I just installed GrapheneOS, a security-hardened fork of the Android Open Source Project, on a Google Pixel 6a. I am not the end-user of this case, but I thought that it would be worth sharing my experiences with the installation and my very surface impressions of GrapheneOS from configuring it before handing it off.
Note: You should not read this article as a guide to installing GrapheneOS (notwithstanding the post category). My purpose in writing is simply to share my experience with and impressions of the GrapheneOS web installer and setting up GrapheneOS based on a single experience from May 13 and 14, 2023 (moreover, while I am capable of following instructions, I am far from what one would consider a leading expert in this area). If you are interested in installing GrapheneOS, I would encourage you to do your own research and consult the up-to-date documentation on the project website for case-specific instructions.
What is GrapheneOS?
GrapheneOS is an open source security-hardened fork of the Android Open Source Project. In short, it provides what is, on the surface, a relatively vanilla Android experience (sans the default vendor and Google apps), but with a focus on security.
There are several forks of the Android Open Source Project available for installation on Android devices (it is free to use and the project accepts donations). I have previously covered installing LineageOS on a Google Nexus 7 (2013) tablet and running /e/ OS on a Murena Teracube 2e phone. Moreover, I have been running LineageOS as my daily phone driver (on a Google Pixel 3a XL) since November 2022, a fact I referenced in a couple of subsequent posts dealing with phone apps.
GrapheneOS distinguishes itself from LineageOS with its emphasis on security and hardening. LineageOS is focused on maintaining support for older devices (see e.g., my Pixel 3a XL and 2013 Nexus 7 tablet) and offering a way to use newer devices without Google cruft. Murena’s /e/ OS builds on LineageOS with a focus on providing a user-friendly de-Googled experience. The focus of GrapheneOS is on providing users with an even more secure option than what Google itself offers on its flagship devices.
There are many consequences of the differing focus of GrapheneOS from LineageOS. One shows in the list of supported devices. GrapheneOS only supports newer Google Pixel phones (as of the writing of this article). LineageOS and /e/ OS support a much broader range of devices. GrapheneOS does not allow device rooting but does allow for re-locking the bootloader, whereas LineageOS allows users to root their devices but it discourages, in most cases, trying to re-lock the bootloader.
(There are other options in the Android Open Source Project-fork space, notably DivestOS, CalyxOS, and Replicant.)
I describe these forks generally as alternatives to stock Android, although some Hacker News commenters on my /e/ OS review took a narrower view of what constitutes an Android alternative (see my discussion on the meaning of Android alternative).
Prepping my Google 6a
Before installing GrapheneOS, you need one of the small number of supported phones. As I noted above, GrapheneOS only works on Google Pixel devices. The oldest Pixel currently supported is 4, which is in extended support (my own 3a XL is no longer supported by GrapheneOS). GrapheneOS generally recommends that people purchasing new phones go with one of the phones from the Pixel 6 or 7 lines because they have the strongest security features and longest support cycles.
I purchased a Google 6a for its good combination of long-term support and price. After the phone arrived as expected, I made sure that it turned on and was in working order. Not only did everything work as expected, but it arrived with an about 80% charge, sparing me the trouble of having to charge it before beginning to work with it.
Using the GrapheneOS Web Installer
GrapheneOS offers two installation methods: A command line installer and a web installer. I installed LineageOS on my 2013 Nexus 7 tablet and Pixel 3a XL through the command line, by following careful instructions. The experience led me to conclude that graphical installers are far preferable, especially for making these Android alternatives accessible to a broader audience. I used a graphical installer (in app form) to install Ubuntu Touch on a now-unsupported 2013 Nexus 7 (see my article on installing Ubuntu Touch in July 2021). However, my experience with the Ubuntu Touch installer was not always smooth sailing. I had originally purchased my current Pixel 3a XL to test with Ubuntu Touch, but I defaulted to LineageOS after I could not quite get it to work even with the graphical installer.
How would GrapheneOS’s web installer perform?
GrapheneOS’s web installer works a little bit differently than the Ubuntu Touch app I described in July 2021. The Ubuntu Touch installer came as an app and, ideally, required no command line input at all. The GrapheneOS installer is a webpage.
(Note before continuing that I am describing my experiences from May 14, 2023. My description of the GrapheneOS installer may be out of date whenever you read this. Instead of taking my story as a guide, make sure you carefully consult GrapheneOS’s up-to-date documentation. If you need further assistance, GrapheneOS maintains a community forum.)
