Operating systems - GrapheneOS
GrapheneOS is a secure and private mobile operating system based on the Android Open Source Project, with security and privacy achieved without compromising user experience or application compatibility.
Hardware Compatibility
Only recent Pixel devices are supported due to security requirements.
Security
Some custom ROMs or Android-based distributions are presented as secure despite a flawed approach to security, a lack of substance and the use of security theater. GrapheneOS, on the contrary, not only keeps the Android security model intact but improves upon it, often upstreaming changes to the original project.
Unknown vulnerabilities protection
The OS protects against unknown vulnerabilities through several methods.
Attack surface reduction
Unnecessary code is removed and optional features are disabled by default, such as NFC and Bluetooth; USB and camera access are blocked while the device is locked, and WiFi or Bluetooth can be turned off automatically after a timeout.
Exploit mitigation
Exploit mitigation techniques are employed to render vulnerabilities impractical or impossible to exploit.
Many system components are hardened: the kernel, libc, the memory allocator, the app runtime and the filesystem.
Sandboxing
Sandboxing isolates the various system components, limiting the extent of potential damage. Improvements have been made to the app sandbox and the web browser renderer sandbox.
Anti-persistence and Detection
The authenticity and integrity of the operating system are verified on every boot through verified boot.
Known vulnerabilities protection
Patching
Patches for known vulnerabilities are included as soon as they are issued, even when they have not yet been applied to Android.
Security preview releases
Security preview releases give early access to Android Security Bulletin patches, distributed as binaries prior to disclosure; the source code is made available afterwards.
User facing security
Some security features are user dependent.
Improved unlocking
The unlocking mechanism allows longer passwords, two-factor unlocking with fingerprint and PIN, PIN scrambling, rate limiting of input attempts that makes a 6-digit PIN reasonably secure and renders brute force impossible, and a duress PIN or password that irreversibly wipes the device in case of emergency.
Network and sensors permissions
Access to network and sensors can be controlled with permissions toggles.
Storage and contacts scopes
Access to storage or contacts can be granted more selectively with scopes.
Auto Reboot
Auto-reboot puts the data at rest after a period of inactivity.
User profiles
User profiles (Android's isolated workspaces for applications and data) allow the creation of separate personal, work and banking profiles. From the owner profile, app installation can be disabled or managed, notifications can be forwarded, and background session behavior can be set, with an end session mechanism putting the data at rest.
Privacy
Google Services
No Google services are required by the OS. If necessary, they can be installed like any other application, without any special access or privilege, which limits their otherwise invasive nature.
Carrier access
Carrier support is provided in a non-intrusive manner, with 5G and the insecure 2G and 3G disabled to reduce the cellular radio attack surface.
Prevent identifier leaks
Hardware identifiers uniquely identify a device. Many of them are closed off by denying applications access to them, by randomizing the Media Access Control (MAC) address used to identify hardware on a network, and by stripping metadata containing sensitive information from screenshots, such as EXIF data with OS build, version, family and model information, local date, time and timezone offset.
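As an added illustration of the screenshot metadata point (not GrapheneOS code), the following Python parses a PNG chunk by chunk, drops the ancillary chunks that only carry text, timestamps or EXIF data, keeps the chunks needed to render the image, and verifies every chunk's CRC on the way through. The sample screenshot and the metadata it carries are constructed for the example; the set of chunk types treated as metadata is this example's own policy, not a list taken from the OS.

```python
"""Strip metadata chunks from a PNG screenshot.

Added example, not GrapheneOS code. PNG layout: 8-byte signature, then chunks of
[4-byte big-endian length][4-byte type][data][4-byte CRC32 over type+data].
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types carrying only metadata (text, timestamps, EXIF). Policy chosen for
# this example; IHDR/PLTE/IDAT/IEND and colour-management chunks are kept.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf", b"tIME"}

def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk with a correct CRC."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk; reject bad signature, truncation or CRC mismatch."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(png):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = png[start:end]
        (crc,) = struct.unpack(">I", png[end:end + 4])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, data
        pos = end + 4
        if ctype == b"IEND":
            break

def strip_metadata(png: bytes) -> bytes:
    """Return a copy of the PNG with all METADATA_CHUNKS removed, re-serialised chunk by chunk."""
    out = bytearray(PNG_SIGNATURE)
    for ctype, data in iter_chunks(png):
        if ctype in METADATA_CHUNKS:
            continue
        out += build_chunk(ctype, data)
    return bytes(out)

def text_chunks(png: bytes) -> dict:
    """Collect tEXt keyword/value pairs, to compare an image before and after stripping."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            found[key.decode("latin-1")] = value.decode("latin-1")
    return found

def make_sample_screenshot() -> bytes:
    """Constructed 1x1 greyscale PNG carrying the kind of metadata a screenshot might leak."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, greyscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one grey pixel
    return (PNG_SIGNATURE
            + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"tEXt", b"Software\x00example-os build 1.0 (constructed)")
            + build_chunk(b"tEXt", b"Creation Time\x00constructed local timestamp")
            + build_chunk(b"IDAT", idat)
            + build_chunk(b"IEND", b""))

if __name__ == "__main__":
    sample = make_sample_screenshot()
    print("before:", text_chunks(sample))
    print("after: ", text_chunks(strip_metadata(sample)))
```

Re-serialising rather than copying byte ranges means a chunk with a corrupted length or CRC is rejected instead of being passed through, which is the behaviour you want in anything that sits between untrusted image data and a sharing target.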
Other improvements
Keyboard suggestions are disabled, and notifications on the lock screen and password entry are hidden.
Usability
Users familiar with Android will immediately feel at ease.
Installation
The web-based installer and setup wizard make installation and configuration quite trivial.
Default setup
A very conservative approach is taken with pre-installed applications, adding only the project's own:
- an auditor app / attestation service providing hardware based verification of the authenticity and integrity of both firmware and software
- a modern, secure and private camera app
- a hardened PDF viewer
- Vanadium, a hardened variant of the Chromium web browser
- a first-party app repository
Software installation
The quality and security of external applications cannot be vetted by the project, nor does it make sense to include them by default, as the choice should be left to the user. Applications can be installed from F-Droid repositories or directly from the source with Obtainium.