#1582: The Death of Root: Is Mobile Privacy Still Possible?

Rooting your phone isn't the escape it used to be. Discover why modern hardware and "Play Integrity" make true mobile privacy a moving target.

Episode Details
Duration: 24:07
Pipeline: V5
TTS Engine: chatterbox-regular

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

The dream of the "sovereign smartphone" is facing its most difficult era yet. For years, power users relied on "rooting" their Android devices to strip away bloatware, block trackers, and reclaim control over their hardware. However, as of 2026, the technical landscape has shifted. The gap between the Android Open Source Project (AOSP) and the proprietary services required to make a phone functional has become a chasm.

The Problem with Rooting in 2026

Rooting a device no longer grants the "king of the castle" status it once did. Modern mobile operating systems are now inextricably linked to background services that handle everything from connectivity checks to push notifications. Even a device without a logged-in account constantly pings proprietary servers just to verify internet access.

The biggest hurdle for modified devices is the transition to hardware-backed attestation. Through APIs like Play Integrity, apps can now query the device’s physical security chips to see if the bootloader has been tampered with. Because this check happens at the silicon level, software workarounds are increasingly ineffective. For the average user, this means that a rooted phone may be unable to run essential banking, travel, or work-related applications, effectively locking the user out of the modern digital economy.
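How an app's backend might act on the attestation result described above, as an added example (not from the episode and not Google's code): it grades an already-decrypted Play Integrity verdict payload. Field and label names follow the documented verdict format; the package name, nonce, freshness window and sample payloads are constructed assumptions.

```python
import hmac
import time

# Device labels as documented for the Play Integrity verdict.
STRONG = "MEETS_STRONG_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
BASIC = "MEETS_BASIC_INTEGRITY"
MAX_AGE_MS = 5 * 60 * 1000  # assumption: verdicts older than 5 minutes are rejected


def evaluate_verdict(payload, expected_package, expected_nonce,
                     now_ms=None, required_label=STRONG):
    """Grade a decoded verdict payload (dict). Returns (allowed, reasons)."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []

    req = payload.get("requestDetails") or {}
    if req.get("requestPackageName") != expected_package:
        reasons.append("package_mismatch")

    # The nonce ties the verdict to one server-issued challenge, so a verdict
    # captured on a compliant device cannot be replayed for another session.
    got_nonce = str(req.get("nonce") or "").encode()
    if not hmac.compare_digest(got_nonce, expected_nonce.encode()):
        reasons.append("nonce_mismatch")

    try:
        age_ms = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        reasons.append("timestamp_missing")
    else:
        if age_ms < 0 or age_ms > MAX_AGE_MS:
            reasons.append("timestamp_out_of_window")

    app = payload.get("appIntegrity") or {}
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app_not_recognized")

    device = payload.get("deviceIntegrity") or {}
    labels = device.get("deviceRecognitionVerdict") or []
    if required_label not in labels:
        reasons.append("missing_" + required_label)

    return (not reasons, reasons)


def _sample(labels):
    # Constructed payload, shaped like a decoded verdict; not real device data.
    return {
        "requestDetails": {"requestPackageName": "com.example.bank",
                           "nonce": "c2Vzc2lvbi0xMjM0",
                           "timestampMillis": "1770000000000"},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }


SAMPLE_STOCK = _sample([BASIC, DEVICE, STRONG])   # constructed: all three labels
SAMPLE_MODIFIED = _sample([BASIC])                # constructed: no strong label

if __name__ == "__main__":
    for name, p in (("stock", SAMPLE_STOCK), ("modified", SAMPLE_MODIFIED)):
        print(name, evaluate_verdict(p, "com.example.bank", "c2Vzc2lvbi0xMjM0",
                                     now_ms=1770000001000))
```

A backend that prefers a graded response to a hard block can call it again with `required_label=DEVICE` or `BASIC` and restrict only sensitive actions.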

The State of Linux Phone Alternatives

For those looking to abandon the Android stack entirely, the options remain limited and hardware-dependent. While projects like the Librem 5 offer impressive privacy features—such as physical kill switches for cameras and microphones—they face significant hurdles. These devices are often bulky, expensive, and struggle with carrier compatibility.

In the United States, many major carriers refuse to support devices that lack specific proprietary certifications for Voice over LTE (VoLTE). Furthermore, the industry-wide shift toward eSIM technology has created a new barrier. Because eSIM management is governed by strict proprietary standards, most open-source phones still rely on physical SIM cards or clunky hardware adapters to function on modern networks.

Finding a Practical Middle Ground

Currently, the most viable path for privacy-conscious users is not total abandonment, but isolation. Hardened versions of Android, such as GrapheneOS, have pioneered a concept known as "Sandboxed Google Play." Instead of giving system-level privileges to proprietary services, this approach forces them to run as standard, restricted apps.

This compromise allows users to pass hardware integrity checks and run necessary applications while preventing those services from accessing sensitive data like location, contacts, or files. It represents a shift from trying to "delete" the surveillance framework to "containing" it.

The Final Frontier: The Baseband Processor

Even with a perfectly secure operating system, a "final boss" of privacy remains: the baseband processor. Every smartphone contains a secondary computer—the modem—that runs its own closed-source operating system. This processor often has direct access to the phone's main memory and constantly shares location data and hardware identifiers with cell towers. Until hardware architecture evolves to completely isolate the modem from the main processor, true mobile anonymity remains an elusive goal.

Full Transcript

Daniel's Prompt
Daniel
I recently rooted an old Android device to gain more control and remove bloatware, which led to the following questions: 1. Are Android and Google so inextricably linked that even with a rooted device, there will always be a connection to Google services? 2. Are there fully open-source hardware and software options that depart from the Android stack entirely while remaining functional and compatible with carriers and eSIMs?
Corn
I was digging through my desk drawer the other day and found my old Pixel four. It is amazing how small that thing feels now, but it still boots up. I actually spent the weekend rooting it because I wanted to see if I could turn it into a dedicated, distraction free music player without all the bloat. It felt like a little victory when that Superuser icon popped up, but then I started wondering if I had actually accomplished anything meaningful for my privacy. Today's prompt from Daniel is about that exact tension. He is asking if Android and Google are so inextricably linked that even a rooted device stays tethered to those services, and whether there are any truly functional open source hardware alternatives that get away from the Android stack entirely while still working with modern carriers and electronic subscriber identity modules.
Herman
Herman Poppleberry here, and I have to say, Daniel is hitting on the fundamental paradox of mobile tech in twenty twenty-six. We are in this weird era where the hardware belongs to us, but the trust belongs to the manufacturer. You can root that Pixel four all day long, Corn, but you are basically just painting the walls of a room while Google still owns the foundation, the plumbing, and the electrical wiring. The link between the Android Open Source Project and Google Mobile Services has become so tight that trying to separate them is like trying to take the flour out of a baked cake.
Corn
That is a depressing start, Herman. I was feeling pretty good about my little project. I mean, if I have root access, I can delete the apps. I can freeze the background processes. I can block the trackers. Why is that not enough to cut the cord?
Herman
Because of the black box. When we talk about Android, we have to distinguish between the open source part, which is just the skeleton, and the proprietary blobs and services that make it a modern smartphone. Even if you strip away the Play Store, you are still dealing with Google Play Services. That is a massive, privileged background process that handles everything from location triangulation to push notifications and even basic security updates. Most people do not realize that their phone is constantly talking to Google servers just to verify it has an internet connection. It is called a captive portal check. Your phone pings a Google server, usually connectivitycheck.gstatic.com, every time you join a network. If you block that, the phone thinks it is offline, even if the data is flowing. It is a hardcoded dependency.
Corn
So even if I am not signed into a Google account, my hardware is still checking in like a teenager with a curfew. But what about the apps themselves? If I am using open source apps from F-Droid, surely they are not calling home to Google.
Herman
Some are not, but many are. This is the dependency problem. Most modern Android apps, even those not in the Play Store, are built using libraries that expect Google Play Services to be there. They use the Google implementation for maps, for ads, and for Firebase Cloud Messaging. If those libraries do not find the Google framework, the app often just crashes or refuses to load. And this has actually gotten significantly worse this month. On March nineteenth, twenty twenty-six, Google published details on an advanced flow for power users to install unverified apps, but here is the catch. That entire bypass mechanism is delivered through Google Play Services, not the operating system itself. Google is essentially saying they will let you tinker, but only if they are the ones holding the key to the toolbox. They are moving the gatekeeping from the system level to the service level.
Corn
It feels like they are moving the goalposts. It used to be that if you could unlock the bootloader, you were the king of the castle. Now, it sounds like the castle is built on Google's land, and they can revoke the lease whenever they want. What about this new Play Integrity API? I have heard that is the real killer for rooted phones lately.
Herman
It is the ultimate gatekeeper. In the past, we had SafetyNet, which was a bit of a cat and mouse game. You could use tools to hide your root status and pass the check. But as of March twenty twenty-six, Google has fully pivoted to hardware-backed attestation using chips like the Titan M2. They call it the Strong Integrity verdict. When an app like your bank or even something like Uber or TikTok wants to run, it asks the hardware chip, hey, has this bootloader been tampered with? Because that chip is physically isolated and uses cryptographic keys fused into the silicon during manufacturing, you cannot lie to it with software. If the bootloader is unlocked, the chip tells the app, and the app shuts down. You are basically locked out of the modern economy if you want a truly open device. We are seeing this even with work apps now. If you use Microsoft Outlook or Teams for work, your company's IT policy likely requires a Strong Integrity verdict. Rooting your phone in twenty twenty-six effectively means resigning from your digital life.
Corn
So I can have my privacy, but I cannot have a bank account or a ride home. That is a tough trade. But let's look at the other side of Daniel's question. What if we just walk away from Android? We have seen these Linux based phones like the PinePhone and the Librem five. Are those actually viable in twenty twenty-six, or are they still just expensive toys for people who like to compile their own kernels?
Herman
The news there is a bit of a mixed bag, and honestly, mostly leaning toward the difficult side. Just a couple of days ago, on March twenty-fourth, twenty twenty-six, PINE64 announced they are discontinuing the PinePhone Pro. They cited low sales and a global shortage of the specific memory chips they were using. The original PinePhone is still around, but by twenty twenty-six standards, it is incredibly underpowered. It is like trying to run a modern web browser on a toaster. We are also seeing projects like postmarketOS and Mobian making great strides in software, but they are constantly fighting against the hardware. Most modern phone hardware requires proprietary binary blobs for the graphics processor and the camera sensors. Without those, the Linux community has to reverse engineer drivers, which means your camera might only take grainy photos or your battery might die in four hours.
Corn
That is a shame. I always liked the idea of the PinePhone. It felt like a community project. What about the Librem five? That thing is built like a brick and has those physical kill switches for the camera and microphone. That seems like the dream for someone like Daniel.
Herman
It is the dream if you have a very deep pocket and a very sturdy belt. The Librem five is over one thousand two hundred dollars now, and it is significantly bulkier than any mainstream phone. It runs PureOS, which is a genuine desktop class Linux distribution adapted for mobile. It is arguably the most sovereign phone you can buy because it uses a separate baseband processor. But that leads us to the carrier problem Daniel mentioned. In the United States, T-Mobile is really the only major carrier that plays nice with these devices. Verizon and AT&T have these strict certification lists. If your device lacks the proprietary Voice over LTE certifications, they will often just kick it off the network. Purism is a small company; they cannot afford the millions of dollars it costs to get every carrier to bless their hardware. So you end up with a phone that is private but can only make calls in certain zip codes.
Corn
And then there is the electronic subscriber identity module, or eSIM. I noticed Daniel specifically asked about that. Most of these open source phones are stuck in the physical SIM card era, right?
Herman
Mostly. Neither the PinePhone nor the Librem five supports native eSIM as of right now. The technology required to manage eSIM profiles is heavily guarded by proprietary vendor software and strict licensing agreements under the SGP.22 standard. If you want to use an eSIM on a de-Googled phone, you usually have to buy a physical adapter, like the ones from JMP Chat or eSIM.me. You plug this special SIM card into a regular Android phone, use their proprietary app to download your carrier profile onto the card, and then move that physical card over to your Linux phone. It is a total kludge. It works, but it is the opposite of a seamless user experience. It highlights the gap between the open source dream and the proprietary reality of telecommunications infrastructure.
Corn
Moving from the software layer to the hardware reality, it sounds like a lot of work just to make a phone call. I am starting to see why you called it a paradox. You want to escape the surveillance, but the infrastructure of the modern world is built to only talk to the things that are doing the surveying. Is there any middle ground? What about GrapheneOS? I know they have been making some moves lately.
Herman
GrapheneOS is probably the most practical compromise we have in twenty twenty-six. They are a hardened version of Android that focuses on security and privacy without throwing away the ability to run actual apps. Their big breakthrough, which they announced on March second, was a partnership with Motorola. For years, you could only really run GrapheneOS on Google Pixel hardware, which was always a bit ironic. You had to buy a Google phone to escape Google. But now they are supporting non-Pixel hardware, which opens things up. It is still the Android stack, but it is stripped of the Google integration at a deep level.
Corn
How does GrapheneOS handle the Google dependency issue? Do they just break all the apps?
Herman
They have a brilliant solution called Sandboxed Google Play. Instead of giving Google Play Services full, privileged access to your entire system, GrapheneOS forces those Google services to run like any other normal app. They have no special permissions. They cannot see your files, your location, or your contacts unless you specifically grant them. It tricks the apps into thinking the Google framework is there, so they do not crash, but it keeps Google in a very small, very dark box. It is the best way to get that Strong Integrity verdict while still maintaining some semblance of privacy. It is not perfect, but it is the most functional de-Googled experience available.
Corn
That sounds like a much better weekend project than what I was doing with my old Pixel. But I want to go back to something you mentioned earlier about the baseband processor. You said the Librem five is more sovereign because it separates that. What does that actually mean for the average person? Is my phone's modem spying on me even if the operating system is clean?
Herman
This is the final boss of privacy that almost no one talks about. Your phone actually has two computers inside it. There is the main processor that runs Android or Linux, and then there is the baseband processor, which is the modem that talks to the cell towers. That modem runs its own proprietary operating system, usually something called a Real Time Operating System, or RTOS. On almost every modern smartphone, the main processor and the modem share the same memory. This means the modem, which is running closed source code you can never see, theoretically has access to everything happening on your phone through Direct Memory Access. Even worse, the modem is always talking to the carrier's towers. It provides your location via triangulation and shares unique hardware identifiers like the IMEI that you cannot change.
Corn
So even if I have the world's most secure, de-Googled, encrypted operating system, the modem is sitting right next to it, whispering to the cell tower about where I am and who I am?
Herman
That is the reality. The Librem five handles this by putting the modem on a completely separate bus, so it physically cannot see the main memory. It also has a hardware kill switch that cuts the power to the modem entirely. But for ninety-nine percent of phones, including the ones Daniel is likely looking at, the modem is an inescapable part of the package. This is why some privacy advocates say that if you really want to be off the grid, you have to leave the phone at home. But for most of us, that is not an option. We have to find the least bad compromise. The modem is a black box within a black box.
Corn
It is interesting that you mention the least bad compromise because it feels like the walls are closing in on the developers too. You mentioned a September twenty twenty-six mandate for developers. What is that about?
Herman
This is something that has the open source community, especially the folks at F-Droid, really worried. Starting in late twenty twenty-six, Google is going to require every developer who wants their apps to run on Android, even if they are not in the Play Store, to register with a government-issued ID and pay a twenty-five dollar fee. They are framing it as a security measure to prevent malware, but for an independent developer in a country with a repressive government, or just someone who wants to remain anonymous, it is a massive barrier. F-Droid has called it a death sentence for independent distribution. It is another step toward a closed ecosystem where every piece of software has to be tied to a verified human identity that Google and the government can track. It effectively ends the era of the anonymous hobbyist developer.
Corn
That feels very un-American, or at least very un-internet. The whole point of the early web was that you could build something and share it without asking for permission. Now we are moving toward a world where you need a digital passport just to write a calculator app. It makes me wonder if there is any hope for the open phone, or if we are just moving toward a future where there are two tiers of citizens. The people who accept the surveillance and get to use the apps, and the people who refuse it and get left behind.
Herman
I think we are already there, Corn. But there is some hope on the regulatory front. In the European Union, the Digital Markets Act is starting to force some of these companies to decouple their services. We might see a future where Google is forced to allow third party implementations of those core libraries, which would make things like microG much more effective. For those who do not know, microG is a free and open source re-implementation of Google's proprietary libraries. It allows de-Googled phones to run apps that require Google services without actually sending all that data back to Mountain View. It is a game of catch-up, but the developers are incredibly dedicated. The problem is that as soon as microG mimics a library, Google changes the API or moves the requirement into the hardware attestation layer.
Corn
So if someone like Daniel wants to take action today, what is the move? If he wants that control he felt when he rooted his device, but he wants it to actually matter for his privacy in twenty twenty-six, where should he put his energy?
Herman
The first takeaway is to stop thinking about total removal and start thinking about compartmentalization. You are never going to perfectly de-Google a modern smartphone while keeping it functional. It is just not possible with the way the hardware and the carrier networks are designed. But you can significantly reduce the surface area. My recommendation for most security conscious users is to get a supported device and install GrapheneOS. Use the Sandboxed Google Play feature for the three or four apps you absolutely need that require Google, and keep everything else in a separate user profile. It is the best balance of actual, usable security and privacy we have right now. It gives you the Strong Integrity verdict for your bank, but keeps Google away from your personal files.
Corn
And what about the hardware side? If he really wants to get away from the Android stack, is it worth looking at those Linux phones, or is the PinePhone Pro discontinuation a sign that the dream is dead?
Herman
I would not say the dream is dead, but it has moved back into the hobbyist shed. If you want a Linux phone in twenty twenty-six, you have to accept that you are an early adopter in a very difficult environment. You are going to struggle with battery life, you are going to struggle with camera quality, and you are definitely going to struggle with carrier compatibility. If you enjoy the challenge, the Librem five is the gold standard for hardware sovereignty, but you have to be prepared to work for it. For most people, the hardware software gap is just too wide right now. You cannot have a flagship experience on truly open hardware yet. The proprietary blobs for the graphics processors and the modems are just too far ahead of the open source alternatives. It is a choice between a smooth, surveilled experience or a clunky, private one.
Corn
It is a bit of a reality check. We like to think that rooting gives us the keys to the kingdom, but in twenty twenty-six, the kingdom has been redesigned so that the keys only work on the front door, while the back door is controlled by a chip you can't even talk to. I think the most important thing for Daniel and anyone else listening is to understand where the boundaries are. Know that your modem is a separate entity. Know that your bank app is checking your bootloader. Once you know where the fences are, you can decide which ones you are willing to climb over and which ones you are okay staying behind.
Herman
I agree. And I think we should keep an eye on these partnerships like GrapheneOS and Motorola. If we can get more mainstream hardware manufacturers to officially support third party operating systems, it might put pressure on Google to stop using hardware attestation as a weapon against power users. But until then, it is a game of clever workarounds and managed expectations. The fight for the open phone is not over, but it has moved from the software layer down into the silicon.
Corn
Well, I think I am going to keep my old Pixel four as a music player, but maybe I will stop pretending it is a fortress of solitude. It is just a very small, very old computer that really likes talking to Google. This has been a great deep dive, Herman. I think we have given Daniel plenty to chew on for his next project.
Herman
It is always a pleasure. These technical hurdles are frustrating, but the fact that people are still fighting to overcome them is what keeps the ecosystem interesting. We are at a crossroads where the definition of ownership is being rewritten by firmware.
Corn
If you enjoyed this dive into the weeds of mobile privacy, you might want to check out episode one thousand ninety-five, where we talked about whether the power user era is officially over. We also did a deep dive into the golden cage of Google services in episode seven hundred eighty. You can find both of those and our entire archive at myweirdprompts.com.
Herman
Huge thanks to our producer, Hilbert Flumingtop, for keeping the gears turning behind the scenes.
Corn
And a big thanks to Modal for providing the GPU credits that power this show and allow us to keep exploring these weird prompts every week.
Herman
If you have a second, leaving a review on your favorite podcast app really helps us reach more people who care about this stuff.
Corn
This has been My Weird Prompts. We will see you next time.
Herman
See you then.

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.