This was a very needed intermediate level GrapheneOS tutorial. IT's easy to install GrapheneOS and blindly trust all of the defaults and not take full advantage of the privacy and security features. I learned a few things and changed my phone settings in a couple of places to tighten security. The video seemed to show how to have the most private and secure phone-centric life with many apps installed and a lot of phone activity. I have a different approach. I have very few apps on my phone to reduce the threat surface. I don't do any banking or payment using my phone. I use the phone for calls, texts, Signal secure texting, and the occasional web browsing or video watching.
Thanks for your feedback! Very interesting! I work in the internet space and use lots of tools. So this is geared towards being able to use various apps in an as secure way as possible. Not using the apps in the first place is the better way to go, but not everybody can. Cheers for your feedback! The next video will be about making your own private VPN.
This was extremely comprehensive and VERY easy to follow. Your pace was a good balance between speed and clarity. I followed everything except I opted to download .apk files direct from source.
I just got my new phone and installed Graphene on it and it's thanks to videos like yours that it's been smooth sailing up to now. Thank you very much!
I am slowly getting up my courage to install GrapheneOS on my phone. This video is a great resource and has added to my confidence. I haven't actually watched the install video yet, but I will now.
how do you logically separate between profiles? do you keep the Admin profile empty & use another profile like your "me" profile as your main use profile? Do you install neostore & aurora store in each profile separately? or conversely do u keep neostore & aurora only in your main or Admin profile , download required apps there & then copy the apps to other profiles? how does this work if the app needs Google play services but the downloading profile doesnt have google play services?
@DigitalIndependent I'd be also interested in what @acespade987 mentioned. And by they way, as @mistawinta asked below, any idea why Neostore hasn't been updated in a year? Is it still the way to go for apps? Thanks a lot in advance. Best regards
You are asking the right questions :) I install aurora and neo afterwards on the various profiles and add apps per user later on. This was just a shortcut to get the first set of local users up and running without having to duplicate steps. Should have mentioned that though :)) For apps requiring google play services: they are sandboxed and have reduced privileges in graphene. So I try to group apps into two additional users: one profile that really requires Google stuff (navigation mainly, but also meet and others) and one profile for specific apps that need Google play services (that’s a few banking and business apps). If you play games, then that would be a separate user, because I inherently don’t trust game developers security practices.
You are asking the right questions :) I still use neo store, it just pulls the f-droid stuff and presents it in a nicer way. Since I do updates and maintenance only once or twice a week I usually switch off the „install apps“ permission for these when I am not using them. Not sure, if you get a notification for my other comment, so here’s my answer: I install aurora and neo afterwards on the various profiles and add apps per user later on. This was just a shortcut to get the first set of local users up and running without having to duplicate steps. Should have mentioned that though :)) For apps requiring google play services: they are sandboxed and have reduced privileges in graphene. So I try to group apps into two additional users: one profile that really requires Google stuff (navigation mainly, but also meet and others) and one profile for specific apps that need Google play services (that’s a few banking and business apps). If you play games, then that would be a separate user, because I inherently don’t trust game developers security practices
What happens if I have a messenger app on a separate profile and receive a notification there? Will I be notified while I am logged in with another user profile? If yes, clicking on the notification will open the chat on the other profile where the messenger app is installed?
SMS: no idea. Probably some app that allows you to export them. Have a look in the neostore. Contacts: those can be exported and imported. But I host my contacts in a nextcloud and sync them via CardDAV. That’s one of my planned videos
Awesome video. New to graphene and this has opened my eyes to the possiblities. Can I still use music apps like Spotify and Apple Music and should I add them into its own profile? Thank you for the help - new guy 😂
How do the user profiles work? Does it work like Samsung's Safe Folder? (Get notifications, and quickly switch to apps in other profile from the drawer/open apps menu)
Very much agree on your choices and like the way you present and explain, thanks! Yet, one thing I'd love to better understand is under which profile you install apps; do you tend to do this as owner and remove the ability to install apps in all other profiles? And have you come across a reliable and pricacy firendly profile switcher that you like?
You can switch profiles by simply pulling from the top twice: once to see the controls and again for the extended version of the controls. Bottom right is your profile Switcher. I have one profile for everything that absolutely need google, one for private surfing, one for kids and one for work. All with their own apps.
@@DigitalIndependent Thanks for pointing that out. I am aware of the regular method to switch profiles, not too complex but yet I thought there might be some kind of shortcut. For the second part, this was clear to me from your video. Yet I wondered if you you install them from within the individual profile OR if you remove the ability to install apps for the less priviledges profiles and use the Owner profile for installation and then make them available to the respective profiles. Maybe in the end this would be the same from a security perspective, I don't (but would love to) know.
How do you suggest maintaining contacts? Currently I have two phones for personal and another for work. If I combine them both into a single GrapheneOS phone - should/can these be on different user profiles? Or might I have to setup a contact group?
Thank you. Very good video from all aspects. I have a problem with the user profiles. Many recommend leaving the primary (owner) profile clean or just for installing apps and pushing them to secondary profiles. Then having several secondary profiles (as you suggested) for various scenarios and ..... then having the daily driver (like your "me" profile) having most apps with google play services off ... but then many of the daily apps dont function (bcs they need google services or like need the WhatsApp backup from Google drive). My question: is it still more useful to use the sandboxed google services on the daily profile anyway?
