You are indeed correct. Whoops.

Now about OSs.

Most privacy oriented mobile OSs are based on AOSP. Ubuntu touch may qualify as an option that is not, but due to it’s lack of the added security layer that Android provides, I would strongly advise against it.

The “golden standard” for Security and Privacy on a smartphone is GrapheneOS. GrapheneOS has extensive hardening, uses their own servers for services that are usually provided by Google and if a vulnerability is detected they are the first to patch it. I remember reading Kuketz’s security blog, where he contacted the Graphene devs about the fact that at system start, their OS, by default, asks Google servers for the time. He analyzed a few OSs and all had this issue iirc, but it took the team of Graphene mere hours to make the device call their own Server and roll out an Update. They regularly patch vulnerabilities before Google does. What’s the catch? It currently is only developed for Google devices due to their superior security. This includes the tablet. While GrapheneOS has a lot of amazing stuff, my favorite is the fact, that by default, no app has any permissions and I have even finer control over those permissions than I have on stock Android. The big one here is internet access permission. I would play Graphene badly though by just leaving it at that, so I would advise you to check the feature page. Graphene will support a device, as long as it gets security updates by it’s vendor and fulfills their device requirements. This includes new Android versions and is another reason why the Graphene team chooses Google devices, as these logically always have the newest version first.

CalyxOS is a rom often compared to GrapheneOS. I believe this could be, because Calyx and Graphene favour Google devices. Calyx however is nowhere near as secure and as hardened as Graphene, though it is hardened well. The people behind Calyx are incredibly good at networking and by default you get an incredibly fine tunable firewall. It is often used to block certain IPs, say a Google Server. Unlike Graphene, Calyx has support for Microg, which all of the following roms have. This is bad for security and good for usability. Choose your poison. Calyx is also more performant than Graphene, as it is not quite as hardened. Taking Kuketz’s blog as an example again, the answer of the Calyx institute on the question about the Google server call for time was that it is “intended behaviour”. While I don’t doubt that it is, I do not like this at all, especially as this service is easily replacable without consequence. The Calyx institute has a very friendly community and is more than just the OS. They have other tools at their disposal, most of which focus on networking, including the free VPN, that is not a scam, but really slow. Calyx works on the Fairphone, Pixels and the Shift phone. Please do check out the feature page.

Lineage is a rom that was created out of the need to bring devices that have lost update support from their vendors back to life. As a result, it is neither specifically made for security or privacy nor should it really be used for other reasons than it’s reason for creation. It is supported over a wide range of devices and as such does not support specific security features offered by the hardware. It is made to just work on everything.

DivestOS is one of the few mobile OSs that is not built on top of AOSP. It is only by extension, as it is built on top of LineageOS. It too has a wide range of supported devices. What sets it apart from LineageOS is that it has a lot of the hardening that Graphene has. It still has the issue of the widely treaded support, but it would be my second choice for security. The “team” of this project is only made up of one very knowledgeable guy though, so as always be careful. Divest also has incredibly useful resources on their website where they e.g. compare browsers in privacy and security in a concise manner. As Divest does not have a singular feature list, just look through their website to find out if it’s a match.

iodé is an OS created in one of the nordic countries. I believe it was sweden? They have a giant, system wide ad and tracker blocker that is incredibly configurable. This approach is not very beneficial, as this is not privacy friendly but ad reducing. The issue is, that there is one point of defense. That is not enough. Calyx has something like this with its firewall on top of it’s great hardening and google reduction. While iodé does reduce the use of proprietary apps, their goal was never to provide a private experience, but to provide an adless one.

