Amahl Farouk's GrapheneOS setup

Last updated
Jan 1, 2021
Phone brand
Google
Phone model
Pixel 3a
Phone OS
Custom
Phone OS version
GrapheneOS (latest stable)
Phone OS updates
Automatic updates
App updates
Automatic, auto-app updates on any connection
Phone unlock
Biometric security
    • Fingerprint(s)
SIM card lock
Protected by a PIN code
Find my Phone
Off (disabled)
Security & Privacy Apps
LibreAV - real-time “AI” permissions scanner
Auditor app - device integrity monitoring
Hardened Memory Allocator - memory isolation
GOS Android Sandbox hardening - app permissions isolation
GOS Firewall - ability to completely revoke internet access permissions from apps, not just block them
Browser
Vanadium
Password manager
Bitwarden
Authenticator
Aegis
Phone & Caller ID
GrapheneOS Dialer
Messaging
QKSMS+
Signal
Music & Podcasts
None.
Entertainment
Signal
Games
None.
File and Photo backup
Nextcloud client with auto-upload to LAN NAS for Photos and Contacts
Notable changes
1.0
  • Initial config
1.1
1.2
  • Added LibreAV (thanks to @HarborFront)
  • Migrated to Aegis for 2FAs instead of Bitwarden
What I'm looking for?

Looking for maximum feedback.

enaph

Level 28
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,789
May I ask why you use Bitwarden for 2FA?
This goes against the idea of two-factor authentication and you should choose another authenticator app so your passwords and authentication keys are separated. That's just my humble opinion.
 

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34

Thanks for the tip. I was actually considering self-hosting Bitwarden on my server. Would this reduce the risk given that I control both passwords and 2FA keys on the server?

Or are you more concerned about a possible exploit via the app itself?

Might decide to switch to Aegis for 2FAs and re-generate all passwords + keys (I usually go through this process annually anyways)

P.S. At the moment, it's a matter of convenience that I use the same provider for both.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,022
One more question.

Do you know which VPN(s) work well with GrapheneOS? By default, GrapheneOS is already slow (compared to Calyx OS, for example), and if you use TOR it would make surfing even slower. I mean VPNs like ExpressVPN, VyprVPN, NordVPN, SurfShark VPN, etc.
 

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34

Well, that's a complicated question to answer. :unsure:

I personally tested Wireguard protocol (which I recommend for speed over any OpenVPN protocol connection) with CyberGhostVPN and my own server. Both have excellent speeds and I haven't noticed any slowdowns compared to stock Android.

GrapheneOS isn't really comparable to Calyx in terms of security. It has many more hardening features at the OS level, not just debloated/no Google apps (which is more of a privacy vs security discussion anyways).
The slowdown you might be experiencing is related to the hardened memory allocator that GrapheneOS uses to isolate memory for each app, which does add some slowdown/overhead to the app's launch. But in terms of post-launch behavior it is pretty much the same as stock.

Regarding network throughput, I cannot imagine why GOS would be slower. If anything, it's a matter of the VPN implementation and not the network stack.

Long story short, if you're concerned with network throughput, I'd recommend a VPN provider with Wireguard support. Otherwise, GOS is meant for security first and a hardened OS compared to stock--which might be slightly slower in day-to-day usage. Privacy-wise, I wouldn't care for any privacy feature if the base OS is weak, so I don't know what to say about Calyx in this matter. To each its own.
 

ForgottenSeer 85179

Totally right @Amahl Farouk.
CalyxOS doesn't add any security or privacy improvement over normal AOSP. That's why a comparison on anything below the Pixel 4/4a isn't fair.
With the Pixel 3a the performance is slowed down because of security hardening and restricted hardware power in comparison to the 4a with enhanced storage speed.

So, with the Pixel 4/4a the difference isn't much, while GrapheneOS provides a lot better security and privacy.

Anyway, back to the configuration:
I would enable the SIM PIN and add Auditor ;)
Also, nice to see another GrapheneOS setup here :emoji_beer:
 

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34

Will do regarding the SIM PIN. Haven't used one since it's a disposable number...but I guess it doesn't hurt to add it.

I used the Auditor when I initially flashed the device and all was OK, but I have since removed it. From my understanding it is useful to compare the hashes on install. Is it needed for every update, too? :unsure:
 

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34
Auditor checks by default (it's configurable!) every 4 hours against manipulation and, if problems are detected, it sends an email if configured.
See Auditor tutorial

It's a persistent protection against all kind of manipulation :)

Awesome stuff! Initially I didn't read the tutorial and had no idea about the remote attestation service. I just used my 2nd GOS device to verify my main one and was done. :oops:

I've enabled 4h remote attestation for both phones now with "Security level: High (StrongBox) - Hardware Security Module (HSM)" results. :love:

Thanks a lot for the tip!
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,652
@Amahl Farouk: what about these fields:
Play Protect: off - device may be at risk to apps that violate the Play Store

Find my phone
- Disabled - device may be unrecoverable if lost or stolen

SIM PIN security - SIM card is unlocked

Sincerely, I'm not sure about the 1st one (probably not), since I have no experience in Graphene OS, but the other 2 I'm sure can be applied :)
 

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34
Thanks for the suggestions. I’ve enabled SIM Lock now. 😁
I’m pretty sure Play Protect requires Google Services/Play Store to be available for it to work, and even then it’s not really a protection layer, more like a service for Google to push out warnings about malicious apps that have already been flagged. Since there’s no Google anything in my phone, I am not really concerned about this vector. The only app I have from the Aurora Store is Signal, and even that one can be manually downloaded from their site and verified for integrity.

So the biggest issue I have with GOS is the reliance on the F-Droid repo and the occasional app that is exclusively on Aurora (Play Store front, i.e. banking apps) or on GitHub. I know that Daniel (the lead of the GOS project) is working on a solution for external apps that is going to be more secure and have some sort of an integrity verification and hopefully compliance, but the details are still in the works.
Regarding find my phone, it’s a feature that I have no use for, even if it were available on GOS. I rarely use my phone anyways and hardly leave home with it, so losing it isn’t really a concern. The bigger issue would’ve been “evil maid” attacks or some sort of carrier hack, but thanks to @SecurityNightmares I now have remote attestation of the device's integrity so I can be a little more reassured.

I know Nextcloud has a client/server implementation of this protocol (“find my device”) that would function perfectly well on GOS, but again, given my use case, I don’t think I’ll use it. Plus, if the phone does get nicked I trust the encryption to protect its content and there wouldn’t be a scenario where find my device would help me recover it...so, it would just introduce an extra privacy concern at no security benefit. :unsure:
 

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34
@harlan4096 Slightly off-topic, but I didn't want to open a new thread since it's somewhat connected to this one and most others in this section of the forums.

There are a few questions regarding the methodology used to rank these setups as secure vs at risk. For example:

Play Protect settings
For all stock Google/Android flavors out there, there's zero benefit from disabling this feature as the Play Store is arguably the single most dangerous vector of attack for users, second only to a browser zero-day; but one could argue that you're more likely to get infected via that new shiny game/weather app that drops a malicious payload on your phone than via casual browsing.
However, the implementation requires the presence of Google Play and Google Messaging Services to ensure proper functioning, that is, to scan devices for apps that have already been installed and flagged by Google as being malicious. It provides no proactive protection and wouldn't stop anything already deployed on your device from doing damage. There is also an open-source project called Exodus that provides (at the moment) tracker analysis for apps before and after you install them. This is not comparable to Play Store's security feature, but it could be upgraded to implement at least VirusTotal or some other similar feature that would actually provide a layer of active scanning of apps on the device, which would be a massive improvement from Google's Play Protect feature.
This being the case, all non-Google Android flavors that don't implement GMS cannot have Play Protect enabled. This does mean weakened security given the threat vector described above; however, I doubt this is the case for users that go through the process of installing GOS and add all the security it provides only to then have some unknown apps running on the device. In this particular case (and it truly is particular), GOS is the only non-Google Android version that is a significant improvement over the stock version, with a fully locked and verified bootloader and hardened SELinux setup.
The honest/correct setting for the "Play Protect settings" on this thread should be "Not Applicable" but currently this is suggested only for "iOS" devices and Android users are forced to choose "Off", which as I explained isn't an issue as proper phone hygiene, as I am sure anyone that goes through the GOS conversion is perfectly aware, is all that is needed to make it at least comparable to the passive "security" provided by Google's Play Protect.

Real-time security apps
Real-time security on phones is something that is far from being comparable to the PC. At best, there are passive scanners of signatures for apps that are installed on the device; however, most just provide a warning to users regarding apps that are flagged as malicious and do little to nothing to prevent the infection once installed (similar to what Google's Play Protect does). This being the case, most security apps rely on Android's built-in security (sandboxing and SELinux), and users of GOS benefit from hardened malloc, a much tighter SELinux ruleset, and exec-spawning protection for the sandbox. GOS Firewall is also provided as a layer of protection on top of the stock OS to actually revoke internet permissions from apps, effectively isolating the app to an offline-only functioning (no malicious code downloaded post-install). All these features don't technically equate to real-time protection, but since apps are severely restricted compared to the stock OS, the only missing layer would be a signature scanner--which I'm sure Daniel is already working on as a subset of the application updater.

I'm really curious what your thoughts and the community's are regarding these topics. :unsure:
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,022
@Amahl Farouk

I think the concerns are firstly, you do not have an AV in your phone. Secondly, what happens if you sideload a malicious application from F-Droid or Aurora Store?

Just sharing

I don't have Pixel with GrapheneOS yet. However, I use an android phone and I don't download apps from Google Play Store and I don't use any Google apps for I try to de-Google myself as much as possible. I download apps from other 3rd-party stores like apkmirror, apkpure, apkmonk etc. Sometimes Play Protect will pop up and ask me whether I want to check the downloaded app and I just deny it even though I have it disabled. It is definitely unwanted in a de-Googled Pixel phone with GrapheneOS

I do have Zemana Antivirus, and it'll check my downloads. Another working app is IntelliAV which also will check my downloaded apps. Unfortunately, IntelliAV belongs to Alphabet which owns Google so it's not good for your use. Another non-Google app which does similar function to IntelliAV is LibreAV which is open source.

I know GrapheneOS is very strong in security/privacy but sideloading apps from non-Google stores can pose a risk.

I have put the acquisition of Pixel 6XL 6.7-inch screen as one of my hopeful items in this year’s resolution. Hopefully, GrapheneOS will be available then knowing that it's still not available for Pixel 5
 

ForgottenSeer 85179

I think the concerns are firstly, you do not have an AV in your phone. Secondly, what happens if you sideload a malicious application from F-Droid or Aurora Store?
An AV isn't needed on Android because of isolation.
Also, AVs don't have the needed permissions, so they can't do anything.

F-Droid is a known safe store as they build all apps by themselves. Aurora isn't a store but a downloader from the Google store without any modifications.

So the protection is slightly lower but better in privacy.
Also, apps can't do anything malicious if permissions aren't allowed.
Auditor also protects against unwanted system changes.
 

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34
@HarborFront @SecurityNightmares Thank you both for your thoughts on this.

Indeed, from my understanding, Aurora's store (not to be confused with Aurora Droid--an F-Droid store replacement) is just a bypass of the Google authentication mechanism (it uses shared/private user accounts in rotation) to access the same download sources as the Google Play store. So, in theory, it has access to the same filtering that Google does on the existing store apps.

Of course, if you get to install a malicious app before Google flagged it, all bets are off and in that case a stock Google phone wouldn't fare better anyways, as it will still be infected. Regarding other download sources for Play Store apps (i.e. apkmirror, etc.) I trust them even less than I trust F-Droid repos, since in essence you're being served an apk by an unknown server.

In this case, my recommendation would be to try out Aurora Store (front-end for Play Store). It's open-source and the only thing it does is bypass the need for a Google account on your phone. It cannot auto-update apps; it just notifies you of new updates, and it also has built-in Exodus verification which would expose trackers (if you are concerned about Google) on your apps before you download them. There's also a separate Exodus app, but that's a different matter.

F-Droid's repo (their store app is arguably not the best, but there's Aurora as an alternative) is exclusively open-source software that is compiled by their servers from mostly GitHub repos and signed with their private keys, so the whole process should be reasonably secure and transparent. A big downside would be that it sometimes falls behind the dev versions with bugfixes/security enhancements, as they need to be audited internally before being compiled and pushed to the repo. It's a similar situation with most Linux repos that don't follow a strict rolling-release model. Security gets delayed. A small benefit would be that some undesirable features and trackers are stripped out and you get a cleaner version of the app, but that depends a lot on the developer support. Some app developers offer their apps for both the Google and F-Droid stores (which requires some special steps to have it auto-compiled and pushed). In any case, it's a better bet than downloading the apk from some shady website.
An alternative would be to manually download and verify the integrity of the apks from GitHub, if you don't trust F-Droid.

Regarding the antivirus, it would need access to device-admin, not necessarily root, to properly audit and protect from malicious apps, something which I wouldn't trust to any app on my phone to be honest. It breaks the whole OS sandbox and pretty much is a remote admin waiting to happen. I would appreciate a reasonable scanner that could verify the apps I have for signatures of known threats, but I don't know of one, other than Graphene's own Auditor, which is not exactly a scanner but an integrity checker (it doesn't enforce anything if it notices discrepancies).

I would expect GOS to be available for the Pixel 6 probably 6 to 12 months after its release, but that depends a lot on the changes from the previous model and, of course, the all-too-generous Daniel Micay not being completely swamped with work. :emoji_beer:
 
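The "download the APK yourself and verify its integrity" step mentioned in the post above, as an added example that is not part of the thread or of any project named in it: a Python script (the sample APK, the pinned digest and all function names are constructed here) that refuses a sideloaded APK unless it is a structurally sane ZIP carrying a JAR signature block and its SHA-256 matches a digest pinned from the developer's release page.

```python
import hashlib
import hmac
import os
import tempfile
import zipfile

CHUNK = 1 << 20  # read the APK in 1 MiB pieces so large files do not load into memory


def sha256_file(path):
    """Hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def apk_sanity(path):
    """Structural checks before trusting the hash: the file must be a valid ZIP with
    the members every real APK has and at least one JAR-style signature block
    (META-INF/*.RSA, *.DSA or *.EC). Scheme v2/v3 signatures live outside the ZIP
    entries, so their absence here is not proof the APK is unsigned."""
    if not zipfile.is_zipfile(path):          # also False when the path does not exist
        return False, "not a zip archive"
    with zipfile.ZipFile(path) as z:
        if z.testzip() is not None:           # CRC failure on any member
            return False, "corrupt zip member"
        names = set(z.namelist())
        for required in ("AndroidManifest.xml", "classes.dex"):
            if required not in names:
                return False, f"missing {required}"
        sigs = [n for n in names
                if n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")]
        if not sigs:
            return False, "no JAR signature block found"
    return True, "ok"


def verify_apk(path, expected_sha256):
    """Return (ok, reason). The pinned digest is normalised so a copy-pasted
    uppercase hash still matches, and compared with compare_digest so the
    comparison does not short-circuit on the first differing byte."""
    ok, reason = apk_sanity(path)
    if not ok:
        return False, reason
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return False, f"sha256 mismatch: got {actual}"
    return True, "ok"


def build_sample_apk(tamper=False):
    """Constructed sample input: a minimal APK-shaped zip in a temp file. Not a
    real app; the member contents are placeholder bytes. tamper=True changes
    classes.dex so the archive stays valid but its digest no longer matches."""
    fd, path = tempfile.mkstemp(suffix=".apk")
    os.close(fd)
    dex_body = b"\x41" * 64 if tamper else b"\x00" * 64
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + dex_body)
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder, not a real PKCS#7 blob
    return path


if __name__ == "__main__":
    sample = build_sample_apk()
    pinned = sha256_file(sample)              # stands in for the digest published by the developer
    print(verify_apk(sample, pinned))
    print(verify_apk(build_sample_apk(tamper=True), pinned))
```

A matching digest only proves you received the file the publisher published, not who signed it; to pin the signer identity as well, check the certificate fingerprint that `apksigner verify --print-certs` prints against the one the developer documents.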

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,022
You can try LibreAV and it's open source. It works on AI (like IntelliAV which belongs to Alphabet). Looks like no permission given on my android phone. You can get it from github or F-droid

 

Attachments

  • Screenshot_20210113_073828_com.google.android.permissioncontroller.jpg

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34

Awesome. I will most certainly try it out. Thanks for the recommendation!
 
