Skip to main content

GrapheneOS review: De-Googled goodness [Video]

Avatar for Damien Wilde  | Apr 16 2024 - 10:00 am PT
17 Comments

There is merit in wanting increased privacy on your Android phone. One of the best ways to do so is with a custom ROM like GrapheneOS. Is it worth it? Here’s everything you need to know.

Who is GrapheneOS for?

Privacy in the 21st Century is becoming increasingly difficult as lots of our most popular apps and services siphon off data including GPS location, phone number, email, and that’s just the tip of the iceberg. While the average person isn’t likely to be targeted in the same way as Edward Snowden, his seal of approval is huge for privacy advocates.

Android – the platform – is very different from the version we actually run on our phones. What we ordinarily refer to as “Android” is proprietary and developed by Google, while the Android Open Source Project (AOSP) is the building block for the biggest mobile operating system. It’s open source, which means that anyone can access and modify the code. To simplify even further, AOSP is the open-source foundation, while Android is the finished product most of us are used to.

AOSP lacks some features you may be used to on commonly distributed builds of Android found on phones from most OEMs. Google Mobile Services is not packaged as standard; it is a bundle that includes popular apps like the Play Store, Gmail, Maps, and more.

While you can ditch Google entirely, Graphene allows you to sandbox every single app on your phone. This isn’t possible on most Android phones as any Google apps still have unrestricted access right from the initial setup phase.

If you want true, privacy-first, full control over your Android smartphone, GrapheneOS is one of the best options. The reason Graphene is not used by lots of people is that privacy isn’t profitable. Lineage OS 21 is a solid alternative to your stock Android experience, but it lacks some of the refined privacy controls that GrapheneOS prides itself on offering.

Table of contents

Simple installation

grapheneos web installer

Installing this custom ROM is super easy. You can use the Chrome browser like that of the Android Flash Tool. You can enable USB Debugging plus OEM unlocking, and you’ll be ready to plug into your PC or Mac, but the GrapheneOS team actually suggests these are left disabled per their original documentation. Personally, I found this didn’t cause issues, but it’s worth trying if you encounter some issues when using the web installer.

The web installer requires a few button presses to unlock your device bootloader and download the latest GrapheneOS factory images and flash. Re-lock the bootloader and you’re good to go. One thing to note is that to get started you’ll need your phone to be in fastboot mode for the web installer to recognize that your phone is connected.

You can return to a stock OS build but must remove the non-stock Android Verified Boot key first. This is also possible using the web installer. From here, the Android Flash Tool can get you back to stock. One downside is that GrapheneOS only supports Google Pixel phones and devices that still receive regular security updates.

If you have an older phone or a phone from another manufacturer, then you might want to try another third-party ROM.

Privacy & Security Focus

One of the most significant differences is the absence of pre-installed Google apps and services. By default, GrapheneOS comes clean of Google software, reducing the amount of data Google collects about your activity and minimizing potential attack vectors for hackers.

However, if you rely on certain Google apps, GrapheneOS allows you to install a sandboxed version of Google Play. This sandbox restricts Google Play’s access to your system, offering a compromise between functionality and privacy.

Beyond the core system modifications, GrapheneOS offers enhanced permission controls. Unlike stock Android, you have granular control over what data each app can access. This includes the ability to restrict an app’s access to the internet, sensors like your microphone or location, or even specific folders on your device’s storage.

GrapheneOS also features per-connection MAC address randomization – changing device ID – making tracking your device across different Wi-Fi networks more difficult. Additionally, PIN scrambling adds another layer of security by making it harder for someone to guess your PIN by observing your finger movements on the screen.

  • Hardened Android: Built on a secure foundation of AOSP with additional exploit mitigations, improved sandboxing, and stricter permission controls.
  • No Google Apps Installed by Default: Reduces data collection and potential attack vectors. You can optionally install a sandboxed version of Google Play for limited access.
  • Enhanced Permission Controls: Offers granular control over app permissions, including network and sensor access on a per-app basis.
  • Privacy as standard: Features like per-connection MAC address randomization and PIN scrambling further enhance privacy.
  • Vanadium Browser: Replaces Chrome with a hardened fork of Chromium, offering a more secure browsing experience.

For added protection, it is recommended that you use an always-connected VPN. This is optional, but worth it for added protection and peace of mind.

Improved Sandboxing

Another key app, although optional, is the sandboxed version of Google Play. As mentioned earlier, this lets you access apps that rely on Google Play Services for functionality, but with stricter limitations on data access and a reduced attack surface for potential security threats.

  • Sandboxed Google Play (Optional): If you need Google Play apps, GrapheneOS lets you install a sandboxed version, restricting its access to your system and, therefore, giving you greater privacy controls to use popular Google services without making personal data part of your user transaction.
  • Improved User Profiles: Allows for more user profiles than stock Android, with the ability to end sessions for additional security.
  • Network access controls: By default you can block apps from having network access permissions. Often lots of Android apps will ask for this without any real reason to need connection to a network.
  • Storage Scopes: When you enable Storage Scopes for an app, it behaves as if it has full storage access. By default, the app can only see its own files and folders created by itself. It cannot see any files or folders created by other apps on your device.

