Every phone ships with a remote. Pre-pointed, from the factory, at your data, your location, your habits and your wallet, held by people who paid for the access. It decides what the device records, who it reports to, what it gets up to while you sleep. You were given the handset. Someone else kept the remote, by design, and it was never going to change hands on its own. This guide is about taking it. Not throwing the phone away. Picking up the control that should have been yours from the first day.

I did not arrive here through theory. I arrived through a second-hand Pixel 5, about five years ago, bought to sit beside the iPhone I still carried everywhere. I had been reading Bazzell. Extreme Privacy. The kind of book that does not hand you a tip, it hands you a posture, and once you are holding the posture you cannot put it back down. Everything got slower. More deliberate. I started asking what each thing on the phone was actually for, and who it was for. The phone itself was the last question, and the hardest, because the phone is the one you sleep next to.

I flashed GrapheneOS onto that Pixel 5 expecting an experiment. Something to tinker with for a week and abandon. I never went back. The iPhone went quiet, then went into a drawer, then went away. The 5 became a 6, a 6a, a 7, an 8, a 9 Pro, and the OS came with me the whole way. The same posture, wearing newer hardware.

This is not the story of my phone. That one is coming, a field note, the specifics of how I run mine. This is the general case. The argument, and the practice, for anyone standing where I stood five years ago with a device in one hand and a quiet unease in the other.

So. GrapheneOS. What it is. Why a phone built by an advertising company is the right tool for leaving one. And what changes the morning you stop being the thing the phone watches, and start being the one who writes what it does.

the pixel paradox#

There is a sentence that stops a privacy conversation dead. To get off Google, buy a Google phone.

It sounds like a joke, or a trap. You spend years learning how the advertising machine works, you decide to walk away from it, and the first instruction is to go and buy a Pixel, Google’s own phone. People hear that and assume the advice is broken.

It is not broken. It rests on a distinction the industry works hard to blur. A phone is two things. There is the hardware, the metal and the silicon, and there is the operating system that runs on top of it. We are trained to feel them as one object. They are not. GrapheneOS keeps the first and deletes the second.

Here is the part that turns the paradox into the argument. Google builds the best security hardware in the consumer market. Not the best cameras, not the best screen. The best security. A dedicated security chip. Real hardware-backed key storage. Verified boot. And one thing almost no other Android maker allows. You can load your own signing keys and lock the bootloader again afterwards.

That last sentence is the whole game. Most phones let you unlock the bootloader and never properly lock it back down with keys you control. So you trade a sealed phone you do not own for an open phone anyone can tamper with. The Pixel lets you have both at once. Locked, and yours. Verified boot stops guarding Google’s OS and starts guarding an OS that answers to you.

So the hardware is hard because Google is paranoid. They built a watchtower because their model depends on no one else getting in. GrapheneOS takes the watchtower and changes whose hand is on the key. You do not smash the tool. You repurpose it. That is the posture of this whole blog compressed into a single device. Build the parallel thing out of the pieces in front of you. Do not spend your life fighting the machine on its own ground.

The honest cost is the dependency. For years this meant one vendor, the exact company you were leaving. That is starting to change. In March 2026 the GrapheneOS Foundation and Motorola announced a long-term partnership, with GrapheneOS-capable hardware aimed at Motorola’s 2027 flagships, possibly shipping with the OS already on it. Today’s Motorola phones do not qualify, they lack the memory tagging and the relock workflow the threat model needs, so this is a horizon, not a shop-today option. But it matters. The parallel road is widening past a single gate. The day a hardened phone ships ready to go is the day this stops being only for the people willing to flash one themselves.

not just degoogled#

There is more than one way off Google, and they are all real. CalyxOS. /e/OS. LineageOS. I will not pretend they are worthless, because they are not. If your problem is that Google is reading your life, any of them moves the needle.

But there are two different jobs here, and most of the field only does one.

Degoogling removes the watcher. It pulls out Google Play Services, the layer that phones home, and either leaves it out or swaps in a stand-in. The advertising company stops getting the feed. That is genuine, and for a lot of people it is enough.

