Virtual phone number for Graphene OS user (no eSIM)

Hello, I’m new here ^^ I hope you can help me with some recommendations.
I am based in Switzerland, and I have a use for a second phone number. I have a Pixel phone with Graphene OS. I am not interested in anonymity for this use case, I just don’t want my Google account to ever see my main number.

My main user is completely de-Googled and FOSS, but I have a second user account that I use for work and that has all the Google crap in there. In order to maximize isolation, I did not give this user access to the SIM stack and contact list, so this user cannot use eSIM, place calls or send/receive SMS (but it can receive incoming phone calls for the main user; there is no way to stop this without going into flight mode, although AFAIU this is just an OS passthrough interface that does not leak anything to Google about the inbound call, correct me if I’m wrong).

Everything works nicely, but of course now I would like to have a proper mobile phone number on the Google user as well, to use Whatsapp, Telegram and whatever. So I need a service which offers the following:

  • At the very minimum, a phone number to receive activation SMS for popular apps, ideally even banking apps (the few ones that run on GOS).
  • Ideally, the possibility of placing regular calls through some dedicated or FOSS VoIP app like Linphone.
  • Ideally, a Swiss (+41) mobile number, or at least EU (DE/NL/FR/IT/AU/BE).
  • Ideally, a reputable provider which does proper KYC and has therefore less risk of disappearing overnight due to sanctions (remember I don’t care about anonymity here).

Regarding the first point, I have heard that many virtual numbers might be blocked by popular apps from receiving activation SMS, so I was looking into providers of physical numbers like crypton.sh but that looks extremely sketchy to me (also, expensive). But I guess it might be the most straightforward way if I only want SMS activation, right?

I have heard good things about jmp.chat but that also seems to offer virtual numbers only, right? This seems more risky than crypton.sh for services like Whatsapp that are very aggressive in banning virtual numbers (see this).

I was thinking of using a traditional virtual number provider like Telnyx or Twilio, and then bridging the number to Linphone for calls and to XMPP for SMS through soprani.ca, but I’m not even sure whether this is possible. And, anyway, again, these are virtual numbers, right?

How about a self-hosting solution? Buying a SIM and a modem, and having them interface somehow with my Google user?

Thanks in advance for any useful reply!

It’s hard to know which service would work for you since I’m not based in Switzerland. I’ve been trying to be less dependent on SIM cards, but for now, I do need a SIM number (proper), not just a VoIP number (virtual). I’ve been using my SIM on a second phone to set up WhatsApp on my GrapheneOS phone, which does not have a SIM. I usually make calls / text using WhatsApp, or MySudo outside of WhatsApp, so I don’t need to use my SIM for communication. I use my SIM for banking verification and mobile data, and I plan to port my SIM number to another VoIP provider in the future. I don’t know if using a SIM on a second phone is what you’re looking for, but porting a SIM number to a VoIP provider is an alternative you could look into, though you would need to find out if this is supported in your home country.

Firstly, all cellular-related settings on Android (and GrapheneOS by extension) are global and not per profile, so there’s that. Secondly, Google apps on GrapheneOS are bound to the same permission model as your other third-party apps. They have no access to your SIM number (like they do on stock Android) unless you grant them that permission or list it with one of their apps. You also don’t have to share your entire contact list with any app on your phone. Contact Scopes exist and work very well.

> Everything works nicely, but of course now I would like to have a proper mobile phone number on the Google user as well, to use Whatsapp, Telegram and whatever.

Immediately rules out “VoIP”. WhatsApp won’t allow registration to go through (this is stated on their website), and Telegram treats VoIP numbers as spammy and initially places significant limits on your account, so you need to make an appeal to them.

Not only will the VoIP numbers be routinely blocked as a rule, but only a fraction of those numbers are even capable of receiving SMS in the first place. So if you decide to go with traditional VoIP outfits like Twilio or Telnyx, keep that in mind. In any case, they don’t want your business. You’re not their bread and butter.

> Ideally, the possibility of placing regular calls through some dedicated or FOSS VoIP app like Linphone.

You’re unlikely to have a good time with this setup. It will not even approach the current GrapheneOS dialer over cellular experience and stability.

My take? It’s all way too much effort for no return. But I can vouch for JMP.chat. If you build up a bit of history with them, they can move your number (subject to area code) to one of their other upstream providers (they call it “Premium” and “Premium+” routes), which are not labeled as VoIP carriers in lookups, so they might be a bit better. Still a far cry from regular SIMs, I found.

