I Was Sick of Android Apps Spying on Me, So I Tried GrapheneOS and PlugOS

I Was Sick of Android Apps Spying on Me, So I Tried GrapheneOS and PlugOS | PCMag

Skip to Main Content

PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

GrapheneOS Our Take GrapheneOS is a free, privacy-focused Android alternative with a polished experience and easy setup. However, its support is currently limited to a handful of Google Pixel devices, which can make getting started expensive if you don't have one. VS PlugOS Our Take PlugOS is a USB-C hardware platform that aims to provide a portable, privacy-focused Android experience. Although it succeeds in delivering Android on the go, its steep price, inconsistent privacy practices, and underwhelming performance make it a hard sell for most users.

Table of Contents

Data breaches are commonplace, and mobile devices are a prime target for attackers. Malicious apps, adware, spyware—you name it, and it’s there, right there in most app stores. Even beyond malicious entities, everyone wants your data. Something as simple as a missed app permission can result in all of your personal browsing data being funneled off to brokers. I wanted a more secure Android experience, so I tried GrapheneOS and PlugOS (the latter of which also works with iOS devices). Both claim to offer a private experience, but one provides this protection through hardware, while the other does so through software. I put them head-to-head to see which one actually delivers.

ins]:-ml-24 2xl:[&>ins]:w-[970px]" data-autopogo aria-label="Comparison Body Content"> Cost: One Requires a $299 Device, the Other Requires a PixelIf you're interested in PlugOS, the first thing you should know is that you need a physical piece of hardware, a PlugMate, and it isn’t cheap, with an MSRP of $299 (although at the time of writing, it's on sale for $199). That price gets you the PlugMate, a thin plastic case, and a card with your unique access key.

(Credit: Justyn Newman)

Also in the box is an angled USB-C extension that runs the PlugMate behind your phone, making it easier to handle.

(Credit: Justyn Newman)

It comes in one memory configuration with 128GB of storage and 4GB of unspecified flash memory. The site shows an additional 6GB/256GB version, but it cannot be selected.

(Credit: PCMag/TrustKernel)

The PlugMate uses an octa-core MediaTek Helio G80 mobile processor and runs a virtualized, stripped-down version of Android 14. The outer shell comes in black, red, or starlight gray.GrapheneOS, on the other hand, is a free, open-source operating system that replaces the one on your phone. You don’t have to purchase anything to get the protection it offers, but there’s a rather big caveat—you need to have a supported Pixel phone for it to work. It’s a no-brainer on the cost front if you already have a Pixel, but the PlugMate becomes more affordable if you have to buy a specific phone for Graphene.

(Credit: PCMag/GrapheneOS)

As for support, Graphene is compatible with most OEM-unlocked Pixel phones and tablets starting with the Pixel 6. Pay close attention to that OEM-unlocked criteria. Some carriers, like Verizon, restrict OEM unlocking, so make sure the device you have (or the one you plan to buy) is carrier-unlocked. Support for Graphene is set to expand via an upcoming collaboration with Motorola. Graphene will be compatible with flagship Motorola devices in 2027, with potential support for midrange and entry-level devices down the line. Privacy: GrapheneOS Explains Everything, PlugOS Leaves Questions UnansweredTrustKernel, the parent company of PlugOS, has mixed privacy standards and policies. I found some good indicators of trust as well as some shortfalls. While there are no records of data breaches or security incidents involving TrustKernel’s prior products, the PlugOS platform is still new, having launched in early 2026.The company’s security whitepaper covers its numerous security certifications and its adherence to privacy standards, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). TrustKernel also claims to undergo third-party penetration testing from “top-tier” companies and shows proof of various certifications and awards on its compliance page. However, most of these, such as ISO certifications, are used to verify internal business processes and don’t necessarily indicate that PlugMate was involved in the testing. Without a document outlining the scope of each evaluation, you’re left taking the company at its word. I reached out to TrustKernel for a statement regarding its audits, and a spokesperson stated that, “The security evaluation was conducted in accordance with EAL4, a widely recognized international standard for security certification,” and provided a certification from the China Cybersecurity Review Technology and Certification Center (CCRC) that you can view below:

(Credit: CCRC)

I pressed further, clarifying that I was looking for a public report detailing the scope and results of either a privacy or a security audit. The spokesperson stated, “Given that our product has only recently been launched, related third‑party security and privacy audit reports are still in the process of being developed and finalized. We are in the process of commissioning assessments from other internationally recognized institutions as well. We uphold stringent cybersecurity and data protection standards and will make appropriate information public through the official website in a timely manner once the relevant audit work is completed."As I’ve learned from testing VPNs, a company’s word doesn’t mean much in a world of frequent data breaches. Other key details, such as data retention periods, are unclear and poorly defined. On the other hand, GrapheneOS’s documentation is comprehensive and in-depth. It’s also an open-source project, and the full technical details are available in Graphene's GitHub repository.

(Credit: PCMag/GrapheneOS)

The FAQ page outlines every aspect of how the company handles data, encryption, and app access. It’s one of the most well-structured privacy documents I have read. It does get technical and dense in parts, but I highly recommend reading through it so that you know exactly how the operating system works. It offers interesting insights into how regular Android works and the data that apps can access. There are linked guides that explain how Wi-Fi works, including data handoffs, and how permissions can funnel data to places you may never have thought of. Beyond being a good privacy policy, the document is a great place to start if you’re interested in learning about where your data goes when you use a smartphone. The transparency difference between PlugOS and GrapehenOS is stark. PlugOS and its parent company, TrustKernel, leave a lot of important privacy questions unanswered. GrapheneOS User Experience: A Clean Android Experience Without the FrictionRunning alternative operating systems on anything can be a pain if you’re not familiar with the more technical aspects of the device in question. Graphene makes the process easy with a web-based interface that runs you through the installation process step by step.

(Credit: PCMag/GrapheneOS)

All I had to do was connect my Pixel 6 Pro to my PC via USB-C and click the appropriate buttons right there on the web page. It took me about 15 minutes from start to finish to get the device up and running with Graphene. Keep in mind that this change does require a full reset of your Pixel, so make sure you backup any important files before proceeding. 

(Credit: PCMag/GrapheneOS)

From there, you can use GrapheneOS as you would your regular Pixel. You can run a sandboxed version of the Play Store to fetch apps from, but you have a lot more control over what permissions apps have and for how long. You can decide whether or not to allow network access to any app when you install it, which means you can run essentially any app completely offline.

(Credit: PCMag/GrapheneOS)

Graphene doesn’t come with many apps. It has a privacy-focused browser called Vanadium by default, a PDF viewer, and an in-built device auditor. The auditor is a niche but useful tool that uses a second Android phone to confirm your bootl