In PART 1 of our extreme privacy journey, we took the first step towards securing our digital lives by setting up a Linux system using Pop!_OS, following the guidance of Michael Bazzell's book Extreme Privacy: What it takes to disappear. We configured the OS, installed necessary applications, and created backups to ensure data security. Now, it's time to focus on securing our mobile devices.
As we continue to follow the book's guidance, we'll explore GrapheneOS, a security-focused mobile operating system that provides a robust and private alternative to traditional mobile operating systems. GrapheneOS is designed to provide maximum security and privacy, making it an ideal choice for those seeking to protect their digital lives.
The book suggests using GrapheneOS for its strong security features and minimalistic approach to pre-installed apps. By following the book's recommendations, we can create a secure and private mobile device that protects our personal data and maintains our online anonymity.
On Stacker News there are already some great posts that cover GrapheneOS e.g.:
You should read them first.
In this post, I 'll provide a step-by-step guide on how to install and configure Graphene OS on your mobile device, as outlined in the book. We'll cover topics such as:
  • Preparing your device for installation, as recommended by Bazzell
  • Installing Graphene OS, following the book's instructions
  • Configuring the OS for maximum security and privacy, using the book's guidelines
  • Installing necessary applications, as suggested by Bazzell
  • Creating backups and securing your data, in accordance with the book's best practices
By the end of this post, you'll have a secure and private mobile device, running GrapheneOS and configured to protect your personal data and maintain your online anonymity. Let's get started on this next step in our extreme privacy journey.

1️⃣ Purchase a New Mobile Device

To achieve extreme privacy, it's essential to replace our mobile device. Factory resetting is insufficient, as the device's serial number and unique identifiers remain tied to the manufacturer, allowing for user tracking.
I took this advice to heart and decided to purchase a new device with cash. I went to a local store, withdrew the necessary funds, and made the purchase. To maintain my anonymity, I wore a hat and sunglasses, feeling like a character from a spy novel. It was a bit of a weird but funny experience.
The book suggests opting for an unlocked device, which allows for greater flexibility and control over cellular service providers. A Google Pixel device is specifically recommended due to its superior hardware security capabilities and compatibility with GrapheneOS.

2️⃣ Install a New Mobile Operating System

Preparing Your Device

Before installing a new mobile operating system, you'll need to prepare your device. Start by turning it on and dismissing any attempts to enter a Google account. Then, follow these steps:
  • Click Get started, then select Skip, and then Set up offline.
  • Click Continue, then Next.
  • Deselect all options and click Accept, then I Accept.
  • Click Skip, confirm Skip, and then Skip again.
  • Apply all pending updates in the System Update section.
  • Reboot and continue to apply updates until none are available.

Enabling Developer Mode

Next, you'll need to enable Developer mode on your device. To do this, follow these steps:
  • Tap About phone and then tap Build number several times.
  • Enable OEM Unlocking and USB debugging in the Developer Options section.
  • If OEM Unlocking is greyed out, you may need to conduct a full factory reset.

Installing GrapheneOS

Once your device is prepared and Developer mode is enabled, you can install GrapheneOS. To do this, follow these steps:
  • Visit the official GrapheneOS website and follow the installation steps provided there.
  • Use the web installer to install the operating system.
  • Follow the on-screen instructions to complete the installation process.
  1. Unlock bootloader: This will allow flashing the OS and firmware. Confirm the command on the device, which will wipe all data.
Download the factory images: Obtain the GrapheneOS factory images for your device.
Flash the factory images: This will replace the existing OS installation and wipe all data. Wait for the flashing process to complete.
Lock the bootloader: This enables full verified boot, preventing modifications to the OS partitions and ensuring data integrity. Confirm the command on the device, which will wipe all data again.
After installation, your device will be completely encrypted and will not send any data to Google. You can then harden a few settings to ensure your device is secure, such as disabling OEM Unlocking and Developer options.
Thats it, now we can start to configure our new GrapheneOS device.

