First of all, Google is lying. It does meet security standards and it is not rooted. I get that I have no right to run someone else's software in an environment they don't like, but this is just misinformation. 3rd party OSes are often more secure that a stock OS which has been left to rot by an unresponsive manufacturer.

Anyway, here's how you can use contactless payments on Graphene.

Prerequisites

I'm going to tell you what I did. If you found another way, leave a comment or write your own blog post.

I'm using the latest version of Graphene (2025062000) with Play Services installed. The app is running in my main profile. None of the advanced app protection has been toggled for the app. NFC is on.

You will have to agree to Curve's privacy policy. And the privacy policy of your credit card. Look, if you're using Graphene, you're probably overly privacy sensitive. If you're concerned about The Man™ knowing that you used your card to buy a breakfast beer and then sharing that with 958 trusted partners, just use cash instead.

Install Curve

Here's a referral link to install Curve - join and you get £10. Or, you can install directly from the Play Store.

You'll need to create an account and pass KYC / AML checks. Curve are regulated by the FCA so you should feel safe giving your details to them.

Add a card

Curve is a virtual card provider. So add your existing Visa or MasterCard to the app (no Amex). When you spend on Curve, you're actually spending on the underlying card you've added. Curve promise cheaper foreign exchange fees and a few other perks. But what we're really interested in is NFC payments.

Set up Curve Pay

On your app's dashboard, you should see a banner saying "Curve Pay is good to go!". If not, head into your account and set it up there.

If it has all set up, you should see a welcome tutorial explaining how contactless works.

Set your default wallet

On your phone, go to Settings → Connected devices → Connection Preferences → NFC → Contactless Payments.

Or, search your settings for Pay.

Select your default wallet app - in this case, Curve.

Pay for something

You need to make sure NFC is turned on before you can use NFC payments. I know that sounds obvious, but I forgot to do it the first time and got very confused.

Go to a local shop, pick up something, hand it to the merchant, wave your phone over the payment terminal like you are a technowizard from the future.

Enjoy eating whatever you paid for!

That's it!

Once you're done, you can turn of NFC if you're paranoid.

Apparently, Curve also works with Garmin Smart Watches - but I don't have one to test out.

If you've found this blog post useful, I'd be grateful if you signed up with my referral link for Curve.

Nowadays, thieves are not only snatching phones, but forcing their owners to transfer money to the thieves. This is not an isolated incident¹.

How can you protect yourself from such a situation²?

Broadly speaking, there are four ways to protect your sensitive apps. Relying on the regular lockscreen, hiding the apps, using a Private Space, or placing the apps in different profile. Let's look at the advantages and disadvantages of each approach.

Regular Lockscreen

Android's lockscreen controls are pretty good - if you turn them on.

Perhaps you have a super-long and complicated password. Maybe a 10 digit PIN that only you know. Biometrics like facial recognition and fingerprints are reasonably strong and fairly convenient.

But that relies on your phone being locked when it is snatched. If you're using your phone when it is taken from you, the lockscreen might detect it and lock automatically, but you need a modern device and to have specifically enabled the setting.

If a thief has shoulder-surfed your 4 digit PIN, that will be enough to let them enter your phone.

But here we are concerned with someone threatening you. Basically, if someone has a knife pointed at you, you're probably going to unlock the phone for them³. So, let's assume we want to protect our banking apps from someone who has access to your unlocked device.

Launcher Hiding

Some Android phones let you hide apps. When an attacker is scrolling through the list of installed apps, they won't be able to see any apps which are hidden.

This, I think, is a reasonable way to hide your banking apps. You can show the thug that there aren't any installed. That may or may not be enough to mollify them. They might still nick your device, but you won't be forced to transfer your savings elsewhere.

This, of course, presents a problem for the regular user. How do you launch your apps if you can't find them? Most launchers will let you type in the name of the app to find it - the app is merely hidden from the default list.

So an attacker would have to try typing "HSBC" or "Barclays" or "Chase" or a dozen different names until they find your app. Will they be angry if you've lied to them? Is that a risk you want to take?

Some launchers will let you change the name and icon of your sensitive apps. You can rename "Midland Bank" to "Calculator" and change its icon. Not every launcher supports this sort of hiding though. It also places a cognitive load on you that you need to remember what you've hidden your apps as. Will you remember than Bank 1 is calendar and Bank 2 is Bumble?

Private Space

Android 15 has introduced the concept of a Private Space. It is like a digital lock-box for your apps. If someone has your unlocked phone, they need to pass through authentication in order to use apps which are locked.

There are two main drawbacks with this approach.

Firstly, locked apps don't run in the background. That means you won't get alerts from them. If you rely on push notifications to tell you if someone is using your card fraudulently, this could be a problem.

Secondly, the Private Space shows up at the bottom of your app list like this:

So an attacker can easily see it and demand that you open it up. You can set the Private Space to be hidden. But then you're in the same position as above - typing in "private space" will show it in your launcher.

Work Profile

Android has the concept of "Work Profiles". They're designed to segregate your work apps and your personal apps. Your work admin can wipe your work profile without touching your personal stuff, and you can't copy confidential emails to your personal area. Nifty!

If you don't have work apps on your phone, you can use an app like Shelter to make your own Work Profile.

You can stick your banking apps in the Work Profile and have them locked away from prying eyes.

