So I am installing GrapheneOS rn and I need help:
1. I want app tracking protection for every app, something like DuckDuckGo’s app tracking protection, if there is something better?!
2. Someone explain to me (in simple words) what Auditor is, cause I can’t understand it even if I read about it on GrapheneOS’ website (I am like 50% noob with these things)
3. Is my wifi masked automatically with GrapheneOS or should I 100% use a VPN? Is there a setting in the OS somewhere? I need a lot of privacy and security for my phone!!!

Also tell me additional tips for privacy/security for GrapheneOS if u have any!
Thanks a lot!
I’ve been using Graphene for a while. Here are some things I’ve changed and found useful:
I really like the storage scopes feature. Whenever an app requests access to storage/contacts, I set up scopes for it. This feature alone makes me never want to leave Graphene.
I also really like the random MAC address feature. Whenever I connect to Wi-Fi, my MAC address gets randomized to appear as a different device (except on my LAN, otherwise my router would be flooded with different devices that, in reality, are the same).
Multiple profiles is also a nice feature. I’ve used them before, but now I just use everything under the root profile, even Google services. Since they run in a sandbox, I’m OK with it. This is probably something you want to avoid if your threat model requires you to, but I have found that for banking apps, it was a major drawback for me that I had to switch profiles every time I wanted to access them. And even worse, if I wanted to send documents over e-mail, since my e-mail was on my non-Google profile, it was very annoying, so I simply went with everything under root.
The on/off toggle for camera & microphone is also really nice. I use it all the time.
I’ve also set a 1 min timer to disable my Wi-Fi when I have no active connection (e.g. when I leave my house).
I’ve changed my DNS to a more private one (currently using family.dns.mullvad.net).
In settings, if you go to NFC, you have an option to request device unlock to use NFC. I’ve set this to on, despite having NFC off all the time.
Best tip I can give you is this…
https://discuss.grapheneos.org/
Make an account there and find all your answers. The community is VERY knowledgeable. Good luck
1. Not sure on this one.
2. The auditor is to make sure you are installing an authentic version of Graphene. That it is not a modified version that has been tampered with (e.g., backdoors).
3. Automatically enables MAC randomization. This can help with being tracked on public networks. Fingerprinting techniques have gotten better though with deep packet inspection and even measuring radio characteristics. I’ve seen demos of two brand new and identical models of iPhones being distinctly picked out due to variances in the radios during manufacturing.
Doesn’t help with advertisers tracking behavior based on IP. VPNs help with “blending-in” by putting multiple users behind the same IP. Provider matters here. Needs to be a VPN provider that won’t just sell your data or cave to law enforcement. Mullvad is my preference. Paid with crypto. RAM only logs. That said, use Tor or I2P for anything you don’t want subpoenaed.
For additional tips:
- Can’t remember if it’s on by default, but auto-reboot to put data at rest (encrypted and not in RAM). This is for a state-actor threat level, and less about advertisers.
- I prefer PIN codes to unlock my device and don’t use biometrics. Graphene has a feature to randomize the PIN pad every time to protect against a recording of the PIN being entered. Specifically where the numbers aren’t picked up on the video but the pattern your hand makes can be seen. Again, more of a state-actor threat level.
I’ve been eyeing Graphene for a while now but I’m not really a tech person. I fumbled my way through installing and doing basic tweaks on Linux Mint but I don’t know the first thing about coding or programming. Is that kind of knowledge a must for this OS or is it more dummy friendly? And what’s a good cheap phone to grab to start messing with it and getting familiar, do you have any recommendations on that front?
It’s pretty dummy friendly. Accept that some things may not work or will work differently (most notably tap to pay is a no go AFAIK), and be willing to learn if something comes up would probably be how I describe it. The only problem that might turn up is that an app that you need doesn’t pass gOS’ security checks, but there’s an app level setting to lessen security restrictions if it’s something you NEED.
Otherwise, meh? Flashing back to stock is super easy via a Google web tool if you don’t like it. (I had to for a trip, Ticketmaster was being wonky and all my shows were Ticketmaster haha. I’ve never had a problem before with the Ticketmaster app so IDK if it’s an ongoing thing or not)
It’s almost the same as plain Android, only with the Google services removed or locked down, and additional security restrictions and permissions control. Most apps work without any additional configuration, unless they’re doing something unusual.
The only supported devices are Pixels, so take your pick from the list: https://grapheneos.org/faq#supported-devices
No programming knowledge required.
Graphene only supports Pixels due to the Titan chip. The versions with “a” are cheaper. Check when they go end of life to find the cheapest if you care about updates. So probably the 6a or 7a if you want at least 2 years of updates.

1. I prefer NetGuard, but TrackerControl, which is based on NetGuard, seems to be what you’re describing there.
3. When you write “my wifi”, what do you connect your phone to?

- Use FOSS software whenever you can.
- Try https://github.com/MuntashirAkon/AppManager. It lets you see every known tracking library that apps have and you can even block those, while maintaining functionality.
- Set fingerprint and don’t lend your phone to anyone.
- Scan all downloads with VirusTotal.
- Use a hosts file based ad and malware blocker (you need root for it) like AdAway.
- Use Invizible Pro, where you can configure Tor, i2pd, dnscrypt to run at the same time.
- Use Cromite or Tor browser or Vanadium.
- Update your software as soon as possible.
- Use a password manager, like any maintained KeePassXC fork or Bitwarden, with a FOSS authenticator app (I use Aegis).
- Change email provider: ProtonMail, Tutanota.
- Use Termux for everything that you don’t need a GUI for or don’t have a GUI for (like low-level operations, getting system info, compiling, converting and compressing niche formats, HTTP server, network analysis and so on).