Setting up GrapheneOS the 'right' way - looking for suggestions

Preface:

  • Trying to switch away from iOS after having only iPhones ever since the 4th version. It was never about being fancy, trendy or whatever else; they were better built than most stuff around and were positioned as privacy oriented.
  • For a while now Apple has shown that privacy is a nice label, which they don’t fully intend to uphold; however, all that I’ve heard about Linux phones is that it still isn’t a nice experience for a day-to-day on mobile.
  • So I posted here on the forums a couple of days ago and was pointed amongst other options to GrapheneOS, which in its description is exactly what I’m looking for - a privacy oriented mobile OS that has access to any app an Android phone would, without the bloatware that Google and other ‘friendly’ companies so generously install on the device that you pay them for…
  • I installed GrapheneOS and it works smoothly.
  • Hardware that I have is a Pixel 3 phone.

The area where I’m looking for opinions/advice/suggestions:

  • I am looking for a balanced secure setup with the functionality I need:
    • what stores to use for what software
      • whether it be F-Droid/Aurora Store, sandboxed Google Play services or going for the APK files directly
    • should I set up a work profile (as some suggested)
      • and have Aurora Store and F-Droid for the personal profile and sandboxed Google for the work one.

What I’ve tried so far and why I am looking for a better way:

  • I installed a work profile with an app shelter and set up Play services there, whilst personal had F-Droid and Aurora Store.
    • why I need Play services - Pixel camera app (I’d like to use the Pixel camera benefits for family photos), Google Maps and Threema messenger (paid app tied to the Google account)
  • I also installed Signal in the work profile so that I wouldn’t run into issues with notifications not coming in instantly if Signal is installed through Aurora (which happened when I tried to set up without sandboxed Google (although I checked the battery usage to unrestricted)).
    • Signal was working fine except for 1 hiccup - I couldn’t figure out how to change the notification sounds. I could change them in the settings, and it would show the changes saved, however when receiving the notifications - both phone and messages - the sound would be default.
    • I decided to reinstall Signal again through Aurora and check if I might have missed something on the side of notifications, but after the installation when trying to register it keeps giving me an error regarding Google Play Store (which is still running in the work profile; the Signal client in the work profile was deleted and all the cache from Google core services was cleared, the device rebooted).
      Which brings me to the idea that the work profile isn’t as isolated because the new Signal installation from Aurora Store in the ‘personal’ section can see something from the leftovers from the original Signal installation from the sandboxed Google from the ‘work’ section.
      And running Signal in the work section was working fine except for the damn notification sounds which didn’t want to switch at all.
  • So now I want to reset the device and set it up in a more logical sense. I would go straight for the APKs of the files, but when I did so for Signal and was looking to check the sha256 I discovered that I’d need Android developer tools installed to check it, which I don’t need, and installing additional software on the computer wouldn’t be my first choice. But even bigger issues with APKs - you can’t find APKs for everything and I’d rather be consistent in my installation methods.

Apps that I need fully functional:

  • Google Maps
  • Google Camera
  • Threema
  • Signal
  • Proton
  • WhatsApp

Everything else is secondary and easier to figure out along the way.

How have you or would you do the setup?
How much info can Play Store get on your device while being sandboxed?

The post came out to be pretty long, thank you for reading and for your time.
Cheers
