Title: Introduction to GrapheneOS
Author: Solène
Date: 12 January 2025
Tags: android security privacy
Description: In this blog post, you will learn about the security-oriented smartphone operating system GrapheneOS
# Introduction

This blog post is an introduction to GrapheneOS, a security-oriented smartphone operating system.

GrapheneOS official project web page

Thanks to my patrons' support, last week I was able to replace my 6.5-year-old BQ Aquaris X, which had been successfully running LineageOS all that time, with a Google Pixel 8a now running GrapheneOS.

Introducing GrapheneOS is a daunting task. I will do my best to present the basic information you need to decide whether it might be useful for you, and leave a link to the project FAQ, which contains a lot of valuable technical explanations I do not want to repeat here.

GrapheneOS FAQ
# What is GrapheneOS?

GrapheneOS (written GOS from now on) is an Android-based operating system that focuses on security. It is only compatible with Google Pixel devices, for multiple reasons: availability of hardware security components, long-term support (series 8 and 9 are supported for at least 7 years after release) and a good quality/price ratio for the hardware.

The goal of GOS is to give users a lot more control over what their smartphone is doing. A main profile is used by default (the owner profile), but users are encouraged to do all their activities in a separate profile (or multiple profiles). This may remind you of the Qubes OS workflow, although it does not translate entirely here. Profiles cannot communicate with each other, encryption is done per profile, and some permissions can be assigned per profile (installing apps, running applications in the background when a profile is not in use, using the SIM...). This is really effective for privacy or security reasons (or both): you can have a different VPN per profile if you want, or use a different Google Play login, different application sets, whatever! The best feature here in my opinion is the ability to completely stop a profile, so you are sure it does not run anything in the background once you exit it.
When you make a new profile, it is important to understand that it is like booting your phone again: on the first log-in with the profile you will be asked the same questions as if you had started the system for the first time. All settings have their default values, and any change is limited to that profile only; this includes ringtones, sound, default apps, themes…

Switching between profiles is a bit painful: you need to pull the top-to-bottom dropdown menu down to full size, then tap the bottom right corner icon, choose the profile you want to switch to, and type the PIN of that profile. Only the owner profile can toggle important settings like the 4G/5G network, do SIM operations, or change other "lower level" settings.
GOS has a focus on privacy, but leaves the user in charge. Google Play and Google Play Services can be installed in one click from a dedicated GOS app store, which is limited to GOS apps only, as you are supposed to install apps from Google Play, F-Droid or Accrescent. Applications can be installed in a single profile, but they can also be installed in the owner profile, which lets you copy them to other profiles. This is actually what I do: I install all apps in the user profile, I always uncheck the "network permission" so they just can't do anything, and then I copy them to the profiles where I will use them for real. There is no good or bad approach; pick what fits your needs in terms of usability, privacy and security.

Just to make sure it is clear: it is possible to use GOS totally Google-free, but if you want to use Google services, it is made super easy to do so. Google Play could be used in a dedicated profile if you ever need it once.
# Installation and updates

The installation was really simple, as it can be done from the web page (from a Linux, Windows or macOS system) by just clicking buttons in the correct order on the installation page. The image integrity check can be done AFTER installation, thanks to the TPM features in the phone which guarantee that only valid software boots; this lets you generate a proof of boot that is basically a post-install checksum. (More explanations on the GOS website.) The whole process took approximately 15 minutes between plugging the phone into my computer and using the phone.

It is possible to install from the command line, but I did not test it.

Updates are 100% over-the-air (OTA), which means the system is able to download updates over the network. This is rather practical, as you never need to run any adb command to push a new image, which has always been a stressful experience for me when using smartphones. GOS automatically downloads base system updates and offers you a reboot to install them, while GOS apps are just downloaded and updated in place. This is a huge difference from LineageOS, which always required manually downloading new builds, and application updates were part of the big image update.
# Permission management

A cool thing with GOS is the tight control offered over applications. First, this is done per profile, so if you use the same app in two profiles, you can give it different permissions; secondly, GOS allows you to define a scope for some permissions. For example, if an application requires storage permission, you can list which paths are allowed, and if it requires contacts access, you can give it a list of contact entries (or an empty one).

