GrapheneOS install and hardening
This is more of a check-list than a comprehensive guide. Every item might not apply to your specific “threat model”. Readers are encouraged to also check out the GrapheneOS for Anarchists guide and the official GrapheneOS usage guide and FAQ.
Which device to choose?
Pixel phones (from the Pixel 6 onward) are known to resist Cellebrite data extraction very well, as of February 2025. A Google Pixel 6a would be the cheapest option. Don't use any earlier device. If you think you might be actively targeted, choose a Pixel 8 or later model (or better: no phone at all).
In any case, use a device that is still actively supported.
Also, you might want a phone that is not linked to your identity: bought with cash, or through a community service that buys phones for many people and distributes them without keeping transaction records.
Where to do the install?
To keep your phone unlinked from your personal identity, do not switch the phone on in your home until you have finished this guide: you might want to keep your phone in Airplane mode at least whenever you are near your home (ideally always). So choose a public place in a city center with public Wi-Fi, and bring a trusted laptop or Android phone with a Chromium-based browser to run the web installer, and KeePass{XC,DX} to generate your passwords.
Install
Follow the web installer instructions. Check the OS hash displayed on the first boot screen against the value for your device:
– Pixel 9a: 0508de44ee00bfb49ece32c418af1896391abde0f05b64f41bc9a2dfb589445b
– Pixel 9 Pro Fold: af4d2c6e62be0fec54f0271b9776ff061dd8392d9f51cf6ab1551d346679e24c
– Pixel 9 Pro XL: 55d3c2323db91bb91f20d38d015e85112d038f6b6b5738fe352c1a80dba57023
– Pixel 9 Pro: f729cab861da1b83fdfab402fc9480758f2ae78ee0b61c1f2137dd1ab7076e86
– Pixel 9: 9e6a8f3e0d761a780179f93acd5721ba1ab7c8c537c7761073c0a754b0e932de
– Pixel 8a: 096b8bd6d44527a24ac1564b308839f67e78202185cbff9cfdcb10e63250bc5e
– Pixel 8 Pro: 896db2d09d84e1d6bb747002b8a114950b946e5825772a9d48ba7eb01d118c1c
– Pixel 8: cd7479653aa88208f9f03034810ef9b7b0af8a9d41e2000e458ac403a2acb233
– Pixel Fold: ee0c9dfef6f55a878538b0dbf7e78e3bc3f1a13c8c44839b095fe26dd5fe2842
– Pixel Tablet: 94df136e6c6aa08dc26580af46f36419b5f9baf46039db076f5295b91aaff230
– Pixel 7a: 508d75dea10c5cbc3e7632260fc0b59f6055a8a49dd84e693b6d8899edbb01e4
– Pixel 7 Pro: bc1c0dd95664604382bb888412026422742eb333071ea0b2d19036217d49182f
– Pixel 7: 3efe5392be3ac38afb894d13de639e521675e62571a8a9b3ef9fc8c44fd17fa1
– Pixel 6a: 08c860350a9600692d10c8512f7b8e80707757468e8fbfeea2a870c0a83d6031
– Pixel 6 Pro: 439b76524d94c40652ce1bf0d8243773c634d2f99ba3160d8d02aa5e29ff925c
– Pixel 6: f0a890375d1405e62ebfd87e8d3f475f948ef031bbf9ddd516d5f600a23677e8
Initial wizard configuration
Language
If you plan to use a (Tor) VPN and are somewhat comfortable with English, keeping the default language (English (United States)) gives you a bit more anonymity (larger user pool).
Connect to Wi-Fi
Not yet. We want to register the initial fingerprint of the firmware/OS using the Auditor app before making any network connection: you will need another Android phone (ideally one belonging to a comrade you see from time to time) for this.
So tap Set up without Wi-Fi.
Date and time
Just select your time zone here.
Location services
Uncheck Allow apps that have asked your permission to use your location information. This can be enabled later via a quick toggle.
Set a PIN
Theoretically, if you trust the Titan M2 protection against brute-force attacks, a random 8-digit PIN is good enough. For additional safety (e.g. if you need to be sure the content of your phone can never be decrypted in your lifetime), tap Screen lock options to choose a Password of 18 random characters or 7 random words (or more), i.e. enough entropy bits to last a lifetime. Tip: remembering 7 random words can be tough at first, so maybe start with four and modify your passphrase regularly, adding a new random word each time, until you reach 7 or 8 words.
Fingerprint unlock
Skip for now (to be enabled later, only together with a second-factor PIN).
Restore apps & data
Skip. This can be done later if needed.
Auditor app setup
The Auditor app performs hardware-based verification that the phone firmware and OS have not been tampered with. Follow the related section of the GrapheneOS for Anarchists guide, except that you don't actually need internet connectivity to register remote verification.
Only the owner profile needs to set up Auditor.
Settings hardening
Let's start by toggling on Airplane mode.
Only settings which need to be changed from their default values (as of April 2025) are mentioned here.
Network & internet
Internet > Network preferences
Uncheck Allow WEP networks. WEP Wi-Fi access points should not exist nowadays, so if one does, better be aware that something is wrong.
SIMs
If you have a SIM card:
Toggle off Allow 2G at the bottom of the screen. This makes downgrade attacks by IMSI catchers more difficult. To go one step further, set Preferred network type to 5G or 4G only.
Once done, you can activate Airplane mode.
Notes on SIM cards:
– Wi-Fi calling does not use the VPN slot of your user session, so it will reveal your current IP address to your carrier.
– Unless a SIM card is turned off, apps can see the country code of your SIM card, even if Airplane mode is on, and use it to fingerprint you.
Data Saver
Toggling on Use Data Saver can be useful to save some megabytes on a cheap data plan, or just to reduce battery usage. However, if you use the VPN slot, this won't stop connections from apps that go through the VPN. Use the firewall feature of your VPN app instead (available in e.g. InviZible Pro or RethinkDNS).
Private DNS
If you plan to use the VPN slot (for a VPN provider or Tor), do not use the Private DNS feature, because it would take precedence over your VPN app's built-in DNS, which you should probably use to avoid sticking out among the VPN user pool.
If you don't plan to use a VPN, then choose a privacy-respecting DNS resolver like Quad9 or dns0.eu.
Connected devices > Connection preference
NFC
Temporarily enable Use NFC, then toggle on Require device unlock for NFC, then turn Use NFC back off.
Printing > Default Print Service
Unless you plan to use it, toggle off Use print service to reduce the attack surface.
Notifications > Notification on lock screen
If you don't want someone who gets their hands on your (locked) phone to know which app you use for communication (e.g. Signal), set this to Don't show any notifications.
Battery
Not privacy related, but you might want to switch on Charging optimization to limit battery charging to 80% for a longer battery life. Maybe also enable the Battery Saver feature.
System
Backup
The backup app (Seedvault) can back up some app data (for apps that implement the required API), APKs and user folders (e.g. Documents). It is per user, so the app needs to be run in every user profile you need a backup of. The safer option is to back up to a USB key (you can use the same USB key for multiple users/devices) that can be hidden in a safe place (and copy it from time to time, storing the copy in another location).
System updates
For added security, at the price of maybe missing some notifications, enable Automatic reboot, unless you plan to use a secondary profile and rely on its alarm clocks: those won't ring after a reboot until your secondary profile is unlocked. Alarm clocks of the owner profile keep working thanks to the Direct Boot feature, but even then, better not to rely on snoozing as it might not work.
To save on a small data plan, you might want to set Permitted networks to Unmetered.
Users
Users, and the Private Space (owner profile only for now), can be used to segregate apps into isolated profiles (almost as if on different phones) depending on their privacy issues, and/or to isolate your professional/personal/activist activities. In particular, this mitigates a major Android issue: many apps can see which other apps are active in the same profile.
If you only want to isolate the Play Store and some apps installed from it (e.g. banking apps), you can use the Private space feature of GrapheneOS under Security & privacy. Keep in mind that apps in the Private space cannot receive notifications while the private space is locked, nor can their data be backed up using the Seedvault app.
For those reasons, full-fledged user profiles might be preferable, in particular a Default secondary profile, as recommended by the AnarSec guide. One major advantage is that you can close the secondary session; it then returns to the Before First Unlock state, but you can still use your phone through the owner profile.
The AnarSec guide recommends a different password for the secondary profile, but using the same strong password as for the owner profile is not a big security risk, especially if you use fingerprint + second-factor PIN unlocking after the first unlock of the profile.
Security & privacy
Device unlock
Screen lock config
Enable Scramble PIN input layout to make it more difficult for a hidden camera/observer to guess your PIN.
Fingerprint Unlock
Using fingerprint unlock protects against shoulder-surfing attacks on your PIN. But an adversary could force you to unlock your phone with your finger (you can still try to use an unregistered finger), which is why the AnarSec guide recommends against it. Nowadays, however, we can set up a Second factor PIN, which mitigates the issue; 6 digits should probably be enough.
Duress password
This is a PIN that triggers the erasure of the decryption keys and reboots your phone if entered anywhere a PIN is asked for. This one is tricky and depends on the legal implications. There might be fewer legal repercussions for not giving your PIN than for being accused of destruction of evidence. One compromise would be to use a PIN and password that the adversary could try on their own, without you having to give it (but I'm no lawyer so I don't really know), e.g. using your date of birth or 1312/acab.
If you do setup a duress password/PIN, be sure to keep your backups up-to-date.
Exploit protection
Auto reboot
This is a major security feature of GrapheneOS: it reboots (returning the device to the Before First Unlock state) if the device has not been unlocked for a certain amount of time (18 hours by default). A shorter time improves security: don't hesitate to temporarily shorten it when you need to. 12 hours is probably a good default value for most people.
Turn off Wi-Fi automatically
Maybe set it to something like 5 minutes, to reduce battery usage (and very slightly reduce the attack surface, although Wi-Fi is very unlikely to be an attack vector here).
Turn off Bluetooth automatically
Same as above.
Native code debugging
Toggle on Block for third-party apps by default to improve sandboxing.
WebView JIT
Toggle on Disable for third-party apps by default to reduce attack surface.
DCL via memory
Toggle on Restrict for third-party apps by default for the same reasons as above.
DCL via storage
Same as above (as stated on the screen, you might have to enable it manually for some apps that depend on Play services).
More security & privacy
Toggle off Allow Sensors permission to apps by default. Add it back for the apps that actually need it (e.g. for auto-rotate).
How to install apps?
The usual recommendation to install a third-party app is to try in order:
- When a (progressive) web app is available and you don't need the features (e.g. notifications) of the native app: use their website/PWA. In Vanadium, tap Add to Home screen.
- Accrescent, a secure and open-source app store that can be installed from the GrapheneOS built-in App Store.
- Google Play Store (also installed from the built-in App Store).
- APK published on the project's forge, using Obtainium + AppVerifier (the latter being installed from the built-in App Store and used to check the Obtainium APK).
- Self-updating apps, like WireGuard or Signal.
- The project's own F-Droid repo (e.g. the repos of the Guardian Project, SimpleX, Briar, FUTO).
- IzzyOnDroid F-Droid repo.
- Official F-Droid repo.
This order has been chosen based on the security practices involved, and to minimize both the update delay and the number of third parties to trust.
The official F-Droid repo in particular should be avoided for security-critical apps due, among other issues, to its (slow) update process and (often outdated) build environment.
For apps only available in F-Droid repos (third-party or official), use either Obtainium or F-Droid Basic.
Regarding the Play Store, you should be able to register without giving any phone number, with a dedicated YopMail address for example. Use the 4-step setup to disable personalized tracking.
Once Obtainium is installed, remove the Allow from this source install permission from Files or Vanadium, which was granted to install the APK.
Recommended apps
VPN / Tor
A good VPN (i.e. Mullvad / IVPN) is probably enough for most activities. You can use Tor Browser for Android when needed, but Tor Browser on desktop / Tails would probably provide better anonymity (larger user pool).
Nonetheless, if you don't want to pay for a VPN, using a Tor-based VPN, Orbot or InviZible Pro, is viable, especially since it's often faster than the free RiseUp VPN. If you choose to use the owner profile only to install/update apps, then use a VPN (if your home router does not) rather than Tor, which may often disconnect when not in use for long periods of time (and thus you may miss updates). RiseUp VPN is fine for this purpose.
InviZible Pro Beta (the beta has no “ask for donation” popup) signature (for AppVerifier):
pan.alexander.tordnscrypt
1E:A0:9E:90:62:28:59:84:FF:E8:96:56:05:ED:AB:8B:01:ED:19:DF:A0:19:C3:14:84:A3:38:2A:CC:C1:9A:CE
InviZible has a custom “DNSCrypt” option which you can use to avoid loading ads, but at the cost of standing out a bit among most Tor users, who rely on the exit node for name resolution.
If you want to stack InviZible on top of, e.g., Mullvad VPN, you can connect to Mullvad through Shadowsocks in proxy mode:
– https://mullvad.net/en/help/shadowsocks-android
– https://invizible.net/en/tor-over-vpn/
Though Tor over VPN is usually not a net gain (see the InviZible documentation linked above), except if you use Shadowsocks to easily bypass most public Wi-Fi firewalls, and/or you don't want to be identified by the network/ISP as a Tor user, and/or you want some apps to be routed through your VPN only and not Tor.
Here is the Shadowsocks-Android signature for AppVerifier:
com.github.shadowsocks
92:41:6E:A4:16:64:22:61:3D:3D:1D:58:5A:C1:C7:0F:03:83:40:70:77:13:46:36:B4:CF:B2:F0:BD:8E:01:F0
(use -tv- for the inverted APK regex filter in Obtainium).
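The same fingerprint comparison that AppVerifier does on the phone can be reproduced on the laptop before sideloading. The following Python check is an added example (not from this guide, nor from AppVerifier or Obtainium): it takes the two fingerprints listed above and compares them with the digest line printed by apksigner verify --print-certs (Android SDK build-tools); the sample apksigner output is constructed and its line format is an assumption.

```python
import hmac
import re

# Publisher-provided signing certificate SHA-256 fingerprints, copied from
# this guide (package name -> colon-separated uppercase hex, AppVerifier style).
EXPECTED_FINGERPRINTS = {
    "pan.alexander.tordnscrypt":
        "1E:A0:9E:90:62:28:59:84:FF:E8:96:56:05:ED:AB:8B:01:ED:19:DF:A0:19:C3:14:84:A3:38:2A:CC:C1:9A:CE",
    "com.github.shadowsocks":
        "92:41:6E:A4:16:64:22:61:3D:3D:1D:58:5A:C1:C7:0F:03:83:40:70:77:13:46:36:B4:CF:B2:F0:BD:8E:01:F0",
}

def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:..', 'aabb..' or 'AA BB ..'; return lowercase hex, no separators."""
    digest = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(digest) != 64:
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return digest

# Assumed format of the line printed by `apksigner verify --print-certs`.
_DIGEST_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})")

def extract_signer_digests(apksigner_output: str) -> list[str]:
    """Return every SHA-256 certificate digest apksigner printed, normalized."""
    return [normalize_fingerprint(m) for m in _DIGEST_RE.findall(apksigner_output)]

def apk_matches_publisher(package: str, apksigner_output: str) -> bool:
    """True only if the APK is signed by the expected key and by no other key."""
    expected = normalize_fingerprint(EXPECTED_FINGERPRINTS[package])
    found = extract_signer_digests(apksigner_output)
    if len(found) != 1:
        return False  # unsigned, or extra signers: do not install
    return hmac.compare_digest(found[0], expected)

# Constructed sample of apksigner output for a genuine InviZible Pro APK.
SAMPLE_OK = """Verifies
Verified using v2 scheme (APK Signature Scheme v2): true
Signer #1 certificate DN: CN=InviZible
Signer #1 certificate SHA-256 digest: 1ea09e9062285984ffe8965605edab8b01ed19dfa019c31484a3382accc19ace
"""

# Constructed sample: same package name, but signed with an unknown key.
SAMPLE_BAD = SAMPLE_OK.replace("1ea09e90", "deadbeef")

if __name__ == "__main__":
    print(apk_matches_publisher("pan.alexander.tordnscrypt", SAMPLE_OK))   # True
    print(apk_matches_publisher("pan.alexander.tordnscrypt", SAMPLE_BAD))  # False
```

Run apksigner on the downloaded APK and feed its output to apk_matches_publisher; a False result means the APK was not signed by the key the developer published.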
Email
Either FairEmail or Thunderbird for Android (simpler, less configurable, fewer anti-tracking features, but can import all your accounts from the desktop easily), with OpenKeychain for GPG support.
Instant Messaging
The usual suspects: Signal (or better: Molly, installed from Accrescent), SimpleX, Cwtch and Briar.
Mitigation against forceful take-over of unlocked phone
You can activate Google Play Theft Detection Lock in Google Settings > Theft protection, but the conditions that trigger the lock are rather peculiar. So you can also install Private Lock. The app is quite old, but works. A sensitivity of 30 appears to be usable.
Password manager
KeePassDX is good. It can be synced with your PC using Syncthing if needed.
Various other apps
- Keyboard: HeliBoard
- Casual browsing: IronFox (for websites that don't require a login, or at least don't incur a financial or reputational risk if you get hacked), as the IronFox (Firefox) sandbox is significantly weaker than Vanadium's. But it has better tracker/ad blocking.
- Sensitive websites: Tor Browser
- Agenda: Etar, ICSx5 (public ical calendar), DAVx5 (private caldav)
- Reading: LxReader, OpenLib
- Weather app: Breezy Weather
- GPS: Organic Maps (trekking), OsmAnd+ (power users), Magic Earth (for bus schedules).