42 |
45 |
46 |
49 |
97 |
98 |
101 |
102 |
105 |
Resoundingly yes, Graphene OS is stable and feature-rich enough to be utilized as a daily
106 | driver operating system with only one consideration: an app store (F-Droid, Yalp, Google Play)
107 | is not included by default to allow the user the choice. An app store can be added by simply
108 | downloading, verifying and installing the required .apk.
109 |
110 |
111 |
114 |
No. Your phone will automatically download and install the updates when they are released,
115 | provided an internet connection is available. The update images are provided for those who
116 | need to download them off of the device for any reason.
117 |
118 |
Updates are digitally signed by Daniel Micay and verified by the device. Unlocking to update
119 | is not needed.
120 |
121 |
124 |
Yes, under Settings -> System -> Advanced -> System update Settings -> Permitted networks,
125 | set it for unmetered networks only to prevent the update client from using up your cellular data
126 | plan.
127 |
128 |
131 |
"Out of the box", the operating system comes with an app for SMS messages and a Phone app, a
132 | search app, Vanadium Browser, Auditor, Mail, Calendar, Photo Gallery, Calculator, Camera, and a
133 | File Browser. More apps can always be installed as desired.
134 |
135 |
138 |
GrapheneOS will run most apps for Android. Most apps from F-Droid will run. GrapheneOS will
139 | run proprietary apps such as Spotify and some banking apps if they are loaded from .apk so long as
140 | they do not have a hard dependency on the absent Google Software Frameworks.
141 |
142 |
Apps that are written unsafely or attempt to violate the security policies that GrapheneOS has put
143 | in place will be halted immediately, and a notification that the application has stopped working
144 | displayed to the user.
145 |
146 |
149 |
Yes, Signal Private Messenger works great on GrapheneOS.
150 |
151 |
155 |
Yes, long passphrases consisting of many dictionary words (using the
156 | "Correct Horse, Battery Staple" approach) work perfectly
157 | fine. The limit is 64 characters.
158 |
159 |
163 |
None. GrapheneOS is designed to be secure by default and requires no tweaking nor custom
164 | tuning.
165 |
166 |
169 |
No, root is not provided. Root is discouraged in a security-focused environment to minimize
170 | access, privilege, reduce the attack surface of the applications, and reduce the consequences
171 | of user error as much as possible.
172 |
173 |
176 |
Yes. Orbot, OpenVPN for Android, the userspace implementation of WireGuard, and the Private
177 | Internet Access VPN app have all been tested and reported working. VPNs can be configured
178 | under Settings -> Network & Internet -> Advanced -> VPN.
179 |
180 |
183 |
Yes, Trezor Model Ts are tested and working with GrapheneOS.
184 |
185 |
188 |
Yes, Yubikeys are tested and working with both NFC and connected by USB.
189 |
190 |
193 |
Absolutely. Hotspot and tethering have been tested and work fine.
194 |
195 |
198 |
199 |
202 |
Support for other devices is planned, but there are a few requirements for full support from
203 | Graphene OS. Rather than aim to try to support many devices, GrapheneOS seeks to support only
204 | the devices with the best security, and focus on specific devices to ensure that the most
205 | attention can be paid to the quality of the code, review, and testing.
206 |
207 |
A more detailed answer is in the documentation at the entry under
208 | device support.
209 |
210 |
213 |
214 |
Yes. The Pixel 3a works fine.
215 |
216 |
220 |
221 |
Devices purchased for running GrapheneOS should be bootloader unlocked. Devices that
222 | are sold by Verizon are bootloader locked and cannot be unlocked to allow them to be
223 | flashed.
224 |
225 |
228 |
229 |
234 |
This is normal and expected behaviour, as the phone is now running a different operating
235 | system than the factory one installed by the manufacturer. If you see this screen, it is a
236 | good sign, as it indicates that the Android Verified Boot is doing its job to
237 | verify the software, even though it is different than the factory image.
238 |
239 |
Device Integrity Monitoring can be used to further attest
240 | to the authenticity of the installed operating system.
241 |
242 |
247 |
If you see this orange screen, the phone is telling you that the boot loader has been left
248 | unlocked. This allows persistent changes to be written to the operating system at will.
