GrapheneOS [Unofficial]
- GrapheneOS To Temporarily Have Kernel 32-bit Compatibility Layer Change Revertedgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
Unfortunately, it means we need to temporarily revert the removal of the kernel's 32-bit compatibility layer on devices without 32-bit support. Banking apps are holding back security with their anti-tampering libraries. They do this to make it harder to audit their insecure apps.
Certain banking apps use a buggy anti-tampering library which was broken by a security improvement in the most recent GrapheneOS release. It wasn't reported during 2 days of Alpha/Beta testing. We've paused rolling it out to the Stable channel and we're working on resolving it.
Compatibility issue is caused by these apps having hand-written 64-bit ARM assembly code that's making system calls with the 32-bit ARM compatibility layer even on devices unable to run 32-bit ARM code at a CPU level. They depend on a quirk of how 32-bit ARM compatibility works.
Unfortunately, it means we need to temporarily revert the removal of the kernel's 32-bit compatibility layer on devices without 32-bit support. Banking apps are holding back security with their anti-tampering libraries. They do this to make it harder to audit their insecure apps.
- GrapheneOS version 2024071200 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.
Tags:
- 2024071200-redfin (Pixel 4a (5G), Pixel 5)
- 2024071200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
Changes since the 2024070900 release:
- kernel (Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a): temporarily revert disabling 32-bit ABI support due to rare cases of apps using a buggy anti-tampering library incorrectly calling 32-bit versions of system calls from 64-bit code even on devices with no 32-bit support in hardware
- kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.160
- kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.38
- TalkBack (screen reader): update dependencies
- TalkBack (screen reader): remove more unused resources
- TalkBack (screen reader): drop 32-bit OS support
- GrapheneOS version 2024070900 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.
Tags:
- 2024070900-redfin (Pixel 4a (5G), Pixel 5)
- 2024070900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
Changes since the 2024070201 release:
- Settings: extend standard fingerprint enrollment stages with proper support for devices with power button fingerprint scanners (Pixel Fold, Pixel Tablet) which is not present in AOSP (Pixel Fold was still usable, but it had become incredibly hard to successfully register new fingerprints on the Pixel Tablet)
- improve warning for 32-bit-only apps by explaining why the warning is shown, how to resolve it for apps that are still developed and that we plan to phase out support for it on 5th/6th generation Pixels where it's still available
- show warning for 32-bit-only apps on each launch instead of only once
- kernel (Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a): disable 32-bit ABI support to substantially decrease kernel size and attack surface and raise mmap_min_addr to the standard 65536 for 64-bit-only ARM
- kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.158
- adevtool: update file removal for 8th gen Pixels to skip Family Space related files
- GmsCompatConfig: update to version 122
- Vanadium: update to version 126.0.6478.122.3
- Phasing Out 32-bit-only App Support For Older Devicesgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
It hasn't been possible to install 32-bit-only apps from the Play Store on 64-bit-capable devices since August 2021 and they blocked uploading either new apps or app updates without 64-bit support since August 2019. Discussion: https://discuss.grapheneos.org/d/14004-phasing-out-32-bit-only-app-sup...
Phasing out 32-bit-only app support for older devices too:
We're planning on phasing out support for 32-bit apps on 5th/6th generation Pixels where they're still supported. They were already phased out by Android for 7th generation Pixels and later, and by ARM for 2nd generation ARMv9 Cortex cores onwards.
Since 7th/8th generation Pixel users are doing fine without them, we want to bring the improved security to users on 6th generation Pixels which still have a lot of support ahead of them. It will also save a significant amount of build time and bandwidth, particularly when we can move to 64-bit-only builds of Vanadium.
The main benefit is dropping all the 32-bit ABI support from the kernel including a bunch of awful legacy cruft for emulating legacy ARM features no longer supported by hardware.
The next release will add a clear warning to each launch of 32-bit-only apps. In nearly all cases, people just need to switch to proper builds of apps which aren't 32-bit-only such as the ones distributed by certain 3rd party mirror sites where users accidentally ended up on 32-bit-only builds.
It hasn't been possible to install 32-bit-only apps from the Play Store on 64-bit-capable devices since August 2021 and they blocked uploading either new apps or app updates without 64-bit support since August 2019.
