
How to Use a Secure Phone Properly

A hardened device is only as secure as the person using it. Hardware and software provide the foundation, but your daily habits determine whether that foundation holds. This guide covers the practices that matter.

Use separate profiles

GrapheneOS supports multiple user profiles, each with its own isolated app data, storage, and permissions. Use them deliberately.

  • Owner profile: Keep this minimal. System settings, VPN, and core utilities only.
  • Work profile: Business apps, email, documents. Sandboxed Google Play if needed for compatibility.
  • Personal profile: Messaging, browsing, media. Separate from work data entirely.
  • Sensitive profile: For high-risk communications. No unnecessary apps. No accounts linked to your real identity.

When a profile is not active, meaning its session has been ended rather than left running in the background, its data is encrypted and inaccessible. This is real compartmentalisation, not just separate app folders.

Practice app discipline

Every app you install is a potential data channel. Be selective.

  • Install only what you actively use. Remove everything else.
  • Prefer open-source apps from F-Droid where possible.
  • Review permissions after installation. Deny location, contacts, and microphone access unless genuinely required.
  • Avoid apps that require a Google account to function. If you must use one, run it in the sandboxed Play compatibility layer.
  • Do not install social media apps on your secure profile. Use the browser instead.
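
One way to carry out the permission review across profiles, as an added example that is not part of the original guide: each profile is a separate Android user, so a per-user listing shows which apps hold location, contacts, or microphone access in each one. The sample input is constructed and simplified from the layout of `adb shell dumpsys package` output; the package names are hypothetical, and real output carries many more fields.

```python
import re

# Permissions the guide says to deny unless genuinely required.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample, simplified from the layout of `adb shell dumpsys package`.
SAMPLE = """\
Package [org.example.maps] (1a2b3c):
  User 0: installed=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
  User 10: installed=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [org.example.chat] (4d5e6f):
  User 10: installed=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET ]
"""

PKG = re.compile(r"^\s*Package \[([^\]]+)\]")
USER = re.compile(r"^\s*User (\d+):")
PERM = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def audit(dump):
    """Return {user_id: {package: sorted sensitive groups currently granted}}."""
    found = {}
    pkg = user = None
    for line in dump.splitlines():
        if m := PKG.match(line):
            pkg, user = m.group(1), None  # new package: reset the user context
        elif m := USER.match(line):
            user = int(m.group(1))
        elif (m := PERM.match(line)) and pkg and user is not None:
            group = SENSITIVE.get(m.group(1))
            if group and m.group(2) == "true":
                found.setdefault(user, {}).setdefault(pkg, set()).add(group)
    return {u: {p: sorted(g) for p, g in pkgs.items()} for u, pkgs in found.items()}

if __name__ == "__main__":
    print(audit(SAMPLE))
```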

Manage network behaviour

Your network connections reveal as much as your app activity.

  • Use a VPN at all times. Mullvad is configured on every device we ship. Keep it on.
  • Avoid connecting to public Wi-Fi without the VPN active. Open networks expose your traffic to anyone nearby.
  • Use private DNS. GrapheneOS supports DNS-over-TLS natively. Configure it to prevent DNS leaks.
  • Disable Wi-Fi and Bluetooth when not in use. Both can be used for location tracking via nearby access points and beacons.
  • Be aware of your eSIM and SIM activity. Your carrier always knows your approximate location when cellular is active.

Keep your device updated

GrapheneOS receives security patches directly, often ahead of stock Android. Install updates as soon as they are available. Do not delay. Security vulnerabilities are actively exploited, and patches close those windows.

Enable auto-reboot (configured on devices we ship). This forces the device to restart after a period of inactivity, returning it to the encrypted "Before First Unlock" state. If someone gains physical access after a reboot, they face full-disk encryption rather than a live, unlocked filesystem.

Think before you act

The most common security failures are behavioural, not technical. Do not click links from unknown sources. Do not enter credentials on unfamiliar pages. Do not share your device PIN. Do not leave your device unlocked and unattended. Do not assume that because the device is secure, you are immune to social engineering.

The device does the hard work. Your job is to not undo it.
