GrapheneOS Post Installation Setup Guide

This is a comprehensive and simple to use GrapheneOS setup guide to maximize privacy.  Please use the steps below or watch the video for guidance.  This guide is assuming you have a a fresh installation of GrapheneOS, or you have factory reset a phone that has GrapheneOS installed on it.

Play Video

1. Initial Boot Up

To setup GrapheneOS using this guide, first power on your phone and go through the setup screens, including:

    • Language: Set the operational language
    • Time and Date: Set the time zone, date and time
    • Wi-Fi: Connect to an accessible Wi-Fi network
    • Cell Data: Assuming you don’t have access to Wi-Fi, decide if you want to use cellular data in the setup process. Charges may apply depending on your plan and the number of apps you decide to install later on in the setup.
    • Location Access: Decide if you want apps to be given location access in your GrapheneOS setup.  You can always change permission access in the phone settings once it’s been set up.
    • Secure Your Phone:  Decide what kind of security you want for your device to unlock it.  A fingerprint (if your phone model has one), or a PIN, password or pattern.  It’s highly recommended you set up at least one of these security features to prevent unauthorized access to your phone.

2. Setup GrapheneOS with Apps from F-Droid and the Aurora Store

If you are not familiar with these two apps, Atsanik has a very comprehensive guide on How to Setup and Use F-Droid and Aurora Store.

  • In the Vanadium browser on your phone, go do the F-Droid website, download the app apk file and install it.  Search for and install Aurora Store via then F-Droid app.
  • Research and make a list of apps or app functions (e.g. messenger, email, calendar etc.) that you would like to install in your phone. 
  • Read Atsanik’s page on Privacy Focused App Alternatives and determine if any of these meet your needs or use the F-Droid app to look for apps.  Apps from F-Droid are free and open source, minimize permissions, and do not have built in app trackers thus assuring a high level of privacy.
  • If you need apps from the Google Play Store, use Aurora Store to download them.  Before doing so, go to the Exodus Privacy website and use their Search Tool to look up the each app’s name and determine the number and type of data trackers and permissions that app has.  Exodus will also tell you if any are considered dangerous.  If you don’t know exactly what trackers are and what they do, Exodus Privacy provides easy to understand information on trackers as well as permissions.
  • If during your research you find an app has too many trackers or permissions, continue to look for alternatives in F-Droid or Aurora Store.  You can also lock down an app’s access to the internet, in the GrapheneOS Firewall, to prevent tracking and data sharing but that will only work if the app does not need to access the internet as a core function.  For example, a video or audio streaming app.

3. Tweak Settings in the GrapheneOS Firewall

During your GrapheneOS setup process, you can use it’s built in firewall to control background, Wi-Fi, and mobile data .  Blocking an apps access to the internet will also block it from sharing private data, collected through trackers and internal app, to Big Tech companies and third parties.  Some apps need internet access to function properly, so if you want to avoid tracking and data sharing, use the recommendations from the previous section.

  • Navigate to the App Drawer –> Settings –> Apps and Notifications –> See All ## Apps.  Here you will see a list of apps installed on your device.
  • Select an app, chose Permissions, then see if Network is listed under Allowed or Denied. Select Network and make your choice to Allow or Deny network access for the app. If you choose Deny, it will block both Wi-Fi and Mobile access.
  • Block Wi-Fi and mobile data access unless there is some core functionality that needs it.  For example, calendars, email, messenger apps, video and music streaming apps etc.  Also some apps need access to download content like apps for podcasts, maps and navigation, internet browsers, cloud storage, and some note taking apps with online syncing etc.
  • To block background data access, again navigate to App Drawer –> Settings –> Apps and Notifications –> See All ## Apps. Here you will see a list of apps installed on your device.
    Select and app, choose Mobile Data and Wi-Fi, and here you can use the toggle to disable or enable background data.
  • Block background network access to apps that don’t require notifications.  This is essentially anything outside a messenger, email, social media or calendar app but your preferences may differ.
  • You may need to test and tweak each app for your particular requirements.

4. Install a VPN Service

A VPN service encrypts network traffic between your device and the VPN provider. VPNs help cloak information from your internet provider who may block you from certain sites or even sell your browsing history data.

  • There are many free and paid services available. For free services, Calyx, RiseUp and Proton are good choices for the average user.
  • At a minimum, ensure you use a VPN when connected to any public (e.g. a coffee shop, library or airport) or shared Wi-Fi networks (e.g. work network).
  • You can use a VPN a continuously, but this may slow network traffic or use your battery more quickly.

5. Install a Private DNS Service

A DNS can be considered the telephone book of the internet. It allows you to type a human friendly website name like atsanik.com instead of entering a computer friendly IP address, like 192.128.7.9, into a web browser. A DNS service translates the human friendly version of an address to the computer friendly numerical version. Your network provider typically provides the DNS Service and in some jurisdictions can sell your browsing history to third parties.

  • Navigate to the App Drawer –> Settings –> Network and Internet –> Advanced –> Private DNS
  • GrapheneOS defaults to using Cloudare DNS. If you do not want to use Cloudfare, you can select to use your internet / mobile provider DNS or enter an alternate DNS hostname in the Private DNS provider hostname text field.
  • A list of private and free DNS services on our Private DNS Providers page.

6. Control App Permissions

Many apps ask for a significant number of permissions including access to sensors like the microphone, your location, the camera, body sensors and information like your contacts, messages, call logs and files.  Some of the information collected can be shared with Big Tech and other third parties via trackers or coding within the app.

The Android Permission Manager classifies permissions into 13 different categories. Within those categories are a total of 57 individual permissions. These are essentially hidden unless you research each app individually. One way to do this is the Exodus Privacy website, where you can search an app and determine which of the 57 permissions it’s requesting.

Unfortunately, Exodus Privacy only lists the permission and provides some general guidance if it could be dangerous. To find a full description, copy the Permission name from Exodus Privacy and then search for it on our Android Permissions  page..

When you decide on a permission, ask yourself if it seems valid for the purpose and function of the app, and if you feel comfortable granting that type of access.

  • Navigate to the App Drawer –> Settings –> Apps and Notifications –> See All ## Apps –> select an app –> Permissions.   Individually go through the list of apps and choose to Approve, Deny or Ask Every time under a set criteria.
  • An alternate way of accessing permissions is to view them category.  This can be done  by navigating to App Drawer –> Settings –> Privacy –> Permission Manager. Individually go through each permission category, select an app and choose to Approve, Deny or Ask Every time under a set criteria.
  • There will be some trial and error to determine if an app actually requires a permission in order to operate as you or the app requires.
  • It’s a good initial practice to Deny obvious flagrant permission requests. Select to Ask Every Time for ones you are not sure of and Allow access for ones that are obviously required.