249 | Unlocking the bootloader is one of the steps taken during installation of the operating system, but
250 | it is crucially important that as soon as the installation has been finished, the bootloader is
251 | locked again immediately. Your phone should never be used if your bootloader is unlocked; doing
252 | so switches off Verified Boot.
253 |
254 |
Visit the installation guide
255 | on locking the bootloader to find out how to fix this issue.
256 |
257 |
260 |
Full factory images are included complete with the flash-all scripts. A
261 | step-by-step walkthrough is available on the
262 | install guide. You will need to be familiar with the commandline.
263 |
264 |
267 |
Linux, Mac, and Windows users should always follow the same process and obtain Android Debug
268 | Bridge directly from the
269 | official sources.
270 | No software needs to be installed, the program simply may be run via the commandline from
271 | where it is unzipped to.
272 |
273 |
Linux users should not utilize the version of Android Debug Bridge packaged by
274 | their distro. Not only are these versions often out of date, but often have their versions
275 | numbered according to the distro, rather than the official source.
276 | Utilizing an out-of-date version of Fastboot may brick your device.
277 |
278 |
282 |
You will need the correct udev rules to allow adb to communicate with the devices or to run
283 | adb as root. The workflow for adding the correct adb rules for your device will likely be specific
284 | to your distro, so they are not listed here.
285 |
286 |
290 |
Your /tmp partition may be full or too small. Ensure you see the
291 | installation guide.
292 |
293 |
42 |
43 |
46 |
49 |
114 |
115 |
This section provides some rudimentary answers to frequently asked questions about GrapheneOS.
116 | It is intended to only give some matter of brief, accessible, non-intimidating answers to a few
117 | questions about GrapheneOS and the projects associated with it and where possible, provide links
118 | to where more exhaustive answers can be found.
119 |
120 |
121 |
123 |
124 |
125 |
128 |
Support for other devices is planned, but there are a few requirements for full support from
129 | Graphene OS. Rather than aim to try to support many devices, GrapheneOS seeks to support only
130 | the devices with the best security, and focus on specific devices to ensure that the most
131 | attention can be paid to the quality of the code, review, and testing.
132 |
133 |
A more detailed answer is in the documentation at the entry under
134 | device support.
135 |
136 |
139 |
Please see device support. OnePlus devices do not meet
140 | the minimum requirements for support on GrapheneOS, and cannot be supported until they do.
141 |
142 |
146 |
Yes.
147 |
148 |
151 |
No. GrapheneOS is not a business, but rather a research and engineering project. Your
152 | easiest bet to get a phone with GrapheneOS is to purchase one of the officially supported
153 | devices as a bootloader-unlocked phone and simply follow the
154 | installation guide. Compiling from source is not
155 | required to run GrapheneOS. The installer script will automate the process of flashing the OS
156 | onto the phone.
157 |
158 |
162 |
Devices purchased for running GrapheneOS should be bootloader unlocked. Devices that
163 | are sold by Verizon are bootloader locked and cannot be unlocked to allow them to be
164 | flashed. Err on the side of caution: prior to purchasing, ask the seller if the phone has been
165 | bootloader unlocked for flashing.
166 |
167 |
171 |
Resoundingly yes, Graphene OS is stable and feature-rich enough to be utilized as a daily
172 | driver operating system. Each release is throughly tested and stable. The base install is
173 | fairly minimal, which is why it has been listed as not production ready.
174 |
175 |
176 |
181 |
Because Pixel 1s lack some of the security features that set the Pixel 2 and 3 apart, such as
182 | the hardware-backed keystore, insider access protection, and remote attestation, they will not
183 | have all the security features of the newer devices that do. As time goes on, it becomes
184 | increasingly likely that the vendor will cease to provide firmware patches and updates for these
185 | devices. Because of this, the Pixel and Pixel XL would not normally not meet the criteria for
186 | support from GrapheneOS, but have both been included because the project supported them in the
187 | past, and will continue to support them until their obsolescence as a migration strategy. They
188 | are marked as "Legacy" for these reasons.
189 |
190 |
Former users of Android-Hardened or other former incarnations of the project may download
191 | the installers at the releases page under
192 | <>Marlin (for Pixel XL) or
193 | <>Sailfish (for Pixel) and
194 | follow the installation instructions to install
195 | it on their existing devices. Nexus 5X and 6P phones are no longer supported.
