
GrapheneOS Features

GrapheneOS is a secure and private mobile operating system that offers excellent functionality and ease of use. It is built upon the robust foundation of the Android Open Source Project (AOSP) and is designed carefully to avoid expanding the attack surface or compromising the strong security framework. Through numerous thoughtfully crafted features aimed at defending against real threats, GrapheneOS significantly enhances both privacy and security. The project places a high priority on usability and app compatibility, ensuring these aspects are considered in all its features.


This page outlines the features currently implemented in GrapheneOS.


GrapheneOS

These are the features of GrapheneOS that go beyond what version 16 of the Android Open Source Project offers. This section focuses solely on our enhancements to AOSP and does not include baseline features. It does not mention features such as the standard app sandbox, verified boot, exploit mitigations (like ASLR, SSP, Shadow Call Stack, Control Flow Integrity, and others), the permission system (including foreground-only and one-time permission grants, scoped file access control, etc.), and similar elements. Instead, it highlights only our improvements to modern Android. We intend to create a separate page detailing the improvements we have contributed to Android, as those features are not included here even though they represent a significant part of our historical work.

USB-C Port Control

The USB-C port setting safeguards against attacks via USB-C while the operating system is running.


The feature offers five modes:


  • Off

  • Charging-only

  • Charging-only when locked

  • Charging-only when locked, except before first unlock

  • On


By default, it is set to Charging-only when locked, which greatly reduces the attack surface when the device is locked. Once locked, it immediately blocks any new USB connections through both USB-C and pogo pins at the hardware level by configuring the USB controller, and also at the OS level within the kernel to provide an additional layer of protection. It disables the data lines at the hardware level as soon as existing connections end, which occurs immediately if there were no active USB connections. It also disables USB-C alternate modes, including DisplayPort, at both the OS and hardware levels.


Our implementation is significantly more secure than Android's standard USB HAL toggle available to device admin apps. The standard feature only disables high-level USB handling in the OS. It does not block new USB connections or disable data lines at the hardware level. Furthermore, it keeps the USB-C and pogo pin protocols enabled in the OS and does not disable USB-C alternate modes. The standard feature either blocks or does not block USB at a high level, lacking the ability to block new connections and disable USB only after existing connections end. Other operating systems attempting to implement a similar feature using the standard toggle continue to allow new USB connections in the OS until all connections finish, unlike our two-phase approach used in the two Charging-only when locked modes.


The highest security Off mode disables charging along with data to eliminate the remaining attack surface from the USB controller and OS components supporting charging, including the USB-PD protocol. There is no risk of the device being unable to charge because this feature does not apply when the device is powered off, booted into firmware-based fastboot mode, or in charging mode, recovery, or fastbootd.
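The mode table and the two-phase behaviour above are easy to misread, so here is a small state machine that models them. This is an added illustration, not GrapheneOS code: the `Mode` names come from the list above, and the events (`lock`, `unlock`, `connect`, `disconnect`) and the three derived properties (`charging_enabled`, `new_connections_allowed`, `data_lines_enabled`) are this example's own way of expressing the policy, not an OS API.

```python
"""Model of the GrapheneOS USB-C port control modes described above.

Added illustration, not GrapheneOS code. It captures the decision logic
(mode x lock state x existing connections) so the two-phase behaviour of the
"Charging-only when locked" modes can be checked: new connections are refused
the moment the device locks, and the data lines go down once existing
connections have ended.
"""
from enum import Enum


class Mode(Enum):
    OFF = "Off"
    CHARGING_ONLY = "Charging-only"
    CHARGING_ONLY_WHEN_LOCKED = "Charging-only when locked"
    CHARGING_ONLY_WHEN_LOCKED_AFU = "Charging-only when locked, except before first unlock"
    ON = "On"


class UsbPort:
    """Tracks lock state and active USB connections and derives the port policy."""

    def __init__(self, mode=Mode.CHARGING_ONLY_WHEN_LOCKED):
        self.mode = mode
        self.locked = True
        self.before_first_unlock = True   # fresh boot: no profile unlocked yet
        self.active_connections = 0       # connections established while allowed

    # --- events -------------------------------------------------------
    def unlock(self):
        self.locked = False
        self.before_first_unlock = False

    def lock(self):
        self.locked = True

    def connect(self):
        """A device is plugged in; succeeds only if new connections are allowed."""
        if not self.new_connections_allowed():
            return False
        self.active_connections += 1
        return True

    def disconnect(self):
        if self.active_connections > 0:
            self.active_connections -= 1

    # --- derived policy ----------------------------------------------
    def charging_enabled(self):
        # Off is the only mode that also disables charging while the OS runs.
        return self.mode is not Mode.OFF

    def _data_blocked_by_lock_state(self):
        if self.mode in (Mode.OFF, Mode.CHARGING_ONLY):
            return True
        if self.mode is Mode.ON:
            return False
        if self.mode is Mode.CHARGING_ONLY_WHEN_LOCKED_AFU and self.before_first_unlock:
            return False   # the exception: data stays allowed until the first unlock
        return self.locked

    def new_connections_allowed(self):
        """Phase 1: new connections are refused as soon as the device locks."""
        return not self._data_blocked_by_lock_state()

    def data_lines_enabled(self):
        """Phase 2: data lines are cut once existing connections have ended."""
        if not self._data_blocked_by_lock_state():
            return True
        return self.active_connections > 0


if __name__ == "__main__":
    port = UsbPort()
    port.unlock()
    port.connect()
    port.lock()
    print("locked with a live connection: new allowed =", port.new_connections_allowed(),
          "data lines =", port.data_lines_enabled())
    port.disconnect()
    print("after it ends: data lines =", port.data_lines_enabled())
```

The contrast with the standard HAL toggle is visible in `lock()`: it never touches `data_lines_enabled()` directly, yet `new_connections_allowed()` flips immediately, which is exactly the separation the standard all-or-nothing toggle lacks.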

Improved Sandboxing

GrapheneOS enhances the app sandbox by strengthening the SELinux policy and seccomp-bpf policy, along with reinforcing components such as the kernel that implement the app sandbox and could potentially be exploited by attackers to escape it. While the main focus is on the app sandbox, improvements are also made to other sandboxes, including direct enhancements to the web browser renderer sandbox used by both the default browser and the WebView rendering engine provided by the OS, which is utilized by many other apps ranging from dedicated browsers to messaging applications.

More Complete Patching

GrapheneOS significantly improves security by addressing many unresolved vulnerabilities in Android. It quickly deploys the latest Linux kernel LTS point releases on GKI-supported devices, such as 6th and 7th generation Pixel phones. As of November 2023, GrapheneOS uses Linux 5.10.199, while the stock Pixel OS runs an older 5.10.157 version with fewer security patches. This proactive update strategy allows GrapheneOS to incorporate hundreds of relevant and security-related kernel patches ahead of stock releases. The team frequently discovers and reports new vulnerabilities affecting both generic Android and Pixel-specific code. They also identify overlooked patches, especially in device-specific components with partially shared codebases. While systemic privacy and security improvements are the main focus, addressing individual vulnerabilities remains essential to their work.

Sandboxed Google Play

GrapheneOS includes a compatibility layer that allows official Google Play releases to run within the standard app sandbox without granting special privileges or bypassing sandbox protections. Google Play operates like any other app within a user or work profile, accessible only within that profile and requiring explicit user permissions for data access or inter-app communication. The sandboxed Google Play offers near-complete compatibility with the Google Play ecosystem, although some inherently privileged features remain unavailable. Most Play services, including dynamically updated modules and Google Play Games components, work smoothly. Location requests are redirected to a GrapheneOS reimplementation of the Play geolocation service by default, with an option to use the standard Google network location service. The compatibility layer fully supports the Play Store, including in-app purchases, asset and feature delivery, and license checks, requiring user consent for installations and updates, and leveraging Android 12+ unattended updates for automatic app maintenance.

Android Auto

GrapheneOS provides an option to install and use the official releases of Android Auto.


Android Auto requires privileged access in order to work. GrapheneOS uses an extension of the sandboxed Google Play compatibility layer to make Android Auto work with a reduced level of privileges.

Network Permission Toggle

GrapheneOS has introduced a Network permission toggle that blocks all direct and indirect network access, including the device-local network (localhost), which matters for preventing communication between apps in different profiles. Unlike firewall-based approaches, this toggle also stops apps from reaching the network through OS APIs or through other apps in the same profile, provided those apps are properly marked. When the Network permission is disabled, GrapheneOS simulates a network outage: it reports the network as unavailable through the connectivity APIs, returns connectivity errors rather than permission denials, and blocks scheduled jobs that require network access. Apps therefore behave as they would during a real outage instead of crashing or showing errors about denied permissions.

Sensors Permission Toggle

GrapheneOS introduces a sensors permission toggle that blocks access to all sensors not covered by existing Android permissions, such as accelerometers, gyroscopes, compasses, barometers, and thermometers. When disabled, apps receive zeroed data and no sensor events, enhancing user privacy. To improve usability, GrapheneOS notifies users when apps attempt to access blocked sensors, allowing users to monitor such activity easily. By default, this permission is enabled to maintain compatibility with Android apps. Users can disable the sensors permission for installed apps via Settings > Security & privacy > More security & privacy, and the notifications triggered by denied access can be turned off for convenience.

Storage Scopes

GrapheneOS offers Storage Scopes as a fully compatible alternative to standard Android storage permissions. Rather than granting explicit storage permissions, users can enable Storage Scopes, which make the app behave as if it has all requested storage permissions. On Android, even without storage permissions, an app can create files and directories and access those it created. Additionally, users can add files and directories as storage scopes, allowing the app to access files created by other apps. This approach enhances privacy and control over app storage access while maintaining compatibility with Android's permission system.

Contact Scopes

GrapheneOS provides Contact Scopes as an alternative to granting the Contacts permission. By default, it acts as if the contacts list is empty and users can grant different kinds of access to specific contacts or groups of contacts.

Broad Carrier Support Without Invasive Carrier Access

GrapheneOS offers wider carrier support than AOSP and closely aligns with the stock OS on Pixel devices without compromising user experience. The CarrierConfig2 project and scripts convert GrapheneOS’s APN, carrier configuration, MMS, and visual voicemail databases into AOSP-compatible formats. The process removes restrictive settings such as mandatory tethering provisioning and disabling 2G, enhancing user control. Additionally, invasive carrier-specific apps and support for Open Mobile Alliance Device Management (OMA DM) are excluded, along with any configurations that depend on them. This approach ensures broader compatibility while maintaining privacy and user autonomy.

LTE-Only Mode

GrapheneOS provides an LTE-only mode that reduces cellular radio attack surface by disabling enormous amounts of both legacy code (2G, 3G) and bleeding-edge code (5G).

Wi-Fi Privacy

GrapheneOS enhances privacy by supporting per-connection MAC randomization, which is enabled by default and offers better privacy than the standard persistent per-network random MAC used in modern Android. This method flushes the DHCP client state before reconnecting to prevent revealing the device's identity across connections. Additionally, GrapheneOS fixes critical flaws in the Linux kernel's IPv6 privacy address implementation that could expose device identifiers across different networks. These fixes are necessary for earlier kernel LTS branches but are not required for Pixel 6 and later devices, as the issue has been resolved upstream in their Linux kernel versions. Overall, these measures strengthen device anonymity and network privacy on GrapheneOS.
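To make the difference between per-network and per-connection randomization concrete, here is an added example (not GrapheneOS or Android code) that generates addresses under both policies. The per-network variant derives a stable address from the network name and a device secret with HMAC; that derivation is this example's construction to show the stability property, not Android's actual algorithm. Both variants produce locally administered unicast addresses as IEEE 802 requires.

```python
"""Per-connection versus per-network MAC randomization.

Added example, not GrapheneOS or Android code. A per-network address is
derived deterministically from the SSID and a per-device secret (assumed here
to be an HMAC key), so the same network sees the same address on every visit.
A per-connection address is drawn fresh each time, so nothing ties two
connections together.
"""
import hashlib
import hmac
import secrets


def _format(raw6):
    # Clear the multicast bit (bit 0 of the first octet) and set the
    # locally-administered bit (bit 1) so the address is a valid randomized
    # unicast address that cannot collide with an OUI-assigned hardware MAC.
    first = (raw6[0] & 0xFC) | 0x02
    return ":".join(f"{b:02x}" for b in (first,) + tuple(raw6[1:]))


def random_mac_per_connection():
    """Fresh random address for every connection (the GrapheneOS default)."""
    return _format(secrets.token_bytes(6))


def random_mac_per_network(device_secret, ssid):
    """Stable pseudo-random address per network, keyed by a device secret."""
    digest = hmac.new(device_secret, ssid.encode(), hashlib.sha256).digest()
    return _format(digest[:6])


def is_locally_administered_unicast(mac):
    """True if the first octet has the local bit set and the multicast bit clear."""
    first = int(mac.split(":")[0], 16)
    return (first & 0x03) == 0x02


def addresses_seen(ssid, visits, per_connection, device_secret=b""):
    """How many distinct addresses one network observes over `visits` connections."""
    seen = set()
    for _ in range(visits):
        if per_connection:
            seen.add(random_mac_per_connection())
        else:
            seen.add(random_mac_per_network(device_secret, ssid))
    return len(seen)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed device secret
    print("per-network, 5 visits:", addresses_seen("CoffeeShop", 5, False, key))
    print("per-connection, 5 visits:", addresses_seen("CoffeeShop", 5, True))
```

The `addresses_seen` count is the privacy-relevant number: with the per-network policy an access point can recognise a returning device across visits, with the per-connection policy it cannot, which is why GrapheneOS also flushes the DHCP client state so the lease or client identifier does not reintroduce the link.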

Network Location

GrapheneOS offers an opt-in network-based location feature that detects location via nearby networks, enhancing indoor and urban positioning where GNSS struggles. Unlike Google's server-side estimation, GrapheneOS uses a local caching system that stores location data for up to 15 minutes, enabling offline use after initial data retrieval. This method only sends network identifiers once, preserving privacy by not sending distance estimates repeatedly. The system primarily relies on Wi-Fi Access Points, with cell towers as fallback, and does not prioritize Bluetooth beacon support due to its limited relevance. Users can currently choose between a proxy to Apple’s service or direct access, while GrapheneOS is developing its own multi-source database to enable fully offline location services without needing to send network identifiers.

Private Screenshots

GrapheneOS enhances privacy by disabling sensitive metadata in screenshots that is normally included on Android devices. Standard Android screenshots embed an EXIF Software tag revealing detailed OS build and version information, which can expose the OS type, version, and device family. GrapheneOS completely removes this tag to prevent such leaks. Additionally, Android screenshots typically contain EXIF data for local date, time, and timezone offset, which can reveal time and approximate location. GrapheneOS disables this metadata by default to protect user privacy. Instead, the visible screenshot file name contains date and time information that users can modify without extra tools. For users who prefer to retain this metadata, GrapheneOS offers a toggle in Settings under Security & Privacy for re-enabling it. This approach balances privacy with user control over metadata visibility.
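A practitioner wanting to verify this on their own screenshots can inspect the PNG directly. The following is an added example, not GrapheneOS code: it walks the PNG chunk list, parses the TIFF structure inside an eXIf chunk and reports the Software, DateTime and OffsetTime tags, and `strip_exif()` removes the chunk entirely. The sample PNG is constructed in memory with invented tag values so the script runs offline; the tag numbers are the standard TIFF/EXIF ones.

```python
"""Check a PNG screenshot for the EXIF tags discussed above.

Added example, not GrapheneOS code. exif_leaks() reports the Software,
DateTime and OffsetTime tags found in an eXIf chunk; strip_exif() drops the
chunk. make_sample_screenshot() builds a constructed 1x1 PNG with invented
values so the check can be exercised without a real device.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# EXIF tag ids of interest (standard TIFF/EXIF numbering) and the TIFF ASCII type
TAGS = {0x0131: "Software", 0x0132: "DateTime", 0x9010: "OffsetTime"}
EXIF_IFD_POINTER = 0x8769
ASCII = 2


def iter_chunks(png):
    """Yield (type, data) for every chunk of a PNG byte string."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 crc


def _parse_ifd(tiff, offset, order, found):
    """Collect ASCII values of interesting tags from one IFD, following the EXIF sub-IFD."""
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    for i in range(count):
        entry = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        tag, ttype, n, raw = struct.unpack(order + "HHI4s", entry)
        if tag == EXIF_IFD_POINTER:
            _parse_ifd(tiff, struct.unpack(order + "I", raw)[0], order, found)
        elif tag in TAGS and ttype == ASCII:
            # values of 4 bytes or fewer are stored inline, longer ones at an offset
            start = struct.unpack(order + "I", raw)[0] if n > 4 else None
            value = raw[:n] if start is None else tiff[start:start + n]
            found[TAGS[tag]] = value.rstrip(b"\0").decode("ascii", "replace")


def exif_leaks(png):
    """Return {tag name: value} for the leak-relevant tags; {} means the file is clean."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"eXIf":  # raw TIFF: byte-order mark, magic 42, IFD0 offset
            order = {b"II": "<", b"MM": ">"}[data[:2]]
            _parse_ifd(data, struct.unpack(order + "I", data[4:8])[0], order, found)
    return found


def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def strip_exif(png):
    """Rebuild the PNG with every eXIf chunk dropped (other chunks copied as-is)."""
    return PNG_SIGNATURE + b"".join(_chunk(t, d) for t, d in iter_chunks(png) if t != b"eXIf")


def _tiff(ifd0_entries, exif_entries):
    """Build a little-endian TIFF blob: IFD0 (plus EXIF sub-IFD pointer), EXIF IFD, string area."""
    n0, n1 = len(ifd0_entries) + 1, len(exif_entries)
    exif_off = 8 + 2 + 12 * n0 + 4
    strings_off = exif_off + 2 + 12 * n1 + 4
    strings = bytearray()

    def entry(tag, text):
        val = text.encode("ascii") + b"\0"
        if len(val) <= 4:
            raw = val.ljust(4, b"\0")
        else:
            raw = struct.pack("<I", strings_off + len(strings))
            strings.extend(val)
        return struct.pack("<HHI4s", tag, ASCII, len(val), raw)

    ifd0 = struct.pack("<H", n0) + b"".join(entry(t, v) for t, v in ifd0_entries)
    ifd0 += struct.pack("<HHI4s", EXIF_IFD_POINTER, 4, 1, struct.pack("<I", exif_off))
    ifd0 += struct.pack("<I", 0)  # no next IFD
    exif = struct.pack("<H", n1) + b"".join(entry(t, v) for t, v in exif_entries) + struct.pack("<I", 0)
    return b"II*\0" + struct.pack("<I", 8) + ifd0 + exif + bytes(strings)


def make_sample_screenshot():
    """Constructed 1x1 PNG carrying the kind of tags a stock screenshot embeds (invented values)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    tiff = _tiff([(0x0131, "EXAMPLE-OS/device/build:1.0"), (0x0132, "2024:01:02 03:04:05")],
                 [(0x9010, "+02:00")])
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"eXIf", tiff) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    sample = make_sample_screenshot()
    print("before:", exif_leaks(sample))
    print("after: ", exif_leaks(strip_exif(sample)))
```

Run `exif_leaks(open("screenshot.png", "rb").read())` on a real file: on GrapheneOS with the default setting the result should be empty, while a screenshot with the metadata toggle re-enabled will report the date and time tags but still no Software tag.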

Closed Device Identifier Leaks

GrapheneOS addresses significant device identifier leaks that bypass Android's safeguards against apps uniquely identifying devices. Its secure application spawning system enhances protection against exploitation and also improves privacy by preventing secrets used in exploit mitigations like ASLR from serving as persistent device identifiers across app profiles until reboot. While some side channels for device identification remain, this system fixes most known direct leaks. Additionally, GrapheneOS closes several gaps that allow apps to access hardware identifiers, especially by enforcing stricter restrictions on apps targeting older Android versions. These measures collectively strengthen device privacy and security beyond standard Android protections.

Privacy by Default

GrapheneOS prioritizes privacy and security by excluding Google apps and services by default, allowing users to add them as sandboxed apps without special privileges through an optional sandboxed Google Play feature. The OS defaults to privacy-focused settings, such as disabling personalized keyboard suggestions, hiding sensitive notifications on the lockscreen, and masking passwords during entry. It reduces attack surfaces by limiting exposure of unnecessary radios and mitigating potential hardware privacy bugs. GrapheneOS uses its own servers for services like connectivity checks, attestation key provisioning, GNSS almanac downloads, network time, and component updates, with toggles to revert to Google servers if desired. The system also improves SUPL privacy by routing it through a proxy by default, offering users control to switch to carrier SUPL servers or disable the service. These features help GrapheneOS provide a secure, privacy-respecting mobile experience while giving users explicit control over Google service usage.

PIN Scrambling

GrapheneOS adds a toggle for enabling PIN scrambling to raise the difficulty of figuring out the PIN being entered by a user either due to physical proximity or a side channel. PIN scrambling is applied to both the lock screen and SIM PIN/PUK.

Two-Factor Fingerprint Unlock

GrapheneOS introduces a feature that requires users to enter a second-factor PIN after unlocking their device with a fingerprint on the lockscreen. This enhancement allows biometric unlock to serve as a convenient secondary method, while a strong passphrase remains the primary security measure. Users can thus benefit from the ease of fingerprint authentication combined with the added security of a short PIN as a secondary verification step. Incorrect PIN entries are counted towards the device's standard lockout attempt limits, maintaining security against unauthorized access. This approach balances convenience and security by integrating multi-factor authentication on the lockscreen.

Supports Longer Passwords

GrapheneOS supports setting longer passwords by default: 128 characters instead of 16 characters. This avoids the need to use a device manager to enable this functionality.


This feature allows users to make use of diceware passwords if they don't want to depend on the security of the secure element, which provides very aggressive throttling and offers a high level of security even for a random 6 digit PIN.

Auto Reboot

GrapheneOS includes an auto-reboot feature that restarts locked devices after a set time to ensure data remains secure. Each time the device locks, a countdown begins, and if no successful unlock occurs before it ends, the device reboots. Unlocking any user profile cancels this timer, not just the Owner profile. The default timer is 18 hours but can be adjusted from 10 minutes to 72 hours or disabled entirely. This feature does not activate during the "Before First Unlock" state, preventing continuous reboot loops since data is already secured then. It is integrated into the init process, making it resistant to bypass attempts via system crashes, as such crashes trigger a kernel panic and reboot.
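The interaction between the countdown, profile unlocks and the "Before First Unlock" state is the part people most often get wrong, so here is a small model of it. This is an added illustration, not GrapheneOS code: the values (18 h default, 10 min to 72 h range, `None` meaning disabled) come from the paragraph above, while the method names and the explicit `now` clock parameter are this example's own.

```python
"""Model of the auto-reboot countdown described above.

Added illustration, not GrapheneOS code. Time is passed in explicitly (seconds
on any monotonic clock) so the logic can be tested without waiting. The
defaults and limits follow the text: 18 h default, 10 min to 72 h, or None to
disable the feature entirely.
"""
MIN_TIMEOUT = 10 * 60
MAX_TIMEOUT = 72 * 3600
DEFAULT_TIMEOUT = 18 * 3600


def is_valid_timeout(timeout):
    """None disables the feature; otherwise the value must be within the allowed range."""
    return timeout is None or MIN_TIMEOUT <= timeout <= MAX_TIMEOUT


class AutoReboot:
    def __init__(self, timeout=DEFAULT_TIMEOUT):
        if not is_valid_timeout(timeout):
            raise ValueError("timeout must be 10 min to 72 h, or None to disable")
        self.timeout = timeout
        self.before_first_unlock = True  # fresh boot: data at rest is still sealed
        self.deadline = None

    def unlock(self, profile):
        """A successful unlock of any profile (not only Owner) cancels the countdown."""
        self.before_first_unlock = False
        self.deadline = None

    def lock(self, now):
        """Start the countdown; no-op before first unlock (data already at rest) or when disabled."""
        if self.before_first_unlock or self.timeout is None:
            return
        self.deadline = now + self.timeout

    def should_reboot(self, now):
        return self.deadline is not None and now >= self.deadline

    def reboot(self):
        """After a reboot the device is back in BFU, so the timer is not re-armed."""
        self.before_first_unlock = True
        self.deadline = None


if __name__ == "__main__":
    ar = AutoReboot()
    ar.unlock("Owner")
    ar.lock(now=0)
    print("reboot due after 18h?", ar.should_reboot(now=18 * 3600))
```

The `before_first_unlock` guard in `lock()` is what prevents the reboot loop the text mentions: after the reboot the device is locked but already at rest, so no new countdown begins until someone unlocks a profile.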

Clearing Sensitive Data from Memory

GrapheneOS enhances security by adding zeroing of freed memory to both userspace and kernel allocators, which clears sensitive data promptly and defends against exploits. Android's regular compaction of frozen cached and background apps uses full compacting garbage collection (GC) paired with malloc memory freeing, benefiting from these zeroing features. When the device locks, GrapheneOS triggers full compacting GC for SystemUI and system_server processes to release unused memory back to the OS, ensuring sensitive data like PINs and keys are cleared quickly. This approach builds on Android’s standard method of running full compacting GC after unlocking to remove sensitive remnants. Additionally, GrapheneOS modifies reboot processes to ensure memory is cleared by kernel page and slab allocator zeroing, complementing its auto-reboot feature that clears all OS memory for enhanced security.

Duress PIN/Password

GrapheneOS allows users to set a duress PIN or password that triggers an irreversible device wipe, including any installed eSIMs, when entered anywhere device credentials are requested, such as the lockscreen or OS prompts. This wipe happens instantly without needing a reboot and cannot be stopped. Users can configure this feature in Settings > Security & privacy > Device unlock > Duress Password within the owner profile. The duress PIN is used exclusively for PIN entry, while the duress password is for password entry; both are required to accommodate different unlock methods across profiles. The duress PIN also triggers a wipe when entered as the two-factor fingerprint unlock PIN but not as the SIM PIN. Importantly, if the duress PIN or password matches the regular unlock method, the device will unlock normally without wiping, as the actual unlock takes precedence.

More Secure Fingerprint Unlock

GrapheneOS enhances fingerprint unlock security by limiting users to only 5 total attempts, unlike the standard approach of allowing 20 attempts with a 30-second delay after every 5 failures. This reduces the number of potential unlock tries and allows easy disabling of fingerprint unlock by deliberately failing 5 times with a different finger. Additionally, GrapheneOS introduces the option to use the fingerprint scanner solely for app authentication and unlocking hardware keystore keys, by disabling its use for device unlocking. This functionality parallels the existing feature for Android's face unlock system, providing more granular control over biometric authentication methods. These improvements collectively strengthen device security and user control over biometric access.

Improved User Profiles

Android user profiles are isolated environments with separate app instances, data, and encryption keys, preventing apps from accessing other profiles without consent. GrapheneOS enhances this by increasing the limit of secondary profiles from 4 to 32, allowing greater flexibility. It enables logging out of profiles without device manager control, which deactivates apps and clears encryption keys for security. Additionally, GrapheneOS introduces a toggle to disable app installation in secondary profiles, a feature typically reserved for managed devices but now available to device owners. It also supports installing apps already present in the Owner profile into secondary profiles without redownloading, improving app management. Notification forwarding from background profiles to the active user is supported but disabled by default, with users able to enable it per profile for convenience. These improvements make user profile management more secure and user-friendly.

GrapheneOS & Google Play App Stores

GrapheneOS features a custom app store client designed for security, minimalism, and usability, which accesses their first-party app repository. This repository currently distributes GrapheneOS's own apps as well as a version of Google Play for the sandboxed Google Play feature. Looking ahead, it will also host first-party GrapheneOS builds of externally developed open source apps, enhanced with additional hardening for improved security. This approach aims to maintain control over app distribution while ensuring apps meet GrapheneOS's stringent security and usability standards. Both app stores can be used on the device at the same time.

GrapheneOS Camera

GrapheneOS Camera is a modern camera app with a great user interface and a focus on privacy and security.

GrapheneOS PDF Viewer

GrapheneOS PDF Viewer is a sandboxed, hardened PDF viewer using HiDPI rendering with features like pinch to zoom, text selection, viewing encrypted PDFs, etc.

Setup Wizard

The device features a custom Setup Wizard for initial setup and user profiles, similar to the Pixel OS wizard but with enhanced security. It detects an unlocked bootloader early, warning users and offering a reboot to fastboot mode for locking the device. To ensure users notice this warning, skipping it requires waiting through a timer. By default, the wizard disables OEM unlocking at the end, though users can opt out, reducing the attack surface. Future updates will add improved lock methods, including two-factor fingerprint authentication and automatic generation of random diceware passphrases and PINs, enhancing overall device security.

Encrypted Backups

Seedvault offers encrypted backups through integration with local storage and any cloud provider that has a compatible storage app. Originally developed by a GrapheneOS community member for inclusion in their operating system, Seedvault is currently used as the best available solution for encrypted backups. However, the project has been taken over by a different group whose goals and approach differ from those of GrapheneOS. Consequently, GrapheneOS plans to replace Seedvault with a new implementation in the future. Meanwhile, they have incorporated Seedvault with several security fixes to address upstream issues and provide users with reliable encrypted backup support.

Location Data Access Indicator

GrapheneOS enhances location privacy by enabling a location access indicator similar to the standard Android camera and microphone indicators. Unlike Android 13, where the location indicator is a developer option and only signals high power GNSS requests, GrapheneOS displays the indicator for all location data accesses via any APIs. This includes network location and other sources controlled by location permissions and global toggles. The indicator appears as a bright green icon during access and minimizes to a small green dot when the quick settings tray is closed, mirroring the behavior of camera and microphone indicators. Additionally, Android 12 integrates location data into the privacy dashboard alongside other runtime permissions, allowing users to review access history. GrapheneOS also addresses user experience issues in the existing AOSP implementation to improve usability.

User Installed Apps can be Disabled

GrapheneOS now supports disabling user-installed apps, not just system apps. This feature lets users fully prevent an installed app from running without uninstalling it and losing app data. It offers stricter control compared to the standard force stop, which only stops an app from starting on its own. Unlike force stop, disabled apps cannot restart even if another app tries to access their activities or services. This enhancement gives users more effective management over their apps, improving privacy and control on their devices.

Improved VPN Leak Blocking

GrapheneOS significantly enhances Android's protection against VPN leaks by addressing vulnerabilities in both built-in VPN support and VPN apps when the "Block connections without VPN" toggle is enabled. It prevents DNS queries from leaking to network-provided DNS servers during VPN downtime, fully blocking unicast DNS leaks by extending leak protection to the system resolver. GrapheneOS also stops processes and apps from bypassing VPNs via multicast packets, using extended eBPF filtering and disabling mDNS connections when VPN lockdown is active. Additionally, it improves privacy by managing VPN configurations across profiles, blocking unauthorized multicast packet sending through VPN tunnels of other profiles. The OS also fixes a loophole in Android’s eBPF firewall that allowed VPN bypass via specific interface calls. Despite these improvements, GrapheneOS considers VPN leak protection a work in progress due to remaining minor issues.

Other Features

GrapheneOS also includes many smaller security and privacy improvements:

  • File name padding is increased from 16 to 32 bytes to reduce information leakage.

  • Firmware security visibility is improved with version and configuration checks.

  • Network time updates are authenticated via a first-party server to prevent tampering, with proper support for disabling these updates.

  • The build and signing infrastructure is hardened, and the OS update system is seamless with automatic rollback support.

  • Sensitive functions reached through quick tiles require unlocking the device first.

  • The OS includes a minimal set of bundled apps, recommending apps rather than hard-wiring them.

  • Wireless alerts are optional, addressing misuse in some regions.

  • Certain root certificate authorities are removed.

  • Android 12 PendingIntent security is enhanced for compatibility.

  • Debug warnings and prototype device alerts are fixed.

  • Bootloader and partition checks are enabled.

  • Location permission is tightened for system browsers.

  • Apps without storage permission can't access user directories.

  • The screenshot shutter sound is toggleable.

  • System clock precision is improved for time-based protocols.

  • Call recording is integrated without regional restrictions.

  • Package installer behavior preserves disabled apps after updates.

  • VPN settings default to "Always-on" and "Block connections without VPN".

  • Permission prompts include a delay to prevent accidental approvals.
