242 lines
16 KiB
HTML
242 lines
16 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" prefix="og: https://ogp.me/ns#">
|
|
<head>
|
|
<meta charset="utf-8"/>
|
|
<title>Feature overview | GrapheneOS</title>
|
|
<meta name="description" content="Overview of GrapheneOS features differentiating it from the Android Open Source Project."/>
|
|
<meta name="theme-color" content="#212121"/>
|
|
<meta name="msapplication-TileColor" content="#ffffff"/>
|
|
<meta name="viewport" content="width=device-width, initial-scale=1"/>
|
|
<meta name="twitter:site" content="@GrapheneOS"/>
|
|
<meta name="twitter:creator" content="@GrapheneOS"/>
|
|
<meta property="og:title" content="GrapheneOS features overview"/>
|
|
<meta property="og:description" content="Overview of GrapheneOS features differentiating it from the Android Open Source Project."/>
|
|
<meta property="og:type" content="website"/>
|
|
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
|
|
<meta property="og:image:width" content="512"/>
|
|
<meta property="og:image:height" content="512"/>
|
|
<meta property="og:image:alt" content="GrapheneOS logo"/>
|
|
<meta property="og:site_name" content="GrapheneOS"/>
|
|
<meta property="og:url" content="https://grapheneos.org/features"/>
|
|
<link rel="canonical" href="https://grapheneos.org/features"/>
|
|
<link rel="icon" sizes="16x16 24x24 32x32 48x48 64x64" type="image/vnd.microsoft.icon" href="/favicon.ico"/>
|
|
<link rel="icon" sizes="any" type="image/svg+xml" href="/mask-icon.svg"/>
|
|
<link rel="mask-icon" href="/mask-icon.svg" color="#1a1a1a"/>
|
|
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
|
|
<link rel="stylesheet" href="/grapheneos.css?29"/>
|
|
<link rel="manifest" href="/manifest.webmanifest"/>
|
|
<link rel="license" href="/LICENSE.txt"/>
|
|
</head>
|
|
<body>
|
|
<header>
|
|
<nav id="site-menu">
|
|
<ul>
|
|
<li><a href="/">GrapheneOS</a></li>
|
|
<li aria-current="page"><a href="/features">Features</a></li>
|
|
<li><a href="/install/">Install</a></li>
|
|
<li><a href="/build">Build</a></li>
|
|
<li><a href="/usage">Usage</a></li>
|
|
<li><a href="/faq">FAQ</a></li>
|
|
<li><a href="/releases">Releases</a></li>
|
|
<li><a href="/source">Source</a></li>
|
|
<li><a href="/history">History</a></li>
|
|
<li><a href="/articles/">Articles</a></li>
|
|
<li><a href="/donate">Donate</a></li>
|
|
<li><a href="/contact">Contact</a></li>
|
|
</ul>
|
|
</nav>
|
|
</header>
|
|
<main id="features">
|
|
<h1><a href="#features">Features overview</a></h1>
|
|
|
|
<p>This is an overview of the current set of features differentiating GrapheneOS from
|
|
the Android Open Source Project (AOSP). This page does not currently cover any of our
|
|
historical features that are either not yet reimplemented or which became obsolete due
|
|
to improvements in AOSP. Each major release of AOSP brings substantial privacy and
|
|
security improvements, some of which have been based on our research and development
|
|
work.</p>
|
|
|
|
<p>GrapheneOS is based on the Android 11 release of the Android Open Source Project
|
|
which provides a strong baseline for privacy and security. GrapheneOS takes great care
|
|
to preserve the baseline privacy and security, including taking full advantage of all
|
|
of the standard hardware features. The privacy and security features inherited from
|
|
AOSP and the hardware are not covered here. Documentation on that will be gradually
|
|
added elsewhere on our site.</p>
|
|
|
|
<nav id="table-of-contents">
|
|
<h2><a href="#table-of-contents">Table of contents</a></h2>
|
|
|
|
<ul>
|
|
<li><a href="#grapheneos">GrapheneOS</a></li>
|
|
<li><a href="#services">Services</a></li>
|
|
<li><a href="#project">Project</a></li>
|
|
</ul>
|
|
</nav>
|
|
|
|
<section id="grapheneos">
|
|
<h2><a href="#grapheneos">GrapheneOS</a></h2>
|
|
|
|
<p>Partial list of GrapheneOS features beyond what AOSP 11 provides:</p>
|
|
|
|
<ul>
|
|
<li>Hardened app runtime</li>
|
|
<li>Stronger app sandbox</li>
|
|
<li>Hardened libc providing defenses against the most common classes of
|
|
vulnerabilities (memory corruption)</li>
|
|
<li>Our own <a href="https://github.com/GrapheneOS/hardened_malloc">hardened malloc (memory allocator)</a>
|
|
leveraging modern hardware capabilities to provide substantial defenses against
|
|
the most common classes of vulnerabilities (heap memory corruption) along with
|
|
reducing the lifetime of sensitive data in memory. The
|
|
<a href="https://github.com/GrapheneOS/hardened_malloc/blob/master/README.md">hardened_malloc
|
|
