GrapheneOS App Compatibility: What Works and What Doesn't

The most common objection to GrapheneOS is the app question: "I can't use it because I need my banking app" or "WhatsApp won't work without Google." These concerns are understandable but, in most cases, incorrect. GrapheneOS has developed a sophisticated solution to the app compatibility problem, and understanding how it works is essential before deciding whether GrapheneOS is viable for your situation.

Why the problem exists

Standard Android ships with Google Play Services — a privileged system component that sits between apps and the operating system. Google Play Services handles push notifications, maps APIs, authentication, in-app payments, and a large number of other functions that apps use rather than implementing themselves. It also collects extensive telemetry and serves as Google's primary data collection mechanism on Android devices.

GrapheneOS removes Google Play Services entirely. This is the source of the compatibility question. Apps that call Google Play Services APIs will either crash, display error messages, or fail to function correctly if those APIs are not present. This was a genuine barrier in earlier versions of GrapheneOS. It largely isn't any more.

Sandboxed Google Play: the solution

GrapheneOS's sandboxed Google Play is the key development. Rather than reinstating Google Play Services as a privileged system component (which would undermine the security model), GrapheneOS allows Play Services to be installed as a regular app — unprivileged, sandboxed, isolated from the system, and subject to the same permission controls as any other app.

From the perspective of apps that depend on Play Services, the APIs are present and functional. From the perspective of the operating system, Play Services is just another app with no special access. It cannot access data from other apps, cannot modify system settings, and cannot perform the privileged operations it can on standard Android. The surveillance and data collection functions of Play Services still operate within that sandbox, but they are isolated — they cannot see your other apps, cannot access hardware they haven't been explicitly granted permission for, and cannot modify system behaviour.

This is a genuinely novel approach. No other privacy-focused Android distribution has implemented it. It allows GrapheneOS to offer strong privacy and security guarantees while remaining compatible with the app ecosystem that most people's lives depend on.

What works with sandboxed Play

The vast majority of apps work normally with sandboxed Play installed:

• Messaging apps: WhatsApp, Signal, Telegram, and similar apps work fully. Push notifications function correctly because they route through Play Services as intended.
• Navigation: Google Maps works. Alternative navigation apps (OsmAnd, Organic Maps) work without any Play Services at all.
• Productivity: Microsoft Office, Google Docs, Notion, and standard productivity applications function normally.
• Banking apps: The majority of European banking apps work correctly with sandboxed Play. The percentage of compatible banking apps has increased substantially with each GrapheneOS release.
• Streaming: Netflix, Spotify, YouTube, and most major streaming services function with sandboxed Play.

Play Integrity: the remaining compatibility question

Some apps use Google's Play Integrity API (formerly SafetyNet) to verify that they are running on an unmodified Android device with certified Google services. This was historically the largest compatibility barrier on GrapheneOS. GrapheneOS's sandboxed Play implementation now passes Play Integrity checks in standard integrity mode, which is sufficient for the vast majority of apps that use it.

A small number of apps use stronger "STRONG_INTEGRITY" checks that require hardware attestation keys issued by Google specifically for the device. These checks can fail on GrapheneOS. The apps most likely to use strong integrity are some banking apps in certain markets, certain mobile gaming platforms with anti-cheat systems, and enterprise MDM deployments with strict device certification requirements. The list of apps with issues has shrunk considerably over GrapheneOS's recent development, but it is not zero.

What doesn't work or is limited

• Google Pay / NFC payments: Google Pay requires Google Play Services with privileged system access for its NFC payment functionality. This does not work on GrapheneOS. Alternative payment methods (contactless bank cards, other NFC-enabled payment apps) are unaffected.
• Apps requiring device administrator rights: Some enterprise MDM profiles require device admin rights that GrapheneOS's security model restricts. In corporate environments with specific MDM requirements, compatibility needs to be verified.
• Some regional banking apps: A minority of banking apps, particularly in some markets, use strong integrity checks that fail. This varies by country and bank — checking the GrapheneOS app compatibility documentation for your specific bank before switching is advisable.

F-Droid and Obtainium: the Play-free path

Many users find that they don't need Play Services at all once they evaluate which apps they actually use. F-Droid is an alternative app repository exclusively for Free and Open Source Software. It contains thousands of apps — browsers, email clients, messaging apps, productivity tools, media players — that install and run without any Google infrastructure. Obtainium fetches apps directly from their GitHub releases, bypassing app stores entirely.

Running without sandboxed Play in the main profile and using only F-Droid and Obtainium apps in that profile is the highest-security configuration. For apps that require Play, a secondary isolated profile with sandboxed Play installed provides access while keeping the main profile completely Google-free.

How Norypt configures it

All Norypt GrapheneOS phones arrive configured with sandboxed Play pre-installed in a separate user profile. The main profile has no Play Services at all. This means your primary day-to-day usage has no Google infrastructure present, while apps that require Play are accessible in the secondary profile when needed. This is the configuration GrapheneOS developers recommend for the best balance of security and compatibility.