GrapheneOS feature overview

This is a newly created page (started 2020-12-05) and is in the process of being written. More details and links to more detailed documentation and relevant repositories will be added over time.

This is an overview of the current set of features differentiating GrapheneOS from the Android Open Source Project (AOSP). Each major release of AOSP brings substantial privacy and security improvements, many of which have obsoleted historical features in GrapheneOS. This page does not currently cover any of the historical features, since it aims to cover the current differences rather than what we've done over the years.

GrapheneOS features:
- Hardened kernel
- Hardened libc providing defenses against the most common classes of vulnerabilities (memory corruption)
- Hardened malloc (memory allocator) leveraging modern hardware capabilities to provide substantial defenses against the most common classes of vulnerabilities (heap memory corruption), along with reducing the lifetime of sensitive data in memory
- Hardened app runtime
- Filesystem access hardening
- Enhanced verified boot with better security properties and reduced attack surface
- Enhanced hardware-based attestation with more precise version information
- Eliminates remaining holes for apps to access hardware-based identifiers
- Greatly reduced remote, local and proximity-based attack surface by stripping out unnecessary code, making more features optional and disabling optional features by default or when the screen is locked
- Low-level improvements to the filesystem-based full disk encryption used on modern Android
- Support for logging out of user profiles without needing a device manager: this makes them inactive so that they can't continue running code while another profile is in use, and purges their disk encryption keys (which are per-profile) from memory and hardware registers
- LTE-only mode to reduce cellular radio attack surface by disabling enormous amounts of legacy code
- Per-connection MAC randomization enabled by default, as an improvement over Android's default per-network MAC randomization, which reuses the same MAC address until the DHCP lease with that network expires
- Vanadium: hardened WebView and default browser
- Auditor: hardware-based attestation used to secure devices for users and organizations, instead of using it as a form of DRM
- PDF Viewer: sandboxed, hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection, etc.
- Secure application spawning system
- Network permission toggle disallowing both direct and indirect network access; superior to a purely firewall-based implementation, which only disallows direct access to the network without covering inter-process communication
- Sensors permission toggle
- Authenticated encryption for network time updates via a first party server, to prevent attackers from changing the time and enabling attacks based on bypassing certificate/key expiry, etc.
- Proper support for disabling network time updates rather than just not using the results
- Connectivity checks via a first party server, with the option to revert to the standard checks
- Hardened local build / signing infrastructure
- Seamless automatic OS update system that just works and stays out of the way in the background without disrupting device usage
Infrastructure features:
- Strict privacy and security practices for our infrastructure
- Services hosted on OVH without involving any additional parties for CDNs, mirrors or other services - we don't outsource to others
- Our services are built with open technology stacks to avoid being locked in to any particular hosting provider or vendor
- Open documentation on our infrastructure, including a list of all of our services, guides on making similar setups, published configurations for each of our web services, etc.
- No proprietary services
- Authenticated encryption for all of our services
- Strong cipher configurations for all of our services (SSH, TLS, etc.)
- DNSSEC for all our domains
- SSHFP records across all domains for pinning SSH host keys
- DANE TLSA records for pinning keys for all our TLS services (unfortunately only used by a subset of other mail services in practice, and not yet by web browsers)
- Static key pinning for our services in apps like Auditor
- No cookies or similar client-side state for anything other than login sessions, which are set up via SameSite=Strict cookies and have server-side session tracking with the ability to log out of other sessions
- scrypt-based password hashing (likely Argon2 when the available implementations are more mature)
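The SSHFP and DANE TLSA items above pin keys in DNS, and the DNSSEC item is what makes those records trustworthy. The following is an added example, not GrapheneOS code or part of its infrastructure, showing how such records are derived from key material and how a client checks a presented key against them. It works offline: the 32-byte Ed25519 key, the host names and the in-code SPKI encoding are constructed for the example, and only SHA-256 fingerprints (SSHFP type 2, TLSA "3 1 1") are handled.

```python
"""Added example (not GrapheneOS code): build the DNS pinning records the page
lists (SSHFP, RFC 4255/RFC 7479; DANE TLSA, RFC 6698) from key material and
check a presented key against them.  Runs offline; the key bytes are constructed."""
import base64
import hashlib
import hmac

# SSHFP algorithm numbers (IANA registry) and the SHA-256 fingerprint type.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_SHA256 = 2


def ed25519_wire_blob(raw_pubkey: bytes) -> bytes:
    """SSH wire encoding of an ssh-ed25519 public key: two RFC 4251 'string'
    fields (4-byte big-endian length prefix), key type then the raw 32-byte key."""
    assert len(raw_pubkey) == 32

    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b

    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def authorized_key_line(raw_pubkey: bytes, comment: str = "example") -> str:
    """authorized_keys / known_hosts line: '<type> <base64 blob> <comment>'."""
    blob = base64.b64encode(ed25519_wire_blob(raw_pubkey)).decode("ascii")
    return f"ssh-ed25519 {blob} {comment}"


def ed25519_spki_der(raw_pubkey: bytes) -> bytes:
    """DER SubjectPublicKeyInfo for Ed25519 (RFC 8410): SEQUENCE {
    SEQUENCE { OID 1.3.101.112 }, BIT STRING { 0 unused bits, key } }."""
    assert len(raw_pubkey) == 32
    return bytes.fromhex("302a300506032b6570032100") + raw_pubkey


def sshfp_record(key_line: str) -> str:
    """SSHFP RDATA '<algo> <fptype> <hex>': SHA-256 over the decoded key blob,
    which is what `ssh-keygen -r host` prints for fingerprint type 2."""
    key_type, b64 = key_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).hexdigest()
    return f"{SSHFP_ALGO[key_type]} {SSHFP_SHA256} {digest}"


def sshfp_matches(record: str, key_line: str) -> bool:
    """The check OpenSSH performs with VerifyHostKeyDNS: compare the presented
    host key to the record.  OpenSSH only trusts a match when the DNS answer was
    DNSSEC validated, which is why SSHFP is only useful together with DNSSEC."""
    algo, fptype, fp_hex = record.split()
    key_type, b64 = key_line.split()[:2]
    if int(algo) != SSHFP_ALGO.get(key_type) or int(fptype) != SSHFP_SHA256:
        return False
    digest = hashlib.sha256(base64.b64decode(b64)).hexdigest()
    return hmac.compare_digest(digest, fp_hex)


def tlsa_record(spki_der: bytes) -> str:
    """TLSA RDATA for DANE-EE SPKI pinning: usage 3 (DANE-EE), selector 1
    (SubjectPublicKeyInfo), matching type 1 (SHA-256).  Pinning the SPKI rather
    than the whole certificate lets the certificate be reissued for the same key."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def tlsa_matches(record: str, spki_der: bytes) -> bool:
    """Check a presented end-entity SPKI against a '3 1 1' TLSA record; other
    usage/selector/matching-type combinations are rejected by this checker."""
    usage, selector, mtype, fp_hex = record.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        return False
    return hmac.compare_digest(hashlib.sha256(spki_der).hexdigest(), fp_hex)


# Constructed 32-byte key for the example; a real one comes from the host's
# ssh-keygen output or from the TLS certificate's public key.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_AUTHORIZED_KEY = authorized_key_line(SAMPLE_RAW_KEY)
SAMPLE_SPKI_DER = ed25519_spki_der(SAMPLE_RAW_KEY)

if __name__ == "__main__":
    print("host.example. IN SSHFP", sshfp_record(SAMPLE_AUTHORIZED_KEY))
    print("_443._tcp.host.example. IN TLSA", tlsa_record(SAMPLE_SPKI_DER))
```

For a real host, `ssh-keygen -r host` prints the SSHFP RDATA directly from the host keys, and `dig +dnssec SSHFP host` / `dig +dnssec TLSA _443._tcp.host` fetches the records; the point of the functions above is the client-side comparison, which is only meaningful when the resolver reports the answer as DNSSEC-validated (the AD flag), so an attacker who can spoof DNS cannot also spoof the pin.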
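The last two items describe the login-session scheme: scrypt password hashing, a SameSite=Strict cookie, server-side session tracking and the ability to log out other sessions. The following is an added example, not the project's own implementation, putting those pieces together in one login flow. The scrypt parameters, the "scrypt$N$r$p$salt$key" storage format, the cookie name and the in-memory session table are assumptions made for the example.

```python
"""Added example (not GrapheneOS code): the login-session scheme the page
describes: scrypt password hashing, an opaque session id in a SameSite=Strict
cookie, server-side session tracking, and logging out of other sessions.
The scrypt parameters, storage format and in-memory store are assumptions."""
import hashlib
import hmac
import secrets

# scrypt cost (assumption for the example): N=2^14, r=8 needs 128*N*r = 16 MiB
# per hash; raise N on a server with memory to spare.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN, SALT_LEN = 2 ** 14, 8, 1, 32, 16
SCRYPT_MAXMEM = 64 * 1024 * 1024


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=SCRYPT_MAXMEM, dklen=dklen)


def hash_password(password: str) -> str:
    """Stored form 'scrypt$N$r$p$salt$key' (hex fields) with a fresh random salt;
    the cost parameters travel with the hash so they can be raised later."""
    salt = secrets.token_bytes(SALT_LEN)
    key = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    scheme, n, r, p, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    got = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p), len(expected))
    return hmac.compare_digest(got, expected)  # constant-time comparison


# Hash of a random password, verified against when the username does not exist,
# so that a failed login costs the same time either way (no username oracle).
_DUMMY_HASH = hash_password(secrets.token_hex(16))


class SessionStore:
    """Server-side session table: the cookie carries only an opaque id, so the
    server can enumerate and revoke a user's sessions at any time."""

    def __init__(self):
        self._sessions = {}  # session id -> username

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[sid] = user
        return sid

    def user_for(self, sid: str):
        return self._sessions.get(sid)

    def sessions_for(self, user: str) -> list:
        return [sid for sid, u in self._sessions.items() if u == user]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def logout_others(self, user: str, keep: str) -> int:
        """Revoke every session of `user` except `keep`; returns how many were dropped."""
        others = [sid for sid in self.sessions_for(user) if sid != keep]
        for sid in others:
            del self._sessions[sid]
        return len(others)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps scripts away from the id, Secure keeps it
    off plaintext HTTP, SameSite=Strict means cross-site requests never carry it."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def login(users: dict, store: SessionStore, username: str, password: str):
    """Return a new session id on success, None on failure."""
    stored = users.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored)  # always runs scrypt once
    if username not in users or not ok:
        return None
    return store.create(username)


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed
    store = SessionStore()
    phone = login(users, store, "alice", "correct horse battery staple")
    laptop = login(users, store, "alice", "correct horse battery staple")
    print("Set-Cookie:", set_cookie_header(laptop))
    print("sessions before:", len(store.sessions_for("alice")))
    print("revoked:", store.logout_others("alice", keep=laptop))
    print("phone session still valid:", store.user_for(phone) is not None)
```

Because every session lives in the server-side table, "log out of other sessions" is a deletion of rows rather than a client-side action, and a stolen session id stops working the moment the user revokes it; a stateless signed cookie could not offer that without an extra revocation list.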
Beyond the technical features of the OS:
- Collaborative, open source project with a very active community and contributors
- Can make your own builds and make desired changes, so you aren't stuck with the decisions made by the upstream project
- Non-profit project avoiding conflicts of interest by keeping commercialization at a distance. Companies support the project rather than the project serving the needs of any particular company
- No proprietary services
- Strong privacy policies