In PART 1 of our extreme privacy journey, we took the first step towards securing our digital lives by setting up a Linux system using Pop!_OS, following the guidance of Michael Bazzell's book Extreme Privacy: What it takes to disappear. We configured the OS, installed necessary applications, and created backups to ensure data security. Now, it's time to focus on securing our mobile devices.
As we continue to follow the book's guidance, we'll explore GrapheneOS, a security-focused mobile operating system that provides a robust and private alternative to traditional mobile operating systems. GrapheneOS is designed to provide maximum security and privacy, making it an ideal choice for those seeking to protect their digital lives.
The book suggests using GrapheneOS for its strong security features and minimalistic approach to pre-installed apps. By following the book's recommendations, we can create a secure and private mobile device that protects our personal data and maintains our online anonymity.
On Stacker News there are already some great posts that cover GrapheneOS e.g.:
- A Basic Guide To Making The Switch To Graphene OS by @Siggy47
- My Graphene OS Journey So Far by @Siggy47
- GrapheneOS: The Purpose, The Strategy, and The Why [Article] by @final
You should read them first.
In this post, I'll provide a step-by-step guide on how to install and configure GrapheneOS on your mobile device, as outlined in the book. We'll cover topics such as:
- Preparing your device for installation, as recommended by Bazzell
- Installing Graphene OS, following the book's instructions
- Configuring the OS for maximum security and privacy, using the book's guidelines
- Installing necessary applications, as suggested by Bazzell
- Creating backups and securing your data, in accordance with the book's best practices
By the end of this post, you'll have a secure and private mobile device, running GrapheneOS and configured to protect your personal data and maintain your online anonymity. Let's get started on this next step in our extreme privacy journey.
1️⃣ Purchase a New Mobile Device
To achieve extreme privacy, it's essential to replace our mobile device. Factory resetting is insufficient, as the device's serial number and unique identifiers remain tied to the manufacturer, allowing for user tracking.
I took this advice to heart and decided to purchase a new device with cash. I went to a local store, withdrew the necessary funds, and made the purchase. To maintain my anonymity, I wore a hat and sunglasses, feeling like a character from a spy novel. It was a bit of a weird but funny experience.
The book suggests opting for an unlocked device, which allows for greater flexibility and control over cellular service providers. A Google Pixel device is specifically recommended due to its superior hardware security capabilities and compatibility with GrapheneOS.
2️⃣ Install a New Mobile Operating System
Preparing Your Device
Before installing a new mobile operating system, you'll need to prepare your device. Start by turning it on and dismissing any attempts to enter a Google account. Then, follow these steps:
- Click Get started, then select Skip, and then Set up offline.
- Click Continue, then Next.
- Deselect all options and click Accept, then I Accept.
- Click Skip, confirm Skip, and then Skip again.
- Apply all pending updates in the System Update section.
- Reboot and continue to apply updates until none are available.
Enabling Developer Mode
Next, you'll need to enable Developer mode on your device. To do this, follow these steps:
- Tap About phone and then tap Build number several times.
- Enable OEM Unlocking and USB debugging in the Developer Options section.
- If OEM Unlocking is greyed out, you may need to conduct a full factory reset.
Installing GrapheneOS
Once your device is prepared and Developer mode is enabled, you can install GrapheneOS. To do this, follow these steps:
- Visit the official GrapheneOS website and follow the installation steps provided there.
- Use the web installer to install the operating system.
- Follow the on-screen instructions to complete the installation process. The installer takes you through these stages:
- Unlock bootloader: This will allow flashing the OS and firmware. Confirm the command on the device, which will wipe all data.
- Download the factory images: Obtain the GrapheneOS factory images for your device.
- Flash the factory images: This will replace the existing OS installation and wipe all data. Wait for the flashing process to complete.
- Lock the bootloader: This enables full verified boot, preventing modifications to the OS partitions and ensuring data integrity. Confirm the command on the device, which will wipe all data again.
After installation, your device will be completely encrypted and will not send any data to Google. You can then harden a few settings to ensure your device is secure, such as disabling OEM Unlocking and Developer options.
That's it, now we can start to configure our new GrapheneOS device.
3️⃣ Configure Your New Mobile Operating System
This section of the book states that a new GrapheneOS device is private and secure by default, but some adjustments can further optimize it. GrapheneOS is not just a reskinned Android, but a heavily customized OS prioritizing privacy and security.
To ensure a smooth user experience, let's walk through the default settings and customizations, highlighting their benefits and potential drawbacks. Bazzell explains how to customize the quick menu on a GrapheneOS device. He shares his preferred layout, which includes:
- Top row: Internet and airplane mode toggles for quick connectivity control
- Second row: Location and Bluetooth toggles, which are usually kept disabled
- Third row: Mic access and Camera access toggles, which are typically kept disabled to prevent accidental sharing of audio or video
- Last row: Flashlight and Data saver buttons for easy access
Think about your own habits and needs as you arrange your menu. Prioritize the data saver button if you're often in areas with spotty internet. Keep location services disabled if you're concerned about being tracked.
Next I navigate to Settings > Network & internet and connect to my home network via Wi-Fi. Since I don't have a VPN-enabled home firewall (yet), I've installed a VPN on my device to add an extra layer of security.
Then, head to Settings > Security & privacy > Exploit Protection and make the following changes:
- Enable the Turn off Wi-Fi automatically feature
- Set the timer to 1 minute, which means that my device will disable Wi-Fi altogether if I'm not connected to a network for more than a minute
- Disable Turn on Wi-Fi automatically
- Disable Notify for public networks
You can also make a few more tweaks to your security settings:
- Add a fingerprint to the system for easy unlocking
- Disable the Native code debugging option
- Disable the Allow camera access option
In addition, turn off the Wireless emergency alerts feature, as Bazzell considers these alerts more of an annoyance than a useful feature.
Finally, customize your display settings:
- Navigate to Settings > Accessibility > Color and motion > Color Correction
- Enable Use color correction
- Select Grayscale
- Enable the Color correction shortcut, which allows you to quickly toggle between color and grayscale modes.
To make it easier to access the color correction shortcut, I also:
- Navigate to Settings > System > Gestures > System navigation and select 3-button navigation
- Navigate to Settings > Accessibility > Accessibility shortcuts > Accessibility button > Location and select Navigation bar
This minimizes the screen impact of the shortcut and makes it easily accessible.
Next, open the camera app and swipe down slightly to present the settings menu, then make some adjustments:
- Select Optimize for and Quality
- Click More Settings; enable Gyroscope Suggestions; and disable Camera Sounds
Bazzell prefers a quiet device that won't draw much attention, so navigate to Settings > Sound & vibration and make the following changes:
- Change Phone ringtone to none
- Change Default notification sound to none
- Disable Screen locking sound
- Disable Charging sounds and vibration
- Disable Tap & click sounds
PIN Scrambling
Recent updates to GrapheneOS have introduced a new security feature that may be of interest to some readers. Bazzell notes that this feature can provide an additional layer of protection for those who are concerned about surveillance.
The feature allows you to scramble the numbers presented within a PIN entry screen. This can be valuable for individuals who fear they are under surveillance and are concerned that entering the same pattern on every unlock could provide a way for an attacker to gain access to their device. With this feature enabled, unlocking the device takes a bit longer since the numbers are randomized each time. However, this adds an extra layer of security, as there will no longer be an identical pattern present within surveillance video, and fingerprint smudges on the screen will not be helpful to an attacker.
To enable this feature, navigate to Settings > Security & privacy > Device unlock > Settings icon next to Screen lock and toggle Scramble PIN input layout.
Auto Reboot
As an added layer of security, GrapheneOS devices are designed to automatically reboot every 72 hours if they have not been unlocked. This feature provides an additional safeguard in the event that a device is lost, stolen, or seized. If the screen has not been unlocked within three days, the device will reboot into a state that requires a PIN for access, rather than biometrics. Bazzell notes that this setting is suitable for most individuals, but for those with extreme needs, it can be modified.
To adjust this setting, follow these steps:
- Navigate to Settings and then Security & privacy
- Select Exploit protection, then Auto Reboot
- Modify the setting as desired
With these modifications in place, you should now have a solid foundation for securing your device. Next, Bazzell tackles the topic of Push Services, an important aspect of maintaining control over your digital life.
4️⃣ Consider Push Services
Before we proceed with application installation and telephony services, let's discuss push services. Push services allow apps to receive notifications and updates in real-time, but they can also compromise your privacy.
Bazzell emphasizes the importance of considering push services when setting up your device. He notes that traditional Android and iPhone devices rely heavily on push services, which can create a significant attack surface.
If you want to maintain your privacy, you'll need to consider alternative push services. One option is to use open-source alternatives like microG, but Bazzell cautions that these services may still rely on Google's network.
A better option is to use GrapheneOS's sandboxed version of Google's services, which can be enabled within the GrapheneOS Apps menu. This approach provides a more secure way to receive push notifications, as Google's services are severely restricted and only have permissions on an application level.
Bazzell notes that this limited version of Google's services is superior to microG and provides a more secure way to receive push notifications. However, he also acknowledges that some people may not need push services at all.
If you don't need push services, you can simply skip to the next task. However, if you do need them, you can enable them within the GrapheneOS Apps menu.
- Swipe up to see your application drawer and tap Apps
- Click the Google Play services option and install it
- Allow installation with default network permission for all three options
- When complete, click Settings below Google Play services
- Tap App battery usage and change it to Allow background usage
- Navigate to Settings > Apps > See all ... and tap the three dots in the upper-right to Show system
- Tap GmsCompat > Notifications and disable all
That's it. You now are ready to install applications and receive the benefits of push services without allowing Google unfettered access to your entire device. If you change your mind, you can disable all three options by opening each; clicking the three dots in the upper-right; and selecting "Uninstall". Your device will be Google-free again.
5️⃣ Privately Install Applications
Now that we have our GrapheneOS device set up, it's time to install some applications. Since we're avoiding Google services, we won't be using the Google Play Store. Instead, we'll use F-Droid, a popular alternative app store that offers a wide range of free and open-source apps.
To install F-Droid, follow these steps:
- Launch the Vanadium browser on your GrapheneOS device
- Navigate to f-droid.org and click the Download F-Droid button
- Confirm the download and click Open at the top of the screen
- If prompted, click Settings and enable Allow from this source
- Confirm the installation of F-Droid
- Open the F-Droid application and confirm any warnings
- Click Don't Allow for notifications
- Swipe down from the top and fetch any F-Droid updates available
- Tap Updates to install any pending updates. If prompted, repeat enabling of Allow from this source
- Reopen the F-Droid application
Once F-Droid is installed, we can use it to install other applications. Bazzell suggests starting with Aurora Store, which is an unofficial client to Google's Play Store. This allows us to search, install, and update apps without requiring a Google account.
To install Aurora Store, follow these steps:
- Tap the Latest icon within F-Droid and tap the search icon
- Search Aurora Store and tap Install
- Allow the installation to complete and open Aurora Store
- When prompted, accept their Terms of Service and follow the initial setup screens
- Enable Anonymous mode to prevent Google account requirements
If you're having issues with Aurora Store, don't worry. Google occasionally blocks access to their app store via Aurora, but there are workarounds. Bazzell notes that the issues with Aurora Store often correct themselves after a while, so you can try waiting it out. Alternatively, you can try reinstalling Aurora Store or using a workaround method.
To use the workaround, follow these steps:
- Open Settings and select Apps > Default apps > Opening links
- Tap Aurora Store and enable Open supported links
- Add links to Aurora Store and enable all options
If that's not working, disable links from Google Play Store first:
- Open Settings and select Apps > Default apps > Opening links
- Tap Google Play Store and disable Open supported links
- Go back to Settings and select Apps > Default apps > Opening links
- Tap Aurora Store and enable Open supported links
- Add links to Aurora Store and enable all options
This should allow you to open Google Play Store links within Aurora Store. You can test it by searching for Signal Play Store in your Vanadium browser and clicking the link to open the page within Aurora Store.
Although the workaround method requires a few extra steps, it can help you navigate issues with the Aurora Store. Prioritize F-Droid for app installations, followed by Aurora, and only use Google Play links via Aurora as a last resort. Also, keeping Aurora updated through F-Droid is crucial for maintaining its functionality.
Alternative options like APK Pure and Obtainium are available but are considered unnecessary and potentially risky. Logging into a Google account from your device is strongly discouraged, as it would compromise its anonymity.
Controversy
Some readers may criticize the recommendation to use F-Droid and Aurora Store for application installation, but these criticisms are often based on a single source or a vocal minority. In reality, Bazzell notes, these alternatives are the best options for maintaining privacy and security.
While F-Droid and Aurora Store may not be perfect, they are a better choice than installing the official Google Play Store and logging into a Google account. Installing applications from open-source APK files is also not a practical solution, as many apps do not offer this option and keeping them manually updated would be time-consuming.
To maintain security, it's essential to only install trusted and vetted applications from F-Droid and Aurora Store. Avoid experimenting with new services on a clean device, and only install apps that are truly needed. By taking a cautious approach, you can minimize the risk of security scares.
When installing applications, GrapheneOS may prompt you to provide a network connection to the app. Block any apps that do not need network connectivity, such as home screen launchers or local music players.
Finally, review the permission manager within Aurora to ensure that apps are not accessing hardware features unnecessarily. Modify these settings to your specifications, disabling access to features like the camera, microphone, or location services for apps that do not require them.
6️⃣ Establish Private Cellular Service
Before proceeding with the next steps, I want to note that this section of the book was not easily applicable to my situation, as it is mostly focused on people living in the United States. However, I will try to summarize the strategies proposed by Bazzell.
To establish private cellular service, Bazzell recommends using a prepaid provider. This approach allows for more anonymity than traditional contracted plans, which often require a soft credit pull and a copy of our license. This way you get a prepaid plan not tied to your identity.
Some popular prepaid providers include Mint Mobile, Tello, US Mobile, and RedPocket. Mint Mobile is Bazzell's top recommendation, as it offers affordable plans, does not require user verification, and allows for prepayment up to a year.
To obtain a cellular plan with Mint Mobile, you can purchase a physical SIM card or use the eSIM option. Bazzell explains the benefits and inconveniences of each option, noting that physical SIM cards are more traditional and allow for easy transfer between devices, while eSIMs are more convenient and don't require shipment.
To activate a physical SIM card with Mint Mobile, you'll need to insert the card into your device, install the Mint Mobile app via Aurora, and follow the activation process. You'll need to provide a name, email address, and physical address for billing purposes. Bazzell recommends using an alias name (as Mint Mobile does not validate any information) and a hotel address in your local area to maintain anonymity.
For eSIM activation, you'll need to enable eSIM support in your device's settings, then follow the activation process within the Mint Mobile app. Bazzell notes that this process can be more complicated, but it allows for more flexibility and convenience.
Ultimately, he emphasizes the importance of maintaining anonymity and security when obtaining cellular service. By using a prepaid provider and an alias name, you can reduce the risk of your personal information being shared or compromised.
Note: As I'm not a US resident, I couldn't verify if the methods outlined in the book actually work. While searching for similar eSIM services outside of the US, I stumbled upon kycnot.me/ - a pretty valuable resource. Too bad that even the most established option, silent.link, only supports US and UK residents for their .IDENTITY plans. If any Stackers have other options for acquiring a prepaid plan without ID verification, feel free to leave a comment.
Also, I found some interesting reads on this topic: a FAQ post on What does GrapheneOS do about cellular tracking, interception and silent SMS? and some insightful comments from @final in the Graphene Fixes This post by @siggy47.
Secondary Account
Bazzell shares an example of a client who relies on a banking app for mobile check deposits. However, her bank's app requires a true cellular telephone number to be associated with the account, and it sends a text message for authorization every time the app is opened.
To address this, she uses a Mint Mobile SIM card and a Tello voice and text account within the eSIM slot. She enables the eSIM only when needed, receives the verification text, and then disables it.
SIM and eSIM Disabling
Bazzell highlights one of the features of GrapheneOS that he finds particularly interesting - the ability to not only disable an eSIM, but also to disable the physical SIM via software. Most Android devices require you to remove your physical SIM card if you want it disabled, but GrapheneOS provides a toggle option within the SIM card's settings page.
This feature would be especially useful in situations where airplane mode is accidentally disabled near a sensitive location, as it would prevent SIM and eSIM connections from being enabled.
Payment Considerations
When setting up prepaid cellular service, it's essential to consider payment options carefully. Bazzell recommends avoiding payments that can be linked to our true identity, such as credit cards or PayPal. Establishing a masked payment as explained later in the book is the preferred option. This is because your mobile device is a tracking device that constantly announces your location, and associating it with your true name could compromise your identity.
As a bitcoiner, I appreciate that there are ways to enable private payments, such as using services like Silent.Link that offer on-chain Bitcoin and Lightning payments, where you don't need to doxx your identity to set up cellular service.
7️⃣ Consider Wi-Fi Calling
Wi-Fi calling allows you to make and receive calls and texts through your cellular carrier number while in airplane mode and connected only to Wi-Fi. This feature can be useful in certain situations, such as receiving a text message from a traditional cellular number while maintaining anonymity.
However, Bazzell notes that calls and texts made this way are logged in your cellular account forever. He can see the advantages of using this feature in certain situations, such as making calls unrelated to your identity or conducting banking transactions while in airplane mode. It's a trade-off between convenience and exposure, and each individual must decide what works best for them.
Personally, Bazzell relies on Voice over Internet Protocol (VoIP) numbers, which provide an additional layer of anonymity. However, he notes that not everyone has access to these options, and Wi-Fi calling can be a useful alternative in certain situations.
If you want to use Wi-Fi calling, follow these steps:
- Go to Settings > Network & internet > SIMs
- Select your SIM and tap Wi-Fi calling
- Enable Use Wi-Fi calling and change the Calling preference to Call over Wi-Fi
8️⃣ Customize Your Device
Bazzell is quite particular about the look and feel of his device, and he makes some significant changes to the default GrapheneOS Home app. He adopts a custom launcher, which allows him to modify the icons, change the names of the shortcuts, and fit more information on his screen.
I decided to follow his lead and customize my own device. I downloaded the custom launcher Lawnchair 14 via Aurora Store to my GrapheneOS device and began the customizations. After installation, I navigated to Settings > Apps > Default apps > Default home app. I selected Lawnchair and returned to the home screen. It appeared quite different.
Configuring Lawnchair
Once you've installed Lawnchair, you can configure it to suit your needs. To do this, follow these steps:
- Swipe up to see the application drawer and select the launcher to browse through the configuration options.
- Some settings I modified were the desktop icon grid (5x5), adapting icon and label size to my needs, and enabling a search bar. There seems to be a great variety of customization options with Lawnchair, so feel free to adjust your device to your own taste.
9️⃣ Consider Android Profiles
Android profiles allow you to create unique configurations for multiple users or alias profiles on a single device. Bazzell experimented with this feature but ultimately decided not to use it as part of his communications strategy.
However, he notes that this feature can be useful for individuals who need to isolate their app usage or create separate environments for different purposes. For example, a client might need to use Google Maps for daily navigation but doesn't want any Google services in her primary device profile.
To create a new profile, you can follow these steps:
- Navigate to Settings > System > Users
- Enable the Allow multiple users toggle
- Click Add user to create a new profile
This new profile is a separate environment from the primary profile, where you can install and use apps without affecting the primary profile.
When exiting a secondary profile, it's essential to note that it does not shut down all of the active services within it, which can lead to unnecessary battery drain and RAM usage. To avoid this, you can reboot the device after using the secondary profile or use GrapheneOS's "End Session" feature.
I still need to consider whether using Android profiles is right for me. Having a separate profile for certain apps could be useful, but I'll have to see the benefits and drawbacks and decide what works best for my needs.
🔟 Maintain Your Device
To ensure your device remains secure, it's essential to keep it up to date. Bazzell recommends enabling the default update options, as GrapheneOS delivers security patches frequently, often every week or two.
Monitoring Battery Life
Disabling push services can lead to faster battery drain, as some apps may constantly listen for new incoming communications. To mitigate this, monitor your battery usage and restrict apps that consume excessive power.
Optimizing Battery Life
To optimize battery life, charge your device to 100% and use it normally until the battery is almost dead. Then, check the battery history in Settings > Battery > Battery usage > View by apps to identify power-hungry services. If necessary, restrict background usage for specific apps by changing the Optimized setting to Restricted in Settings > Apps > See all: select the app, tap App battery usage, and then disable Allow background usage.
Backing Up Your Data
Bazzell no longer recommends using the native SeedVault app, as many users have reported it to be less reliable. Instead, he suggests a manual backup process using ADB. This method is not perfect and should only be used when absolutely necessary, such as to recover lost data.
To do this, open a terminal on a macOS or Linux machine that has ADB installed, make sure the device is connected via USB and USB debugging is enabled, and run:
cd ~/Desktop
adb backup -all -system -apk -keyvalue -obb -shared -f backup.ab
Restore the backup to your device with:
adb restore ~/Desktop/backup.ab
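The ADB backup step above, wrapped in a small script as an added example (this is my own code, not code from the book, from GrapheneOS or from the ADB project): it refuses to run unless exactly one authorised device is attached, takes the backup with the same flags, then checks the file's header and whether the archive was encrypted with the backup password the phone offers to set. The backup directory, file naming and function names are my own choices.

```shell
#!/bin/sh
# Added example, not code from the book or from GrapheneOS: wraps the
# "adb backup" step with the checks an operator wants before trusting the file.
# Assumptions: adb is on PATH, USB debugging is on, and the phone has already
# authorised this computer. Format facts relied on: an adb backup file begins
# with four text lines, "ANDROID BACKUP", the format version, a compression
# flag, and the encryption method, which is "none" unless you typed a backup
# password on the phone when adb asked for one, and "AES-256" if you did.
set -eu

BACKUP_DIR="${BACKUP_DIR:-$HOME/Desktop}"   # the post keeps backups on ~/Desktop

# sha256sum on Linux, shasum on macOS
sum256() { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; }

# Succeed only when exactly one usable device is attached. "adb devices" prints
# "<serial>\tdevice" for a ready phone and "<serial>\tunauthorized" for one that
# has not yet accepted this host's debugging key.
one_authorised_device() {
    n=$(adb devices | awk 'NR > 1 && $2 == "device"' | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Succeed when FILE starts with the adb backup magic line.
ab_header_ok() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = "ANDROID BACKUP" ]
}

# Print the encryption field (fourth header line) of an adb backup file.
ab_encryption() {
    sed -n '4p' "$1"
}

# Check the magic, warn if the backup is unencrypted, and store a checksum next
# to the file so the copy you later restore from can be compared to this one.
verify_backup() {
    f="$1"
    ab_header_ok "$f" || { echo "$f: not an adb backup file" >&2; return 1; }
    enc=$(ab_encryption "$f")
    if [ "$enc" = "none" ]; then
        echo "WARNING: $f is not encrypted; keep it on encrypted storage only" >&2
    fi
    sum256 "$f" > "$f.sha256"
    echo "$f: format ok, encryption=$enc, $(wc -c < "$f" | tr -d ' ') bytes"
}

# Take the full backup with the same flags as the post, then verify it.
take_backup() {
    one_authorised_device || { echo "need exactly one authorised device" >&2; return 1; }
    out="$BACKUP_DIR/backup-$(date +%Y%m%d-%H%M%S).ab"
    # When the phone prompts, set a backup password; otherwise the file is plaintext.
    adb backup -all -system -apk -keyvalue -obb -shared -f "$out"
    verify_backup "$out"
}

case "${1:-}" in
    backup) take_backup ;;
    verify) verify_backup "$2" ;;
    *) echo "usage: $0 backup | verify FILE.ab" ;;
esac
```

Run it as `sh backup.sh backup` to take a new backup, or `sh backup.sh verify ~/Desktop/backup.ab` to check a file you already have. The encryption check matters because an unencrypted .ab file contains every app's data in the clear, so it should live only on the encrypted disk set up in Part 1.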
Photos and Data transfer
In terms of photos and data transfer, Bazzell advises against relying on cloud storage services like Google Photos or iCloud, instead recommending a manual backup process using a USB-C flash drive. This involves connecting the drive to the mobile device, selecting all photos, and moving them to the external drive.
- Connect a FAT32 formatted USB-C flash drive to the mobile device.
- Make sure USB-C port is set to On.
- Open the Files application on the mobile device.
- Open the upper-left hamburger menu and select the device, such as Pixel 7a.
- Navigate to DCIM > Camera.
- Tap the three dots and choose Select all.
- Tap the three dots and choose Move to...
- Open the upper-left menu and select the external drive.
- Tap Move in the lower area.
- Eject the external device and insert it into a secure computer.
- Move the photos to your desired storage location.
- Make sure the photos were erased from the external device.
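The last two steps, moving the photos off the drive and confirming the drive is empty, done as a script on the secure computer. This is an added example of my own, not code from the book or the post: it copies everything off the mounted drive, checks each copy against the original by SHA-256, and only when every file verifies does it erase the drive and confirm nothing is left. The mount path, destination path and function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the book or the post: the "move to a secure
# computer" half of the photo transfer. Files are copied from the mounted flash
# drive, every copy is checked against the original by SHA-256, and only then
# are the originals erased and the drive confirmed empty.
# Assumptions: the drive is already mounted at the first argument (for example
# /media/$USER/PHOTOS on Linux) and the destination is on encrypted local disk.
set -eu

# sha256sum on Linux, shasum on macOS
sum256() { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; }

# List every regular file under DIR as a path relative to DIR.
list_files() {
    (cd "$1" && find . -type f -print)
}

# Copy every file under SRC to DEST, keeping the DCIM/Camera layout.
copy_tree() {
    src="$1"; dest="$2"
    list_files "$src" | while IFS= read -r rel; do
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$src/$rel" "$dest/$rel"
    done
}

# Succeed only if every file under SRC has a byte-identical copy under DEST.
verify_tree() {
    src="$1"; dest="$2"
    list_files "$src" | while IFS= read -r rel; do
        a=$(sum256 "$src/$rel" | cut -d' ' -f1)
        b=$(sum256 "$dest/$rel" 2>/dev/null | cut -d' ' -f1)
        if [ "$a" != "$b" ]; then
            echo "mismatch or missing copy: $rel" >&2
            exit 1          # ends the loop's subshell, so the pipeline fails
        fi
    done
}

# Delete the files on the drive, remove the empty folders, and confirm nothing is left.
erase_source() {
    src="$1"
    (cd "$src" && find . -type f -exec rm -f {} +)
    (cd "$src" && find . -mindepth 1 -depth -type d -exec rmdir {} +) 2>/dev/null || true
    [ "$(find "$src" -type f | wc -l | tr -d ' ')" -eq 0 ]
}

# Copy, verify, and only on success erase; a failed verification leaves the drive untouched.
transfer_photos() {
    src="$1"; dest="$2"
    copy_tree "$src" "$dest"
    verify_tree "$src" "$dest" || { echo "verification failed; nothing erased from $src" >&2; return 1; }
    erase_source "$src"
    echo "moved $(find "$dest" -type f | wc -l | tr -d ' ') files to $dest; $src is now empty"
}

case "${1:-}" in
    move) transfer_photos "$2" "$3" ;;
    *) echo "usage: $0 move /path/to/mounted/drive /path/to/destination" ;;
esac
```

Usage is `sh move_photos.sh move /media/$USER/PHOTOS ~/Pictures/phone`. Verifying before deleting is the point: a plain `mv` across filesystems deletes the source after copying without checking the copy, and a drive that was unplugged early leaves you with neither.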
This seems to be less convenient than Google or iCloud storage, but it is also much more secure and private. I actually find it quite convenient and I appreciate that I don't have to upload all my sensitive data and photos to some random server. This approach, as recommended by Bazzell, really resonates with me.
Conclusion 🎯
This was my journey with GrapheneOS. I really appreciate the advice and guidance I've received on how to have a more secure and private mobile experience. By implementing these strategies, I feel more confident and in control of my digital life, and I'm grateful for the peace of mind that comes with knowing I'm doing everything I can to protect my data.
I hope you've been able to follow along with the steps outlined here, and I encourage you to consider giving GrapheneOS a try for yourself. It's worth the effort to take control of your mobile experience and enjoy the benefits of a more private and customizable operating system.
In the next post, we'll focus on iOS mobile devices, exploring ways to improve security and privacy settings for those who prefer to stick within Apple's ecosystem or aren't ready to make the switch to GrapheneOS. Stay tuned ✌️