
Best Apps for GrapheneOS: 5 Essential Installs for 2026

GrapheneOS handles the foundation. The apps are where you actually live. Here are the five we'd install on day one, and what makes each one worth it for a privacy-focused setup.

Tags: GrapheneOS, Apps, Privacy, Android
February 21, 2026 // 7 min read // Noctis Privacy

Most people who flash GrapheneOS spend hours researching the OS and five minutes thinking about apps. That's backwards. GrapheneOS handles the hard stuff at the OS level: no Google services baked in, verified boot, a hardened memory allocator, per-app network controls. What you install on top of that is where you actually live day to day. These are the five apps we'd put on any GrapheneOS device from day one.

//01. Signal

If you're moving to GrapheneOS because you care about privacy, you're probably already on Signal. But it's worth covering why it belongs on this list specifically, not just as a messaging app but as infrastructure.

Signal is end-to-end encrypted by default for everything: messages, voice calls, video calls, group chats. That's not a premium feature or a settings toggle; it's just how it works. The protocol it uses (the Signal Protocol) has been independently audited and is widely regarded as the strongest cryptographic foundation for consumer messaging available today. WhatsApp actually uses the same protocol under the hood, though the app itself collects significantly more metadata.

On GrapheneOS, Signal works without any Google dependency. It uses its own notification infrastructure rather than Google's Firebase Cloud Messaging, which means your messages don't route through Google servers to reach your device. It installs cleanly from the Apps app and runs without sandboxed Google Play enabled.

  • Sealed sender: the server cannot see who is messaging whom, only that a message was sent
  • Disappearing messages: set a timer per conversation, messages delete automatically on both sides
  • Note to Self: encrypted, synced private notes across your own devices
  • No ads, no data collection, nonprofit structure

One practical note: the people you're communicating with also need Signal. It falls back to unencrypted SMS for contacts who aren't on it, which Signal marks clearly. Getting your circle onto Signal is as much a part of a private setup as installing the app itself.

//02. Aurora Store

Aurora Store is an open source Google Play client that lets you download and update apps from the Play Store without a Google account. On a stock Android device this is a minor convenience. On GrapheneOS, it's a genuinely useful tool for anyone who wants Play Store access without linking their real Google identity to the device.

The way it works: Aurora generates anonymous sessions using pooled Google accounts maintained by the Aurora project. You authenticate as an anonymous user, browse the Play catalog normally, and download apps without any account of your own. For free apps, this means your downloads are not tied to your Gmail address, your purchase history, or your Google profile.

Aurora works best alongside GrapheneOS's sandboxed Google Play rather than as a replacement for it. If you want to run apps that require Google Play Services (most banking apps, for example), you'll need sandboxed Play installed. Aurora handles the download side; sandboxed Play handles the runtime compatibility.

Where to get it

Aurora Store is available through the GrapheneOS Apps app (via F-Droid). Install it from there, not from the Play Store itself, to avoid the circular dependency of needing Play to get a Play alternative.

One limitation worth noting: Aurora can't download paid apps without using your own Google account session. If you have paid apps you want to access, you'll need to log in with your actual account for those, or use sandboxed Google Play directly.

//03. Mullvad VPN

The VPN market is full of marketing that outpaces the product. Mullvad is a rare exception, and the privacy community has largely settled on it as the most trustworthy option available.

What sets Mullvad apart isn't just the technical spec (WireGuard protocol, no-logs policy, independent audits). It's how the business is structured. Mullvad doesn't ask for your email address. When you sign up, you receive a randomly generated account number. That's your entire account. You can pay with cash, Monero, or Bitcoin. There is no mechanism for Mullvad to know who you are because there's no account tied to your identity.

In 2023, Swedish police arrived at Mullvad's offices with a warrant to seize customer data. They left with nothing, because there was nothing to seize. That's not a marketing claim. It happened, it was reported, and it's the kind of operational proof that no amount of privacy policy language can replicate.

  • WireGuard and OpenVPN support
  • No account email required, ever
  • Accepts cash, Monero, Bitcoin, and card
  • DAITA (Defence Against AI-guided Traffic Analysis): obfuscates traffic patterns
  • Works with GrapheneOS's per-app VPN feature to route specific apps through the tunnel
  • Independently audited by Cure53 and others

The native Android app is available directly from Mullvad's website as an APK, which you can install without the Play Store. On GrapheneOS, you can configure it as a system-level VPN or use the app itself. Either way it integrates cleanly.

//04. Bitwarden

A strong password manager is not optional. Every account you have that uses a weak or reused password is a potential entry point into everything else. Bitwarden is the open source answer to this problem, and it's the one the GrapheneOS community consistently reaches for.

The core product is free and fully featured. Your vault is end-to-end encrypted before it ever leaves your device, meaning Bitwarden's servers store only ciphertext they can't read. The code is open source and has been through multiple independent audits, including a cryptography review by ETH Zurich's Applied Cryptography Group and a SOC 2 Type II attestation completed in 2025. These aren't self-reported claims. They're third-party findings.

For GrapheneOS users specifically, Bitwarden is available through F-Droid, which means you can install and use it without sandboxed Google Play enabled at all. The app works fine without any Google dependency.

Self-hosting option

If you want to take it further, Bitwarden is self-hostable. You can run your own Vaultwarden instance (a compatible open source server implementation) and never have your vault touch Bitwarden's infrastructure. For most people the hosted version is fine. For those with more demanding threat models, the option is there.

The free tier covers password storage, sync across devices, and autofill. The paid tier adds TOTP generation inside the vault (useful if you want your 2FA codes and passwords in one place) and some organizational features. At a few dollars a year, it's reasonable.

//05. Proton Mail

Email is structurally difficult to secure. The protocol is old, most providers have full access to your messages, and even if you encrypt your outgoing mail, what arrives from other people is often unencrypted anyway. Proton Mail is not a complete solution to this problem, but it's the most practical partial solution available for most people.

Proton Mail's core feature is zero-access encryption: your inbox is encrypted with keys that only you hold. Proton's servers store ciphertext. Even if Proton received a legal order to hand over your messages, they would have nothing readable to give. This is a meaningful structural protection, not just a policy promise.

Proton is headquartered in Switzerland, which has some of the strongest statutory privacy protections for email in the world. They've passed SOC 2 Type II and ISO 27001 audits. The apps are open source. The business model is subscriptions, not advertising.

  • Zero-access encryption on your inbox (Proton cannot read your mail)
  • End-to-end encryption for mail between Proton accounts
  • Swiss jurisdiction, audited infrastructure
  • Free tier with a Proton address; paid tiers add custom domains and storage
  • Calendar, Drive, VPN, and Pass (password manager) available under the same account if you want to consolidate

The one thing to be clear about: when you email someone on Gmail or Outlook, that mail is delivered unencrypted to their provider. Proton encrypts your end. It cannot encrypt the destination. For fully private communications, Signal is the right tool. Proton Mail is the right answer for the email workflows you can't replace with Signal.

//How They Work Together

These five apps aren't a random list. They cover the main surfaces where data leaks out of a private setup: messaging (Signal), app sourcing (Aurora), network traffic (Mullvad), credentials (Bitwarden), and email (Proton Mail). GrapheneOS closes the OS layer. These apps close the application layer.

None of them require a Google account. All of them are open source or independently audited. All of them work cleanly on GrapheneOS, with or without sandboxed Google Play. That last point matters: a lot of apps that market themselves as privacy tools still phone home to Google for push notifications, analytics, or crash reporting. These five don't.

If you're starting from a fresh GrapheneOS install and want to know where to begin, this is the list. Everything else can come after.
