Guide to Setting up a Graphene OS high security phone

This is a guide for journalists, high net worth individuals, targets of industrial espionage, human rights activists, and people interested in mobile privacy.
If you have an iPhone, we recommend following the steps in our "Internet Security advice for persons of interest" post to configure it more securely. However, if you want the maximum available security and privacy, there is only one choice at the moment – GrapheneOS on a Google Pixel series phone.
If you are new to Graphene, this guide will help you get up and running. It was a private guide for donors, but is now available for public benefit.
GrapheneOS is a high-security version of Android with a variety of really impressive security and privacy features and options, and it is easy to use. It can be installed without any Google apps at all, or it can run apps just like a regular Android device (but with higher security).
Grantee Naomi Brockwell has a great video series on phone privacy, explaining how to install GrapheneOS, how to set up the device, and which more privacy-preserving apps you can use instead of mainstream options. Her institute also has a Signal group dedicated to helping people with their installations.
Before we get started: What will I not like?
Three things might annoy you:
1) There's no device migration when you get a new phone (but I find it not to matter)
2) No Google Wallet (you can't add cards until Google accepts GrapheneOS devices)
3) You might have to fiddle with app settings to get some of them (about 5%) to work right
- To run your bank app or travel app, you might need to press and hold the app icon, tap "App info" and turn off exploit mitigations. Then it will run as normal.
- To run certain apps you might need to press and hold, tap "App info", then select Permissions and grant additional fine-grained permissions, or you might need to install and/or grant permissions to Google Play services.
- To get location to work the way it did on your Android phone, you may have to explicitly enable Google's access to your location in the location settings.
To get started with Graphene
- Obtain a recent Google Pixel device. Ideally purchase a Pixel-branded phone or tablet directly from the Google Store (if you purchase it from a carrier the phone may be carrier-locked. Verizon assured me it would not be, but it was). Using your existing phone is possible (but it is harder to migrate Signal).
- Take your computer, USB-C cable and phone and follow the GrapheneOS installation instructions. This took me about 10 minutes.
- Essentially all you do is enable developer options on the phone, turn on OEM unlocking, reboot into a special mode (the bootloader) and let the web installer do the rest. It's pretty easy.
- Note that this will wipe your phone, so it might be better to start with a second, new phone. Do not forget to back up your Signal message history, or keep your old phone working so you can transfer it to the new phone.
- Post-completion setup (what this guide is about)
- You can also go back to a regular Android install if something goes wrong or you don't like it.
Advanced questions? Official Chatroom: https://app.element.io/#/room/#grapheneos:grapheneos.org
Realistic Expectations / Disclaimer - These interventions can help you protect yourself from some amount of nation-state espionage and location tracking while traveling. If you are in a very serious situation, don't imagine you are anonymous to your country: cell towers know the location and subscriber of every SIM card. Unless you bought the phone anonymously, never connected to your own Wi-Fi during activation or setup, used a VPN router's Wi-Fi with a generic name at all times, kept location off at all times, never logged into any apps or accounts, and used a SIM not connected to you (and only while traveling), you will be known to your government. When you land at an airport and go through the two camera gates, a photo of you is taken along with your devices' digital signatures. Additionally, when using apps you will still need to consider what they are sharing.
Post Completion Setup
This part really depends on whether the phone is your main phone, which needs to run every program, or a special secure phone with minimal apps. Below I document what I did to make GrapheneOS work as a direct replacement for my main Android phone.
Pre-step 1: Back up any data from your old phone (optional):
For example
- I ran Google backup (Settings -> Google -> Backup),
- I manually ran the Google Drive WhatsApp chat backup (Settings -> Chats -> Backup)
- Note: to avoid losing your Signal messages you need to be able to transfer them from the old phone to your new phone, so do not wipe the old phone yet
- Make a list of apps you want or need to install on the new phone (optional)
Now that you have GrapheneOS installed on the new phone –
Step 1: Connect to wifi
Step 2: Install an App store (optional)
GrapheneOS comes with its own app store, which contains very little but keeps the secure apps bundled with GrapheneOS (Camera, SMS, PDF viewer, etc.) updated. One of the items in that store, Accrescent, is itself another app store with only a handful of third-party apps. There you can find Molly (one of our grantees), a security-hardened version of Signal, as well as a nice maps app, a great offline text-to-speech app, and a text editor.
If this is enough for you, then you are set. If you want to make it more like a regular, full Google phone, there are a few options.
Option 1: Feels like a normal Android phone – i.e. install Google software and log into your Google account. This is recommended if the device is your primary phone and you want it to be easy and familiar.
GrapheneOS apps are all black and white. Find the one called "Apps" and install the "Google Play Store", which will allow you to install Android apps as normal (but more securely). See https://grapheneos.org/usage#sandboxed-google-play
Then open the Play Store and it will ask you to sign in. After this you can download and install apps as on a normal phone, though in some cases they may need you to grant increased permissions to work correctly.