Maybe I missed it, but how do you split the app install across the profiles. Do you have anything installed on the "admin" profile? Do you install apps with the "me" profile primarilly? Where do you use the app services, only in the "googleshit" profile or in all of them? Thanks for the great tutorial.
I install the most common apps across all profiles in the admin/owner profile. Then I can transfer these app installs to all other profiles under „manage users“. Then I delete them from the owner profile. In every single profile I separately install apps. Googlesh*t is a profile where the few apps run that insist on Google play services. They are sandboxed there. Usually navigation and all E.V. related apps
@@DigitalIndependent Aren't the Google Play Services sandboxed regardless of where installed GoogleSh*t or Owner profile? Does 'Sandboxing' stop an app from communicating with other apps? I thought that was the definition but I hear others - that make great videos like you - saying that you use the user profiles to do that. In that case the user profile IS the sandbox. Is this correct?
You can have completely different apps on each profile. Some apps even create problems, if you install them later on a different profile. F-Droid is an example for that. Better use the alternative I described.
@@DigitalIndependent I followed your neostore advice but couldn't locate Aurora store within it, using the search function or filtering alphabetically. Has it been removed from the neostore?
The neo store just does not work on mine, it just shows Battery Optimization and Permission to post notifications only and no way to get rid of them, any idea how to solve this?
Hi there. Thanks for the time you invested in the making of this video. I installed my GrapheneOS on Google Pixel Pro 8 at the beginning of the week, which was quite a challenge (more of a PC kind of guy). Now, I've invested tons of hours already, to get some basic functionality back (e.g. Contact sync) and still struggling with selecting a calendar app (about to try Etar or aCalendar). Now, the profiles ID I understand perfectly. Alas, I learned about it just now. I did activate the multiple user option and I THEN set up a PrimaryAdmin second account. Key qustion: can I still make this my real Owner Profile, as, OFC, I don't want to reset the phone again once more. OR: can I "clone" the Owner Profile (and then, alas, remove all the apps I have already installed)?
Question, if I may. Doesn't metadata negate some of the isolation and privacy? Also, and pardon me if this has been answered in another video, has anyone carried out independent tracking checks after base and modified installations? The reason I ask relates to the aforementioned.
Is there something like a false PIN login? Like if you type in a different pin code it logs you into another sandboxed account, can be good if you’re in a situation like journalists and less privacy respecting country, or criminals, or an exceedingly overbearing parent. All the data saved and stored in one account and one seemingly innocent false account no one bats an eye at.
I don’t think there’s much difference because carriers are usually some kind of „critical infrastructure“ and thus fall under special legislation. That usually hits all of the carriers. So choosing wisely isn’t going to help that much. A much larger impact would be using a good VPN for surfing. That’s why my latest video was about securing a simple and cheap VPS (virtual private server). As soon as you have that, you can configure a VPN on it (that’s one of the next three videos coming up). Do stay tuned :)
The first 16 mins is this intended for the primary/admin user account or done on all user accounts? If set on admin user will it carry over to secondary user accounts?
I usually install the apps on the admin user, then transfer them to the other users and delete them from the admin. This saves time, but only if you intend to have some apps in multiple local users. Otherwise just run through this on a per user basis
Thank you for this video! I'm confused about the difference between installing and using google play store with a throwaway account and permissions locked down, versus installing the Aurora store and using that with a throwaway account. Why is the Aurora store the preferred approach?
Lots of little benefits, but I wouldn’t call them big: 1. purity: the play store app never even touches your phone 2. obscurity: who know what security issues might come up in the future. Not having the play store App might just mitigate in some imaginary scenarios. 3. showing Google that we want more freedom. The EU is forcing side loading soon anyway, but it’s still a statement. 4. supporting Aurora by using it. 5. my main reason: I don’t have to rely on GrapheneOS or me having locked down the Play Store App properly, because it’s not there :)
@@DigitalIndependent I saw, in this video, on your Primary user account (red) that you had Google Play Services installed. But I believe, in a comment you said that you only put them on the google profile. ... Confused. Do we know if deleting these services really wipes them off?
When you set up storage scopes the app is already installed. (???) Does that mean that the folder you specify is a user-data only folder (not the app itself)? I make these changes but just don't get to see the effect.
This is my question as well. He responded to a different post that he makes them only where he uses them. I did post a question to see about a different way. - putting everything under the owner but then turning off network access for owner and using it to push apps out to users. We shall see if he responds.
Is there any analysis video of this operation system? It's nice that everyone repeats the same buzz words privacy and open source but i was wondering if anyone actually read the code and checked if there's nothing suspicious there. And also how can you make sure the web installer install the same open source code and not something else?
Isn't it better to retain the owner user to install apps (with zero perms), and share them down where needed, rather than install apps on sub-users...?
What if you still need Google apps for work purposes? Does it defeat the purpose even if we run it on different user profiles? Is it still better to use graphene even with a work user profile with outlook, slack, whatsapp etc. or does it defeat the purpose and should I stay with iphone?
