
Privacy Phone With Google Pixel and Calyx OS


After many years of trust and a feeling of safety with the "privacy company" Apple, I've decided to review my choices of companies from "the land of the free". The catalyst for me was Apple's recent CSAM disaster. I used to go with iOS because it is convenient, and I believed myself to "think different" and that "privacy is a fundamental human right", as the website states to this day. Also, you know, ***"what happens on your iPhone, stays on your iPhone"***.


What happens on your iPhone, stays on your iPhone[1]


1: What happens on your iPhone, stays on your iPhone


Apple built trust over many years. In 2015 a strong stance on privacy was demonstrated[1] by not helping the FBI decrypt the phone of a terrorist, and trust was further cemented in 2019 with the Hide My Email for Sign in with Apple[2] feature. iOS 14 brought us an indicator when the microphone or camera is in use, and we can show our location as approximate rather than exact. When applications ask for location, we can be precise about when and what we want to share.


1: a strong stance on privacy was demonstrated

2: Hide My Email for Sign in with Apple


Just this year, in 2021, iOS 15 will ship with email tracking protection, Protect Mail Activity[1], which hides your IP address and loads remote content in the background through proxy services. This is a great record and direction, and it convinced even mild tinfoil hats like myself that it's kind of okay. Okay enough to trust a walled garden, to keep payment solutions on my phone and not really worry about it.


1: Protect Mail Activity


But then it would appear Apple went a step too far. With the rollout of iOS 15 in September 2021, the intention is to introduce CSAM detection[1] (Child Sexual Abuse Material). What looks harmless and like a good entry to bolster brand image in a board meeting may be the harbinger of a surveillance tool and plausible deniability for deep privacy intrusions into your private life. Unlike other existing systems, the proposed processing does not happen in the "cloud" on pictures you voluntarily uploaded for a backup, but on the device itself. For this it will hash photos and match them against a database of known CSAM. Upon a match, your files will be uploaded and reviewed by staff. Hash collisions and their implications were already discussed on Hacker News[2]. Edward Snowden was quick to call out the slippery slope the "pro-privacy" company is on and called into question the ownership of the data on _your_ phone.


1: the intention is to introduce CSAM detection

2: Hash collisions and implications were already discussed on Hacker News


Admittedly, I'm also a user of Google's ecosystem. I've been using Gmail since it was in beta and, above all other services, Maps. Again, it's convenient and saves me time. I knew about the tracking and all the concerns, but it didn't bother me much. Whoever has nothing to hide has nothing to worry about, right? I got more bothered when the cancel culture set in, not for any online presence of my own, but for the dying exchange of ideas. We're seeing heavy censorship among the internet giants in times of the pandemic, which kicked into full gear with the Trump Biden election campaigns. Then earlier this year we learned about Google’s Intelligence Agency Jigsaw[1].


1: Google’s Intelligence Agency Jigsaw


These were the catalysts that tipped me over to do the work of de-Googling and to see how easy or difficult it is to get rid of big tech in my private life. Setting up a phone without big tech and without tracking will cost me time and convenience, but I no longer feel comfortable selling my data, and I want to cut off the weakest link in my privacy. I might learn a thing or two along the way.


Why Pixel Phones?


Pixel phones have a number of security features that set them apart. The Titan M security chip protects against physical attacks: it verifies that the bootloader has not been tampered with, throttles brute-force attempts against the passcode, and lets apps encrypt keys directly on the chip. Pixel phones also provide baseband isolation, allowing you to operate just the wifi without cellular networking enabled.


Google provides security updates for over 3 years, usually faster than any other OEM. It also had recent Pixel phones independently audited for ioXt by the NCC Group and for Common Criteria evaluation[1] by Gossamer Security Solutions[2]. While these may look like expensive check-box exercises, they at least ensure that the devices comply with standards on security, upgradeability and transparency. Not many vendors will invest in such expensive endeavours.


1: Common Criteria evaluation

2: by Gossamer Security Solutions


Ironically, it appears that Pixel smartphones are the best available hardware for a Google-free experience.