Hardening is the other job, and it is the one almost nobody does. It does not ask who is watching. It asks how someone gets in, and it shrinks the answer. Less attack surface. Stronger memory handling, so a bug is harder to turn into a break-in. The bootloader locked again with your keys, so the boot chain still verifies itself. A degoogled phone with an unlocked bootloader has removed Google and left the front door open.

GrapheneOS is the one that does both. It strips Google and it hardens what is left. A hardened memory allocator. Exploit mitigations the stock system does not ship. Per-app network and sensor permissions, so an app can be denied the internet entirely, or the microphone, or the camera, one switch each. And the part that matters most, it does not need Google at all, but it will run Google when you want it.

That last point is where it pulls away from the others. Many alternatives lean on a reimplementation of Google’s services that still runs with system privileges, the old problem in a new coat. GrapheneOS runs the actual Google Play, but caged. An ordinary app in a sandbox, no special access, no keys to the rest of the phone. You get the apps that demand it, and Google gets a box with walls.

This is why I chose it, and why the spy in your life only got you halfway. That piece was about watching. The harder threat is not watching, it is intrusion, the actor who does not care about your ad profile and wants inside the device itself. Degoogling does nothing about him. Hardening is the only thing that raises his cost. There is a piece coming on exactly that, on the tools built to walk through phones. For now the point is narrow. Privacy and security are not the same fight, and GrapheneOS is the only common option that takes both seriously.

what you need#

Less than you would think.

A supported Pixel. GrapheneOS runs on the Pixel 6 and everything after it, up to the current generation. Anything older is off the list, it lacks the hardware the security model leans on. The rule for choosing is not speed and it is not the camera. It is the support window. Every Pixel has a date after which Google stops shipping security patches, and security patches are the entire reason you are here. So buy as new as the budget allows, and buy for the years of updates ahead of it, not the megapixels.

New or second-hand both work, and which you choose says something about how far you are taking this. Second-hand is cheaper, and bought with cash it is quieter to acquire. Either way you wipe and flash from clean, so you inherit none of the last owner’s software. New costs more, but it hands you a device with no prior history at all. And there is a step past that, a new phone kept off the cellular network from its first day, whose IMEI is therefore never given to a carrier and tied to a name. That is the far end of the question, and it is what the my-phone field note will get into. For most people, either road is fine. One trap to avoid on all of them. Stay away from carrier-locked models, the kind sold tied to a network on a payment plan. Some of them, certain US carrier variants in particular, ship with the bootloader locked shut and cannot be opened at all, which kills the whole process before it starts. Buy the unlocked, factory version.

A computer with the right browser. The official installer is a web page, run from a desktop or laptop with the phone plugged in. It needs a browser that can talk directly to USB, which in practice means a Chromium-based one. No command line required, though one exists for the people who want it.

A cable that carries data. This sounds too small to mention until it is the thing that wastes your afternoon. Plenty of USB-C cables only move power. Use one you know carries data, not just charge.

And a little time, and slightly more nerve than the task actually asks for. That is the whole list. A clean Pixel, the right browser, a real cable, an hour you will not be interrupted.

taking the keys#

The install is the easy part. That surprises people who expect a rite of passage.

There is an official installer, a web page, and it has become better than any walkthrough I could write and keep current. You open it in the browser, plug the phone in, and it talks you through. I am not going to reprint the steps here. They change, the page does not, and a copy of instructions is just a thing that goes stale and sends someone down the wrong path. Go to the source. Follow it once, slowly, and it works.

What I will do is name the one moment that matters, because it is the moment people are tempted to skip, and it is the whole point.

The process has three beats. You unlock the bootloader. You flash GrapheneOS through the browser. You lock the bootloader again. That last beat is where the phone changes hands.

When you unlock, the phone protests. Loud warnings on every boot, your device is not secure, your data is at risk. They are true. An unlocked bootloader means the boot chain trusts anything, so anyone holding the phone could slip something underneath the OS. This is where most custom-ROM journeys quietly end, unlocked forever, because most hardware cannot lock back down with keys the owner controls. The warnings just become wallpaper.

