My entire life (it seems) I have been a phone addict. Always have the newest, trendiest  ones, but as soon I get it out of the box...I need to start tweaking. Mostly checking xda developers for a more 'Google-free' experience.  

Then I've also always had iPhones and iPads just to be on the puls but also to tweak as much as you can out of a closed black-box, blocking all Apple domains or just as many as you can but still have most things work.

HostFiles to block Apple from collecting

iOS Paranoid - Blocks most Apple Analytics and requests (Push and App Store works)

Apple & iOS - Apple Telemetary

iOS Ads - Careful might block more than you want!

AdGuard Safari - Safari Browser Ads blocker

I even got into Huawei recently (and briefly), not so much because they are more private or secure, in fact they are a nightmare when it comes to patches from the latest android security updates, at least not the ones that come without Google. In fairness, I only owned the Mate 30 Pro, so I can't really say much about the rest of their phones. But what attracted me was partially the camera and more so that they have zero Google!

Huawei HostFile

Huawei - Cellphones call home

What made them interesting is that you don't need to block one more crappy advertising and tracking company. The king pin of all if that's what you like and want. They also don't have the deeply embedded Facebook shit that Samsung has pre-installed and which they only let you disable but not remove.

However, I've been a long term fan of Lineage, it can be rooted, it has no Google and its as close to Vanilla Android as possible. The CyanogenMod Project who creates Lineage has also been around long enough to be trusted.

But being privacy focused and learning more and more as I go along, I just think a phone by itself is a no-go when you really want privacy. And if you like privacy with security it gets even trickier. Even fresh out of the box you can tweak and install and add/remove/disable away bad bloatware etc., but it is still not a bullet-proof device and it never will be!

When it comes to Lineage what is also disturbing is the Google Analytics and other Google stuff on their servers and website. I mean you offer a 'Google-free' device but track people with Google? C'mon??? don't get me started!

I made a challenge to myself and dropped all phones and am now solely on my notebook. Powered with coreboot and a Linux version I feel comfortable with. I will cover my setup and post a review on a System76 laptop soon, but let's get back to cellphones.

As already mentioned cellphones are the worst when it comes to privacy. You have it with you at any given time, if you switch it on and off the metadata profiles you and when you you move around or engage with the phone you are adding to this profile. The pictures you take have even greater metadata included. Sure there are apps to remove the metadata before sharing, and Signal, for instance, routinely removes it before sending them out, but what about that night you were drinking and forget to take the metadata out and sent it via Riot or any of the other privacy apps?

LineageOS has always been a favorite as I could install a root firewall and host files via AdAway.

Yes, Lineage was a good way to stay private, BUT it is not the most secure way!

In fact security is already compromised by opening the boot-loader and running it on root. Now you might say but I have so much more options when it comes to privacy, and I totally agree, but when you compromise your security you compromise your privacy.

So after starting my 'Linux notebook only' challenge I said to myself "what happens when this entire pandemic is over and I see some friends for a drink or BBQ?" I won't carry my notebook just to be reachable. Well I could as most of my friends are on Riot or Signal and those who aren't are those who won't download a free messenger for me so maybe not my good friends after all!

So what is the solution? What phone should I carry around when I go out of the house? And keep in my Faraday/Go Bag when I am at home?

I talked about this to one of our readers on Riot and Telegram about this situation and he reminded me that he had advised me once that there is only one phone that he trust. Well I did remember, it was a few years back, I had ordered a phone from CopperheadOS, right at the beginning of my 'privacy first when it comes to cellphones' journey. But shortly after I received my phone Daniel Micay, one of the founding partners, had a fallout with his partner. For me that was the end of Copperhead as the OS without Daniel there wasn't even a signing key to update the firmware.

So it was back to LineageOS and I stuck with it as much as I could..but now Daniel is back, and he has created an even better setup for the Pixel series of phones. The irony of it! Get rid of Google by using a Google Phone! And I am not alone in my thoughts, as Edward Snowden has also endorsed Daniel and his new brainchild GrapheneOS:

Edward Snowden (@Snowden)
If I were configuring a smartphone today, I’d use @DanielMicay’s @GrapheneOS as the base operating system. I’d desolder the microphones and keep the radios (cellular, wifi, and bluetooth) turned off when I didn’t need them. I would route traffic through the @torproject network.

He added he would route traffic through the Tor network:

"I wouldn't use WiFi at home, because global maps of every wireless access point's unique ID—including yours—are free and constantly updated. I would use ethernet; yes, ethernet on a phone. I would deny network permissions to any app that doesn't need it using an app firewall"
"I would use an ad blocker. I would use a password manager. I would block third-party cookies in the browser. These last three are steps that absolutely everyone should consider, because they're simple, cost little or nothing, and protect you while making your phone faster."
"I would not (and do not) use email, except as throwaways for registration. Email is a fundamentally insecure protocol that, in 2019, can and should be abandoned for the purposes of any meaningful communication. Email is unsafe. I'd use @Signalapp or @Wire as a safer alternative."

