GrapheneOS: All about security, privacy, and how to install this operating system on Android Pixel

  • GrapheneOS is a privacy and security-focused Android ROM, officially supported only on Google Pixel devices.
  • It allows for optional, isolated use of Google services and apps, as well as comprehensive control over permissions and access to sensors.
  • It includes advanced auditing tools, granular privacy settings, and a simple web installer for easy deployment.
  • It offers a minimal selection of pre-installed apps, recommending the use of alternative stores such as F-Droid and Aurora Store to maximize security.
Joaquin RomeroUpdated on

5 minutes

GrapheneOS: Security and Privacy on Android Pixel

La security and privacy On mobile devices, these issues have become crucial for millions of Android users looking for a more controlled alternative to their personal data. Android, due to its open-source nature, allows for alternative ROMs that enhance privacy and user control over the system. However, most of these alternatives tend to lack Google services, limiting access to many popular features and applications.

In the face of this panorama, appears Graphene OS as one of the most powerful, advanced, and secure options. Through a unique combination of maximum privacy, compatibility with Android apps, and strict permission management, GrapheneOS is currently the benchmark for those seeking a mobile operating system that minimizes data exposure while retaining the Android experience and ecosystem.

What is GrapheneOS?

Graphene OS is an open-source mobile operating system based on Android, developed as a non-profit project focused on the privacy and the to maximise security and your enjoyment.It was born as an evolution of the "Android Hardening" project and is primarily aimed at devices Google Pixel, as these models offer the best hardware support and continuous firmware updates necessary to maintain a secure and up-to-date environment.

The system includes Substantial improvements in sandboxing, an optimized permissions model, exploit mitigations, and additional layers of encryptionAll of this makes GrapheneOS one of the most robust ROMs on the market today in terms of protection against real threats.

One distinguishing feature of GrapheneOS compared to other privacy-focused ROMs is that allows the use of Google applications and services optionally and completely isolatedThat is, you can install Google Play, Google Services Framework and other apps, but these run in a "sandboxed" environment that prevents unnecessary data collection and limits their privileges, functioning as user applications instead of system apps. So, if you want to maintain the Android experience without completely giving up Google, here's a balanced solution.

The GrapheneOS development team has also created its own applications such as vanadium (a Chromium-based browser with hardened security), a secure PDF viewer, an audit app to verify system integrity, and Seedvault for encrypted backups. All tools are designed with Minimizing tracking, strict permission control, and protecting personal data.

Graphene OS It is, according to multiple experts, one of the most robust mobile operating systems against threats, recommended even by figures such as Edward Snowden, and in various internationally renowned technological media.

Devices compatible with GrapheneOS

One of the key aspects of GrapheneOS is that only offers official support and updates for Google Pixel devicesThe main reason is that Pixels include advanced hardware-level security features (such as the Titan M2 chip, Verified Boot support, and an open but secure bootloader) that help maintain a trustworthy environment for the user.

The official list of compatible terminals includes recent and older models:

  • Pixel 9 Pro Fold
  • Pixel 9 Pro XL
  • Pixel 9Pro
  • Pixel 9
  • Pixel 8a
  • Pixel 8Pro
  • Pixel 8
  • Pixel Fold
  • Pixel Tablets
  • Pixel 7a
  • Pixel 7Pro
  • Pixel 7
  • Pixel 6a
  • Pixel 6Pro
  • Pixel 6

There is also limited support for older generations (Pixel 5a, Pixel 5, Pixel 4a 5G, Pixel 4a, Pixel 4 XL, Pixel 4), though these devices may only receive basic maintenance due to a lack of firmware updates from Google.

Important Note: It's not possible to officially install GrapheneOS on non-Pixel devices, and security is not guaranteed if you try to port the system to other manufacturers' models.