3️⃣ Configure Your New Mobile Operating System

The section states that a new GrapheneOS device is private and secure by default, but some adjustments can further optimize it. GrapheneOS is not just a reskinned Android, but a heavily customized OS prioritizing privacy and security.
To ensure a smooth user experience, let's walk through the default settings and customizations, highlighting their benefits and potential drawbacks. Bazzell explains how to customize the quick menu on a GrapheneOS device. He shares his preferred layout, which includes:
  • Top row: Internet and airplane mode toggles for quick connectivity control
  • Second row: Location and Bluetooth toggles, which are usually kept disabled
  • Third row: Mic access and Camera access toggles, which are typically kept disabled to prevent accidental sharing of audio or video
  • Last row: Flashlight and Data saver buttons for easy access
Think about your own habits and needs as you arrange your menu. Prioritize the data saver button if you're often in areas with spotty internet. Keep location services disabled if you're concerned about being tracked.
Next I navigate to Settings > Network & internet and connect to my home network via Wi-Fi. Since I don't have a VPN-enabled home firewall (yet), I've installed a VPN on my device to add an extra layer of security.
Then, head to Settings > Security & privacy > Exploit Protection and make the following changes:
  • Enable the Turn off Wi-Fi automatically feature
  • Set the timer to 1 minute, which means that my device will disable Wi-Fi altogether if I'm not connected to a network for more than a minute
  • Disable Turn on Wi-Fi automatically
  • Disable Notify for public networks
You can also make a few more tweaks to your security settings:
  • Add a fingerprint to the system for easy unlocking
  • Disable the Native code debugging option
  • Disable the Allow camera access option
In addition, turn off the Wireless emergency alerts feature, as Bazzell mentions these alerts to be more of an annoyance than a useful feature.
Finally, customize your display settings:
  • Navigate to Settings > Accessibility > Color and motion > Color Correction
  • Enable Use color correction
  • Select Grayscale
  • Enable the Color correction shortcut, which allows to quickly toggle between color and grayscale modes.
To make it easier to access the color correction shortcut, I also:
  • Navigate to Settings > System > Gestures > System navigation and select 3-button navigation
  • Navigate to Settings > Accessibility > Accessibility shortcuts > Accessibility button > Location and select Navigation bar
This minimizes the screen impact of the shortcut and makes it easily accessible.
Next open the camera app, swipe down slightly and make some adjustments to present the settings menu:
  • Select Optimize for and Quality
  • Click More Settings; enable Gyroscope Suggestions; and disable Camera Sounds
Bazzell prefers a quiet device that won't draw much attention, so navigate to Settings > Sound & vibration and make the following changes:
  • Change Phone ringtone to none
  • Change Default notification sound to none
  • Disable Screen locking sound
  • Disable Charging sounds and vibration
  • Disable Tap & click sounds

PIN Scrambling

Recent updates to GrapheneOS have introduced a new security feature that may be of interest to some readers. Bazzell notes that this feature can provide an additional layer of protection for those who are concerned about surveillance.
The feature allows you to scramble the numbers presented within a PIN entry screen. This can be valuable for individuals who fear they are under surveillance and are concerned that entering the same pattern on every unlock could provide a way for an attacker to gain access to their device. With this feature enabled, unlocking the device takes a bit longer since the numbers are randomized each time. However, this adds an extra layer of security, as there will no longer be an identical pattern present within surveillance video, and fingerprint smudges on the screen will not be helpful to an attacker.
To enable this feature, navigate to Settings > Security & privacy > Device unlock > Settings icon next to Screen lock and toggling Scramble PIN input layout.

Auto Reboot

As an added layer of security, GrapheneOS devices are designed to automatically reboot every 72 hours if they have not been unlocked. This feature provides an additional safeguard in the event that a device is lost, stolen, or seized. If the screen has not been unlocked within three days, the device will reboot into a state that requires a PIN for access, rather than biometrics. Bazzell notes that this setting is suitable for most individuals, but for those with extreme needs, it can be modified.
To adjust this setting, follow these steps:
  • Navigate to Settings and then Security & privacy
  • Select Exploit protection then Auto Reboot
  • Modify the setting as desired
With these modifications in place, you should now have a solid foundation for securing your device. Next, Bazzell tackles the topic of Push Services, an important aspect of maintaining control over your digital life

