edit: thank you all for your replies! They are all very helpful. I am reading through them and will ask follow-up questions if needed.
I made a post some days ago asking about LineageOS, but my curiosity towards Google Pixels and GrapheneOS has been growing. As somebody who has always used regular Samsungs and iPhones, I hope somebody can clear up some questions I have regarding this OS.
I plan that my next phone is to be either a Motorola (LineageOS/SailfishOS?) or a Pixel (GrapheneOS). My first question about GrapheneOS, or really any non-standard OS, is this:
- how does having an account on the device work? For example, Samsungs require a Samsung account and iPhones require an iCloud account. How does it work on non-standard OSes?
My second question touches on built-in apps that you often get with every phone:
- does GrapheneOS have its own Notes/Drive/Photos/Messages app? If not, how does one go about obtaining these? Related question:
- how do I sync my notes/photos/files/etc to the “cloud” of GrapheneOS?
My third question regards the app store of GrapheneOS. I have heard that the sandboxed Play Store is better than FDroid, for instance; what are your thoughts? Do I go for Aurora Store instead? Is there any major difference at all? Is it possible to use multiple app stores?
- note that I likely won’t be solely relying on FDroid since I need some non-FOSS apps (FB Messenger for contacting family for example).
I know that in the privacy community, it’s very common to fix up a cloud of your own (i.e. NextCloud). I have no experience doing this, but is it something I must do when I install atypical OSes? Then comes the question about pricing, how private and secure it really is, which one to choose… and so on.
I understand many of these questions will sound stupid to those who are experienced, but I have not been part of this community very long. Feel free to link any educational videos or articles that answer my questions. I hope to learn more about this subject and one day install a more secure system on my phone. Cheers!
- Your user account on GrapheneOS is just a local user account
- GrapheneOS comes with its own camera, gallery, contacts, sms, phone, and file manager apps, a hardened fork of Chromium called Vanadium, and an app that lets you install sandboxed versions of google play services and google play store, if you so wish. Nothing else. You can install other apps using F-Droid, or by installing the google play store app.
- GrapheneOS does not have a “cloud”, aside from the web services it uses to check for and pull new updates. If you want to sync files somewhere, you can install whatever you want (Nextcloud, Google Drive, etc)
- F-Droid is a fine choice, and the google play store is as well, all depending on what your priorities are for your phone. I only use F-Droid and have no non-foss apps on my phone for privacy reasons, for example.
- Running your own Nextcloud server is a great learning exercise, but it’s a big commitment of time if you’re not already familiar with linux administration, and if you want it to be secure and accessible remotely that’s even harder. Don’t let that be an impediment to getting a secure phone though - you can always keep using Google Drive for now, and then learn how to set up Nextcloud or some such as you go along.
Good luck!
Can we use Google maps and Google pay/wallet and Android auto? A previous look a while ago said no and I was bummed on that
Yes to google maps if you have the play services activated.
No to pay/wallet.
Yes to Android Auto as of recently. The grapheneos team just released an implementation of it.
Ah cool
Google maps does work if you give it the right permissions. Google Pay does not, as NFC doesn’t work under GrapheneOS.
NFC is working as expected on graphene. As is mobile payments, if your bank supports it.
Google pay does not work because Google does not allow it to work, there is not a technical reason behind that.
- There’s no grapheneos account identifier.
- you can use any app you want.
- Usually nextcloud is the go to for cloud stuff.
- you can install play store or use aurora store.
Also, doesn’t Graphene sandbox the Play Store (and Google Services) if you install it?
Lineage (and DivestOS) enable you to install MicroG into a single user account on the phone (e.g. The work profile) and isolate it there.
The Graphene approach is even more restrictive, I just forget how they do it.
It’s just an app like any other. No special treatment
You can use a work profile but don’t have to. Grapheneos’ team don’t support fdroid or aurora store, hence they propose installing everything via play store.
Edit:
What do you mean it doesn’t support fdroid? I’m using fdroid on my GOS phone and GOS tablet.
My bad! Thx.
Grapheneos’ Team don’t support it in the sense they don’t like it
Ah gotcha. Wasn’t aware the GOS team doesn’t like F-Droid.
