GrapheneOS is a non-profit, open-source Android fork engineered to harden mobile privacy and security at the operating system layer. It ships with no bundled Google services and fortified app sandboxing enabled by default, per the project’s official documentation GrapheneOS official site. All development is funded by public donations, with no paid feature tiers or commercial revenue drivers.
Unlike stock Android, which prioritizes feature breadth and deep integration with Google’s proprietary service ecosystem, GrapheneOS focuses exclusively on mitigating entire classes of common vulnerabilities. It hardens security boundaries between apps and the core system, and gives users granular control over permissions and hardware access. All core privacy and security features are enabled by default, requiring no user configuration to activate, so users do not need to navigate complex security settings to benefit from the OS’s hardening GrapheneOS official site.
GrapheneOS Android Privacy and Security Architecture
GrapheneOS launched in 2014 under the name CopperheadOS, before rebranding in 2019 to reflect its expanded focus on independent privacy and security research GrapheneOS about page. The 2019 rebrand marked a formal transition to a registered 501(c)(3) non-profit, community-driven development model focused exclusively on security and privacy research, rather than commercial product expansion GrapheneOS about page.
The project modifies the Android Open Source Project (AOSP) at the lowest possible layers to close attack surfaces that stock Android leaves open by default, per its official FAQ GrapheneOS project FAQ. It explicitly avoids adding unnecessary configuration complexity. All core privacy and security features ship enabled by default, with no user action required to activate them GrapheneOS project FAQ.
GrapheneOS explicitly excludes Google Play Services and any alternative proprietary service implementations from its default builds, per the project’s FAQ GrapheneOS project FAQ. Default builds contain no code from Google’s proprietary service layer, eliminating the risk of privileged system access that comes with bundled Play services in stock Android GrapheneOS security overview.
The OS does not include any pre-installed apps that collect user telemetry or usage data, and all core functionality works without an internet connection or user account GrapheneOS project FAQ.
GrapheneOS is built exclusively for Google Pixel devices. The project prioritizes devices with publicly available, auditable firmware and unlockable bootloaders to maintain its security guarantees GrapheneOS project FAQ. As of 2025, the project supports 11 Google Pixel models: Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro Fold, and Pixel 9 Pro XL GrapheneOS supported devices.
Monthly Security Patching and Supported Device Cadence
As of 2025, GrapheneOS releases monthly security patches within 24 hours of Google’s public Android Security Bulletin release, per the project’s official release log GrapheneOS official site. This cadence ensures supported devices receive critical fixes on the same day Google publishes them, rather than waiting for OEM-specific rollout schedules that often delay patches by weeks or months GrapheneOS official site.
Sandboxed Google Play Compatibility Without Privileged System Access
GrapheneOS retains full compatibility with standard Android apps distributed via APK or its sandboxed Google Play compatibility layer, per its official project overview GrapheneOS project overview. Users can sideload apps directly or access the full Google Play Store catalog without compromising the OS’s default security posture.
The compatibility layer runs Google Play services as a set of fully isolated, sandboxed apps with no special system privileges GrapheneOS security overview. It operates in a separate isolated user profile from the primary user’s apps and data.
For example, the sandboxed Google Play Services app is restricted to a dedicated isolated user profile, with no access to the primary user’s contacts, SMS, or file storage unless explicitly granted by the user for a specific task GrapheneOS security overview.
This design eliminates the security risks associated with bundled Play services while retaining full access to the entire Google Play Store app catalog, including apps that require Google Play Services for authentication or in-app purchases GrapheneOS security overview.
Users can choose to sign in to a Google account only for the Play Store, with no requirement to link the account to core OS functionality GrapheneOS project overview. The compatibility layer can be disabled entirely at any time without affecting core OS stability.
Core Exploit Mitigations and Sandbox Hardening
GrapheneOS’s hardening work targets three core areas: exploit mitigations, app sandbox fortification, and granular permission controls. The project deploys mitigations for entire classes of common vulnerabilities, making exploitation far more difficult even when unpatched vulnerabilities exist, per its feature documentation GrapheneOS feature documentation. These mitigations are enabled by default for all supported devices, with no user configuration required.