Running the installer in Brave
The first thing I noted was that GrapheneOS’s web installer only officially supports Chromium-based web browsers: Chromium, Vanadium, Google Chrome, Microsoft Edge, and Brave. (It also specifically advises Linux users to not use Flatpak- or Snap-packaged versions of the browsers.) While my primary browser is Firefox, I keep Brave around for several reasons. One of those reasons is that there is the occasional site that does not like Firefox. Another reason is that it is easier to create and manage profiles in Brave than it is in Firefox (not to mention Brave has more sensible defaults, although I prefer a well-configured Firefox in the end). I run the Arch User Repository Brave package on my main workstation (running EndeavourOS), so I had no Flatpak or Snap issues. I created a fresh Brave profile for the GrapheneOS installer (a fresh profile to ensure that no extension or setting would cause an issue).
Enabling OEM Unlocking
GrapheneOS’s first listed step is to enable OEM unlocking on the phone. This requires using the phone’s settings menu to enable developer mode (pressing the build number in About, under phone Settings, six times). My phone came with developer mode enabled (probably not how I would have shipped it…), so that, to my surprise, was already done. OEM unlocking was also enabled (again, not how I would have shipped it…), so it turned out that I had nothing to do. However, I read an interesting note pertinent to my phone:
For the Pixel 6a, OEM unlocking won’t work with the version of the stock OS from the factory. You need to update it to the June 2022 release or later via an over-the-air update. After you’ve updated it you’ll also need to factory reset the device to fix OEM unlocking.
Just to be on the safe side and avoid backtracking, I connected the Pixel 6a to the internet, installed a pending update, and factory reset it. I then confirmed that OEM unlocking was enabled before proceeding.
Booting into bootloader with command line
The next step listed on the GrapheneOS installation is to install the android-udev package (for Arch-based Linux users). I already have that package installed (evinced by the fact I put LineageOS on my Pixel 3a XL a few months ago), so I skipped to booting into the bootloader. Now recall I said that I prefer a graphical installer for dealing with Android nonsense to the command line method. I changed my mind for one step.
You need to boot your phone into the bootloader interface. To do this, you need to hold the volume down button while the phone boots.
I tried turning the Pixel 6a off. One would assume you do this by holding down the power button, right? When I held down the power button, I received some prompt about Google something or other, I think assistant. I was confused. To be sure, the power button was probably in the top drawer. But I thought about all of these steps – figuring out how to use buttons to turn it off, holding down during boot, etc – and decided it would be easier to just use the command line after all. I had already enabled ADB Debugging in developer settings and connected the Pixel 6a to my computer (“ADB” stands for Android Debug Bridge). The next step on GrapheneOS’s guide is to connect the phone to the computer. I decided to combine the steps into one! While my phone was connected via USB and recognized by ADB, I ran the following command in the terminal:
adb reboot bootloader
I will have you know I did not even need to look it up. Regular ADB professional here (not quite). In any event, the Pixel 6a rebooted to the bootloader menu as expected.
Using the GrapheneOS installer
I was able to skip the connecting the phone section because I had already connected the Pixel 6a to my computer. Now in the bootloader menu, it was time to finally test the online installer.
First, the installer page has a section called Unlocking the bootloader. There is a button which says Unlock bootloader. Pressing the button assumes that you have completed all of the other steps, that your phone is connected to the computer, and that you are in the bootloader menu. I pressed the Unlock bootloader button and a confirmation pop-up appeared listing my device. I unlocked the bootloader. Then, on the phone itself, I had to confirm that I wanted to unlock the bootloader (you navigate the bootloader menu options using the volume buttons to toggle and the power button to select).
Second, the installer has a section called Obtaining factory images. There is a button which says Download release. This will download the correct GrapheneOS version onto your phone. The button assumes you have completed the previous steps, including unlocking the bootloader. I pressed the button and it downloaded the correct version of GrapheneOS as expected.
Third, it was time to flash the GrapheneOS release to the phone (see Flashing factory images). There is a button which says Flash release. Again, this presumes you have completed the previous steps, including downloading the release which you will now flash. I pressed the button. This step took a few minutes and the Pixel 6a restarted a few times. To replicate the experience, I will quote GrapheneOS’s explanation of what was happening:
Wait for the flashing process to complete. It will automatically handle flashing the firmware, rebooting into the bootloader interface, flashing the core OS, rebooting into the userspace fastboot mode, flashing the rest of the OS and finally rebooting back into the bootloader interface. Avoid interacting with the device until the flashing script is finished and the device is back at the bootloader interface.
