1. Introduction §
This blog post is an introduction to GrapheneOS, a security-oriented operating system for smartphones.
GrapheneOS official project web page
Thanks to my patrons' support, last week I was able to replace my 6.5-year-old BQ Aquaris X, which had been successfully running Lineage OS all that time, with a Google Pixel 8a now running GrapheneOS.
Introducing GrapheneOS is a daunting task. I will do my best to present the basic information you need to decide whether it might be useful for you, and leave a link to the project FAQ, which contains a lot of valuable technical explanations I do not want to repeat here.
GrapheneOS FAQ
2. What is GrapheneOS? §
GrapheneOS (written GOS from now on) is an Android-based operating system that focuses on security. It is only compatible with Google Pixel devices, for multiple reasons: availability of hardware security components, long-term support (the 8 and 9 series are supported for at least 7 years after release), and a good quality/price ratio.
The goal of GOS is to give users a lot more control over what their smartphone is doing. A main profile is used by default (the owner profile), but users are encouraged to do all their activities in a separate profile (or multiple profiles). This may remind you of the Qubes OS workflow, although the analogy does not translate entirely. Profiles cannot communicate with each other, encryption is done per profile, and some permissions can be assigned per profile (installing apps, running applications in the background when a profile is not in use, using the SIM...). This is really effective for privacy or security reasons (or both): you can have a different VPN per profile if you want, or use a different Google Play login, different application sets, whatever! The best feature here in my opinion is the ability to completely stop a profile, so you are sure it does not run anything in the background once you exit it.
When you create a new profile, it is important to understand that it is like booting your phone again: on the first login with the profile, you will be asked questions as if you had started the system for the first time. All settings have their default values, and any change is limited to that profile only; this includes ringtones, sound, default apps, themes... Switching between profiles is a bit painful: you need to pull the top-to-bottom dropdown menu to its full size, then tap the bottom right corner icon, choose the profile you want to switch to, and type the PIN of that profile. Only the owner profile can toggle important settings like the 4G/5G network, or do SIM operations and other "lower level" settings.
GOS has a focus on privacy, but leaves the user in charge. Google Play and Google Play Services can be installed in one click from a dedicated GOS app store, which is limited to GOS apps only, as you are supposed to install apps from Google Play, F-Droid or Accrescent. Applications can be installed in a single profile, but can also be installed in the owner profile, which lets you copy them to other profiles. This is actually how I do it: I install all apps in the user profile, I always uncheck the "network permission" so they just can't do anything, and then I copy them to the profiles where I will use them for real. There is no good or bad approach; it depends on your needs in terms of usability, privacy and security.
Just to make it clear: it is possible to use GOS totally Google-free, but if you want to use Google services, it is made super easy to do so. Google Play could be used in a dedicated profile if you ever need it just once.
3. Installation and updates §
The installation was really simple, as it can be done from the web page (from a Linux, Windows or macOS system) by just clicking buttons in the correct order on the installation page. The image integrity check can be done AFTER installation, thanks to the TPM features in the phone which guarantee that only valid software boots, and which allow you to generate a proof of boot that is basically a post-install checksum. (More explanations on the GOS website.) The whole process took approximately 15 minutes between plugging the phone into my computer and using the phone.
It is possible to install from the command line; I did not test it.
Updates are 100% over-the-air (OTA), which means the system is able to download updates over the network. This is rather practical, as you never need to run any adb command to push a new image, which has always been a stressful experience for me when using smartphones. GOS automatically downloads base system updates and offers to reboot to install them, while GOS apps are just downloaded and updated in place. This is a huge difference from LineageOS, which always required manually downloading new builds, and application updates were part of the big image update.
4. Permission management §
A cool thing with GOS is the tight control offered over applications. First, this is done per profile, so if you use the same app in two profiles, you can give it different permissions; secondly, GOS allows you to define a scope for some permissions. For example, if an application requires storage permission, you can list which paths are allowed; if it requires contacts access, you can give it a list of contact entries (or an empty one).