I isolate all Apps that need Google in a seperate profile and this doesn't run in the background. And I have started phasing out many apps that rely on Google. You'd be surprised about the quantity and quality of Apps on neostore/F-Droid
the elephant in the room is what to do for a navigation app on a privacy fork of Android, such as GrapheneOS (great video, BTW - a nice follow on would be a video highlighting various apps that are likely to be needed by most users - I have a fav note taker app, 2 factor authentication app, bar code scanner app, the whole subject of VPN, perhaps email clients - use Proton Mail myself, secure chat clients as alternatives to just using SMS, etc., etc., etc.)
@@JohnDoe-iv5ns I use Standard Notes, which recently got acquired by ProtonMail guys, which I also use. I use it on my personal Linux PC and laptop and my Windows work laptop and can, of course, keep notes synced across all devices.
Very interesting ideas! Personal VPN is coming up next. Casual navigation is doable, but for professional travellers it’s very lacking. App recommendations is great, I have started the script on that.
Not much. Random MAC addresses in the setting for that specific WiFi and set your own dns, maybe Quad9 or another public dns server. But the traffic is going through that WiFi, not protected by a vpn. So that’s inherently un-private.
Half and half. Apps really don’t read each others files and data. Since the apps are one of the greatest potential vectors for snooping and siphoning data I’d say that’s a very good baseline. There are occasional holes in the separation, which are mostly upstream bugs in Android. The media player card currently bleeds out into other profiles‘ notification centres. But that’s mostly it. Do you have a link to the thread?
@@DigitalIndependent my comments are not being posted - weird. Here is someone from Graphene forum: Unlike Qubes where VMs provide the security boundary, in Android user profiles are separated via SELinux MLS (multi level security). Apps with a targetSDK of 28 (Android 9) or later also have their sandbox enforced by SELinux MLS. Any exploit that could cross the boundary between apps would likely be capable of crossing between user profiles
@@abexman yes. But SELinux exploits are rather rare. And that’s more like the persistent advanced threat actor that gets to use those. Separation is more against the abuse of permissions and being able to selectively delete a partner your digital life
Nice interesting video, I'm totally new to GrapheneOS and this has been a very good introduction. Do you know if Graphene lets you run alternative launchers? I quite like the Trebuchet launcher used in LineageOS.
Thanks so much for stretching what to do after the installation. So many helpful hints and tips. Any insights or thoughts on DNS services? I have heard to better use a secure protocol and connet with one which refuses censorship. Kind greetings from Düsseldorf.
Thanks! That is the topic of the next video: your own (self hosted) VPN for private surfing. Ich hoffe die Zahlen in deinem Profil sind nicht politisch gemeint.
@@DigitalIndependent It never worked for me as it doesn't find any devices. E.g. I was trying to Screen cast to my Samsung QLED TV. Works with every other Android Phone, just not with the Pixel running GrapheneOS 😥
Didn't work for me. Even re-flashed back to droid and tried again. Tried cables too. Giving up or trying to find someone who can help me near where i live.
I had it work from my PC on a brand new Pixel then in a few days tried it again (different brand new pixel) and it didn't work. I had to take the cable to another PC and then it worked. I blamed my PC port.
Its so amazing how well graphene os works. Does anyone have a tip how I can improve GPS? It just takes many minutes until I find my location, because there is no WiFi location turned on. But even if I turn it on and set location services to Google, it does not get faster.
I guess I would make a good criminal because every time I register a fingerprint on any device it works for a few weeks and then doesn't work anymore. I have tried different fingers in case forefinger gets more callused or something. No joy.
It's pretty high. Seems like 32. A content creator "Naomi Brockwell TV" goes over this. I just saw that it was plenty accounts even if each app went under it's own user account.
Damn all I want is for google and Samsung to not collect mountains of data on me 😭 Still fire video, very informative + i now feel like Edward Snowden LMAO
Yes. Your own VPN is coming up. Had to re-do the whole video because the maintainer of the easiest but also safe way noped out and nobody has taken the reigns. So the original video got useless.
Too many things to consider when trying to secure phones, laptops, desktops, browsers, and so on. And you have to review security implementations on a regular basis because some apps can become rogue or there are better ways to secure everything or there is some new exploit. I think we're fooling ourselves into a false sense of security. That said, I have bought a Pixel 6 Pro and installed graphene on it. Too bad that a lot of phones can't be rooted so that an alternate OS can be put on it.
Good question. The pixel has acceptable global sales numbers and it’s a vanilla version of Android, without additional vendor changes like in Samsung. It just seems to be the obvious choice…
I JUST LOST A YEAR OF IMPORTANT PHOTOS!!! BACKUP FIRST!!! I guess I only have myself to blame really; but I watched 5+ long videos about GrapheneOS and installation walkthroughs, and I guess I still somehow just missed the memo to make sure your phone is COMPLETELY BACKED UP (PHOTOS, files, anything that you would lose if you could push one “wipe phone” button on your phone). Do not do a single step of installing GrapheneOS, before making sure you haven’t forgotten to backup EVERYTHING. RIP Dad, RIP Lily, RIP Patches; a year of saving things through pictures and screenshots gone, a year of a lot of photos of myself that now, I just won’t have a year of my life to be able to reference or look back at; just a year that I’ll pretend I was blackout drunk literally every day, because I literally have no other way of verifying that that year even happened tbh. Poof. RIP me
I had to laugh when I saw your user profiles because I toss all my Google apps into a folder called Google shit also lol I have been using a zte blade I've moved back to an older device because I pretty much stipped everything off it you might say it's a smart phone that's been rendered dumb its for texting and calls only so far if I brick the zte I don't really care it's basically a shitbox but will be fun to play with a custom ROM
Thanks for pointing that out! I would suggest isolating the private stuff in one user account that doesn’t unlock with a fingerprint. Maybe call it something harmless like „kids“ or „drug trade“.
