Sandboxed Google Play on GrapheneOS: how does it work?
GrapheneOS offers sandboxed Google Play — an isolated version of the Play Store. We explain what it can do, what it cannot, and when to install it or not.
Sandboxed Google Play on GrapheneOS: how does it work?
The most common question about GrapheneOS: “Can I still use my apps?” The answer is nuanced — which is exactly why this article exists.
Regular Google Play vs. sandboxed Google Play
On a standard Android phone, Google Play Services has near-unlimited system access. It runs in the background, has access to location, contacts, microphone and more — even when you are not using the Play Store itself. This is not a bug, it is by design.
Sandboxed Google Play runs as a regular app in an isolated environment. It has no special system privileges. It can only see what you explicitly permit — just like any other app on GrapheneOS.
What it can do: install apps, download updates, relay push notifications. What it cannot do: collect location data in the background without your permission, access other apps or system data.
Banking apps: do they work?
Mostly yes. Most banking apps work on sandboxed Google Play.
ING, ABN AMRO, Rabobank and bunq have been reported as working by the GrapheneOS community. The DigiD app works too.
There are exceptions. Some apps use the Google Play Integrity API to check whether the device is “certified”. GrapheneOS does not always pass that check — this changes per update and per app.
If a banking app refuses to start: check whether the app is up to date, and check the GrapheneOS community for the current status of your app.
Alternatives to Google Play
F-Droid
Open-source apps, no account required, no tracking. The selection is more limited than Google Play but contains most of the privacy-friendly alternatives you need.
Aurora Store
An open-source client that anonymously downloads apps from the Google Play Store — without a Google account. Not all apps work via Aurora (apps with DRM or complex license checks can have issues), but most work fine.
Direct APK installation
For apps that offer an official APK (Signal, Brave, ProtonMail) you can install directly from the developer. This bypasses the Play Store entirely.
When should you install sandboxed Google Play?
- You need apps that are genuinely not available any other way
- Your banking app does not work via Aurora
- You want a normal Android experience with better security than stock
When should you not install it?
- You want maximum isolation from Google services
- You are willing to use open-source alternatives for all functionality
- You accept that some apps will not work
The trade-off, stated plainly
Sandboxed Google Play is a compromise. It is significantly more secure than regular Google Play, but you are still sharing data with Google — less than before, but not zero. If Google is part of your threat model, do not install it.
If your threat model is about advertisers, data breaches and general tracking — sandboxed Google Play is fine. It is a realistic middle ground between fully open and fully closed.
You can always install it, test it, and remove it again. GrapheneOS makes that easy.