Notes from the first week on GrapheneOS - Working on new norms

The user shares their experiences and observations after a week with GrapheneOS on a Pixel 9 Pro, including successful app integrations, privacy thoughts, and minor hardware quirks.


First 48 hours with GrapheneOS on the Pixel 9 Pro

Auto-generated description: A smartwatch displaying the time sits next to a smartphone showing a list of apps on a wooden surface.

With recent world news making many of us rethink our relationship with technology, specifically our relationship to U.S technology companies that run the most popular services being used; I decided to take the plunge and try moving to GrapheneOS on my Google Pixel 9 Pro.

The goal

Despite the common reason for those looking to get a custom deGoogled ROM, I’m not looking to eliminate Google from my online activity. Instead, I want to reduce my reliance on their services wherever I can.

The primary way of doing this was moving my email account away from Google, and all the services attached to it. While that is still in progress, I’ve made enough of a head start that I thought I could make it work. But was I a bit too keen and would that compromise the migration?

Barriers I knew heading in

Of course, going from having a lot of your services centred around Google makes leaving the ecosystem somewhat problematic with adjustments needed. For myself, in regard to moving to a deGoogled ROM, there were two main concerns:

  1. There’s apps I need from Google Play (banking, work apps, Google apps etc). While GrapheneOS has a sandboxed Google Play option to allow full access to the store and its functions, will there be any issues with the services I need?

  2. I have a Pixel Watch. I actually quite like it, something I wasn’t expecting coming from the Apple Watch ecosystem prior. Given the Pixel Watch relies heavily on Google Services, will there be any issues and can I even get the watch synced and working in a usable state?

Installation and the first 24 hours: What have I done?

Auto-generated description: A desk setup featuring an LG monitor, smartphone, Bose speaker, and various tech items and accessories on a wooden surface.

The web based installation itself went as smoothly as you can imagine, in terms of installing a custom ROM onto an Android phone. If you’ve done this in the past (even if it was many years ago), you would notice that this is a far nicer and simpler experience. It’s still not a process I would tell any non-technical person to do, I don’t think any custom ROM process can be; however it is about is seamless as it can get.

What you are greeted with once it is complete though is bare bones Android, an App Store with a handful of apps and no onboarding for those not of a technical mindset. This is not an experience for the faint hearted or for those not willing to dig into things and work it out themselves, or at least with a little online help from guides out there.

I proceeded to install a few items, then also look at some open source alternatives through F-Droid and Obtainium. I eventually got to installing the sandboxed Google Play service through Graphene’s App Store app, logged into my Google account.

My main goal for the Google Apps at this stage was to get my Pixel Watch synced and running. With the Watch app installed, I setup the Watch with the phone itself without too many issues. However it was when I started to use the watch that I realised just how dependent on Google connectivity the watch is.

Auto-generated description: Settings screen showing a toggle option for syncing Do Not Disturb and Bedtime modes across a watch and phone via Bluetooth. A notification prompts to update the Digital Wellbeing app on Google Play due to an unavailable setting.Auto-generated description: A search for digital wellbeing shows a message indicating that the app won't work on the device.

The first issue I noticed was that my Do Not Disturb setting was not syncing between the watch and phone. After playing around with permissions settings, I realised from the Watch app that this sync requires Google’s Digital Wellbeing service; which is both not installed nor can it be installed from the Play Store (not compatible based on the Play Store listing). I used this a fair bit but now I’ll need to manage these separately (I find setting it on the phone prevents unwanted calls and notifications coming to the watch anyway).

The second issue was the barrage of Fitbit notifications from the watch. The watch app itself is able to update directly via the Google Play store without needing to install the Fitbit app, however trying to access any of the Fitbit stuff on the watch will require downloading and setting up the phone app. I only care about the step count anyway, which is still visible by a tile or complications on the watch without needing to install the app; so I still haven’t bothered with that.

The third issue was not getting ring notifications on my watch for incoming calls until after I missed the call. Trying to stick with Graphene’s stock phone and messages apps was the plan, and messages came through fine and I could even respond from the watch without issues. However, calls would not show up on the watch until the missed call notification came through.

It was at this point, I started to wonder if this was all worth it and thought I might be moving back to stock within 24 hours.

