PrivacyPhones.com

GrapheneOS Basics: the Setup That Actually Matters

A practical, opinionated walkthrough for your first week on GrapheneOS — profiles, permissions, sandboxed Google Play, app choices, hardening, and the mistakes most people make.

Updated April 11, 2026

TL;DR: GrapheneOS’s privacy comes from defaults, profile separation and per-app permissions — not from “200 tweaks.” Install updates. Use the Owner profile sparingly. Put sandboxed Google Play in its own user profile. Deny network and sensors aggressively. Don’t sign into Google in your main profile. Most people are done in an evening.


Before you start: what this article is and isn’t

This is the opinionated post-install checklist we’d hand to a friend on day one with a freshly flashed GrapheneOS phone. If you haven’t installed the OS yet, read What Is GrapheneOS? first and then follow the full setup guide. This article picks up the moment you boot into GrapheneOS for the first time.

We’re going to skip the things GrapheneOS already does for you (verified boot, hardened malloc, exploit mitigations, attestation) and focus on the choices you still have to make. Those choices are where 95% of the real-world privacy wins are.


Principle 1: Keep it boring

The biggest single mistake new GrapheneOS users make is treating their phone like a hobby project. They install 40 apps, switch DNS providers twice a week, layer five firewalls, and end up with a less secure phone than they started with.

The strongest privacy phones we see in the wild are the boring ones:

  • Up-to-date GrapheneOS
  • A small, deliberate set of apps
  • Strong screen lock
  • Profile separation between “stuff that needs Google” and “everything else”
  • No tinkering after week one

Security comes from defaults and updates, not from cleverness. Boring is the goal.


Step 1: Lock screen and device encryption

GrapheneOS encrypts your device by default. The strength of that encryption depends entirely on your screen-lock secret.

  • Use a PIN of at least 8 digits, or (better) a passphrase. GrapheneOS uses scrypt-derived key strengthening, but a 4-digit PIN is still brute-forceable by a serious attacker.
  • Don’t use a swipe pattern. Patterns leak through smudges on the screen and shoulder-surfing.
  • Enable “Auto reboot” in Settings → Security. We recommend 18 hours. If your phone is left unattended, it’ll automatically reboot into the stronger Before-First-Unlock encryption state.
  • Enable “Duress PIN/password” if you have a credible coercion threat. It wipes the device when entered.
  • Set “Lock after screen timeout” to a short value (30 seconds is reasonable).
  • Disable fingerprint and face unlock until you’ve decided. Biometrics are convenient and weaken your legal position in some jurisdictions. If you use them, treat them as a UX feature, not a security one.

This single screen takes five minutes and accounts for an enormous percentage of the real-world security of your device. Spend the five minutes.


Step 2: Set up your user profiles

This is the single most under-used feature in GrapheneOS, and it’s the single most impactful one for privacy.

GrapheneOS supports multiple user profiles. Each profile is, for practical purposes, a separate phone. Apps in one profile cannot see apps, data, files, accounts or notifications in another. The profiles share the OS and the hardware, and nothing else.

We recommend the following profile layout for most users:

Owner profile (minimal)

The Owner profile in GrapheneOS is special — only it can change global settings, accept system updates, and create other profiles. Treat it like the BIOS of your phone:

  • No apps beyond the defaults
  • No personal accounts
  • No browsing
  • Use only for updates and creating/managing other profiles

“Main” secondary profile (your daily driver)

This is where your daily life happens. Browser, messaging, photos, notes, banking, navigation.

  • Install only the apps you actually use.
  • Do not sign into a Google account here.
  • Do not install sandboxed Google Play here unless you absolutely must.

“Google” secondary profile (for apps that need Play Services)

Some apps don’t work without sandboxed Google Play — typically rideshare, certain banking apps, work apps, and a handful of mainstream services. Instead of contaminating your Main profile, give them their own:

  • Install Sandboxed Google Play here (and only here).
  • Install only the apps that need it.
  • Use this profile when you need Uber. Switch back when you’re done.

Optional: “Work” or “Throwaway” profiles

If you have a job that requires invasive MDM, an internship, or anything you’d like to bin in 3 months without affecting your main life: give it its own profile and delete that profile when you’re done.

Profile switching is fast. Several profiles can run at the same time and keep receiving notifications (controlled per profile by the “End session” / “Run in background” toggles), and the lock-screen profile selector is one tap away.


Step 3: Sandboxed Google Play — choose intentionally

Sandboxed Google Play is GrapheneOS’s superpower. It lets you install the real Google Play Store, Google Play Services and Google Services Framework — but as regular, sandboxed, revocable apps with no system privileges.

Most people should install sandboxed Google Play in exactly one user profile, and then think hard about which apps to put in it.

To install:

  1. Open the GrapheneOS App Store (preinstalled).
  2. Install Google Play services, Google Play Store and Google Services Framework.
  3. Open the Play Store, sign in (or use it without signing in for many apps).

