Mobile Privacy with a Pixel 4a & CalyxOS
This is a step-by-step guide on how to privately purchase a Google Pixel 4a mobile phone, flash it with CalyxOS, and use it to guard your privacy while on the go. If you are prepared to give up your current phone number and switch to Android then this guide will show you how to reclaim your privacy while maintaining your mobility. You can also find this article on the @BitcoinMagazine website, here.
For many people, their mobile phone is at the center of all their communications and nearly all of their activity. You may depend on your mobile phone for sending emails, posting to social media, keeping track of contacts, password managers, using maps, voice communications, text messaging, video conferencing, banking details, third party payments, Bitcoin wallets, photographs & videos, audio recordings, notes, music preferences, audio books, shopping history, health statistics, location information and more.
That's a lot of detail about a person, and this is generally normal in this day and age. Billions of people globally depend on their mobile phones to interact with the world around them. Mobile phones have put an impressive level of technology and connectivity into the hands of most people on Earth. This is also fueling the data harvesting industry.
It cannot be denied that the level of data harvesting from huge tech companies like Google is staggering. Projections place revenue from big data & business analytics at $274.3 billion USD globally by 2022. Google specifically controls about 62% of mobile browsers, 69% of desktop browsers, 71% of mobile device operating systems, and 92% of internet searches worldwide. Every single click, search, key-stroke, motion, movement, and any other data point that can possibly be monitored is being collected and used in Google's revenue model. To learn more about how your data is used by Google visit this page, where you can find this helpful info-graphic:
On your mobile device specifically, Google isn't the only one getting your information. You are also sharing a lot of data with your Cell Phone Service Provider and with the applications you use on your device. If the data collected from the apps on your phone is not being sold directly to Google, then it is likely being used in a similar revenue model by the app developer. A team of researchers from Trinity College Dublin claims that Google collects 20 times as much data about Android users as Apple collects about iPhone users. Their full technical text can be found here. However, it does not appear to be peer reviewed or published by a scientific society, so take that for what it's worth.
Even if the amount of data being collected is off by an order of magnitude like a Google representative claims, that is still a staggering amount of information about you and your activities being collected.
Like most honeypots, this creates a bifurcated threat for the end user. On one hand, your government could gain access to this data, threatening your freedom. On the other hand, an attacker could gain access to this data, threatening your life. Either way, there is action that you can take to defensively guard your privacy. One of the steps you can take is to flash a privacy-focused operating system onto your mobile device.
CalyxOS is an Android mobile operating system that puts privacy and security into the hands of everyday users. Plus, proactive security recommendations and automatic updates take the guesswork out of keeping your personal data personal.
If you are interested in the advantages of CalyxOS but for whatever reason you do not want to set it up yourself, there are options available for a turnkey solution that offers you everything ready to go out of the box. Mamushi Mobile offers secure phones with CalyxOS installed. Mamushi Mobile accepts Bitcoin & Monero.
Step 1: Obtain a Mobile Device
You may already have a suitable Android device for flashing CalyxOS; you can view a list of compatible devices here. Keep in mind that your device will need to be "unlocked" in order for this to work. In the USA, Google Pixel phones from Verizon have a locked boot loader that blocks OS flashing. If you don't have a suitable device, then you will need to get one, and there are some considerations I recommend before doing so:
1) Registering a phone with a mobile carrier will attach your personally identifiable information (PII) to the device and the SIM card.
2) Purchasing a phone with a credit/debit card could potentially link PII to the device.
3) The Google Pixel 4a offers robust hardware for a reasonable price, ~$350 USD. In my opinion, this is the most well balanced phone for security, performance, and price.
In order to avoid the first consideration, I recommend buying an unlocked phone from a box store like Best Buy. And to avoid the second consideration, I recommend using bitcoin to purchase a Best Buy gift card from BitRefill then use the gift card to buy the phone in person.
Now, if you decide to use bitcoin for this, there are some additional considerations I recommend:
Second, CoinJoin your bitcoin in Whirlpool to break the deterministic links to your on-chain history.
Once you have your gift certificate, check online to see which stores near you have the device in stock. You can print out your gift certificate, but from my experience at Best Buy it is easier for the employee if you just have the bar code pulled up on your phone for them to scan.
Based on my experience, when I bought my Pixel 4a I was not asked for identification or for my name. But that doesn't mean everyone will have the same experience. Consider visiting your local store during peak volume business hours to leverage the advantage of the staff being busy and more likely to just get the sale completed so they can move on to the next customer. In the event that you are asked for personal information, the veracity of that information is at your discretion.
If everything went according to plan, then you should now have an unlocked Google Pixel 4a that is not tied to your identity.
Step 2: Unbox Pixel 4a
First, remove your device from its packaging and check it for any damage.
Next you will need to get a few things ready on your desktop computer. You can set your Pixel 4a aside for now.
Step 3: Select & Download CalyxOS Image to your Desktop
This will download the Image File that will be used to generate the Calyx Operating System on your phone. You can do this from Linux, MacOS, or Windows. These instructions are for Windows.
Navigate to: https://calyxos.org/get/ and select the download link for your device. I purchased a Pixel 4a without 5G capabilities, so I chose the Sunfish link. Make note of the hash value next to the download link. These hash values are subject to change as new updates are rolled out, so be sure to reference what you see on the CalyxOS website, not my screen shots below. Ideally CalyxOS would provide a PGP signature but this will have to do for now.
Next, you will want to calculate the hash value on the Zip Archive that you just downloaded. If you downloaded the Sunfish Zip Archive like I did then it should be called "sunfish-factory-2021.03.04.13.zip" and it should be roughly 1.3GB in size.
I use a program called HxD to easily load a file and run a checksum. HxD has other cool features if you're into viewing metadata or need a good hex editor. HxD can be downloaded here.
Once you open the Zip Archive in HxD, navigate to "Analysis>Checksums", then scroll down to "SHA256". Now you can compare your hash value to the one on the CalyxOS website.
*Always check the CalyxOS website for the most up to date hash values.
Once you have the Zip Archive hash value verified, do not unzip it. Just leave it for now and we're going to do a couple other things first.
Step 4: Select & Download Device Flasher to your Desktop
This will download the Executable File that will help get the CalyxOS Image File onto your phone. You can do this from Linux, MacOS, or Windows. These instructions are for Windows.
Navigate to: https://calyxos.org/get/install/ and select the appropriate flasher for your desktop. Make note of the hash value on the website. On Windows, you are likely to start running into errors at this point. Your browser will probably tell you that it prevented this file from being downloaded because it is "suspicious". If at first you do not succeed, try a different browser. I was able to get this to download with Firefox by selecting the options to override the "security" warnings.
Once you get the file downloaded it should be called "device-flasher.exe" and it should be roughly 6.8MB in size. Again, you will want to follow the same process as used above to verify the hash value of the flasher file.
*Always check the CalyxOS website for the most up to date hash values.
Now you want to create a new folder and put the Image File Zip Archive and the Flasher Executable File in this folder with nothing else.
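The checks from Steps 3 and 4 (the SHA-256 of each download matches the published value, and the folder holds only the zipped image and the flasher) can be run in one pass on Linux, MacOS, or Windows. The script below is an added example, not part of the original article or of CalyxOS; the file name preflight.py and the function names are assumptions, and no hash values are hard-coded because they must be copied from the CalyxOS website at download time.

```python
# preflight.py - added example; not from the article or from CalyxOS.
import hashlib
import sys
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces; the factory image is ~1.3GB


def sha256_file(path):
    """Return the SHA-256 of a file as lowercase hex, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def normalize(published):
    """Clean up a hash pasted from the website (spaces, line breaks, case)."""
    value = "".join(published.split()).lower()
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not a SHA-256 hex digest: {published!r}")
    return value


def preflight(folder, expected):
    """Check the flashing folder before running the flasher.

    expected maps each file name to the SHA-256 published for it.
    Returns a list of problems; an empty list means the folder is ready.
    """
    folder = Path(folder)
    wanted = {name: normalize(value) for name, value in expected.items()}
    present = {entry.name for entry in folder.iterdir()}
    problems = []
    # The folder must hold only the zipped image and the flasher.
    for extra in sorted(present - set(wanted)):
        problems.append(f"unexpected item in folder: {extra}")
    for name, published in wanted.items():
        if name not in present:
            problems.append(f"missing: {name}")
            continue
        actual = sha256_file(folder / name)
        if actual != published:
            problems.append(f"hash mismatch: {name} (computed {actual})")
    return problems


if __name__ == "__main__":
    # Usage: python preflight.py FOLDER NAME=HASH [NAME=HASH ...]
    # NAME is a file name such as device-flasher.exe; HASH is copied from
    # the CalyxOS website at download time (none are hard-coded here).
    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py FOLDER NAME=HASH [NAME=HASH ...]")
    pairs = dict(arg.split("=", 1) for arg in sys.argv[2:])
    found = preflight(sys.argv[1], pairs)
    for line in found:
        print("FAIL:", line)
    print("ready to flash" if not found else "do not flash yet")
    sys.exit(1 if found else 0)
```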
Step 5: (Only for Windows) Check your USB Driver
You need to make sure that your computer has the appropriate USB Driver installed for talking to your Pixel 4a. What worked for me was the standard MTP USB Driver installed on my computer. Here is how you can verify.
If you haven't done so already, go ahead and connect your Pixel 4a to your desktop, turn it on, do not insert the SIM card yet, step through all the setup prompts skipping the parts where it asks you to enter personal information, and connect to WiFi. Here is a video of the whole initial set up:
Next, on your desktop open your computer manager by right-clicking on "This PC" from your file explorer.
You should be looking at your Computer Management window now.
Click on "Device Manager>Portable Devices>Pixel 4a".
Right click on Pixel 4a and select "Properties".
Click on the Details tab and then from the drop-down menu choose Driver Description.
You want to see "MTP USB Driver" here.
If you have a different driver then you may need to update it.
To update your USB Driver, you will first need to download the Google USB Driver. This driver along with more detailed instructions can be found here. This will download another Zip Archive called "usb_driver_r13-windows.zip" which should be roughly 8.3MB in size.
Save this Zip Archive to a different folder location than the folder with the CalyxOS Image File Zip Archive & Device Flasher Executable File.
Then extract the Google USB Driver Zip Archive.
Navigate back to your Computer Management window.
Go back to "Device Manager>Portable Devices>Pixel 4a".
Right click on Pixel 4a>Update Driver; this will launch the Update Wizard.
The Update Wizard will ask you where to find the new USB Driver; point it to the folder location that you extracted the Zip Archive contents to.
Then the Update Wizard should walk you through the rest of the necessary steps.
If you encounter problems with updating your USB Driver through Windows Computer Management, it may be necessary to install Android Studio and then update the USB Driver with the SDK Manager following the full instructions available here. I'm not entirely sure what happens after you tell the Windows Update Wizard which Driver to use since my computer already had a working driver. I imagine that you should be able to go back through the steps to check if you have the best driver installed and end up looking at a message like the one in the image above.
Step 6: Flash CalyxOS on to your Pixel 4a
This will use the CalyxOS Image File Zip Archive and the Device Flasher Executable File to flash the new operating system on to your Pixel 4a. You should have already connected your phone to your desktop, powered on the phone, followed the set up prompts, and connected to WiFi. Your computer should also be able to talk to your phone with no issues.
Navigate to the folder where you placed the CalyxOS Image File Zip Archive and the Device Flasher Executable File. The Zip Archive should still be zipped. If you already extracted the contents then this won't work, so if you did that, then delete the extracted contents. The only things you want in this folder are the CalyxOS Image File Zip Archive and the Device Flasher Executable File. Like this:
Double click on the device-flasher.exe and this should initiate the process. If this fails to initiate the process then you can try to do it from the command line by hitting the Windows key + R, then typing "cmd" in the dialog box that pops up.
Once the command terminal launches, you can use the "cd .." command to change your file path all the way back to the C:\ drive if you need to. Then you can change directory ("cd") to the file path which points to the folder with the CalyxOS Image File zip archive and the Device Flasher Executable File. Once there, enter ".\device-flasher.exe" and hit enter. This should get the process started and then you should be looking at something like this:
Whether you double clicked on the device-flasher.exe or used the command line to launch it, the result should lead you to looking at the message in the image above.
Next, follow the instructions in yellow on the Pixel 4a:
1) Ensure the Pixel 4a is connected to WiFi and there is not a SIM card installed.
2) Navigate to "Settings>About Phone>Build Number" then tap on "Build Number" 7 times to enable Developer Mode.
3) Now navigate to "Settings>System>Advanced>Developer Options" then enable USB Debugging and hit "OK".
4) Also from this Developer Options menu, scroll down and enable "OEM Unlocking".
Once you have completed the 4 steps above, go back to your desktop keyboard and hit "Enter".
The flashing script will start to run and then, in the terminal window, it will prompt you to unlock the bootloader from your Pixel 4a.
On your Pixel 4a, you will see a short description of some product & device information. You will notice that it indicates in green that the Device Status is locked:
After a moment, the message on your Pixel 4a will change to a warning about unlocking the bootloader. You should see "Do not unlock the bootloader" next to the power button.
Using the volume buttons, you can scroll through the available action options. Continue pressing the volume button until you see the action option to "Unlock the bootloader". Then press the power button.
The Pixel 4a should now re-display the original screen with the product & device information, but this time, you will notice that the Device Status is "Unlocked" in red.
The flashing script should continue automatically at this point; you should not have to press the start action with the power button on your Pixel 4a. The Pixel 4a may disconnect & reconnect to your desktop a few times, with the screen on the Pixel 4a resetting each time. This is normal. After a moment, you should see this screen:
This message should be immediately followed by the "fastbootd" screen:
The fastbootd screen should remain for a few moments while the new image is flashed. Then in the terminal window on your desktop, when the script is all finished running, it should indicate to you to exit by pressing any key.
That completes the process of flashing CalyxOS onto your Google Pixel 4a. Congratulations. You will want to be sure to lock the bootloader again when you see the screen in the image below:
Again, use the volume keys to select the action option to "Lock the bootloader". Then press the power button to initiate this action:
You can confirm that your bootloader is now locked again by the indication in green on this screen:
You will receive a message confirming that your Pixel 4a is loading a different Operating System. Then it will automatically reboot.
Once rebooted, your Pixel 4a will load and open CalyxOS and you can follow all the initial startup prompts and configure your settings how you like:
One option you will have during the initial startup process is to enable or disable MicroG. This implements Google Compatibility Services. Enabling MicroG after the fact may cause certain apps to react erratically, and uninstalling and then re-installing certain apps may be required in this scenario. If you are not sure whether or not the apps you want to use will need Google Services, then just leave MicroG enabled.
MicroG is an open source replacement for Google Play Services but without the advertising and location tracking parts. Here, you can read more about which parts of Google Play Services have been incorporated to MicroG.
The basic idea is that with MicroG you should have an easier time using more apps, getting push notifications, and using maps without revealing your personal information to Google's servers. This is a personal choice.
Once you have CalyxOS set up, it is good practice to disable OEM Unlocking by navigating to Settings>System>Advanced>Developer Options and then toggling off OEM Unlocking. You will be prompted to restart your Pixel 4a at this point.
Then it is also good practice to turn off Developer Mode. Navigate to Settings>System>Advanced>Developer Options and at the top of that menu you should see the toggle switch to turn off developer mode. If you ever want to turn it on again, simply navigate to Settings>About Phone>Build Number at the bottom of the menu and tap Build Number 7 times.
Step 7: SIM Card & Carrier Services
You may be using your new Pixel 4a strictly as a secure and private device for your Bitcoin wallet or secure messaging, etc. However, you may also want to use it as your regular phone as well. In this case you will need to pay for mobile cellular services and this is where you may want to make some careful considerations. If you go to a large service provider like Verizon or AT&T then they will register your Pixel 4a with your personal information, which defeats some of the privacy benefits that brought you here in the first place.
One option is to buy a pre-paid and re-loadable SIM card from a smaller carrier. You should be able to find these SIM cards at the same store you bought your Pixel 4a from. In this case, you can purchase the pre-paid and re-loadable SIM card using the same gift card you bought at BitRefill. This way there is no personally identifying information attached to your new SIM card.
Simply log on to the SIM card provider's website and activate your new SIM card. You may be asked for your name and email address. The veracity of the information you provide is completely up to you. I recommend using a burner email address that doesn't reveal any personal information. Then you will be asked to enter a ZIP code so the service provider can assign you a new phone number based on that area. You will also need to enter the serial number of your SIM card during the account activation. If your selected service provider has SIM locking features, utilize them.
Once your account has been activated, insert the SIM card into your Pixel 4a. You now have a fully functioning mobile phone that is not attached to your identity in any way. Once your plan nears expiration you will need to think about how you can re-load your SIM card while protecting your private information. Consider using a private debit card or alternatively, consider using an e-SIM paid for using bitcoin like the ones provided by Silent Link. Silent Link e-SIM cards are compatible with Google Pixel 4a running CalyxOS. The phone number you receive from Silent Link will be a United Kingdom (+44) phone number. This is a good option for having a private phone number that supports SMS messaging which can come in handy when needing text verification at a Bitcoin ATM for example. Silent Link services do not support legacy GSM voice calls however. So weigh your options and proceed however you see fit.
I have been using my Pixel 4a with CalyxOS for a few days now and I have been very impressed with it overall. CalyxOS comes with several privacy-focused apps pre-installed like Signal, Calyx VPN, & Briar. I recommend enabling the CalyxOS VPN for encrypting your internet access. Some apps don't work on "de-Googled" phones. I cannot install the Twitter app for example, but I can use the Chromium web interface to access it and it looks & feels just like using the app. Not all of the conveniences you may be used to will be available on your "de-Googled" phone, but the privacy benefits outweigh the cost of these conveniences in my opinion. Below I make a few recommendations on apps that you may be interested in.
Bitcoin Wallet: Samourai Wallet
Password Manager: KeePassDX
PGP Manager: OpenKeychain
You can also jump in the CalyxOS Telegram channel for community support here.
If you are looking for a lock-screen wallpaper, I made these ones that you can download here and here. Remember, if you ever have your phone confiscated by authorities, anything you say can and will be used against you. So don't say anything without your attorney present. Use long random PIN codes for unlocking your phone. Do not share this PIN code. If you are not served a warrant then no one can search your phone. If you are served a warrant, you need to review it with your lawyer present. I am not a legal expert so consult professional counsel.
Thanks for reading! I hope that this article helped you understand how you can guard your privacy while remaining fully mobile and connected. CalyxOS is an incredible tool and the Google Pixel 4a offers great hardware for the price. With this kind of setup, you can alleviate some concerns over having your location tracked, your camera & microphone activated remotely, and your communications collected. If you are serious about Bitcoin then this is a great addition to the tools at your disposal for minimizing your digital footprint and protecting your privacy.
This article can be found on Twitter as a thread here.