Hey.
My phone is a Pixel 8A Graphene OS Phone. I Want to make this phone a Hardended phone. A safe phone. Privacy friendly phone. Not a Watched or tapped into phone. Basically limit the spying and intercepting and get control of the spying mechanisms that may be at play.
The phone has Sandboxed google.play services.
(grapheneos) and 1 profile (owner)
The phone has a kyc sim card. ( currently no way out)
Thanks.
Activate the private space and move sandboxed google play and any non-foss apps there. You can use separate user profiles to do this, but in practical use, the private space works much more smoothly. The “private space” is a fairly recent addition to GrapheneOS which is why most advice recommends to use multiple user profiles, but take it from me, the private space is much easier to use.
Only use free, open-source apps in the main profile. Installing F-droid to handle your apps works well here.
Alternatively you can install Obtainium to manage your apps. Obtainium can install apps from f-droid or if you are adventurous you can use obtainium to install and update apps from their github repos - but this can be a lot of effort.
For gps navigation Install OsmAnd and familiarize yourself with it and learn how to get it setup to your liking. OsmAnd can be tough at first so get used to it’s limitations. You MUST get in the habit of planning your route before you leave to minimize any problems or surprises.
Go to Signal’s website and find the app download link there, determine the download URL of the .apk file and paste that address into Obtainium as a source address so Obtainium can handle the installation and updates of Signal… Even though it is open source, signal isn’t on the f-droid repo so the only clean way of getting it is from their website. It can be installed from the play store but if you do that, it is possible for the feds to force google to push a compromised update to your phone in-particular.
Remove the sim card and leave it locked away in a drawer at home. There are plenty of places around town where free WiFi is available and very few people are too important to wait for you to return their message. Use a VPN (mullvad) with other peoples WiFi, though. In the Mullvad app’s split tunnelling settings, select show system apps, scroll down to “Captive Portal Login” and exclude it from the VPN connection - without doing this you won’t be able to hit the “I agree to the terms of use” prompt free WiFi connections present to users before allowing internet to connect.
Find a cheap VoIP/SIP provider. Install Linphone as your SIP client so you can make phone calls while out-and-about on free WiFi if the need ever presents itself.
Make sure you enable airplane mode too, even without a SIM it’ll still be connected to the cell towers.
Create a separate user profile (one for each “online identity” if needed).
Install orbot (tor) on the main (admin) profile, along with any stores or app installers.
Install apps with the admin profile and pass them to your user profiles that will use them. Your installs will be anonymous through orbot. Disable all apps on the admin profile and don’t use apps on it.
I use an always on VPN on user profiles. You can also use orbot, but it will likely be slower.
I have the exact same setup as you lol
You can also use the Aurora Store and not use appls from the playstore.
I also have a separate SIM in here from Redpocket. You could buy the $30 annual plan on ebay with a visa gift card or something to make it slightly more hard to trace you down. And ofc you can use Signal and no log kyc VPN to do your activities.
And Obtainium for open source apps. I use Aurora only for apps I can’t get via Obtainium.
Can’t use Redpocket. I’m in the UK. All require kyc since is in Europe. What should I do?
If you use Signal, they don’t collect your information at all. I believe it’s only your phone number, registration date, and last time you pinged their servers. They don’t get any messages you send.
As for mail, I think this one’s a tricky bastard but if you use VPN, something like protonmail won’t receive anything on their end, maybe some metadata from when you sent the email though, and assuming the other person is also using protonmail or pgp encryption.
I personally also have a threat model outlined and have 2 phones. One cheap flip phone with my redpocket sim which I use for government and banking stuff. My tmobile phone is for anything else, like friends and social stuff. Maybe you could have the same thing set up.
I think that better than using a VPN I to use an app that protects you from trackers like duckduckgo or rethink DNS
You’ve already got Grapheneos, so the next step would be not using Google play or other Google/Facebook/etc. apps and services.
What VPN can you recommend me for my phone?
What are you trying to accomplish with a VPN?
Mullvad, protonvpn, I hear ivpn is good as well.
Same config, I have been using my 8a with graphene since Jan. Works great.
I actually put Google Play and the few apps that use that in the Private Space and just use clean apps in my owner profile. There are a lot of different ways to divide up apps between Owner Profile, Private Space, the 31 separate user profiles, and work profiles.
As for app sources I use mostly Graphene, FDroid, Aurora, and Obtainium stores and tools. I only use Play Store directly in my Private Space. There are pros and cons of course.
What VPN should I use on my pixel 8a grapheneos phone?
Whatever https://www.privacyguides.org/ recommends. I am not a big VPN user. I care more about using good apps and prefering the web browser over apps and configuring that.
Good luck!
