Secure Mobile Phones - GrapheneOS

6th December 2022

Online security is a growing concern, but you don’t have to be a secret agent to want to guard your privacy. In fact, you probably aren’t a secret agent, but your data is still being collected, and every device connected to the internet is vulnerable to hacking and probably will be attacked at some point, simply because algorithms exist to attack devices and extract data on a vast scale from everyone, in the hope that someone finds something.

There is so much information out there on data hacking, picture hacking, stealth recording and the tracking of movements… I don’t want to go full-on tin-hat over this, but it is not something I want.  Certainly not when it comes to work.

And even more so when I’m traveling abroad.

The problem with enhancing your security is a loss of convenience.  We like Apple and Google products because they work seamlessly across all of our devices and allow the convenient sharing of information with our friends and colleagues.   But because Apple and Google are the largest providers, they are the most vulnerable.

My current work phone is a Google Pixel 6 from which I have removed the standard Android OS and replaced it with GrapheneOS – a more secure operating system.   But moving away from either Apple or Google will result in a loss of convenience.   That is the price you have to be willing to pay.  Convenience = vulnerability and resilience = inconvenience (albeit slight).

 

The Benefits of GrapheneOS

  • Firstly, GrapheneOS doesn’t require you to create an account with them, unlike Google and Apple. Without a unique GrapheneOS account, your OS can’t be identified and it doesn’t have access to your device ID.

  • iPhones and Android phones are full of bloatware – apps that you cannot remove.  Android phones often more so, with the likes of Samsung, LG or Huawei even having duplicate apps: the manufacturer’s calendar, contacts, web browser, email client and so on, as well as the Google versions.  Fewer apps mean more memory available and faster processing.

  • It is through these bloatware apps that Google and other corporations track you to serve you targeted ads.  By removing all Google apps, GrapheneOS ensures that advertisers can’t access your web activity.

  • Every device that connects to the internet has a MAC address assigned to it.  When your phone is looking for a WiFi network to connect to, it sends out a request which includes the device’s MAC address.   If you are moving from place to place, your MAC address can be tracked showing your movements.  GrapheneOS creates a randomized MAC address each time it connects to a WiFi network.

  • GrapheneOS features an LTE-only mode that reduces the cellular radio attack surface by disabling legacy code (2G, 3G) and bleeding edge code (5G).

  • Both Wi-Fi and Bluetooth can be set to automatically turn off if not connected to a device.

  • Photos taken with the Graphene Camera App do not include metadata and geotagging.

  • Your PIN display can be scrambled.   I don’t need to see someone’s actual PIN to Frape someone; I just have to see the pattern their finger makes as it moves across the keys.  With PIN scrambling, the keypad rearranges the numbers each time.

  • The OS gives you the option to revoke full network access of any app on your phone—a feature that neither Android nor iOS offers.  By revoking an app’s full network access, you can limit its ability to track you and access your data.

  • And as it is not a mainstream OS, viruses and hacking are significantly reduced.  A hardened OS protects against zero-day vulnerabilities: flaws that are not resolved with security fixes and patches until they are discovered, sometimes months later.

And finally… how long your battery lasts depends on how much you use your phone, but fewer apps and less unsolicited data transmission all mean longer battery life.


The Disadvantages of GrapheneOS

The biggest disadvantage of Graphene is that it is not Google or Apple. And here is the inconvenience.

Most custom ROMs don’t have Google by default, but they do have microG.  Through microG, you can manually install Google Play Services and choose how much access Google has to your data. GrapheneOS, on the other hand, won’t let even the slightest implementation of Google into its system.

That said, you can still install open-source alternatives to many Google apps through F-Droid. Here, you can also install the Aurora Store, which is a Google Play Store client, if you want to get mainstream apps like Facebook and Spotify.  However, those that require Google Play Services to run might have some missing features or might not open at all.

Some push notifications may not work, as most developers use Firebase Cloud Messaging (FCM), a cross-platform messaging service that requires Google services on Android to work correctly.  Apps that rely on Google services may therefore have issues with push notifications.   This phone is purposefully kept lean, but I have not had an issue with any push notifications so far.

For some, the absence of push notifications may even be an advantage.

Graphene OS Install

This process will erase all data from your phone.  Before continuing, ensure you have backed up any important documents, photos, playlists, contacts, and messages.

1.    Setting up the Phone

1.1    First, turn on the Pixel device.

1.1.1 If you are starting with a new phone, dismiss all prompts to enter a Google account. Swipe up to access the menu and launch “Settings”.

1.1.2 If you are installing on a phone you currently use, back up all of your data before performing a factory reset.

1.2    Tap “About Phone”

1.3    Scroll to the bottom and tap “Build Number” several times until “Developer Mode” is enabled

1.4    Tap the back arrow

1.5    Tap “System”

1.6    Tap “Developer Options”

1.7    Enable “OEM Unlocking”

1.8    Check that “USB Debugging” is already enabled

On some Pixels, “OEM Unlocking” is greyed out, preventing it from being enabled manually.  The fix is to change the date on your phone to any date prior to June 2022.  Repeat the above steps and you should then be able to turn on the OEM Unlocking switch.

 

2.    Connecting your phone

2.1    Start up your Windows or Mac laptop and go to https://grapheneos.org/install/web in a Chrome, Edge, or Brave browser.

2.2    Turn off the Pixel device

2.3    Hold the power and volume down buttons at the same time

2.4    When you see the “Bootloader” menu, connect the device to your computer with the USB cable.

If the device is showing as “Locked” you will need to correct this in Section 3 below, before returning to this section.

2.5    Click the “Unlock Bootloader” button on the GrapheneOS web page.

2.6    Select your device from the popup menu

If the device is not showing, you will need to move to Section 4 before continuing.

2.7    Click “Connect”

2.8    Press the volume down button on the device to select “Unlock Bootloader”

2.9    Press the power button to confirm the choice

2.10   Click the “Download Release” button

2.11   Allow the process to complete

2.12   Click “Lock Bootloader” on the GrapheneOS page.

2.13   Press the volume down button on the device to select “Lock Bootloader”

2.14   Press the power button to confirm the choice

2.15   Make sure “Start” appears next to the power button and press it

2.16   Allow the phone to boot

 

3.    Device Locked?

3.1    If, after the steps in Section 1, your phone still shows as locked in fastboot, you will need to unlock it manually.

3.2    Go to https://developer.android.com/studio/releases/platform-tools and download the Windows version of Android SDK Platform Tools.

3.3    Extract the files and save them to a location you will remember, e.g. C:\Program Files

3.4    Open the folder you have extracted the files to and type “CMD” in the address bar to open up the Command Prompt for that folder.

3.5    To make sure your phone is connected, type “fastboot devices” and hit Enter; you should see a line appear showing the serial number of your phone.

 

If you do not get a response, you will need to go to Section 4 before continuing.

3.6    To ensure you have Android SDK Platform Tools installed on your laptop properly, type “fastboot --version”.

A new line should appear showing the version you have installed.

3.7    Type “fastboot flashing unlock”.

The phone screen should now change.  Next to the power button of your phone it says “Do not unlock bootloader”.

3.8    Use the volume up and down buttons to select “Unlock Bootloader”.

3.9    Press the power button and the phone will restart in Bootloader showing the device is unlocked.

You can now go back to step 2.3
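A pre-flight check for the manual unlock in Section 3, added here as an example rather than anything from the guide or the GrapheneOS project. It assumes the Platform Tools `fastboot` binary is on PATH (or named via the FASTBOOT variable) and that the phone reports its lock state through `fastboot getvar unlocked`, as Pixels do; it only reads state and tells you whether to go back to step 2.3 or continue with step 3.7, and it stops if no device or more than one device is attached.

```shell
#!/bin/sh
# Pre-flight check for the manual bootloader unlock in Section 3 (added example,
# not part of the guide). Assumes the Platform Tools `fastboot` binary is on PATH,
# or that FASTBOOT points at it, and that the phone reports its lock state via
# `fastboot getvar unlocked` ("unlocked: yes" / "unlocked: no"), as Pixels do.
FASTBOOT="${FASTBOOT:-fastboot}"

# Count devices in `fastboot devices` output (stdin), one "SERIAL<TAB>fastboot" line each.
count_fastboot_devices() {
    grep -c '[[:space:]]fastboot[[:space:]]*$' || true   # grep exits 1 on zero matches
}

# Print the first serial from `fastboot devices` output (stdin).
first_fastboot_serial() {
    awk '/fastboot[[:space:]]*$/ { print $1; exit }'
}

# Reduce `fastboot getvar unlocked` output (stdin) to "yes", "no" or "unknown".
parse_unlocked_state() {
    awk 'BEGIN { s = "unknown" } { sub(/\r$/, "") } /^unlocked:/ { s = $2 } END { print s }'
}

# Run the real checks; each failure names the section of the guide that covers it.
preflight() {
    if ! "$FASTBOOT" --version >/dev/null 2>&1; then
        echo "fastboot not found: install Android SDK Platform Tools (step 3.2)" >&2
        return 1
    fi
    out=$("$FASTBOOT" devices 2>/dev/null)
    n=$(printf '%s\n' "$out" | count_fastboot_devices)
    case "$n" in
        0) echo "no device in fastboot mode: see Section 4 (drivers) and check the cable" >&2; return 1 ;;
        1) ;;
        *) echo "$n devices attached: unplug everything except the Pixel you are flashing" >&2; return 1 ;;
    esac
    serial=$(printf '%s\n' "$out" | first_fastboot_serial)
    # getvar prints to stderr, hence 2>&1; this only reads the state, it changes nothing.
    state=$("$FASTBOOT" -s "$serial" getvar unlocked 2>&1 | parse_unlocked_state)
    case "$state" in
        yes) echo "device $serial: bootloader already unlocked, go back to step 2.3" ;;
        no)  echo "device $serial: bootloader locked, continue with step 3.7 (fastboot flashing unlock)" ;;
        *)   echo "device $serial: could not read the lock state" >&2; return 1 ;;
    esac
}

# Run as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```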

4.    Phone not connecting?

4.1    With your phone connected to your laptop, go into “Device Manager” on your laptop and under “Other Devices” you will see your phone listed with a yellow exclamation mark before it, indicating that your phone is connected but the drivers are not yet installed on your laptop. It can see it, but it can’t communicate with it.

4.2    Download the driver and extract the files from the Zip folder using “Extract here” to the Downloads folder

4.3    You will see a new folder called “USB_Drivers”

4.4    Re-open Device Manager and click on your phone under “Other Devices”

4.5    Click the Drivers tab and select “Update Drivers”

4.6    On the next screen select “Browse my computer for drivers”.

4.7    Select the “USB_Drivers” folder from “Downloads” and select “Next”.

4.8    Go back into “Device Manager” and you will now see your phone is no longer listed in “Other Devices” but a new folder called “Android Device” appears near the top.

Your Pixel drivers are now installed and this should remedy any problems in Section 2 or 3.

You now have a very clean, secure phone with no accounts linked to it, no background apps sending out your data or location, and no unknown WiFi or Bluetooth connections taking place in the background. It’s just a very secure phone… and it looks it. When you turn it on, get used to the bootloader screen appearing for a few seconds. Don’t touch anything; it then briefly flashes to a “Google” logo and then GrapheneOS loads.

The home screen is… bare. But I like that. There are, however, some apps you can install.

 

Apps

Not being connected to Google means no Google Play.

To be clear, this is my work phone, not my personal phone.   I am far too in love with social media to go completely Google-free in life.   The main purpose of this phone is communication and mapping (more on that in a separate article).

GrapheneOS offers a few built-in hardened apps for basic tasks.  Some of them are available on the Play Store, while others are not.  First and foremost, there's the Vanadium browser. The app is essentially a hardened variant of Chrome, providing enhanced privacy and security features.  Vanadium is only available for GrapheneOS.

GrapheneOS also offers a camera app called Private Camera, which is available on the Google Play Store. It's built by the GrapheneOS team (not based on AOSP code) and supports most traditional shooting modes, alongside a raft of privacy/security features. These include a dedicated QR scanning mode, functioning without Network and Media/Storage permissions, and the optional stripping of EXIF metadata from photos and videos. But, and it's a big but, if you use your camera a lot for work, it is nowhere near as functional or as good as the Pixel Camera.

Additionally, the GrapheneOS team has developed a sandboxed, hardened PDF viewer app, blocking another common attack vector. There's also an Auditor app, designed to provide hardware-based verification of the authenticity and integrity of the firmware/software on devices. Both of these apps are available on the Play Store.

Without Google Play, there are alternatives.

F-Droid offers a limited selection of Free Open Source Software Apps.  Aurora Store allows you to download Google Play Store Apps without Google Play or other Google services.

Download both of these apps to your phone.


Contacts

To be honest, I am not completely Google-free. I still use Google Contacts and Calendar, as this is a work phone.   It would be nonsensical to keep a copy of my contacts in an encrypted format on a secure phone (which I then have to manually update, say, once a week) when they are stored on Google Contacts on at least three other platforms elsewhere.

But accessing my contacts from a more secure phone reduces vulnerabilities;  if someone wants my data, there are many ways of getting it, but at least it is less likely to be through my phone.   (And the other platforms are also pretty secure.)

There are probably more secure, non-Google or Apple ways of syncing contacts but for me, it is not worth the effort of changing the process across the business. Yet.

 

VPNs

If you have gone to all of this trouble, it would be rash not to install a VPN and use it as standard practice.

I have been using NordVPN on my phones, laptop and desktop for years.  ProtonVPN is also worth looking at.

 

Whatsapp

I still use WhatsApp as my main communication.   Back in 2021 a whole load of people lost their collective shit when WhatsApp announced a change to its privacy agreement after its buy-out by Facebook.   This was (for about 6 hours) the biggest thing to happen to some of my friends in the security industry.   When Facebook bought WhatsApp they changed the privacy agreement to record the shared information of both entities through their parent company Meta.   Some people took this to mean that all of our messages would be publicly accessible and it was no longer secure.    That day I had over 100 requests from my contacts to join them on Signal.

Two years on and I think I have exchanged about 3 conversations with people on Signal. It is just as secure as WhatsApp. Maybe more secure. But the biggest issue I have with it is that not enough people use it to make it my standard messaging app.

I have Signal on this phone (installed through the Aurora Store) because a couple of contacts insist on using it as their sole messaging tool, but for everything else it is still WhatsApp for me.

WhatsApp is still end-to-end encrypted.  Meta cannot see your conversation, they cannot see your shared location (and the Share My Live Location feature is the most underrated and underused tool on WhatsApp), and they don’t share your contacts.   It is still more secure than most members of the public will ever need.

The only vulnerability is if your backed-up messages are not encrypted.  That can be fixed in a few taps in “Settings”:

1. Start the WhatsApp app.

2. If you have an iPhone, tap Settings at the bottom right. On Android or GrapheneOS, tap the three-dot menu at the top right and choose Settings in the dropdown menu.

3. Tap Chats.

4. Tap Chat Backup.

5. Tap End-to-end Encrypted Backup and then tap Turn On.

To download WhatsApp without Google Play, you can use the Aurora Store or get it directly from here.

Navigation

I purposefully don’t use navigation apps on this phone, but there are a bunch of open source apps available on F-Droid and the Aurora Store to choose from.

For work purposes, I use ATAK, which I’ll be discussing in the next article.