Can I install graphene OS en this device? Device Information App Version 7.1-rc1-release Version Code 96 Device Manufacturer realme Device Name RMX1931L1 Device Model RMX1931 Device Brand realme Android Version 11 CPU Arch aarch64 Storage Total 108.19GB Storage Free 90.24GB RAM Total 7.32GB Is Device Rooted false
This was a very needed intermediate level GrapheneOS tutorial. IT's easy to install GrapheneOS and blindly trust all of the defaults and not take full advantage of the privacy and security features. I learned a few things and changed my phone settings in a couple of places to tighten security. The video seemed to show how to have the most private and secure phone-centric life with many apps installed and a lot of phone activity. I have a different approach. I have very few apps on my phone to reduce the threat surface. I don't do any banking or payment using my phone. I use the phone for calls, texts, Signal secure texting, and the occasional web browsing or video watching.
Thanks for your feedback! Very interesting!
I work in the internet space and use lots of tools. So this is geared towards being able to use various apps in an as secure way as possible.
Not using the apps in the first place is the better way to go, but not everybody can.
Cheers for your feedback! The next video will be about making your own private VPN.
This was extremely comprehensive and VERY easy to follow. Your pace was a good balance between speed and clarity. I followed everything except I opted to download .apk files direct from source.
Thanks for the feedback! Very much appreciated :)
Though about that as well. How does this work with updates? Do you have to maintain everything manually?
I just got my new phone and installed Graphene on it and it's thanks to videos like yours that it's been smooth sailing up to now. Thank you very much!
Just don't allow any browser to install apps. Instead allow your Files app to install apks.
Very good point! That’s even better than having a separate browser for maintenance
I don't seen an option for this, whenever I open an APK from the files app it wants me to give Vanadium permission
How do we do that? @rasix86
@@notme3945 install shizuku and SAI. Give Shizuku the permissions it needs with ADB. Then give SAI the Shizuku permission.
26:53
Thank you so much for the Guide helping others navigating through GOS. Your mouth speaks gold man. Thanks again.
Awesome tutorial!
There are plenty of tutorials on how to install GrapheneOS, but very few follow-on guides to optimize or harden settings after that.
Also good that the 'why' of each setting/optimization is explained, rather than just 'do this, trust me it's secure!'.
Just installed this OS and followed your suggestions...thanks man👍
Enjoy :)
I am slowly getting up my courage to install GrapheneOS on my phone. This video is a great resource and has added to my confidence. I haven't actually watched the install video yet, but I will now.
I just did it I was like fuck it after using Iphone after years...honestly its super dope and Im super stoked I did itt
I'm thinking about using it too, but before, I want to make sure how to use it well before installing, I don't want to own a phone I can''t use at all
Just installed Graphene and went through your steps, thanks for this guide!
Glad it helped!
how do you logically separate between profiles? do you keep the Admin profile empty & use another profile like your "me" profile as your main use profile?
Do you install neostore & aurora store in each profile separately?
or conversely do u keep neostore & aurora only in your main or Admin profile , download required apps there & then copy the apps to other profiles? how does this work if the app needs Google play services but the downloading profile doesnt have google play services?
@DigitalIndependent
I'd be also interested in what @acespade987 mentioned.
And by they way, as @mistawinta asked below, any idea why Neostore hasn't been updated in a year? Is it still the way to go for apps? Thanks a lot in advance. Best regards
You are asking the right questions :)
I install aurora and neo afterwards on the various profiles and add apps per user later on. This was just a shortcut to get the first set of local users up and running without having to duplicate steps. Should have mentioned that though :))
For apps requiring google play services: they are sandboxed and have reduced privileges in graphene. So I try to group apps into two additional users: one profile that really requires Google stuff (navigation mainly, but also meet and others) and one profile for specific apps that need Google play services (that’s a few banking and business apps). If you play games, then that would be a separate user, because I inherently don’t trust game developers security practices.
You are asking the right questions :)
I still use neo store, it just pulls the f-droid stuff and presents it in a nicer way. Since I do updates and maintenance only once or twice a week I usually switch off the „install apps“ permission for these when I am not using them.
Not sure, if you get a notification for my other comment, so here’s my answer:
I install aurora and neo afterwards on the various profiles and add apps per user later on. This was just a shortcut to get the first set of local users up and running without having to duplicate steps. Should have mentioned that though :))
For apps requiring google play services: they are sandboxed and have reduced privileges in graphene. So I try to group apps into two additional users: one profile that really requires Google stuff (navigation mainly, but also meet and others) and one profile for specific apps that need Google play services (that’s a few banking and business apps). If you play games, then that would be a separate user, because I inherently don’t trust game developers security practices
Thanks. Could you explain how you use your owner profile? Do you take and receive calls from there ? Do you have any repos installed ?