Ex. go to Settings -> Apps -> Google Play services -> Permissions and grant the special permissions (files, nearby devices)
Additionally, you'll possibly want to install the Google apps that came with your phone, like "Phone", "Messages" and "Contacts" by Google, from the app store instead of the GrapheneOS-provided secure apps, so that they will sync with Google.
Option 2: High-security profile options (only read this if you want to consider advanced things like no Google apps, separate profiles, etc. This is recommended if the device is a high-security phone with limited apps; otherwise skip this section and ignore the complexity)
The alternative to Option 1 is to use something like Proton Mail/Drive/Calendar and never use any of the Google services (Gmail, Google Maps, etc.) or the Google apps framework.
Second profiles: GrapheneOS supports multiple users and lets you hop between them easily, or even forward notifications from one to the other. This lets you partition all of your infrequently used apps into a silo with another password or PIN. I set up a second profile, which I can log into from the owner profile, for rarely used apps, without Google Play services installed. When I'm done, I log off and go back to the owner profile, and these apps are not running in the background, which preserves battery and increases location privacy.
This allows me, for example, to separate my two-factor authentication from my main login, so that one login doesn't hold the email recovery, the password and the second factor all at once. This makes it a lot harder to harvest all the credentials remotely in a single compromise. (More on second profiles later below.)
Google Play Store alternatives:
There are apps like Aurora Store, which gives you an anonymous login to download from the Google store, and Obtainium, which lets you update straight from the app developer's releases on GitHub or similar. There's also an open source app store called F-Droid, which has open source apps and connects to third-party repositories like https://guardianproject.info/fdroid/ – though it's probably less secure to use than the Play Store. You can also manually download and install apps via APK files. Or make your own app store!
Most, but not all, non-Google apps will work without Google Play services.
Step 3: Install the apps you need from the app store
In my case I downloaded Bitwarden / Proton Pass and Authy first, to make sure I'd have the passwords and two-factor authentication I would need to set up and log into other apps. If you are worried about security, you may want to delete them afterwards and put them on another device or profile, so that if this one is hacked the attacker will not get them. But during setup it's convenient.
After that I installed absolutely every app I would have used on my regular phone, to test them. Normally you'd think about minimizing apps for security reasons, but I wanted to know if this could fully replace my regular phone, and the answer was yes!
Remember: If an app doesn't run, press and hold the app, tap "App info" and turn off exploit mitigations. If an app doesn't work as expected, it may need more permissions.
Install rarely used apps elsewhere (optional)
I've since moved a lot of apps to a rarely used second phone/iPad, but you can also put them in a separate GrapheneOS user and hop between them quickly. Separation of concerns is a very important security principle. More on this below.
Go Deeper: Do I need to install all these apps?
Why not to install every app: https://theintercept.com/2022/04/22/anomaly-six-phone-tracking-zignal-surveillance-cia-nsa/
The most secure app is one you didn't install. There are also more secure app versions. Ex. Facebook Lite and Messenger Lite (where Facebook runs the app in the cloud) are hypothetically more secure than the full apps with all their code on the device.
You can audit the apps you want to install here for trackers: https://reports.exodus-privacy.eu.org/en/
Likewise, although I don't personally use them, many apps like Uber are also available as Progressive Web Apps. To see this at work, go to m.uber.com in the Vanadium browser (the hardened Chromium-based browser that ships with GrapheneOS) and add a shortcut to the home screen. Now you have a browser-based Uber app/icon. Lyft's is ride.lyft.com. I'm not going to say they are fully as good as having the app, but it's an alternative.
Step 4: Customize Graphene to your preferences
Make it as much like stock Android as possible (optional)
If you like to have a more normal or synced experience, as we mentioned you can install the Google Camera, Google Contacts, Google Phone, Google keyboard (Gboard), Google Calendar, etc. (see the notes at the end if you have issues)
VPN / Ad / Security Service
This will help protect your traffic by encrypting it and blocking malware, but may reduce your phone's battery life
- Proton VPN with NetShield ad blocker / DNS filtering etc. (free or paid)
- Mullvad VPN
- Calyx VPN (free)
- Cloudflare has some interesting offerings that should be investigated (see tunnels and browser isolation).
- A custom VPN can be set up with WireGuard, or a mesh VPN across your own devices with Tailscale
- Google One – Google provides a free VPN on Google Fi and with Google storage plans in some cases, though note Google can see all your traffic passing through it.
Backup
- Google backup doesn't work (but Google Photos backup does).
- There is a built-in GrapheneOS backup in its place. Turn on backup (to a flash drive or Nextcloud). Write down your 12-word backup code. I personally don't use it.
This area needs a little more investigation and documentation.
Dark Mode
I set my phone to dark mode and extra dim, and turn on the night light (amber at night) feature, which saves battery, is easier on the eyes, and limits the distance from which the screen can be read. I find the default jarring at night.
