Why Your Phone Spies on You
Android phones shipped by manufacturers (Samsung, Google, OnePlus):
- 40+ Google services running in background
- Constant location tracking
- Metadata uploaded to manufacturer
- Vendor apps can’t be uninstalled
- Device can wake up GPS without permission
iPhone is slightly better (App Tracking Transparency) but:
- Apple knows everything (no end-to-end encryption for photos/backups)
- Can’t choose defaults (Safari, Mail forced)
- Closed source (can’t audit)
Privacy-focused alternative OS remove tracking, limit permissions, require explicit consent.
This guide covers five practical alternatives.
Quick Comparison Table
| OS | Privacy | App Support | Banking Apps | Device Support | Learning Curve |
|---|---|---|---|---|---|
| GrapheneOS | Excellent | 95% (via MicroG) | 60% (workarounds) | Pixel only | Low |
| CalyxOS | Excellent | 95% (via MicroG) | 80% (native) | Pixel + OnePlus | Low |
| LineageOS | Good | 99% (full Google) | 99% (full Google) | 200+ devices | Low |
| /e/OS | Good | 95% (MicroG) | 70% (workarounds) | 100+ devices | Medium |
| Ubuntu Touch | Good | 50% (Linux apps) | 15% (not recommended) | Few devices | High |
GrapheneOS: Strongest Privacy
GrapheneOS is hardened Android with kernel-level security improvements. Privacy first, usability second.
What’s Different from Stock Android
Removals:
- No Google Play Services (requires workaround)
- No Google apps preinstalled
- No telemetry collection
- No predictive text (privacy risk)
- No automatic crash reports
Additions:
- Sandboxed Google Play (optional)
- Scoped storage enforcement (limit app access)
- Hardware-backed encryption enforcement
- Stricter SELinux policies
- Automatic reboot after inactivity (clear memory)
Installation
# Step 1: Get compatible phone
# Supported: Google Pixel 6a, 7, 7a, 7 Pro, 8, 8 Pro only
# Cost: $300-600
# Step 2: Download GrapheneOS installer
# From: https://grapheneos.org/releases
# Step 3: Boot into fastboot
# Power off phone
# Hold: Power + Volume Down
# adb reboot bootloader
# Step 4: Flash GrapheneOS
# Run installer script
# Takes 10 minutes
# Phone wipes automatically
# Step 5: Enable optional services
# Settings > Apps > Google Play Services (Sandboxed)
# Enables Google apps without stock privacy issues
Privacy Features (Technical)
Sandboxed Google Play:
GrapheneOS allows optional "Sandboxed Google Play"
- Google Play runs in isolated container
- Can't access device storage
- Can't access location
- Can't access contacts
- Can't access call history
Benefits:
- Use Gmail, Maps, Drive (if needed)
- No tracking of location/activity
- Revoke permissions instantly
Install:
Settings > Apps > Google Play (Sandboxed)
Restricted Permissions:
Default permission structure:
- Location: Apps can't access unless explicitly granted
- Camera: No background access
- Microphone: No background access
- Contacts: Per-app access control
- Files: Scoped storage (app can't see all files)
Example:
- Google Maps can access location (when explicitly granted)
- But can't access: Photos, contacts, call history
- Permission auto-revokes after 30 days
Hardware-Backed Keystore:
Keys stored in secure enclave:
- Not accessible to software
- Protects encryption keys
- Resists extraction attacks
- Used for payment security
App Compatibility
Apps That Work Fine:
- All major apps: WhatsApp, Telegram, Signal
- Banking apps: 60% work without workarounds
(Bank of America, Chase, etc.)
