More than a few people around me are waking up and realising that the simple cellphone is the weakest link when it comes to privacy.
I've reported about GrapheneOS in the past and use it as my personal daily drive.
Lately, reading privacy blogs and following other privacy oriented individuals on Mastodon and the like, CalyxOS has been creating a buzz, so I also covered that in a previous Privacy Cookbook entry.
The question I've been getting most lately has been "can CalyxOS or GrapheneOS be the daily drive for everyone or just for privacy freaks, and if so, which would be the better option?"
Well, to be fair, both are Android operating systems, so if you like that then you are half way there. The big question you need to answer is are you ok with a Pixel phone (the irony is stunning… get a Google phone, so you can ungoogle your life)?
Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a and Xiaomi Mi A2
Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL and Pixel 4a
Google Play Services and Play Store (with privacy in mind)
The next question is "do you need Google Play Services and the Google Play Store?" If so CalyxOS is the more obvious pick as microG can be selected during the installation plus you can also select Aurora Store which will give you the opportunity to download from the Google Play Store, totally anonymously. It won't allow you to download paid apps in anonymity but you can use your Google account to download via the Aurora Store, I do recommend signing back out after downloading your apps.
CalyxOS also offers other applications like Signal or F-Droid etc. to be pre-installed during the setup which makes it easier for people who are just switching from a regular Android phone to a privacy-focused phone.
GrapheneOS, on the other hand, does not offer a microG option and so Google Play Services won't work. Whilst that is a plus on the privacy side, it is a big minus if you need those services. Keep in mind, of course, that you can install the Aurora Store and download all apps just as you would with the Play Store, the difference is that you might get warnings about Play Services not being installed and some of the apps not working.
I have, however, not seen this on any of the apps I am using except ProtonMail which doesn't send notifications as it relies on the Google Cloud Service for push and Nextcloud Talk which faces the same issue. I know ProtonMail and Nextcloud Talk are both privacy-focused apps, but they do not bother to have an interval email/messaging checking option or run in the background like Signal or Telegram when you do not have Google Cloud…sad but true!
So, when it comes to Google Services related apps, if you really need them, then CalyxOS could be your daily drive. You won't miss much or even realise that you don't have Google Android…apart from not getting customised ads or being tracked as much.
Let me say this again, download F-Droid and use the open-source apps it offers over Google (Aurora) and its tracker ladened apps.
Hardening and Security
Both CalyxOS and GrapheneOS only work on devices with a verified boot. This means the boot-loader is locked and can’t be manipulated, for example, as with an Evil-Maid attack
GrapheneOS will only boot when you have a verified boot and therefore no manipulation in the code, via ADB etc.
CalyxOS and GrapheneOS picked the Pixel models because fingerprints and Face unlock both and get verified on the device via the Titan-M-Chip. This chip also verifies that the boot-loader is not manipulated, it checks for Brute-Force attacks and another great option is via Android-API private keys and passwords that can be encrypted directly on the Titan-M Chip.
GrapheneOS goes the extra mile and hardens the Kernel and also has its own malloc development.
Unlike CalyxOS, GrapheneOS also comes with a hardened browser called Vanadium. It is Chromium-based but is heavily hardened and has everything Google removed from the browser itself. Similar to Bromite, yet one level up, and optimised for the Graphene operating system it also includes the WebView component.
GrapheneOS comes with its own PDF-viewer and an onboard encrypted backup solution called SeedVault (which was originally part of CalyxOS first), so, you have this option on both operating systems.
Pixel Phones provide baseband isolation, in other words, the mobile and Wi-Fi band is separated from the actual OS, which makes the possibility of attack way less likely:
“Activating airplane mode will fully disable the cellular radio transmit and receive capabilities, which will prevent your phone from being reached from the cellular network and stop your carrier (and anyone impersonating them to you) from tracking the device via the cellular radio. The baseband implements other functionality such as Wi-Fi and GPS functionality, but each of these components is separately sandboxed on the baseband and independent of each other. Enabling airplane mode disables the cellular radio, but Wi-Fi can be re-enabled and used without activating the cellular radio again. This allows using the device as a Wi-Fi only device.”
Metadata and Telemetry
GrapheneOS has a slight advantage over CalyxOS here, yet neither are perfect.
CalyxOS uses Google's DNS-Servers pre-configured, GrapheneOS goes with Cloudflare as a fallback pre-configured, both solutions are horrible ideas when it comes to privacy. The good news is that on Android you can always change your DNS in Settings and make your entire experience encrypted and using a trusted DNS server.
After the first boot the Captive-Portal-Check kicks in, which uses Google to do so, see:
By default, the GrapheneOS connectivity check server is used via the following URLs:
HTTP fallback: http://grapheneos.network/gen_204
HTTP other fallback: http://grapheneos.network/generate_204
"Vanadium does not make connections not requested by the app as part of providing the WebView implementation in the OS. If you choose to use it as your browser, it performs similar connections as the ones performed by the OS above. It does not send any identifying information to servers, etc. but rather fetches some static assets like dictionaries when triggered by usage of the app. We're working on eliminating everything unnecessary and making our servers the default for handling anything that cannot simply be shipped with Vanadium for one reason or another such as requiring quicker updates."
Worth mentioning at this point is that CalyxOS comes with Android 10, while GrapheneOS is already on Android 11.
So, as a recap, first things first, regardless of whether you use CalyxOS or GrapheneOS or any other Android or even iOS-based operating system, change your DNS. I love NextDNS which filters all trackers and ads and just gives you a great experience.
However, DNS is the first thing you should change on your device. The second is a decent firewall and I recommend NetGuard for this. It won't allow you to use a separate VPN and really closes down, thanks to the lockdown feature, the internet to apps that are not supposed to have internet access.
If you like to use an VPN to make sure your ISP does not see your internet traffic I recommend iVPN, ProtonVPN or Mullvad. All the official apps will respect your private DNS setup, so even if you use a VPN to hide traffic from your ISP, you'll still have the encryption and possibly the ad and tracking filters from your trusted DNS provider.
Overall, it comes back to what you need or want. CalyxOS has a more standard Android feel as even Google Services are working, thanks to MicroG, yet still respects privacy.
GrapheneOS, however, gets faster security patches vs CalyxOS at just once a month and GrapheneOS really has the advantage in hardening.
Coming back to the question "could either of the two be a great daily drive?" It sure is for me, and if you are really concerned about privacy and want a phone that doesn't just claim to care about your privacy, then any of the two operating systems are a great pick.