Google Pixel 4a 5G with CalyxOS[1]


1: Google Pixel 4a 5G with CalyxOS


The process of setting up a privacy phone


Operational security is actually difficult, and having the luxury to exercise the steps for education is an interesting adventure. I probably even missed a few important steps and decloaked the phone along the way; if you spot something, let me know.


I bought a Google Pixel 4a (5G) with cash in a local store, as well as a burner SIM. We have to turn the phone on with the vendor OS and connect to a wifi network, so I headed to a busy coffee shop to turn the phone on for the first time, as that location and other data leak and will be recorded.


Before leaving the coffee shop


- Don't configure biometrics (more plausible deniability). Use a PIN and enable PIN layout scrambling to protect PIN entry under CCTV.

- Put the phone into airplane mode before you go home, and only connect to cellular services in busy locations.

- Don't sign in to your regular Google, Facebook or Twitter accounts or interact with them.


If you don't change the OS (you should), install all available security and app updates before doing anything else.


CalyxOS


Only a few privacy-focused Android mods are around; GrapheneOS and CalyxOS are mentioned frequently. Trust is a difficult thing. I looked up who is behind CalyxOS and was instantly convinced: none other than the legendary Nicholas Merrill[1]. If you don't know who that is, don't take my word for it and read up on him. It'll be worth your time.


1: Nicholas Merrill


Looking at the website, CalyxOS[1] puts its primary focus on privacy and offers the option of microG, F-Droid and the Aurora Store (which gives anonymous access to the Play Store), so I didn't need any further convincing.


1: the website, CalyxOS


CalyxOS also has some nice defaults worth noting:


- a locked bootloader ensures the operating system has not been tampered with

- MAC randomization prevents tracking by wifi scanners

- PIN layout scrambling allows entering the PIN in public


Installing CalyxOS on the Pixel 4a (5G Japan version)


Unlock the bootloader and turn on USB debugging:


Go to System settings -> About phone -> tap on ‘Build number’ several times until Developer options is enabled.

Go to System Settings -> System -> Advanced -> Developer Options and then:

- Enable OEM Unlocking

- Enable USB Debugging


Go to the CalyxOS website's download section[1] and get the image for your device, for me it was:


1: CalyxOS website's download section


Pixel 4a (5G) (bramble)

Place device-flasher as well as the CalyxOS .zip image into the same folder on your laptop. I did the following steps on my MacBook using iterm2[1]. No need to extract or rename the zip; copy it as-is. Download all the required files to one directory:


1: iterm2


ls -l
total 3072408
-rw-r--r--  1 dre  users   1.5G Sep  1 22:09 bramble-factory-2.8.0.zip
-rw-rw-rw-@ 1 dre  users   289B Sep  1 22:30 bramble-factory-2.8.0.zip.minisig
-rwxr-xr-x@ 1 dre  users   6.3M Sep  1 20:39 device-flasher.darwin*
-rw-r--r--  1 dre  users   113B Jul 10 07:30 minisign.pub

Verify the checksums of the files:


shasum -a 256 device-flasher.darwin
5e5542f51c1592e392114636f2e64fe9dae1cacaaf55c722822780ec5cbf9331  device-flasher.darwin
shasum -a 256 bramble-factory-2.8.0.zip
e695116ce6c15c27392df6d82b88576db87b5fe66192ba18f7323f6414fe88ff  bramble-factory-2.8.0.zip

On macOS, install minisign to verify the signatures:


brew install minisign

minisign -Vm bramble-factory-2.8.0.zip -p minisign.pub
Signature and comment signature verified
Trusted comment: CalyxOS 2.8.0 - August 2021

If the above message appears and the signature verifies, we can execute the device flasher (without sudo).


./device-flasher.darwin

which will prompt for the following steps:


1. Connect to a wifi network and ensure that no SIM cards are installed

2. Enable Developer Options on device (Settings -> About Phone -> tap "Build number" 7 times)

3. Enable USB debugging on device (Settings -> System -> Advanced -> Developer Options) and allow the computer to debug (hit "OK" on the popup when USB is connected)

4. Enable OEM Unlocking (in the same Developer Options menu)


When we continue, the installation prompts to unlock the bootloader, which requires manual confirmation on the device with the volume and power keys.


