
GrapheneOS is commonly billed as the world’s most secure mobile operating system, offering a level of privacy and security that is unmatched, but does it live up to the hype?
Users have grown increasingly wary of Big Tech, thanks to rampant privacy abuses by many companies, as well as the danger of relying on a few companies for privacy and security. This was recently illustrated by the UK trying to force Apple to backdoor its encryption for all users worldwide. As a result, open-source alternatives are growing in popularity, giving users true choice and greater control over their security and privacy.
I have personally used GrapheneOS for years on multiple devices and promoted it to others, both online and offline. In this review, however, we look at GrapheneOS, what it is, the security and privacy it offers, why users should consider it, and a word of caution.
What Is GrapheneOS?
GrapheneOS (or Graphene) is based on the Android Open Source Project (AOSP). It may be a surprise to some that Android is not a single monolithic operating system provided and controlled by Google. Instead, there are several different flavors of Android, all based on AOSP, with Google’s Android being the most common and well-known. Google takes AOSP, adds its proprietary bits, Play Services, and everything Google to collect the data it relies on for its advertising business, and bundles it as the stock Android most people are familiar with.
There are a number of projects that take AOSP and use it to build a de-Googled version of Android that offers more privacy and security than Google’s stock version. GrapheneOS, CalyxOS, LineageOS, IodéOS, and /e/OS are the most common.
What Sets GrapheneOS Apart?
A number of Android flavors inherit the strong security protections provided by AOSP, and some of them take additional measures to boost security and keep data out of the hands of Google and Big Tech. Graphene, however, takes things much further.
Graphene is designed from the ground up to provide a level of security and hardening that none of the other flavors of Android provide, including against zero-day (previously undisclosed) vulnerabilities, as well as both local and remote code execution vulnerabilities.
The project’s website describes some of the features that provide the added protections:
- Hardened app runtime
- Secure application spawning system avoiding sharing address space layout and other secrets across applications
- Hardened libc providing defenses against the most common classes of vulnerabilities (memory corruption)
- Our own hardened malloc (memory allocator) leveraging modern hardware capabilities to provide substantial defenses against the most common classes of vulnerabilities (heap memory corruption) along with reducing the lifetime of sensitive data in memory.
- On ARMv9, Branch Target Identification (BTI) and Pointer Authentication Code (PAC) return address protection are enabled for userspace OS code we build instead of only specific apps
- Signed integer overflow is made well defined in C and C++ for code where automatic overflow checking is disabled
- Hardened kernel
- Android Runtime Just-In-Time (JIT) compilation/profiling is fully disabled and replaced with full ahead-of-time (AOT) compilation. The only JIT compilation in the base OS is the V8 JavaScript JIT which is disabled by default for the Vanadium browser with per-site exception support.
- Dynamic code loading for both native code or Java/Kotlin classes is blocked for nearly the entire base OS to prevent base OS processes.
- Dynamic code loading for both native code or Java/Kotlin classes can be disabled for user installed apps via 3 exploit protection toggles
- Filesystem access hardening
In addition, Graphene secures the USB-C port, locking it down to charging-only mode whenever the screen is locked, minimizing the risks from malicious USB devices. Graphene’s protection goes far beyond what is provided in stock Android.
Our implementation is far more secure than Android’s standard USB HAL toggle available to device admin apps. The standard feature only disables high level USB handling in the OS. It doesn’t block new USB connections or disable the data lines at a hardware level. It also leaves the handling of the USB-C and pogo pins protocols enabled in the OS, and it doesn’t disable the USB-C alternate modes. The standard feature is also either blocking or not blocking USB at a high level, without the ability to block new connections and disable USB only once the existing connections end. Other operating systems trying to implement a similar feature via the standard toggle end up continuing to allow new USB connections in the OS until all connections end instead of the two-phase approach we use for our two Charging-only when locked modes.
Graphene also relies on SELinux—a popular Linux mandatory access control (MAC) system—to provide application sandboxing.
What Phones Does GrapheneOS Support?
Graphene only supports Pixel devices that are still within their support window from Google. It may seem counter-intuitive for a de-Googled Android OS to rely on hardware from Google, but there’s a very good reason.
Despite Google being one of the most privacy-invasive companies in existence, Pixel hardware is some of the most secure mobile hardware on the market. Google also makes it easy to unlock and re-lock the bootloader, a necessary step for installing an alternative OS.
Finally, Graphene only supports Pixels still in their support window, since those devices still receive firmware support for the modem, chipset, and underlying hardware.
Installation Process
Graphene supports two different installation methods. As with most alternative Android operating systems, it is possible to download adb and fastboot and go through a relatively tedious process to install the OS.
Where Graphene’s installation process really shines, however, is with the browser-based installer they pioneered. It is much easier, more straightforward, and can be done via a Chromium-based browser on Linux, macOS, Windows, or another Android device.
Additional Features
In addition to the above security features, Graphene includes a host of other useful features, most aimed at improving privacy and security.
- Advanced permissions controls, including the ability to toggle network access per application.
- The ability to use a PIN longer than 16 characters.
- The option to scramble the PIN layout so someone looking over a shoulder can’t easily decipher the PIN based on the location of screen taps.
- The option to set a duress PIN that will securely wipe the device if a user is being forced to provide a PIN to unlock it.
What About Android Apps?
Second to the privacy and security, one of Graphene’s greatest strengths is how it handles Android apps and the Google Play Store.
