Your smartphone is one of the most invasive surveillance devices ever created. Every app, every sensor, every background process can be reporting data back to advertisers, data brokers, and platform operators. GrapheneOS changes that equation entirely. It is a hardened, privacy-focused operating system built on Android that strips away Google’s surveillance infrastructure while retaining the usability of a modern smartphone. This guide walks you through installing it on a Pixel device in 2026.
Why GrapheneOS?
GrapheneOS is not just a de-Googled Android fork — it is a security-hardened operating system developed with features that go beyond what stock Android offers. The project implements a hardened memory allocator, stronger sandboxing for apps, exploit mitigations, and a verified boot chain that protects against firmware tampering. Unlike CalyxOS or LineageOS, GrapheneOS maintains full hardware-backed verified boot, which means the bootloader can be re-locked after installation to restore the full security model.
The Sandboxed Google Play feature is a standout innovation. It lets you run the official Google Play Store inside a fully isolated sandbox, giving you access to Play apps without granting Google privileged system access.
Requirements
Before you start, make sure you have:
- A supported Google Pixel phone (Pixel 6 or newer is recommended; Pixel 9 series as of 2026)
- A Windows, macOS, or Linux computer with a USB-A or USB-C port
- The Android Platform Tools installed (adb and fastboot)
- A USB cable that supports data transfer (not charge-only)
- At least 50% battery on the phone
The web-based installer at grapheneos.org/install/web is the easiest method and works in Chromium-based browsers. It uses WebUSB to flash the phone directly from your browser without needing to install additional software beyond Platform Tools.
Step 1: Enable Developer Options and OEM Unlocking
- Open Settings on your Pixel.
- Navigate to About phone and tap Build number seven times until you see “You are now a developer!”
- Go back to Settings > System > Developer options.
- Enable OEM unlocking. If this option is greyed out, you may need to insert a SIM or connect to Wi-Fi to verify carrier unlock status.
- Enable USB debugging as well.
Step 2: Boot into Fastboot Mode
Power off the phone completely. Hold Volume Down + Power simultaneously until the Fastboot menu appears. Alternatively, from a terminal with adb connected:
adb reboot bootloader
Your phone should now show the Fastboot interface with the Android mascot and a warning about the bootloader state.
Step 3: Unlock the Bootloader
Warning: Unlocking the bootloader erases all data on the device. Back up anything important first.
With the phone in Fastboot mode and connected via USB, run:
fastboot flashing unlock
Use the volume buttons to confirm the unlock on the phone’s screen and press the Power button to accept. The device will factory reset and reboot.
After it reboots, go through the initial setup minimally (skip Google sign-in), then re-enable Developer options and USB debugging as in Step 1.
Step 4: Flash GrapheneOS Using the Web Installer
Navigate to grapheneos.org/install/web in Chrome or a Chromium-based browser. Click Connect device and select your Pixel when it appears. The installer will:
- Detect your device model and download the correct GrapheneOS factory image
- Verify the download using cryptographic signatures
- Flash the bootloader, radio, and system partitions automatically
- Re-lock the bootloader when complete
The entire process takes 10–20 minutes depending on your internet speed. Do not disconnect the USB cable during flashing.
If you prefer the CLI method, download the signed factory images from grapheneos.org/releases, verify the SHA-256 checksums, and run the included flash-all.sh script (Linux/macOS) or flash-all.bat (Windows).
Step 5: Re-lock the Bootloader
Re-locking the bootloader is essential for full security. With the phone back in Fastboot mode:
fastboot flashing lock
Confirm on the device. This re-enables verified boot and ensures the OS cannot be tampered with without your knowledge.
Step 6: Initial GrapheneOS Setup
Boot into GrapheneOS. The setup wizard is minimal by design. Key decisions to make:
- Skip adding a Google account at this stage — you can add one later inside the sandbox
- Set a strong PIN or passphrase (avoid pattern locks)
- Enable automatic updates under Settings > System > System update — GrapheneOS ships updates frequently
- Review Settings > Security to confirm verified boot is active
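The check behind Steps 5 and 6, as an added example that is not part of the original guide or GrapheneOS project code: it reads the standard Android boot properties `ro.boot.flash.locked` and `ro.boot.verifiedbootstate` from `adb shell getprop` output and passes only when the bootloader is locked and the OS was verified with a user-installed key (`yellow`). The function names and sample dumps are constructed for illustration, and it assumes USB debugging has been enabled again on the installed OS.

```shell
#!/bin/sh
# Added example (not GrapheneOS project code). Sample dumps below are constructed.

# prop_from_dump NAME: read `adb shell getprop` output on stdin, print NAME's value.
prop_from_dump() {
    name=$(printf '%s' "$1" | sed 's/\./\\./g')      # match dots literally
    tr -d '\r' | sed -n "s/^\[$name\]: \[\(.*\)\]\$/\1/p"
}

# assess_boot STATE LOCKED: return 0 only for a locked bootloader that verified
# the OS against a user-installed key (state "yellow"); 1 = fail, 2 = unknown.
assess_boot() {
    case "$2" in
        1) ;;
        0) echo "FAIL: bootloader is unlocked"; return 1 ;;
        *) echo "UNKNOWN: ro.boot.flash.locked='$2'"; return 2 ;;
    esac
    case "$1" in
        yellow) echo "OK: locked, OS verified with a custom key"; return 0 ;;
        green)  echo "FAIL: locked, but the stock OS key verified the boot"; return 1 ;;
        orange) echo "FAIL: verified boot is not enforced"; return 1 ;;
        red)    echo "FAIL: OS verification failed"; return 1 ;;
        *)      echo "UNKNOWN: ro.boot.verifiedbootstate='$1'"; return 2 ;;
    esac
}

# assess_dump: stdin is a full getprop dump; extracts both properties and classifies.
assess_dump() {
    dump=$(cat)
    state=$(printf '%s\n' "$dump" | prop_from_dump ro.boot.verifiedbootstate)
    locked=$(printf '%s\n' "$dump" | prop_from_dump ro.boot.flash.locked)
    assess_boot "$state" "$locked"
}

# Constructed sample dumps: a re-locked device and one left unlocked after flashing.
SAMPLE_LOCKED='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [yellow]'
SAMPLE_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]'

printf '%s\n' "$SAMPLE_LOCKED"   | assess_dump || true
printf '%s\n' "$SAMPLE_UNLOCKED" | assess_dump || true
```

Against a connected phone, `adb shell getprop | assess_dump` runs the same classification on live values.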
Step 7: Configure Sandboxed Google Play (Optional)
If you need Google Play apps, GrapheneOS provides them without giving Google root or system access.
- Go to Settings > Apps and install the Google Play Store profile from the GrapheneOS app repository.
- This installs Play Services and the Play Store as normal sandboxed applications — they have no special permissions.
- Sign into a Google account inside Play and install apps as normal.
Apps installed this way are still subject to GrapheneOS’s sandboxing and will request permissions just like any other app.
Step 8: Essential Privacy Apps to Install
| App | Source | Purpose |
|---|---|---|
| Vanadium | Built-in | Hardened Chromium browser |
| Orbot | F-Droid or Play | Tor routing for apps |
| Molly | F-Droid | Hardened Signal fork |
| Aegis Authenticator | F-Droid | TOTP 2FA manager |
| Obtainium | GitHub | Update apps from source |
| Mullvad VPN | Play (sandboxed) | VPN with no-log policy |
Install F-Droid for access to free and open source apps without Google infrastructure. The GrapheneOS App Store (built-in) also provides curated, verified apps.
Managing Permissions
GrapheneOS enforces strict permission controls. Go to Settings > Privacy > Permission manager regularly to audit what each app can access. GrapheneOS adds extra toggles not found in stock Android:
- Network permission — deny internet access per app
- Sensors permission — block access to accelerometer, gyroscope, etc.
- Contact scopes — share only selected contacts with an app instead of your whole address book
Keeping GrapheneOS Updated
GrapheneOS releases security updates rapidly, often within days of upstream Android patches. Enable automatic updates and reboot promptly when notified. You can manually check for updates under Settings > System > System update.
Common Issues
OEM unlock is greyed out: The phone may be carrier-locked or require a brief period of activation. Try inserting a SIM and connecting to a network for a few minutes.
Fastboot does not detect the device: Install the correct USB drivers (Windows), try a different USB port, or switch cables. Only data-capable cables work.
Web installer fails mid-flash: Do not panic. Re-enter Fastboot mode and restart the web installer. It will detect where to resume.
GrapheneOS transforms a consumer surveillance device into a genuinely private communications tool. The installation takes under an hour and the security model you gain — hardened OS, re-locked bootloader, verified boot, isolated app sandboxes — is unmatched by any commercial smartphone offering. Once set up, day-to-day use feels virtually identical to stock Android, but without the invisible data harvest running in the background.