GrapheneOS vs LineageOS 2026: Custom ROM Comparison for Privacy Users
Detailed 2026 comparison of GrapheneOS and LineageOS: threat model, supported devices, security features, app compatibility, Play Services handling, daily-driver realism, verdict by user profile.
Marcus Fielding, 16 May 2026
GrapheneOS and LineageOS are the two custom Android ROMs that come up first in any 2026 privacy conversation. They both run on top of AOSP, both are free and open-source, and both claim to be better than stock Android for privacy. They are not, however, competing for the same user.
GrapheneOS is built for a sophisticated-attacker threat model and supports only the Google Pixel hardware line. LineageOS is built for the broad-compatibility long-tail and runs on devices the manufacturer abandoned years ago. The two projects’ technical bets, design choices, and daily-driver feel are different in ways that matter once you actually live with them for a few months.
This comparison walks through both, with a focus on the 2026 reality of running them on real devices, with real banking apps, real work apps, and real DRM streaming services.
Brief history: LineageOS 2016 fork + GrapheneOS 2019 launch
LineageOS was forked from the CyanogenMod project in December 2016 after the Cyngn Inc. corporate entity behind CyanogenMod announced it was shutting down its services. CyanogenMod itself dated to 2009 and had been the canonical custom Android ROM for a generation. LineageOS inherited the codebase, the contributor community, and the device tree library.
The LineageOS project is genuinely community-run, hosted on its own infrastructure, with builds released for hundreds of devices over the years. Through 2026 the project continues to ship builds based on Android 14 and Android 15 AOSP, with active maintenance for around 200 currently-supported devices and historical builds for many more.
GrapheneOS traces its origin to the CopperheadOS project (founded 2014, forked in 2018) and was relaunched as GrapheneOS in 2019 by Daniel Micay. The project is a deliberate departure from the LineageOS lineage. Rather than maximising device support, GrapheneOS focuses exclusively on Google Pixel hardware, because Pixels are the only Android devices that ship the hardware features GrapheneOS depends on: a Titan M2 secure element with verified boot for custom OS images, full bootloader unlocking with the ability to re-lock after flashing a third-party signing key, and long-term firmware support from Google.
The supported Pixel device list as of 2026 includes the Pixel 6, 6 Pro, 6a, Pixel 7, 7 Pro, 7a, Pixel 8, 8 Pro, 8a, Pixel 9, 9 Pro, and 9 Pro XL. The Pixel 9a was added shortly after its release. Older Pixels (5a and earlier) reach end-of-life on the project’s seven-year support window.
Threat models: GrapheneOS sophisticated attackers vs LineageOS broad device support
The clearest difference between the two projects is what threat they design against.
GrapheneOS explicitly designs against sophisticated state and non-state attackers with targeting capability: NSO Group’s Pegasus, Cytrox’s Predator, and the broader commercial spyware ecosystem that has been targeting journalists, activists, dissidents, and political figures since at least 2016. The project’s threat model document (published on the website and updated regularly) names specific adversary capabilities (zero-click exploit chains, kernel privilege escalation, persistence through reboots) and the mitigations the OS ships against them.
LineageOS does not publish a comparable threat model. The implicit threat model is closer to “stock Android plus vendor bloatware and telemetry, minus the manufacturer’s freedom to drop security updates after 2 to 3 years”. The project’s value proposition is broad device support, longer security update windows than the original vendor, and the option of running without Google Play Services. It is a privacy improvement over stock Android, but it is not designed for a high-risk operational environment.
The practical consequence: a journalist working a sensitive source in 2026 should use GrapheneOS. A general user wanting to escape Samsung bloatware on a Galaxy S10 should use LineageOS. These are not the same problem.
Supported devices 2026 (Pixel-only for Graphene vs 200+ for Lineage)
GrapheneOS officially supports only Google Pixel devices. The justification is hardware-backed verified boot and the ability to re-lock the bootloader after flashing a third-party signing key, both of which require Google’s bootloader cooperation. Pixels are the only Android phones in 2026 that consistently allow this. Some Fairphones and some OnePlus models allow bootloader unlock but do not allow re-locking with a third-party key, which means GrapheneOS cannot be installed in a secure-boot configuration.
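The locked-with-a-third-party-key configuration described above can be checked on a running device from its boot properties. The script below is an added example, not code from GrapheneOS or LineageOS; it assumes the device exposes `ro.boot.verifiedbootstate`, `ro.boot.flash.locked` and `ro.build.version.security_patch`, and the two property dumps are constructed samples.

```shell
#!/bin/sh
# Added example: classify verified-boot posture from `getprop` output.
# Property availability is assumed; the two dumps below are constructed samples.

# Print the value of one property from "[key]: [value]" lines.
prop() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Map bootloader lock state and verified-boot colour to a posture label.
#   green  = locked, image verified against the OEM key
#   yellow = locked, image verified against a user-set key
#   orange = unlocked, no verification enforced
boot_posture() {
    state=$(prop "$1" ro.boot.verifiedbootstate)
    locked=$(prop "$1" ro.boot.flash.locked)
    case "$locked:$state" in
        1:green)      echo "locked-oem-key" ;;
        1:yellow)     echo "locked-custom-key" ;;
        0:*|*:orange) echo "unlocked" ;;
        *)            echo "unknown" ;;
    esac
}

# Calendar-month difference between the security patch level and a
# reference date (both YYYY-MM-DD); the day of month is ignored.
patch_age_months() {
    patch=$(prop "$1" ro.build.version.security_patch)
    [ -n "$patch" ] || { echo "unknown"; return 0; }
    py=${patch%%-*}; pmon=${patch#*-}; pmon=${pmon%%-*}
    ry=${2%%-*};     rmon=${2#*-};     rmon=${rmon%%-*}
    # Strip a leading zero so "08" and "09" are not parsed as octal.
    echo $(( (ry - py) * 12 + ${rmon#0} - ${pmon#0} ))
}

# One-line summary for a property dump and a reference date.
report() {
    echo "$(boot_posture "$1") patch-age-months=$(patch_age_months "$1" "$2")"
}

# Constructed sample: relocked bootloader with a user-set key, current patches.
SAMPLE_RELOCKED='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [yellow]
[ro.build.version.security_patch]: [2026-05-05]'

# Constructed sample: unlocked bootloader, patch level six months old.
SAMPLE_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.version.security_patch]: [2025-11-05]'

report "$SAMPLE_RELOCKED" 2026-05-16
report "$SAMPLE_UNLOCKED" 2026-05-16
```

On a connected device, pass `"$(adb shell getprop)"` as the first argument to `report` and today's date as the second.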
LineageOS supports a much larger device list. The official supported-devices page in 2026 lists around 200 active devices and a long tail of community-maintained ones. Devices that come up regularly: Google Pixel 4 to Pixel 9 (community builds), Sony Xperia 1 III to XQ-EC54 family, Samsung Galaxy S10, S20, S21, S22, OnePlus 6T to OnePlus 11, Fairphone 4 and 5, Xiaomi Mi 10, Mi 11, Poco F3, F4, F5, ASUS Zenfone 8 and 9, and a handful of less-common models.
The build matrix changes constantly. Devices get added when a maintainer adopts them and dropped when the maintainer stops. The active-vs-discontinued line is fuzzy. Always check the current LineageOS device support page before assuming your device is covered.
Security features deep-dive (storage scoping, network permission, sandboxed Google Play)
GrapheneOS ships several security features that AOSP does not have. The ones that matter most in daily use in 2026:
- Hardened memory allocator (hardened_malloc): replaces the AOSP allocator with one designed against the heap-corruption exploit class. Reduces successful exploitation of memory-safety bugs. Performance impact is small (1 to 3 percent in most measurements).
- Storage scopes: per-app file access scoping. By default GrapheneOS denies an app access to your full storage, even if it requests it. You explicitly grant access to specific folders. The default-deny posture catches a lot of overcollection by apps that ask for “All files access” without needing it.
- Network permission: a per-app toggle that revokes internet access entirely. Useful for apps that should not phone home: calculators, image viewers, offline games, single-purpose tools. The toggle is present on stock Android but is much more discoverable on GrapheneOS.
- Sensor permission: per-app toggle to revoke microphone, camera, location, and other sensor access. Stock Android has runtime permissions, but GrapheneOS makes them harder to circumvent and easier to manage.
- Sandboxed Google Play: this is the headline feature. GrapheneOS runs Google Play Services as a regular app, in the standard user profile, with no system privileges. The user installs Sandboxed Play from the GrapheneOS App Store, signs in, and Play Services runs with the same permission model as any other app. Banking apps that require Play Integrity see a near-stock environment and pass. Apps that require system-level Google Play (a small minority) do not work.
- Duress PIN: a designated PIN that, when entered at the lock screen, wipes the device. Useful at border crossings or hostile arrest scenarios.
- Faster security patches: GrapheneOS often ships AOSP security patches faster than Google’s own Pixel firmware, sometimes by a few days, sometimes by a week or two.
LineageOS ships closer to vanilla AOSP. The project does its own quality assurance, includes upstream AOSP security patches, and offers optional features (Privacy Guard, network statistics, F-Droid as the recommended store, microG as a Play Services replacement). It does not ship the GrapheneOS-specific hardening (hardened_malloc, storage scopes, fine-grained network and sensor permissions). For a non-targeted user this is fine. For a targeted user it is not enough.
App compatibility (banking apps, work apps, DRM streaming)
This is the question that decides whether either ROM is realistic as a daily driver.
GrapheneOS with Sandboxed Play: the majority of apps work, including most banking apps. The GrapheneOS community maintains a public app-compatibility wiki that lists known-working and known-failing apps. As of 2026, common problem cases are a small number of European retail banks (notably some French, Belgian, and Dutch banks that explicitly check for stock firmware), a handful of fintech and neobank apps, some government identity apps in jurisdictions with strict device attestation requirements, and a few DRM-heavy streaming services that require Widevine L1 hardware-backed DRM (most work, but some refuse on custom ROMs).
LineageOS without root: passes basic ctsProfileMatch SafetyNet in most cases, but increasingly fails the hardware-backed strong attestation that Google has been pushing apps to require since 2022. By 2026, more banking apps require strong attestation, so LineageOS pass-rates on banking have dropped. Workarounds (Magisk + Universal SafetyNet Fix) work intermittently but require root, which trades one risk class for another.
Work apps (Slack, Microsoft Teams, Google Workspace, Zoom): work fine on both ROMs, both with and without Google Play Services. These apps do not require attestation.
Streaming services (Netflix, Disney+, HBO Max, Amazon Prime Video): vary. Netflix typically works at SD resolution on both, but HD or 4K requires Widevine L1 which is hardware-locked. GrapheneOS on Pixel typically gets Widevine L1, LineageOS on most devices gets Widevine L3 only. Spotify works on both.
Government apps (eID, tax filing, healthcare portals): highly jurisdiction-dependent. Some require stock firmware. Some accept Sandboxed Play. Check before committing.
Daily-driver realism (battery, camera, updates, support)
Battery: GrapheneOS on Pixel typically matches stock Pixel battery within 5 percent. LineageOS varies more by device, with battery life often slightly worse than stock on heavily customised Samsung or Xiaomi devices, sometimes better than stock when the vendor was running aggressive background tasks.
Camera: this is the GrapheneOS weakness. The Pixel camera app and the Google Photos pipeline depend on Google Camera and Google Photos’ HDR+ processing, which is part of Google Play Services in a way that GrapheneOS’s sandboxed Play does not fully reproduce. Photos taken on GrapheneOS look slightly less polished than the same Pixel running stock Pixel firmware. The GrapheneOS team has been working on camera quality through 2024 and 2025, and the gap has narrowed, but it has not closed entirely.
LineageOS camera quality is device-dependent. Some devices have excellent LineageOS camera builds (Pixel devices in particular). Others (Sony Xperia, some Samsung models) suffer because the camera HAL is partially closed-source.
Updates: GrapheneOS ships AOSP security patches usually within days of release. LineageOS ships monthly builds and is usually 1 to 3 weeks behind AOSP. For most users this is fine. For a targeted user, GrapheneOS’s update cadence is one of its strongest arguments.
Support: GrapheneOS has a paid support option, a community Matrix/IRC channel, and extensive documentation. LineageOS support is community-only, distributed across XDA-Developers and per-device threads. Quality varies widely by device.
Verdict by user profile: journalist/activist (GrapheneOS) vs general user (LineageOS)
The choice between GrapheneOS and LineageOS is not really a matter of “which is better in absolute terms”. They serve different users.
Pick GrapheneOS if you are:
- A journalist working on sensitive stories, especially with sources who could be targeted.
- An activist in a hostile or contested political environment.
- A security professional, penetration tester, or threat researcher who needs a hardened personal device.
- A high-net-worth individual or executive with a credible targeting risk.
- A general privacy-conscious user who is willing to buy a Google Pixel and live within its ecosystem trade-offs (no SD card, no headphone jack, accepting Google as the hardware vendor).
Pick LineageOS if you are:
- A general user wanting to escape vendor bloatware and continue using an older device after manufacturer support ends.
- A tinkerer who wants a customisable AOSP base for daily use.
- A user with a non-Pixel device (Sony, OnePlus, Fairphone, Samsung) where GrapheneOS is not an option.
- A user who values broad app compatibility over hardened security guarantees.
The two projects complement each other more than they compete. GrapheneOS occupies the top of the security pyramid, with the tightest threat model and the narrowest device support. LineageOS occupies the breadth-of-compatibility middle, with a broader user base and more relaxed security guarantees. The user who picks correctly is the user who matches their own threat model to the ROM that was designed for it.
For background on the broader Android security landscape and the sideloading practices that complement either ROM choice, see our sideloading Android security guide 2026 and the Android privacy hardening checklist. For the wider power user topic page on this site, GrapheneOS and LineageOS are recurring reference points across our ADB, Termux, and custom-launcher coverage.
In 2026 the choice is more defensible than it was five years ago: both projects have matured significantly, both have credible track records of security patching and community governance, and the worst-case “your custom ROM ate your phone” scenarios from 2018-2020 are rare. The hardest part of the decision is no longer whether to switch; it is figuring out which of the two matches your actual risk and tolerance for trade-offs.
FAQ
Is GrapheneOS legal?
Yes. GrapheneOS is open-source software released under the MIT and Apache 2.0 licenses, freely downloadable from grapheneos.org. Installing it on your own Google Pixel device is legal in every jurisdiction we are aware of. Most major banks, telecoms, and employers do not require any specific operating system on personal devices. The only practical considerations are that some carrier-locked Pixels in the United States may have additional steps to unlock the bootloader (a contractual issue with the carrier rather than a legal one), and that a small number of work-issued devices managed under MDM (Mobile Device Management) may have policies that forbid custom ROMs. On a personal Pixel that you own outright, you are free to install GrapheneOS.
Can I install banking apps on GrapheneOS?
Mostly yes in 2026. GrapheneOS supports Sandboxed Google Play, which runs Google Play Services and the Play Store as regular apps without elevated privileges. In this configuration, most banking apps that use Play Integrity for attestation will pass and run normally. A small minority of banking apps (notably some neobanks and a handful of European retail banks, including some French, Belgian, and Dutch institutions) check for stock firmware specifically and refuse to run on any custom ROM, including GrapheneOS. The GrapheneOS community maintains a public app-compatibility wiki that lists known-working and known-failing apps. Check your specific bank before switching, and keep your old phone available for a week or two until you have verified all the apps you depend on work.
Does LineageOS pass SafetyNet 2026?
Partially. LineageOS without root typically passes the basic ctsProfileMatch attestation, which is enough for many apps in 2026. It usually fails the hardware-backed strong attestation (basicIntegrity with hardware-attested key), which Google has been pushing apps to require since 2022. As more apps adopt strong attestation through 2024 to 2026, SafetyNet pass-rates on LineageOS have dropped compared to 2023. Banking apps in particular increasingly fail. The workarounds (Magisk module installation plus Universal SafetyNet Fix) work intermittently and require rooting the device, which has its own trust trade-offs (Magisk modules can compromise the entire OS if misused). For users who need reliable banking app support on a custom ROM, GrapheneOS with Sandboxed Play is a more dependable option in 2026.
Which is better for journalists?
GrapheneOS, almost always. The threat model GrapheneOS designs against (sophisticated state and non-state actors with targeting capability, including the commercial spyware ecosystem represented by NSO Pegasus and Cytrox Predator) matches the operational risk of investigative journalism in 2026. Specific features that matter: hardened malloc and runtime exploit mitigations reduce successful spyware infection, network and sensor permission toggles let you turn off location and microphone reliably and per-app, the duress PIN feature wipes data on entry of a designated PIN (useful at hostile border crossings), and the security audits and timely upstream patches are stronger than LineageOS. LineageOS is a reasonable privacy improvement for general users but does not target the same threat model and should not be the default choice for journalists, activists, or anyone in a high-targeting-risk situation.