First, I don't know the right non-Reddit place to ask GrapheneOS questions. (I don't have a Reddit account.) So apologies for posting one here, but this was the only issue tracker I found that seemed to be along the lines of FAQs/general user information.

I use an application that runs as an app-defined Android VPN (InviZible Pro). Here is the link to my question over on that project: Gedsh/InviZible#82 It routes network traffic through Tor (like Orbot), & DNS requests through DNSCrypt servers. I would like the VPN functionality (always on, block all traffic when not on) to apply to all user profiles. It works flawlessly in the Owner profile. But it does not have any effect on traffic in user profiles. Installing the application in a user profile doesn't work either, because it doesn't show up as a candidate for VPN in the Android VPN settings.

According to the developer of that app, 'So it looks like GrapheneOS doesn't support managing apps in user profiles from the main profile in VPN mode.' Is this the case?

More generally, is it possible to have an app-defined VPN that applies to all user profiles with GrapheneOS? If so, any pointers how to accomplish it would be appreciated. If not, I think it might be something worth making possible in GrapheneOS.

This is an example of a template layout proposal to use for the App Compatibility List - Gold.md

Purpose: Convenience for visitors to have direct links that are relevent as well as this is an ever-expanding result list, perhaps providing a template for users to PR additional apps?

S

• Scrambled Exif
• Shelter
• Signal Private Messenger
  www | apk | faq general - security - troubleshooting | support | forum
  audit | git | issues | chat
• Simple Calendar
• Simple Gallery
• Simple Music Player
• SuperTuxKart

T

• Telegram
• Telegram
• Telegram FOSS
• Termux
  Owner Profile ✓ Secondary Profile¹✗
  www | f-droid | faq | wiki | git | issues | community+chat
  ^{1: Termux is broken and hard-wires a path in a way that breaks it in secondary profiles.}
• Tor Browser

# S
* Scrambled Exif
* Shelter
* **Signal Private Messenger**  
    [www](https://signal.org "Signal's Website") | [apk](https://signal.org/android/apk/ "Offical Android APK") | faq [general](https://support.signal.org/hc/en-us/sections/360001602832-General-FAQ "Signal's General FAQ") - [security](https://support.signal.org/hc/en-us/sections/360001614191-Security-FAQ "Signal's Security FAQ") - [troubleshooting](https://support.signal.org/hc/en-us/sections/360001602812-Troubleshooting-FAQ "Signal's Troublshooting FAQ") | [support](https://support.signal.org/hc/en-us "Support") | [forum](https://community.signalusers.org/ "Signal user's Community Forum")  
    [audit](https://community.signalusers.org/t/wiki-overview-of-third-party-security-audits/13243 "Overview of third-party security audits reports") | [git](https://github.com/signalapp/Signal-Android "Github repo for Signal App on Android") | [issues](https://github.com/signalapp/Signal-Android/issues "Signal App for Android Issue tracker") | [chat](https://matrix.to/#/!qZFigcWoZoRODhzUlw:matrix.org "#signalapp:matrix.org")  
* **Simple Calendar**
* Simple Gallery
* Simple Music Player
* SuperTuxKart
# T
* Telegram  
* Telegram  
* Telegram FOSS
* **Termux**  
    Owner Profile &check; Secondary Profile<sup>1</sup>&cross;  
    [www](https://termux.com/ "Termux's Website") | [f-droid](https://f-droid.org/packages/com.termuxk "Offical F-Droid ") | [faq](https://wiki.termux.com/wiki/FAQ "Termux's FAQ") | [wiki](https://wiki.termux.com/wiki/Main_PageQ "Signal's Security FAQ") | [git](https://github.com/termux/termux-app "Github repo for Termux App on Android") | [issues](https://github.com/termux/termux-app/issues "Termux App for Android Issue tracker") | [community+chat](https://wiki.termux.com/wiki/Community "Termux Communtiy Support")  
    <sup>1: Termux is broken and hard-wires a path in a way that breaks it in secondary profiles.</sup>
* **Tor Browser**

Google Camera is listed as broken but according to the GrapheneOS website this might have changed recently(?)

Google Camera can be used with the sandboxed Play services compatibility layer and can take full advantage of the available cameras and image processing hardware as it can on the stock OS.

are you open to me adding info to the silver list about how to get Wire to work on grapheneOS?

or is this documentation geared more towards "What works and what doesn't" rather than "how to make something work"?

@Peter-Easton thank you for making this guide and updating it! This is really helpful!

https://github.com/Peter-Easton/GrapheneOS-Knowledge/blob/master/For%20Testers/The-Compatibility-Test-Suite.md

I was building GrapheneOS on Ubuntu 20.04 and at the last step "Generating signed factory images and full update packages" I got the following error:

script/signify_prehash.sh: line 13: signify: command not found

Daniel already made a note of this signify issue for Debian/Ubuntu in the install guide but it's not documented in the official build guide (since he probably uses Arch for everything).

My workaround was to make a symlink:

me@server:~/android/grapheneos-10$ type signify-openbsd
signify-openbsd is hashed (/usr/bin/signify-openbsd)
me@server:~/android/grapheneos-10$ ln -s /usr/bin/signify-openbsd ~/bin/signify
me@server:~/android/grapheneos-10$ type signify
signify is /home/user/bin/signify

Running script/release.sh <device> was successful after the workaround was applied.

I've read at https://libredd.it/r/privacy/comments/me4xjw/how_to_protect_your_phone_against_companies_such/ the assertion that the way Cellebrite, Grayshift, etc. extract data is by exploiting phones that are in AFU mode. According to the Reddit post's author, 'The reason your phone needs to be in BFU mode is because the encryption keys are stored in memory for your data, when the phone is powered on, but has been unlocked at least once. Forensic companies logically exploit this to extract almost all your phone data from your phone, without even needing to know your passcode.'

Does this apply to GrapheneOS (& is it even accurate)?

I have read the FAQ at https://github.com/Peter-Easton/GrapheneOS-Knowledge/blob/master/GrapheneOS-Security-Q%26A.md#what-security-measures-does-grapheneos-have-against-those-cell-phone-unlockers-used-by-the-military-like-cellebrite-graykey-etc-what-about-nation-states-with-unlimited-resources . It would seem to suggest that passphrase or PIN would be required in any event (delayed by throttling if the HSM is undefeated, but also even in the case that the Titan-M is defeated), contradicting the Reddit author's idea that if the phone has been unlocked once, encryption keys are floating around in memory & data can somehow be extracted without having to obtain the passphrase or PIN. Note: the author references iOS but other commenters suggest it applies to Android as well.

Hi Peter,

Since you wrote elsewhere that you would now like to document apps that are not compatible with GrapheneOS, it seems I've come across the first one: Urban Sports Club. It crashes during startup.

I would have also created a PR but I wasn't sure which format you wanted to follow.

Merry Christmas!

I wanted to suggest that for the list, it be grouped by app categories, rather than alphabetically?

so, you would have one category like

Messaging Services

• Element
• Signal Private Messenger
• Telegram
• Telegram FOSS
• WhatsApp Messenger
• Wire (Cannot connect to the server on boot. In order to display notifications you must manually open the app first.)

Would make more in my opinion cause then someone going through the list of a specific services doesn't have to guess which apps do what.