These mitigations include a hardened version of the LLVM compiler’s Scudo memory allocator, configured with extended quarantine periods for freed memory to reduce use-after-free exploit success rates GrapheneOS feature documentation. The OS also uses ahead-of-time (AOT) compilation for the Android Runtime (ART), which disables just-in-time (JIT) compilation entirely to eliminate the entire class of JIT-spraying code injection attacks that target stock Android’s default runtime configuration GrapheneOS feature documentation.
The default app sandbox isolates apps from each other and the core system, fortified to prevent compromised apps from accessing sensitive system resources or data belonging to other apps GrapheneOS security overview.
Unlike stock Android, which uses a small set of shared SELinux policies across all apps, GrapheneOS assigns a unique, restrictive SELinux security policy to every individual installed app GrapheneOS security overview.
For example, a weather app on GrapheneOS is restricted to only the network and location permissions it explicitly requests, with no access to contacts, SMS, or device identifiers it does not need to function, even if the app requests those permissions in its manifest GrapheneOS security overview.
GrapheneOS also hardens security boundaries between user space and the kernel to reduce the impact of kernel-level exploits. These improvements include additional kernel address space layout randomization (KASLR) enhancements that were upstreamed to the Linux kernel 6.1 release in 2022 GrapheneOS security overview.
Granular Permission Controls Beyond Stock Android
GrapheneOS adds granular permission toggles not present in stock Android. Key examples include per-app controls for the Sensors permission that block all sensor access, including accelerometer, gyroscope, magnetometer, and barometer, for the selected app GrapheneOS permission controls documentation. For example, a user can block all sensor access for a single installed game to prevent it from collecting motion data even if the game requests the Sensors permission GrapheneOS permission controls documentation.
The OS also includes restrictions on physical port access when the device is locked. These block all USB peripheral access, data transfer, and USB debugging by default, only enabling these functions after the user explicitly unlocks the device and confirms the action in a system prompt GrapheneOS permission controls documentation.
Additional toggles include per-app network access blocks, lock screen restrictions for camera and quick tile access, and a secure clipboard feature GrapheneOS official site. The secure clipboard prevents other apps from reading clipboard content unless the user explicitly pastes content into that app, eliminating the risk of background apps exfiltrating copied passwords, messages, or other sensitive data GrapheneOS official site.
For example, if a user copies a password from a password manager, only the app they explicitly paste the password into can access that clipboard content GrapheneOS official site. These toggles are opt-in only where they would impact user experience, while all core exploit mitigations and sandbox hardening are enabled by default with no configuration required GrapheneOS official site.
First-Party Privacy and Security Apps
Beyond OS-level modifications, GrapheneOS develops and ships a suite of first-party privacy and security apps built to the project’s hardening standards, with no special system access beyond what is granted to standard third-party apps GrapheneOS official site.
The project’s flagship security app, Auditor, provides local and remote device attestation. It verifies a device’s firmware integrity against a known trusted baseline signed by the GrapheneOS project GrapheneOS Auditor app documentation. Attestation reports are generated using the device’s hardware-backed keystore stored in the device’s Trusted Execution Environment (TEE), ensuring the attestation key cannot be extracted even if the device is compromised at the software level GrapheneOS Auditor app documentation.
Reports generated by the Auditor app can be verified locally on the device itself, or remotely on a separate trusted device owned by the user. This confirms the device has not been tampered with at the firmware level, and is running an unmodified version of GrapheneOS GrapheneOS Auditor app documentation.
Upstreamed Contributions and Non-Profit Development Model
Many of the exploit mitigations and privacy features first developed for GrapheneOS have been upstreamed to AOSP, the Linux kernel, and other open-source projects, per the project’s about page GrapheneOS about page. These contributions improve baseline security for all stock Android users worldwide, even as GrapheneOS continues to develop more aggressive, device-specific hardening that is not suitable for mainstream Android releases GrapheneOS about page.
These contributions include the hardened Scudo memory allocator, merged into AOSP starting with the Android 12 release in 2021 GrapheneOS about page. They also include KASLR improvements merged into the Linux kernel 6.1 release in 2022 GrapheneOS about page. Additional upstreamed contributions include per-app SELinux policy improvements and privacy-focused permission controls adopted in mainstream Android releases GrapheneOS about page.
