
Privacy Phone With Google Pixel and Calyx OS

After many years of trust and the feeling of safety with the “privacy company” Apple, I’ve decided to review my choices with companies from “the land of the free”. The catalyst for me was Apple’s recent CSAM disaster. I used to go with iOS because it is convenient, I believed myself to “think different” and that “privacy is a fundamental human right” as the website states to this day. Also you know, “what happens on your iPhone, stays on your iPhone”.

What happens on your iPhone, stays on your iPhone

Apple built trust over many years. In 2015 a strong stance on privacy was demonstrated by not helping the FBI decrypt the phone of a terrorist and further cemented trust in 2019 with the Hide My Email for Sign in with Apple feature. iOS 14 brought us an indicator when a microphone or camera is in use, and we can show our location as approximate rather than exact. When applications ask for locations we can be precise in when and what we want to share. Just this year in 2021 iOS 15 will ship with email tracking protection, Protect Mail Activity that will hide your IP address and loads remote content in the background through proxy services. This is a great record and direction and convinced even mild tinfoil hats like myself that it’s kind of okay. Okay enough to trust a walled garden, to keep payment solutions on my phone and not really worry about it.

But then it would appear Apple went a step too far. With the roll out of iOS 15 in September 2021, the intention is to introduce CSAM (Child Sexual Abuse Material) detection. What looks harmless and like a good entry to bolster brand image in a board meeting, may be the harbinger of a surveillance tool and plausible deniability for deep privacy intrusions into your private life. Unlike other existing systems, the proposed processing is not happening on the “cloud” with pictures you voluntarily uploaded for a backup, but on the device itself. For this it will hash and match photos against a database of known CSAM. Upon matching, your files will be uploaded and reviewed by staff. Hash collisions and implications were already discussed on Hacker News. Edward Snowden was quick to call out the slippery slope the “pro-privacy” company is on and called into question the ownership of the data on your phone.

Admittedly, I’m also a user of Google’s ecosystem. Using Gmail since it’s been in beta and above all other services Maps. Again, it’s convenient and saves me time. I knew about tracking and all concerns but it didn’t bother me much. Who has nothing to hide has nothing to worry about, right? I got more bothered when the cancel culture set in, not for any online presence of my own, but for the dying exchange of ideas. We’re seeing heavy censorship in times of the pandemic that kicked into full gear since the Trump Biden election campaigns among the internet giants. Then earlier this year we learned about Google’s Intelligence Agency Jigsaw.

These were the catalysts that tipped me over to do the work to deGoogle and see how easy or difficult it is to get rid of big tech in my private life. Setting up a phone without big tech and no tracking will cost me time and convenience, but I no longer feel comfortable selling my data and cut off the weakest link to my privacy. I might learn a thing or two along the way.

Why Pixel Phones?

Pixel phones have a number of features that outperform. The Titan M security chip protects against physical attacks. It verifies that the boot loader is not manipulated and checks for brute force attacks, and passwords and API keys can be encrypted directly on the chip. Pixel phones also provide baseband isolation, allowing you to operate just the wifi without cellular networking enabled.

Google provides security updates for over 3 years and usually faster than any OEM vendor. It also had recent Pixel phones independently audited for ioXt by the NCC Group and for Common Criteria evaluation by Gossamer Security Solutions. While these may appear like expensive check box exercises, it at least ensures that the devices comply with standards on security, upgradeability and transparency. Not many vendors will invest in these expensive endeavours.

Ironically, it appears that Pixel smartphones are the best available hardware for a Google-free experience.

Google Pixel 4a 5G with CalyxOS

The process of setting up a privacy phone

Operational security is actually difficult and having the luxury to exercise the steps for education is an interesting adventure. I probably missed a few important steps even and decloaked the phone along the way, if you spot something, let me know.

I bought a Google Pixel 4a (5G) with cash in a local store as well as a burner SIM. We have to turn the phone on with the vendor OS and connect to a wifi network, so I headed to a busy coffee shop to turn the phone on the first time, as that location and other data leak and will be recorded.

Before leaving the coffee shop

If you don’t change the OS (you should), install all available security and app updates before doing anything else.

CalyxOS

Few options for privacy focused Android mods are around; Graphene OS and Calyx OS are mentioned frequently. Trust is a difficult thing. I looked up who is behind Calyx OS and was instantly convinced. None other than the legendary Nicholas Merrill. If you don’t know who that is, don’t take my word for it and read up on him. It’ll be worth your time.

Seeing the website, CalyxOS has its primary focus on privacy, offers the option of microG, F-Droid and the Aurora Store that gives anonymous access to the Play Store, so I didn’t need any further convincing.

CalyxOS also has some nice defaults worth noting

Installing CalyxOS on the Pixel 4a (5G Japan version)

Unlock the bootloader and turn on USB debugging:

Go to System settings -> About phone -> tap on ‘Build number’ several times until Developer options is enabled.