Personally, I stay away from Wire as its now in the hands of a US venture capital company name Morpheus Ventures and if you take a closer look into the companies they have invested in, you can see they are all about the 'tracking and collection business'.

However, I am adding Riot to the list of my personal go-tos and push everyone to join and connect, as it's one of the best solutions out there, including their new P2P approach, not just in calling or one-on-ones, but also in chats via browser. Anyway, we have a Riot article coming up, so stay tuned for that.

Signal, which Snowden mentioned, is second to none when it comes to encryption and has proven lately to listen to the members and work on removing the telephone number requirement and replacing it with a PIN. Plus the new blurring feature where you can edit pictures before them out sending has been a big hit. They also have almost no metadata.

We also covered Signal in June of last year and will take another in-depth look later this year as part of our annual Messenger Service Provider review.

Now back to what made me switch to GrapheneOS

Security at the core but with privacy in mind!

Micay explained

"The goal is not making devices with poor security slightly more secure, and choosing the best devices to officially support is an important aspect of it. It will definitely support more than Pixels, but 3rd and 2nd generation Pixels are the best choices for the initial two devices. 1st generation Pixels aren’t currently supported, because the point of the project is not dumping all the resources into device porting."

Installation is straight forward

GrapheneOS install documentation
Installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.

I actually got the Pixel 3a and this installation did not work straight out of the box, but that was not related to the documentation but my own fault and ignorance. You need to update the phone first to be at the very latest which Google has to offer. I updated and tried, but it turned out I needed to update again, restart, get a new update and the cycle was not complete until I was at the May 2020 security update, then the installation worked like a charm ;)

Make sure you also close the Bootloader!

After installing GrapheneOS, the first thing I did was to set up a custom DNS, fallback on GrapheneOS is not Google but Cloudflare (incredibly), which does not make it better when it comes to privacy, but it's an easy fix!

Settings ➔ Network & internet ➔ Advanced ➔ Private DNS and enter a DNS-over-HTTPs provider of your choice.

The Privacy Cookbook - Chapter 2 – Protecting your DNS
We promised you that within this cookbook we will go deeper into the rabbit hole....well, here we go and in this chapter let’s start with something simple! DNS! Most people are not aware what DNS is or what it does.
The Domain Name System (DNS) is one of the foundations of the internet, yet most p…

I host my own with AdGuard Home therefore I also have my ad and traffic blocked activated.

Privacy Cookbook - Chapter 3.2 - AdGuard Home
AdGuard Home is the next step up when it comes to blocking ads, trackers and all the other nasty BS what haunts the interwebs! We have nextDNS [/privacy-cookbook-chapter-2-1-nextdns/] covered as a possible cloud solution, we have an in-house solution with Pi-hole [/privacy-cookbook-chapter-3-1-put-…

GrapheneOS has the Android Open Source Project firewall integrated as standard.

GrapheneOS adds a user-facing Network permission toggle providing a robust way to deny both direct and indirect network access to applications. It builds upon the standard non-user-facing INTERNET permission, so it's already fully adopted by the app ecosystem.

Revoking the permission denies indirect access via OS components and apps enforcing the INTERNET permission, such as DownloadManager. Direct access is denied by blocking low-level network socket access.

GrapheneOS also has a Chromium based browser called Vanadium

Vanadium is a privacy and security hardened variant of Chromium providing the WebView (used by other apps to render web content) and standard browser for GrapheneOS. It depends on hardening and compatibility fixes in GrapheneOS rather than reinventing the wheel inside Vanadium. For example, GrapheneOS already provides a hardened malloc implementation so there's no need for Vanadium to replace it. Similarly, it can deploy security features causing breakage on other operating systems due to the ability to fix compatibility problems in the OS.

I've actually already received 2 security updates so far and they both arrived faster than on any other OS. Daniel pushes them out as soon they are discovered or when he discover his own. Fantastic guy and an super smooth experience of an cellphone. The camera is also decent enough and I am happy without having to tweak around all day!

I made it my daily drive when I leave the house, having lived off of f-droid for years, it was an easy switch.

F-Droid - Free and Open Source Android App Repository
© 2010-2020 F-Droid Limited and Contributors

Personally, I work always from home, I love to be at my house, so the need for a cell phone is not so great so only a laptop works fine, but when it comes to going out and staying connected, yet private and secure, GrapheneOS is the way that is working for me and I strongly recommend it for the privacy focused users and readers of decentralize.today

Stay safe, stay secure!

The Privacy Advocate