GrapheneOS

So i am installing GrapheneOS rn and i need help:

i want app tracking protection to every app something like duckduckgo's app tracking protection if there is something better?!
someone explain me (with simple words) what is auditor cause i can't understand even if i read about it on GrapheneOS' website (i am like 50% noob with these things)
is my wifi masked automatically with GrapheneOS or should i 100% use a vpn? is there a setting in the OS somewherere? i need a lot of privacy and security to my phone!!!

also tell me additional tips for privacy/security for GrapheneOS if u have any!

thanks a lot!

18 comments

Not sure on this one.
The auditor is to make sure you are installing an authentic version of graphene. That it is not a modified version that has been tampered with (e.g., backdoors).
Automatically enables MAC randomization. This can help with being tracked on public networks. Fingerprinting techniques have gotten better though with deep packet inspection and even measuring radio characteristics. I've seen demos of two brand new and identical models of iPhones being distinctly picked out due to variances in the radios during manufacturing.
Doesn't help with advertisers tracking behavior based on IP. VPNs help with "blending-in" by putting multiple users behind the same IP. Provider matters here. Needs to be a VPN provider that won't just sell your data or cave to law enforcement. Mullvad is my preference. Paid with crypto. RAM only logs. That said, use Tor or I2P for anything you don't want subpoenaed.
For additional tips:
Can't remember if its on by default, but auto-reboot to put data at rest (encrypted and not in RAM). This is for a state-actor threat level, and less about advertisers.
I prefer pin codes to unlock my device and don't use biometrics. Graphene has a feature to randomize the pin pad every time to protect against a recording of the pin be entered. Specifically where the numbers aren't picked up on the video but the pattern your hand makes can be seen. Again, more of a state-actor threat level.
- I've been eyeing Graphene for a while now but I'm not really a tech person. I fumbled my way through installing and doing basic tweaks on Linux Mint but I don't know the first thing about coding or programming. Is that kind of knowledge a must for this OS or is it more dummy friendly? And what's a good cheap phone to grab to start messing with it and getting familiar, do you have any recommendations on that front?
  
  It's almost the same as plain Android, only with the Google services removed or locked down, and additional security restrictions and permissions control. Most apps work without any additional configuration, unless they're doing something unusual.
  The only supported devices are Pixels, so take your pick from the list: https://grapheneos.org/faq#supported-devices
  
  No programming knowledge required.
  Graphene only supports Pixels due to the titan chip. The versions with "a" are cheaper. Check when they go end of life to find the cheapest if you care about updates. So probably the 6a or 7a if you want at least 2 years of updates.
  
  It's pretty dummy friendly. Accept that some things may not work or will work differently (Most notably tap to pay is a no go AFAIK,) and be willing to learn if something comes up would probably be how I describe it. The only problem that might turn up that an app that you need doesn't pass gOS' security checks, but there's an app level setting to lessen security restrictions if it's something you NEED.
  Otherwise, meh? Flashing back to stock is super easy via a google web tool if you don't like it. (I had to for a trip, Ticketmaster was being wonky and all my shows were ticketmaster haha. I've never had a problem before with the Ticketmaster app so IDK if it's an ongoing thing or not)
  
  I'm not really a tech person
  You don't say? You reported me to myself on a community that I created, lol.

Best tip i can give you is this...
https://discuss.grapheneos.org/
Make an account there and find all your answers. The community is VERY knowledgeable. Good luck

1 i prefer netGuard but trackerControl, which is based on netGuard, seems to be what you're describing there
3 when you write "my wifi", to what do you connect your phone to?

Tracking protection on every app is best done via custom DNS. Since you successfully installed graphene OS, you can probably follow instructions well enough to set up a few DNS servers.
Personally, I have a few adguard -> unbound (unbound set as a recursive resolver) and then adguard set up with block lists at varying levels of strictness.
A very lax instance for my router as to not break the internet for anyone on my WiFi.
A few setup strict for my devices (phone, TV etc). Personally I keep the TV on a different instance as its super chatty and I don't want it muddying up my stats for other devices
I have a separate one that services my IoT devices
If you don't feel like setting up adguard/unbound you could use nextdns or adguard hosted, but local control gives you the most configurability and privacy, depending on your threat model.
Edit: unsure why I'm being down voted. All duckduckgo is is an app that acts as a VPN and blocks traffic to trackers. Why use their blocker when you can use your own, and have it for all of your devices, not just your phone?

This "app tracking protection" is just a DNS filter. You can achieve the same by setting a filtered DNS resolver like base.dns.mullvad.net in the Private DNS options.
Auditor just verifies that your installation of GrapheneOS is real and unmodified, meaning it hasn't been tampered with by an attacker or corrupted in any other way.
I would recommend using a VPN. That's also why I prefer the DNS filter over something like app tracking protection, since it doesn't occupy your VPN slot. GrapheneOS only improves the actual Wi-Fi connection privacy (by randomizing your Wi-Fi MAC address), but it has nothing to do with the data transmission over the Wi-Fi network. That's what you need a VPN for. You can check out this comment about the Pros and Cons of VPNs, as well as the criteria for picking a good and trustworthy VPN provider: https://lemmy.dbzer0.com/comment/15631872 Here's some more advice about VPNs: https://www.privacyguides.org/en/vpn/

I've been using Graphene for a while. Here are some things i've changed and found useful:
I really like the storage scopes feature. Whenever an app requests access to storage/contacts, i setup scopes for it. This feature alone makes me never want to leave Graphene.
I also really like the random mac adress feature. Whenever i connect to wi-fi, my mac adress gets randomized to appear as a different device, (except on my LAN, otherwise, my router would be flooded with different devices that in reality, are the same).
Multiple profiles is also a nice feature. I've used them before, but now i just use everything under the root profile, even Google services. Since they run in a sandbox, i'm ok with it. This is probably something you want to avoid if your threat model requires you to, but i have found that for banking apps, it was a major drawback for me, that i had to switch profiles everytime i wanted to acess them. And even worst, if i wanted to send documents over e-mail, since my e-mail was on my non-Google profile, it was very annoying, so, i simply went with everything under root.
The on/off toogle for camera & microphone is also really nice. I use it all the time.
I've also set a 1 min timer to disable my wi-fi when i have no active connection, (e.g when i leave my house).
I've changed my DNS to a more private one, (currently using family.dns.mullvad.net).
On settings, if you go to NFC, you have an option to request device unlock to use NFC. I've set this to on, dispite having NFC off all the time.
- How do you set toggle timers? This is new.
  
  I've found this video very useful when i installed Graphene.
  The answer to your question can be found on minute 07:00.

use FOSS software whenever you can try https://github.com/MuntashirAkon/AppManager it lets you see every known tracking library that apps have and you can even block those, while maintaining functionality. set fingerprint and don't lend your phone to anyone scan all downloads with virustotal use a hosts file based ad and malware blocker (you need root for it) like AdAway use Invizible Pro, where you can configure Tor, i2pd, dnscrypt run at the same time. Use Cromite or Tor browser or Vanadium update your software as soon as possible use a password manager, like any maintained keepassxc fork or bitwarden, with a foss authenticator app (i use Aegis) change email provider: protonmail, tutanota use Termux for everything that you don't need a gui for or don't have a gui for (like low-level operations, getting system info, compiling, converting and compressing niche formats, http server, network analysis and so on)

Idk if good idea and this needs root try to change the etc/hosts you can find some online.
The only con is it needs to be updated manually and requires root
You can use AdAway to do it automatically for you

18 comments