GOS's Google Play installation (not installed by default) is sandboxed to restrict what it can do; they also succeeded at sandboxing Android Auto. (More details in the FAQ.) I have a dedicated Android Auto profile; the setup was easy thanks to the FAQ, as a lot of permissions must be manually given for it to work.
GOS does not allow you to become root on your phone, though; it just gives you more control through permissions and profiles.
I have not tried CPU/GPU intensive tasks so far, but there should be almost no visible performance penalty when using GOS. There are many extra security features enabled which may lead to a few percent of extra CPU usage, but there are no benchmarks, and the few reviews from people who played highly demanding video games on their phone did not notice any performance change.
6. Security §
The GOS website has a long and well-detailed list of the hardening done over the stock Android code; you can read about it at the following link.
GrapheneOS website: Exploitation Protection
7. My workflow §
As an example, here is how I configured my device. This is not the only way to proceed, so I just share it to give readers an idea of what it looks like for me:
- my owner profile has Google Play installed and is used to install most apps. All apps are installed there with no network permission, then I copy them to the profile that will use them.
- a profile that looks like what I was doing on my previous phone: allowed to phone/SMS, web browser, IM apps, TOTP app.
- a profile for multimedia, where I store music files, run audio players and use Android Auto. This profile is not allowed to run in the background.
- a profile for games (local and cloud). This profile is not allowed to run in the background.
- an "other" profile used to run crappy apps. This profile is not allowed to run in the background.
- a profile for each of my clients, so I can store any authentication app (TOTP, Microsoft Authenticator, whatever) and use any app required. This profile is not allowed to run in the background.
- a guest profile that can be used if I need to lend my phone to someone who wants to do something like look up something on the Internet. This profile always starts freshly reset.
After a long week of use, I came up with this. At first, I had a separate profile for TOTP, but having to switch back and forth to it a dozen times a day was creating too much friction.
8. The device itself §
I chose to buy a Google Pixel 8a 128 GB as it was the cheapest of the 8 and 9 series, which have 7 years of support, but it also got a huge CPU upgrade compared to the 7 series. The device could be bought for 300€ on the second-hand market and 400€ brand new.
The 120 Hz OLED screen is a blast! Colors are good, black is truly black (hence dark themes on OLED reduce battery usage and look really great) and it is super smooth.
There is no SD card support, which is pretty sad, especially since almost every Android smartphone supports it; I guess they just want you to pay more for storage. I am fine with 128 GB though, I do not store much data on my smartphone, but being able to extend it would have been nice.
The camera is OK. I am not using it a lot and I have no comparison; from reviews I have read, they were saying it is just average.
Wi-Fi 6 works really well (latency, packet loss, range and bandwidth), although I have no way to verify its maximum bandwidth because it is faster than my gigabit wired network.
The battery lasts long. I use my smartphone a bit more now, and the battery drops by approximately 20% for a day of usage. I did not test charging speed.
9. Conclusion §
I am really happy with GrapheneOS; I finally feel in control of my smartphone, and I never considered it a safe device before. I never really used an Android ROM from a manufacturer or iOS, I bet they can provide a better user experience, but they cannot provide anything like GrapheneOS.
LineageOS was actually OK on my former BQ Aquaris X, but there were often regressions, and it did not provide anything special in terms of features, except that it was still providing updates for my old phone. GrapheneOS, on the other hand, provides a whole new experience, which may be what you are looking for.
This system is not for everyone! If you are happy with your current Android, do not bother buying a Google Pixel to try GOS.
10. Going further §
The stock Android version supports profiles (this can be enabled in System -> Users -> Allow multiple users), but there is no way to restrict what profiles can do; it seems they are all administrators. I have been using this on our Android tablet at home, and it is available on every Android phone as well. I am not sure if it can be used as a security feature as is.