Discussion:
https://discuss.grapheneos.org/d/14004-phasing-out-32-bit-only-app-support-for-older-devices-too
- Vanadium version 126.0.6478.122.3 releasedgithub.com Release 126.0.6478.122.3 · GrapheneOS/Vanadium
Changes in version 126.0.6478.122.3: switch to using API 35 (Android 15) SDK and build tools set target API level to 35 (Android 15) to support providing the WebView on Android 15 add support for ...
Changes in version 126.0.6478.122.3:
- switch to using API 35 (Android 15) SDK and build tools
- set target API level to 35 (Android 15) to support providing the WebView on Android 15
- add support for newer protobuf versions
- switch to 64-bit-only builds for x86_64 since the only supported x86_64 build targets for GrapheneOS are 64-bit-only
A full list of changes from the previous release (version 126.0.6478.122.2) is available through the Git commit log between the releases.
This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
- GmsCompatConfig (sandboxed Google Play compatibility layer configuration) version 122 releasedgithub.com Release config-122 · GrapheneOS/platform_packages_apps_GmsCompat
Changes in version 122: update max supported version of Play services to 24.26 update max supported version of Play Store to 41.7 A full list of changes from the previous release (version 121) is...
Changes in version 122:
- update max supported version of Play services to 24.26
- update max supported version of Play Store to 41.7
A full list of changes from the previous release (version 121) is available through the Git commit log between the releases (only changes to the
gmscompat_config
text file andconfig-holder/
directory are part of GmsCompatConfig).This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.
- GrapheneOS version 2024070201 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
Since Android 14 QPR3 is a major release, the end-of-life Pixel 4a (5G) and Pixel 5 receiving extended support releases from GrapheneOS will need to be ported to it with additional work in a future release, which is done as a low priority. Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.
Tags:
- 2024070201 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
Changes since the 2024070200 release:
- full 2024-07-05 security patch level
- rebased onto AP2A.240705.005 Android Open Source Project release
- avoid skipping toggling USB port after unlock in certain edge cases to make sure devices connected while locked are always detected when unlocking
- fix upstream bug causing first party app stores using the package install dialog to be blocked when the user isn't allowed to install apps from third party sources
- fix notification suppression check in currently unused code to prepare for our per-app clipboard toggle
- adevtool: download and use latest Pixel carrier settings from the API for use by our CarrierConfig2 app instead of using the snapshot included in the latest Pixel stock OS release since it lags months behind
- Settings: fully fix regression permitting disabling apps when it shouldn't be allowed due to device manager policy
- Sandboxed Google Play compatibility layer: stub out reads of hidden system settings in Google's speech services app to avoid uncaught security exceptions
- Sandboxed Google Play compatibility layer: don't allow the Play Store to abort pending package installation to avoid it cancelling install/update attempts after 10 minutes of waiting for requested user approval it hasn't been designed to handle
- kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.218
- kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.155
- kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.36
- GrapheneOS version 2024070200 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
This is an early July security update release based on the July 2024 security patch backports. This month's release of the Android Open Source Project and stock Pixel OS will be available later today and we'll quickly release an update based on it following this one.
Since Android 14 QPR3 is a major release, the end-of-life Pixel 4a (5G) and Pixel 5 receiving extended support releases from GrapheneOS will need to be ported to it with additional work in a future release, which is done as a low priority. Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.
Tags:
- 2024070200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
Changes since the 2024062700 release:
- full 2024-07-01 security patch level
- Vanadium: update to version 126.0.6478.122.1
- Vanadium: update to version 126.0.6478.122.2
- Info: update to version 3
- GmsCompatConfig: update to version 121
- GrapheneOS Organization Addresses Unplugged Selling Insecure Hardwaregrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
Their messaging service is simply Matrix. Matrix is not a good private messaging system because it doesn't encrypt any metadata or even emoji reactions, and all that metadata is stored on each server for each room: room members, power levels, time/size/sender of messages, etc.
Unplugged are a recent entry in the crowded space of selling insecure hardware with significantly worse privacy and security than an iPhone as highly private and secure. Bottom of the barrel MediaTek device with outdated AOSP is worse than status quo. All marketing, no substance.
As part of marketing their products, Unplugged are spreading unsubstantiated spin and misinformation about GrapheneOS and the much more secure hardware we target. We've been aware of it for a while but chose not to respond to it until they began doing it in direct response to us.
GrapheneOS is a hardened OS built on the latest release of the Android Open Source Project rather than older releases with inferior privacy/security and incomplete privacy/security patches. We substantially improve privacy/security with our changes rather than making it worse.
