GrapheneOS: After 3 Years, This Is How I Install Apps on My “De-Googled” Phone

published 2024-09-16 · updated 2024-09-19 #how_to #android #grapheneos #obtainium #apps
I walk you through how I install apps on my Google Pixel running GrapheneOS after 3 years of testing and refining my setup. I demonstrate how to use multiple app sources, including the GrapheneOS App Store, Accrescent, Obtainium, and the Google Play Store, while maintaining privacy and security.



Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven't had a chance to read through it yet.

Before we begin, I want to make a quick disclaimer. If you're just starting out using GrapheneOS, I highly recommend not using the setup I'm about to discuss in this video. This setup will create friction, and friction is the enemy of adapting to something new, especially if you're hesitant to begin with. When you install GrapheneOS, just install the Play Store, sign in, download apps as you normally would, and get used to things. You can always switch to a different setup later. For everyone else, here's how I install apps on my Google Pixel running GrapheneOS.

So, this idea was suggested to me around two years ago, but I finally set it up about one year ago. This isn’t something that was just shared with me recently and now I'm sharing it—I’ve tested it, and it’s been working well for me. This also won’t be a step-by-step guide. I’ll demonstrate installing three different apps from three different sources and give you details of my setup. When I upgrade my device in the future (still TBD), I plan to make a step-by-step video.

Before we begin, I want to mention that I just published the second episode of my podcast, which is called In the Hell. If you want to find out how you can listen to it, head over to inthehellpodcast.com, which I’ll link below. It's also worth noting that it's hosted on Yellowball, the no-BS podcast hosting platform I recently launched, in case you’re looking to start your own podcast.

When you first install GrapheneOS, you have one user profile, the owner profile, which is there by default, and you cannot delete it. From there, you can create additional user profiles depending on how you want to separate your apps. In my setup, all apps are installed from the owner profile, and I use the "Install Available Apps" feature to push those apps to my daily user profile. I like this setup because it lets me install apps from the Google Play Store without actually having the Play Store installed on my daily user profile. It’s kind of like having a command center for app installations.

The recording on the screen right now is my owner profile. The first thing I did when I set this up was install Orbot, which is a free proxy that lets you send all your device traffic over the Tor network. That means that all of our traffic when accessing the Play Store will go over the Tor network, along with any downloads of system updates from GrapheneOS, since those are all done from the owner profile. You can install Orbot by downloading the APK from GitHub, which I’ll also link down below.

Once we open Orbot, we can click "Start VPN" and give it a minute to connect. Now we have a full-device VPN, which means all of our owner profile traffic is going over the Tor network. It’s important to note that VPNs are profile-specific, so while our owner profile traffic is using Orbot, any secondary user profiles (which we’ll discuss later) will not use Orbot by default—it’s only for the profile that it's installed on.

You might notice where it says "Change Exit." I currently have it set to the United States, and the reason for that is that sometimes when you go into Google Play, it might say "App not available" if the exit node is in a different country. This is common with banking apps or social media apps. If you run into that issue, you can change the exit node to match your country and see if you can access the app.

One other quick tip about Orbot: if you switch networks (for example, from Wi-Fi to cellular) or the Wi-Fi disconnects, Orbot might say it’s connected, but it’s really not. You’ll notice that because your browser won’t be able to load anything. What I found helpful is to long-press on the Orbot app, select "App Info," force stop it, then clear the cache (but don’t clear the storage). After that, restart Orbot, click "Start VPN," and nine times out of ten, it fixes the issue.

Now, let’s talk about the first app store I use. The first store I search for apps is the default GrapheneOS app store. In this case, I installed Accrescent from here, which is actually the second app store I use. If an app isn’t available in the first store, I move on to the second. The GrapheneOS app store mostly has system apps, but Accrescent is available there, so I installed it from there.

The second app store I use is Accrescent. There aren’t a ton of apps here, but it’s actively developed, and they’re constantly adding new apps and working with developers to get more. I plan to make a video just about Accrescent in the future because they’re doing great work, especially from a security perspective. For this demonstration, I’ll be installing Xf Eraser. I just click "Install," and it’s done.

