In my previous post about the future of tech, I discussed my concerns about big tech, and some of the changes we could make as a society to remedy the trends. However, as a developer, I’m in the position of being able to do something about my individual situation right now. Even though it isn’t accessible to everyone yet, someone who isn’t afraid to tinker a bit with their devices can effectively remove their dependence on big-tech platforms right now.
In this post I’d like to discuss what I view as the most important step away from big tech—the phone. We’re going to explore how I replaced all proprietary Google code from my phone using LineageOS, and minimized the interactions with external Google services using microG and an Open Source ecosystem of apps.
Rather than breaking down every step and installation command to “de-Google” your phone, this post provides an overview to explore some of the concepts and explain the many choices you’ll have to make along the way—and the tradeoffs of those choices. Some of the choices I made may not be right for you, but my hope is that this will help demonstrate how all the pieces go together.
The two main phone operating systems available are iOS by Apple, and Android by Google. Of the two of them, Apple puts a high emphasis on external privacy, but you pretty much have to trust Apple because the code is almost entirely closed source; we don’t know exactly what data is sent from your phone to Apple. And even though Apple seems to be making good choices at the moment, and their business model focuses on selling products, not necessarily information, once your data is sent to Apple’s servers, you no longer have control over it in any concrete way. Any change in leadership, business ethics, or business model means that all bets are off; your data is already available to them to do with as they please. We can’t make decisions completely based on the present—we also need to consider the potential future. Data is Forever™.
Google makes no grandiose claims about protecting users’ privacy. The focus is on convenience and connectedness, but this comes at a cost. According to a study by Professor Douglas J. Leith at the University of Dublin, Google collects about 20 times the telemetry that Apple does. What information is in this telemetry is anyone’s guess, but for a company whose business model is building incredibly complex models of our personal lives and selling targeting ads, my guess is that it’s far from benign.
It turns out the core of the Android operating system is Open Source, but not terribly useful on its own without all of the proprietary Google patches woven into it. Fortunately, there are a plethora of Open Source projects that flesh out the Android core and make it accessible as a fully functioning operating system.
For me, LineageOS was the winner since it seemed to be the largest project with the best documentation (complete with specific detailed instructions for almost any phone in existence) and company support. It also was not very opinionated—giving me as close to the vanilla Android experience as possible—and focuses on stability. I wasn’t looking for something cool and heavily customizable, I just wanted my phone to work normally without all the Google tracking built in.
A tempting alternative is /e/. There are a few pieces of LineageOS that still reference Google’s services such as DNS. And you still have to carefully choose apps (as we’ll discuss later) that suit your needs with an acceptable level of privacy. /e/ OS aims to be a one stop shop deGoogled phone with all of the preselected apps you’ll need to live your life, as well as the option to create an /e/ account for a small fee which provides Open Source alternatives to Google services. It appears they even sell phones with /e/ pre-installed and ready for the consumer. This could be a great way to start getting more nontechnical folks thinking about privacy. However, when I looked at this project it still seemed a bit early-phase, and I wanted something a bit more stable. Carefully choosing my own apps was also a good exercise to go through to take more ownership of my privacy.
Stock LineageOS comes with one huge caveat. Push notifications don’t work without Google’s “Play Services” constantly running in the background. Notifications triggered by the device work fine, such as alarms, but anything that originates from a web-service, like an incoming message from a messaging app, won’t make it to your phone. (Note: SMS notifications work since these are pushed directly to your device from the carrier.)
Google Play Services is the giant Google brain that constantly lives and runs on a traditional Android device. It’s proprietary so we don’t know everything it does, but for notifications it acts as a server that handles incoming requests. Whenever an app is installed on the device, it registers itself with Google Play Services which then notifies Firebase Cloud Messaging (Google’s cloud messaging infrastructure) of the new install, which then calls out to any server side applications registered for that app ID and gives them the new device using their app. Once all registered, the server side applications can then ask Firebase Cloud Messaging to send notifications to devices on its behalf.
In summary this allows Google devices to have one common interface for listening for incoming notifications, rather than an individual custom server listening for notifications for every service you use on your phone. This would cause developers to have to constantly reinvent the wheel, and also be a drain on battery life with all the extra processing necessary.
While the architecture makes sense, this unfortunately means all notification traffic needs to go through Google and Google Play Services needs to be running on device to listen for these notifications. While both of these are an issue for me, Google Play Services running on device is the more concerning of the two, because beyond listening for messages, it’s doing much much more, sending telemetry data to Google constantly, and tracking your location using router triangulation. It’s all closed source so I can’t make an informed decision whether this is acceptable to me.