4️⃣ Consider Push Services

Before we proceed with application installation and telephony services, let's discuss push services. Push services allow apps to receive notifications and updates in real-time, but they can also compromise your privacy.
Bazzell emphasizes the importance of considering push services when setting up your device. He notes that traditional Android and iPhone devices rely heavily on push services, which can create a significant attack surface.
If you want to maintain your privacy, you'll need to consider alternative push services. One option is to use open-source alternatives like microG, but Bazzell cautions that these services may still rely on Google's network.
A better option is to use GrapheneOS's sandboxed version of Google's services, which can be enabled within the GrapheneOS Apps menu. This approach provides a more secure way to receive push notifications, as Google's services are severely restricted and only have permissions on an application level.
Bazzell notes that this limited version of Google's services is superior to microG and provides a more secure way to receive push notifications. However, he also acknowledges that some people may not need push services at all.
If you don't need push services, you can simply skip to the next task. However, if you do need them, you can enable them within the GrapheneOS Apps menu.
  • Swipe up to see your application drawer and tap Apps
  • Click the Google Play services option and install it
  • Allow installation with default network permission for all three options
  • When complete, click Settings below Google Play services
  • Tap App battery usage and change it to Allow background usage
  • Navigate to Settings > Apps > See all ... and tap the three dots in the upper-right to Show system
  • Tap GmsCompat > Notifications and disable all
That's it. You now are ready to install applications and receive the benefits of push services without allowing Google unfettered access to your entire device. If you change your mind, you can disable all three options by opening each; clicking the three dots in the upper-right; and selecting "Uninstall". Your device will be Google-free again.

5️⃣ Privately Install Applications

Now that we have our GrapheneOS device set up, it's time to install some applications. Since we're avoiding Google services, we won't be using the Google Play Store. Instead, we'll use F-Droid, a popular alternative app store that offers a wide range of free and open-source apps.
To install F-Droid, follow these steps:
  • Launch the Vanadium browser on your GrapheneOS device
  • Navigate to f-droid.org and click the Download F-Droid button
  • Confirm the download and click Open at the top of the screen
  • If prompted, click Settings and enable Allow from this source
  • Confirm the installation of F-Droid
  • Open the F-Droid application and confirm any warnings
  • Click Don't Allow for notifications
  • Swipe down from the top and fetch any F-Droid updates available
  • Tap Updates to install any pending updates. If prompted, repeat enabling of Allow from this source
  • Reopen the F-Droid application
Once F-Droid is installed, we can use it to install other applications. Bazzell suggests starting with Aurora Store, which is an unofficial client to Google's Play Store. This allows us to search, install, and update apps without requiring a Google account.
To install Aurora Store, follow these steps:
  • Tap the Latest icon within F-Droid and tap the search icon
  • Search Aurora Store and tap Install
  • Allow the installation to complete and open Aurora Store
  • When prompted, accept their Terms of Service and follow the initial setup screens
  • Enable Anonymous mode to prevent Google account requirements
If you're having issues with Aurora Store, don't worry. Google occasionally blocks access to their app store via Aurora, but there are workarounds. Bazzell notes that the issues with Aurora Store often correct themselves after a while, so you can try waiting it out. Alternatively, you can try reinstalling Aurora Store or using a workaround method.
To use the workaround, follow these steps:
  • Open Settings and select Apps > Default apps > Opening links
  • Tap Aurora Store and enable Open supported links
  • Add links to Aurora Store and enable all options
If thats not working, disable links from Google Play Store first:
  • Open Settings and select "Apps" > Default apps > Opening links
  • Tap Google Play Store and disable Open supported links
  • Back to Settings and select Apps>Default apps>Opening links`
  • Tap Aurora Store and enable Open supported links
  • Add links to Aurora Store and enable all options
This should allow you to open Google Play Store links within Aurora Store. You can test it by searching for Signal Play Store in your Vanadium browser and clicking the link to open the page within Aurora Store.
Although the workaround method requires a few extra steps, it can help you navigate issues with the Aurora Store. Prioritize F-Droid for app installations, followed by Aurora and only use Google Play links via Aurora as a last resort. Also keeping Aurora updated through F-Droid is crucial for maintaining its functionality.
Alternative options like APK Pure and Obtainium are available but are considered unnecessary and potentially risky. Logging into a Google account from your device is strongly discouraged, as it would compromise its anonymity.