The work we do in GrapheneOS is highly regarded by privacy and security researchers. We've made major upstream contributions to the Android Open Source Project, Linux kernel and other projects, both through submitting privacy/security improvements and reporting vulnerabilities.
We've also reported numerous vulnerabilities in hardware/firmware along with making multiple suggestions for new features which were implemented for Pixels. They're the only devices meeting our security requirements (https://grapheneos.org/faq#future-devices). We target them because of security.
Pixels have first class alternate OS support, which does not come at the expense of security. Support for installing an alternate OS is implemented securely as part of best in class boot chain and secure element security for Android devices. Supporting it has benefited security.
Unplugged has claimed open source and support for alternate operating systems reduces security. Pixel security has benefited from many external security researchers along with contributions from GrapheneOS because of it. They'll benefit more as they publish more firmware sources.
GrapheneOS not only leverages the same hardware-based security features as the OS but implements major hardware-based features unavailable elsewhere.
Hardware memory tagging for production hardening is an exclusive GrapheneOS feature with a best-in-class implementation.
Our USB-C port and pogo pins control feature does hardware-level attack surface reduction with code written for the drivers on each device:
https://grapheneos.org/features#usb-c-port-and-pogo-pins-control
Our Auditor app leverages the pinning-based hardware attestation available on Pixels based on our proposal for it.
Many of our other features are hardware-based, and some of these exist because of features we proposals or helped to secure against weaknesses.
In April, Pixels shipped reset attack protection for firmware based on our proposal, which is not available on other Android devices.
That reset attack protection blocks real world attacks by forensic data extraction companies, which we reported to Android. In April, Pixels also shipped a mitigation against interrupted factory resets used by those companies based on our report, not yet available on non-Pixels.
In June, Android 14 QPR3 was released with a hardware-based OS feature fully blocking interrupting factory resets. This was based on our initial proposal we made as part of our reports of active exploits in January, similar to the reset attack protection shipped in April.
Unplugged uses an older Android release. They do not have this AOSP patch. Their hardware is missing many standard security features including these recent 2 improvements shipped on Pixels. Their hardware doesn't even close to meeting our list of security standards even on paper.
Unplugged has tried to misrepresent these improvements and falsely claimed they're uniquely relevant to Pixels due to alternate OS support. That's not true. Their device is missing these and many other security features, and is not more secure due to lacking alternate OS support.
Unplugged has tried to spread fear, uncertainty and doubt about the hardware we support despite it being much more secure and trustworthy. MediaTek does not have a good security reputation and has repeatedly shipped real backdoors unlike the unsubstantiated claims from Unplugged.
Unplugged was founded by Erik Prince, the same person who founded Blackwater. Erik and others involved in UP are deeply tied to human rights abuses and surveillance around the world. Best case scenario is they're simply grifting like the Freedom Phone. Worst case is much worse.
Our initial response to someone asking about them is here, where we were avoided saying more than necessary:
https://x.com/GrapheneOS/status/1804551479484645421
Unplugged followed up with spin and misinformation about GrapheneOS, which we debunked, and then they doubled down on doing even more of it.
Since they posted huge tweets, we replied with our own huge tweets with inline quotes of everything they wrote for ease of understanding:
1/2:
https://x.com/GrapheneOS/status/1804634097442324989
2/2:
https://x.com/GrapheneOS/status/1808159435245646046
Unplugged in also infringing on the open source licensing multiple projects including DivestOS where they ripped off their AV from without attribution. They even still use DivestOS servers without permission. SkewedZeppelin is lead developer of DivestOS (URLs are in alt text):
Their messaging service is simply Matrix. Matrix is not a good private messaging system because it doesn't encrypt any metadata or even emoji reactions, and all that metadata is stored on each server for each room: room members, power levels, time/size/sender of messages, etc.
- GmsCompatConfig (sandboxed Google Play compatibility layer configuration) version 121 releasedgithub.com Release 3 · GrapheneOS/Info
Notable changes in version 3: avoid donate tab getting reset back to the start screen in an edge case add network security configuration with key pinning for grapheneos.org update AndroidX Lifecyc...
Changes in version 121:
- update max supported version of Play services to 24.24
- update max supported version of Play Store to 41.6
A full list of changes from the previous release (version 120) is available through the Git commit log between the releases (only changes to the
gmscompat_config
text file andconfig-holder/
directory are part of GmsCompatConfig).This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.
