GrapheneOS first setup: your first hour
The OS is installed. Now comes the real work: setting up the phone for daily use without clicking away the security. This article covers the first choices you make.
Who this guide is for
This guide is for people who have already installed GrapheneOS and now want a sensible first setup without turning the phone into a friction project on day one.
It fits especially:
- readers who chose GrapheneOS deliberately and want a realistic daily-use setup
- privacy-aware users who want to get the first decisions right before adding more tools
- higher-risk readers who need a base configuration before more specialised hardening
If you are still deciding whether GrapheneOS is the right move at all, start with the broader "GrapheneOS overview" or "Do you need to switch phones?" first.
What you gain, and what it costs
If you handle the first setup well, you usually gain:
- a stronger baseline without losing the phone to unnecessary complexity
- clearer control over which apps and services you trust
- fewer early mistakes that make later hardening harder
But it costs something:
- some setup time
- some trial and error around apps, notifications, and defaults
- a little discipline not to install every advanced option immediately
For most readers, that is a good trade. It becomes overkill when you try to turn the first hour into a full high-risk hardening project before the phone is even usable for daily life.
The first choice: do you want Google Play?
GrapheneOS offers sandboxed Google Play — a version of the Google Play Store that runs in isolation, without full system access. This is different from a standard Android phone, where Google Play Services has near-unlimited system privileges.
The question is not whether you can use Google Play on GrapheneOS. The question is whether you want to.
Install sandboxed Google Play if:
- You need apps that are only available in the Play Store
- You want to use banking apps
- You are less willing to find alternatives
Do not install Google Play if:
- You want maximum isolation from Google
- You are willing to use open-source alternatives
- You only install apps via F-Droid or direct APKs
There is no wrong answer. Sandboxed Google Play is significantly more secure than regular Google Play. You can always install or remove it later.
How to install: Settings → Apps → Install Sandboxed Google Play
Basic settings to change immediately
Screen lock
Use a PIN of at least six digits, or better: a password. Avoid pattern unlock — it leaves visible smear marks on the screen.
Using a fingerprint in addition to a PIN is fine. Relying on the fingerprint alone, without a PIN, is less secure: fingerprints are not protected against legal compulsion.
Auto-lock
Set the screen to lock immediately when the display turns off: Settings → Display → Lock screen
USB connections
Settings → Security → Exploit protection → USB port → Charging-only when locked
This prevents a malicious USB port or cable from accessing the device. GrapheneOS blocks this at both the hardware and OS level, which is stronger than the standard Android setting.
Network permissions per app
GrapheneOS has built-in per-app network permissions: a simple on/off toggle that grants or denies each app network access.
Go to Settings → Apps → [app] → Permissions → Network to configure this per app.
Apps to install first
F-Droid — open-source app store
F-Droid is the alternative app store for open-source Android apps. No account required, no tracking.
Install via the F-Droid website — download the APK directly and install manually. See also the F-Droid guide for repositories and recommended apps.
Vanadium — the default browser
GrapheneOS ships Vanadium as the default browser. This is a hardened version of Chromium with additional security improvements. Use this as your daily browser.
For anonymous browsing: Tor Browser, available via the Guardian Project F-Droid repository.
Signal — encrypted communication
Signal is the standard for encrypted messages and calls. Install via the official Signal website or via sandboxed Google Play.
Aegis — authenticator app
Aegis (available via F-Droid) is an open-source 2FA app. Local storage, no cloud, exportable. Replace Google Authenticator or Microsoft Authenticator with this.
Bitwarden — password manager
Open-source password manager with a self-hosting option. Available via F-Droid or Google Play. If you do not yet use a password manager, start here.
Organic Maps — maps without Google
Offline maps based on OpenStreetMap. No account, no tracking. Works without an internet connection once the map is downloaded.
What to leave off by default
- Bluetooth — turn it off when not in use
- Location access for apps — check which apps have location permissions via Settings → Privacy → Permissions
- Microphone access — GrapheneOS lets you set this per app; limit it to what is genuinely needed
The trade-off
Every setting in this article makes your phone more secure and slightly less convenient. That is honestly the core of privacy: you pay in convenience for what you get back in control.
Do not change everything at once. Start with the basic settings and the apps. Build it up step by step. Security is a habit, not a one-time action.
Next step
Go further
- GrapheneOS hardening guide — decide which extra protections are worth the friction for your profile
- Installing GrapheneOS on a Pixel — the installation step before this guide
- Profiles on GrapheneOS — app isolation with separate profiles
- Google Play sandbox on GrapheneOS — run Play apps in isolation
- VPN comparison — choosing a VPN provider