Then, the part most people skip:

  • Revoke “Nearby devices” from Google Play services. It’s used for cross-device tracking and Bluetooth beacon scanning.
  • Revoke “Location” unless you have a specific app that needs background location through Google.
  • Revoke “Contacts”, “Calendar” and “Phone” unless you’re using a Google-tied app that needs them.
  • Leave network access enabled — sandboxed Play won’t function without it.

The point of profile separation is exactly this: you can be reckless with Play permissions in the Google profile and tight everywhere else.


Step 4: The “permissions are the product” mindset

GrapheneOS extends Android’s permission model in ways no other OS does. Use them.

Network permission

GrapheneOS lets you revoke the INTERNET permission from any app. No other Android variant offers this. Use it generously:

  • Photo viewers, calculators, PDF readers, dictionary apps — no network.
  • Local-only apps (notes, OsmAnd offline maps, file managers) — no network.
  • Anything you downloaded for a one-off task — no network until proven necessary.

This single setting blocks almost every form of in-app tracking and ad-SDK behavior. It’s the most powerful per-app control on the entire device.

Sensors permission

Apps that aren’t a camera, a fitness tracker, or a level should not have access to your gyroscope, accelerometer, or barometer. These sensors are widely used for device fingerprinting and even for inferring keystrokes from vibration patterns.

Revoke sensors aggressively. Re-grant on demand. You will almost never miss them.

Location

  • For any app that gets location at all, use “Allow only while using the app.”
  • For most apps, “Don’t allow” is the correct answer.
  • For navigation apps, “Allow precise location” is fine while using the app.
  • Never grant background location unless you specifically want it (e.g., a fitness tracker recording a run).

Contact and Storage Scopes

GrapheneOS lets you give an app access to only the specific contacts or files you choose, instead of your entire address book or storage tree.

  • For an app that asks for contacts (Signal, WhatsApp, etc.), use Contact Scopes to share only the people you want it to see.
  • For an app that asks for storage, use Storage Scopes to share only the specific folder it needs.

This takes 20 seconds per app and is dramatically more private than the all-or-nothing model on stock Android.


Step 5: Build a deliberate app set

A small, intentional app set is one of the highest-leverage privacy decisions you can make. Here’s a defensible starter set:

Browser

  • Vanadium (preinstalled). Hardened, sandboxed Chromium. Use it as your default.
  • If you want fingerprint resistance, add Mull (a hardened Firefox fork) from the F-Droid-based Accrescent or DivestOS repos.
  • Avoid the desktop Tor Browser unless you’ve thought hard about it. Orbot is the right call for Tor on mobile.

Messaging

  • Signal for general private messaging. See Signal vs SimpleX vs Briar vs Session if you want to go further.
  • Molly is a hardened Signal fork worth considering.
  • If your contacts are on iMessage and unwilling to move, look into Beeper in a separate profile.

App stores

  • GrapheneOS App Store (preinstalled) for sandboxed Google Play and Auditor.
  • Accrescent for a curated, modern, signed-by-default app store.
  • F-Droid for older open-source apps. (We have a separate post on privacy phone app stores if you want the deeper comparison.)
  • Aurora Store if you want Play Store apps without a Google account.

Maps

  • Organic Maps for offline navigation. No accounts, no tracking, decent for most cities.
  • OsmAnd if you want richer hiking/biking/transit data and don’t mind a busier UI.
  • Google Maps only inside your Google profile, and only when you specifically need live traffic.

VPN (optional)

A VPN is not a privacy strategy. But it can be a useful tool against ISP-level metadata collection and to bypass region locks. See Best VPNs for Privacy Phones for our current picks. Mullvad and IVPN remain our defaults.

Email

  • Proton Mail or Tutanota for accounts you control.
  • K-9 Mail / Thunderbird Mobile for IMAP with a privacy-friendly provider.
  • Avoid Gmail in your Main profile. If you must have it, it lives in the Google profile.

Authenticator

  • Aegis (preferred). Encrypted, exportable, no cloud.
  • Avoid Google Authenticator (no encryption, syncs to Google).
  • Avoid Authy (closed-source, recent breach history).

That’s it. Most privacy-conscious daily drivers we see have fewer than 30 apps installed total, across all profiles combined.


Step 6: Network and connectivity hygiene

A surprising amount of mobile tracking happens at the network layer, not the app layer. GrapheneOS gives you good defaults; tune them slightly.

Wi-Fi

  • MAC randomization: GrapheneOS uses per-network randomized MAC by default. Leave it on. Don’t switch to “Use device MAC” unless a specific network requires it.
  • Disable Wi-Fi when not in use. Settings → Network & internet → Wi-Fi → “Turn off Wi-Fi automatically.” Phones constantly scan for known networks even when “not connected,” which is a strong location signal.
  • Forget networks aggressively. Hotel, airport, and conference Wi-Fi are a tracking goldmine.