Controversy

Some readers may criticize the recommendation to use F-Droid and Aurora Store for application installation, but these criticisms are often based on a single source or a vocal minority. In reality Bazzell notes, these alternatives are the best options for maintaining privacy and security.
While F-Droid and Aurora Store may not be perfect, they are a better choice than installing the official Google Play Store and logging into a Google account. Installing applications from open-source APK files is also not a practical solution, as many apps do not offer this option and manual updates would be time-consuming. to keep them manually updated.
To maintain security, it's essential to only install trusted and vetted applications from F-Droid and Aurora Store. Avoid experimenting with new services on a clean device, and only install apps that are truly needed. By taking a cautious approach, you can minimize the risk of security scares.
When installing applications, GrapheneOS may prompt you to provide a network connection to the app. Block any apps that do not need network connectivity, such as home screen launchers or local music players.
Finally, review the permission manager within Aurora to ensure that apps are not accessing hardware features unnecessarily. Modify these settings to your specifications, disabling access to features like the camera, microphone, or location services for apps that do not require them.

6️⃣ Establish Private Cellular Service

Before proceeding with the next steps, I want to note that this section of the book was not easily applicable to my situation, as it is mostly focused on people living in the United States. However, I will try to summarize the strategies proposed by Bazzell.
To establish private cellular service, Bazzell recommends using a prepaid provider. This approach allows for more anonymity than traditional contracted plans, which often require a soft credit pull and a copy of our license. This way you get a prepaid plan not tied to your identity,
Some popular prepaid providers include Mint Mobile, Tello, US Mobile, and RedPocket. Mint Mobile is Bazzell's top recommendation, as it offers affordable plans, does not require user verification, and allows for prepayment up to a year.
To obtain a cellular plan with Mint Mobile, you can purchase a physical SIM card or use the eSIM option. Bazzell explains the benefits and inconveniences of each option, noting that physical SIM cards are more traditional and allow for easy transfer between devices, while eSIMs are more convenient and don't require shipment.
To activate a physical SIM card with Mint Mobile, you'll need to insert the card into your device, install the Mint Mobile app via Aurora, and follow the activation process.
Mint Mobile does not validate any information, so a random alias name is fine
You'll need to provide a name, email address, and physical address for billing purposes. Bazzell recommends using an alias name (as Mint Mobile does not validate any information) and a hotel address in your local area to maintain anonymity.
For eSIM activation, you'll need to enable eSIM support in your device's settings, then follow the activation process within the Mint Mobile app. Bazzell notes that this process can be more complicated, but it allows for more flexibility and convenience.
Ultimately, he emphasizes the importance of maintaining anonymity and security when obtaining cellular service. By using a prepaid provider and an alias name, you can reduce the risk of your personal information being shared or compromised.
Note: As I'm not a US resident, I couldn't verify if the methods outlined in the book actually work. While searching for similar eSIM services outside of the US, I stumbled upon kycnot.me/ - a pretty valuable resource. Too bad that even the most established option, silent.link, only supports US and UK residents for their .IDENTITY plans. If any Stackers got other options for aquiring a prepaid paln without ID verification feel free to leave a comment.
Also, I found some interesting reads on this topic: a FAQ post on What does GrapheneOS do about cellular tracking, interception and silent SMS? and some insightful comments from @final in Graphene Fixes This post by @siggy47.

Secondary Account

Bazzell shares an example of a client who relies on a banking app for mobile check deposits. However, her bank's app requires a true cellular telephone number to be associated with the account, and it sends a text message for authorization every time the app is opened.
To address this, she uses a Mint Mobile SIM card and a Tello voice and text account within the eSIM slot. She enables the eSIM only when needed, receives the verification text, and then disables it.