196 |
197 |
201 |
"GrapheneOS is a privacy and security research and engineering project above all."
202 | With GrapheneOS, security hardening and privacy come first and all available development time
203 | goes toward improvements in those areas while supporting only devices carefully chosen for
204 | their security and features such as Verified Boot and Remote Attestation. In the future, the
205 | operating system and user experience may be further locked down as a safeguard against malware,
206 | user error, and
207 | social engineering.
208 |
209 |
LineageOS focuses heavily on permissiveness to allow the user to tinker, and widespread
210 | device support, including many older devices, for which firmware and driver updates are no
211 | longer available or no longer maintained. LineageOS also does not support Android Verified Boot,
212 | which is seen as desirable to allow users (or anyone else who has access to the phone) to make
213 | changes as they please. As the goals of a strongly restricted and secure environment and very
214 | careful device selection to select only the devices which have the best security, versus
215 | permissiveness for user customizeability and widespread compatibility are mutually exclusive,
216 | GrapheneOS should not be considered to be a competitor to LineageOS. The two are meant for
217 | different purposes, and different audiences.
218 |
219 |
More information on the project and its roadmap is available at the
220 | writeup for development.
221 |
222 |
226 |
227 |
The Librem 5 builds on a proprietary ARM SoC and other proprietary components of which the
228 | firmware source code is not open. In contrast to a modern smartphone operating system which runs
229 | the applications in their own contained environments, it utilizes the Linux software stack
230 | running the GNOME desktop environment. The desktop software stack (in this case, consisting of a
231 | rebranded but otherwise copied-verbatim version of Debian) considers all the apps running in the
232 | same space to be trustworthy and offers no application isolation. The Librem 5 does not at this
233 | moment appear to support verified boot, hardware-backed keystore and encryption and no technical
234 | information or source code has surfaced on IOMMU setup and mitigations.
235 |
236 |
These design choices and vague promises of a "separate baseband" with the lack of any real
237 | technical information on memory management suggest a haphazard and insecure design, and running
238 | the desktop software stack represents many steps back for privacy and security. Daniel Micay has
239 | discussed this on the
240 | /r/linux subreddit.
241 |
242 |
GrapheneOS on the other hand achieves its security via strong application isolation, improved
243 | memory management, IOMMU setup, SELinux security policies, and the project seeks to combine the
244 | security features and hardening of the operating system with devices that support Verified Boot,
245 | remote attestation, and hardware-bound encryption.
246 |
247 |
250 |
As per the question on support of devices, to reiterate, devices that will be considered
251 | eligible for GrapheneOS support must have several important things: verified boot, hardware-
252 | backed keystore, hardware-bound encryption, full support for ARM SMMU or IOMMU, and ongoing
253 | vendor support in the form of firmware and driver updates. The Purism Librem 5 has none of
254 | these and cannot be supported.
255 |
256 |
259 |
260 | - The Linux Kernel is distributed under the GPL2 license.
261 | - Android Open Source Repositories are distributed under the Apache 2 license.
262 | - New projects are distributed under the MIT License, including Auditor.
263 |
264 |
265 |
269 |
No. The project predates that and traces its roots to an independent security/hardening
270 | project that was started by Daniel Micay many years ago. At one point, phones that were pre-
271 | installed with Daniel's work were sold under a different branding that has since lapsed.
272 | GrapheneOS is the original project that predates this branding and is being continued as a
273 | research and engineering project.
274 |
275 |
278 |
No, it is not a fork of LineageOS or CyanogenMod, and never has been. It is a research and
279 | engineering project focused on improving the security and privacy qualities of the Android Open
280 | Source Project and utilizing mobile devices that support the best security.
281 |
282 |
283 |
286 |
287 |
291 |
It is the same difficulty as as flashing your phone back to the factory operating system. It
292 | is much easier than installing LineageOS. Daniel Micay has included an automated installer
293 | script that will do the heavy lifting for you, and a step-by-step walkthrough is available on
294 | the project website. You will need to be familiar
295 | with the commandline and be able to follow instructions to utilize Android Debug Bridge.