Unlocking bramble XXXXXXXXXXXXXX bootloader...
5. Please use the volume and power keys on the device to unlock the bootloader

After the installation it again prompts to re-lock the bootloader for tamper protection. The flasher replaced the OEM verified-boot key with a CalyxOS key (the `avb_custom_key` step in the log), which is what allows you to lock the bootloader again.


Locking bramble XXXXXXXXXXXXXX bootloader...
6. Please use the volume and power keys on the device to lock the bootloader

<details> <summary>Full flasher logs for reference</summary>


<pre><code>./device-flasher.darwin Android Factory Image Flasher version 1.0.3 Extracting bramble-factory-2.8.0.zip Downloading https://dl.google.com/android/repository/fbad467867e935dce68a0296b00e6d1e76f15b15.platform-tools_r30.0.4-darwin.zip Downloading... 9.5 MB downloaded Verifying fbad467867e935dce68a0296b00e6d1e76f15b15.platform-tools_r30.0.4-darwin.zip Extracting fbad467867e935dce68a0296b00e6d1e76f15b15.platform-tools_r30.0.4-darwin.zip 1. Connect to a wifi network and ensure that no SIM cards are installed 2. Enable Developer Options on device (Settings -> About Phone -> tap "Build number" 7 times) 3. Enable USB debugging on device (Settings -> System -> Advanced -> Developer Options) and allow the computer to debug (hit "OK" on the popup when USB is connected) 4. Enable OEM Unlocking (in the same Developer Options menu)


Press ENTER to continue


Detected bramble XXXXXXXXXXXXXX


Devices to be flashed: bramble XXXXXXXXXXXXXX


Press ENTER to continue Unlocking bramble XXXXXXXXXXXXXX bootloader...


1. Please use the volume and power keys on the device to unlock the bootloader Flashing bramble XXXXXXXXXXXXXX bootloader...


Sending 'bootloader_a' (8754 KB) OKAY [ 0.360s] Writing 'bootloader_a' (bootloader) Flashing Pack version b5-0.3-7241846 (bootloader) Flashing partition table for Lun = 0 (bootloader) Flashing partition table for Lun = 1 (bootloader) Flashing partition table for Lun = 2 (bootloader) Flashing partition table for Lun = 4 (bootloader) Flashing partition table for Lun = 5 (bootloader) Flashing partition xbl_a (bootloader) Flashing partition xbl_config_a (bootloader) Flashing partition aop_a (bootloader) Flashing partition tz_a (bootloader) Flashing partition hyp_a (bootloader) Flashing partition abl_a (bootloader) Flashing partition keymaster_a (bootloader) Flashing partition devcfg_a (bootloader) Flashing partition qupfw_a (bootloader) Flashing partition uefisecapp_a (bootloader) Flashing partition featenabler_a (bootloader) Flashing partition logfs OKAY [ 0.259s] Finished. Total time: 0.909s Rebooting into bootloader OKAY [ 0.080s] Finished. Total time: 0.080s < waiting for any device > Sending 'radio_a' (149780 KB) OKAY [ 4.230s] Writing 'radio_a' (bootloader) Flashing Pack version SSD:xxxxx-xxxxx-xxxxxx-x-xxxxxxx (bootloader) Flashing partition modem_a OKAY [ 0.822s] Finished. Total time: 5.342s Rebooting into bootloader OKAY [ 0.080s] Finished. Total time: 0.080s Erasing 'avb_custom_key' OKAY [ 0.216s] Finished. Total time: 0.366s Sending 'avb_custom_key' (0 KB) OKAY [ 0.140s] Writing 'avb_custom_key' OKAY [ 0.226s] Finished. Total time: 0.586s Rebooting into bootloader OKAY [ 0.080s] Finished. Total time: 0.080s extracting android-info.txt (0 MB) to RAM...


