PrivacyGear.nl

GrapheneOS hardening guide: every setting explained

The complete guide to securing GrapheneOS. Every privacy and security setting step by step — from screen lock to exploit mitigations.

You’ve installed GrapheneOS. First setup is done. Now: how far do you go?

GrapheneOS has dozens of security and privacy settings that don’t exist on standard Android or are off by default. This guide walks through all of them. Not as a mandatory checklist — but so you understand what each setting does and can choose for yourself.

Level: You’ve already installed GrapheneOS and done the basic setup.

Reading time: ~20 minutes


How to read this guide

Each section covers:

  • What the setting does
  • Why it matters
  • Recommendation (→)

The recommendations are for an average privacy-conscious user. Journalists, activists or other high-risk users can go stricter.


1. Screen lock and access

PIN vs password vs biometrics

GrapheneOS offers three unlock options:

PIN (6+ digits): Good for daily use. Minimum six digits. Avoid birthdays or 123456.

Alphanumeric password: Strongest option. Harder to guess, harder to shoulder-surf. Slower to enter.

Fingerprint / face recognition: Convenient, but biometrics have no legal protection in most countries. Police or border control can hold your phone against your finger. A PIN is different — it’s knowledge, not a physical trait.

→ Use at minimum a 6-digit PIN. Add fingerprint as a supplement, not a replacement.

Setting auto-lock

Settings → Security → Screen automatically locks → Immediately

After the screen turns off, the phone locks immediately. No delay, no window.

→ Set to Immediately.

Lockdown mode

GrapheneOS has a lockdown button: hold the power button → Lockdown. This:

  • Temporarily disables biometrics
  • Requires PIN to unlock
  • Hides notifications on lock screen

Use this if you expect your phone to be inspected — at a border crossing, police stop, or if you hand it to someone.

→ Know this feature and use it when relevant.


2. USB and physical access

Restrict USB connections

Settings → Security → Allow USB connections → Charging only

By default, USB is set to “always allow.” That means a malicious USB port — in a hotel, airport, or public charging station — could potentially read data or install malware.

With “Charging only,” the phone does not communicate via USB unless you actively unlock it.

→ Set to Charging only.

Disable USB entirely

You can turn USB off entirely: no charging, no data.

Settings → Security → Allow USB connections → Never allow

Useful if you charge wirelessly only. You can re-enable temporarily when needed.

→ Consider this if you charge wirelessly and don’t need USB.


3. Network and connections

MAC address randomisation

By default, a device identifies itself on every Wi-Fi connection with the same MAC address, a unique number from its network card. Networks and trackers can use this to follow you, even without knowing your name.

GrapheneOS randomises the MAC address by default per network. This is already good. You can also randomise per-connection (new MAC for every connection):

Settings → Wi-Fi → [network] → Advanced → Privacy → Use randomised MAC

→ Keep MAC randomisation on. Per-connection is the strictest option.

Set private DNS

By default your phone uses your carrier’s DNS. They can see which domains you look up.

GrapheneOS supports DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT):

Settings → Network and internet → Private DNS → Private DNS provider hostname

Reliable options:

  • dns.quad9.net — Quad9, no logging, filters malware
  • base.dns.mullvad.net — Mullvad, no logging, no filtering
  • 1dot1dot1dot1.cloudflare-dns.com — Cloudflare, fast, policy-based privacy guarantees

→ Choose Quad9 or Mullvad. Avoid Google (8.8.8.8) for privacy.

Per-app network access

GrapheneOS has a built-in per-app firewall. You can restrict each app to:

  • Wi-Fi only
  • Mobile data only
  • No internet

Settings → Apps → [app] → Permissions → Network

Use this for apps that don’t need internet. A note app, calculator, or photo editor has no reason to send data.

→ Go through your apps. Block internet for everything that doesn’t need it.

Turn off Bluetooth and NFC when not in use

Bluetooth and NFC are attack surfaces. Bluetooth exploits exist. NFC can trigger unintended payments or data transfers.

Turn them off via quick settings when not in use. Or:

Settings → Connected devices → Connection preferences → NFC → Off

→ Off when not needed. On when you need them.


4. Sensor permissions and access

Sensor access per app

GrapheneOS gives you control over which sensors an app can use: camera, microphone, location, accelerometer, barometer.

Settings → Privacy → Permission manager

Go through each category:

Location

  • Use “Only while using” — never “Always allow” unless essential
  • Turn off “Precise location” for apps that don’t need it
  • Revoke location entirely for apps with no clear reason

Camera and microphone

  • Grant only when the app actively needs it
  • GrapheneOS shows an indicator when camera or microphone is active

Sensors

GrapheneOS has an extra “Sensors” category that controls access to motion sensors, barometer, and other hardware. This does not exist on standard Android.

Settings → Privacy → Permission manager → Sensors

Many apps request sensor access for tracking purposes (step counters, activity monitoring for ad profiles).

→ Revoke sensor permissions for all apps that don’t clearly need them.

Camera and microphone toggles

GrapheneOS has hardware-level toggles for camera and microphone:

Settings → Privacy → Camera access (Off = no app can use the camera)

Settings → Privacy → Microphone access (Off = no audio input)

This is different from per-app permissions: it’s a global block, hardware-independent.

→ Use this when you don’t need the camera or microphone for an extended period.


5. Notifications and lock screen

Notifications on lock screen

Settings → Notifications → Sensitive notifications on lock screen → Don’t show content

Without this, messages, names, and content can be visible when your phone is on a table.

→ Set to “No content” or “Hide sensitive content”.

Notification history

Settings → Notifications → Notification history → Off

Android stores notifications by default. Someone with access to your unlocked phone can see the history.

→ Off.


6. Exploit mitigations

This is where GrapheneOS fundamentally differs from other Android versions.

Memory tagging (MTE)

On supported Pixels (Pixel 8 and newer), GrapheneOS offers Memory Tagging Extension — hardware-level protection against a class of attacks (buffer overflows, use-after-free). This can crash poorly written apps.

Settings → Security → Exploit protection

You can enable MTE per app. Start with apps you trust less.

→ Enable for apps from unknown sources. On Pixel 8+, consider enabling broadly.

Hardened malloc

GrapheneOS uses a custom memory allocator (hardened malloc) that makes a class of memory exploits harder. This is active by default — no action needed.

Auto-reboot

Settings → Security → Auto-reboot

After a configurable period (default 72 hours), the phone automatically restarts if it hasn’t been unlocked. This returns encryption to “Before First Unlock” (BFU) — the strongest encryption state.

Forensic tools like Cellebrite have significantly less access when the phone is in BFU state.

→ Leave on. Lower to 18-24 hours for higher security.

Secure delete

GrapheneOS overwrites data on deletion. This makes recovery of deleted files harder.

→ Active by default, no setting needed.


7. Apps and installation

Unknown sources per app

Settings → Apps → Special app access → Install unknown apps

On standard Android this is a general setting. GrapheneOS makes it per-app: only the apps you designate can install APKs (such as F-Droid or Obtainium).

→ Grant only to F-Droid or Obtainium. Never to a browser.

App sandboxing and profiles

Each app runs in its own sandbox. Additionally, you can separate apps into profiles (see the profiles guide).

Use a separate profile for:

  • Apps you don’t fully trust but need
  • Work-related apps
  • Apps with sandboxed Google Play

See the profiles guide for full explanation.

Check app permissions after install

After installing any app: go to its permissions and revoke everything it doesn’t need.

Settings → Apps → [app] → Permissions

Ask yourself for each permission: does this app actually need this to function?
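
A way to run this post-install review across all apps and profiles at once, as an added example that is not part of the original guide: it parses saved output of adb shell dumpsys package and lists which of the permissions covered in this guide are currently granted, per app and per user profile. The package name and sample text are constructed, and the mapping of GrapheneOS's Network and Sensors toggles to android.permission.INTERNET and android.permission.OTHER_SENSORS is an assumption.

```python
import re

# Permissions the guide says to review, mapped to the guide's labels. Assumption:
# GrapheneOS's Network and Sensors toggles show up as INTERNET and OTHER_SENSORS.
REVIEW = {
    "android.permission.INTERNET": "Network",
    "android.permission.OTHER_SENSORS": "Sensors",
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "Location (always)",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
USER_RE = re.compile(r"^\s*User (\d+):")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_permissions(dumpsys_text):
    """Map (package, user/profile id) -> granted permissions that need review."""
    findings, package, user, in_runtime = {}, None, None, False
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):
            package, user, in_runtime = m.group(1), None, False
        elif m := USER_RE.match(line):
            user, in_runtime = int(m.group(1)), False
        elif line.strip() == "runtime permissions:":
            in_runtime = True
        elif in_runtime and (m := PERM_RE.match(line)):
            name, granted = m.groups()
            if granted == "true" and name in REVIEW and user is not None:
                findings.setdefault((package, user), []).append(REVIEW[name])
        elif line.strip():
            in_runtime = False  # any other non-blank line ends the block
    return findings

# Constructed sample in the shape of `adb shell dumpsys package` output.
SAMPLE = """\
  Package [com.example.notes] (1a2b3c):
    install permissions:
      android.permission.VIBRATE: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.INTERNET: granted=false, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.OTHER_SENSORS: granted=true
    User 10: installed=true hidden=false
      runtime permissions:
        android.permission.INTERNET: granted=true
"""
for (pkg, uid), perms in granted_permissions(SAMPLE).items():
    print(f"{pkg} (user {uid}): review {', '.join(perms)}")
```

In the sample, the note app has Network revoked in the owner profile but still granted in a second profile (user 10), which is the kind of per-profile difference that is easy to miss when reviewing by hand.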


8. Encryption

GrapheneOS encrypts storage by default. There’s no setting to enable it — it’s always on.

What you can check:

Encryption status

Settings → Security → Encryption and credentials

Shows whether storage is fully encrypted.

Before First Unlock (BFU) vs After First Unlock (AFU)

An important concept:

  • BFU: Phone just booted, not yet unlocked. Encryption at maximum. Forensic tools have very limited access.
  • AFU: Phone has been unlocked at least once. Keys loaded into memory. More attack surface.

Auto-reboot (see above) periodically returns you to BFU.


9. Network isolation and anonymity

Tor integration

GrapheneOS supports direct Tor routing per app via Orbot. Install Orbot from F-Droid (Guardian Project repo) and assign apps to run through Tor.

Tor is slower but anonymises your IP address. Use it for apps where IP anonymity matters.

→ Use Orbot + Tor for browsers and communication where IP anonymity matters.

VPN

See the VPN guide for full explanation. Short summary:

  • VPN hides your traffic from your provider
  • VPN shifts trust to the VPN provider
  • Mullvad is the most privacy-friendly choice (no-log, no account required, payable with cash or Monero)

GrapheneOS has a built-in VPN kill switch: if the VPN drops, it automatically blocks internet.

Settings → Network and internet → VPN → [your VPN] → Lock icon (always-on + kill switch)

→ Enable kill switch if you use a VPN.


10. Apps that fit well with a hardened GrapheneOS setup

Browser

Vanadium — GrapheneOS’s default browser. Hardened Chromium, no telemetry, sandboxed.

Tor Browser — via Guardian Project repo on F-Droid. For anonymous browsing.

Communication

Molly — hardened Signal fork. On-device database encryption, RAM wipe on lock. Via Molly’s own F-Droid repo.

Element — Matrix client for decentralised chat.

Passwords

KeePassDX — local password manager. No cloud, no sync unless you set it up yourself.

DNS and Tor

Orbot — Tor proxy. Route specific apps through Tor network.

App store

F-Droid — open-source app store. See the F-Droid guide.

Obtainium — get apps directly from GitHub releases. Useful addition to F-Droid for apps not in a repo.


11. Checklist — summary

Copy this as a working list:

Access and lock

  • PIN 6+ digits (or password)
  • Auto-lock set to Immediately
  • USB set to Charging only
  • Lock screen notifications disabled

Network

  • Private DNS configured (Quad9 or Mullvad)
  • Per-app network access reviewed
  • Bluetooth and NFC off when not in use
  • VPN kill switch on (if using VPN)

Privacy

  • Location permissions reviewed per app
  • Camera/microphone permissions minimal
  • Sensor permissions revoked where not needed
  • Notification history off

Security

  • Auto-reboot on (72h or lower)
  • MTE enabled on Pixel 8+ (optional)
  • Unknown sources only for F-Droid/Obtainium

How far should you go?

That depends on your situation. A useful rule of thumb:

Basic privacy: Do the USB, DNS, PIN and per-app network settings. That covers 80% of the risk for most users.

Advanced: Add per-app sensor permissions, auto-reboot, VPN with kill switch, and Tor.

Maximum: Everything above plus: BFU-only usage (power off when not using), profiles for isolation, no sandboxed Google Play.

There’s no wrong choice — every step makes it harder. Do what’s sustainable for daily use, and build from there.

