
Device Hardening Guide

Beyond installing GrapheneOS, proper device hardening involves reviewing every permission, network setting, and system behaviour. This guide covers the key hardening steps applied to every Privacy Devices phone.

What Is Device Hardening?

Device hardening is the process of reducing the attack surface of your phone. This means disabling unnecessary services, restricting app permissions, controlling network behaviour, and configuring the OS for maximum security rather than convenience.

GrapheneOS provides the foundation. Hardening is what turns it into a truly secure system.

Bootloader & Verified Boot

Every Privacy Devices phone ships with:

  • Bootloader relocked — prevents unauthorised OS modifications
  • Verified boot active — the OS verifies its own integrity on every boot
  • No unlocked-bootloader warning — the device behaves identically to a factory Pixel in terms of boot verification

Permission Controls

GrapheneOS extends Android's permission system with additional controls:

  • Network permission — per-app control over internet access (unique to GrapheneOS)
  • Sensors permission — control which apps can access accelerometer, gyroscope, etc.
  • Storage scopes — apps see only the files you explicitly share, not your entire storage
  • Contact scopes — share individual contacts rather than your entire address book
  • Clipboard access — restricted to prevent apps from reading copied text

Network Hardening

  • VPN always-on — Mullvad VPN configured with kill switch, so no traffic leaks if the VPN drops
  • Private DNS — configured to a trusted DNS provider that blocks trackers
  • MAC randomisation — enabled by default for all Wi-Fi connections
  • Wi-Fi auto-off — auto-connect to previously known networks is disabled
  • Bluetooth off by default — only enabled when explicitly needed
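
As an added example (not code from Privacy Devices or GrapheneOS), the script below audits the bootloader, verified boot and network items above from a saved report of values read over adb. The `key=value` report format, the function names and the sample values are assumptions of this example; the property and settings key names are standard Android ones.

```shell
#!/bin/sh
# Added example: audit a saved settings report for the boot and network
# items in this guide. Report lines are "key=value" (format is an assumption);
# on a device each value would be read with, for example:
#   adb shell getprop ro.boot.verifiedbootstate
#   adb shell settings get global private_dns_mode

# Constructed sample: locked device whose Private DNS is still "opportunistic".
SAMPLE_REPORT='ro.boot.vbmeta.device_state=locked
ro.boot.verifiedbootstate=yellow
global.private_dns_mode=opportunistic
secure.always_on_vpn_app=com.example.vpn
secure.always_on_vpn_lockdown=1
global.bluetooth_on=0'

# get_value REPORT KEY: print the value stored for KEY (nothing if absent).
get_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# check REPORT KEY REGEX MESSAGE: print a FAIL line unless the whole value matches REGEX.
check() {
    value=$(get_value "$1" "$2")
    printf '%s\n' "$value" | grep -Eqx "$3" && return 0
    echo "FAIL $2=${value:-<unset>}: $4"
    return 1
}

# audit_report REPORT: run every check, print findings, return 1 if any failed.
audit_report() {
    rc=0
    check "$1" ro.boot.vbmeta.device_state 'locked' 'bootloader is not locked' || rc=1
    # green = stock key, yellow = locked with a custom OS key (GrapheneOS);
    # orange = unlocked, red = verification failed.
    check "$1" ro.boot.verifiedbootstate 'green|yellow' 'boot state is not a locked, verified one' || rc=1
    check "$1" global.private_dns_mode 'hostname' 'Private DNS not pinned to a provider hostname' || rc=1
    # "settings get" prints "null" when no always-on VPN app is set.
    check "$1" secure.always_on_vpn_app '[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)+' 'no always-on VPN app' || rc=1
    check "$1" secure.always_on_vpn_lockdown '1' 'VPN kill switch (lockdown) is off' || rc=1
    check "$1" global.bluetooth_on '0' 'Bluetooth is enabled' || rc=1
    return "$rc"
}

audit_report "$SAMPLE_REPORT" || echo "report has findings"
```

Reading these values needs USB debugging enabled in developer options; turn it off again after the audit, since it widens the attack surface this guide is reducing.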

System-Level Hardening

  • Auto-reboot timer — device reboots after a configurable period of inactivity, forcing re-authentication and clearing memory
  • USB-C restricted — USB data connections disabled when locked (prevents forensic extraction tools from pulling data over USB)
  • Camera/mic indicators — system indicators show when camera or microphone is in use
  • Scrambled PIN layout — PIN entry keypad is randomised to prevent shoulder surfing and smudge analysis
  • Duress PIN — part of Phantom Protocol, triggers protective actions when entered

App-Level Hardening

  • Remove or disable all apps you do not actively use
  • Review permissions after every app update
  • Use separate profiles for apps with different trust levels
  • Prefer apps that work without Google Play Services
  • Use Vanadium (the GrapheneOS browser) as the default — it includes security patches ahead of Chrome

Ongoing Maintenance

Hardening is not a one-time action. Maintain your security posture by:

  • Keeping GrapheneOS updated (automatic by default)
  • Reviewing app permissions monthly
  • Checking VPN status before sensitive activity
  • Periodically clearing unused profiles and app data

Want a professionally hardened device? Browse our pre-configured devices — every phone ships fully hardened.