- GrapheneOS Info app version 3 releasedgithub.com Release 3 · GrapheneOS/Info
Notable changes in version 3: avoid donate tab getting reset back to the start screen in an edge case add network security configuration with key pinning for grapheneos.org update AndroidX Lifecyc...
Notable changes in version 3:
- avoid donate tab getting reset back to the start screen in an edge case
- add network security configuration with key pinning for grapheneos.org
- update AndroidX Lifecycle libraries to 2.8.3
- development environment improvements
A full list of changes from the previous release (version 2) is available through the Git commit log between the releases.
Releases of the app are published in the GrapheneOS app repository. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.
- GrapheneOS Organization Discusses Upcoming Chromium Changes To JITgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
In theory, we could add 4 choices instead of 2: Disabled, Baseline JIT, Baseline JIT + Tier 2 and Full JIT. However, it's likely far too complicated and we're likely going to stick with having it either enabled or disabled. Chromium will hopefully add a WASM interpreter soon...
Chromium's V8 Optimizer toggle for disabling JavaScript JIT compilation was changed to only disable the 2 higher tiers of JIT compilation while still leaving the baseline JIT compiler enabled. This also caused the device management policy for JIT predating this to change meaning.
They did this because they decided having a toggle which breaks WebAssembly support is unacceptable. We had to revert these changes.
Microsoft Edge implemented a WebAssembly interpreter instead, but it's not open source and there's no ongoing attempt to upstream it to Chromium.
Vanadium disables JS JIT by default and provides a convenient per-site toggle available in the drop down menu next to the URL. We've restored the previous meaning of disabling the JIT so you'll need to add exceptions for sites requiring WebAssembly again.
https://grapheneos.social/@GrapheneOS/112707958275115758
In theory, we could add 4 choices instead of 2: Disabled, Baseline JIT, Baseline JIT + Tier 2 and Full JIT. However, it's likely far too complicated and we're likely going to stick with having it either enabled or disabled. Chromium will hopefully add a WASM interpreter soon...
This is good news:
- Vanadium version 126.0.6478.122.1 releasedgithub.com Release 126.0.6478.122.1 · GrapheneOS/Vanadium
Users will need to enable JavaScript JIT compilation for sites requiring WebAssembly again via the permission menu next to the URL due to us reverting the upstream security regression which resulte...
Users will need to enable JavaScript JIT compilation for sites requiring WebAssembly again via the permission menu next to the URL due to us reverting the upstream security regression which resulted in this working by default. Unfortunately, Chromium still doesn't have a WebAssembly interpreter like Edge and got this working by rolling back the security of the API used to disable JIT compilation for their desktop V8 Optimizer toggle.
Changes in version 126.0.6478.122.1:
- restore fully disabling the JavaScript JIT compiler by default since Chromium changed the definition of disabling the JIT compiler into only disabling the 2 higher tiers of JIT compilation without disabling baseline JIT compilation which does not avoid dynamically creating executable native code
- add support for language-specific content filters automatically enabled when the language is selected (EasyList Germany has been added to the configuration app for testing the implementation)
A full list of changes from the previous release (version 126.0.6478.122.0) is available through the Git commit log between the releases.
This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
- GrapheneOS version 2024062700 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
Since Android 14 QPR3 is a major release, the end-of-life Pixel 4a (5G) and Pixel 5 receiving extended support releases from GrapheneOS will need to be ported to it with additional work in a future release, which is done as a low priority. Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.
Tags:
- 2024062700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
Changes since the 2024062000 release:
- add new GrapheneOS Info app through which you can get information about the latest releases of GrapheneOS, links to our community spaces, and details on how to make donations
- Pixel 8a: add Let's Encrypt roots to Samsung gnssd CA root store for supl.grapheneos.org
- Pixel 8a: configure Samsung gnssd to use TLSv1.2 for SUPL instead of TLSv1.1 (TLSv1.3 would work but the config doesn't offer it)
- Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold: fully remove 32-bit ARM support to significantly reduce build time and update download size with no loss of functionality (7th gen Pixels launched with 32-bit app support disabled after several years of the Play Store blocking uploading 32-bit-only apps or installing them on 64-bit devices, and 8th gen Pixels use 2nd gen ARMv9 cores with no 32-bit support
- Settings: fix several cases of UI state being lost when resuming activity after configuration changes, etc. for GrapheneOS settings
- kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.216
- kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.90
- kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.35
- Vanadium: update to version 126.0.6478.122.0
- GmsCompatConfig: update to version 120
- GrapheneOS Info app version 2 releasedgithub.com Release 2 · GrapheneOS/Info
Notable changes in version 2: handle top bar title text overflow with ellipsis instead of wrapping handle rename of Twitter to X and replace twitter.com with x.com update AndroidX Compose UI libra...