- Social media: Twitter, Reddit, Instagram
- Productivity: Office, Google Docs, Notion
Apps With Issues:
- Netflix: Requires Netflix ID (might not work)
- Pokemon Go: Requires workarounds (spoofing detection)
- Google Fit: Works only via Sandboxed Play
- Maps: Full features only via Sandboxed Play
Workaround for Banking Apps:
If banking app requires Google Play Services:
Option 1: Use Sandboxed Google Play
Settings > Apps > Google Play (Sandboxed)
Grant permission to banking app
Works 80% of the time
Option 2: Use web banking instead
Most banks support mobile web
Slightly less convenient, still secure
Option 3: Different phone (if critical)
Keep one regular Android for banking
Use GrapheneOS for everything else
Pricing
Pixel 8: $799
GrapheneOS (free): $0
Installation time: 30 min
Monthly updates: Free (fast)
Total annual cost: $0 (phone only)
Strengths
- Strongest privacy (kernel hardening)
- Google Play sandbox (optional, not forced)
- Fast updates (updates within 24 hours of Google release)
- Minimal bloat (can remove almost everything)
- Strong encryption
- Excellent documentation
Weaknesses
- Pixel-only (expensive)
- Banking app support limited
- No microSD card slot on Pixels (storage limitation)
- Learning curve (fewer conveniences)
- Smaller ecosystem (fewer apps available)
- Some enterprise apps won’t work
Best For
- Privacy advocates willing to accept some friction
- Developers (good for security work)
- People not requiring banking apps
- Those valuing control over convenience
Maintenance
# Monthly: Check for updates
# Settings > System > System Update
# Install when available
# Quarterly: Review app permissions
# Settings > Apps > Permissions
# Remove unnecessary permissions
# Annually: Reflash if major update available
# Backup data
# Wipe phone
# Install latest GrapheneOS
CalyxOS: Balanced Privacy
CalyxOS is based on GrapheneOS but with better app compatibility. It includes MicroG (open-source Google Play replacement).
What’s Different from GrapheneOS
CalyxOS includes:
- MicroG (open-source Google Play Services replacement)
- More devices supported (Pixel + OnePlus + Fairphone)
- Better app compatibility (some apps don't need Google)
- Integrated DNS privacy (NextDNS option)
- Signal integration (messaging priority)
MicroG benefits:
- Apps think they have Google Play
- But MicroG doesn't track location
- MicroG doesn't collect data
- More apps work without workarounds
Installation
# Step 1: Download CalyxOS from https://calyxos.org
# Supported devices:
# - Google Pixel (all recent models)
# - OnePlus 6, 6T, 7, 7 Pro, 7T
# - Fairphone 3, 3+, 4, 5
# Step 2: Flash using installer
# Same as GrapheneOS process
# Takes 15-20 minutes
# Step 3: First boot
# Automatically installs F-Droid, Signal
# MicroG enabled by default
Key Feature: MicroG Integration
MicroG vs Stock Google Play:
Stock Google Play Services:
- Tracks location constantly
- Uploads app usage
- Stores device profile
- Serves ads
MicroG (CalyxOS):
- Fakes location to apps (if enabled)
- Doesn't track app usage
- No device profile stored
- No ads served
- Completely open source (can audit code)
Banking App Support with MicroG:
Many banking apps work with MicroG:
- Chase, Bank of America work
- Venmo works
- Paypal works
- Some require Play Services validation (workaround needed)
Success rate: 80%+ (much better than GrapheneOS)
App Compatibility Comparison
| App | GrapheneOS | CalyxOS | Comments |
|---|---|---|---|
| Chase Banking | 50% | 95% | MicroG helps significantly |
| Netflix | 30% | 80% | MicroG satisfies app requirements |
| Pokemon Go | 0% | 20% | Anti-spoofing still blocks |
| Google Maps | Full* | Full | Works better in CalyxOS |
| 100% | 100% | Works identically | |
| Banking apps (general) | 60% | 80% | Advantage to CalyxOS |
*With Sandboxed Play
Pricing
Pixel 8: $799
Fairphone 5: $649
CalyxOS (free): $0
Installation time: 20 min
Monthly updates: Free
Total annual cost: $0
Strengths
- Better app compatibility than GrapheneOS
- MicroG included (better banking support)
- More device options (Pixel, OnePlus, Fairphone)
- Excellent privacy (nearly identical to GrapheneOS)
- Good documentation
- Fast updates
Weaknesses
- Slightly less hardened than GrapheneOS (security trade-off)
- MicroG isn’t as audited as open source claims
- Some apps still won’t work
- Learning curve (not as user-friendly as stock)
Best For
- Users needing privacy AND banking apps
- Those wanting multiple device options
- Privacy-conscious developers
- People who compromise between privacy and usability
Real-World Setup
# Day 1: Flash CalyxOS
# Day 2: Install apps
# F-Droid: Open app store (privacy apps)
# Signal: For messaging
# Nextcloud: For cloud sync
# FOSS apps from F-Droid
# Day 3: Enable MicroG for banking
# Settings > MicroG Settings
# Grant location permission (optional, faked)
# Install banking app from Play Store (via MicroG)
# Day 4: Set up DNS privacy
# Settings > Network > DNS > NextDNS
# Choose blocklists
# All DNS queries encrypted
# Day 5: Enable Firewall
# Settings > Firewall
# Block all apps from accessing internet
# Enable only those needing it (banking, messaging)
LineageOS: Maximum Compatibility
LineageOS is Android without Google bloat but WITH Google Play Services (optional). It prioritizes app compatibility over privacy.
