Graphene OS includes Vanadium Browser, its hardened privacy and security enhanced version of the popular Chromium Browser. Vanadium is both a browser app and the Graphene OS WebView Service used by other apps as a browser engine to render web content.

HARDENING

Vanadium provides the strongest sandbox implementation, acting as a barrier to compromising the rest of the OS, and is leagues ahead of the alternatives. Vanadium also turns on strict site isolation which is critical, as browsers without site isolation are very vulnerable to attacks. Vanadium has excellent exploit mitigations [e.g. it enables type-based CFI, uses a stronger SSP configuration, zero initializes variables by default, etc.]

EXTENSIONS

We recommend against trying to achieve browser privacy and security through piling on browser extensions and modifications. Most privacy features for browsers are privacy theater without a clear threat model and these features often reduce privacy by aiding fingerprinting and adding more state shared between sites. Every change you make results in you standing out from the crowd and generally provides more ways to track you.

AVOID FIREFOX

Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Firefox / Gecko browsers also bypass or cripple a significant portion of the Graphene OS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android.

ADDITIONAL PRIVACY FEATURES

Vanadium was primarily focused on security hardening, however has begun adding additional privacy features. In the near future, we plan to add support for always incognito mode, content filtering [ad blocking], improved state partitioning and many other features.

Yes. The Pixel phone with Graphene OS installed, is running the latest version of Android, currently version 13. Android 12 introduced ‘Global Toggles’ for disabling the camera and microphone in addition to the existing bluetooth, location services, wifi and the cellular network toggles. When not in use, you can disable these features. Apps cannot use disabled features (even if granted individual permission) until you re-enabled them.

Carriers can track your course location via cell towers using the IMSI and IMEI broadcasted by your baseband modem. In order to avoid this type of tracking, you can enable the airplane mode which would disable the baseband modem. This will stop the network carrier tracking you AND also stop any calls and text messages until you re-enable your connection by disabiling airplane mode.

Graphene OS uses a combination of Verified Boot features to verify that the hardware, firmware and operating system are genuine and have NOT been tampered with. You can compare your phone’s Verified Boot Number displayed on your phone’s screen, against the official Graphene OS Verified Boot Numbers to confirm your phone has not been tampered with.

If you have chosen to use a VPN, from Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in Settings → Network & internet → VPN → Block connections without VPN. We will have installed and configured this if you chose to use a VPN when we discussed your preferred apps.

By default, your baseband modem will typically be set to support just about every generation of mobile cellular technology, from 2G to 5G. This gives a large attack surface. You can reduce this attack surface by limiting the baseband modem to just using the generation that you needs. In most cases, this would be 4G/LTE or 5G if you prefer. Graphene OS has the LTE only mode exposed in settings. We will set this for you to 4G / LTE though you can adjust this by going to Settings → Internet → Your carrier name → Preferred network type.

Installing a custom Android-based operating system can help increase your privacy and security. However the vast majority of these operating systems do exactly the opposite – breaking the Android security model, ruining your security while providing no or dubious privacy benefits. If you are using a modern Pixel phone, the best choice is to use GrapheneOS. If you are on a device supported by DivestOS, use DivestOS. Otherwise, do not blindly use an Custom OS just because it is advertised as “degoogled”.

It’s important to not use an end-of-life version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, prior to Android 10, any apps with the READ_PHONE_STATE permission could access sensitive and unique serial numbers of your phone such as IMEI, MEID, your SIM card’s IMSI, whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution.
All our Pixel phones are now based on Android 13, the latest version, then deGoogled only with Graphene OS ensuring we end up retaining all the latest security and privacy enhancements.

On Android, the phone unlock (Password, Pin, Pattern) is used to protect the encryption key for your device. Thus, it is vital that your unlock secret is secure and can withstand Bruteforce attacks. Pattern unlock is extremely insecure and should be avoided at all cost. This is discussed in detail in the Cracking Android Pattern Lock in Five Attempts research paper. If you trust the hardware enforced rate limiting features (typically done by the Secure Element or Trusted Execution Environment) of your device, a 8+ digit PIN may be sufficient. Ideally, you should be using a 8-10 word diceware passphrase to secure your phone. This would make your phone unlock practically impossible to bruteforce, regardless of whether there is proper rate limiting or not.

Rooting Android phones can decrease security significantly as it weakens the complete Android security model. This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the attack surface of your device and may assist in privilege escalation vulnerabilities and SELinux policy bypasses.

Multiple user profiles can be found in Settings → System → Multiple users and are the simplest way to isolate in Android. With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.

Permissions on Graphene OS / Android grant you control over what apps are allowed to access. Google regularly makes improvements on the permission system in each successive version. All apps you install are strictly sandboxed, therefore, there is no need to install any antivirus apps. You can manage Android permissions by going to Settings → Privacy → Permission Manager. Be sure to remove from apps any permissions that they do not need.

Auditor provides attestation for Graphene OS phones and the stock operating systems on a number of devices including our Pixel phones. It uses hardware security features to make sure that the firmware and operating system have not been downgraded or tampered with. Attestation can be done locally by pairing with another Android 8+ device or remotely using the remote attestation service. To make sure that your hardware and operating system is genuine, we perform local attestation immediately after your device has been setup and prior to any internet connection.