Make Your Phone More Private

00:00

We want to help you with your phone privacy. In  a world more connected than ever, our smartphones  

00:06

have become the ultimate tracking devices. They see our every movement, conversation,  

00:11

and click. They go with us everywhere  we go, capture our memories, and often  

00:16

sit next to our bed as we sleep. But it is possible to better protect this  

00:21

data on our phones, and the operating system  that you use makes a huge difference.  

00:27

Most people use phones powered  by either iOS or Android.  

00:31

But Apple and Google gather a staggering  amount of information from these operating  

00:36

systems. Telemetry data revealing our  interactions with the device. Precise  

00:40

location details. This data gives them a  scary amount of insight into our lives.  

00:46

So if you’re privacy conscious like  me, you’ve probably switched to an  

00:49

alternative operating system that prioritizes  privacy. I personally use GrapheneOS.  

00:56

It's an open-source, privacy-focused mobile  OS with enhanced security features.  

01:01

It isolates apps to limit their invasiveness, and  it offers clear settings for selectively disabling  

01:06

things like internet connectivity for specific  services. It's a great choice for those who want  

01:11

to reclaim their digital privacy. We have a tutorial that explains how  

01:15

to install it on your device if  you want to take the plunge.  

01:18

In this video we're going to dive into more DETAIL  about what makes Graphene great for privacy.  

01:24

There’ll be tips on how to get started, like what  you need to know before you even buy your phone,  

01:29

then we’ll walk you through how to  optimize your settings to really  

01:32

get the most from your new device. Just to be clear, whether you customize  

01:36

your settings or not, you're already doing a huge  amount for your privacy just by making the switch  

01:42

to Graphene. So you should feel awesome about  that. And if you haven't yet taken the plunge,  

01:47

this video will give you a glimpse of some of the  cool features that await you when you do.  

01:52

So to understand how to make your digital  footprint as small as possible, Let’s start with  

01:57

purchasing your device in the first place. GrapheneOS is only compatible with Pixel devices,  

02:02

and this may seem like a contradiction for some  people: How can I have a secure and private  

02:08

device if I’m using Google hardware! There are some great reasons why GrapheneOS  

02:13

has chosen to focus on supporting Pixel  devices. Pixels have many features that  

02:18

just aren’t available on other phone models. First they come with a robust hardware security  

02:24

infrastructure, such as the Titan M2 security  chip and the Tensor security core.  

02:29

These are key hardware features for ensuring  strong file encryption on your device,  

02:34

and providing solid protection against  unauthorized access if someone has the  

02:38

device in their physical possession. We’ll explain more about this a little later.  

02:43

Second, Pixels allow you to run alternate  operating systems, with user controlled  

02:48

signing keys, whilst preserving all  hardware security features, such as  

02:54

It sounds super confusing, but essentially  what this means is that with Pixels,  

02:59

users can replace or modify the operating system  without breaking the device's ability to verify  

03:05

the integrity of the software at boot time. It is possible to install alternate operating  

03:10

systems on a variety of Android devices, but it's  usually done in an insecure way or by crippling  

03:16

security features. Pixels are different, in that  they officially support this functionality and  

03:22

allow you to maintain the device's full  security features when doing so.  

03:26

Google also provides long-term  security support for Pixel devices,  

03:30

meaning regular security updates that last  for many years, up to 7 years on the Pixel  

03:35

8! This is a longer support period than any  other manufacturer of Android devices.  

03:40

And finally, one other cool  feature that Pixel 8 added is  

03:44

hardware support for memory tagging. Memory tagging is a security feature that  

03:48

helps protect a system against certain types of  memory corruption vulnerabilities, such as double  

03:53

free and use-after-free bugs. Again, it sounds confusing,  

03:57

but basically it's a feature that will  drastically improve the security of your  

04:01

device against targeted attacks, and GrapheneOS  is taking full advantage of this feature.  

04:07

So if you decide to install GrapheneOS,  which Pixel device should you choose? Well,  

04:13

probably the latest model of Pixel  within your budget constraints – right  

04:17

now the latest model is the Pixel 8. This will give you the longest support for  

04:21

security updates, which is important because  you don't want to keep using hardware that's no  

04:26

longer getting security updates. Next, you’ll be tempted to buy a phone  

04:30

that is cheaper because it’s been  tied to a carrier contract.  

04:33

Stop, there are super important things  you need to know about this first!  

04:37

If you're buying your device while signing  a contract with a carrier, you'll likely  

04:41

be sold a 'carrier-locked' device. These are restricted to a specific cell network,  

04:47

binding the user to a carrier contract. But they're often not just carrier-locked.  

04:52

Sometimes they're what's called "variant  devices" that are also “bootloader-locked”.  

04:57

Carriers like Verizon are notorious for this:  on their variant devices, the OEM unlock option  

05:03

has been disabled, and there's nothing  you can do to get it enabled again.  

