De-googling your phone means removing all the apps, connections, server call-backs, and integrations with the Google ecosystem.
This is most easily done, ironically, with a semi-recent Google Pixel phone.
GrapheneOS is recommended over LineageOS for its “verified boot” — but LineageOS is still a great option and is compatible with a much larger range of older Android phones.
GrapheneOS supports only a few of the recent Pixels: essentially the 3a and up are actively updated, while the 3 has a legacy version and previous models are no longer updated as of 2022.
For the official install instructions, go to grapheneos.org/install. There is even a web installer which makes a lot of the install relatively hands-off.
For this example, I will show you how to install GrapheneOS on your Pixel (3a to 6 and above) using a Linux computer and some small software tools.
- Prepare the Pixel Before Installing GrapheneOS
- Next, Download and Install the GrapheneOS
- How to Harden GrapheneOS After Installing
- Keeping Your New Phone Secure: Proper Security Practices
- For Windows or Mac Users: Or If You Want to Use the Web Installer to Install GrapheneOS
- A computer running Linux , either a dedicated host or running on a LiveUSB. The host install (Linux installed as the operating system) is best. Do not use a Linux virtual machine for this purpose. If you have a Windows or Mac machine, don’t worry, there is a web installer. More details below.
- A cord to connect your device to your computer.
- An Internet connection.
- A new or used unlocked pixel device supported by GrapheneOS. Make sure your files on the device are saved somewhere else and backed up before proceeding.
Prepare the Pixel Before Installing GrapheneOS
- Turn on the Pixel device.
- Enable developers mode by going to Settings, clicking About phone, tapping Build number at the bottom several times until Developer mode is enabled.
- Click the back arrow and click System -> Advanced -> Developer Options.
- Enable OEM Unlocking and confirm. If this option is greyed out, restart your device, re-enable developer options if needed, and try unlocking again. Wait a few minutes. Restart the device and check to see if the OEM Unlocking is accessible again. Sometimes this is tricky but eventually it will work.
- Power off the device.
First, prepare your computer by installing a few tools.
Open up a Terminal window and type the following, pressing enter after each line, to download and install platform tools:
- sudo apt install libarchive-tools
- curl -O https://dl.google.com/android/repository/platform-tools_r31.0.3-linux.zip
- bsdtar xvf platform-tools_r31.0.3-linux.zip
- export PATH=”$PWD/platform-tools:$PATH”
- sudo apt install android-sdk-platform-tools-common
- sudo apt install signify-openbsd
- fastboot –version
After typing the last command which verifies Fastboot is installed, the display should be of the Fastboot version number currently installed.
Power down your Pixel device.
Next, boot your device into the bootloader interface by holding down the power and volume down buttons simultaneously.
When Fastboot mode menu shows up, connect the device to your computer with the USB cord.
Type the following command in a Terminal window:
fastboot flashing unlock
It should display OKAY after executing.
Press the volume down button on the Pixel device until the Unlock the bootloader is displayed.
Press the power button.
Next, Download and Install the GrapheneOS
For the most up-to-date release, go to grapheneos.org/releases and choose your device from the “Stable Channel” list.
Replace the file names below with the most recent version of the file on that list. This is the most recent as of January 25, 2022.
Execute the following, line by line, in a Terminal. The last line will print out a confirmation that the file has integrity and has not been tampered with.
- curl -O https://releases.grapheneos.org/factory.pub
- curl -O https://releases.grapheneos.org/sunfish-factory-2022011423.zip
- curl -O https://releases.grapheneos.org/sunfish-factory-2022011423.zip.sig
- signify-openbsd -Cqp factory.pub -x sunfish-factory-2022011423.zip.sig && echo verified
Now extract the files and install your new GrapheneOS to your device:
- bsdtar xvf sunfish-factory-2021081411.zip
- cd sunfish-factory-2021081411
- fastboot flashing lock
Now the device will show the option “Do not lock the bootloader”. Press the volume down button until the option “Lock the bootloader” is selected. Press the power button.
Great! Now you may restart your device by pressing the option “Start” or by holding the power button down to shut off the device as usual, disconnect your Pixel device from your computer, then power the device back on.
The splash screen will say there is an error because you are booting into something other than stock Android — that is to be expected. Also do not worry about the momentary Google logo, it does not mean Google Android is still on your phone.
How to Harden GrapheneOS After Installing
Now you are ready to harden a few settings to make your minimal install secure and practical.
Upon the first boot of your shiny new operating system, you’ll want to update some settings. If you have an Ethernet to USB-C adapter, use that to connect your device to the Internet.
Otherwise, press Next until the WiFi screen displays. Connect to WiFi and do the following:
- Disable location services
- Assign a secure PIN for your screen lock
- Add your fingerprint for unlocking your device, if you want
- Skip the restore options
Now your device is running GrapheneOS, is not sending any of your data back to Google servers, and is not revealing your location to any apps.
Now to tighten a few more things:
- Disable unlocking and developer tools: Settings -> About phone -> Tap “build number” until “Developer mode” is enabled.
- Click the back arrow and click System -> Advanced -> Developer options.
- Disable OEM Unlocking, confirm the choice.
- Disable Developer options.
- Reboot your Pixel.
Downloading Apps for GrapheneOS and Keeping it Secure: F-Droid and Aurora Store
Since we are not utilizing Google for anything, Google Play Store is not going to factor into our new setup. Goodbye, centralized corporate gatekeeper!
Instead, let’s use F-Droid and Aurora Store. Most apps we need will be covered by these two app stores.
To download F-Droid, a Free and Open Source Android App Repository:
- Launch your new browser, Vanadium, and go to f-droid.org.
- Click “Download F-Droid”. Confirm the download, then open it.