SIM and eSIM Disabling

Bazzell highlights one of the features of GrapheneOS that he finds particularly interesting - the ability to not only disable an eSIM, but also to disable the physical SIM via software. Most Android devices require you to remove your physical SIM card if you want it disabled, but GrapheneOS provides a toggle option within the SIM card's settings page.
This feature would be especially useful in situations where airplane mode is accidentally disabled near a sensitive location, as it would prevent SIM and eSIM connections from being enabled.

Payment Considerations

When setting up prepaid cellular service, it's essential to consider payment options carefully. Bazzell recommends avoiding payments that can be linked to our true identity, such as credit cards or PayPal. Establishing a masked payment as explained later in the book is the preferred option. This is because your mobile device is a tracking device that constantly announces your location, and associating it with your true name could compromise your identity.
As a bitcoiner, I appreciate that there are ways to enable private payments such as using services like Silent.Link that offer On-chain Bitcoin and Lightning payments where you dont need to doxx your identity to setting up a cellular service.

7️⃣ Consider Wi-Fi Calling

Wi-Fi calling allows you to make and receive calls and texts through your cellular carrier number while in airplane mode and connected only to Wi-Fi. This feature can be useful in certain situations, such as receiving a text message from a traditional cellular number while maintaining anonymity.
However, Bazzell notes that calls and texts made this way are logged in your cellular account forever. He can see the advantages of using this feature in certain situations, such as making calls unrelated to your identity or conducting banking transactions while in airplane mode. It's a trade-off between convenience and exposure, and each individual must decide what works best for them.
Personally, Bazzell relies on Voice over Internet Protocol (VoIP) numbers, which provide an additional layer of anonymity. However, he notes that not everyone has access to these options, and Wi-Fi calling can be a useful alternative in certain situations.
If you want to use Wi-Fi calling follow these steps:
  • go to Settings > Network & internet > SIMs
  • select you SIM and tap Wi-Fi calling
  • Enable Use Wi-Fi calling and change the Calling preference to Call over Wi-Fi

8️⃣ Customize Your Device

Bazzell is quite particular about the look and feel of his device, and he makes some significant changes to the default GrapheneOS Home app. He adopts a custom launcher, which allows him to modify the icons, change the names of the shortcuts, and fit more information on his screen.
I decided to follow his lead and customize my own device. I downloaded the custom launcher Lawnchair 14 via Aurora Store to my GrapheneOS device and began the customizations. After installation, I navigated to Settings > Apps > Default apps > Default home app. I seleced the Lawnchair and returned to the home screen. It appeared quite different.

Configuring Lawnchair

Once you've installed Lawnchair, you can configure it to suit your needs. To do this, follow these steps:
  • Swipe up to see the application drawer and select the launcher to browse through the configuration options.
  • Some settings I modified were the desktop icon grid (5x5), adapting icon and label size to my needs, and enabling a search bar. The seems to be a great viarity of customization options with Lawnchair, so feel free to adjust your device to your own taste.

9️⃣ Consider Android Profiles

Android profiles allow you to create unique configurations for multiple users or alias profiles on a single device. Bazzell experimented with this feature but ultimately decided not to use it as part of his communications strategy.
However, he notes that this feature can be useful for individuals who need to isolate their app usage or create separate environments for different purposes. For example, a client might need to use Google Maps for daily navigation but doesn't want any Google services in her primary device profile.
To create a new profile, you can follow these steps:
  • navigate to Settings > System > Users,
  • enable the Allow multiple users toggle,
  • and click the Add user to create a new profile.
This new profile is a separate environment from the primary profile, where you can install and use apps without affecting the primary profile.
When exiting a secondary profile, it's essential to note that it does not shut down all of the active services within it, which can lead to unnecessary battery drain and RAM usage. To avoid this, you can reboot the device after using the secondary profile or use GrapheneOS's "End Session" feature.
I still need to consider whether using Android profiles is right for me. Having a separate profile for certain apps could be useful, but I'll have to see the benefits and drawbacks and decide what works best for my needs.