Notable changes in version 2:
- handle top bar title text overflow with ellipsis instead of wrapping
- handle rename of Twitter to X and replace twitter.com with x.com
- update AndroidX Compose UI library to 1.7.0-beta04
- fixes for state restoration when resuming or changing configuration
A full list of changes from the previous release (version 1) is available through the Git commit log between the releases.
Releases of the app are published in the GrapheneOS app repository. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.
- GrapheneOS Organization Notifies Community About Wise Payment Option Issues Now Being Resolvedgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
Wise has quietly started allowing people to add our EUR account and send us money again. https://grapheneos.social/deck/@GrapheneOS/112672843944152400 Issue appears to be fully resolved. Similarly to how they quietly started blocking that without any notice, it has stopped without a reply to our s...
Wise has quietly started allowing people to add our EUR account and send us money again.
https://grapheneos.social/deck/@GrapheneOS/112672843944152400
Issue appears to be fully resolved. Similarly to how they quietly started blocking that without any notice, it has stopped without a reply to our support request.
- GrapheneOS Organization Counters Claims Made By Forensic Companiesgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
For more information on those 2 vulnerabilities: https://discuss.grapheneos.org/d/11860-vulnerabilities-exploited-in-the-wild-fixed-based-on-grapheneos-reports https://discuss.grapheneos.org/d/13494-cve-2024-32896-wipe-without-reboot-added-to-aosp-due-to-reports-by-grapheneos For detailed info on ...
https://poppopret.org/2024/06/24/google-stop-burning-counterterrorism-operations/
"counterterrorism operation being conducted by a U.S.-allied Western government"
Selectively leaking info to sway public opinion is a classic move. Over 3 years after https://technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/, no info about which US ally or supposed terrorist group.
Here's an example of a "counterterrorism operation" by a U.S.-allied Western government targeting political opponents with NSO exploits:
Is this what's being referenced? Perhaps they mean the Polish government targeting the political opposition this way.
Is this the "counterterrorism operation" by a U.S.-allied Western government that's being referenced? If saying the country and "terrorist" group involved paints a flattering picture of these exploit tools, why aren't they saying which ones are involved?
A more extreme example of a US ally doing a "counterterrorism operation" using NSO exploits:
https://en.wikipedia.org/wiki/Assassination_of_Jamal_Khashoggi
Sure, not a "Western government". Does "U.S.-allied Western government" include Hungary, Turkey, Israel, Japan and South Korea? "Western" meaning what exactly?
Forensic data extraction tools are similar. They use exploits to extract data from devices. Many people claim that since they're primarily used by law enforcement it means they're primarily used for good. They're widely used to target arbitrary people at protests, borders, etc.
GrapheneOS is heavily focused on defending against both remote exploitation and local data extraction. As part of that work, we recently reported 2 vulnerabilities being actively exploited by forensic companies. These are now fixed for Pixels, but not yet other Android devices.
For more information on those 2 vulnerabilities:
https://discuss.grapheneos.org/d/11860-vulnerabilities-exploited-in-the-wild-fixed-based-on-grapheneos-reportshttps://discuss.grapheneos.org/d/13494-cve-2024-32896-wipe-without-reboot-added-to-aosp-due-to-reports-by-grapheneos
For detailed info on Cellebrite's capabilities based on leaked documentation which explicitly covers GrapheneOS:
We certainly support fixing these bugs...
- Vanadium version 126.0.6478.122.0 releasedgithub.com Release 126.0.6478.122.0 · GrapheneOS/Vanadium
Changes in version 126.0.6478.122.0: update to Chromium 126.0.6478.122 A full list of changes from the previous release (version 126.0.6478.110.0) is available through the Git commit log between ...
Changes in version 126.0.6478.122.0:
- update to Chromium 126.0.6478.122
A full list of changes from the previous release (version 126.0.6478.110.0) is available through the Git commit log between the releases.
