Practical privacy and simple cybersecurity.
TheNewOil.org

One Week of LineageOS

Recently I came into possession of an old, cheap Android phone that just so happened to be compatible with LineageOS. I have no desire to use Lineage as a daily driver for security reasons I'll discuss shortly, but I thought it might be a fun experiment to flash the phone. It may surprise some of my readers to know that I’ve never flashed a phone before. My privacy journey started much more recently than some of you may suspect, and due to a combination of frugality and not wanting to bite off more than I can chew, I’ve been using the same stock device that I’ve had since then. So I decided this would be a zero-risk, zero-cost chance to experiment with both the flashing process and the phone itself. After having a Lineage phone for about a week, I thought I’d report on my initial impressions.

Why/What is LineageOS?

Google has an interesting and surprisingly supportive relationship with the Open Source community. Chrome is based on Chromium – an open-source, simplified version of Chrome. Likewise, Android is based on the Android Open Source Project (AOSP). Both of these projects are highly complete and well-supported, allowing for others to take the mantle and run with it relatively easily. This is where we get browsers like Brave, Vivaldi, and many, many others. Likewise, thanks to the open source nature of AOSP, we have alternative operating systems (called “ROMs”) for Android phones. Just like with Linux, these vary based on what they’re aimed to do, but generally in the privacy community there’s a few that get brought up most often: Graphene is best for security, Calyx is the best compromise between Graphene’s security and stock, mainstream Android’s user-friendliness, and then there’s a handful of popular but less secure options. Among these, the two that usually get cited most are /e/ and Lineage. These are typically considered less secure because they’re based on older Android kernels (Graphene and Calyx are both based on Android 12, the latest at the time of writing, while Lineage and /e/ are both based on 11 or earlier depending on your device) but more importantly because they don’t lock the bootloader, which – from what I understand – is similar to saying “everything runs with admin privileges 24/7.” This means that malware is virtually unchecked and can completely take over your device and access every single piece of sensitive information if you slip up even once.

So why did I go with Lineage? Frankly: because the phone was free, I had no plans to make it my daily driver, and because I have because internet common sense. I don’t mean that as an insult to the less tech-savvy amongst us, but there are some foundation rules for using technology: don’t click links you aren’t sure of, don’t download apps you don’t need, and don’t give away too much information (I discuss all of this on the website here). If you live by these rules, the unlocked bootloader is unlikely to be a problem (though I do recommend a secure ROM as a safety net). It was with this in mind that I decided to give Lineage a shot and see what I thought of it.

The Flashing Process

So the first and most obvious question was “how easy was it to ‘de-Google’ the phone?” The honest is answer is “not easy.” It was probably mostly user error, though my research did indicate that my particular brand of phone was not exactly friendly toward this process which probably didn’t make life any easier. Having said that, I still wouldn’t describe the process as “hard.” Lineage thankfully has a very active Reddit community who was incredibly gracious, patient, and helpful. Between that and just following the instructions, I was up and running in a collective total of a couple hours (a later flash I did on another, different device took less than one hour, so clearly the process isn't difficult if you follow the instructions and set aside some time to dedicate). The most time consuming part was getting the unlock PIN from my manufacturer, which was significantly more painful than necessary but I’ve come to expect no less from big tech companies. At any rate, all that to say it was a pretty simple process and there was help when I hit bumps.

Initial Impressions

As a first-time “degoogled” phone user, the thing I noticed right away was how fast I got up and running. Unlike a traditional Google phone (or iPhone, for that matter), there was nothing to sign into, no fifty pages of permissions and analytics to opt out of, no twenty extra pages of “here's what's new!” It asked me to set a PIN, connect to WiFi, and asked if I wanted to enable a few permissions, and possibly asked me if I wanted to submit analytics to the Lineage project (I can’t recall, but if they did it was only one page). The other big thing that stuck out to me was how clean it was, by which I mean “clean from apps.” Sure, it came with the obvious stuff: a camera, a browser, settings, a photo viewer, etc. But there was no Facebook, no fifteen Google apps or twelve stupid Apple apps I'll never use, no custom proprietary browser, etc. There was some stuff I removed because I knew I’d never use it, like the voice recorder or the file explorer, but there was nothing that I immediately identified as a privacy invasion that I wish would just go away.

The first order of business was apps. Normally I’d say settings, but as Lineage was already so clean there was very little to do in the way of changing settings. I did review them, but found very little to adjust other than personal-preference stuff like the background image and stuff. So that left me with getting the apps I wanted/needed onto it. Lineage comes with no app store, so I decided to start with F-Droid, an app store with very strict vetting procedures that accepts only open source apps. This was easily accomplished by simply navigating to F-Droid.org in the stock browser and choosing to install it. Once that was up and running, I decided to put my money where mouth is and install Bromite as my browser of choice. This was my first experience adding an F-Droid repository, and perhaps for that reason I was unable to add the repository via the link. Once again, this was almost certainly user error. The last time I recall having an Android of any kind was about 2013/2014. I had to pull up the QR code on a second device and scan it from there, which made me quickly realize that the stock Lineage camera did not feature a QR scanner. I had to go find one in F-Droid to finally scan it.