The owner profile is a normal android user. So just install and use whatever you want on it…
Thanks from Germany. Really good video!
awesome tutorial; thanks for the time putting all this together!
Thanks for watching and your feedback!
Your own private VPN is coming soon…
This Video was so helpful - Thank You, just picked up my Pixel 7 this morning and installed GrapheneOS with your help. Well Done....
Great to here! Have lots of fun!
What happens if I have a messenger app on a separate profile and receive a notification there? Will I be notified while I am logged in with another user profile? If yes, clicking on the notification will open the chat on the other profile where the messenger app is installed?
Yes. Every profile can be set to „receive notifications from other profiles“.
Then you see a notification „signal“ from profile „private“.
excellent, i will be installing after watching the Naomi Brockwell videos.
I’ve got a full install video here, too:
ua-cam.com/video/QOqVOcvgahc/v-deo.html
Excellent guide, thanks for putting it together!
Really looking forward to more content from you 😊
What best/easiest way to import my app and app date from old phone to GrapheneOS phone please
Excellent video. You explained a lot of what I wanted to know and more.
Where do you import your past SMS mesaages to (profile) and how? What about contacts?
SMS: no idea. Probably some app that allows you to export them. Have a look in the neostore.
Contacts: those can be exported and imported. But I host my contacts in a nextcloud and sync them via CardDAV. That’s one of my planned videos
This is incredibly helpful. Thank you SO much for creating this. I am just being my graphene transition.
Glad it was helpful! :)
Awesome video. New to graphene and this has opened my eyes to the possiblities. Can I still use music apps like Spotify and Apple Music and should I add them into its own profile? Thank you for the help - new guy 😂
How do the user profiles work? Does it work like Samsung's Safe Folder? (Get notifications, and quickly switch to apps in other profile from the drawer/open apps menu)
Very much agree on your choices and like the way you present and explain, thanks!
Yet, one thing I'd love to better understand is under which profile you install apps; do you tend to do this as owner and remove the ability to install apps in all other profiles? And have you come across a reliable and pricacy firendly profile switcher that you like?
You can switch profiles by simply pulling from the top twice: once to see the controls and again for the extended version of the controls. Bottom right is your profile Switcher.
I have one profile for everything that absolutely need google, one for private surfing, one for kids and one for work. All with their own apps.
@@DigitalIndependent Thanks for pointing that out. I am aware of the regular method to switch profiles, not too complex but yet I thought there might be some kind of shortcut.
For the second part, this was clear to me from your video. Yet I wondered if you you install them from within the individual profile OR if you remove the ability to install apps for the less priviledges profiles and use the Owner profile for installation and then make them available to the respective profiles.
Maybe in the end this would be the same from a security perspective, I don't (but would love to) know.
This is what I'm interested also.
For example are all Google apps installed under the googleshit profile or under the primary profile?
And apps that I once bought, under what profile do I install them?
This was really great. Thank you!
Glad it helped :)
Thanks a ton! Tricking out my Pixel 4a. Sub'd!
Thanks! Pixel 4a is a great value phone and gets new life from graphene.
Thank you very much for so smooth and comprehensive instructions!
How do you suggest maintaining contacts? Currently I have two phones for personal and another for work. If I combine them both into a single GrapheneOS phone - should/can these be on different user profiles? Or might I have to setup a contact group?
Great video, it helped me to optimise my GrapheneOS
Glad it helped :)
Thank you. Very good video from all aspects. I have a problem with the user profiles. Many recommend leaving the primary (owner) profile clean or just for installing apps and pushing them to secondary profiles. Then having several secondary profiles (as you suggested) for various scenarios and ..... then having the daily driver (like your "me" profile) having most apps with google play services off ... but then many of the daily apps dont function (bcs they need google services or like need the WhatsApp backup from Google drive). My question: is it still more useful to use the sandboxed google services on the daily profile anyway?
and I would like see more of your videos in the near future
Maybe I missed it, but how do you split the app install across the profiles. Do you have anything installed on the "admin" profile? Do you install apps with the "me" profile primarilly? Where do you use the app services, only in the "googleshit" profile or in all of them?
Thanks for the great tutorial.
I install the most common apps across all profiles in the admin/owner profile. Then I can transfer these app installs to all other profiles under „manage users“. Then I delete them from the owner profile.
In every single profile I separately install apps. Googlesh*t is a profile where the few apps run that insist on Google play services. They are sandboxed there. Usually navigation and all E.V. related apps
@@DigitalIndependent Aren't the Google Play Services sandboxed regardless of where installed GoogleSh*t or Owner profile?
Does 'Sandboxing' stop an app from communicating with other apps? I thought that was the definition but I hear others - that make great videos like you - saying that you use the user profiles to do that. In that case the user profile IS the sandbox. Is this correct?
@@Loves-f3y yes, they are sandboxed no matter where they are installed. But I don’t even install them on other profiles
Great tutorial. With multiple profiles, is the same app required to be installed per profile or are there ways to optimize it?
