When it comes to custom ROMs and privacy on a mobile phone it was always GrapheneOS for me.

Even though it only works on Pixel Phones, it was just something I always felt comfortable leaving the house with, knowing I was not being traced, or spied on or risking having my data taken and sold to the highest bidder. Even Edward Snowden once tweeted that GrapheneOS would be his pick.

Edward Snowden (@Snowden)
If I were configuring a smartphone today, I’d use @DanielMicay’s @GrapheneOS as the base operating system. I’d desolder the microphones and keep the radios (cellular, wifi, and bluetooth) turned off when I didn’t need them. I would route traffic through the @torproject network.

With the latest release of iOS 14 I need to say I like the way Apple now indicates when a microphone or camera is in use or when an app uses the clipboard data, how you can now show your location as approximate rather than exact, and how you can choose just once, never or forever for each app.

The problem with iOS, of course, is that it is part of the closed Apple garden: Apple gives you no access to the source code and you can only use apps approved by Apple and available through the App Store. However, most people do not tweak their phones much or don't have the time, knowledge or patience to do so; therefore an 'out of the box' iOS 14 is, at the moment, better than an Android (BUT on a privacy/freedom level Android still outperforms iOS).

GrapheneOS, as great as it is, might not be everybody's cup of tea. Simply put... it lacks PlayServices. And sure, whilst that's pleasing for some of us (like myself), even for apps like Protonmail (which is supposed to be super private) you still require Google to receive push notifications. There is always Lineage, which did a great job combined with MicroG to get around these limitations, and the beauty of it is that it works on so many more phones than GrapheneOS; it's just not as secure and private as GrapheneOS.

Thankfully, we have a new kid on the block and it's been getting a lot of attention in the privacy world lately - meet CalyxOS.

CalyxOS is great for privacy-oriented people, but also works for the soccer mom who just wants to use her phone and at the same time values some privacy. CalyxOS has a setup which comes with or without MicroG pre-installed; in other words it can use Google PlayServices and push notifications, but is open source and doesn't connect to Google's privacy invasive servers, just to the necessary ones!

Let's just step back in history a bit. The Calyx Institute is a Non-Profit-Organization from NY. It was founded in 2010 by Nicholas Merrill, who owned an ISP (Internet Service Provider) named Calyx. At the time he operated the ISP, the FBI approached him with an NSL (National Security Letter) asking for the data of a user. The letter also indicated that Merrill wasn't allowed to talk to anyone about the letter. He, however, decided to fight to protect his and his customers' rights, going to court and winning the case after eleven years of legal action.


After that short history lesson on who is behind Calyx, let's jump into the actual OS.

Just like GrapheneOS you can only install CalyxOS on Google Pixel Phones and on a cheaper Xiaomi Mi A2 device. CalyxOS launched V1 of its OS in early September 2020. It is based on the AOSP (Android Open Source Project) but with some privacy and security tweaks. CalyxOS is based on Android 10, but we might see an Android 11 update soon. Installation is via script, but should be easy enough for most geeks out there to install ;)


The installation of CalyxOS will replace the Google key with a CalyxOS key and therefore allow you to lock the bootloader again. This is recommended, but if you'd like to use AFWall+ to lock down your apps you can keep it unlocked. I personally recommend a locked bootloader for security reasons.

During the process and the first boot, CalyxOS will let you pick whether you'd like the MicroG version or don't want to use MicroG. To explain this again, MicroG is an open-source replacement for the Google Framework which allows push notifications and play services. If you don't need push or services we recommend not installing MicroG and you'll end up with pretty much the same setup as GrapheneOS.

However, if you need a phone that can basically do all the things a standard Pixel Phone can do and also use the fantastic Camera Software the Pixel line has, you should install MicroG. You'll not just get MicroG but also F-Droid, which is and should be your main go-to store for all apps. You can install the Aurora Store, which allows you to use the Google PlayStore (anonymously) on your phone.

CalyxOS allows backing up data via Seedvault as a replacement for Google cloud backup. You get 12 words as a seed, similar to a Bitcoin seed, which is used to encrypt your backup, so write that down! This has also been integrated in GrapheneOS for all users who use it and want to back up their data using Seedvault.

CalyxOS looks pretty much like the normal Android 10 experience that you would get from a Pixel Phone, minus the Google apps and privacy invasion system Google ships with it. The system is fully encrypted and uses the chip Google ships with the Pixel Phones, so everything happens on your phone! Google won't have this encryption/decryption key.

Talking of security, CalyxOS updates are pushed once a month, so they are solid, like Samsung or most other vendors pushing updates once a month, but not as fast as GrapheneOS. Please keep that in mind. I still think it's a solid and fast update and should not concern most people.

Now one thing that is pretty cool on iOS, as mentioned earlier, is the indicator for when a microphone or camera is in use. Well, CalyxOS has integrated this function too and it's something I really like to see! Actually I don't like to see it, but it puts me at ease to know which apps are using my mic and camera and which aren't. It is also great when you go to call someone and the OS offers you the call via Signal (if you and the other party have it installed!). If you make a normal call the phone shows you with a yellow indicator that you may be on an insecure connection.

There is also an indicator that shows you what apps have had access to the microphone, telephone, contacts and camera during the day. CalyxOS also has a panic button that lets you hide or delete apps you specify in the setup. Pretty cool feature when you're travelling over borders and just don't want a border patrol officer reading your Signal messages.

Privacy is still a thing ;) and the app is integrated into the system, but is actually called Ripple, and is developed by the Guardian Project.

CalyxOS can be used as a daily driver even for people who are in need of apps that depend on Google Services. It helps just knowing that you are still using a privacy orientated and not an utterly googlely phone. My personal take is that it is second to GrapheneOS when it comes to privacy and security, yet a great companion for people who use apps for business that rely on Google Services, for push or other features or reasons.

I strongly recommend, as always, using a secure DNS (Settings -> Private DNS) to force all DNS traffic to be encrypted. NextDNS, for example, also allows you to filter traffic, which is an easy to handle yet powerful tool to have.

Privacy Cookbook - Chapter 2.1.1 - DNS - NextDNS (revised)

Till next time, stay safe and stay secure!

The Privacy Advocate