296 | Remember to follow the instructions and lock your bootloader afterward!
297 |
298 |
303 |
By design, when your phone is unlocked to allow for flashing of the boot loader to install the
304 | operating system onto it, as a safety precaution, your phone will immediately reset itself. This
305 | will cause all data stored on the phone to be lost forever. This is not a bug. Instead, it's a
306 | very important security precaution done to prevent an attack where someone may physically sieze
307 | and unlock the bootloader, install mallware or modify the operating system to steal your password
308 | next time you enter it, then return it to you as if nothing has happened.
309 |
310 |
To prevent this, you can back up your files saved on your shared storage by connecting it to a
311 | trustworthy USB storage device located in a physically secure and trustworthy environment such as
312 | your private home to move your photos and shared storage to it, and back up your apps using Android
313 | Debug Bridge, which includes a backup utility specifically for backing up your
314 | application data, which you can restore in place later.
315 |
316 |
Signal Private Messenger includes its own backup system which allows recovery of your verified
317 | contacts. See "Signal" below.
318 |
319 |
325 |
If you are on Linux, you will need the correct udev rules to allow adb to communicate with the
326 | devices or to run adb as root. Running adb and/or fastboot as root is not recommended, and the
327 | proper way to do it is to set udev rules to allow adb and fastboot to talk to the phone.
328 |
329 |
The workflow for adding the correct adb rules for your will vary by your operating system,
330 | although all of them are somewhat similar. Void Linux has a tutorial at the
331 | Void Linux Wiki.
332 | Arch Linux has documentation at the Arch Linux Wiki under
333 | Adding udev Rules.
334 |
335 |
339 |
Your /tmp partition may be full or too small. Ensure you see the section
340 | for how to fix this problem.
341 |
342 |
343 |
346 |
347 |
351 |
If an attacker has successfully exploited and gotten privileged (root) access on your device,
352 | Android Verified Boot (also called AVB) is designed to prevent a root-level compromise from
353 | persisting and be able to revert the system to a known good state next reboot utilizing error
354 | correction codes until it passes the signature validation. This would require an attacker to
355 | compromise it a second time after a reboot, before they can continue to do nasty things to
356 | your phone.
357 |
358 |
Remote Attestation adds more to this by utilizing some of the hardware security features in
359 | modern phones to detect if unauthorized changes have occurred. In conjunction with each other,
360 | these offer some means to guard against tampering with the operating system. Remote attestation
361 | in the future may be utilized to detect a compromise, and Android Verified Boot to revert
362 | one in the event it has happened.
363 |
364 |
A more detailed overview of verified boot is available at the official documentation about
365 | Android Verified Boot.
366 |
367 |
371 |
The hardened malloc is a memory allocator for the kernel which is designed to protect against
372 | memory corruption vulnerabilities. The one used in GrapheneOS is an all-new design developed by
373 | Daniel Micay, although it is similar in design to OpenBSD's malloc. More detailed and technical
374 | information on the purpose and design of the hardened memory allocator, as well as building it
375 | and what it can do can be found at the manifest
376 | at the Github page.
377 |
378 |
381 |
The file data is encrypted with AES-256 in XTS mode. Depending on the device, the filenames
382 | are encrypted with AES-256-CTS, or AES-256-HEH. On the Pixel 3 and 3 XL, the Titan M is used to
383 | verify the lock screen password as well as well as derive the symmetric keys to decrypt the
384 | information stored on the solid state drives. Keys are of 256-bit length. The Advanced
385 | Encryption Standard cipher is a thoroughly modern, well-tested cipher that has withstood 20
386 | years of public cryptanalysis and may be used with confidence.
387 |
388 |
File-Based Encryption (FBE) has several advantages over Full-Disk Encryption (FDE). Access to
389 | the unlocked files can be granularized to allow certain profiles on the phones to be given
390 | access to only what they need to access, without giving access to the entire drive and everything
391 | on it as would be the case with Full-Disk Encryption. This also allows the keys to be kept out
392 | of memory when they are not in use and to limit the amount of access that profiles have to the
393 | files. Layering of File-Based Encryption inside of Full Disk Encryption has been discussed by
394 | Daniel Micay but has been determined not to be practical nor offer much appreciable security
395 | benefit for the increased complexity and attack surface.
