Security Guide book

In this book we will try to keep up with the latest security features and best practices.

We have 3 chapters so far, for iOS, Android and GrapheneOS. You can access them from the left sidebar.

iOS 26.4 Security and Privacy Settings Guide

A comprehensive guide to configuring security and privacy settings on iOS 26.4 (the latest version as of March 24, 2026) to protect your personal data and secure your iPhone.

What’s New in iOS 26

iOS 26 (released September 15, 2025) represents Apple’s biggest security and privacy update in years. Apple jumped from iOS 18 to iOS 26 to align version numbers with the year across all operating systems.

Major Security & Privacy Additions in iOS 26

Wi-Fi Aware – Secure peer-to-peer connections without internet access points
Post-Quantum Cryptography – Hybrid key exchange protecting against future quantum computing threats
Expanded Passkey Support – Automatic passkey creation and migration from passwords
Advanced Tracking Protection for All Browsing – Anti-fingerprinting expanded beyond Private Browsing
Wired Accessories Security – Explicit permission controls for USB-C/Lightning accessories
Enhanced Parental Controls – Stronger child account management and content filtering
Password Version History – Track changes to saved passwords over time
Secure Password Export – FIDO Alliance standard for moving credentials between managers
Liquid Glass Design – New translucent interface (including privacy-focused opacity controls)

iOS 26.2 Security Updates (December 2025)

26+ security vulnerabilities patched, including two actively exploited WebKit zero-days
AirDrop security codes – One-time codes for sharing with unknown contacts
Hidden Photos fix – Addressed vulnerability allowing unauthorized access
FaceTime caller ID spoofing – Patched to prevent impersonation attacks
iMessage privacy controls – Improved data handling

iOS 26.2.1 (January 26, 2026)

iOS 26.2.1 is a minor update focused on new hardware support and bug fixes.

New Features:

AirTag (2nd Generation) support – Required for the new AirTag with:
- Second-generation Ultra Wideband (UWB) chip for 50% longer Precision Finding range
- Precision Finding on Apple Watch (Series 9+, Ultra 2+) for the first time
- 50% louder speaker for easier locating and enhanced anti-stalking measures
- Expanded Bluetooth range for better Find My network detection
- Share Item Location with 36+ airlines for lost luggage recovery

Bug Fixes:

Emergency calling fix for older mobile phones
Unspecified stability improvements

Security Notes:

No published CVE entries for iOS 26.2.1 itself
Users on iOS 26-compatible devices should update to maintain security (older iOS versions only receive certificate updates)

Also Released:

iOS 18.7.4, iOS 16.7.13, iOS 15.8.6, iOS 12.5.8 – Certificate updates for iMessage, FaceTime, and Apple account sign-in (valid until January 2027)

Critical

iOS 26.2.1 is required for AirTag (2nd Generation). Update via Settings > General > Software Update.

iOS 26.3 (February 11, 2026)

iOS 26.3 addresses 37 security vulnerabilities including one actively exploited zero-day, adds new privacy controls, and introduces a data transfer tool for users switching to Android.

Security Fixes:

Actively exploited zero-day (CVE-2026-20700) – A memory corruption flaw in the dyld dynamic link editor that allowed arbitrary code execution. Apple says it “may have been exploited in an extremely sophisticated attack against specific targeted individuals” on versions before iOS 26.
3 kernel/privilege escalation flaws – Including CVE-2026-20617 and CVE-2026-20615 (CoreServices race condition and path handling bugs allowing root privileges) and CVE-2026-20626 (kernel root privilege escalation)
Sandbox escape (CVE-2026-20667) – A logic flaw in libxpc allowing apps to break out of the sandbox
Remote file write (CVE-2026-20660) – A CFNetwork path handling vulnerability allowing remote attackers to write arbitrary files
Lock screen photo access (CVE-2026-20642) – A bug in Photos allowing someone with physical access to view photos from the lock screen
Accessibility data leaks (CVE-2026-20674) – Sensitive user information viewable on a locked device
Additional fixes in WebKit, ImageIO, CoreAudio, Game Center, Messages, Shortcuts, and StoreKit

Critical

The dyld zero-day (CVE-2026-20700) was actively exploited in targeted attacks. Update to iOS 26.3 immediately via Settings > General > Software Update.

New Features:

Limit Precise Location – Reduces what cellular carriers can infer about your location to neighborhood-level instead of street-level precision. Requires iPhone 16e or iPhone Air (C1/C1X modem). Currently supported by Boost Mobile (US), EE/BT (UK), Telekom (Germany), and AIS/True (Thailand).
Transfer to Android – A new proximity-based tool for migrating photos, messages, notes, apps, passwords, and phone number to an Android device. Health data and locked notes remain on iPhone.
Encrypted RCS messaging support – System-level support for encrypted Rich Communication Services messaging is now present in the OS code, pending carrier activation.

EU-Only Features (Digital Markets Act compliance):

Notification forwarding – Forward iPhone notifications to third-party wearables (not just Apple Watch)
Proximity pairing – One-tap pairing for third-party headphones and smartwatches, similar to AirPods

iOS 26.3.1 (March 4, 2026)

iOS 26.3.1 is a minor maintenance update released alongside Apple’s March 2026 product announcements. It focuses on new hardware support, performance improvements, and bug fixes.

New Hardware Support:

iPhone 17e – Full support for the newly announced iPhone 17e
Studio Display (2026) – Compatibility with the new Studio Display
Studio Display XDR – Compatibility with the new Studio Display XDR

Improvements:

Improved app responsiveness and smoother multitasking
Minor storage optimization compared to iOS 26.3
Unspecified bug fixes and stability improvements

Security Notes:

No published CVE entries for iOS 26.3.1 itself
Users on older iOS versions can update to iOS 18.7.6 for legacy security patches

Note

iOS 26.3.1 was released without a beta testing phase, alongside the iPhone 17e and new Studio Display announcements. While it contains no new CVEs, it builds on the 37 security fixes in iOS 26.3 — users should update to stay current.

iOS 26.4 (March 24, 2026)

iOS 26.4 addresses 41 security vulnerabilities across Critical (7), High (17), Medium (15), and Low (2) severity levels, and makes Stolen Device Protection automatically enabled for all users.

Security Fixes:

Kernel memory corruption (CVE-2026-20698) – Critical memory corruption flaw in the kernel allowing system termination or kernel memory corruption
Kernel use-after-free (CVE-2026-20687) – Critical use-after-free vulnerability in the kernel with improved memory management
Printing sandbox escape (CVE-2026-20688) – Critical path handling flaw in the printing subsystem allowing sandbox escape
Keychain access (CVE-2026-28864) – Critical vulnerability allowing a local attacker to access Keychain items
Telephony buffer overflow (CVE-2026-28858) – Critical buffer overflow in the telephony stack
WebKit Same Origin Policy bypass (CVE-2026-20643) – Critical flaw allowing malicious web content to circumvent the Same Origin Policy
WebKit sandbox escape (CVE-2026-28859) – Critical vulnerability allowing restricted web content to escape the WebKit sandbox
Stolen Device Protection bypass (CVE-2026-28895) – Physical access vulnerability bypassing Stolen Device Protection
Siri information disclosure (CVE-2026-28856) – Information disclosure from a locked device via Siri
Mail privacy bypass (CVE-2026-20692) – Bypass of Mail Privacy Protection settings for IP hiding and remote content blocking
Additional 31 fixes across Accounts, Audio, Baseband, CoreMedia, Crash Reporter, curl, GeoServices, iCloud, libxpc, 802.1X, and more

Critical

iOS 26.4 patches 7 Critical and 17 High severity vulnerabilities including kernel, WebKit, Keychain, and telephony flaws. Update immediately via Settings > General > Software Update.

Stolen Device Protection — Now Auto-Enabled:

Note

Starting with iOS 26.4, Stolen Device Protection is automatically enabled for all users. Previously, users had to manually enable this feature. If you had it disabled, it will be turned on after updating. You can still adjust settings in Settings > Face ID & Passcode > Stolen Device Protection.

Other Changes:

Playlist Playground – AI-powered playlist creation from text descriptions in Apple Music
8 new emoji – Including orca, trombone, ballet dancer, and landslide
Offline Music Recognition – Identify songs in Control Center without internet
CarPlay chatbot support – Third-party AI chatbot integration in CarPlay
Keyboard typo fix and general stability improvements

1. Device Authentication

Face ID / Touch ID Setup

Biometric authentication provides secure and convenient device access.

