There’s nothing to be afraid of. Really.
GrapheneOS is just AOSP without all the bad stuff Google sneaks inside, with a hardened kernel and a few other features, none of which is there to make your life harder without a very good reason. And where that’s questionable, they’re at least not enabled by default. Seriously, if you already use Linux, you will have absolutely no problem moving to GrapheneOS.
Let’s debunk some myths first:
I’ll lose warranty
No, your hardware warranty has nothing to do with the software you use. The process of unlocking the bootloader is completely reversible and doesn’t affect the hardware warranty.
I won’t be able to go back
No, you can go back anytime you want. GrapheneOS has instructions for flashing the stock ROM again in case you want to return to it. You can even remove the non-stock Android Verified Boot key, which is added during the GrapheneOS installation to provide a secure experience, so your phone gets back to the exact same state as before the installation.
Banking apps don’t work
You can check it here. If your bank’s app is not verified, from my experience, it’s very likely that it does work. Oftentimes it required Google services though…
Some apps don’t work
Maybe some of them, but definitely not many. Personally, I was able to move all of the apps I used before switching with no issues at all. If that’s not the case for you, you can disable exploit protection. In many cases that seems to fix the apps, but be aware that it loosens the app sandbox, so it decreases your security a bit. Many apps also use the Google Maps SDK, so they require Google services to run correctly.
Notifications don’t work
Most apps use Firebase Cloud Messaging for notifications, which requires Google services to work. There are other ways to get notifications running without Google (like UnifiedPush), but not many mobile app developers implement them. Most of the time, you’ll need to run Google services to use notifications.
I need Google Maps/Google Pay/Google something, so it won’t work
You can run Google apps in GrapheneOS as long as you install sandboxed Google Play Services.
Why would I use a custom ROM if I need to install Google services on it either way?
There are many reasons to use GrapheneOS even if you need Google services. First, it increases your security compared to stock Android. Second, GrapheneOS gives you the ability to run Google services in a sandbox, so they run like every other app installed on your phone, unlike on a standard ROM, where they run with admin permissions and have access to everything, which you can’t disable. With GrapheneOS, you can adjust the permissions for Google Play Services. I just disabled all of them except network in order to receive notifications. Also, no other Google apps are installed unless you explicitly install them. Another thing is that there are a lot of other services that depend on Google’s infrastructure. One of them is indoor location (aka SUPL), for which you can use either Apple’s service, which is more private, or Graphene’s proxy to Apple’s service. There are a lot more features like this and you can read about all of them here. I’ll be covering a few more in this article.
What do I need privacy for if I have nothing to hide?
Ahhh, classic!
Read any of George Orwell’s books and say that again.
Why bother?
Even if you’re not the main target of three-letter agencies, you can feel a little safer with a hardened kernel, libc and malloc. You’ll be able to see what’s happening on your phone with a location indicator, shown in the top right corner when any app tries to access location. You’ll also have more control over what your apps have access to with additional network and sensors permissions. Other features, like PIN scrambling, are just cool. But most notably, it’s a phone you can actually control. If you’re fed up with the experience full of ads, spyware and useless bloatware that you get from most smartphone OEMs out of the box, you’ll feel at home. Just believe me, you’ll finally start to like your phone again.
Ok, but what do I do now?
In my next blog post, I’ll be showcasing a full, opinionated GrapheneOS setup for daily usage, which in my opinion offers just the right balance between privacy, security, and convenience.
Stay tuned hackers!
Note that due to hardware/firmware requirements, GrapheneOS is only available on Google Pixel phones as of the time of writing this post, so if you own one of those or you’re planning on buying a new phone, good for you!