GrapheneOS

GrapheneOS hardening guide: every setting explained

## Who this guide is for

GrapheneOS hardening guide: every setting explained

Who this guide is for

This guide is for people who already installed GrapheneOS and want to decide deliberately how far to harden it instead of just toggling settings blindly.

It fits especially:

privacy-conscious daily users who want a stronger baseline
readers moving beyond the first setup and into actual hardening choices
higher-risk users who need to understand what the settings really do before going stricter

What you gain, and what it costs

If you harden GrapheneOS with intention, you gain:

a phone that is materially harder to misuse or compromise than stock Android
clearer boundaries around network access, app behavior, sensors, and physical access
a setup that reflects your real risk model instead of default settings

What it costs:

setup time and reading
some convenience, depending on how strict you go
the need to choose settings based on your own use case rather than copying a maximalist checklist

When this is overkill

If you only just installed GrapheneOS, do not treat this as a race to turn on every hardening option. A stable, understandable setup is better than a stricter one you later undo because it gets in the way.

This guide becomes most useful once you are ready to move from “it runs” to “I know why these security choices matter for me.”

You’ve installed GrapheneOS. First setup is done. Now: how far do you go?

GrapheneOS has dozens of security and privacy settings that do not exist on standard Android or are disabled there by default. This guide walks through the important ones so you understand what they do and can decide deliberately.

Level: You’ve already installed GrapheneOS and done the basic setup. Reading time: ~20 minutes

How to read this guide

Each section covers:

What the setting does
Why it matters
Recommendation (→)

The recommendations are for an average privacy-conscious user. Journalists, activists or other high-risk users can go stricter.

1. Screen lock and access

PIN vs password vs biometrics

GrapheneOS offers three unlock options:

PIN (6+ digits) Good for daily use. Minimum six digits. Avoid birthdays or 123456.

Alphanumeric password Strongest option. Harder to guess, harder to shoulder-surf. Slower to enter.

Fingerprint / face recognition Convenient, but: biometrics have no legal protection in most countries. Police or border control can hold your phone against your finger. A PIN is different — it’s knowledge, not a physical trait.

→ Use at minimum a 6-digit PIN. Add fingerprint as a supplement, not a replacement.

Setting auto-lock

Settings → Display → Lock screen

After the screen turns off, the phone locks immediately. No delay, no window.

→ Set to Immediately.

Lockdown mode

GrapheneOS has a lockdown button: hold the power button → Lockdown. This:

Temporarily disables biometrics
Requires PIN to unlock
Hides notifications on lock screen

Use this if you expect your phone to be inspected — at a border crossing, police stop, or if you hand it to someone.

→ Know this feature and use it when relevant.

2. USB and physical access

Restrict USB connections

Settings → Security → Exploit protection → USB-C port

GrapheneOS already defaults to “Charging-only when locked”, which is stricter than stock Android. New USB connections are blocked as soon as the phone is locked, at both the hardware and OS level.

→ Keep the default, or disable USB entirely if you charge wirelessly and do not need it.

Disable USB entirely

You can turn USB off entirely: no charging, no data.

Settings → Security → Exploit protection → USB-C port → Never allow

Useful if you charge wirelessly only. You can re-enable temporarily when needed.

→ Consider this if you charge wirelessly and don’t need USB.

3. Network and connections

MAC address randomisation

GrapheneOS randomises the MAC address per connection by default. That is stricter than standard Android, which usually uses one random MAC per network.

You can still review the setting per network:

Settings → Wi-Fi → [network] → Advanced → Privacy → Use randomised MAC

If per-connection randomisation causes compatibility issues with a router, you can fall back to per-network randomisation.

→ Keep the default. Only fall back to per-network randomisation if you actually need it.

Set private DNS

By default your phone uses your carrier’s DNS. They can see which domains you look up.

GrapheneOS supports Private DNS via DNS-over-TLS (DoT):

Settings → Network and internet → Private DNS → Private DNS provider hostname

Reliable options:

dns.quad9.net — Quad9, no logging, filters malware
base.dns.mullvad.net — Mullvad, no logging, no filtering
1dot1dot1dot1.cloudflare-dns.com — Cloudflare, fast, policy-based privacy guarantees

→ Choose Quad9 or Mullvad. Avoid Google (8.8.8.8) for privacy.