You can have completely different apps on each profile. Some apps even create problems, if you install them later on a different profile. F-Droid is an example for that. Better use the alternative I described.
@@DigitalIndependent I followed your neostore advice but couldn't locate Aurora store within it, using the search function or filtering alphabetically. Has it been removed from the neostore?
The neo store just does not work on mine, it just shows Battery Optimization and Permission to post notifications only and no way to get rid of them, any idea how to solve this?
You have to deactivate batter optimisation and give permissions for notifications for this message to go away
Hi there. Thanks for the time you invested in the making of this video. I installed my GrapheneOS on Google Pixel Pro 8 at the beginning of the week, which was quite a challenge (more of a PC kind of guy). Now, I've invested tons of hours already, to get some basic functionality back (e.g. Contact sync) and still struggling with selecting a calendar app (about to try Etar or aCalendar).
Now, the profiles ID I understand perfectly. Alas, I learned about it just now. I did activate the multiple user option and I THEN set up a PrimaryAdmin second account.
Key qustion: can I still make this my real Owner Profile, as, OFC, I don't want to reset the phone again once more. OR: can I "clone" the Owner Profile (and then, alas, remove all the apps I have already installed)?
I have GrapheneOs on a pixel 6. My question i want to make a forward calling. But the to use is not available to use what can i do?
I am not sure what you mean, sorry :/
When I created a second profile I'm unable to use messages it says
"This app isn't allowed by the device owner"
Is there a way to fix this
You have to go to the profile settings of that specific profile and ensure you have activated „make calls and send messages“ (or something similar
Question, if I may. Doesn't metadata negate some of the isolation and privacy? Also, and pardon me if this has been answered in another video, has anyone carried out independent tracking checks after base and modified installations? The reason I ask relates to the aforementioned.
I'm hesistant to download the neostore as it hasn't been updated in a year. Any idea why? Do you still use it?
Same here, what did you end up doing ?
Is there something like a false PIN login? Like if you type in a different pin code it logs you into another sandboxed account, can be good if you’re in a situation like journalists and less privacy respecting country, or criminals, or an exceedingly overbearing parent. All the data saved and stored in one account and one seemingly innocent false account no one bats an eye at.
no, only a duress code that wipes your phone
Thanks for the video! How do you approach selecting the right carrier and/or SIM card from a privacy standpoint?
I don’t think there’s much difference because carriers are usually some kind of „critical infrastructure“ and thus fall under special legislation. That usually hits all of the carriers. So choosing wisely isn’t going to help that much.
A much larger impact would be using a good VPN for surfing. That’s why my latest video was about securing a simple and cheap VPS (virtual private server). As soon as you have that, you can configure a VPN on it (that’s one of the next three videos coming up). Do stay tuned :)
Is there an possibily to reset the Phone automatically when its connected to an pc?
Not that I know of. Maybe with Tasker and running command line scripts. The Tasker ecosystem might have something. Please report back :)
The first 16 mins is this intended for the primary/admin user account or done on all user accounts?
If set on admin user will it carry over to secondary user accounts?
I usually install the apps on the admin user, then transfer them to the other users and delete them from the admin. This saves time, but only if you intend to have some apps in multiple local users. Otherwise just run through this on a per user basis
Thank you for this video! I'm confused about the difference between installing and using google play store with a throwaway account and permissions locked down, versus installing the Aurora store and using that with a throwaway account. Why is the Aurora store the preferred approach?
Lots of little benefits, but I wouldn’t call them big:
1. purity: the play store app never even touches your phone
2. obscurity: who know what security issues might come up in the future. Not having the play store App might just mitigate in some imaginary scenarios.
3. showing Google that we want more freedom. The EU is forcing side loading soon anyway, but it’s still a statement.
4. supporting Aurora by using it.
5. my main reason: I don’t have to rely on GrapheneOS or me having locked down the Play Store App properly, because it’s not there :)
@@DigitalIndependent That makes a lot of sense, thank you!
@@DigitalIndependent I saw, in this video, on your Primary user account (red) that you had Google Play Services installed. But I believe, in a comment you said that you only put them on the google profile. ... Confused. Do we know if deleting these services really wipes them off?
When you set up storage scopes the app is already installed. (???) Does that mean that the folder you specify is a user-data only folder (not the app itself)? I make these changes but just don't get to see the effect.
How does theming work on GrapheneOS? Is it the same as stock's Material You, or is there no theming by default?
Sorry, haven’t tried that :(
Thank you so much for this video.
What user do you make the installs on?
This is my question as well. He responded to a different post that he makes them only where he uses them. I did post a question to see about a different way. - putting everything under the owner but then turning off network access for owner and using it to push apps out to users. We shall see if he responds.
Is there any analysis video of this operation system? It's nice that everyone repeats the same buzz words privacy and open source but i was wondering if anyone actually read the code and checked if there's nothing suspicious there. And also how can you make sure the web installer install the same open source code and not something else?
Good question. There was some talk on Reddit on audits. But I can’t find the link. Try the privacy subreddit for that…
Isn't it better to retain the owner user to install apps (with zero perms), and share them down where needed, rather than install apps on sub-users...?
