Privacy discussion: IodeOS vs Google Apps

Hi all,
I just joined the community a week ago. I flashed one of my Android phones with IodeOS, the other is left on stock. After a week of De-Googled life and without any G apps or even any logins to any big tech, I rarely see much traffic other than my browser and Whatsapp, not much is happening (I’m surprised that Whatsapp isn’t spying, given that Meta owns it).
I find the standard Iode protection sufficient so far. I had like a few dozens blocked traffic, only 4 of those weren’t blocked (this is where the iode subscription would come into play).

So if I never login into big tech apps, apparently no-one is really spying on this phone according to the iode app, so there’s no reason to subscribe. BUT, I still very much would like the convenience of the mainstream apps, like the Google cloud services, Map, Translate, Wallet, shopping apps, Android Auto (this hurts a lot, having to use the car’s own navigation ), etc.

So my guess is the subscription would make more sense when there is actually a lot going on on the phone, but from a privacy standpoint I’m conflicted whether I should let the phone get fingerprinted again and start using my Google ID on it, among others.

I still have a stock Android for the banking app, which I guess I could live without and get away with internet banking only on the desktop, but man is it convenient to access it through an app and fingerprint… So having one stock Android and keep it home does make my transition a bit easier.

But now I wonder how effective iodeOS actually is in spoofing Google? Even if attestation doesn’t work for the most part and many apps refuse to operate, the ones that do work would still attempt to spy. How effectively can iodeOS prevent that? I guess once I use my Google/Facebook ID on the phone, then any sort of correlation will be easy for the trackers. But I remember reading it somewhere or hearing it that even genuine Gapps have trouble with spying on the user in a De-Googled phone. Is that true? I wonder if I reflashed the spare phone too, yeah I lose the banking app, but having two iode phones would allow for one to use Google ID and some apps, and one that isn’t logged in to anything and with luck, it remains invisible to big tech.

Any thoughts on the privacy aspects?

At least they scored number one on the largest data leak in history. They published the data openly on the internet and did not move even though the scientists informed them mupltiple times.

Yes! Your data is safe with them! (may contain traces of irony)

On the topic: Many people who value their data privacy use the two-devices-strategie, since sadly there is some apps (like banking) that will not work on a completely de-googled phone.

So having 95 percent of my data private and only 5 percent compromised seems a better decision to me than just having the easy life and throwing all my data out there.

Yes, this is how they hook people up in the first place. And after they lured 80 % in, they have all the power to force the rest into it. It is upon each user to decide how far he/she is willing to put up a fight and draw lines. I for myself do not use banking apps on my device. Not convenient, not cheap, but my choice.

You’re probably not wrong there.
How do people go about this two-devices-strategy? Any practical advice?
Like I’m not even sure what you mean by 95% of your data being private. I don’t even generate usage data on my De-Googled phone now. As in I don’t really use it as a smart phone that much anymore, with 98% of my usual library axed. Or did you mean actual files and personal info on the device?

I don’t know how bad the situation actually is with the big brother, but it kinda feels peaceful that my iodeOS maybe doesn’t follow me, listen to me, evaluate me 24/7 like what I suspect anything else can do. Even if their privacy settings wouldn’t allow it.

Well, for example, if you are planning to visit South America, where you simply cannot even book a hotel without Whatsapp (they don’t even understand why you wouldn’t want to use WA), then you could use a second device just for Whatsapp and for a local SIM card. No connection to your “other life” on your main device.
I even got myself a prepaid telephone number just for Whatsapp that does not connect to me. So if they want to publish it (they did), they may as well, I do not have my contacts or any other info related to my “real life” on that device.

Or let’s say “banking app”: Use an old stock-ROM device and put the banking app on there. Use it only at home (2FA) for banking with your computer, shut off the device afterwards.

All your other data (contacts, messenger, mail, navigation, …) are on the de-googled device.

That is the best way, of course: live an analogue life, as much as possible. But let’s face it: We are increasingly cornered, many services are no longer available offline. Sad, but true and part of the agenda.

