~/tools/mobile-os

Mobile OS

last updated 2026-06-12 · 4 recommendations · what changed

Your phone is the most personal computer you own and the most chatty: location, contacts, sensors, all reporting home by default. There are two sane answers: an iPhone configured deliberately, or a de-Googled Android. Which one is right is a pure threat-model question.

before you pick Be honest about what you'll live with. iOS asks nothing of you and covers the vast majority of threat models out of the box. Flashing a custom Android OS is a weekend project with real stakes: banking apps may object, there's no support line, and the friction is daily. The technically superior option you abandon in month two protects less than the good-enough one you keep.

what actually matters

update speed

Security patches matter more than any privacy feature. Days-behind-upstream is the standard to hold; Apple and GrapheneOS both meet it.

hardware security

Secure Enclave, Titan chips, verified boot: cryptographic key isolation and tamper-proof boot are hardware properties, not settings.

ecosystem exposure

Who the OS reports to by default, and whether you can turn it off. None at all, sandboxed and optional, or "trust Apple entirely" are all different answers.

app compatibility

The friction people underestimate until they live with it daily. Banking apps, tap-to-pay, and that one work app decide more setups than security specs do.

recommendations

iOS

the default pick
🍎 applesecure enclavestrict sandboxeverything workshardware from ~€500

One of the strongest out-of-the-box privacy and security postures available without meaningful setup overhead. The Secure Enclave isolates cryptographic material at the hardware level, the app sandbox and permission model are among the most strictly enforced in consumer mobile, and Apple Pay tokenizes payments, meaningfully better than handing out card numbers. Appropriate for the vast majority of users, including those with real operational security needs, where app compatibility and reliability matter.

good
  • Hardware-level key isolation (Secure Enclave) on every device
  • Strictly enforced sandbox and permission prompts
  • Apple Pay tokenization beats standard card transactions
  • Fast, long-lived updates with zero effort from you
mind the
  • Closed source; the trust model is "Apple, entirely": a FAANG dependency
  • No user-controlled OS attestation
  • iCloud backups (including iMessages) are not E2EE until you explicitly enable Advanced Data Protection: do it day one
os free · hardware from ~€500 apple.com/privacy →

GrapheneOS

the maximum-security pick
pixels onlyopen sourceverified boot keptsandboxed playfree

If your threat model extends to nation-state adversaries, device seizure, or verified OS attestation requirements, this is the technically superior choice: hardened memory allocator, stricter sandboxing, security patches in days, and Google Play (if you want it) running as an ordinary sandboxed app with no special privileges. It comes with real usability trade-offs and app-compatibility friction that most people underestimate until they're living with it daily. For those who understand and accept that, nothing else comes close.

good
  • Maximum verifiable security and privacy in consumer mobile
  • Sandboxed Google Play: compatibility without the privileges
  • Verified boot, user-controlled attestation, full OTA updates
  • Per-app network/sensor kill switches, storage scopes, duress PIN
mind the
  • Pixel hardware only today (buying a Google phone to escape Google, yes, the irony is noted); a Motorola partnership for non-Pixel devices was announced for 2027, none shipped yet
  • Some banking apps refuse non-stock OSes; no Google Pay tap-to-pay, period
  • The friction is daily, not just at setup; be honest about your tolerance
free · pixel from ~€350 used/refurb grapheneos.org →

CalyxOS

the middle-ground pick
pixels + fairphoneopen sourcemicrog bundlednonprofitfree

De-Googled Android with a gentler philosophy: privacy-respecting defaults that work out of the box, when a current build is available. CalyxOS was listed officially "Unsupported" from August 2025 after Google cut back Pixel-specific AOSP source and CalyxOS had to rebuild its release-signing infrastructure; it's been gradually resuming through 2026 but as of writing isn't back to a stable, fully-supported release. microG (an open reimplementation of Google's service APIs) ships preinstalled-but-optional, so push notifications and location work the way most apps expect without talking to Google directly. Less hardened than GrapheneOS, friendlier on day one when it's in a supported state: the halfway house between stock Android and the deep end.

good
  • microG covers most app expectations with far less Google exposure
  • Supports Fairphone: repairable hardware, not just Pixels
  • Thoughtful defaults: Datura firewall per app, Tor integration
mind the
  • Not currently back to a stable, fully-supported release after a 2025-2026 upstream disruption; check current status before relying on it as a daily driver
  • CalyxVPN is temporarily excluded from current builds
  • microG is a compatibility shim, not a security boundary: weaker isolation than sandboxed Play
  • Patches arrive on a monthly cadence, slower than GrapheneOS or Apple
  • Smaller team; fewer devices than Lineage
free calyxos.org →

LineageOS

the old-hardware pick
~200 devicesopen sourceno gapps defaultcommunity-runfree

The community ROM that keeps abandoned phones alive: a seven-year-old device running current Android with no Google apps installed is a genuinely private machine and a landfill rescue at once. The honesty clause: most builds relax verified boot and ship patches slower, so treat it as the sustainability pick, not the security pick.

good
  • Enormous device support, your drawer phone probably qualifies
  • Ships Google-free by default; you choose what to add
  • Two decades of community lineage (CyanogenMod heritage)
mind the
  • Verified boot usually lost; bootloader stays unlocked on most devices
  • Patch speed varies per device maintainer
  • Quality differs wildly across the device list, research yours first
free lineageos.org →

at a glance

osdevicesgoogle/apple exposureverified bootpatch speedbest for
iOSiPhoneapple, entirelyyesfastmost people
GrapheneOSPixel onlyoptional, sandboxedyes + attestationdaysmaximum security
CalyxOSPixel, FairphonemicroG shimyesmonthlyeasy de-Googling
LineageOS~200 modelsnone by defaultusually lostvariesreviving old phones

the android options are free and open source; cost is the hardware they run on.

worth knowing

On iOS, the checklist is short but real. Enable Advanced Data Protection (Settings → iCloud → Advanced Data Protection) so backups are actually E2EE, audit app permissions quarterly, and turn off the advertising identifier (Settings → Privacy → Apple Advertising). That's most of the gap closed.

On de-Googled Android, get apps from open stores first. F-Droid (or the nicer Droid-ify client) for open-source apps, Aurora Store for anonymous Play access. On GrapheneOS, sandboxed Play is the cleanest route for the stubborn few.

The OS doesn't fix the apps. Instagram on GrapheneOS still tells Meta everything you do in Instagram, and the same goes for iOS. Pair the OS choice with an app diet and the DNS filtering from the network page.

Mind the SIM. Your carrier logs tower locations regardless of OS. For most people that's accepted; for high-risk models it's the reason burner SIMs and Wi-Fi-only devices exist.