I can’t find the source right now. It’s about the whole app installation process. They prefer play store. Aurora store isn’t enough. I guess fdroid isn’t good because fdroid signs every apk. Haven’t read it in a while. Iirc, their stance was that every app should have its own updater.
Update: I found a source
Official grapheneos account:
GrapheneOS includes our own app repository client which provides a way to install the sandboxed Play Store. There is no advice for this fitting everyone’s preferences because all of the available options other than our own app repository currently only used for our own apps have major flaws.
https://discuss.grapheneos.org/d/6758-a-message-for-grapos-developers-whats-your-recomendation/16
Which means all stores are bad.
Thanks for the link.
From my quick read, doesn’t seem that they don’t support it. More of a caution to understand the risks involved with each App Store. For example, their comments regarding F-Droid are completely valid.
All you get from F-Droid is knowing that the developer adding a closed source third party library will likely get detected and the app won’t get updated, but in exchange you’re trusting people to build/sign the apps who have shown consistent untrustworthy behavior. You’re also getting significantly delayed updates in many cases.
- You don’t need an account, and there is no such thing as a GrapheneOS account. Most of your apps should be able to be installed through either F-Droid, Obtainium, or the sandboxed Play Store. Some apps require Google Play Services, however, but LineageOS has an alternative called microG which works most of the time, and GrapheneOS containerises apps.
- GrapheneOS, I believe, uses the default gallery and SMS apps from stock Android; and they also have their own camera, PDF viewer, and web browser (Vanadium), which are developed in-house. However, cloud syncing and note-taking apps are not included. I would suggest either having a look on F-Droid, asking on this sublemmy, or checking out Privacy Guides to find some apps you’ll like.
- GrapheneOS doesn’t have a “cloud”, as such. This is a good thing, and it lets you choose your own provider if you must. I would personally recommend Filen for files and photos, and Cryptee for notes.
- It is completely possible to use multiple app stores. If you use GrapheneOS, I would say use F-Droid or Obtainium when possible, and the Sandboxed Play Store for everything else.
- We like to use things like NextCloud because it gives us full control over our data, among other reasons. However, it is not essential. I, personally, use Filen for my cloud sync needs; but I also tend to use physical storage a lot because of my shitty internet and cheap hardware. You also don’t necessarily need to pay for these services, but it’s polite and it can improve your experience.
Good luck on your privacy journey, and don’t hesitate to ask more questions. In addition to Lemmy, here are a few good resources:
Hi! Thank you so much for the all the links, I really appreciate it. And thank you for introducing me to both Filen and Cryptee. Regarding Filen, I have a question. It says the price for lifetime starter is €30, but are there any other lifetime options (such as for the pro plans) that offer more storage?
I’m not entirely sure. I’m still using the free tier. A bit hypocritical for me to say that payment is polite, I know; but I do tend to use USB drives more than the cloud.
Do you know how Filen compares to Nextcloud or Syncthing? It’s definitely confusing to try to navigate in this huge technical world and know what service is the best haha
Essentially:
- Filen - Server in Germany, run by Filen. Has clients for Windows, macOS, Linux (both x86_64 and arm64), iOS, and Android; but not BSD or ChromeOS. You get 10 GB for free.
- Nextcloud - Server wherever you want, as you host it yourself. Has clients for most platforms, including Android, and also supports WebDAV. Everything is on your terms. Also comes with things like a calendar, a notes app, and ActivityPub (I think). You can run NextCloud on a Raspberry Pi under your desk for cheap.
- Syncthing - No server and no account, as it is strictly peer-to-peer. Has clients for Windows, macOS, Linux, BSD, illumos, Solaris, and Android; and there’s an unofficial client for iOS (Möbius Sync). Devices must be on the same network to sync (although there’s probably a way of getting it working globally). Totally free to use.
I use Filen because I only have one Raspberry Pi (which is in use), so Nextcloud isn’t a viable option; and I had trouble getting Syncthing to work.
The past part sounds like a joke, love all the sources, but they all have a beef with GOS 😆
So bringing up GOS in those communities can spark some controversial discussions
In the meanwhile in GOS community it’s strictly prohibited to mention those projects, and every time any of the projects says “Graphene” GOS asks them not to 😅
Mostly correct, but at the same time Techlore in their “Graphene toxic community” videos explicitly multiple times said that it’s better to avoid projects that have bad/toxic communities or devs
I’ve done a huge amount of research on those guys and I think they are collabing with the feds by proxy. it is indeed a circus.
how does having an account on the device work? For example, Samsungs require a Samsung account and iPhones require an iCloud account. How does it work on non-standard OSes?
