This week, I successfully installed GrapheneOS on a brand new Pixel 3a: I now have a phone run entirely with an open-source operating system. Open source means the software that runs the phone is available for anyone to inspect, improve, and repair. By extension, because the code is always open to scrutiny, and because improvements can be implemented and proposed by anyone, security vulnerabilities are more likely to be discovered and squashed in a timely fashion. This means that exploitation by a hacker is far less likely—for example, a hacker gaining control of the phone's camera, microphone, virtual keyboard, or network stack.
Additionally, open source means improved security simply by removing tools that corporations use for data collection. Tools that a hacker undoubtedly knows how to use far better than you do.
My end goal upon completion of this process was a working and reliable device that could serve as my primary cell phone. Therefore, I first needed to find a quality implementation guide, and then I needed to settle on a well-understood, well-tested phone. In this process, I discovered GrapheneOS—essentially the Android operating system with all the proprietary Google bits removed. GrapheneOS currently supports Pixel 3 phones, which narrowed the selection. (Pixel 2 phones are also supported, and an experimental version of GrapheneOS exists for Pixel 4.) I settled on a Pixel 3a to minimize complications. It also had to be unlocked, as some wireless carriers lock down their phones so that they can't be used with other companies or operating systems.
A modern smartphone is far more than just the operating system, of course. Apps for a GrapheneOS phone can be obtained through the F-Droid catalog. All apps in the F-Droid catalog are open source. From F-Droid one can install the Aurora Store. Ironically, the Aurora Store is an application that serves to enable browsing and installation from the Google Play store. Fair warning: it is unclear whether this application violates Google's Terms of Service.
It is also important to know what to expect before installing GrapheneOS. A phone running nothing but open-source software won't necessarily be able to solve every problem. Since GrapheneOS does not include any Google services, apps that normally rely on those services might not work correctly or not work at all. For example, Signal messenger normally requires Google push notifications. As a workaround, Signal on GrapheneOS employs a non-Google background notification service.
I found the GrapheneOS for Pixel 3a installation guide provided by Tales from the Crypt to be quite good. The only hiccup I ran into was verification of the digital signature for the downloaded GrapheneOS package. Note, verifying the signature is optional but strongly recommended. Verifying the signature is the best way to check whether you have the version of the software intended and that it was not tampered with.
The result is a working phone that I'm very happy with that is run by nothing but open-source software. I installed my existing Verizon SIM card and the phone worked right away. As time goes on, I'm sure I'll learn more about what works and what doesn't, but allow me to provide some initial impressions.
So far, I've identified two apps that don't work on this phone:
Bloomberg: Market & Financial News
Some apps and services actually seem to perform better:
Spotify seems to perform at least as well as I expect.
Sonos works much better than I remember.
My Bluetooth earbuds work very well.
The hot spot works very well.
Note, the better performance could be explained by the fact that this phone is much newer than my old phone.
A core strength of the GrapheneOS platform is the F-Droid ecosystem. As mentioned earlier, F-Droid is a catalog of open-source software that makes software installation and management simple. The catalog is installed by browsing to the F-Droid website, downloading the catalog application, and installing it on your phone. This bootstrapping process was not difficult. Once you have the F-Droid catalog installed, installation of available applications is as easy as using the Google Play store on a typical Android phone.
Some of the applications I installed included andOTP to replace Google Authenticator, OpenKeychain for PGP key management (nice to see an encryption application so prominent), and calculatorpp, which has all the calculator functions I need. I also installed a terminal emulator and through that installed Python, the programming language interpreter. I installed SSH and then remotely explored (from the phone) some of my running computers. I'm sure I could do this with a stock Android phone, but I have never considered them secure enough.
GrapheneOS requires some technical effort to install and therefore is not for everyone, but so far I'm quite happy with it. I have no doubt I'll use a closed-source device from time to time, but who knows, GrapheneOS (and the robust communities surrounding it and the F-Droid ecosystem) encourages the notion that an open-source alternative will always be available and improving well into the future.
Now excuse me while I compare Open Street Maps Automated Navigation Directions to Google Maps.