GrapheneOS: Beyond Compliance
Intro
GrapheneOS is the most secure mobile operating system to date. By default, it has mitigations that would suit most threat models. This user guide has been written to address software configuration of the handset.
The concepts of system hardening include minimizing the architecture and operating on a zero-trust model, otherwise known as limiting trust in all parties.
Treat All Signals as Hostile
Rule number 1 of the security commandments - limit incoming signals. When connected to Wi-Fi, reduce incoming connections by enabling airplane mode so the cellular radio is not left listening. Complementing this, set a wireless timeout so Wi-Fi switches off when the device is no longer in proximity of an access point.
Settings ➔ Internet ➔ Network Preferences ➔ Turn off Wi-Fi Automatically ➔ Set to something reasonable such as 5 to 10 minutes
Only enable Bluetooth when needed. This can also be configured with a timeout option:
Settings ➔ Connected Devices ➔ Bluetooth timeout ➔ Set to something reasonable such as 2 to 10 minutes.
Cellular has legacy protocols such as 2G/3G that could lead to packet injection or other means of compromise. Limit the use of these cellular protocols with the following setting:
Settings ➔ Network & Internet ➔ Mobile Network ➔ Preferred Network Type ➔ Select LTE Only
Randomization
Rule number 2 - avoid fingerprinting. All device names should be randomized with varying lengths and characters so that no discernible pattern is created. You are free to change the device name as you wish. Validate that the name has been changed for Bluetooth by going to:
Settings ➔ Connected Devices ➔ Connection Preferences ➔ Bluetooth (must be on to alter/view setting) ➔ Device Name
Personal or device information should be kept out of device names. Use misinformation as you see fit; you could mimic other common vendor names, such as printers, scanners, or alternate cellphones.
Account Isolation
Rule number 3 - keep your users and your processes completely isolated. A secondary user account should be created and used as your main profile. The built-in Owner profile does not have file access to your created user profile and vice versa. The Owner account has administrative privileges where developer options can be enabled. Enabling them can open the device up to exploitation: all USB peripherals are allowed to mount (and perhaps execute arbitrary code), all running processes can be identified, an OEM unlock can be issued, extra functionality is tacked onto Bluetooth (a protocol historically riddled with vulnerabilities), and other debugging tools that vastly increase the attack surface become available. Developer tools cannot be accessed as a non-privileged user, and they are password protected with the Owner’s credentials. Best practice is to set a passphrase such as “sever the serpent’s tongue.” This provides the necessary bit length needed for strong encryption.
Traffic Routing
Whether you use a transparent proxy such as Orbot or a VPN, a software-based killswitch is advised to reduce the chance of traffic leakage.
Settings ➔ Network & Internet ➔ VPN ➔ Enable “Always-on VPN”
Settings ➔ Network & Internet ➔ VPN ➔ Enable “Block Connections without VPN”
Auditing Permissions
Applications should be audited proactively (ideally as they’re installed) and assigned the least privileges necessary to function. For example, why should the Contacts application need the Network permission?
To audit permissions in bulk, navigate to the following:
Settings ➔ Privacy ➔ Permission Manager
Individual applications can be audited with the following:
Highlight the app icon ➔ App info ➔ Permissions
Disable Sensors
Applications should rarely be provided the Sensor permission. All smartphones today possess embedded microphones, cameras, squeeze sensor(s), proximity sensor(s), fingerprint sensor(s), speaker(s), etc. If you wish to keep these hardware components intact on the device, there are software configurations that can temporarily render them inoperable.
From the Owner (privileged) account, go to Settings ➔ About Phone ➔ Tap Build number 5 times
Settings ➔ System ➔ Advanced ➔ Developer Options ➔ Quick Settings Developer Tiles ➔ Sensors Off
With this tile active, no sensor values change, no sensor data is delivered to installed applications, the microphone returns white noise, and the cameras are inoperable. If you have no further need for the Sensors Off tile, turn developer options back off.
More recently, GrapheneOS has added the following toggles to disable the camera and microphones temporarily without having to enable developer options:
Settings ➔ Privacy ➔ Camera Access
Settings ➔ Privacy ➔ Microphone Access
Storage Scopes: Least Privilege
During the permissions audit, you will see applications with the permission to access device storage. Best practice is to restrict the storage scope to exactly what is needed and nothing more.
Take Spotify for example, with a specific use case for local storage access (offline music):
Add folder ➔ Select ‘Main Storage/Music’
Additional Applications
Minimalism cannot be preached enough; the fewer applications installed on the device, the better off you are. Every installed application imposes its own risks and increases the attack surface of the device. GrapheneOS has a strong sandboxing implementation (isolation of applications) that could prevent full compromise of the device if an application happens to be malicious. The safest approach to installing applications is to use Aurora Droid (mirror of F-Droid) & Aurora Playstore (mirror of Google Playstore). There have been times when these services or specific repositories have gone offline. In this event, the application installation files (.apk) can be found on the specific application’s website (if it exists). The .apk file should be validated by checking its hash value (a unique identifier that reveals tampering) against the value the developer publishes, or by validating it with the developer’s signing key.
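The hash check described above, as an added example that is not part of the original guide: it streams a downloaded .apk through SHA-256, pulls the digest out of whatever line the developer published (the "SHA-256: ... app.apk" format and the sample file contents are constructed for this example), and compares in constant time. Signing-key validation is a separate step done with the Android SDK's apksigner verify --print-certs, which is not reproduced here.

```python
"""Added example (not from the original guide): validate a sideloaded .apk
against a developer-published SHA-256 digest before installing it.

Assumptions (constructed for this example): the developer publishes a line
containing a 64-character hex digest, e.g. 'SHA-256: <hex>  app.apk'.
"""
import hashlib
import hmac
import re
import tempfile

# A SHA-256 digest rendered as hex is exactly 64 hex characters.
HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")


def sha256_of_file(path: str) -> str:
    """Hash the file in 1 MiB chunks so a large APK never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def extract_sha256(published: str) -> str:
    """Pull the digest out of a published line such as 'SHA-256: <hex>  app.apk'.

    Raises ValueError if the text carries no 64-hex-char digest, so a page
    that only publishes an MD5 or nothing at all is rejected rather than
    silently 'verified'.
    """
    match = HEX64.search(published)
    if match is None:
        raise ValueError("no SHA-256 digest found in published text")
    return match.group(0).lower()


def verify_apk(path: str, published: str) -> bool:
    """True only when the file's digest equals the published one.

    compare_digest is used so the comparison cost does not depend on how
    many leading characters match.
    """
    actual = sha256_of_file(path)
    expected = extract_sha256(published)
    return hmac.compare_digest(actual, expected)


def write_constructed_sample(content: bytes) -> str:
    """Write constructed bytes to a temp file standing in for a downloaded .apk."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".apk") as fh:
        fh.write(content)
        return fh.name


if __name__ == "__main__":
    # Constructed stand-in for a download; SHA-256 of b"hello\n" is well known.
    sample = write_constructed_sample(b"hello\n")
    good = "SHA-256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  app.apk"
    bad = "SHA-256: " + "0" * 64 + "  app.apk"
    print("published digest matches:", verify_apk(sample, good))
    print("tampered digest matches:", verify_apk(sample, bad))
```

Run it against the real download path and the line copied from the developer's site; a False result means do not install, and a ValueError means the developer did not publish a usable SHA-256 at all.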
Avoid Proprietary (Closed-Source) Software
Black-box or closed-source code places a substantial amount of trust in the software developer(s). Android Open-Source Software (AOSS) is preferred. However, open source does not guarantee privacy or security. Validate application signatures against the developer’s published key when available.
Reduce Running Services
Close out applications when no longer in use. Stop the NFC and printing services:
Settings ➔ Connected Devices ➔ Connection preferences ➔ NFC ➔ Switch Off
Settings ➔ Connected Devices ➔ Connection preferences ➔ Printing ➔ Default Print Service ➔ Switch Off
USB Restriction
For Owner:
Settings ➔ Security ➔ USB Peripherals ➔ Allow new USB Peripherals when unlocked
If USB is not necessary, set to deny new USB peripherals.
Keyboard Configuration
Settings ➔ System ➔ Languages & Input ➔ On-screen keyboard ➔ GrapheneOS Keyboard ➔ Preferences ➔ Disable Auto-capitalization
Settings ➔ System ➔ Languages & Input ➔ On-screen keyboard ➔ GrapheneOS Keyboard ➔ Preferences ➔ Disable Voice input key
Settings ➔ System ➔ Languages & Input ➔ On-screen keyboard ➔ GrapheneOS Keyboard ➔ Preferences ➔ Text Correction ➔ Turn off all suggestions/auto-corrections
Cache Cleaning
Cache cleaning does not have any substantial security benefit, but it can enhance the performance of the device. To delete the cache for an application:
Highlight the icon ➔ App info ➔ Storage & cache ➔ Clear Cache
Internet Connectivity Check
Settings ➔ Network & Internet ➔ Internet connectivity check ➔ Disabled
Periodic Reboots
This is advisable because mobile malware often lacks a persistence mechanism. A reboot restarts all system processes and clears volatile memory. Reboots can be done by routine or by automation:
Settings ➔ Security ➔ Auto Reboot
Communications
Encrypted communications should always be used for anything sensitive. Signal has undergone significant vetting and is respected by experts in the information security industry. It utilizes end-to-end encryption (e2ee), perfect forward secrecy (meaning that if a single key is compromised, the entire exchange cannot be decrypted), and a zero-trust design in which Signal does not possess the keys. Ephemeral messaging (timed deletion) should be set so that messages are deleted from both devices, along with Signal’s servers, once the time limit is reached. Molly developers have been working on a Signal fork that moves away from phone numbers; however, this option is not available yet. If anonymity is of utmost concern, opt for a Voice over IP (VoIP) number with Signal for the time being.
Signal will be set as the default messaging application. This configuration makes non-encrypted text messages appear inside the application. If the contact does not use Signal, do not send a sensitive message, as it will not be encrypted. Signal will display “Unsecure MMS” and the “+” in the bottom right will be grey rather than blue, which signifies that the contact does not have Signal set up. For added security, Pretty Good Privacy (PGP) encryption can be used through Signal for an additional layer of encryption. PGP encryption is native in the Protonmail application. Go to settings and set the RSA key to 4096 bits.
Password Management
KeePassDX is an offline password management tool; its Network permission should be revoked. KeePassDX can generate complex passwords for specific accounts. The manager can be protected by a password/phrase alone, or it can be configured to require a key file stored on your filesystem in conjunction with a passphrase. Using a manager ensures that you do not lock yourself out while applying password complexity that will frustrate all current password cracking methods. Do not use the same password across platforms. Many platforms have incorporated two-factor authentication (2FA) into account security. If you choose to enable this setting for an account, you should be provided with a QR code and a string of text. KeePassDX can store a time-based one-time password (TOTP) secret: paste the received string into the Secret box, and KeePassDX will then generate 2FA codes for logins.
Scenario: Under Duress
There are a few routes to take depending on the scenario’s severity. Do you lock the phone or wipe the entire device? The choice depends on your threat model: who are you protecting your data from, and what damage could be incurred?
Lockdown Mode provides the same security features as would be in place after reboot (before the first unlock). It renders USB peripherals unusable, displays no notifications, and turns off biometric unlocking.
Settings ➔ Display ➔ Lock screen ➔ Show Lockdown Option
If you suspect device seizure and there is little to no sensitive information on the device, setting it to lockdown mode or shutting it down should protect you. If compromise is likely and the device holds critical information that could result in costly damage to property or personnel, err on the side of safety and factory reset the device.
Settings ➔ System ➔ Reset Options ➔ Erase All Data (Factory Reset)
Physical destruction will always be preferred to removing/overwriting data in high-stakes scenarios.
Noteworthy Applications:
- Communications: Signal / Molly / Threema / Protonmail
- Local Messaging/RSS Feeds: Briar
- Browsing: Bromite / Vanadium
- Transparent Proxy/Traffic Obscuration: Orbot
- Image Metadata Removal: Scrambled Exif
- Offline Encrypted Password Management: KeePassDX
- Offline Mapping: Magic Earth