05:08

OEM unlock is what allows you to unlock the  bootloader, so that you can install a custom  

05:13

operating system on the device. If this is  grayed out, it means you won't be able to  

05:18

install GrapheneOS on your phone. The reason some carriers disable this  

05:22

option is to ensure that the software  on the device remains unchanged,  

05:26

and to enforce the terms of the contract  or installment plans associated with the  

05:31

device. But the real problem with these variant  devices is that, if that phone was initially a  

05:38

carrier-locked variant, it will stay a variant,  and that OEM unlock feature still won't work,  

05:44

even if the carrier contract has expired,  and even if it's been refurbished.  

05:49

So you have to be really careful what  kind of device you purchase.  

05:53

Our tips: Don’t purchase  

05:55

a phone in conjunction with a carrier plan, you  must ensure that it's not a variant device, and  

06:00

make sure that OEM unlock is enabled on it. Second, be careful of refurbished devices.  

06:06

You may not know whether it's actually a  variant device that was originally locked into  

06:11

a phone carrier contract. So before purchasing a  refurbished phone, make sure you ask the seller  

06:17

whether OEM unlock is grayed out or not. Final tip for purchasing a device: We recommend  

06:22

buying your Pixel in person from a physical  store using cash. It’s more private than  

06:28

purchasing online with a credit card in your  name and a delivery to your home address.  

06:32

Next is your carrier – If you want to be able  to use your phone to make calls and access the  

06:37

internet anywhere you go, you’ll need a sim card.  Ideally you should purchase a prepaid sim card  

06:43

with cash without tying it to your identity.  In the US in most states this is very easy,  

06:49

but if you’re somewhere else in the world this  may be more difficult. Michael Bazzel’s book  

06:53

“extreme Privacy for Mobile Devices” has some  good solutions for international people.  

06:58

Personally I prefer not to have a SIM in my phone  at all, and in an upcoming video in our phone  

07:04

privacy series, I explain why, and whether or not  this is the right choice for most people.  

07:09

Now let’s think about mobile accessories: A physical case is great just for protecting  

07:13

your device in general. And to protect your privacy  

07:16

I highly recommend a privacy screen: If you think the personal information on  

07:21

your phone is safe because it's locked  with a passcode, it's not. Bad guys can  

07:25

look over your shoulder, memorize your  passcode and then snatch your phone  

07:29

If you’ve ever sat in an auditorium or on a  plane or next to someone in a queue, you’ll know  

07:35

that you can see everything that person types on  their phone, even from a long distance away.  

07:40

A privacy screen makes it far more difficult  for someone to see what’s on your phone and is  

07:45

essential for a privacy-conscious person. Now let’s dive into ways you can optimize your  

07:50

phone settings once you have  GrapheneOS installed.  

07:53

While graphene defaults are already really  awesome, there are further steps you can take  

07:57

to lock down your device even more. For example you can make sure that your  

08:01

device doesn’t connect with 2g networks. Under settings, Go to Network & internet, select  

08:07

SIMs, select your SIM, and scroll to the bottom  where it says “Allow 2G”. Toggle that off.  

08:13

Organizations like EFF have been sounding  the alarm against the security and privacy  

08:17

problems of 2G for years, so let’s talk about why  this is an important setting to disable.  

08:23

First, 2G networks use a weak encryption  standard that’s easier to crack.  

08:27

Obviously your cell provider can access your phone  calls and messages regardless of which network  

08:32

you’re using, but when you use 2g your mobile  phone calls and text messages can potentially be  

08:38

intercepted and decoded by 3rd parties in-between  your phone and the cell tower too.  

08:44

Also, in 2G, only the mobile device is  authenticated by the network, but not vice versa.  

08:50

This makes it easier to set up rogue base stations  known as "IMSI catchers" or "Stingrays" that  

08:55

pretend to be legitimate cell towers. Devices then  connect to these fake towers, allowing attackers  

09:01

to intercept and monitor communications. Even if you have more secure 3g or 4g networks  

09:07

available on your phone, attackers can  force a device to "downgrade" and use  

09:11

the less secure 2G network, and then  intercept your communications.  

09:15

So you should disable 2g. Now let's look at airplane mode.  

09:19

It can be really helpful for privacy to put  your phone into airplane mode whenever you  

09:23

are not using it, but be aware that you  won’t be able to receive calls through  

09:27

your regular cell network if you do this. The reason it’s good for privacy is because your  

09:31

phone is constantly communicating  with nearby cell towers.  

09:35

Cell providers are able to use this  communication to monitor your real-time location,  

09:40

and they actually have a long history  of selling this location data.  

09:44

Airplane mode is the only setting that stops  your phone constantly pinging cell towers.  

09:48

It’s worth noting that your phone is actually  pinging cell towers whether you have a SIM in  

09:53

your phone or not, performing all kinds  of functions. One of them is something  

09:57

called “time sync”, where phones connect to  cell towers to retrieve accurate time data,  

10:03

synchronizing with the network's time. Network time can actually be disabled:  

10:08

Go to Settings  

10:09

System Date & time  

10:11

and then un-enable ”Set time automatically” On AOSP or the stock OS of other android devices,  

10:17

your phone will keep making these network  connections, even after disabling this  

10:22

setting --your phone just stops setting  time based on these connections.  

