Miskatonic University Press

GrapheneOS

Last month I got a new phone and installed GrapheneOS on it. It’s working wonderfully and I’m happy I did it. Here are a few notes.

Background

GrapheneOS is a privacy-focused phone operating system based on Android. I’ve used Android-based phone OSes before. I bought a Samsung Galaxy S III in 2012, and by 2015 it was getting a little old (Samsung had stopped updating it) so I installed CyanogenMod on it. “It’s like having a new phone,” I wrote. About eighteen months later I realized, “but one that isn’t as good as my old phone,” so I installed LineageOS on it, and said, “It really is like having a new phone.” Both OSes let me keep more up to date with Android and they had no vendor applications installed. Lineage was nice.

By 2019 the phone was seven years old and barely functioning. I had to carry a USB battery with me so I could recharge it every few hours, and it would sometimes spontaneously reboot while I was in the middle of a phone call. I bought a Moto G7 Play, which was reasonably priced and didn’t do anything special. Getting a new phone after seven years was fantastic: everything worked, and fast!

The new phone had some Motorola junk on it, which I ignored, and of course had the full Google suite of everything. I removed some applications and took other steps to have as much privacy as I could manage, but this was an increasing concern for me. After five years the phone was showing its age and there were no more operating system updates for it. It was past time for a new phone.

I’d been watching GrapheneOS for a while and had decided my next phone would run it, which meant I’d need to get a Pixel from Google—the current release is a Pixel 8, which I bought at a store. (Happily I didn’t need a new SIM card.)

Why run GrapheneOS on it? Because I wanted as much privacy and control as possible. I was guided by Michael Bazzell’s Extreme Privacy: Mobile Devices, where he says:

I believe GrapheneOS is the ultimate solution for our needs. It is the only option which meets all of my requirements, including the following.

  • It is completely open-source software which converts a traditional Google Pixel device into a pure native Android environment, including many enhanced privacy and security features, without any Google network services or connections.
  • It has a large community testing and verifying any changes, and updates are much more frequent than other builds.
  • It provides only the basics and allows you to customize the software you need.
  • It has a locked bootloader and does not require root access.
  • It allows sandboxed Google push services if appropriate for your needs which can easily be disabled or removed completely if desired.
  • It does not require microG for notifications.

I recommend buying the entire set of Bazzell’s books. (I hope he restarts the Intel Techniques podcast one day. It was great.)

My biggest worry (aside from bricking the phone) was that I wouldn’t be able to run Cisco’s Duo authentication app, which I need for work.

Installing

To warm up, I watched GrapheneOS: first impressions, stumbling blocks, and opinions by Veronica Explains on YouTube, which is now a year old but still relevant, and does a great job of showing how installation works and how easy it is.

As GrapheneOS recommends, I started up the phone out of the box, skipped over everything about logging in to Google, and upgraded the system and enabled developer mode. Then I used the web-based installer, which works like magic. I had to use my work laptop because it has Edge on it, which I needed to make the USB stuff work, but basically I plugged my new phone into my laptop, pushed a few buttons on a web page, and in a few minutes I had a new operating system on my phone. Compared to what I did years ago this is an unbelievable dream!

After that I followed along with Bazzell’s book for some basic configuration. Some points from my notes also include:

  • Setting up private DNS with NextDNS.
  • Configuring the phone to always use the same MAC address when on my home network (“This can be controlled per-network in Settings > Network & internet > Internet > NETWORK > Privacy”), and configuring my router first to always give that MAC address the same IP number, then to always route it through the VPN I use on the router.
  • Installing Google Play Services: I want to be able to receive phone calls and push notifications.
  • Installing F-Droid.
  • Installing Aurora Store through F-Droid, so I can anonymously install apps from the Play Store. This worked the first time for me, with no problems. I installed Duo Mobile and it worked: phew! With that done I knew everything would be okay now. I also installed Signal and Firefox here.
  • Installing more apps from F-Droid.
  • Setting up Termux.
  • Copying and restoring configurations and data from my old phone, including a backup of all my Signal chats.

I may write up how I backed up and restored my contacts and other settings with Termux, but I’ll stop here for now, with GrapheneOS installed and working.

So far

The phone is wonderful! Everything is working perfectly. I installed fewer applications on it, and I’m using it much less. When I do use it, I know it’s safe and secure. GrapheneOS is giving me a great user experience. Many thanks to everyone who works on it! I made a donation to the project and will do another soon.

One small feature that’s great to have back (Lineage had it) is scrambling the PIN input on the lock screen. Instead of having the standard numeric grid layout, it mixes up the numbers each time, so anyone glancing over your shoulder will find it much harder to see the PIN.

If you’re thinking about installing GrapheneOS but a bit worried something might go wrong, don’t be. Go for it.