alt Hacker NewsGrapheneOS – Break Free from Google and Apple
Comments
I personally tend to own two Phones. One all-day carry GrapheneOS device (Pixel 8) and an older WiFi and at home only iPhone for all payment and ensurance stuff.
This is inconvenient in some ways, but at least it is sort of privacy as good as it gets while still being able to run official apps when I need them at home.
To de-google the phone, I use F-Droid as primary App store, Aurora as fallback for non-f-droid Apps and as a last resort Obtainium to install Apps that are not in these stores.
The only google App I really "need" (kind of) is the Camera App, which is sandboxed via GrapheneOS Storage Spaces and without Network permission (why would a camera need internet?).
To backup my phone, I use the integrated GrapheneOS Solution (seedvault!?) for storage and apps, immich for Photos and MyPhoneExplorer for Contacts.
Sometimes it is a bit hard to find good apps for specific purposes, so for everyone interested, here is a list of Apps that I personally use or have used.
Newpipe - Youtube Client
Audiobookshelf - Audiobooks
Voice (PaulWoitaschek) - Local Audiobook Player
Substreamer - Music
DSub - Music (alternative)
VLC - Video-Player
Organic Maps - Google Maps alternative (not as good)
PDF Doc Scanner - Open Source Document Scanner
Wireguard - VPN
Immich - Photo Backup / Viewer
LocalSend - File Transfer
K9 Mail / FairMail - Email Client
KOReader - Ebooks
Binary Eye - QRCodes and Barcodes
Pure Todo - Self hosted PWA PHP Todo List
Signal - Messenger
Open Camera - Open Source Camera App"Break free from Google" and buy a Pixel phone from them to do so.
But unironically Pixels are currently some of the best actually open phones. They do not lock down or require shady practices for unlocking the bootloader (although they do require a network check once that happens automatically, but it will permanently allow unlocking the bootloader if successful once. Pixels are very easy to restore and almost un-brickable, allow bypassing the boot screen warning by pressing the power button twice, actually allow relocking the bootloader and don't void your warranty unlocking it, don't have a shady one-time fuse like Samsung phones do with Knox, etc.
And once you are on GrapheneOS, break free from your proprietary watch ecosystem and switch to GadgetBridge (https://gadgetbridge.org/)
I run a Thinkpad with NixOS and KDE, a Pixel 9 with GrapheneOS, and an Amazfit watch paired with GadgetBridge on my phone.
It's a testament to the hard work of the FOSS maintainers of these projects, and the spirit of open source, that everything works flawlessly together without any cloud service sucking up my data. For example, I can control youtube and music playback on my laptop with my watch because KDE Connect syncs my laptop and my phone, and gadgetbridge syncs the phone and the watch. The breezy weather app on my phone can automatically push its data to gadgetbridge which in turn pushes the data to the watch. And so on. So many little things, developed independently, working like a single well oiled machine.
Been running GrapheneOS for a while on a Pixel 9, and extremely happy with it! Apart from the usual perks of the FOSS ecosystem, there are a few things specific to GrapheneOS that are not immediately apparent but have turned out to work very well -
1. The Pixel camera app works, including all modes and settings. A camera that takes good photos was absolutely a requirement for me, and the FOSS camera apps are not quite as good yet.
2. I don't have Google Photos and the pixel camera app tries to launch google photos when you want to review the picture you just took. But there is a FOSS app called GPhotosShim that uses the same namespace as google photos and thus fools the camera into launching that app instead. Once launched, it just launches whatever media management app you actually have configured, so it's seamless.
3. Android Auto works!
4. Android QuickShare works!
5. NFC tags / Yubikey integration works!
6. Screencasting works!
7. Sensor access and internet access can be disabled for apps by default (and I do).
Been running GrapheneOS for about 18 months now on a Pixel 8 Pro. The banking app situation is genuinely better than the article implies. Sandboxed Play Services handles most major apps fine, including N26 and Revolut which I use daily for fintech work. The main friction is not apps but convenience features like auto-fill across profiles breaking if you use the separate work/personal profile setup.
What most people miss: the real value of GrapheneOS is not just escaping Google surveillance but the per-app network and sensor permission toggles. Being able to cut network access to apps that have no business phoning home changes how you think about every install. That alone is worth the switch.
