I've been running GrapheneOS as my daily driver for about two years. My phone is a Pixel 8a. I use it for banking (yes, it works), navigation, work email, and everything else a normal person needs a phone for. GrapheneOS is not a project for paranoid hobbyists anymore—it's a genuinely polished operating system that happens to not send your location, contacts, clipboard contents, and behavioral data to Mountain View every few seconds.
Stock Android, even on a Pixel, phones home constantly. Google Play Services runs as a privileged background process with access to nearly every part of your device. It knows when you wake up, where you go, what apps you open, and what you type. Not because Google is evil—it's just how the business model works. Your attention and behavioral data fund everything.
GrapheneOS removes that entire layer and replaces it with nothing, by default. You can add controlled access back in specific, sandboxed containers if you need it. This guide covers the full process.
What GrapheneOS Actually Is
GrapheneOS is a security and privacy-focused Android operating system. It's based on the Android Open Source Project (AOSP)—the open-source foundation that Google publishes, before they add all their proprietary services on top. The GrapheneOS team takes that foundation and significantly hardens it.
It's not a fork that lags behind Android security patches. GrapheneOS typically ships security updates within a day or two of Google releasing them. In some areas, it's more secure than stock Pixel Android because of custom hardening that Google hasn't implemented: a hardened memory allocator, exploit mitigations, sandboxed network and sensor access per-app, per-contact and per-photo scoped storage permissions, and more.
GrapheneOS vs Stock Pixel Android: Key Differences
The project is developed by a small, focused team led by Daniel Micay. It's a nonprofit. There's no venture capital, no data monetization, no hidden agenda. The code is open source and the threat model is documented publicly at grapheneos.org.
Which Phones Are Supported
GrapheneOS only supports Google Pixel phones. This isn't arbitrary—Pixels are the only Android devices that support the security features GrapheneOS depends on: verified boot with user-controlled keys, strong hardware attestation, and long-term security update commitments from Google. Most other Android manufacturers don't provide these guarantees, and GrapheneOS won't sacrifice security to support them.
Supported devices as of early 2026:
| Device | Support Until | Recommendation |
|---|---|---|
| Pixel 9 Pro XL | 2031 | Best overall |
| Pixel 9 Pro | 2031 | Excellent choice |
| Pixel 9 | 2031 | Best value new |
| Pixel 8a | 2029 | Best value overall |
| Pixel 8 / 8 Pro | 2028 | Good, getting older |
| Pixel 7 / 7a / 7 Pro | 2027 | Use what you have |
My recommendation: if you're buying new, get the Pixel 8a or Pixel 9. The 8a is the sweet spot—excellent camera, solid performance, compact-ish size, and meaningfully cheaper than the 9 series. The Pixel 9 is worth it if you want seven years of support or prefer the Tensor G4 chip's performance.
Google Pixel 8a
Best value for GrapheneOS. 7-year support commitment, great camera, compact form factor.
View on Amazon → Recommended HardwareGoogle Pixel 9
Latest generation with Tensor G4, support until 2031. The safest long-term investment.
View on Amazon →One important note: buy an unlocked Pixel, not one tied to a carrier. Carrier-locked phones sometimes have bootloader restrictions or stripped-down firmware that complicates the installation process.
Installing GrapheneOS: The Web Installer Method
The GrapheneOS team built a web-based installer that handles the entire process through your browser using WebUSB. You don't need adb, fastboot, or any command-line tools. If you can follow instructions, you can do this.
Before You Start
Back up your phone. Installing GrapheneOS erases everything. Export your contacts, save photos, note which apps you use. You'll be starting fresh.
What You Need
- A supported Pixel phone, fully charged
- A computer running Chrome or another Chromium-based browser (Firefox doesn't support WebUSB)
- A USB-C cable—use the one that came with the phone, third-party cables sometimes cause issues
- About 30–45 minutes
Step 1: Enable Developer Options and OEM Unlocking
On your Pixel, go to Settings → About Phone and tap "Build Number" seven times until you see "You are now a developer." Then go to Settings → System → Developer Options and enable OEM Unlocking. If the option is grayed out, connect to Wi-Fi and wait a few minutes for the device to check in with Google's servers.