How to set up Face ID:

Open Settings
Tap Face ID & Passcode
Enter your passcode
Tap Set Up Face ID
Follow on-screen instructions to position your face
Move your head in a circle to complete the scan

Configure Face ID uses:

iPhone Unlock
iTunes & App Store purchases
Apple Pay
Password AutoFill
Other Apps (toggle individually)

Strong Passcode Configuration

How to set a strong passcode:

Go to Settings > Face ID & Passcode
Tap Change Passcode
Tap Passcode Options
Select Custom Alphanumeric Code (8-12 random characters recommended)

Two-Factor Authentication (2FA)

How to enable 2FA:

Go to Settings > [Your Name] > Sign-In & Security
Tap Turn On Two-Factor Authentication
Tap Continue
Enter a trusted phone number
Verify with the code sent to your phone

Auto-Lock Settings

Go to Settings > Display & Brightness > Auto-Lock
Select a time interval (30 seconds to 5 minutes recommended)

Security Keys for Apple Account

Security keys are small external devices that look like a thumb drive or tag. They provide extra protection for your Apple Account by replacing the standard six-digit verification code with a physical device as the second factor in two-factor authentication. Because they are physical, they help prevent attackers from intercepting or requesting your second factor through phishing.

Requirements:

At least two FIDO® Certified security keys (e.g., YubiKey 5C NFC, YubiKey 5Ci, or FEITIAN ePass K9 NFC)
iOS 16.3 or later
Two-factor authentication already enabled on your Apple Account
A modern web browser

Compatible connector types:

NFC — Works with iPhone via tap (contactless)
USB-C — Works with iPhone 15 or later and most Mac models
Lightning — Works with iPhone 14 and earlier
USB-A — Works with older Mac models

How to add security keys:

Go to Settings > [Your Name] > Sign-In & Security
Tap Two-Factor Authentication
Tap Security Keys
Tap Add Security Keys
Follow the on-screen instructions
You can add up to six keys total

What security keys protect:

Signing in to your Apple Account on a new device or on the web
Resetting your Apple Account password or unlocking your account
Adding or removing security keys

Important

You must keep at least two security keys in safe places. If you lose all your trusted devices and security keys, you could be locked out of your account permanently.
Security keys are not compatible with child accounts or Managed Apple Accounts.
Apple Watch paired using a family member’s iPhone is not supported.
Devices signed in with your account that have not been used for more than 90 days will be signed out when you add security keys. You can sign back in to those devices using a security key.

2. Stolen Device Protection

Stolen Device Protection adds security when your iPhone is away from familiar locations.

Key Features

Biometric Authentication Required (no passcode fallback):

Accessing passwords stored in iCloud Keychain
Using saved payment methods in Safari
Turning off Lost Mode
Erasing all content and settings
Viewing Apple Card virtual card number
Opening locked and hidden apps

Security Delay (1-hour wait + second biometric scan):

Changing Apple Account password
Signing out of Apple Account
Turning off Stolen Device Protection
Changing Face ID or Touch ID settings
Changing device passcode
Resetting all settings
Turning off Find My

How to Enable

Go to Settings > Face ID & Passcode
Enter your passcode
Scroll down and tap Stolen Device Protection
Toggle on

Note: As of iOS 26.4, Stolen Device Protection is automatically enabled for all users after updating. The steps above are only needed if you previously disabled it.

Configuration Options

Away from Familiar Locations – Security features activate only when away from home/work
Always – Security features are always active

Requirements

iOS 17.3 or later (enhanced in iOS 26, auto-enabled in iOS 26.4)
Two-factor authentication enabled
Face ID or Touch ID configured
Device passcode set
Find My enabled
Significant Locations enabled

3. App Privacy Controls

App Tracking Transparency

How to configure:

Go to Settings > Privacy & Security > Tracking
Toggle Allow Apps to Request to Track off to block all tracking
Or manage individual app permissions below

App Privacy Report

View detailed app data access:

Go to Settings > Privacy & Security > App Privacy Report
Toggle on App Privacy Report
Review 7-day history of sensor, camera, microphone, and network access

Clipboard Access Alerts

iOS 26 continues to notify you whenever apps access your clipboard, preventing silent data harvesting.

Review All Permissions

Go to Settings > Privacy & Security
Review each category: Location, Contacts, Photos, Microphone, Camera, etc.
Revoke unnecessary permissions

4. Location Services

Per-App Location Settings

For each app, choose:

Never – No location access
Ask Next Time Or When I Share – Prompts each time
While Using the App – Access only when app is open
Always – Background access (use sparingly)

Precise vs. Approximate Location

Go to Settings > Privacy & Security > Location Services
Select an app
Toggle Precise Location off for approximate area sharing

Significant Locations

Go to Settings > Privacy & Security > Location Services > System Services
Tap Significant Locations
View, toggle off, or clear history

5. Lock and Hide Apps

How to Lock an App

Touch and hold the app icon on Home Screen
Tap Require Face ID (or Touch ID/Passcode)
Confirm your choice

How to Lock and Hide an App

Touch and hold the app icon
Select Hide and Require Face ID
App moves to Hidden folder in App Library

To access hidden apps:

Swipe left to App Library
Scroll to bottom, tap Hidden folder
Authenticate with Face ID/Touch ID

What Happens When Apps Are Locked

No notification previews
Hidden from Spotlight search
Hidden from Siri suggestions
Call history from locked apps is hidden

Integration with Stolen Device Protection

When Stolen Device Protection is enabled, locked apps can only be opened with Face ID/Touch ID—passcode fallback is disabled.

6. Safari Privacy Settings

Advanced Tracking and Fingerprinting Protection (NEW in iOS 26)

iOS 26 expands anti-fingerprinting protection to all browsing, not just Private Browsing:

Go to Settings > Apps > Safari > Advanced
Set Advanced Tracking and Fingerprinting Protection to All Browsing

This normalizes browser data to make your device look generic to tracking scripts, significantly reducing fingerprinting effectiveness.

Private Browsing with Face ID Lock

Go to Settings > Apps > Safari
Enable Require Face ID to Unlock Private Browsing

Hide IP Address

Go to Settings > Apps > Safari > Hide IP Address
Choose:
- Trackers Only – Hides IP from known trackers
- Trackers and Websites – Hides IP from all sites (requires iCloud+ Private Relay)

Intelligent Tracking Prevention

Go to Settings > Apps > Safari
Enable Prevent Cross-Site Tracking

Fraudulent Website Warning

Go to Settings > Apps > Safari
Enable Fraudulent Website Warning

Link Tracking Protection

iOS 26 automatically strips tracking parameters (UTMs) from URLs in Safari Private Browsing, Messages, and Mail.

7. Mail Privacy Protection

Features

Hides your IP address from senders
Prevents open tracking
Blocks invisible tracking pixels

How to Enable

Go to Settings > Apps > Mail > Privacy Protection
Enable Protect Mail Activity

Or configure separately:

Hide IP Address
Block All Remote Content

8. Passwords App

iOS 26 significantly enhances the standalone Passwords app.

New Features in iOS 26

Password Version History – View previous passwords for any account with timestamps
Secure Export – FIDO Alliance standard for moving passwords, passkeys, and verification codes to other managers
Automatic Passkey Upgrades – When you sign in with a password, system can create a passkey for next time
Credential Management Endpoints – Prompts to upgrade passwords to passkeys
Websites to Exclude – Manage sites where passwords shouldn’t be saved

How to Access

Open the Passwords app
Authenticate with Face ID/Touch ID

View Password History

Open Passwords
Select a saved login
Tap View History (appears when multiple versions exist)

Export Passwords Securely

Open Passwords
Tap Settings (gear icon)
Select Export Passwords
Choose destination app (uses encrypted FIDO Alliance format)

Security Alerts

The app warns about:

Credentials in known data breaches
Weak passwords
Reused passwords

9. Advanced Data Protection for iCloud

End-to-end encryption for the majority of your iCloud data.

Cannot be encrypted:

iCloud Mail, Contacts, Calendars (due to interoperability requirements)

How to Enable

Go to Settings > [Your Name] > iCloud
Tap Advanced Data Protection
Tap Turn On Advanced Data Protection
Set up recovery method first:
- Recovery Contact – Trusted person to help regain access
- Recovery Key – 28-character code to store securely

Important

Apple cannot recover your data if you lose access
All devices must run supported OS versions
iCloud.com access is disabled by default

10. Lockdown Mode

Important

Extreme protection for users who may be targeted by sophisticated attacks. This mode significantly restricts device functionality to reduce attack surfaces, but also provides robust defense against mercenary spyware.

Who Should Use It

Journalists, activists, diplomats
High-profile individuals
Anyone targeted by mercenary spyware

What Lockdown Mode Does

Messages: Most attachments blocked
Web: Complex technologies disabled (JIT JavaScript)
FaceTime: Incoming calls blocked from unknown contacts
Photos: Location excluded from shared photos
Device: Wired connections blocked when locked
Wireless: 2G cellular disabled, won’t auto-join insecure Wi-Fi

How to Enable

Go to Settings > Privacy & Security
Scroll down and tap Lockdown Mode
Tap Turn On Lockdown Mode
Tap Turn On & Restart
Enter your passcode

11. Communication Safety & Parental Controls

Enhanced Parental Controls (iOS 26)

iOS 26 significantly strengthens parental controls:

Child Accounts – Create or move kids into managed accounts easily
Communication Controls – Decide who children can text/call
Third-Party App Management – Control messaging in gaming and social apps
Unknown Number Blocking – Block calls/messages from unknown numbers
Age Limits – Set strict age limits for app downloads
Explicit Content Detection – Blurs inappropriate content in shared albums and FaceTime

Communication Safety

Protects children from sensitive content in Messages:

Go to Settings > Screen Time
Tap Communication Safety
Toggle on Communication Safety

Sensitive Content Warning (Adults)

Go to Settings > Privacy & Security > Sensitive Content Warning
Toggle on to blur sensitive images

12. Safety Check

Quickly review and reset access you’ve granted to others.