Checking 'product' OKAY [ 0.067s] Checking 'version-bootloader' OKAY [ 0.069s] Checking 'version-baseband' OKAY [ 0.070s] Setting current slot to 'a' OKAY [ 0.086s] extracting boot.img (96 MB) to disk... took 0.355s archive does not contain 'boot.sig' Sending 'boot_a' (98304 KB) OKAY [ 2.400s] Writing 'boot_a' OKAY [ 0.474s] extracting dtbo.img (16 MB) to disk... took 0.061s archive does not contain 'dtbo.sig' Sending 'dtbo_a' (16384 KB) OKAY [ 0.480s] Writing 'dtbo_a' OKAY [ 0.158s] archive does not contain 'dt.img' archive does not contain 'recovery.img' extracting vbmeta.img (0 MB) to disk... took 0.001s archive does not contain 'vbmeta.sig' Sending 'vbmeta_a' (8 KB) OKAY [ 0.140s] Writing 'vbmeta_a' OKAY [ 0.077s] extracting vbmeta_system.img (0 MB) to disk... took 0.000s archive does not contain 'vbmeta_system.sig' Sending 'vbmeta_system_a' (4 KB) OKAY [ 0.140s] Writing 'vbmeta_system_a' OKAY [ 0.078s] extracting vendor_boot.img (96 MB) to disk... took 0.343s archive does not contain 'vendor_boot.sig' Sending 'vendor_boot_a' (98304 KB) OKAY [ 2.390s] Writing 'vendor_boot_a' OKAY [ 0.485s] extracting super_empty.img (0 MB) to disk... took 0.000s Rebooting into fastboot OKAY [ 0.070s] < waiting for any device > Sending 'super' (4 KB) OKAY [ 0.001s] Updating super partition OKAY [ 0.007s] Resizing 'product_a' OKAY [ 0.004s] Resizing 'system_a' OKAY [ 0.004s] Resizing 'system_ext_a' OKAY [ 0.004s] Resizing 'system_b' OKAY [ 0.004s] Resizing 'vendor_a' OKAY [ 0.005s] Resizing 'vendor_b' OKAY [ 0.005s] archive does not contain 'boot_other.img' archive does not contain 'odm.img' extracting product.img (965 MB) to disk... 
took 6.513s archive does not contain 'product.sig' Resizing 'product_a' OKAY [ 0.005s] Sending sparse 'product_a' 1/4 (262140 KB) OKAY [ 7.386s] Writing 'product_a' OKAY [ 2.569s] Sending sparse 'product_a' 2/4 (262140 KB) OKAY [ 7.366s] Writing 'product_a' OKAY [ 1.530s] Sending sparse 'product_a' 3/4 (262140 KB) OKAY [ 7.048s] Writing 'product_a' OKAY [ 1.535s] Sending sparse 'product_a' 4/4 (201776 KB) OKAY [ 5.526s] Writing 'product_a' OKAY [ 1.126s] extracting system.img (801 MB) to disk... took 5.701s archive does not contain 'system.sig' Resizing 'system_a' OKAY [ 0.041s] Sending sparse 'system_a' 1/4 (262140 KB) OKAY [ 7.149s] Writing 'system_a' OKAY [ 2.535s] Sending sparse 'system_a' 2/4 (262140 KB) OKAY [ 7.292s] Writing 'system_a' OKAY [ 1.557s] Sending sparse 'system_a' 3/4 (262140 KB) OKAY [ 7.271s] Writing 'system_a' OKAY [ 1.582s] Sending sparse 'system_a' 4/4 (34684 KB) OKAY [ 0.930s] Writing 'system_a' OKAY [ 0.229s] extracting system_ext.img (191 MB) to disk... took 1.210s archive does not contain 'system_ext.sig' Resizing 'system_ext_a' OKAY [ 0.006s] Sending 'system_ext_a' (196076 KB) OKAY [ 4.676s] Writing 'system_ext_a' OKAY [ 2.134s] extracting system_other.img (25 MB) to disk... took 0.178s archive does not contain 'system.sig' Resizing 'system_b' OKAY [ 0.004s] Sending 'system_b' (25880 KB) OKAY [ 0.617s] Writing 'system_b' OKAY [ 0.198s] extracting vendor.img (663 MB) to disk... took 5.027s archive does not contain 'vendor.sig' Resizing 'vendor_a' OKAY [ 0.004s] Sending sparse 'vendor_a' 1/3 (262140 KB) OKAY [ 7.514s] Writing 'vendor_a' OKAY [ 2.544s] Sending sparse 'vendor_a' 2/3 (262140 KB) OKAY [ 7.203s] Writing 'vendor_a' OKAY [ 1.580s] Sending sparse 'vendor_a' 3/3 (155228 KB) OKAY [ 4.258s] Writing 'vendor_a' OKAY [ 0.955s] archive does not contain 'vendor_dlkm.img' archive does not contain 'vendor_other.img' Erasing 'userdata' OKAY [ 7.855s] Erase successful, but not automatically formatting.