What if you still need Google apps for work purposes? Does it defeat the purpose even if we run it on different user profiles? Is it still better to use graphene even with a work user profile with outlook, slack, whatsapp etc. or does it defeat the purpose and should I stay with iphone?
I isolate all Apps that need Google in a seperate profile and this doesn't run in the background. And I have started phasing out many apps that rely on Google.
You'd be surprised about the quantity and quality of Apps on neostore/F-Droid
the elephant in the room is what to do for a navigation app on a privacy fork of Android, such as GrapheneOS
(great video, BTW - a nice follow on would be a video highlighting various apps that are likely to be needed by most users - I have a fav note taker app, 2 factor authentication app, bar code scanner app, the whole subject of VPN, perhaps email clients - use Proton Mail myself, secure chat clients as alternatives to just using SMS, etc., etc., etc.)
What note taker app do you use? I'm thinking of trying Joplin or Obsidian.
@@JohnDoe-iv5ns I use Standard Notes, which recently got acquired by ProtonMail guys, which I also use.
I use it on my personal Linux PC and laptop and my Windows work laptop and can, of course, keep notes synced across all devices.
Very interesting ideas! Personal VPN is coming up next. Casual navigation is doable, but for professional travellers it’s very lacking.
App recommendations is great, I have started the script on that.
Obsidian with Syncthing. Have two syncthing nodes at locations I control.
If you have no VPN and have to connect to untrusted wi-fi, are there settings/features on grapheneos that can protect you?
Not much. Random MAC addresses in the setting for that specific WiFi and set your own dns, maybe Quad9 or another public dns server.
But the traffic is going through that WiFi, not protected by a vpn. So that’s inherently un-private.
I'm still juggling between this and lineage OS 21
another issue is our fin tech app in our country don't support rooted phones
Really informative, did not know this was a feature. I have a different alternative OS and it works for it as well.
What do you run?
I'd be intereded as well. Looking for a good option for a Fairpone.
Someone on Reddit said that putting things in separate profiles doesn't provide true 'sandboxing' - is this correct?
Half and half. Apps really don’t read each others files and data. Since the apps are one of the greatest potential vectors for snooping and siphoning data I’d say that’s a very good baseline.
There are occasional holes in the separation, which are mostly upstream bugs in Android. The media player card currently bleeds out into other profiles‘ notification centres. But that’s mostly it.
Do you have a link to the thread?
@@DigitalIndependent my comments are not being posted - weird. Here is someone from Graphene forum: Unlike Qubes where VMs provide the security boundary, in Android user profiles are separated via SELinux MLS (multi level security).
Apps with a targetSDK of 28 (Android 9) or later also have their sandbox enforced by SELinux MLS.
Any exploit that could cross the boundary between apps would likely be capable of crossing between user profiles
@@abexman yes. But SELinux exploits are rather rare. And that’s more like the persistent advanced threat actor that gets to use those.
Separation is more against the abuse of permissions and being able to selectively delete a partner your digital life
Nice interesting video, I'm totally new to GrapheneOS and this has been a very good introduction. Do you know if Graphene lets you run alternative launchers? I quite like the Trebuchet launcher used in LineageOS.
Yes, you can use any launchers. But beware, many are very aggressive at tracking you
Thanks so much for stretching what to do after the installation.
So many helpful hints and tips.
Any insights or thoughts on DNS services? I have heard to better use a secure protocol and connet with one which refuses censorship.
Kind greetings from Düsseldorf.
Thanks! That is the topic of the next video: your own (self hosted) VPN for private surfing.
Ich hoffe die Zahlen in deinem Profil sind nicht politisch gemeint.
@@DigitalIndependent Da bin ich mir keiner Schuld bewusst. YT hat irgendwann an alle Profilnamen ein paar Zahlen angehängt.
Keep uploading about Privacy , security and stuff :)
Are you able to enable Mobile Data and Hotspot from non-admin users?
Nope. One of the downsides. Hotspot is only for the main user. But you can activate mobile data per user
what is vanadium - is it a spoofed google chrome browser? is it compatible with add-ons like say an metamask wallet?
Thank you, that was very clear
Hi there, just wondering what equivalent to Microsoft office might you use on a phone that has GrapheneOS installed, mainly for word type documents ?
Calibre or OnlyOffice.
@@utubepunk Thanks a lot
Do you think the bunq banking app will run??
How did u manage to get ur screen cast working?
Built-in. Just started it and it worked. Why?
@@DigitalIndependent It never worked for me as it doesn't find any devices. E.g. I was trying to Screen cast to my Samsung QLED TV. Works with every other Android Phone, just not with the Pixel running GrapheneOS 😥
@@acehoodman I misunderstood, sorry! I thought you meant the screen recording. Haven’t tried casting to a tv yet.
@@DigitalIndependent Screen recording works fine but Screen Casting seems to be a general issue with AOSP and Pixel devices.
Didn't work for me. Even re-flashed back to droid and tried again. Tried cables too. Giving up or trying to find someone who can help me near where i live.
you cannot reflash after gos installed. its bricked afer gos
@@fdsknjlsfnubk3e7hi8sxThat is definitely not true
I had it work from my PC on a brand new Pixel then in a few days tried it again (different brand new pixel) and it didn't work. I had to take the cable to another PC and then it worked. I blamed my PC port.