This is where microG comes in. The folks at microG managed to reverse engineer the main functionality of Google Play Services in Open Source, leaving out all the uncomfortable telemetry. Google can tell us all it wants, but we don’t have to tell it anything we don’t want. (This had the wonderful side effect of doubling the battery life on my phone). The only information we need to give Google is a device ID, essentially a randomly generated piece of text that Google has no way of correlating with me as a human. This is privacy through obfuscation, where we still utilize the outside world, but not on their terms. While maybe not as airtight as privacy through abstention, it’s a tradeoff I’m willing to make.
Using Firebase Cloud Messaging is still an uncomfortable side effect of this, but many of the apps I use, especially the privacy minded ones, don’t send content itself in the notification payload, simply a deviceID and an app ID. This then triggers the app itself to go fetch the payload directly from the service without going through Google. Now the only information Google has is metadata surrounding a deviceID. Using machine learning, it’s possible my device ID could be correlated to me as a human, and based on the patterns of when and how many notifications I get, some information could be gleaned. However, this seems like a huge improvement, so it was a reasonable tradeoff. I’ve run across some initiatives to build an open source notification service that can be self-hosted and completely remove Google from the mix, but they are still early-phase, and getting application adoption would be a huge challenge.
The main issue with microG is that most applications don’t have a way to configure what “push server” to register with. The package name for Google Play Services is hard coded into the SDKs for most Android apps and they have no way of knowing they should now reach out to some other app called “microG” to register. Signature spoofing is the way around this, allowing an application to advertise itself under a different identity. For an operating system, allowing this is a huge security risk. If you happen to install an app off the internet claiming to be your bank, now it can imitate your bank app at an OS level and intercept traffic. LineageOS agrees that this is terrible, and has taken a hard stance that enabling signature spoofing on their builds will never happen, rendering microG useless. As a result microG made a fork of LineageOS that enables signature spoofing but also hardens it, so that only system level apps could get this permission with user approval. It could never happen automatically. Of course, no matter how many bars you put in front of a window, it’s never going to be as secure as never having a window, so I understand the concerns from the LineageOS team who prioritize stability and security since so many other operating systems build off of their base.
For my use cases, it seems like a reasonable tradeoff since I am well informed, and even if all their security measures fell over, I’m not in the habit of installing many apps, especially ones I don’t know, off the internet.
The installation of microG flavored LineageOS is exactly the same as plain LineageOS except your recovery
.img and lineage
.zip should be downloaded from the microG downloads site. You can find the name of your build using the device lookup on the LineageOS wiki. Thankfully microG now provides their own recovery images that are signed for their special build of Lineage. Previously, you had to modify the keys of the lineage recovery image manually with no documentation.
As far as installation, the steps are documented in detail for all supported devices on the LineageOS wiki, so I’m going to focus on adding some background to some of the things I wish I had understood better going through this process.
The wiki has a pretty good explanation of adb:
The Android Debug Bridge (adb) is a development tool that facilitates communication between an Android device and a personal computer.
It’s basically a command line utility that allows you to control a phone over a USB cable.
Fastboot on the other hand is a lower level utility that allows you to send commands to a phone when it is in the “bootloader” mode.
The LineageOS documentation shows downloading the tools directly from Google and adding it to your PATH, but I find it much easier to just install using the Homebrew package manager, since I already have that setup on my Mac.
brew install android-platform-tools
An Android device has a hard drive with several partitions that are divided up for different purposes, like recovery, system files, user space, etc, and the bootloader essentially tells the hardware where to look for the instructions on how to start up. It also acts as the gatekeeper to the device to protect the phone from executing code that is not trusted. I found this article quite helpful.
The bootloader interface/configuration mode on most devices is “locked” by the manufacturer to make sure the phone can’t be tampered with by anyone who can get physical access to your device. For example, someone could tamper with the files, even loading on a customized OS that leaks data to the hacker. However, since I’m intentionally trying to install a new operating system, I can unlock this, so that I can boot into this bootloader configuration mode. Unfortunately after adding your custom OS, you can’t relock the bootloader since the manufacturer’s expected OS signature is baked into the device’s hardware, and if you relock the bootloader, it won’t match the OS that you installed. At that point, you’ve ruined your phone since the bootloader is locked, and you can’t load the OS to unlock it again.
