For those who use GrapheneOS, is it worth it? Do you like it?
My backups are done, all that is left is the final choice to wipe my whole phone.
It’s great! Top notch privacy and security with OEM update convenience.
I’m pretty sure they don’t “guarantee software integrity” as it is. At least not in any meaningful way.
Welcome to the cool side Peter! (Family guy joke). No but seriously, jumping over to GrapheneOS was the best choice i’ve made in years.
Same here, never looked back. Enjoy it as long as it lasts
Easily the best phone i ever used. Graphene on a Pixel that is.
Honestly man god bless I’m here for the cause but it’s a real pain as a daily driver.
What makes it a pain to daily drive for you?
my work stack is all google. i tried using it full time last year with a pixel and i just found the sandboxed google services to be too unreliable in a pinch
Work profiles are a big sticking point for tech workers I think. Apparently some have got it to work, but my org’s didn’t. I think if your company uses MAM instead of MDM you might have better luck, but I couldn’t get Intune to set up the work profile correctly. I started carrying a phone size ereader everywhere so I just set up work stuff on that, but even then managing wifi for the second device is a pain.
Why don’t you elaborate and say why?
6 months in, and I can’t imagine going back. Use the web installer if possible, it is quick and really easy. Then immediately create a secondary user account for the Google compatibility layer, if you want that shit. I dont but I need my bank app. Keep it seperate. If you wanna use Google apps sometimes, have a separate user for that. You will gain quite a bit of battery without Google calling home every couple minutes. But if you install the compatibility layer in your main profile it becomes a chore to move to another account.
That’s where I’ve gone wrong…
What about 2FA, and banking apps, and banks’ payment apps? At least in Yurop they require a “safe” / “uncompromised” OS. Oh the irony! But that is why I am still unrooted.
I used to have a service which required Authy and that will not work with a failed Play Integrity API check.
Chase and AMEX make it more annoying to log in by requiring additional 2FA after fingerprint unlocks.
Capital One is the same experience as my stock OS.
2FA has been fine for me, but banking apps are iffy where some work and some do not. I don’t use or trust banking apps, so it wasn’t a blocker for me.
If you install sandboxed Play Services then they should work. If not then the websites will.
Made the jump a couple of weeks ago, and couldn’t be happier with it. Everything just worked out of the box. The web installer is literally point and click, zero hassle. Google store installer is bundled by default, and you can install it right away. All the apps I use worked fine for me without any issues.
I’m using GrapheneOS to type this and have been using it (periodically) for weeks. I just noticed today that it doesn’t have visual voicemail, and I haven’t the foggiest idea what my vmail PW is. But all in all, it’s solid (knock on wood).
You should be able to call your service provider to reset password for vmail. I had to do that a couple years ago as my voicemail was full and I needed to empty it and have access while applying for jobs … don’t wait untill you need to do it it is kind of annoying to deal with!
Noted, thank you for the tip.
And all customer service interactions have become annoying! In my book, it’s just businesses acting entitled, which irks me.
It is so obscenely easy to install graphene on your phone. I bought a pixel just to try it like a 6 for 60 bucks or something and it took no time whatsoever. Online easy peasy and it is so much better than googles Android
Just go for it. You can always go back to stock if you dont like it.
My advice: dont make it too complicate. GOS has a lot of different securities and you can choose whatever you want to do with your phone. Some examples::
-
you can run the whole thing on 1 profile
-
1 main profile and 1 secondary for Google
-
1 main profile for admin and several secondary profiles each with their own private space… .
and so on and on. I like to think of GOS similar to Archlinux. You can choose your way, but if things go south , a extremely complicate setup will make it very difficult to diagnose and maintain.
If you could tell me the logic behind using the different securities… I’m working on figuring out graphene and using it as a daily driver. Currently I’ve got my owner profile which is the one with Google Play. I’ll just push the apps to my daily driver…
What would you suggest?
