
[ROM][GrapheneOS][Android 12][AOSP][OFFICIAL]


SyntaxError

Senior Member


Features overview

GrapheneOS is a private and secure mobile operating system with great functionality and usability. It starts from the strong baseline of the Android Open Source Project (AOSP) and takes great care to avoid increasing attack surface or hurting the strong security model. GrapheneOS makes substantial improvements to both privacy and security through many carefully designed features built to function against real adversaries. The project cares a lot about usability and app compatibility so those are taken into account for all of our features.

GrapheneOS is focused on substance rather than branding and marketing. It doesn't take the typical approach of piling on a bunch of insecure features depending on the adversaries not knowing about them and regressing actual privacy/security. It's a very technical project building privacy and security into the OS rather than including assorted unhelpful frills or bundling subjective third party apps choices.

GrapheneOS is also hard at work on filling in gaps from not bundling Google apps and services into the OS. We aren't against users using Google services but it doesn't belong integrated into the OS in an invasive way. GrapheneOS won't take the shortcut of simply bundling a very incomplete and poorly secured third party reimplementation of Google services into the OS. That wouldn't ever be something users could rely upon. It will also always be chasing a moving target while offering poorer security than the real thing if the focus is on simply getting things working without great care for doing it robustly and securely.

This page provides an overview of currently implemented features differentiating GrapheneOS from AOSP. It doesn't document our many historical features that are no longer included for one reason or another. Many of our features were implemented in AOSP, Linux, LLVM and other projects GrapheneOS is based on and those aren't listed here. In many cases, we've been involved in getting those features implemented in core infrastructure projects.

GrapheneOS

Partial list of GrapheneOS features beyond what AOSP 12 provides:

  • Hardened app runtime
  • Stronger app sandbox
  • Hardened libc providing defenses against the most common classes of vulnerabilities (memory corruption)
  • Our own hardened malloc (memory allocator) leveraging modern hardware capabilities to provide substantial defenses against the most common classes of vulnerabilities (heap memory corruption) along with reducing the lifetime of sensitive data in memory. The hardened_malloc README has extensive documentation on it. The hardened_malloc project is portable to other Linux-based operating systems and is being adopted by other security-focused operating systems like Whonix. Our allocator also heavily influenced the design of the next-generation musl malloc implementation, which offers substantially better security than musl's previous malloc while still having minimal memory usage and code size.
    • Fully out-of-line metadata with protection from corruption, ruling out traditional allocator exploitation
    • Separate memory regions for metadata, large allocations and each slab allocation size class with high entropy random bases and no address space reuse between the different regions
    • Deterministic detection of any invalid free
    • Zero-on-free with detection of write-after-free via checking that memory is still zeroed before handing it out again
    • Delayed reuse of address space and memory allocations through the combination of deterministic and randomized quarantines to mitigate use-after-free vulnerabilities
    • Fine-grained randomization
    • Aggressive consistency checks
    • Memory protected guard regions around allocations larger than 16k with randomization of guard region sizes for 128k and above
    • Allocations smaller than 16k have guard regions around each of the slabs containing allocations (for example, 16 byte allocations are in 4096 byte slabs with 4096 byte guard regions before and after)
    • Random canaries with a leading zero are added to these smaller allocations to block C string overflows, absorb small overflows and detect linear overflows or other heap corruption when the canary value is checked (primarily on free)
  • Hardened compiler toolchain
  • Hardened kernel
    • Support for dynamically loaded kernel modules is disabled and the minimal set of modules for the device model are built into the kernel to substantially improve the granularity of Control Flow Integrity (CFI) and reduce attack surface.
    • 4-level page tables are enabled on arm64 to provide a much larger address space (48-bit instead of 39-bit) with significantly higher entropy Address Space Layout Randomization (33-bit instead of 24-bit).
    • Random canaries with a leading zero are added to the kernel heap (slub) to block C string overflows, absorb small overflows and detect linear overflows or other heap corruption when the canary value is checked (on free, copies to/from userspace, etc.).
    • Memory is wiped (zeroed) as soon as it's released in both the low-level kernel page allocator and higher level kernel heap allocator (slub). This substantially reduces the lifetime of sensitive data in memory, mitigates use-after-free vulnerabilities and makes most uninitialized data usage vulnerabilities harmless. Without our changes, memory that's released retains data indefinitely until the memory is handed out for other uses and gets partially or fully overwritten by new data.
    • Kernel stack allocations are zeroed to make most uninitialized data usage vulnerabilities harmless.
    • Assorted attack surface reduction through disabling features or setting up infrastructure to dynamically enable/disable them only as needed (perf, ptrace).
    • Assorted upstream hardening features are enabled, including many which we played a part in developing and landing upstream as part of our linux-hardened project (which we intend to revive as a more active project again).
  • Prevention of dynamic native code execution in-memory or via the filesystem for the base OS without going via the package manager, etc.
  • Filesystem access hardening
  • Enhanced verified boot with better security properties and reduced attack surface
  • Enhanced hardware-based attestation with more precise version information
  • Eliminates remaining holes for apps to access hardware-based identifiers
  • Greatly reduced remote, local and proximity-based attack surface by stripping out unnecessary code, making more features optional and disabling optional features by default (NFC, Bluetooth, etc.), when the screen is locked (connecting new USB peripherals, camera access) and optionally after a timeout (Bluetooth, Wi-Fi)
  • Option to disable native debugging (ptrace) to reduce local attack surface (still enabled by default for compatibility)
  • Low-level improvements to the filesystem-based full disk encryption used on modern Android
  • Support for logging out of user profiles without needing a device manager: makes them inactive so that they can't continue running code while using another profile and purges the disk encryption keys (which are per-profile) from memory and hardware registers
  • Option to enable automatically rebooting the device when no profile has been unlocked for the configured time period to put the device fully at rest again.
  • Improved user visibility into persistent firmware security through version and configuration verification with reporting of inconsistencies and debug features being enabled.
  • Support longer passwords by default (64 characters) without a device manager
  • Stricter implementation of the optional fingerprint unlock feature permitting only 5 attempts rather than 20 before permanent lockout (our recommendation is still keeping sensitive data in user profiles without fingerprint unlock)
  • Support for using the fingerprint scanner only for authentication in apps and unlocking hardware keystore keys by toggling off support for unlocking.
  • PIN scrambling option
  • LTE-only mode to reduce cellular radio attack surface by disabling enormous amounts of legacy code
  • Per-connection MAC randomization option (enabled by default) as a more private option than the standard persistent per-network random MAC.
  • When the per-connection MAC randomization added by GrapheneOS is being used, DHCP client state is flushed before reconnecting to a network to avoid revealing that it's likely the same device as before.
  • Improved IPv6 privacy addresses to prevent tracking across networks
  • Vanadium: hardened WebView and default browser — the WebView is what most other apps use to handle web content, so you benefit from Vanadium in many apps even if you choose another browser
  • Hardware-based security verification and monitoring: the Auditor app and attestation service provide strong hardware-based verification of the authenticity and integrity of the firmware/software on the device. A strong pairing-based approach is used which also provides verification of the device's identity based on the hardware backed key generated for each pairing. Software-based checks are layered on top with trust securely chained from the hardware. For more details, see the about page and tutorial.
  • PDF Viewer: sandboxed, hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection, etc.
  • Encrypted backups via integration of the Seedvault app with support for local backups and any cloud storage provider with a storage provider app
  • Secure application spawning system avoiding sharing address space layout and other secrets across applications
  • Network permission toggle for disallowing both direct and indirect access to any of the available networks. The device-local network (localhost) is also guarded by this permission, which is important for preventing apps from using it to communicate between profiles. Unlike a firewall-based implementation, the Network permission toggle prevents apps from using the network via APIs provided by the OS or other apps in the same profile as long as they're marked appropriately.
  • The standard INTERNET permission used as the basis for the Network permission toggle is enhanced with a second layer of enforcement and proper support for granting/revoking it on a per-profile basis.
  • Sensors permission toggle: disallow access to all other sensors not covered by existing Android permissions (Camera, Microphone, Body Sensors, Activity Recognition) including an accelerometer, gyroscope, compass, barometer, thermometer and any other sensors present on a given device. To avoid breaking compatibility with Android apps, the added permission is enabled by default.
  • Authenticated encryption for network time updates via a first party server to prevent attackers from changing the time and enabling attacks based on bypassing certificate / key expiry, etc.
  • Proper support for disabling network time updates rather than just not using the results
  • Connectivity checks via a first party server with the option to revert to the standard checks (to blend in) or to fully disable them
  • Hardened local build / signing infrastructure
  • Seamless automatic OS update system that just works and stays out of the way in the background without disrupting device usage, with full support for the standard automatic rollback if the first boot of the updated OS fails
  • Require unlocking to access sensitive functionality via quick tiles
  • Minor changes to default settings to prefer privacy over small conveniences: personalized keyboard suggestions based on gathering input history are disabled by default, sensitive notifications are hidden on the lockscreen by default and passwords are hidden during entry by default
  • Minimal bundled apps and services. Only essential apps are integrated into the OS. We don't make partnerships with apps and services to bundle them into the OS. An app may be the best choice today and poor choice in the future. Our approach will be recommending certain apps during the initial setup, not hard-wiring them into the OS.
  • No Google apps and services. These can be used on GrapheneOS but only if they avoid requiring invasive OS integration. Building privileged support for Google services into the OS isn't something we're going to be doing, even if that's partially open source like microG.
  • Compatibility layer for coercing user installed Google Play services into running as sandboxed apps without any special privileges.
  • Fixes for multiple serious vulnerabilities not yet fixed upstream due to a flexible release cycle / process prioritizing security.

Services

Service infrastructure features:

  • Strict privacy and security practices for our infrastructure
  • Unnecessary logging is avoided and logs are automatically purged after 10 days
  • Services are hosted entirely via our own dedicated servers and virtual machines from OVH without involving any additional parties for CDNs, SaaS platforms, mirrors or other services
  • Our services are built with open technology stacks to avoid being locked in to any particular hosting provider or vendor
  • Open documentation on our infrastructure including listing out all of our services, guides on making similar setups, published configurations for each of our web services, etc.
  • No proprietary services
  • Authenticated encryption for all of our services
  • Strong cipher configurations for all of our services (SSH, TLS, etc.) with only modern AEAD ciphers providing forward secrecy
  • Our web sites do not include any third party content and entirely forbid it via strict Content Security Policy rules
  • Our web sites disable referrer headers to maximize privacy
  • Our web sites fully enable cross origin isolation and disable embedding in other content
  • DNSSEC implemented for all of our domains to provide a root of trust for encryption and authentication for domain/server configuration
  • DNS Certification Authority Authorization (CAA) records for all of our domains permitting only Let's Encrypt to issue certificates with fully integrated support for the experimental accounturi and validationmethods pinning our Let's Encrypt accounts as the only ones allowed to issue certificates
  • DANE TLSA records for pinning keys for all our TLS services
  • Our mail server enforces DNSSEC/DANE to provide authenticated encryption when sending mail including alert messages from the attestation service
  • SSHFP across all domains for pinning SSH keys
  • Static key pinning for our services in apps like Auditor
  • Our web services use robust OCSP stapling with Must-Staple
  • No persistent cookies or similar client-side state for anything other than login sessions, which are set up via SameSite=strict cookies and have server-side session tracking with the ability to log out of other sessions
  • scrypt-based password hashing (likely Argon2 when the available implementations are more mature)

Project

Beyond the technical features of the OS:



Installation instructions and downloads

Download for Pixel 5 and other releases
https://grapheneos.org/releases

GrapheneOS has two officially supported installation methods. You can either use the WebUSB-based installer recommended for most users or the command-line installation guide aimed at more technical users.

We strongly recommend using one of the official installation methods. Third party installation guides tend to be out-of-date and often contain misguided advice and errors.

If you have trouble with the installation process, ask for help on the official GrapheneOS chat channel. There are almost always people around willing to help with it. Before asking for help, make an attempt to follow the guide on your own and then ask for help with anything you get stuck on.

The command-line approach offers a way to install GrapheneOS without trusting our server infrastructure. This requires being on an OS with proper fastboot and signify packages along with understanding the process enough to avoid blindly trusting the instructions from our site. For most users, the web-based installation approach is no less secure and avoids needing any software beyond a browser with WebUSB support.

For those who want Google Play Store apps, please watch this video. It's not recommended, but I use it myself on this ROM.
GrapheneOS - Full Post Install Setup Guide - Maximize Security and Privacy On Your Android Phone


Source code
https://github.com/GrapheneOS
https://github.com/GrapheneOS/kernel_google_redbull
https://github.com/GrapheneOS/device_google_redfin-kernel
https://github.com/GrapheneOS/device_google_redfin

Credits and Thanks

We would like to give thanks to everyone in the Android community, big or small.
That said, we would like to thank all these teams for their contribution to the open source community. Special thanks to Daniel Micay.
 

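The canary and zero-on-free checks listed under hardened malloc in the post above, as an added toy illustration in C (constructed for this thread; it is not GrapheneOS or hardened_malloc code): a four-slot slab for a 16-byte size class where each slot is followed by an 8-byte canary whose first byte is forced to zero, free zeroes the slot, allocation refuses a slot that is no longer all-zero, and interior or double frees are rejected deterministically. Slot count, sizes, function names and the seed value are assumptions; the real allocator keeps its metadata out of line and draws canaries from a CSPRNG.

```c
/* Constructed toy slab allocator (not hardened_malloc code) showing a canary with
 * a leading zero byte, zero-on-free with write-after-free detection on reuse,
 * and deterministic rejection of invalid (interior or double) frees. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE   16u   /* user bytes per slot: a 16-byte size class */
#define CANARY_SIZE 8u    /* canary stored directly after the user bytes */
#define NSLOTS      4u
#define STRIDE      (SLOT_SIZE + CANARY_SIZE)
#define SEED        0x1122334455667788ULL   /* arbitrary constructed seed */

enum toy_status {
    TOY_OK = 0,
    TOY_WRITE_AFTER_FREE, /* freed slot was no longer all-zero when reused */
    TOY_CANARY_CORRUPT,   /* canary did not match on free: linear overflow */
    TOY_INVALID_FREE,     /* not a live slot base: interior or double free */
    TOY_OUT_OF_MEMORY
};

static unsigned char slab[NSLOTS * STRIDE];
static unsigned char canary[CANARY_SIZE];
static int live[NSLOTS];

/* Derive the canary from a seed (stand-in for the CSPRNG a real allocator uses);
 * byte 0 is forced to zero so an off-by-one NUL write is absorbed harmlessly. */
static void toy_reset(uint64_t seed)
{
    memset(slab, 0, sizeof slab);
    memset(live, 0, sizeof live);
    for (unsigned i = 0; i < CANARY_SIZE; i++)
        canary[i] = (unsigned char)(seed >> (8 * i));
    canary[0] = 0;
}

static enum toy_status toy_alloc(void **out)
{
    for (unsigned i = 0; i < NSLOTS; i++) {
        unsigned char *p = slab + i * STRIDE;
        if (live[i]) continue;
        /* Zero-on-free means a free slot must still be all zeros. */
        for (unsigned b = 0; b < SLOT_SIZE; b++)
            if (p[b] != 0) return TOY_WRITE_AFTER_FREE;
        memcpy(p + SLOT_SIZE, canary, CANARY_SIZE);
        live[i] = 1;
        *out = p;
        return TOY_OK;
    }
    return TOY_OUT_OF_MEMORY;
}

static enum toy_status toy_free(void *ptr)
{
    uintptr_t a = (uintptr_t)ptr, lo = (uintptr_t)slab;
    if (a < lo || a >= lo + sizeof slab) return TOY_INVALID_FREE;
    size_t off = (size_t)(a - lo);
    if (off % STRIDE != 0) return TOY_INVALID_FREE;   /* interior pointer */
    unsigned i = (unsigned)(off / STRIDE);
    if (!live[i]) return TOY_INVALID_FREE;            /* double free */
    live[i] = 0;
    unsigned char *p = slab + off;
    enum toy_status st = memcmp(p + SLOT_SIZE, canary, CANARY_SIZE) == 0
                         ? TOY_OK : TOY_CANARY_CORRUPT;
    memset(p, 0, SLOT_SIZE);                          /* zero-on-free */
    return st;
}

/* One non-zero byte written past the slot lands on the canary: caught on free. */
static enum toy_status demo_linear_overflow(void)
{
    void *p; toy_reset(SEED); toy_alloc(&p);
    memset(p, 'A', SLOT_SIZE + 1);
    return toy_free(p);                 /* TOY_CANARY_CORRUPT */
}

/* A 16-character C string copied into a 16-byte slot puts its NUL one byte past
 * the end; the canary's leading zero absorbs it and the check still passes. */
static enum toy_status demo_nul_overflow_absorbed(void)
{
    void *p; toy_reset(SEED); toy_alloc(&p);
    strcpy(p, "0123456789abcdef");
    return toy_free(p);                 /* TOY_OK */
}

/* A write through a dangling pointer is caught when the slot is handed out again. */
static enum toy_status demo_write_after_free(void)
{
    void *p, *q; toy_reset(SEED); toy_alloc(&p); toy_free(p);
    ((unsigned char *)p)[3] = 0x41;
    return toy_alloc(&q);               /* TOY_WRITE_AFTER_FREE */
}

static enum toy_status demo_double_free(void)
{
    void *p; toy_reset(SEED); toy_alloc(&p); toy_free(p);
    return toy_free(p);                 /* TOY_INVALID_FREE */
}
```

The demo_ functions return toy_status codes rather than printing, so a stand-alone build only needs a small main that calls them and compares the results.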

jailbird2

Senior Member
I want to say thank you so much for all of the work on this ROM, it is awesome!

Has anybody gotten root to work on this? I tried patching the boot.img with Magisk, but after I flash the patched boot.img, the bootloader says it can't find a valid operating system?

SyntaxError

Senior Member
I want to say thank you so much for all of the work on this ROM, it is awesome!

Has anybody gotten root to work on this? I tried patching the boot.img with Magisk, but after I flash the patched boot.img, the bootloader says it can't find a valid operating system?

The whole point of this ROM is security, haha, so no root, only pure security, and the bootloader will be locked if you followed the instructions.

jailbird2

Senior Member
The whole point of this ROM is security, haha, so no root, only pure security, and the bootloader will be locked if you followed the instructions.
Yep, I know. As the phone mainly stays connected in my vehicle, I was using a framework that allowed me to trigger actions when the charging power comes on (e.g., vehicle is started) and goes away (vehicle is turned off). I was hoping to be able to keep that AND keep the extra security :).

I completely understand though, thanks!
 

SyntaxError

Senior Member
Yep, I know. As the phone mainly stays connected in my vehicle, I was using a framework that allowed me to trigger actions when the charging power comes on (e.g., vehicle is started) and goes away (vehicle is turned off). I was hoping to be able to keep that AND keep the extra security :).

I completely understand though, thanks!

Aha, well, there are certain things we have to sacrifice, lol, for security's sake.
 

williejack619

Member
Look, I'm going to be honest with you guys. I use my phone as a daily driver and without GApps it's pointless to use this ROM. I need GApps to download my apps and to restore my info. And I already tried to install GApps on this ROM; it doesn't work.
 

beggar23

Senior Member
Look, I'm going to be honest with you guys. I use my phone as a daily driver and without GApps it's pointless to use this ROM. I need GApps to download my apps and to restore my info. And I already tried to install GApps on this ROM; it doesn't work.
Sorry mate, GrapheneOS is not meant to have any Google framework stuff in it. If you need such and at the same time want more privacy you might want to have a look at CalyxOS, at least there is an option to include microG. Have fun.
 

SyntaxError

Senior Member
Look, I'm going to be honest with you guys. I use my phone as a daily driver and without GApps it's pointless to use this ROM. I need GApps to download my apps and to restore my info. And I already tried to install GApps on this ROM; it doesn't work.
You can install F-Droid and from F-Droid install https://f-droid.org/en/packages/com.aurora.store/, and you can have all Play Store apps without any account, or you can sign in and still retain your privacy.

k0rner

Senior Member
Sorry mate, GrapheneOS is not meant to have any Google framework stuff in it. If you need such and at the same time want more privacy you might want to have a look at CalyxOS, at least there is an option to include microG. Have fun.
They've documented how to install Google services:
 
The whole point of this ROM is security, haha, so no root, only pure security, and the bootloader will be locked if you followed the instructions.
The problem I have with not having root is that Google backups suck. An example is Google Authenticator. It loses all settings and will force the user to redo every site where it was used for 2FA. I absolutely need the ability to restore my apps properly, and I currently use TitaniumBackup for that. I'm also playing around with 'Migrate', but both need root.
 

SyntaxError

Senior Member
The problem I have with not having root is that Google backups suck. An example is Google Authenticator. It loses all settings and will force the user to redo every site where it was used for 2FA. I absolutely need the ability to restore my apps properly, and I currently use TitaniumBackup for that. I'm also playing around with 'Migrate', but both need root.
I just don't understand why no one understands the meaning of privacy.
This ROM is made for privacy and security without Google, as in a de-Googled phone, so no root access, because the bootloader will be locked after flashing this ROM.
And yes, you can install Play Store apps my way or the official way, and there is a link to that provided by @k0rner. And yes, I understand backup and restoring from Google is a pain, so just do a manual restore like I did if you want privacy; if you want root and Google services, then this ROM is not meant for you and to be used with Google services.
 

    • Hardware-based security verification and monitoring: the Auditor app and attestation service provide strong hardware-based verification of the authenticity and integrity of the firmware/software on the device. A strong pairing-based approach is used which also provides verification of the device's identity based on the hardware-backed key generated for each pairing. Software-based checks are layered on top with trust securely chained from the hardware. For more details, see the about page and tutorial.
    • PDF Viewer: sandboxed, hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection, etc.
    • Encrypted backups via integration of the Seedvault app with support for local backups and any cloud storage provider with a storage provider app
    • Secure application spawning system avoiding sharing address space layout and other secrets across applications
    • Network permission toggle for disallowing both direct and indirect access to any of the available networks. The device-local network (localhost) is also guarded by this permission, which is important for preventing apps from using it to communicate between profiles. Unlike a firewall-based implementation, the Network permission toggle prevents apps from using the network via APIs provided by the OS or other apps in the same profile as long as they're marked appropriately.
    • The standard INTERNET permission used as the basis for the Network permission toggle is enhanced with a second layer of enforcement and proper support for granting/revoking it on a per-profile basis.
    • Sensors permission toggle: disallow access to all other sensors not covered by existing Android permissions (Camera, Microphone, Body Sensors, Activity Recognition) including an accelerometer, gyroscope, compass, barometer, thermometer and any other sensors present on a given device. To avoid breaking compatibility with Android apps, the added permission is enabled by default.
    • Authenticated encryption for network time updates via a first party server to prevent attackers from changing the time and enabling attacks based on bypassing certificate / key expiry, etc.
    • Proper support for disabling network time updates rather than just not using the results
    • Connectivity checks via a first party server with the option to revert to the standard checks (to blend in) or to fully disable them
    • Hardened local build / signing infrastructure
    • Seamless automatic OS update system that just works and stays out of the way in the background without disrupting device usage, with full support for the standard automatic rollback if the first boot of the updated OS fails
    • Require unlocking to access sensitive functionality via quick tiles
    • Minor changes to default settings to prefer privacy over small conveniences: personalized keyboard suggestions based on gathering input history are disabled by default, sensitive notifications are hidden on the lockscreen by default and passwords are hidden during entry by default
    • Minimal bundled apps and services. Only essential apps are integrated into the OS. We don't make partnerships with apps and services to bundle them into the OS. An app may be the best choice today and a poor choice in the future. Our approach will be recommending certain apps during the initial setup, not hard-wiring them into the OS.
    • No Google apps and services. These can be used on GrapheneOS but only if they avoid requiring invasive OS integration. Building privileged support for Google services into the OS isn't something we're going to be doing, even if that's partially open source like microG.
    • Compatibility layer for coercing user installed Google Play services into running as sandboxed apps without any special privileges.
    • Fixes for multiple serious vulnerabilities not yet fixed upstream due to a flexible release cycle / process prioritizing security.
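
    The slab canary and zero-on-free items above describe a mechanism rather than show it. The following C program is an added toy model written for this post; it is not GrapheneOS or linux-hardened kernel code. It assumes a slab cache of 16-byte objects, an 8-byte canary stored after each object with its first (lowest-address) byte zero, and uses rand() as a stand-in for the kernel's CSPRNG. It shows the four behaviours the list claims: an off-by-one NUL write lands on the zero byte and is absorbed, a longer C string overflow is caught when the canary is checked on free, a string read that runs past an unterminated object stops at the zero byte instead of reaching the next object, and a freed object holds no trace of its old contents.

```c
/* Toy slab cache with a per-cache random canary (leading zero byte) after
 * each object, checked on free, plus zero-on-free.  Added illustration only;
 * this is not the kernel's slub implementation. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define OBJ_SIZE    16u          /* assumed object size for this cache   */
#define CANARY_SIZE 8u           /* assumed canary width                 */
#define SLOT_SIZE   (OBJ_SIZE + CANARY_SIZE)
#define NOBJS       4u

static unsigned char slab[NOBJS * SLOT_SIZE];   /* backing memory         */
static unsigned char in_use[NOBJS];
static unsigned char canary[CANARY_SIZE];       /* per-cache secret       */
static int initialized;

static void cache_init(void)
{
    if (initialized)
        return;
    srand((unsigned)time(NULL));   /* stand-in for get_random_bytes() */
    canary[0] = 0;                 /* leading zero byte               */
    for (size_t i = 1; i < CANARY_SIZE; i++)
        canary[i] = (unsigned char)(rand() & 0xff);
    initialized = 1;
}

void *slab_alloc(void)
{
    cache_init();
    for (size_t i = 0; i < NOBJS; i++) {
        if (!in_use[i]) {
            unsigned char *obj = slab + i * SLOT_SIZE;
            in_use[i] = 1;
            memcpy(obj + OBJ_SIZE, canary, CANARY_SIZE);   /* stamp canary */
            return obj;
        }
    }
    return NULL;
}

/* Returns 0 on a clean free, -1 if the canary was corrupted (the kernel
 * would report the corruption here).  The object is zeroed either way. */
int slab_free(void *p)
{
    unsigned char *obj = p;
    size_t idx = (size_t)(obj - slab) / SLOT_SIZE;
    int corrupted = memcmp(obj + OBJ_SIZE, canary, CANARY_SIZE) != 0;
    memset(obj, 0, OBJ_SIZE);      /* zero-on-free */
    in_use[idx] = 0;
    return corrupted ? -1 : 0;
}

/* strcpy() of a string that exactly fills the object writes its NUL one byte
 * past the end, onto the canary's leading zero: absorbed, free is clean. */
int demo_off_by_one_nul(void)
{
    char *obj = slab_alloc();
    strcpy(obj, "0123456789abcdef");        /* 16 chars + NUL = 17 bytes */
    return slab_free(obj);                  /* 0 */
}

/* A longer string keeps writing through the canary; the first overflowed
 * byte is non-zero, so the check on free always catches it. */
int demo_string_overflow(void)
{
    char *obj = slab_alloc();
    strcpy(obj, "0123456789abcdefGHIJ");    /* 21 bytes, 5 into the canary */
    return slab_free(obj);                  /* -1 */
}

/* An object with no terminator: a string read stops at the canary's zero
 * byte (length == OBJ_SIZE) instead of running into the next object. */
size_t demo_string_read_stops_at_canary(void)
{
    char *obj = slab_alloc();
    memset(obj, 'A', OBJ_SIZE);
    size_t n = strlen(obj);
    slab_free(obj);
    return n;                               /* 16 */
}

/* After free, the object's bytes are zero: a later use-after-free or
 * uninitialized read finds nothing of the old secret.  Reading the slot
 * through the static array is well-defined here. */
int demo_zero_on_free(void)
{
    char *obj = slab_alloc();
    unsigned char *raw = (unsigned char *)obj;
    memcpy(obj, "hunter2", 8);              /* constructed "secret"       */
    slab_free(obj);
    for (size_t i = 0; i < OBJ_SIZE; i++)
        if (raw[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("off-by-one NUL write:   free=%d (0 = absorbed)\n", demo_off_by_one_nul());
    printf("string overflow:        free=%d (-1 = detected)\n", demo_string_overflow());
    printf("strlen, unterminated:   %zu (stopped at canary)\n", demo_string_read_stops_at_canary());
    printf("zeroed after free:      %d\n", demo_zero_on_free());
    return 0;
}
```

    The model only checks the canary on free; the kernel feature also checks it on copies to and from userspace, which is what catches an overflow that is never freed before it is exploited.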

    Services

    Service infrastructure features:

    • Strict privacy and security practices for our infrastructure
    • Unnecessary logging is avoided and logs are automatically purged after 10 days
    • Services are hosted entirely via our own dedicated servers and virtual machines from OVH without involving any additional parties for CDNs, SaaS platforms, mirrors or other services
    • Our services are built with open technology stacks to avoid being locked in to any particular hosting provider or vendor
    • Open documentation on our infrastructure including listing out all of our services, guides on making similar setups, published configurations for each of our web services, etc.
    • No proprietary services
    • Authenticated encryption for all of our services
    • Strong cipher configurations for all of our services (SSH, TLS, etc.) with only modern AEAD cipher suites providing forward secrecy
    • Our web sites do not include any third party content and entirely forbid it via strict Content Security Policy rules
    • Our web sites disable referrer headers to maximize privacy
    • Our web sites fully enable cross origin isolation and disable embedding in other content
    • DNSSEC implemented for all of our domains to provide a root of trust for encryption and authentication for domain/server configuration
    • DNS Certification Authority Authorization (CAA) records for all of our domains permitting only Let's Encrypt to issue certificates with fully integrated support for the experimental accounturi and validationmethods pinning our Let's Encrypt accounts as the only ones allowed to issue certificates
    • DANE TLSA records for pinning keys for all our TLS services
    • Our mail server enforces DNSSEC/DANE to provide authenticated encryption when sending mail including alert messages from the attestation service
    • SSHFP across all domains for pinning SSH keys
    • Static key pinning for our services in apps like Auditor
    • Our web services use robust OCSP stapling with Must-Staple
    • No persistent cookies or similar client-side state for anything other than login sessions, which are set up via SameSite=strict cookies and have server-side session tracking with the ability to log out of other sessions
    • scrypt-based password hashing (likely Argon2 when the available implementations are more mature)

    Project

    Beyond the technical features of the OS:



    Installation instructions and downloads

    Download for Pixel 5 and other releases
    https://grapheneos.org/releases

    GrapheneOS has two officially supported installation methods. You can either use the WebUSB-based installer recommended for most users or the command-line installation guide aimed at more technical users.

    We strongly recommend using one of the official installation methods. Third party installation guides tend to be out-of-date and often contain misguided advice and errors.

    If you have trouble with the installation process, ask for help on the official GrapheneOS chat channel. There are almost always people around willing to help with it. Before asking for help, make an attempt to follow the guide on your own and then ask for help with anything you get stuck on.

    The command-line approach offers a way to install GrapheneOS without trusting our server infrastructure. This requires being on an OS with proper fastboot and signify packages along with understanding the process enough to avoid blindly trusting the instructions from our site. For most users, the web-based installation approach is no less secure and avoids needing any software beyond a browser with WebUSB support.

    For those who want Google Play Store apps, please watch this video. It's not recommended, but I use it myself on this ROM.
    GrapheneOS - Full Post Install Setup Guide - Maximize Security and Privacy On Your Android Phone


    Source code
    https://github.com/GrapheneOS
    https://github.com/GrapheneOS/kernel_google_redbull
    https://github.com/GrapheneOS/device_google_redfin-kernel
    https://github.com/GrapheneOS/device_google_redfin

    Credits and Thanks

    We would like to give thanks to everyone in the Android community, big or small.
    That said, we would like to thank all these teams for their contribution to the open source community. Special thanks to Daniel Micay.
    They've documented how to install Google services:
    The problem I have with not having root is that Google backups suck. An example is Google Authenticator. It loses all settings and will force the user to redo every site where it was used for 2FA. I absolutely need the ability to restore my apps properly, and I currently use TitaniumBackup for that. I'm also playing around with 'Migrate', but both need root.
    I just don't understand why no one understands the meaning of privacy.
    This ROM is made for privacy and security without Google, as in a de-Googled phone, so there is no root access because the bootloader will be locked after flashing this ROM.
    And yes, you can install Play Store apps my way or the official way; there is a link to that provided by @k0rner. And yes, I understand that backing up and restoring from Google is a pain, so just do a manual restore like I did if you want privacy. If you want root and Google services, then this ROM is not meant for you or to be used with Google services.
    Follow the instructions properly and it will flash. I am using it right now.

    What method did you use to flash the ROM?
    Use the web installer, it's easy.
    Oh ok, thanks for that info. I was using a screwdriver and hammer...
    Look, I'm going to be honest with you guys: I use my phone as a daily driver and without GApps it's pointless to use this ROM. I need GApps to download my apps and to restore my info. And I already tried to install GApps on this ROM; it doesn't work.
    Sorry mate, GrapheneOS is not meant to have any Google framework stuff in it. If you need such and at the same time want more privacy you might want to have a look at CalyxOS, at least there is an option to include microG. Have fun.