I Picked A Really Weird Time to Try Out GrapheneOS
I used to really enjoy custom ROMs back in the day. Over time Android integrated just about everything that custom ROMs had that I wanted, so I stopped using them. Recently though I've been wanting to try out GrapheneOS. I've been self-hosting for a while now and have been substituting FOSS apps. Switching to GrapheneOS is sort of the logical extreme of this and a fun exercise. My hope was it would force me to be more intentional about what apps and services I use.
Or that's what the plan was for the last couple of weeks. Then this happened today:
I had a draft post with my notes from trying out GrapheneOS ready, and while I was going to test for another week, now seems like a good time to talk about it. Also to have a chat about GrapheneOS going forward and whether I'll use it. When possible in this post I will try to defer to the official documentation. Things go fast in this space and any details here will go stale.
Before Installing GrapheneOS and Device Support
Before even attempting the installation I wanted to survey the applications I was currently using. So I went through each one and tried to put them into five different buckets:
- "Essential" apps that feel like a part of my daily life. In quotes because often they are not actually essential.
- Nice to have - apps I use pretty regularly, but I don't feel as attached to.
- Google - Google's various services
- Work - My employer uses Google Workspace and I have a couple apps in a work profile
- Private Space - the "Jail". Junk apps that I only need on occasion like airline, rideshare, and restaurant apps. When Private Space is off, the apps are all frozen.
My current device is a Pixel 9 Pro Fold. Here are the official docs on supported devices, but the short of it is Google Pixel devices 6 or newer are supported. This is because they are the only phones currently where you can install a custom ROM and relock the bootloader while still keeping verified boot with custom keys. I don't really see a single section in the docs summarizing this, but the whole general security and privacy section covers it in detail.
Different Users and Profiles with GrapheneOS
You'll notice I mentioned using work profiles before I installed GrapheneOS. Android supports having multiple users on one device. You have to use a user switch button in the pull down shade to change between them. However there is also support for "enterprise work profiles" that sit on top of a user, which I believe arrived in Lollipop (5.0). The pitch is you get isolation for your work apps from your personal apps without having to flip between users.
The mechanisms for this sit on both sides of the Android Open Source Project (AOSP) and the Google Play framework. More or less:
- DevicePolicyManager is built into the OS.
- All the pieces for creating and managing the user profiles are built into Play Services.
Based on what I could find out, this is mostly because Google wanted to integrate it with the Play Store for managing the installation and management of work apps.
So in GrapheneOS we have the DevicePolicyManager but not the Play Services piece. Even if you install Play Services you won't get this because of the sandbox GrapheneOS implemented (more on this later). This means you can't use a work profile like on stock. So you lose the ability to keep personal and work apps in a single user.
There are open source apps like Shelter, Island and Insular that interact with DevicePolicyManager to isolate apps into profiles in a similar way to how you would use work profiles. Privacy Guides' write-up on why not to use those apps explains it well, so I'll point you there to decide if you want to use them or not.
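To make the users-versus-profiles distinction concrete, here is an added example (not from the post or the GrapheneOS project): a small Python parser for the output of `adb shell pm list users` that tells full users (what you get on GrapheneOS for a separate "Work" user) apart from enterprise work profiles (what stock layers on top of a user), using the flag bits from AOSP's UserInfo.java. The sample output is constructed, not captured from a real device.

```python
"""Classify users vs work profiles in `adb shell pm list users` output.

Added example, not from the post. Flag bits follow AOSP's UserInfo.java; the
sample output below is constructed, not captured from a real device.
"""
import re

# Subset of UserInfo flag bits (frameworks/base, UserInfo.java).
FLAG_ADMIN = 0x0002
FLAG_GUEST = 0x0004
FLAG_MANAGED_PROFILE = 0x0020  # enterprise work profile
FLAG_QUIET_MODE = 0x0080       # profile paused (work profile turned "off")
FLAG_SYSTEM = 0x0800           # user 0, the Owner
FLAG_PROFILE = 0x1000          # any profile attached to a parent user

# pm prints one entry per user: UserInfo{<id>:<name>:<hex flags>} [running]
USER_RE = re.compile(r"UserInfo\{(\d+):([^:}]*):([0-9a-fA-F]+)\}( running)?")


def classify(flags):
    """Map a UserInfo flag word to the kind of user it describes."""
    if flags & FLAG_MANAGED_PROFILE:
        return "work profile"   # sits on top of a parent user
    if flags & FLAG_PROFILE:
        return "other profile"  # e.g. Private Space or an app clone profile
    if flags & FLAG_SYSTEM:
        return "owner"
    if flags & FLAG_GUEST:
        return "guest"
    return "full user"          # switched to via the user button in the shade


def parse_users(pm_output):
    """Return one dict per UserInfo entry found in `pm list users` output."""
    users = []
    for uid, name, flags_hex, running in USER_RE.findall(pm_output):
        flags = int(flags_hex, 16)
        users.append({
            "id": int(uid), "name": name, "kind": classify(flags),
            "admin": bool(flags & FLAG_ADMIN),
            "paused": bool(flags & FLAG_QUIET_MODE),
            "running": running != "",
        })
    return users


# Constructed samples: stock-style Owner plus a work profile, and a
# GrapheneOS-style layout with separate full users. Flags are hex without 0x.
SAMPLE_STOCK = "Users:\n\tUserInfo{0:Owner:c13} running\n\tUserInfo{10:Work profile:1030} running\n"
SAMPLE_GRAPHENE = "Users:\n\tUserInfo{0:Owner:c13} running\n\tUserInfo{11:Work:412}\n\tUserInfo{12:Friction:412}\n"
```

On a real device, feed it the output of `adb shell pm list users`; a work profile shows up as a profile attached to user 0, while a GrapheneOS work user is its own full user.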
For my testing with GrapheneOS I decided not to use those apps and see how far along I could get with just the Private Space feature that was added in Android 15. This is thankfully a part of AOSP and is now integrated into more and more launchers. I also wanted to test out having just a work user.
So yes, back to users. Here are the official docs on improved user profiles in GrapheneOS. There are a lot of features they implemented, so go read the primary source. The big one for me is notification forwarding. This means that if one user is in the background and gets a notification, you can still see it on your main user. If you are logged in as the main Owner user you can go into the system settings for users and choose which users get to run in the background, so this is also configurable. For example, if you wanted to get notifications from work related apps like calendar reminders.
Speaking of...
Work User, Web View, Vanadium
Slack usually requires Chrome for the Google login flow to work. Every time I've used it in a work profile I had to add Chrome into the work profile.
GrapheneOS already ships a custom Chromium fork called Vanadium that is also used as the system WebView in place of Chrome. It's a very nifty project. See the official docs for more details.
When I tried to use Google to log into Slack on GrapheneOS though, the login flow was broken. So I tested out installing Chrome on my Work user. That caused something called the "Trichrome library" to prompt for installation. This seems to be the default system WebView on Android. That attempt however didn't work, which is probably good since we don't want to circumvent Vanadium. What does work is using the option in Slack to log in with my workspace's name. That takes you to a page in the Vanadium WebView that you can then use to log in with your work Google account.
Work profiles require the Device Profile app to be installed. The app is supposed to make sure the device follows the security policies they set. Unfortunately I could not get it to work, which meant that apps like Google Calendar and Gmail did not work. This seems to be because privileged permissions are required. There is an issue covering this but it is marked closed. The good news is there is a recent and very active PR working on support!
One downside vs stock is that stock also has Digital Wellbeing which lets you set work hours where the work profile will automatically turn off. That is not a part of AOSP so we lose it. Luckily users on GrapheneOS have an "end session" button on the lock screen you can use at the end of the day to turn the work user off.
The Play Services Sandbox
Here are the official docs on Sandboxed Google Play. Once again, please read the official source because this is extremely interesting. The sandbox does provide an explicit choice for you to make with your device: by default the Owner user and any new users you make will not have Play Services installed. You have to decide to install Play Services through the "Apps" app that GrapheneOS provides.
Installing GrapheneOS and apps
Installing was actually pretty painless. I just followed the steps on the web installer in Chrome. Firefox did not work; I believe it's related to WebUSB. Much easier than the days of flashing with ADB commands.
Please read this though: installing GrapheneOS involves temporarily unlocking the bootloader. This means totally wiping your device. Please make sure everything is backed up. Part of why I went through all my apps and thought about them was to make sure I had a backup and restore strategy for any if needed.
One other note: GrapheneOS disables just-in-time compilation and instead only uses ahead-of-time compilation. This means app installation will often take longer compared to stock Android.
Lessons From Daily Driving
So now we are finally here. Talking about the actual apps getting installed. Initially I thought of listing out all my apps, talking about FOSS alternatives, etc but that seems out of theme with what I've written so far so I'll punt that to another post. What I do want to say is that I initially set up my device like this:
- Owner user, no Play Services. Installed all important FOSS apps through Obtainium.
- "Google" user, Play Services installed. Installed all apps that are on the Play Store only.
I figured this setup would not work well and people advised against it, but I wanted to see just how bad it feels. So here are some examples of why this was tough:
- I couldn't listen to podcasts/music and use Maps at the same time. My music is all self-hosted and Pocket Casts is open source, so they are on the Owner profile while Maps is on the Google profile.
- Visual voicemail for phone calls didn't seem to work unless it was on the Owner profile. However looking over the forums visual voicemail seems fickle in general. See Carrier functionality in the docs for more.
- Android Auto seems like it needs to be in the Owner profile to work, though I haven't been able to confirm this. See the usage guide on the official docs. GrapheneOS does some deep magic to make it work with Sandboxed Google Play.
- The only way to use RCS right now is through Google Messages. See this long issue thread on the Fossify Messages repo for why that is the case. I tried installing messages in the Google user and the app claimed RCS was enabled but it did not work. RCS does work when it is in the main profile.
What I settled on for now is this:
- Owner user with Play Services installed. FOSS apps and essential Google apps.
- "Friction" user with all the other Play apps I'm still evaluating.
I called it Friction because the act of changing users creates a tiny bit of intentionality where I get to think about whether I want to use those apps.
Categories of features
Another part of this experiment is getting a better understanding of what features come from where. My current mental model is there are three buckets:
- AOSP, as mentioned these are things in the base open source Android OS. All Android phones should have these.
- Google, things related to Google Play Services and the Play Store. Not all Android phones will have these but many will. Google has to approve devices for manufacturers to get Play Services. For example, Amazon's Android devices do not have Play Services. I also put in this bucket random Google-owned apps like Speech Synthesis Services or AICore.
- Pixel, which are only on Google's own phones. These are what Google talks up in the "Pixel Feature Drops".
I've noticed over the last couple years that Google's own language around these buckets is kind of blurry. I've been on Nexus/Pixel devices for a long time too so for me especially the features are all mushed together.
So anyways here's an unordered list of other things I've noticed these past couple of weeks relating to features that change with GrapheneOS. I've tagged them with the bucket I think they belong to when I can:
- (Pixel) No Now Playing ❌
- (AOSP since 14) Health Connect ✅
- (Google) Digital Wellbeing ❌ I think I could install this from the Play Store but I'm choosing not to. This means I lose things like Flip to Shhh, Bedtime Mode, and Work Hours.
- (AOSP) Night Light ✅ where the screen shifts towards red tones.
- (Google) WiFi password syncing ❌ where Google saves and syncs WiFi passwords between devices. My guess is this lives in Play Services but the sandbox protects us from this.
- (Google) Wallet NFC payments ❌ This is a big can of worms I won't open here, but basically Google prevents it. I believe passes might work but I have not tried.
- (Google) Passkey login to apps using a third-party password manager does not work unless Play Services is installed. According to this issue they do not plan to support that.
- (AOSP) ❌ The network connection symbols are the default generic names rather than the carrier-branded versions. For example I see "5g+" instead of "5g UC". Because OSS is awesome there is already an issue covering this.
Final Thoughts
This has already been quite a long post. So huzzah for more long form writing but I'll wrap up for now and talk more about app specifics later.
At the top though I mentioned the uncertain future of GrapheneOS and what my future plans are. Prior to today I felt I wanted to continue using GrapheneOS and thought the trade-offs were worth it. After today? Honestly I'm only more invigorated. This action from Google makes projects like GrapheneOS more important. Hopefully Graphene can get their own device in the future like they want and keep us free from enshittification.
Oh also I'm going to donate. If you give GrapheneOS a try, like it and are in a position to help out then I hope you do too!