@pinball_wizard@lemmy.zip was correct: Even a single GOS profile is already much better than normal Android. You can read up all the security stuff GOS offers in Settings/Security and Privacy. A lot of those features are already much better than stock Android, e.g. strict control over USB c, spawn app securely, wifi/BT auto off…etc.
As to your question about logic in using diff securities, GOS is the only OS that allows you to have many profiles. These profiles are completely isolated from each other. You have your own keylock, user for each profile. That is much more powerful that stuff like Peivate Space (stock Android has) or even Samsung Secure Folder. So I want to make the best use for these features…
That and we have too much personal and sensitive stuff on our phones nowdays. I’m not talking about normal stuff like emails and photos. I meant online banking apps, identity card app that each country for some reasons force citizens to install…And everything else, literally everything has an app.
Anyway…
Initially i went with: 1 owner profile (the one you started originally), 1 media profile, 1 bank profile and 1 daily profile. You know like completely compartmentalize your life.
This works BUT there is a lot of inconvenience. .E.g. if i see an article in Vanadium in daily and want to share it to whatsapp/viber/signal which live in media, i cant.
So I then went with: 1 owner profile and 1 sensitive profile…So all the things that are very important to me like banks, IC app I put in sensitive. .Everything else I put in owner. Note: in sensitive profile, I do not user fingerprint; I set a long password for that.
Hope that helps.
What would you suggest?
Not OP, but here’s an answer for your consideration.
Assuming you are not currently being hunted by well resourced scary people…
It seems to me that even using a single user profile on GrapheneOS already provides dramatically better security and privacy outcomes than any other mobile device option, anyway.
I don’t think I’m being hunted or resourced… But realistically speaking I’m just tired of not having control of my data.
I’m more just trying to figure out the most effective setup. Because I am going to need certain apps I’m going to get from the Google store. I don’t need them all the time, what I really need to understand is which profile should I have the Google Play store on. Should I have it on a secondary profile or the owner profile.
I don’t intend on using the profile with Google Play on it daily.
another solution for you is no profiles, just the main + Private Space. In main you dont use any Google stuff. In your private space (setup with a different unlock method from your screenlock), you sign in and get your Google stuff. I havent tried it but it sounds ok…Not sure about transferring files though. E.g. what if I have a news article in Vanadium in mainland and want to share it to my contacts in Private Spac? Or the reverse: I got a pdf from whatsapp in Private Space and want to store it in my main’s folder?
I haven’t even realized there’s a private space…
-
I bought a Pixel for it (I needed a phone upgrade) and installed GrapheneOS immediately after bringing it home. There was a little bit of friction because a few things weren’t working out of the box for me, like Android Auto and a few apps that use GPS (I tried to Pokemon Go, for example) but all these issues went away eventually. The only thing I miss is tapping my phone to pay for things, but this isn’t a GrapheneOS issue, (bank/card providers in north America and their reliance on Google Wallet/Apple pay are). There are financial institutions from other countries that offer tap to pay using their own app.
I love being able to select what files/contacts each app has access on my phone. I like being able to disable my camera/microphone for all apps with a simple touch.
I wonder why nobody found a way to trick Google Wallet into running anyway
They just need to learn how to trick Google’s Integrity API
I’m not an expert, but can’t a phone just reply “yes it’s safe” to any Google’s Integrity API request?
I’ve been using Graphene for several years and I love it. I could never go back now, Google android feels so incredibly bloated and invasive by comparison.
Double check your backups just to be safe, and then go for it. It’s not hard to revert if you hate it. There is a big of a learning curve, mainly just using the alternative app stores like Accresent, F-Droid, etc.
But once you spend a bit of time getting your apps installed and your system set up the way you like, you’ll love it.
“Software integrity cannot be guaranteed on a custom os”
Ah yes software integrity like, sorry we no longer support your device beyond its intended lifecycle and please make sure your beloved app has the latest enshitification update installed.
It’s the opposite- you’ll come to the bright side, to the free lands
Will digital ID’s and banking and stuff work? Or do you need to root it?
Works for me with 3 banks, there’s a checkbox you might need in the app’s info screen to enable a ‘compatibility’ mode.
