Free your phone — Degoogle & use FOSS
Mobile apps from Google, Facebook, Samsung or Microsoft are downloaded by the billions. Often, they come pre-installed without the user's explicit consent.
This raises serious privacy concerns. Many of those apps request access to your location, microphone, camera, contacts and so on. They also contain trackers to collect information about you. On average, the top 50 Android apps (over 100 billion downloads) contain 2 to 3 trackers and require 36 permissions, as illustrated below.
In this chapter, we'll discuss how to favor free and open-source mobile apps without trackers and with minimal permissions.
Tell me more about trackers
A tracker is a piece of software gathering information on how applications and smartphones are being used. Carefully check for trackers and permissions when you install an app, for example using εxodus.
| Tracker type | What it does |
|---|---|
| Analytics | Collects data, for example which websites you visit, for how long, which part of the website, and so on. |
| Profiling | Builds a virtual profile by looking at your browsing history, installed apps, and so on. |
| Identification | Determines who you are by referring to your name or pseudonyms, location, and so on. |
| Advertisement | Identifies who is using your device, to serve targeted ads. |
| Location | Determines your position by checking GPS, cell towers, WiFi networks nearby, and so on. |
| Crash reports | Informs developers if applications encountered an issue. |
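The permission half of the check described above can also be done locally. As an added example (not part of the original guide), this Python script parses the output of `aapt dump permissions <app.apk>` and groups the sensitive permissions this chapter names (location, microphone, camera, contacts). The sample dump and the package name are constructed; the script does not detect trackers, which is what εxodus adds.

```python
import re

# Android runtime permissions guarding the data this chapter names.
SENSITIVE = {
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
                 "ACCESS_BACKGROUND_LOCATION"},
    "microphone": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
}
PREFIX = "android.permission."
# Accepts both aapt styles: "uses-permission: name='X'" and "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump):
    """Return the unique permissions requested, in order of appearance."""
    perms = []
    for line in dump.splitlines():
        m = PERM_RE.match(line.strip())
        if m and m.group(1) not in perms:
            perms.append(m.group(1))
    return perms

def audit(dump):
    """Count requested permissions and group the sensitive ones by category."""
    perms = parse_permissions(dump)
    sensitive = {}
    for perm in perms:
        if not perm.startswith(PREFIX):
            continue  # app-defined or vendor permission, not judged here
        short = perm[len(PREFIX):]
        for category, names in SENSITIVE.items():
            if short in names:
                sensitive.setdefault(category, []).append(short)
    return {"total": len(perms), "sensitive": sensitive}

# Constructed sample: a made-up flashlight app asking for more than it needs.
SAMPLE_DUMP = """\
package: org.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.ACCESS_NETWORK_STATE
uses-permission: name='android.permission.RECORD_AUDIO'
"""

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

A sensitive category that has no obvious link to what the app is for is the signal to look for an alternative or to deny that permission after installation.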
Google & iOS free phones
In 2020, the world counted 3.5 billion smartphone users. That's almost half of the world's population. Three out of four of these phones were running Google's Android, the rest Apple's iOS. And 3.3 billion people were using at least one of Facebook's core products — Facebook, WhatsApp, Instagram or Messenger.
Privacy has never been the main focus of these companies. Quite the opposite: smartphones are constantly "sharing" private data with Google, Facebook and Apple, as well as an army of marketers and data brokers. Android phones for example send 12 megabytes of data to Google every day. Even when idle, they communicate their location to Google 14 times per hour. Likewise, iPhones push 6 megabytes of data to Google and 1 megabyte to Apple — every day.
Beyond looking at FOSS apps, this chapter will also explain how to free your phone from Google and Apple, using either CalyxOS or LineageOS.
CalyxOS is a fully-fledged Android OS without Google's Play Services. It currently supports the Pixel phone line only. It also lets you use microG, which replaces Google's proprietary libraries with free and open-source code. CalyxOS focuses on privacy and security: safe communication with end-to-end encryption, private browsing with Tor and DuckDuckGo, automatic security updates, verified boot, and much more.
LineageOS for microG is a fully-fledged Android OS without Google's Play Services. It currently supports hundreds of phone models, and builds on the microG project, which replaces Google's proprietary libraries with free and open-source code. The project is a fork of the free and open-source Android distribution LineageOS, which itself is the continuation of CyanogenMod.
I want increased privacy on my phone — what are my options?
| Option | Description |
|---|---|
| 1. Dump your phone | Phones haven't been designed with privacy in mind. If you really care about privacy, you shouldn't be carrying a mobile phone. For most of us, this option is however too radical. |
| 2. Go for a FOSS mobile OS | The next best option would be to find a phone with fully open-sourced software (and possibly hardware). There are some ongoing projects such as the Librem 5, PinePhone, postmarketOS, Ubuntu Touch or Sailfish OS (the latter is not entirely FOSS). Again, these bleeding-edge solutions are not for everybody. |
| 3. Free Android from Google | In principle, Android is open-source. Getting rid of Google's applications and proprietary software is the best compromise solution as of now. This can for example be achieved by switching to CalyxOS or LineageOS for microG. |
Should I choose LineageOS for microG or CalyxOS, or something else?
It depends on your phone model, as well as your threat model. LineageOS for microG is compatible with many phone models, but at the expense of security. CalyxOS is more secure, but compatible with fewer phones. Here is an overview of the three mobile operating systems:
| Features | LineageOS for microG | CalyxOS |
|---|---|---|
| Automatic security updates (4) | Limited | Yes |
| Signature spoofing (6) | Yes | Yes (if using microG) |
| Supported devices | Available to hundreds of devices | Google's Pixel line only |
| Ease of installation (7) | Hard | Medium |
(1) While not entirely open-source, LineageOS for microG and CalyxOS get rid of Google apps and limit the amount of proprietary code to a strict minimum.
(2) Considering aspects such as app compatibility, push notifications, access to maps, and so on. While most apps work just fine with LineageOS for microG or CalyxOS, some programs don't play nice. Also, using paid apps without Google's Play Store can be a little tricky.
(3) Considering aspects such as battery, storage and CPU usage. microG only takes up 4 MB, compared to over 700 MB for the full Google Apps stack.
(4) CalyxOS automatically receives security updates. LineageOS rolls out manual security updates: while these regularly include patches for Android, patches to the device's kernel or drivers are not consistent.
(5) CalyxOS can lock the bootloader. This maintains the ability for verified boot, in line with Android's security model. LineageOS on the other hand runs with the bootloader unlocked. This is a security issue, which can be exploited by an attacker with physical access to the phone, or by persistent exploits able to survive a reboot, e.g. from malicious apps or browser exploits.
(6) microG uses signature spoofing, which can present certain security vulnerabilities. On CalyxOS, signature spoofing is implemented in a very restrictive manner.
(7) Setting up LineageOS for microG can seem quite complex and lengthy. You might run into unforeseen issues, especially if it's the first time.