/e/ os is weird. I like it, but it’s weird. I will call it æ from now on as that is faster to type. Project æ, the project behind æ OS, has the right goal. They want you to have a google free experience. I believe the OS has some hardening. Not on the same level of Graphene, Calyx and Divest however, which themselves are on differing levels. With this OS, you get some benefits. Project æ has created an app store. Inside this app store are reviewed and approved apps, which they apparently did by hand. I have never had an æ os device, but I believe that in this app store proprietary software is also available. You get a similar rating to the software that F-Droid and Exodus provide, just done by humans, so they have given the apps points in different categories and explain why, which is indeed more advanced than the alternatives. æ OS also comes with a possible cloud subscription. I do not recommend this, as it just seems to be a Nextcloud reskin. Nextcloud does not have a good encryption method, as the key for decryption of the files that are encrypted at rest is saved in clear text. Murena, which I think is the same group behind æ also sells phones with æ OS preloaded. They have partnered with fairphone to make the newest Fairphones available at their shop. All of this capitalism is not important for you though, that’s to keep the project going. æ OS supports a wide range of devices which, again, is not desirable for security purposes. Check it out here.

A note on Copperhead. The creator of CopperheadOS and the creator of GrapheneOS used to both develop for Copperhead. The current Copperhead owner has made bad choices back then, so the creator of GrapheneOS has split himself from the project and made his own. Do not trust Copperhead, it may still be recommended in some old post.

If you know german, please take a look at Kuketz’s blog, where he currently is comparing these custom ROMs. I am not in any way affiliated with him.

Yes. To explain this further to you I will first define some jargon for you, as you seem to be new to this.

FOSS means “Free and Open Source Software”. Here, free does not mean free as in beer, but means that the software is free to download, use, modify or study. This is different from just open source software, as this only means that the source code is publically available in some way.

Libre refers to the same concept as free, just in an edgy, viva la revolucìon, kind of way.

Privileged apps have a nasty amount of permissions and can access most of the device. They are always treated extra and are often the ones that get you.

Microg is an open source alternative for google services. It can directly replace them and only connects to the google servers when necessary for an app to function. This is also why Microg exists, as it keeps better compatability for apps, than just removing google services completely. It is not perfect though, so some apps might still not work. It can often times be completely disabled, so to have no Google API calls at all. The issue here is, that it is a priviledged App and can most times not be simply removed.

Sandboxed google play services are specific to GrapheneOS. Instead of using the rather incomplete and sometimes unstable Microg, they simply removed all privileges from Google services and made it an untrusted, sandboxed app, that may not even have internet access. This has the best “degoogled” implementation for compatability of apps using google services, but has obvious drawbacks of having closed source Google software on you device, though that device is the most secure device you will likely ever lay your hands on, so no biggie. GrapheneOS comes by default without any implementation or alternative of Google services, so it has incredible privacy with some incompatability issues, although if you use FOSS software, this should not really be an issue in the first place.

A proxy is essentially a server(1) you ask to ask another server(2) for some data. This way, the server(2) does not get your IP. It is different from a VPN you pay a subscription for, as not all your requests are run through a proxy. Only the specific app that uses the proxy will decide for which part of it’s traffic it will use the proxy. There is also no fancy adblocking or other extra features like some VPNs provide.

F-Droid is an app store for FOSS apps. By default, it only lists the official F-Droid repository, which already has a bunch of good software. You can however add other repositories, as for example to add an app that is not quite FOSS, but still very private. The Proton E-mail client is an example, as it uses a singular proprietary library for popup notifications. IzzyOnDroid is a great example for a third party repository you can add for some more apps. Remember, the repositories can not hurt you, but the software you install from them may. Nothing is stopping anybody from distributing malicious software. Do not trust blindly.

Alternative front ends are nice if you want to access a service that has disadvantages you do not like. Libretube is a very nice Piped client. What does that mean? Well Piped acts as a middleman between Youtube (Google) and you, asking the Youtube Server for Videos, while your IP remains hidden. So, Libretube is basically a Youtube client with none of the tracking. Social media has frontends, but there are others. F-Droid has two popular front ends, Droidify and Neo Store. Why? Well, F-Droid is no bad guy. However, the app is rather old and developed for an old Android version. This is bad, as new Android patches and security updates may not hold. There are alternative front ends for a lot of stuff. There is this timetable client called Untis, which has an alternative frontend called BetterUntis lol. It’s important to note though, that not every alternative frontend hides your IP by default. BetterUntis for example directly accesses Untis APIs from your phone. To hide your IP, use a VPN or configure the used app to use a proxy if the app provides an option for it.