Advanced security and privacy features of GrapheneOS

GrapheneOS incorporates a long list of improvements and protections which far exceed those offered by standard Android (AOSP) and most alternative ROMs:

  • Reinforced Sandboxing: All applications, including Google apps if you choose to install them, run in sandboxes, which prevents communication between them and limits access to system resources.
  • Revocable network and sensor permissions: You can grant or revoke an app's access to the internet and sensors (microphone, camera, location, accelerometer, etc.) at any time, something that isn't available on most stock Android devices.
  • Randomizing the PIN unlock keypad: To prevent someone from reading your PIN by watching your finger movements, the position of the numbers on the keypad changes every time you unlock your phone.
  • Advanced audit tools: The Auditor app allows you to locally and remotely verify that the device is intact and has not been modified or accessed without authorization.
  • Secure Backup: With Seedvault, you can make encrypted backups of your data, compatible with other Android-based systems.
  • Scheduled auto-restart: You can configure the system to automatically reboot every certain period (hours, days), which forces the deletion of temporary encryption keys, making attacks difficult even if someone gains physical access to your phone.
  • Advanced profile management: It is possible to create multiple user profiles (e.g., work, personal, guest) and keep them active simultaneously, increasing isolation and preventing cross-application tracking.
  • Restriction on network connections and USB devices: Detailed control over peripheral connections and USB port access to prevent data extraction when the device is locked.
  • Vanadium: Web browser and WebView engine with security measures far superior to standard Chromium, integrating additional isolation and protection against web exploits.
  • Fast and continuous updates: Security updates arrive very quickly, sometimes even before official Pixels, since GrapheneOS follows Google's patch schedule.

All this makes the attack surface is minimal, so that even if you install apps from less reliable sources, the risk of data exposure or leakage is much lower than on a standard Android.

How GrapheneOS Protects Your Privacy: An In-Depth Explanation

Let's go into even more detail about How GrapheneOS strengthens your privacy:

  • Comprehensive permit control: You can disable access to the Internet, sensors, storage, camera, location, calls, contacts, etc. for each app, and do so not only when you install the app, but at any time thereafter.
  • Storage Scopes System: Allows you to define exactly which storage folders each app can access, preventing a single app from reading your entire gallery, documents, or downloads.
  • Disabling Google Services: While you can install Play Store and related services, they operate as user apps, without extra privileges, and you can block their network or sensor access if you wish, keeping them completely under your control.
  • OTA (Over-The-Air) Updates: Updates arrive directly from the project's servers, without intermediaries and with cryptographic verification, ensuring that the system has not been altered by third parties.
  • Unique key for encryption: A unique, hardened key is used to encrypt your personal data, adding a layer of defense against forensic extraction attempts even with physical access to the device.
  • Automatic sensor deactivation: When you lock your screen or under certain conditions, GrapheneOS can completely turn off GPS, Wi-Fi, and Bluetooth, and limit access to sensors to prevent passive tracking.
  • Protection against USB attacks: The system allows you to automatically deny any new USB device if the phone is locked, preventing juice jacking attacks or data theft via public chargers.

GrapheneOS is a platform where User privacy and control are top priorities, even at the cost of sacrificing certain “smart” features that depend on full integration with Google’s proprietary services.

What apps does GrapheneOS include by default?

GrapheneOS bets on the minimal amount of pre-installed apps, only those essential for the operation of the device and secure access to the system:

  • Settings
  • App Store (Apps): allows you to install Google Play and associated services if desired
  • Archives
  • Auditor of
  • Calculator
  • GrapheneOS's own camera
  • Contacts
  • Gallery
  • Messages
  • PDF Viewer: Secure and untrackable PDF document viewer
  • Clock
  • Phone Number
  • vanadium: secure web browser

No proprietary software or Google plug-ins come pre-installed outside of the project's own "Apps" system. The gallery is from AOSP, not Google Photos, and the camera has been developed to minimize access to and retention of sensitive metadata.

From the Apps app, you can install Google Play Services in a sandboxed manner, as well as other utilities (Android Auto, Google Markup, etc.), but always under user control and with automatic system updates.

Recommended app stores and sources on GrapheneOS

The focus of GrapheneOS is that Applications can be installed from multiple sources:

  • Google Play StoreIf you install Google services from Apps, you can use the Play Store in isolation and download the most popular or essential apps.
  • F-Droid: A repository of free and open source (FOSS) applications, highly recommended for those seeking maximum privacy protection. From here you can install Aurora Store, NewPipe, Signal, Organic Maps, AntennaPod, and many other apps.
  • Aurora Store: Alternative front-end for the Google Play Store, allowing you to download any app from Google Play anonymously, without having to log in with a Google account.
  • APKs verified from official sources: You can directly install APK files downloaded from each project's official website, always verifying the signatures and source to ensure security.

