People place a great deal of trust in their phones, which hold a vast amount of personal and sensitive information, such as our locations, financial details, and communications. As a result, phones, even those of less prominent individuals, are valuable targets. Android devices run on a substantial base of free software, which ideally should allow them to serve their owners' interests; standard Android installations, however, generally fall well short of that ideal. The GrapheneOS Android rebuild is an attempt to improve on that situation.
A Canada-based foundation established in 2023 supports the work on GrapheneOS, but there seems to be very little public information about this organization.
Essentially, GrapheneOS aims to harden Android against a wide range of threats and to put the privacy of its users first. It is built on the Android Open Source Project, but it removes a significant amount of code and adds numerous modifications. Some of these changes, like the hardened malloc() implementation or the extra control-flow-integrity features, go largely unnoticed by users (unless they cause apps to misbehave, which has reportedly happened). Others are more visible, but it is evident that considerable effort has gone into making the security enhancements as unobtrusive as possible.
Some Android variants focus on supporting a broad array of devices, with the aim of extending the useful life of older models. GrapheneOS is not among them. It supports a limited selection of devices, specifically the Google Pixel 6 through Pixel 9 series, with some limited support for Pixel 4 and 5 models; newer devices are strongly recommended.
The 8th- and 9th-generation Pixels get at least seven years of support from launch, up from the previous five-year minimum. These models also support the Arm Memory Tagging Extension (MTE), a powerful security feature that arrived with the adoption of ARMv9 CPU cores. GrapheneOS enables hardware memory tagging by default for the base OS and for user-installed apps known to be compatible, so that memory-corruption bugs such as buffer overflows and use-after-free errors are caught before they can be exploited. Users can extend this protection to all apps, with a per-app opt-out for apps that turn out to be incompatible.
My phone had been suggesting for some time that it wouldn't be reliable in the future, but the thought of purchasing a new one filled me with dread. Every new model seems to include more privacy-invading "features" and intrusive AI "assistants," and locating all the "disable" options is a time-consuming and error-prone process. This, combined with the news that Google's "Gemini" appears to have growing access to a device owner's data no matter its settings, motivated the acquisition of a Pixel 9 device to experiment with GrapheneOS and see if it could serve as a daily alternative to the default Android.
Flashing a new OS onto a costly device can be nerve-wracking; the GrapheneOS installer aims to reduce the anxiety involved. The documentation describes two installation methods: one using a web-based interface and the other via the command line. Naturally, I opted for the command-line version. The steps are simple: download the installation image, connect the device, and run the provided script. The script completed and confidently announced success, yet the device still booted only into stock Android, a consistent outcome, but not the desired one.
After some research, it was discovered that the web installation method is considered more reliable than the command-line version, though this wasn't documented. I gave it a try, and it worked perfectly, marking the start of the GrapheneOS experiment.
Stock Android offers convenient features to simplify transitioning to a new device, which is not surprising considering the motivation to encourage frequent upgrades. Most of the data, apps, and settings from the previous device are automatically transferred to the new one. In contrast, GrapheneOS lacks this capability; a newly set up phone is a blank canvas that requires configuration from scratch. You can anticipate spending considerable time rediscovering those settings that were perfectly adjusted some years back.
A stock Android installation comes with a wide array of apps from the start, many of which the user probably didn't want and often can't remove. GrapheneOS has none of that bloat. It provides its own versions of a web browser, camera app, PDF viewer, and app store. Notably, GrapheneOS does not ship the Google Play Store or any Google apps (though keep reading for more on Google Play). Its own app store carries a total of 13 apps.
The web browser, named Vanadium, is a Chromium fork. It allows strict site isolation on mobile devices, a feature apparently lacking in Chrome, and includes several code-hardening features. The documentation strongly advises against using Firefox, labeling it as "more vulnerable to exploitation."
The camera app is described, in the confident style typical of the GrapheneOS project, as the best available:
GrapheneOS Camera surpasses all portable open-source camera options and even most proprietary camera apps, including paid ones. On Pixels, the Pixel Camera can serve as an alternative offering more features.
The camera app strips Exif metadata by default, and location metadata must be enabled separately if it is wanted.
Another option available from the GrapheneOS store is the Accrescent app store, an alternative repository emphasizing security and privacy. It offers a selection of additional apps, such as Organic Maps, the Molly Signal fork, and IronFox, a fortified version of Firefox.
With those app stores, you can cover some basic phone functions, but many of us need a little more than that. One option is F-Droid, which can be installed and used on GrapheneOS. Although the security-focused crowd, including members of the GrapheneOS community, often criticize F-Droid (as illustrated in this article), it remains a valuable source of mostly free-software apps.
Ultimately, many people frequently rely on the Google Play store; without the apps available there, an Android device can be almost unusable for some. GrapheneOS provides a sandboxed version of Google Play, making it just a regular app without the special privileges it usually holds on standard Android systems. It functioned perfectly in this instance; although the documentation notes that some apps might not function properly, I didn't experience any issues.
It is important to mention that Android offers the Play Integrity API, which lets an app (or its backend server) check the state of the software running on the device. Among other things, it can report whether verified boot completed successfully and whether the device is running a Google-certified Android build. The API is available on GrapheneOS through the sandboxed Google Play services; because GrapheneOS keeps verified boot enabled, it passes the first check, but it is not a certified image and fails the second. Some applications care about the outcome of these queries and may refuse to run if they receive an unfavorable answer.
GrapheneOS displays a notification every time this API is used, making it easy to see which apps are querying it. Most apps do not use it, but some certainly do. I noticed a few apps calling this API, yet none of them refused to run; they were satisfied with verified boot. Some apps are pickier, though, and there is a short list of apps that will not work on GrapheneOS. Testing any essential apps before switching to an alternative build like GrapheneOS is a necessary part of due diligence. There is always the risk that a future app update will cause a previously working app to stop functioning; that is a real risk with any alternative Android build.
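The two checks described above map onto the device-recognition labels the Play Integrity API returns in its verdict: MEETS_BASIC_INTEGRITY (verified boot passed) is what a GrapheneOS device can satisfy, while MEETS_DEVICE_INTEGRITY and MEETS_STRONG_INTEGRITY (a Google-certified build) are what lock it out. Which label an app's server insists on is therefore what decides whether the app works on GrapheneOS. The following is an added example of that server-side decision, not code from GrapheneOS, Google, or the article. It assumes the client app requested a token with a server-chosen nonce and that the token has already been decrypted and signature-verified (through Google's decryptIntegrityToken endpoint, or locally with the app's keys), leaving the JSON payload handled here; the package name, nonce, timestamps and verdict payloads are constructed for illustration.

```python
"""Server-side evaluation of a decrypted Play Integrity verdict.

Added example, not GrapheneOS or Google code.  Assumes the integrity token
has already been decrypted and verified; the payloads below are constructed.
"""
import time

# Device-recognition labels as defined by the Play Integrity API.
BASIC = "MEETS_BASIC_INTEGRITY"      # passes basic checks (verified boot)
DEVICE = "MEETS_DEVICE_INTEGRITY"    # running a Google-certified Android build
STRONG = "MEETS_STRONG_INTEGRITY"    # certified build plus hardware-backed checks
VIRTUAL = "MEETS_VIRTUAL_INTEGRITY"  # running in a Play-recognized emulator

# What each server policy level demands.  "basic" is what a GrapheneOS
# device can satisfy; "device" and "strong" are what reject it.
REQUIRED_LABELS = {"basic": {BASIC}, "device": {DEVICE}, "strong": {STRONG}}

MAX_TOKEN_AGE_MS = 5 * 60 * 1000  # replay window: reject tokens older than this


def evaluate_verdict(payload, expected_package, expected_nonce, required_level,
                     now_ms=None, allow_virtual=False):
    """Decide whether a decrypted verdict satisfies `required_level`.

    Returns (accepted, reason).  A token that is not bound to this app and
    this request is rejected before the device labels are even considered.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    req = payload.get("requestDetails", {})

    # Binding: the verdict must be for our package and for the nonce we
    # issued; otherwise a token minted for another app or request could be
    # replayed against this server.
    if req.get("requestPackageName") != expected_package:
        return False, "package mismatch"
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"

    # Freshness: timestampMillis is a decimal string in the API payload.
    ts = int(req.get("timestampMillis", "0"))
    if ts > now_ms + 60_000 or now_ms - ts > MAX_TOKEN_AGE_MS:
        return False, "stale or future-dated token"

    labels = set(payload.get("deviceIntegrity", {})
                        .get("deviceRecognitionVerdict", []))
    if VIRTUAL in labels and not allow_virtual:
        return False, "emulator not permitted"

    missing = REQUIRED_LABELS[required_level] - labels
    if missing:
        return False, "missing " + ", ".join(sorted(missing))
    return True, "ok"


# --- constructed sample data (hypothetical app, nonce and clock) ----------
PACKAGE = "com.example.bank"
NONCE = "c29tZS1zZXJ2ZXItbm9uY2U"
NOW_MS = 1_720_000_000_000  # fixed "current time" so the samples are stable


def make_verdict(labels, package=PACKAGE, nonce=NONCE, ts=NOW_MS - 2_000):
    """Build a payload in the shape of a standard Play Integrity verdict."""
    return {
        "requestDetails": {"requestPackageName": package, "nonce": nonce,
                           "timestampMillis": str(ts)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": package},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


# Verified boot passed, but not a Google-certified OS: the GrapheneOS case.
GRAPHENEOS_VERDICT = make_verdict([BASIC])
# Stock, certified Pixel that also passes the hardware-backed checks.
STOCK_PIXEL_VERDICT = make_verdict([BASIC, DEVICE, STRONG])
# Unlocked bootloader or tampered system image: no labels at all.
TAMPERED_VERDICT = make_verdict([])


if __name__ == "__main__":
    samples = [("grapheneos", GRAPHENEOS_VERDICT),
               ("stock pixel", STOCK_PIXEL_VERDICT),
               ("tampered", TAMPERED_VERDICT)]
    for name, verdict in samples:
        for level in ("basic", "device", "strong"):
            ok, why = evaluate_verdict(verdict, PACKAGE, NONCE, level, now_ms=NOW_MS)
            print(f"{name:12} {level:7} -> {'accept' if ok else 'reject'} ({why})")
```

Running the block prints a grid of accept/reject decisions: the GrapheneOS-style verdict is accepted only at the "basic" level, the stock Pixel at all three, and the tampered device at none. The nonce and timestamp checks are the part app developers most often skip; without them, a verdict captured from a certified device can be replayed from anywhere, which makes the device-integrity labels worthless as a security control.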
GrapheneOS offers a number of security and privacy features on top of its extensive system hardening. Many of them exist to make the device behave as if it were truly owned by its user. For instance, the carrier-provisioning data that ships with Android, which tells the device how to work with carriers around the world, lets carriers dictate that certain features, such as tethering, should not be available. GrapheneOS simply omits that part of the system. There is also an option (an LTE-only mode) to keep the phone from falling back to older, less secure 2G/3G cellular protocols.
Stock Android lets users control a number of app permissions, but it does not let them block an app's network access. GrapheneOS adds a Network permission that does exactly that, although it is granted by default for compatibility. When the permission is revoked, the app does not see a denied permission; it simply finds itself on a device that never has connectivity. Apps therefore should not refuse to run merely because they cannot reach the network, although they may not function well without it.
A "Sensors" permission controls access to the sensors not already covered by other permissions, such as the accelerometer, gyroscope, compass, barometer, and thermometer. This permission is also granted by default but can be revoked by the owner.
The storage-scopes feature puts apps in a sandbox where they believe they have been granted full access to the device's shared storage, while in fact they can only see files they created themselves (plus any files or directories the owner explicitly adds to their scope). Similarly, the contact-scopes feature lets apps believe they have full access to the owner's contacts while actually hiding most or all of that information from them.
GrapheneOS includes fingerprint unlocking much like stock Android, with one key distinction: after five failed attempts, fingerprint unlock is disabled for 30 minutes. A device owner who is compelled to unlock the device can therefore turn the feature off quickly by presenting a finger that isn't enrolled. For those with heightened concerns, a duress PIN can also be configured; entering it causes the device to wipe all of its data immediately. This self-destruct option should, of course, be handled with care.
A companion application, Auditor, can evaluate the state of a GrapheneOS device and, using the hardware-backed key-attestation features, confirm that the OS has been neither altered nor downgraded to a previous version.
The project releases updates regularly, and installed GrapheneOS systems pick them up promptly. The project moved to the Android 16 release in early July, just under a month after Google launched that version. By default, the device automatically reboots after 18 hours without being unlocked, which returns all data to its encrypted at-rest state; it also ensures that any update waiting for a reboot gets applied.
See also this page comparing a long list of security features across several Android-based builds.
One possible drawback is the opacity of the development community behind GrapheneOS. A foundation exists to support the system, but details on its operations are sparse, apart from a lengthy list of donation methods. Public records list three directors: Daniel Micay (the project's founder), Khalykbek Yelshibekov, and Dmytro Mukhomor, but there is no information on how directors are chosen or how the foundation allocates its funds.
The project has numerous repositories with its source code, but there's minimal guidance on contributing or insights into the development community's activities. Some details are available on the build-instructions page. The project manages chat rooms and a forum, though discussions are mainly user-focused rather than centered on development. Contributions to the forum by the project are made through a general "grapheneos" account.
In response to a private inquiry, the project said that it has ten active, paid developers, most of them working full-time. It appears, though, that Micay still plays the central role in leading GrapheneOS; at the very least, the project's combative presence on the fediverse closely mirrors his earlier communication style. What would happen if he were to leave the project is unclear. That is a risk that is hard to quantify.
Configuring the device with GrapheneOS took a few days, primarily focused on replicating the apps and settings from the older device. Time was needed to properly adjust privacy settings and assign necessary permissions to apps. Ultimately, the device functions just as effectively as its previous version, offering all essential features while excluding many unnecessary ones. I am wholeheartedly dedicated to using it and have no plans to revert.
The system is undeniably more secure, even if one gives no credit to the invisible hardening changes, whose effect is hard to measure. The sandboxing is stricter, there is more control over what apps can do, and there is no AI assistant trying to escape its box.
Naturally, the ongoing issue is that GrapheneOS by itself won't suffice for many individuals, necessitating the introduction of proprietary software. Although the documentation states that Play Store login isn't mandatory, it demanded a login from me, reconnecting the link to Google that GrapheneOS installation had severed. The keyboard doesn't allow for "swipe" typing, so users wanting that feature will probably install GBoard, which comes with its own privacy concerns. The GrapheneOS messaging app functions, but Google's app can filter out some spam, so it might also be worth adding. Some sensible, privacy-friendly weather apps are available on F-Droid nowadays, however, the proprietary ones that compromise privacy have superior access to weather alerts (at least in regions with operational weather agencies) and red-flag warnings. Android Auto is very practical and functions well on GrapheneOS, though it necessitates its own set of special access permissions.
Then there are the numerous banking, ride-sharing, airline, and similar apps that seem essential in today's world. Each of these apps punches a hole in the privacy barrier that GrapheneOS has so carefully built. It is possible to survive and even thrive without them, and we know some people who do, but these tools are popular and available for valid reasons. For many people, it is simply not feasible to manage without proprietary software, much of which is known to monitor our activities and behave in unfriendly ways.
Installing GrapheneOS on a phone at least makes you aware of each hole you open and encourages you to keep those holes to a minimum. When potentially harmful software must be allowed onto a device that holds sensitive information, the system will work to keep that software confined to its designated limits, preventing it from acting beyond its permissions. Installing GrapheneOS aligns a device more closely with its owner's interests, which by itself is worth the investment.
Kazani