Step 2: Boot Into Fastboot Mode
Power off the phone completely. Then hold the Volume Down button while pressing Power. Keep holding Volume Down until you see the fastboot screen (it looks like the Android robot with an arrow). Connect the phone to your computer with the USB-C cable.
Step 3: Run the Web Installer
Open Chrome on your computer and go to grapheneos.org/install/web. Click "Unlock bootloader" and follow the prompts. Chrome will ask permission to connect to your phone—select your device from the list.
The installer walks you through each step in sequence:
- 1 Unlock bootloader — The phone will confirm on-screen. Use volume buttons to select "Unlock the bootloader" and press Power to confirm. The phone wipes and reboots.
- 2 Boot back to fastboot — Skip setup wizard (skip everything, don't connect Wi-Fi or create account), re-enable Developer Options and re-connect USB in fastboot mode.
- 3 Download and flash — The web installer downloads the GrapheneOS image for your specific device model, verifies its cryptographic signature, and flashes it. This takes 10–20 minutes depending on your connection speed.
- 4 Lock bootloader — Critical step. This re-enables verified boot with GrapheneOS's keys, so the device will only boot verified GrapheneOS. Do not skip this.
- 5 Done — Phone reboots into GrapheneOS. First boot takes a minute or two as it initializes.
The web installer really is that straightforward. The GrapheneOS team has put significant effort into making this accessible. The only place people commonly get stuck is forgetting to boot back into fastboot mode after the initial unlock and wipe—just re-follow the boot steps.
Essential Apps to Install First
Out of the box, GrapheneOS has no app store. That's intentional—you get to choose your app ecosystem. Here's what to install in order.
F-Droid: Open Source Apps
F-Droid is an alternative app repository containing only open-source apps. Download the F-Droid APK directly from f-droid.org on your phone. You'll need to allow installation from the browser in Settings → Apps → Special app access → Install unknown apps.
Once F-Droid is installed, search for and install Droid-ify or Neo Store—they're better front-ends for the F-Droid repository with faster search and a more modern UI. You can then uninstall the original F-Droid app if you prefer.
Recommended F-Droid Apps to Start
Aurora Store: Access Google Play Without an Account
Aurora Store is an unofficial Google Play client that lets you download Play Store apps without logging in. It uses anonymous Google accounts to authenticate. Install it from F-Droid. Search for "Aurora Store."
It works for most free apps. Paid apps require your Google account. Aurora Store is good for apps that aren't available on F-Droid but don't need Google Play Services to function—things like news apps, games, some productivity tools. If an app requires Play Services to run (like Google Maps), Aurora Store won't save you there—you need Sandboxed Google Play for that.
Privacy Settings to Configure
GrapheneOS ships with strong defaults, but there are additional settings worth configuring right away.
Network permission per app
GrapheneOS adds a "Network" permission that stock Android doesn't have. You can revoke internet access from any app entirely. Useful for apps you want to use offline only. Go to Settings → Apps → [App] → Permissions.
Sensors permission
Also unique to GrapheneOS. Blocks access to the accelerometer, gyroscope, and other sensors. Useful for apps that have no legitimate reason to access sensor data (which can be used for fingerprinting).
Contact scopes
When an app requests contact access, GrapheneOS can show you a picker to select only specific contacts instead of granting access to your entire address book. Set this per-app in permissions.
Auto-reboot timer
Settings → Security → Auto reboot. Set it to 8 or 18 hours. If the phone hasn't been unlocked in that time, it reboots automatically, locking all app data behind your PIN again. This matters if your phone is seized or stolen.
USB-C port control
Settings → Security → USB accessories. Set to "Disallow new USB accessories" when the screen is locked. This prevents forensic tools from connecting to the phone while it's locked.
Disable 2G
Settings → Network → SIMs → [Your SIM] → Allow 2G: off. IMSI catchers (Stingrays) typically force phones to downgrade to 2G to intercept calls and SMS. Disabling 2G prevents this class of attack.
Running Google Play Apps: Sandboxed Google Play
This is the feature that makes GrapheneOS genuinely usable for most people. Sandboxed Google Play lets you run apps that require Google Play Services—but instead of giving Play Services root-level system access like on stock Android, it runs in an isolated profile with no more privilege than a regular app.