This is a big issue for myself. The primary reason I have a watch is for call notifications (I had some important missed calls over the years from my wife when I didn’t have a watch, so now she insists on it). Installing Google’s own phone app fixed this and instantly enabled the ability to take calls from the watch too. I’m not too concerned about using the Google phone app as it has very good spam call filtering and is generally nicer to use than stock.

If you use RCS, you will notice the stock messages app doesn’t support it either for privacy reasons. While I don’t use it so don’t have an issue with this, others may want to install Google’s own messages app as well.

Working through the kinks and getting back to normal operations

It not all problems though as there has been some things on the watch that are working which I didn’t expect to on a custom ROM with restricted Google access.

The calendar app gets its info directly from the cloud, so you can see your Google calendar and tasks entries directly without needing to install or sync these to the phone. Pretty useful for me as we still have a family calendar in Google (and I’m not forcing my wife to change again after migrating away from iCloud).

The same applies to Keep notes, where I would use Google’s Assistant to add and update my shopping list in Keep. With the Keep tile also working, updating and ticking off my shopping list is exactly the same as it was prior. Speaking of Assistant while you do need to install the Google app to configure it on the watch initially, once this is done the Watch assistant runs locally and the Google app can be uninstalled from the phone.

Google Pay was something I definitely wasn’t expecting to work. While I knew that tap-to-pay though the phone was not possible due to security restrictions, I did install the Wallet app for all my other passes already saved to the Google account. I was pleasantly surprised when I was able to setup my payment card in Google Pay for the watch and use it successfully. In hindsight, as long as the watch can setup the card, there’s no reason it shouldn’t work as the Pixel Watch as its software is still stock; but it was an added benefit I didn’t expect. Note: In order for the Google Wallet app not to crash on loading, you must allow Phone and SMS permissions for Google Play Services. This might be a privacy red flag for some.

My mistake: trying to look for Google alternatives straight away

While I came into GrapheneOS to start my journey away from Google, I got caught up in trying to do things without Google’s oversight straight away. As a result, I almost got too frustrated trying to work out the issues I was encountering and considered going back to Google’s OS instead.

Auto-generated description: A social media post by GrapheneOS discusses using sandboxed Google Play and apps in the Owner user, with the possibility of changing the approach later.

I was reminded by Graphene’s Mastodon account itself that it’s fine to start with all the Google services setup and work your way backwards from there.

Next steps in the journey

I’m still working through the pros and cons of routing Geolocation access requests through Graphene’s system instead of enabling the permission through Play Services and using Google’s Location Accuracy functionality. It is definitely slower to get a location and not as accurate, which mainly impacts using Google Maps.

Auto-generated description: A smartphone screen displays the Sandboxed Google Play settings menu with options related to app info, geolocation, and location accuracy.

My next step is to re-establish my work profile and MFA apps for use at work. I have my old iPhone 13 setup as a backup for now with my work stuff on it, so it’s not a critical thing to get working ASAP.

Why bother if I’m just using Google services anyway?

There’s probably many who are asking this question. I mean if I’m just installing and enabling Google services anyway, why go through all of this trouble?

Well the main thing is a combination of agency and privacy of my device over Google. There was a recent discovery of Android System SafetyCore service secretly installed onto Android devices to assist with on device scanning of images for unwanted content; which raised the same privacy concerns as Apple did a few years prior. Auto-generated description: A list of two recently updated apps, Android System Key Verifier and Android System SafetyCore, with their icon, size, and a dropdown arrow is displayed.

The other thing is just the volume of services Google installs on Android phones and how often it sends data back to Google. As per the screenshots, there’s just a bunch of stuff I don’t want or need, but I don’t have a choice with the stock OS. Also, when I did have location enabled for Play Services, it was curious to see just how often it accessed my location even when I was doing an activity not related to location at all (a.k.a opening my Mastodon app). Auto-generated description: A mobile device screen displays a list of non-installed apps with their sizes, under the Manage tab in an app store interface.

Combined with the security hardening the GrapheneOS team have done which goes beyond what Google have; even if I continue to use Google services themselves, it seems to be a benefit to run this more locked down OS.