What exploit protections are most likely to lead to apps having issues?

catsandencryption

So currently I am looking though the GrapheneOS settings and I see the exploit protection settings, I have these settings:
Auto-reboot: 12 hours
USB-C port: charging only when locked
Turn off Wi-FI automatically: 2 hours
Turn off Bluetooth automatically: 10 minutes
Hardened memory allocator: on (enabled for all)
Memory tagging: off by default
Ext virtual address space: on
Native code debugging: blocked by default
Webview JIT: Enabled for 3rd party by default
Dynamic code loading by memory/storage: both allowed for third party apps by default
Secure app spawning: on

Are there any features from these that I can enable to improve device security without a lot of my apps breaking? What are the higher risk ones to enable that might break more apps? Also is there anything else I can do to harden my device further against potential adversaries, or to make it more private?

Franco

catsandencryption Are there any features from these that I can enable to improve device security without a lot of my apps breaking?

Hello, the approach I take is to enable all the exploit protections by default initially. Then, if an app crashes due to a specific setting when I first open it, I'll grant that particular permission on a case-by-case basis. I'm also careful when installing new apps, I make sure that they come from the developer and I have no shady app installed. I also try to have as few as apps installed as possible (less is more, it reduces the attack surface).

I my case, almost everything works with those setting enabled by default:
-Hardened memory allocator: on by default (except 1 banking app )
-Memory tagging: on by default (except 2 banking apps )
-Native code debugging: blocked by default (except 1 banking app )
-Webview JIT: Disabled for for all (except the PDF Viewer of GoS )
-Secure app spawning: on

But I need to grant exceptions for a couple of applications for those settings:
-> Dynamic code loading by memory/storage: restricted by default, allowed only if the app crashes.
Sometimes an app displays a notification stating that it tried to use Dynamic code loading by memory/storage, but the app still works well. Then I keep the setting disabled for this app.

Franco

Edit: WhatsApp occasionally crashes because of MTE, but I accept it and relaunch the app when it happens.

oci3o

You will be notified if an app needs a specific setting the toggles stop.

The only ones I've seen cause crashes are Memory tagging, native code debugging and DCL, banks usually need native code debugging for example, so I just tap the notification and enable it for that app.
Once you've launched all your apps for the first time, and changed the required toggles, it shouldn't cause more issues unless something changes, or you install / reinstall an app.