While the web is full of reviews, this repo aims to cut through some of the noise and give yet another, user-level perspective. I'll cover the open-source apps I rely on, the commercial software I haven't found good FOSS or open-source replacements for, the settings and configurations I personally use, and even the small annoyances that I've run into over time.
Whether you're considering switching to GrapheneOS, have already jumped ship, or are just curious about using a privacy-focused, de-googled Android fork β this hopefully helps to get some insights.
Before getting into the first major topic, I want to clear up a common misconception about GrapheneOS: While Graphene is well-known as a privacy-focused Android fork, you don't need to be a hardcore privacy enthusiast to benefit from using it.
Yes, GrapheneOS is built with strong security and privacy principles at its core β but that doesn't mean you must give up Google services or only use open-source apps to enjoy it. In fact, you can absolutely use GrapheneOS while still relying on Google apps and other proprietary software, and it works just fine. I personally do appreciate the built-in privacy and security features, but I'm also perfectly fine with using the Google Play Store β thanks to GrapheneOS's sandboxed Google Play compatibility layer β for a good chunk of my apps.
But the reason I still stick with GrapheneOS β tho this applies to most custom Android OSes β is how clean it is. No bloat, no preinstalled junk I didn't ask for and can't remove (looking at you Facebook), and no forced usage of certain apps. Just a fast, minimalist system that stays out of my way. And best of all, no more mysterious background processes eating up resources with no explanation. My phone runs what I tell it to run β nothing more, nothing less.
I was honestly surprised by how smoothly the installation process went. I expected it to be complicated β especially since this was my first time flashing a custom Android ROM β but it turned out to be far more approachable than I had anticipated. The official Web Installer makes the whole thing simple: it runs right in your browser and walks you through unlocking your bootloader, flashing the OS, and locking it again once everything's done.
The instructions on the official website are clear enough, though I'll admit I personally find visual guides easier to follow than text-based ones. But you will find plenty of excellent tutorials online that make the process even clearer. All in all, it took me about one or two hours to get everything set up β not bad at all for a first-time install.
Here's a quick breakdown of all the apps I currently use on my GrapheneOS device, what category they fall into, and why I use them.
These are the system apps that come pre-installed with GrapheneOS. They're sandboxed, secure, and cover most basic functions. The pre-installed apps are kept deliberately minimal β providing only the core functionality necessary for a secure system baseline. GrapheneOS prioritizes a minimal attack surface, avoiding unnecessary components, and ensuring that each app is sandboxed and permission-limited by default.
| App | Description |
|---|---|
| App Store | Installs a limited set of trusted core apps (includes sandboxed Google Play) |
| Auditor | Verifies device integrity |
| Calculator | |
| Camera | Secure camera app with standard functionality; does not include document scanning |
| Clock | Alarm, timer, stopwatch, and world clock |
| Contacts | |
| Files | File manager with storage access framework |
| Gallery | Barebones gallery app; poor interface |
| Info | |
| Messaging | |
| PDF Reader | |
| Settings | |
| Telephone | |
| Vanadium | Hardened browser based on Chromium |
*You can find additional information on GOS and its features on their webpage.
These are the apps I use to replace proprietary tools or to expand and enhance functionality on GrapheneOS. All apps mentioned here are fully open-source (partial exception: Bitwarden, whose official clients are not fully open-source unless self-hosted), making them inherently more transparent, secure, and privacy-focused β so I won't repeat this for every individual app.
The apps are presented in order of personal priority.
| Type | App | Description |
|---|---|---|
| APK Manager | Obtainium | Install and update FOSS/open-source apps directly from GitHub |
| 2FA Code Manager | Aegis | Alternative to Google Authenticator |
| Password Manager | Bitwarden | Secure cloud sync with open-source backend |
| Gallery | AvesLibre | |
| Document Scanner | OpenScan | |
| Keyboard | FUTO Keyboard | Offline speech-to-text, keeping your data fully local |
| Thunderbird | Full-featured, cross-platform mail client | |
| File Sync Tool | Syncthing-Fork | Peer-to-peer file sync; local-first, no cloud required |
| Network Tool | Orbot | Tor routing for apps |
| Device Integration | KDE Connect | Cross-device sync and file sharing between Android and Linux |
| Terminal | Termux | Linux environment and terminal emulator |
| Book Tracker | OpenReads | |
| Youtube | NewPipe | Ad-free YouTube and Soundcloud frontend |
| Weather App | Breezy Weather | |
| Maps | Organic Maps | Alternative to Google Maps |
| Streaming | Twire | Alternative Twitch client |
| Fitness Tracker | OpenTracks | |
| Social Media | Mastodon |
The default GrapheneOS App Store isn't really an "app store" in the traditional sense. Its main purpose is to update GrapheneOS system apps and install sandboxed Google Play Services. Yes, you can install Accrescent through it β another FOSS app store β but personally, I've never been fully satisfied with either F-Droid or Accrescent. That's why I use Obtainium. Tho it's not technically an "app store" either and functions more like a lightweight package manager that pulls APKs directly from trusted upstream sources like GitHub or GitLab. It gives me full control over updates and sources, without going through an external app stores.