The banking app compatibility issue gets framed wrong. The real problem is not "does Google Play work" but "does Play Integrity API work" - that is a device attestation mechanism, not a Google dependency per se.
Building fintech apps, we integrated Play Integrity as a fraud signal. Sandboxed Play Services on GrapheneOS actually passes most of these checks now, and false positive rates for legitimate users are negligible. The hardliners who refuse sandboxed Play can still use most banking apps that fall back to basic root detection rather than hardware attestation.
The real gap is NFC payments - Google Pay needs privileged hardware access that sandboxed apps cannot get. But that is one use case, not a reason to skip GrapheneOS entirely. Curve works fine in EU.
I've used GrapheneOS on a Pixel 3a, 5, 8 and 10 Pro so far and it's worked really well. I couldn't imagine going back.
The only things I'm missing (which don't exist in other OS'es either):
- Being able to configure contact scopes in such a way that the app in question only gets access to the phone numbers of the contacts belonging to the label I specified, e.g. "WhatsApp", nothing more. Yes, one can of course add contacts' phone numbers to the contact scopes "by hand" but 1) there is a limit on the number of contacts/phone numbers configured this way, and 2) AFAIK there is no way to back up that list.
- Being able to install browser extensions in Vanadium.
- Being able to configure multiple VPNs at once, e.g. for Tailscale, ad filtering, blocking HackerNews during times when I should be doing something more productive :) etc., especially since the Vanadium browser doesn't support extensions (see above). I was hoping that the Rethink app might implement something like this (https://github.com/celzero/rethink-app/issues/1047) but it doesn't look like it's coming and it'd probably be much better to do this at the OS level.
About his comment:
> Unfortunately, I must recommend Windows 10/11 here, because then you don’t have to mess around with any drivers; it’s the simplest option.
When I worked at Microsoft but ran FreeBSD at home, I often used my work Windows laptop to install custom ROMs. This is because FreeBSD was finicky with adb.
Now I run Fedora and the Android drivers are pre-installed. I installed GrapheneOS on both a Pixel 10 Pro (main) and Pixel 9 (spare) that way.
On Windows, I've had more trouble with Android drivers than I did on non-Windows.
This is especially interesting in regard to the recent HN dicussion on spyware by for-profit intel firms having access to Whatsapp, Telegram, Signal, etc. (https://news.ycombinator.com/item?id=47033976) through OS-level no-click hijacks.
I wonder how secure GrapheneOS is in that regard, and what the other contenders are?
I've been using GrapheneOS for about 3 years now. For the most part, it works very well. I don't have any issues with banking apps, nor any other closed source apps. I'm using two profiles both with sandboxed Google play installed. I'm logged in into my private Google account on the work profile.
However, there was one case that lead me to thinking about ditching grapheneos to this day. I installed Uber on my phone and I was able to successfully create an account and use it. When it came to booking a ride, the app crashed and I had to log in again. Once I did that, I was told that my account has been suspended for violating the terms of services. All I did to that point was creating an account and booking a ride. I was able to resolve the issue luckily after a few days and going back and fourth a couple of times with the Uber support, however, the risk of getting banned on any such platform is still risky, and thus I'm not sure if grapheneos is usable if you need to use such services.
It's a shame only Pixel phones are supported. I have PWM sensitivity and Pixel phones are notoriously bad for this, my eyes hurt when I look at one for more than 30mn. Due to the lack of good, secure alternative, I have had to give up on privacy in exchange for manufacturer updates.
GrapheneOS' approach is to focus more on security than privacy, because they believe increased security leads to increased privacy. Unfortunately, that means their hardware requirements pretty much limit the hardware that you can run it on (currently only the Pixel phone range). Worse, it also means they stop supporting a device when it reaches End-Of-Life as software security updates stop for it (see How long can GrapheneOS support my device for? - https://grapheneos.org/faq#device-lifetime ). Sad though - GrapheneOS on Sony Open Devices ( https://developer.sony.com/open-source/aosp-on-xperia-open-d... ) would have been nice.
This is the phone version of saying “the power utility is an evil awful monopoly that treats me like shit, so I’m gonna get solar and batteries and go off grid.”
It’s cool it’s possible, but it’s not practical for most people.
While I admire GrapheneOS and its goals, I feel that until we free the proprietary baseband processors and their RTOS from the grips of Qualcomm and friends it's a pyrrhic victory, at best.
