Some Questions after Installing GrapheneOS

I recently bought a Pixel and installed Graphene OS in order to replace my iPhone and I have a couple of questions and thoughts.

For now I think I will start by using just the owner profile with google services installed, maybe I will change that later.

Regarding installing apps, most apps I can install directly from source using Obtainium but some are not available this way. I tried using Aurora for those apps but it was buggy, sometimes failed and one app refused to work and redirected me to the Play Store. So I created a new fake Google account for the Play Store and installed those apps from there. I noticed that this method added my fake Google account to the Passwords, passkeys & accounts section in settings and also logged me in to Google Maps (which I downloaded). What are the implications of that? Is there a way to avoid this and keep the account logged in only in the Play Store?

There are two reasons for why I installed Google Play Services: 1) Notifications, 2) Google Maps. What permissions do I need to grant Google Play Services and Google Play Store respectively for those two things to work?

What does disabling background usage for an app do? Is it a good idea to disable background usage for privacy invasive apps such as Google Maps and WhatsApp?

Is it safe to download and use the Pixel Camera app if I disable network permission for it? Because from what I understand it can still communicate with Google Play Services.

For apps that publish directly to F-Droid, such as Gadgetbridge, is it OK to add the F-Droid link to Obtainium and install them this way?

How do I create a PWA in Android/GrapheneOS? I tried the “Add to Home screen” button in Vanadium and Cromite but it just creates a shortcut that opens the browser.

Any general Android/GrapheneOS advice for someone coming from iOS?

I’m getting my Pixel 8a delivered soon too so I’m going to have similar questions. I’ll follow this post to be notified of the answers for the similar questions I too have.

Owner profile with GPS (Google Play Services) installed is a big step up in terms of privacy and security compared to stock ROM. That’s a pretty basic setup so try and see how it goes.

The easiest and most secure way to install apps is using an anonymous/burner Gmail account for Play Store. Aurora has plenty of issues and security concerns but is great if you need more privacy than security. Obtainium is an awesome tool - just be sure to verify downloaded apps before you install them.

Google apps tend to automatically sign you in so be sure to use the option “Use without account/offline” in Google Maps, Messages, Photos, Recorder, etc… also, be sure to select Bitwarden, KeePassXC or any other password manager as primary in Passwords, passkeys and accounts. You can safely log out of the apps and they won’t auto-login anymore (in my experience).

Using Play Services will also improve your battery life if you have several apps running in the background waiting for incoming notifications, which is good. You don’t need to have Play Services installed to use Google Maps. Only Play Services needs several permissions like Notifications, Sensors, Storage, while you can deny whatever others you want.

I usually disable all background app usage except Signal and Tuta. Background usage for WhatsApp (for example) is disabled, as is background network access, which means I have to enter the app for it to sync to the servers and get the new messages.

Google Pixel camera has better quality at the moment compared to the GOS one and you can install it and disable network access. In theory, apps can communicate over IPC and GOS has a plan to implement a solution for that as well. I wouldn’t think about it too much, it’s out of our control. The same applies for Google Photos, which actually improves the photo quality in post processing. Great to couple it with Pixel Camera.

It is OK, but it’s sometimes better to get the app from the source (github, gitlab, iceberg, etc).

It depends if the website is PWA compatible. Usually it says Install or Add to Home screen.

Just do it and enjoy the ride :wink:
GrapheneOS Forum is an excellent choice to get more tips and meet some awesome folks - same as here.

Thank you for this detailed and informative response! I have some follow up questions.

For apps that I can download from both the Play Store and Obtainium (like Signal) is there a significant downside to Obtainium? Because I prefer the idea of Obtainium and I download from official sources and verify downloaded apps with AppVerifier.

Unfortunately it seems that after a recent update Google Maps needs Play Services. See here.

Great thanks. So I will disable background usage for some apps. Do notifications still work for those apps though?

Regarding notifications and the Play Store. Am I understanding correctly that for notifications to work I only need Google Play Services with Network and Sensors permissions?
Can I disable all the permissions for the Play Store and restrict background usage? Enabling network permission only when I want to download an app?

No downside.

I would recommend trying to reduce your reliance on Google apps and use the alternatives. See the apps PG has recommended:

For those times when you really need Gmaps, use it in the browser, which reduces the number of permissions you have to permit. Or for increased privacy access Gmaps from Mullvad Browser (with a VPN) or Tor.

Depending on your threat model, try to see if you can forgo installing proprietary apps and use them from a browser instead. Loss in security is debatable as it involves JavaScript but could be an acceptable risk. There is an argument of gaining security when minimizing the number of apps you install because it reduces your attack surface.

Use airplane mode as much as possible to reduce cellular tracking. A bolder approach is to forgo a SIM card completely and connect to public Wi-Fi when necessary.

Also, make sure to have a VPN on at all times.

One note here, even if the website is PWA compatible, you need to be in normal browsing mode (i.e. NOT incognito mode) to see the install option.

Google Maps can be installed as a PWA, try if that suits you.

Likely not. You will also need to allow unrestricted background usage for Google Play Services for reliable notifications across the board.

Expect some apps such as banking, some government apps, and Google Pay to not work.

Expect some apps to be incompatible / partially incompatible with exploit protection; you will need to tinker with the settings on a case by case basis.

You will also find the OS is quite barebones, even compared to stock Pixel firmware, as there is ZERO bloatware in GOS.

Thank you for the response.

I don’t use almost all Google services but unfortunately, for where I live, there is no real alternative to Google Maps so I do use it.

Will try that, thanks.

offtopic

I do the same, I still unfortunately have to use this app and people call me using it. Have you noticed during your calls if with phone locked that your microphone also locks and you have to unlock your phone to get the mic working again?

Haven’t noticed that so far.