Table of Contents

Introduction


Welcome to the Secure Mobile Setup Guide, in the following sections you will learn how to set up a secure mobile device. While reading this guide please keep the following legend in mind to maximize your learning proficiency. Text that is bold is considered IMPORTANT and should always be understood, text that is italic is optional reading that provides additional information on a section.

What is GrapheneOS?


GrapheneOS is a mobile OS focused on privacy and security, with an Android app compatibility layer. Its primarily focused on the research and development of privacy and security technologies. These technologies include sandboxing, exploit mitigation, and a permission model.

How does GrapheneOS work?


Graphene improves security and privacy from the ground up by deploying various technologies to mitigate entire classes of vulnerabilities. This makes exploiting common sources of vulnerabilities more difficult and less sustainable. These improvements better the security of the operating system and apps running on it. The system will also never ship with any google apps or services to further increase security.

How can I run GrapheneOS?


Graphene is exclusively built for Google Pixel devices, however many other devices are supported at a source level and can be built for them without modifications to the existing GrapheneOS source tree. Most cases beyond that will require substancial work to reach the same standards; For most devices hardware and firmware will prevent providing a reasonably secure device regardless of work put into device support. At the time of writing the following devices are officially supported.

Supported Devices

  • Pixel 7 Pro (cheetah) — experimental
  • Pixel 7 (panther) — experimental
  • Pixel 6a (bluejay)
  • Pixel 6 Pro (raven)
  • Pixel 6 (oriole)
  • Pixel 5a (barbet)
  • Pixel 5 (redfin)
  • Pixel 4a (5G) (bramble)
  • Pixel 4a (sunfish)
  • Pixel 4 XL (coral)
  • Pixel 4 (flame)

What makes GrapheneOS secure?


Security and privacy are deeply rooted in the foundations of the Graphene operating system. Completely de-googled and de-bloated, Graphene takes advantage of all existing android security features with numerous additions on top. Disk encryption, clipboard security, hardware identifier protection, IOMMU baseband isolation, and a system integrated firewall with custom rulings keep Graphene protected from adversaries.

Installation


Graphene has two officially supported installation methods, this guide will cover the recommended method.

  • WebUSB-based Installer – recommended for most users
  • Command Line Install – recommended for advanced users

Prerequisites

Install an officially supported operating system, you should have at least 4GB of free memory available and 32GB of free storage.

  • Windows 10
  • Windows 11
  • macOS Catalina (10.15)
  • macOS Big Sur (11)
  • macOS Monterey (12)
  • Arch Linux
  • Debian 10 (buster)
  • Debian 11 (bullseye)
  • Ubuntu 20.04 LTS
  • Ubuntu 22.04 LTS
  • ChromeOS
  • GrapheneOS
  • Google Android (stock Pixel OS) and other certified Android variants

Ensure your system is up to date before proceeding.

Start the Install

Install an officially supported browser on your computer

  • Chromium (outside Ubuntu, since they ship a broken Snap package without working WebUSB)
  • Vanadium (GrapheneOS)
  • Google Chrome
  • Microsoft Edge
  • Brave

Ensure your browser is up to date before proceeding.

Do NOT use incognito or other private modes for installation.

Enable OEM Unlocking

  • Enable developer options by going to Settings -> About this phone -> tap the build number option until developer mode is enabled.
  • Go to Settings -> Developer options -> Toggle OEM unlocking

Flashing as non-root (Linux specific)

  • On Arch Linux, install the android-udev package. On Debian and Ubuntu, install the android-sdk-platform-tools-common package.

Arch Linux:
sudo pacman -Syy android-udev

Ubuntu:

sudo apt-get install android-sdk-platform-tools-common

Boot into the bootloader interface

  • Reboot the device and hold the volume down button while the phone boots. Continue holding volume down until the phone boots into the bootloader interface

Connecting the phone

  • Connect the phone to the computer. On Linux, you’ll need to do this again if you didn’t have the udev rules set up when you connected it.

On Windows devices if you don’t have the fastboot driver already installed you will need to install them to move forward. Alternatively you can also install the latest drivers for pixels.

Proceed to the official GrapheneOS website, and navigate to install -> web installer.

Jump to the ‘Unlocking the bootloader’ section.

Follow the remaining installation steps on the page. (listing the next steps would be pointless as you need to click page buttons to initiate WebUSB commands)

Post Installation Setup
Once GrapheneOS installation is completed, it is recommended that you change the following settings.

  • Navigate to Settings -> Privacy -> disable camera/microphone access.
  • Go to Settings -> Location -> Turn off use location.
  • Go to Settings -> Security -> Auto reboot and select an auto reboot time.
  • Go to Settings -> Security -> Pin scrambling and enable it.
  • Go to Settings -> Security -> Screen lock camera access and disable it.

Once your settings have been updated, open the browser and download F-Droid. This will act as your app store on your device.

Recommended Apps

  • OpenKeychain: Easy PGP
  • AuthPass – KeePass compatible
  • InviZible Pro
  • Fennec F-Droid
  • Tor Browser for Android
  • (Look for F-Droid (FOSS) alternatives for PlayStore apps)

Conclusion


Congratulations, you have successfully set up your secured mobile device! It is important to remember that your devices security is only as secure as you are; be careful of the applications you install, the permissions you provide, and the settings you enable. Using Cellular Service will always de-anonymize you. If you must use it, it is recommended to use a faraday bag or box to limit tracking. Be sure to keep your system up to date with the latest GrapheneOS updates.

PLEASE follow all guides and read all FAQ questions on grapheneos.org

Steve Dark

By Steve Dark

Steve Dark is a seasoned cybersecurity professional with over 10 years of experience in the field. He holds a Bachelor's degree in Computer Science from Stanford University and a Master's degree in Cybersecurity from MIT. Steve is known for his meticulous attention to detail and his ability to identify even the most subtle security vulnerabilities. When he's not researching protocols or playing in HackTheBox, Steve enjoys sipping on his favorite tea blend while munching on his favorite cookies. Despite his serious profession, Steve has a playful side and loves engaging in friendly hacking competitions with colleagues and peers