The Work Profile button is more subtle than the Private Space.

But it still has the disadvantage that, once locked, the apps are suspended and won't receive any alerts.

Secondary Profile

Finally, modern versions of Android support multiple profiles. They're generally designed so that multiple people can use your device - but there's nothing stopping you from putting your banking apps in there.

The immediate advantages of multi-user profiles are:

• The profile can be protected by a separate password.
• The profile switcher is generally more subtle than the Work Profile switcher or Private Space toggle.
• Apps can run in the background while in a separate profile.

The disadvantage is that, because it is a completely separate profile, you'll need to sign in again using your Google account in order to install apps from the Play store. If you use a password manager and MFA app, you may need to install them in both your main and secondary profile.

Because the apps can run in the background, there may be some (minor) impact on battery life - you're effectively running Google's Notifications Service twice.

If you are being held at knifepoint and a notification from your bank comes through - you may find it socially awkward to explain.

Which is right for me?

It is complicated. I think I can distil it down to the following:

• If you need alerts from your banking apps - put them in a secondary profile.
• There are some reports of banking apps not working in secondary profiles - if yours don't work in a profile then hiding apps is your best defence.
• If you're not using Work Mode and don't need alerts - put them in Work Mode.
• If you're using Work Mode and don't need alerts - put them in a Private Space and set the space to be hidden.

Remember, you can't fling technical solutions at social problems and expect them to solve everything. In general, crime in England and Wales is at its lowest level but certain crimes, like phone theft, are on the rise. Despite all the technology thrown at the problem, people are still walking around holding machines worth hundreds of pounds. Each of those machines is a gateway to potentially thousands of pounds. Phones and banking apps are incredibly lucrative targets.

The aim of this exercise isn't to solve the problem of crime. It isn't even to make you a less attractive target. It is to allow you to hand over your phone safe in the knowledge that your banking apps are somewhat protected from miscreants while still being useful to you.

If you have any tips on how to keep banking apps hidden, please leave a comment.

Before starting, I booted the Google OS to install the latest firmware and an eSIM. After a few days of enduring Google's naggy software, I was ready to commit to installing something better.

I tried using the Web Installer. It managed to flash some of the partitions and then failed with:

Failed to execute 'claimInterface' on 'USBDevice'

So I used the CLI instructions which were comprehensive. Worth re-reading them a few times to make sure you understand what needs doing. I (foolishly) assumed my fastboot didn't need updating. Tsk!

And then... it just worked!

Well, almost. The device saw the previously installed eSIM, but wouldn't connect to its network. I manually removed it, reloaded it. Still nothing. So I manually chose the network and that seemed to fix it. No idea if that's a problem with the network, the eSIM, or something else.

Bugs

As soon as I booted, my network provider sent me a text. I opened up the default messaging app and saw this error:

This is a known problem but it makes for a crappy user-experience. There's no way to update the app in Graphene - you need to manually install your preferred SMS app.

In similar UX fails, I tried to add the clock widget to my home screen. This is what I saw.

If you peer carefully, you'll see an analogue and digital clock. I hadn't switched to dark mode or anything like that - this is the default experience.

I wanted to see how long I could go before installing Google Play Services. The answer was... five minutes. I tried to log in to my password manager using a WebAuthN token and it wouldn't work. The default Vanadium browser can't handle them. Again, this is a known problem - but it does slightly undermine the attraction of Graphene. I'm privacy conscious and want as little Google in my life as possible. I'm security conscious and want to use MFA everywhere. Pick one.

Partway through the day, I got this internal error:

I was happily browsing the web with no connectivity issues. So I'm not sure what caused that.

It's annoying that Graphene doesn't support LineageOS's bottom-button changes. I have a decade of muscle-memory saying back is on the right. There's no way to change it, so I've swapped to gesture navigation.

The icon size on the stock launcher are far too small. On a massive screen like the 8 Pro they are tiny. So I've installed NeoLauncher which is a lot more customisable.

The only other (non-essential) thing missing is the ability to use Cast to screen share a device. There's a button in the UI, but it does nothing.

Setting up a work-profile required a little bit of a work-around, but seems to have worked. Hurrah for forum threads detailing the various tricks you need.

A software update allowed DisplayPort via USB-C. I plugged the 8 Pro into my USB-C hub, it detected the ethernet, keyboard, mouse, and display - graphics came through fine. Although there's no way to rotate an external screen - so you're stuck with landscape orientation. My HDMI adapters showed as detected via a little icon - but no video came out.

The Graphene camera's interface isn't as good as GCam and it is missing a bunch of options. Installing the stock Pixel camera worked - and there are lots of hacky derivatives.

Other than that, it has been pretty good so far. My banking apps work, call recording works, 5G and Bluetooth works, eSIM and regular SIM works. There have been a few odd things where apps have complained that they can't work and then suddenly sprang to life - but that might just be Android.

The only big thing Graphene is missing is Google Pay / Wallet. It is so convenient using tap to pay - but getting rid of the rest of the incessant Google bloat is worth the sacrifice.

Overall, I'm happy with the decision to nuke the original Google software. I know they say they'll support the device for 7 years - but I literally have no reason to trust them. Maybe I'm being naïve trusting a group of random hackers to produce a more secure OS - but I'd rather that than further entanglement with an organisation which has repeatedly shown contempt for its customers and users.