On GrapheneOS, you don’t log in to any online account. All your stuff is just locally stored on your device by default. You can install third-party apps to sync your data, but GrapheneOS has no online account/sync system built in.
does GrapheneOS have its own Notes/Drive/Photos/Messages app? If not, how does one go about obtaining these? Related question:
It has the standard Android (non Google) File manager, Gallery and SMS app. These aren’t particularly good though. I recommend Fossify apps, they are completely free and open source, respect your privacy and offer a pretty good user experience. Fossify has a notes app, gallery, file manager, SMS app, phone app (dialer), music player, clock, keyboard, launcher and some other stuff.
how do I sync my notes/photos/files/etc to the “cloud” of GrapheneOS?
GrapheneOS doesn’t have a cloud. You need to find a solution for syncing your data yourself. There’s DAVx5, which uses the WebDAV protocol, Nextcloud, EteSync, PhotoPrism, Immich and many more. They all serve different purposes. DAVx5 works with any WebDAV-compatible server, it lets you sync calendars, contacts and tasks. Nextcloud is a self-hosted replacement for things like Google Drive, it lets you sync files, calendars, contacts, notes, photos, bookmarks, recipes, basically everything you could imagine. Note that the official Nextcloud app only lets you sync files, but there are other Nextcloud-compatible apps on F-Droid that let you use more features of the Nextcloud server. Both PhotoPrism and Immich are self-hosted solutions for syncing your photos, Immich has an official Android app on F-Droid, PhotoPrism only has this unofficial one called Gallery for PhotoPrism. If you’re not into self-hosting, there are still good, private options out there. EteSync allows you to sync your contacts, calendars, tasks and notes, and it uses end-to-end encryption by default. You can self-host it, but you don’t have to. You can just pay them $2/month and they will handle it for you. Personally, I like to self-host my own instance of Etebase, the backend server for EteSync. Other private, cloud-hosted options are Proton for email, calendar and files or Ente for photos (their app is also on F-Droid).
My third question regards the app store of GrapheneOS. I have heard that the sandboxed Play Store is better than FDroid, for instance; what are your thoughts? Do I go for Aurora Store instead? Is there any major difference at all?
Personally, I use Aurora Store if I need to download something from Google Play.
Is it possible to use multiple app stores?
Yes, you’re not bound to one app store, you can use multiple ones.
You can DM me if you have more questions.
+1 for recommending Fossify over ‘SimpleApps’
Extending the reply for ‘Sandboxed Play Store … F-Droid … Aurora Store’ -
- In case of Sandboxed Play Store - we’d need to login via a Google account in order to be able to download apps. Also, when we allow network access to the Play Store, it may send device info, app downloaded, updated etc related telemetry to Google. Also expect the promoted apps/games ads in the Play Store home screen.
- In case of Aurora Store - we can use it via Anonymous User or we can supply our own Google Account. Aurora Store just uses the credentials to download apps from Google Play, but other telemetry is limited compared to Play Store.
- In case of F-Droid store - It mostly hosts open-source Apps. And has cautions whenever an app uses proprietary libraries, code or needs access to specific network (eg - Telegram FOSS needs Telegram Servers access to function) in order to work.
I’d recommend you have both - F-Droid and Aurora Store. If you need to access the Play Store subscriptions, then you’d need to install Play Store as well.
Thanks for taking the time to answer
Grapheneos can be used almost identically to stock android. You can install google apps and use them or not. The biggest piece of it is the options.
There is no account associated to GOS. You can login to an existing google account etc, just like any android.
GOS has messages for SMS only. It had a Gallery app for photos and a files app for system files. There aren’t many apps it comes with, so getting alternative apps is easy. Mostly via Fdroid (or droidify for a more modern looking app). For a better photos app, I recommend “Aves” For a drive app, a private option would be proton drive. Notes app can be anything you want, but GOS doesn’t come with one. If you want to use google notes you can. I wouldn’t recommend it, but you can. There are lots on Fdroid to choose from.