On a Pixel running GrapheneOS, you lock it again. And locking it does something specific. It tells verified boot to trust GrapheneOS, and only GrapheneOS, from now on. The phone that just warned you it was open boots clean and verified once more, but the thing it is now verifying answers to you, not to Google. The boot chain checks itself against keys that mean GrapheneOS and refuses anything that does not match.

That is the repossession. Unlocking is the phone laid open. Locking is you putting your own keys in the door and keeping the only copy. Ten seconds, the step the impatient skip, and it is the difference between a borrowed phone and one that is actually yours. Do not leave it unlocked. An unlocked phone is on loan to whoever picks it up next.

Then it boots. And the first thing you notice is what is missing. No demand for a Google account before the phone will work. No setup wizard turning your name and your contacts and your face into the price of entry. It just comes up, quiet, waiting for instructions. Yours.

the controls#

You picked it up. Here is what is on it.

None of this is mandatory. GrapheneOS boots usable out of the box, and you could run it for years touching almost nothing. These are capabilities, switches that sit there waiting. The point of knowing them is knowing what you are choosing every time you leave one alone.

Start with profiles. One phone can hold several, each walled off from the rest, each with its own encryption, its own apps, its own life. A work profile that knows nothing about your personal one. A profile for a single sensitive task that you open, use, and end, dropping its data back into a sealed state. Nothing in one profile can see or reach into another. This is compartmentalisation, the same instinct that keeps identities on separate tiers, made physical in something you can hold. Why bother. Because the damage from a bad app, a leak, a phone taken from you, stops at the wall of the profile it happened in, instead of spreading across your whole life at once.

Profiles are the heavy isolation. There is a lighter sibling now, Private Space, a sealed area that lives inside a profile rather than beside it. Think of it as a locked room in the house you are already standing in. Its own encryption, its own lock, and it can vanish from the app drawer when closed. You keep your riskiest or most sensitive apps in there, the ones you want present but not loose. The trade is in the name. While it is locked the apps inside are not running, so no notifications and nothing working in the background until you open the room again. It suits the things you reach for deliberately, not the app you need pinging you all day. Profiles for separate lives. Private Space for a guarded corner of one.

Then the question of Google’s apps. Some things you need will not run without Google’s services, a bank, a transit card, a ticket. GrapheneOS lets you install the real Google Play, but in a sandbox, an ordinary app with no power over the rest of the phone. Keep it in one profile and leave another free of it entirely. The app gets what it wants. Google gets a sealed room. You decide, per profile, whether that room exists at all.

The switch I reach for most is the network one. GrapheneOS lets you turn the internet off for any app, completely, at the level of the OS rather than some setting the app is free to ignore. Ask how many things on a phone actually need to reach the outside world to do their job. A calculator does not. A notes app does not. A scanner does not. Cut the line and the app still works and can no longer phone anything home, because there is no line out. Android never gave you that, and once you have it the old way looks absurd.

There is a sensors switch too, apart from the camera and microphone you already know. A phone carries a drawer of other sensors, the parts that feel motion and orientation and pressure, and apps read them freely, which is enough to fingerprint and follow a device without anything as loud as location. GrapheneOS lets you shut that drawer per app. Most things have no honest reason to feel your phone move.

And when an app demands the whole house, your entire contact list, every file on the device, you are not stuck choosing between handing it everything and not using it at all. Scopes let you give it a curated view, or an empty one. The app believes it has access. It sees only what you chose to show it. Yes, and nothing, on your terms.

The last group is for the moment the phone is out of your hand. It can reboot itself back to a fully sealed state after sitting untouched for a while, so a lost or seized phone is far harder to open than one resting on a lock screen. It can refuse data over the USB port while locked, closing the door on the cable that is quietly a computer. None of this asks for your attention day to day. It just narrows the window when the window is no longer yours to watch.

How these get wired together in a real setup, which profiles, which spaces, which switches thrown and which left alone, and the trade-offs that only surface once you live with them, is the subject of the my-phone field note. It takes this panel and shows it in use, mine, in far more depth and well past this list.

Every switch here moves protection one way. Which is exactly the moment to be honest about the other way, because the same hand that throws these switches can throw them all back.

the quiet#

There is a change you will feel before you can name it. The phone stops interrupting you.

