
GrapheneOS vs CalyxOS: which privacy OS is actually stronger?

Both claim to be private Android alternatives. Both remove Google services. But their approaches to security are meaningfully different — and the gap matters more than most comparisons acknowledge.

6 min read · 12 November 2025 · Norypt Team

GrapheneOS and CalyxOS are the two most discussed privacy-focused alternatives to standard Android. Both remove Google services. Both are designed for users who want more control over their data. But their underlying philosophies — and the security trade-offs they make — are meaningfully different. This article explains what those differences are and why they matter.

What they have in common

Both GrapheneOS and CalyxOS are built on the Android Open Source Project (AOSP). Neither ships with Google Play Services as a system-level component. Both are free, open-source, and installable on compatible hardware. Both offer a significantly more private experience than stock Android.

For a user moving from a standard Android phone to either OS, the difference in data collection will be substantial and immediately meaningful. That's worth acknowledging before getting into the distinctions.

The core difference: microG vs sandboxed Google Play

This is where the two projects diverge most significantly.

CalyxOS includes microG — an open-source reimplementation of Google Play Services. microG allows apps that require Google services to function without the full Google Play Services package. This improves app compatibility, but it comes with a security trade-off: microG runs with elevated system privileges, similar to real Google Play Services. It has greater access to the system than a normal app, and its codebase is substantially smaller and less audited than Google's. Apps interact with it believing they're interacting with Google services, which introduces a layer of compatibility shims that can themselves be attack vectors.

GrapheneOS offers sandboxed Google Play — an approach that installs real Google Play Services as an unprivileged, sandboxed application. It has no special system access. It runs like any other app, subject to the same permission model. This means Google Play Services cannot exfiltrate data in the background with system-level access, because it doesn't have system-level access. App compatibility is equivalent to or better than CalyxOS, because you're running the real Google services rather than a reimplementation — but without the elevated privileges.

From a security standpoint, this is a meaningful difference. GrapheneOS's approach gives you app compatibility without granting elevated trust to any Google component.
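
The privileged-versus-sandboxed distinction above can be checked on a device. The following is an added example, not code from the original article or from either project: it reads `dumpsys package` output and reports whether the package holds system or privileged flags. It assumes `adb` access, the package name `com.google.android.gms`, and the flag-line layout shown in the constructed samples.

```shell
#!/bin/sh
# Added example: classify how Play Services (or microG) is installed.
# Input: text of `dumpsys package <pkg>` on stdin.
# Output: privileged | system | user
classify_pkg() {
    awk '
        /[Ff]lags=/ {
            line = $0
            gsub(/[^A-Z_]/, " ", line)      # keep only flag-name characters
            n = split(line, tok, " ")
            for (i = 1; i <= n; i++) {
                if (tok[i] == "SYSTEM")     sys = 1
                if (tok[i] == "PRIVILEGED") priv = 1
            }
        }
        END {
            if (priv)     print "privileged"
            else if (sys) print "system"
            else          print "user"
        }'
}

# Constructed excerpts (assumed format), not captured from a real device.
sample_sandboxed() {
cat <<'EOF'
Package [com.google.android.gms] (a1b2c3d):
    codePath=/data/app/constructed/com.google.android.gms
    pkgFlags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE ]
EOF
}
sample_privileged() {
cat <<'EOF'
Package [com.google.android.gms] (d4e5f6a):
    codePath=/system/priv-app/constructed
    pkgFlags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
EOF
}

echo "sandboxed sample:  $(sample_sandboxed | classify_pkg)"
echo "privileged sample: $(sample_privileged | classify_pkg)"
# On a device: adb shell dumpsys package com.google.android.gms | classify_pkg
```

The check reads flags rather than the install path because an updated system app is stored under `/data/app` while keeping its system flags.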

Security hardening: where GrapheneOS goes further

Beyond the Google services question, GrapheneOS applies security hardening that CalyxOS does not match:

  • Hardened memory allocator: GrapheneOS replaces the standard Android memory allocator with a hardened version that makes heap-based exploits significantly more difficult. CalyxOS uses the standard AOSP allocator.
  • Stronger app sandboxing: GrapheneOS applies more aggressive isolation between apps and between apps and the system. This limits what a compromised app can do.
  • Reduced attack surface: GrapheneOS removes or disables unused kernel features and system components. Fewer components means fewer potential vulnerabilities.
  • Verified boot: Both support verified boot, but GrapheneOS maintains stricter requirements for hardware support, which is part of why it is exclusively supported on Google Pixel devices.
  • Extended permission controls: GrapheneOS adds permission categories not present in stock Android or CalyxOS — including network access permissions (preventing apps from accessing the internet at all), sensor permissions (blocking access to accelerometer, gyroscope, etc.), and storage/contact scopes.

Hardware support

GrapheneOS officially supports only Google Pixel devices. This is intentional: Pixel hardware is currently the only Android hardware that meets GrapheneOS's requirements for a dedicated security chip (Titan M2), a re-lockable bootloader, and a long-term security update commitment. The re-lockable bootloader is particularly important — it allows GrapheneOS to be installed and then the bootloader re-locked, so verified boot works exactly as it would on stock Android, protecting the entire boot chain.
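
Whether a device really has a re-locked bootloader with verified boot enforced can be read from its boot properties. The following is an added example, not part of the original article or of GrapheneOS: it parses `adb shell getprop` output for `ro.boot.flash.locked` and `ro.boot.verifiedbootstate`, where Android Verified Boot reports `yellow` for a locked bootloader with a user-installed key, `green` for the OEM key, `orange` for unlocked and `red` for failed verification. The sample input is constructed.

```shell
#!/bin/sh
# Added example: report the boot-chain state from `getprop` output on stdin.
# Output: relocked-custom-os | locked-stock | unlocked | failed | unknown
boot_state() {
    tr -d '\r' | {
        vb='' locked=''
        while IFS= read -r line; do
            case $line in
                "[ro.boot.verifiedbootstate]: ["*)
                    vb=${line#*": ["}; vb=${vb%"]"} ;;
                "[ro.boot.flash.locked]: ["*)
                    locked=${line#*": ["}; locked=${locked%"]"} ;;
            esac
        done
        case "$locked:$vb" in
            1:yellow)      echo relocked-custom-os ;;  # locked, user-installed key
            1:green)       echo locked-stock ;;        # locked, OEM key
            *:red)         echo failed ;;              # verification failed
            0:*|*:orange)  echo unlocked ;;            # boot chain not enforced
            *)             echo unknown ;;             # properties missing
        esac
    }
}

# Constructed sample: what a re-locked custom OS install is expected to report.
sample_relocked() {
    printf '%s\n' '[ro.boot.flash.locked]: [1]' \
                  '[ro.boot.verifiedbootstate]: [yellow]'
}

echo "sample: $(sample_relocked | boot_state)"
# On a device: adb shell getprop | boot_state
```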

CalyxOS supports a wider range of devices, including some Fairphone models and a selection of older hardware. This broader compatibility is useful for users who don't want a Pixel, but it means the security properties vary significantly by device.

Update cadence and long-term support

GrapheneOS has a consistent record of shipping security updates promptly after Google releases them — often within days. CalyxOS has historically had longer delays in delivering updates. For a security-focused OS, update latency matters: the window between a vulnerability being disclosed and a patch being available is when devices are most exposed.

Which should you choose?

If your primary concern is maximum security combined with strong privacy, GrapheneOS is the stronger choice. The sandboxed Google Play approach, hardened memory allocator, and stricter permission model give it a meaningfully better security profile than CalyxOS.

If you prioritise device compatibility and don't want to use a Pixel, CalyxOS's wider hardware support may be the deciding factor — and it still provides a substantially more private experience than stock Android.

Norypt uses GrapheneOS. The security properties — particularly the hardware-backed verified boot on Pixel hardware, the sandboxed Google Play approach, and the extended permission controls — align with what we consider correct configuration for a privacy device used in professional contexts.

If you're considering a Norypt Pixel Secure, it ships with GrapheneOS fully configured, bootloader re-locked, and all privacy defaults set before it reaches you.