Its so amazing how well graphene os works. Does anyone have a tip how I can improve GPS? It just takes many minutes until I find my location, because there is no WiFi location turned on. But even if I turn it on and set location services to Google, it does not get faster.
You have to change a setting so that the phone doesn't use the Graphene servers for location. This way it will use Google and be fast/regular.
Can i install graphene os in my samsung f14 5g
Can GrapheneOS be installed on a Samsung Note II?
Nope. Sorry
I guess I would make a good criminal because every time I register a fingerprint on any device it works for a few weeks and then doesn't work anymore. I have tried different fingers in case forefinger gets more callused or something. No joy.
Uhoh! Please never buy a fingerprint lock to your flat or house :)
Great introduction, thank you!
how do I install a terminal?
Getting my new pixel soon
Enjoy !
whats the max amount of user profiles?
I have 6, no maximum found until now
It's pretty high. Seems like 32. A content creator "Naomi Brockwell TV" goes over this. I just saw that it was plenty accounts even if each app went under it's own user account.
The profiles sound like they are going to cause more hassle than it's worth but im still going through the video to see the detail.
does google pay work there?
such a great video thankyou
Damn all I want is for google and Samsung to not collect mountains of data on me 😭
Still fire video, very informative + i now feel like Edward Snowden LMAO
Big thank you !
You're welcome! Thanks for watching and have lots of fun with your Graphene phone!
Quick plug: your own self-hosted VPN is coming up next
Any plans for more videos?
Yes. Your own VPN is coming up. Had to re-do the whole video because the maintainer of the easiest but also safe way noped out and nobody has taken the reigns. So the original video got useless.
Too many things to consider when trying to secure phones, laptops, desktops, browsers, and so on. And you have to review security implementations on a regular basis because some apps can become rogue or there are better ways to secure everything or there is some new exploit. I think we're fooling ourselves into a false sense of security. That said, I have bought a Pixel 6 Pro and installed graphene on it. Too bad that a lot of phones can't be rooted so that an alternate OS can be put on it.
Why only pixel? Is there any secret deal with Google? Becsuse this forces one to buy a pixel phone
Good question. The pixel has acceptable global sales numbers and it’s a vanilla version of Android, without additional vendor changes like in Samsung. It just seems to be the obvious choice…
Thanks!
You’re welcome :) more coming…
I JUST LOST A YEAR OF IMPORTANT PHOTOS!!! BACKUP FIRST!!!
I guess I only have myself to blame really; but I watched 5+ long videos about GrapheneOS and installation walkthroughs, and I guess I still somehow just missed the memo to make sure your phone is COMPLETELY BACKED UP (PHOTOS, files, anything that you would lose if you could push one “wipe phone” button on your phone).
Do not do a single step of installing GrapheneOS, before making sure you haven’t forgotten to backup EVERYTHING.
RIP Dad, RIP Lily, RIP Patches; a year of saving things through pictures and screenshots gone, a year of a lot of photos of myself that now, I just won’t have a year of my life to be able to reference or look back at; just a year that I’ll pretend I was blackout drunk literally every day, because I literally have no other way of verifying that that year even happened tbh. Poof.
RIP me
👍
Cheers :)
Me pregunto si cuesta algo poner subtitulos en tus videos...Un saludo desde España
There are some AI and translation services out there. Maybe that’s a perk when I have 5.000 subscribers :)?
I had to laugh when I saw your user profiles because I toss all my Google apps into a folder called Google shit also lol I have been using a zte blade I've moved back to an older device because I pretty much stipped everything off it you might say it's a smart phone that's been rendered dumb its for texting and calls only so far if I brick the zte I don't really care it's basically a shitbox but will be fun to play with a custom ROM
I thought Google was integral with the OS and not removable. How did you strip down the zte blade? I want to do that too.
American police and officials are now legally allowed to use your fingerprint to open your phone - by force.
So... I guess that debate is settled.
Thanks for pointing that out! I would suggest isolating the private stuff in one user account that doesn’t unlock with a fingerprint. Maybe call it something harmless like „kids“ or „drug trade“.
@@DigitalIndependent LOL, something harmless like 'drug trade'.
@@Loves-f3y 1. it was a joke. I was being ironic. And 2. Germany has just legalised weed.
Can I install graphene OS en this device? Device Information
App Version 7.1-rc1-release
Version Code 96
Device Manufacturer realme
Device Name RMX1931L1
Device Model RMX1931
Device Brand realme
Android Version 11
CPU Arch aarch64
Storage Total 108.19GB
Storage Free 90.24GB
RAM Total 7.32GB
Is Device Rooted false
Nope. Pixel or pass
My only fear is Google stopping to make phones, lol, 😅🤣the irony on that?!
Unhealthy for society?Unhealthy things? Mild way of putting it.
Go on the dark web with it and live stream it.
"kebab-case" 🤣
no contact less no funny
keep up 🆙 👍 😅 updates & privacy 🔏 ❤ i wish grapheneOs become more popular and compatible with other phones 😅