As for cloud sync, GOS doesn’t do this, but again, you can use any other service you’d normally use to sync. I use Syncthing to sync a folder on my phone to a folder on my PC. That way I can have things like my photos easily on desktop and have backups.
As for app stores, GOS doesn’t recommend Aurora because they don’t sign the apps they provide, but I use it anyways, as it is the best way to get apps without a google account.
You definitely don’t need your own Nextcloud or Homelab. I prefer paying for hardware I own instead of cloud things, but both have good positives.
Also, your questions aren’t stupid, they’re great! You’re just learning about this stuff and that’s amazing. Keep learning.
How’s adblocking? I need to use some apps from the Play Store and my blocker requires root to not be crappy. Is there something built in?
No adblocker built in, but Rethink DNS is a great app that will set up a local VPN and do firewall filtering and DNS filtering. There are other apps too and they should all work on any OS.
Personally I self host a VPN and pihole and stay connected to that
Checked it out, just realised how out of date my setup is now. I got some setting up to do.
You can also set your DNS in settings to an adblocking DNS such as Mullvad, that works really well for me. Rethink is also for more precise control.
Mullvad link to their dns servers: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
I hop around a few blocking DNS providers but I use that as a fallback. I don’t control the list, though. I just need a good chance to play around with it. Rethink checks all the boxes though.
No adblocker built in
They actually added a basic content blocker back in mid February, and plan on improving it over time:
Github source: https://github.com/GrapheneOS/Vanadium/releases/tag/122.0.6261.43.1
Discussion forum: https://discuss.grapheneos.org/d/11000-vanadium-version-12206261431-released
Samsung requires a Samsung account? Since when? I’ve used them since 2014, never had a Samsung account. Still don’t, and have a Samsung TV.
Not sure what you mean by “non standard phones”.
iOS “requires” an Apple account if you want to store anything in an Apple account. Android “requires” a Google account if you want to store anything in a Google account.
I’ve used both without an account. And Samsung devices don’t require a Samsung account at all.
Also both require an account to download anything, from their stores.
- There is no GrapheneOS account.
- GrapheneOS has some built in apps, namely for SMS, gallery viewer, camera, PDF reader, calculator, contacts, files, phone and web browser (vanadium, based on chromium). GrapheneOS offers no cloud. You are responsible for using the service of your choice to manage and backup your data. It is currently undergoing a transition for backup management, but otherwise you can make use of a selfhosted service like nextcloud.
- GrapheneOS does come preinstalled with its own app store but it is reserved to GrapheneOS apps and the distribution of certain google services which can be optionally installed using their sandbox. Besides that, you can indeed install the aurora store to get access to the free apps on the google play store, or actually use the google play store. They can all be installed and used simultaneously. Though you might want to be mindful if you install an app on one store to not update it on another as the two versions could work differently (e.g. an app installed on f-droid might have a different notification system than one on the google play store). You do not need to use nextcloud if you don’t want to. GrapheneOS has no dependencies on any other additional app. It is a standalone OS. Once you install it, you use it however you want.
Edit: one key advantage of GrapheneOS is the possibility of using multiple users. You can (and I recommend it) separate apps into different user profiles. You can for instance dedicate one user profile to apps requiring Google services, let’s call it Gapps. GrapheneOS then allows you to pipe your notifications between user accounts, so if you are in your main user profile you can get notifications from apps running in Gapps in the background. Very convenient.
Android provides a multi-user setup since Marshmallow(?), definitely with Nougat (I’ve used it on a stock Android N phone).
Some vendors hid it/didn’t expose the UI.
Graphene takes advantage of it and makes it more fluid.
It’s interesting, because multi-user is a native functionality of Linux… It’s likely always been there, just not exposed.
In this case, you can have a primary user with no google services and a secondary with google services (Play store etc) that you can’t live without, until you find FOSS alternatives for your main. You can also revoke network permission on any app, including google’s. Rocks.
You are right. What I want to highlight was not that, but the notifications piping which is what makes the multi user profile interesting and usable for a single person, IMO. And that is what I think is unique to GrapheneOS. I did not express myself well in that regard, my bad.
So, regarding the account: it depends. AFAIK, there’s no “graphene account” in grapheneos, but you can use the regular google account after installing sandboxed play services. Note: you don’t have to, the only things from google I personally used were gcam (since their hdr+ thingy is quite good) and photos (since foss alternatives I’ve tried can’t 3d transform), both without play services and internet access. On other roms there may be an optional account (ex, /e/os).
