Introduction

Goals:

• GrapheneOS instead of stock Android
• No Google Play Services installed
• Not logged into any Google accounts

Google Pixel Phone

One goal of this article is to run GrapheneOS. The phones supported by GrapheneOS Releases are currently limited to Google Pixel devices.

Pick the newest Google Pixel Phone that is on the list of GrapheneOS supported devices and is in your price range.

GrapheneOS

GrapheneOS is a privacy and security focused mobile OS based on the Android Open Source Project (AOSP). GrapheneOS currently only supports Google Pixel devices, so this article assumes that you have a supported Google Pixel phone.

Follow the GrapheneOS Install Instructions. This article does not cover the OS installation procedure. After you complete the GrapheneOS install, return to this article for information and recommendations on app stores, specific applications, and configuration settings.

App Stores

This section covers app store options within GrapheneOS and their preferred order for obtaining apps.

GrapheneOS App Store

The GrapheneOS App Store is extremely limited and only contains GrapheneOS maintained apps (Camera, Messaging, PDF Viewer, Vanadium, …); Accrescent (a private and secure Android app store); and several core Android apps from Google for users that want to install them in a sandbox (Google Play Store, Google Play services, Android Auto, Markup).

Install:

• Accrescent (app.accrescent.client): https://github.com/accrescent/accrescent/releases

Do NOT install the Google Play Store, Google Play services, or the other Google apps unless absolutely necessary for your use case.

Accrescent

Accrescent is an Android app store focused on security, privacy, and usability. Accrescent is still in alpha, and doesn’t contain many apps. However, it is implicitly recommended by GrapheneOS via their app store, and it is a convenient way to install and update several apps.

Install:

• Organic Maps (app.organicmaps): https://github.com/organicmaps/organicmaps/releases
• Just (Video) Player (com.brouken.player): https://github.com/moneytoo/Player/releases
• AppVerifier (dev.soupslurpr.appverifier): https://github.com/soupslurpr/AppVerifier/releases
• BeauTyXT (dev.soupslurpr.beautyxt): https://github.com/soupslurpr/BeauTyXT/releases
• Inter Profile Sharing (digital.ventral.ips): https://github.com/VentralDigital/InterProfileSharing/releases
• Auxio (org.oxycblt.auxio): https://github.com/OxygenCobalt/Auxio/releases

As more apps are added, prefer installing apps via Accrescent instead of the following methods.

However, links to the GitHub releases are also provided in case you want to use Obtainium instead of Accrescent, you want to download APK files for an offline backup, or you want to review the source code.

Obtainium

The Obtainium website, wiki, and GitHub repository cover how to use the Obtainium app to install, update, and receive release notifications for Android apps directly from their respective release pages on GitHub, GitLab, and other sources.

Install Obtainium directly from the project’s GitHub Releases page. Since we are using a newer Google Pixel device and are avoiding F-Droid packages, you want the app-arm64-v8a-release.apk.

Once Obtainium is installed and granted permission to install apps, you can Add App and either directly enter an app source URL, search various sources for the app, or use the link at the bottom of the panel to search supported crowdsourced app configurations. The following list will either specify searching the crowdsourced configurations or will provide a direct repository URL to enter into Obtainium.

Install:

• Aurora Store (com.aurora.store): crowdsourced app configuration
• Brave (com.brave.browser): crowdsourced app configuration
• DAVx5 (at.bitfire.davdroid): https://github.com/bitfireAT/davx5-ose/releases
• Exodus (org.eu.exodus_privacy.exodusprivacy): crowdsourced app configuration
• KeePassDX (com.hunzisoft.keepass.free): https://github.com/Kunzisoft/KeePassDX/releases
  • Choose KeePassDX-x.y.z-free.apk
• LibreTube (com.github.libretube): https://github.com/libre-tube/LibreTube/releases
• Meshtastic (com.geeksville.mesh): https://github.com/meshtastic/Meshtastic-Android/releases
  • Choose googleRelease-x.y.z.apk
• Proton Calendar (me.proton.android.calendar): crowdsourced app configuration
• Proton Drive (me.proton.android.drive): crowdsourced app configuration
• Proton Mail (ch.protonmail.android): https://github.com/ProtonMail/android-mail/releases
• Readest (com.bilingify.readest) https://github.com/readest/readest/releases
• Signal (org.thoughtcrime.securesms): crowdsourced app configuration
• WiFiAnalyzer (com.vrem.wifianalyzer): https://github.com/VREMSoftwareDevelopment/WiFiAnalyzer/releases
• WireGuard (com.wireguard.android): crowdsourced app configuration

For a regular email client, you have a choice depending on your personal preference and exact needs:

• Thunderbird (net.thunderbird.android): crowdsourced app configuration
• FairEmail (eu.faircode.email): crowdsourced app configuration
  • Choose FairEmail-...-github-release.apk

Thunderbird for Android is simpler and integrates nicely with Thunderbird desktop. FairEmail has additional features, but is more complicated and cluttered as a result.

If you want a terminal emulator with Bash and packages for various command-line tools, install the Termux app and some of its add-on apps.

• Termux (com.termux): https://github.com/termux/termux-app/releases
• Termux:API (com.termux.api): https://github.com/termux/termux-api/releases
• Termux:Boot (com.termux.boot): https://github.com/termux/termux-boot/releases

Google Play Store

Some apps are only available from the Google Play Store.

Use Aurora to install:

• OpenKeychain: Easy PGP (org.sufficientlysecure.keychain)
• Speech Recognition and Synthesis from Google (com.google.android.tts)
• CoPilot GPS (com.alk.copilot.mapviewer)
• ATAK-CIV (com.atakmap.app.civ)

F-Droid

The PrivSec article on F-Droid Security Issues and the Privacy Guides article on Obtaining Android Apps describe multiple problems with the F-Droid app store.