Yes, thanks for the clarification. What I mean is that, in Graphene OS, when you create a new user profile, that profile by default does not have access to phone calls and SMS, you have to manually enable that (which I did not do for my Google user). The user has its own contact list, which is separated from the one of my main user (and that is what I want).

Yeah, that’s also what I’ve heard. But is this still true for those (few) VoIP numbers that are classified as “mobile” numbers, and also support SMS? Telnyx and Twilio offer these, at least for a few countries, and these are companies which do proper KYC. Even provided it is possible to distinguish them from “physical SIMs”, why would WhatsApp/Telegram have any reason to distrust these numbers? I’m not saying you’re wrong here, I just want to understand how it works.

Uhm, can you clarify? I have used Linphone to place calls through a Belgian number with Telnyx. Admittedly, the configuration is hell. But once I figured it out, the link was reliable and clean for me. This setup was just a test though, and ultimately didn’t work out for me because this was a landline number (so no SMS nor WhatsApp authentication).

Well, but what would your proposed solution be then? To keep things simple, assume I have a main user without Google and with a SIM and phone number which I only use and share with my family, and a user profile with Google that I only use for work and share with colleagues, and I don’t want any activity about my real number to leak to the “work” domain. From what I understand, JMP.chat “currently only provides numbers in the USA and Canada” (citing their website’s FAQ). Plus, it is not clear to me whether these numbers are flagged by Whatsapp.

One solution that I know works 100% with Whatsapp (because a friend of mine does it) is crypton.sh but I have some concerns about it (see my post above).

Thanks!

This has no bearing on Google apps being able to access your SIM number by default (they can’t).

Apps do lookups that return the name and type of the carrier that issued your number, among other things. Much like IP addresses belonging to VPNs, this class of phone number is very well understood and can be discriminated against (since they can be bought in bulk and abused). It has nothing to do with the phone number supporting or not supporting SMS.

In that case, that’s all that matters. I personally found I could not rely on it to the same extent as my cellular dialer. I’ve tried a few dedicated VoIP apps, both free and paid, and they left me unimpressed.

If you want to keep your Owner profile FOSS, it’s probably warranted to use a secondary user (I would use Private Space instead) for work. Since you have no objections to passing KYC, I would just buy an extra line from your existing carrier and use that number for everything you need. An app running in a secondary user profile on a non‑Google‑certified OS is often considered suspicious as is. Unless your goal is to make many cellular calls while decoupling your physical location from more basic call metadata, I don’t see why you need to add a VoIP component to your current setup; you’d then have to worry whether an app considers your number valid.

At the very least, their basic numbers aren’t suitable for WhatsApp (I’m not sure about Premium routes, which you don’t qualify for anyway). They’re just a good non‑cellular, KYC‑free number option if you ever need one, but their default upstream provider is a VoIP carrier.

To my knowledge they use regular SIMs, but I don’t understand why you’d want any such outfit in control of something this critical. I wouldn’t even use Njalla for domains, and they have street cred, unless this really made sense.


Crypton uses +44 numbers for SIMs. I assume that’s because the UK country code is relatively desirable and, more importantly, the UK doesn’t require KYC for prepaid SIMs. If you don’t need their extra features, it’s functionally the same as going with giffgaff (if you have objection to buying another +41 line from your carrier), a well-known UK MVNO running on O2, topping it up £10 and using a little bit of data or making a call every six months to keep it active. It can be activated overseas as well as in the UK, last time I checked, which is quite rare. Crypton, however, costs more than a Proton Unlimited subscription if I understand their pricing correctly.

Oh, now I see what you mean, gotcha. Anyway the gist of the problem is that I don’t want to use my private number for Whatsapp/Telegram (which are apps I would install on my Google user).

My question was more “why should a number like this represent a problem for WhatsApp, since if you do a lookup you can see it’s Telnyx, a reputable KYC provider?” but yes, it’s more of a philosophical question.

Yes, that’s what I’m doing (second user profile).

