Features
About
AXP.OS is a more private and secure mobile operating system that is based on AOSP & LineageOS and has emerged from the well-known but discontinued operating system DivestOS.In particular AXP.OS aims to support devices that would otherwise no longer receive any (Android/Kernel) updates and are therefore easily vulnerable. All this is based on a best-effort principle, also because outdated devices no longer receive updates for proprietary firmware and are therefore insecure by definition.
AXP.OS at least tries to close all the gaps that are possible.
In addition to this main goal, this project attempts to strike a balance between a
privacy and
security-oriented
yet usable
operating system - not least for advanced* users.
*i.e. including full control over your own device - if explicitly desired.
For this reason, there are so-called flavors, namely “Slim” and “Pro”, from which users can choose based on their personal requirements.
For more details checkout the
Features page
Flavor comparison
| Feature | Pro ⚙️ | Slim 🛡️ |
|---|---|---|
| Using Graphene’s hardened malloc (comparison) | X | X |
| OTA (Over The Air) updates | X | X |
| Including ASB patches (see AXP.OS patch level for details) | X | X |
| Hardened and focusing on security and privacy | X | X |
| Hardened Browser & WebView by EXTENDROM_PACKAGES | X | X |
| Extra hardened Kernel for Pixel devices (GrapheneOS based, plus CVE patches, since A15) | X | X |
| Hardened Kernel for any device | X | X |
| CVE patched Kernel for any device | X | X |
| Extra Privacy by extensive deblobbing and privacy-focused settings (config) | X | |
| Super Privacy by even more extensive deblobbing and privacy-focused settings (config) (while reducing usability) | X | |
| SELinux enforced | X | X |
| Data encryption enforced | X | X |
| Signed (by AXP.OS keys) | X | X |
| Increased key size + hash (8192 / sha512) for AVB, APK signing and dm-verity (incl. adjustments in recovery and OTA Updater to support higher hash algo) | X | X |
| Advanced boot debug log (EXTENDROM_BOOT_DEBUG) | X | X |
| Advanced Signature spoofing support by EXTENDROM_SIGNATURE_SPOOFING (must be explicitly enabled) | X | X |
| Using the AOSmium System WebView by EXTENDROM_PACKAGES | X | X |
| Extra Apps included by EXTENDROM_PACKAGES (F-Droid, AuroraStore, FossifyGallery) | X | X |
| extended list of F-Droid repositories (1,2,3,4) (must be explicitly enabled) | X | X |
| eSIM support (A10 and later) for devices supporting euicc (must be explicitly enabled) | X | X |
| Internal DNS content blocker (blocklist) | X | X |
| Disable call recording restrictions (by EXTENDROM) (must be explicitly enabled) | X | X |
| Re-locking the bootloader on supported devices | X | X |
| Reproducible builds - see the details | X | X |
| microG included (requires to explicitly enable signature spoofing) | X | ¹ |
| Current and microG compatible Google Play Store included (must be explicitly enabled) | X | ¹ |
| WireGuard VPN Kernel module | X | ² |
| Pre-rooted (Magisk) by EXTENDROM_PREROOT_BOOT - Bootloader re-lock compatible (must be explicitly enabled and activated first) | X | |
| Basic (i.e. w/o SafetyNet) support for Widevine DRM | X | |
| Supporting a FULL(!) app & settings backup & restore | X | |
| Advanced Usability Support by EXTENDROM_PACKAGES (Magisk, MicrogGmsCore, GsfProxy, Phonesky, NeoLauncher) | X | |
| On device* testing before release (*for devices marked as “verified by the AXP Team”) | X |
- ¹ while not supported (and not possible on bootloader-locked devices) you can flash microG as in LineageOS.
AXP.OS Phonesky can be installed manually (via a custom recovery: place it in/system/priv-app/Phonesky/).
Regardless if using the microG FakeStore or AXP.OS Phonesky you need to follow the setup guide) as well. - ² some kernels have the wireguard patches already included - the Slim flavor will not remove them while you need root to activate it
Which flavor to choose?
Freedom of choice also brings with it a sometimes overwhelming flood of information. The table above may not be helpful for everyone. Here are some rough decision-making aids:
| Feature | Flavor |
|---|---|
| Purchasing apps (incl. In-App) via Google Play required? | Pro ⚙️ |
| Root/Magisk required? | Pro ⚙️ |
| Debugging required (really own your device)? | Pro ⚙️ |
| Full(!) backup of any(!) app needed? | Pro ⚙️ |
| Installing Google Play apps required (no purchase)? | Pro ⚙️ / Slim 🛡️ |
| Installing FOSS apps by F-Droid | Pro ⚙️ / Slim 🛡️ |
| Security is more important than usability? | Slim 🛡️ |
| Privacy is more important than usability? | Slim 🛡️ |
| … still uncertain? | Slim 🛡️ |
Pro flavor
The Pro flavor of AXP.OS comes pre-rooted which is a major difference between many (if not all) other custom OS and requires to read the documentation properly and acting wisely (i.e. not installing APKs from random sources, open every link in mails you get, installing OS and app updates quickly, etc). Also main parts are directly integrated into the OS, i.e. you do not need to care about installing “compatibility layers” like microG and can even use the official Google Play store (btw, another unique feature of AXP.OS Pro that no other OS offers).
