Secure Element / Titan M2
Key storage, throttled auth, attestation keys.
Verified Boot (AVB)
Signed images; tamper detection from bootloader → OS.
Auditor / Remote Attestation
Hardware-backed verification of firmware/OS state.
GKI Kernel + LTS
Up-to-date LTS; hardened configs; zeroing freed memory.
Exploit Mitigations
Hardened libc & malloc; secure app spawning; CFI/SSP.
SELinux & seccomp
Tighter policies fortify sandbox boundaries.
Vanadium (WebView / Browser)
Hardened Chromium; strict site isolation; per-site JIT off by default.
Sandboxed Google Play
Runs as regular apps via GmsCompat; no special OS privileges.
Privacy by Default
HermesOS servers for connectivity, PSDS/SUPL proxy, network time.
Owner Profile
Per-app permissions, network & sensors toggles, scopes.
Secondary Profile
Isolated workspace for untrusted apps; optional Play.
App A
Standard app sandbox (no shared data by default).
App B (uses Play)
Opt-in IPC to sandboxed Play within the same profile.