Google Play Services cannot read your other apps' data, cannot access the system at a privileged level, and can be uninstalled like any other app. If you want to run your banking app, Google Maps, or something else that needs Play Services, you can. Google still gets some data from those interactions—but it's sandboxed, not system-wide.
How to Install Sandboxed Google Play
- 1 Open the GrapheneOS App Store (it's included by default, look on your home screen or app drawer)
- 2 Search for "Google Play" or scroll to find the Google Play package group
- 3 Install: Google Play services, Google Play Store, and Google Services Framework
- 4 Open Google Play Store, sign in with your Google account (or a dedicated account you don't use elsewhere), and install whatever apps need Play Services
I run Sandboxed Google Play in a secondary user profile. GrapheneOS supports multiple user profiles, which gives each profile a completely isolated app environment. My main profile has no Google anything. My secondary profile has Sandboxed Google Play for the handful of apps that need it. Switching takes two seconds.
This approach means even the sandboxed Google Play can't see my main profile's apps, data, or contacts. It's the cleanest way to maintain privacy while still having access to the full app ecosystem when you need it.
What You Actually Lose
Being straight with you here because other guides aren't: there are real trade-offs.
Apps that may not work
- Some banking apps with aggressive SafetyNet checks (improving with Play Integrity API support)
- Games with anti-cheat systems (some mobile games check for rooted/modified OS)
- Snapchat camera effects (the standard Snapchat app works, some AR features don't)
- Apps that refuse to run without Google Play Services installed
- Some corporate MDM/work profiles
What still works fine
- Most banking apps (with Sandboxed Play)
- Google Maps, Waze (with Sandboxed Play)
- WhatsApp, Telegram, Signal
- Spotify, Netflix, YouTube
- Most games on the Play Store
- Android Auto (via Sandboxed Play)
The banking app situation has improved significantly. A year ago this was a major headache. GrapheneOS now supports Play Integrity API through Sandboxed Google Play, which is what most banking apps check. Chase, Bank of America, and similar major US banks work for me. Some regional banks and credit unions are hit-or-miss—check the GrapheneOS discussion forum for your specific bank before switching.
Push notifications are slightly different without Google's Firebase Cloud Messaging as a system service. Apps that use FCM for notifications work fine through Sandboxed Play, but apps relying on direct socket connections (like some self-hosted apps) need to be open in the background. This is a minor inconvenience at most.
Battery Life and Security Improvements
This surprised me more than anything else when I switched: my battery life got noticeably better. The Pixel 8a was already solid on stock Android, but on GrapheneOS without Google Play Services constantly waking up, syncing, polling servers, and running location checks, I routinely get 25–30% more screen-on time from the same charge.
If you use Sandboxed Google Play, some of that advantage returns because Play Services still runs—but it's not privileged, so it can't wake up the device as aggressively. Even with Sandboxed Play in a secondary profile, my battery is better than it was on stock.
On the security side, GrapheneOS provides things stock Android doesn't:
- Hardened malloc: A custom memory allocator that makes heap exploitation significantly harder. This matters for browser exploits and app-level attacks.
- Exploit mitigations: Additional compiler-level hardening and runtime checks that upstream AOSP doesn't include.
- Verified boot: The device won't boot modified software. Your security state is cryptographically verified every boot.
- No privileged background processes: Nothing running with elevated access that you didn't explicitly install. This eliminates an entire class of supply-chain and pre-installed malware risk.
Worth It?
Yes, for the right person. If you're already thinking about this, you're probably that person. The installation takes an afternoon and feels intimidating the first time, but the web installer genuinely makes it accessible. Post-installation daily use is completely normal—it's Android, just without the surveillance layer.
The app compatibility situation is better than it's been at any point in GrapheneOS's history. Sandboxed Google Play is a real solution, not a workaround. You can run essentially everything you need while keeping the system itself free from Google's reach.
If you're just starting to think about degoogling your life, GrapheneOS pairs well with the rest of the ecosystem changes covered in the complete DeGoogle guide. For your phone, consider replacing Gmail too—see the Protonmail vs Gmail comparison. And if you're thinking about what else to layer on top of GrapheneOS for network privacy, our VPN guide covers the options that actually hold up.