DEV.co
Open-Source Observability · GrapheneOS

Auditor

Auditor is an Android app that verifies the integrity and authenticity of your device using hardware-backed cryptographic attestation. It can run local peer-to-peer checks via QR codes or schedule remote server-based verification with email alerts.

Source: GitHub — github.com/GrapheneOS/Auditor
673
GitHub stars
110
Forks
Java
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryGrapheneOS/Auditor
OwnerGrapheneOS
Primary languageJava
LicenseMIT — OSI-approved
Stars673
Forks110
Open issues47
Latest release92 (2026-05-30)
Last updated2026-06-26
Sourcehttps://github.com/GrapheneOS/Auditor

What Auditor is

A Java-based Android application leveraging hardware-backed keys (StrongBox), verified boot, and secure boot chains to perform local and remote attestation. Chains hardware trust to software integrity checks and supports both QR-code-based peer verification and optional server-side scheduled attestation.

Quickstart

Get the Auditor source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/GrapheneOS/Auditor.gitcd Auditor# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Device Integrity Verification for Security-Conscious Users

Organizations or individuals managing GrapheneOS or hardened Android devices can perform periodic integrity checks to detect unauthorized modifications or intrusions without external infrastructure.

Peer-to-Peer Trust Establishment

Two Android devices can mutually verify each other's authenticity and state via QR code exchange, useful for organizations with small user bases or high-security environments requiring offline verification.

Remote Device Monitoring with Optional Alerting

Organizations can opt into scheduled server-based attestation with email notifications for fleet monitoring, incident response workflows, or compliance logging of device state changes.

Implementation considerations

  • Hardware attestation availability varies by device, OEM, and Android version; validation on target device models is required before deployment.
  • QR-code-based peer verification is manual; scale beyond small teams requires automation or the optional server backend.
  • Server-based attestation requires infrastructure setup and email configuration; vendor/hosting choice affects alerting reliability and latency.
  • App requires appropriate Android permissions and may conflict with MDM policies if device management is already enforced.
  • Attestation chain verification is only as strong as the underlying hardware; compromised bootloader or firmware bypasses app-level guarantees.

When to avoid it — and what to weigh

  • Non-Android or Non-Hardware-Backed Platforms — Auditor requires Android and hardware attestation support (StrongBox, Titan, or equivalent). Devices without secure enclaves cannot use core functionality.
  • Centralized Management Without Server Commitment — If you need large-scale fleet attestation with zero server infrastructure, peer-to-peer QR verification does not scale; the optional server component is required.
  • Require Pre-Built Commercial Support or SLAs — This is an open-source project without stated commercial support, SLAs, or guaranteed response times. Maintenance is community-driven.
  • Non-GrapheneOS Ecosystems Primarily — While compatible with standard Android, the project is optimized for GrapheneOS. Compatibility and feature parity on other ROM distributions requires separate validation.

License & commercial use

MIT License. Permissive OSI-approved license allowing modification and redistribution with attribution.

MIT is permissive and generally suitable for commercial products; however, consult legal counsel on your specific use case (e.g., bundling in a commercial product, liability disclaimers). No commercial support, warranty, or licensing guarantees are stated in the provided data.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationLimited
License clarityClear
Deployment complexityModerate
DEV.co fitPossible
Assessment confidenceMedium
Security considerations

Auditor relies on hardware-backed attestation chains and secure boot. Effectiveness depends on device bootloader integrity, firmware updates, and absence of hardware exploits. App-level verification cannot detect compromises below the attestation root of trust. Remote server attestation introduces network and endpoint security: ensure TLS, certificate pinning, and server security hardening. QR verification is replay-resistant if implemented correctly; review protocol details independently.

Alternatives to consider

Google Play Integrity API

Cloud-based attestation from Google; centralized, no self-hosted infrastructure. Trade-off: less transparency, dependent on Google infrastructure and policies.

Samsung Knox Vault / Qualcomm Snapdragon Secure Processing Unit

OEM-specific hardware security modules with vendor tooling. Trade-off: OEM lock-in, less open-source control, may not support peer verification workflows.

Custom Attestation Using Android Attestation API

Build in-house attestation if you need full control and tight integration with existing infrastructure. Trade-off: significant engineering effort, maintainability burden, slower iteration.

Software development agency

Build on Auditor with DEV.co software developers

Review the full documentation at attestation.app/about. Validate hardware compatibility on your target devices. For custom integration or server deployment support, contact our technical team.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

Auditor FAQ

Does Auditor work on devices without StrongBox?
Auditor requires hardware-backed attestation. Devices without StrongBox, Titan, or equivalent secure enclaves cannot provide the same guarantees. Fallback behavior is not clearly documented in the provided data.
Is the server-based attestation optional?
Yes. Local peer verification via QR codes requires no server. Server-based scheduled verification is optional and requires infrastructure setup.
Can I use Auditor in a commercial product?
MIT License permits commercial use. However, ensure you comply with attribution requirements and consult legal on liability. No commercial support is provided.
What is the deployment effort for the server component?
Not fully detailed in provided data. Review https://attestation.app/about and project documentation for infrastructure, dependencies, and configuration requirements.

Work with a software development agency

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If Auditor is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate Auditor for Your Device Security Needs

Review the full documentation at attestation.app/about. Validate hardware compatibility on your target devices. For custom integration or server deployment support, contact our technical team.