Google’s support for my current Pixel phone will end in a couple of weeks and though CalyxOS will probably still release updates for quite a while, it will not receive full security updates anymore. Thus I opted for a new Pixel 7a. It’s a nice phone, not too expensive, about the size of my old Pixel 4a(5G) and will be supported by Google until May 2028. Of course, I wanted to replace Google’s version of Android with a privacy respecting custom ROM again.
The Pixel 7a does not come with a charger and is lacking a standard headphone port. So, I also bought a USB(C) to headphone converter and I’m using the charger which came with my Pixel 4a(5G). When I powered it up for the first time I mostly skipped all of the initial setup options. However, I connected to WiFi and updated to the latest stock Android. I briefly checked the camera, but that was about it.
My original plan was to install CalyxOS again. I’m running it since Android 11, updated all the way to Android 13 and I’m quite happy with it (see here and here). Unfortunately, when I wanted to install it on my new Pixel 7a their website was down at that very moment. Not sure what happened, but being not very patient, I just decided to install GrapheneOS instead. I’ve always kept an eye on both of these two custom ROMs, so I was not completely unprepared. Both have their similarities and their differences - both with their pros and cons of course. I.e., while CalyxOS comes with microG preinstalled, GrapheneOS offers a sandboxed version of the original Google Play Services. In both cases it’s optional to install or make use of this feature. Anyway, please take a look at their respective websites to get to know their individual features and philosophies.
To install GrapheneOS you can either make use of their web based installer - which is VERY easy to use, even for the less tech savvy - or run it from command line. (In either case: read the original instructions first before you start!) I opted for the command line installation, just because I like to see what’s happening. The process is rather fast, I’d say it took no longer than 20-25 min (including download and verification of the files). The actual flash process probably just took around 5-10 mins. Once that is done and the bootloader is re-locked, you should also disable “Enable OEM unlocking” from developer options again. Anyway, just make sure to follow the instructions on their website to the end. I then did just a few checks to roughly see that all is working. If you have a physical SIM card you might want to insert it now. Then, I’ve reset to factory defaults again to give it a clean start.
The initial setup is quite easy and similar to what you already know from either stock Android or CalyxOS: choose your timezone, connect to WiFi, set a PIN or password, add a fingerprint, etc. I also went through all settings then to make sure it’s all setup as I prefer.
If you make use of an eSIM and did not install it while still running stock Android, you can do so now. Make sure to install Google Play Services first. You can do that by opening the app “Apps” and then tap on “Google Play services”. This might take a bit, be patient. (No need to login to a Google account!) You can remove all permissions for Google Play services, except for “Network”. Next go to “Settings => Network and Internet” and enable “Enable privileged eSIM management”. It might require a reboot and enabling it again. Now you can just add an eSIM by scanning a QR code. If you have no further use for “Google Play services” you can uninstall them again.
In order to install apps from Google’s Play Store you will need to login to a Google account. If you just want Google Play services for receiving notifications, you actually don’t need a Google account. Anyway, as I wanted to install apps via Play Store I created a new Google account and disabled pretty much everything in its privacy settings. I did not find a way to create a new account without submitting a phone number though… Once the account is created, you can remove it again, but Google will still know that this phone number was once associated with this account. If you have an additional phone number available, I would not use my “main” number for this.
Opening the Play Store will let you login to this new account. I then first installed KDE Connect. It’s a neat little tool to integrate your phone with your Linux desktop and it also let’s you transfer files to your phone (and vice versa). In my case I’m running Gnome with GSconnect shell extension. If you don’t like KDE Connect (or don’t run Linux at all) you could also try something like Snapdrop to transfer files without the need to connect via cable. Or, you can simply use a cable…
Anyway, it’s up to you how you’d like to install additional apps. You can just stick to Google’s Play Store and get everything from there. It is probably the most secure way and you will have Google Play services running in the background.
I decided to split things up a little:
- Google Play Store for all apps not available elsewhere (i.e. like banking apps, apps for music streaming, etc.)