GOS's Google Play installation (which is not installed by default) is sandboxed to restrict what it can do; they also succeeded at sandboxing Android Auto. (More details in the FAQ.) I have a dedicated Android Auto profile; the setup was easy thanks to the FAQ, as a lot of permissions must be manually granted for it to work.

GOS does not allow you to become root on your phone though; it just gives you more control through permissions and profiles.
# Performance

I did not try CPU/GPU intensive tasks for now, but there should be almost no visible performance penalty when using GOS. There are many extra security features enabled which may lead to a few percent of extra CPU usage, but there are no benchmarks, and the few reviews from people who played highly demanding video games on their phone did not notice any performance change.

# Security

The GOS website has a long and well detailed list of the hardening done over the stock Android code; you can read about it at the following link.

GrapheneOS website: Exploitation Protection
# My workflow

As an example, here is how I configured my device. This is not the only way to proceed, so I just share it to give readers an idea of what it looks like for me:

* my owner profile has Google Play installed and is used to install most apps. All apps are installed there with no network permission, then I copy them to the profile that will use them.
* a profile that looks like what I was doing on my previous phone: allowed to phone/SMS, web browser, IM apps, TOTP app.
* a profile for multimedia where I store music files, run audio players and use Android Auto. The profile is not allowed to run in the background.
* a profile for games (local and cloud). The profile is not allowed to run in the background.
* an "other" profile used to run crappy apps. The profile is not allowed to run in the background.
* a profile for each of my clients, so I can store any authentication app (TOTP, Microsoft Authenticator, whatever) and use any app required. The profile is not allowed to run in the background.
* a guest profile that can be used if I need to lend my phone to someone who wants to do something like look up something on the Internet. This profile always starts freshly reset.

After a long week of use, I came up with this. At first, I had a separate profile for TOTP, but having to switch back and forth to it a dozen times a day was creating too much friction.
# The device itself

I chose to buy a Google Pixel 8a 128 GB, as it was the cheapest of the 8 and 9 series, which have 7 years of support, but also got a huge CPU upgrade compared to the 7 series. The device could be bought for 300€ on the second-hand market and 400€ brand new.

The 120 Hz OLED screen is a blast! Colors are good, black is truly black (hence dark themes on OLED reduce battery usage and look really great) and it is super smooth.

There is no SD card support, which is pretty sad, especially since almost every Android smartphone supports this; I guess they just want you to pay more for storage. I am fine with 128 GB though, as I do not store much data on my smartphone, but being able to extend it would have been nice.

The camera is OK. I am not using it a lot and I have no comparison; from the reviews I have read, they were saying it is just average.

Wi-Fi 6 works really fine (latency, packet loss, range and bandwidth), although I have no way to verify its maximum bandwidth because it is faster than my gigabit wired network.

The battery lasts long. I use my smartphone a bit more now, and the battery drops by approximately 20% for a day of usage. I did not test charge speed.
# Conclusion

I am really happy with GrapheneOS; I finally feel in control of my smartphone, and I never considered it a safe device before. I never really used an Android ROM from a manufacturer, or iOS; I bet they can provide a better user experience, but they cannot provide anything like GrapheneOS.

LineageOS was actually ok on my former BQ Aquaris X, but there were often regressions, and it did not provide anything special in terms of features, except that it was still getting updates for my old phone. GrapheneOS, on the other hand, provides a whole new experience that may be what you are looking for.

This system is not for everyone! If you are happy with your current Android, do not bother buying a Google Pixel to try GOS.

# Going further

The stock Android version supports profiles (this can be enabled in system -> users -> allow multiple users), but there is no way to restrict what profiles can do; it seems they are all administrators. I have been using this on our Android tablet at home, and it is available on every Android phone as well. I am not sure if it can be used as a security feature as is.