Note privacy implications of GrapheneOS proxy services

To my understanding, GrapheneOS replaces a lot of default Android connections to Google with connections to either GrapheneOS services or GrapheneOS-operated proxies in front of Google’s services (see: Comparison of Android ROMs).

It’s good for de-Googling, but this is an example of shifting trust instead of actual privacy, which I think should be noted. There are a lot of reasons people wouldn’t want to trust GrapheneOS or Google.


I disagree. Following your logic, DuckDuckGo and Startpage are useless.

You only have to shift trust when there is a need for trust. With their 10-days data retention policy (Frequently Asked Questions | GrapheneOS), there is less reason for you to trust them.

Plus, many of these can be disabled, or are local and don’t require internet. Only real concern is the dns checks.


It replaces necessary connections with its own or just proxies things to Google. Things that are unnecessary can be disabled in the settings. I don’t understand what you are trying to achieve with this post.

Note: GrapheneOS has a very good privacy policy, compared to Google’s. So using GrapheneOS services and proxies is a considerable boost to privacy.


This implies that I think shifting trust is useless, which I have never said, so you are not correctly following my logic.

Privacy Guides notes the usefulness of shifting trust often, for example:

I am only pointing out that people should know when they are shifting trust to another party. Surely that is not controversial?


For the VPN example, this isn’t an example of shifting trust. Privacy Guides require VPN provider to not log queries (verified with open source client and audited servets) , have good security policy and allow anonymous account creation. This is precisely, as stated by Privacy Guides so you don’t have to shift trust, since the trust isn’t needed as it is guaranteed by technogical means.

Re-read the linked quotation:

Using a VPN hides even this information from your ISP, by shifting the trust you place in your network to a server somewhere else in the world.

A privacy policy is not a technological privacy measure.


Not logging with verification from third-parties is.

Anonymous (Monero OR Cash) payments is.

Hm, well this makes sense to me. Like @Lukas said, this is generally a good thing, and we can point out how this is a differentiator between GOS and other ROMs like LineageOS.

Looking at the Android ROM page I see that our entries on GrapheneOS and DivestOS are rather short in comparison to the detailed entries we’ve been writing on other recommendations lately. They’re probably due for a refresh where we explain why they’re good for privacy/security instead of merely stating that they are :+1:


GrapheneOS also allows you to change internet connectivity checks back to Google, so you can blend in with billions of other devices if you’re using a VPN or Tor because internet connectivity checks are made outside of a VPN tunnel. So changing it back to Google might be useful if you want to hide the fact that you’re using GrapheneOS.

You can also disable them, but it would still make you stand out, and things like captive portals, etc. would break.


That’s also probably something good to point out, although I’d have to look more into whether this is actually the case. The phone would still connect to some GOS services like update servers presumably… or I could be wrong, but I think a VPN is a simpler/safer way to hide network traffic than switching back to Google.

Anyways I will set this topic to auto-bump when I get back from vacation, so that I remember to mark it as approved in case there aren’t any other replies between now and then… unless anyone has some other objection in the meantime. Not really sure why we wouldn’t approve simply adding factual information though.

1 Like

What I meant is that if you use a VPN or Tor, then internet connectivity checks still happen outside of a VPN. Everything else goes through a VPN or Tor, including updates.


I just disagree with @Lukas ,hiding that you use privacy tools is impossible and useless.

Just like it could make sense to try and hide Tor usage by connecting to a VPN first, it also could make sense to hide the fact that you’re using GrapheneOS from the ISP, network admins, etc.

1 Like

If you use GrapheneOS, you already trust their developers, so there’s no additional party to trust with these connections.


Sure, there are reasons but I can’t recall ever hearing a good one.



Trust is a very personal (and situational) thing. What counts as a ‘good reason’ for you and for someone else won’t necessarily be the same. This is one reason why it is useful to acknowledge when a privacy measure is not purely technical and is based on trust or shifting trust.

I don’t think this is something that anyone needs to be getting defensive about (not pointing at anyone specifically just my impression of the overall tone of the thread), shifting trust isn’t a fully verifiable or technical solution, but it is a practical solution to various privacy problems that can’t be easily solved in other ways. A VPN shifts trust, a private search engine shifts trust . The goal is to shift trust from a less trusted to a more trusted entity, when a trustless solution isn’t practical. And the reason it is important to be clear about that is because we all have differing levels of trust in different entities, and because we don’t want to give less informed users an inflated sense of confidence (common problem with VPNs for example).

Realistically with GrapheneOS, I’m sure that the vast majority of people who choose to go out of their way to install GOS would much prefer a GOS proxied connection instead of a direct connection to an untrusted 3rd party service. Proxying connections in this context is a good thing in my eyes. But that doesn’t mean people shouldn’t be aware of the trust relationship and the inherent theoretical vulnerability that exists.


The GrapheneOS proxies are different depending on connection.

Some just pass an encrypted blob onward to Google, others can actually see the contents of the request, others are just downloading a static file with no information from client.

  • connectivity check is just a static request/response from their server
  • the time request piggy backs on the connectivity check requests
  • the remote provisioning proxy passes an encrypted payload to/from Google
  • the psds proxy just proxies static files from broadcom/samsung/qualcomm
  • the vanadium proxy just proxies static files from google
  • the supl proxy however can let them see the contents of the supl request

This can actually be of interest when being in certain places where you could become a person of interest due to these things. Question remains if that doesn’t already happen but some people might not want to take that risk.

I have frequently seen (perhaps not so much this forum) in other places where people question what Google and others say i.e. don’t accept what they say or perhaps saying that even if a product is open source you still can’t be sure that the source code available is the same as running code. It may be that Graphene deserves more trust than Google because there is no reason to distrust but I think all the OP is saying is that one still should be aware that using Graphene requires one to trust Graphene’s developers . There is always going to be some trust required unless you write and compile the software yourself.

1 Like