In this guide, we walk through the steps to get CalyxOS up and running on your mobile device. This guide assumes you have a new installation of CalyxOS.

Table of Contents

  1. Initial Power-on
  2. Configure MicroG
  3. App Repositories - F-Droid and Aurora Store
  4. Hardening Your Device

Initial Power-on

Watch this 3-minute video to become familiar with the initial steps after powering on the new phone. Each step is described in detail below.

  • Language: Select your preferred language
  • Date and Time: Set your time zone and adjust current date and time if needed
  • Wi-Fi: Connect to available Wi-Fi network and enter password if required
  • Turn on Cellular Data: If you have a SIM card installed and are not connected to a Wi-Fi network, you will have the option of using cellular data to complete the setup process. As always, charges may apply.
  • SIM card missing: If you do not have a SIM card installed, you will get this screen with the option to install one at this point or setup ESIM.
  • Location services: Determine whether to give apps permission to the device's location data. Optionally you may set up location data permissions within the individual app settings later.
  • Navigation: Choose your preferred navigation method (Gesture, 2-button, 3-button). You can change this anytime in settings.
  • Fingerprint setup: To use your fingerprint sensor to unlock the screen, you will need to provide your fingerprint. This step is optional and I recommend against providing bio-metric information to be stored on the device.
  • Protect your phone: Set up a PIN, password or pattern to unlock the screen.  This is an optional step however it will prevent unauthorized access to your phone by another individual.
  • MicroG: This options allows apps such as Google Maps, Youtube and ride sharing services to run on your device. It will provide anonymous signature spoofing to Google Play Services, allowing more apps to function on your phone, while keeping data collection and sharing with Google to a minimum. Although it is a pragmatic balance between privacy, choice of apps, and functionality, I do not use MicroG or recommend any communication with Google, even if it is mostly anonymous.
  • Additional Apps: Calyx Institute has curated an impressive list of privacy-respecting apps that can be immediately installed during set up. I recommend installing all apps. You can always delete them later.

Configure MicroG

I recommend leaving MicroG disabled and finding alternatives to apps that require Google Play Store to function. However, if you install the MicroG software, you'll be wise to configure it to restrict as much communication with Google as possible.

  1. Open Settings > MicroG
  2. Self Check: Select this section and ensure all boxes are checked
  3. Account: If you have a Google account and need to sign in, go to Account and sign in with your credentials. It is highly recommended that you do not use this feature as it will connect your device and identity with Google. Instead of relying on Google services, find alternatives that accomplish the same goal but respect your privacy.
  4. Google Device Registration and Cloud Messaging: If you choose to install apps that send push notifications that depend on Google Cloud Messaging, then leave Google Device Registration and Cloud Messaging enabled. However, it is recommended to choose alternative apps that don't depend on Google.
  5. Google Safety Net: Some apps from the Google Play Store depend on Google Safety Net to ensure the operating system is properly secured. For example banking apps like Square and Paypal, or shopping apps like Amazon require it. My recommendation is not to use banking apps or apps to make purchases.
  6. Location Modules: Go to Location Modules and check that at least one Network-based geolocation module and one Address lookup module are enabled. For information about installing alternative modules, see more about MicroG's Unified Network Location Providers.
  7. Exposure Notifications: To enable the functionality of Google's contact tracing, MicroG offers this feature. I recommend disabling this option.

App Repositories - F-Droid and Aurora Store

F-Droid: This software repository serves a similar function to the Google Play store. It contains only free and open source apps. Applications can be browsed, downloaded and installed from the F-Droid website or client app without the need to register for an account.

Aurora Store: Aurora Store is an unofficial FOSS alternative to Google's Play Store, with an elegant design, using Aurora you can download apps, update existing apps, search for apps, get details about in-app trackers, spoof your location and much more. For those concerned with privacy, Aurora Store does not require Google's proprietary framework (spyware?) to operate. It works perfectly fine with or without Google Play Services or MicroG.

Use F-Droid and Aurora Store just like you would Apple Store or Google Play Store. Search for apps, download, and install. Both repositories will keep you aware of app updates as well.

Hardening Your Device

  1. Reduce App Dependency: The fewer apps on your phone, the more secure and private it will be. I challenge you to only install what you need. This will increase available storage space and reduce the potential for leaked data through random apps.
  2. Review App Permissions: Apps don't always need the permissions they request. Go to Settings > Apps & notifications > See All ## Apps. Then select each app and review permission settings. Change to Approve, Deny, or Ask Every Time as necessary.
  3. Configure Datura Firewall: In the app drawer select Firewall. Scan through the list of apps and decide whether to grant communication through four catagories: (1) background network access, (2) Wi-Fi data, (3) mobile data, or forcing app access through a (4) VPN service installed on your device.  Completely blocking access to the internet will block an app from sending data and disable trackers. However, you may prevent an app that requires internet access from functioning properly (i.e. Telegram, Signal, Brave, etc).
  4. Activate Private DNS: Why is DNS important? Learn more. Go to Settings > Network & Internet > Advanced > Private DNS. Select Cloudflare DNS, or input a Private DNS provider hostname.
  5. Install a VPN: A virtual private network encrypts the data being sent from your device by tunneling to a VPN server, effectively cloaking your data and preventing ISP interception. Additionally, to the downstream recipient, your device's location will appear to be the location of the VPN server. This feature is extremely useful when accessing websites that restrict access from specific countries. There are three free VPN services available through F-Droid: the CalyxVPN, RiseUpVPN, or ProtonVPN.