hello everyone,
I recently switched from iOS to grapheneons in an attempt to increase my security, but primarily privacy. Although I cannot tell if I indeed succeeded in improving and if the amount of gain is worth the switch.
I consider myself to have a low threat model. I want better overall general privacy. To be more specific:against corporate tracking, advertisers, and mass surveillance style data collection etc etc, relying less on big tech. Just trying to maintain a clean, minimum digital footprint.
iOS Setup
I've been using iOS for pretty much all my life with the same account/apple id. Until a year ago I started looking on how to improve my privacy on iOS, so I followed the recommended configuration from Privacy Guides's "iOS overview" article, started using NextDNS, using as much social media apps etc through webapps and moving to as much FOSS apps as I could.
GrapheneOS Setup
I currently use 2 user profiles, owner and primary.
Owner Profile used as an “administrator” for installing apps and system updates. Owner runs RethinkDNS with Quad9 DoH + on-device blocklists. App install flow: GrapheneOS App Store > Accrescent > Obtainium w/ github > F-droid via Droidify. If possible, apps are verified with AppVerifier. Installed apps are disabled on owner and forwarded to primary. + I have setup auditor with attestation.
Primary Profile used for daily use, consists of as much FOSS apps as possible and those apps that dont rely on google play store/services. Primary profile is running same RethinkDNS setup as owner profile. I do use reddit on here, but through ironfox's webapps (I am aware of gecko browser's vulnerabilities and but vanadium doesn't have webapps from my understanding + the addition of ublock w/ ironfox is nice)
Primary Profile > Private Space I haven’t set this up yet with an exception of only whatsapp installed w/ their APK. The plan is to put apps that require Google Play services into Private Space (Spotify, banking app, app for ebike etc) so they’re isolated. Private Space would run RethinkDNS in proxy mode with Proton VPN through wireguard (always on) plus on device blocklists. My reason for using private space instead of a separate user profile is more for convenience; e.g, using spotify while reading my mails without having to continuously switch between profiles, though I haven't used this in practice yet so this is just an speculation and could change depending if user profiles and more private.
Google Account will be created on a network that isn't my home network, like a coffee shop, with fake information, simplelogin alias and phone number verified with the help of a number pool.
Questions
Would this setup be meaningfully better in privacy/security vs iOS for my low threat model, enough to justify switching given Grapheneos’s inconveniences of use ability in exchange of privacy/security. Also buying a google pixel 9a and it's price, exiting Apple's ecosystem, possible resistance from google against development of Grapheneos?
With the setup described, what concrete privacy or security gains should I expect andwhat leaks or limits will remain?
Is my plan for creating an anonymous Google account likely to provide effective anonymity, or am I missing major deanonymization risks? Though full anonymity is probably pretty hard to achieve, Anything else I could do to improve it?
What do you think of my private space setup? Are private spaces as private as user profiles? If not, what makes it less?
Fdroid repository is, from my understanding, not the best when it comes to security. Would direct apk install link be better w/ obtainium to keep ir up to date?
Does installing apps in the owner profile, disabling them there and forwarding to primary meaningfully improve isolation/ security, or is it fine to install and use apps directly in the primary profile and use it as daily driver?
And, of course, any concerns about and recommendations on how to improve my setup are welcome and appreciated. Thanks!