Avoid The Hack: 2 Best Privacy Friendly Operating System Picks for Mobile
This post was originally published on 1 DEC 2021; it has since been updated and revised.
Most people have a smartphone. Odds are this smartphone is either an iPhone (iOS) or some flavor of Google Android - but still an Android.
Unfortunately, in a myriad of ways, neither are exactly the best for security or privacy. Between Google-flavored Android and iOS, determining which mobile operating system is worse for your privacy is a continuous discussion. Recent news, updates, personal circumstances, and users’ threat models must all be taken in account. Due to different users’ needs, wants, and goals it’s tough to reach a definitive “do this to be correct” answer.
For more adventurous and technically-inclined users, Google’s vision of Android - even when “hardened” for security and “tweaked” for privacy - can still be rather lackluster on both fronts. In this case, such users may want to look into installing an alternative mobile operating system on their devices.
A word on iOS devices...
Long story short, you can't install a new operating system on iDevices. This is primarily due to the closed-source bootloading "defense" mechanisms Apple employs on its devices.
This isn't a "death sentence" for those that prefer iOS devices. Users on iOS can take steps to reasonably harden the device in terms of privacy and security. A good start is installing and using privacy-oriented browsers and installing a reputable device-wide tracker blocker, such as Adguard.
An iDevice simply will not execute anything not "signed" by Apple on boot, so installing a third-party and custom operating system remains more in the realm of impossible. At least for now.
Therefore, when talking about alternate and privacy-friendly mobile operating systems around the privacy community, Android is primarily referenced. The same holds true for this post.
Typically, users will find that in the greater privacy community, jailbreaking an iDevice is not advised. This is mostly due to the risk vs. reward of jailbreaking in today's threat landscape... the risk is far greater than the reward for many people's threat models. Generally, the biggest risk with jailbreaking is the device cannot receive iOS updates -- therefore you may be leaving yourself open to known exploits and vulnerabilities that could be patched by simply updating.
What is jailbreaking? Simply put, jailbreaking refers to escaping the walled garden of Apple's iOS devices. Jailbreaking an iDevice gives root privileges of the device, which in turn allows performing tasks such as sideloading apps and other third-party software. On a slightly more technical level, jailbreaking actually takes advantage of a privilege escalation exploit... which, when executed, gives the "jailbreak."
"Jailbreaking" actually applies to more than just iOS - but it most commonly refers to skirting around the locked-down environment of iOS itself. Though similarities between rooting and jailbreaking iOS exist, there are some fundamental differences.
Jailbreaking was far more common in the early days of the iPhone and the now-defunct iPod Touch due to the heavily limited customization options available at the time. For example, early iPhone versions did not have an official app store, so downloading apps was only possible on a jailbroken iPhone. Jailbreaking has also proved useful in unlocking carrier-locked iPhones, but it has also been used for more "dubious purposes" such as installation of malware/spyware and/or software piracy.
Interestingly, a lot of features gained by jailbreaking iOS have been subsequently adopted by Apple over the years. These adoptions have arguably reduced the appeal of jailbreaking for many "main stream" or "everyday" users. This is in addition to Apple consistently fighting against jailbreaking techniques with major iOS updates.
- Hardened malloc and kernel
- Hardened WebView / Chromium (Vanadium)
- Network and Sensor permission toggles
- Support for long passwords (64 characters)
- Enhanced sandboxing capabilities
GrapheneOS focuses on both privacy and security but offers more security-oriented features; it’s frequently regarded as the most secure mobile Android operating system.
Much of GrapheneOS’s focus is mitigating and defending against the exploitation of unknown vulnerabilities, commonly referred to as “zero-days.” Zero-day vulnerabilities are vulnerabilities discovered by attackers before the product vendor is made aware of them. The vendor usually has to play “catch-up” to push an update fixing a new zero-day, which can take anywhere from hours to weeks; in the meantime, devices remain subject to zero-day attacks and exploits.
This operating system takes 4 distinct approaches to defending against zero-days:
- Attack surface reduction
- Exploit mitigations
- Improved Sandboxing (over Android Open Source Project, “vanilla” Android.)
- Anti-persistence and detection
Much of the attack surface reduction in GrapheneOS is accomplished via stripping out “unnecessary” code and disabling optional features by default.
Hardened malloc provides improved defense against common memory corruption vulnerabilities, which often form the basis of fully developed exploits or chained attacks. The hardened kernel improves security at the most fundamental level of the operating system and enables the improved sandboxing capabilities of GrapheneOS. Enhanced verified boot helps ensure executed code comes from a defined and trusted source.
The improved sandboxing capabilities extend across the app sandbox and the WebView rendering sandbox. Interestingly, GrapheneOS’s enhanced sandboxing allows robust sandboxing even for Google Play services, which when implemented “regularly,” enjoy high-level and unmodified privileges to the device.
With the implementation of Android 13, GrapheneOS’s enhanced Google Play services sandboxing introduces a newer compatibility layer for Android apps. In this enhanced sandbox, even Google Play services are treated as “regular” apps by the operating system, allowing user control of their permissions.
All of this emphasis on security also lends well to user privacy; GrapheneOS does have features dedicated to enhancing user privacy:
- GrapheneOS doesn’t include Google apps/services by default
- Storage Scopes - a more secure, restricted alternative to the standard Android storage permission manager
- Sensor permission toggle - device sensors have been used by apps to silently collect highly unique, identifying, and valuable data (the Facebook app, for example, does this); this toggle gives users the option to deny sensor access.
- Private Wi-Fi
GrapheneOS delivers regular security updates, and in some cases, the project has implemented security fixes prior to upstream Android doing so.
Due to the enhanced stock Android security features native to the Google Pixel device line, such as the Titan M secure element that enables verified boot, GrapheneOS only supports Google Pixel devices. This operating system’s aim isn’t to have the broadest device support. Rather, the focus is on choosing devices based on standard requirements as outlined on GrapheneOS’s official website.
The project was originally founded in 2014 under a different name and has undergone a number of reorganizations and renaming efforts since its origin. Of these reorganizations, most notably, GrapheneOS was formerly CopperheadOS. As of writing, CopperheadOS is a closed-source project unrelated to GrapheneOS; allegedly, the new CopperheadOS has used previous branding and code established/owned by now-GrapheneOS.
GrapheneOS is maintained by the non-profit GrapheneOS Project and the open-source community at large.
- Automated Kernel CVE Patching
- Hardened Webview (Mulch)
- Tracker/ad blocking hosts file
- Removal of hundreds of proprietary blobs
- Multiple device support
DivestOS is a fork of LineageOS. Specifically, it is an unofficial soft fork of LineageOS and aims to help users “take back (some) control of your device.”
DivestOS supports a given subset of devices and posts guidelines for choosing a device for use with DivestOS; however, the developer recommends using a non-carrier branded Google Pixel where possible.
The official F-droid app is included with DivestOS. DivestOS uses the official F-droid client to fetch updates from its associated repos. It removes many proprietary blobs from its build time, increasing security and privacy by eliminating untrusted and unnecessary code.
DivestOS allows users to restrict network access - cell, Wi-Fi, or virtual private network (VPN) connections - on a per-app basis. Users can run apps using Shelter or in a separate user profile, which minimizes the data available to apps when granted permissions; this helps prevent apps from silently collecting data using permissions already granted by the user for a different, intended purpose.
By default, DivestOS ships with Hypatia, an open-source real-time malware scanner. It leverages ClamAV signature databases to scan for and detect known malware signatures.
Unlike many antivirus solutions, Hypatia’s operations are performed on the device - internet connectivity is primarily used to update the signature databases. Local operations reduce the avenue for possible data collection, given that antivirus software has high-level privilege to a system to perform some functions; “traditional” commercial antivirus software has been accused of abusing its high-level privileges to a system, silently collecting data and phoning home to associated remote servers.
System WebView (Chromium WebView) is hardened via DivestOS's implementation named "Mulch," which features security-enhanced integrations and uses GrapheneOS’s Vanadium as its upstream. Mulch is updated separately from the operating system via an F-droid repository, allowing it to keep up with rapid updates from the general Chromium project.
For privacy, it uses a custom hosts file that blocks over 900,000 known advertising and tracking servers. Mull is the default browser, which is a Firefox (Gecko) fork, using tweaks from the Tor uplift project and arkenfox-user.js to resist common fingerprinting techniques. The default DNS server is set to Quad9, which provides good filtering/blocking of known malicious domains and hosts, and is a recommended DNS service provider on avoidthehack.
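Hosts-file blocking of the kind described above works by mapping a blocked hostname to a null or loopback address, and it matches the full hostname exactly. The following Python is an added example (not DivestOS's code or its actual blocklist) that parses a small constructed hosts-format list, answers "is this hostname blocked?", and reports hostnames whose parent domain is listed but which are not themselves covered, which is the main gap to check when relying on a hosts file rather than a DNS filter such as Quad9.

```python
"""Check hostnames against a hosts-format blocklist (constructed sample data)."""
from typing import Iterable, List, Set

# Constructed example in the hosts-file format used by ad/tracker blocklists.
# A real list such as the one DivestOS ships has hundreds of thousands of lines.
SAMPLE_HOSTS = """\
# constructed blocklist for illustration only
127.0.0.1 localhost
0.0.0.0 tracker.example        # trailing comments are allowed
0.0.0.0 ads.example   cdn.ads.example
0.0.0.0 metrics.example.net
"""

# Targets that sinkhole a name instead of resolving it somewhere useful.
NULL_TARGETS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text: str) -> Set[str]:
    """Return the set of hostnames the hosts file sinkholes.

    Each entry is 'target host [host ...]'; anything after '#' is a comment.
    Only entries pointing at a null/loopback target count as blocks, and
    'localhost' is excluded because every hosts file maps it to loopback.
    """
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target, *hosts = line.split()
        if target not in NULL_TARGETS:
            continue
        for host in hosts:
            host = host.lower().rstrip(".")
            if host != "localhost":
                blocked.add(host)
    return blocked


def is_blocked(host: str, blocked: Set[str]) -> bool:
    """Hosts-file blocking is an exact match on the full hostname."""
    return host.lower().rstrip(".") in blocked


def uncovered_subdomains(observed: Iterable[str], blocked: Set[str]) -> List[str]:
    """Hostnames a device actually contacted whose parent domain is listed but
    which are not blocked themselves; these slip past a hosts-based blocker."""
    gaps: List[str] = []
    for host in observed:
        name = host.lower().rstrip(".")
        if name in blocked:
            continue
        labels = name.split(".")
        parents = [".".join(labels[i:]) for i in range(1, len(labels))]
        if any(parent in blocked for parent in parents):
            gaps.append(name)
    return gaps


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print(sorted(table))
    print(is_blocked("ADS.example.", table))              # True: case and trailing dot normalised
    print(is_blocked("beacon.tracker.example", table))    # False: only the parent is listed
    print(uncovered_subdomains(["beacon.tracker.example", "cdn.ads.example"], table))
```

The `uncovered_subdomains` check is the practical takeaway: feed it the hostnames seen in a device's DNS log and it shows where a hosts file gives a false sense of coverage, since a tracker served from a fresh subdomain is not caught by a parent-domain entry.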
DivestOS itself has monthly updates for supported devices; select devices receive smaller, incremental updates. The mobile operating system also automatically checks for Linux kernel patches that fix security-related Common Vulnerabilities and Exposures (CVEs) for supported devices.
DivestOS is primarily maintained by the Divested Computer Group.
A word on CalyxOS
Previous versions of this post recommended CalyxOS as a mobile operating system alternative for Android. However, it was brought to avoidthehack’s attention that CalyxOS poses some unnecessary risk in its implementation of specific features both “introduced” and native to recent versions of vanilla Android. After a good amount of digging, many of these concerns were corroborated.
CalyxOS weakens the default verified boot found in regular Android and has shown patterns of lagging behind vital security updates for WebView (Chromium) and the operating system itself. Additionally, the optional inclusion of microG, which enables compatibility with Google Play services, has fundamental privacy issues.
Lack of timely updates
CalyxOS has a rather documented history of lagging behind implementing upstream Android security updates and upstream WebView (Chromium) updates.
When Android 12 was released (4 OCT 21), 4 months passed before CalyxOS implemented the associated security fixes, moving from Android 11. For reference, upstream Android 12 fixed numerous vulnerabilities, some of which were actively exploited in the wild at time of release. Since CalyxOS users were still on Android 11, they were vulnerable to attacks or exploits due to running outdated firmware and software during these 4 months.
It seems CalyxOS also regularly lags behind in implementing upstream WebView (Chromium) security patches in a timely manner:
- On 17 AUG 22, Google pushed Chromium 104.0.5112.97; GrapheneOS pushed the same version more or less the same day; CalyxOS pushed the same version on 31 AUG 22.
- On 28 MAY 22, Google pushed Chromium 102.0.5005.78; GrapheneOS pushed the same version on 30 MAY 22; CalyxOS pushed the same version on 9 JUN 22.
- By at least 21 JAN 22, CalyxOS was using a version of Chromium from OCT 21.
In some cases, CalyxOS has regularly skipped patches.
At time of writing (9 SEP, 2022), CalyxOS has yet to push an Android 13 version; Google released Android 13 on 15 AUG 22. Android 13 introduces security improvements and security patches over Android 12.
CalyxOS’s source code supports a weakened iteration of the modern Android’s verified boot model, placing more trust in the persistent state over the current state.
Trusting a persistent state also puts trust in changes made; both regular processes and malware frequently write to and alter operating system files, so changes could be benign or malicious. While trusting persistence provides convenience, it can also introduce increased risk that the user might not necessarily know they are taking.
If the device is infected with malware that tampers with operating system files and establishes persistence, this becomes a compounding issue the more a user uses the infected device. The device will successfully boot into the operating system as if everything is “checked out,” which in the case of some malware infections, isn’t necessarily true. Once the operating system loads, the malware could gain access to sensitive data on the device and/or compromise the device.
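To make the distinction between "current state" and "persistent state" concrete, here is an added example in Python, written for this post and not taken from CalyxOS, Android, or AVB. It is a deliberately simplified model: the image is a dictionary of file contents, the "signature" is an HMAC under a constructed vendor key standing in for the real public-key signature over vbmeta, and the two device objects differ only in whether boot re-checks the image every time or trusts the verdict a previous boot persisted. Once a file is tampered with, only the strict device refuses to boot.

```python
"""Simplified model of verified boot: re-verify every boot vs. trust a persisted verdict.

Constructed for illustration; real Android Verified Boot hashes partitions with
dm-verity and checks public-key signatures on vbmeta, not an HMAC over a dict.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed key standing in for the vendor's verified-boot signing key.
VENDOR_KEY = b"constructed-demo-vendor-key"


def image_digest(files: Dict[str, bytes]) -> bytes:
    """Digest of an image given as {path: contents}, in a canonical order."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode())
        h.update(b"\0")
        h.update(files[path])
        h.update(b"\0")
    return h.digest()


def sign_image(files: Dict[str, bytes]) -> bytes:
    """Vendor-side 'signature' over the image digest (HMAC as a stand-in)."""
    return hmac.new(VENDOR_KEY, image_digest(files), "sha256").digest()


def verify_image(files: Dict[str, bytes], signature: bytes) -> bool:
    """Boot-time check: does the image on disk right now match the signed digest?"""
    expected = hmac.new(VENDOR_KEY, image_digest(files), "sha256").digest()
    return hmac.compare_digest(expected, signature)


class Device:
    """A device whose boot policy either re-verifies or trusts persisted state."""

    def __init__(self, files: Dict[str, bytes], signature: bytes, trust_persistent_state: bool):
        self.files = dict(files)
        self.signature = signature
        self.trust_persistent_state = trust_persistent_state
        self.persisted_verdict: Optional[str] = None  # what an earlier boot concluded

    def boot(self) -> str:
        # Lenient policy: an earlier "ok" is enough, the current image is not re-checked.
        if self.trust_persistent_state and self.persisted_verdict == "ok":
            return "booted (trusted earlier verdict, image not re-checked)"
        if verify_image(self.files, self.signature):
            self.persisted_verdict = "ok"
            return "booted (image verified)"
        return "refused (image does not match signed metadata)"


def demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Boot both devices clean, tamper with a system file, boot again."""
    clean = {"system/bin/init": b"init v1", "system/lib/libc.so": b"libc v1"}
    signature = sign_image(clean)
    strict = Device(clean, signature, trust_persistent_state=False)
    lenient = Device(clean, signature, trust_persistent_state=True)
    first = (strict.boot(), lenient.boot())
    # Something with write access to system files modifies one to establish persistence.
    for device in (strict, lenient):
        device.files["system/bin/init"] = b"init v1 + modification"
    second = (strict.boot(), lenient.boot())
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("clean image:   ", before)
    print("tampered image:", after)
```

The lenient device "checks out" on the second boot purely because it checked out once before, which is the compounding problem the paragraph above describes: every further boot of a tampered image succeeds without the user learning anything changed.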
The in-app firewall included in CalyxOS is reportedly leaky. Additionally, as of writing, despite CalyxOS being on Android 12, the documentation for the in-app firewall is for Android 11.
The state of “optional” microG is a two-step problem. Whether or not a user chooses to include microG in their installation of CalyxOS, CalyxOS bundles Google’s eSIM into the install without explicitly informing the user. This is problematic because many users install alternative mobile operating systems specifically to get away from Google apps and services whose permissions cannot be revoked.
microG also expects a high level of privilege on the system. For example, its manifest lays out microG’s expected accesses for:
- READ_PHONE_STATE, which allows read-only access to things like the cellular network status, status of calls, and the list of any PhoneAccounts registered on the device
- ACCESS_FINE_LOCATION, which allows access to the device's "fine" location
- WRITE_EXTERNAL_STORAGE, which allows writing to external storage
- GET_ACCOUNTS, which allows access to the accounts list in the accounts storage section
The primary issues with microG aren’t necessarily its permission requests; the problem rests with its bundling of Google’s eSIM and the inability to revoke these permissions. This is identical to the Google Play services issue on Google’s flavor of Android, where Google Play services enjoy irrevocable privileged access to the device.
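Reading the manifest is how a user or reviewer finds out what an app expects before installing it, so the following Python is an added example (not microG's manifest and not a tool from any of the projects discussed here) that pulls every `uses-permission` entry out of a constructed AndroidManifest.xml and flags the ones Android classifies as runtime ("dangerous") permissions, including the four named above. The permission table is a short hand-picked subset, not the full Android list.

```python
"""List and flag the permissions an Android app requests in its manifest."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment for illustration; not any real app's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.demoapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                     android:maxSdkVersion="29"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Hand-picked subset of runtime ("dangerous") permissions, which Android grants
# only after asking the user; the four from this page plus a few common ones.
RUNTIME_PERMISSIONS: Dict[str, str] = {
    "android.permission.READ_PHONE_STATE": "cellular network state, call state, PhoneAccounts",
    "android.permission.ACCESS_FINE_LOCATION": "precise device location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate device location",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to shared/external storage",
    "android.permission.GET_ACCOUNTS": "list of accounts on the device",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}


def requested_permissions(manifest_xml: str) -> List[Tuple[str, Optional[str]]]:
    """Return (permission name, maxSdkVersion or None) for each request, in manifest order.

    The element tags carry no namespace, but the attributes live in the android
    namespace, so they must be looked up with the Clark notation "{ns}attr".
    """
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    max_sdk_attr = f"{{{ANDROID_NS}}}maxSdkVersion"
    found: List[Tuple[str, Optional[str]]] = []
    for elem in root.iter():
        # uses-permission-sdk-23 is the variant only applied on API 23 and newer.
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = elem.get(name_attr)
        if name:
            found.append((name, elem.get(max_sdk_attr)))
    return found


def flag_runtime_permissions(manifest_xml: str) -> Dict[str, str]:
    """Subset of requested permissions that are user-granted runtime permissions."""
    return {
        name: RUNTIME_PERMISSIONS[name]
        for name, _ in requested_permissions(manifest_xml)
        if name in RUNTIME_PERMISSIONS
    }


if __name__ == "__main__":
    for name, max_sdk in requested_permissions(SAMPLE_MANIFEST):
        suffix = f" (only up to API {max_sdk})" if max_sdk else ""
        print(f"{name}{suffix}")
    print("runtime permissions to review:")
    for name, meaning in flag_runtime_permissions(SAMPLE_MANIFEST).items():
        print(f"  {name}: {meaning}")
```

For a real APK the same information can be dumped with `aapt dump permissions <apk>` from the Android SDK build-tools; the point the section makes still holds either way: on stock Android and with microG the flagged entries are granted at a privileged level the user cannot later withdraw, whereas under GrapheneOS's sandboxed Play services they are ordinary runtime permissions the user can deny.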
Criteria for mobile operating systems
At a minimum, to be listed as a recommendation on avoidthehack, privacy-friendly mobile operating systems must:
Open-source operating systems promote transparency; for reference, "vanilla" Android (not the Google-variant the world is used to) is open-source.
For iOS, as previously mentioned, the boot loader for iDevices will only permit booting with a genuine installation of iOS. While iOS is indeed closed-source, it sometimes gets a "pass" due to the surprising level of control Apple gives users over their data inside the iOS ecosystem.
Then again, iOS isn't an explicit recommendation here as this post is dedicated for Android-based devices.
Operating systems listed here should be free of upfront monetary costs. avoidthehack highly encourages users to donate to specific operating systems they find useful!
Provide security and privacy enhancements
Mobile operating systems listed here should provide considerable security upgrades and privacy enhancements over stock Android or the Google-flavor of Android, such as:
- Default privacy-oriented browser
- Verified/signed boot - specifically, an implementation that does not weaken the existing verified boot
- Better control (over regular Android) for managing app permissions and network activity
- Tracker/Ad blocking
Provide timely security updates
Update frequency matters for basic security and privacy - if your device is compromised as the result of running out-of-date software or firmware, then this obviously affects your privacy.
Naturally, some updates take precedence over others. Specifically, security updates, which typically patch zero-day vulnerabilities that could be used in attacker exploit campaigns, should be supplied promptly by the vendor (the maintainer of the mobile operating system). This is especially important for security updates released by upstream Android, as the vendor will need to prepare and package them for shipping to you, the end user.
Vulnerabilities are typically characterized as critical, high, medium, or low. Depending on a vulnerability’s severity - and any known exploits happening in the wild - patches for critical or high vulnerabilities should be released promptly.
Not be considered alpha/beta software or a ROM
Mobile operating systems listed here should be complete alternative operating systems. ROM projects tend to only introduce tweaks or minimal features and can be haphazardly maintained. Plenty of alpha/beta software never makes it to “production.”
It's important to understand that in today's landscape, smartphones simply aren't geared for privacy as much as they should be. This is a serious issue across the board of smartphones and most mainstream (iOS and Google Android) operating systems. Ultimately, it desperately requires addressing from a point above the consumer and even the developer level.
Additionally, while smartphones can be "hardened," doing more "advanced" tweaking can break some real core functionality and completely detract from the user experience. Modern smartphones are designed to provide high convenience to the end user - this convenience often comes at the compromise of user privacy, and in some cases, security.
Therefore, it's important to understand that glitches and hiccups will come with installing a different operating system on your mobile device(s) and that there will be an adjustment period on your end. Some level of technical expertise (or willingness to learn by carefully reading documentation) is required to 1) prepare a device for installation of an alternative mobile operating system and 2) properly install an alternative mobile operating system.
Generally, for the recommendations listed here, avoidthehack recommends:
- GrapheneOS for vastly enhanced security and privacy, with some sacrifices in convenience, for more modern Pixel devices
- DivestOS for older (but compatible) devices. Users should remember DivestOS is a fork of LineageOS and has potential for compatibility with a wide variety of devices
None of this information in this section is to definitively say that it's too “difficult” to adjust an alternative mobile operating system - but users should definitely be aware they are giving up some aspects of convenience and "simplicity" for far superior privacy and security. The extent of this tradeoff is dependent upon personal circumstances, preferences, and ultimately, a user’s threat model.
At the end of the day: be sure to pick an operating system that works for you. Again, users can harden Google’s flavor of Android if compatibility and convenience are priorities; however, there is a “ceiling” as to what can be hardened for security or tweaked for privacy on Google’s version of Android. Users should also be reminded that iOS is a viable option, despite its closed-source ecosystem.
In any case, the operating systems included on this list are all good picks and will go far in helping users protect and improve their online privacy.
So, with that said, stay safe out there!