Smartphones have become a big part of our daily lives for almost everything we do. This has created a new concern about how much of our private data may be exposed to outside threats or large corporations. Whether scrolling through social media, browsing the internet, or chatting with family and friends, these actions could give a glimpse into your personal life and on-device data. Pair one of the best Google Pixel smartphones with GrapheneOS to minimize these potential threats for maximum security.
There are a few things to consider before using GrapheneOS. GrapheneOS only officially supports Google Pixel devices. Pixel devices have powerful hardware security features not found in other Android-based devices, such as the Titan M2 chip in the Google Pixel 8 series. Installing GrapheneOS involves unlocking the bootloader and sideloading a custom ROM. Going this route isn't recommended unless you have some background on the topic or are willing to give it a shot for the first time.
GrapheneOS: A brief overview
GrapheneOS is a privacy-focused operating system was founded in 2014 as CopperheadOS and was briefly known as the Android Hardening project in 2018. Afterward, it became GrapheneOS. It is based on the open source Android code (AOSP).
GrapheneOS improves the privacy and security of the OS by mitigating classes of vulnerabilities. This makes it challenging for outside threats to exploit code in the operating system. Additionally, GrapheneOS enhances the security of the OS and the apps running on it by providing more granular control of system-level permissions. The app sandbox and other security boundaries are also fortified.
From an organizational standpoint, GrapheneOS is a nonprofit and intends to remain that way. The approach allows the developers to focus on improving privacy and security without building a business model that aligns with the success of the open source project.
According to the developers, many of the past features of GrapheneOS were contributed to AOSP. They then became part of its code for implementation by anyone developing Android-based custom ROMs using AOSP. For context, these features aren't mentioned below as they are now part of the AOSP code. They can be found in most modern custom ROMs by popular smartphone device manufacturers and various independent developers from the open source community.
As mentioned by the GrapheneOS developers, the new CopperheadOS project is closed source and not associated with the original project.
GrapheneOS Features
Source:GrapheneOS
Several steps can be taken to enhance privacy and security on Android devices. At the same time, in a world of growing cyber threats and social media companies hungry for user data, some individuals need an extra layer of protection to safeguard their online digital lives from potential danger.
GrapheneOS is a custom operating system (OS) based on Android, designed for users who demand more from their devices. It focuses on the research and development of privacy and security technologies. These include improvements to sandboxing, exploit mitigations, and the OS's permission model.
Protection against zero-day vulnerabilities, along with additional user and network features
GrapheneOS protects its users against zero-day vulnerabilities. To do so, the GrapheneOS implements attack surface reduction by removing unnecessary code from the OS. This includes stripping out potentially unsafe system features and keeping certain built-in apps, including core Google apps, off the device entirely.
GrapheneOS includes Network and Sensors permission toggles that are generally unavailable on AOSP-based custom ROMs. The OS also supports per-connection MAC randomization, a private screenshot feature that deactivates the inclusion of sensitive metadata, and an LTE-only mode to reduce cellular radio attack surface by deactivating legacy code (2G, 3G) and bleeding edge code (5G). Wi-Fi and Bluetooth can also turn off automatically if not connected to a device, saving battery life and preventing potential outside wireless attacks.
Safeguarding against memory corruption bugs and sandboxing the OS, apps, and processes
The custom ROM prevents attackers from exploiting a vulnerability by making it impossible (or at least more challenging) to develop. GrapheneOS dedicates substantial resources to developing memory-safe languages and libraries, static and dynamic analysis tooling, and more.
The GrapheneOS developers believe in sandboxing at various levels via fortifying the kernel and other base OS components. This means sandboxing within a specific Android codec, app, or user profile. Doing so allows all app permissions and processes to remain separate, protecting them from malware and other potential security threats.
This list is not exhaustive. More details about these features can be found on the GrapheneOS website.
GrapheneOS apps
GrapheneOS offers its built-in fortified apps for basic tasks to maintain high levels of security across the entire OS. Some are available on the Google Play Store, while others are not. First and foremost, there's the Vanadium WebViewer and browser. The app is a hardened variant of Chromium, providing enhanced privacy and security features. Vanadium isn't available on non-GrapheneOS ROMs.
If you're looking for a new browser, we can help you choose one.
GrapheneOS offers a camera app called Secure Camera on the Google Play Store. It's built by the GrapheneOS team (not based on AOSP code) and supports most traditional camera modes. Aside from this, it includes extra privacy and security features that may be helpful for most users. These include a dedicated QR scanning mode without Network and Media/Storage permissions and the optional removal of EXIF metadata from your photos and videos.
