Features

Privacy and security,
every layer.

A list of what HardenedOS actually does — kernel hardening, exploit mitigations, per-app permission controls, lock-screen defenses, network privacy, and a hardened browser. Everything below is on by default; most things are opt-out, not opt-in.

Hardware-rooted

It starts at the silicon.

The Pixel's secure element holds the root of trust. Every binary loaded at boot — bootloader, kernel, system, recovery — is hash-checked against a measurement signed at build time. Tamper anywhere and the device refuses to boot.

  • Verified boot

    Continuous, end-to-end verification from the boot ROM up. Failed signatures halt the boot.

  • Hardware attestation

    Remote-verifiable proof of firmware version, bootloader state, and OS identity, signed by the secure element.

  • Bootloader fingerprint pin

    Bootloader, radio, and boot-partition fingerprints are checked at boot; mismatch is fatal.

  • USB-C data lock when locked

    USB data lines are blocked at the OS level when the device is locked. Configurable per device profile.

Device verified

attested 2 minutes ago

  • Bootloader: locked
  • Verified boot: green
  • OS image: HardenedOS 0.1
  • Build: 2026050700
  • Secure element: Titan M2
  • Signed by: eb25 39e4 …
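As an added illustration of the chain described above (example code, not HardenedOS's own implementation): a build-time manifest of per-stage measurements is signed, and boot verifies that signature first and then each stage in order, halting at the first mismatch. The partition images, the key and the HMAC standing in for the secure element's asymmetric signature are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Boot stages in the order the page lists them. Verification stops at the
# first mismatch, so a tampered bootloader halts before the kernel is even read.
BOOT_ORDER = ("bootloader", "kernel", "system", "recovery")

# Constructed sample "partition images" (a few bytes each), not real firmware.
GOLDEN_IMAGES = {
    "bootloader": b"bootloader-image-v1",
    "kernel": b"kernel-image-v1",
    "system": b"system-image-v1",
    "recovery": b"recovery-image-v1",
}

# Assumption: an HMAC key stands in for the build-time signing key. A real device
# checks an asymmetric signature against the root of trust in the secure element.
BUILD_SIGNING_KEY = b"constructed-build-key"

def measure(image: bytes) -> str:
    """Measurement of one partition image: its SHA-256 hex digest."""
    return hashlib.sha256(image).hexdigest()

def sign_manifest(images: dict, key: bytes) -> dict:
    """Build time: record every stage's measurement and sign the whole manifest."""
    measurements = {name: measure(images[name]) for name in BOOT_ORDER}
    payload = json.dumps(measurements, sort_keys=True).encode()
    return {"measurements": measurements,
            "sig": hmac.new(key, payload, "sha256").hexdigest()}

def verified_boot(images: dict, manifest: dict, key: bytes) -> tuple:
    """Boot time: verify the manifest signature first, then each stage in order.
    Returns (True, "green") or (False, reason) at the point the boot halts."""
    payload = json.dumps(manifest["measurements"], sort_keys=True).encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False, "halt: manifest signature invalid"
    for stage in BOOT_ORDER:
        if not hmac.compare_digest(measure(images[stage]), manifest["measurements"][stage]):
            return False, f"halt: {stage} measurement mismatch"
    return True, "green"

def tampered(images: dict, stage: str) -> dict:
    """Constructed tamper case: flip one byte of a single stage's image."""
    copy = dict(images)
    copy[stage] = bytes([images[stage][0] ^ 0x01]) + images[stage][1:]
    return copy
```

A forged manifest fails before any stage is measured, and a modified image fails at exactly that stage, which is the "tamper anywhere and the device refuses to boot" property in miniature.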

Memory & exploits

The bug class is dead before the exploit can use it.

The hard problem in mobile OS security is memory-corruption bugs in C/C++. HardenedOS stacks defenses so a single bug rarely turns into code execution.

Hardware memory tagging

ARM MTE on supported Pixels probabilistically catches use-after-free and inter-object overflows in real time. Both kernel and user-space.

Hardened allocator

Custom heap allocator with metadata isolation, quarantining, canaries, and randomized free lists. Slows attacks; turns silent corruption into hard crashes.

Zero-on-free

Memory is wiped the moment it's deallocated. Prevents an attacker from grabbing residue from a freed buffer.

Early-boot wipe

Memory is zeroed during startup so nothing carries over from a previous boot — no residual keys, plaintexts, or stale heap state.

JIT disabled

Java JIT off by default; JavaScript JIT off in the system browser. Closes a category of escape vectors at the cost of some compute speed.

seccomp-bpf syscall filter

Each app process is restricted to the syscalls it actually needs. Sandbox escapes that depend on rare syscalls don't get the chance.

BTI & PAC on ARMv9

Branch Target Identification and Pointer Authentication are enabled for OS userspace. Cuts the legs out from common ROP/JOP exploitation.

Kernel stack zeroing

Kernel stack memory is automatically cleared. Closes information-leak side channels that depend on uninitialized stack reads.

Per-app permissions

Real toggles for things Android pretends are permanent.

Stock Android lets you deny "location" and call it a day. HardenedOS lets you deny network access or sensors outright, and scope file or contact access down to a single folder or person — all per-app, all reversible, all visible.

  • Network access toggle

    Block direct and indirect network access for any app. Yes — including apps that thought it was a given. Apps continue to function offline.

  • Sensors toggle

    Deny accelerometer, gyroscope, compass, and the rest of the non-standard sensors per app. Useful for anti-fingerprinting.

  • Storage scopes

    Grant access to specific folders, not all storage. The app sees only what you point at.

  • Contact scopes

    Grant access to specific contacts or groups, not the whole address book. The app sees only those.

  • App-installation lockout

    Owners can block secondary users from installing apps. A device handed to a kid stays clean.

Compass · v3.2.1

requesting access

  • Network access

    App still launches. No data leaves the device.

  • Sensors (gyro, compass)

    Required for the app's purpose. Granted.

  • Storage Scope: /Documents/Trips

    App sees one folder. Everything else is invisible.

  • Contacts

    App can't enumerate your address book.
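An added example, not the project's own implementation, of the containment check a storage scope has to get right: the grant from the card above (/Documents/Trips) admits files under that folder and rejects sibling folders, relative paths and `..` traversal. The scope and the request paths are constructed.

```python
import posixpath

# Constructed example scope, matching the /Documents/Trips grant on this page.
GRANTED_SCOPES = ("/Documents/Trips",)

def normalize(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes so a traversal sequence
    cannot slip past the prefix comparison below."""
    return posixpath.normpath(path)

def scope_allows(requested: str, scopes=GRANTED_SCOPES) -> bool:
    """True only if the normalized path is a granted folder itself or lies
    strictly inside it. A sibling such as /Documents/Trips2 must not match,
    so the comparison is made on a path-separator boundary, not a raw string
    prefix. Relative paths are rejected outright: the app has no ambient cwd."""
    if not requested.startswith("/"):
        return False
    path = normalize(requested)
    for scope in scopes:
        scope = normalize(scope)
        if path == scope or path.startswith(scope.rstrip("/") + "/"):
            return True
    return False
```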

Physical security & duress

Defenses for when someone has the phone in their hand.

Most phone breaches don't involve zero-days — they involve a person standing over your shoulder, or a border agent demanding the PIN. HardenedOS plans for that.

  • PIN scrambling

    Every unlock attempt randomizes the keypad layout. Shoulder-surfing the position of your finger no longer reveals the digits.

  • Two-factor fingerprint

    Fingerprint unlocks the device and the PIN must follow. A forced fingerprint scan alone doesn't grant access.

  • Duress PIN

    Set a second PIN that, when entered, irreversibly wipes the device. Looks identical to a wrong PIN; doesn't tell the operator.

  • Auto reboot

    If the device sits locked for a configurable interval, it reboots — clearing decryption keys from RAM and forcing full re-authentication.

  • Long passwords

    Up to 128 characters without needing a Device Manager workaround. Cold-storage-grade lock-screen secrets work.

Enter PIN

Layout randomized · keys reshuffle on next attempt

Network privacy

Your phone stops broadcasting who it is.

Mobile devices leak identity in places most people don't think about — Wi-Fi probes, cellular fallback to insecure radios, DNS bypassing the VPN. HardenedOS closes those.

Per-connection MAC randomization

Every Wi-Fi network gets a fresh, random MAC address. Coffee-shop trackers can't recognize your device next time.

DHCP state flushing

DHCP state is wiped between reconnections, so the same network can't fingerprint the device by its lease history.

LTE-only mode

Disable 2G, 3G, and 5G. Reduces baseband attack surface and dodges the well-known weaknesses of 2G fallback.

DNS leak prevention

System resolver respects the active VPN; multicast and direct-interface bypasses are blocked at the OS level.

VPN tunnel enforcement

Apps can't specify a tunnel interface to bypass the user's VPN. The tunnel is the only path out.

Network location, no cloud

Position estimation runs on-device against open data. No cell-tower or Wi-Fi-fingerprint requests sent to a third party.

Hardened web

The bundled browser is the most-attacked surface — so it gets the most aggressive defenses.

A Chromium-derived web view, hardened beyond stock. Same defenses as the rest of the OS plus browser-specific work to deny attackers the cheapest path in.

Memory tagging in the browser

MTE applies to the browser's main allocator on supported Pixels. Catches heap exploits in the highest-risk process.

Site isolation

Each origin runs in its own renderer process. A compromise in one site can't reach across to another.

Built-in content filter

Tracker and ad lists ship with the browser. Toggleable per site if a page genuinely needs them to load.

JIT off by default

JavaScript JIT disabled out of the box; opt back in per site. Trades JS performance for closing a major exploit category.

Reduced user agent

The UA string strips OS version, device model, and patch level. Cuts a chunk of fingerprinting signal.

No third-party content

OS-bundled web services forbid embedded third-party content via CSP. Can't load a tracker through the back door.

Profiles & identities

Run multiple "phones" on one phone.

Real isolation between profiles, not just separate launchers. Decryption keys are per-profile; ending a session purges them from RAM.

  • 32 secondary profiles

    Stock Android caps at 4. We raise to 32 — enough for a family, a small organization, or a daily-driver split between use-cases.

  • End session

    Log out of a profile to disable its apps and purge encryption keys from RAM. Re-entry requires the profile's lock secret.

  • Hide notifications on lock

    Sensitive notification content is masked on the lock screen by default. Notifications still arrive; sender names just don't preview.

  • Disable apps without uninstalling

    Hide apps you can't or don't want to uninstall — they don't run, don't appear, but config is preserved if you flip it back later.

  • Personal

    active · 14 apps · keys in RAM · in use

  • Work

    8 apps · session ended · keys purged · locked

  • Travel

    3 apps · session ended · keys purged · locked

+ 29 more profile slots available

This is what's on by default.

The features above ship with every HardenedOS device, every reseller, every tier. Not optional. Not upsold.