How to Access

Go to Settings > Privacy & Security
Tap Safety Check

Options

Manage Sharing & Access: Granular control over individual permissions

Emergency Reset: Immediately stops all sharing, resets permissions, signs out of iCloud on other devices

Quick Exit: Instantly returns to Home Screen (progress saved)

13. Find My iPhone

How to Enable

Go to Settings > [Your Name] > Find My
Tap Find My iPhone
Enable:
- Find My iPhone
- Find My Network (locate even when offline)
- Send Last Location

Activation Lock for Parts (iOS 26)

iOS 26 extends Activation Lock to individual components (batteries, cameras, displays), making stolen parts unusable.

AirTag (2nd Generation) - iOS 26.2.1 Required

The new AirTag (released January 26, 2026) requires iOS 26.2.1 or later and includes significant security and tracking improvements:

Enhanced Finding Capabilities:

50% longer Precision Finding range via second-generation Ultra Wideband chip
Precision Finding on Apple Watch – Works on Apple Watch Series 9+, Ultra 2+ (first time on wrist)
Expanded Bluetooth range – Better detection by Find My network devices
50% louder speaker – Easier to locate and harder for stalkers to mask

Anti-Stalking Improvements:

Louder alert sounds when separated from owner’s device
Improved detection notifications on iPhones
Same separation alert timing (approximately 8 hours)

Share Item Location:

Securely share AirTag location with airlines for lost luggage
36 airlines supported at launch, 15+ more coming
End-to-end encrypted sharing

How to Set Up AirTag (2nd Gen):

Ensure iOS 26.2.1 is installed
Bring AirTag near your iPhone
Tap Connect when prompted
Name your AirTag and assign an emoji
Register to your Apple ID

14. Advertising and Tracking Controls

Disable Advertising Identifier

Go to Settings > Privacy & Security > Tracking
Toggle off Allow Apps to Request to Track

Disable Apple Personalized Ads

Go to Settings > Privacy & Security > Apple Advertising
Toggle off Personalized Ads

Analytics & Improvements

Go to Settings > Privacy & Security > Analytics & Improvements
Toggle off data sharing options

15. Apple Intelligence Privacy

On-Device Processing

Most Apple Intelligence features process data locally on your device.

Private Cloud Compute

For complex requests:

Uses Apple’s Private Cloud Compute
Data never stored on servers
Cryptographically verified privacy

Control AI Learning

Go to Settings > Apple Intelligence & Siri
Scroll to Apps
Toggle off Learn from this App for sensitive apps

16. Wi-Fi Aware & Network Security (NEW in iOS 26)

Wi-Fi Aware

A new peer-to-peer networking framework allowing secure connections without access points:

Direct encrypted links between devices
Ideal for file transfers, gaming, media streaming
No internet connection required
Third-party apps can use this for secure local sharing

Post-Quantum Cryptography (iOS 26)

iOS 26 adds hybrid post-quantum key exchange to TLS connections:

Pairs classic elliptic curve math with lattice-based schemes
Protects current data against future quantum computing threats
Works automatically with Apple’s networking frameworks

Limit Precise Location (NEW in iOS 26.3)

Reduces the location precision available to your cellular carrier from street-level to neighborhood-level.

How to enable:

Go to Settings > Privacy & Security > Location Services > System Services
Tap Limit Precise Location
Toggle on

Requirements:

iPhone 16e or iPhone Air (devices with Apple C1/C1X modem)
Carrier support: Boost Mobile (US), EE/BT (UK), Telekom (Germany), AIS/True (Thailand) at launch

Captive Assist

When you connect to public Wi-Fi by filling out a form, iOS 26 can automatically share that form information with your other Apple devices, making it easier to connect securely.

17. Wired Accessories Security (NEW in iOS 26)

Enhanced USB-C/Lightning Port Security

iOS 26 gives you explicit control over what happens when accessories connect:

How to configure:

Go to Settings > Face ID & Passcode
Scroll to Accessories
Choose behavior:
- Allow when unlocked (default)
- Always ask
- Never allow

Why This Matters

Malicious cables can extract data while appearing to charge
Compromised chargers in public places pose real risks
You now get immediate notification when a cable tries to do more than charge
Stops “juice jacking” attacks at airports, hotels, and other public charging stations

18. AirDrop Security (NEW in iOS 26.2)

One-Time AirDrop Codes

iOS 26.2 introduces secure codes for sharing with unknown contacts:

How it works:

When sharing with someone not in your contacts, generate a temporary code
The receiver displays the code on their device
Sender enters the code to complete transfer
Code is valid for 30 days for that contact

Tighter Proximity Detection

AirDrop now shows only devices within close physical proximity, reducing:

Accidental transfers
Unsolicited content (“AirDrop spam”)
Faster peer-to-peer connections in crowded areas

19. Additional Security Recommendations

Lock Screen Security

Disable Control Center from lock screen:

Go to Settings > Face ID & Passcode
Under Allow Access When Locked, toggle off:
- Control Center
- Notification Center
- USB Accessories

Automatic Software Updates

Go to Settings > General > Software Update
Tap Automatic Updates
Enable all options including Security Responses & System Files

Lock Screen Notifications

Go to Settings > Notifications > Show Previews
Select When Unlocked or Never

Liquid Glass Opacity (iOS 26)

For better readability and reduced glare:

Go to Settings > Display & Brightness > Liquid Glass
Choose Clear (sharper) or Tinted (softer, less glare)

Restart After Security Updates

After installing iOS 26.2 or any security update, restart your device. Some spyware lives only in volatile memory and is cleared by a reboot.

Erase Data After Failed Attempts

Go to Settings > Face ID & Passcode
Enable Erase Data (erases after 10 failed passcode attempts)

Quick Reference: Essential Settings Checklist

Setting	Location	Recommended
Face ID/Touch ID	Settings > Face ID & Passcode	✅ Enable
Strong Passcode	Settings > Face ID & Passcode	✅ Alphanumeric
Two-Factor Authentication	Settings > [Name] > Sign-In & Security	✅ Enable
Stolen Device Protection	Settings > Face ID & Passcode	✅ Enable
App Tracking	Settings > Privacy & Security > Tracking	❌ Disable
Advanced Tracking Protection	Settings > Apps > Safari > Advanced	✅ All Browsing
Mail Privacy	Settings > Apps > Mail > Privacy Protection	✅ Enable
Advanced Data Protection	Settings > [Name] > iCloud > Advanced Data Protection	✅ Enable
Find My	Settings > [Name] > Find My	✅ Enable
Automatic Updates	Settings > General > Software Update	✅ Enable
Wired Accessories	Settings > Face ID & Passcode > Accessories	⚙️ Always Ask
Lock Screen Previews	Settings > Notifications > Show Previews	⚙️ When Unlocked

Conclusion

iOS 26.4 represents the latest in Apple’s most comprehensive security and privacy update cycle to date. Key priorities:

Update to iOS 26.4 immediately – Patches 41 CVEs including 7 Critical kernel, WebKit, and Keychain vulnerabilities
Enable lockdown mode – Prevents sophisticated spyware attacks
Stolen Device Protection (auto-enabled in 26.4) – Prevents thieves from accessing data even with your passcode
Turn on Advanced Data Protection – End-to-end encrypts your iCloud data
Enable Advanced Tracking Protection for All Browsing – Major anti-fingerprinting improvement
Configure Wired Accessories security – Protects against malicious charging cables
Use Passkeys – Let iOS 26 automatically upgrade your passwords to phishing-resistant passkeys
Restart after updates – Clears memory-resident threats

By configuring these settings, you significantly strengthen your privacy and security against both common and sophisticated threats.

Last updated: March 24, 2026 | Applies to iOS 26.4 Device requirements: iPhone 11 or later (A13 Bionic chip minimum) AirTag (2nd Generation) requires iOS 26.2.1 or later Limit Precise Location requires iPhone 16e or iPhone Air

Android 16 Security and Privacy Settings Guide

A comprehensive guide to configuring security and privacy settings on Android 16 to protect your personal data and secure your device.

What’s New in Android 16

Android 16, released in June 2025, represents Google’s most significant security update, featuring a comprehensive “Advanced Protection Mode” that consolidates multiple security features into one easy toggle.