Uhm, but that would entail giving the Google user access to calls, right? I don’t like this solution too much, for many reasons:

  1. It relies too much on good opsec, i.e. when placing a call from the Google user I would always have to be super-careful to choose the right SIM.
  2. I’m still a bit skeptical about the fact that Google apps would not be able to see my primary number. I understand sandboxing etc, but TBH it feels too fishy to me that Google apps are not able to see any logs etc of the phone app. At the very minimum I would have to be super careful to not copy-paste my real number or contacts while logged in with the Google user, because for sure these apps will have access to the clipboard.
  3. Since I only have one physical SIM slot, this would imply enabling the eSIM stack (which I could happily do without). Moreover, how many eSIM slots are supported? Doesn’t seem to scale as a solution if I have more than two users (banking, dating, drug cartel friends, etc) each one with its own phone number.
  4. Most importantly, it would defeat the whole purpose of having the nice experience of: I log out from work user after hours → nobody from work can reach me (because the work eSIM is also shared in the main user, I would have to manually disable it every time).

Heh, you’re right, that’s why I wanted to avoid it if possible, but I couldn’t find any other solution for WhatsApp so far. Regarding the physical SIM, my understanding (but I will ask my friend more, haven’t tested yet) is that crypton.sh offers 3 types of services:

  • eSIM for data plans (probably they just resell Alao or similar).
  • Physical SIM hosted by them and they give you access through their web portal. This is what 100% works for Whatsapp but a) it’s SMS only, no calls b) it’s expensive: cheapest is UK at 14 EUR/month, while the cheapest EUs (Poland etc) are 20 EUR/month.
  • Virtual SIM (they call it “3rd party provider”). Only a few countries available, US and CA 5 EUR/month, while cheapest EU is Sweden at 10 EUR/month.

The way my friend uses it is: buy a physical SIM for 1 month, receive SMS activation for Whatsapp/Telegram, then stop paying and get rid of the number. Since at that point the phone number is just an id string for Whatsapp/Telegram, that’s fine. Thinking about it, it’s the same as if I were to buy in cash a prepaid anonymous SIM card, use it to receive activation SMS for Whatsapp etc, and then throw it away. Since I don’t live in a country where this is possible, crypton.sh gives me the possibility of doing it virtually. But of course there is always the risk that tomorrow Whatsapp decides that “In order to verify you, we have logged you out and we will require another one-time reactivation SMS code”, that’s what worries me (for Google there is also this risk, but can be mitigated by activating 2FA after account creation).

Ah yes, I saw your second comment later, I agree.

As I said, it doesn’t matter whether a service is reputable or disreputable, or whether they require KYC. Numbers provided by Telnyx, Twilio, VoIP.ms, and similar services will all return results you don’t want when lookups are performed on their numbers, and that’s what matters. They will then likely combine this result with other signals and label you as an even higher risk than you already are, using an aftermarket OS.

Google apps are in no way involved in this. They don’t know which SIM cards are in your phone, what your hardware identifiers are, or whether you’re placing calls from a particular SIM card.

They’re not. They’re just regular apps like WhatsApp and Telegram. Evidently it’s hard for people to understand this, but that’s what GmsCompat is for.

You can have dozens of eSIMs installed, with a maximum of two active at any one time (including the physical SIM).

Awful idea. It might be just an identifier, but it’s not supposed to be disposable. That’s just asking for trouble. If you don’t like phone identifiers, use messengers that don’t use phone numbers as identifiers, but don’t treat semi-permanent (recycled, I might add) identifiers as disposable.


The reason why I don’t want my Google user to have access to calls is exactly that I also fear that apps like WhatsApp/Telegram can see my real number. Yes, sandboxing, GmsCompat, etc, but at the end of the day you cannot disregard good opsec in those cases. As soon as you copy-paste something from user A while you are logged in as user B, that’s game over for me. I might be uselessly paranoid here, but for me the ideal situation is not having anything from user A ever even running while I’m logged in as user B. From this point of view, Graphene gives me the convenience of not carrying two devices.

OK, but then what do you propose? Not using Whatsapp is not an option (I mean, it is for my personal account, since I have lived a whole life without Whatsapp at the cost of social isolation and convenience, but that’s not an option for the new use case I have in mind).

If I understood well, what you are proposing is:

  1. Have two SIMs/eSIMs active, one for the real user and one for the Google user.
  2. Give access to calls/SMS to the Google user.

This would not work for my use case, because there is no way in Graphene to assign SIMs to one particular user. If I receive a call on my work phone number while I’m logged off from my work account, my non-work user will still receive the call, which is something I don’t want. Or did I get it wrong? What are you proposing exactly?