File system type raw not supported.


Erasing 'metadata' OKAY [ 0.005s] Erase successful, but not automatically formatting.


File system type raw not supported.


Finished. Total time: 147.875s Rebooting into bootloader OKAY [ 0.001s] Finished. Total time: 0.001s Locking bramble XXXXXXXXXXXXXX bootloader...


1. Please use the volume and power keys on the device to lock the bootloader Rebooting bramble XXXXXXXXXXXXXX...


1. Disable OEM unlocking from Developer Options after setting up your device


Flashing complete </code></pre> </details>


This was incredibly easy and took mere minutes to complete. The log above says it only ran for 148 seconds. A night-and-day change compared to the last time I toyed with such a process, ca. 2012.


When you switch on the device, you're navigated through a few steps that are all very self-explanatory and that I leave as an exercise for the reader. One thing to note: if you don't need push notifications, Google services, or access to the Play Store, you don't need to install microG. Otherwise it enables anonymous access to all apps through the Aurora Store.


VPN


The Calyx Institute is a non-profit that offers a free, open source VPN; the CalyxVPN app comes with the OS and can otherwise be installed via F-Droid. While VPNs may help circumvent censorship, they don't really help with anonymity. For that, Calyx ships with two Tor apps.


Tor


CalyxOS ships with both the Tor Browser and Orbot. Tor Browser is like a regular browser that uses the Tor network and tries to be anonymous while staying easy to use. It can browse the clear and the dark net[1]. Orbot is a proxy that allows anonymizing all of the Android traffic through the Tor network.


1: dark net


DNS Servers


The first thing we want to do is switch out the DNS servers. Don't use Cloudflare's 1.1.1.1 or Google's 8.8.8.8, which are odd defaults to have here. Select a DNS provider that is less mainstream and may protect your privacy better; some even block ads. A short list of example providers:


Quad9[1] (Switzerland), BlahDNS[2] (Germany), Digitale Gesellschaft[3] (Switzerland), UncensoredDNS[4] (Denmark). Go to:


1: Quad9

2: BlahDNS

3: Digitale Gesellschaft

4: UncensoredDNS


Settings ->
  Network & Internet ->
    Advanced ->
      Private DNS ->
        Private DNS provider hostname:
        9.9.9.9

Apps


F-Droid is rather slow in my area. Expect some wait time for installations.


I'm using both F-Droid and Aurora Store. The latter connects you anonymously to the Play Store and has a nice feature that shows app trackers. Viewing these, I'd exclude most mainstream social media, and even the alternatives are often riddled with big tech trackers (yikes). For messaging there are Signal and Telegram. For web, I've added Firefox, DuckDuckGo and Tor Browser. There are YouTube clients like NewPipe and alternatives like Rumble. Twitter clients like Twidere X and alternatives like Gettr (with Facebook plus Google tracking, yikes). I should review these alternative social media platforms at some point, given that most of them appear to fail in their privacy claims. An okay Maps alternative in my region is OsmAnd; however, it doesn't come close to the usual Maps experience.


Even if I install big tech apps like keyboards or a camera, the Datura Firewall[1] allows per-app network isolation, so we can remove internet access from such apps.


1: Datura Firewall


For remote ssh access to my servers, I also install Termux.


Termux on the Google Pixel 4a[1]


1: Termux on the Google Pixel 4a


Conclusion


I expected this to be a bit more work than it was; buying the phone and SIM was straightforward.


Installing CalyxOS was a breeze. I will probably have to explore anonymous eSIMs and write up a summary of alternatives to big tech. I will definitely keep my iPhone for work and life for a while.


The real cost will come while switching. I learned a few things here, mostly about an ecosystem that has matured quite a bit and whose progress I wasn't aware of.


I'll update this post as I'm exploring the usability over the next weeks. On my second phone I do rest assured that ***everything that happens on this phone, stays on the phone***.

