My main reason for turning to an alternative Android flavor is privacy. GrapheneOS takes this to the next level and by default doesn’t talk to any Google servers at all. Even things like the connectivity check web request when connecting to a new network or requesting ephemeris information for fast GPS startup go to GrapheneOS servers rather than to Google. Like on LineageOS, which I have used so far, the downside of not having any Google software on the device is that particularly banking apps do not run. A small price to pay for privacy, but GrapheneOS offers a way out of this without compromising privacy: Running Google Services, particularly Google Play in a sandbox.
In short, the sandbox completely removes system access for Google Play, i.e. Google no longer has access to files, location, calendars, contacts, other apps and many other things. Nice! In addition, the GrapheneOS manual suggests to move Google Play and any other apps that want to use it into either the Android ‘Private Space‘ that was introduced with Android 15, or a ‘local Work Profile‘. Both options completely separate Google Play services, the Google Play store and any apps in those areas from anything in your main profile. So what exactly is this ‘Private Space’ and a ‘local Work Profile’?
A Work Profile – Creative Re-Use of a Concept for Centralized Control
Lets Start with the local Work Profile first. This is a feature that has existed in Android for a long time and basically splits a device into a private profile and a work profile. When used, the device is under the control of a central MDM (Mobile Device Management) solution, e.g. from Microsoft. This device management solution is then used by companies to manage their employees’ devices and deploy applications and settings to the devices, perform remote wipes, etc. etc. The only space the user is still somewhat in control of is the private profile, which is not managed by the MDM solution. But basically, an MDM managed device is not your device anymore. So far, so bad.
The good news: The mechanism to split an Android user into a private profile and a work profile can also be used with a ‘local MDM’ app. There are open source apps in the F-Droid store such as ‘Island’ that can do exactly that: The Island app calls the user’s normal profile ‘Mainland‘ and the work profile is called ‘Island‘. The second feature of the app is to enable copying apps from Mainland to Island. This feature is then used to create a copy of the GrapheneOS app store to Island (i.e. the work profile) and perhaps other apps, such as a web browser such as Fenix or Firefox, which were installed over another app store such as F-Droid. With an independent copy of the GrapheneOS app store one can then install Google Play services and the Google Play store (if desired) into the Island. GrapheneOS’ approach to Google Play services and Google Play is to treat them like any other app. This means that they are put into sandboxes, and they have no privileged access to files, location, etc. Once those two components are installed, one can then go ahead and install proprietary applications into the Island. Each application is again sandboxed and firewalled. Also, nothing that runs on the Island has access to any data, files and apps on Mainland.
The main catch of this approach: The fingerprint reader does not work on the Island. Seems to be a Google MDM limitation. At first, this doesn’t sound like a big deal, but most banking apps require authentication each time they are started. Without a fingerprint reader, PINs and passwords are required. Far from ideal.
The Google Private Space – Another Creative Re-Use of a Feature
The alternative to the use of Mainland and Island to separate and contain Google Services and proprietary apps is the Android Private Space. Introduced with Android 15, the idea behind the Private Space is that users can put sensitive apps into a secluded area that has to be unlocked separately. When locking the Private Space, the list of apps no longer shows the apps of the Private Space. GrapheneOS creatively reuses this feature to enable separation of Google Play and proprietary apps. No app is needed to create the private space, it is part of Android. Also, it’s not necessary to copy any apps from the normal space to the private space, GrapheneOS automatically creates copies of all GrapheneOS apps, including the GrapheneOS app store into the Private Space. Via this copy of the GraphneOS app store, it is then possible to install the Google Play services and the Google Play store into the private space. Again, sandboxed and nicely shielded from access to any private information.
The disadvantages: Every time the device is unlocked and a private app is clicked on, the private space has to be unlocked, e.g. with a separate touch on the fingerprint reader. Also, apps in the private space can’t be put on the ‘desktop’, they can only be accessed from the app menu that appears with a swipe up gesture.
The advantage: Apps in the Private Space can use the fingerprint reader! Very useful for banking apps that require Google Play services to function.
Or Just Use Google Play Services Without Segregation?
And then, it is of course always possible to install the Google Play services and the Google Play store in the main user profile, no Island, no Private Space. According to the GrapheneOS documentation, it is just as private. But quite frankly, I can’t bring myself to do that, it just doesn’t feel right. In the future perhaps 🙂 In the meantime, I’ve decided to put Google stuff, banking apps and one or two proprietary apps into the Private Space, as the fingerprint reader is an important convenience element for the banking apps.
So there you go, 3 options to keep your privacy and security while still being able to use Google stuff on your GrapheneOS device.