GrapheneOS finds Bluetooth memory corruption via ARM MTE

GrapheneOS security model and hardware requirements

  • Many commenters view GrapheneOS (GOS) as significantly more secure than other Android-based systems, mainly due to hardware-backed features (MTE, PAC, BTI, strong attestation, etc.).
  • Pixels are currently the only devices meeting GOS’s published hardware and update requirements; other Android OEMs are said to lack key features or proper alternate-OS support.
  • GOS maintainers repeatedly stress that their work is primarily to improve privacy via stronger security, not just “security for its own sake.”
  • They argue that ports like “GrapheneOS Minus” on weaker hardware would mostly reduce security, especially on devices where unlocking disables or permanently downgrades hardware protections.

Support windows and extended support

  • GOS matches vendor support windows and sometimes provides 1–2 years of “extended support” for EOL Pixels, but explicitly labels these builds as insecure and tries to discourage long-term use.
  • Some users argue for extended support on e‑waste and affordability grounds; GOS replies that insecure devices for poorer users is a serious concern and that 5–7 year support on newer Pixels largely solves this going forward.

GrapheneOS vs other custom ROMs (CalyxOS, Lineage, etc.)

  • Several comments contrast GOS with CalyxOS and others:
    • GOS is described as a hardened OS with extensive mitigations (hardened_malloc, MTE integration, strong SELinux, strict verified boot, app-scoped permissions).
    • CalyxOS is criticized by some for added attack surface, rolled-back security, slower patches, and reliance on microG.
  • GOS claims to offer better privacy than these ROMs via features like Contact/Storage Scopes, per-app network/sensor toggles, and per-connection MAC randomization.

MTE (Memory Tagging Extension) and exploit mitigation

  • Thread centers on GOS using ARM MTE on Pixel 8 devices to detect a Bluetooth memory corruption bug.
  • GOS uses a custom MTE-backed allocator with stronger tagging strategies and user-facing crash reporting; it also fixed Chromium’s MTE integration.
  • Pixel stock OS exposes MTE as a developer option but, according to GOS, does not enable it broadly in production due to performance, memory, and compatibility concerns.
  • There is debate over whether Google should at least enable low-overhead “async” MTE for the base OS and Google apps; GOS strongly advocates this, while others highlight ecosystem and regression risks.

Usability, installation, and app compatibility

  • Many report installation via the web-based installer as straightforward, requiring only a supported browser and USB cable.
  • As a daily driver, GOS is generally described as stable and “like stock Android,” especially with sandboxed Google Play.
  • Main functional pain points:
    • Google Pay NFC payments are blocked because Google will not certify non-stock OSes.
    • Some banking, theme-park, and DRM apps may break due to Play Integrity checks or misconfigured app listings.
    • No root is provided; GOS actively discourages rooting on security grounds.

iOS, security, and privacy comparisons

  • Several comments note that modern Pixels with stock OS and iOS have comparable high security.
  • GOS aims to exceed both on privacy via additional controls, while acknowledging iOS still does better in a few areas.
  • Apple’s Lockdown Mode is framed as mostly reducing Apple-service attack surface, whereas many such services don’t exist on GOS devices.