Table of Contents
It may come as a surprise to learn that the most secure phone setup currently possible (without manufacturing your own device and operating system) is a hardware solution provided by Google and a software solution in the form of an AOSP derivative named GrapheneOS provided by a group of independent developers.
If I were configuring a smartphone today, I'd use @DanielMicay's @GrapheneOS as the base operating system. I'd desolder the microphones and keep the radios (cellular, wifi, and bluetooth) turned off when I didn't need them. I would route traffic through the @torproject network.
— Edward Snowden (@Snowden) September 21, 2019
Compatible Devices
Google is known as one of the most privacy invasive companies on the planet, yet their Pixel phones are the only devices deemed worthy enough by GrapheneOS developers and for a very good reason.
They are the most private and secure phones commercially available on the smartphone market and allow verified boot, hardware backed keystores, attestation and other hardware-based exploit mitigation features.
For the non-techies this just means they are extremely security conscious devices by default and with a little modification and paired with the GrapheneOS ROM, their full potential is being leveraged.
Currently Supported Devices
Pixel 7a (lynx)
Pixel 7 Pro (cheetah)
Pixel 7 (panther)
Pixel 6a (bluejay)
Pixel 6 Pro (raven)
Pixel 6 (oriole)
Pixel 5a (barbet)
Pixel 5 (redfin)
Pixel 4a (5G) (bramble)
Pixel 4a (sunfish)
According to the developers, support for future Pixel devices like the 8, 8 Pro and Pixel Fold is planned.
Custom ROM's
Before diving into the details of GrapheneOS, it’s important to take a moment to discuss custom ROMs.
ROM, an acronym for “read-only memory,” refers to the operating system that is stored on your device.
They are custom operating systems developed by third-party developers such as Daniel Micay, the creator of GrapheneOS, who recently decided on stepping down and letting others take the lead.
Android phones and tablets come with an operating system developed by the manufacturer.
These stock OS’s are usually loaded with bloatware and other privacy invasive software.
The kinds of data collected and sent are used for purposes from targeted advertising to law enforcement tracking capabilities.
GrapheneOS
GrapheneOS is a revolutionary operating system that aims to provide a secure and private Android experience while still offering the user a streamlined and intuitive user interface that they are accustomed to.
Privacy Without Sacrificing Usability
Unlike other operating systems, GrapheneOS completely removes all Google services by default but also gives you the option to create a sandboxed environment that allows users to access these services while eliminating the risk of Google collecting data on their device.
This means that you can still download apps from the Google Play Store, receive push notifications and sync data with the cloud, all while enjoying the peace of mind that comes from knowing your data is secure.
It’s worth noting that using the Play Store to download and update your apps is something we highly discourage you from doing.
There are alternatives you should use instead such as F-Droid and the Aurora Store.
Sandboxing Google Services
While sandboxing is common on Android, Google apps are allowed special privileges. GrapheneOS changes this by allowing users to install Google PlayStore and Play Services as regular apps, forcing them to use the same sandbox settings and being restricted just as other apps are.
This enables users to control sensitive app permissions, such as sensors, network, camera, microphone, location and storage access, effectively protecting their privacy even further from the over-reaching eyes of Google.
We still highly recommend to stay away from Google Services whenever you are able to and to use FOSS (Fully Open Source Software) when available, there are several alternatives to everyday apps (most are much better) than their non privacy respecting counterparts.
Features and Advantages of GrapheneOS
Beyond its privacy-centric approach and being the most secure phone software in the world, GrapheneOS offers many notable features that you will need when operating with the need for extreme security and privacy.
Storage Scopes
GrapheneOS uses a unique file permission system called Storage Scopes, it allows users to selectively share files and folders with specific apps or make that app believe that it has storage permission when in reality it doesn’t.
Contact Scopes
Contact Scopes are a new feature added recently to GrapheneOS, they work similarly to Storage Scopes but for your contact list.
You can selectively choose which contacts the app will show and which it will not. As with Storage Scopes you can also make an app believe it has contact permissions even when no contacts are shared at all.
Permissions and Application Layer Firewall
You can select which permissions an app has access too, such as the network for example.
You can limit an apps network access completely. It’s the same for a variety of other permissions such as location, notifications, camera, microphone and sensors.
We highly recommend disabling network access for apps which do not require it and configuring your VPN app to work on a kill-switch, in which if the VPN connection is not active, no data is permitted through the network.
Multiple User Profiles
This feature allows extreme isolation of apps and data. You can create secondary profiles to separate apps from each other.
This will benefit those of you who need Google Services installed on your device, you can create a separate profile for just those services and limit the IPC (inter-process communication) between the Google apps and your other ones.
Additional Security Measures
GrapheneOS incorporates too many security and privacy-oriented features to include all of them in this article, but here is a highlight of some of our favorites.
- Pin Scrambling: This moves the numbers for PIN unlock around at random ensuring someone attempting to watch your movements doesn’t establish a pattern. However we still highly recommend using a high entropy long-character password instead.
- Auto-Rebooting: This feature auto-reboots your phone after a defined period of time without a successful unlock. This helps to clear the encryption key from memory and resets your device to BFU (Before first unlock) mode.
- Mac Address Randomization: This technique allows you to have a randomized MAC address on a per-connection basis and the DCHP client state is automatically flushed before you reconnect to the network. This prevents the host network from realizing you’re using the same device.
Installation Process and App Compatibility
Installing
Installing GrapheneOS is incredibly easy, there is a web application you can use to download and install the software with guided prompts.
The other option is a standard command line installation for more technical users. The method you choose does not matter as they both install the same operating system and both do it in a secure way.
App Compatibility
GrapheneOS does have some limitations regarding app compatibility.
Not all apps are guaranteed to work correctly, this will depend both on your setup and the app’s necessary functionality requirements.
This can be problematic for those who use Google services with all their apps. There are some workarounds to these problems and from our personal experience, we haven’t run into any issues while using GrapheneOS.
We have been using it for years since they split from the original project, CopperheadOS.
Additionally, there are device specific limitations unless you have the time and knowledge to port the OS to work with another device.
Overall, as tacticians, survivalists and preppers, it is vital we don’t ignore the capabilities of the global surveillance community.
We’re not just referring to the big 3 letter agencies that spy on you, we’re talking about privately owned data giants in the corporate sector, everything most people do online is slowly building a pattern of life on them, using a secure and private device and having good OPSEC will allow you to remain un-monitored with your privacy and security intact.