What’s Different from Stock Android
Removals:
- No preinstalled Google apps
- No vendor bloat (Samsung, OnePlus apps)
- No telemetry
Additions:
- Security patches (often faster than stock)
- Privacy Guard (granular permissions)
- Built-in file manager
- Customizable UI options
- Longer device support (years after manufacturer drops)
Difference from GrapheneOS:
- Doesn't remove Google Play Services option
- Less kernel hardening
- More user customization
- Better app compatibility
Device Support (Massive Advantage)
LineageOS supports 200+ devices:
- Samsung (S21, A52, etc.)
- OnePlus (all models)
- Google Pixel (all)
- Motorola (many models)
- Sony Xperia
- Xiaomi (many models)
- HTC, LG, etc.
Why matters:
- Use any old phone (extends life 3-4 years)
- Upgrade path for older phones
- Affordable options ($100-300 used)
Installation Process
# Step 1: Download LineageOS for your device
# https://lineageos.org/devices/
# Step 2: Download device-specific tools
# Fastboot tool (flashing utility)
# ADB (Android Debug Bridge)
# Step 3: Boot into recovery
# Power off > Power + Volume Up
# Choose "Recovery"
# Step 4: Flash LineageOS
# Via recovery menu
# Select ZIP file
# Flash process (10 minutes)
# Step 5: Reboot
# Phone restarts with LineageOS
Privacy Settings
Privacy Guard (Built-in):
Settings > Privacy Guard > App Permissions
Per-app control:
- Location access (fake location available)
- Camera access
- Microphone access
- Contacts access
- Call history access
- Files access
More granular than stock Android
Optional Google Services:
LineageOS doesn't include Google Play by default
Options:
1. Use F-Droid only (privacy, limited apps)
2. Install MicroG (privacy-friendly)
3. Install Google Play Services (full compatibility, less privacy)
4. Mix and match (banking apps via Google Play, others via F-Droid)
App Compatibility
Advantage over GrapheneOS:
Because LineageOS supports full Google Play Services:
- Netflix: 100% works
- Banking apps: 99% work
- Streaming apps: All work
- Enterprise apps: Usually work
- Gaming: All work
Cost: Must accept Google Play to get this
Pricing
Used Samsung S21: $250-400
Used OnePlus 9: $200-350
LineageOS (free): $0
Installation time: 45 min
Monthly security updates: Free
Total annual cost: $0
Strengths
- 200+ devices supported (maximum flexibility)
- Best app compatibility (can use Google Play)
- Good privacy without sacrificing all features
- Long device support (5+ years after manufacturer drops)
- Free, open source
- Good documentation
- Large community
Weaknesses
- Not as hardened as GrapheneOS (less security)
- Optional privacy (requires manual setup)
- Updates less frequent than Pixel-based systems
- Requires more technical knowledge for flashing
- Device variability (some ports better than others)
Best For
- Users with older phones wanting privacy upgrade
- Those requiring app compatibility
- Privacy-conscious but realistic (not perfect)
- Budget-conscious (use older phones)
- People wanting to extend phone life
/e/OS: Privacy-Respecting Interface
/e/OS is based on LineageOS with privacy-first defaults and cloud integration (Nextcloud).
