
I finally tried GrapheneOS on my Pixel, and it’s the secure Android alternative I’ve been waiting for

Jack Wallen / Elyse Betters Picaro / ZDNET



ZDNET key takeaways

  • GrapheneOS is a secure take on Android.
  • With stronger sandboxing, this mobile OS is rock solid.
  • The installation isn’t exactly easy, but it’s worth the effort.

Recently, I decided it was time to give GrapheneOS a try. I’d read about it plenty of times, but never had the inclination to give it a go.

I had no idea what I was missing.

If you’ve never heard of GrapheneOS, think of it as a privacy and security-focused mobile operating system that includes Android compatibility and is developed as a non-profit, open-source project.

GrapheneOS, which began in 2014 as CopperheadOS, achieves its heightened security by way of sandboxing, exploit mitigations, and the Android permission model. 


This alternative mobile OS mitigates entire classes of vulnerabilities to make exploiting the OS exponentially more difficult. The OS improves on Android sandboxing with the help of both SELinux and seccomp-bpf policies, along with hardening of components like the kernel implementation of the app sandbox.

You might think all of these security improvements and mitigations would get in the way of usability, but that is not the case. The development team behind GrapheneOS takes usability seriously, so the OS works well, without having to jump through a ton of hoops to make it so.

That’s not to say GrapheneOS is as simple as buying a new Android phone, logging into an account, and using it. No. You have to install GrapheneOS on a supported Android phone (Pixel 6 through 9 devices), which is done via a handy web installer. 


There are also several prerequisites for installation, such as a supported web browser (mostly Chromium-based). You have to enable OEM unlocking, then boot into the bootloader interface, connect the device to your computer, and then walk through the steps on the web installer.

It sounds difficult, but it’s really not. It took me roughly ten minutes to complete the installation. When everything was finished, I booted my Pixel 7 Pro to see what was what.

The first surprise

After booting up the phone, my first surprise was that GrapheneOS actually looked similar to Android. Maybe I was expecting something radically different, but what I was greeted by not only looked like Android but behaved like it as well. There’s an app drawer, a notification shade, and app launchers. GrapheneOS looks and feels very much the part of Android.


As you can see, GrapheneOS looks very much like Android.

Jack Wallen/ZDNET

Don’t be fooled, as it’s much more than that. For example, if I open Settings and go to Privacy & Security, there’s a section you won’t find in Android OS called Exploit Protection, where you can schedule auto reboots, restrict the USB-C port to charging only when the device is locked, configure the hardened memory allocator, and much more.


This section alone shows how seriously the developers take security, while also putting on display the need to actually understand a bit more about how an OS works.


You won’t find this settings section in Android.


Yeah, GrapheneOS isn’t exactly for the average user. That’s not to say that the average user couldn’t adopt this powerfully secure OS, but it will require a bit of reading (start out with the GrapheneOS FAQ).

The next surprise

When I first pulled up the App Drawer, I saw a scant 14 preinstalled apps, which included: App Store, Security Auditor, Calculator, Clock, Contacts, Files, Gallery, Info, Messaging, PDF Viewer, Phone, Settings, and Vanadium (a Chromium-based browser).


GrapheneOS ships with very few preinstalled apps.


That’s it. If you open the App Store, you’ll find it includes just a few extra apps, including the Google Play Store.


GrapheneOS includes a minimal app store.


Huh? Yeah, the GrapheneOS App Store is very limited (with a total of 12 apps, most of which are already installed), so installing a third-party app store is required. There are several ways you can do this. 

First, you can simply install the Google Play Store and be done with it. Installing Android’s official app store does not mean you are compromising the GrapheneOS security model; it just means you’re installing the official (and most reliable) method of adding Android apps.


And that’s important to understand: GrapheneOS is Android compatible. This is not a brand-new mobile OS trying to reinvent the wheel. Think of GrapheneOS as a port of Android with extra security measures in place.

Within the GrapheneOS App Store, there’s an app called Accrescent, which is a private and secure Android app store. I installed Accrescent to see what it was like and found that it had a few apps, but nothing I needed.

I guess it’s off to the Google Play Store. I went ahead and installed that app. The good news is that GrapheneOS installs it, without modification, and runs it as a regular sandboxed app with zero special access or privileges.


After the installation (it took longer than expected), I fired it up, signed into my Google account (fortunately, 2FA worked as expected), and started installing the apps I need. 

On GrapheneOS, the Google Play Store looks and behaves exactly as it would on Android, so there are no surprises there. The only difference is that you have to allow installation from the Google Play Store (which GrapheneOS will prompt you to enable).


You have to grant the Google Play Store permissions before it can be used.


I installed a few apps from within the Google Play Store and found the experience exactly as it is on Android. The only difference was that every time I would install an app, GrapheneOS would prompt me to verify the installation. Other than that, it was identical to Android. Every installed app ran as well and easily as it would on Android.

GrapheneOS is outstanding

If I had to use one word to describe GrapheneOS, it would be outstanding. I love that I can have what is essentially Android, only with heightened security, and that it hands over control of most things to me.


Although GrapheneOS may not be the easiest to install (it’s also not that hard), it is very much worth giving a try. 

If you have a spare Pixel 6 through Pixel 9 phone lying around, and you’d like to experience a mobile OS that takes security very seriously, I would highly recommend you go through the process of installing GrapheneOS and finally discovering what it’s like to have a truly secure mobile operating system.



Source: Robotics - zdnet.com