Overview
I deployed GrapheneOS — a hardened Android OS — as a daily-driver phone to strip out the manufacturer and Google surveillance that ships with stock Android. The concern that drives this for a business is concrete: stock Android continuously collects location, communication metadata, and app-usage data, and for an executive that data quietly maps travel, meetings, and relationships. The point of the project was full data sovereignty without giving up a usable phone.
Setup
Google Pixel (official GrapheneOS support)
Official web installer with cryptographic verification
Bootloader relocked after install, verified boot enabled
Hardware-backed security via the Titan M chip
What It Changes
Compared to stock Android, the controls that matter most to me are the ones Google doesn't offer: a per-app network permission (an app you don't want phoning home simply can't), a sensors toggle that cuts microphone/camera/location access, storage scopes that limit what an app can see, and one-time permissions that expire after a single use. Underneath that sits a hardened kernel, verified boot with a custom key, and security updates that don't wait on a manufacturer — with Google Play Services and its data collection gone entirely.
Compartmentalization
I split the device into separate profiles the same way I do on the desktop — an Admin profile for device management, a general-use profile for day-to-day apps, and an Experimental profile for anything untrusted. Each profile is its own sandbox with its own credentials, so a bad app in one can't reach another. Where a Google Play app is genuinely unavoidable, it goes in sandboxed Play inside an isolated profile, as a conscious trade-off rather than a default.
What I Took From It
The honest takeaway is that absolute privacy and a practical phone are in tension, and pretending otherwise leads to a device you stop using. Navigation still needs location sometimes; a couple of apps still need Play. Good security engineering here meant pushing the protections as far as they'll go and then making deliberate, documented exceptions — the same balancing act that shows up in any enterprise MDM program, where controls have to coexist with people getting work done.
Evidence & availability
Built and run on my own hardware, so there's nothing client-confidential here — which means I can show the working parts. Configuration, scripts, and a full walkthrough are available on request.