GrapheneOS Enhancing Secure Android Platform

GrapheneOS 2024011300, a new release of the secure mobile platform, is now available. GrapheneOS is a fork of the Android code base (AOSP) that has been extended and modified to strengthen security and protect privacy. Previously known as AndroidHardening, the project originated from the CopperheadOS project after a conflict between its founders. GrapheneOS officially supports most current Google Pixel devices, including Pixel 4/5/7/8, Pixel Fold, and Pixel Tablet.

The project’s code is distributed under the MIT license and can be found on their GitHub page.

GrapheneOS incorporates many experimental technologies aimed at strengthening application isolation. These include fine-grained access control, mitigations for common classes of vulnerabilities, and measures that make exploitation more difficult. The platform uses its own implementations of malloc and libc to protect against memory corruption. Additionally, process address spaces are more strictly separated, and ahead-of-time (AOT) compilation is used instead of just-in-time (JIT) compilation in the Android Runtime. The Linux kernel includes various additional protection mechanisms, such as SLUB canaries to block buffer overflows, and SELinux and seccomp-bpf are used to enhance application isolation.

GrapheneOS also provides granular control over app permissions. Users can selectively grant network access, sensor access, address book access, and access to peripheral devices like USB and the camera. Reading from the clipboard is only permitted for the application that currently has input focus. By default, access to sensitive hardware identifiers like the IMEI, MAC address, and SIM card serial number is blocked. Measures have been taken to isolate Wi-Fi and Bluetooth processes and prevent leaks resulting from wireless activity. Many of these hardening mechanisms have been contributed back to the main Android codebase.
