GrapheneOS with WhatsApp and other noob questions

I recently installed GrapheneOS and had a few questions for the community. Besides changing to dark mode, enabling pin scramble, setting up auto reboot, and configuring WiFi/Bluetooth to turn off automatically, are there any other settings you’d recommend changing for better security or usability?

Currently, I have four profiles set up: Owner, Streaming, Personal, and Google.

Unfortunately, I have to use WhatsApp because it’s required for work communications (hundreds of employees) and my family in China heavily relies on it. I’ve tried getting people to switch to Signal (especially as a medical provider), but it hasn’t been successful. Would it be okay to install WhatsApp on my Owner profile, or should I move it to a separate profile for better isolation? If I do move it to a separate profile, will I still receive notifications if I disable profiles from running in the background?

Additionally, I’ve kept Proton Calendar and my contacts on the Owner profile. Is it okay to leave them there, or would it be better to move them to a different profile for security reasons?

A couple of other things:

  • Is it safe to use the Google Pixel camera app (I think it’s called GCam)? It seems much better than the GrapheneOS camera.
  • Can I safely use Google Keyboard with restrictions? I’m having issues typing efficiently with the GrapheneOS keyboard.

Under my Personal profile (where I’ve placed my email and banking apps), the Chase app seems to break. Has anyone found a workaround for this issue?

Lastly, I’ve noticed YubiKey doesn’t seem to work with GrapheneOS. Are there any workarounds for this?

I’m sure I have more questions but wanted to start with these. Any advice would be greatly appreciated!

If this reads like an AI wrote it, it’s because I used it to better convey my thoughts. Otherwise it wouldn’t read well.

1 Like

Fair warning, this will be a long post.

I will start off by cautioning restraint when getting started with GrapheneOS. Oftentimes, people eventually realise that they dove into the deep end of the pool without really considering what they need and what will work best for them. There is no perfect configuration that will work for everyone.


Privacy & Security Settings

Auditor: You should enable remote attestation, ideally right after setting up the device for the first time. This can be done in any profile, but since the owner is always alive, that is probably best. Source.

Private DNS: I recommend Mullvad since they don’t keep any logs.

Always-on VPN: I can recommend Mullvad VPN, but not everyone needs a VPN so it is up to you and your threat model.

Screen-timeout: Configurable down to 15 seconds, personal preference of course but worth a look.

Lock after screen-timeout: Should also be set to immediately.

App Exploit Protection: Toggle everything on by default. Also disable sensors permission to apps by default.

Duress Password: Very dependent on threat model, but in my humble opinion, it can’t hurt to have one in case you need it.

Screen lock: You should be using at least a 6-digit PIN if relying on Titan M2 throttling is acceptable to you, otherwise a 6-8 word diceware password. Source.

Network toggle: Disable network access for apps that should not require it, such as keyboards, camera, etc.

System Apps: You should not disable these apps or alter any of their permissions. Doing so will lead to unexpected breakage, which may be difficult to diagnose later. This applies to the default apps too; just leave them be.

Alternative launcher app: Some users are unhappy with the lack of advanced features in the default launcher. In that case, I can recommend Lawnchair, which is visually inspired by the Pixel launcher.


I am a little confused as to the difference between what you use the owner and personal profiles for. Do you mind elaborating?

Using WhatsApp is fine. It’s obviously not great, but it is E2EE and is miles better than SMS/MMS. You will not receive notifications from any app in a profile that is not running in the background. Additionally, WhatsApp works best with Google Play Services for notifications. It can provide notifications by itself, but that requires allowing it to use unrestricted battery, and it is significantly less power-efficient.

This should be fine, unless you believe some specific part of your threat model requires otherwise.

It’s called Pixel Camera and is only officially available through the Google Play Store, although it functions just fine without Google Play Services. You can disable network access for it, though you may want to allow it at first so it can download some advanced ‘AI’ editing features.

Again, I can recommend disabling network access, although there are other FOSS keyboard options such as Heliboard and FlorisBoard, which you may want to try first.

Read this. It seems like it should work with exploit protection compatibility mode though I can’t test that myself.

See this. TL;DR it’s a whole mess but should work with sandboxed Google Play Services installed.


Once again, at the risk of sounding like a broken record, I would strongly encourage you to properly evaluate your threat model before going ahead, lest you burn out from privacy fatigue.

