Operating systems - GrapheneOS
GrapheneOS is a secure and private mobile operating system based on the Android Open Source Project.
Its security and privacy improvements are achieved without compromising user experience or application compatibility.
Hardware Compatibility
Only recent Pixel devices are supported due to security requirements.
Security
Some custom ROMs and Android-based distributions are presented as secure despite a flawed approach
to security, a lack of substance and a reliance on security theater. GrapheneOS, by contrast, not only
keeps the Android security model intact but improves upon it, often upstreaming its changes to the
original project.
Protection against unknown vulnerabilities
The OS protects against unknown vulnerabilities through several methods.
Attack surface reduction
Unnecessary code is removed and optional features are disabled by default, for example NFC and
Bluetooth; USB and camera access while the device is locked; and Wi-Fi or Bluetooth after a timeout.
Exploit mitigation
Exploit mitigation techniques are employed to render vulnerabilities impractical or impossible
to exploit.
Many system components are hardened: the kernel, libc, the memory allocator, the app runtime and the
filesystem.
Sandboxing
Sandboxing isolates the various system components, limiting the extent of potential
damage. Improvements have been made to the app sandbox and to the web browser renderer sandbox.
Anti-persistence and Detection
The authenticity and integrity of the operating system are verified on each reboot by verified
boot.
Protection against known vulnerabilities
Patching
Patches issued for known vulnerabilities are included as soon as they are available, even when they
have not yet been applied to Android.
Security preview releases
Security preview releases provide early access to Android Security Bulletin patches, distributed as
binaries prior to disclosure; the source code is made available after disclosure.
User-facing security
Some security features depend on the user.
Improved unlocking
The unlocking mechanism allows for longer passwords, two-factor fingerprint unlock, PIN
scrambling, rate-limited input attempts that make a 6-digit PIN reasonably secure and render
brute force impossible, and a duress PIN or password that irreversibly wipes the device in an
emergency.
Network and sensors permissions
Access to the network and to sensors can be controlled with permission toggles.
Storage and contacts scopes
Access to storage or contacts can be granted more selectively using scopes.
Auto Reboot
Auto-reboot puts the data at rest after a period of inactivity.
User profiles
User profiles (Android's isolated workspaces for applications and data) allow for the creation of
separate personal, work and banking profiles. App installation can be disabled or managed from the
owner profile, notifications can be forwarded, and background session behavior can be set, with an
end-session mechanism putting the profile's data at rest.
Privacy
Google Services
No Google services are required by the OS. If necessary, they can be installed like any other
application, without any special access or privilege, which limits their otherwise invasive nature.
Carrier access
Carrier support is provided in a non-intrusive manner, with 5G and the insecure 2G and 3G modes
disabled to reduce the cellular radio attack surface.
Prevent identifier leaks
Hardware identifiers uniquely identify a device. Many of them are closed off by preventing
applications from accessing them, by randomizing the Media Access Control (MAC) address used to
identify hardware on a network, and by stripping metadata containing sensitive information from
screenshots, such as EXIF data carrying OS build, version, family and model information together
with the local date, time and timezone offset.
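The metadata stripping described above, as an added example that is not GrapheneOS code: a small pure-Python walker over JPEG marker segments (the container where EXIF normally lives) that drops every Exif-bearing APP1 segment and copies all other segments and the scan data through unchanged. The sample image bytes are constructed here as a structural skeleton only, not a real screenshot or a decodable picture.

```python
import struct

EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif-bearing APP1 segment removed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(data[:2])
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:          # end of image
            out += data[pos:pos + 2]
            break
        if marker == SOS:          # entropy-coded scan: copy the rest through
            out += data[pos:]
            break
        # Every other segment carries a big-endian length that counts itself.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos:pos + 2 + length]
        if not (marker == APP1 and segment[4:].startswith(EXIF_HEADER)):
            out += segment         # keep JFIF, quantization tables, etc.
        pos += 2 + length
    return bytes(out)


def has_exif(data: bytes) -> bool:
    return EXIF_HEADER in data


def exif_segment(payload: bytes) -> bytes:
    # Build an APP1 segment wrapping an Exif payload (helper for the sample).
    body = EXIF_HEADER + payload
    return b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body


# Constructed sample: a structurally valid JPEG skeleton, not a decodable
# picture. The Exif payload stands in for the build/time metadata a
# screenshot could otherwise leak.
SAMPLE_EXIF = exif_segment(b"build=constructed-build-id; tz=+00:00")
SAMPLE_JPEG = (
    b"\xff\xd8"                                             # SOI
    + b"\xff\xe0" + struct.pack(">H", 7) + b"JFIF\x00"      # APP0 (JFIF)
    + SAMPLE_EXIF                                           # APP1 (Exif)
    + b"\xff\xda" + struct.pack(">H", 2) + b"\x00\x01\x02"  # SOS + scan data
    + b"\xff\xd9"                                           # EOI
)
```

Running `strip_exif(SAMPLE_JPEG)` yields the same skeleton minus the APP1 segment, so `has_exif` goes from true to false while the JFIF header, scan data and EOI marker survive.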
Other improvements
Keyboard suggestions are disabled, and notifications on the lock screen and password entry are hidden.
Usability
Users familiar with Android will immediately feel at ease.
Installation
The web-based installer and setup wizard make installation and configuration quite
trivial.
Default setup
A very conservative approach is taken with pre-installed applications; the project only adds its own:
- an auditor app / attestation service providing hardware-based verification of the authenticity and
integrity of both firmware and software
- a modern, secure and private camera app
- a hardened PDF viewer
- Vanadium, a hardened variant of the Chromium web browser
- a first-party app repository
Software installation
The quality and security of external applications cannot be vetted by the project, nor does it make
sense to include them by default, as the choice should be left to the user. Applications can be
installed from F-Droid repositories or directly from the source with Obtainium.