Major Security & Privacy Additions

Advanced Protection Mode – One-tap activation of all major security features
Identity Check – Biometric authentication required for sensitive settings when away from trusted locations
AI-Powered Privacy Controls – Contextual permission management based on usage patterns
Enhanced Theft Protection – Theft Detection Lock, Offline Device Lock, Inactivity Reboot
Intrusion Logging – Encrypted activity logs for post-breach analysis (coming in QPR3, March 2026)
USB Protection – Default charging-only mode when locked
Improved Scam Detection – Real-time AI-powered scam call and message protection
Enhanced Factory Reset Protection – Stolen devices become harder to use
Trade-in Mode – Secure device preparation for resale
Fixed Approximate Location – Prevents apps from inferring precise location through workarounds
Local Network Protection – New runtime permission for local network access
Restore Credentials – Seamless passkey migration to new devices

Device Requirements

Android 16 stable released June 2025
Available on Google Pixel and expanding to other manufacturers
Some features require specific hardware (e.g., motion sensors for Theft Detection Lock)

1. Advanced Protection Mode

Advanced Protection Mode is Android 16’s flagship security feature—a single toggle that activates Google’s strongest device protections.

What It Enables

Device Security:

Theft Detection Lock (AI-powered theft detection)
Offline Device Lock (locks when disconnected)
Inactivity Reboot (restarts after 72 hours locked)
USB Protection (charging-only when locked)

App Security:

Google Play Protect (cannot be disabled)
Blocks installation from unknown sources
Android Safe Browsing

Network Security:

Disables 2G connections
Blocks auto-reconnect to insecure networks
Forces HTTPS in Chrome

Communication Protection:

Scam Detection in Phone app
Spam filtering in Google Messages
Unsafe link warnings

Coming Soon:

Intrusion Logging (encrypted activity logs)
Enhanced app permission controls

How to Enable

Open Settings
Tap Security & Privacy
Tap Advanced Protection
Toggle on Device Protection
Tap Turn on and then Restart

Who Should Use It

Journalists, activists, public figures
Anyone wanting maximum protection
Users who don’t need to sideload apps

Considerations

Cannot sideload apps from unknown sources
JavaScript optimizer disabled in Chrome (may break some websites)
Some call screening may flag legitimate calls
Easy to turn on/off, so no harm in trying

Google Advanced Protection Program

The Advanced Protection Program is Google’s strongest account-level security offering, separate from the device-level Advanced Protection Mode above. It is designed for people at high risk of targeted online attacks, such as journalists, activists, political campaign staff, and anyone managing sensitive information.

What it protects:

Phishing defense — Requires a passkey or FIDO-compliant security key to sign in. Unauthorized users cannot access your account even if they have your password.
Download safety — Enhanced screening for file downloads; app installations restricted to verified sources like Google Play Store and device manufacturer app stores.
Third-party access control — Only Google apps and verified third-party apps can access your Google Account data, and only with your permission.

How to enroll:

Go to Google Advanced Protection Program
Sign in with the Google Account you want to protect
Set up a passkey or register a FIDO-compliant security key (e.g., Google Titan Security Key)
Follow the enrollment steps

Requirements:

A passkey or FIDO-compliant security key
A Google Account with 2-Step Verification enabled

Important

The Advanced Protection Program enforces strict restrictions. Third-party apps that require access to Gmail or Drive data may stop working. Account recovery is intentionally harder — if you lose your passkey or security key, regaining access will require additional verification steps.

2. Device Authentication

Screen Lock Options

Android 16 supports multiple screen lock methods:

How to configure:

Go to Settings > Security & Privacy > Device Unlock > Screen Lock
Choose your lock type:
- PIN – 6+ digits recommended
- Password – Most secure (alphanumeric)
- Pattern – Less secure, avoid simple patterns
- Fingerprint – Convenient biometric
- Face Unlock – Available on supported devices

Best Practice: Use a PIN with 6+ digits or an alphanumeric password. Add fingerprint for convenience.

Two-Factor Authentication (2FA) for Google Account

How to enable:

Go to Settings > Google > Manage your Google Account
Tap Security
Under “How you sign in to Google,” tap 2-Step Verification
Follow setup instructions
Add multiple verification methods (authenticator app, backup codes, security key)

Biometric Settings

Go to Settings > Security & Privacy > Device Unlock > Fingerprint (or Face Unlock)
Add your biometrics
Configure what biometrics can unlock (device, apps, payments)

Security Keys for Google Account

Security keys are physical devices that serve as a second authentication factor for your Google Account. They replace SMS or authenticator app codes with a physical device you must have present, making phishing attacks ineffective.

Requirements:

A FIDO2-compliant security key (e.g., Google Titan Security Key, YubiKey 5 series)
Google Account with 2-Step Verification enabled

Compatible connector types:

NFC — Tap the key against the back of your Android phone
USB-C — Plug directly into your phone or computer
USB-A — For computers with USB-A ports
Bluetooth — Google Titan Security Key supports BLE pairing

How to add a security key:

Go to Settings > Google > Manage your Google Account
Tap Security
Under “How you sign in to Google,” tap 2-Step Verification
Tap Security key
Follow the on-screen instructions to register your key

What security keys protect:

Signing in to your Google Account on a new device or browser
Accessing sensitive account settings
Signing in to apps and services that use Google authentication

Using your security key on Android:

NFC keys: When prompted, tap the key against the back of your phone
USB keys: Plug the key into your phone’s USB-C port when prompted
Bluetooth keys: Pair once, then press the button on the key when prompted

Important

Register at least two security keys and store the backup in a safe place. If you lose all your security keys and have no other recovery method, you could be locked out of your Google Account.

3. Identity Check

Identity Check requires biometric authentication for sensitive actions when you’re away from trusted locations—similar to iOS’s Stolen Device Protection.

What It Protects

When outside trusted locations, biometric authentication is required for:

Changing device PIN or password
Changing biometric settings
Disabling theft protection
Accessing passkeys
Factory resetting the device
Changing Google Account settings

How to Enable

Go to Settings > Security & Privacy > Device Unlock > Theft Protection
Tap Identity Check
Follow setup instructions
Add trusted locations (home, work)

Requirements

Android 16 on supported devices (Pixel, Samsung One UI 7, others)
Screen lock and biometrics enabled
Location services enabled

Best Practice

Only add truly trusted private locations
Never add public places as trusted locations

4. Theft Protection

Android 16 consolidates multiple theft protection features.

Theft Detection Lock

Uses AI and device sensors to detect if someone snatches your phone and runs.

How to enable:

Go to Settings > Google > All services > Theft Protection
Toggle on Theft Detection Lock

How it works:

Monitors motion sensors, Wi-Fi, and Bluetooth
Automatically locks screen if theft is detected
Won’t trigger during stable connections

Offline Device Lock

Automatically locks your device if it goes offline (thief turns off internet).

How to enable:

Go to Settings > Google > All services > Theft Protection
Toggle on Offline Device Lock

Failed Authentication Lock

Locks device after repeated failed unlock attempts.

How to enable:

Go to Settings > Google > All services > Theft Protection
Toggle on Failed Authentication Lock (may be on by default)

Inactivity Reboot

Automatically restarts device after 72 hours of being locked, making data unreadable until fresh unlock.

Enabled automatically with Advanced Protection

Remote Lock

Lock your device remotely via Find My Device with security challenge question.

Factory Reset Protection

Enhanced in Android 16 to restrict all functions on devices reset without authorization.

5. App Permissions

Permission Manager

Review and control what data apps can access:

Go to Settings > Security & Privacy > Privacy Controls > Permission Manager
Review each category:
- Location
- Camera
- Microphone
- Contacts
- Files and media
- Calendar
- Phone
- SMS
- Body sensors / Health
- Nearby devices

Permission Options

For each app, you can choose:

Allow all the time – Background access (use sparingly)
Allow only while using the app – Access only when app is open
Ask every time – Prompts each use
Don’t allow – No access

One-Time Permissions

For camera, microphone, and location, you can grant one-time access that revokes when you close the app.

Auto-Reset Unused App Permissions

Android automatically resets permissions for apps you haven’t used in a while.

Go to Settings > Apps > [App name] > Permissions
Ensure Pause app activity if unused is enabled

AI-Powered Permission Controls (Android 16)

Android 16 introduces contextual permission management:

System evaluates if permission requests match your usage patterns
Unusual requests (e.g., location at midnight) may trigger additional confirmation
Detailed permission logs explain automated decisions

Local Network Protection (New in Android 16)

Apps now need explicit permission to access your local network (smart home devices, etc.):

Go to Settings > Security & Privacy > Privacy Controls > Permission Manager
Review Nearby devices and Local network permissions

6. Location Services

Global Location Settings

Go to Settings > Location
Toggle Use location on or off

Per-App Location Permissions

Go to Settings > Location > App location permissions
For each app, choose:
- Allowed all the time
- Allowed only while using
- Ask every time
- Not allowed

Precise vs. Approximate Location

Android 16 fixes a flaw that allowed apps to infer precise location even with approximate permission.