- If prompted, go to “Settings” and “Allow from source” to give F-Droid permission to install.
- Click the back button and confirm the installation of F-Droid.
- Open up the F-Droid app.
- Swipe down from the top of the screen and install any updates to F-Droid, if applicable.
- If prompted, repeat the “Allow from source” permissions.
- Re-open F-Droid
Now you’ve got one alternative to Google Play Store, but this repository is limited to free and open source software applications. For a greater range, if you need it, Aurora store is a great and anonymous client to Google’s Play Store.
But Aurora Store does NOT require Google’s proprietary framework to work. In fact, it can spoof your identity, location, language etc. if you use an Anonymous profile (selected when you install Aurora Store).
- Use the “updates” option in F-Droid and Aurora store to keep your apps up-to-date. Keep Aurora updated through the F-Droid app.
- Your GrapheneOS will auto-update and when it does, you generally need to reboot for the updates to take effect.
Secure, Privacy-Respecting Communications Apps in GrapheneOS
Your Pixel device is now superior to any typical stock Android device or iPhone:
- Your Pixel does not share data with Google
- You require no account to download apps, therefore an account does not exist to surveil your habits
- There is no cloud storage embedded in your device to automatically sync your device to third-party servers
- You have a device that serves YOU and not those who wish to exploit your data, whether personally or in aggregate
- Since your Pixel does not have core Google services to enable notifications, you may notice the lack of push notification services, location, and mapping. For some this is an inconvenience but for me, it is a benefit of going without Google.
- Signal App, for example, relies on its own service for push notifications, while other apps for email may not give notifications until you open the app itself.
Signal App on GrapheneOS
Signal App (signal.org) is gaining in popularity as an end-to-end encrypted, secure communications platform.
- Signal offers E2EE (end-to-end-encryption) for both messages and calls. Encrypted voice calling is amazing! Traditional telephone service providers can intercept any call, but full encryption with Signal means that no one can access your data.
The alternative to the compromised Facebook-owned WhatsApp and other surveillance technocratic offerings, Signal App is great except that it requires your phone number in order to create your account.
This may not seem like a big deal, but your phone number is linked to you and reveals more about you than any other social security number or social credit number ever can.
- Optional: to prevent the privacy infringement, create a new number or use a Google Voice number (if available in your country). Or better yet, port your old number to Google Voice and then use that ported number. Never reveal the cell phone number that matches your actual device.
So now let’s download and configure Signal on your GrapheneOS Pixel:
- Download Signal App through Aurora Store.
- Launch the app, accept the defaults.
- Enter (a VOIP number, ideally) phone number, confirm the text or call.
- Enter a name you want to use, the shortest can be one letter.
- Enter a PIN.
- Tap the alert about missing Google services. Select “Allow” if you want the app to be running in the background (using battery resources) to receive message notifications. Select “Deny” if saving battery is more important to you and you don’t need message notifications until you open the app itself.
Keeping Your New Phone Secure: Proper Security Practices
Whenever you want to install a new app for a desired purpose, try the F-Droid store first; they have some good privacy-respecting apps that aren’t available anywhere else.
You could also find and install APK packages directly from apkpure.com if you need to find older releases no longer hosted on the usual app stores.
Try to keep your apps to a minimum. The first things I install on a new GrapheneOS device are:
Most of the popular apps are on Aurora store, and most of them will work fine without Google Play Services — even the Google ones — you just cannot login with your personal credentials.
Should you want to log into some Google apps, or should you need an app that you purchased, or an app that absolutely will not run without Google Play Services, GrapheneOS allows you to install sandboxed Google services.
- Use anonymous mode on Aurora store for all sessions, if practicable.
- Refrain from using your user credentials on the Aurora store, as doing so will reveal your personal details (obviously) and might lead to the deletion of your Google account (the store itself cannot be banned but clearly violates Google’s TOC).
- Generally, as a best practice, rely on F-Droid for apps. Access Aurora (and the Google domain) as the last resort; the entire idea of F-Droid is to have a better alternative that is FOSS.
Logging into Google with credentials linked to you, taints all.
Remember that once you sign into a Google Service with your real account — sandboxed or not — Google servers most likely will have recorded your IMEI forever. The same is true for any app that can read your “Phone State and Identity” and which runs under your real identity, since that unveils your phone number and other identifiers to them. In such cases, treat the entire phone as ‘burned’ for any activity you don’t want others to know about.
Transitioning Away from Apple or Google Apps
If you are addicted to certain apps that exist in one ecosystem — Apple, for example — you will do better by transitioning yourself out of it. First switch out all apps to non-Apple apps that exist cross-platform. Doing so makes it as easy to change devices as changing clothes once fully transitioned (hence their try to make their ecosystem as compelling as possible).
Keeping your data synced: The biggest of all transitioning problems for me was syncing my data. I recommend Nextcloud and Syncthing for that. I use Syncthing for bigger sets of data that I just want to move once (books, audiobooks, videos, music, etc.) or such data that I don’t want to touch the internet. And Nextcloud is the key program for my workflow for daily business, and also for my photo collections. I can’t recommend Nextcloud enough (it is an open-source hard fork from Owncloud). You can install and run it locally, or opt for an online install (either on an existing instance, which defeats its purpose partially, or self-hosted on a VPS).
For Windows or Mac Users: Or If You Want to Use the Web Installer to Install GrapheneOS
If you don’t want to attempt the command line install on Linux, or if you have a Windows or Mac machine, there are many videos showing you how to use the web installer for GrapheneOS.
One such is Install GrapheneOS With Web Installer (Degoogle Your Phone In 10 Minutes), hosted by the wonderful youtube alternative, Odysee.com