grapheneos

GrapheneOS is a no-brainer for everyone who somewhat cares about security and privacy. You don’t have to be technical, and you don’t have to be scared of incompatibility issues. This blog post is a review of my GrapheneOS usage for the past 2 months now on the latest Google Pixel 7.

Why GrapheneOS?

It was time for some proper security and privacy in my life; I was still using my (now old) Galaxy S8, which hadn’t had updates for years, with Google services deeply intertwined in the core operating system.

Generally you have two options, CalyxOS or GrapheneOS.

My personal choice was easily made: GrapheneOS has fast and proper update cycles - plus it has its own compatibility layer for Google Play Services. CalyxOS still uses microG, which I wasn’t so keen on installing - given it still has severe privacy implications. microG operates at system level, whilst Google Play Services on GrapheneOS runs as any other regular app - safely sandboxed. That’s if you even want to use Google Play Services; if you really care about privacy - you shouldn’t. Practically though, I really do want to keep using apps like Waze - which require the services. Either way - it’s a massive improvement from where I was coming from.

If you want a full overview of what GrapheneOS does, the best place is the GrapheneOS website - it has excellent documentation.

App compatibility

The app compatibility is awesome if you install the sandboxed Google Play Services. The only app that really doesn’t work is an app like Google Pay (or Android carplay - but I don’t use that) - but they have a whitelist of OSes they want to run on. It has nothing to do with GrapheneOS not being technically able to. All my finance apps (I use around 9) work without any hiccup. Flitsmeister, Google Maps and Waze all work without issues. For those wondering, Flitsmeister alerts without any additional notification delay.

The only issue I have had thus far with the additional exploit prevention measures from GrapheneOS was with Waze - but you can turn that off on a per-app basis, which fixed it.

If your company doesn’t have too strict a policy set (like Google does for Google Pay - enforcement of certain OSes) you can also use the work profile to have isolated access to your work resources. I managed to set it up without any issue, but do note that the Company Portal never fully initializes. This means the company does not have remote access to or say over my work profile - whilst I am able to access all resources I want. I used this guide.

Backups

This is where it gets a bit more iffy. Seedvault (the built-in backup tool) sucks and I don’t trust it. My current setup consists of a full Proton stack (email, calendar, cloud storage, VPN) with Aegis (2FA) + Bitwarden. Proton and Bitwarden are cloud native, but Aegis isn’t. Aegis is backed up encrypted using Nextcloud; that’s also how I back up my photos now. Nextcloud does suck in a way, in the sense that it does require quite some technical know-how to set up. For Aegis you might use something like Authy (cloud sync), but for pictures I’m still not aware of a user-friendly backup service that doesn’t invade your privacy like Google Photos does.

Donations

If you do end up using GrapheneOS (which you should), please also consider donating what you can miss / afford on a monthly basis for as long as you use the OS! GrapheneOS doesn’t just fall out of the sky and get maintained for free. You can donate via GitHub without any third-party snooping fees, and it’s automatic as well.

Something funny I noticed since using the Google Pixel, which has nothing to do with GrapheneOS necessarily, is the usage in the Dutch criminal underworld. Recently a batch of Google Pixel phones (intended for sale to criminals) was part of a bust and also the Peter R. de Vries killer used a Google Pixel.

Even Dutch rappers (known to be actively intertwined in criminal activity - in past or present) are rapping explicitly about it now (from 4:22)…

It makes sense, given that the Google Pixel is practically the only phone that does security in a proper way hardware-wise. Perhaps criminals finally moved on from proprietary Encron PGP-like phones, and are using proper phones - like the Google Pixel! Combined with a clean GrapheneOS image, Signal (or a similar app) with built-in notification services and expiring messages. Turn on 4G only, turn off all other sensors - I’d say you’re good to go. A fool with a tool is still a fool, though.