Technically leaving the bootloader unlocked is a security risk as previously mentioned, but since there isn’t a huge market for hackers to roam the streets looking for that one out of a million person that has a phone with an unlocked bootloader, and I’m not carrying state secrets, this seemed like a reasonable tradeoff for me.
Typically unlocking the bootloader is just an option under developer settings. To unhide developer options on Android, go to Settings -> About Phone and tap on Build number about 5 times quickly until the phone notifies you that developer tools are enabled. Some phones require you to request on the manufacturer’s website a bootloader unlock code.
Once unlocked in settings, boot into the bootloader with
adb reboot bootloader
and enable “flashing” (applying updates in the form of
.img files) to device partitions
fastboot flashing unlock
Check your device’s installation wiki for detailed instructions.
While still in the bootloader interface, flash the recovery image to the
boot partition of the device with
fastboot flash boot <lineage-recovery>.img
Typically on a phone “Recovery Mode” stores the factory version of your operating system that you can reset your phone to, but the LineageOS recovery image is more of a utility for doing tasks related to the LineageOS. It doesn’t actually store the full OS, it simply gives you
adb support so you can load the OS from your computer. It also just helps simplify the installation process.
You could technically (I have not tried) install Lineage manually without using the recovery utility by unzipping the LineageOS zip and using fastboot to flash each
.img within the zip to its appropriate partition, but this is quite error prone, and time consuming.
Enter recovery mode following instructions for your device on the wiki. The lineage recovery acts as a simplified OS with touch support and it responds to commands from
adb which makes it convenient to load images from the computer.
First, we need to format the partitions because writing images isn’t an overwrite. It behaves more like a commit in git, where changes overlay on top of each other. Leaving the device unformatted will likely cause conflicts with the factory OS. If we apply extra patches to Lineage, or we are doing a major Android version upgrade in the future, we won’t format since these are made to upgrade seamlessly, and we don’t want to lose our user data.
Tap Factory Reset, then Format data / factory reset
Next, we can load in our LineageOS zip. Return to the main screen and tap Apply Update then Apply from ADB. This will allow us to interact with the device using adb, in this case to simultaneously transfer our zip from our computer, and apply the zip to the device. From your computer run
adb sideload <lineage>.zip
This will stop at 47% and display an error such as “failed to read command” but this is expected, and as long as the device screen doesn’t show errors, the install was successful. Once again, follow your wiki for detailed instructions.
At this point, you can return to the main menu and tap, Reboot system now.
Now that we have a functioning deGoogled phone, we need to make ourselves at home and find apps that provide us the services that we are used to, while remaining as privacy-minded as possible.
Before installing anything, open up the microG Services Core app and make sure the Self Check shows that it is installed correctly. At this point, I turned on Google device registration and Cloud Messaging so that any apps installed will register themselves with microG for notifications. I also enabled Mozilla Location Services which gives more detailed location information to apps beyond what GPS can provide, using network based location methods such as WiFi routers and Bluetooth. This shares data with Mozilla, but the product is Open Source, and community supported, so I feel confident that they aren’t abusing my data.
F-Droid is installed by default with the microG distribution of LineageOS. F-Droid is an app store like Google Play Store, except it only distributes Open Source apps. Whenever I need an app for something, I start here since I want to prioritize using Open Source whenever possible. One caveat is that none of the apps here use push notifications since that uses the closed source Google push API. Sometimes there will be a version of an app on F-Droid as well as on the Play Store, but it will be slightly modified to remove proprietary APIs. This is worth keeping in mind if you rely heavily on push for the app to be useful. It also doesn’t have the most sophisticated searching behavior, so if you search “Texting” you might not end up seeing the best SMS app the store has to offer. If I don’t know exactly what I need, I usually end up searching the internet for the best options on F-Droid.
The Aurora Store is an Open Source client to the Google Play Store backend repository. This is what I use for all apps that I simply can’t get away from using Closed Source, but it allows me to preserve my privacy in the same way microG does for notifications. The Aurora store has pools of throw-away Google accounts that are not associated to you in any way, and allows you to download any free app off the Play Store anonymously. Equally useful is the “privacy” section of each app’s description which details exactly what trackers are present in the app, allowing you to make an informed decision when choosing to use an app.
The DuckDuckGo browser, available on F-Droid, blocks trackers and uses DuckDuckGo as the search engine by default. F-Droid does give you a warning that this app has anti-features, and uses proprietary web features, which is true since search results are supplemented by Bing. Once again, the results are not associated with me in any way, so I felt this was the best way for me to have access to convenient features with minimal tradeoffs.