I just watched a video from Rob Braxman talking about avoiding the “relationship map” by cutting off your email and phone number everywhere you can. Use separate emails for socials, work, financial, etc. Use separate phones for 2FA and online accounts, and your private contact list, and never mix them.

It’s a difficult concept I admit, I kinda couldn’t wrap my head around the fact that what’s the point of all this, when nowadays every company has a ‘know your customer’ policy, so even my aliases and burner phone numbers are registered to my real identity.

I get it that for big tech it’s harder to correlate emails and phone numbers that are not on your friends’ contact lists, but for a gov entity who has access to not only big tech databases, but also network providers, I’d think it’s fairly basic to tie all your numbers and emails to the same person.

The same goes for Whatsapp of course, as that’s tied to a phone number as well.

Yeah, I guess you could go offline altogether in your life as much as you want (in your free time that is), but… That’s not easy in a world where your digital life is more prominent than your real life.

Great discussion so far. I think you will find there are many directions you can go, and many of them differ based on what your motivations are (concerns of big-tech overreach, concerns of government tracking, wanting more control of your data and host your own services, etc.)

My thoughts are that I have been trying to not double carry for several years as I find that to be a bit too cumbersome and awkward.

For me, what I do is use Shelter to set up a private “work” profile and that is what I put my Whatsapp, Telegram, Banking Apps, and other non-free software in (yes Telegram is technically free at the client side but not on the server and hooo boy do I get a lot of spam from it so I just don’t want it in my main profile). So my main profile is nearly exclusively open source / privacy respecting apps. I use Google Services in Shelter as well, in fact my WhatsApp and Telegram registrations are to a Google Voice phone number (also only used in the Shelter profile) so my “real” phone number isn’t exposed to them.

With Shelter you can configure if you want to enable “cross profile interaction” so your contacts can pass through, for example. But the key additional nice feature is that you can set apps to “auto-freeze”. This way they are fully disabled when I am not using them. My phone doesn’t even know that WhatsApp or my Banking App are installed until I unfreeze and launch them, and then one tap (or auto-freeze after some inactivity) and they are all frozen again.

For WhatsApp you may ask how do I then get push notifications? I use “Beeper” which is basically a hosted matrix service with integrated bridges to WhatsApp, Signal, Telegram, and even iMessage if you have it. So I leave the primary services deactivated with Shelter, only launching them once a month or so when they complain they are disconnected due to inactivity.

I am sure there are better technical solutions, and there are far more secure and privacy conscious people than me (I am sure many will eagerly criticize my approach if I were on other “not-so-friendly” forums about now in fact Shelter itself is not under active development. But it works for me and allows me to not double carry, while at the same time not having the I need these apps on my phone but I don’t want to have them on my phone continually run in the background doing who-knows-what. Because as I note at my personal site, https://openmobile.us, if it isn’t open source then how can you trust it (I consider that true for MS, Apple, Google, my Bank, and all the others regardless of their appearance of ethics or not.)?

Good luck on the journey, let’s see if others will contribute a few other comments so you can get a broader picture of what the options are.

He may not necessarily be the expert he appears/pretends to be, but these recommendations do indeed seem useful/reasonable.

If you want to protect yourself from gov, you’re using the wrong OS. The only devices that can currently resist gov are ninth or tenth generation Pixels running GrapheneOS.

How I do it:
On my main user, microG is via ADB uninstalled (if you deinstall it via Settings, it will be deinstalled for all users). All of open-source and closed-source apps are installed on my main user. Most apps are updated via Obtainium (also WhatsApp could be updated). A few apps (my banking app, yes it doesn’t need Google Play Services) are updated via Aurora Store pseudonym (anonymous login). The apps which are installed via Otainium are in Aurora Store on the blacklist.
On a second user (settings > system > users) I installed microG and apps, that require microG but not logged in (app of my health insurance provider). WhatsApp works if you uninstall microG from all users (which I haven’t done) or if microG is installed in the corresponding user. So WhatsApp is also installed on my second user and updated via obtainium which also installed in second user. The same applies to my public transport app (not compatible with Öffi), so it is also installed there (but is updated via the Aurora Store).
In the third user, I then logged into microG with my real Google account for everything I purchased via the Play Store (a game)/where I have a subscription via the Play Store and the app operator does not check otherwise I paid for the subscription (komoot, for example, still runs in my main user because I once paid a subscription, the subscription renews annually, and you have an account with komoot and the payment is temporarily stored in this account).
The iodé firewall is set to the highest level (including subscription) for each user. In addition, specifically added websites are filtered out.

