
The self-bettering de-google experience (GrapheneOS)

Ever wanted to degoogle and not have it be too much of a pain in the behind? Ever wonder what you're losing by spending too much time on social media? Digital health is important. I think one of the partial solutions to digital health is to degoogle.

Let's examine this, but first, links to the rest of the community posts on it :slight_smile:

GEK (no longer with us)

Old Snake (historical post)

Long off topic discussion of it

Wendell

Heimdallr

I'm sure there are more. So without further ado, my mobile device is a Google Pixel 3 XL. I would say to degoogle you have a ton more choice than you used to. You have OnePlus (great choice for flagships), PinePhone (search the forum for content), Nexus (older devices but solid; ask @Adubs about his Nexus 6P), and of course the Pixel line-up. The best Pixel phones for this operation are the Pixel 3 XL and the Pixel 3a XL.

I plan on keeping the 3 XL until 5G is mainstream and they are getting ready to beta test 6G. The way I have done this is I have gotten an armor case, a 5-pack of oleophobic thick tempered glass screen protectors and a camera lens protector. I purchased a wireless charger and wireless IEMs so as to minimize the use of my phone's port. This phone will remain pristine so long as I have it. (Before the "stop being poor" comments come: it's not because I can't afford it, it's because I have no need for more.) Until I can no longer access 4G speeds (which suffice) or can no longer update and exploit-mitigate Android, there is no need for excess. It's a gorgeous phone with a beautiful camera. It has excellent specs and it's the 128 GB version. I will never use that much storage ever.

So what's it like to use the botnet (Google)? I loved it. I have zero shame admitting the convenience of those features; however, I have realized their impracticality and I don't really want them spying on me, for security and privacy reasons. I want people to know what I tell them and not much more. This isn't to avoid cell tower based tracking, as one can never avoid cell location and GPS. These services always know where you are, but at least this can turn off any capability of turning on the device remotely etc., mainly due to the ROM used.

De-Google Step 1: Identify a ROM.

The objective is clear: either find a hardened ROM or find an AOSP ROM that is easy to use as a base. This gave me two options: Lineage OS or https://grapheneos.org/. I have built Lineage from source, but Graphene allowed me an interesting path to take my phone. A non-SU-enabled ROM is better from a security standpoint, and this one used and leveraged the Titan M chip to verify the boot process. So Graphene it was.

De-Google Step 2: BUILD IT FROM SOURCE! woot!

So nobody ever accused me of being a sane individual. Let's build this security-focused ROM for my phone. You can't build this for other devices easily, for a few reasons. Not to completely rip off the author, but devices need to meet the standards of the project in order to be considered as potential targets. The developer himself has made this a stricter set of characteristics, to which surprisingly Google held themselves in the PIXEL line and NOT THE NEXUS line. In addition to support for installing other operating systems, standard hardware-based security features like the hardware-backed keystores, verified boot, attestation and various hardware-based exploit mitigations need to be available. This is actually what the Titan M chipset is for, and Google is offering a bounty to whoever can hack it: https://www.wired.com/story/google-titan-m-security-chip-pixel-3/

The devices also need to have decent integration of IOMMUs for isolating components such as the GPU, radios, media decode/encode, image processor, etc., as if the hardware/firmware support is missing or broken, there's not much that the OS can do to provide an alternative. The Pixel 3 XL is built to this rather crazy standard. You can utterly isolate any part of the board if you want to. This is what made the Pixel 3 XL my choice of phone. It's one of the more secure phones out there, and few people realize this on a hardware level. As we should all know, hardware, firmware and device-specific software like drivers play a huge role in the overall security of a device. The goal of the project is not to slightly improve some aspects of insecure devices, and supporting a broad set of devices would be directly counter to the values of the project. A lot of the low-level work also ends up being fairly tied to the hardware. So let's build this software, shall we :wine_glass:

I am building for: aosp_crosshatch, aka the Pixel 3 XL. (I love its nickname, crosshatch; someone was a car nut.) This will take a lot of bandwidth and space. Few people realize what it takes to compile a ROM. Have at least 16 GB of RAM and 75+ GB of space, just to be safe.

The author gives instructions; just find the latest version and compile.

If you've run Arch Linux, you can SO build Android for your device. It's a very enlightening experience. Then go OTA from there.

De-Google Step 2 (LOL): Acquiring and installing the ROM

So you're likely already downloading your ROM. Flash it using TWRP and whatever else you need to. My guide here applies only to the Pixels.

Enable OEM unlocking in the device's developer settings and reboot to fastboot from the advanced menu.

Then, when in fastboot mode, unlock the bootloader with:

fastboot flashing unlock

unzip crosshatch-factory-*.zip        # extract the factory image
cd crosshatch-pq3a.190605.003
sudo ./flash-all.sh                   # the project's flash script calls fastboot itself

You must use sudo to flash it. In my case I had built it and not zipped it, so I had everything I needed to flash already unzipped.

Make sure to LOCK the bootloader if you don't plan to root. I don't plan to root because I'm security and privacy focused. It's why I use Secure Boot in the UEFI and sign my kernels :wink:

fastboot flashing lock

Then disable OEM unlocking and you're back to a very secure environment, and the TITAN M is preventing exploitation. If your bootloader is unlocked you lose ALL the security of this device.

Want more info on Graphene's security? See here: https://grapheneos.org/usage, which talks about a part I especially like, exec spawning and hardened malloc:

"You may notice that cold start app spawning time takes a bit longer (i.e. in the ballpark of 100ms) than stock Android, along with higher app memory usage. This is due to security centric exec spawning model used by GrapheneOS to provide each application with a unique address space layout, random hardened_malloc heap layout and unique keys / seeds for other probabilistic exploit mitigations like stack canaries, setjmp protection and future features like randomized memory tags. Exec spawning doesn't cause a performance cost after launching an app, and similarly doesn't cause any extra latency for app spawning if the app was already running / cached in the background. It isn't very noticeable on flagship devices with a high end CPU like a Pixel 3, and is a lot more noticeable on a lower end device like a Pixel 3a."

Alright, now that I am on a firmly degoogled ROM, let's acquire F-Droid, our open source store, and also a means of acquiring open source Play Store apps that don't have an F-Droid repo yet. Yes, they exist, and no, they don't use GoPlServ.

https://f-droid.org/

I needed a banking app, which functions fine. I don't mind my bank intruding on my privacy. They already do it in so many other ways.

I need maps and a way to navigate, so I grabbed OsmAnd~, which is an amazing offline and online maps navigation app. You can do what most of Google does, save some updated addresses you'll have to grab from DuckDuckGo.

https://osmand.net/

This leads me to search. DuckDuckGo is what I prefer. It's really just Google, but it does protect us more.

For cloud, host Nextcloud 17. It's an amazing piece of software. See Wendell's video on it :wink:. The Swiss army knife of having your calendar, contacts, etc. all synced to it. I use DAV with it. I also have the server E2E encrypted, which is a solid benefit for cloud security.

I also use a few more apps. I still use Spotify, which is a little broken but still works for content discovery. I love the platform but hate how much it knows about my music. I am in the process of migrating to this alongside my Nextcloud

I needed a replacement for LastPass. I really searched hard and found Bitwarden. It's awesome. Your data is sealed with end-to-end AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256. For me, I love that they are open about their security like this instead of claiming little to no breaches like LeakyPass LOL.

https://bitwarden.com/

https://help.bitwarden.com/security/

What does my Android setup look like? As black as possible without being too ugly. It really does help AMOLED conserve energy.

The project comes with Vanadium, which is more secure than Bromite if you need something based on Chromium. Personally I like Firefox better. Here are my plugins to keep it from being too broken on mobile.

You can use the advanced permissions of any good ROM to act like a firewall, so you can forgo root for AFWall+. This ROM allows you to deny access to connectivity for any app, so it's similar to a built-in firewall. It also prevents apps from accessing location in the background.

For email I use FairEmail. I like this app because I can integrate GPG with OpenKeychain more easily. See, you can still use Google privately. Just send GPG messages. Google can't read those.

Frost, as you saw in the picture, is used for Facebook; however, I'm considering decentralized social media if anybody is down to share.

Camera

BTW, I never lost the Pixel Visual Core camera's awesome image processing. Open Camera can use it :slight_smile:

What to do if locked into other platforms

  1. Evaluate why you use them and whether you get the benefits suggested.
  2. Evaluate exit routes. Get out of using it. Migrate what you need and move away.
  3. Find a way to use it without Google.
  4. Don't switch now; wait until you have something that suits your lifestyle.

Journey In progress

At the end of the day it's a journey of self and tech discovery. Evaluate your digital health. Should you be stuck to social media, or should you read and strive to learn more and better yourself? This was my reasoning for going this route. My principles say tech shouldn't be this invasive. It should be a tool. To each their own on what that means.

Will update as I continue to use and discover new things. Thanks for stopping by and seeing what I do.

French Proverb:

“Praise the God of all, drink the wine, and let the world be the world.”

7 Likes

no pls

2 Likes

Regarding custom ROMs, make sure that you check the actual build number of the cellphone you are buying vs the build supported by the ROM (or even TWRP) itself. I just bought an Asus Zenfone Max Pro M2 a few days ago, and it turns out fastboot won't flash TWRP into the recovery partition (bootloader was unlocked).

I tried rolling back the firmware through the service center (which I paid for, because unlocking the bootloader voids the warranty). It still won't flash. I am down to installing Win 10 on a laptop as the Lineage OS build dev suggested. F me if this will not work; I would have wasted money on a cellphone. Previously I had no problems with OnePlus.

1 Like

Did you seek help on XDA?

Also, anybody serious about ROMs buys the phones mentioned in my post.

Update: 1

Firefox likes to perform telemetry, for good reasons. It helps them fix a ton of stuff and perform experiments which they view as beneficial for the open source user. Open source != private. So let's tweak Firefox a bit in order to disable telemetry and experiments completely. Works on both mobile and desktop.

Find these keys and set them to false:

browser.newtabpage.activity-stream.feeds.telemetry

browser.newtabpage.activity-stream.telemetry

browser.ping-centre.telemetry

toolkit.telemetry.archive.enabled

toolkit.telemetry.bhrPing.enabled

toolkit.telemetry.enabled

experiments.activeExperiment

experiments.enabled

experiments.supported

network.allow-experiments

toolkit.telemetry.firstShutdownPing.enabled

toolkit.telemetry.hybridContent.enabled (you may not see this one)

toolkit.telemetry.newProfilePing.enabled

toolkit.telemetry.reportingpolicy.firstRun

toolkit.telemetry.shutdownPingSender.enabled

toolkit.telemetry.unified

toolkit.telemetry.updatePing.enabled

Simple, easy, beautiful, open source, configurable software. No frills, no worries.

I have these plugins going BTW. Open to more good suggestions:

Ghostery spies on what you disable. Do not use Ghostery for anti-tracking. Don't enable DNS over HTTPS or TLS in the browser. Do it via Android's private DNS feature.

Don't forget MAC randomization is good for anybody serious about avoiding tracking. It's in the Wi-Fi settings.

The randomized MAC address option is configured for each wireless connection, so there is no way to configure this globally unless you build it into the ROM, which I added to this lovely Graphene ROM. Once you connect to a wireless network, here's how to make sure the device is using a random MAC address (instead of the device MAC address).

  1. Open the Settings app.
  2. Tap Network & Internet.
  3. Tap Wi-Fi.
  4. Tap the gear icon associated with the wireless connection to be configured.
  5. Tap Advanced.
  6. Tap Privacy.
  7. Tap Use Randomized MAC.

In my case it's always enabled :slight_smile:

My Wi-Fi also has probe sequence number randomization, per-network-association MAC randomization and hostname randomization. You have to manually build this into Lineage OS if you're on Lineage. Plenty of guides out there on it.

3 Likes
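The telemetry and experiment keys listed in the update above, turned into something checkable: an added example (not from the original post or from Mozilla) that writes the keys out as a user.js fragment forcing each one to false, and audits an existing prefs.js for any of them still set to true. It assumes a desktop Firefox profile directory, where prefs are stored one per line as `user_pref("name", value);`; Firefox for Android does not expose a user.js, so the mobile side of the post is out of scope here.

```shell
#!/bin/sh
# Added example, not from the original post or from Mozilla.
# (a) emit_user_js: print a user.js fragment that sets every key below to false
# (b) audit_prefs FILE: list any of the keys that FILE still sets to true
# Assumes a desktop Firefox profile, where prefs.js / user.js lines look like
#   user_pref("toolkit.telemetry.enabled", true);

TELEMETRY_PREFS="
browser.newtabpage.activity-stream.feeds.telemetry
browser.newtabpage.activity-stream.telemetry
browser.ping-centre.telemetry
toolkit.telemetry.archive.enabled
toolkit.telemetry.bhrPing.enabled
toolkit.telemetry.enabled
experiments.activeExperiment
experiments.enabled
experiments.supported
network.allow-experiments
toolkit.telemetry.firstShutdownPing.enabled
toolkit.telemetry.hybridContent.enabled
toolkit.telemetry.newProfilePing.enabled
toolkit.telemetry.reportingpolicy.firstRun
toolkit.telemetry.shutdownPingSender.enabled
toolkit.telemetry.unified
toolkit.telemetry.updatePing.enabled
"

# emit_user_js: one user_pref(...) line per key, each forced to false.
# user.js is re-applied on every start, so these win over what the UI saved.
emit_user_js() {
    for key in $TELEMETRY_PREFS; do
        printf 'user_pref("%s", false);\n' "$key"
    done
}

# audit_prefs FILE: print every listed key that FILE still sets to true.
# Returns 0 when the file is clean, 1 when at least one key is still on.
# -F matches the key literally so the dots are not treated as wildcards.
audit_prefs() {
    found=0
    for key in $TELEMETRY_PREFS; do
        if grep -qF "user_pref(\"$key\", true);" "$1"; then
            echo "$key"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use: ./ff-telemetry.sh ~/.mozilla/firefox/<profile dir>
if [ -n "${1:-}" ]; then
    emit_user_js >> "$1/user.js"
    audit_prefs "$1/prefs.js" && echo "prefs.js has none of the listed keys enabled"
fi
```

Run the audit after Firefox has been closed, since prefs.js is rewritten on exit; a key still reported as true after user.js is in place usually means the profile directory was wrong.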

Upon further consideration, I made an adjunct post on making Firefox a bit better:

Firefox Hardening Tips 2019

3 Likes

I wish GrapheneOS had more devs! The single dev seems stressed out and he isn’t really social enough to ask for help… It would have to be a special person to work with him.

Aye, Crocker’s Rules compliance would be a must I think.

I do, however, suspect he may be correct not to explicitly ask for help; I imagine someone with the appropriate passion and skills for a project like GrapheneOS will be drawn in by looking at the code themselves far more than by explicit request. A “devs needed” post would probably draw in more “noise” than “signal”, and the original developer could end up fruitlessly trying to bring prospective devs up to speed, only for those devs to realise this is not their cup of tea, and leave. Better for the project to grow organically I think.

There's a reason why "introverted" programmers' social lives don't "grow organically" as well as socially normal people's… Perhaps there are many engineers who like the project and would be willing to help, but all experienced bystander apathy. You can clearly tell by his posts that he's sick of it and at his limits. Pretty easy for me to make arguments that it is good to ask for help on his behalf, if we want to see it around in years.