       Title: Introduction to GrapheneOS
       Author: Solène
       Date: 12 January 2025
       Tags: android security privacy
       Description: In this blog post, you will learn about the security
       oriented smartphone operating system GrapheneOS
       
       # Introduction
       
       This blog post is an introduction to the smartphone and security
       oriented operating system GrapheneOS.
       
  HTML GrapheneOS official project web page
       
       Thanks to my patrons' support, last week I was able to replace my
       6.5-year-old BQ Aquaris X, which had been successfully running
       LineageOS all that time, with a Google Pixel 8a now running GrapheneOS.
       
       Introducing GrapheneOS is a daunting task; I will do my best to present
       the basic information you need to decide whether it might be useful
       for you, and leave a link to the project FAQ, which contains a lot of
       valuable technical explanations I do not want to repeat here.
       
  HTML GrapheneOS FAQ
       
       # What is GrapheneOS?
       
       GrapheneOS (written GOS from now on) is an Android-based operating
       system that focuses on security.  It only supports Google Pixel
       devices, for multiple reasons: the availability of hardware security
       components (a dedicated secure element and hardware-backed verified
       boot), long-term support (the 8 and 9 series receive updates for at
       least 7 years after release), and a good quality/price ratio.
       
       The goal of GOS is to give users a lot more control over what their
       smartphone is doing.  A main profile (the owner profile) exists by
       default, but users are encouraged to do all their activities in a
       separate profile (or in several profiles).  This may remind you of the
       Qubes OS workflow, although the comparison does not fully hold here.
       Profiles cannot communicate with each other, encryption is done per
       profile (ending a profile's session evicts its encryption keys, so its
       data is at rest), and some permissions can be assigned per profile
       (installing apps, running applications in the background when the
       profile is not in use, using the SIM...).  This is really effective
       for privacy or security reasons (or both): you can have a different
       VPN per profile if you want, a different Google Play login, a
       different set of applications, whatever!  The best feature here in my
       opinion is the ability to completely stop a profile, so you are sure
       nothing from it runs in the background once you exit it.
       
       When you create a new profile, it is important to understand that it
       is like booting your phone again: on the first login with that profile
       you are asked the same questions as when the system starts for the
       first time.  All settings have their default values, and any change is
       limited to that profile only; this includes ringtones, sound, default
       apps, themes...  Switching between profiles is a bit painful: you need
       to pull the top-to-bottom dropdown menu to its full size, tap the
       bottom right corner icon, choose the profile you want to switch to,
       and enter the PIN of that profile.  Only the owner profile can toggle
       important settings such as the 4G/5G network, perform SIM operations,
       or change other "lower level" settings.
       
       GOS has a focus on privacy, but leaves the user in charge.  Google
       Play and Google Play Services can be installed in one click from a
       dedicated GOS app store that is limited to GOS apps only, since you
       are expected to install apps from Google Play, F-Droid or Accrescent.
       Applications can be installed in a single profile, but they can also
       be installed in the owner profile, which lets you copy them to other
       profiles.  This is actually what I do: I install all apps in the
       owner profile, I always uncheck the "Network" permission so they
       simply cannot do anything there, and then I copy them to the profiles
       where I will really use them.  There is no good or bad approach; pick
       what fits your needs in terms of usability, privacy and security.
       
       Just to make it clear: it is possible to use GOS totally Google-free,
       but if you want to use Google services, it is made very easy to do
       so.  Google Play could also be confined to a dedicated profile if you
       only ever need it once.
       
       # Installation and updates
       
       The installation was really simple, as it can be done from the web
       page (from a Linux, Windows or macOS system, using a browser with
       WebUSB support such as Chromium) by just clicking buttons in the
       correct order on the installation page.  The integrity check of the
       installed image can be done AFTER installation, thanks to the phone's
       verified boot and hardware-backed attestation: the secure element
       guarantees that only validly signed software boots, and it lets you
       generate an attestation of what was booted, which is basically a
       post-install checksum (more explanations on the GOS website).  The
       whole process took approximately 15 minutes between plugging the
       phone into my computer and using the phone.
       
       It is possible to install from the command line, I did not test it.
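The command-line route flashes a downloaded factory image, so the integrity check happens before installation rather than after it: the GrapheneOS CLI install instructions have you verify the image's signify signature (an Ed25519 signature over a SHA256 checksum list, checked with `signify -C`) before running the flashing script. As an added example that is not part of the original post or of the GrapheneOS project's own tooling, here is a small Go program that verifies such a `-C` signature file without OpenBSD's signify: it parses the signify public key and signature formats, checks the key number matches, verifies the Ed25519 signature over the embedded checksum list, and then compares the file's SHA256 against the listed one. Since a real GrapheneOS image and its published factory.pub cannot be embedded here, the program generates a throwaway key and signs a constructed stand-in file; the file name and key comments are hypothetical.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// signify encodes keys and signatures as: pkalg "Ed" (2 bytes) + keynum (8 bytes) + payload.
const pkAlg = "Ed"

type signifyKey struct {
	keyNum [8]byte
	pub    ed25519.PublicKey
}

type signifySig struct {
	keyNum  [8]byte
	sig     []byte
	message []byte // everything after the signature line; for -C mode this is the checksum list
}

// parseSignifyFile reads a signify file: "untrusted comment: ..." line, base64 line, optional message.
func parseSignifyFile(data []byte) (blob []byte, rest []byte, err error) {
	lines := bytes.SplitN(data, []byte("\n"), 3)
	if len(lines) < 2 || !bytes.HasPrefix(lines[0], []byte("untrusted comment: ")) {
		return nil, nil, errors.New("missing 'untrusted comment:' header")
	}
	blob, err = base64.StdEncoding.DecodeString(string(bytes.TrimSpace(lines[1])))
	if err != nil {
		return nil, nil, fmt.Errorf("bad base64: %w", err)
	}
	if len(blob) < 10 || string(blob[:2]) != pkAlg {
		return nil, nil, errors.New("unsupported algorithm (expected Ed)")
	}
	if len(lines) == 3 {
		rest = lines[2]
	}
	return blob, rest, nil
}

func ParsePubKey(data []byte) (*signifyKey, error) {
	blob, _, err := parseSignifyFile(data)
	if err != nil {
		return nil, err
	}
	if len(blob) != 2+8+ed25519.PublicKeySize {
		return nil, errors.New("bad public key length")
	}
	k := &signifyKey{pub: ed25519.PublicKey(blob[10:])}
	copy(k.keyNum[:], blob[2:10])
	return k, nil
}

func ParseSig(data []byte) (*signifySig, error) {
	blob, rest, err := parseSignifyFile(data)
	if err != nil {
		return nil, err
	}
	if len(blob) != 2+8+ed25519.SignatureSize {
		return nil, errors.New("bad signature length")
	}
	s := &signifySig{sig: blob[10:], message: rest}
	copy(s.keyNum[:], blob[2:10])
	return s, nil
}

func sha256sum(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// VerifyFile implements the `signify -C` flow for one file: the signature over the
// embedded checksum list must verify under the given key, and the file's SHA256
// must match the "SHA256 (name) = hex" line for it. Any failure returns an error.
func VerifyFile(pubFile, sigFile []byte, fileName string, fileData []byte) error {
	key, err := ParsePubKey(pubFile)
	if err != nil {
		return err
	}
	sig, err := ParseSig(sigFile)
	if err != nil {
		return err
	}
	if key.keyNum != sig.keyNum {
		return errors.New("signature was made with a different key (keynum mismatch)")
	}
	if !ed25519.Verify(key.pub, sig.message, sig.sig) {
		return errors.New("bad signature over checksum list")
	}
	want := hex.EncodeToString(sha256sum(fileData))
	prefix := "SHA256 (" + fileName + ") = "
	sc := bufio.NewScanner(bytes.NewReader(sig.message))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, prefix) {
			if strings.EqualFold(strings.TrimPrefix(line, prefix), want) {
				return nil
			}
			return fmt.Errorf("%s: checksum mismatch", fileName)
		}
	}
	return fmt.Errorf("%s: not listed in the signed checksum list", fileName)
}

func encodeSignifyFile(keyNum [8]byte, payload []byte, comment string) []byte {
	blob := append([]byte(pkAlg), keyNum[:]...)
	blob = append(blob, payload...)
	return []byte("untrusted comment: " + comment + "\n" + base64.StdEncoding.EncodeToString(blob) + "\n")
}

// MakeSignedChecksum produces a signify-format public key file and -C signature file
// for fileData with a freshly generated throwaway key. It only exists to construct
// sample input; real verification uses the project's published public key.
func MakeSignedChecksum(fileName string, fileData []byte) (pubFile, sigFile []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		return nil, nil, err
	}
	var keyNum [8]byte
	copy(keyNum[:], sha256sum(pub)[:8]) // signify uses 8 random bytes; any identifier works here
	list := []byte("SHA256 (" + fileName + ") = " + hex.EncodeToString(sha256sum(fileData)) + "\n")
	pubFile = encodeSignifyFile(keyNum, pub, "example public key (hypothetical)")
	sigFile = append(encodeSignifyFile(keyNum, ed25519.Sign(priv, list), "verify with example.pub"), list...)
	return pubFile, sigFile, nil
}

func main() {
	name := "example-factory-2025010100.zip" // hypothetical file name
	data := []byte("constructed stand-in for a factory image")
	pubFile, sigFile, err := MakeSignedChecksum(name, data)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine image:", VerifyFile(pubFile, sigFile, name, data))
	fmt.Println("tampered image:", VerifyFile(pubFile, sigFile, name, append(data, '!')))
}
```

The keynum check matters in practice: a signature file that verifies under some key is worthless unless that key is the one you obtained out of band, so the program refuses any signature whose key number does not match the public key it was given, before even looking at the checksum list.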
       
       Updates are 100% over-the-air (OTA), which means the system downloads
       updates over the network itself.  This is rather practical, as you
       never need to run any adb command to push a new image, which has
       always been a stressful experience for me when using smartphones.  GOS
       automatically downloads base system updates and offers to reboot to
       install them, while GOS apps are simply downloaded and updated in
       place.  This is a huge difference from LineageOS, which always
       required manually downloading new builds, and where application
       updates were part of the big image update.
       
       # Permission management
       
       A cool thing with GOS is the tight control offered over applications.
       First, this is done per profile, so if you use the same app in two
       profiles you can give it different permissions; secondly, GOS allows
       you to define a scope for some permissions (Storage Scopes and Contact
       Scopes).  For example, if an application requires storage permission,
       you can list which paths it is allowed to see; if it requires contacts
       access, you can give it a list of contact entries (or an empty one).
       The application is not told it has been restricted, it simply sees
       only what you scoped.
       
       The GOS Google Play installation (not installed by default) is
       sandboxed to restrict what it can do, and they also succeeded in
       sandboxing Android Auto (more details in the FAQ).  I have a dedicated
       Android Auto profile; the setup was easy thanks to the FAQ, as a lot
       of permissions must be granted manually for it to work.
       
       GOS does not let you become root on your phone, though; it just gives
       you more control through permissions and profiles.
       
       # Performance
       
       I did not try CPU/GPU intensive tasks for now, but there should be
       almost no visible performance penalty when using GOS.  There are many
       extra security features enabled which may lead to a few percent of
       extra CPU usage, but there are no benchmarks, and the few reviews by
       people who played demanding video games on their phone did not notice
       any performance change.
       
       # Security
       
       The GOS website has a long and well detailed list of the hardening
       done over the stock Android code; you can read about it at the
       following link.
       
  HTML GrapheneOS website: Exploitation Protection
       
       # My workflow
       
       As an example, here is how I configured my device.  This is not the
       only way to proceed, so I just share it to give readers an idea of
       what it looks like for me:
       
       * my owner profile has Google Play installed and is used to install
       most apps.  All apps are installed there with no network permission,
       then I copy them to the profile that will use them.
       * a profile that looks like what I was doing on my previous phone:
       allowed to make calls/SMS, web browser, IM apps, TOTP app.
       * a profile for multimedia where I store music files, run audio
       players and use Android Auto.  The profile is not allowed to run in
       the background.
       * a profile for games (local and cloud).  The profile is not allowed
       to run in the background.
       * an "other" profile used to run crappy apps.  The profile is not
       allowed to run in the background.
       * a profile for each of my clients, so I can store any authentication
       app (TOTP, Microsoft Authenticator, whatever) and use any app they
       require.  The profile is not allowed to run in the background.
       * a guest profile that can be used if I need to lend my phone to
       someone who wants to do something like look up something on the
       Internet.  This profile always starts freshly reset.
       
       After a long week of use, I came up with this.  At first, I had a
       separate profile for TOTP, but having to switch back and forth to it a
       dozen times a day created too much friction.
       
       # The device itself
       
       I chose to buy a Google Pixel 8a 128 GB as it was the cheapest of the
       8 and 9 series, which have 7 years of support, but it also got a huge
       CPU upgrade compared to the 7 series.  The device can be bought for
       300€ on the second-hand market and 400€ brand new.
       
       The 120 Hz OLED screen is a blast!  Colors are good, black is truly
       black (hence dark themes reduce battery usage on OLED and look really
       great) and it is super smooth.
       
       There is no SD card support, which is pretty sad, especially since
       almost every Android smartphone supports it; I guess they just want
       you to pay more for storage.  I am fine with 128 GB though, as I do
       not store much data on my smartphone, but being able to extend it
       would have been nice.
       
       The camera is OK; I do not use it a lot and I have no comparison, but
       the reviews I have read say it is just average.
       
       Wi-Fi 6 works really fine (latency, packet loss, range and bandwidth)
       although I have no way to verify its maximum bandwidth because it is
       faster than my gigabit wired network. 
       
       The battery lasts long, I use my smartphone a bit more now, the battery
       approximately drops by 20% for a day of usage.  I did not test charge
       speed.
       
       # Conclusion
       
       I am really happy with GrapheneOS; I finally feel in control of my
       smartphone, which I never considered a safe device before.  I never
       really used an Android ROM from a manufacturer, or iOS; I bet they can
       provide a better user experience, but they cannot provide anything
       like GrapheneOS.
       
       LineageOS was actually OK on my former BQ Aquaris X, but there were
       often regressions, and it did not provide anything special in terms
       of features, except that it was still getting updates for my old
       phone.  GrapheneOS, on the other hand, provides a whole new
       experience, which may be what you are looking for.
       
       This system is not for everyone!  If you are happy with your current
       Android, do not bother buying a Google Pixel to try GOS.
       
       # Going further
       
       Stock Android supports multiple users (this can be enabled in System
       -> Users -> Allow multiple users), but there is no way to restrict
       what profiles can do; it seems they are all administrators.  I have
       been using this on our Android tablet at home, and it is available on
       every Android phone as well.  I am not sure whether it can be used as
       a security feature as is.