unsubbed.co

GrapheneOS

GrapheneOS is a Java-based application that provides a privacy- and security-focused mobile OS with Android app compatibility.

The private and secure mobile OS, honestly reviewed. No surveillance capitalism angle, just what it’s actually like to swap your stock Android for it.

TL;DR

  • What it is: A non-profit, open-source Android fork built from the ground up around security and privacy — sandboxed apps, hardened permissions, no Google services baked in [website].
  • Who it’s for: Privacy-conscious users who want to escape Google’s data collection without giving up Android app compatibility. Journalists, founders handling sensitive client data, anyone who’s read one too many data broker reports about their own phone [3].
  • Cost: The OS is free (MIT license). The catch: it only runs on Google Pixel hardware, which starts around $300 for a used Pixel 7 and goes up to $1,800+ for a Pixel Fold [website][2].
  • Key strength: The most hardened consumer Android alternative available. Sandboxed Google Play lets you run Play Store apps without giving them OS-level access [website][3].
  • Key weakness: Pixel-only hardware requirement, meaningful learning curve for profile management, and the setup friction is real enough that one hands-on reviewer called their initial three-profile configuration “I chose… poorly” [3].

What is GrapheneOS

GrapheneOS is a privacy and security focused mobile operating system built on top of the Android Open Source Project (AOSP). It was founded in 2014 under the name CopperheadOS, rebranded, and has been developed since as a non-profit open source project [website][4]. The core thesis is that Android’s security model is strong enough to build on — but that the stock OS, and especially the manufacturer and Google layers on top of it, introduce attack surface and data collection that users can’t opt out of. GrapheneOS tries to fix both.

The project’s approach is substrate-level. It’s not a launcher swap or a privacy app installed on top of AOSP. It deploys hardened memory allocators, improved exploit mitigations, a redesigned permission model, and a fortified app sandbox. The permission model notably adds toggles that don’t exist in stock Android: per-app Network permission (you can revoke an app’s internet access entirely), Sensors permission, and granular control over what USB-C and pogo pins can do when the screen is locked [website/features].

The project also ships its own apps. Vanadium is a hardened Chromium fork used as the default browser and WebView. There’s a minimal PDF viewer built for security, an Auditor app for hardware-based device attestation, and a privacy-focused Camera app. Seedvault encrypted backup is included for anyone who wants encrypted off-device backups without routing data through Google [website].

The headline feature that makes GrapheneOS usable for normal people is sandboxed Google Play. Google Play services normally run with near-OS-level privileges — they’re the reason apps can ask for location and get it even when you’ve revoked it elsewhere. GrapheneOS installs Play services and the Play Store as ordinary sandboxed apps with no special permissions. You get access to the Play Store app catalog. Google gets to see what a sandboxed app sees, not an OS-level privileged process [website/faq].

As of this review, the project is active, regularly releases security patch updates, and maintains a detailed changelog going back to Android KitKat in 2014 [4].


Why people choose it

The reviews and forum posts cluster around two motivations: escaping Google, and wanting the highest-security option available.

The de-Googling angle. One RebelTechAlliance reviewer [3] describes a years-long trajectory: leaving Meta products in 2017, moving to Proton Mail, then eventually arriving at GrapheneOS as the deepest layer of the stack. Stock Android — even on a Pixel with Google’s promises about security — still routes enormous amounts of data through Google’s infrastructure. GrapheneOS removes that by design, not by configuration.

The “most secure” reputation. Among the available Android forks — CalyxOS, LineageOS, /e/OS, DivestOS — GrapheneOS is consistently described as the most security-hardened option [3]. The RebelTechAlliance post explicitly notes: “GrapheneOS is often touted as the most secure of them all. If your only purpose is to just de-Google then it may be worth exploring the above as well.” That’s an honest framing: GrapheneOS is the maximum-security option, not necessarily the minimum-friction one.

Real-world daily driving. Matthew Brunelle documented 8.4 months of daily driving GrapheneOS on a Pixel Fold [2]. The existence of that post matters because it answers the practical question that most privacy OS projects can’t answer: can you actually live on this thing? The answer, apparently, is yes — with adjustments. Brunelle covers backup and restore, which apps he kept, and which he dropped. The backup experience is described as having “gotten much better” and working well in his experience [2]. That’s the kind of granular, real-usage signal that marketing pages don’t give you.

The trust model. One thread on the GrapheneOS forum [1] gets into the network connections the OS makes by default — connectivity checks, GPS, update servers. The project’s position is that the update client verifies signatures cryptographically, meaning a compromised update server couldn’t push a malicious update: “The update server isn’t a trusted party since updates are signed and verified along with downgrade attacks being prevented” [1]. For the 0.1% who want to point their installation at their own update server or build from source, the tooling exists [1]. For everyone else, the trust model is better than stock Android by design — not by a promise.
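
The trust model quoted above, as an added example that is not GrapheneOS's updater code: a generic client that accepts an update only if its signature verifies against a pinned release key and its build is newer than the installed one. The Ed25519 key, the Update structure, the BuildTime field and all function names are assumptions made for illustration; the page does not describe the project's actual update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for an OTA package (not GrapheneOS's format).
type Update struct {
	BuildTime uint64 // increases with every release
	Payload   []byte
	Sig       []byte // release-key signature over BuildTime and the payload hash
}

var ErrBadSignature = errors.New("signature does not verify against pinned key")
var ErrDowngrade = errors.New("update is not newer than the installed build")

// signedBytes binds the build time to the payload hash so neither can be swapped alone.
func signedBytes(buildTime uint64, payload []byte) []byte {
	return []byte(fmt.Sprintf("%d:%x", buildTime, sha256.Sum256(payload)))
}

// NewReleaseKey makes a throwaway key pair; the update server never holds the private half.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the offline release step.
func Sign(priv ed25519.PrivateKey, buildTime uint64, payload []byte) Update {
	return Update{buildTime, payload, ed25519.Sign(priv, signedBytes(buildTime, payload))}
}

// Accept is the client check: pinned is the key shipped in the OS image,
// installed is the build time of the running system.
func Accept(pinned ed25519.PublicKey, installed uint64, u Update) error {
	if !ed25519.Verify(pinned, signedBytes(u.BuildTime, u.Payload), u.Sig) {
		return ErrBadSignature
	}
	if u.BuildTime <= installed {
		return ErrDowngrade
	}
	return nil
}

func main() {
	pub, priv := NewReleaseKey()
	fmt.Println(Accept(pub, 100, Sign(priv, 200, []byte("build 200"))))
	fmt.Println(Accept(pub, 100, Sign(priv, 50, []byte("build 50"))))
}
```

A server that alters the payload, relabels an old build with a newer build time, or replays a genuinely signed older build is rejected in each case, which is why the server does not need to be trusted in this model.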


Features

Core OS hardening:

  • Hardened memory allocator (malloc) — makes heap exploitation significantly harder [website/features]
  • Improved exploit mitigations: stronger ASLR, stack canaries, control flow integrity [website/features]
  • Per-app Network permission toggle — you can block an app’s internet access entirely [website/features]
  • Per-app Sensors permission — prevents background sensor fingerprinting [website/features]
  • USB-C and pogo pin restrictions when device is locked [website/features]
  • Verified boot with rollback protection [1]
  • Fortified app sandbox with reduced cross-process attack surface [website/features]

Sandboxed Google Play:

  • Install Google Play services and Play Store as fully sandboxed, unprivileged apps [website/faq]
  • Play apps work; Google doesn’t get OS-level access
  • Separate user profile recommended for Play apps to isolate them further [3]

Bundled apps:

  • Vanadium — hardened Chromium browser and WebView [website]
  • PDF Viewer — minimal, security-audited [website]
  • Auditor app — hardware-based device attestation and remote verification [website]
  • Camera app — modern CameraX-based, replaces AOSP Camera [GitHub README]
  • Seedvault encrypted backup [website]

User profiles:

  • Multiple isolated user profiles with separate app installs, clipboard, permissions [3]
  • Owner profile manages what apps are shared across profiles [3]
  • Each profile is a sandbox — clipboard doesn’t cross profiles by default [3]

Updates:

  • Regular security patches aligned with Android patch schedule [4]
  • OTA updates via the built-in updater, cryptographically signed [1]
  • Beta and stable channels [4]

Cost reality

GrapheneOS itself is free. There is no subscription, no commercial license required for use, no per-device fee. The MIT license means you can even build and distribute modified versions [website].

The cost is in the hardware. GrapheneOS only supports Google Pixel devices. The supported device list changes over time as older Pixels lose Android security support; currently it covers Pixel 6 through Pixel 9 series and the Pixel Fold. Rough hardware cost:

  • Used Pixel 6: ~$150–200 (older, still functional)
  • New Pixel 8a: ~$400–500
  • New Pixel 9 Pro: ~$900–1,000
  • Pixel Fold: ~$1,200–1,800

If you already own a supported Pixel, the cost to install GrapheneOS is zero. If you need to buy hardware to run it, that’s the real spend.

What you save: harder to quantify, but real. Stock Android with Google services means your location history, app usage, contacts, and browsing behavior flow through Google’s infrastructure. The business model monetizes that data. GrapheneOS doesn’t have a parallel cost — but the counterfactual (what Google does with that data, and what it’s worth in terms of targeted advertising and data broker exposure) is non-trivial for anyone handling sensitive information professionally.

For comparison, CalyxOS is also free and runs on a broader set of hardware. LineageOS runs on even more devices but is less security-hardened. If Pixel hardware cost is the blocker, those alternatives are worth evaluating.


Deployment reality check

Installation is done via a web-based installer at grapheneos.org. The experience, for a Pixel 9a on Brave browser [3]: you need to disable browser shields before running the web installer, enable OEM unlocking in developer settings, and allow flashing. With those steps done, the installer is described as “very straight forward and smooth. No hiccups and it worked first time” [3].

There’s also a command-line installation path for anyone who prefers terminal over browser-based tools [3].

Where things get complicated: user profiles. The RebelTechAlliance reviewer [3] made a mistake that’s worth repeating so you don’t repeat it. They set up three profiles immediately: owner, daily use, and a separate profile for Google Play apps. The friction was high enough to cause real usability problems:

  • Apps installed in one profile don’t appear in another unless explicitly allowed by the owner account
  • Clipboard doesn’t cross profiles — copying an OTP code in one profile to paste it in another doesn’t work
  • Permissions are restrictive by default and must be set per-app per-profile
  • Network access, location, camera, and storage all require explicit grants [3]

Their retrospective: “If this is your first time installing GrapheneOS just use one profile and install the Play services.” Start simple, add complexity later [3].

What actually requires attention:

  • OEM unlocking must be enabled before install and can be disabled after (security best practice)
  • Apps that require Google Play services but aren’t installed in a sandboxed Play profile will fail silently or with cryptic errors
  • Banking apps are the classic pain point — many run attestation checks that detect non-standard OS environments
  • Backup setup (Seedvault) requires a destination: a Nextcloud server, USB storage, or similar. It doesn’t back up to Google Drive by default, which is the point, but you need an alternative ready [2]

Realistic time estimate for a technical user with a compatible Pixel: 45–90 minutes including backup of current device, install, and initial profile setup. For a non-technical user following the web installer guide: 2–3 hours, assuming someone talked them through the OEM unlock step.


Pros and cons

Pros

  • Most hardened Android available. No competitor in the open-source Android space matches GrapheneOS’s security model. The combination of kernel hardening, improved exploit mitigations, and the hardened malloc implementation is genuinely research-grade work [website/features][3].
  • Sandboxed Google Play actually works. This is the feature that makes GrapheneOS practical. You don’t have to choose between security and the app catalog. Play apps run, just without OS-level privilege [website].
  • MIT license, non-profit. No commercial agenda, no monetization model to protect. The project exists to ship a better OS, not to upsell you on a SaaS tier.
  • Web installer lowers the bar. The grapheneos.org web installer has made the process accessible to non-developers. One reviewer got through it on first attempt with a supported browser [3].
  • Regular security patches. The project tracks Android security patches closely. Changelog history going back to 2014 shows sustained development cadence [4].
  • Verified boot with OS-level signature verification. Updates are cryptographically signed. A compromised update server can’t push malicious updates — the device won’t install something it can’t verify [1].
  • Transparency about network connections. The project documents what servers the OS connects to and why [1]. That’s table stakes for a privacy OS but not universal.

Cons

  • Pixel-only. This is the biggest structural limitation. If you don’t own or aren’t willing to buy a supported Google Pixel, you can’t run GrapheneOS. The irony of buying a Google device to escape Google is not lost on anyone [3].
  • Profile complexity is a real friction point. The multi-profile system is powerful but confusing on first setup. The clipboard isolation, per-profile permissions, and app availability rules caught at least one experienced technical user off guard [3]. First-timers will hit this.
  • Banking app compatibility is hit-or-miss. Many banking apps run Play Integrity API checks that detect non-standard environments. Some work fine in sandboxed Play profiles; others don’t. There’s no master list, and the situation changes as banks update their apps.
  • Trust in GrapheneOS itself still required. The forum discussion [1] is worth reading. You’ve replaced trust in Google with trust in the GrapheneOS project. The cryptographic verification model limits the blast radius of a compromised server, but you’re still trusting that the OS binaries are what they claim to be unless you build from source.
  • No Google services outside sandboxed Play. If any workflow in your life relies on Google Play services running with elevated system privileges (certain push notification systems, some Wear OS integrations, some AR features), that workflow breaks.
  • Backup requires setup. No Google Drive backup out of the box. Seedvault works, but you need a destination. If you don’t run Nextcloud or have USB storage ready, your backup story has a gap.

Who should use this / who shouldn’t

Use GrapheneOS if:

  • You handle sensitive client communications, financial data, or work where device compromise is a meaningful risk.
  • You’re already committed to de-Googling your stack (Proton Mail, self-hosted everything, etc.) and the phone is the remaining gap.
  • You own or are willing to buy a supported Google Pixel.
  • You’re technically comfortable or have someone who can walk you through first-time setup.
  • You want Google Play app compatibility without Google having OS-level access.

Consider CalyxOS or LineageOS instead if:

  • You don’t own a Pixel and aren’t buying one — GrapheneOS simply won’t run.
  • Your primary goal is de-Googling rather than maximum security hardening. CalyxOS is easier to set up and has broader hardware support [3].
  • You want a more community-supported, mainstream alternative that’s more forgiving of first-time mistakes.

Skip it entirely (stay on stock Android) if:

  • Banking apps and Google Pay are critical daily tools and you’re not willing to debug compatibility.
  • You’re handing the phone to a non-technical household member who won’t navigate profile-based permission prompts.
  • You need Google services running with full system integration (certain enterprise MDM setups, corporate device management).

Alternatives worth considering

  • CalyxOS — also runs on Pixels (and some other devices), includes microG as a Google services replacement, easier initial setup. Less security-hardened than GrapheneOS but easier to live with for most users [3].
  • LineageOS — broadest hardware support in the Android fork space, runs on hundreds of devices. Less focused on security hardening than GrapheneOS. Good if Pixel hardware isn’t an option.
  • /e/OS — explicitly focused on replacing Google services wholesale with open-source alternatives, ships with its own app store. The de-Googling experience is more complete out of the box; the security model is less rigorous than GrapheneOS [3].
  • DivestOS — a LineageOS fork with security improvements, supports more hardware than GrapheneOS at the cost of some security depth.
  • Stock Android with hardened settings — not a real alternative for serious threat models, but for the average founder who just wants to stop advertising ID leakage: disabling ad ID, revoking background location for most apps, and using a hardened browser gets you 60% of the way without any install process.

The realistic shortlist for someone seriously considering GrapheneOS is GrapheneOS vs. CalyxOS. The decision turns on one question: do you need the maximum-security OS (GrapheneOS) or the easiest de-Googled daily driver (CalyxOS)?


Bottom line

GrapheneOS is the right answer for a specific question: “I want the most hardened, privacy-respecting Android available and I’m willing to buy a Pixel and learn the profile system to get it.” For that audience, it’s not close — the security model is genuinely stronger than anything else in the consumer Android space, the sandboxed Google Play compatibility layer is well-designed, and the web installer has made the setup process accessible to non-security-engineers.

The catch is that GrapheneOS isn’t a plugin you install. It’s a commitment to a different way of managing a phone. Profile complexity, app compatibility debugging, and the Pixel hardware requirement are all real costs. The people who daily-drive it successfully are the ones who treated the first few weeks as a learning curve rather than an emergency [2][3]. For a non-technical founder whose threat model is “I don’t want Google reading my client conversations,” the time investment pays off. For someone who just wants the Zapier equivalent of mobile privacy — set it and forget it — CalyxOS is probably the more honest recommendation.


Sources

  1. GrapheneOS Discussion Forum, “GrapheneOS network requests and privacy policy” (thread with project documentation on server trust model). https://discuss.grapheneos.org/d/11553-grapheneos-network-requests-and-privacy-policy
  2. Matthew Brunelle’s Blog, “8.4 Months of Daily Driving GrapheneOS” and related GrapheneOS posts. https://blog.matthewbrunelle.com/tag/grapheneos/
  3. Rebel Tech Alliance Blog, “So, you want to install GrapheneOS” (installation and daily use experience on Pixel 9a). https://blog.rebeltechalliance.org/so-you-want-to-install-grapheneos/
  4. GrapheneOS, “Legacy changelog | History” (development history from 2014 through Oreo era). https://grapheneos.org/history/legacy-changelog