Per-app network access

GrapheneOS has built-in per-app network control. This is binary: network access is either allowed or fully blocked for that app, including indirect access through OS components.

Settings → Apps → [app] → Permissions → Network

Use this for apps that don’t need internet. A note app, calculator, or photo editor has no reason to send data.

→ Go through your apps. Block internet for everything that doesn’t need it.

Turn off Bluetooth and NFC when not in use

Bluetooth and NFC are attack surfaces. Bluetooth exploits exist. NFC can trigger unintended payments or data transfers.

Turn them off via quick settings when not in use. Or:

Settings → Connected devices → Connection preferences → NFC → Off

→ Off when not needed. On when you need them.

4. Sensor permissions and access

Sensor access per app

GrapheneOS gives you control over which sensors an app can use: camera, microphone, location, accelerometer, barometer.

Settings → Privacy → Permission manager

Go through each category:

Location

Use “Only while using” — never “Always allow” unless essential
Turn off “Precise location” for apps that don’t need it
Revoke location entirely for apps with no clear reason

Camera and microphone

Grant only when the app actively needs it
GrapheneOS shows an indicator when camera or microphone is active

Sensors GrapheneOS has an extra “Sensors” category that controls access to motion sensors, barometer, and other hardware. This does not exist on standard Android.

Settings → Privacy → Permission manager → Sensors

Many apps request sensor access for tracking purposes (step counters, activity monitoring for ad profiles).

→ Revoke sensor permissions for all apps that don’t clearly need them.

Camera and microphone toggles

GrapheneOS has hardware-level toggles for camera and microphone:

Settings → Privacy → Camera access (Off = no app can use the camera) Settings → Privacy → Microphone access (Off = no audio input)

This is different from per-app permissions: it’s a global block, hardware-independent.

→ Use this when you don’t need the camera or microphone for an extended period.

5. Notifications and lock screen

Notifications on lock screen

Settings → Notifications → Sensitive notifications on lock screen → Don’t show content

Without this, messages, names, and content can be visible when your phone is on a table.

→ Set to “No content” or “Hide sensitive content”.

Notification history

Settings → Notifications → Notification history → Off

Android stores notifications by default. Someone with access to your unlocked phone can see the history.

→ Off.

6. Exploit mitigations

This is one of the areas where GrapheneOS meaningfully differs from standard Android.

Memory tagging (MTE)

On supported Pixels (Pixel 8 and newer), GrapheneOS offers Memory Tagging Extension — hardware-level protection against a class of attacks (buffer overflows, use-after-free). This can crash poorly written apps.

Settings → Security → Exploit protection

GrapheneOS already uses MTE for the kernel and most OS components. On Pixel 8 and newer, you can extend it to all installed apps, and disable it per app only if something crashes.

→ On Pixel 8+, consider enabling MTE for all apps. Disable it only for the rare app that breaks.

Hardened malloc

GrapheneOS uses a custom memory allocator (hardened malloc) that makes a class of memory exploits harder. This is active by default — no action needed.

Auto-reboot

Settings → Security → Exploit protection → Auto-reboot

After a configurable period (default 18 hours), the phone automatically restarts if it has not been unlocked. This returns encryption to “Before First Unlock” (BFU) — the strongest encryption state.

Forensic tools like Cellebrite have significantly less access when the phone is in BFU state.

→ Leave it on at the default 18 hours. Lower it to 8-12 hours if you want stricter protection.

Secure delete

GrapheneOS overwrites data on deletion. This makes recovery of deleted files harder.

Active by default, no setting needed.

7. Apps and installation

Unknown sources per app

Settings → Apps → Special app access → Install unknown apps

On standard Android this is a general setting. GrapheneOS makes it per-app: only the apps you designate can install APKs (such as F-Droid or Obtainium).

→ Grant only to F-Droid or Obtainium. Never to a browser.

App sandboxing and profiles

Each app runs in its own sandbox. Additionally, you can separate apps into profiles (see the profiles guide).