How to configure:

Go to Settings > Location > App location permissions > [App]
Toggle Use precise location off for apps that don’t need exact coordinates

Location History

Go to Settings > Google > Manage your Google Account > Data & privacy
Under “History settings,” review Location History
Turn off or set auto-delete (3 months, 18 months, 36 months)

7. Private Space

Private Space lets you hide and secure sensitive apps behind a separate authentication.

Features

Hidden apps in a separate space
Separate Google account for private apps
Requires PIN/biometric to access
Apps don’t appear in app drawer, search, or notifications

How to Set Up

Go to Settings > Security & Privacy > Private Space
Follow setup instructions
Create or sign into a Google account for Private Space
Set up lock (PIN, pattern, or password)

Adding Apps to Private Space

Open Private Space (swipe up and scroll to bottom of app list)
Tap Install apps
Install or move apps to Private Space

Best Practice

Use Private Space for:

Banking and financial apps
Personal health apps
Sensitive documents
Apps you want to keep private

8. Google Play Protect

Play Protect scans your device for harmful apps.

Features

Automatic app scanning
Real-time threat protection
Identifies harmful apps and malware
Cannot be disabled when Advanced Protection is on

How to Check Status

Open Google Play Store
Tap your profile icon
Tap Play Protect
Tap Scan to run manual scan

Settings

In Play Protect, tap Settings (gear icon)
Ensure Scan apps with Play Protect is on
Enable Improve harmful app detection to send unknown apps to Google

Live Threat Protection (Android 16)

Enhanced scanning detects apps that:

Change their icon to hide
Attempt to evade detection
Show malicious behavior

Available on Pixel 6+ and newer devices from other manufacturers.

9. Google Password Manager & Passkeys

Google Password Manager

Built-in password manager that syncs across devices.

How to access:

Go to Settings
Search for Password Manager
Or open the Passwords app

Features:

Save and autofill passwords
Generate strong passwords
Password checkup (finds weak, reused, compromised passwords)
Syncs to Google Account

Passkeys

Passkeys are phishing-resistant replacements for passwords.

Benefits:

More secure than passwords
Cannot be phished
Synced across devices via Google Password Manager
Authenticate with fingerprint, face, or PIN

How to use passkeys:

When a site/app supports passkeys, you’ll be prompted to create one
Confirm with your screen lock (fingerprint, face, PIN)
Passkey is saved to Google Password Manager
Sign in using your device’s biometric/PIN

Automatic Passkey Creation (Android 16):

When you sign in with a password, Android can automatically create a passkey for future use

Restore Credentials (Android 16):

When setting up a new device, passkeys and app credentials transfer automatically

Settings

Go to Settings > Passwords, passkeys & accounts
Configure your password manager
Enable Offer to save passwords
Enable Automatically create a passkey to sign in faster

10. Scam & Spam Protection

In-Call Protection (Android 16)

Blocks dangerous actions during calls with non-contacts:

Cannot sideload apps for the first time
Cannot disable Google Play Protect
Cannot grant accessibility permissions
Screen-sharing reminder when call ends

Scam Detection in Phone App

AI-powered real-time scam detection warns you during suspicious calls.

Types detected:

Package delivery scams
Job-seeking scams
Toll road and billing scams
Crypto scams
Financial impersonation
Gift card and prize scams
Tech support scams

How to enable:

Open Phone app
Tap More (⋮) > Settings > Caller ID & spam
Enable See caller and spam ID
Enable Filter spam calls

Scam Detection in Messages

Detects suspicious conversation patterns and unsafe links.

How to enable:

Open Messages app
Tap More (⋮) > Settings > Spam protection
Enable Enable spam protection

OTP Protection (Android 16)

One-time passwords won’t show on lock screen for devices that:

Haven’t been recently unlocked
Aren’t connected to known Wi-Fi

11. Network Security

Disable 2G

2G networks are vulnerable to interception and cell site simulators.

How to disable (if not using Advanced Protection):

Go to Settings > Network & internet > SIMs > [Your SIM]
Toggle off Allow 2G

Wi-Fi Security

Disable auto-join for insecure networks:

Go to Settings > Network & internet > Internet
Tap Network preferences
Disable Connect to open networks

Forget insecure networks:

Go to Settings > Network & internet > Internet > Saved networks
Remove networks you don’t trust

VPN

Use a VPN on public Wi-Fi:

Go to Settings > Network & internet > VPN
Configure your VPN provider

DNS Settings

Use encrypted DNS:

Go to Settings > Network & internet > Private DNS
Select Private DNS provider hostname
Enter a provider (e.g., dns.google or cloudflare-dns.com)

12. USB Protection

Android 16 defaults USB connections to charging-only when locked.

Features

Prevents data transfer via USB when device is locked
Protects against “juice jacking” attacks at public charging stations
Blocks physical data extraction attempts

How It Works

When Advanced Protection is enabled:

USB defaults to charging-only when locked
Must unlock device to enable data transfer

Manual Configuration

Go to Settings > Connected devices > USB
When connected, choose Charging only unless you need data transfer

13. Find My Device

How to Enable

Go to Settings > Security & Privacy > Find My Device
Toggle on Use Find My Device
Ensure location is enabled

Features

Locate your device on a map
Play sound to find nearby device
Secure device (lock with message)
Erase device remotely
Locate offline devices using nearby Android devices

Find My Device Network

Android can find your device even when offline using Bluetooth signals from nearby Android devices.

Go to Settings > Google > All services > Find My Device
Toggle on Find your offline devices

Using Find My Device

Go to android.com/find or use Find My Device app on another device
Sign in with your Google Account
Select your device
Choose action: Locate, Play Sound, Secure Device, Erase Device

14. Advertising & Tracking Controls

Delete Advertising ID

Disabling AAID makes it harder for advertisers to track you.

How to delete:

Go to Settings > Security & Privacy > Privacy Controls > Ads
Tap Delete advertising ID
Confirm

Disable Personalized Ads

Go to Settings > Google > Ads
Toggle off Opt out of Ads Personalization

Unknown Tracker Alerts

Android detects unfamiliar tracking devices (like AirTags) moving with you.

How to check:

Go to Settings > Security & Privacy > More security & privacy > Unknown tracker alerts
Ensure it’s enabled

15. Google Account Privacy

Privacy Checkup

Go to Settings > Google > Manage your Google Account
Tap Data & privacy
Tap Review your privacy settings

Activity Controls

Control what Google saves about your activity:

Go to Settings > Google > Manage your Google Account > Data & privacy
Under “History settings,” review:
- Web & App Activity – Search and app activity
- Location History – Places you’ve been
- YouTube History – Videos watched

For each:

Turn off to stop saving
Enable auto-delete (3, 18, or 36 months)

Privacy Dashboard

View recent permission usage:

Go to Settings > Security & Privacy > Privacy Controls > Privacy dashboard
See which apps accessed location, camera, microphone in last 24 hours

16. Chrome & Browser Privacy

Safe Browsing

Enable Enhanced Protection:

Open Chrome
Tap More (⋮) > Settings > Privacy and security > Safe Browsing
Select Enhanced protection

Privacy Settings

Open Chrome > Settings > Privacy and security
Configure:
- Clear browsing data – Regularly clear history, cookies, cache
- Always use secure connections – Forces HTTPS
- Do Not Track – Send request to sites (limited effectiveness)
- Preload pages – Disable for more privacy

Incognito Mode

For private browsing:

Open Chrome
Tap More (⋮) > New Incognito tab

Note

Incognito doesn’t make you anonymous—your ISP and websites can still see your activity.

Third-Party Cookies

Go to Chrome > Settings > Site settings > Cookies
Select Block third-party cookies

17. Additional Security Recommendations

Software Updates

Go to Settings > System > Software update
Enable automatic updates
Install security patches promptly

Lock Screen Notifications

Go to Settings > Notifications > Notifications on lock screen
Choose Show sensitive content only when unlocked or Don’t show any notifications

App Installation from Unknown Sources

Go to Settings > Apps > Special app access > Install unknown apps
Ensure all apps show Not allowed
Only enable temporarily when needed, then disable

Backup Encryption

Go to Settings > Google > Backup
Ensure Backup by Google One is on
Backups are encrypted with your screen lock

SIM Lock

Go to Settings > Security & Privacy > More security & privacy > SIM lock
Toggle on Lock SIM
Set a PIN (different from screen lock)

Repair Mode (Android 16)

Securely prepare device for repair without exposing data:

Go to Settings > System > Repair Mode
Follow instructions to wipe data while allowing hardware diagnostics

Trade-in Mode (Android 16)

Safely prepare device for resale:

Go to Settings > System > Trade-in Mode
Allows buyer to test hardware without accessing personal data