What’s Different
/e/OS adds to LineageOS:
- Proprietary /e/ launcher (privacy-focused)
- Built-in Nextcloud integration (cloud replacement)
- Default Duck Duck Go search (not Google)
- Default Proton Mail settings
- No Google by default
- Location masking (fake GPS)
- Advanced privacy settings UI
Installation
# Step 1: Check device support
# https://doc.e.foundation/supported-phones
# 100+ devices supported
# Step 2: Download /e/OS
# From e.foundation
# Download device-specific ROM
# Step 3: Flash using recovery
# Similar to LineageOS process
# 30-45 minutes
# Step 4: First boot setup
# Configure Nextcloud (optional)
# Choose privacy settings
# Select default apps (DDG, Proton, etc.)
Key Feature: Nextcloud Integration
/e/Cloud (Nextcloud):
/e/OS integrates Nextcloud for:
- Photos backup (privacy: photos stay yours)
- Contact sync (not to Google)
- Calendar sync (not to Apple)
- File sync
- Notes sync
Cost:
- Free: /e/ provides Nextcloud instance (5GB)
- Paid: Self-hosted or other Nextcloud instance
Privacy Features
Location Masking:
Settings > Privacy > Location Spoofing
- Apps think phone is in different location
- Useful for privacy without disabling GPS
- Banking apps still work (use rough location)
App Permissions (Strict):
All apps require explicit permission
- Location access: Ask on first use
- Camera: Deny by default
- Microphone: Deny by default
- Contacts: Deny by default
App Compatibility
Better than GrapheneOS:
Can use MicroG or Google Play Services
Provides interface to choose per-app
- Maps: Use Google Play version
- Banking: Use native
- Social: Use privacy apps from F-Droid
Pricing
Fairphone 5 (most /e/ phones): $649
/e/OS (free): $0
Nextcloud storage (free): 5GB included
Optional paid storage: $1-10/month
Total annual cost: $0-120
Strengths
- Good privacy defaults (doesn’t require manual setup)
- Nextcloud integration (avoid Google Photos)
- More devices than CalyxOS, fewer than LineageOS
- Polished UI (better than LineageOS)
- Good documentation
- Cloud privacy (your data, not /e/’s)
Weaknesses
- Smaller community than LineageOS
- Less tested than CalyxOS/GrapheneOS
- Nextcloud integration adds complexity
- Updates less frequent than Pixel-based systems
- Some enterprise apps won’t work
Best For
- Users wanting privacy without learning curves
- Those needing cloud integration (Nextcloud)
- People avoiding Google services entirely
- Fairphone users (best support on Fairphone)
Ubuntu Touch: Linux on Phone
Ubuntu Touch ports Linux to phones. Drastically different from Android.