Go to System Settings -> System -> Advanced -> Developer Options ->

Go to the CalyxOS website’s download section and get the image for your device, for me it was:

Pixel 4a (5G) (bramble)

Place device-flasher as well as the CalyxOS .zip image into the same folder on your laptop. I did the following steps on my MacBook using iterm2. No need to extract or rename the zip, just copy it as-is. Download all the required files to one directory:

ls -l
total 3072408
-rw-r--r--  1 dre  users   1.5G Sep  1 22:09 bramble-factory-2.8.0.zip
-rw-rw-rw-@ 1 dre  users   289B Sep  1 22:30 bramble-factory-2.8.0.zip.minisig
-rwxr-xr-x@ 1 dre  users   6.3M Sep  1 20:39 device-flasher.darwin*
-rw-r--r--  1 dre  users   113B Jul 10 07:30 minisign.pub

Verify the checksums of the files:

shasum -a 256 device-flasher.darwin
5e5542f51c1592e392114636f2e64fe9dae1cacaaf55c722822780ec5cbf9331  device-flasher.darwin
shasum -a 256 bramble-factory-2.8.0.zip
e695116ce6c15c27392df6d82b88576db87b5fe66192ba18f7323f6414fe88ff  bramble-factory-2.8.0.zip

On MacOS install minisign to verify the signatures

brew install minisign
minisign -Vm bramble-factory-2.8.0.zip -p minisign.pub
Signature and comment signature verified
Trusted comment: CalyxOS 2.8.0 - August 2021

If minisign prints “Signature and comment signature verified”, we can execute the device flasher (without sudo).

./device-flasher.darwin

which will prompt for the following steps:

  1. Connect to a wifi network and ensure that no SIM cards are installed
  2. Enable Developer Options on device (Settings -> About Phone -> tap “Build number” 7 times)
  3. Enable USB debugging on device (Settings -> System -> Advanced -> Developer Options) and allow the computer to debug (hit “OK” on the popup when USB is connected)
  4. Enable OEM Unlocking (in the same Developer Options menu)

When we continue, during the installation it prompts to unlock the boot loader which requires a manual up and enter.

Unlocking bramble XXXXXXXXXXXXXX bootloader...
5. Please use the volume and power keys on the device to unlock the bootloader

After the installation it again prompts to re-lock the bootloader for tamper protection. It replaced the OEM key with a CalyxOS key and therefore allows you to lock the bootloader again.

Locking bramble XXXXXXXXXXXXXX bootloader...
6. Please use the volume and power keys on the device to lock the bootloader

This was incredibly easy and took mere minutes to complete. The log above says it only ran for 148 seconds. A day and night change to the last time I toyed with such a process ca. 2012.

When you switch on the device, you’re navigated through a few steps that are all very self explanatory and that I leave as an exercise for the reader. One thing to note is that if you don’t need push or services or access to the app store you don’t need to install MicroG. Otherwise it allows anonymous access to all apps through the Aurora store.

VPN

The Calyx Institute is a non-profit that offers a free, open source VPN, the CalyxVPN app comes with the OS and can otherwise be installed via F-Droid. While VPNs may help circumvent censorship, they’re not really helping anonymity. For this Calyx ships with two Tor apps.

Tor

CalyxOS ships with both the Tor Browser and Orbot. Tor Browser is like a regular browser that uses the Tor network and tries to be anonymous while easy to use. It can browse the clear and the dark net. Orbot is a proxy that allows to anonymize all of the Android traffic through the Tor network.

DNS Servers

The first thing we want to do is switch out DNS servers. Don’t use Cloudflare 1.1.1.1 nor 8.8.8.8 which are odd defaults to use here actually. Select a DNS provider that is less mainstream and may protect your privacy better; some even apply ad blockers. A short list of example providers: Quad9 (Switzerland), BlahDNS (Germany), Digitale Gesellschaft (Switzerland), UncensoredDNS (Denmark). Go to:

Settings ->
  Network & Internet ->
    Advanced ->
      Private DNS ->
        Private DNS provider hostname:
        9.9.9.9

Apps

F-Droid is rather slow in my area. Expect some wait time for installations.

I’m using both F-Droid and Aurora Store. The latter connects you anonymously to the play store and has a nice feature that shows app trackers. Viewing these, I’d exclude most mainstream social media and even alternatives are often riddled with big tech trackers (yikes). For messaging there is Signal, Telegram. For web, I’ve added Firefox, DuckDuckGo, Tor Browser. There are YouTube clients like Newpipe and alternatives like Rumble. Twitter clients like Twidere X and alternatives like Gettr (with Facebook plus Google tracking yikes). I should review these alternative social media platforms at some point given it appears that most of them fail in their privacy claims. An okay Maps alternative in my region is OsmAnd, however it doesn’t come close to the usual Maps experience.

Even if I’d install big tech apps like Keyboards & Camera, the Datura Firewall allows per-app network isolation and we can remove internet access from such apps.

For remote ssh access to my servers, I also install Termux.

Termux on the Google Pixel 4a

Conclusion

I expected this to be a bit more work than what it was, buying phone and SIM was straightforward. Installing CalyxOS was a breeze. I will probably have to explore anonymous eSIMs and write up a summary of alternatives to big tech. I will definitely keep my iPhone for work and life for a while. The real cost will come while switching. I learned a few things here, mostly about an ecosystem that has matured quite a bit and of which progress I wasn’t aware of.

I’ll update this post as I’m exploring the usability over the next weeks. On my second phone I do rest assured that everything that happens on this phone, stays on the phone.


Published on Sunday, Aug 29, 2021. Last modified on Thursday, May 12, 2022.