> For me, it works like this: on the Owner user, because that’s the name of the main account created automatically with the system, I installed the Google Play Store along with Google Play services and GmsCompatConfig
Many people here might recoil at this: to go through the trouble of de-Googling your phone and then just install Google Play services and the Play Store, but the important part is that it is a choice they could make.
Pixels are arguably the best option for software choice among mainstream phones (and iPhones are the worst), but both are a huge regression of choice compared to traditional personal computing platforms.
I use and appreciate GrapheneOS due to it being one of, if not the best, option we currently have.
That said, I do not like how much the project depends on Google.
- GrapheneOS is based on Android, which is solely developed by Google.
- GrapheneOS only supports Google Pixel devices. Thankfully, they are working on partnering with a different manufacturer, but details are still very limited.
- They recommend using the Google Play Store (requires a Google account) to get apps and recommend against using F-Droid.
- Their Vanadium web browser is based on Chromium, which is controlled by Google. It also does not have an ad blocker or support extensions. They recommend against using Firefox. Firefox, and Safari to a more limited extent, are the only web browsers keeping Google from having complete control over web standards and the way we can access the internet.
This is not a criticism of the GrapheneOS project or developers. I understand that security is the biggest priority of GrapheneOS and I understand that Google is often good at security. They are following the goals of the project. It is more directed towards the GrapheneOS community that often blindly recommends GrapheneOS as the only option and treats any alternative as inferior and not to be considered. Most users do not need security at all costs. Especially among the free and open source enthusiast community, freedom and user control are often prioritized. There should be more awareness and discussion about what the user wants and whether that actually aligns with the security-first goals of GrapheneOS.
Break free from Google*. As long as you buy a Google phone. I really want to use it, but the Pixel only requirement is a deal breaker
One of the only big downsides I've noticed with GrapheneOS is that several banking apps don't work with it at all thanks to being tied to Google's verification ecosystem.
Luckily I have hardware 2FA keys from my bank so I can authenticate using that. It also slightly decreases the suck-factor from whenever the phone decides to fly off down a drain. This may not be the case for you, so do your research on what you need for daily living.
The biggest hold-back for me is that, here in Australia, Google Wallet (aka Google Pay) is the only way you can do tap credit card payments that I know of. Can't with Paypal. Not with any banking apps that I know of.
It's just so damned convenient. And the recording of transactions on the phone saves me having to collect paper receipts.
One thing that is a game changer on GrapheneOS is the network toggle for apps. Turn off network access for your keyboard, camera app, calculator, files, etc.
We need Linux OSes and phones to catch up to really break free from this duopoly. Only when there is enough traction, essential infrastructure like banks will start supporting Oses like that. It's a chicken and egg kind of problem.
Until these OS also start putting forward something like WebOS that tried to get phones back to on open web, there is no breaking the binary format and Appstore monopoly.
I wish Europe would have forced that 10 years ago since the US is beyond saving.
The main problem with the Pixel phones, along with most Android phones these days, is the lack of a μSD card slot and a 3.5mm headphone jack. When I recently had to purchase a new phone, I had to go with a Motorolo G, as it had both of those features.
Does anyone have a good grasp of the differences between GOS and /e/OS? I'm buying a Fairphone soon and was wondering what both are like
As a long time iOS user, I now mainly run Graphene + GadgetBridge with a helio strap. Pretty nice and private setup.
My running watch is from a chinese company that I do not trust, so I lock down the permissions quite far. I like that Graphene lets me control the network permission and have offline maps that cannot report anything external.
Overall the most annoying thing is not being able to iMessage... I moved who I could over to signal.
Also the battery life is amazing because I keept restricting apps from background usage and the defaults already do a good job of that
"Break free from Google ..." by purchasing Google hardware and using [software "based on"] Google software
Is it really "breaking free" from a company if the method of "breaking free" requires continued cooperation from the company
This is not to suggest using a modified version of Android isn't useful. This comment is not about GrapheneOS. (But there will be HN replies that will try to redirect focus to it anyway.) This comment is about claiming it's possible to "break free" from something while still remaining inextricably tied to it
In addition to using a custom ROM, there are methods of stopping the Pixel's attempts to "phone home" to the company that work even with the version of Android pre-installed by the company intact. However if a method requires software, e.g., drivers, or is "based on" software controlled by the company, then ultimately the company holds the cards. IMHO, this is not what it means to "break free"
Perhaps the most reliable method of stopping these connections to the company is one that does not rely on cooperation by the company. This is because if the company decides to stop cooperating, the method still works
Let’s just say, it took a while for the Stingray to get in while moving at 70mph. But it got in when it’s 0mph
FYI: Google Fi + GrapheneOS doesn't work. My son recently tried setting up GrapheneOS and got everything working but couldn't get connected to Google Fi to work, even with a SIM card.