396 |
397 |
400 |
The primary selling point of the Titan M hardware security module is the Strongbox Keymaster,
401 | which allows secret keys to be created, stored and used within the chip, where even root on the
402 | operating system cannot extract them. The physically separated chip offers significantly less
403 | attack surface than ARM Trusted Execution Environment. Auditor on GrapheneOS starting with
404 | version 11 of the Auditor App uses the Strongbox Keystore API for verifying the operating system
405 | if it is present. This security feature has extensive functionality and could be used for secure
406 | payments, public key cryptography, or allowing apps to use the Titan M to save data to the drive
407 | encrypted while the phone is locked, without needing to risk exposing the keys. For example, one
408 | application that this would benefit from would be to allow the phone to take pictures without
409 | needing to handle the keys to the drive. The chip is physically hard-wired to the buttons on the
410 | phone, so user input to it cannot be spoofed by a malicious app or a compromised operating
411 | system.
412 |
413 |
It provides 'insider attack protection' which requires the owner to authenticate to the chip
414 | using a password that is chosen by the owner, before the chip will allow the firmware of the
415 | device to be updated. This is intended to dissuade a situation similar to the 2015 Apple v.
416 | FBI case, where a malicious actor could confiscate the device, find an exploit to gain
417 | control of the operating system, then use legal or extralegal pressure to force Google to issue
418 | a rogue firmware update that would disable the security features. Since the phone cannot accept
419 | the updates without the owner's password, this removes the vendor from being a third party in
420 | that particular attack vector.
421 |
422 |
The Titan M is also used for verifying of the user's password and for drive encryption. The
423 | chip creates and stores a secret token. The chip will not calculate and release the secret token
424 | that the phone will use to derive the keys to the drive until it gets the correct password.
425 | Since the chip uses its own internal timer built into it, it can enforce a progressively
426 | lengthening timeout to deter brute force attacks more reliably than relying on the strength of
427 | the password and a work factor such as a key derivation function alone. This also presents a
428 | safer alternative to keeping the keys in a continually precarious state and erasing them should
429 | ten incorrect guesses at the pincode be made. Unlike the factory image, GrapheneOS supports the
430 | use of long passphrases to allow for both security measures of a cryptographically strong
431 | passphrase and hardware bound encryption to be used together, combining hardware-backed
432 | encryption with a cryptographically strong passphrase.
433 |
434 |
The Titan M is incorporated into the boot process by storing the last good version of the
435 | operating system within itself and not allowing the phone to be downgraded to an earlier
436 | revision to disable or roll back security protections.
437 |
438 |
Factory Reset Protection to discourage steal-and-sell attacks where an attacker steals the
439 | phone, changes the IMEI and resets the operating system in order to resell it as if it were a
440 | legitimately purchased secondhand device is not yet implemented on GrapheneOS, but is also one
441 | of the features it supports and may be implemented in the future.
442 |
443 |
447 |
GrapheneOS selects devices that allow for baseband isolation via IOMMU which is capable of
448 | limiting direct memory access from the devices, and utilizes open source device drivers which
449 | can be verified for their correctness. Additionally, the radios (cellular, Wi-Fi, Near Field
450 | Contact, Bluetooth) are stateless. The operating system will load the binary firmware each time
451 | it boots, and the devices will validate the firmware. If they ever become compromised, rebooting
452 | the phone should reset them to the previous state, and verified boot should restore the operating
453 | system to the state it was in when it was signed and the Android Verified Boot key was
454 | provisioned.
455 |
456 |
Secondly, should they ever turn evil, the IOMMU is designed to limit the access they have to
457 | host memory, so the devices such as the phone's radios and modems, SSD, or graphics processor
458 | cannot simply read or write to host memory at will unless the driver allows it to, and only to
459 | locations the driver is specifically coded to allow.
460 |
461 |
466 |
This is a very complex and multifaceted, very technical discussion and is outside the scope of
467 | a 30-second answer page, so Daniel Micay has written a brief collection of his thoughts on the
468 | subject on the project subreddit
469 | which may be able to provide a bit of perspective.