10:26

But when you un-enable "set time  automatically" on GrapheneOS,  

10:30

your phone actually stops making these  network time connections entirely.  

10:35

Putting your phone in airplane mode  ALSO stops your phone connecting  

10:38

to cell towers for time sync. So airplane mode is a great privacy  

10:42

tool regardless of whether there's a SIM in your  phone, and we’ll dive further into this in an  

10:47

upcoming video in this series. Now let’s look at DNS settings  

10:50

on your GrapheneOS device. DNS stands for Domain Name System,  

10:55

and it’s how your device translates human  readable URLs into IP addresses that your  

11:00

device can understand. It can be a big privacy leak,  

11:03

because by default your cell provider  probably handles these DNS requests for you,  

11:08

so they see which websites you visit, and they are  also notorious for selling your private data.  

11:14

There are different ways to address this. You can install a VPN app on the device,  

11:18

and your VPN provider will usually handle  your DNS requests for you, as well as encrypt  

11:23

the traffic out of your device so that it  can’t be seen by your cell provider.  

11:27

Or you can change your DNS settings via the  "private dns" feature, so that your cell provider  

11:32

is no longer in charge of those requests. Be aware though that you'll have issues if  

11:37

you do BOTH these things: private DNS will  override the DNS settings of the VPN app.  

11:44

Basically enabling Private DNS makes your phone  stop using network DNS and replaces it with the  

11:50

Private DNS server. When you use a VPN, the  VPN DNS is your network DNS for everything  

11:57

other than connectivity checks. And so enabling private DNS AND using  

12:02

a VPN can actually make you stand out more,  because someone using quad9 DNS on a Mullvad  

12:08

IP address for example will be somewhat  unique. This makes you more trackable.  

12:13

Just using a VPN is generally a good  choice, and Mullvad and ProtonVPN  

12:18

are both highly regarded options. You would  just download the VPN app to set it up.  

12:23

If you do decide to switch out your DNS provider  instead, quad9 is a good choice for private DNS.  

12:29

They're a non-profit DNS resolver that blocks  malicious sites, and they also help prevent your  

12:34

ISP or cell provider from spying on your online  activities by encrypting requests as it travels  

12:40

from your device to Quad9. To set this up  

12:42

Go to Settings Network & internet  

12:45

Scroll Down Select "Private DNS"  

12:47

*Select "Private DNS provider hostname" then enter "dns.quad9.net"  

12:53

Now let’s look at how to set default apps If you go to settings  

12:56

Apps And select “default apps”  

12:58

you can set your favorite default apps there.  For example you might set Brave as your default  

13:04

browser, if that’s an app that you like. Vanadium is also a great choice for a browser,  

13:08

which is already your default. Then there’s notifications.  

13:11

under settings and Notifications,  

13:13

you can choose whether you want  notifications to appear on the lock screen.  

13:17

I select “don’t show any notifications” because I  don’t want people to be able to get ANY data about  

13:22

my phone activities when it’s locked. now  

13:25

Under settings, display, and lock screen, you  can disable “wake screen for notifications”. This  

13:31

prevents unintended exposure of notifications  by keeping the screen dark instead of turning  

13:36

on each time you get a notification. Screen timeouts is another setting you might  

13:40

want to tweak: Under settings  

13:42

and Display You'll see screen  

13:44

timeout. It’s a good practice to keep your  phone locked as soon as you have a period  

13:48

of inactivity. We recommend selecting 1 minute,  and this also aids in battery conservation.  

13:54

If you have a privacy screen on your device you  might want to consider tweaking some settings  

13:58

for the touch screen: Under settings,  

14:00

and display There’s an  

14:01

option to Increase touch sensitivity: This can be a helpful setting to turn on,  

14:05

to ensure accurate touch response despite  the additional privacy screen layer.  

14:10

Now let’s look at auto reboot. Rebooting your device is a valuable  

14:14

defense against attackers with physical access  to the device as it puts your device into a  

14:19

state known as “at rest”, where encryption  keys and memory are cleared out.  

14:24

While data in storage is always encrypted, as soon  as you log in to a profile after it's rebooted,  

14:30

ie put in your pin and unlock the device, the  encryption key becomes available to the device.  

14:36

So as long as the phone has been logged into at  least once since the last time it was rebooted,  

14:42

if a malicious actor has the device in  their possession, they could get access  

14:46

to your data even if the screen is locked. On Graphene, you can set your phone to auto-reboot  

14:52

if the device hasn't been unlocked within a  specified period. This reboot will frequently  

14:58

take your device back to the initial state where  no profiles are logged in, and so no one can get  

15:03

access to data within profiles if they manage  to get hold of your device. In this state,  

15:08

the Titan M2 chip will also prevent brute forcing  of the device passcode, so your data will remain  

15:15

secure until you unlock the phone. By default, GrapheneOS sets auto-reboot  

15:20

to 72 hours, but we recommend that most  people lower it to 12 hours or less.  

15:25

To do this, go to settings, Security,  

15:29

then select 12 hours or less  under auto-reboot  

15:32

Then there’s pin layout go to settings  

15:34

select Security and enable “scramble PIN input layout.