The Aurora store is an alternative frontend for the google playstore, sharing a few google accounts between all of its users. You can also add your own account if you want, as the default accounts are often rate limited. Don’t do that though.

The AOSP, or “Android Open Source Project” is exactly what it sounds like. It’s simply supposed to make Android’s code publically available.

Rooting is rather fun. As Android is based on Linux, Android inherits a lot from Linux. One such thing is the base of it’s file system. The lowest path (imagine a folder) for Linux is called root. This makes sense, as it’s the root of everything. When rooting a device, you kind of reenable the file system of the underlying Linux system that Android is built upon. Doing this used to be kewl, is rather problematic however, as this exposes the underlying system of Android, which creates a huge attack surface with a bunch of known vulnerabilities. It’s kind of like stealing someone’s belt, now everyone could pull down their pants.

The word ROM is a little falsely used sometimes. A ROM, or Read Only Memory, is a persistent data storage type that can not be written to, only read. Android OSs are often called ROMs. I don’t actually know why, but it could be a decendant of video games, as those were often stored on ROM back in the day and maybe they still are, dunno. Android sort of runs on top of Linux, which feels similar to, say, a Nintendo game from a cartridge.

A bootloader is basically a small program that kickstarts the operating System (also called OS), a large and very complex program. For security purposes, most bootloaders are locked from the factory. This means, that you can’t just change the program that is started when the device is booted without rooting the device. Some bootloaders are not unlockable however, so you would have to root the device to change the OS, which is insecure.

A secure execution environment is essentially a processer that has limited access to system resources and can thus improve security if properly used.

Google Pixels are very special devices. They are made by Google so you may think they are naturally bad for privacy. They are surprisingly not as intrusive as other devices. Take a Samsung device for example. The Galaxy has Android. Not AOSP, but Google’s Android. They just take Google’s Android that is meant to be installed on non Google devices and slap their own spyware on top of Google’s spyware. So now, you are being spied on by an american monopoly as well as a korean monopoly. Yikes. Now, you want to install a custom rom anyways, right? So why care? I can just take any device, remove everything and use a custom rom. Well, most devices do not have good security in comparison to the Pixel, like the Fairphone. The Pixel has simply has good security. It’s not all sunshine and roses though. You still support Google financially by buying a Pixel. In order to unlock a Pixel, you will also have to connect to the internet, send Google the phone’s IMEI, which is unique and known by Google. So Google knows which devices have had an unlocked bootloader at least once and which didn’t.

The Fairphone is my favorite. It is user serviceable, has pretty decent specs, and is supported by privacy respecting ROMs. It does not have a secure execution environment and generally has sub par security. It does not notify Google or Fairphone when unlocking the bootloader, this is, to my knowledge, Google specific.

The Shift phone is also very nice. It is very similar to the Fairphone, as it is user serviceable, has bad security, yet is just as free. It differs, in that it is not as easily repairable as the Fairphone. It is still extremely easy, but unlike the Shift, the Fairphone does not have weak little wires that can break. The Fairphone is literally just Lego at this point. The Shift phone however seems to be less talk than Fairphone, so if you want to be certain that what you pay for (in the case of these two, environmental friendliness) is achieved, the Shift has got you covered.

Hardening refers to the process of altering a piece of software in a way, that makes it more secure. It is also sometimes used to describe the process of making the software more private. This sounds very good and in theory it is. It does of course come with drawbacks. A hardened Linux kernel will bring the system to a crash on purpose, every time anything suspicious happens. That’s kind of wrong, but for this example it’s enough. This is incredibly secure, but brings along the con of having an artifically more unstable system than before. The biggest con of hardening is performance impact. You can often harden something to quite a high degree without performance degradation, but once you go the extra mile, things just slow down. GrapheneOS is hardened to the very most extreme. It is also a lot slower than most OSs.

And yet he did not mention he does not own one. Am I supposed to withhold information because I’m not sure which information helps him? Am I supposed to play government?