- Obtainium for apps I could find on GitHub and which can be verified in some way (checksum or even via key signing)
- F-Droid for all other apps
If you never heard of Obatainium before you should check it out. This app can handle different sources for Android apps, like GitHub or GitLab, and will also take care of updating them. You can download the app from GitHub. Make sure to verify the downloaded apk (there’s even a GPG signed checksum file available). Transfer the apk to your phone and install it. Next I searched for a few apps which I wanted to install from GitHub, downloaded and verified the apk files and then transferred them to my phone to install them. I added their respective GitHub URL to Obtainium. It’s usually something like “
https://github.com/DEVELOPER/APPNAME”. In most cases Obtainium recognized the app was already installed and thus will take care of future updates for this app. In some cases it did not initially recognize that the app was already installed (i.e. KeePassDX), however, it will upon next update. Of course you can skip the step of manually installing the app first and then adding it to Obtainium and just install it right away via Obtainium. I didn’t because I like to add some small extra security to this process by verifying the downloaded apk files as proper as possible. From there on the app can only be updated if its signature is matching the one already installed (TOFU => Trust On First Use).
For F-Droid I decided to go with Neo Store and installed it via the above process. Neo Store is able to automatically update apps installed by it.
Migrate to the new phone
Transferring your data and apps from one phone to another is a little bit of manual work. As I never really used Google’s backup services to migrate between phones even at the time I was still using Google’s Android, for me the process is not really new. And the whole point of installing a custom ROM is to get as far as possible away from Google.
As you still have your old phone at this point there’s not really a risk of losing data.
Calendar and address book
My recommendation would be to sign up with decent email provider which will also let you sync your calendar and address book, like Mailbox.org or posteo.de for example. Or - if you can - just self host Nextcloud. You will need DAVx5 to sync. If you have everything stored locally only, you can simply export and import your data. Check out Simple Contacts and Simple Calendar.
For messaging I’d recommend Signal and/or Threema. When you start Signal for the first time on your new device it will ask if you’d like to restore from a previous device. You can do that either by connecting both phones to the same WiFi (I think it requires bluetooth as well) and scanning a QR code or by exporting all chats on the old device (take a note of the password, you will need it!). Copy the backup to the new device and when asked, choose to restore a local backup. The latter works also for Threema. You will have all your chats ready on the new device. (Uninstall Threema on the old device as there can only be one.)
Most 2FA apps will let you export their data and thus it can easily be transferred to the new device and then imported back into the app. Keep in mind that this is very sensitive data and it should be kept in a safe place and encrypted with a good password. Take Aegis Authenticator for example.
At this point you can make use of F-Droid, Obtainium and even Google Play store to install your favorite apps. I was still missing a good weather app. I liked Geometric Weather a lot, but unfortunately it seems discontinued. There is a fork available called Breezy Weather. You can install it by either adding an additional repository to your F-Droid client, or by downloading it directly from GitHub and adding it to Obtainium.
In my experience, running Signal without Google Play services (or microG) will probably drain your battery quite a lot. In case of GrapheneOS my recommendation would be to install the sandboxed Google Play services. They do not require any permission except for “Network”. (I wish Signal - or basically all messengers - would support UnifiedPush.)
You can also install Google Camera from Play Store which will probably improve the image quality. It will require a few more permissions, but you can (and probably should) remove “Network” permission. I’m currently fine with the default GrapheneOS camera app though.
If this is the first time you’re running a custom ROM, and want to use more open source apps, here’s a list of additional apps which I think are pretty good and which work for me quite well (make sure to do your own research though!):
Manage Passbook files (as known from Apple):
- Vanadium (already comes with GrapheneOS) (Chromium)
- Mull (Mozilla)
TTS: if you require TTS your best option is probably to install the one from Google or - if the supported languages are OK - checkout RHVoice
The sandboxed Google Play services are working well, but I think they might require a little more battery power than microG. Of course, I might be wrong with that as I cannot really compare the old phone’s battery usage running a different custom ROM with the new one. Just a “feeling”… ;-) Installing them is kind of a trade off: you gain compatibility with most apps (in fact, all apps I have installed are working fine with sandboxed Play services), but you will loose some privacy to Google. But this is the very same dilemma with microG of course.
In any case, make sure to only grant the minimum permissions required to make the apps work. Having that said, GrapheneOS comes with a very nice and unique feature: “storage scopes”. Apps which require to have full access to all files, can be tricked by using storage scopes and thus only exposing dedicated directories to those apps. Read about it here. For example, my Gallery app can only access the
DCIM directory - it does not need to access the complete filesystem.
So, overall I’m pretty happy with GrapheneOS as well. Updates come quite fast (four days after the official Android 14 release it also came to GrapheneOS!) and sometimes quite often. But security being the main point of GrapheneOS this should not come as a surprise and I appreciate it.