As for some of the other native apps: I've never had much use for the Auditor or Info apps, tho they're nice to have. The default Gallery app is a rough experience. Thus AvesLibre (or just Aves) has become my go-to gallery app. It feels more like a desktop app, which is a vibe I also appreciate in the native Files app. With the Files app, you can easily browse the contents of your device without artificial limitations.
The rest of the built-in apps generally do their job well enough that I haven't felt the need to replace them.
I did however install OpenScan to complement the default Camera app, since GrapheneOS doesn't include document scanning out of the box. Beyond that, the camera app works fine for my needs. That said, I'm not a professional photographer β so if you have a favorite camera app with better image quality or features you want, don't hesitate to pick it up. Graphene's camera is decent, but it's not trying to compete with flagship camera apps.
Among the third-party open-source apps, there's a core group I consider key for a security-hardened setup: Aegis, Bitwarden and Orbot cover a lot of bases when it comes to digital hygiene and peace of mind. Orbot is an app you can probably skip if you don't need secure routing, and Aegis isn't necessary unless you use 2FA codes β but Bitwarden should really be a staple in every setup. I personally use Aegis alongside Bitwarden so that if something ever happened to my Bitwarden account, my passwords and 2FA codes wouldn't both be lost at the same time. Plus, I just really love Aegis's design β it feels clean and straightforward.
GrapheneOS doesn't ship with voice input out of the box, and most keyboards either require network access or lack features. That's why I use FUTO Keyboard β it offers offline speech-to-text, solid typing feel, and keeps your data fully local. It's a keyboard that hits the sweet spot between usability and privacy.
Thunderbird is still relatively new on mobile as of writing this. It merged with K-9 Mail, though both remain available as separate apps. While Thunderbird is coming along nicely, if you feel dissatisfied or just want to explore your options, K-9 Mail is still actively maintained and worth considering β in fact, some users may find it even more polished for mobile at this stage.
Termux adds a full-fledged Linux terminal environment into your phone, capable of running real command-line tools, programming languages, and even lightweight servers β all without root access. With its built-in package manager, you can install familiar utilities like ssh, python, or git, effectively turning your device into a pocket-sized Linux workstation. It's an incredibly flexible tool for anyone who enjoys tinkering, scripting, or automating things β and it shines when it comes to smart home setups. Through simple shell or Python scripts, Termux can monitor or control IoT devices, interact with APIs like Home Assistant, or perform scheduled automation tasks completely offline and securely. If you want to take things further, Tasker can trigger Termux scripts based on conditions like time, location, or system state, making complex automations both local and private. Pairing Termux with Syncthing-Fork allows you to keep scripts, configs, and logs in sync across all your devices without relying on cloud storage. Add Tailscale to the mix, and you can securely access your Termux environment or smart home network remotely, no port forwarding or public exposure needed. Simply a great app.
Other open-source apps that really impressed me were NewPipe, OpenReads and Organic Maps. NewPipe is an excellent YouTube frontend β works great overall, though it can get a bit clunky when routing through a VPN. OpenReads was a pleasant surprise. I'd never used a book-tracking app before, but if you read regularly, it's absolutely worth trying. Organic Maps is a great Google Maps alternative. As someone who relied exclusively on Google Maps for years, I was genuinely surprised by how well Organic Maps performs and how accurate it is.
All of the above mentioned apps are solid enough that I'd recommend them for daily use, even if you're not running GrapheneOS.
Used when no equivalent FOSS or open-source app meets functionality needs β trade-offs acknowledged.