This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
- AOSP To Backport Critical Security Issues Reported By GrapheneOS Organizationgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
These patched vulnerabilities and other currently unpatched vulnerabilities are being exploited by forensic tools used by states to target journalists, political opponents, activists, arbitrary people crossing borders, etc. Sure, they target lots of drug users / dealers too...
https://grapheneos.social/@GrapheneOS/112609239806949074
We questioned why this was only listed in the Pixel Update Bulletin and they agree:
> After review we agree with your assessment that this is an Android issue and as such we are working on backports to include this in a future Android Security Bulletin.
April 2024 monthly update for Pixels included a partial mitigation for this vulnerability in firmware (CVE-2024-29748).
Android 14 QPR3 released in June 2024 includes a full solution for all Android devices by implementing the wipe-without-reboot proposal we made in our report.
The issue is that in practice, only Pixels ship the monthly and quarterly updates. Other devices only ship monthly security backports, not the monthly/quarterly releases of AOSP. They were only going to get the patch when they updated to Android 15. They're now going to backport.
The other vulnerability we reported at the same time for reset attacks was assigned CVE-2024-29745 but that's a firmware/hardware issue without a software solution available so we can't get them to include it in the Android Security Bulletin unless we convince Qualcomm to fix it.
Every vulnerability in the Android Open Source Project that's deemed to be High/Critical severity is meant to be backported to yearly releases from the past 3 years (currently Android 12, 13 and 14). Low/Moderate severity vulnerabilities are NOT generally backported though.
The issue is that they're really listing patches rather than vulnerabilities. Both of the vulnerabilities we originally reported impact all Android devices, but both got Pixel specific patches in April 2024 and therefore got treated as Pixel specific vulnerabilities instead.
Since the complete solution for the device admin API is an Android Open Source Project (AOSP) patch, they're going to backport it. Since there's no way to frame the reset attack issue as an AOSP issue, there isn't a good way to get it fixed for other devices through this system.
These patched vulnerabilities and other currently unpatched vulnerabilities are being exploited by forensic tools used by states to target journalists, political opponents, activists, arbitrary people crossing borders, etc. Sure, they target lots of drug users / dealers too...
- GrapheneOS Organization Discusses Wise Payment Problemgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
Appears to be a Wise software bug causing our EUR account to show up as deleted to other Wise users, but it otherwise works for receiving from external banks and sending money. Wise's support staff simply appear to badly trained and stonewall referring to irrelevant AML policy.
Wise silently disabled adding our EUR account as a contact on Wise, blocking people from transferring us money on the platform. They're stonewalling us about it. We've received 3 donations via EUR today, so transfers from other banks to our Wise account are still working fine...
Wise's initial response was they're unable to talk to us about it for security/regulatory reasons and needed to talk to the people trying to send us money instead. Fine, but they stonewalled each of those people and said they couldn't say anything for security/regulatory reasons.
Wise won't tell us which of our accounts has disabled functionality or which functionality has been disabled. It only appears to impact receiving EUR via Wise, not sending it and not other currencies. We likely triggered a false positive and they simply default to stonewalling.
Our experience with financial services is that the only way to solve the problems is to post on social media about it, get significant traction and eventually someone who works with the company prods them internally to get it sorted out, which ends up being a quick/simple fix.
Appears to be a Wise software bug causing our EUR account to show up as deleted to other Wise users, but it otherwise works for receiving from external banks and sending money. Wise's support staff simply appear to badly trained and stonewall referring to irrelevant AML policy.
- New Info App Announced For GrapheneOSgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
We recently completely replaced the Setup Wizard shown during the initial installation with a modern replacement following the standard setup design style. We'll be adding more functionality there and our app repository to help people get started including obtaining their apps.
GrapheneOS Info app is now available through our app repository and will be included in the next release of the OS. It supports viewing recent OS release notes, provides info on our chat rooms, forum and active social media accounts along with offering all the donations methods. !Screenshot of the GrapheneOS Info app showing the latest 2024061400 release notes in the Release Notes tab. It also has tabs for Community and Donate. It's a modern Material 3 app design with Material You support.
This will be included in the next release of GrapheneOS. We also plan to make significant improvements to the other GrapheneOS apps in the near future. We'll also be working towards replacing or overhauling each of the user-facing AOSP apps as we already did with the Camera app.
We recently completely replaced the Setup Wizard shown during the initial installation with a modern replacement following the standard setup design style. We'll be adding more functionality there and our app repository to help people get started including obtaining their apps.
