SOVEREIGN
← All guides/

Apps & compatibility

How to Install Apps on GrapheneOS: Aurora, F-Droid, and Sandboxed Play

7 min read

GrapheneOS doesn't come with Google Play as the default app installer. This is one of the most significant differences from stock Android, and it's the thing most new users have questions about.

In practice, you have more options than you did before — and better control over what each app can do. Here's how the three main installation methods work, and which one to use for different situations.

Aurora Store: Google Play Without the Account

Aurora Store is pre-installed on every SOVEREIGN device. It connects to Google's Play Store catalogue anonymously — no Google account required — and lets you search for, download, and update any free app in the Play Store.

Updates work the same way: Aurora Store checks for newer versions and installs them. You can set it to update automatically in the background.

Aurora Store cannot install paid apps or handle subscription verification — those require a signed-in Google account. For most free apps, including all major Australian apps, it works without any account at all.

From a privacy standpoint: Google knows an anonymous Aurora client downloaded a particular app, but cannot connect that download to your identity. This is significantly better than the standard Play Store experience.

F-Droid: Open-Source Apps With Verified Builds

F-Droid hosts only free and open-source software. Every app in the F-Droid repository is independently compiled from source code, not taken directly from the developer's build — which means F-Droid's team has verified there are no hidden trackers or binaries that don't match the source.

F-Droid is best for privacy-sensitive tools where you want to verify what you're running. Signal is available via F-Droid. Organic Maps is on F-Droid. Proton's apps are on F-Droid. Standard Notes, Bitwarden, KeePassDX, and most of the privacy ecosystem is represented.

F-Droid's catalogue is smaller than the Play Store, and some apps update more slowly. For general apps, Aurora Store is faster and more convenient. Use F-Droid specifically for open-source tools where build verification matters to you.

Sandboxed Google Play: Full Compatibility

For apps that specifically require Google Play Services to function — including some banking apps, Google's own apps, and any app that uses Play Integrity attestation — GrapheneOS offers Sandboxed Google Play.

This is the key difference from other de-Googled Android forks: GrapheneOS runs Google Play Services as a fully sandboxed, unprivileged app. On stock Android, Play Services has elevated system permissions and can access contacts, location, device identifiers, and other sensitive data at any time. On GrapheneOS, Play Services is just an app — it only gets the permissions you explicitly grant it, the same as any other app.

The result is that apps that check for Google Play certification (banking apps, payment apps) work correctly, because Verified Boot is active and the bootloader is locked — the device passes integrity checks. But Google's access to your data is constrained by the sandbox.

How to Enable Sandboxed Google Play

We recommend installing sandboxed Play in a secondary user profile rather than your main profile. This keeps all Google-related activity isolated: when you close the secondary profile, its encryption keys are purged and Google's services are completely shut down.

  1. Go to Settings → System → Users → Add user
  2. Switch to the new profile
  3. Open the GrapheneOS app installer (pre-installed)
  4. Install Google Play Services, Google Play Store, and Google Services Framework
  5. Open Play Store, sign in (or continue without account for most apps)
  6. Install your apps
  7. Return to your main profile when done — the secondary profile closes and all keys are purged

Direct APK Installation (Sideloading)

Any app can be installed by downloading its APK file directly from the developer's website. This bypasses all app stores entirely.

To sideload: download the APK in Vanadium, then open it from the Downloads folder. You'll be prompted to enable 'Install unknown apps' for your browser — do this, install the app, then immediately revoke the permission (Settings → Apps → Vanadium → Install unknown apps → Not allowed).

Only sideload apps from verified developers. An APK from an unofficial source may contain malware. If the app is available on Aurora Store or F-Droid, prefer those — they have at minimum a consistent distribution chain.

Which Method for Which Apps

  • Social media, streaming, general apps → Aurora Store
  • Signal, Proton apps, Organic Maps, security tools → F-Droid (or Aurora if you prefer)
  • Banking apps, Google Pay, Google Maps → Sandboxed Google Play (secondary profile)
  • Enterprise apps from your employer → direct APK from your IT team, or sandboxed Play
  • Developer tools, apps from GitHub releases → sideload from developer's release page

Frequently asked questions

Can I use the real Google Play Store?
Yes — install it via Sandboxed Google Play in a secondary profile. You'll have the full Play Store experience, including paid apps and subscriptions, within the sandboxed environment.
Do Aurora Store apps update automatically?
Aurora Store can auto-update apps. Enable this in Aurora Store → Settings → Updates → Enable auto-updates.
Is it safe to sideload apps?
It depends entirely on the source. Sideloading an APK from a developer's official GitHub release page is safe. Sideloading from a random website is not. If the app is on Aurora Store or F-Droid, use those instead.
Can I install apps from the Amazon App Store?
Yes. The Amazon Appstore APK can be sideloaded from Amazon's website, and it works on GrapheneOS. This gives you access to Amazon's catalogue, including Prime Video for offline downloads.

Still have questions?

We answer personally — no ticket queue.

Contact us →