What is the most private and secure phone
Added 2024-11-07 14:53:19 +0000 UTC
Be sure to check the attached PDF for reference on scoring!
Introduction
Smartphones are ultimate spying devices. Apple is collecting your detailed usage information even if you opt out. Google is tracking your location even if you turn it off entirely. And the predatory advertising industry is gathering, selling and sharing your data with no precautions, making you fall victim to scammers, fraudsters or power-tripping cops.
Of course, the big tech is getting backlash for the dystopia they are building for us. So now they are all telling us that they take our privacy seriously and do everything they can to protect it.
But how can you trust their claims? All of this is really just marketing. Is there a method that’s based on evidence that can tell us which options are actually private? Yes, that’s what we are going to do in this video. We are gonna analyze which phone on the market is currently the most private option for you.
There are myriads of phones to choose from so to keep things simpler, here’s what I decided to do: We’ll make the iPhone its own category, which will compete against Pixel phones from Google. Then all the remaining Android vendors will be grouped into one category. I am singling out Pixel here for reasons that will become clear later. Then we’ll also have to test all of these against AOSP + forks because they do offer some advantages as well as disadvantages. And among them, GrapheneOS will also be singled out due to facts that will be explained along the way.
As we go along, you’ll get a strong grasp on what makes a phone private and what doesn’t, and by the end, you’ll get a total score. I encourage you to follow this method and see if you can reproduce the results or come up with something else. Feel free to post your own findings on my subreddit or Patreon. Now without further ado, let’s jump into it.
Methodology – LINDDUN
How do we decide how private any given phone is? Well, you can ask people who have something to sell you, or you can use something like a benchmark to test the phone against. Our benchmark is gonna be a privacy threat model called LINDDUN. LINDDUN is basically just a list of seven privacy threat categories. These threats encompass everything personal data on your phone can be exposed to: from creepy advertisers and data brokers, through hackers and government agencies, to bad practice and conduct at the companies themselves.
LINDDUN was built for privacy engineering and we are not engineers but we can still use it. We will take these seven threat categories and measure how much each phone is exposing our data to each threat. We’ll go by each LINDDUN category and assign a point for when a phone is vulnerable to a privacy threat. So the more points a phone gets, the worse it is for your privacy.
This is gonna be very easy to follow and reproducible so if you think I got some stuff wrong, you can follow this method yourself and offer your perspective. So let’s get started!
LINKABILITY
The first and most immediate privacy threat is linkability. Linkability is whenever two pieces of data are related or linked – for example, your travel patterns can be linked to your identity by tracking your license plate.
The iPhone
The iPhone immediately scores several points. In order to use the iPhone in any capacity, you need to create an Apple account and connect it to the internet. This will immediately broadcast all unique identifiers from your phone to Apple. Apple will use that information to uniquely profile your phone and track all of your usage data at least for the duration of your account. Apple will track your activity and data across all Apple apps and services. That means the iPhone scores points on linkability of credentials, usage data, flow of personal data and metadata. But Apple does abide by principles of data minimization and they are processing more data on device rather than in the cloud. So they won’t get any more points on linkability.
Google Pixel
Google Pixel has all the same data collection problems as Apple does, but by default Google does share more data with third parties than Apple so I have to give Pixel a point on linkability of shared data. Google also implements data minimization and also processes more and more data on device so Pixel won’t get any more points on linkability.
Stock Android
The same can’t be said of the rest of the Android vendors. They often ship their phones with unnecessary preinstalled apps with privileged permissions. That bloatware can’t be deleted and its permissions can’t be revoked, so data collection is completely out of hand. Other than Google, Android vendors rarely abide by any security and privacy principles: they collect more than they need, retain it for longer and sell it to third parties without restraint. So all other Android phones and vendors get all points on linkability.
Forks
Android is an open source operating system, which means anyone can take it and make their own version from it. This is where forks of AOSP and GrapheneOS take their stand. Because of the open nature, you are not forced to use a Google account or any unnecessary bloatware with these forks. However, there is a difference between GrapheneOS and the rest of AOSP. GrapheneOS is the only Android fork that significantly enhances the application sandbox, to the point that no app on your phone has any privileged access whatsoever. On top of that, GrapheneOS is the only OS that allows you to create fully isolated user profiles where you can install privacy invasive apps and keep them separate from your private data. This significantly reduces the privacy exposure to all linkability threats, even if you end up installing privacy invasive apps. If you install them on other AOSP forks, you are pretty much just as exposed as on stock Android minus the bloatware. So I’ll give AOSP forks 5 points on linkability and I’ll give GrapheneOS 0 points.
Identifiability
The next privacy threat, very closely related, is identifiability. You are exposed to identifiability whenever you are required to provide identifiable information, such as your email, phone number, home address or via purchasing methods. You can also be identified by patterns of behavior in case of extensive and prolonged data collection. And this is where it goes downhill for most smartphone options.
The iPhone and Pixel
To use the iPhone, you have to create an Apple account and activate it over the internet. This immediately gives Apple your email address, phone number, payment method, IP address and all hardware identifiers from your iPhone. The same is true for when you create a Google account on Android, although it must be said that it is possible to use Android without an account. And because both Google and Apple are collecting detailed usage data and personal data over a long period of time, your usage, behavior and metadata will all be identifiable. Apple and Google also store your data with identifiers that are either unique per profile or tied to your account. So for the class of identifiability threats, both iPhone and Pixel get 5 points.
Stock Android
Other Android vendors are guilty of the same and much more. Again, preloading phones with privileged apps that can’t be removed or contained is a privacy disaster. That bloatware will always collect personal and identifiable information and there are zero privacy guarantees as to what happens to it when it leaves your phone. So all Android vendors get 7 points on identifiability.
Forks
For all AOSP forks, including GrapheneOS, no identifiable information is required. However, only GrapheneOS sufficiently prevents third parties from obtaining identifiable information from your device – for instance by full MAC address randomization and a stronger sandbox that bars third parties from tracking you across apps and services. There is only one identifiable data point that not even GrapheneOS can protect you from and that’s your device IMEI – that information leaks to telecom companies when you use the cell radio, i.e. when not in airplane mode. So all in all, GrapheneOS gets one point for identifiability. With other AOSP forks, the only privacy benefit is that you can easily use them without a Google account, but they expose the same amount of information to third parties as stock Android, minus the bloatware. So AOSP forks get 3 identifiability points.