- GmsCompatConfig (sandboxed Google Play compatibility layer configuration) version 120 releasedgithub.com Release config-120 · GrapheneOS/platform_packages_apps_GmsCompat
Changes in version 120: update max supported version of Play Store to 41.5 A full list of changes from the previous release (version 119) is available through the Git commit log between the relea...
Changes in version 120:
- update max supported version of Play Store to 41.5
A full list of changes from the previous release (version 119) is available through the Git commit log between the releases (only changes to the
gmscompat_config
text file andconfig-holder/
directory are part of GmsCompatConfig).This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.
- Improved USB Port Attack Surface Reduction Releasedgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
Several operating systems previously included a port of our legacy software-based approach and mistakenly moved to the less secure approach of disabling USB via the standard USB HAL after the last USB connection ends. It's less secure than simply extending our legacy feature...
Our latest release improves our hardware-based USB-C port attack surface reduction. Our previous software-based feature has been extended and merged into it as a 2nd layer of enforcement. We've also extended it to disable pogo pins data at a hardware level on the Pixel Tablet.
Our previous feature is now fully obsolete and has been removed on devices with the newer approach, which is a nice simplification. We've rewritten the documentation here:
https://grapheneos.org/features#usb-c-port-and-pogo-pins-control
Older approach is now only used on the Pixel 5a and earlier end-of-life devices.
Our documentation explains why our approach is much better than the standard Android USB HAL toggle available to device admin apps since Android 12. Standard approach only disables USB connections in the OS. It leaves USB-C and pogo pins enabled at both the OS and hardware level.
The standard approach also can't block new USB connections without ending existing USB connections. It has no distinction between those things. It forces a choice between ending existing USB connections when locking or delaying using it at all until the last USB connection ends.
Several operating systems previously included a port of our legacy software-based approach and mistakenly moved to the less secure approach of disabling USB via the standard USB HAL after the last USB connection ends. It's less secure than simply extending our legacy feature...
- GrapheneOS version 2024062000 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
Since Android 14 QPR3 is a major release, the end-of-life Pixel 4a (5G) and Pixel 5 receiving extended support releases from GrapheneOS will need to be ported to it with additional work in a future release, which is done as a low priority. Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.
Tags:
- 2024062000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
Changes since the 2024061400 release:
- remove our USB peripheral security setting on devices supporting our much better USB-C port mode (Pixel 6 and later)
- extend USB-C port setting to also handle pogo pins on the Pixel Tablet
- kernel (5.10, 5.15, 6.1, 6.6): replace our deny_new_usb feature with a new deny_new_usb2 feature also disabling USB gadgets
- extend USB-C port setting to enable deny_new_usb2 as a second layer of defense disabling new USB connections in the kernel (the existing implementation disables new connections and USB data at a hardware level via the USB controller, which disables more attack surface, but we want to keep around the higher level kernel approach too)
- Files: fix upstream null pointer exception triggered on resuming activity
- Settings: require user authentication for changing auto-reboot, USB peripheral and USB-C port security settings
- Settings: avoid prompting for user authentication when selecting the same value as before for GrapheneOS settings requiring it
- temporarily add back memory tagging exception for Pixel wifi_ext service
- simplify implementation of our auto-reboot feature and properly handle the first lock after the user first sets up a lock method
- avoid resetting USB-C port after first unlock if it was already connected Before First Unlock (fix for regression caused by upstream changes)
- add GrapheneOS Linux kernel port to the 6.6 GKI LTS branch
- kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.215
- kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.87
- kernel (6.1, 6.6): add script for building emulator kernel
- kernel (6.1, 6.6): enable forced module signing for x86_64 (emulator builds)
- System Updater: increase update check interval to 6 hours from 4 hours
- Vanadium: update to version 126.0.6478.110.0
- GmsCompatConfig: update to version 118
- GmsCompatConfig: update to version 119
- fix cast in GrapheneOS package management infrastructure needed for upcoming App Communication Scopes work
- GmsCompatConfig (sandboxed Google Play compatibility layer configuration) version 119 releasedgithub.com Release config-119 · GrapheneOS/platform_packages_apps_GmsCompat
Changes in version 119: add stub for WifiManager.getSoftApConfiguration() A full list of changes from the previous release (version 118) is available through the Git commit log between the releas...
Changes in version 119:
- add stub for WifiManager.getSoftApConfiguration()
A full list of changes from the previous release (version 118) is available through the Git commit log between the releases (only changes to the
gmscompat_config
text file andconfig-holder/
directory are part of GmsCompatConfig).This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.