Quick Reference: Essential Settings Checklist

Setting	Location	Recommended
Advanced Protection	Settings > Security & Privacy > Advanced Protection	✅ Enable
Strong Screen Lock	Settings > Security & Privacy > Device Unlock	✅ PIN 6+ digits or password
Two-Factor Authentication	Google Account > Security	✅ Enable
Identity Check	Settings > Security & Privacy > Theft Protection	✅ Enable
Theft Detection Lock	Settings > Google > Theft Protection	✅ Enable
Play Protect	Play Store > Play Protect	✅ Ensure active
Passkeys	Settings > Passwords, passkeys & accounts	✅ Use where available
App Permissions	Settings > Security & Privacy > Permission Manager	⚙️ Review regularly
Location	Settings > Location > App permissions	⚙️ Minimize “All the time”
Advertising ID	Settings > Security & Privacy > Ads	❌ Delete
2G	Settings > Network & internet > SIMs	❌ Disable
Find My Device	Settings > Security & Privacy > Find My Device	✅ Enable
Unknown Sources	Settings > Apps > Install unknown apps	❌ Disable all
Lock Screen Notifications	Settings > Notifications	⚙️ Hide sensitive

Conclusion

Android 16 represents Google’s most comprehensive security update, with Advanced Protection Mode making it easy to enable maximum security with one toggle. Key priorities:

Enable Advanced Protection Mode – Activates all major security features at once
Set up Identity Check – Protects sensitive settings when away from trusted locations
Enable Theft Protection features – Theft Detection Lock, Offline Device Lock, Remote Lock
Use Passkeys – More secure than passwords, phishing-resistant
Review app permissions regularly – Revoke unnecessary access
Delete your Advertising ID – Reduces tracking
Keep software updated – Security patches are critical

By configuring these settings, you significantly strengthen your privacy and security against both common threats and sophisticated attacks.

Last updated: January 2026 | Applies to Android 16 Note: Settings may vary slightly by device manufacturer (Pixel, Samsung, etc.)

GrapheneOS Security & Privacy Settings Guide

Latest Stable Release: 2026012100 (January 21, 2026)

Latest Beta/Alpha Release: 2026012800 (January 28, 2026)

Based on Android 16 QPR2

Current Version Information:

Stable Release: 2026012100 (January 21, 2026)
Beta/Alpha Release: 2026012800 (January 28, 2026)
Security Preview: 2026012801 (includes patches through June 2026 ASB)
Android Base: Android 16 QPR2 (BP4A.251205.006)
Kernel Versions: 6.1.161 (GKI LTS), 6.6 LTS, 6.12.67 LTS
Vanadium Browser: 144.0.7559.109.0

1. Overview

GrapheneOS is a privacy and security-focused mobile operating system based on the Android Open Source Project (AOSP). It is designed for users who require the highest level of mobile security, including journalists, activists, security researchers, and privacy-conscious individuals. Notably, Edward Snowden has publicly endorsed GrapheneOS as his mobile OS of choice.

Note

I personally did not verify all details as I am running an older version of GrapheneOS.

What’s New in 2025-2026

Latest Beta Release (2026012800 - January 28, 2026):

FusedLocationProvider: Restored pre-16-QPR1 GNSS usage policy (uses GNSS for both balanced and high power requests)
Sandboxed Google Play: Added special case for SMS permission to enable SMS-based authentication for apps using Google Play services
Sandboxed Google Play: Prevented Play Store from attempting to install unnecessary “Device configuration” package
Improved secure app spawning compatibility with anti-tampering checks in certain apps
Settings: Now requires device restart after changing secure app spawning setting
Network Location: Renamed “GrapheneOS proxy” to “GrapheneOS Apple proxy” for clarity
Network Location: Added “Apple China” server choice for China data compliance
Pixel 8a, 9th/10th gen: Disabled NTP usage in Samsung gnssd
Improved UI for Network/Sensors permissions in permission manager
Fixed Material 3 Expressive styling for Contact/Storage Scopes UI
Kernel 6.12 updated to 6.12.67
Vanadium updated to 144.0.7559.109.0

Current Stable Release (2026012100 - January 21, 2026):

Fixed upstream infinite loop bug in ProtoFieldFilter.skipBytes() causing system unusability in early boot
libpng: Backported security patches
Removed unused INTERNET permission from Pixel Camera Services
Kernel 6.1 updated to 6.1.161, Kernel 6.12 updated to 6.12.66
Vanadium updated through version 144.0.7559.90.0

Security Preview Release (2026012801):

Includes patches through June 2026 Android Security Bulletin
8 Critical CVEs patched (CVE-2026-0039 through CVE-2026-0049)
38+ High-severity CVEs patched ahead of public disclosure
Enable via Settings > System > System update > Receive security preview releases

Recent Major Features:

Android 16 QPR2 base - Latest security patches and features
Security Preview Releases - Get security patches months ahead of public disclosure
Pixel 10 support - Full support for Pixel 10 family (no longer experimental as of January 2026)
Private Space integration - Android 15+ feature fully supported as replacement for work profiles
Enhanced memory tagging - Expanded MTE support for hardware-level memory safety
Post-quantum cryptography - Hybrid key exchange in Vanadium browser
Improved VPN leak protection - Comprehensive protection against all forms of VPN bypasses
OEM partnership announced - Non-Pixel devices expected Q4 2026 or Q1 2027
Lockscreen widget support - Enabled in December 2025 release

Key Differentiators from Stock Android

Feature	Stock Android	GrapheneOS
Google Services	Deeply integrated with privileged access	Optional, fully sandboxed, no special privileges
Network Permission	Not available	Per-app toggle to completely block network
Sensors Permission	Limited	Per-app toggle for accelerometer, gyroscope, etc.
Auto-Reboot	Not available	Configurable 10 min to 72 hours (default: 18 hours)
Duress PIN	Not available	Instantly wipes device when entered
USB Protection	Software-only	Hardware + software, blocks data lines
Exploit Mitigations	Standard	Hardened malloc, kernel hardening, MTE
Update Speed	Monthly patches	Security patches months ahead via preview releases

2. Supported Devices

GrapheneOS exclusively supports Google Pixel devices due to their hardware security features, including the Titan M2 security chip and hardware-backed attestation.

Currently Supported (Full Support)

Device	Codename	Support Until
Pixel 10 Pro Fold	rango	~2032
Pixel 10 Pro XL	mustang	~2032
Pixel 10 Pro	blazer	~2032
Pixel 10	frankel	~2032
Pixel 9a	toki	~2031
Pixel 9 Pro Fold	comet	~2031
Pixel 9 Pro XL	komodo	~2031
Pixel 9 Pro	caiman	~2031
Pixel 9	tokay	~2031
Pixel 8a	akita	~2031
Pixel 8 Pro	husky	~2030
Pixel 8	shiba	~2030
Pixel Fold	felix	~2028
Pixel Tablet	tangorpro	~2028
Pixel 7a	lynx	~2028
Pixel 7 Pro	cheetah	~2027
Pixel 7	panther	~2027
Pixel 6a	bluejay	~2027
Pixel 6 Pro	raven	~2026
Pixel 6	oriole	~2026

Device Requirements

OEM-unlockable bootloader - Carrier-locked devices (e.g., Verizon) are NOT supported
Titan M/M2 security chip - Required for hardware-based security features
Google hardware - Only official Pixel devices meet security requirements

Future Support

GrapheneOS announced in October 2025 a partnership with a “major Android OEM” to support Snapdragon-powered flagship devices, expected Q4 2026 or Q1 2027.

3. Installation

Prerequisites

Unlocked Pixel device (not carrier-locked)
Computer with Chrome/Chromium browser (for web installer)
USB cable

Web Installer (Recommended)

Go to https://grapheneos.org/install/web
Connect your Pixel via USB
Follow on-screen instructions to:
- Enable OEM unlocking in Developer Options
- Unlock the bootloader
- Flash GrapheneOS
- Lock the bootloader (critical for security)

Important Notes

Always lock the bootloader after installation - An unlocked bootloader defeats security
Installation takes approximately 10-15 minutes
All data will be erased during installation
The web installer prevents bricking - it’s very safe

4. Initial Setup

Setup Wizard Security Features

GrapheneOS’s Setup Wizard includes enhanced security checks:

Bootloader Warning - Alerts if bootloader is unlocked with option to reboot to fastboot
OEM Unlocking Auto-Disable - Disables OEM unlocking at end of setup (toggle to opt-out)

Recommended Initial Configuration

After completing basic setup:

Set a strong lock method
- Settings > Security & privacy > Device unlock > Screen lock
- Use a strong password (16+ characters) or secure PIN (6+ digits)
- Consider enabling Scramble PIN input layout
Configure fingerprint with 2FA PIN (optional)
- Adds requirement to enter short PIN after fingerprint
- Provides strong passphrase security with fingerprint convenience
Enable Duress PIN/Password
- Settings > Security & privacy > Device unlock > Duress Password
- Set BOTH a duress PIN and password
- This will wipe the device instantly when entered
Review exploit protection defaults
- Settings > Security & privacy > Exploit protection
- Default settings are secure; customize as needed

5. Device Unlock & Authentication

Screen Lock Options

Location: Settings > Security & privacy > Device unlock > Screen lock

Method	Security Level	Notes
Password	Highest	Up to 128 characters (vs 16 on stock Android)
PIN	High	Use 6+ random digits
Pattern	Medium	Not recommended
None	None	Never use