The list of open source apps in this article was very informative and something you can benefit from even if you don't use GrapheneOS. Many of the apps listed I hadn't heard of.
Switched to this from Apple a year and a half ago. Works for most things. Unexpectedly, replacement apps lack polish. Also, RCS works very inconsistently (been without it for months), seems to be Google's fault. There may be workarounds, but I haven't had the energy to try the more complicated suggestions.
I am probably going to switch back to a used old iPhone for "phone appliance" tasks, but keep around the Pixel for other things.
My main takeaway from the experience is that iMessage is an even bigger weapon than I thought.
How is it a break from google/appple if the only supported devices are Pixels? I can't use my sony or other vendors hardware at all.
Are there valid reasons to only support pixels?
It's not breaking free from Google, but pretending it does not affect you. You are still at mercy of app developers and Google which may introduce some changes that will affect you. Additionally you never know what will work or stop working.
What about device attestation? Will you be able to run banking apps and Netflix et. al.?
For me the biggest concern is that while you may be able to use and run your own device, you will be locked out of most propietary services. Much like how more and more websites simply don't work with Firefox anymore.
Does anyone have an answer to the problem of an OS for a laptop? I'm thinking about strong security here, less so about privacy (which is doable, for example via a Linux distribution).
Been using GOS since roughly 2020. I refuse to use a Phone without GOS on it. It's been amazing.
I've been using /e/OS for years. Since 2025 I'm on Pixel 9A and GOS. It's excellent. Everything I need works great. Updates are so frequent. Attention to details regarded to security is amazing. My favorite mobile OS.
I wish there were a good iPhone Mini sized phone I could install GrapheneOS on.
Switched a couple of weeks ago and works perfectly. I also found so many better apps that dont steal your data for basic stuff like weather, notes, messaging,...
> "Perplexity - I switched to Gemini, but I confirm it works"
Oh the irony.
Wallet Apps and Tap-to-pay do not work. Even got banned from PayPal. Android needs an architectural change from the ground up.
How does this break free from Google? Isn't the Android that Google themselves writes and maintains the upstream of Graphene? Are they going to disconnect completely from upstream Android or something?
Should be noted that in order for OEM unlocking toggle to work, you need to turn on WiFi and connect to the internet.
I had a Pixel 6a with Graphene OS for a year before the phone started to glitch and eventually die. It ran pretty hot; sometimes it was hard to even hold the phone in my hands without burning myself.
I could not get a replacement as I bought the phone in a foreign country (Google doesn’t sell Pixels here in Brazil).
So as much as I love the idea of running a more private phone, I found the hardware extremely fragile and poorly designed, so I will not buy from them again anytime soon.
Do they just not have ANY screenshots of the OS anywhere on the web site
I've been using it for more than 2 years, and I can't think of ever going back to a stock OS. I had to send my phone for a screen repair, in the meantime I picked up my old Samsung, and the sheer amount of apps I didn't want, notifications and dark patterns to tricking me into handing over my data made me anxious. I couldn't finish setting the phone up and drove to my parent's home to pick up their old, remotely nerfed by Google, Pixel 4a so I could install GrapheneOS into it and use it while I waited for my repaired Pixel 8.
Google is so much engrained in our lives that we can't really break free. You can't just don't use youtube and for that you need a google account.These projects are nice and good for tinkering, but can't use this as a dialy driver.
Been using this for about a year on a p9 pro. It works very well. I hear the google tap to pay does not work, but I've never tried it. However Vipps with their tap to pay works fine. BankID works but not with biometric login, which some things require IIRC. And for some reason DnB private works fine, but you are not allowed in on the corp app.
It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro, crazy that they trust me since it is not Windows - the truly secure OS!
Knew about those things before I started, so all in all I'm pretty happy. I'd recommend NOT using different users for different things (I started with banking etc in one profile, that ended up being a huge PITA and according to their docs it is mostly security theater anyway). Happy tinkering!