GrapheneOS (written GOS from now on) is an Android-based operating system that focuses on security. It is only compatible with Google Pixel devices for multiple reasons: availability of hardware security components, long term support (series 8 and 9 are supported at least 7 years after release) and the hardware has a good quality / price ratio.
The goal of GOS is to provide users a lot more control over what their smartphone is doing. A main profile is used by default (the owner profile), but users are encouraged to do all their activities in a separate profile (or multiple profiles). This may remind you of the Qubes OS workflow, although it does not translate entirely here. Profiles cannot communicate with each other, encryption is done per profile, and some permissions can be assigned per profile (installing apps, running applications in background when a profile is not used, using the SIM…). This is really effective for privacy or security reasons (or both), you can have a different VPN per profile if you want, or use a different Google Play login, different application sets, whatever! The best feature here in my opinion is the ability to completely stop a profile so you are sure it does not run anything in the background once you exit it.
↫ Solène Rapenne
I switched to GrapheneOS on my Pixel 8 Pro as part of my process to cleanse myself of as much Big Tech as possible, and I’ve been incredibly happy with it. The additional security and privacy control GrapheneOS brings is amazing, and the fact it opted for a sandboxed Google Play Services basically means there are no compatibility issues, unlike when using microG, where compatibility problems are a fact of life. GrapheneOS’ security and other updates are on par with or even faster than the stock Google Pixel’s Android, and the overall user experience is virtually identical to stock Android.
The only downside is the reliance on Pixel devices – it’s an understandable choice, but does mean giving money to Google if you don’t already own a Pixel. A workaround, if you will, is to buy a used or refurbished Pixel, but that may not always be an option either. For me personally, I’ll be sticking with my Pixel 8 Pro for a long time, but if it were to break, I’d most likely go the used Pixel route to avoid enriching Google. For pretty much anyone reading OSNews, GrapheneOS would be a great choice, and if you already have a Pixel, I strongly urge you to consider switching.
Does this allow having an equivalent of root in one profile and non-rooted environment in another one so that I can use both apps that require root and apps that won’t normally run on a rooted system on the same device?
It doesn’t work like that, or at least I have never heard of such a ‘configuration’.
But the thing is – with GrapheneOS there are very few use cases for rooting.
If the bootloader is locked back after flashing GrapheneOS, it will happily run a lot of banking apps, without them complaining.
I’m not sure about GooglePay (should work too).
Furthermore, GrapheneOS allows you (like almost no other Android) to disable/freeze apps through the normal Settings > Apps.
In that state – they cannot collect i.e. location, accelerometer data, etc.
Want to use Flightradar 24?
Install GooglePlayServices and Flightradar24.
Use the app for a while.
Go to Settings > Apps
Deactivate them both.
GrapheneOS is rootable, but strongly discouraged by the people of GrapheneOS.
I recommend the web-installer for GrapheneOS, but primarily for people who use Chrome in Windows.
Reason: the required webUSB-capability of browser is broken in other browsers and also not working if you use i.e. Chromium on Ubuntu which comes as a snap package and cannot properly access USB.
Also USB3-Ports can be problematic, better resort to a USB2-Port if you can.
Agree with lazar, I think you need to figure out if you want root for the sake of it, or if there is really a use case for that and find an alternative. For example, for a firewall there is no need on Graphene as there is internet permission, but on a regular Android you also have VPN firewalls. Root is very bad for security and is never going to be officially supported on Graphene.
https://www.reddit.com/r/GrapheneOS/comments/13264di/is_root_possible_with_grapheneos/
I think the multi-profile workflow is very tiring. For most people, a private space or a work profile set up with Shelter, or both, might be an easier way to achieve separation of apps and data while not creating the friction of having to constantly switch profiles.
>hardware has a good quality / price ratio.
Not sure about that. I got a good deal on my Pixel 8 but I have to say that the hardware is crap. No SD card, no headphone jack – of course, that’s standard now, because they want you to buy their cloud storage and Bluetooth headphones. But the battery life is really bad when you’re on a cellular network (fine on Wifi) which is a well-known “bug” with the crappy modem the Pixels 6-9 use. My old Samsung S10 (from early 2019 I think) was overall a better piece of hardware than the Pixel 8 (from late 2023). And of course for gamers who need CPU, GPU and RAM, all those gigantic but cheap Chinese phablets give you great bang for the buck.
I have to say it was painful for me to buy a Pixel Tablet for that reason. Being the only tablet supported by Graphene was the only reason I picked this over an iPad at this price.
We have GOS on my wife’s Pixel 4a which just ran out of support from GOS. We never leveraged the multiple profiles. She just used it like a normal user, we minimised use of non-F-Droid apps where possible. It’s been very good with no real issues. When my Pixel 6 came out CalyxOS was first to release a ROM so I went with this and it’s been quite a similar experience, however I opted for microG. Again, I use mostly F-Droid apps apart from Teams, Zoom and MS Auth in a work profile that I only enable when I need to. I’ll replace hers and mine with Pixels again. Unsure if I will choose GOS or CalyxOS (or equiv) but it will absolutely have to be as G00gle free as possible.
GrapheneOS was quicker to support the Pixel 6 than CalyxOS. We also still support the 4a by the way, albeit in extended support because it has reached end-of-life quite a while ago already.
GrapheneOS and CalyxOS are very different. GrapheneOS is a hardened OS with substantial privacy/security improvements:
https://grapheneos.org/features
CalyxOS is not a hardened OS. It greatly reduces security vs. AOSP via added attack surface, weakened security model and slow patches.
Compatibility with Android apps is also much different. GrapheneOS provides our sandboxed Google Play compatibility layer:
https://bsky.app/profile/grapheneos.org/post/3lamcjfv5r22s
Can run nearly all Play Store apps on GrapheneOS, but not CalyxOS with the far more limited and less secure microG approach.
https://eylenburg.github.io/android_comparison.htm is a third party comparison between different alternate mobile operating systems. It could include many more privacy/security features but it’s a good starting point.
https://privsec.dev/posts/android/choosing-your-android-based-operating-system/ is an article with more long form comparisons between the operating systems.
> A main profile is used by default (the owner profile), but users are encouraged to do all their activities in a separate profile (or multiple profiles). [proceeds to describe ¡7! different profiles]
I’ve been using Graphene for almost 2 years and it is the first time I hear this. To be fair, profiles are a feature of vanilla Android, and it is a PITA to use. I use a separate profile for apps that need Google Play services and my work apps (VPN included), which would be something like the shit profile. Since Android 15 I’ve also been using the private space which is wonderful to run proprietary apps, and I have my banking, investing and gaming apps on a basic iPhone, so I’m not new to compartmentalization. But this is madness, and can only come from a Qubes developer.
Good day! GrapheneOS team member here. We would absolutely be down to support other devices too, but at this point in time nothing other than Pixels comes close to fulfilling our requirements. The crucial, well implemented hardware security features are a big factor, they have an overall excellent update frequency and also fully support 3rd party operating systems with no downsides or strings attached.
If you would like to read up on the details of what exactly these requirements are, we’ve laid them out here: https://grapheneos.org/faq#future-devices