Unique Apps in GrapheneOS

grapheneos homescreen and dock

GrapheneOS doesn’t just change the system under the hood; it also comes with unique apps designed to keep your information safe. Instead of Chrome, GrapheneOS uses Vanadium as your web browser. Vanadium is like a tougher version of Chrome, built from the same basic parts but with all the unnecessary features and tracking tools stripped out. This makes Vanadium a more secure option for browsing the web.

Another helpful app, though optional, is the special locked-down version of Google Play we mentioned earlier. This lets you use apps that rely on Google Play Services, but with tighter restrictions on what data they can access from your phone. This reduces the risk of these apps being used as a backdoor for hackers.

  • Vanadium: A hardened Chromium browser prioritizing security and privacy and includes an ad-blocker and DuckDuckGo as the search engine by default.
  • Sandboxed Google Play (Optional): Provides access to Google Play apps with stricter limitations.
  • Camera: GrapheneOS deliberately avoids the standard AOSP camera app for privacy and security reasons. It’s modified to not collect location data as standard and although it’s fine, lacks a lot of features that can truly take advantage of a Pixel camera system. For many Gcam might be a good replacement.
  • Auditor: Imagine Auditor as a digital security guard for your device. It uses special hardware features to confirm that the operating system is authentic and hasn’t been compromised by unauthorized modifications. This can be helpful if you’re concerned about potential tampering or want to ensure your device’s software integrity.
  • AOSP apps: GrapheneOS includes mostly stock AOSP apps with zero visual modifications – but there are some tweaks such as a call recorder in the default dialer. Like on most Android phones, all of these apps can be replaced as per your requirements.
    • Gallery: This is super basic and just offers a way to view media content on your device. The UI is straightforward to say the least.
    • PDF viewer: Just a simple PDF viewer.
    • Clock: The stock AOSP clock with all core functions included.
    • Calculator: Another stock AOSP app that lets you perform calculations.
    • Messaging: Sadly, there is no support for RCS in the default SMS application.
    • Dialer: A simple AOSP app to start calls and stay connected.
    • Contacts: No Google connection means you’ll need to import a .vcf file or manually add your contacts here.
    • Files: A basic file management tasks like copying, moving, renaming, and deleting files on your device.

Visually, everything feels like you remember on Pixel. Material You is here, as is the Dynamic Color. Not everything is present though making Graphene feel a little like Pepsi to the regular Pixel “Coca-cola” flavor. It’s good, but just slightly different. I’ve found myself really liking the experience despite a few things being out of place or missing entirely.

App Alternatives for Increased Privacy

grapheneos homescreen

Since GrapheneOS doesn’t come with Google apps, you’ll might need to explore external app stores. However, you can simply use the Sandboxed Google Play Store, which allows you to continue using your paid apps and services without compromising on data collection. When it comes to third-party app stores, one of the best options is F-Droid. F-Droid focuses on free and open-source software that aids user privacy. Here are some other popular options you might find useful:

  • F-Droid: This app store is your one-stop shop for privacy-focused apps you won’t find on Google Play.
  • Aurora Store (Optional): If you still need some Google Play apps, Aurora Store lets you download them anonymously without needing a Google account.
  • NewPipe: This app is a YouTube alternative, letting you watch videos without ads and even download them for offline viewing, giving you more control over how you watch videos.
  • K-9 Mail: This email app is an alternative to Gmail, offering more control over your email accounts and potentially improving your privacy.
  • Signal or Briar: These messaging apps use encryption to keep your conversations secure, making them a safer choice than regular texting apps.
  • OSMand: This open-source navigation app works offline, making it a good alternative to Google Maps if you value privacy and don’t need live traffic updates.

These are just a few examples, and the choice of alternative apps will depend on your specific needs. However, using GrapheneOS often involves embracing alternative app ecosystems like F-Droid, which offers a wider range of privacy-focused options.

Trade-offs to consider

Overall, GrapheneOS prioritizes security and privacy over convenience. It offers a more locked-down environment ideal for users who value control over their data and want to minimize potential security risks.

  • Limited App Selection: Without Google Play Services pre-installed, some apps might not function as intended and the core app lineup is fairly small right out of the gate. You’ll need to install the sandboxed Google Play to access your favorite apps and services.
  • More Technical Setup: Installing and using GrapheneOS requires a more technical user compared to the user-friendly Android build pre-installed on your Pixel phone despite the web installer being fairly simple.

Android Auto support has only just arrived after being touted in late 2023. NFC payments using services like Google Pay are also not available. Some banking apps will allow you to make contactless payments, but this isn’t the case for all financial institutions.

While you are unlikely to flash this ROM to improve performance, it is smooth and offers a seamless Android experience on Pixel hardware despite cutting out huge chunks of the UI that we’ve likely become accustomed. My take is that it feels familiar enough that it’s worth the trade-offs and perfect if you want an OS that is set up to make your phone feel truly secure.

If you’d like to get started and learn more about GrapheneOS, then you can find more information here.

Add 9to5Google to your Google News feed. 

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Check out 9to5Google on YouTube for more news:

Comments

Guides

GrapheneOS

GrapheneOS

Author

Avatar for Damien Wilde Damien Wilde

Damien is a UK-based video producer for 9to5Google. Find him on Twitter: @iamdamienwilde. Email: damien@9to5mac.com

Damien Wilde's favorite gear

Google Pixel 7

Google Pixel 7
Samsung Galaxy Watch 5 Pro

Samsung Galaxy Watch 5 Pro

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
Please wait...processing
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
Please wait...processing