Spyware is all over our smartphones: in the apps we install, the radios and sensors embedded in the hardware, and the OS itself, which ties everything together in a way that leaks a ton of information to countless entities. Our phone is an intensely sensitive device because we take it everywhere we go, it has location tracking, cameras, and microphones, and we use it for all kinds of personal communication and daily activities. So it’s really important to protect our device and plug the privacy leaks. One of the biggest upgrades that I’ve made to the privacy on my phone is
installing GrapheneOS. It’s an operating system. You’ve heard of the big two: Android and iOS. Well, Graphene is also a mobile phone operating system, but it’s designed to be super secure and private; and unlike the big two, it doesn't send all your data back to Google and Apple. If you want a Graphene phone, the best thing is to install it yourself. This video will explain how. I’ll talk about the hardware needed and how to purchase it, and go through the entire installation process.
Then I want to answer the big question: 'What next?' This is the most common thing that people ask me after installing Graphene. What settings should they be aware of? How do they install apps? How do they use secondary profiles to silo activities? And what about Google Play Services? So I’ll take you through what I do on my Graphene phone to give you an idea of what’s possible. Keep in mind that these are just my preferences for how to set up the device. If you have a different setup that you prefer, please let people know about it in the comments. And regardless of whether you do any additional setup to your phone, by simply installing and running Graphene you’re doing wonders to improve your privacy already. Let's get started by talking about hardware. GrapheneOS can only be installed on Pixel phones and tablets.
Why does it require Pixel? Because Pixel is the only device that meets Graphene’s security prerequisites. One of these prerequisites is verified boot. Basically you can flash an alternative operating system on many types of Android hardware, but for basically all these other devices, you undermine important security features that come along with the hardware by doing so. Pixel devices, on the other hand, allow you to relock the bootloader after flashing an alternate OS. This prevents someone from tampering with your OS without you knowing, ensuring its integrity and preventing unauthorized modifications.
Currently, only Pixel meets this standard along with the other prerequisites that Graphene requires, in order to guarantee certain security and privacy protections. To decide which Pixel model you want, there are 2 webpages I recommend. The first is Grapheneos.org which shows you which models are currently supported. The second is endoflife.date/Pixel which shows you how long these devices will continue to receive
security updates. You want to choose a model that will receive security updates for quite a while. Using hardware that no longer gets security updates puts your device at greater risk of being infected with malware. Once you’ve chosen your model, what’s the best way to purchase the phone? The most private way is in a physical store using cash.
Many electronics stores sell Pixel phones, like Best Buy in the USA. Cash is more private than a credit card, because your credit card will be linked to your device’s identifiers, whereas cash allows you to remain anonymous. Next, be VERY careful not to purchase a variant device. This is important. A variant device is a slightly modified Pixel that is very likely going to be incompatible with GrapheneOS. How do you know whether your Pixel is a variant device? Well, they’re often tied to carrier contracts, and a little cheaper as a result.
They are usually carrier locked, meaning that they’re restricted to a specific cell network, but they’re also usually “bootloader locked”, meaning that the OEM unlock option has been disabled. Essentially they have modified the Pixel bootloader so that users of that specific device can no longer unlock it to install a custom operating system. Why do they do this? Well usually to ensure that the software on the device remains unchanged, so that they can enforce the terms of the contract or installment plans associated with the device.
But the thing is, if that phone was EVER a bootloader-locked variant, that OEM unlock feature will likely be grayed out on the device permanently, and there is usually nothing you can do to re-enable it. It doesn’t matter whether the carrier contract has expired, whether the device has since been carrier unlocked, or whether the device has even been refurbished: variant devices usually have the OEM unlock option permanently disabled, which means that you won't be able to install GrapheneOS on your phone. So you have to be really careful what kind of device you purchase. I strongly
recommend you don’t buy your Pixel in conjunction with a carrier plan. You also have to be careful of refurbished devices, because you may not know whether it's actually a variant device that was originally locked into a phone carrier contract. It may say “unlocked” in the description, but OEM-unlock and carrier unlocked are 2 different things. So if you purchase second hand, be sure to confirm with the original owner that the OEM unlock option is enabled.
Next is the install. The whole process usually won’t take you more than 20 minutes, sometimes much faster depending on how good your internet connection is. You will need both the Pixel you plan to install Graphene on, and a computer or secondary device to run the installer on. For this second device you can use Mac, Windows, Chromebook, or Linux for the install, or even another phone or tablet.
I’ve done dozens and dozens of these installs and found that using a Mac has been the most seamless, but these days it’s pretty seamless on any device. Graphene has an amazing web interface that makes the whole installation process super easy. Some things to know before you get started: First, don’t use a virtual machine. Next, make sure your computer has enough free memory and storage space. Now whichever operating system you are using, make sure it’s up-to-date. Then you have to make sure that you use a Chromium-based browser and that it’s up-to-date.
In this browser, don’t use Incognito or private browsing modes. And if you use Brave, make sure the shields are disabled. Now it’s also a best practice to go ahead and update your new Pixel before installing GrapheneOS, because this means you’ll have the latest firmware, but I have never found this to be necessary for my installs. Next make sure you have a good quality USB-C cable, ideally the new one that comes with your device.
If you don’t have a USB-C port on your computer, use a high quality USB-C to USB-A adapter and avoid using a USB hub, because these can create issues. We now have everything we need to get started. On your new Pixel, go to Settings, About phone, and scroll to the bottom. Press the build number a bunch of times until developer mode is enabled.
Now when you go to Settings > System, you will see the Developer options menu. Click Developer options, and scroll to where it has the “OEM unlocking” toggle. Switch that on, which is where the little circle is to the right. If it is grayed out,
make sure that you’re connected to the internet. If it’s still grayed out, you may have purchased a variant device and should return the device. Once you’ve enabled OEM unlocking on your Pixel device, you’re going to boot into the bootloader mode. Navigate to the power off menu by pressing the power button and the volume up button at the same time, and select restart. Immediately hold the volume down button while the device boots, and keep holding it until the bootloader interface appears. There should be a red warning triangle on the screen and the words "Fastboot Mode". Don’t touch anything on the device yet. Now open up your secondary device,
ideally a computer, open up your Chromium-based browser like Brave, make sure shields are off, and go to Grapheneos.org/install/web. Scroll down to where you see “Unlocking the bootloader”. Now you’ll plug your Pixel into your computer, and then click “unlock bootloader” on the computer. You should get a popup on screen asking which device you’d like to choose, and your Pixel should be listed there. Windows computers used to have a bunch of driver issues that you’d need to fix here, where no device would show up, but current Windows 10 and Windows 11 no longer require installing a driver for installation; there’s already one preinstalled. If you don’t see your device,
it could be that you need to update your OS. There are instructions on the Graphene website if you need to troubleshoot this. Once you select your Pixel on the list, then you’ll need to confirm the selection on your actual phone. Now currently, written next to the power button, it will say “do not unlock bootloader”. Press the down or up volume button to scroll
through options until it says “unlock bootloader”. Then you’ll press the power button to confirm. Your fastboot mode screen will now have red writing that says “unlocked”. Next, on your computer, you go to the “Obtaining factory images” section, and click “download release”. This may take a while depending on how fast your internet
is. When the download is finished, the progress bar will be fully blue, and the text on screen will change from having said “downloading” your version to “downloaded” your version. Now go to the “Flashing factory images” section on the website. This step will wipe the entire device and install the new operating system. Click “flash release”.
"Flash" is the term used to describe the installation of a new operating system. It essentially means install, but it’s a specialized process that directly modifies the SYSTEM software itself, rather than just adding an app or program. During this process don’t touch your device or computer. The phone may seem like it’s stuck in a refresh loop, and your computer will seem like there are a million different parts of the installation process.
Make sure that you don’t touch the device until you’re sure that the process is completely finished, and the screen says “Flashed (past tense) your version to device”. Once it’s finished, continue to the “Locking the bootloader” section. Locking the bootloader is a super important security feature: it enforces full verified boot, ensuring that no one can tamper with your operating system or replace it with an unauthorized version without you realizing. Click “lock bootloader”. You’ll need to confirm this command on your Pixel phone. Next to the power button it will say “do not lock bootloader”. Press either the down or up volume until it says “lock bootloader” and then press the power button. This will once again wipe the data on the phone. Once this is complete, it should say in green letters on your device “locked”. Next to the power button it should say “start”. Unplug your device and
press the power button. Now that you’ve installed your new OS, it is time to set it up. Each time you power on your new GrapheneOS phone, Google will insist on showing you a scary screen that says that you’re booting a different operating system. It will then insist on showing you the Google logo, just so you don’t forget them. Don’t let them psych you out. The next screen will be your beautiful GrapheneOS logo, welcoming you to a new life of peace away from invasive data collection.
Take a moment here to take a deep breath of gratitude that alternatives to spyware do exist, and that there are people out there who want to help you protect your privacy. *sigh of relief* The first screen you’ll see after this booting process is a welcome screen. Choose your language and continue. Then you’ll be asked to connect to Wi-Fi. We’ll need this in a moment, so you may as well connect now.
Next you’ll set the date and time. You’ll be given a screen asking if you want location services on or not for that profile. This is the owner profile you’re currently setting up, which will always be running in the background regardless of which profile you’re in, so make your choice accordingly. You can always adjust these settings later, and you can also decide at a granular level later which apps in the profile you want to get access to these location services. On the next screen you can choose and activate a PIN to unlock your phone. You can also choose a password if you’d prefer.
Then you’ll be given a prompt to restore apps and data from a previous device. We’re setting this phone up from scratch, so click skip. The next screen just explains how to swipe, so do that tutorial if you need to, or press skip. The final page has a box that by default is checked, that will disable OEM unlocking. Keep this checked, and press start to continue. This takes you to your home screen of your owner profile. There are a few settings that I tweak here. Go to settings, security and privacy, and scroll down to “exploit protections”.
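A way to confirm from a computer that the relock and verified boot took effect, written as an added example (it is not from the video or from GrapheneOS). It assumes USB debugging has been temporarily enabled so that `adb shell getprop` output can be captured; the property names are standard Android boot properties that the page does not mention, and the sample outputs are constructed.

```python
import re

# Standard Android boot properties as printed by `adb shell getprop`.
# These names are assumptions of this example; they are not on the page.
LOCK_PROP = "ro.boot.flash.locked"          # "1" = bootloader locked
AVB_PROP = "ro.boot.vbmeta.device_state"    # "locked" or "unlocked"
COLOR_PROP = "ro.boot.verifiedbootstate"    # green / yellow / orange / red

# getprop prints one "[key]: [value]" pair per line.
_PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_getprop(text):
    """Parse `getprop` output into a dict, skipping lines that do not match."""
    props = {}
    for line in text.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def assess_boot_state(props):
    """Return (ok, findings) for an alternate OS with a relocked bootloader.

    The expected state is locked + "yellow": verified boot is enforced with a
    non-stock key, which is what the "different operating system" boot
    screen indicates.
    """
    findings = []
    locked = props.get(LOCK_PROP)
    avb = props.get(AVB_PROP)
    color = props.get(COLOR_PROP)

    for name, value in ((LOCK_PROP, locked), (AVB_PROP, avb), (COLOR_PROP, color)):
        if value is None:
            findings.append(f"{name} not reported: boot state cannot be confirmed")

    if locked == "0" or avb == "unlocked" or color == "orange":
        findings.append("bootloader is unlocked: verified boot is not enforced, "
                        "repeat the 'Locking the bootloader' step")
    if color == "red":
        findings.append("verified boot reported a failure: the OS image did not verify")
    elif color == "green":
        findings.append("booted with the stock key: the alternate OS is not what is running")
    elif color not in (None, "yellow", "orange"):
        findings.append(f"unexpected {COLOR_PROP} value: {color!r}")

    return (not findings, findings)


# Constructed sample outputs (not captured from a real device).
LOCKED_SAMPLE = """\
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [yellow]
"""

UNLOCKED_SAMPLE = """\
[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.verifiedbootstate]: [orange]
"""

if __name__ == "__main__":
    for label, sample in (("relocked", LOCKED_SAMPLE), ("unlocked", UNLOCKED_SAMPLE)):
        ok, findings = assess_boot_state(parse_getprop(sample))
        print(label, "OK" if ok else "CHECK", findings)
```

Turn USB debugging back off once the check is done.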
Under auto-reboot, I set my phone to 12 hours. This feature is a helpful security measure because it clears the RAM, a type of memory that temporarily holds sensitive data while the phone is in use. It’s possible that a thief who gets access to your phone could try to extract this sensitive data from the RAM; but restarting the device wipes the RAM, which means that there will no longer be any sensitive data to extract. Setting auto-reboot
to 12 hours limits the attack window. If someone steals my phone, they only have 12 hours to try extracting the decryption key from RAM before the phone restarts, erasing RAM and making data extraction nearly impossible. The phone will only reboot if it hasn’t been unlocked with the PIN or password during that time. For the USB-C port section, I stick with the default setting: 'charging only when locked'. This blocks any data connection to the phone through the USB-C port while it's locked, which is an excellent security measure. For 'Turn off Wi-Fi automatically' and 'Turn off Bluetooth automatically,' I set both to 5 minutes.
This means that if no devices are connected for 5 minutes, those radios are shut off. It’s a great setting that prevents your phone from unnecessarily transmitting signals, which can be used for location tracking and other purposes. Next, there are four App Stores I have on my device. You don’t have
to download all of these but this is what I do. The 1st is already inbuilt. To find it, swipe up from the middle of your screen and a search bar will appear. Type in “App Store” in this search bar or tap it, if it’s already there. You’ll find
this app store represented by a little cube icon. In this App Store you’ll find a handful of apps that are by default installed on your device, as well as a few other options you might consider like sandboxed Google Play Services, which we’ll talk about in a moment. The next App Store we’ll install is called Accrescent, and you’ll find it inside this inbuilt Graphene App Store. Tap Accrescent from inside the Graphene App Store, and then click install. You won’t find many apps through this Accrescent store either, but the ones in there have been approved by Graphene as being good privacy alternatives, such as a maps app and a crypto wallet. The 3rd App Store that we’ll download is F-Droid. This App Store is going to be great for finding a lot of free and open source alternatives to the regular apps you use.
F-Droid builds apps from the source code, rather than using premade versions from developers. This means that as long as you trust F-Droid, you can be confident the apps come from publicly available code. The upside of downloading these apps through F-Droid instead of downloading the APK (or app package) directly from their repo yourself is that it’s a lot easier to manage updates through the F-Droid store than having to manage updates for each app manually. The downside is that updates may be released more slowly through F-Droid than they appear in an app's source code repository, due to F-Droid's review and build process. If an app is available through F-Droid, I usually install through there, but you can decide whether this App Store is right for you. To install F-Droid, open the Vanadium browser you already have on your device by default, and go to F-Droid.org. Click download, and you’ll get a popup in your browser asking where you want
to save the APK file, which is the app package. Click download again. The download should appear as a popup, or alternatively you can find it in the downloads section of your Vanadium browser. Click open. You’ll get a pop up asking you to allow the installation of unknown apps via Vanadium. Click settings, and on the next screen activate the first prompt to “allow from this source”.
You can also turn this setting back off afterwards if you want to make your device more secure, so that you don’t accidentally download apps through the browser in future. After you give Vanadium permission, you’ll then get another popup from F-Droid. Click “install”. The 4th and final App Store that I install is the Aurora App Store. It’s basically a more private front end for Google Play that you can use without having to link a Google account. Some people don’t like the Aurora store but I find it super valuable because I hate having that Google Play account linking every app I download.
Now I install Aurora through the F-Droid store, which again, makes it easier to handle updates. Open F-Droid, and search for the Aurora store by clicking on the green magnifying glass on the bottom right. Click install. You’ll again get a popup asking if you want to allow downloads via this source, meaning the F-Droid store. In settings, toggle that on, and check the box that says you want this app to be able to have access to the internet. Then click install. And you can toggle the next permission too if you want to be able to download large apps (which includes mostly gaming apps). Or you can leave it unchecked if not, and exit out of settings by clicking the back arrow.
Once installed, open Aurora, and you’ll come to your setup menu. Click next, and open the Installer permission. The first toggle allows the installing of apps through the Aurora store.
The second you can decide whether you want to toggle, which is required if you want to be able to download larger apps. Then click the external storage manager permission, which is another required permission. You can choose whether you want to give it full access or set up scopes to limit the access that Aurora has. The third permission I also enable, because I like Aurora to be able to download updates in the background. The fourth I enable because I like being reminded about available updates.
And the fifth permission will allow you to open the Aurora store by default instead of the Google Play Store. Why is this helpful? The Aurora Store uses proxy accounts to access the Google Play Store, allowing users to download apps without logging into a Google account. However, this approach can trigger Google's rate limiting measures, which are designed to prevent abuse and scraping of the Play Store.
When Google detects suspicious activity from the proxy accounts used by Aurora Store, it may temporarily limit or block access to the Play Store for those accounts. So this final permission for app links will help you bypass this search-limit. Click “grant”, and on the next page click “add link”. Then check the 2 supported link types that it gives you. What this setting does is, if you’re on a website and there’s a Google Play Store link on the site, if you click that link, it will open the app in the Aurora store instead.
Now click the back arrow and the Aurora installation will be complete. You can try out these App Stores by downloading some apps to get you started. The first ones I start with on my owner profile are a VPN and a browser. Let’s quickly summarize these App Stores to make sure that you understand what each is for. Graphene in-built store: for apps already on your device by default, and additional things like sandboxed Google Play.
A mirror of the Accrescent store, currently in alpha, which focuses on security and privacy. This store comes from the Graphene community and they’re collaborating with Graphene. F-Droid: for free and open source software you can’t find in these first 2 app stores.
Aurora: a more private front end for Google Play Store that doesn’t require a Google account, where you’ll find all the other apps you might want on your device. And there’s a 5th way that you can download apps, which is by installing the APK directly from the app’s codebase or website, but this is annoying because you’ll likely have to manage all updates manually. A word of caution: the more apps you install on your device, the larger your attack surface. So to keep your device as secure and private as possible you’ll want to only put essential things on your phone that you really need, and try to use a web browser on your phone or computer wherever possible instead of downloading a native app.
Once my App Stores are installed, I go ahead and set up additional profiles. The benefit of a secondary profile is that it helps you silo and protect apps better. Graphene already does a great job sandboxing apps on the phone, but separating them in different profiles has additional benefits. First of all, apps in the same profile can talk to each other if they mutually agree to do so. They can also see which other apps are on the device. So theoretically your banking app could see that you have a crypto app on your device. Siloing them across profiles stops this.
Another huge benefit is that each profile has a separate PIN and encryption key. You can also configure profiles to automatically reboot after exiting, which clears sensitive data from RAM. This means that you can walk around with your owner profile active, but you can keep more sensitive things that you don’t need active all the time, like your 2FA app for example, on a secondary profile, and it provides an extra layer of security in case someone gets access to your device. To create a secondary profile, go to settings, system, and click users. Click add user, next, and name it something that makes sense to you, like “Secondary”. Next you’ll come to a settings page for your new profile, and the first toggle allows you to choose whether or not this secondary profile can run in the background.
Now your owner profile (the first profile you started with) is the primary profile on the device so it always runs in the background, including system services. But for your secondary profiles, you might consider toggling off “allow running in the background”. This is what I do, because I want them to automatically reboot after exiting, as an added security protection for everything in those profiles. Then I click 'Install available apps' and choose which of my already downloaded apps I want to add to the secondary profile. For example, I want my VPN, browser, and App Stores available in all profiles.
You can also install additional apps directly inside your secondary profiles, but if an app is already installed in the owner profile, there’s no need to download it again—you can simply toggle it on from the main profile instead. Each secondary profile has to be set up from scratch and manages its own VPN. However, most network settings, including Wi-Fi, are global. This means you won’t need to re-enter your Wi-Fi password in secondary profiles, but you will have to reinstall and configure a VPN separately in each profile. Now that we know how to create a secondary profile, I’ll show you how to set one up with sandboxed Google Play Services. You might want Google Play Services on your phone because some apps require it to function.
Normally, Google Play Services is a highly invasive framework, but GrapheneOS sandboxes it so that it behaves like any other sandboxed app, without privileged system access. If you want to further limit its access, you can install it in a separate profile, too. This prevents it from communicating with apps outside that profile or seeing apps in other profiles. To download this sandboxed version, go to the profile where you want Google Play Services to run, you’ll go to the in-built Graphene store, and scroll down to where it says “Google Play Services” mirror.
Click that and then click install. After downloading you’ll get a prompt to confirm that you want to allow it internet access, then you’ll click install again. You can have up to 32 secondary profiles on GrapheneOS, including a guest profile, but using all of them is probably overkill. I know many people who stick with just one profile and love it. I’m a little more extreme, so I use six profiles to silo my activities: My owner profile includes the bare minimum apps, like browser, VPN, and App Stores. My daily driver has all the apps I constantly use throughout the day including Signal, Maps, email, audiobooks etc.
My sensitive apps profile for things like 2FA that I want to keep offline until needed. I have a profile for invasive apps that I seldom want to access, like Spotify. A profile for sandboxed Google Play Services and apps that require it. And then I have an extra profile just as a kind of sandbox that I rarely use. For most people, a single profile is going to be the easiest to manage. You can experiment with adding additional profiles as you find use cases for them.
Hopefully, this gives you an idea of some of the ways you can use your awesome new GrapheneOS phone. If you want to dive deeper, we have a playlist on phone privacy that explores all kinds of alternative apps that don’t harvest your data—apps you can try to make your device as private as possible. As difficult as it may seem, it’s not actually hard to enjoy all the benefits of a smartphone without compromising your privacy. I strongly believe the best thing you can do is upgrade to GrapheneOS. The experience feels just like using Android, but it actually runs better—without the bloatware and surveillance that come with a stock Android device. Privacy isn’t about going
off grid; it’s about making informed choices. And with GrapheneOS, you’re taking control of your device, your data, and your digital freedom. NBTV is a project of the Ludlow Institute, a non-profit research and media institute that teaches you how to reclaim ownership of your digital life. Help us shift the culture around privacy. Visit ludlowinstitute.org/donate to set up a monthly, tax deductible donation. And
take a look at our merch shop. We just added some new designs, let us know what you think. (sings) You asked for a dance, well here is the dance. You hung around for a dance and it’s a really good one!
2025-03-24 17:01