What’s Different
Ubuntu Touch runs:
- Linux kernel (not Android)
- Convergence UI (phone + desktop)
- Native Linux apps (not Android apps)
Benefits:
- Complete control (full Linux)
- Privacy by design (no proprietary layers)
- Can run server software
Drawbacks:
- Almost no app ecosystem
- Banking apps don't work
- Steep learning curve
- Very limited device support
Installation
# Step 1: Check device support
# Very limited: OnePlus One, OnePlus 6T, Pixel 3a
# Check: ubuntu-touch.io
# Step 2: Get Ubuntu Touch installer
# From: ubuntu-touch.io/get-ubuntu-touch
# Step 3: Run installer
# Automatic flashing process
# 30 minutes
# Step 4: First boot
# Completely different UI
# No Android app drawer
# Uses Ubuntu desktop paradigm
Use Cases (Realistic)
Good for:
- Privacy enthusiasts (extreme privacy)
- Linux developers (full Linux on phone)
- Research/experimentation
- Privacy experiments
Not good for:**
- Banking apps (don't exist)
- Messaging apps (very limited, Telegram only)
- Maps/Navigation (none available)
- Photos/Video (limited)
- Gaming (impossible)
- Most daily use
App Ecosystem
Available apps (estimated): 500-1000
Android apps: 2,000,000+
Realistic apps:
- Telegram (messaging)
- Terminal (command line)
- File manager
- Simple text editor
- Calculator
- Calendar
- Notes
Missing:
- Banking apps (0)
- WhatsApp (not available)
- Instagram (not available)
- Netflix (not available)
- Zoom (not available)
- Slack (not available)
Pricing
OnePlus 6T (used): $150-250
Ubuntu Touch (free): $0
Total annual cost: $0
Caveat: Not usable for normal tasks
Strengths
- Maximum privacy/security (full Linux control)
- Completely different from Android/iOS
- Good for privacy research
- Opensource community
- Convergence concept (phone + desktop)
Weaknesses
- Completely impractical for daily use
- No banking apps
- No mainstream messaging
- Tiny app ecosystem
- Very small community
- Updates infrequent
- Device support: 3 phones only
Best For
- Linux developers as side device
- Privacy researchers
- Hobbyists exploring alternatives
- NOT for primary phone
Recommendation Matrix
You want privacy AND banking apps: → CalyxOS (80% app support, excellent privacy)
You want maximum privacy: → GrapheneOS (95% privacy, 60% app support with workarounds)
You want compatibility AND privacy: → LineageOS + MicroG (99% app support, good privacy)
You want cloud integration: → /e/OS (Nextcloud built-in, 95% privacy)
You’re using an older phone: → LineageOS (supports 200+ devices, extends life 3+ years)
You’re a Linux enthusiast: → Ubuntu Touch (full Linux, impractical for daily use)
Cost Comparison (2-Year Scenario)
| OS | Phone Cost | Setup | Privacy | Banking | Total |
|---|---|---|---|---|---|
| GrapheneOS | $400 | $0 | Excellent | Poor | $400 |
| CalyxOS | $400 | $0 | Excellent | Good | $400 |
| LineageOS | $150 (used) | $0 | Good | Excellent | $150 |
| /e/OS | $650 | $0-120 | Good | Good | $650 |
| Ubuntu Touch | $200 | $0 | Excellent | None | $200 |
| Stock Android | $800 | $0 | Poor | Excellent | $800 |
Migration Path
Year 1: Try with cheap device
Buy OnePlus 6T used ($200)
Flash LineageOS + MicroG
Use for 3-6 months
Get comfortable with F-Droid, FOSS apps
Year 2: Upgrade to better privacy
If satisfied with privacy, upgrade to:
- CalyxOS (Fairphone 5: $650)
- GrapheneOS (Pixel: $400)
- /e/OS (Fairphone: $650)
Depending on needs:
- CalyxOS if banking support needed
- GrapheneOS if maximum privacy desired
Bottom Line
For most people: CalyxOS + Fairphone 5 ($650)
- Excellent privacy without sacrificing apps
- Good device longevity (Fairphone supports 8+ years)
- 80% app compatibility with workarounds
For privacy maximalists: GrapheneOS + Pixel 8 ($800)
- Maximum privacy/security
- Accept 60% app compatibility
- Fastest updates
- Switch to web-based alternatives for incompatible apps
For budget-conscious: LineageOS + used OnePlus ($200-300)
- Good privacy with minimal learning curve
- High app compatibility
- Extends old phone life 3+ years
- Can upgrade to better phone later
Don’t use: Ubuntu Touch (impractical), stock Android (privacy nightmare), iOS (Apple tracking)
Start with LineageOS on a used phone. If you need better privacy, migrate to CalyxOS. If you need maximum privacy, upgrade to GrapheneOS.
Each step is optional; you can stop when you reach your privacy/usability sweet spot.
Related Reading
- How to Use Tails Operating System for Extreme Privacy Daily
- Mobile App Store Privacy Labels How To Read And Compare Befo
- Mobile Fitness Tracker Privacy
- Mobile Keyboard Privacy: Which Keyboards Send Keystrokes.
- Nurse Practitioner Mobile Device Privacy Hipaa Compliant Pho
Built by theluckystrike — More at zovo.one