PIN Scrambling

Location: Settings > Security & privacy > Device unlock > Scramble PIN input layout

Randomizes keypad layout each time
Prevents shoulder-surfing and smudge attacks
Recommended: Enable

Two-Factor Fingerprint Unlock

Location: Settings > Security & privacy > Device unlock

When enabled:

Authenticate with fingerprint
Then enter a short PIN to complete unlock

Benefits:

Use a strong passphrase as primary unlock
Convenience of fingerprint + short PIN for daily use
Failed PIN attempts count toward lockout limit

Duress PIN/Password

Location: Settings > Security & privacy > Device unlock > Duress Password

Both a duress PIN and password are required
When entered anywhere credentials are requested (lockscreen, settings prompts):
- Device is immediately and irreversibly wiped
- All installed eSIMs are wiped
- Wipe cannot be interrupted
- Device is NOT bricked - can reinstall GrapheneOS

Critical Rules:

If duress PIN equals your real PIN, the real PIN takes precedence (no wipe)
Check local laws regarding evidence destruction before using
Do NOT use simple sequences like 1234 that others might guess

Fingerprint Security Improvements

GrapheneOS limits fingerprint attempts to 5 total (vs 20 on stock Android with delays):

Makes intentional lockout easy (use wrong finger 5 times)
Significantly reduces brute-force risk

6. Exploit Protection

Location: Settings > Security & privacy > Exploit protection

GrapheneOS includes extensive hardening against memory corruption and other exploits.

Auto Reboot

Purpose: Returns device to “at rest” state, clearing encryption keys from memory

Setting	Effect
10 minutes - 72 hours	Device reboots if not unlocked within this time
Off	Disabled (not recommended)
Default: 18 hours	Good balance for most users

Recommendation: Set to 8-12 hours for higher security, or keep default 18 hours

How it works:

Timer starts when device locks
Unlocking any profile resets timer
After timeout, device reboots to Before First Unlock (BFU) state
All encryption keys cleared, data fully at rest

USB-C Port

See Section 12 for detailed configuration.

Wi-Fi Auto-Off

Purpose: Disables Wi-Fi after disconnect to reduce attack surface

Options: 10 minutes, 30 minutes, 1 hour, 2 hours, Off
Recommendation: 10 minutes

Bluetooth Auto-Off

Purpose: Disables Bluetooth after disconnect to reduce attack surface

Options: Same as Wi-Fi
Recommendation: 10 minutes

Secure App Spawning

Purpose: Each app gets unique randomized memory layout (ASLR secrets)

Default: Enabled
Effect: Prevents cross-app identifier leaks, hardens exploit mitigations
Trade-off: Slightly slower cold app starts, slightly higher memory
Recommendation: Keep enabled

Native Code Debugging

Purpose: Controls ptrace access for debugging

Bundled apps: Always blocked
User apps: Allowed by default (for compatibility)
Recommendation: Disable for all apps unless needed for development

Dynamic Code Loading Toggles

Control JIT compilation and dynamic code loading:

Toggle	Default	Purpose
Dynamic code loading from memory	Varies	Blocks in-memory code execution
Dynamic code loading from storage	Varies	Blocks loading code from files
WebView JIT	Enabled for user apps	JavaScript JIT in WebView

Recommendation: Disable all for apps that don’t need them

7. Network Permission

Location: App info > Permissions > Network (per-app)

GrapheneOS adds a Network permission not available in stock Android.

How It Works

When disabled, app sees network as “down” (not permission denied)
Blocks both direct network access and localhost (prevents cross-profile communication)
Apps handle gracefully since they think network is unavailable

Configuration

During app installation, toggle Network off if not needed
Or go to Settings > Apps > [App] > Permissions > Network

Use Cases

Calculator apps: Don’t need network
Offline games: Don’t need network
Document editors: May not need network
Privacy-sensitive apps: Prevent data exfiltration

8. Sensors Permission

Location: Settings > Apps > [App] > Permissions > Sensors

GrapheneOS adds a Sensors permission for:

Accelerometer
Gyroscope
Compass/magnetometer
Barometer
Thermometer
Other device sensors

How It Works

When denied, apps receive zeroed sensor data
Notification appears when app tries to access blocked sensors
Does NOT affect Camera, Microphone, or Body Sensors (separate permissions)

Global Default

Location: Settings > Security & privacy > More security & privacy

Toggle: Deny Sensors permission by default for newly installed apps

Recommendation: Enable, then grant to apps that need it

9. Storage Scopes

Location: Settings > Apps > [App] > Permissions > Storage Scopes

A privacy-preserving alternative to granting full storage access.

How It Works

Instead of granting storage permission, enable Storage Scopes
App believes it has full storage access
App can only see files it created
Optionally add specific files/folders as “scopes” for app to access

Configuration

Go to app’s permissions
Instead of granting Files/Media, enable Storage Scopes
Add specific files/folders if app needs access to existing files

Limitations

If app is uninstalled and reinstalled, it loses access to its previously created files
Workaround: Grant access via SAF (Storage Access Framework) picker

Use Cases

Photo editors: Give access only to specific folders
Music players: Access only your music directory
Document apps: Access only Documents folder

10. Contact Scopes

Location: Settings > Apps > [App] > Permissions > Contact Scopes

Alternative to granting full contacts access.

How It Works

Enable Contact Scopes instead of granting Contacts permission
App believes it has contacts access
By default, app sees empty contact list
Selectively add specific contacts or groups

Configuration

Go to app’s permissions
Enable Contact Scopes (don’t grant Contacts permission)
Add specific contacts the app should see

Use Cases

Messaging apps: Share only contacts you message
Social apps: Share only relevant contacts
Business apps: Share only work contacts

11. User Profiles & Private Space

GrapheneOS significantly enhances Android’s profile system.

User Profiles

Location: Settings > System > Multiple users

GrapheneOS supports 32 profiles (vs 4 on stock Android).

Key Features:

Each profile has completely separate apps, data, encryption keys
Apps cannot communicate across profiles
Separate VPN configurations per profile

Creating a Profile

Settings > System > Multiple users
Tap “Add user”
Configure profile name and settings

End Session

Completely shuts down a profile:

Removes encryption keys from memory
Stops all background processes
Returns profile to “at rest” state

Private Space (Android 15+)

Location: Settings > Security & privacy > Private Space

An isolated workspace nested inside any user profile.

Advantages over Work Profile:

Better OS integration
Stronger isolation
Lockable with separate authentication
Hidden from app drawer when locked

Setup

Settings > Security & privacy > Private Space
Enter current PIN/password
Configure Private Space authentication

Key Behaviors

When locked: Apps don’t run, no notifications
Separate VPN configuration possible
Apps show shield icon in launcher
Can install apps directly or via Google Play (if installed in Private Space)

Recommendation: Use Private Space instead of work profiles managed by third-party apps

Notification Forwarding

Location: Within each profile’s settings

Forward notifications from background profiles to active profile:

Disabled by default
Enable per-profile where needed

12. USB-C Port & Pogo Pins Control

Location: Settings > Security & privacy > Exploit protection > USB-C port

Modes

Mode	Description
Off	USB fully disabled (including charging) - maximum security
Charging-only	Always data disabled, charging only
Charging-only when locked	Data works when unlocked, charging-only when locked (DEFAULT)
Charging-only when locked, except before first unlock	Same as above but allows data in BFU state
On	USB always enabled

How It Differs from Stock Android

Aspect	Stock Android	GrapheneOS
Level	Software only	Hardware + software
Data lines	OS-level block	Hardware disabled
New connections	Allowed until toggle	Blocked immediately when locked
Alternate modes (DisplayPort)	Still work	Disabled when locked

Recommendation

Default (Charging-only when locked) - Good for most users
Charging-only - If you never use USB data
Off - Maximum security, charge only when powered off

13. Wi-Fi & Bluetooth Privacy

Wi-Fi MAC Randomization

Location: Settings > Network & internet > Wi-Fi > [Network] > Privacy

GrapheneOS uses per-connection MAC randomization by default:

New random MAC for each connection (not just per-network)
DHCP state flushed before reconnecting
Significantly harder to track across reconnections

Wi-Fi Auto-Off

Location: Settings > Security & privacy > Exploit protection

Automatically disables Wi-Fi after disconnection
Reduces attack surface when not actively using Wi-Fi

Bluetooth Privacy

Set device name to something generic: Settings > Bluetooth > Device name
Recommendation: Set to “Device” or similar
Enable Bluetooth auto-off in Exploit protection

Scanning Settings

Location: Settings > Location > Location services

Setting	Recommendation
Wi-Fi scanning	OFF
Bluetooth scanning	OFF

These allow location tracking even when Wi-Fi/Bluetooth are “off.”

