GrapheneOS first setup: your first hour
GrapheneOS is installed — now what? We walk through the first settings, the key choices, and which apps to install first.
GrapheneOS first setup: your first hour
The OS is installed. Now comes the real work: setting up the phone for daily use without clicking away the security. This article covers the first choices you make.
The first choice: do you want Google Play?
GrapheneOS offers sandboxed Google Play — a version of the Google Play Store that runs in isolation, without full system access. This is different from a standard Android phone, where Google Play Services has near-unlimited system privileges.
The question is not whether you can use Google Play on GrapheneOS. The question is whether you want to.
Install sandboxed Google Play if:
- You need apps that are only available in the Play Store
- You want to use banking apps
- You are less willing to find alternatives
Do not install Google Play if:
- You want maximum isolation from Google
- You are willing to use open-source alternatives
- You only install apps via F-Droid or direct APKs
There is no wrong answer. Sandboxed Google Play is significantly more secure than regular Google Play. You can always install or remove it later.
How to install: Settings → Apps → Install Sandboxed Google Play
Basic settings to change immediately
Screen lock
Use a PIN of at least six digits, or better: a password. Avoid pattern unlock — it leaves visible smear marks on the screen.
Fingerprint as a supplement to a PIN is fine. Fingerprint only without a PIN is less secure — fingerprints are not protected against legal compulsion.
Auto-lock
Set the screen to lock immediately on sleep: Settings → Security → Automatically lock screen → Immediately
USB connections
Settings → Security → Allow USB connections → Charging only
This prevents a malicious USB port or cable from accessing the device.
Network permissions per app
GrapheneOS has a built-in per-app firewall. You can set per application whether it has access to Wi-Fi, mobile data, or no internet at all.
Go to Settings → Apps → [app] → Permissions → Network to configure this per app.
Apps to install first
F-Droid — open-source app store
F-Droid is the alternative app store for open-source Android apps. No account required, no tracking.
Install via the F-Droid website — download the APK directly and install manually.
Vanadium — the default browser
GrapheneOS ships Vanadium as the default browser. This is a hardened version of Chromium with additional security improvements. Use this as your daily browser.
For anonymous browsing: Tor Browser, available via the Guardian Project F-Droid repository.
Signal — encrypted communication
Signal is the standard for encrypted messages and calls. Install via the official Signal website or via sandboxed Google Play.
Aegis — authenticator app
Aegis (available via F-Droid) is an open-source 2FA app. Local storage, no cloud, exportable. Replace Google Authenticator or Microsoft Authenticator with this.
Bitwarden — password manager
Open-source password manager with a self-hosting option. Available via F-Droid or Google Play. If you do not yet use a password manager, start here.
Organic Maps — maps without Google
Offline maps based on OpenStreetMap. No account, no tracking. Works without an internet connection once the map is downloaded.
What to leave off by default
- Bluetooth — turn it off when not in use
- Location access for apps — check which apps have location permissions via Settings → Privacy → Permissions
- Microphone access — GrapheneOS lets you set this per app; limit it to what is genuinely needed
The trade-off
Every setting in this article makes your phone more secure and slightly less convenient. That is honestly the core of privacy: you pay in convenience for what you get back in control.
Do not change everything at once. Start with the basic settings and the apps. Build it up step by step. Security is a habit, not a one-time action.