Bluetooth

  • Same story. Turn it off when you’re not actively using it. Auto-off after 2 hours is on by default — leave it on.

Cellular

  • Use a privacy-respecting MVNO if you can. We cover the US market in Cape Privacy Carrier Review.
  • Disable 2G in Settings → Network & internet → SIMs → Allow 2G. 2G is unencrypted and is used by IMSI catchers.

DNS

  • GrapheneOS supports private DNS (DoT). Set it to Mullvad’s privacy DNS (base.dns.mullvad.net for a generic privacy stance, or adblock.dns.mullvad.net to also block ads).
  • Don’t enable Google or Cloudflare DNS unless you’ve specifically chosen them — you’re moving trust to a single party.

Auto-connect to public Wi-Fi

  • Disable it, both the explicit setting and any “Wi-Fi Assistant” style feature. Your phone should connect to networks you choose, not networks that choose you.

Step 7: Updates, backups, and the “set it and forget it” plan

Updates

  • GrapheneOS auto-checks for updates and applies them in the background. Don’t disable this.
  • Apply updates to all profiles — the system prompt will tell you when secondary profiles need to be touched.
  • After a major Android version update, briefly review per-app permissions; some defaults can shift.

Backups

  • Use Seedvault (GrapheneOS’s built-in encrypted backup tool) to back up app data to a USB drive or local file. Write down the recovery key. Store it somewhere offline.
  • Back up your Aegis vault separately and treat the export password like your life depends on it. (For some people, it does.)
  • Back up photos to a self-hosted target (Immich, Nextcloud) or an encrypted cloud (Proton Drive, Tresorit). Not to Google Photos in your Main profile.

The “weekly check”

Once a week, in five minutes:

  • Open Settings → Apps → “Permissions used in the last 24 hours.” Review.
  • Look at battery usage by app. Anything unexpected near the top is worth investigating.
  • Update your app set if needed.

That’s the entire maintenance schedule. There is no Step 8.


Mistakes we see constantly

In rough order of frequency:

  1. Signing into Google in the Main profile. This undoes a huge fraction of the privacy benefit. Use a separate profile.
  2. Installing 40+ apps “to test.” Each app is an attack surface and a tracking surface. Be ruthless.
  3. Disabling auto-updates. Don’t. Update lag is the leading cause of real-world compromise.
  4. Using a 4- or 6-digit PIN. Brute-forceable. Use 8+ or a passphrase.
  5. Granting INTERNET to apps reflexively. GrapheneOS gives you a unique tool — use it.
  6. Treating biometrics as security. They’re a UX feature. Your PIN is your security.
  7. Adding “privacy” launchers and “privacy” keyboards from unknown developers. AOSP Keyboard (preinstalled) is fine. Vanadium is fine. Don’t add complexity.
  8. Ignoring sensor permissions. Sensors are a quiet, powerful tracking vector.
  9. Layering five firewalls. GrapheneOS’s per-app INTERNET permission is the firewall. You don’t need a second one.
  10. Tinkering forever. After your first week, stop. Boring is the goal.

FAQ

Do I really need separate profiles? Isn’t one enough?

You can run a single profile if you must, but you’ll either give up app compatibility (no Google services anywhere) or contaminate your daily phone with Google services everywhere. Profiles let you have both. The five-minute setup is worth it.

Will sandboxed Play track me less if I don’t sign in?

Yes — significantly. Play Services without an account still phones home, but the data is anonymized and decoupled from your identity. Many users run sandboxed Play indefinitely without ever signing into a Google account.

Should I install Auditor?

Yes, briefly. The Auditor app verifies your device’s firmware and OS integrity using GrapheneOS’s attestation service. Run it once to confirm your install. Keep it around if you’re high-threat.

Should I install a firewall like NetGuard?

No, generally not. GrapheneOS’s per-app INTERNET permission is more powerful than a userspace firewall and uses less battery. Use the OS toggle, not a third-party app.

Should I disable JavaScript everywhere?

No. You’ll break the modern web. Disable it for sites you don’t trust (long-form reading, archived pages), leave it on for sites you actively use.

What about a “secure messenger” like Session or Threema?

Signal is the right default for almost everyone. Session, SimpleX, and Briar solve specific threat models (metadata resistance, no phone number, mesh). See Signal vs SimpleX vs Briar vs Session before adding more messengers — running too many is itself a privacy problem.

Should I run Tor on my phone?

Use Orbot when you specifically need it (research, censorship circumvention, geo-restricted reading). Don’t tunnel all traffic through Tor by default — it’ll break captive portals, push notifications, and many apps.


Where to go next

Your phone is now set up. The remaining wins come from app and account hygiene, not from the OS.

If you remember nothing else, remember this: the privacy on a GrapheneOS device doesn’t come from how many tweaks you make. It comes from a few well-chosen defaults, profile separation, and a small app set. Get those right, and stop touching the phone.