README</a> has extensive documentation on it. The hardened_malloc project is
|
|
portable to other Linux-based operating systems and is being adopted by other
|
|
security-focused operating systems like Whonix. Our allocator also heavily influenced the
|
|
design of the <a href="https://www.openwall.com/lists/musl/2020/05/13/1">next-generation
|
|
musl malloc implementation</a> which offers substantially better security than musl's
|
|
previous malloc while still having minimal memory usage and code size.</li>
|
|
<li>Hardened compiler toolchain</li>
|
|
<li>Hardened kernel</li>
|
|
<li>Prevention of dynamic native code execution in-memory or via the filesystem
|
|
for the base OS without going via the package manager, etc.</li>
|
|
<li>Filesystem access hardening</li>
|
|
<li>Enhanced verified boot with better security properties and reduced attack surface</li>
|
|
<li>Enhanced hardware-based attestation with more precise version information</li>
|
|
<li>Eliminates remaining holes for apps to access hardware-based identifiers</li>
|
|
<li>Greatly reduced remote, local and proximity-based attack surface by
|
|
stripping out unnecessary code, making more features optional and disabling
|
|
optional features by default (NFC, Bluetooth, etc.), when the screen is
|
|
locked (connecting new USB peripherals, camera access) and optionally after a
|
|
timeout (Bluetooth)</li>
|
|
<li>Low-level improvements to the filesystem-based full disk encryption used on
|
|
modern Android</li>
|
|
<li>Support for logging out of user profiles without needing a device manager:
|
|
makes them inactive so that they can't continue running code while using
|
|
another profile and purges the disk encryption keys (which are per-profile)
|
|
from memory and hardware registers</li>
|
|
<li>Indicators for active camera and microphone usage are enabled by default
|
|
alongside the traditional location indicator</li>
|
|
<li>Support longer passwords by default without a device manager</li>
|
|
<li>Stricter implementation of the optional fingerprint unlock feature permitting
|
|
only 5 attempts rather than 20 before permanent lockout (our recommendation is
|
|
still keeping sensitive data in user profiles without fingerprint unlock)</li>
|
|
<li>PIN scrambling option</li>
|
|
<li><a href="/usage#lte-only-mode">LTE-only mode</a> to reduce cellular radio
|
|
attack surface by disabling enormous amounts of legacy code</li>
|
|
<li><a href="/usage#wifi-privacy-associated">Default enabled per-connection MAC randomization</a>
|
|
as an improvement over Android's default per-network MAC randomization reusing
|
|
the same MAC address until the DHCP lease with that network expires (can still
|
|
use the standard implementation or fully disable it)</li>
|
|
<li>Vanadium: hardened WebView and default browser — the WebView is what most
|
|
other apps use to handle web content, so you benefit from Vanadium in many apps
|
|
even if you choose another browser</li>
|
|
<li>Hardware-based security verification and monitoring: the
|
|
<a href="https://github.com/GrapheneOS/Auditor/releases">Auditor app</a> app and
|
|
<a href="https://attestation.app/">attestation service</a> provide strong
|
|
hardware-based verification of the authenticity and integrity of the
|
|
firmware/software on the device. A strong pairing-based approach is used which
|
|
also provides verification of the device's identity based on the hardware backed
|
|
key generated for each pairing. Software-based checks are layered on top with
|
|
trust securely chained from the hardware. For more details, see the
|
|
<a href="https://attestation.app/about">about page</a>
|
|
and <a href="https://attestation.app/tutorial">tutorial</a>.</li>
|
|
<li><a href="https://github.com/GrapheneOS/PdfViewer">PDF Viewer</a>: sandboxed,
|
|
hardened PDF viewer using HiDPI rendering with pinch to zoom, text selection,
|
|
etc.</li>
|
|
<li>Encrypted backups via integration of the
|
|
<a href="https://github.com/seedvault-app/seedvault">Seedvault app</a> with
|
|
support for local backups and any cloud storage provider with a storage provider
|
|
app</li>
|
|
<li><a href="/usage#exec-spawning">Secure application spawning system</a> avoiding
|
|
sharing address space layout and other secrets across applications</li>
|
|
<li>Network permission toggle disallowing both direct and indirect network access,
|
|
superior to a purely firewall-based implementation only disallowing direct
|
|
access to the network without covering inter-process communication (enabled by
|
|
default for compatibility)</li>
|
|
