.

Installation

The GrapheneOS installation is a breeze. I double-checked with videos from others online, just to make sure the GrapheneOS team didn’t try to pull my leg when they said that all that’s needed to install Graphene is a cable and a supported browser - Chromium in my case. No adb, no fastboot, no fiddling with recoveries and sideloading. You unlock the bootloader, connect the phone to the computer, open Graphene’s WebUSB installer in a compatible browser and basically just click through the individual steps.

The whole installation process took maybe 15 minutes and I was already greeted with a GrapheneOS themed startup screen. Compared to how much time I wasted throughout the years sideloading, recovering and sometimes even rescuing Android devices (with a dedicated Windows VM and the MSM tool), the installation process of GrapheneOS is barely something worth mentioning.

First Steps

The first steps are identical to basically every Android phone/ROM that I used in the past years – including /e/OS. Nothing really special. However, even during the first few minutes of use I noticed a huge difference in snappiness and a sort of airiness of the whole UI. I can’t tell if that’s Android T in general or specific to Graphene, but it’s definitely a noticeable improvement in user experience over e.g. Samsung’s Android 12 and /e/OS’s Android 11. Overall the UI feels more solid yet lighter in terms of responsiveness and animations.

Graphene comes with its own app store, which however only offers installation and updates to a handful of apps:

  • Auditor
  • Apps (the app itself)
  • Camera
  • GmsCompat config
  • PDF Viewer
  • Google Play Store
  • Google Play services
  • Google Services Framework

This list already tells that even with Graphene it turns out to be possible to use Google services. More information on how to install and configure Google services and also what the limitations are can be found on the GrapheneOS website. One note especially important for people intending to use an eSIM:

By default GrapheneOS always has shipped with baseline support for eSIM, where users can use any eSIMs installed previously on the device. However, in order to manage and add eSIMs, proprietary Google functionality is needed. This is fully disabled by default.

Privileged eSIM management can be enabled in Settings ➔ Network & Internet ➔ Privileged eSIM management. The toggle will be greyed out and unusable if sandboxed Google Play is not installed, as the functionality is reliant on it.

By enabling the toggle, the proprietary Google functionality is enabled and will be used by the OS to provision and manage eSIMs.

In addition, the usage guide points out important things with regard to banking apps in particular. Clearly, a TPM-style pattern is recognizable from the described issues with the basicIntegrity vs. ctsProfileMatch validation, pointing towards a similarly grim future for projects like GrapheneOS – and open source in general – as seems to be the case with eSIM support.

Using the onboard browser it only takes a few taps to download and install F-Droid, though. Having documented the apps that I used on the Samsung, I was able to reproduce an identical setup on Graphene within less than an hour.

Features

With Graphene, the privacy (and security) features are predominantly behind the curtains. Unlike /e/OS, Graphene for example does not feature a dedicated Advanced Privacy screen in the settings that allows spoofing location information – meaning, making the location service report a different location than the phone is actually in – or that would allow activating a Tor-based VPN globally in the background. On the other hand, Graphene has some tricks of its own up its sleeve, like the sensors permission toggle or storage scopes. While I made use of /e/OS’ location spoofing feature, it often got in the way. For example when ordering an Uber or quickly trying to navigate somewhere, flipping the random location feature off never seemed to instantly switch to the actual location and instead usually required multiple minutes for positional data to become correct.

Similarly, the integrated Tor VPN in /e/OS was barely something I would use, mainly due to the significant decrease in bandwidth/speed. Just like on my workstation I set up WireGuard and used my own VPN instead.

What I do miss however is the tracker blocker of /e/OS. I know there are third-party apps that could do something similar on Graphene, however, most of them will interfere with a running WireGuard VPN, since they basically set up an internal “virtual” VPN and route every app’s requests through it. That way they are able to identify the endpoints an app tries to connect to and can block connections to known tracker IPs/hosts.

/e/OS’ tracker blocker however uses a slightly different, Pi-hole-like approach, in which they block trackers on DNS level. This way, VPNs still function, although it requires the system and apps to continue to use the internal /e/OS DNS resolution instead of the VPN-provided DNS server.

Both solutions have benefits and downsides, and even though Graphene doesn’t ship with either implementation, it’s certainly possible to use third party apps or dedicated DNS configurations/VPN setups to achieve this. Things like these however show that while /e/OS tries to do most heavy lifting for its users, Graphene is rather minimal and more laser-focused on specifics. And at the end of the day one must admit that things like the tracker blocker are part snake oil, since in-app trackers still have plenty of other ways to escape the device, despite being presumably blocked.
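To make the DNS-level approach and its blind spots concrete, here is a small sketch that I'm adding purely as an illustration; it is not /e/OS or GrapheneOS code. The blocklist entries and hostnames are constructed placeholders, and treating subdomains of a listed name as blocked is an assumption of this sketch.

```python
import ipaddress

# Constructed hosts-format blocklist; the names are placeholders, not real trackers.
BLOCKLIST_TEXT = """\
# sample list
0.0.0.0 tracker.example
0.0.0.0 ads.metrics.example   # inline comment
127.0.0.1 localhost
"""


def parse_blocklist(text):
    """Return the set of blocked names from hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        # Only sinkhole entries count; anything else is an ordinary hosts mapping.
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked


def is_blocked(qname, blocked):
    """True if qname or one of its parent domains is listed (label-wise match)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def filter_decision(destination, blocked, via_local_resolver=True):
    """What a DNS-level filter does with the target an app connects to.

    'sinkhole': the name is listed, the resolver answers with a dead address
    'resolve' : the name is not listed and is forwarded upstream
    'unseen'  : the filter never gets a query it could act on
    """
    try:
        ipaddress.ip_address(destination)
        return "unseen"            # IP literal: no DNS lookup happens at all
    except ValueError:
        pass
    if not via_local_resolver:
        return "unseen"            # e.g. the VPN-provided DNS server is used instead
    return "sinkhole" if is_blocked(destination, blocked) else "resolve"


BLOCKED = parse_blocklist(BLOCKLIST_TEXT)

if __name__ == "__main__":
    for target in ("tracker.example", "cdn.tracker.example",
                   "nottracker.example", "203.0.113.7"):
        print(f"{target:22} {filter_decision(target, BLOCKED)}")
    print("tracker.example via VPN DNS:",
          filter_decision("tracker.example", BLOCKED, via_local_resolver=False))
```

The two "unseen" cases are why the blocker only works while name resolution stays on the device's own resolver, and why an app that connects to a fixed IP address is not affected by it.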

Google Pixel 6a, running GrapheneOS

Daily-Driver

Coming from an already minimalist /e/OS phone that’s been in use for nearly a year, the switch to GrapheneOS was seamless and not at all difficult for me. The only app that completely stopped working was Pushover, for which I have already implemented a workaround. I assume that if I had gone the extra mile to install Google services, Pushover would have continued to work flawlessly.

Local push notifications, as well as push notifications from apps that keep an open network connection to the respective service work nevertheless, which is why I’m using my Pushover bridge to forward messages to XMPP. For that, I get notifications through the Conversations client that keeps an open connection with the XMPP server. Similarly, the official Element client can also function without GSF/FCM/GCM by keeping an open connection to the homeserver.

I also have yet to decide whether to install Firefox or stick to Graphene’s Vanadium browser, which unfortunately doesn’t support uBlock Origin (yet) but offers greater overall security and at the very least allows for JavaScript to be turned off completely.

Compared to Samsung’s stock Android, OnePlus’ OxygenOS and even /e/OS, Graphene feels like an overall smoother and more optimized experience, without any unnecessary bloat. System performance is top-notch, although to be fair: Having a nearly four-year-old Galaxy phone compete against a Pixel 6a probably isn’t an equal fight to begin with. It also certainly didn’t help that /e/OS is lagging two AOSP versions behind GrapheneOS. However, if I didn’t know any better I probably would not have thought that Graphene is still just Android after all.

GrapheneOS: Just Android after all

To give an impression of how well the system works, my biggest complaint right now is an issue where my fingers seem to be too thick to slide the screen brightness slider, leading to constantly opening the network settings instead, for whatever reason.

The battery runtime for me is between two and three days, without ever turning on the battery saver. However, I keep the phone in airplane mode with only wireless LAN turned on while I’m near a trusted WiFi, and I don’t use 5G as it hasn’t been deployed around here. Also I only actually use my phone when I’m not at my workstation – so virtually never (-: – and when I do it’s mostly to catch up on RSS feeds, meaning, a lot of white text on black background and only little media use. This probably contributes to the overall great battery life as well.

Connectivity in general seems flawless. The WiFi connection is stable and the speed is top-notch. I’ve had the Pixel connected via Bluetooth to my Sony speaker, as well as to my B&O headphones and haven’t had any issues with that either. I remember Bluetooth connectivity to have been a soft spot on Android a few years back, but this seems to have been fixed.

Another thing that I really like with Graphene are the sensor switches in the pull-down menu:

Sensor Switches

Most Android ROMs have radio switches for toggling airplane mode, location services, Bluetooth and NFC. However, Graphene has two additional sensor switches: One for the camera and one for the microphone.

With those it’s possible to allow or block access to either of these two sensors on a system level. While for example the camera sensor is blocked, it’s not possible for any app to use the camera without having a message popping up, asking the user whether to unblock the camera. It gives peace of mind to know that the camera and mic are blocked on system level and that no app could easily start listening in. The only thing that would be better than a software switch would be the Purism Librem’s hardware kill switches that physically disconnect these radios and sensors.

In addition there’s also a network permission toggle that’s exclusive to GrapheneOS. This toggle shows as a checkbox on the “Install app” popup that appears when a user opens an APK. Unchecking network permissions would prohibit the specific app from directly and indirectly accessing any of the available networks. That’s a handy feature for apps that won’t need network access anyway – e.g. a gallery or a launcher – to make sure they won’t do shady things.

Speaking about apps: As mentioned before, I install and manage most apps I use through F-Droid, and the ones that are non-free (1Password, Niagara Launcher) through Aurora Store. Now, there are mixed opinions on F-Droid in general, but I’d argue that for technical people (who are able to do due diligence on source code) it might nevertheless be the best option available, in terms of privacy and security.

You can check out all features in detail on Graphene’s features page. I have also updated my phone page and listed the GrapheneOS device with all the apps that I’m using. I’m also going to post dedicated write-ups on specific topics soon.

Conclusion

So far I have been very satisfied with the overall experience on GrapheneOS. It’s definitely geared towards more (technically) advanced users than /e/OS and especially manufacturer’s stock Android, but due to its WebUSB installer I’d argue that the average person will have significantly less trouble getting Graphene up and running, as compared to /e/OS, LineageOS or other custom ROMs. The only thing easier than installing Graphene is sticking to the stock ROM.

For someone who’s looking for an actual tool, rather than a social-media-face-filter-whatsapp-sticker-candy-crush device, Graphene can be the perfect choice. Especially when there is an untrusted secondary device available for running things like banking or eCommerce apps when needed, Graphene can help a lot with minimizing one’s exposure to various forms of surveillance and security flaws.

Would I still choose GrapheneOS if it was the only smartphone I’d have at my disposal? I think yes.

If I didn’t have an additional iOS device for dirty apps (again, banking, eCommerce, etc), I’d rather try to not have to use these apps at all, over going back to iOS or stock Android. Again, GrapheneOS can certainly run most of these apps with a few exceptions. The question is however, whether it makes sense to switch to an operating system that focuses heavily on privacy and security, but then continue to use the very apps that infringe or endanger these things.

Apps aren’t a necessity, even if companies these days are trying to sell them as if they were. Remember how we all lived and did basically the same things back in 2000, without there being an app for it? Your bank account will function without you using an app. Similarly, you’re able to shop online without using a dedicated app for that, and you can even participate in online meetings without installing dedicated software. It’s less a question of whether these things are possible and more a question of whether you’re okay with giving up the cozy comfort into which surveillance capitalism has lulled you.

Hence my conclusion is that, if you’re looking to declutter your digital life and get rid of all the Facebooks and Googles, or if you have already gone down that path and would like to reap the additional benefits of improved security and privacy, it would definitely be worth giving GrapheneOS a go. The closer you currently are to solely relying on open source apps and not depending too much on your smartphone as the center of your everyday life, the easier it will be to migrate. And if things really turn out differently, it is nevertheless possible to install sandboxed Google services and get much of the stock functionality back.

For me personally it turned out that not having things like push notifications available for every app – or not having specific apps available at all – has been beneficial to my mood, my productivity and my overall mental health. Not keeping the Amazon app around results in a lower temptation to mindlessly consume. Not having push notifications for e-mails means longer, more efficient periods of focus and productivity. And being able to communicate freely with others gives peace of mind.

Former NSA contractor and fellow privacy connoisseur (https://nitter.nl/Snowden/status/1588472045960327168)