KISS Android Privacy Guide

Intro, keep it simple

This guide is meant for people who have an old stock Android device that no longer receives updates and is not supported by the main alternative OSes / custom ROMs like GrapheneOS or LineageOS.

This is just a simple, generic overview of how to set up stock Android for harm reduction when you have no better choice for running your device in a more privacy-respecting manner.

Somewhat more advanced techniques using tools like Canta, Universal Android Debloater NG or ADB are not covered.

This is supposed to be a device-agnostic guide; since every stock OS and version is different, your mileage may vary.

Notes

If you have an Android device that comes with at least Android 10 or newer, you could still receive some critical APEX updates through Google Play services.

For this reason, and for stability's sake, you should not try to “degoogle”.

If you have an Android device prior to Android 10, you can still follow this guide, but your device will not receive any critical updates, it is highly insecure (even WebView is not supported anymore), and it will likely stop working soon. You should consider retiring the device or at least repurposing it for offline use only.

To avoid breaking the Android security model, you should not root your device.

The idea

What I suggest is to keep Google Play Services and the Google Store and, depending on your device, just disable the rest of the Google apps and bloat if possible.

The main concept here is to not use a Google account tied to your device, so if you are already logged in, you should remove the account.

We will be using third-party app stores and PWAs to manage apps, leaving Google services to auto-update system components if needed.

Checklist

  • clean up: go to the device settings > apps and disable any bloat you can
  • in settings > account, remove the active Google account, if any
  • in settings > network > private DNS, set up a recommended one
  • go to f-droid.org and download and install F-Droid Basic
  • using F-Droid, install Aurora Store; you will use it in anonymous mode to install Google store apps that are not present on F-Droid
  • install RethinkDNS from F-Droid; you can use it to restrict network access on a per-app basis and for further filtering if needed
  • install a privacy-respecting browser (Brave, Cromite), use it as the default browser and to install PWA versions of privacy-invading apps that you can’t avoid using (like Instagram, X, Fb, GMaps), if you can bear some feature limitations
  • if your device doesn’t come with the recent private space feature, install Shelter from F-Droid and use it to confine untrusted apps (e.g. WhatsApp) in a separate work profile and restrict what they can gather (e.g. contacts list)
  • take the time to scroll through your installed apps and check for unnecessary permissions that can be disabled
  • replace basic apps (photo gallery, keyboard, calendar, etc.) with FOSS privacy-respecting ones (e.g. Fossify)
  • in settings > privacy > ads (or settings > google), delete the Android Advertising ID
  • to reduce some attack surface, disable 2G network support in settings > network and consider disabling auto-download of MMS in your messaging app

Last edited by @user1 2025-12-12T08:26:15Z

9 Likes

That’s way simpler than my TV Guide

Leave it to me for a full guide then :grin:

I honestly almost thought user1 took the job

It’s overall a good intro/tl;dr though

1 Like