This article avoids using the F-Droid app store in any way.

Configuration

System Text-to-Speech

Text-to-Speech (TTS) support is required for turn-by-turn voice instructions in GPS navigation apps.

The following steps will temporarily grant the Google TTS app network permissions, download the data files for your selected voices, reduce the number of cases where the app will try to use the network, and then revoke the network (and all other) permissions. Once complete, you will have a completely offline TTS app.

• Open OS Settings app:
  1. Apps -> Speech Recognition and Synthesis from Google -> Permissions:
     • Network: Allow (temporarily)
  2. Accessibility -> Text-to-speech output
     • Preferred Engine: Speech Recognition and Synthesis from Google
     • App settings gear:
       • Install voice data: English (United States) -> Voice VI (personal preference)
       • Use Wi-Fi only: On (Reduce attempts to use network permissions)
       • Amplify speech volume: On
       • Anonymous usage reports: Off (Prevent attempts to send usage reports)
     • Press the Play button to verify TTS works properly
  3. Apps -> Speech Recognition and Synthesis from Google -> Permissions:
     • Network: Don’t allow
     • Sensors: Don’t allow
     • (Anything else currently allowed): Don’t allow

Navigation App Text-to-Speech

Once the system is configured for Text-to-Speech (TTS), the GPS navigation apps must be configured to use the system’s TTS features.

Configure Organic Maps

• Open Organic Maps app -> Settings:
  • Voice Instructions:
    • Voice Instructions: On
    • Announce Street Names: On
    • Speed cameras: Always warn
    • Press Test Voice Directions (TTS, Text-To-Speech) to verify TTS works properly

Configure CoPilot GPS

• Open CoPilot GPS app -> Settings:
  • Regional and Voices -> Language:
    • US English: US English com.google.android.tts
      • Press the Test button at the bottom to verify TTS works properly
      • Press the Done button at the top to save the settings
  • Safety Alerts and Warnings:
    • Speed Limit:
      • Show speed limit: On
      • Show speed warning: On
      • Receive audible speed warning: On

Consistency and Usability

• Open OS Settings app:
  • Display
    • Lock Screen
      • Privacy: Show sensitive content only when unlocked
      • Dynamic clock: Off
      • Tap to check phone: On
      • Lift to check phone: On
      • Wake screen for notifications: On
    • Dark theme: On
    • Night Light: On
      • Schedule: Turns on from sunset to sunrise
      • Intensity: About 25%
  • Apps
    • Default apps
      • Browser app: Brave
      • Opening links
        • LibreTube
          • All of the youtube URL variants
        • Organic Maps
          • www.openstreetmap.org
        • Proton Calendar
          • calendar.protonmail.com
  • Battery
    • Battery manager
      • Use Battery Manager: On
    • Charging optimization
      • Limit to 80%: On
    • Battery percentage: On
  • Security & privacy
    • Exploit protection
      • Native code debugging
        • Block for third-party apps by default: On
• Open the Readest app:
  • Open an ebook and tap on the screen to bring up the menu.
  • Tap on three dots in top right corner -> Fonts and Layout
  • Define a new Theme Color named “Midnight” with these settings:
    • Text Color: #a0a0a0
    • Background Color: #000000
    • Link Color: #486e8a
  • Code Highlighting
    • Enable Highlighting: On
    • Code Language: Auto

Termux

• Open OS Settings app:
  1. Apps -> Termux -> Permissions -> Files
     • Files access for this app: Don’t allow (+ Storage Scopes)
     • Storage Scopes
       • DCIM
       • Documents
       • Downloads
       • Movies
       • Music
       • Pictures
• Open Termux app and run commands:
  • termux-change-repo
    • Single Mirror: default (Cached by cloudflare)
  • termux-setup-storage
  • pkg install termux-api termux-auth termux-services
  • pkg install bash bash-completion jq tree which
  • pkg install bat helix helix-grammars hunspell hunspell-en-us
  • pkg install mandoc manpages
  • pkg install dnsutils openssl openssh rsync
  • pkg install gnupg pinentry
  • pkg install git
  • pkg install iperf3 nmap
  • pkg install starship nerdfix
• Open Termux:API app once and perform setup
  • Disable battery optimizations for Termux:API
  • Do NOT grant display over other apps
  • Do NOT disable the launcher icon
• Open Termux:Boot app once to let it perform the necessary setup

Termux Specific Examples

Producing Text-to-Speech (TTS) voice output:

termux-tts-speak "This is a test."

SSH and File Transfer to the Phone

On the Phone

On the phone, inside the Termux app:

Start the OpenSSH daemon (sshd). The daemon will listen on port 8022.

sv up sshd

Find the username you need to specify when connecting. The output will be something like u0_aNNN.

whoami

Find the phone’s IP address in GrapheneOS, or find the IP from the Termux command line.

ifconfig

See the next section on transferring files from a computer where you have a bigger screen and a keyboard.

After you have finished all of your remote sessions, stop the OpenSSH daemon.

sv down sshd

On the Computer

Connect to the phone with ssh (to port 8022) and enjoy a full screen and keyboard for configuring the environment. Replace the username and IP address with the values obtained from the phone.

ssh -p 8022 u0_aNNN@phone-ip

Use rsync over ssh (to port 8022) to transfer files. The following example synchronizes a music library under ~/Music to the Music folder on the phone. Adjust the source directory on the computer as appropriate. Replace the destination username and IP address with the values obtained from the phone.

rsync --archive --verbose --progress \
    --rsh="ssh -p 8022" \
    ~/Music/ \
    u0_aNNN@phone-ip:storage/shared/Music/