The apps are presented in order of personal priority.
| App | Description |
|---|---|
| Google Play Store | Sandboxed |
| Banking | My local banking app β not listed by name for obvious reasons |
| Paypal | |
| To stay in contact with family and friends | |
| Obsidian | Markdown-based note-taking |
| Proton Calendar | Encrypted calendar; privacy-first, seamlessly syncs across devices |
| Tailscale | Mesh VPN; used for remote access and secure networking |
| Spotify | |
| Netflix | |
| Discord | Gaming, Dev and Twitch communities |
| Malwarebytes | On-demand malware scanning |
| Loxone | Smart home / security control app; work requirement |
| MS Teams | Work requirement |
| Mobile Games | A few games for when I'm traveling (Gwent, KARDS, Fallout Shelter, etc. ...) |
| Joyn | |
| Crunchyroll |
Obsidian + Syncthing-Fork deserves a special mention as one of the best privacy-respecting productivity setups I've found. Instead of paying for Obsidian's premium sync service, I use Syncthing-Fork to handle vault synchronization across all my devices β completely free, peer-to-peer, and with no cloud middleman. You get full control: sync your entire vault, cherry-pick specific folders, or set up multiple sync configurations. It's fast, reliable, and keeps everything local-first. Add plugins like Excalidraw for sketching and Kanban boards for task management, and you've got a powerful low-overhead system for organizing your thoughts and structuring your projects β all without any recurring subscription fees or third-party servers touching your data.
You can expand the setup even further by combining Syncthing-Fork with KDE Connect and Tailscale. Together, they form a powerful, privacy-respecting foundation for seamless device interaction, file sharing, and remote access. Tailscale creates a secure mesh VPN across all your devices β phone, laptop, desktop, or server β allowing direct, encrypted communication over the internet or local network, without requiring port forwarding or exposing devices publicly. KDE Connect bridges Android and Linux devices over the same network or via Tailscale, enabling clipboard sync, file transfers, notifications, and even remote input, making day-to-day phone-to-desktop integration smooth and convenient. Syncthing-Fork handles continuous, peer-to-peer file synchronization over local networks or Tailscale, keeping folders in sync between devices in a fully encrypted, self-hosted way, ideal for backups, project sharing, or media libraries. Together, these three apps replace many proprietary cloud services, providing a local-first, encrypted, and self-controlled ecosystem for file sharing, device connectivity, and remote access.
Proton Calendar is my go-to alternative to the Google Calendar. It's fully encrypted, easy to use, and works seamlessly across devices. While it doesn't have all the bells and whistles of some mainstream calendars, it covers the essentials β scheduling, reminders, and recurring events β without sending your data to thirdβparty trackers. Even though it's not a FOSS app, Proton is a wellβrespected company in the privacy community, and their services are widely trusted and secure. Worth noting: if you use any of Proton's other services, such as Proton Mail or Proton Drive, the calendar integrates with them just like Google Calendar does with other apps.
I use Malwarebytes as an on-demand malware scanner. While GrapheneOS is very secure by default, I like having the peace of mind of occasionally scanning for malicious APKs, suspicious files, or potentially harmful apps I might sideload. The free version is more than sufficient for this on-demand scanning, but if you want real-time protection β either for an extra layer of security or when using a less secure OS β the paid subscription is, in my opinion, worth it. Malwarebytes can also be used on Windows, where it remains one of the most reliable malware scanners I've personally used. I don't run it constantly on my devices, so I can't talk about performance, but it's definetly a helpful safety net when testing new software or working with suspicious files.
Among the proprietary apps, many are essential β online banking, contactless payments, and communication tools are hard to avoid. Others, like streaming services or mobile games, are entirely optional depending on your lifestyle. Then there are apps that fall somewhere in between, where your needs may vary: Malwarebytes, Obsidian, Proton Calendar and Tailscale are good examples, though all of them are among the most privacy-respecting proprietary options available. But the one app I haven't found a full replacement for is Spotify. If you have Spotify Premium, it's hands down the best music streaming experience on mobile β nothing else comes close in terms of library size, features, and overall usability. Without Premium, though, the mobile app is nearly unusable. So if you can't use Premium, I strongly recommend you try out NewPipe β it covers YouTube and SoundCloud, giving you access to a wide range of content, and with features like background playback and downloads, you get a surprisingly complete listening experience without relying on proprietary streaming apps.