470 |
471 |
475 |
Yes, long passphrases consisting of many dictionary words (using the
476 | "Correct Horse, Battery Staple" approach) work perfectly
477 | fine. The limit is 64 characters.
478 |
479 |
483 |
You don't.
484 |
485 |
By design, Android assumes that the third-party apps running on it are untrustworthy and must
486 | be confined to their own self-contained environments. This allows the operating system to
487 | enforce its own policy over them. These "security" apps such as Xprivacy and afwall are little
488 | more than security theatre, or to work, require more privilege over other apps. This is mutually
489 | exclusive with the goals of application isolation.
490 |
491 |
Exposure of root access to an application or to allow one app to break out of its isolation
492 | is defective by design, and is harmful to the security and privacy of your phone. GrapheneOS is
493 | implements its own networking permissions via a privileged extension which substantially
494 | reduces the attack surface.
495 |
496 |
499 |
500 |
None. GrapheneOS assumes a "secure and private by default" approach.
501 |
502 |
505 |
No, root is not provided. Root is discouraged in a security-focused environment to minimize
506 | access and privilege as much as possible. The defaults and policies have been very carefully
507 | and very deliberately set by a developer and security researcher with many years of experience
508 | and for specific reasons. Changing them will make your device less secure, not more.
509 |
510 |
Granting root permission to any app will mean that the moment that app is exploited, the
511 | entire operating system will be compromised, and the exploited app can read then the data out of
512 | the other apps that it normally wouldn't be able to without root. Android already distrusts third-
513 | party apps, which represents a massive increase in the amount of security that the operating
514 | system can provide when running programs that may not be trustworthy.
515 |
516 |
Verified Boot will attempt to undo any of the changes that you make to the operating system
517 | to roll it back to the last known good image that was signed and verified by the developers.
518 | This means in order to have persistent changes made as root, you would need to disable Verified
519 | Boot and leave your bootloader unlocked. Essentially, root access on GrapheneOS undoes most of
520 | the hardening and security work that has gone into it and is at odds with the project goals.
521 |
522 |
526 |
This feature has been requested frequently, but will need community contributions to be added.
527 |
528 |
529 |
530 |
531 |
534 |
535 |
538 |
No. All software releases are signed by Daniel Micay's software release keys, then are sent
539 | out over the air from the update server. Your phone will automatically download and install
540 | updates as they are released. You may choose whether or not to have the phone reboot after the
541 | update has been installed automatically.
542 |
543 |
546 |
"Out of the box", the operating system comes with an app for SMS messages and a Phone app, a
547 | search app, Vanadium Browser, Auditor, Mail, Calendar, Photo Gallery, Calculator, Camera, and a
548 | File Browser.
549 |
550 |
Disabling the default apps is not recommended, as other apps may depend on them.
551 |
552 |
555 |
The Google Camera application which uses software compositing to take pictures that are of
556 | much higher quality than the phone's Megapixel rating would otherwise do without are non-free,
557 | and cannot be included in GrapheneOS at this time. In the future, it is likely several of the
558 | dependencies that Google Camera uses will be removed from the OS to further increase the security
559 | and privacy of the platform, and will preclude the use of Google Camera.
560 |
561 |
564 |
GrapheneOS will run most apps for Android, with the exception of some very old Android apps
565 | that may have been written for obsolete versions of Android and are written insecurely or make
566 | unsafe calls. Most apps from F-Droid will run. GrapheneOS will run proprietary apps such as
567 | Spotify and some banking apps if they are loaded from .apk so long as they do not have a hard
568 | dependency on the absent Google Software Frameworks. Some apps that are dependent on Google
569 | Software Frameworks may run, but may not display notifications until the apps are opened.
570 |
571 |
Apps that make unsafe calls or attempt to violate the security policies that GrapheneOS has put
572 | in placewill be halted immediately by the operating system, and a notification that the application
573 | has stopped working delivered to the user as if the app crashed. Generally, apps that exhibit
574 | this behaviour tend to be for very old or obsolete versions of Android.
575 |
576 |
579 |
Yes, Signal Private Messenger has been extensively tested and is working fine on GrapheneOS.
580 | If you already have Signal installed on your existing device, prior to flashing it, you may opt
581 | to migrate your existing Signal keys using the Backup function in the application under settings.
