GrapheneOS feature overview
This is an overview of the current set of features differentiating GrapheneOS from the Android Open Source Project (AOSP). This page does not currently cover any of our historical features that are either not yet reimplemented or which became obsolete due to improvements in AOSP. Each major release of AOSP brings substantial privacy and security improvements, some of which have been based on our research and development work.
GrapheneOS is based on the Android 11 release of the Android Open Source Project which provides a strong baseline for privacy and security. GrapheneOS takes great care to preserve the baseline privacy and security, including taking full advantage of all of the standard hardware features. The privacy and security features inherited from AOSP and the hardware are not covered here. Documentation on that will be gradually added elsewhere on our site.
Partial list of GrapheneOS features beyond what AOSP 11 provides:
- Hardened app runtime
- Stronger app sandbox
- Hardened libc providing defenses against the most common classes of vulnerabilities (memory corruption)
- Our own hardened malloc (memory allocator) leveraging modern hardware capabilities to provide substantial defenses against the most common classes of vulnerabilities (heap memory corruption) along with reducing the lifetime of sensitive data in memory. The hardened_malloc README has extensive documentation on it. The hardened_malloc project is portable to other Linux-based operating systems and is being adopted by other security-focused operating systems like Whonix. Our allocator also heavily influenced the design of the next-generation musl malloc implementation which offers substantially better security than musl's previous malloc while still having minimal memory usage and code size.
- Hardened compiler toolchain
- Hardened kernel
- Prevention of dynamic native code execution in-memory or via the filesystem for the base OS without going via the package manager, etc.
- Filesystem access hardening
- Enhanced verified boot with better security properties and reduced attack surface
- Enhanced hardware-based attestation with more precise version information
- Eliminates remaining holes for apps to access hardware-based identifiers
- Greatly reduced remote, local and proximity-based attack surface by stripping out unnecessary code, making more features optional and disabling optional features by default (NFC, Bluetooth, etc.) or when the screen is locked (connecting new USB peripherals, camera access)
- Low-level improvements to the filesystem-based full disk encryption used on modern Android
- Support for logging out of user profiles without needing a device manager: makes them inactive so that they can't continue running code while using another profile and purges the disk encryption keys (which are per-profile) from memory and hardware registers
- Support longer passwords by default without a device manager
- Stricter implementation of the optional fingerprint unlock feature permitting only 5 attempts rather than 20 before permanent lockout (our recommendation is still keeping sensitive data in user profiles without fingerprint unlock)
- PIN scrambling option
- LTE-only mode to reduce cellular radio attack surface by disabling enormous amounts of legacy code
- Default enabled per-connection MAC randomization as an improvement over Android's default per-network MAC randomization reusing the same MAC address until the DHCP lease with that network expires (can still use the standard implementation or fully disable it)
- Vanadium: hardened WebView and default browser - the WebView is what most other apps use to handle web content, so you benefit from Vanadium in many apps even if you choose another browser
- Hardware-based security verification and monitoring: the Auditor app app and attestation service provide strong hardware-based verification of the authenticity and integrity of the firmware/software on the device. A strong pairing-based approach is used which also provides verification of the device's identity based on the hardware backed key generated for each pairing. Software-based checks are layered on top with trust securely chained from the hardware. For more details, see the about page and tutorial.
- PDF Viewer: sandboxed, hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection, etc.
- Encrypted backups via integration of the Seedvault app with support for local backups and any cloud storage provider with a storage provider app
- Secure application spawning system avoiding sharing address space layout and other secrets across applications
- Network permission toggle disallowing both direct and indirect network access, superior to a purely firewall-based implementation only disallowing direct access to the network without covering inter-process communication (enabled by default for compatibility)
- Sensors permission toggle: disallow access to all other sensors not covered by existing Android permissions (enabled by default for compatibility)
- Authenticated encryption for network time updates via a first party server to prevent attackers from changing the time and enabling attacks based on bypassing certificate / key expiry, etc.
- Proper support for disabling network time updates rather than just not using the results
- Connectivity checks via a first party server with the option to revert to the standard checks
- Hardened local build / signing infrastructure
- Seamless automatic OS update system that just works and stays out of the way in the background without disrupting device usage, with full support for the standard automatic rollback if the first boot of the updated OS fails
- Require unlocking to access sensitive function via quick tiles
- Minor changes to default settings to prefer privacy over small conveniences: personalized keyboard suggestions based on gathering input history are disabled by default, sensitive notifications are hidden on the lockscreen by default and passwords are hidden during entry by default
Service infrastructure features:
- Strict privacy and security practices for our infrastructure
- Unnecessary logging is avoided and logs are automatically purged after 10 days
- Services hosted on OVH without involving any additional parties for CDNs, mirrors or other services - we don't outsource to others
- Our services are built with open technology stacks to avoid being locked in to any particular hosting provider or vendor
- Open documentation on our infrastructure including listing out all of our services, guides on making similar setups, published configurations for each of our web services, etc.
- No proprietary services
- Authenticated encryption for all of our services
- Strong cipher configurations for all of our services (SSH, TLS, etc.) with only modern AEAD ciphers providing forward secrecy
- Our web services use OCSP stapling with Must-Staple
- DNSSEC implemented for all of our domains, which is particularly important for securing email due to it relying on DNS records
- DANE TLSA records for pinning keys for all our TLS services (mostly helps to secure email due to lack of browser support)
- Our mail server enforces DNSSEC/DANE to provide authenticated encryption when sending mail including alert messages from the attestation service
- SSHFP across all domains for pinning SSH keys
- Static key pinning for our services in apps like Auditor
- No cookies or similar client-side state for anything other than login sessions, which are set up via SameSite=strict cookies and have server-side session tracking with the ability to log out of other sessions
- scrypt-based password hashing (likely Argon2 when the available implementations are more mature)
Beyond the technical features of the OS:
- Collaborative, open source project with a very active community and contributors
- Can make your own builds and make desired changes, so you aren't stuck with the decisions made by the upstream project
- Non-profit project avoiding conflicts of interest by keeping commercialization at a distance. Companies support the project rather than the project serving the needs of any particular company
- Strong privacy policies