Use a separate profile for:

Apps you don’t fully trust but need
Work-related apps
Apps with sandboxed Google Play

→ See the profiles guide for full explanation.

Check app permissions after install

After installing any app: go to its permissions and revoke everything it doesn’t need.

Settings → Apps → [app] → Permissions

Ask yourself for each permission: does this app actually need this to function?

8. Encryption

GrapheneOS encrypts storage by default. There’s no setting to enable it — it’s always on.

What you can check:

Encryption status

Settings → Security → Encryption and credentials

Shows whether storage is fully encrypted.

Before First Unlock (BFU) vs After First Unlock (AFU)

An important concept:

BFU: Phone just booted, not yet unlocked. Encryption at maximum. Forensic tools have very limited access.
AFU: Phone has been unlocked at least once. Keys loaded into memory. More attack surface.

Auto-reboot (see above) periodically returns you to BFU.

9. Network isolation and anonymity

Tor integration

GrapheneOS supports direct Tor routing per app via Orbot. Install Orbot from F-Droid (Guardian Project repo) and assign apps to run through Tor.

Tor is slower but anonymises your IP address. Use it for apps where IP anonymity matters.

→ Use Orbot + Tor for browsers and communication where IP anonymity matters.

VPN

Do not choose a VPN specifically “for GrapheneOS”. Provider choice is the same as on other devices: start with the VPN comparison and, if needed, what a VPN does and does not do. Short summary:

VPN hides your traffic from your provider
VPN shifts trust to the VPN provider
Mullvad is the most privacy-friendly choice (no-log, no account required, payable with cash or Monero)

What is GrapheneOS-specific: Android’s always-on VPN and kill switch work cleanly per profile. If the VPN drops, GrapheneOS can block internet for that profile.

Settings → Network and internet → VPN → [your VPN] → Lock icon (always-on + kill switch)

→ Enable the kill switch if you use a VPN. But do not treat a VPN as a required GrapheneOS setting.

10. Recommended apps

Apps that fit well with a hardened GrapheneOS setup:

Browser

Vanadium — GrapheneOS’s default browser. Hardened Chromium, no telemetry, sandboxed.

Tor Browser — via Guardian Project repo on F-Droid. For anonymous browsing.

Communication

Molly — hardened Signal fork. On-device database encryption, RAM wipe on lock. Via Molly’s own F-Droid repo.

Element — Matrix client for decentralised chat.

Passwords

KeePassDX — local password manager. No cloud, no sync unless you set it up yourself.

DNS and Tor

Orbot — Tor proxy. Route specific apps through Tor network.

App store

F-Droid — open-source app store. See the F-Droid guide.

Obtainium — get apps directly from GitHub releases. Useful addition to F-Droid for apps not in a repo.

11. Checklist — summary

Copy this as a working list:

Access and lock

PIN 6+ digits (or password)
Auto-lock set to Immediately
USB set to Charging-only when locked, or disabled entirely
Lock screen notifications disabled

Network

Private DNS configured (Quad9 or Mullvad)
Per-app network access reviewed
Bluetooth and NFC off when not in use
VPN kill switch on (if using VPN)

Privacy

Location permissions reviewed per app
Camera/microphone permissions minimal
Sensor permissions revoked where not needed
Notification history off

Security

Auto-reboot on (default 18h, lower if needed)
MTE enabled on Pixel 8+ (optional)
Unknown sources only for F-Droid/Obtainium

How far should you go?

That depends on your situation. A useful rule of thumb:

Basic privacy: Do the USB, DNS, PIN and per-app network settings. That covers 80% of the risk for most users.

Advanced: Add per-app sensor permissions, auto-reboot, VPN with kill switch, and Tor.

Maximum: Everything above plus: BFU-only usage (power off when not using), profiles for isolation, no sandboxed Google Play.

There’s no wrong choice — every step makes it harder. Do what’s sustainable for daily use, and build from there.

Next step

Go further

Profiles on GrapheneOS — move from device-level settings to app-level separation
Install GrapheneOS — the installation step before this guide
First setup — the basic setup before hardening
VPN comparison — choosing a VPN provider
F-Droid: recommended apps — open-source apps without Google Play

← Back to guides