The GrapheneOS team also developed the Secure PDF Viewer app, a sandboxed PDF reader to block an additional attack vector. The Auditor app provides hardware-based verification to ensure the device's software and firmware are safe and authentic. Both of these apps are available on the Google Play Store.
Can you use Google apps and services on GrapheneOS?
GrapheneOS avoids impacting the user experience by including its unique privacy and security system-level features. GrapheneOS doesn't come with the typical Google apps and services you're used to using, including the Google Play Store. As such, you'll likely be looking into reliable third-party open source alternatives. The team clarifies that they aren't against users using Google services. However, they say Google services shouldn't be integrated into the OS in an invasive way. The idea is to keep background-tracking apps and services to a minimum.
Google apps can be installed on GrapheneOS through a dedicated compatibility layer that strips them of the special access or privileges they typically have on AOSP-based custom ROMs. You can use Google apps and services if you want, but they will be modified to follow the motto of GrapheneOS. GrapheneOS strives to provide users with increased privacy and security.
More information about the Sandboxed Google Play compatibility layer is available on the GrapheneOS website.
Use a VPN with GrapheneOS
The features you get with GrapheneOS help increase on-device privacy and security to minimize potential threats to your personal data. Installing the custom ROM onto your Android-based device doesn't automatically guarantee you will avoid all threats by using these features. Since most of your on-device activities require a constant internet connection, take a few steps to secure your online browsing data. Whether from your home Wi-Fi network, 4G LTE and 5G wireless signal, or hotspots, adding a virtual private network (VPN) with GrapheneOS fortifies your privacy and security.
Using the built-in configuration feature to set up your VPN, GrapheneOS supports the IKEv2/IPSec VPN protocol. That can be accessed by going to Settings > Network & Internet > VPN. To use a modern VPN protocol such as WireGuard, download a separate dedicated VPN app that offers other protocols and set it up from there. For example, installing the NordVPN app on your device allows you to gain access to NordLynx, which is NordVPN's custom implementation of the WireGuard protocol with added security features.
Keeping your on-device data safe using all the privacy-focused features of GrapheneOS is an excellent choice, but relying on that isn't enough. Safeguard your online browsing activities with a VPN since we live in an always-connected world of mobile devices. This can also protect against data snooping from your internet service provider (ISP). If you plan to use GrapheneOS long-term, pair it with one of the best VPNs to help keep your data secure. Third-party VPN app compatibility with GrapheneOS is not guaranteed, but try your favorite one to see how it works.
What devices does GrapheneOS support?
GrapheneOS only supports Google Pixel devices, which are often the best for developers because they meet the quality standards required for such a project. These include support for installing other operating systems, standard hardware-based security features (hardware-backed keystores, verified boot, and attestation), and input-output memory management units (IOMMUs).
With IOMMUs, the system can isolate components like the GPU and radios. The GrapheneOS developers ensure that all standard functionality works correctly and is tested for each release. This allows the public builds for supported Pixel devices to be as robust and stable as possible.
GrapheneOS officially supports the following Google Pixel devices:
- Pixel 8 and Pixel 8 Pro
- Pixel Fold
- Pixel Tablet
- Pixel 7a
- Pixel 7 and Pixel 7 Pro
- Pixel 6a
- Pixel 6 and Pixel 6 Pro
- Pixel 5a
GrapheneOS supports the Google Pixel 5a and above, including the newly released Google Pixel 8 and Google Pixel 8 Pro models. It also supports the Pixel Fold and Pixel Tablet, which is excellent news for a larger-screen Android-based experience. The Pixel 5 and 4a are currently on extended support, which means they will eventually lose official releases for GrapheneOS. When that happens, these device builds become obsolete and aren't updated by the official GrapheneOS team. That's not to say a third-party developer won't continue the project unofficially.
Installing GrapheneOS can boost your privacy and security
Installing GrapheneOS on your Google Pixel device can further protect your private data and increase on-device security. Doing so strips away all Google apps and services, limiting how much of your information is tracked across your installed apps. This also means you must readjust how you use your device by relying more on open source apps. To complete your experience with GrapheneOS, use a VPN to protect your online browsing activity. When you combine these methods, your personal data will be as safe as possible.
If you have a Google Pixel device and want to use it without the core Google apps and services, check out our guide on how to install GrapheneOS. We cover everything you need to know, including an initial checklist, the setup process, and tips to help you along the way.
