I’ve said it before, and I’ll say it again: our smartphones are incredible tools—but they’re also spyware magnets. Our smartphones constantly track us through apps, built-in radios, sensors, and the operating systems themselves. We carry these devices everywhere, giving them access to our location, cameras, microphones, and personal conversations. If privacy matters to you, it’s essential to plug these leaks.
Here’s the good news: you don’t have to ditch your smartphone to protect yourself. One of the biggest impacts I’ve made to transform my privacy is installing GrapheneOS on my phone.
What is GrapheneOS?
GrapheneOS is a mobile operating system designed specifically to protect your privacy and security. Unlike Android and iOS, it doesn’t share your data with Google or Apple. It’s currently the gold standard for privacy-conscious smartphone users.
7 steps to secure your phone with GrapheneOS
Step 1: Pick the right hardware
GrapheneOS is available exclusively on Pixel phones and tablets because Pixel meets Graphene’s strict security standards—especially the ability to relock the bootloader after installation. This prevents unauthorized OS modifications.
To choose the right Pixel, there are 2 websites I recommend:
- grapheneos.org lists currently supported models.
- endoflife.date/Pixel shows how long each model will receive security updates.
Always pick a device that will get security updates for as long as possible.
Step 2: Purchase smart
Be extremely careful not to purchase a “variant device”, a modified Pixel typically tied to carrier contracts. These devices often have their bootloaders permanently locked—meaning you can’t unlock the bootloader to install GrapheneOS. Even if the carrier plan expires or the phone is later listed as “unlocked,” this restriction usually remains permanent.
To avoid issues:
- Don’t buy Pixels bundled with carrier plans.
- If buying refurbished or second-hand, explicitly confirm with the seller that the “OEM unlock” feature is enabled. (Note: “Carrier unlocked” and “OEM unlocked” are not the same thing.)
A locked bootloader makes installing GrapheneOS impossible, so verifying this before purchase is critical.
The most private way to buy your Pixel phone is in-store, using cash. Electronics retailers like Best Buy in the U.S. usually carry Pixel phones. Cash helps you maintain anonymity, since credit card purchases link your personal information directly to your device’s unique identifiers.
Step 3: Installing GrapheneOS
The installation may look daunting, but I’ve done it dozens of times—it’s quick, straightforward, and has an amazing web interface that makes it super simple:
We have a step-by-step tutorial you can follow along in our latest video:
The whole process usually takes under 20 minutes.
Step 4: Set up your phone
Here are some things I do when setting up my phone. These are just my preferences, so if you have a different setup, let others know in the comments!
- In “Exploit Protections,” set your device to auto-reboot after 12 hours if not unlocked. This clears RAM (short-term memory), protecting encryption keys from theft.
- Leave USB-C settings on “charging only when locked” to prevent unauthorized data access via USB.
- Enable automatic shutdown of Wi-Fi and Bluetooth after 5 minutes of inactivity. This reduces location tracking.
Step 5: Install app stores
You don’t have to rely on the Google Play Store to get apps on your phone. Here are four alternative app stores I use:
- GrapheneOS built-in app store
- Comes pre-installed on your Graphene device (just search “App Store”).
- Includes essential default apps and optional sandboxed Google Play Services, if needed.
- Accrescent
- Comes from the GrapheneOS community and offers privacy-focused apps.
- Install via the built-in GrapheneOS app store.
- F-Droid
- Provides free, open-source apps built directly from publicly available source code.
- Installing apps through F-Droid simplifies managing updates compared to manually downloading individual APK files (but be aware that updates may be released more slowly through F-Droid due to its review and build process).
- Install F-Droid directly from f-droid.org.
- Aurora Store
- A privacy-friendly front-end for the Google Play Store, allowing you to download apps without linking them to a Google account.
- Install Aurora via the F-Droid store.
Privacy Tip: Keep your installed apps to a minimum—the fewer apps, the smaller your digital footprint and the fewer vulnerabilities you’ll face.
Step 6: Use profiles to secure your apps
Apps installed within the same profile can detect each other and potentially communicate without you realizing. To prevent this, GrapheneOS lets you separate your apps into secondary profiles, each isolated from one another.
Why use secondary profiles?
- Individual Security: Each profile has its own PIN and encryption key, significantly enhancing security.
- Clearing Sensitive Data: Profiles can automatically reboot when you exit, wiping RAM and protecting sensitive data, like your 2FA or financial apps, from unauthorized access.
However, managing multiple profiles can add complexity, especially if you’re new to Graphene. Starting with a single profile is simpler, and many users prefer this initially.
How I set up my profiles:
- Owner Profile: Minimal essentials (browser, VPN, app stores).
- Daily Driver: Everyday apps (Signal, email, maps).
- Sensitive Apps: Apps I keep offline unless needed (2FA, financial apps).
- Invasive Apps: Less-private or rarely-used apps (Spotify, social media).
- Google Play Services: Apps requiring Google’s services.
- Sandbox Profile: Testing or higher-risk apps.
I recommend beginning with a single profile and gradually adding others as you find new use cases.
Setting up a secondary profile:
- Go to Settings > System > Users, and tap Add user.
- For sensitive profiles, toggle off “Run in background” to enhance security.
Step 7: What about Google Play services?
You might be wondering: this article is called “DE-GOOGLE your phone”, so why even consider adding Google services back in?
Unfortunately, some popular apps won’t function unless Google Play Services is installed. Usually, Google Play Services is incredibly invasive, collecting large amounts of data with elevated system-level permissions. But here’s where GrapheneOS shines: it offers Sandboxed Google Play Services, which treats Google Play like any other app—restricted and isolated, without special privileges or deep system access.
If you must use apps that rely on Google Play, you can install this sandboxed version without compromising the privacy and security of your entire phone. For even more control, isolate Google Play Services within a secondary profile to prevent it from interacting with or detecting other apps across profiles.
This way, you get the functionality you need without letting Google take over your device.
Taking control of your digital privacy
Hopefully, this gives you a thorough idea of what your new GrapheneOS phone can do. Privacy doesn’t mean losing smartphone convenience; it means regaining control over your digital life.
GrapheneOS feels familiar to Android users, but without bloatware and surveillance. It’s proof that enjoying technology doesn’t require sacrificing privacy—it’s about making informed choices and using tools that protect rather than exploit you.
We have many more privacy resources available. Explore our playlist covering privacy-friendly apps, alternatives, and practical privacy strategies
Your smartphone doesn’t have to be a surveillance tool. With GrapheneOS, you’ve already taken a huge step toward protecting your data.