Most of what makes a modern phone loud runs through Google. The push service that wakes an app to buzz your pocket lives inside Google’s services, and it is the same pipe that carries the marketing, the re-engagement nudges, the look-at-me of a hundred apps fighting for your next minute. GrapheneOS ships without Google’s services unless you deliberately add them back in a sandbox. So most of that pipe is simply not there. The apps that used to shout now wait until you open them. The phone goes quiet, not because you fought it into silence one app at a time, but because the machinery that made it shout was never installed.

This is the other half of the spy in your life, the half about attention rather than data. A device that is not constantly tugging at you is a device you can actually put down. The compulsion was never wholly yours. A good part of it was engineered, and a good part of that engineering needed Google in the loop to run.

There is a cost on the same coin, and it is honest to name it before you flash, not after. A few apps lean on that same Google plumbing, and a very few will refuse to run at all. The mechanism is the Play Integrity API. It is how an app asks Google whether the phone underneath it is a blessed, certified, unmodified Android. A de-googled phone cannot answer yes, because not being that was the entire point. Most apps never ask. Of the ones that do, sandboxed Google Play satisfies a lot of them. But a stubborn handful, a particular banking app, the odd game, something wired to streaming DRM, will go looking for Google’s blessing, fail to find it, and close the door. Not many. Few enough to count on a hand. Often there is another way in, the website instead of the app, a different provider. And sometimes the honest answer is that an app demanding to verify your obedience before it will run is an app you are better off without.

Everything in the last two sections is a ceiling. None of it is a floor. The floor is you.

A hardened phone is still a phone you operate, and the person operating it is the one part that never gets a security patch. You can undo any of it without noticing. Sign into a profile you meant to keep clean with an account that carries your name, and the wall is gone. Tap through a permission prompt because it was the third one that morning and you were tired, and the line you could have cut stays open. Pile every part of your life into a single compartment, and the compartments were theatre. Carry it everywhere with every radio awake, and the OS cannot hide you from a network that is watching the radios, not the apps.

The tool answers the questions it was built for. It cannot answer the ones you stop asking. It will hand a curated view to an app, but only if you set the scope. It will keep your work life and your private life apart, but only if you keep them apart and do not text the same person from both. It will give you a phone with no name welded to it, right up until you log in as yourself and weld one on.

This is not a reason to be afraid of the thing. It is the opposite. Fear wants a product that saves you so you never have to think again, and that product does not exist, in phones or anywhere else. What exists is a tool good enough to be worth the discipline of using it well. The hardening raises how high you can climb. Your habits decide how far you can fall. The gap between the two is the only place your privacy actually lives.

So it is not a shield. It is a pen. You write what the phone does, which means you own what you write. Sovereignty was never a thing you buy and switch on. It is a thing you keep doing, quietly, on the ordinary days when no one is watching and it would be easier not to.

the morning after#

The phone does not stop being the first thing in reach just because the OS changed.

The tool does not change that on its own. I do not keep mine in the room I sleep in anymore, and that was not GrapheneOS, that was me. The OS made the phone safe to put down. Putting it down was the part only I could do. That is the shape of the whole thing in a single habit. The right tool clears the ground. The life you build on the cleared ground is still yours to build.

Be honest about what none of this buys you. You are not a ghost. Carry a live radio and the tower down the road still knows a phone is near it. The people you love still text you from phones that watch them, and you cannot flash the whole world. GrapheneOS did not lift you out of the net. That was never the offer, and anyone selling you that is selling the same fantasy in a different jacket.

Here is what it did. It changed who the phone answers to. Every switch you threw was a sentence in your own hand. The device stopped being a thing that happens to you and became a thing you do, and that is the entire distance between the spy in your life and this one. The first named the instrument. This one put it back in your hand, the right way round. Not a spy anymore. A tool. Which is all it ever should have been.

So use it less, now that less is finally a choice and not a fight. The machine that needed your every waking minute is quieter, and the minutes it stops taking are simply yours again. Spend them or do not. That is the point. The decision came home.

Sun before screen. Easier still when the screen is not even in the room.

You picked it up. Good. Now you get to decide when to put it down.