<li>Sensors permission toggle: disallow access to all other sensors not covered by
|
|
existing Android permissions (enabled by default for compatibility)</li>
|
|
<li>Authenticated encryption for network time updates via a first party server to
|
|
prevent attackers from changing the time and enabling attacks based on bypassing
|
|
certificate / key expiry, etc.</li>
|
|
<li>Proper support for disabling network time updates rather than just not using
|
|
the results</li>
|
|
<li>Connectivity checks via a first party server with the option to revert to the
|
|
standard checks</li>
|
|
<li>Hardened local build / signing infrastructure</li>
|
|
<li><a href="/usage#updates">Seamless automatic OS update system</a> that just
|
|
works and stays out of the way in the background without disrupting device
|
|
usage, with full support for the standard automatic rollback if the first boot
|
|
of the updated OS fails</li>
|
|
<li>Require unlocking to access sensitive function via quick tiles</li>
|
|
<li>Minor changes to default settings to prefer privacy over small conveniences:
|
|
personalized keyboard suggestions based on gathering input history are disabled by
|
|
default, sensitive notifications are hidden on the lockscreen by default and
|
|
passwords are hidden during entry by default</li>
|
|
</ul>
|
|
</section>
|
|
|
|
<section id="services">
|
|
<h2><a href="#services">Services</a></h2>
|
|
|
|
<p>Service infrastructure features:</p>
|
|
|
|
<ul>
|
|
<li>Strict privacy and security practices for our infrastructure</li>
|
|
<li>Unnecessary logging is avoided and logs are automatically purged after 10 days</li>
|
|
<li>Services hosted on OVH without involving any additional parties for CDNs,
|
|
mirrors or other services. We don't outsource to others</li>
|
|
<li>Our services are built with open technology stacks to avoid being locked in to
|
|
any particular hosting provider or vendor</li>
|
|
<li>Open documentation on our infrastructure including listing out all of our
|
|
services, guides on making similar setups, published configurations for each
|
|
of our web services, etc.</li>
|
|
<li>No proprietary services</li>
|
|
<li>Authenticated encryption for all of our services</li>
|
|
<li>Strong cipher configurations for all of our services (SSH, TLS, etc.) with
|
|
only modern AEAD ciphers providing forward secrecy</li>
|
|
<li>Our web services use OCSP stapling with Must-Staple</li>
|
|
<li>DNSSEC implemented for all of our domains, which is particularly important
|
|
for securing email due to it relying on DNS records</li>
|
|
<li>DANE TLSA records for pinning keys for all our TLS services (mostly helps
|
|
to secure email due to lack of browser support)</li>
|
|
<li>Our mail server enforces DNSSEC/DANE to provide authenticated encryption
|
|
when sending mail including alert messages from the attestation service</li>
|
|
<li>SSHFP across all domains for pinning SSH keys</li>
|
|
<li>Static key pinning for our services in apps like Auditor</li>
|
|
<li>No persistent cookies or similar client-side state for anything other than
|
|
login sessions, which are set up via SameSite=strict cookies and have
|
|
server-side session tracking with the ability to log out of other
|
|
sessions</li>
|
|
<li>scrypt-based password hashing (likely Argon2 when the available implementations
|
|
are more mature)</li>
|
|
</ul>
|
|
</section>
|
|
|
|
<section id="project">
|
|
<h2><a href="#project">Project</a></h2>
|
|
|
|
<p>Beyond the technical features of the OS:</p>
|
|
|
|
<ul>
|
|
<li>Collaborative, open source project with a very active community and contributors</li>
|
|
<li>Can make your own builds and make desired changes, so you aren't stuck with
|
|
the decisions made by the upstream project</li>
|
|
<li>Non-profit project avoiding conflicts of interest by keeping commercialization
|
|
at a distance. Companies support the project
|
|
<a href="/faq#company">rather than the project serving the needs of any
|
|
particular company</a></li>
|
|
<li><a href="/faq#privacy-policy">Strong privacy policies</a></li>
|
|
</ul>
|
|
</section>
|
|
</main>
|
|
<footer>
|
|
<a href="/"><img src="/mask-icon.svg" width="512" height="512" alt=""/>GrapheneOS</a>
|
|
<ul id="social">
|
|
<li><a href="https://twitter.com/GrapheneOS">Twitter</a></li>
|
|
<li><a href="https://github.com/GrapheneOS">GitHub</a></li>
|
|
<li><a href="https://reddit.com/r/GrapheneOS">Reddit</a></li>
|
|
<li><a href="https://www.linkedin.com/company/grapheneos/">LinkedIn</a></li>
|
|
</ul>
|
|
</footer>
|
|
</body>
|
|
</html>
|