Thoughts on this phone setup

Hi all

Recently I’ve been reviewing my setup on my phone and wondered if the community would review the config to see if there’s anything I might have missed.

It heavily relies on Syncthing; this way all my devices are in sync and the data is up to date in almost real time.

My tablet follows the same setup as they both run GrapheneOS.

Owner profile - installs apps only, using a mixture of Obtainium + Aurora Store (Droidify is used as an app search rather than an installer); apps are disabled as soon as they are installed.

Daily profile - Obtainium apps only here (apart from WhatsApp, as I haven’t gotten people to move to Signal yet); this is where Syncthing is installed and all data is synced to / from.
Apps include AntennaPod, KeePass, Aegis, Molly, NewPipe; I leverage a lot of the stock apps for things like the gallery.
Permissions are heavily restricted here: sensors are removed, background usage and data are removed if the app doesn’t use them, and any other unrequired permissions are removed.
All the security settings are configured, such as MTE, disabled dynamic code loading from memory or storage, etc.
Mullvad VPN + DNS are used here; split tunnelling is only used to make Syncthing work correctly.

Car profile - used for the car; has Android Auto, Play Services, etc.
Only used for the car, disabled otherwise.

Banking - banking apps only; apps heavily restricted in terms of permissions; if an app isn’t used here, it’s disabled.

Any other suggestions?

Thanks!!

The best recommendation that I can give is: stick with the owner profile only, unless you really need some other profiles.

The advantages of daily driving multiple user profiles are not worth it at all because of all the disadvantages.

1 Like

Could you list some of the disadvantages? The idea of profiles for me was IPC

Battery life, performance, inconvenience, complexity, and all sorts of bugs/issues.

3 Likes

I haven’t personally found any battery drain (not saying it’s a thing however).
So maybe move the daily profile to the owner (maybe car profile with some restrictions) and then have Banking as separate?

Your setup seems really good to me, but I have some suggestions.

Instead of having Droidify installed only for app search, you could use this website, maintained by the IzzyOnDroid repository maintainer, to search for apps available in some F-Droid repositories, including the IzzyOnDroid and the F-Droid repositories.

If you want, you can use bookmarks in your preferred browser to organise different apps directly from that website and from F-Droid’s website for your personal purposes.

This is what I would personally do, but the choice is yours.

You can install and update WhatsApp from Obtainium; it’s even available as one of the default sources for app installation in Obtainium’s supported sources.

When you go to the “Add App” menu in Obtainium, you should see “Supported Sources” in the bottom left corner. Click on it and you will see it includes WhatsApp. If you then click on “WhatsApp”, the WhatsApp website opens in your browser and you can add it to Obtainium, as you would with any other app, and download/update WhatsApp automatically.

I use this method to update WhatsApp (I also need to use it) and it has worked reliably for me for many months already.

You mean KeepassDX, right?

You can install Molly through Accrescent if you want; it is available through the GrapheneOS App Store and is usually advertised as a secure way to download and update applications.

Speaking of Accrescent, you can also download App Verifier from it or from GitHub releases to verify that your apps are genuine.

Other than the AppVerifier GitHub repository, this thread on the GrapheneOS forum is the best source I could find explaining different ways to use this app:

There are different ways to get a SHA-256 fingerprint for an app:

• Some apps write it publicly on their website, social media profiles or code repositories (like GitHub and GitLab); Accrescent and Aegis are two apps that do this.

• For most apps, if you want to verify their signatures, you likely need to follow this tutorial: apksigner | Android Studio | Android Developers

I never tried the second process due to inconvenience, so I don’t fully know how it works, but at least installing AppVerifier to verify apps that have their signatures available in AppVerifier’s database is a convenient extra security measure that I use when possible, especially with the Obtainium integration.

1 Like

All in all though, in my opinion, your setup is already very good and my suggestions are only small things that you can consider or not, based on your individual needs, wishes and how much convenience you are willing to sacrifice for some possible privacy and security improvements. Don’t feel pressure to follow any of them.

Good luck. :wink:
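The fingerprint the post above talks about is the SHA-256 hash of the APK's signing certificate (the value apksigner prints and AppVerifier compares). The following script is an added example, not code from the thread, AppVerifier or Obtainium: it locates the APK Signing Block (signature scheme v2/v3) in front of the zip central directory, pulls the signer certificates out of it, hashes them, and compares the result with a published fingerprint in either apksigner style (plain hex) or keytool style (colon-separated). The "APK" it is run on in the usage section is constructed in memory with a placeholder byte string in the certificate slot, so the only thing it proves is the parsing and comparison logic; run `apk_signing_fingerprints(open("app.apk", "rb").read())` on a real download to get real values.

```python
"""Compute SHA-256 fingerprints of an APK's signing certificates from its
APK Signing Block (scheme v2/v3) and compare them with published values.
Added example; the test fixture is constructed and contains no real cert."""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2 block id
V3_BLOCK_ID = 0xF05368C0  # APK Signature Scheme v3 block id


def _eocd_offset(data):
    # End-of-central-directory record: 22 bytes plus a comment of up to 65535
    idx = data.rfind(b"PK\x05\x06", max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("not a zip/APK: no end-of-central-directory record")
    return idx


def _central_dir_offset(data):
    return struct.unpack_from("<I", data, _eocd_offset(data) + 16)[0]


def find_signing_block(data):
    """Return the ID-value pairs of the APK Signing Block, or None if absent
    (unsigned or v1-only APK). Layout, immediately before the central dir:
    size(u64) | id-value pairs | size(u64) | 16-byte magic."""
    cd = _central_dir_offset(data)
    if data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return None
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    return data[start + 8:cd - 24]


def _iter_pairs(pairs):
    pos = 0
    while pos < len(pairs):
        length, block_id = struct.unpack_from("<QI", pairs, pos)
        yield block_id, pairs[pos + 12:pos + 8 + length]
        pos += 8 + length


def _lp(buf, pos=0):
    # uint32 little-endian length-prefixed field
    n = struct.unpack_from("<I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _lp_seq(buf):
    items, pos = [], 0
    while pos < len(buf):
        item, pos = _lp(buf, pos)
        items.append(item)
    return items


def signing_certificates(scheme_block):
    """DER certificates of every signer; v2 and v3 signed-data both begin
    with the digests sequence followed by the certificates sequence."""
    signers, _ = _lp(scheme_block)
    certs = []
    for signer in _lp_seq(signers):
        signed_data, _ = _lp(signer)
        _digests, pos = _lp(signed_data)
        cert_seq, _ = _lp(signed_data, pos)
        certs.extend(_lp_seq(cert_seq))
    return certs


def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


def normalize(fp):
    # Accept apksigner (plain hex) and keytool (AA:BB:...) styles alike
    return fp.replace(":", "").replace(" ", "").lower()


def apk_signing_fingerprints(data):
    pairs = find_signing_block(data)
    if pairs is None:
        return []
    blocks = dict(_iter_pairs(pairs))
    scheme = blocks.get(V3_BLOCK_ID, blocks.get(V2_BLOCK_ID))
    if scheme is None:
        return []
    return sorted({fingerprint(c) for c in signing_certificates(scheme)})


def fingerprints_match(actual, published):
    """True only if the APK is signed and every signing cert is a published one."""
    expected = {normalize(p) for p in published}
    return bool(actual) and all(fp in expected for fp in actual)


def build_fake_apk(cert_der):
    """Constructed fixture: a tiny zip, plus (if cert_der is given) a v2-style
    signing block whose certificate slot holds cert_der. No real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder")
    data = buf.getvalue()
    if cert_der is None:
        return data

    def lp(b):
        return struct.pack("<I", len(b)) + b

    signed_data = lp(b"") + lp(lp(cert_der)) + lp(b"")  # digests, certs, attrs
    signer = lp(signed_data) + lp(b"") + lp(b"")  # + signatures, public key
    v2 = lp(lp(signer))
    pair = struct.pack("<QI", 4 + len(v2), V2_BLOCK_ID) + v2
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd, eocd = _central_dir_offset(data), _eocd_offset(data)
    out = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))  # fix cd offset
    return bytes(out)


if __name__ == "__main__":
    cert = b"constructed, not a real X.509 certificate"
    fps = apk_signing_fingerprints(build_fake_apk(cert))
    print(fps, fingerprints_match(fps, [fingerprint(cert)]))
```

The comparison deliberately fails closed: an APK without a v2/v3 signing block yields no fingerprints and never matches, and an APK signed by an extra, unpublished certificate is also rejected rather than accepted because one of its signers happened to match.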

I know you mentioned that you configured all security settings, but better be safe than sorry. The following post is a bit outdated, but should cover most settings that may interest you.

You’ve opened my eyes to some extra things, I’ll give them a test :slight_smile: much appreciated, didn’t know Obtainium integrated with AppVerifier.

And yes, the FOSS offline KeePass for Android, can never remember if it’s XC or DX lol.

I’ll try the WhatsApp thing also, looks like a good idea to remove the final bits of Google on my phone :slight_smile:

1 Like

This is good advice. I followed a similar setup to the OP and absolutely struggled. The best recommendation I was given is to assess your threat model and plan your setup accordingly. Multiple profiles were interesting until they started interfering with your workflow and day-to-day life, and of course there is how much time you have to tinker to get a device that suits your needs. I had maps and WA in a different profile initially but had to switch them to the main profile for my sanity. For maps I use Here. The open source alternatives are good but don’t fit my use case; this was the best app I decided to settle on. Works offline, clean UI. For WA, similar to your circle, I just couldn’t get my parents to switch and I live overseas. WA seems to be the best way they can get in touch with me. One of my parents who is decently tech savvy just plain refuses to switch out of sheer convenience and less regard for any far-reaching privacy consequences. Trust me when I say I tried; the reason of privacy just doesn’t seem to fly with them.

At the end of the day you will only know what works after you have tried it for some time. In my case, I tried for 2 months and it made sense to have just one profile with just the absolutely necessary apps, and the rest being PWAs and web apps. I also don’t do banking on the phone. I have a secondary phone (iOS) for banking but I prefer to do most of the banking on a desktop.

3 Likes

Some already mentioned this but I’ll just endorse it. I have an Owner profile, a Daily profile and a Sandbox profile, kinda similar setup to yours. If I started again I would NOT have done this. Each profile keeps its own contacts and photos; fingerprint unlock doesn’t work when switching between profiles; certain settings are only available in the Owner profile, like deleting a Wi-Fi network; if you add the same app in two different profiles and keep it under the app library from each profile (like in the Play Store in one profile and Obtainium in another) you may have some annoying app version issues saying that the app is older and can’t be installed; I only see if there are system updates if I’m logged in to the Owner profile; there is an issue keeping the last colour palette in your material theme after restarting the phone in the secondary profiles, etc. The last one may be a thing on my side: I can’t get Molly to be installed in two distinct profiles.

In summary, I’d try to have things in two profiles maximum, but even with my recommendation and all the issues I still like my setup :joy:, so maybe ignore all that we are saying and see what works for you!? :person_shrugging:

I agree with everything apart from 1 point.
Fingerprint works, you have to swipe back first and then it reveals the scanner.

I have noticed some issues with Bluetooth and profiles, so I may adjust this setup again yet.

You only need 2 profiles for daily use.
It’s recommended not to touch the owner profile, since it has the admin privilege.

Apps are sandboxed so you don’t need to worry, you can also disable the internet connection for certain apps when it’s not used all the time.

Can’t imagine if someone sends an important message while you’re on the other profile and you miss it.

That’s not how it works.

There is an option to forward notifications to other user profiles.

1 Like

You are right