Android has a built-in SMS app, but I find it to be so ugly I couldn’t bear it. QKSMS available on F-Droid is a fantastic little Open Source texting app. There’s not much to say about it, other than that it’s run by one person, and development can be a little slow sometimes. I experienced a performance bug that made it almost unusable for a few weeks, but it has since been fixed. The searching capability is powerful, and the UI is as good as Google’s in my opinion.
Once again, Android comes with a music app, but I found Phonograph to be a much more slick experience for on-device music playing. While on the subject of audio, I found that .m4a files were very inconsistent on LineageOS. Sometimes they would play, and sometimes they would freeze, so I converted my music library to .mp3 and haven’t had any issues.
The built in Calendar and Contacts are fantastic and I’ve had no problems. For Tasks, I use OpenTasks which I find is a little nicer than Tasks, but still leaves much to be desired as far as usability. As far as syncing all these devices to the cloud, I run a Nextcloud server that supports calendar, contacts, and tasks over a DAV API, so I use DAVx5 to sync my phone to my cloud. The app asks you to disable battery-optimization so that it can run constantly in the background. It sounds scary, but the battery hit is invisible compared to the toll that all the Google services take in normal Google Android.
Geometric Weather comes with several widgets that combine the current weather and the Clock on my home screen. It’s Open Source and available on F-Droid but comes with the caveat that it uses some non Open Source services like AccuWeather. Since it’s anonymous, that works for me for now.
Here’s where I’m left disappointed. I haven’t yet found a good substitute for Google Maps, so I still use it, installed through the Aurora Store. At least I have some peace of mind knowing that it’s just a normal app operating on Android and can’t fetch my location constantly behind my back when it’s not running. The alternative I’ve tried is OsmAnd+ which uses the OpenStreetMaps service, but the interface is unusable in my opinion. After trying on two separate occasions to use it for directions, and being unable to find a way to use it without pre-downloading my trip, I gave up. I also definitely miss the traffic-informed directions from Google. Perhaps I will invest in an old-school GPS for my car.
I use the default Gallery app for viewing my photos, and use the Nextcloud client to automatically stream photos I take to my Drive. Sometimes this doesn’t feel very integrated, since the Gallery app is not integrated with Nextcloud, so if I delete a photo there, it doesn’t prompt me to delete it from the cloud, and conversely, the Nextcloud App is only a view into the Nextcloud storage and doesn’t prompt me to delete items from my Android Photos folder if I’m deleting something that was automatically uploaded.
I’m not a huge fan of using mail clients on my phone since I like to unplug, but I do use the ProtonMail app to connect to my personal ProtonMail account when needed. I only use this for personal things, so I don’t have to worry about getting inundated with spam. There are times where I need to access something from my other mail accounts, so I use K9Mail, however I have all notifications and auto-refresh turned off. If I need something, I can open the app, and hard refresh. I have to say, it’s not much to look at, but I don’t use it often so it works for me.
While there are freedom focused alternatives to YouTube itself, at the moment the majority of content still exists on the YouTube platform. I use an app called NewPipe to anonymously browse and view YouTube videos. It’s an open source client to the YouTube backend, similar to microG in that it asks Google for what it needs, but offers nothing for free.
Joplin has apps for all the main platforms (Android, Mac, Linux etc), and syncs using the DAV API on my Nextcloud instance. It functions very similarily to Evernote, and has both WYSIWYG and Markdown editors. I enjoy the ability to go dark mode on all of my platforms!
I’ve been using this phone for about six months now, and most of the time I completely forget that it’s not like any other phone. It stays out of my way and gets the job done. There were a few kinks in the road early on while the microG build for my phone was broken and I had to live without notifications, and it was very frustrating trying to play music until I converted everything to mp3, but those issues are cleaned up now. The keyboard is still a source of minor inconvenience. Since it doesn’t have Google’s autocorrection engine behind it, it can no longer predict what I’m thinking, so I get a lot more typos. There are also times for work or with friends that it becomes inconvenient as most people/organizations expect that you have a traditional smartphone available with all the big-tech integrations
And that’s it folks! Your phone is only a piece of your privacy footprint, but I think it’s the largest. Getting that tracker out of my pocket is a huge breath of fresh air, without giving up too many of the conveniences that I’m used to. It comes with its fair share of “jank,” but makes up for it with the pride of knowing how much of myself I’m getting back.