Proton VPN’s kill-switch isn’t Direct-Boot aware on GrapheneOS
On GrapheneOS, the updater runs before first unlock (BFU) to grab security patches, but Proton VPN’s kill-switch isn’t Direct-Boot aware. Enabling it brings up the VPN UI BFU, yet no network ever connects, so updates fail until you unlock the device.
Repro:
• Install Proton VPN on GrapheneOS (e.g. Pixel 6 Pro 2025.05.15)
• Turn on kill-switch
• Reboot and stay at lock screen
• Watch the BFU updater time out for lack of network
Impact:
Devices miss critical patches until next unlock, extending exposure to exploits.
Fix:
• Mark the VPN service as android:directBootAware="true" in AndroidManifest.xml
• Move its config/certs into Device-Protected Storage for BFU access
23 votes
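A sketch of the two Fix bullets above, added here as an example and not taken from Proton VPN's code. The service name, prefs file, key and address values are hypothetical. Device-protected storage can be decrypted without the user's credential, so only the minimum needed to bring the tunnel up before first unlock should be moved there.

```kotlin
// Manifest side (first Fix bullet), as a comment so this stays one block:
//   <service android:name=".BfuVpnService"
//            android:directBootAware="true"
//            android:permission="android.permission.BIND_VPN_SERVICE">
//     <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
//   </service>
import android.content.Context
import android.content.Intent
import android.net.VpnService
import android.os.UserManager

private const val BFU_PREFS = "vpn_bfu_profile"   // hypothetical prefs file
private const val KEY_TUNNEL_ADDR = "tunnel_addr" // hypothetical key

/** Run after unlock: moves the profile from credential- to device-encrypted storage. */
fun migrateProfileToDeviceProtected(appContext: Context): Boolean {
    val um = appContext.getSystemService(UserManager::class.java)
    if (!um.isUserUnlocked) return false // source (CE) storage is not readable yet
    val deContext = appContext.createDeviceProtectedStorageContext()
    // True if moved, or if there was nothing to move in the source context.
    return deContext.moveSharedPreferencesFrom(appContext, BFU_PREFS)
}

/** Readable before first unlock because it only touches device-protected storage. */
fun loadBfuTunnelAddress(context: Context): String? =
    context.createDeviceProtectedStorageContext()
        .getSharedPreferences(BFU_PREFS, Context.MODE_PRIVATE)
        .getString(KEY_TUNNEL_ADDR, null)

class BfuVpnService : VpnService() { // hypothetical service name
    override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
        val addr = loadBfuTunnelAddress(this)
        if (addr == null) {
            // No BFU profile yet: stop cleanly and retry after unlock.
            stopSelf()
            return START_NOT_STICKY
        }
        val tun = Builder()
            .setSession("bfu-tunnel")   // constructed label
            .addAddress(addr, 32)       // e.g. "10.2.0.2", constructed value
            .addRoute("0.0.0.0", 0)     // route all IPv4 through the tunnel
            .establish()                // null if VPN consent was never granted
        // The app's own protocol code takes over `tun` from here (not shown).
        return if (tun != null) START_STICKY else START_NOT_STICKY
    }
}
```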