Basics
Combinations
[Ignores Apple.]
- Android phone with stock OS, run Android apps.
- Android phone with AOSP-compatible third-party OS (LineageOS, Replicant, Paranoid Android, Resurrection Remix, /e/, Calyx, GrapheneOS, DivestOS), run Android apps.
Can be hard to install OS and update it.
- Android phone with Linux, run Linux apps recompiled for ARM ? Can't make phone calls ?
- Android phone with new OS such as Sailfish or Ubuntu Touch, run what apps ?
- Custom phone such as PinePhone or Librem 5 with new OS such as Sailfish or Ubuntu Touch, run what apps ?
- Custom phone such as PinePhone or Librem 5 with Linux, run what apps ? Can't make phone calls ?
Non-Android operating systems
It's unclear to me: which of these give you a "smartphone",
and which give you a "small computer with touchscreen" ?
- Sailfish OS
(on Wikipedia)
(praised by Noah Chelliah)
- KaiOS (based on discontinued Firefox OS)
- Ubuntu Touch by UBports (not Canonical)
video
- Manjaro ARM
- postmarketOS + Phosh
- Mobian
- Droidian
- PureOS (Purism, Librem)
It may be possible to run some stock Android apps on a Linux smartphone.
Bart Ribbers' "State of Linux on mobile and common misconceptions"
But from someone on reddit 7/2020:
> will normal Android apps such as WhatsApp and my bank's app and K-9 Mail work on these phones ?
No, most likely not. Android apps were specifically built to work for Android (even though Android is itself a fork/derivative of Linux). You will need to wait for a Linux-native app to realistically use any Android apps*. Banking apps will likely be the most annoying and last to show up, but communication apps like WhatsApp and K-9 would likely be ported if the platform gained any significant user base. Already, apps like Signal have perfectly fine (even if not tailored for mobile experience yet) apps for Linux.
* technically Android apps will probably run through an emulation or interpretation layer, though the experience would likely be not very good, especially on an under-powered phone.
Madaidan's Insecurities' "Linux Phones - Comparison with Other Phones"
From people on reddit 8/2020:
My prediction of a Linux phone: It will probably never be all that good. I had a Windows phone which I loved,
but it was completely crap to own due to the lack of apps. A phone is only as good as the apps that you can get for it.
Android is Linux, so getting the most pure, de-Googled Android ROM is the easiest way to get a Linux phone without compromising too much.
...
I doubt they will ever be a proper daily driver in a world where almost all applications rely on stable closed-source friendly development environments, which desktop ecosystem Linux suite has never been. If you have a limited digital life (no banking, no chat applications, no transportation apps, limited mapping functionality), my guess is you'll get something that occasionally bugs out and can hold a charge half a day in a year or so. I would bet my money on Pinephone rather than Librem. However considering the funding the software projects receive I am not that hopeful.
Replacing Google services
From Serge Wroclawski's "The Search for a FLOSS Mobile OS (Aug 2021)":
"... most modern Android applications rely on features that are not available through AOSP, including notifications, application debugging, and other features and applications. These are called the Google Mobile Services, or GMS. Without Google Mobile Services, many Android applications simply won't work."
Alternatives:
- Google Mobile Services (GMS).
- Use apps from F-Droid that don't use GMS.
- Replace GMS with microG.
Custom (non-Android-compatible) smartphones
- PinePhone
on Wikipedia
/r/PINE64official
Jesse Smith's "The PinePhone running Manjaro and Plasma Mobile" (12/2021)
Brest's "PINEPHONE First Impressions" (video) (3/2020)
Phone has hardware switches to enable/disable microphone and camera etc, but you have to take off the back of the phone to access the switches.
From someone on reddit 4/2022 about Pine64 / PinePhone Pro:
Severe problems with charging, and with keyboard. And if battery goes flat, often the phone is bricked completely. Return/refund terms very harsh.
- Purism
Librem 5
/r/Purism
Phone has hardware switches to enable/disable microphone and camera etc, and the switches are on outside of phone.
- Volla
Can have either a non-Google Android-compatible OS, or a Linux OS.
Mehedi Hasan's "Linux Secure Phones"
Fairphone (Android phone with emphasis on repairability)
Ariadna Vigo's "Me and Android"
Security and Privacy
Smartphones are horrible for security and privacy. They constantly broadcast your location (to all cell-towers, not just those of your provider), they constantly look for known Wi-Fi networks, the cell-service provider knows your location and calls and messages, they generally force you to provide an email address and connect to cloud accounts, they nag you to provide a payment method (always skip that), they're pre-loaded with apps you can't remove, all apps have a lot of access to your data, some apps have terrible security, you may get no software updates, etc.
Identifying numbers
- Phone's IMEI: permanently built into the hardware of the phone.
- SIM card's IMSI: permanently built into the hardware of the SIM card. And in many countries,
you will have to show govt ID to get a SIM card.
- Phone number: phone company associates phone number with the SIM card. If you change
phone company, you will have them "port" the phone number from the old SIM card to a new SIM card.
- Android build serial number: don't know.
- Android ID number: don't know. Changes if you do a factory reset.
- Wi-Fi MAC address: permanently built into the hardware of the phone.
- Bluetooth MAC address: not sure if it's permanent or can be changed by OS.
But an app (malicious or not) on your phone could read those numbers and send them to any web site. In Android, starting with version 10, there are additional protections of these numbers: article. In various Android versions, or in some states of the phone, an app trying to read one or more of those numbers may get a null value.
Some legitimate apps (e.g. financial) may use these numbers to confirm identity. For example, when you first install your bank's app and register, maybe those numbers are sent to their server. Then any time you log in, the app sends the numbers again and the server checks that you're still using the same phone, so it's really you.
A web page or JavaScript probably can read your phone model, Android OS version number, screen size, CPU type, maybe your phone service provider (owner of your IP address while on cell data), plus the usual info that a desktop browser reveals.
Try various browsers, with VPN off, with:
BrowserLeaks.com
Device Info
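What a page script can see, as an added example (not part of the original page): it pulls Android version and phone model out of the User-Agent string and gathers the other fields mentioned above. The function names and the sample values are constructed for illustration. The service provider is not visible to the script itself; the server infers it from your IP address.

```javascript
// Added example: fields a page script can read on an Android phone.
// Objects are passed in so the same code runs in a browser or under Node.

// Parse the "(Linux; Android <version>; <model>)" part of a User-Agent string.
function parseAndroidUserAgent(ua) {
  const re = /\((?:Linux; )?Android ([\d.]+)(?:; ([^;)]+?))?(?: Build\/[^;)]+)?[;)]/;
  const m = re.exec(ua);
  if (!m) return null; // no Android token in the expected position
  let model = m[2] ? m[2].trim() : null;
  // Firefox for Android sends "Mobile" or "Tablet" here instead of a model.
  if (model === "Mobile" || model === "Tablet") model = null;
  return {
    androidVersion: m[1],
    model,
    // Recent Chrome reports the fixed pair "Android 10; K" on every phone
    // (User-Agent reduction), so those values say nothing about the device.
    reduced: m[1] === "10" && model === "K",
  };
}

// Gather what navigator/screen expose without asking for any permission.
function collectDeviceInfo(nav, scr) {
  return {
    android: parseAndroidUserAgent(nav.userAgent || ""),
    screen: `${scr.width}x${scr.height}`,
    cpuCores: nav.hardwareConcurrency ?? null,
    platform: nav.platform ?? null,      // hints at CPU type
    memoryGB: nav.deviceMemory ?? null,  // Chromium-based browsers only
    languages: [...(nav.languages || [])],
    touchPoints: nav.maxTouchPoints ?? null,
  };
}

// Constructed sample values, not captured from a real device.
const SAMPLE_NAV = {
  userAgent: "Mozilla/5.0 (Linux; Android 13; Pixel 6a) AppleWebKit/537.36 " +
    "(KHTML, like Gecko) Chrome/108.0.0.0 Mobile Safari/537.36",
  hardwareConcurrency: 8,
  platform: "Linux armv8l",
  deviceMemory: 4,
  languages: ["en-US", "en"],
  maxTouchPoints: 5,
};
const SAMPLE_SCREEN = { width: 412, height: 915 };

// In a browser, report the real values; elsewhere, the sample.
if (typeof window !== "undefined") {
  console.log(collectDeviceInfo(navigator, screen));
} else {
  console.log(collectDeviceInfo(SAMPLE_NAV, SAMPLE_SCREEN));
}
```

Paste it into the browser's developer console on the phone (or via remote debugging) and compare the result across browsers, the same way as with the test sites above.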
- Of course, do the basics right: have a PIN or password on your phone,
turn on encryption, write your email address
on the outside so it can be returned if lost, do backups,
use a case to protect it if dropped, record serial numbers and model number
so you can report them in case of theft or loss.
- Have a PIN or password on your carrier's Support account for your SIM/number/account,
so any change to your SIM or number or account requires a password,
even if you're calling Support on the phone.
- Turn off caller-ID. But some of your friends and family may reject your
calls if they can't see who's calling.
- Turn off ad-tracking, and reset your ad ID:
Mike Epstein's "How to Keep Your Personal Data Out of IRL Targeted Ads"
NAI's "Information on Opting out on Mobile Devices"
- If you stop using Google Play Store (use Aurora Store instead), you can
use your Android phone without logging into a Google account.
Paul Bailey's "Have Your Privacy Cake on Android and Eat it Too"
- Carry your phone as little as possible. Leave it at home when you can.
- Keep your phone turned off as much as possible.
- If your phone is turned on, keep it in a Faraday bag as much as possible.
That way you can pull it out when you need it
and it will be ready to use right away.
- Keep the phone's camera pointed at something uninteresting
when you're not using the phone. Or put a piece of tape over the lens.
- If you need to plug the USB cable into a USB charging station (such as in an airport),
use a data-only USB cable or a "data blocker" USB connector. Better yet, plug into AC instead
using your AC adapter.
- Any time your Android phone pops up a Google dialog saying "hey, time to set
a payment method you can use in apps !", choose Skip instead of PayPal or any other choice.
- After any major software update, check settings such as airplane-mode and privacy settings.
They may get reset by the update.
- Don't reply to SMS's or call back to calls from unknown numbers. They could
be premium-charge services.
- One of the worst things about smartphones is that usually you're forced to
log in to a cloud service associated with the phone, such
as Android's Google Services or iPhone's AppleID. And on Android the manufacturer (e.g. Samsung)
may encourage you to log in to their cloud service too. That's a recipe for having unknown ties
between phone and service, including automatic backups or sharing, telemetry, etc.
Try to avoid logging in if you can. You would lose some nice features, mainly backup/restore, and easy migration
of data to a new phone.
- Each time you change to a new phone or phone number for some reason
is an opportunity to create a new Apple or Google account,
separate from past accounts you used. Unless you need to bring across lots of info
from iCloud or Google's cloud, keep new separate from old.
- Maybe have two phones: one with your contacts and only trusted apps (email, banking, messaging)
and a second with untrusted stuff (games, social media, map apps, etc).
- Use as few apps as possible; each additional app installed means a greater chance
of getting a malicious app or a security hole. Use browser access to web pages
as a safer alternative to apps.
ClassyShark3xodus (app to scan other apps for trackers)
Exodus Privacy (check apps for trackers)
[Exodus Privacy has better UI, but ClassyShark3xodus tests 2x or 3x as many apps; use both.]
Steve Kelly's "10 Free Apps to Protect your Android Device from Spying"
Narseo Vallina-Rodriguez and Srikanth Sundaresan's "7 in 10 Smartphone Apps Share Your Data with Third-Party Services"
Chris Welch's "Google took down over 700,000 bad Android apps in 2017"
Dan Goodin's "22 apps with 2 million+ Google Play downloads had a malicious backdoor"
Catalin Cimpanu's "Android ecosystem of pre-installed apps is a privacy and security mess"
Evan Schuman's "Massive bank app security holes"
1/2020 I used ClassyShark3xodus to scan my phone's apps for trackers:
- Most trackers that apps contained were Google Analytics, Google Firebase Analytics, Google CrashLytics, Google Ads, and/or Google Tag Manager.
- Some app-scans (Proton Mail, Sophos Intercept X) failed with "sorry, don't support ODEX" message. That's an optimized format where some or all source code is removed.
- I was happy to see that some key or security apps contained no trackers: K-9 Mail, Keepass2Android Offline, strongSwan VPN Client.
- F-Droid app contained 136org.acra
- Fing app contained 12 trackers including several from Facebook.
- OpenKeychain app (PGP for K-9 Mail) contained 40org.piwik
See Remove Apps section of my Android page.
- Many apps harvest data from your Contacts list. Maybe keep only essential contacts in there, not everybody.
And for those contacts, keep only essential data (name and phone number) in there. Maybe
even abbreviate the names a bit.
- Keep as little data as possible on your phone, and backed up into the phone's cloud account.
I sweep pictures from my phone to my laptop via USB cable within hours of taking the photos.
Don't save a lot of downloaded documents and cached data on your phone.
Check to see if apps such as WhatsApp are doing backups (thus retaining deleted photos).
- Go through the permission settings for every app.
Try to set app permissions to the smallest set possible.
The default settings are chosen to benefit the app company, not you.
- Some apps demand a huge list of permissions, to everything in your phone. Maybe don't install those apps;
choose other apps that take fewer permissions, or
access the services through a browser instead. For example,
use m.facebook.com or mbasic.facebook.com through a browser instead of the Facebook app (or, some people
say use apps Tinfoil for Facebook or FaceSlim).
Review the permissions given to each app, in Settings / Apps.
But expect some tweaking; I found my Camera app refuses to run unless given permissions
for recording audio and making phone calls.
- Permission-controlling add-on.
- VPN. I use Windscribe, and I've found that the open-source client app strongSwan works
better than the proprietary Windscribe app.
- There are claims that some apps may listen to you through the phone's microphone, even
when you're not using the app. Major apps such as those from Facebook and Google don't do this; they've
been tested, and anyway those companies have much easier ways of learning all about us.
Rachel Sandler article
Skeptoid's "How Your Smartphone Is Listening to You"
- Older versions of Android give less control over app permissions. So upgrade the version (which may
require getting a new phone, or installing a new OS).
- Ad-blocker on phone:
Blokada (not in Google Play Store, have to download and install it specially; doesn't need rooted phone; can't use with a VPN ?)
AdAway (requires rooted phone)
DNS66 (acts as a VPN, does DNS filtering)
personalDNSfilter (acts as a VPN, does DNS filtering)
Block This
NetGuard (non-root; don't use version in Play Store)
Fabio Buckell's "7 Apps to Get Rid of Annoying Ads on Your Android Device"
Apparently, non-root ad-blockers appear as a VPN to the phone, so you can't use them together with a real VPN.
In Firefox browser, use uBlock Origin add-on.
- Anti-virus on phone:
Aaron Phillips' "We tested 21 Android antivirus apps and found these serious vulnerabilities"
Brendan Hesse's "Double-Check That Your Android Antivirus App Actually Works"
I use Sophos.
- Firewall on phone:
"Any security difference between root based firewall (AFWall+) and non-root based ones (NetGuard)?"
Glasswire ?
- Backup on phone:
Make sure you know where the backup is going to; I tried Titanium and it just backed up to a different partition on same phone, no help if phone dies or gets reinstalled.
My experience with IDrive starting 3/2018:
Bought a lifetime mobile subscription for $20. It's limited to 5 mobile devices, and you can't delete one and add another in its place. So it's "lifetime" of each phone, not your lifetime. No limits on amount of data. Started using it only on my partner's Android phone; my phone is almost empty. Initial backup of 7 GB or more took 6 hours or more.
Tracey Rosenberger's "5 of the Best Android Apps to Back Up Your Phone's Data"
Ludovic Rembert's "How to stay private when using Android"
Fieke Jansen and Helen Kilbey's "Cybersecurity Self-Defense: How to Make Your Smartphone More Secure"
Spread Privacy's "How to Set Up Your Devices for Privacy Protection"
DjiBestBuy's "Top 10 most dangerous things people do with their smartphone"
Attedz's "Android Privacy Guide"
PRISM Break
Joseph Cox's "T-Mobile, Sprint, and AT&T are selling access to their customers' location data ..."
Jeffrey Paul's "Apple Has Begun Scanning Your Local Image Files Without Consent"
Ctrl.blog's "'Phone Link' relays your personal data through Microsoft servers"
Google Pixel 6a smartphone
Specifications
/r/pixel_phones
/r/GooglePixel
See my Pixel 6a with GrapheneOS
Difference between "carrier unlocked" (AKA "factory unlocked") and "OEM unlocked" ?
Carrier/Factory Unlocked == without network/SIM lock, use any carrier.
OEM Unlocked == bootloader is unlocked, can root the device, can install new OS.
From XDA-Developers thread:
"All or most of the US versions of Pixel devices for the different US carriers (i.e. Verizon, AT&T, Sprint, T-Mobile, etc.) are bootloader-locked, buy directly from Google or buy an international version of Pixel with an international model number."
article about carrier-unlocked
From someone on reddit 4/2023:
"[Compared to 5a] 6a has a better processor. ... But 6a sacrifices the legendary a-series battery life. ... the 6a's fingerprint sensor is absolutely terrible."
Operating systems supported on Pixel 6a as of 3/2023:
Android:
GrapheneOS. https://grapheneos.org/faq#device-support
CalyxOS. https://calyxos.org/docs/guide/device-support/
LineageOS. https://wiki.lineageos.org/devices/#google
Not /e/OS easy-installer. https://doc.e.foundation/easy-installer#list-of-devices-supported-by-the-easy-installer
Not /e/OS install from Gitlab. https://doc.e.foundation/devices
Not Replicant. https://replicant.us/supported-devices.php
Linux:
Not SailfishOS. https://docs.sailfishos.org/Support/Supported_Devices/
Not Ubuntu Touch. https://devices.ubuntu-touch.io/
Not KaiOS. https://www.kaiostech.com/explore/devices/
Not postmarketOS. https://wiki.postmarketos.org/wiki/Devices
Not PureOS. https://tracker.pureos.net/w/faq/
Not Mobian. https://wiki.mobian.org/doku.php?id=devices
Not Manjaro ARM. https://wiki.manjaro.org/index.php/Manjaro-ARM#Device_List
Miscellaneous
What I need from a phone:
- Have a valid phone number.
- Make and receive voice calls.
- Receive SMS messages.
- Take photos.
- Play MP3 audio files.
- Run WhatsApp.
- Run some IMAP email app (K-9 Mail).
- Run some CalDAV calendar app.
- Run KeePass.
- Run bank apps.
After the first day or two of a trip to another country, check your phone-service account to see if you're being charged for roaming.
Odd article, and ends up with smartphone that is not a phone, but:
HOEK's "Anonymous Tor Phone"
(Mentions Mobile phone security for activists and agitators)
Apple versus Android:
swyx's "Switching to Android after 13 years of iOS"
Edgar Cervantes' "Why is my phone's battery draining so fast ?"
Branch Education's "What's Inside a Smartphone?" (video)
Branch Education's "How Smartphones Operate || Inside the Primary Processor" (video)