582 | This will save your Signal data to the phone storage encrypted with a 30-digit passcode which is
583 | generated randomly and only displayed to the user once. It includes not only your chat histories,
584 | but also your cryptographic keys, so when you restore, you won't have to start over with no
585 | verified contacts.
586 |
587 |
If you have set a registration lock, be sure that you have not forgotten your registration
588 | lock pincode prior to flashing the device, as it will ask you for the registration pincode when
589 | you install and set up the application on your new device. Make sure that the backup is copied
590 | into the directory you obtained it from when you start Signal for the first time on the new
591 | device. If you do not restore your old backup, you will not have the option to do so later.
592 |
593 |
597 |
Unfortunately not, it is a part of the boot loader.
598 |
599 |
603 |
The F-Droid Privileged extension which bypasses the security checks to allow for unattended
604 | application installs is not installed. In the future a different application store may be
605 | implemented.
606 |
607 |
610 |
Yes. Orbot, OpenVPN for Android, the userspace implementation of WireGuard, and the Private
611 | Internet Access VPN app have all been tested and reported working. GrapheneOS implements its
612 | own means to utilize VPNs under Settings -> Network & Internet -> Advanced -> VPN.
613 |
614 |
617 |
Yes, Trezor Model Ts are tested and working with GrapheneOS.
618 |
619 |
622 |
Yes, Yubikeys work by both USB and NFC with OpenKeyChain and K-9 Mail for GPG Mail Encryption,
623 | Signing and Decryption. No additional configuration is required. Download and import your PGP
624 | Public Key Blocks (aka OpenPGP Digital Certificates), tap the option to add secret keys from a
625 | token, follow the steps onscreen and they will be detected and linked automatically.
626 |
627 |
630 |
Sorry, they haven't been working yet. Keep checking back!
631 |
632 |
636 |
While it could be done at the cost of requiring the user to build the OS from source and
637 | insert signature spoofing functionality at that time, signature spoofing is not supported. It
638 | destroys the application security model by allowing the apps to bypass signature checks, which
639 | could open up the possibility for a single app to install malware to the phone. Both security
640 | and privacy-wise, you would be better off using Google's OS than spoofing signatures.
641 |
642 |
645 |
Absolutely. Hotspot and tethering have been tested and work fine.
646 |
647 |
650 |
Yes, under the Seamless Update App, set it for unmetered networks only to prevent the update
651 | client from using up your cellular data plan.
652 |
653 |
656 |
GrapheneOS uses its own version, Vanadium. The included browser is used for webview and
657 | adding other browsers will add an increase in attack surface. Vanadium will have more hardening
658 | work done to it that will require integration with the operating system. Chromium was chosen as
659 | a base for security reasons for its better sandboxing and architecture.
660 |
661 |
A more detailed answer is available from Daniel Micay on the
662 | project subreddit
663 | which discusses issues such as browser fingerprinting issues common to both Tor Browser and
664 | Firefox, sandboxing, sidechannel attacks, and why Chromium was chosen to be the base for
665 | Vanadium and as GrapheneOS' browser.
666 |
667 |
668 |
669 |
672 |
673 |
677 |
There are a number of reasons that the auditor app could fail.
678 | - If the camera is shaking around too much or looking at the QR code from a skewed
679 | perspective, it could cause the QR code to be read incorrectly. This will cause the auditor
680 | app to fail.
681 | - Bad lighting conditions or being too far away could cause the camera to pick up the QR
682 | code incorrectly, which will also result in a failed audit.
683 | - Holding either device at too much of an angle when scanning the QR codes may cause the
684 | QR code to be read wrong and the audit to fail.
685 | - The most common culprit for the attestation server to think a device has failed remote
686 | attestation is time difference. If the time and date on your phone is not set correctly,
687 | attestation will fail.
688 |
689 |
690 |
691 |
692 |
695 |
696 |
700 |
You can use the attestation server, which is also
701 | operated by the project. You will need an E-mail address you trust. Periodically, at a time
702 | interval set by you, the attestation server will ping your device and issue it a challenge it
703 | must respond to using the hardware-backed remote attestation. If the device fails to check in
704 | after the timer is up, or the operating system has been tampered with and the remote attestation
705 | fails, the attestation server will send you an E-mail to warn you that the phone has for any
706 | reason failed the audit.