Applications: there’s a messaging app (regular SMS) and gallery (not sure here, tho, mb there wasn’t; once again I decided to keep using google photos), otherwise - nope. All can be obtained from f-droid/play store/aurora. Syncing probably needs to be done via 3rd party stuff (I’d probably go with self-hosted nextcloud instance, which can be done rather easily and for free with tailscale if you have a spare laptop/pc)
App installation: I personally went with f-droid plus aurora (since the proprietary software I use doesn’t rely on play services other than for sending notifications, exception - gcam, but fixable with gcam services provider from f-droid with the caveat of not being able to use sandboxed play services due to the name collision). Idk how exactly sandboxed play services are “better” compared to f-droid, mb in terms of software availability? Otherwise I prefer f-droid since stuff there is Foss, trackerless and overall better audited (paste here the links to numerous articles about actual malware being found in play store).
Self-hosting nextcloud is relatively easy (I can drop some links later if you’re interested), but you can also keep using whatever you used before. Also (correct me if I’m wrong) /e/ provides their cloud with some amount of free storage, so you may want to start with that.
Hi, thank you for the comment! I’m very interested in those links about getting started with NextCloud. :)
So, as I’ve mentioned, you’ll need another machine (I’d advise running Linux on it, but it’s probably not strictly necessary)
The easiest route would probably be to run their all-in-one docker image. I believe, their instructions are rather straightforward. It would be enough to expose port 8080 only in the provided docker run command. Then accessing from outside the local network may be accomplished via tailscale.
By default it will be accessible from within your tailnet only, but if it doesn’t suit you (e.g. you want to use another VPN on your phone to hide your traffic from your provider or bypass regional restrictions) you can expose it to the internet via tailscale funnel.
I don’t know if there exists such a thing as GrapheneOS account, but it is not required. You can add Google, Facebook or other accounts like with regular Android. I use a self hosted Nextcloud instance to synchronize contacts and calendar with DavX5 app. GrapheneOS has built-in apps. I use most of them. For the app stores I mostly use Fdroid and Aurora store for non open source software. I don’t use Google play store even sandboxed because I don’t accept the terms of use, mostly because they have the right to uninstall apps from your phone without consent or notice.
Good job getting here.
- You won’t have any accounts to sign in to anymore unless you install an app that requires an account. You are free from forced accounts that track you.
- Graphene is very barebones at start. You need to use the web browser (Vanadium) to install an app store to download apps or download apk’s straight from the source/Github.
- You sync data by either manual backups or by using your chosen app for syncing. Syncthing, NextCloud, ProtonDrive, Ente, Immich, etc.
- I would say that the fdroid store is better than the PlayStore. Everything is open source, no ads, and a lot less/close to zero junk apps spamming my searches. You also have access to repositories to add even more apps.
- I would suggest looking at DivestOS instead of Lineage. It’s more secure as you can re-lock the bootloader. I do suggest Graphene over all else for you specifically as it’s incredibly simple to install and the Google Sandbox works very well.
I am using GrapheneOS right now. Here are my answers:
- Accounts are local. They don’t necessarily have an online component. Aurora store works fine. The only major issue is some apps from the play store will break if you don’t have Google services installed. The level of breakage really depends how the app handles this lack. Sometimes you may not have a feature and other times it will just not run. You can install and run Google services but I’m unconvinced that your privacy will be protected just by the sandbox. A possible solution is to run all that stuff in its own profile. You can’t run both simultaneously, though.
- For synchronization, I use Syncthing. It’s not to the cloud but it’ll get files and photos off your device. As for notes Turtl and I believe Obsidian sync to their own servers. Mega.nz runs on GrapheneOS also. I don’t know if it syncs, though
- Notes - no. I use Turtl. But I’ve heard good things about Obsidian. Drive - don’t know wouldn’t think so. Photos - yes. Messages - yes. For the last two, you’d have to find a solution if you want to back them up.
For backup, GrapheneOS will also backup to USB drive.
Like all things, it’s a trade-off. You trade security for convenience.
But one very nice surprise is I now have so much better battery life. I’m getting nearly 3 days off a charge!