Senior GrapheneOS Security Engineer

Key Responsibilities

1. GrapheneOS Deployment & Hardening

• Build, flash, and maintain GrapheneOS using deterministic, reproducible builds
• Configure hardened system components:
  • Memory tagging (MTE)
  • Hardened libc, kernel protections
  • Enhanced sandboxing and app isolation
• Optimize OS security posture without compromising usability for mission workflows
• Maintain strict separation between personal profiles, work profiles, and secure compartments

2. Secure Android Application Architecture (No Google Dependencies)

• Deploy and manage applications using:
  • F-Droid privileged extension
  • Aurora services (anonymous mode)
  • Custom internal app repositories
• Build or integrate end-to-end encrypted communication applications that run without Google Play, push services, or Firebase
• Configure per-application network routing, VPN restrictions, and firewall rules
• Implement a no-analytics, no-telemetry, and no-crash-reporting application infrastructure

3. Private, Self-Hosted Backend & Sync Layer

• Configure secure backend infrastructure (self-hosted; no third-party cloud):
  • Nextcloud (documents, encrypted backups)
  • Matrix Synapse (private messaging)
  • Vaultwarden (encrypted secrets)
  • Custom Tor hidden services for secure sync
• Establish Tor-only, metadata-minimized connectivity between phones and servers
• Build workflows where the device:
  • Only syncs on approved networks
  • Never leaks metadata
  • Maintains full sovereignty over backup locations and encryption keys

4. Zero-Trust Mobile Security Engineering

• Implement system-wide isolation mechanisms:
  • Hardened user profiles
  • Per-app storage scopes
  • Hardened toggles (camera, mic, sensors)
• Configure and maintain:
  • Verified boot
  • Integrity checks
  • Hardware-backed key storage
• Build provisioning pipelines for employees, VIP clients, or high-risk users

5. Threat Modeling, Monitoring & Red-Teaming

• Conduct adversarial threat modeling against:
  • Network attacks
  • Side-channel attacks
  • Baseband exploitation
  • Physical access attempts
• Test resistance to:
  • SIM-based hijacking
  • IMSI catchers
  • Rogue access points
  • App-level exfiltration
• Provide executive intelligence reports on vulnerabilities and risk exposure

Required Technical Skills

GrapheneOS & Android Security

• Expert knowledge of GrapheneOS internals, permissions, toggles, and threat model
• Experience with AOSP, Android kernel hardening, and system-level security patches
• Strong understanding of secure boot, verified boot, and hardware-backed key attestation

Networks & Privacy

• Strong foundation in:
  • Tor routing
  • VPN chaining
  • DNS over Tor/HTTPS
  • Firewall isolation
  • Zero-metadata communication workflows

Backend Sovereign Infrastructure

• Comfortable with:
  • Linux server security
  • Nextcloud with encrypted storage
  • Matrix Synapse
  • Vaultwarden
  • Custom private app stores

Cryptography

• Solid understanding of:
  • Hardware key storage
  • End-to-end encryption
  • Key rotation
  • Backup encryption
  • Secure file sharing

Personal Attributes

• Zero-trust mindset, assuming compromise until proven otherwise
• Surgical precision in configurations and security workflows
• Strong discipline in documentation and operational hygiene
• Ability to translate complex technical security risks into clear, executive-level guidance
• Extreme discretion and respect for confidentiality

What This Role Enables

A fully sovereign, Big-Tech-free Android mobile ecosystem

• Mobile devices resistant to advanced surveillance, interception, and network-based attacks
• GrapheneOS-hardened communication channels with zero metadata leakage
• A secure, private backend infrastructure outside U.S. or EU jurisdiction
• A system architecture capable of withstanding state-level threat models