707 |
708 |
You should make sure that the E-mail account you receive your attestation notifications on is
709 | not the same E-mail account accessible from your phone.
710 |
711 |
712 |
713 |
716 |
717 |
722 |
This is a known bug which is common for the first boot after flashing. The current 'fix' is to
723 | simply reboot the phone a second time.
724 |
725 |
729 |
GrapheneOS maintains a number of community outlets. To get in touch with the project directly,
730 | head to the contact page.
731 |
732 | - There is a subreddit available at
733 | /r/GrapheneOS.
734 | - There is an IRC channel. Drop in at any time on the channel
#GrapheneOS
735 | on irc.freenode.net to say hello, or if you prefer Matrix, the channel is
736 | bridged to it at #Graphene-OS:matrix.org!
737 | - The project has a source repository on
738 | Github for source review where the code may be reviewed and reports filed.
739 |
740 |
741 |
742 |
747 |
This is also a known bug, as the camera app is borrowed from the Android Open Source Project
748 | camera app and lacks many of the Google Camera software improvements. A somewhat ugly workaround
749 | is to close, then restart the camera app after changing from the front to the rear camera. If
750 | other applications dependent on the camera stop working with the camera, close and restart them.
751 | A new camera app will be found soon, as the one included is just an interim measure. This should
752 | not affect the security of the rest of the phone but occasionally may be inconvenient.
753 |
754 |
757 |
Bugs may be reported for their respective projects at the
758 | Github page by filing an issue with the 'bug' tag.
759 |
760 |
761 |
765 |
Sprint, Google Fi, Verizon and some mobile networks require proprietary drivers to be
766 | installed in the operating system. These drivers occupy highly privileged positions in the
767 | operating system and present a security (read: service provider backdoor) hazard. GrapheneOS
768 | does not include them for this reason. These networks are not compatible with GrapheneOS.
769 |
770 |
774 |
If your carrier does not require proprietary and privileged drivers to operate with their
775 | network, GrapheneOS will work with it so long as your handset supports the frequency your
776 | carrier uses. This is set by the baseband processor in your cellphone's software-defined
777 | cellular radio, and is not set by the operating system.
778 |
779 |
785 |
This is normal and expected behaviour, as the phone is now running a different operating
786 | system than the factory one to the one installed on the phone by the manufacturer. If you see
787 | this screen, it is a good sign, as it indicates that the Android Verified Boot is switched on
788 | and working.
789 |
790 |
If you successfully verified the installer you downloaded, and verified that the keys that
791 | signed it really were Daniel Micay's keys, simply skip the warning, as everything is working as
792 | it was originally intended to. If you have doubts about the integrity of the operating system,
793 | utilize the Auditor App for remote attestation to verify whether or not it worked. The Auditor
794 | App utilizes the phone's hardware remote attestation features to detect compromise or
795 | unauthorized changes to the OS and report them if they are detected.
796 |
797 |
802 |
If you see this orange screen, the phone is telling you that the boot loader has been left
803 | unlocked, which disables security measures such as Android Verified Boot. This allows persistent
804 | changes to be written to the operating system at will. During the installation process of
805 | GrapheneOS, unlocking the bootloader is a prerequisite to allowing the installer to run, but it
806 | is crucially important that as soon as the installer has completed, the bootloader should be
807 | locked again immediately. Your phone should never be used if your bootloader is unlocked; doing
808 | so nullifies all the security benefits of having Verified Boot, and is very unsafe!
809 |
810 |
Visit the installation guide
811 | on locking the bootloader to find out how to fix this issue. Each time the bootloader is
812 | locked or unlocked, as a safeguard the phone will be reset and all the data stored on the phone's
813 | drive, such as photos, E-mails, text messages, saved passwords, and your Two-Factor
814 | Authentication Tokens will be lost forever. If you have accidentally started using a phone with
815 | an unlocked bootloader and saved data to it that you do not want to lose, you should save the
816 | data by either utilizing the adb backup or adb pull utilities from
817 | Android Debug Bridge to retrieve the files from the phone.
818 |