The project’s custom kernel includes additional hardening patches not included in stock Pixel firmware, including stricter memory protection and reduced attack surface for kernel exploits, added due to the project’s specialized hardware requirements and acceptable performance overhead GrapheneOS about page. All development is funded by public donations, with no paid feature tiers or commercial revenue drivers GrapheneOS official site.
Frequently Asked Questions About GrapheneOS
- 1.Is GrapheneOS legal to use and distribute?Yes, per the project's official FAQ GrapheneOS project FAQ, GrapheneOS is a fully legal open-source operating system.
It is distributed under the MIT and Apache 2.0 licenses, which permit free use, modification, and distribution by anyone worldwide, and the project complies with all applicable export control regulations for open-source software.
The OS’s open-source licensing means users and developers can audit the full source code, modify the OS for personal use, and redistribute modified versions without restriction GrapheneOS project FAQ.
Users in all countries can freely download, install, and distribute the OS without legal restriction.
- 2.Does GrapheneOS work with all Android apps?The vast majority of Android apps work without modification on GrapheneOS, per the project's official compatibility page GrapheneOS project overview.
Apps that rely on Google Play Services function normally via the sandboxed compatibility layer. Only apps that require deep system integration, privileged system access, or custom device administration features — such as some enterprise mobile management tools, carrier provisioning apps, or banking apps with anti-modified-OS detection — may have limited or no functionality on GrapheneOS.
For example, the Google Maps app functions fully via the sandboxed Play compatibility layer, while some corporate mobile device management (MDM) apps that require privileged system access to enforce device policies will not install or function as intended GrapheneOS project overview.
- 3.Can I use GrapheneOS without a Google account?Yes, GrapheneOS does not require a Google account for any core functionality.
This includes app installation via APK sideloading, over-the-air OS updates, and device attestation via the Auditor app, per the project's FAQ GrapheneOS project FAQ.
The sandboxed Play compatibility layer allows users to sign in to a Google account only for the Play Store, with no access to the core OS or other apps, and users can disable the compatibility layer entirely at any time.
For example, a user can sideload an open-source app like Signal directly via the OS’s built-in package installer, with no Google account or Play Store access required GrapheneOS project FAQ.
- 4.Is GrapheneOS free to use?Yes, GrapheneOS is completely free to download, install, and use, per the project's official download page GrapheneOS official site.
The project is funded entirely by public donations, and does not charge for any part of the OS, its associated device flashing tools, or its first-party apps. There are no paid tiers, feature gates, or subscription requirements for any GrapheneOS functionality.
For example, the Auditor attestation app, the sandboxed Play compatibility layer, and all OS security updates are available to all users at no cost, with no account or payment required GrapheneOS official site.
- 5.Which devices support GrapheneOS?As of 2025, per the project's official supported devices page GrapheneOS supported devices, GrapheneOS supports 11 Google Pixel models: Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro Fold, and Pixel 9 Pro XL.
The project explicitly avoids supporting devices with locked bootloaders, proprietary firmware that cannot be fully audited, or inconsistent security patch release schedules. This policy maintains its security and privacy guarantees for all supported devices.
For example, the project does not support Samsung Galaxy or other non-Pixel devices, as their locked bootloaders and unauditable proprietary firmware prevent the project from verifying the full firmware stack GrapheneOS supported devices. Bottom line: GrapheneOS is the strongest consumer-grade Android option for users who prioritize verified security and privacy over default Google ecosystem integration.
It delivers default-on exploit mitigations for entire classes of common vulnerabilities, monthly security patches delivered within 24 hours of Google’s public Android Security Bulletin release, and a sandboxed Play compatibility layer that preserves access to the full Google Play Store catalog without granting privileged system access to Google services.
It is recommended for users with a supported Google Pixel device (as of 2025, 11 models from the 2022 Pixel 6a through the 2024 Pixel 9 Pro XL) who are willing to sideload apps or use the compatibility layer for Play Store access, and who do not require proprietary apps that depend on deep system integration or privileged Play Services access.
