GrapheneOS with WhatsApp and other noob questions

I recently installed GrapheneOS and had a few questions for the community. Besides changing to dark mode, enabling pin scramble, setting up auto reboot, and configuring WiFi/Bluetooth to turn off automatically, are there any other settings you’d recommend changing for better security or usability?

Currently, I have four profiles set up: Owner, Streaming, Personal, and Google.

Unfortunately, I have to use WhatsApp because it’s required for work communications (hundreds of employees) and my family in China heavily relies on it. I’ve tried getting people to switch to Signal (especially as a medical provider), but it hasn’t been successful. Would it be okay to install WhatsApp on my Owner profile, or should I move it to a separate profile for better isolation? If I do move it to a separate profile, will I still receive notifications if I disable profiles from running in the background?

Additionally, I’ve kept Proton Calendar and my contacts on the Owner profile. Is it okay to leave them there, or would it be better to move them to a different profile for security reasons?

A couple of other things:

  • Is it safe to use the Google Pixel camera app (I think it’s called GCam)? It seems much better than the GrapheneOS camera.
  • Can I safely use Google Keyboard with restrictions? I’m having issues typing efficiently with the GrapheneOS keyboard.

Under my Personal profile (where I’ve placed my email and banking apps), the Chase app seems to break. Has anyone found a workaround for this issue?

Lastly, I’ve noticed YubiKey doesn’t seem to work with GrapheneOS. Are there any workarounds for this?

I’m sure I have more questions but wanted to start with these. Any advice would be greatly appreciated!

If this reads like an AI wrote it, it’s because I used it to better convey my thoughts. Otherwise it wouldn’t read well.

1 Like

Fair warning, this will be a long post.

I will start off by cautioning restraint when getting started with GrapheneOS. Oftentimes, people eventually realise that they dove into the deep end of the pool without really considering what they need and what will work best for them. There is no perfect configuration that will work for everyone.


Privacy & Security Settings

Auditor: You should enable remote attestation, ideally right after setting up the device for the first time. This can be done in any profile, but since the owner is always alive, that is probably best. Source.

Private DNS: I recommend Mullvad since they don’t keep any logs.

Always-on VPN: I can recommend Mullvad VPN, but not everyone needs a VPN so it is up to you and your threat model.

Screen-timeout: Configurable down to 15 seconds, personal preference of course but worth a look.

Lock after screen-timeout: Should also be set to immediately.

App Exploit Protection: Toggle everything on by default. Also disable sensors permission to apps by default.

Duress Password: Very dependent on threat model, but in my humble opinion, it can’t hurt to have one in case you need it.

Screen lock: You should be using at least a 6-digit PIN if relying on Titan M2 throttling is acceptable to you, otherwise a 6-8 word diceware password. Source.

Network toggle: Disable network access for apps that should not require it, such as keyboards, camera, etc.

System Apps: You should not disable these apps or alter any of their permissions. Doing so will lead to unexpected breakage, which may be difficult to diagnose later. This applies to the default apps too; just leave them be.

Alternative launcher app: Some users are unhappy with the lack of advanced features in the default launcher. In that case, I can recommend Lawnchair, which is visually inspired by the Pixel launcher.


I am a little confused as to the difference between what you use the owner and personal profiles for. Do you mind elaborating?

Using WhatsApp is fine. It’s obviously not great, but it is E2EE and is miles better than SMS/MMS. You will not receive notifications from any app in a profile that is not running in the background. Additionally, WhatsApp works best with Google Play Services for notifications. It can provide notifications by itself, but that requires allowing it to use unrestricted battery, and it is significantly less power-efficient.

This should be fine, unless you believe some specific part of your threat model requires otherwise.

It’s called Pixel Camera and is only officially available through the Google Play Store, although it functions just fine without Google Play Services. You can disable network access for it, though you may want to allow it at first so it can download some advanced ‘AI’ editing features.

Again, I can recommend disabling network access, although there are other FOSS keyboard options such as Heliboard and FlorisBoard, which you may want to try first.

Read this. It seems like it should work with exploit protection compatibility mode though I can’t test that myself.

See this. TL;DR it’s a whole mess but should work with sandboxed Google Play Services installed.


Once again, at the risk of sounding like a broken record, I would strongly encourage you to properly evaluate your threat model before going ahead, lest you burn out from privacy fatigue.

3 Likes

To clarify how I’ve set up my profiles and share some thoughts:

Owner Profile: This is mainly for checking my calendar, managing my schedule, and for calling and texting. It felt easiest to use this profile for those tasks.
Streaming Profile: Used solely for streaming apps like Netflix, Viki, HBO, Prime Video, and NewPipe. Honestly, I’m not a fan of NewPipe compared to YouTube Vanced, which I used to prefer.
Personal Profile: Reserved for banking apps and email. I don’t check email often—once a day is my goal—so I keep this profile simple.
Google Profile: This one is just for Google services, particularly Google Maps. While I dislike Google Maps for privacy reasons, it’s incredibly useful for travel. For example, in Japan or Europe, it provides detailed instructions for navigating complex train systems. On my current phone, I somehow messed up Google Maps, and it thought I was in Tokyo even though I was actually three hours away. I don’t remember what I did to cause that issue, but I set up the Google profile in GrapheneOS to help segregate these services. My hope is that this setup will make Google less invasive by limiting its access to all my locations at all times.

I’ve looked into alternatives for keyboards, but many options seem outdated or no longer supported. For now, I’m considering using Google Keyboard with restrictions because I’m struggling with the GrapheneOS keyboard.

Regarding the camera, I noticed a big difference between my ASUS ROG 6 and a friend’s Google phone during a recent trip to Japan—their pictures were much better. I’m wondering if the Google Pixel camera app would perform better than the GrapheneOS camera.

On a positive note, I switched to the Proton ecosystem last year, and I’ve been really happy with it. The email alias feature is fantastic for avoiding spam—I just disable an alias when it starts getting junk mail and create a new one. Their VPN has also been great, especially when traveling to China, where it worked just as well as ExpressVPN for bypassing the firewall.

I’ve also grown frustrated with Google’s practices, especially with their new Gemini integration for SMS. It feels invasive, and I don’t want my personal conversations being monitored.

While I don’t have a specific threat model, I want to take back some of my privacy. It’s unsettling to talk about something and then see targeted ads almost immediately.

I’ve avoided social media for a long time, as I don’t see the point of sharing everything I do. Plus, it’s a huge time sink. My wife, on the other hand, uses Facebook and Instagram frequently—I can’t seem to convince her to stop.

1 Like

If your profile setup works for you then that’s really the most important thing.

The quality is the same but the Pixel Camera app is more feature rich. Source.