GrapheneOS
Security-focused, Android-based mobile operating system
GrapheneOS[b] (/ˈɡræfiːn.oʊˈɛs/) is a free and open-source, privacy- and security-focused, Android-based operating system for Google Pixel and future Motorola devices.[7] GrapheneOS is built on the Android Open Source Project (AOSP). It focuses on researching and improving the privacy and security of Android. GrapheneOS is developed by the GrapheneOS Foundation, a Canadian nonprofit corporation founded in March 2023.[3]
| GrapheneOS | |
|---|---|
| Developer | GrapheneOS Foundation[a] and contributors |
| Written in | Java, Kotlin (UI), C (core), C++, Rust[4] and others |
| OS family | Android (Linux) |
| Working state | Current |
| Source model | Open source |
| Initial release | April 2019 |
| Latest release | 2026050900[5] |
| Latest preview | 2022073000[6] |
| Repository | github |
| Marketing target | Privacy- and security-focused operating system |
| Update method | Over-the-air (OTA) or via USB (ADB sideloading) |
| Package manager | APK-based |
| Instruction sets | ARMv8 or later (ARMv8.5-A or newer is recommended because of hardware memory tagging support), x86-64 (emulator) |
| Kernel type | Monolithic (Linux/Android kernel) |
| Influenced | DivestOS, secureblue |
| Influenced by | OpenBSD, PaX |
| License | MIT, Apache License, various permissive open-source |
| Official website | grapheneos |

| GrapheneOS Foundation | |
|---|---|
| Formation | March 17, 2023 |
| Registration no. | 1485757-7[2] |
| Legal status | Nonprofit corporation |
| Focus | Mobile security, Defense in depth, Hardening, Attack surface reduction |
| Headquarters | Toronto, Ontario, Canada |
| Directors | |
| Website | grapheneos |
| ASN | 40806 |
History
The main developer, Daniel Micay, co-founded and originally worked on CopperheadOS, until a schism over software licensing between the co-founders of Copperhead Limited led to Micay's dismissal from the company in 2018.[8] Micay continued working on the Android Hardening project, which was renamed to GrapheneOS and announced in April 2019 as the "true successor" to CopperheadOS, with a goal of restoring the same functions.[8][9] The project's website states that CopperheadOS was renamed to GrapheneOS.[10]
In March 2022, two GrapheneOS apps, "Secure Camera" and "Secure PDF Viewer", were released on the Google Play Store.[11]
Also in March 2022, GrapheneOS released Android 12L for Google Pixel devices before Google did, second to ProtonAOSP.[12]
In July 2025, the GrapheneOS Foundation stated it was pursuing a partnership with a "major Android OEM" with the goal of engineering devices with official GrapheneOS support that meet the project's extensive hardware and vendor support requirements.[13][14]
In March 2026 an official announcement was made, revealing that the partner is Motorola Mobility.[15]
As of April 2026, GrapheneOS developers reported they had around 400K active users. The figure is an inexact estimate based on statistics generated from the access logs of the update servers. This is the only way for the GrapheneOS Foundation to approximate the number of users, since no telemetry mechanism is included in the operating system.[16]
Features

Sandboxed Google Play
By default Google apps are not present on GrapheneOS,[7][17] but users can install a sandboxed version of Google Play Services from the pre-installed "App Store".[17] The sandboxed Google Play Services implementation allows access to the Google Play Store and apps dependent on it, along with features including push notifications (Firebase Cloud Messaging) and in-app payments.[17]
This differs from other custom Android distributions, such as CalyxOS, iodéOS or /e/OS, that replace Google Play Services with microG. According to some analysts, the microG implementation is problematic because it can log users out of the Play Store and not allow them to download more apps.[18]
The "Markup" app for editing screenshots and the Pixel Thermometer app, which are included by default in the stock Pixel operating system and cannot be obtained from the Play Store, are also available in the GrapheneOS App Store.[citation needed]
In December 2023, Android Auto support was added to GrapheneOS, allowing users to install it via the App Store.[19] The Sandboxed Google Play compatibility layer settings add a new permission menu with 4 toggles for granting the minimal access required for wired Android Auto, wireless Android Auto, audio routing and phone calls.[20]
GrapheneOS provides stub implementations for multiple features of Google Play Services, including Wi-Fi positioning, geocoding, and reverse geocoding. By default, all location requests are rerouted to the regular AOSP geolocation subsystem, which uses Assisted GNSS (A-GNSS) data and performs the location calculations locally. The GrapheneOS Foundation provides proxy servers for both Secure User Plane Location (SUPL) and Predicted Satellite Data Service (PSDS).
GrapheneOS improves the privacy of PSDS on devices using Qualcomm GNSS hardware by removing the User-Agent header containing unique hardware identifiers, such as the serial number of the chip.[1][21][22]
Optionally, the use of the Apple Wi-Fi positioning system, either directly or through a proxy hosted by the GrapheneOS Foundation, can be enabled in the settings. The GrapheneOS Foundation also hosts an instance of the Nominatim geocoder, which uses OpenStreetMap data.[23][24]
Security and privacy features
GrapheneOS introduces revocable network access and sensors permission toggles for each installed app.[7][25] GrapheneOS also introduces a PIN scrambling option for the lock screen, as well as a feature called Duress password, which wipes on-device personal data when it is entered on the lock screen instead of the regular PIN/password.[26][27]
GrapheneOS randomly generates a new MAC address every time a Wi-Fi connection is established, instead of the default Android behavior of randomizing the address per Wi-Fi network.[8][28]
GrapheneOS includes a feature that automatically initiates a reboot of the device when at rest for a set time period in order to revert from the after first unlock (AFU) state to before first unlock (BFU), wiping the cryptographic keys used for disk encryption from RAM. It aims to make brute-force attacks significantly more difficult by enforcing the throttling of unlock attempts through the secure element. The automatic reboot feature is enabled by default and configured to activate after 18 hours. The time period can be set to values between 10 minutes and 72 hours in the settings.[29][24]
iOS 18 implemented a similar feature called Inactivity Reboot with a fixed time of 7 days. The time period was shortened to 72 hours in version 18.1.[30][31][32] It is not clear whether Apple was inspired by GrapheneOS.[33]
It also includes automatic Wi-Fi and Bluetooth disabling, along with software and hardware level disabling of the USB-C port and pogo pins (as found on the Pixel Tablet). GrapheneOS can also disable the microphone, camera, and sensors for apps. Additionally, it offers the Contact and Storage Scopes feature, which allows users to select which specific contacts or files/folders an app can access.[24]
A hardened Chromium-based web browser and WebView implementation known as Vanadium is developed by GrapheneOS and included as the default web browser and system WebView.[25] It includes automatic updates, process- and site-level sandboxing, and built-in ad and tracker blocking, and it disables the V8 JavaScript just-in-time (JIT) compiler by default for attack surface reduction.[34] Vanadium enables JIT-less WebAssembly support through the DrumBrake interpreter originally developed by Microsoft and upstreamed into the Chromium project.[35]
Auditor, a hardware-based attestation app developed by GrapheneOS to "provide strong hardware-based verification of the authenticity and integrity of the firmware/software on the device", is also included.[24] The app also includes an optional, scheduled remote verification feature, which runs in the background and performs regular verifications against the GrapheneOS attestation service. It can alert users via email if the device fails to provide valid attestations in time. The remote attestation interval and permitted time before an alert can be configured by the user using the web portal.[36] Both the Auditor app and the AttestationServer backend are open source and permissively licensed under the MIT license.[37]
Apps like Secure Camera and Secure PDF Viewer offer features such as automatic removal of Exif metadata and protection against malicious code in PDF files by opening them within a sandboxed PDF.js environment in the hardened Vanadium WebView.[38]
GrapheneOS also includes a hardened memory allocator (hardened_malloc) intended to provide substantial defenses against common classes of vulnerabilities such as heap memory corruption.[39] In addition, its Chromium-based browser/WebView (Vanadium) enables further exploit mitigations beyond upstream defaults (e.g., type-based control-flow integrity (CFI), stronger stack-smashing protection (SSP) or zero-initialization of variables).[24][40]
Unlike AOSP, the stock Pixel operating system, and other Android-based systems, GrapheneOS makes heavy use of the memory tagging extension (MTE) found in the processor cores of ARM chips using the ARMv8.5-A architecture or newer.[41][42] The first devices on the market featuring MTE-enabled processors were Google's Pixel 8 and Pixel 8 Pro models released in October 2023.[43] GrapheneOS added support for the feature in November of the same year.[44]
GrapheneOS developers noted that the feature could especially be of importance for instant messaging applications, such as WhatsApp or Signal, which use large amounts of memory-unsafe code for features like WebRTC and are common targets of attackers.[45]
In March 2024, the team reported that the feature helped it uncover a high-severity memory corruption vulnerability in an Android Bluetooth Low Energy system component.[46] The bug was acknowledged by Google and became known as CVE-2024-23694.[47] It was fixed in the May 2024 Pixel Update Bulletin.[48]
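The tag check that makes MTE useful against heap corruption can be modelled in software. The following is an added example, not GrapheneOS or hardened_malloc code: it assumes a heap of eight one-granule slots and a deterministic tag choice (real allocators pick tags randomly), and every function name in it is hypothetical.

```c
#include <stdint.h>

#define GRANULE   16u   /* MTE assigns one 4-bit tag per 16-byte granule */
#define NSLOTS    8u    /* assumption: the heap is 8 one-granule slots */
#define TAG_SHIFT 56    /* the pointer's tag sits in address bits 59:56 */
typedef uint64_t tagged_ptr;       /* heap offset in low bits, tag in bits 59:56 */

static uint8_t heap[NSLOTS * GRANULE];
static uint8_t mem_tag[NSLOTS];    /* tag per granule; 0 marks free memory */
static uint8_t last_tag[NSLOTS];   /* tag each slot carried before its last free */
static uint8_t in_use[NSLOTS];

uint8_t  ptr_tag(tagged_ptr p) { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
uint64_t ptr_off(tagged_ptr p) { return p & ((1ULL << TAG_SHIFT) - 1); }

/* Tag choice is deterministic here (lowest nonzero tag that differs from the
   slot's previous tag and from both neighbours) so the results reproduce. */
tagged_ptr model_alloc(void) {
    for (unsigned s = 0; s < NSLOTS; s++) {
        if (in_use[s]) continue;
        uint8_t left  = s > 0 ? mem_tag[s - 1] : 0;
        uint8_t right = s + 1 < NSLOTS ? mem_tag[s + 1] : 0;
        uint8_t t = 1;
        while (t == last_tag[s] || t == left || t == right) t++;
        in_use[s] = 1;
        mem_tag[s] = t;
        return ((uint64_t)t << TAG_SHIFT) | (uint64_t)(s * GRANULE);
    }
    return 0;  /* heap exhausted; tag 0 is never handed out */
}

void model_free(tagged_ptr p) {
    unsigned s = (unsigned)(ptr_off(p) / GRANULE);
    last_tag[s] = mem_tag[s];
    mem_tag[s] = 0;       /* retag on free: stale pointers stop matching */
    in_use[s] = 0;
}

/* Returns 0 if the store is allowed, -1 where hardware would raise a tag fault. */
int checked_store(tagged_ptr p, unsigned idx, uint8_t v) {
    uint64_t off = ptr_off(p) + idx;
    if (off >= sizeof heap || mem_tag[off / GRANULE] != ptr_tag(p)) return -1;
    heap[off] = v;
    return 0;
}

/* bit0: in-bounds store passes, bit1: overflow into the next slot caught,
   bit2: use-after-free caught, bit3: stale pointer caught after slot reuse */
int demo(void) {
    tagged_ptr a = model_alloc(), b = model_alloc();
    int r = 0;
    if (checked_store(a, 0, 'A') == 0) r |= 1;
    if (checked_store(a, GRANULE, 'X') == -1 && checked_store(b, 0, 'B') == 0) r |= 2;
    model_free(a);
    if (checked_store(a, 0, 'Y') == -1) r |= 4;
    tagged_ptr c = model_alloc();   /* reuses slot 0 with a fresh tag */
    if (checked_store(a, 0, 'Z') == -1 && checked_store(c, 0, 'C') == 0) r |= 8;
    return r;
}
int main(void) { return demo() == 15 ? 0 : 1; }
```

With only 15 usable tags, a randomly tagged allocator detects such accesses probabilistically; excluding the previous and neighbouring tags is what makes the linear-overflow and immediate-reuse cases deterministic in this model.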
The underlying Linux kernel is covered by the hardware tag-based KernelAddressSanitizer (KASan).[49]
Hardware compatibility
GrapheneOS maintains an extensive list of hardware and OEM support requirements. These include bootloader requirements, such as Android Verified Boot with rollback protection, the ability to unlock the bootloader, and relock it with a custom signing key.[50]
A high-quality secure element is required in order to facilitate full disk encryption and storage of sensitive cryptographic secrets. The secure element must provide support for the Android StrongBox key storage mechanism, Weaver API, which handles the throttling of unlock attempts, insider attack resistance, i.e. requiring authentication before firmware updates can be applied to the secure element, and hardware-based key attestation (for example used by the built-in Auditor app).[51]
The USB controller must be configurable by the operating system via device drivers and must allow completely disabling USB at a hardware level in order to minimize attack surface.[1]
The wireless hardware must fully support Wi-Fi anonymity, including MAC address and probe sequence number randomization, and shall not leak unique identifiers in other ways.[51]
JTAG or other debugging interfaces must be disabled when the device is locked to further reduce the attack surface.[1]
GrapheneOS mandates a minimum OEM support period of 5 years for smartphones and 7 years for tablets. This includes regular updates to firmware, drivers, hardware abstraction layers and other device-specific code without delays longer than a week.[52][1]
Installation

GrapheneOS currently is only compatible with Google Pixel devices,[53] due to specific requirements that GrapheneOS has for adding support for a new device, including an unlockable bootloader and proper implementation of verified boot.[54][14] In October 2025, GrapheneOS said that it was working with a "major" Android OEM on future devices that would support the OS on Qualcomm Snapdragon platforms, and that they will be the flagship devices, expected to appear in Q4 2026 or Q1 2027.[55][56][57] In March 2026, it was revealed that this partner is Motorola Mobility, and a device list will be released some time later that year.[15]
The operating system can be installed from various platforms, including Windows, macOS, Linux, and Android devices. Two installation methods are available: a web-based installer, recommended for most users, and a command-line based installer, intended for more experienced users.[58][59]
The web installer makes use of the WebUSB API and is based on the fastboot.js library, a JavaScript implementation of the Fastboot utility developed by Danny Lin. It has been inspired by Google's Android Flash Tool, which uses the same API for performing the installation in the browser. It is currently only supported in Chromium-based web browsers.[60] Unlike the command-line installation script, it does not require the installation of any additional software.[61][62]
Jack Wallen of ZDNET said of the process, "It sounds difficult, but it's really not", and noted that it took him roughly ten minutes to complete the installation.[63]
Reception
Edward Snowden (@Snowden) tweeted:
Replying to @Snowden
If I were configuring a smartphone today, I'd use @DanielMicay's @GrapheneOS as the base operating system. I'd desolder the microphones and keep the radios (cellular, wifi, and bluetooth) turned off when I didn't need them. I would route traffic through the @torproject network.
September 21, 2019[64]
In 2019, Georg Pichler of Der Standard, and other news sources, quoted Edward Snowden saying on Twitter, "If I were configuring a smartphone today, I'd use Daniel Micay's GrapheneOS as the base operating system."[65][66][67]
In discussing why services should not force users to install proprietary apps, Lennart Mühlenmeier of netzpolitik.org suggested GrapheneOS as an alternative to Apple or Google.[68]
Svět Mobilně and Webtekno repeated the suggestions that GrapheneOS is a good security- and privacy-oriented replacement for standard Android.[69][70]
In a detailed review of GrapheneOS for Golem.de, Moritz Tremmel and Sebastian Grüner said they were able to use GrapheneOS similarly to other Android systems, while enjoying more freedom from Google, without noticing differences from "additional memory protection, but that's the way it should be." They concluded GrapheneOS cannot change how "Android devices become garbage after three years at the latest", but "it can better secure the devices during their remaining life while protecting privacy."[8]
Jack Dorsey, founder of Twitter and Bluesky, promoted GrapheneOS in January 2021.[71] According to the GrapheneOS Foundation, he later donated US$1 million to the project as part of his StartSmall initiative.[72]
In June 2021, reviews of GrapheneOS, KaiOS, AliOS, and Tizen OS were published in Cellular News. The review of GrapheneOS called it "arguably the best mobile operating system in terms of privacy and security." However, they criticized GrapheneOS for its inconvenience to users, saying "GrapheneOS is completely de-Googled and will stay that way forever—at least according to the developers." They also noticed a "slight performance decrease" and said "it might take two full seconds for an app—even if it's just the Settings app—to fully load."[73]
In March 2022, writing for How-To Geek, Joe Fedewa said that Google apps were not included due to concerns over privacy, and GrapheneOS also did not include a default app store. Instead, Fedewa suggested, F-Droid could be used.[7]
In 2022, Jonathan Lamont of MobileSyrup reviewed GrapheneOS installed on a Pixel 3, after one week of use. He called the GrapheneOS install process "straightforward" and concluded that he liked GrapheneOS overall, but criticized the post-install experience as "often not a seamless experience like using an unmodified Pixel or an iPhone", attributing his experience to his "over-reliance on Google apps" and the absence of some "smart" features in the default GrapheneOS keyboard and camera apps, in comparison to software from Google.[17]
In his initial impressions post a week prior, Lamont said that after an easy install there were issues with permissions for Google's Messages app, and difficulty importing contacts; Lamont then concluded, "Anyone looking for a straightforward experience may want to avoid GrapheneOS or other privacy-oriented Android experiences since the privacy gains often come at the expense of convenience and ease of use."[74]
In July 2022, Charlie Osborne of ZDNET suggested that individuals who suspect a Pegasus infection use a secondary device with GrapheneOS for secure communication.[75]
In January 2023, a Swiss startup company, Apostrophy AG, announced AphyOS, which is a subscription fee-based Android operating system and services "built atop" GrapheneOS.[76][77] The GrapheneOS team dismissed the project being based on GrapheneOS as misleading marketing due to AphyOS being based on an earlier version of Android, using the LineageOS update client and other inconsistencies.[78]
GrapheneOS is a popular choice within the DeGoogle movement.[79][80]
The operating system was reviewed by Jesse Smith of DistroWatch and by Jonathan Corbet of LWN.net in March and July 2025 respectively.[81][82]
Jack Wallen of ZDNET reviewed GrapheneOS in November 2025 in an article titled "I finally tried GrapheneOS on my Pixel, and it's the secure Android alternative I've been waiting for". He described that the development team "takes usability seriously", and that the operating system looks and feels like Android.[63]
In late 2025, GrapheneOS moved its infrastructure away from servers hosted by French provider OVHcloud over privacy and security concerns.[83][84] This applies both to servers located inside France and to Canadian servers owned by the company. The project stated, "France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed (in France)."
France voted in favor of a proposed, controversial EU measure commonly referred to as Chat Control which could require providers to create and open a backdoor to their services to enable authorities to scan user content.[85][86]
GrapheneOS gained attention in the media in March 2026 after stating the project would not comply with planned and heavily criticized age verification laws such as the California Digital Age Assurance Act (Assembly Bill 1043) or Brazil's Digital Statute for Children and Adolescents (Law No. 15,211/2025), even if it meant that future Motorola devices that will come with the OS preinstalled couldn't be sold in these regions.[87]