3 Likes

To clarify how I’ve set up my profiles and share some thoughts:

  • Owner Profile: This is mainly for checking my calendar, managing my schedule, and for calling and texting. It felt easiest to use this profile for those tasks.
  • Streaming Profile: Used solely for streaming apps like Netflix, Viki, HBO, Prime Video, and NewPipe. Honestly, I’m not a fan of NewPipe compared to YouTube Vanced, which I used to prefer.
  • Personal Profile: Reserved for banking apps and email. I don’t check email often—once a day is my goal—so I keep this profile simple.
  • Google Profile: This one is just for Google services, particularly Google Maps. While I dislike Google Maps for privacy reasons, it’s incredibly useful for travel. For example, in Japan or Europe, it provides detailed instructions for navigating complex train systems. On my current phone, I somehow messed up Google Maps, and it thought I was in Tokyo even though I was actually three hours away. I don’t remember what I did to cause that issue, but I set up the Google profile in GrapheneOS to help segregate these services. My hope is that this setup will make Google less invasive by limiting its access to all my locations at all times.

I’ve looked into alternatives for keyboards, but many options seem outdated or no longer supported. For now, I’m considering using Google Keyboard with restrictions because I’m struggling with the GrapheneOS keyboard.

Regarding the camera, I noticed a big difference between my ASUS ROG 6 and a friend’s Google phone during a recent trip to Japan—their pictures were much better. I’m wondering if the Google Pixel camera app would perform better than the GrapheneOS camera.

On a positive note, I switched to the Proton ecosystem last year, and I’ve been really happy with it. The email alias feature is fantastic for avoiding spam—I just disable an alias when it starts getting junk mail and create a new one. Their VPN has also been great, especially when traveling to China, where it worked just as well as ExpressVPN for bypassing the firewall.

I’ve also grown frustrated with Google’s practices, especially with their new Gemini integration for SMS. It feels invasive, and I don’t want my personal conversations being monitored.

While I don’t have a specific threat model, I want to take back some of my privacy. It’s unsettling to talk about something and then see targeted ads almost immediately.

I’ve avoided social media for a long time, as I don’t see the point of sharing everything I do. Plus, it’s a huge time sink. My wife, on the other hand, uses Facebook and Instagram frequently—I can’t seem to convince her to stop.

1 Like

If your profile setup works for you then that’s really the most important thing.

The quality is the same but the Pixel Camera app is more feature rich. Source.

I have been recently experiencing issues with WhatsApp on GrapheneOS, receiving an error message that I need to install the original application. Has anyone else experienced this? I tried to download from Play Store or direct APK install from the WhatsApp website but neither works. This only applies for directly registering a phone number. The app works fine when used as a linked device.

Works fine for me but I have Google Services enabled

So have I, but this is the error message I receive. Maybe it’s a new thing and not affecting existing registrations?

Don’t know if you’ve already read this thread, but these people are running into the same issue that seems to pop up when registering a new SIM on WhatsApp on GrapheneOS.

Maybe a workaround would be to grab an old phone and link WhatsApp through the “link a device” function on your Graphene phone.

Did you download it from the official source? If that didn’t work, maybe using it in Private Space would do the trick.

Thank you for the link!

Yes, this is what I am doing right now but it is not ideal.

Yes, I tried downloads from the website (APK - direct and via Obtainium) as well as Play Store/Aurora Store.

In order to do this, I suppose the general consensus on this forum remains that iOS is better than any flavour of Android if it’s unavoidable to have another phone in addition to GrapheneOS? I know that the debate gets very heated when it comes to whether GrapheneOS with Sandboxed Google Play Services or iOS is better but this is a slightly different question of course.

I don’t think you should overthink whether to choose iOS or GrapheneOS just to put WhatsApp on it.

(I would have even chosen any not-too-old Android Version with the official phone debloated ROM or privacy-oriented ROM, but I don’t think that’s looked upon favorably by the forum.)

1 Like

I just want to add that my advice may be right or wrong depending on the threat model being implemented and the risks one is willing to take (so for example, using an insecure phone for WhatsApp might not be the best idea if you have a more restrictive threat model or want to take fewer risks).

I’m making these clarifications because I’ve noticed the forum seems to be visited more frequently by activists or at-risk people lately.