Threat model first
Before changing settings, decide what you are defending against. For most people the realistic threats are credential theft, phishing, stalkerware, commodity spyware, and opportunistic device theft. A small group of users also face targeted spyware and zero-click attempts.
- Define your “high-value” data: accounts, photos, contacts, messages, work files.
- Define likely attackers: criminals, abusive partners, data brokers, targeted spyware operators.
- Define acceptable tradeoffs: usability, battery, app compatibility, audit needs.
Rule of thumb
Hardening works best when it removes whole classes of risk (fewer apps, fewer permissions, fewer always-on sensors), not when it tries to “outsmart” attackers with tricks.
Baseline setup
GrapheneOS is designed around a hardened Android baseline: strong sandboxing, stricter permissions, and modern exploit mitigations. The goal here is a clean install, strong authentication, and a small attack surface.
Baseline checklist
- Use a supported device model (Pixel-class devices are typical).
- Install from official GrapheneOS documentation and verify what you download.
- Set a strong device unlock (long PIN or strong passphrase) and enable biometrics only if you accept the legal/operational tradeoff.
- Enable auto-updates for OS and apps. Patching speed is a major security control.
- Keep the app set minimal. Every app is a potential new attack surface.
Profiles and app isolation
Use multiple profiles to contain risk. Think of profiles as “separate worlds” with separate app data. High-risk apps live away from your primary identity.
Profile layout that works
- Owner profile: minimal apps, core accounts, security settings.
- Work profile: work apps, work comms, separate storage and notifications.
- “Risky apps” profile: social media, large chat apps, browsers you do not trust.
Practical effect: if an app gets compromised, there is less lateral movement. This doesn’t guarantee safety, but it changes outcomes.
Permissions and sensors
Most real-world spyware outcomes come from endpoint access: microphone, camera, location, accessibility services, notification access, and storage. Tight permissions reduce what a compromised app can do silently.
Permission discipline
- Disable microphone/camera access by default, enable only when needed.
- Prefer “While in use” for location. Avoid “Always” unless there is a strong reason.
- Avoid granting Accessibility permissions to apps unless you fully trust them.
- Review notification access and “read notifications” capabilities.
- Use storage scopes (only grant access to specific folders) where supported.
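One way to make the accessibility and notification-access review above repeatable, as an added example that is not part of the original guide: it compares the enabled services reported by Android's secure settings with an allowlist you maintain. It assumes adb access (USB debugging enabled) for live use; the sample values, package names and allowlist are constructed.

```python
import subprocess

# Secure-settings keys; each holds colon-separated components (package/class).
KEYS = ("enabled_accessibility_services", "enabled_notification_listeners")


def read_setting(key):
    """Read one secure setting over adb (assumes USB debugging is enabled)."""
    out = subprocess.run(["adb", "shell", "settings", "get", "secure", key],
                         capture_output=True, text=True, check=True)
    return out.stdout


def parse_components(raw):
    """Split a settings value into (package, class) pairs; 'null' or empty means none."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    pairs = []
    for item in filter(None, (part.strip() for part in raw.split(":"))):
        package, _, cls = item.partition("/")
        # A leading dot is shorthand for a class inside the package namespace.
        pairs.append((package, package + cls if cls.startswith(".") else cls))
    return pairs


def audit(settings, allowlist):
    """Return {key: [components whose package is not in allowlist[key]]}."""
    findings = {}
    for key in KEYS:
        allowed = allowlist.get(key, set())
        unknown = [f"{pkg}/{cls}" for pkg, cls in parse_components(settings.get(key))
                   if pkg not in allowed]
        if unknown:
            findings[key] = unknown
    return findings


# Constructed sample and allowlist (made-up packages); live: {k: read_setting(k) for k in KEYS}.
SAMPLE = {
    "enabled_accessibility_services": "org.example.reader/.ScreenReaderService:"
                                      "com.example.cleaner/com.example.cleaner.HelperService",
    "enabled_notification_listeners": "null",
}
ALLOWED = {"enabled_accessibility_services": {"org.example.reader"}}

if __name__ == "__main__":
    for key, items in audit(SAMPLE, ALLOWED).items():
        print(key, "->", ", ".join(items))
```

Secure settings are stored per user, so each profile has its own values and needs its own check. An empty result means nothing outside the allowlist is enabled, not that the device is clean.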
Network, browsers, and updates
Keep your browsing surface small and predictable. Use one primary browser, keep it updated, and avoid random extensions. If you use VPNs, treat them as privacy tools, not invisibility cloaks.
Network hygiene
- Use a reputable DNS resolver you trust, or a local resolver you control.
- Disable per-app network access for apps that do not need it (especially “offline” tools).
- Keep the baseband/modem firmware updated via the OS update channel.
Keep it boring
“Boring security” wins: fast patching, fewer apps, fewer permissions. Fancy tweaks are optional, not the core.
Backups you can restore
A hardened phone is still a phone. If you lose it or it breaks, you need an encrypted backup you can restore. Test restores. Most backup plans fail during the first real emergency.
Backup minimum
- Keep an encrypted backup (local or your own cloud) for critical data.
- Document recovery steps in a password manager or offline note.
- Test restore once per quarter on a spare device or fresh profile.
Red flags and what to do
Some signs are noisy (crashes, heat, battery drain) and some are subtle (unexpected prompts, new device admin apps, unknown accessibility services enabled). None of these prove compromise by themselves, but they justify caution.
When you suspect compromise
- Stop using the device for sensitive comms until you regain confidence.
- Preserve notes: time window, symptoms, suspicious messages, account alerts.
- Update OS and apps immediately, then review permissions and device admin settings.
- If the risk is high, consult a professional incident responder or a trusted lab for device evaluation.
Scope note
This guide focuses on defensive hardening and incident readiness. Guidance about hiding wrongdoing, destroying evidence, or evading lawful investigation is intentionally not provided.