I was patient and waited for the flashing to complete.
The final step is Locking the bootloader. There is a button which says Lock bootloader. Why would you lock the bootloader? GrapheneOS explains:
Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will detect modifications to any of the OS partitions and it will prevent reading any modified / corrupted data. If changes are detected, error correction data is used to attempt to obtain the original data at which point it’s verified again which makes verified boot robust to non-malicious corruption.
I had flashed the release and was back in the bootloader menu, so I pressed the Lock bootloader button. The bootloader was locked almost instantaneously. Note one point of caution here:
The command needs to be confirmed on the device and will wipe all data. Use one of the volume buttons to switch the selection to accepting it and the power button to confirm.
After locking the bootloader, I booted into GrapheneOS. The system booted as expected. GrapheneOS recommended disabling OEM unlocking, which I did. It also recommended verifying the installation. I skipped that step, reasonably confident that I had not downloaded a fraudulent version of GrapheneOS (I am aware this goes against the spirit of the project). I also did not play around with GrapheneOS’s Auditor app, which performs a similar purpose. However, the options and recommendations are there and detailed in GrapheneOS’s install guide.
My thoughts on the GrapheneOS installer
The GrapheneOS installer was perfect in my one use of it. The directions are clear and everything worked exactly as expected. While I have only installed ROMs/OSs on a few Android devices, the GrapheneOS experience was the most seamless. However, it is worth noting that I have some experience with command line installs, and that experience gave me a surface level understanding of what I was doing in each step. I would recommend that people trying something like this for the first time read the instructions closely and make sure to understand each step in advance.
GrapheneOS Itself
I only used GrapheneOS to the extent of setting it up, so this is only a general impression of the immediate post-install environment. GrapheneOS comes very bare-boned. It uses a version of (what I think) is the default Pixel launcher, but with no colors (black and grayscale). The default apps were Vanadium, which is a GrapheneOS-exclusive fork of Chromium (it also uses its own WebView instead of Android System WebView), Settings, call and messaging apps, a PDF viewer, Auditor (mentioned previously), and an App called Apps, which can be used to install sandboxed Google Play Services (learn more here).
While I set up sandboxed Google Play Services, I opted for a different app store (this should be no surprise). Instead of installing Google Play Store, I installed Droid-ify, an app store which draws apps from F-Droid and other sources, from its GitHub repository. I discovered Droid-ify while reading through GrapheneOS’s forms as a preferable option to F-Droid (I agree and I have switched my own devices to it). GrapheneOS’s official position seems to disfavor F-Droid generally in favor of sandboxed Google Play Store, but Droid-ify is a nice modern client with access to many terrific free and open source apps. From there, I installed a suite of apps to prepare for the hand-off. Everything worked exactly as I would have expected it to work on an Android or Android-derived device.
Conclusion
I was very impressed with GrapheneOS’s user-friendly online installer. It goes a long way toward making GrapheneOS accessible to people who are interested in trying it on a newer Google Pixel device. It compares very favorably to CLI-install processes in lowering the barrier to entry, and I found that it worked better than the graphical Ubuntu Touch installer in my limited use of both.
Since I have not personally run GrapheneOS over an extended period of time, I cannot offer anything beyond initial impressions. But on the surface, it offers an Android-esque experience, albeit a bit bare bones out of the box. Its unique security features and the ability to run Google Play in a sandbox are useful for some use-cases. Given my more minimal phone security needs (I only use my phone for calls, SMS/XMPP, reading feeds, and as a Syncthing node), the security faults of LineageOS are not an issue for me, and I appreciate having root privileges. But were I to need a new phone, I might aim for a newer Google Pixel with GrapheneOS (I suppose I will see how the one I set up works out first).
I conclude by noting that anyone considering GrapheneOS or another AOSP-based alternative to stock Android should do their research and make sure they know the pros and cons of any operating systems or ROMs that they are considering. For example, if you, rely on banking apps or any particular proprietary apps that may need Google Play Services, you should research ahead of time whether the app(s) you need will work properly (neither was an issue here or in the case of my personal LineageOS phone). If you have important data on a phone that you are messing around with, make sure to back said data up before tinkering with your device. (Ideally, your data will already be on your computer(s) thanks to Syncthing.)