Building a Private Smartphone Stack With GrapheneOS

by Chez  (chez.village494@passmail.net)

Towards the end of last year, I made the decision to aggressively "DeGoogle" - painfully migrating my digital life to the fruity lesser evil, as well as some self-hosted services running on my home network.

One side effect of this exercise was that I had a sizable inventory of devices from "The Big G" I no longer had any desire to use.  I'd heard somewhere that one of the devices in my collection - the Google Pixel 6a - is a great handset for running GrapheneOS: an open-source, security-hardened, privacy-first mobile operating system based on the Android Open-Source Project (AOSP).

The following is a guide to show how, using GrapheneOS, I built a secure, anonymous, performant smartphone complete with everything you might want in a daily driver.

Parts List

• A Windows, Mac, or Linux computer.


• An officially supported device (grapheneos.org/faq#supported-devices)


• External USB-C storage.


• An anonymous debit card.  In my country, these can be bought in cash and without providing ID in any post office.  They're intended as gifts but serve our purpose perfectly.  U.S. users might wish to use a reverse ATM like those discussed in "Take Me Out to the Reverse ATM" from the Spring 2025 edition.


• Crypto or cash (optional).

On Your Computer

1.)  Sign up for a new Proton account.  In order to not trigger Proton's Automated Abuse Detection, you'll need to either add a recovery email or upgrade to a paid account.  Proton accepts crypto and even physical cash by mail for payment.  While the free tier works fine, you're going to have a better experience - including much faster VPN speeds - if you pay for unlimited.

2.)  Use your computer to download Proton Mail (github.com/ProtonMail/android-mail/releases) and Proton VPN (github.com/ProtonVPN/android-app/releases) onto the external USB storage.

3.)  Follow the CLI install guide (grapheneos.org/install/cli#cli-install) to install GrapheneOS on your phone.  (The GrapheneOS installation process is far beyond the scope of this article; it's not particularly challenging, but there are lots of steps.  Furthermore, GrapheneOS has heaps of great capabilities and features which we don't have the space to get into now - but that you should definitely look into.)

On Your Phone

4.)  Complete Welcome to GrapheneOS setup wizard.

5.)  Connect the external USB drive to your phone and install both Proton apps by opening the APK files via the Files app.

6.)  Log into Proton VPN and establish a VPN connection.

7.)  Go to Settings -> Network & Internet -> VPN -> Proton VPN -> Enable Always-on VPN and Block connections without VPN.  (To prevent network traffic leaks during initial setup, consider connecting to a Wi-Fi network that is already behind a VPN (e.g., a router configured to use a VPN).  This way, even before enabling Always-on VPN, your traffic remains encrypted.)

8.)  GrapheneOS doesn't come with an app store preinstalled, but you can download F-Droid via the Vanadium browser.  From there, install it and then use it to find Aurora Store, an unofficial Google Play client.

9.)  Install Aurora Store in Anonymous Mode.  Do not sign in with a Google account - there's no need.

10.)  Sign into Proton Mail and create an alias for our eSIM provider: Airalo.  This will be used for sign-up instead of your primary Proton address.

11.)  Find Airalo on Aurora Store and install it.

12.)  Register with Airalo using the alias and purchase an eSIM using your anonymous debit card.

13.)  Once installed and configured correctly, you should have VPN'd anonymous cellular Internet access.  You will not, however, have a phone number.

14.)  For messaging, I'd recommend a third-party Signal client called Molly.  This is free and open-source and has some great features.  Most significantly, Molly allows linking to an existing Signal account - even if it's already in use on another phone.  This helps bypass Signal's one-device limitation without needing a new phone number.

15.)  The remainder of apps can be installed via F-Droid or Aurora Store.  Here are my recommendations - all of which are disentangled from Google and their Google Services Framework (GSF).

• Browser & Search:  Vanadium (comes with GrapheneOS), but I personally prefer DuckDuckGo.


• LLM:  Duck.ai, integrated into the DuckDuckGo browser, allows anonymous access to AI models such as ChatGPT, LLaMA, Claude, and Mistral.


• Cloud Storage:  Proton Drive


• Password Manager:  Proton Pass


• Crypto Wallet:  Proton Wallet


• Podcasts:  Pocket Casts


• YouTube:  NewPipe - anonymous access and "premium" features.


• Music:  Musicolet


• Video:  VLC


• Maps:  Organic Maps - not perfect, but the best option I've found.


• Social:  Discord - good for getting support from the GrapheneOS community.


• BitTorrent:  LibreTorrent

Be sure to create a new Proton Mail alias for anything that requires an email and password.  While this started out as a technical exercise - an experiment in building something private and functional with the tools I had lying around - I've become really invested in the process.  Seeing how well it actually works has honestly blown me away, and I'm seriously considering making it my main device!

Shame on (((Google))) for forcing us down this path - but huge respect and immense gratitude to the open-source developers and communities who work so hard to make alternative options available to the privacy minded among us.