Several steps can be taken to enhance privacy and security on Android devices, and they apply to the majority of smartphones and tablets running Google’s mobile operating system. At the same time, in a world of ever-growing cyber-threats and social media companies hungry for user data, there are individuals who need an extra layer of protection to fend off both legal and illegal dangers to their digital person. GrapheneOS is an operating system (OS) designed to appeal to such users and focuses on the research and development of privacy and security technologies. These include improvements to sandboxing, exploit mitigations, and the OS’s overall permission model.
But you should know what you’re getting into—using GrapheneOS and taking advantage of the enhanced privacy requires some background knowledge. Here’s everything you need to know about the privacy- and security-focused alternative to Android.
What is GrapheneOS?
Founded in 2014 as CopperheadOS, the privacy-focused operating system was briefly known as the Android Hardening project in 2018, before officially becoming GrapheneOS. Based on the open-source Android code (AOSP), GrapheneOS improves the privacy and security of the OS by mitigating whole classes of vulnerabilities, as well as making exploiting the most common sources of vulnerabilities more difficult. Additionally, GrapheneOS enhances the security of both the OS and the apps running on it, for instance by providing more granular control of permissions. The app sandbox and other security boundaries are also fortified.
From an organizational standpoint, GrapheneOS is a nonprofit and has said it intends to remain one. The model allows the developers to focus on improving privacy and security rather than on building a business model that does not conflict with the success of the open source project.
According to the developers, many of GrapheneOS’s past features were contributed to AOSP and became part of its code, for implementation by anyone developing Android ROMs based on AOSP. For context, these features will not be mentioned below as they are now part of the AOSP code and can be found in most modern ROMs by phone manufacturers and independent developers alike.
According to GrapheneOS developers, the new CopperheadOS project is closed source and not associated with the original project.
What are the features of GrapheneOS?
As mentioned above, GrapheneOS is particularly focused on protecting users against so-called zero-day vulnerabilities. To do so, GrapheneOS believes the first line of defense is attack surface reduction, meaning the removal of unnecessary code from the OS, both in terms of potentially unsafe features, and traditionally built-in apps (more on this later).
In this regard, GrapheneOS includes Network and Sensors permission toggles that are not normally available on AOSP ROMs. The OS also supports per-connection MAC randomization, a private screenshot feature that disables the inclusion of sensitive metadata, and an LTE-only mode that reduces cellular radio attack surface by disabling legacy code (2G, 3G) and bleeding-edge code (5G). Additionally, both Wi-Fi and Bluetooth can be set to automatically turn off if not connected to a device.
The ROM also aims to prevent attackers from exploiting a vulnerability by making an exploit impossible (or at least harder) to develop. GrapheneOS says it dedicates substantial resources to the development of memory-safe languages and libraries, static and dynamic analysis tooling, and more.
Finally, GrapheneOS developers strongly believe in sandboxing at various levels, via fortification of the kernel and other base OS components. This means sandboxing within a specific Android codec, app, or user profile.
This list is not exhaustive, and more details about each of these features can be found on the GrapheneOS website.
GrapheneOS offers a series of built-in hardened apps for basic tasks. Some of them are available on the Play Store, while others are not. First and foremost, there’s the Vanadium WebView and browser. The app is essentially a hardened variant of Chromium, providing enhanced privacy and security features. Vanadium is not available on non-GrapheneOS ROMs, but if you’re looking for a new browser, we can help.
GrapheneOS also offers a camera app called Private Camera, which is available on the Google Play Store. It’s built by the GrapheneOS team (not based on AOSP code) and supports most traditional shooting modes, alongside a raft of privacy/security features. These include a dedicated QR scanning mode, functioning without Network and Media/Storage permissions, and the optional stripping of EXIF metadata from photos and videos.
Additionally, the GrapheneOS team has developed a sandboxed, hardened PDF viewer app, blocking another common attack vector. There’s also an Auditor app, designed to provide hardware-based verification of the authenticity and integrity of the firmware/software on devices. Both of these apps are available on the Play Store.
Can I use Google services on GrapheneOS?
As a general rule of thumb, GrapheneOS tries to avoid impacting the user experience with the addition of the aforementioned privacy and security features. That being said, the nonprofit also acknowledges that this is not always feasible. The Google apps are a strong example of this, as GrapheneOS does not bundle them into its system natively. The team clarifies that they aren’t against users using Google services per se, but they do say these services don’t belong integrated into the OS in an invasive way.
Because of this, Google apps can be installed in GrapheneOS through a dedicated compatibility layer that strips them of the special access or privileges they normally enjoy on AOSP ROMs. More information about the Sandboxed Google Play compatibility layer is available here.
What devices does GrapheneOS support?
GrapheneOS says the appropriate resources should be available, and releases for each supported device should be robust and stable, with all standard functionality working properly and testing for each of the releases. Currently, that means Pixel phones and only Pixel phones. These devices support the stringent privacy and security standards required by the project. These include support for installing other operating systems, standard hardware-based security features (e.g., hardware-backed keystores, verified boot, and attestation), and input-output memory management units (IOMMUs). With IOMMUs, the system can isolate components like the GPUs and radios, among others.
GrapheneOS currently supports the Pixel 4 and above, with the Pixel 3 line now being end-of-life and no longer receiving full security updates. The nonprofit also confirmed the ROM will be available on the Pixel 6a shortly after its official release.
Although GrapheneOS only works on a handful of phones, it’s a great way to extend the life of an aging Pixel or simply make your phone more private and secure. If you’ve got a Pixel device and want to see what true mobile privacy is like, check out our how to install GrapheneOS guide.