While the OS comes pre-rooted root is not active at all and requires to actively enable it (downloading Magisk companion app, starting app, choose to activate Magisk, reboot) to make it usable first. That means if you do not need root you can simply skip that step and there will be no root (even no su binary) available at all. No app can access/detect root then. If the user decides not to activate root, there is still a chance it can become problematic:
- you get infected by malware and/or getting hacked (see above on how to reduce risks)
- if you then also get tricked into activating root:
- with user interaction: lets say the malwares shows a button which then silently downloads magisk, it also must silently install(!) magisk which is nothing an user app can do by default (installing apps is a dangerous permission no user app gets by default). but lets say it can also install Magisk, it still requires you to open Magisk and choose to enable root AND to reboot. Here latest you should be aware of something is unusual if an app prompts you there. So ok lets say a more advanced attack could also act as an overlay over other apps (this is also a dangerous permission no user app can get by default) and trick you by clicking even that button well then.. it still requires to get root permissions which means Magisk will prompt you allowing/denying root for that specific malware app. If all that went through then yes, an app has all full access to the device. A more likely attack would be that you get tricked to install a custom Magisk app which comes pre-configured to skip all these manual activation steps. So, the “installing apps” permission request is your best (and only!) protection then.
TL;DR: If your device is infected AND you grant this permission (“allow to install apps”) without thinking, there is nothing to stop the malware/attacker from doing what it wants. - without user interaction the malware/attacker must perform all the mentioned manual activation steps behind your back. This requires unpatched exploit(s) (see AXP.OS patch level) which is what AXP.OS tries to reduce with several actions, while there is no guarantee at all. Of course this requires the user to install any update quickly as well.
- with user interaction: lets say the malwares shows a button which then silently downloads magisk, it also must silently install(!) magisk which is nothing an user app can do by default (installing apps is a dangerous permission no user app gets by default). but lets say it can also install Magisk, it still requires you to open Magisk and choose to enable root AND to reboot. Here latest you should be aware of something is unusual if an app prompts you there. So ok lets say a more advanced attack could also act as an overlay over other apps (this is also a dangerous permission no user app can get by default) and trick you by clicking even that button well then.. it still requires to get root permissions which means Magisk will prompt you allowing/denying root for that specific malware app. If all that went through then yes, an app has all full access to the device. A more likely attack would be that you get tricked to install a custom Magisk app which comes pre-configured to skip all these manual activation steps. So, the “installing apps” permission request is your best (and only!) protection then.
The Pro flavor symbol ⚙️ should reflect that it comes pre-configured and includes engineering tools like being pre-rooted. Besides this all major security and privacy mechanism and pre-cautions are mostly similiar (see above feature comparison) between Pro and Slim.
Slim flavor
The Slim flavor on the other side, does not come pre-rooted and offer you an OS without compromise regarding security and privacy (compared to Pro). Unfortunately this comes with some drawbacks regarding usability.
Examples are:
- longer first-time GPS (location) fix
- using several Google apps require to manually install microG
- some apps do not work or functionality is not available/reduced due to the more extensive deblobbing
These might sound more problematic than it is in real-life. Usually it does not have such a big impact (depends on the device and Android version) and as shown in the “Which flavor to choose” table above, Slim is still the recommended choice if you are uncertain where to start. It is highly recommended to fully test all your apps & requirements before using it as a daily driver though so you could switch to Pro if it fits better for your needs.
The Slim flavor symbol 🛡️ should reflect that it comes with all possible pre-cautions in terms of security and privacy.
Divest Notice
Up to Dec 2024 AXP.OS was based on DivestOS, see the EOL notice for Divest and its impact on AXP.OS here.
For this reason, AXP.OS started at the beginning of 2025 with different flavors, where Slim represents a Divest-like experience (Slim uses 99% of the DivestOS setup and configuration).
Simplified(!) OS comparison
The following is just a simplified comparison between some popular custom OS and is meant to give a short overview only (there are dozens of detailed comparisons available elsewhere).
Examples of more detailed comparisons (even though without AXP.OS) can be found:
- here or
- here (hint: AXP.OS has always been based on DivestOS and therefore always contained all of its features. Since January 2025, AXP.OS has been developed independently on this last available DivestOS code base.)
The Main(!) focus column is a bit vague or better said subjective as all OS claim to be all of these 3: user-friendly, secure and privacy-friendly.
Yes, Privacy always requires having a secure device, too! Although security and privacy are often mentioned in the same breath, the two terms are not synonymous (details). OS in the following table having Privacy as their main focus doing this more intensively than others. See Privacy Examples to get an idea.
| OS | Main(!) focus | Pro | Contra |
|---|---|---|---|
| LineageOS | Usability | wide range of supported devices, very high usability | no focus on privacy + security, only latest 2-3 major releases supported |
| CalyxOS | Usability, Privacy | high usability, customizable | no focus on security, does not support older Android versions, recently paused development, mostly Pixel devices focussed |
| GrapheneOS | Security | best in class focus on security, good usability | Google Pixel devices only, usually does not support older Android versions |
| /e/ OS | Usability, Privacy | wide range of supported devices, very high usability | no focus on security, does not support devices with older Android versions, late ASB patches |
| AXP.OS - Pro ⚙️ | Usability, Privacy | best balance between modding, usability, security and privacy, supports devices with older Android versions, good range of supported devices, extensive testing (no blind builds!) | only a subset of LineageOS devices currently supported, reduced security compared to the Slim flavor |
| AXP.OS - Slim 🛡️ | Security, Privacy | provides good usability while focussing strictly on security and privacy, supports devices with older Android versions, good range of supported devices, extensive testing (no blind builds!) | only a subset of LineageOS devices currently supported, reduced usability compared to the Pro flavor |
Privacy examples:
- reducing/disabling Call-Home functions
- reducing/removing Google dependencies
- deblobbing of proprietary parts
- …
Usability examples:
- allow or even include custom extensions (e.g. microG)
- pre-configurations
- including certain Apps
- support installing Apps from F-Droid
- …
Security examples:
- ASB patching/backporting
- (CVE related) Kernel patching
- intensive hardening (e.g. malloc replacement)
- …