The installation is done. Bootloader locked, first boot complete, and you're looking at a blank home screen. The install guide covers what every setting does at a technical level. This covers what to actually do with it — in order, on day one — with opinions where it matters.
Verify before you configure anything
Auditor ships with GrapheneOS (the GrapheneOS App Store, also preinstalled, is where its updates come from). Open it and run an attestation. Local attestation pairs two devices: the phone being checked acts as the Auditee and shows QR codes that a second device running Auditor scans and verifies; with no second device handy, the remote attestation service at attestation.app does the same job. Either way, Auditor uses hardware key attestation rooted in the Titan M2 to verify that the bootloader is locked, that GrapheneOS is the installed OS, and that verified boot is enforcing with the GrapheneOS signing key. The attestation is signed inside the secure element, so software running on the device cannot forge it.
If something went wrong during the flash, better to find out now.
The lock screen decision that affects everything downstream
GrapheneOS derives the keys for your profile's encrypted storage from your lock screen credential, stretched and combined with a secret held in the Titan M2 secure element. Your passphrase is key material, not just a gate in front of the key. And because auto-reboot is on by default (18 hours after the last unlock), your phone regularly returns to the Before First Unlock state, where those keys are evicted from memory entirely. Every unlock re-derives them from what you typed.
Set a passphrase, not a PIN. Six random words beats eight random characters, and both beat any PIN, in every direction that matters, including against biometrics, for the reasons the fingerprint vs PIN breakdown covers. The secure element throttles failed attempts, so a random six-digit PIN is not trivially brute-forced on an intact device, but that protection is only as strong as the Titan M2; a passphrase holds up even if the throttling is bypassed. The auto-reboot cycle through BFU is only worth something if the credential behind it is actually hard to brute-force, which is the whole argument for rebooting your phone as a security habit in the first place.
If you keep a PIN anywhere (a secondary profile, say), also go to Settings → Security & privacy → Device unlock → Scramble PIN and turn it on. It randomizes the digit layout on every unlock, which defeats smudge attacks and the class of attacks that reconstruct PIN entries from accelerometer data by correlating expected digit positions with recorded motion, and makes shoulder-surfing harder, though someone who can see the screen can still read the digits. It does nothing for a passphrase, since the keyboard layout is fixed.
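An added example, written for this page rather than taken from GrapheneOS, that puts numbers on the passphrase-versus-PIN argument above: it generates credentials with a CSPRNG and compares entropy and expected brute-force time under two assumed guess rates, a throttled rate standing in for the secure element (the real Titan M2 schedule is in the GrapheneOS FAQ and is not reproduced here) and an unthrottled offline rate for the case where the secure element is bypassed. The eight-word sample wordlist is constructed for the demo and far too short for real use; the entropy figures use the size of the EFF large wordlist (7776 entries).

```python
import math
import secrets

# Constructed sample wordlist, far too short for real use. A real diceware list
# such as the EFF large wordlist has 7776 entries; the figures below use that size.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "drift", "ember", "falcon", "gravel", "harbor"]
EFF_LARGE_WORDLIST_SIZE = 7776
PRINTABLE_ASCII = 95   # symbols a random-character password can draw from
DIGITS = 10

# Assumed guess rates for illustration, not measured figures.
THROTTLED_RATE = 1 / 86400   # secure-element throttling, roughly one guess per day once it bites
OFFLINE_RATE = 1e9           # attacker has the key-derivation inputs and a GPU rig

SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random credential of `length` symbols from a pool."""
    return length * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random credential: half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second


def random_passphrase(wordlist, n_words: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase. secrets.choice is the CSPRNG; never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_pin(n_digits: int = 6) -> str:
    """Uniformly random PIN; a human-chosen PIN has far less entropy than this."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n_digits))


def compare_credentials(guesses_per_second: float) -> dict:
    """Entropy and expected crack time (years) for the three options the text compares."""
    options = {
        "6 diceware words": (EFF_LARGE_WORDLIST_SIZE, 6),
        "8 random printable chars": (PRINTABLE_ASCII, 8),
        "6-digit PIN": (DIGITS, 6),
    }
    out = {}
    for name, (pool, length) in options.items():
        bits = entropy_bits(pool, length)
        years = expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR
        out[name] = (round(bits, 1), years)
    return out


if __name__ == "__main__":
    print("example passphrase:", random_passphrase(SAMPLE_WORDS))
    print("example PIN:       ", random_pin())
    for label, rate in (("throttled", THROTTLED_RATE), ("offline", OFFLINE_RATE)):
        print(f"\nassumed rate: {label}")
        for name, (bits, years) in compare_credentials(rate).items():
            print(f"  {name:26s} {bits:5.1f} bits  ~{years:.3g} years")
```

Read the offline rows: with throttling out of the picture, the six-digit PIN falls in under a millisecond, eight random characters in weeks, six random words in millions of years. The throttled rows show why a random six-digit PIN is tolerable on an intact device, and the gap between the two tables is the whole passphrase argument.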
The Google Play decision
This is the most consequential choice you'll make on GrapheneOS. Worth thinking through before just installing Play and forgetting about it.
No Google Play at all is viable for more people than they expect. Signal, Bitwarden, Vanadium, and F-Droid cover a lot of ground. Worth testing for a week before you decide you can't live without Play. A lot of people discover they only needed three Play apps and two of those have F-Droid alternatives.
Sandboxed Google Play is the practical choice for most people — but install it in a secondary profile, not the owner profile.
Here's how: Settings → System → Users → Add user. Set up the secondary profile, switch into it, open the GrapheneOS App Store there, and install Google Play services from it; that entry installs Play Services, the Play Store and Google Services Framework together as ordinary sandboxed, unprivileged apps. Don't sideload the APKs from anywhere else. Afterwards grant one battery optimization exception (Settings → Apps → Google Play services → Battery → Unrestricted) or push notifications won't work reliably.
Why not the owner profile? Each GrapheneOS profile has independent encryption keys and full app isolation — apps in one profile cannot communicate with or enumerate apps in another. Sandboxed Play already strips the privileged system access it has on stock Android, running as a normal unprivileged app with a compatibility layer rather than as part of the OS. A secondary profile adds another layer of separation at no real cost. Your owner profile stays clean. Google Play stays contained.
Browser
Just use Vanadium.
It ships with GrapheneOS. Hardened Chromium: site isolation enforced, JavaScript JIT disabled by default with a per-site toggle, virtually all remote Google services stripped out. It's also the system WebView, so every app that renders web content through WebView uses it. Using Vanadium as your daily browser means you're not running two browser engines side by side, and every Vanadium update patches both.
First thing to set: default search engine. Settings → Search engine. Beyond that, it works out of the box.
If you want Brave instead, that's fine — Brave Shields handles ad and tracker blocking without extension configuration, and it's a reasonable hardened Chromium alternative. GrapheneOS doesn't recommend it over Vanadium, but it's not a bad call.
What you shouldn't install is Firefox. On Android, Firefox has no site isolation: Fission, Gecko's per-site process model on desktop, isn't shipped there, so different sites share content processes, and Gecko's sandboxing on Android is weaker than Chromium's. That's not a general knock on Firefox. It's a specific limitation of how Gecko maps onto Android's process model, and on a security-focused OS it's the wrong trade-off.
Two radio settings worth doing today
LTE-only mode. Settings → Network & internet → SIMs → [your SIM] → Preferred network type → LTE only.
Dropping 2G and 3G removes most of the IMSI catcher attack surface. 2G has no mutual authentication: your phone connects to anything presenting itself as a tower, which is why those attacks work. 3G does authenticate the network, but carriers are shutting it down and it offers nothing over LTE worth the extra attack surface. LTE requires mutual authentication between device and network, so forcing LTE-only takes away the fallback protocols an IMSI catcher tries to push you onto. You'll need VoLTE active on your SIM for calls, since there is no circuit-switched fallback left; most carriers support it now, but confirm before flipping the switch.
Network location provider. Settings → Location → Location services → Network location. Network-based location resolves nearby Wi-Fi access points to a position. If you have it enabled, make sure it is set to the GrapheneOS network location proxy rather than Apple's service directly. The proxy still queries Apple's database, but through GrapheneOS servers, so your IP address never reaches Apple.
MAC randomization is already on by default — per-connection randomized MAC for every network. Leave it unless your router assigns DHCP leases by MAC address and you're getting conflicts, in which case switch to per-network randomized MAC (Settings → Network & internet → Internet → [network name] → Privacy). Otherwise, the default is fine.
What to install first, and where to get it
Signal. Bitwarden. Then everything else.
Signal because in 2026 there's no good reason to leave your message graph on a corporate server, and SMS is effectively plaintext. Bitwarden because you're on a fresh install and your passwords need to be somewhere immediately, and because profile isolation means each profile that needs credentials gets its own Bitwarden install and vault login rather than credentials being copied across profiles.
For app sources: GrapheneOS App Store first (sandboxed Google Play, Auditor, and a few others). Then Accrescent: a limited catalog, but apps are signed by their developers, so the store never holds a signing key, and Android's signature check pins every later update to that key. That is a meaningfully stronger model than F-Droid's default, where F-Droid builds from source and signs the result with its own key; only the subset of F-Droid apps with verified reproducible builds keep the developer's signature. That's not a dealbreaker, but it's a trust decision worth knowing about. Within F-Droid, the IzzyOnDroid repository distributes developer-signed packages and is the better default for most FOSS apps. For everything else: sandboxed Play in the secondary profile.
Sideloading direct APKs: enable install-unknown-apps for whichever app you're installing from (browser, file manager), install, then disable it immediately after. Don't leave it open. Check the signing certificate against the fingerprint the developer publishes before the first install; Android refuses any later update not signed with the same key, so the first install is the one that sets the trust.
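An added example, written for this page rather than taken from GrapheneOS, F-Droid or any app's own tooling, of the check to run on a workstation before sideloading an APK or before trusting a repository's copy of an app: run `apksigner verify --print-certs` (from the Android SDK build tools) against the file and compare the signer certificate's SHA-256 fingerprint with the one the developer publishes. Parsing and comparison are kept separate from the apksigner call so they can be exercised on the constructed sample output embedded below; the digest and the pinned fingerprint in it are made up.

```python
import re
import subprocess
import sys

# apksigner prints one block of these lines per signer; the SHA-256 line is the one to pin.
DIGEST_RE = re.compile(r"Signer #(\d+) certificate SHA-256 digest:\s*([0-9A-Fa-f]+)")


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex (all common on developers' sites); return lowercase hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).lower()


def parse_signer_digests(apksigner_output: str) -> list:
    """Every signer's certificate SHA-256 from `apksigner verify --print-certs` output, in order."""
    return [normalize_fingerprint(d) for _, d in DIGEST_RE.findall(apksigner_output)]


def signer_matches(apksigner_output: str, pinned_fingerprint: str) -> bool:
    """True only if the APK has exactly one signer and it is the pinned developer certificate.

    More than one signer means a multi-signer package or something re-signed along the way;
    treat that as a manual review case, not a match.
    """
    pinned = normalize_fingerprint(pinned_fingerprint)
    if len(pinned) != 64:
        raise ValueError("pinned fingerprint must be a SHA-256 digest (64 hex chars)")
    digests = parse_signer_digests(apksigner_output)
    return len(digests) == 1 and digests[0] == pinned


def run_apksigner(apk_path: str) -> str:
    """Run apksigner; a failed signature verification raises before the certificate is even looked at."""
    proc = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


# Constructed sample in apksigner's output format; the digests are made up.
SAMPLE_OUTPUT = """\
Signer #1 certificate DN: CN=Example Developer, O=Example
Signer #1 certificate SHA-256 digest: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef
"""
# The same digest as a developer might publish it: colon-separated, uppercase.
PINNED_EXAMPLE = ("0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:"
                  "0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        apk, pinned = sys.argv[1], sys.argv[2]
        ok = signer_matches(run_apksigner(apk), pinned)
    else:
        print("usage: verify_apk_signer.py app.apk <pinned-sha256>; running against the sample output")
        ok = signer_matches(SAMPLE_OUTPUT, PINNED_EXAMPLE)
    print("signer matches pinned certificate" if ok else "SIGNER MISMATCH, do not install")
    sys.exit(0 if ok else 1)
```

Run it as `python3 verify_apk_signer.py app.apk <fingerprint>` (the script name is assumed). It matters most on the first install: Android ties later updates to the installed app's signing key, so a wrong key accepted once stays accepted. It is also the check that F-Droid's re-signing makes impossible against a developer's published fingerprint for its main-repo builds, which is the concrete form of the trust decision above.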
One permission pass after you're done installing
GrapheneOS adds per-app network and sensor toggles that don't exist on stock Android. Running through them once after your initial app setup is worth the ten minutes.
Network toggle (Settings → Apps → [app] → Permissions → Network): any app with no reason to phone home, offline tools, note apps, games, block it. GrapheneOS turns the INTERNET permission into a runtime permission and blocks indirect network access through other apps as well; the app gets the same errors it would get while offline. This is a control that doesn't exist on stock Android at all, which is worth sitting with for a moment.
Sensors toggle: stock Android hands every app accelerometer, gyroscope, magnetometer and barometer access without a prompt; since Android 12 only sampling above 200 Hz needs a permission, and everything below that is silent. No permission dialog. No user awareness. GrapheneOS adds a per-app Sensors permission covering all of it. Go through anything that has no plausible reason to read motion data. The list is usually longer than expected.
Storage Scopes: where you granted broad storage access during setup, check if you can scope it. Settings → Apps → [app] → Permissions → Storage Scopes. The app sees exactly what you've authorized and nothing else — it can't distinguish the scoped view from full access.
Privacy Guides rates GrapheneOS as the strongest Android distribution without qualification — no close alternatives named, no "for users who need X." The setup above is what puts you on the right side of that rating in practice rather than just technically running the OS.
The work is front-loaded. After the permission pass, the secondary profile, the radio settings — there's nothing left to configure. It runs like a phone. The complete Android privacy guide covers the threat model behind these decisions if you want to understand why the defaults land where they do. And once Bitwarden is set up, the passkey workflow is worth building out — a fresh GrapheneOS install is exactly the right moment to form the right habits.