Mobile Privacy Setup

Pixel 9 Pro with GrapheneOS. Three profiles for Owner, Messenger and Banking. Mullvad as always-on VPN. Aegis instead of Microsoft Authenticator. Privacy as configuration, not as a marketing buzzword.


The setup

Pixel 9 Pro as hardware. It runs GrapheneOS rather than stock Android: a hardened Android derivative that ships without Google services by default and with a notably stricter permission model.

Three separate profiles run on the device:

  • Owner — the main room. Only the essentials.
  • Messenger — everything for communication. Element, Signal, Threema, WhatsApp.
  • Banking — everything that touches sensitive financial data. Banking apps, TAN generators.

Profiles in GrapheneOS are real user separations. What runs in the banking profile, the messenger profile doesn’t see. A compromised app in the messenger profile doesn’t mean your online banking is gone too.

Network

Mullvad as always-on VPN, in lockdown mode. No tunnel, no traffic, full stop. Mullvad because the account isn't tied to personal data and payment is possible even in cash or crypto.
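
Android stores the always-on VPN choice per user, so each of the three profiles needs its own Mullvad install with lockdown switched on. The script below is an added example, not part of the original setup: it reads the two settings for every profile over adb and flags any profile where traffic could leave outside the tunnel. It assumes adb access to the phone (USB debugging enabled for the check) and that Mullvad's package name is net.mullvad.mullvadvpn.

```shell
#!/bin/sh
# Added example: audit always-on VPN lockdown for every user profile.
# Assumptions: adb can reach the phone; Mullvad's package name is as below.
EXPECTED_VPN="net.mullvad.mullvadvpn"

# Extract the numeric user ids from `pm list users` output (read on stdin).
parse_user_ids() {
    sed -n 's/.*UserInfo{\([0-9][0-9]*\):.*/\1/p'
}

# Classify one profile from its two Settings.Secure values.
# $1 = always_on_vpn_app, $2 = always_on_vpn_lockdown ("null" when unset)
vpn_verdict() {
    if [ "$1" != "$EXPECTED_VPN" ]; then
        echo "FAIL: always-on VPN app is '$1'"
    elif [ "$2" != "1" ]; then
        echo "FAIL: always-on is set but lockdown is off"
    else
        echo "OK"
    fi
}

# Read one secure setting for one user; strip a CR if adb appends one.
get_secure() {
    adb shell settings get --user "$1" secure "$2" | tr -d '\r'
}

# Walk every profile on the connected device and print a verdict for each.
audit_device() {
    status=0
    for uid in $(adb shell pm list users | parse_user_ids); do
        verdict=$(vpn_verdict "$(get_secure "$uid" always_on_vpn_app)" \
                              "$(get_secure "$uid" always_on_vpn_lockdown)")
        echo "user $uid: $verdict"
        [ "$verdict" = "OK" ] || status=1
    done
    return $status
}

# Touch a real device only when asked: sh vpn-audit.sh --device
if [ "${1:-}" = "--device" ]; then audit_device; fi
```

A FAIL on a secondary profile usually means the VPN was configured in Owner only.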

2FA

Aegis instead of Microsoft Authenticator or Google Authenticator. Open source, locally encrypted, exportable. 2FA tokens don’t belong in a closed-source app that could quietly snapshot your login sequences.

Why bother

Because “privacy” on the phone doesn’t come from marketing promises but from configuration. On stock Android every app permission dialog quietly hands off more data in the background than most people think, and the telemetry volume isn’t small. With the setup above I know what goes out and what stays.

This isn’t for everyone. But if you really want separation, here’s a setup that works without falling into the convenience crater.