Interesting stuff!
Isnt it a “issue” that the IMEI number is always the same and so tying all the users/profiles back to the same device (and therefor user) is easy?

You can set what data is transmitted to Google in microG. In addition, Google is not allowed to use the IMEI under the GDPR and does not use it. Instead, the Google Advertising ID is used, which, incidentally, can be deactivated in the real Google Play Services (in microG, it is not generated anyway, of course).

Great response, thanks!
I looked into this Shelter and found that it’s likely obsolete, as Andoid has a native sandbox that integrates seamlessly. In IodeOS you’ll find it as “Private Space” in the Security & Privacy.
It creates an isolated environment for the apps that’s original purpose was to lock your sensitive apps away from intruders. But it works exactly how you described Shelter: it isolates the apps on the device, and freezes them when the space is locked.

Although it’s a neat feature to quarantine Whatsapp and the other Play Store apps, it doesn’t prevent traffic correlation on a device level, so your hardware IDs could still leak out and/or your activities correlated. For proper device isolation sandboxing isn’t enough. Plus my banking app doesn’t work on my Pixel with IodeOS, as there’s no attestation at all currently - even my bootloader is still open and I’m scared to close it before a new system update comes out in 2026 (I had a December 2025 sec update on the vanilla rom before I flashed IodeOS).

So at the end of the day I started using Private Space, that was a great advice thank you!
But I’ll still keep my spare phone with stock android for the normie apps to run properly when needed. But it’s kept at home and powered off most of the time. I just adjusted my habits that I can 100% get through my day without needing access to my banking app on the go, etc.
Well, at this point I’ve already begun to question whether I need apps at all for many things, that I could just do on my desktop PC instead. At least the apps are not following me around on my phone anymore.

I also plan to purchase a brand new stock Android to register a fresh Google account with, that won’t know my real identity. So apart from the network operator (we have mandatory registration for new numbers) no 3rd party should know whose device that is. I plan to use this for Google services that are genuinely useful and I rely on, like navigation, Sat View, Street View, Android Auto, etc.

And of course the Iode phone is the personal one I carry with me, now with a quarantined Whatsapp!

So yeah, this is how my opsec plan is looking like currently. Any obvious holes I haven’t thought about?

Well, the government (and pretty much anyone with trackers) already knows all my personal info since I made my first Google account when I was 13, lol.
I’m not a target for the government - I’d like to believe -, and they’ll inevitably have access to my file, through the providers, utilities, or otherwise. So my threat model only consists of minimizing my digital footprint in general for longer term future security, really. I just want to rein in on my personal data and control who I share it with - preferably consciously.

But you picked my curiosity, so what do Pixel 9 and 10 have that would make it particularly difficult for any government to track you?

Uhm, I had a quick look at Beeper.

I’m not sure how it’s any better from a privacy perspective than using Whatsapp directly.

Correction: Pixel 10/9/8 with GrapheneOS (the only OS that stands against Celebrite UFED)

So the new Pixels have some hardened hardware features against exploits and malware. Great.
This did not really address the question though, why would it be difficult for any government to track a new Pixel phone? I doubt any state level organization would need to rely on mere Trojans to track you down. They have the reach and the authority to just go through the network provider to request your information. Particularly if the law enforcement is interested in you, or just finding out who’s number is that. I doubt anyone would have to gain physical access to your phone first. And hardware security is kinda like in computers I imagine. Scientists study CPU exploits, then manufacturers patch those in their microcode, etc. We all hear about these in the news every other year. But it’s not lost on me that these threats are just theoretical for the end users at best because without exception they all need to get physical access to the target machine first to inject their code. I mean, maybe if your phone get seized? But if that happens, you’ll have bigger problems than protecting your privacy phone.
And that’s not the kinda theat model IodeOS is catering for. I hear GrapheneOS is the way to go if one is to hide from the government. Iode is more for the wider privacy conscious audience, who are less technical and prefer ease of use.

