v0.1 · alpha · actively in development

Hardened Android.
Branded as yours.

A privacy-first OS for Pixel devices. Built on the same hardening that protects journalists, dissidents, and security researchers — packaged for resellers who need to ship a managed mobile platform under their own brand.

Built on bedrock.

  • Verified Boot
  • Memory Tagging
  • Hardened Kernel
  • Built-in MDM
  • Surveillance Ceiling
  • Pixel Hardware

Security isn't a static measure,
but a dynamic standard.

Hardware-rooted defense

Every binary loaded at boot is hash-checked against a measurement signed at build time. Pixel's Titan M2 secure element holds the root of trust. Tamper with the bootloader, system partition, or recovery image — and the device refuses to boot. Hardware attestation makes the chain remotely verifiable.

Built-in device management

The Device Policy Controller is a system app, not an add-on. It enforces the tier policy bag (Basic / Corporate / Government), drives manifest sync, verifies branding-bundle signatures, and writes an audit-grade event stream you can pipe straight to your SIEM. One vendor, one signing chain.

Privacy floor, by design

Even at the highest tier, the OS refuses to silently record audio, screen-capture, log keystrokes, or hide its management UI from the user. Seven forbidden keys live in the kernel policy schema and are rejected before the tier filter even runs. Not optional. Not toggleable. Hardware-enforced.

What HardenedOS protects you from

The same Pixel. The threats you can't see.

Every app on a regular Android home screen is a relationship: a deal you made (or didn't) about your data, your sensors, your mic, your network. HardenedOS blocks all of these by default.

Device policy & MDM

Built-in management. Not bolted on.

Most mobile MDM is an admin agent installed onto stock Android — fighting Android for permissions, racing the user to apply policy. HardenedOS's Device Policy Controller is a system app, signed by the same chain as the OS itself. Policy is enforced at boot, before user-space apps see the request.

System-app DPC

Runs as Android Device Owner from first boot. Signed in the same release chain as the OS. Cannot be disabled, sideloaded over, or escaped by a rogue user-space app — policy enforcement happens below them, not alongside.

Three policy tiers

Basic / Corporate / Government — each unlocks a defined permission matrix. Tier is set per device, changeable over the air on next manifest sync, never requires re-provisioning. Government transitions can require on-device user consent.

Required app catalog

Upload APKs you require, recommend, or whitelist. Each pinned to a known signing-cert SHA-256. Silent install on activation, OTA install of new entries, automatic uninstall when removed from your manifest.

Per-app permission scopes

Network, sensors, storage, contacts — each can be denied, granted, or scoped per app per tier. Storage scopes mean an app sees one folder. Contact scopes mean an app sees one group. Toggleable from your admin panel.

Hardware attestation

Every heartbeat carries a Titan-M2-signed attestation: bootloader state, OS image identity, build fingerprint. Your admin panel can refuse policy enforcement on a device whose chain doesn't verify — the device can't fake its way back in.

HMAC-signed event stream

Activation, tier change, install, wipe, heartbeat-attested — every device event delivered to your webhook with HMAC-SHA256 signing. Drop-in for SIEM ingestion. Retries with exponential back-off; 24-hour delivery runway before abandonment.
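A receiver-side sketch for this event stream, added here as an example and not taken from HardenedOS code: it verifies the HMAC-SHA256 signature over the raw body in constant time and de-duplicates retried deliveries. The signature encoding (hex of the raw body), the `event_id` field, and the sample event are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed value, not a real key


class WebhookVerifier:
    """Assumes: signature = hex HMAC-SHA256 of the raw body; events carry 'event_id'."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # processed event ids; use a persistent store in production

    def sign(self, body: bytes) -> str:
        return hmac.new(self._secret, body, hashlib.sha256).hexdigest()

    def handle(self, body: bytes, signature_hex: str) -> str:
        """Return 'rejected', 'duplicate' or 'accepted' for one delivery."""
        expected = self.sign(body).encode()
        supplied = signature_hex.strip().lower().encode("utf-8", "replace")
        # Verify the raw bytes before parsing, and compare in constant time.
        if not hmac.compare_digest(expected, supplied):
            return "rejected"
        try:
            event_id = json.loads(body)["event_id"]
        except (ValueError, KeyError, TypeError):
            return "rejected"
        if not isinstance(event_id, str):
            return "rejected"
        # Retries with back-off mean the same event can arrive more than once.
        if event_id in self._seen:
            return "duplicate"
        self._seen.add(event_id)
        return "accepted"


def demo():
    verifier = WebhookVerifier(SECRET)
    # Constructed sample event; field names are hypothetical.
    body = json.dumps(
        {"event_id": "evt-0001", "type": "tier_change", "tier": "Corporate"}
    ).encode()
    sig = verifier.sign(body)
    tampered = body.replace(b"Corporate", b"Government")
    return [verifier.handle(body, sig),      # first delivery
            verifier.handle(body, sig),      # retried delivery
            verifier.handle(tampered, sig)]  # body altered in transit


if __name__ == "__main__":
    print(demo())
```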

Three policy tiers, one OS image

Basic

Privacy-first daily driver. User owns installs and permissions. Reseller branding applied; no remote management of user data.

Corporate

Managed work device. Required apps push silently. Categories can be disabled (cameras, USB, install-from-store). Tier change OTA. Full audit log.

Government

Mission-issued. Whitelist-only apps. Mandatory encryption + biometric gate. Tier transitions require on-device consent. Attestation on every heartbeat.

Surveillance ceiling, kernel-enforced. No tier — including Government — can silently capture audio, screen-record, log keystrokes, or hide the management UI from the user. Seven forbidden keys live in the policy schema and are rejected before the tier filter runs.
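Why the order "reject forbidden keys, then run the tier filter" matters, shown as an added example that is not HardenedOS code and covers both this paragraph and the "Privacy floor" section above. The key names and per-tier allow-lists are hypothetical: the page names four forbidden behaviours but does not list the seven schema keys.

```python
# Hypothetical key names derived from the four behaviours the page describes.
FORBIDDEN_KEYS = frozenset({
    "silent_audio_capture",
    "silent_screen_capture",
    "keystroke_logging",
    "hide_management_ui",
})

# Hypothetical per-tier allow-lists of top-level policy keys.
TIER_ALLOWED = {
    "Basic": {"branding"},
    "Corporate": {"branding", "required_apps", "disable_camera", "disable_usb"},
    "Government": {"branding", "required_apps", "disable_camera",
                   "disable_usb", "app_whitelist", "require_biometric"},
}


class PolicyRejected(ValueError):
    pass


def find_forbidden(node, path=""):
    """Walk nested dicts and lists; return the paths of any forbidden keys."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).strip().lower() in FORBIDDEN_KEYS:
                hits.append(here)
            hits.extend(find_forbidden(value, here))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_forbidden(value, f"{path}[{i}]"))
    return hits


def tier_filter(policy, tier):
    """Keep only the top-level keys the tier allows; it does not look inside values."""
    return {k: v for k, v in policy.items() if k in TIER_ALLOWED[tier]}


def apply_policy(policy, tier):
    """Refuse the whole policy if a forbidden key appears anywhere, then filter."""
    hits = find_forbidden(policy)
    if hits:
        raise PolicyRejected(f"forbidden keys: {sorted(hits)}")
    return tier_filter(policy, tier)
```

With the filter alone, a forbidden key nested under an allowed key such as `required_apps` would pass through untouched; checking first refuses the whole policy instead of silently trimming it.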

For resellers

Ship a managed mobile platform under your brand. Without rebuilding the OS.

HardenedOS gives you the management primitives, the device fleet API, and the white-label surface — so your customers see your name, your colors, your support page, and your app catalog.

  • White-labeled OS

    Boot screen, lock screen, wallpaper, accent colors, OS name override — your brand from first boot.

  • Prepaid balance billing

    Top up your account, draw down per active device per month. No surprise bills, no per-API-call charges.

  • Activation codes & APIs

    Mint activation codes in batches. Distribute APKs through your channel. Push branding updates over the air.

  • Webhooks & audit

    Every device event — activation, tier change, install — delivered to your endpoint with HMAC signing.

Supported devices

Pixel-only. By design.

HardenedOS targets Pixel hardware exclusively because Pixel is the only mass-market Android with a verified-boot model that lets a third party (us, you, the user) lock the device to a non-Google OS. Other vendors don't expose this.

  • Pixel 9 Pro / 9 Pro XL / 9 Pro Fold
  • Pixel 9 / 9a
  • Pixel 8 Pro / 8 / 8a
  • Pixel 7 Pro / 7 / 7a
  • Pixel Fold
  • Pixel 6 Pro / 6 / 6a

Newer devices generally get longer hardware support. Pixel 8 series and later have a ~7-year guaranteed update commitment from Google; HardenedOS rides that lifecycle.