Can you clarify exactly why you think using temporary numbers like crypton.sh for Whatsapp/Telegram authentication is a bad idea? In practice, not just “they are not meant to be disposable”. Is it for the fear that one day Whatsapp might decide to log you out, as I discussed before? Or is there something else?

Sorry for the dumb questions, it seems you did a lot of homework on this topic, so I’m genuinely here to understand :)

Actually, can you explain a bit better how giffgaff works? If I understood well what you suggest, that would be:

  1. Buy the cheapest pay-as-you-go plan for 10 GBP.
  2. Receive by post a physical UK SIM.
  3. Use the number to receive the SMS activation code for Google/Whatsapp/whatever, then just don’t top up again.
  4. Once every 6 months, re-plug the SIM into a phone and place a call or send an SMS.

Advantage compared to crypton.sh: you get to keep this number forever (at least until the UK decides to ban anonymous SIM cards and requires KYC to not deactivate the number; it happened to me already around 2017 when Austria did the same, which was a shame because it was extremely convenient for me).

Disadvantage compared to crypton.sh: you don’t get to pay anonymously, only credit card or PayPal (which would not be a problem for my use case, but just sayin’).

Questions:

  1. Can I activate the SIM remotely from Switzerland? Or does it come already activated? I’m asking because, if I recall correctly, Austrian SIMs had this annoying thing that they needed to be activated in Austria.
  2. Are giffgaff numbers any good for Whatsapp? I assume so since they are physical, but did you try?

Thanks!

If I have read the whole thread correctly, I’d assume your main problem seems to be a portable WhatsApp?

On Telegram, you can log in using 2FA and email, and can migrate easily to a new device without having the number on hand (SMS OTP).

You can use services like smspool.net to activate WhatsApp, then log in through desktop and back up the web profile somewhere.

On WhatsApp it seems migration from an old device to a new device without an SMS OTP is also possible, something that goes by “account transfer”.

Well, ideally I wanted a phone number “to do everything”: Whatsapp/Telegram + Calls (voice) + SMS send/receive. But I start thinking this is not possible with my setup, so yes, at the very minimum a phone number I can use with Whatsapp/Telegram without having the related SIM in my phone.

OK, but this would be a one-time thing, right? If I ever need that number again to receive another SMS I’m screwed, right?

You could try purchasing a prepaid SIM card (it can be anonymous if local legislation allows it) and use it only to register WhatsApp/Telegram.
Once the account is registered, remove the SIM card from the phone and insert it into a router compatible with OpenWrt (for example, gl.inet models).
Configure the router to act as a 4G/5G modem and enable access to the router’s web interface (usually 192.168.8.1). From there, you can read incoming SMS messages and, if the router supports it, send SMS messages.
Connect your phone to the router’s Wi-Fi. Messaging apps (WhatsApp, Telegram, Signal, etc.) will continue to work because they are already linked to the number and can operate on the router’s mobile data.
If you need to make traditional calls, keep another SIM active (e.g., your main number) in the phone itself.

Correct. Or use some data. They also offer straight to eSIM option, subject to your App Store/Play Store region.

There’s always a risk, but I don’t think it’s very likely they will target prepaid SIMs any time soon. If they do, it will affect Crypton +44 numbers as well.

I’m sure there are ways to buy their voucher with crypto or something similar if you search around.

You can activate them overseas during their activation hours (look it up). I’ve activated several. Their intended audience is people coming to the UK shortly who want a phone number active prior to landing (hence why they ship them overseas), but you can continue using them abroad. If you always roam, you just can’t qualify for their goodybags and other perks. You can’t port it to another provider while abroad, but you can change the number and replace your SIM if you lose it, so have a spare one. They come without a phone number tied to them. They issue you a phone number and tie it to your SIM upon activation and payment.

They ask for your name, but you can use a pseudonym. There’s no KYC unless you want to lift the Adult Content Block (not sure why you would want to bother).

This is all based on my last experience with them, which is at least a year old, so take it with a grain of salt.

They’re normal phone numbers (not virtual ones) and are no different from any others. I have WhatsApp tied to one.


Dubline offers mobile NL numbers for 7 EUR/month but seems to work only through their non-FOSS app. Haven’t used their services.

Cheaper but SMS for activations only, there are $35/year Irish numbers at virtualsim.net. Have used their services for one-time activations before switching to smspool for better prices.

Flynumber also offers mobile numbers in various countries, some with SMS support (enter “mobile” in the search field on the Coverage page and look for “S”). Haven’t used their services.