Once Bromite was installed, I searched for Signal and to my chagrin was reminded that Signal is not available via F-Droid. This meant I should use the Play store, but of course as this was my chance to try to finally be private, I decided to get Signal via the Aurora store, a Google Play proxy. Fortunately this turned out to be super easy as Aurora is available on F-Droid. From there, adding whatever I needed was a breeze. If it wasn’t on F-Droid, I’d simply pop over to Aurora and get it there.

One Week Later

Let me make something clear: I f*cking despise my phone (speaking now of my usual daily driver). I normally try not to drop “F-Bombs” on The New Oil, but I truly cannot impart on my readers the intensity with which I hate my phone. My hatred of my phone is rivaled only by my hatred of Old Navy commercials (dunno why) and Mitch McConnell (I’m told by my right-leaning friends that this is not exactly a controversial opinion, so that’s probably okay to say here). I truly mean that: I view my phone as a necessary evil that I’m forced to exist with for at least the next few years. (Don’t come at me with how you’ve been phone free for years. Trust me, I can’t do that right now and you’re only going to incur my ire by trying to convince my otherwise.)

Having said that, I love this Lineage phone. I haven’t shut up about it all week. One of my coworkers remarked that he’s never heard me rave about a phone like this before. I know it’s got some valid security concerns, but the peace of mind I get from this device is unreal. Every day I tell people that I’m one day closer to making it my daily driver. I love this phone.

There’s a few drawbacks, of course. Perhaps the most concerning is the lack of automatic updates. It seems that Lineage once had automatic updates, but something went wrong (probably a change on the AOSP end) and the devs are working to rebuild this capability. But this isn’t limited to just the OS, rather also to the apps. I have to manually check both F-Droid and Aurora to see if there’s any app updates. I’ve seen a few people in various forums speculate that turning off “battery optimization” for these services may allow them to run continuously, and therefore might allow automatic updates, but I haven’t seen anything to confirm that and I haven’t had time to confirm this myself. Personally this isn’t a dealbreaker – I usually manually check for updates about once a day anyways – but it makes me reticent to recommend the device to anyone else as not everyone is quite so studious. The device is also a bit slow and unresponsive at times, but I largely suspect that’s due to using such an old device and not an actual shortcoming of Lineage itself.

There have also been peripheral benefits I’ve enjoyed exploring. For example, my PineTime now works with my phone way more than it did before. I get notifications of Signal messages (but weirdly not content) and Matrix messages (weirdly with content). Syncing Nextcloud was absolutely painless. (Meanwhile, with my latest iOS device I’m still attempting to sync over a week later.) And thanks to using an old device, I still have a headphone jack (thus my Lineage device has become my workout device until I can afford some wireless headphones). It’s been fun to learn all the little quirks and differences on this device.

Final Thoughts

Will I make good on my promise to make Lineage my daily driver? Probably not, mostly because of the slow performance. I need a phone that’s at least moderately snappy when it comes to using VoIP and stuff like that. But I now carry two phones everywhere. Even without a SIM card, I can (and do) connect Lineage to the WiFi (with a VPN) and so far this system has worked very well for me. It’s been a wonderful breath of fresh air to have a device that isn’t stalking my every single move and forcing me to put up with bloatware. (I know that if I made it a daily driver I’d still have my location tracked by the carrier – plus the few proprietary apps I still use like Spotify – but that’s still a lot less tracking than a stock phone.)

Would I recommend Lineage? Only under a few specific circumstances. First and foremost: you have to know the security risks. Again, unlocked bootloader and no automatic updates. You have to be extra careful because there’s no malware safety net, and you have to be sure to stay on top of those updates (I recommend checking at least once per day). Second, I’d only recommend it if you’re unable to get a better device. If you have an old Android that’s compatible and you simply can’t afford to buy a more modern one, then I would recommend Lineage over an outdated Android version in a heartbeat. But if you can afford a Pixel with Graphene/Calyx (or a current iPhone if you don't want that for whatever reason), at least those offer a secure safety net against mistakes. Again though, if you exercise some basic caution and your threat model doesn’t include “targeted attacks,” you’ll likely be safe with Lineage.

Ultimately, not to sound overdramatic, but this week has made me rethink what a phone – and technology in general – can really be. Not every piece of technology has to be the antichrist incarnate come to stalk and track every breath I take. Rather, freedom through FLOSS technology may actually be not only more possible, but closer than we think. From a tech perspective, this has been a very exciting week for me, and I’m glad I went down the road of this little experience.

For those who fear they aren’t “tech savvy” enough or “smart enough” to flash a phone, I strongly encourage you to – if you can afford it – get your hands on an old device with no risk and try flashing it. I think you’ll find it’s a lot easier than you think, and the peace of mind and privacy is immeasurable. And if for whatever you reason you decide it’s not for you, you’ve lost very little and I would consider that knowledge worth the price. But either way, I encourage you to go find out. It’s worth it.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...