Non-repudiation
The third privacy threat is non-repudiation, which is basically just the opposite of plausible deniability.
This whole threat revolves around the question: can you use this phone anonymously or without detection? There are more and more cases where this is required, as we do more and more sensitive stuff on our phones. We trust them with tracking our health and fitness, including mental health; we use them for tracking periods, managing finances or dating. There are many use cases where it’s important that you can plausibly deny having used a service. This is why it is crucial to be careful who you trust your data with.
Now Apple and Google collect personally identifiable information from you. But that in isolation wouldn’t be sensitive, unless using them is illegal in your country. Where it becomes extremely sensitive is through the logging of requests between apps and services by these companies. They log and store your interactions along with your personal data, which makes your use of these services undeniable. This is why geofence requests from government agencies are so frequent and are often used for prosecution and persecution. Whenever Apple or Google get a request for user data, they also get all these sensitive logs that are now tied to your account. The very same applies to other Android phones and AOSP forks if you use them with Google services.
The only phone that has full plausible deniability is GrapheneOS and that is even if you use Google. That’s because not even Google nor GrapheneOS have access to any hardware identifiers and it’s impossible for them to know what individual phone you are using. So GrapheneOS gets zero points on non-repudiation, Pixel, iPhone and AOSP forks get 3, and other Android vendors get all 5 due to unnecessary involvement of privileged third parties with preinstalled access.
Detectability
The next class of threats is detectability. Detectability is the ability to observe whether a data point exists or not, even if the contents cannot be seen. So for example, if I grab your encrypted card, I can see there is data on it, I just can’t see what’s in it. In almost all cases, detectability threats will come from external sources. All phones, including GrapheneOS, will make the traffic between the apps on your phone and outside services detectable. The only way to prevent this is by turning on airplane mode or leaving your phone in a Faraday bag.
Only GrapheneOS can remain usable and still avoid detection, by using it as a WiFi-only device with a trusted VPN, which is how I use my phone. Doing this, you avoid all cell traffic, and GrapheneOS will completely anonymize your phone to any WiFi network you connect to. No other phone can do this. So all phone options except for GrapheneOS get two points on detectability.
Data disclosure
The next privacy threat is data disclosure. This pertains to data practices, i.e. what these companies do with your information, as well as data security, i.e. do they properly secure it against breaches, leaks and unauthorized access.
iPhone and Pixel
Apple and Google do some great things to minimize unnecessary data collection. They introduce more and more ways to keep your data on device rather than processing it in the cloud. They inject noise into data they do collect in order to anonymize it. And they also federate machine learning for certain smart and AI features on your phone so that only aggregated data is used for training their AI models. Both Google and Apple also abide by minimal retention of your personal data and they in fact do not share your personal data with third parties unless necessary for the service. They enforce this with increasingly restrictive permissions and new popups asking for your consent. So there is a lot of positive development here. However, they still do a lot of unnecessary data collection and analysis in my opinion, as they collect and process all usage data across apps and services on your phone. But there is one thing to note: Apple does offer end-to-end encryption of iCloud data, which covers more personal data than Google's cloud encryption. To reflect this difference, iPhone gets two points on data disclosure and Pixel gets three.
Other
AOSP forks benefit from Android’s privacy features, but they don’t do anything above that. The only exception is GrapheneOS that treats all apps as third party apps and can completely restrict privacy invasive apps in fully compartmentalized user profiles. So AOSP forks get 3 points and GrapheneOS gets 0. As for the other Android vendors, because of unnecessary bloatware, overreaching permission access, neglected security and terrible privacy practices, they get all five data disclosure points.
Unawareness and non-compliance
All that remain are the last two privacy threats – unawareness and non-compliance. These are soft threats that stem from bad conduct and practice at phone companies and developers. This happens all the time, given the frequency of terrible data breaches.
Things in these threats include lack of transparency, intentionally bad user controls to make it more difficult to opt out of data collection, lack of portability of your data, i.e. the walled garden cancer, collecting and sharing your data without your consent, collecting more than strictly necessary, retaining more information and for longer than necessary, and automating decisions on your behalf without informing you… Pretty much all tech companies are guilty of this, and that is true for Apple, Google and all smartphone vendors. Apple and Google are at least trying to minimize unnecessary processing and collection, but Android vendors are proactively trying to do the opposite.
The iPhone’s biggest hurdle is how hard Apple is making it for users to migrate to different services that aren’t Apple. That issue isn’t nearly as bad on Android. Both companies let you easily delete all of your data, but their privacy controls are still intentionally muddied in my opinion. They do provide consent controls but they’ve been caught multiple times in the past ignoring or neglecting that consent. I also think their privacy marketing is misleading and they don’t properly inform users of the true scale of collection they are doing. So for unawareness and non-compliance the iPhone gets 6 points, Pixel gets 5, and Android vendors get all 10. As for AOSP forks, none of them sufficiently mitigate these threats except for GrapheneOS thanks to its fully compartmentalized user profiles. So GrapheneOS gets 0 and other forks get 5, the same as Pixel.
FINAL SCORE
This concludes the LINDDUN benchmark. Now, we have the final score so what is it? In the last place, we have Android vendors with 36 points. Next we have the Google Pixel with 22 points, tying the iPhone. Second position is taken by the broad class of AOSP forks at 20 points. And the first place is taken by GrapheneOS with only 1 point.
End
This video has been brought to you with 0 sponsorship interest. There are no affiliate links either. I am pretty much only sustained by Patreon at this point. Please go to my page at patreon.com/thehatedone and become a member to get early access to all of my podcasts, exclusive content, posts and even merch. Thank you!
Comments
Jose Vanduka, 2024-11-08 22:51:51 +0000 UTC
I think the outdated part is a non-issue because it gives you a chance to make more content and a new video. I personally think deeper discussions around how to set up, configure, and use the GrapheneOS phone are a good path forward. Case in point, you just rated GrapheneOS the most private phone OS, and so following up with a how-to on setting it up and configuring it correctly for privacy could be very helpful for your readers and followers. Just something to think about.

