SECURE: Advanced Amahl Farouk's GrapheneOS setup

Last updated
Jan 1, 2021
About PC
This is my primary device
Brand
Google
Model/Series
Pixel 3a
Mobile OS
Android (Custom ROM) - see below for details
Mobile OS version
GrapheneOS (latest stable)
Mobile system updates
Automatic - allow the operating system to manage system updates
Mobile app updates
Automatic - update over any network
Special app access
Limited access - some apps are allowed to install unknown apps - see below for details
Allowed unknown apps
Aurora Store
Aurora Droid
Play Protect settings
Automatic - allow periodic scans to protect against potentially harmful apps
Real-time security apps
LibreAV - real-time “AI” permissions scanner
Auditor app - device integrity monitoring
Hardened Memory Allocator - memory isolation
GOS Android Sandbox hardening - app permissions isolation
GOS Firewall - ability to completely revoke internet access permissions from apps, not just block them
Authenticator apps
Aegis
Password manager apps
Bitwarden
Find my phone
Disabled - device may be unrecoverable if lost or stolen
SIM PIN security
SIM card is locked
Screen lock settings
PIN
Biometric lock settings
  1. Fingerprint or TouchID
Sharing visibility
Off or Hidden - block all incoming files
Browser apps
Vanadium
Content filtering apps
DNS filtering
DNS
DNS-over-TLS to my own server running AdGuard Home in a FreeBSD jail
VPN
Wireguard
Optimization & maintenance
GOS Storage Manager
Phone & Caller ID apps
GrapheneOS Dialer
Messaging apps
QKSMS+
Signal
Music & Podcasts apps
None.
Video & Livestream apps
Signal
Gaming apps
None.
Other apps
NewPipe (YouTube)
OsmAnd+ (Maps)
DAVx5 (CalDAV + CardDAV)
Etar (Calendar)
FairEmail (Email with Mailbox.org)
Open Camera (API 2 support)
Tasks
Voice (Audiobook player)
Tutanota (Email)
Forecastie (Weather)
Auditor with Remote Attestation
Personal Files & Photos backup
Nextcloud client with auto-upload to LAN NAS for Photos and Contacts
Personal backup routine
Automatic (scheduled)
Your changelog
1.0
  • Initial config
1.1
1.2
  • Added LibreAV (thanks to @HarborFront)
  • Migrated to Aegis for 2FAs instead of Bitwarden
My request for feedback

Maximum – critical feedback

Amahl Farouk

Level 1
Jan 11, 2021
34
I’ve added LibreAV to the mix. Seems like a decent addon, especially since it has no requirement for special permissions. It didn’t find anything for the moment, but I guess it’s good in case some apps get updated to weird permissions. (y)

P.S. Also in the process of migrating to a separate 2FA app instead of Bitwarden...convenience can be pricey in this case 🤫
 

Amahl Farouk

Level 1
Jan 11, 2021
34
Having a coffee break, warming my hands from the cold (in the Netherlands) from working outside, wondering why a security-oriented Android OS receives the RISK: At Risk label. Could one of the mods explain?
Was wondering the same thing. Maybe because I was using Bitwarden for both passwords and 2FA, but I’ve since migrated my accounts to Aegis and am in the process of resetting most of my passwords just in case.
Other than this, the only thing that comes to mind is the whole discussion regarding Play Protect; as I’ve explained in a previous post, I think the option “Not applicable” should apply to GOS as well. I’ve also added LibreAV, which is pretty much better than what Play Protect seems to offer anyway.
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
6,968
Tag changed! "stop crying like boys ;)" Initially, as I pointed out in post #13 of this thread, there were some security features disabled or just not filled in, and still, for example, Find my phone is disabled...

About "Play Protect" -> Not Applicable for some Android devices, it's @Jack or @Spawn who must add this new option to the mobile fields config structure :)
 
Amahl Farouk

Level 1
Jan 11, 2021
34
Tag changed! "stop crying like boys ;)" Initially, as I pointed out in post #13 of this thread, there were some security features disabled or just not filled in, and still, for example, Find my phone is disabled...

About "Play Protect" -> Not Applicable for some Android devices, it's @Jack or @Spawn who must add this new option to the mobile fields config structure :)
Thanks for the update :D Well, since GrapheneOS doesn't have this feature implemented, I guess I could just add it as an addon to my Nextcloud server and use their app for location tracking. But since I rarely need my phone outdoors, it would pretty much be useless data and an extra liability/vector of attack/tracking that for the moment I don't see the point in enabling.

Looks like your setup is now even advanced while mine is only complete :
Well, I would imagine that "Complete" implies that it is the max level of security and "Advanced" has some tweaks that still need to be made. For my phone, I guess that would be the "Find my phone" feature. (y)
 