How to install Google Play Services, Google Play Store, and proprietary apps on a secondary user in GrapheneOS

published Dec 31, 2021, last modified Dec 30, 2022

Run many proprietary Android applications in a strong sandbox on your phone. Control when they run — giving you maximum privacy while making minimal sacrifices.

This guide will help you install proprietary apps on your GrapheneOS phone, in a separate containment area so that they may not affect your main phone compartment, and you can shut them down at will.  We've based this guide on the official GrapheneOS guide, and added more details.

In GrapheneOS, the Google apps — known as Play Services / Services Framework / Play Store — are regular apps under your control; they do not have the OS administration superpowers they have on devices that ship with official Google Android.  Nevertheless, they still "phone home", so they can leak data.  This guide will help you minimize that issue too.

The steps in this guide were written with Android 12 in mind.

Eliminate any Google Services Framework clone first

No.

First, ensure that your primary user does not have the following applications installed:

  • Gcam Services Provider.
  • Any application from the microG suite.
  • Any application with the unique (package) name com.google.android.gsf.

These applications are GSF (Google Services Framework) emulators.  They are often found on GrapheneOS phones, simply because the Google Camera and other GSF-using applications require them — and these applications are popular, even among privacy-conscious GrapheneOS users.

You may have other apps that need to be uninstalled

Unfortunately, if you have these applications installed, you will have to uninstall them.  To make things worse, if you installed applications that use these GSF emulators, you will have to uninstall them for now (we will show you how to reinstall them later).  If you don't uninstall them at this point — and this is typical of applications like Google's Camera app — they will simply hang upon next start.

Install Google Services Framework on your primary user

Services Framework gets no permissions on your primary user.

Yes, sadly, you're going to have to bite this bullet and install the official Google Services Framework (com.google.android.gsf).  Don't worry — you'll mitigate any potential privacy impact immediately after install.

  1. First, install the GSF Android package (APK).  Install it via the Apps app that ships with GrapheneOS.
  2. Then go to the Apps section of the Settings application on your phone, and revoke any permissions you find suspicious from the newly-installed Google Services Framework application.
    1. Do note that, by revoking permissions from the GSF app, some functionality may break.

With this, you have installed Google Services Framework on your primary user.

Reinstall applications you uninstalled before

At this point, you would reinstall the Google Camera or any other applications you had to delete when you deleted the GSF emulators.

Create your secondary user

Creating the second user

Go to your phone Settings System panel, and tap on Multiple users.  Turn on Use multiple users, and create a user (your choice of name and profile photo).  Let the setting Disallow installing apps remain off for now.

Switch to the user.  You'll see the setup screen then.  Do whatever setup steps you consider necessary at this point.

Install Google Services Framework on your secondary user

While logged on as your secondary user profile, obtain the Google Services Framework APK again, then install the package on this user.  Use the Apps app built into GrapheneOS to perform this install.

Because this is the exact same package you installed on your primary user, the install should go fast and give you no trouble.

Install Google Play Services on your secondary user

The Play Services app, installed and with minimal needed permissions.

Much like in the previous step, install the Play Services app.  The recommended way is to use the Apps app.

Once the Google Play Services (com.google.android.gms) application is installed, go to the Apps panel of your Settings, find Google Play Services, then grant it permissions it will likely need:

  • At a minimum, the location permission will be necessary for many apps dependent on Google Play Services — applications like Uber or Lyft, that will not work if Google Play Services doesn't have the right permissions.
  • Very important: in the Battery submenu, disable battery optimizations (select Unrestricted) for this app.  Otherwise notifications from apps (which use Play Services to route notifications to your phone) will not work.

You are one step away from being able to use the Google Play Store, if that's what you wish.  Either way, don't skip the next step — you have to initialize the Play Store, even if you don't use it, or nothing will work.

Install and initialize the Google Play Store on your secondary user

Use the Apps app built into GrapheneOS to perform this install.

Launch the Play Store, and let it walk you through the login steps.

You don't have to log in — the important thing is for the app to show you the login screen, and then you can exit the Play Store.  Of course, if your aim is to install applications using your Google Play Store account, by all means, log in.  If you experience issues here, you probably forgot to add permissions to the Play Services application — so fix that.

The Play Store, installed and with the minimally needed permissions.

Congratulations!  Your Play Services are initialized and working.

Install and test any apps dependent on Play Services

At this point, you can install the apps you wanted to test, and verify they work — or try different permissions on the app / on Play Services / on Services Framework, until they do work for you.

Of course, you can use the Play Store to install apps, or use another app like Aurora to perform the installation.
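To confirm from a computer which Google packages each user ended up with, the following added example (not part of the original guide) compares a user's package list with the layout the steps above produce.  It assumes adb access to the phone, that the Play Store's package name is com.android.vending, and that the primary user holds only Services Framework; the sample lists are constructed.

```shell
#!/bin/sh
# Added example: compare each user's package list with the layout this guide
# builds. Input is the text printed by `adb shell pm list packages --user <id>`
# (one "package:<name>" per line); user ids come from `adb shell pm list users`.

GSF=com.google.android.gsf     # Google Services Framework (named in the guide)
GMS=com.google.android.gms     # Google Play Services (named in the guide)
STORE=com.android.vending      # Google Play Store package name

# has_pkg LIST NAME: succeeds only on an exact match, so a longer name that
# merely starts with NAME does not count.
has_pkg() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qxF "package:$2"
}

# audit ROLE LIST: prints one line per deviation, nothing when the layout fits.
# Assumed layout: primary has GSF only; secondary has GSF, Play Services, Store.
audit() {
    for pkg in "$GSF" "$GMS" "$STORE"; do
        if [ "$1" = primary ] && [ "$pkg" != "$GSF" ]; then
            if has_pkg "$2" "$pkg"; then echo "primary: unexpected $pkg"; fi
        elif ! has_pkg "$2" "$pkg"; then
            echo "$1: missing $pkg"
        fi
    done
}

# Constructed sample lists (not captured from a real device).
SAMPLE_PRIMARY='package:com.google.android.gsf
package:com.example.notes'
SAMPLE_SECONDARY='package:com.google.android.gsf
package:com.google.android.gms
package:com.android.vending'
# Constructed bad case: Play Services present on the primary user, and only a
# longer-named package where GSF itself should be.
SAMPLE_BAD='package:com.google.android.gsf.login
package:com.google.android.gms'

audit primary "$SAMPLE_PRIMARY"
audit secondary "$SAMPLE_SECONDARY"
audit primary "$SAMPLE_BAD"

# On a real device (assumes adb access and that the secondary user id is 10):
#   audit primary   "$(adb shell pm list packages --user 0)"
#   audit secondary "$(adb shell pm list packages --user 10)"
```

An empty result means the user matches the assumed layout; each printed line names one package that is missing or unexpectedly present.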

Clean up

OK.  Your secondary profile is ready to go.  Here are the cleanup steps you must perform, just so you don't forget:

  • In both your secondary and primary phone users, revisit the Apps panel of your Settings, and go under Special App Access -> Install unknown apps.  Revoke the permission to install unknown applications from all the apps that you used to install the APKs above.
    • Protip: switch users by swiping down from the notifications area until the tiles section is fully displayed, then tapping on the user icon to switch from the current user to the other user.
  • If any downloaded APKs exist, delete them, archiving them first if that's your desire.
  • If you won't be installing any more applications in your secondary user, you can revoke its permission to install apps, acting as your primary (administrator / owner) user, for added peace of mind.
    • While logged in as your primary user, go to Settings, open the System panel, and tap on Multiple users.  Now select the secondary user, and toggle the slider Disallow installing apps to the on position.
  • To close all apps from the secondary user, lock your screen while logged in as the secondary user.  Then push the power button, and you'll see a button at the bottom of the screen titled End session.  Tap it — this closes down every secondary user app, and returns you to the primary user.
  • To prevent someone who seizes your phone from attempting to launch the secondary user (by swiping down from your notification area), you can also turn off the setting Use multiple users altogether; you can then turn it on later.

Remember to always close down the secondary user session when you are done with it.

  1. Lock phone.
  2. Push power button.
  3. Hit End session button onscreen.

Notes

  1. The fused location provider — the software gizmo in Google Android phones that augments GPS indoors and increases location discovery accuracy and speed — may not work correctly in GrapheneOS.  Location providers in GrapheneOS are limited to whatever the OS has authorized, and GrapheneOS by design does not allow unauthorized applications to act as fused location providers.  There are plans to fix this, but don't expect location discovery to work as fast — especially indoors — in GrapheneOS as it does in Google Android, just because you installed Play Services.

Packages

Mirror of Android APKs to make this guide work.