Battery Life Notes
It's worth noting that battery life is much better with GrapheneOS than stock Android, until you install Google services and a bunch of apps and they start polling for updates all the time. The only time it's worse is when the phone uses actual GPS instead of Google's network-based location service. GrapheneOS is building its own location service, which will be ready soon. You can turn off location in the top menu to help, or go back to using the Google service. 5G drains battery on all phones pretty aggressively. You can turn that off, as well as 2G, to reduce the risk of compromise from the cell network.
(if you are in a serious situation, take out your SIM card and connect via a hotspot or Wi-Fi).
Apps for poor Internet (optional)
In environments with poor internet you can use the Briar app. Poor service is very common in activist areas, as documented by NetBlocks, and in Ukraine (see WIRED's "The Last Cell Tower in Mariupol").
Apps for voice and video calls (optional)
There are voice and video solutions like Jitsi, BigBlueButton or Guardian Project's https://keanu.im/ that go beyond Signal and are more like Google Meet. Of course you can also just use Google or Zoom.
Add ons for extra security (generally not needed)
- Set fingerprint + code unlock (two-factor)
- iVerify Basic (free) for manual scanning
- Duress: secure wipe with a duress PIN/password at the login prompt (this is now built into GrapheneOS)
- Wasted: set a secret wipe trigger, etc.
- Sentry: set more advanced security settings
- Panic: Guardian Project's set of panic triggers, including Ripple
- Molly.im: security-hardened version of Signal (via the Accrescent app store)
If you are feeling more paranoid there are a raft of settings you can consider, like https://grapheneos.org/usage#lte-only-mode, and apps from Guardian Project like Ripple.
I've since moved a lot of apps to a rarely used second phone/iPad or profile. Separation of concerns is a very important security principle.
If you are in a serious situation, consider our "Internet Security advice for persons of interest" post to get the iVerify security software.
Set up multiple user profiles (optional for higher security, maybe don’t do it the first time)
This is an important concept to understand, however. In GrapheneOS you can easily add a new user with a different PIN code and hop between the two on your device. This allows you to isolate apps and settings for high and low security. Apps within one profile can talk to each other, but not across profiles. Ex. I set up a Finance user with my crypto and bank apps only (no Google services, no other apps). If someone hacks my messaging app, they won't see my banking info or my human rights work.
Ex. if I'm doing a high-security human rights task, I'll open a new user, do whatever is needed and then delete the user afterwards.
You can also use this for plausible deniability during a phone search (as we're seeing in Russia right now at borders), or to lend someone your phone for a bit by logging into a profile without your protected content and just 20 innocuous contacts.
Step 5: Connect to cell network (optional)
Connecting a phone to a cell network by setting up a SIM or eSIM makes it a lot less secure. At the very least it reveals your location to the cell carrier. For a high-security phone it's best to just connect over Wi-Fi with a VPN, via your main phone or a hotspot. But if you want to use GrapheneOS on your main phone, that works well too. In most cases GrapheneOS will just work with a SIM card placed in the SIM tray. To use an eSIM, there is a special eSIM setting you need to turn on under network settings when you request it, and you'll normally need a carrier app to get it.
Google Fi
I tested this by setting up Google Fi via downloading a new eSIM. Apart from the eSIM setting toggle in GrapheneOS (and turning it off afterwards), I needed to install the Google Fi app, the Google Phone app and the Google Messages app, and make sure they all had the right permissions (otherwise Fi sends you a data-only eSIM without voice). Google Fi makes some effort to protect your traffic from local cell networks.
Pay as you go
You can of course put a local, anonymous pay-as-you-go SIM card in your phone.
Portable wifi hotspots
In addition to regular mobile carriers, in the US and EU there are NGOs that will lease you protected / anonymized access points, which you connect to rather than having cell service on your device. This helps to avoid software like Pegasus. Ex. https://calyxinstitute.org/membership/internet
VIP / HNWI Cell plan
There exist high-priority cell plans with additional privacy and security features for corporate and high net worth individuals. For example https://xcapeinc.com/ and https://www.efani.com/blackseal . Do be aware that whoever your cell provider is, you will need to trust them with your location and data, just like your VPN provider.
Step 6: Note anything that didn’t work or get help
I got help fixing things I didn’t immediately get to work here: https://app.element.io/#/room/#grapheneos:grapheneos.org
And by searching for solutions in the issue tracker https://github.com/GrapheneOS/os-issue-tracker/
Reading the documentation on GrapheneOS is a great way to educate yourself on security topics.
Consider enhancements or customizations we can offer. We should consider funding an external audit of GrapheneOS if we are using it and recommending it.
Step 7: Decide how this fits into the rest of your life
Probably there should be one setup guide for GrapheneOS as a main phone and another for it as a secure activist phone, as these are fairly different concepts. But with this paradigm I have gone back to only using one device daily and carrying a backup device in my luggage that stays off and is only used for high-security things.
iPads, Google Chromebooks, and MacBooks with M-series chips can also run popular Apple apps for those with iPhone-specific app needs. Of the two, the iPad is the more secure platform, as it will not install custom programs. Google Chromebooks are especially useful when crossing dangerous borders, as it's very easy to wipe your device and log in again on the other side.
See also our Privacy Guide