GrapheneOS is an open source privacy and security focused mobile OS with Android app compatibility. It's focused on the research and development of privacy and security technology including substantial improvements to sandboxing, exploit mitigations and the permission model. GrapheneOS also develops various apps and services with a focus on privacy and security.
GrapheneOS is a collaborative open source project, not a company. It's used and supported by a variety of companies and other organizations. It won't be closely tied to any company in particular. There will eventually be a non-profit GrapheneOS foundation, but for now the developers represent the project.
GrapheneOS has made substantial contributions to the privacy and security of the Android Open Source Project, along with contributions to the Linux kernel, LLVM, OpenBSD and other projects.
The official GrapheneOS releases are supported by the Auditor app and attestation service for hardware-based attestation. For more details, see the about page and tutorial. These also support other operating systems.
GrapheneOS was founded by Daniel Micay in late 2014. It started as a solo project incorporating his previous open source privacy/security work. The project initially created a port of OpenBSD malloc to Android's Bionic libc and a port of the PaX kernel patches to the kernels for the supported devices. It quickly expanded to having a large set of homegrown privacy and security improvements, particularly low-level hardening work on the compiler toolchain and Bionic. Work began on landing code upstream in AOSP and other upstream projects. A substantial portion of these early changes were either successfully landed upstream or heavily influenced the upstream changes which replaced them. The project was able to move very quickly in these days because there was so much low hanging fruit to address and it wasn't yet trying to produce a highly robust, production quality OS.
In late 2015, a company was incorporated which became the primary sponsor of the project. The intention was to use the company to build a business around GrapheneOS selling support, contract work and customized proprietary variants of the OS. The company was supposed to serve the needs of the open source project, rather than vice versa. It was explicitly agreed that GrapheneOS would remain independently owned and controlled by Daniel Micay. This company failed to live up the promises and is no longer associated in any way with GrapheneOS.
In 2018, the former sponsor attempted to take over the project through coercion, but they were rebuked. They seized the infrastructure and stole the donations, but the project successfully moved on without them and has been fully revived. Since then, they've taken to fraudulently claiming ownership and authorship of our work, which has no basis in fact. They've tried to retroactively change the terms of their involvement and rewrite the history of the project. These claims are easily falsified through the public record and by people involved with the open source project and the former sponsor. This former sponsor has engaged in a campaign of misinformation and harassment of contributors to the project. Be aware that they are actively trying to sabotage GrapheneOS and are engaging in many forms of attacks against the project, the developers, contributors and supporters. Meanwhile, they continue profiting from our open source work which they falsely claim as their own creation.
After splitting from the former sponsor, the project was rebranded to AndroidHardening and then to GrapheneOS and it has continued down the original path of being an independent open source project. It will never again be closely tied to any particular sponsor or company.
The copyright for GrapheneOS code is entirely owned by the GrapheneOS developers and is made available under OSI-approved Open Source licenses. The upstream licensing is inherited for the modifications to those projects and MIT licensing is used for our own standalone projects. GrapheneOS has never had any copyright assignment and the developers have always owned their own contributions.
The tiny portion of the code written by people under contract with the former sponsor has not been included in the project since it was ported from Android Oreo to Pie in 2018. This code became obsolete and was no longer useful. The vast majority of the code from the previous era was owned by Daniel Micay, with very few exceptions. It was never written under any contracts or employment agreements, was never assigned to any company or organization and was the continuation of the original independent open source project. The code was originally published under the same permissive open source licenses that are used by GrapheneOS today. Only a small portion of this historical code is actually still in use today. Most has become obsolete or has been replaced by rewrites taking better approaches than in the past.
There was an era from September 2016 until the project split from the former sponsor in 2018 where non-commercial usage licensing was used for revisions to the existing permissively licensed code. This was an attempt to prop up the sponsor that was supposed to be supporting the open source project. This did not impact ownership of the code and Daniel Micay has relicensed the portions of the code that are used by GrapheneOS. GrapheneOS does not contain any code based on code under non-commercial usage licensing. Great care was taken to avoid pulling in anything that was not solely owned by Daniel Micay, which was the case for nearly everything in the project.
Details on the roadmap of the project will be posted on the site in the near future.
To get an idea of the near term roadmap, check out the issue trackers. The vast majority of the issues filed in the trackers are planned enhancements, with care taken to make sure all of the issues open in the tracker are concrete and actionable.
In the long term, GrapheneOS aims to move beyond a hardened fork of the Android Open Source Project. Achieving the goals requires moving away from relying the Linux kernel as the core of the OS and foundation of the security model. It needs to move towards a microkernel-based model with a Linux compatibility layer, with many stepping stones leading towards that goal including adopting virtualization-based isolation.
The initial phase for the long-term roadmap of moving away from the current foundation will be to deploy and integrate a hypervisor like Xen to leverage it for reinforcing existing security boundaries. Linux would be running inside the virtual machines at this point, inside and outside of the sandboxes being reinforced. In the longer term, Linux inside the sandboxes can be replaced with a compatibility layer like gVisor, which would need to be ported to arm64 and given a new backend alongside the existing KVM backend. Over the longer term, i.e. many years from now, Linux can fade away completely and so can the usage of virtualization. The anticipation is that many other projects are going to be interested in this kind of migration, so it's not going to be solely a GrapheneOS project, as demonstrated by the current existence of the gVisor project and various other projects working on virtualization deployments for mobile. Having a hypervisor with verified boot still intact will also provide a way to achieve some of the goals based on extensions to Trusted Execution Environment (TEE) functionality even without having GrapheneOS hardware.
Hardware and firmware security are core parts of the project, but it's currently limited to research and submitting suggestions and bug reports upstream. In the long term, the project will need to move into the hardware space.