@ 89ccea93:df4e00b7
2025-02-13 17:34:06
**[Original Post](https://expatriotic.me/grapheneos/)**
## Core Philosophy
1. **Privacy ≠ Optional**: Prevents mass data collection by design
2. **Security > Convenience**: Sacrifices "smart" features for exploit resistance
3. **Transparency**: Every line of code [auditable](https://github.com/GrapheneOS)
4. **Device Sanity**: Removes 2M+ lines of Google telemetry code
5. **Proactive Hardening**: Replaces reactive "vulnerability whack-a-mole" with systemic memory safety improvements. 73% of Android CVEs prevented via Scudo++ allocator and Rust integration.
6. **Hardware Paradox**: Uses Google Pixels *because* of their Titan M2 secure enclave: physically separate from the main CPU, Verified Boot with a user-defined root of trust, and firmware-level MAC randomization (prevents Wi-Fi tracking).
7. **Support Superiority**: GrapheneOS support for Pixel phones is 2 years longer than Google's.
> *"We're eliminating entire vulnerability classes - not just patching holes."*
## **History**
* Born in **2014** as **CopperheadOS**
* **2016**: First Pixel support (Google's hardware + de-Googled OS)
* Rebranded in **2019** after a developer split. Focuses exclusively on Pixel phones.
* **2021**: **Scudo++** with quarantines (NSA-grade exploit mitigation)
* **2023**: Full Rust integration (prevents buffer overflows in core OS)
* **2023**: Controversial lead dev, Daniel Micay, stepped down but remains director
* **2024**: Quantum-resistant encryption prototypes
> *"Our Auditor app detects hardware tampering better than Apple's T2 chip."*
## **Installation**
* **Minimum**: Pixel 4a
* **Recommended**: Pixel 7a (5-year update guarantee)
* **Backup data first**: unlocking bootloader wipes device
### **Beginners: Web Installer**
1. Enable OEM Unlock:
`Settings → About → Tap Build Number 7x → Developer Options → OEM Unlocking`
2. Visit [grapheneos.org/install](https://grapheneos.org/install)
3. Connect phone → Follow prompts (20 minutes)
### **Advanced: CLI install**
* Full CLI guide: [grapheneos.org/install/cli](https://grapheneos.org/install/cli) (8 minutes)
> *"We're proving iPhones aren't the only secure option - just better marketed."*
### **Post-Install Checklist**
- [ ] Deny all "convenience" permissions
- [ ] Enable Sensors Off toggle
- [ ] Install Auditor app
- [ ] Sensors Killswitch: `Quick Settings → Toggle Off`
- [ ] Network Restrictions:
  ```markdown
  Settings → Network & Internet → Firewall
  - Enable per-connection MAC randomization
  - Block local network discovery
  ```
- [ ] Auditor Validation: Daily automated checks against Google's hardware certs
## Setting up
### **Priority Sources**
1. **Accrescent** (Pre-installed)
   - Molly (Signal fork)
   - Aves Gallery (EXIF stripping)
   - AppVerifier (APK validation)
2. **Obtainium** ([GitHub](https://github.com/ImranR98/Obtainium))
   ```markdown
   1. Search "[App] GitHub releases"
   2. Copy releases page URL
   3. Paste into Obtainium → Auto-updates enabled
   ```
   - *Example*: NewPipe → `https://github.com/TeamNewPipe/NewPipe/releases`
3. **Google Play** (Last Resort)
   - Use separate profile
   - Burner account: Fake name + **NO phone number**
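
An APK pulled from a releases page is only as trustworthy as the certificate that signed it, which is why the list above pairs Obtainium with an APK validation tool. As an added example (not from the original post or from either project), this Python code reads the APK Signature Scheme v2 block and compares each signer certificate's SHA-256 with a fingerprint the developer publishes. It assumes a v2-signed APK, it does not verify the signature itself (Android does that at install time), and `make_sample` builds a constructed stand-in rather than a real APK.

```python
import hashlib
import struct

V2_ID = 0x7109871A           # APK Signature Scheme v2 block ID
MAGIC = b"APK Sig Block 42"  # last 16 bytes of the APK Signing Block

def _lp(b):  # prepend a uint32 little-endian length prefix
    return struct.pack("<I", len(b)) + b

def _chunks(buf):  # yield each uint32-length-prefixed item, rejecting truncation
    pos = 0
    while pos < len(buf):
        (n,) = struct.unpack_from("<I", buf, pos)
        if pos + 4 + n > len(buf):
            raise ValueError("truncated length-prefixed field")
        yield buf[pos + 4:pos + 4 + n]
        pos += 4 + n

def v2_cert_digests(apk):
    """SHA-256 of every signer certificate in the v2 block (not a signature check)."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP end-of-central-directory record
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0] if eocd >= 0 else 0
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0] if cd_off >= 32 else 0
    if apk[cd_off - 16:cd_off] != MAGIC or not 24 <= size <= cd_off - 8:
        raise ValueError("no well-formed APK Signing Block before the central directory")
    pairs, pos, out = apk[cd_off - size:cd_off - 24], 0, []
    while pos < len(pairs):
        n, pair_id = struct.unpack_from("<QI", pairs, pos)  # uint64 length, uint32 ID
        value, pos = pairs[pos + 12:pos + 8 + n], pos + 8 + n
        if pair_id == V2_ID:
            (signers,) = _chunks(value)
            for signer in _chunks(signers):
                signed_data, *_ = _chunks(signer)
                _digests, certs, *_ = _chunks(signed_data)
                out += [hashlib.sha256(c).hexdigest() for c in _chunks(certs)]
    return out

def matches_pin(apk, pinned):
    """True only if the APK has at least one signer and all of them match the pin."""
    return set(v2_cert_digests(apk)) == {pinned.replace(":", "").lower()}

def make_sample(cert):
    """Constructed stand-in: signing block plus an empty ZIP trailer, no real signature."""
    signer = _lp(_lp(b"") + _lp(_lp(cert)) + _lp(b"")) + _lp(b"") + _lp(b"")
    pair = struct.pack("<QI", len(signer) + 12, V2_ID) + _lp(_lp(signer))
    size = struct.pack("<Q", len(pair) + 24)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(pair) + 32, 0)
    return size + pair + size + MAGIC + eocd
```

For a real download, pass `open(path, "rb").read()` and the fingerprint published by the developer; a mismatch after an update means the signer changed and the APK should not be installed.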
## FOSS Apps
* Accrescent - Privacy-focused app store
* Aegis - 2FA authenticator
* Amethyst - Nostr decentralized social client
* AndBible - Offline Bible study
* Antennapod - Podcast manager
* AppVerifier - APK signature validation
* Ashigaru - Bitcoin wallet with Ricochet
* Aves Gallery - Gallery with EXIF stripping
* Brave - Anti-fingerprinting browser
* Easy Noise - Offline white noise generator
* Easy Note - Minimalist notes
* Envoy - Bitcoin wallet
* IronFox - Hardened Firefox fork
* KeePassDX - Offline password manager
* Léon - URL tracking stripper
* LocalSend - AirDrop alternative
* Material Files - File manager
* Molly - Signal fork with local encryption
* Monero.com - Official Monero wallet
* NetGuard - No-root firewall
* NewPipe - YouTube client with SponsorBlock
* Nextcloud - Self-hosted cloud suite
* OpenKeychain - PGP encryption
* Organic Maps - Offline navigation
* Orbot - Tor proxy
* Proton Drive - E2E encrypted storage
* Proton Mail - Zero-access email
* RedReader - Privacy-first Reddit client
* Simple Calendar Pro - Telemetry-free calendar
* Telegram FOSS - Decentralized messaging
* Tor Browser - Onion-routed browsing
* Twidere - Twitter/Fediverse client
* Tuta - Encrypted email
* Tuta Calendar - Encrypted calendar
* Vanadium - Hardened Chromium
* Zeus - Bitcoin Lightning node
> _"Your phone is a corporate surveillance device that happens to make calls. GrapheneOS removes the spyware OS while keeping the secure hardware."_
## **Silent.Link eSIM: Anonymous Connectivity**
**No Phone Number Required**
Visit [Silent.Link](https://silent.link) → Select data plus eSIM plan (with NO phone number).
I've used this successfully in many countries. It even gives me unfettered and free internet in China. Be sure to pick the telecom company based on what they charge per GB of data. The difference can be 100x!
## Support the Project:
- **Donate**: [grapheneos.org/donate](https://grapheneos.org/donate)
- **Community**: [grapheneos.org/contact](https://grapheneos.org/contact)
> *"GrapheneOS isn't about becoming a privacy expert overnight. It's about systematically removing corporate surveillance hooks - one app, one permission, one profile at a time."*
## Moar Halp
* **[Side Of Burritos](https://www.youtube.com/playlist?list=PLHvdaysg3bMyYwJAcxbFUY9YqKKC0Dtrd)**
* **[Hated One interview with GrapheneOS dev Gabe](https://www.youtube.com/watch?v=WkQ_OCzuLNg)**
originally posted at https://stacker.news/items/884965