GrapheneOS feature overview

This is a newly created page (started 2020-12-05) and is in the process of being written. More details and links to more detailed documentation and relevant repositories will be added over time.

This is an overview of the current set of features differentiating GrapheneOS from the Android Open Source Project (AOSP). This page does not currently cover any of our historical features that are either not yet reimplemented or which became obsolete due to improvements in AOSP. Each major release of AOSP brings substantial privacy and security improvements, some of which have been based on our research and development work.

GrapheneOS is based on the Android 11 release of the Android Open Source Project which provides a strong baseline for privacy and security. GrapheneOS takes great care to preserve the baseline privacy and security, including taking full advantage of all of the standard hardware features. The privacy and security features inherited from AOSP and the hardware are not covered here. Documentation on that will be gradually added elsewhere on our site.

Partial list of GrapheneOS features beyond what AOSP 11 provides:

Hardened app runtime
Stronger app sandbox
Hardened libc providing defenses against the most common classes of vulnerabilities (memory corruption)
Our own hardened malloc (memory allocator) leveraging modern hardware capabilities to provide substantial defenses against the most common classes of vulnerabilities (heap memory corruption) along with reducing the lifetime of sensitive data in memory
Hardened kernel
Prevention of dynamic native code execution in-memory or via the filesystem for the base OS without going via the package manager, etc.
Filesystem access hardening
Enhanced verified boot with better security properties and reduced attack surface
Enhanced hardware-based attestation with more precise version information
Eliminates remaining holes for apps to access hardware-based identifiers
Greatly reduced remote, local and proximity-based attack surface by stripping out unnecessary code, making more features optional and disabling optional features by default (NFC, Bluetooth, etc.) or when the screen is locked (connecting new USB peripherals, camera access)
Low-level improvements to the filesystem-based full disk encryption used on modern Android
Support for logging out of user profiles without needing a device manager: makes them inactive so that they can't continue running code while using another profile, purges disk encryption keys (which are per-profile) from memory and hardware registers
LTE-only mode to reduce cellular radio attack surface by disabling enormous amounts of legacy code
Default enabled per-connection MAC randomization as an improvement over Android's default per-network MAC randomization reusing the same MAC address until the DHCP lease with that network expires
Vanadium: hardened WebView and default browser - the WebView is what most other apps use to handle web content, so you benefit from Vanadium in many apps even if you choose another browser
Auditor: hardware-based attestation used to secure devices for users and organizations instead of using it as a form of DRM
PDF Viewer: sandboxed, hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection, etc.
Secure application spawning system avoiding sharing address space layout and other secrets across applications
Network permission toggle disallowing both direct and indirect network access, superior to a purely firewall-based implementation only disallowing direct access to the network without covering inter-process communication (enabled by default for compatibility)
Sensors permission toggle: disallow access to all other sensors not covered by existing Android permissions (enabled by default for compatibility)
Authenticated encryption for network time updates via a first party server to prevent attackers from changing the time and enabling attacks based on bypassing certificate / key expiry, etc.
Proper support for disabling network time updates rather than just not using the results
Connectivity checks via a first party server with the option to revert to the standard checks
Hardened local build / signing infrastructure
Seamless automatic OS update system that just works and stays out of the way in the background without disrupting device usage, with full support for the standard automatic rollback if the first boot of the updated OS fails

Infrastructure features:

Strict privacy and security practices for our infrastructure
Services hosted on OVH without involving any additional parties for CDNs, mirrors or other services - we don't outsource to others
Our services are built with open technology stacks to avoid being locked in to any particular hosting provider or vendor
Open documentation on our infrastructure including listing out all of our services, guides on making similar setups, published configurations for each of our web services, etc.
No proprietary services
Authenticated encryption for all of our services
Strong cipher configurations for all of our services (SSH, TLS, etc.)
DNSSEC for all our domains
SSHFP across all domains for pinning SSH keys
DANE TLSA records for pinning keys for all our TLS services (unfortunately only used by a subset of other mail services in practice, and not yet web browsers)
Static key pinning for our services in apps like Auditor
No cookies or similar client-side state for anything other than login sessions, which are set up via SameSite=strict cookies and have server-side session tracking with the ability to log out of other sessions
scrypt-based password hashing (likely Argon2 when the available implementations are more mature)

Beyond the technical features of the OS:

Collaborative, open source project with a very active community and contributors
Can make your own builds and make desired changes, so you aren't stuck with the decisions made by the upstream project
Non-profit project avoiding conflicts of interest by keeping commercialization at a distance. Companies support the project rather than the project serving the needs of any particular company
Strong privacy policies