The third app store I use is Obtainium. If you’ve never used it before, it can be confusing, but I have a video dedicated to it, which I’ll link below. I use Obtainium for all my open-source apps or any apps that publish APKs directly on their site or on GitHub. For this example, I’ll install NewPipe. I’ll copy the GitHub link, add the app to Obtainium, and let it download. Then I’ll install it.

With this owner profile setup, I always make sure to uncheck "Allow Network Permission" when installing apps because I don’t use these apps in the owner profile. If you forget to uncheck it, you can always change it later. Now we can see that NewPipe is installed.

So far, we’ve seen the GrapheneOS app store, Accrescent, and Obtainium. The last store I use is the Google Play Store, which I installed using the GrapheneOS app store. You’ll notice that there’s no "Install" button for Google Play Services because I already have it installed. The issue with the Play Store is that you need an account to access it, which sucks. Unlike Aurora Store, which lets you use anonymous accounts, I’m not a fan of shared anonymous accounts, so I prefer this setup.

Creating an anonymous Google account without getting it blocked or locked is somewhat difficult but not impossible. If you try to create it over a VPN or Tor, you’ll likely run into issues. What I do is drive to a parking lot with free Wi-Fi—like at a grocery store or coffee shop—connect with my laptop, and create the account using a fake name generator for the required information.

The tricky part is when they ask for a phone number for SMS verification. You don’t want to use your real number here because it would ruin the anonymity. Instead, you can temporarily rent a phone number just for receiving the SMS code. There are free services, but I wouldn’t recommend them because they’re public and often blocked. You’ll have to pay, but it’s usually 50 cents to a dollar. I’ll link the site I use in the blog post for this video, but I won’t mention it here on YouTube. Once you receive the SMS code, you can validate your account.

I’ve done this for about ten different Google accounts without any issues. The key is to practice compartmentalization—don’t use this account for anything else. Just use it for the Play Store. If you get a new device, create a new account rather than using the same one. It sounds like a hassle, but it’s how you keep things separate and private. And since Orbot is running, all of your Play Store traffic is going over the Tor network, which helps maintain your anonymity.

Some people might critique using a shared phone number for account validation. While there’s a small risk someone else could gain control of that number, from what I can tell, it’s only used for initial validation, and Google doesn’t tie it to your account. If you’re concerned, you could use a prepaid SIM instead, but personally, I think the risk is low.

At this point, you can now sign into the Play Store with an anonymous Google account and start installing apps. For this demo, I’ll install WhatsApp. You might notice slower downloads when using Tor, but that’s normal. After installation, I’ll uncheck "Allow Network Permission" like I did with NewPipe.

Now, to avoid accidentally using the apps in the owner profile, I’ll disable them. Long-press on the app, go to "App Info," and click "Disable." I’ll do this for NewPipe, WhatsApp, and Xf Eraser.

The next step is to use the "Install Available Apps" feature to push these apps to my secondary user profile. In the demo, I created a profile called "YouTube Demo," but you can call it whatever you like. This is the profile you’ll use daily instead of the owner profile. Once you select the secondary user profile, you can go to "Install Available Apps," check the apps you want to install, and they’ll be available in the secondary user.

To switch profiles, swipe down from the top of the screen, tap the user icon, and select the profile. Screen recordings don’t work across profiles, so I’ll be back in a moment.

Now we’re in the secondary user profile. If I swipe up, you’ll see the apps we installed—Xf Eraser, NewPipe, and WhatsApp—all from different sources.

So this is how I install apps on my device running GrapheneOS. If you have apps that require Play Store Services, you can install them in the secondary profile. In my setup, I only have Play Store Services running in a specific profile for calls, not in my daily profile.

The benefit of separating profiles like this is that you can end a session for a profile where Play Store Services are running. This essentially puts that profile to rest, so Play Store Services are no longer running in the background. You can’t do this with the owner profile unless you power off the device. This method allows you to shut down Play Store Services without turning off your device.

One more thing to note: there’s only one instance of an app installed on the device at a time, so when you update an app in the owner profile, it’s updated across all profiles. You don’t need to worry about updating it in each profile.

After recording this, I realized it’s a lot of information, and it might seem overwhelming. But once you set it up, it’s pretty much "set it and forget it." When you need to install a new app, install it in the owner profile, disable it, use "Install Available Apps" for the secondary user, and you’re good to go.

If you have any questions or comments, feel free to leave them down below, and I’ll see you next time.