🔟 Maintain Your Device

To ensure your device remains secure, it's essential to keep it up to date. Bazzell recommends enabling the default update options, as GrapheneOS delivers security patches frequently, often every week or two.
Monitoring Battery Life
Disabling push services can lead to faster battery drain, as some apps may constantly listen for new incoming communications. To mitigate this, monitor your battery usage and restrict apps that consume excessive power.
Optimizing Battery Life
To optimize battery life, charge your device to 100% and use it normally until the battery is almost dead. Then, check the battery history in Settings > Battery > Battery usage > View by apps to identify power-hungry services. If necessary, restrict background usage for specific apps by changing the optimized setting to Restricted in Settings > Apps > See all. Select the app and tap App battery usage and then disable Allow background usage.
Backing Up Your Data
Bazzell no longer recommends using the native SeedVault app, as many users have reported it to be less reliable. Instead, he suggests using a manual backup process using ADB. This method is not perfect and should only be used when absolutely necessary, such as to recover lost data.
To follow these steps open a Terminal on macOS or Linux machine which possesses ADB and make sure the device is connected via USB and debugging is enabled:
cd ~/Desktop adb backup -all -system -apk -keyvalue -obb -shared -f backup.ab
Restoring the backup to your device with:
adb restore ~/Desktop/backup.ab

Photos and Data transfer

In terms of photos and data transfer, Bazzell advises against relying on cloud storage services like Google Photos or iCloud, instead recommending a manual backup process using a USB-C flash drive. This involves connecting the drive to the mobile device, selecting all photos, and moving them to the external drive.
  • connect a FAT32 formatted USB-C flash drive to the mobile device.
  • make sure USB-C port is set to On
  • Open the Files application on the mobile device.
  • Open the upper-left hamburger menu and select the device, such as Pixel 7a.
  • Navigate to DCIM > Camera.
  • Tap the three dots and choose Select all.
  • Tap the three dots and choose Move to....
  • Open the upper-left menu and select the external drive.
  • Tap Move in the lower area.
  • Eject the external device and insert into a secure computer.
  • Move the photos to your desired storage location.
  • Make sure the photos were erased from the external device
This seems to be less convenient than Google or iCloud storage, but it is also much more secure and private. I actually find it quite convenient and I appreciate that I don't have to upload all my sensitive data and photos to some random server. This approach, as recommended by Bazzell, really resonates with me.

Conclusion 🎯

This was my journey with GrapheneOS. I really appreciate the advice and guidance I've received on how to have a more secure and private mobile experience. By implementing these strategies, I feel more confident and in control of my digital life, and I'm grateful for the peace of mind that comes with knowing I'm doing everything I can to protect my data.
I hope you've been able to follow along with the steps outlined here, and I encourage you to consider giving GrapheneOS a try for yourself. It's worth the effort to take control of your mobile experience and enjoy the benefits of a more private and customizable operating system.
In the next post, we'll focus on iOS mobile devices, exploring ways to improve security and privacy settings for those who prefer to stick within Apple's ecosystem or aren't ready to make the switch to GrapheneOS. Stay tuned ✌️

Resources 📚

Thanks for this amazing post. I'm bookmarking for when I go full private.
reply
USB-C back-up is great, a Pixel/Graphene OS combo is a reminder that a smart phone is a powerful computer with hard drive and saving feature. Also consider Syncthing for real time back-up
reply
Interesting!
reply
21 sats \ 3 replies \ @OT 2 Nov
Great write up. Its a monster of a book
reply
Thanks, yes it truly is. Will probably take some more months to go through. Which part are you currently?
reply
0 sats \ 1 reply \ @OT 2 Nov
Here!
Actually, I've been busy with some other stuff and won't be getting a new phone for a while. When I do I can go through chapter 2 more thoroughly.
There really is a lot to be aware of and requires some big changes. Come to think of it, I've been kinda putting it off. Old habits die hard.
reply
So true, time will come :)
reply
Totally bookmarking this for later. Thanks for the hard work, friend!
Also, is it still the case that mobile pay (Google/Apple Pay) don't work over graphene?
reply
reply