Most alternative Android operating systems do not include support for the Google Play Store and mainstream apps, or they use a service called MicroG. MicroG is an open-source implementation of the Google Play Store, effectively taking APKs from the Play Store and allowing customers to download them without signing into a Google account. MicroG does this by using anonymous emails to sign in so a user doesn’t have to disclose their identity to Google.
Unfortunately, this approach has real issues, including the fact that Google can and does occasionally block the anonymous emails MicroG relies on. A couple of years ago, this created serious issues that prevented users from being able to download new apps from the Play Store until MicroG could address it.
In contrast, GrapheneOS gives users the ability to install the Play Store and use it to install apps. Unlike stock Android, however, the Play Store on Graphene does not have escalated or system-level privileges, and is sandboxed like any other app. As a result, it is a far more secure and private way to install apps.
As a result of Graphene’s approach, the OS generally has fewer issues running problematic Android apps than the MicroG approach, since it does provide the official Play Store and Play Services that many apps require.
The one notable exception is Google Pay. At this time, and likely for the indefinite future, Google Pay doesn’t work on Graphene or any alternative Android OS.
Who Should Use GrapheneOS?
Who should use GrapheneOS? In short, anyone who wants the most secure and private mobile operating system available without sacrificing access to the robust ecosystem of Android apps.
Graphene is one of those few security and privacy options that lets users “have their cake and eat it too,” blending industry-leading security and privacy with a level of convenience that rivals stock Android.
A Word of Caution (Warning, This Is Long)
The one word of caution regarding Graphene has nothing to do with the OS itself and has everything to do with project leadership.
As with many open-source projects, users tend to become invested in the project and want the best for it. This can result in feedback or critiques that are meant in a spirit of being helpful. This is especially true for users like yours truly, who write about and review technology products for a living.
A perfect example of this is YouTuber The Linux Cast, who is a major openSUSE Tumbleweed fan. Because he is a fan, The Linux Cast recently created a video where he highlighted some areas where openSUSE could improve, with one of those being the friendliness of the community. The video was meant as a helpful critique, and in no way could be misconstrued as an attack on the openSUSE project.
Similarly, following a series of posts by Graphene leadership calling out a privacy YouTuber, I made the mistake of offering a similar critique. In the posts, Graphene leadership called the YouTuber “a charlatan,” “a serial fabricator and scam artist.”
I posted a polite and respectful reply emphasizing how big a fan of the project I am and saying that, while the Graphene project should absolutely defend itself and combat misinformation, a less combative and more restrained, distinguished, and professional tone would be less off-putting. Such an approach would essentially rise above any negative statements or attacks on the project and ultimately discredit them far more than a combative response that resorted to name-calling.
I thought my post would receive a response somewhere between ‘thank you, we got a little carried away’ and ‘thank you for the feedback, but we’re quite happy with our communication style.’ Any option like that would have been fine, and I would have gone about my day happy I at least tried to help.
Instead, I was banned from the Graphene forums (the ban was later lifted), and I received a hostile email saying that:
- I was being “completely false and dishonest” by saying the team’s post included name-calling since their claims about the YouTuber “are complete factual,” with the author of the email apparently unaware that a statement can be true and factual and still constitute name-calling.
- I was told I was no longer welcome in the community and warned not to try to rejoin it.
I politely emailed back and asked why I had received such a hostile response when my only goal was to provide constructive feedback as someone who communicates in a professional role for a living. In the subsequent series of emails, I was accused of being a friend of Graphene’s enemies and of attacking the Graphene project and its developers—all because I dared to say the project’s communication would be more effective and achieve the same goals if it was less combative and adopted a more restrained, professional tone.
In 25 years in the tech and software development community, both as a writer and a software developer, I have never had an interaction such as this one (and yes, I have screenshots of the entire email exchange).
To be fair, the Graphene project has suffered inexcusable harassment by some individuals and online communities, even escalating to swatting attacks on the project’s founder. Unfortunately, this seems to have fostered a ‘we vs. them’ mentality and a tendency to see enemies everywhere, including among friends and fans of the project who dare to offer well-meaning feedback or criticism.
Separating the Project From Its Leadership
Should users avoid GrapheneOS because of leadership’s poor and sometimes hostile communication? In short, no. Graphene remains the single most secure and private mobile operating system on the market and is THE BEST choice, bar none.
As a result, we WHOLEHEARTEDLY recommend GrapheneOS to the following users:
At the same time, we strongly caution users to avoid interaction with the project’s leadership until such time as it adopts a less “prickly” communication style.
This is not like Linux Mint, PopOS, Fedora, openSUSE, Debian, Ubuntu, GIMP, or most other open-source projects, where a free exchange of ideas among fans—especially criticisms designed to help and improve the project—is welcome.
But that doesn’t change the project’s merit, the team’s incredible accomplishments, or the value of GrapheneOS.
Rating
4.5 out of 5 stars
Pros:
- The most secure mobile OS available, bar none.
- A truly private OS that allows users to reclaim their privacy from Big Tech.
- Unparalleled compatibility with the Google Play Store among alternate Android operating systems.
- Open-source.
Cons:
- Project leadership can be “prickly” and openly hostile to any negative feedback, including well-meaning criticism from ardent fans.
In the next installment of this series, we’ll cover some best practices for daily GrapheneOS use, including how to overcome common issues.