Important recommendation: Always install your apps from F-Droid, the Aurora Store, or the developer's official source. Avoid unverified APK download sites, as they pose a risk to your privacy and security.

Recommended apps to get the most out of GrapheneOS

For advanced users, the community and experts recommend several must-have apps to enhance the privacy and versatility of GrapheneOS, all preferably available on F-Droid:

  • Signal: Private, end-to-end encrypted messaging.
  • Organic Maps and OSMand+: Offline maps and navigation without tracking.
  • DuckDuckGo Privacy Browser and Tor Browser: Browsers with enhanced tracker protection and ad blockers.
  • NewPipe: Lightweight YouTube client with no ads or tracking.
  • Mullvad VPN and ProtonVPN: No-log VPNs to anonymize your connection.
  • Aegis Authenticator and andOTP: Open source, telemetry-free 2FA authenticators.
  • PilferShush Jammer: Blocks the device's microphone from unauthorized eavesdropping.
  • UntrackMe: Clean tracking URLs to preserve private browsing.
  • Scrambled Exif: Remove hidden metadata from shared photos.
  • Shelter: Create isolated workspaces to separate sensitive apps and data.
  • K-9 Mail: Manage multiple email accounts without tracking, ideal for professional emails.
  • Forecastie, Suntimes: Privacy-enhanced weather apps.
  • Fossify Gallery, Free Birds: Alternative galleries that do not extract or share personal information.
  • Fossify Music Player, mpv-android: Free, ad-free music and video players.

This way, you can cover all your usual needs (messaging, maps, navigation, multimedia playback, office automation, authentication, VPN, etc.) without relying on proprietary services or services that compromise your personal information.

How to install GrapheneOS step by step on your Pixel phone

Installing GrapheneOS It is much simpler than installing other ROMs, thanks to its web installer based on WebUSB and the very detailed official guides. Important: You can only install it on a Pixel that is compatible and allows the bootloader to be unlocked.

  1. Update your Pixel: Perform a quick install of stock Android and make sure you have the latest version of the system available before continuing.
  2. Activate developer options: Go to Settings > About phone > tap “Build number” several times to activate the developer menu.
  3. Unlock the bootloader: Settings > System > Developer Options > Enable "OEM Unlocking." Reboot your phone into bootloader mode (power off and on while holding the volume down button) and connect your phone to your computer via USB cable.
  4. Open the official GrapheneOS website: https://grapheneos.org/install/web and follow the step-by-step guide (choose the WebUSB installer).
  5. Install the necessary driver (if you are using Windows, install the Google USB Driver).
  6. Unlock the bootloader from the web following the instructions and confirm on screen using the volume and power buttons.
  7. Download and install the GrapheneOS image (Flash release option). The process is guided and automatic.
  8. Re-lock the bootloader: Once the installation is complete, re-lock the bootloader using the Lock bootloader option from the website.
  9. Set up your Pixel: Once GrapheneOS is booted, complete the basic setup wizard. Repeat the process of disabling OEM unlocking in the developer options for security.

Tip: Before installing, back up your important data, as everything on your phone will be erased. Although the process is safe and quick (about 10 minutes), it's important to follow each step of the official guide.

You also have the option of installing GrapheneOS from Linux via the command line, following the project documentation, or from macOS systems. The process is similar but requires installing tools like adb and fastboot.

  • Configure network and sensor permissions in each app.
  • Enables PIN pad randomization.
  • Disable automatic connection to open WiFi networks.
  • Configure auto-reboot to force automatic reboot and key deletion periodically.
  • Use private DNS (e.g., Quad9) to enhance privacy.
  • Consider disabling location services at the system level if you don't need them.

These small changes will allow you maximize the level of privacy and minimize exposure to risks.

Thanks to transparency and the work of a large community, GrapheneOS keeps its repository and documentation up-to-date, providing detailed information on new features, fixes, and future updates.

Don't hesitate to explore the official user guides, documentation, forums, and lists of safe applications to take full advantage of an operating system that prioritizes your privacy, autonomy, and security in your daily life.