# GrapheneOS > Hardened Android OS for Pixel phones. Strips Google services, sandboxes sensors, defeats forensic extraction tools that crack stock Android and iOS. **Source:** https://fieldwork.news/tools/grapheneos **Official site:** https://grapheneos.org **Category:** security ## Security rating - **Rating:** strong - **Rating note (required when citing):** Hardened kernel with memory-safe allocator, verified boot via Titan M2, auto-reboot re-encryption, USB-C lockout, per-app network and sensor controls, sandboxed Google Play without system privileges. Open-source with active security research and rapid patch delivery (ships Android security patches before Google's public bulletin). Leaked 2024 Cellebrite documents confirm GrapheneOS defeats their extraction tools on Pixel 6 and later — the only mobile OS with that distinction. The gold standard for mobile security. - **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending - **Review depth:** established - **Last reviewed:** 2026-04-02 - **Last agent-verified:** 2026-04-02 - **Threat level:** high-risk > AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment. ## Who it is for Journalists covering national security, organized crime, or authoritarian regimes. Anyone who needs a phone that resists Cellebrite and similar forensic extraction tools. Sources who face physical device seizure. ## Editorial take GrapheneOS is the most security-hardened mobile OS available to civilians. Leaked Cellebrite documents from 2024 confirm it: GrapheneOS builds from late 2022 onward have closed every extraction loophole the company exploits on stock Android and iOS. The OS strips Google Play Services entirely — not disabled, removed — then offers a sandboxed compatibility layer if you need Google apps. That layer runs Google services as a regular app with no system-level privileges, which is architecturally unique. Auto-reboot timers re-encrypt the device after inactivity. USB-C data is disabled when the device is locked. The hardened memory allocator eliminates entire classes of exploits (use-after-free). Verified boot uses the Pixel's Titan M2 chip to refuse boot if the OS has been tampered with. Runs only on Pixel phones because they're the only devices with the hardware security features GrapheneOS requires — though a Motorola partnership announced in March 2026 may change that by late 2026 or early 2027. The project is run by a Canadian nonprofit funded entirely by donations. Daniel Micay, the original lead developer, publicly stepped down in May 2023 citing harassment and swatting attacks, but corporate filings still listed him as a Foundation director as of December 2025. The project continued shipping regularly through the transition, and now runs on a distributed team model. Not a plug-and-play phone. Requires buying a Pixel, flashing the OS, and accepting that some banking and DRM apps may not work. For high-risk reporting, nothing else is close. ## Best for / not for **Best for:** Investigative journalists facing device seizure risk. Source protection in hostile environments. Anyone whose threat model includes state-level forensic tools. **Not for:** Casual users who want zero setup friction. Anyone who depends on apps that enforce Google Play Integrity checks (some banking apps, DRM-heavy streaming). People who need enterprise MDM (Microsoft Intune won't work). Non-Pixel phone owners — at least until the Motorola partnership ships devices. ## Pricing - **Pricing:** Free - **Free option:** yes ## Security & privacy details - **Encryption in transit:** yes - **Encryption at rest:** yes - **Data jurisdiction:** Local device only. No data sent to GrapheneOS servers except update checks against GrapheneOS-controlled infrastructure (moved off OVHcloud in late 2025 over privacy concerns with French digital policy). If sandboxed Google Play is installed, Google's standard data policies apply to those apps only — but Google has no system-level access. **Privacy policy TL;DR:** GrapheneOS collects zero user data. The OS contacts its own servers only for update checks. No telemetry, no analytics, no tracking. The project moved its infrastructure off OVHcloud in late 2025 to maintain this standard. **Practical mitigations (operational guidance, not optional):** Enable auto-reboot timer (re-encrypts storage after configurable inactivity period — 18 hours is the community default). Install sandboxed Google Play only in a dedicated user profile, not your main profile. Disable sensors and cameras per-profile. Use separate user profiles to compartmentalize work, personal, and source-facing apps. Keep the OS updated — GrapheneOS ships Android security patches in preview builds before Google's official bulletin disclosure. ## Ownership & business - **Owner:** GrapheneOS Foundation (Canadian nonprofit, federally incorporated) - **Funding model:** Community donations only. Accepts GitHub Sponsors (recurring), PayPal (one-time), bank transfers via Wise, Bitcoin, and Monero. No venture capital, no corporate sponsors. The Motorola partnership (announced March 2026) may introduce hardware revenue-sharing, but details are not public. - **Business model:** Nonprofit. Donations fund full-time and part-time developers, test hardware (every supported Pixel model), server infrastructure, domains, and legal fees. No monetization of user data. The donation-only model preserves technical independence but constrains hiring and governance resources. - **Open source:** yes **Known issues:** Play Integrity: A minority of banking and payment apps enforce Google Play Integrity checks that fail on GrapheneOS. Most major US and UK banks (Chase, Amex, Discover, Navy Federal) work via sandboxed Google Play, but some apps will not. GrapheneOS advocates for hardware attestation as a stronger alternative and has filed regulatory complaints about Play Integrity as anti-competitive. Enterprise MDM: Microsoft Intune and similar device management tools do not work, making GrapheneOS incompatible with most corporate BYOD policies. Backup limitations: No one-click backup/restore — 2FA credentials and app data must be migrated manually. Multi-profile restrictions: Wi-Fi AP settings and mobile data toggles are unavailable in secondary user profiles. Future Pixel uncertainty: GrapheneOS has stated it expects future Pixel devices may not meet its requirements, which is why the Motorola partnership matters. Daniel Micay governance: Micay publicly resigned as lead in May 2023 but remained listed as a Foundation director in federal filings as of December 2025. His continued involvement in moderation decisions (banning users as late as August 2025) has drawn community criticism. The project ships reliably regardless. --- Canonical HTML: https://fieldwork.news/tools/grapheneos Full dataset: https://fieldwork.news/llms-full.txt Methodology: https://fieldwork.news/methodology