is something like a separate user and therefore something different than the work profile (which uses Shelter) which is a sandbox. Hier nochmal das ganze in ausführlicher auf deutsch: GrapheneOS: Sinnhaftigkeit des vertraulichen Profils - #28 von DwainZwerg - Betriebssysteme - Kuketz IT-Security Forum • IT-Sicherheit | Datenschutz

You could try the paid version of MagicEarth. You can purchase it anonymously from their website: Magic Earth

That’s not what this is about at all. It’s about protecting the data on your phone, even:

Yes certainly true. Sorry I kind of tangented there. My use of Beeper is not as much about privacy but more about using a single app that can be on several devices for the services that I don’t have any pretense of them being ethical and privacy respecting anyway. Using Beeper means I don’t need the 3 apps that Beeper is bridged to running in the background 24-7 doing “who knows what” (yes iodé blocker is helpful here too).

Probably it would be better of me to only have WhatsApp on a phone I keep at home but a few international contacts only use it and I give them occasional remote assistance so need voice / video calling to work which needs the “full WhatsApp” . So I get the missed call in Beeper, then unfreeze WhatsApp from Shelter profile and call them back.

I treat anything to do with Whatsapp as already privacy compromised but not as compromised as the insecured SMS / MMS world that I need to use to communicate to 90% of USA citizens sending cat photos via iMessage.

A followup question on “Private Spaces” I didn’t think apps running there could be fully “frozen”, I thought they were only basically containerized but still couldn’t be so easily fully disabled / re-enabled? I will need to re-look a them a bit, I am always available to learn to do things better

According to Google:
”Create a digital safe within your phone for the apps you don’t want others to easily access or find. These apps can isolate their data from the rest of your phone.”
”When private space is locked:
The apps in the private space are:
Completely stopped. These apps can’t perform foreground or background activities, like showing notifications.
When the device is locked, apps can’t access sensor data or perform any functions.”

Oh, f.ck. I just read further down:
”Private space apps bypass virtual private network (VPN) on the device.”

Maybe I need to re-evaluate this. This last one is kinda a deal-breaker.

Thanks for the info! So it’s basically a work profile, if not The Work Profile on IodeOS.
And I understand Shelter does the same thing, just with slightly different features?
Is there a native sandbox in AOSP and therefor in forks like IodeOS, that creates a truly isolated environment for the apps? Because I can see how the apps themselves are isolated in Private Space, but there’s no guarantee that once unlocked, they can’t access anything in the main profile.
And the VPN bypass is a slap in the face.

Okay, so I found that you can install and set up a separate VPN for Private Space, and in Android there’re going to be two active VPNs. But at the same time IodeOS 7.1 had some difficulty connecting to both simultaneously. I needed a reboot. Let’s see how stable this setup is in daily use… If it works, this could also be a way to spoof big tech. Probably not as secure as complete device isolation though. But a step in the direction to avoid “double carrying”.

A bit lost in this conversation and would appreciate some Golden Retriever level insight(s).

If I understand correctly, Shelter is no longer supported/updated and Private Space is dodgy?

While I would love to be completely free of all things G-verse I’m not in a position to add another phone to my kit at this time.

I’m part of an investment group that uses Telegram for communication, sharing of knowledge, etc… I use Whatsapp rarely, but most recently (prior to the Pixel 9A I have running iodeOS), I was part of health seminar, the coordinator of which uses Whatsapp.

Not overly happy with either, but it would be easier to simply carry one phone.

So, I’ve two questions at this point:

1. Which of the apps that isolate apps is the better of the two to work with - Shelter, Private Space, some other open source app?
2. Does anyone know if the Pixel 9a can support two phone numbers? I’m using the physical SIM for my primary phone number. If I could add another line using the e-SIM I might consider the seond line?

Thanks…

Just to confuse things further Maybe worth also looking at Insular, from F-Droid