Privacy, by design
GrapheneOS is a security- and data preservation focused Android-compatible OS for Google Pixel hardware. It hardens the whole stack and gives you precise controls (network & sensor toggles, Storage/Contact Scopes, sandboxed Play) so you decide what runs and what reaches your data.
Hardened runtime, allocator, kernel & sandboxing reduce the blast radius of bugs.
Per-app Network & Sensors toggles, Storage/Contact Scopes narrow data exposure.
Optional sandboxed Google Play keeps apps working inside the normal app sandbox.
What makes GrapheneOS different?
Big picture: reduce attack surface, raise exploit cost, and give the user precise, usable controls.
Hardened runtime & kernel
GrapheneOS ships a hardened C library and hardened malloc memory allocator, a more defensive app runtime, and a kernel with extra hardening / integrity checks. The goal is simple: convert single-bug break-ins into multi-bug puzzles.
- Out-of-line metadata, canaries, quarantine & zero-on-free in the allocator
- Higher-entropy ASLR, memory wiping on free/boot, and extra kernel consistency checks
- AOT compiled apps (no JIT by default in WebView/Vanadium) to shrink dynamic code attack surface
Containment as a safety net
Modern security assumes some bugs slip through. GrapheneOS leans on Android’s app sandbox and adds tighter process isolation and per-site renderers via the Vanadium browser.
- Secure application spawning and stricter policies on dynamic code loading
- Vanadium (hardened Chromium) as browser & WebView
Network & Sensors toggles
Flip a switch to deny an app all network access (even localhost) or block motion/environment sensors (accelerometer, gyroscope, barometer, compass…). Apps behave as if the network is down or sensors are unavailable, instead of crashing.
Storage & Contact Scopes
Replace broad file/contacts permissions with precise allow-lists. Grant an app access only to specific folders/files or selected contacts/groups, keeping the rest of your data out of reach.
Wi-Fi & cellular hygiene
Per-connection MAC randomization (enabled by default) and fixes for historical IPv6 privacy leaks reduce tracking across networks. LTE-only mode can further trim radio attack surface.
Auditor & hardware attestation
Verify—don’t just hope. The Auditor app uses hardware-backed keys and verified boot signals to check OS integrity and persistent state, locally (QR) or via scheduled remote checks.
Vanadium hardened browser
Vanadium raises the default privacy/security bar versus stock Chromium, with conservative defaults on risky features (like JIT), plus per-site controls.
Sandboxed Google Play (optional)
Need banking, ride-share, or work apps? Install Google Play as normal apps living inside the standard app sandbox—no privileged OS hooks, no signature spoofing. You choose their permissions like any other app.
How it compares to a stock Android experience
| Area | GrapheneOS | Typical stock Android |
|---|---|---|
| Per-app network kill switch | Yes — toggle denies all network paths (incl. localhost) | No — requires firewalls/workarounds per app |
| Per-app sensors kill switch | Yes — block motion & environmental sensors | No — limited app-level controls |
| Fine-grained file/contact access | Storage/Contact Scopes (allow-lists) | Broader permissions by default |
| Browser/WebView hardening | Vanadium (hardened Chromium) | Baseline Chromium |
| OS integrity checking | Auditor app w/ hardware attestation | No equivalent built-in workflow |
Per-app network kill switch
Per-app sensors kill switch
Fine-grained file/contact access
Browser/WebView hardening
OS integrity checking
Note: Stock Android continues to improve. GrapheneOS focuses on going further for users who prioritize privacy and control.
Common questions & misconceptions
“Do I have to give up mainstream apps?”
No. Sandboxed Google Play lets most apps run inside the normal app sandbox. You keep permission control, and you can remove Play services at any time.
“Is this just ‘de-Googled Android’?”
It’s a data-preservation-first OS with extensive hardening. Many users choose it for privacy even if they install Play later. The point is control, not ideology.
“Isn’t a VPN enough?”
VPNs protect traffic in transit. GrapheneOS reduces what apps can read or leak in the first place, and shrinks the attack surface if an app or component gets compromised.
“Who should use this?”
Executives, creators, journalists, travelers, security-conscious professionals—or anyone who wants a trustworthy daily driver without handing out data by default.
Ready to own your data?
Paradox Mobile ships devices prepped with GrapheneOS and data-preservation defaults. Keep your workflows—lose the data exhaust.