The Hated One, 2024-11-08 21:03:51 +0000 UTC
I did make a video like that in the past, before the web installer. You are right that it might be helpful, but it also runs the risk of quickly becoming outdated in case of any change in the process. So I am not sure if I should do it.

The Hated One, 2024-11-08 21:02:25 +0000 UTC
Yes. To make this point clearer: you can create multiple user profiles on Android too and isolate apps there, but Google will always have privileged access and will be able to link Android profiles. On GrapheneOS no process or app can cross the link between these profiles, not even Google if you install Play Services. Makes sense?

The Hated One, 2024-11-08 21:00:34 +0000 UTC
I decided to give GrapheneOS 0 on detectability because it's possible to be anonymous with a WiFi-only setup thanks to full MAC address randomization, which no other phone has. If you use GrapheneOS with a SIM card then it is detectable to cellular networks.

Jose Vanduka, 2024-11-08 20:29:08 +0000 UTC
FYI - the PDF has a typo in the GrapheneOS column in the Detectability section. Assuming you want the score for GrapheneOS to be 1.

Chuck8541, 2024-11-08 15:02:38 +0000 UTC
I’m relatively new to GrapheneOS, and slowly getting out of the Apple ecosystem. Is it true all GrapheneOS profiles are completely isolated - especially with identifiers?

Chuck8541, 2024-11-08 14:45:49 +0000 UTC
Hahaha “Bad actors”. It’s Morbin time!

Jose Vanduka, 2024-11-08 01:56:34 +0000 UTC
Excellent video. It seems logical that you need to create a step-by-step tutorial on how to set up and configure GrapheneOS. I think this has the potential to be a very popular video for you, and it seems like the right thing to do to help people with these invasive privacy issues that you clearly articulated in this video.