14. VPN Configuration

Always-On VPN

Location: Settings > Network & internet > VPN > [Your VPN] > gear icon

GrapheneOS enables these toggles by default:

Always-on VPN
Block connections without VPN

Improved Leak Protection

GrapheneOS fixes multiple VPN leak vectors:

Leak Type	Stock Android	GrapheneOS
DNS before VPN up	Can leak	Fixed
DNS to VPN server outside tunnel	Can leak	Fixed
Multicast packets	Can bypass	Blocked
Cross-profile multicast	Possible	Blocked
Interface bypass (setsockopt)	Possible	Blocked

Per-Profile VPN

Each profile (user profile, Private Space) has independent VPN configuration:

Can use different VPNs
Can have different exit IPs/countries
Complete isolation

Private DNS

Location: Settings > Network & internet > Private DNS

Recommendation: Use a privacy-respecting DNS provider:

dns.quad9.net (Quad9)
Custom NextDNS configuration
Or your VPN’s DNS

Internet Connectivity Checks

Location: Settings > Network & internet > Internet connectivity checks

Options:

GrapheneOS server (default) - Privacy-preserving
Standard (Google) - For blending in
Off - May cause issues with captive portals

15. Sandboxed Google Play

GrapheneOS allows running Google Play as a regular sandboxed app with no special privileges.

Key Properties

Google Play runs as normal app - no system-level access
Cannot access device identifiers (IMEI, etc.)
All permissions revocable
Only available within the profile where installed
Location requests rerouted to GrapheneOS implementation by default

Installation

Open Apps (GrapheneOS app store)
Select Google Play services
Install (automatically includes Play Store)
Grant battery optimization exception for push notifications

Configuration

Location: Settings > Apps > Sandboxed Google Play

Setting	Purpose
Reroute location requests	Uses GrapheneOS location instead of Google’s (default: on)

Profile Strategy

Option 1: Owner profile - Simplest, all apps can use Play services

Option 2: Separate profile - Install Play in secondary profile for isolation:

Create secondary user
Install sandboxed Google Play there
Install apps needing Play services there
Keep main profile Google-free

What Works

App installations and updates
In-app purchases
Push notifications (with battery exception)
Play Games services
Play Asset/Feature Delivery
Most apps requiring Play services

Revoking Permissions

You can revoke ANY permission from Google Play services:

Location, Contacts, Camera, etc.
May break specific functionality but app won’t crash

16. GrapheneOS Apps

GrapheneOS includes privacy and security-focused alternatives to standard apps.

Apps (App Store)

The GrapheneOS app repository:

Updates GrapheneOS apps
Provides sandboxed Google Play installation
Will distribute hardened open-source apps in future

Vanadium Browser

Hardened Chromium-based browser with:

Security Features:

Hardware memory tagging (MTE)
Type-based Control Flow Integrity (CFI)
JavaScript JIT disabled by default (per-site toggle)
Dynamic code execution blocked for non-JIT processes
Strict site isolation

Privacy Features:

Built-in ad/tracker blocking (EasyList + EasyPrivacy)
Third-party cookies disabled by default
Enhanced state partitioning
Reduced user agent / client hints
DuckDuckGo default search

Configuration:

JIT: Disabled by default, enable per-site via address bar menu
Content filtering: Enabled by default, toggle per-site

Auditor

Hardware-based attestation app:

Purpose:

Verify device authenticity and integrity
Detect bootloader unlocking or OS tampering
Monitor for security regressions

Setup:

Use another device as “Auditor”
On device to verify, open Auditor > Auditee
Scan QR code with Auditor device
Optionally set up remote attestation at attestation.app

Secure Camera

Privacy-focused camera app:

EXIF metadata stripped by default
Location tagging disabled by default
No unnecessary permissions
Open source

Secure PDF Viewer

Sandboxed PDF viewer:

Isolated rendering
Protection against malicious PDFs
Pinch to zoom, text selection
Encrypted PDF support

17. Backup & Encryption

Seedvault Encrypted Backup

Location: Settings > System > Backup

GrapheneOS includes Seedvault for encrypted backups.

Features:

End-to-end encryption
Local backup support
Cloud storage support (any provider with storage app)

Setup:

Settings > System > Backup
Choose backup location
Set encryption password
Select apps to back up

Full-Disk Encryption

GrapheneOS uses Android’s file-based encryption with enhancements:

32-byte file name padding (vs 16 bytes)
Per-profile encryption keys
Hardware-backed key storage (Titan M2)

Data at Rest

Before First Unlock (BFU):

Most data encrypted and inaccessible
Only critical functions available

After First Unlock (AFU):

Credential-encrypted data accessible
Auto-reboot returns device to BFU state

18. System Updates

Automatic Updates

Location: Settings > System > System update

GrapheneOS provides seamless automatic updates:

Downloads in background
Installs without interrupting usage
Automatic rollback if update fails
A/B partition system for safety

Security Preview Releases

Location: Settings > System > System update > Receive security preview releases

Benefits:

Get security patches months before public disclosure
Currently includes patches through June 2026 ASB
Same stability as regular releases

How It Works:

GrapheneOS participates in Android security embargo
Can ship patches before disclosure (unlike stock OS)
Preview releases increment build number by 1

Recommendation: Enable for maximum security

Update Frequency

Regular releases: Within days of Android security bulletin
Preview releases: Months ahead of disclosure
Feature updates: As developed

19. Advanced Settings

Connectivity Checks

Location: Settings > Network & internet > Internet connectivity checks

Controls which server verifies internet connectivity:

GrapheneOS (default, private)
Standard Android (Google, for blending in)
Disabled

Attestation Provisioning

Location: Settings > Security & privacy > More security & privacy

Controls attestation key provisioning:

GrapheneOS proxy (default, private)
Direct (Google)

GNSS / Location

Network Location:

GrapheneOS provides opt-in network location
Uses proxy to Apple’s service (or direct)
Building own database for future offline support

SUPL (Assisted GPS):

Proxied through GrapheneOS by default
Can switch to carrier default or disable

Clipboard Privacy

Location: Settings > Security & privacy > Privacy controls > Show clipboard access

Shows notification when apps access clipboard content from other apps.

Privacy Indicators

GrapheneOS enables location indicator (in addition to camera/mic):

Green dot shows when any app accesses location
Works for all location APIs (not just GNSS)

Accessibility Warning

NEVER grant Accessibility permission unless absolutely required:

Extremely dangerous permission
Can read all screen content
Can perform actions on your behalf

20. Quick Reference Checklist

Essential Security Settings

Lock bootloader after installation
Strong password/PIN - 6+ digit PIN or 16+ char password
Enable Scramble PIN - Settings > Security & privacy > Device unlock
Set Duress PIN/Password - Both required
Auto-reboot: 8-18 hours - Settings > Security & privacy > Exploit protection
USB-C: Charging-only when locked (default)
Wi-Fi/Bluetooth auto-off: 10 minutes
Enable VPN with lockdown - Block connections without VPN
Enable Security Preview releases - Get patches early

Privacy Settings

Disable Wi-Fi/Bluetooth scanning - Settings > Location
Use per-connection MAC randomization (default)
Set generic Bluetooth name - “Device”
Use Private DNS - Quad9 or similar
GrapheneOS connectivity checks (default)
Review app Network permissions - Deny where not needed
Enable Sensors deny by default - Settings > Security & privacy

Per-App Best Practices

Deny Network for apps that don’t need internet
Deny Sensors for apps that don’t need motion data
Use Storage Scopes instead of full storage access
Use Contact Scopes instead of full contacts access
Disable native debugging - Settings > Security & privacy > Exploit protection
Review all permissions after installation

Advanced Hardening

Separate profile for Google Play - Isolate from main profile
Use Private Space for sensitive apps
Enable Auditor remote attestation - attestation.app
Disable all dynamic code loading for apps that don’t need it
Set auto-reboot to minimum tolerable (4-8 hours for high security)
Consider Charging-only USB if you never use data transfer

Additional Resources

Official Documentation: https://grapheneos.org
Features Overview: https://grapheneos.org/features
Usage Guide: https://grapheneos.org/usage
FAQ: https://grapheneos.org/faq
Releases: https://grapheneos.org/releases
Discussion Forum: https://discuss.grapheneos.org
Community:
- Matrix: #community:grapheneos.org
- Discord: discord.com/invite/grapheneos
- Reddit: r/GrapheneOS
- X/Twitter: @GrapheneOS
- Mastodon: @GrapheneOS@grapheneos.social
- Bluesky: @grapheneos.org

Document Information:

Guide Version: 1.2
Last Updated: January 31, 2026
GrapheneOS Stable Release: 2026012100 (January 21, 2026)
GrapheneOS Beta Release: 2026012800 (January 28, 2026)
Android Base: Android 16 QPR2 (BP4A.251205.006)
Vanadium Browser: 144.0.7559.109.0
Supported Devices: Pixel 6 through Pixel 10 families

GrapheneOS is under active development. Security preview releases provide patches months ahead of public disclosure (currently through June 2026). Check official documentation at grapheneos.org for the latest features and recommendations.

Keyboard shortcuts

Security Guidebook