- Vanadium version 126.0.6478.110.0 releasedgithub.com Release 126.0.6478.110.0 · GrapheneOS/Vanadium
Changes in version 126.0.6478.71.0: update to Chromium 126.0.6478.110 A full list of changes from the previous release (version 126.0.6478.110.0) is available through the Git commit log between t...
Changes in version 126.0.6478.71.0:
- update to Chromium 126.0.6478.110
A full list of changes from the previous release (version 126.0.6478.110.0) is available through the Git commit log between the releases.
This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
- GmsCompatConfig (sandboxed Google Play compatibility layer configuration) version 118 releasedgithub.com Release config-118 · GrapheneOS/platform_packages_apps_GmsCompat
Changes in version 118: update max supported version of Play services to 24.23 update max supported version of Play Store to 41.4 update Android Gradle plugin to 8.5.0 A full list of changes from...
Changes in version 118:
- update max supported version of Play services to 24.23
- update max supported version of Play Store to 41.4
- update Android Gradle plugin to 8.5.0
A full list of changes from the previous release (version 117) is available through the Git commit log between the releases (only changes to the
gmscompat_config
text file andconfig-holder/
directory are part of GmsCompatConfig).This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.
- GrapheneOS Organization Discusses This Months QPR3 Release Improvements For TEEgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
This is closely related to publishing the rest of the Trusty code used for Pixels, since they implement communication using authenticated encryption between the SoC secure core and the standalone secure element. Non-Pixel Android ecosystem could benefit a lot from all this code.
Pixel 6 and later use the open source Trusty OS for the Trusted Execution Environment (TrustZone) and secure core firmware.
Starting with this month's quarterly release (Android 14 QPR3), Trusty sources and baseline applets are part of the Android Open Source Project in trusty/.
Not everything is published, particularly Tensor specific portions. It'd be helpful to publish the rest to make it easier to audit and propose improvements.
They still need to publish the Titan M2 fork of OpenTitan too, which they committed to eventually doing several years ago.
OpenTitan was created to replace their secure elements based on ARM secure cores with a custom RISC-V design across their servers, Chromebooks and Pixel phones/tablets. Pixel 6 and later have a RISC-V secure element (Titan M2), but they still need to publish Pixel specific code.
Upstream OpenTitan project is currently focused on implementing the TPM specification for desktop/server use. TPM is a horrible secure element API. It isn't what's used on Pixels where they got to design APIs for usage by the Android Open Source Project based on what it needs.
This is closely related to publishing the rest of the Trusty code used for Pixels, since they implement communication using authenticated encryption between the SoC secure core and the standalone secure element. Non-Pixel Android ecosystem could benefit a lot from all this code.
- GrapheneOS version 2024061400 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
Tags:
- 2024061400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
Changes since the 2024061300 release:
- revert upstream refactoring of the device association code in Android 14 QPR3 due to it introducing a chain crash bug at boot in edge cases with associated devices such as paired Android Wear devices
- kernel (5.10): update to latest GKI LTS branch revision Vanadium: update to version 126.0.6478.71.0
- GrapheneOS Planned Release For Today To Resolve Upstream Regressiongrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
If you don't depend on Bluetooth, you might as well update to the current OS release in the Beta channel and then switch back to Stable. Only reason it's not in the Stable channel yet is these 2 issues. There's another minor upstream Settings UI style issue which doesn't matter.
We've found a serious bug in Android 14 QPR3 which can lead to devices getting stuck in a crash loop on boot after adding a device association such as a WearOS pairing. This impacts both stock Pixel OS and AOSP. Google is aware and reverted the broken change in Android 15 Beta 2.
Today, we plan to do a release fixing this serious issue and the AOSP Bluetooth module regression breaking pairing with the Galaxy Watch6 device we purchased for testing due to previous Bluetooth regressions in Android 14 QPR2 breaking it. Today's release should reach Stable.
If you don't depend on Bluetooth, you might as well update to the current OS release in the Beta channel and then switch back to Stable. Only reason it's not in the Stable channel yet is these 2 issues. There's another minor upstream Settings UI style issue which doesn't matter.
- Vanadium version 126.0.6478.71.0 releasedgithub.com Release 126.0.6478.71.0 · GrapheneOS/Vanadium
Changes in version 126.0.6478.71.0: update to Chromium 126.0.6478.71 set default toolbar shortcut to new tab A full list of changes from the previous release (version 126.0.6478.50.1) is availabl...
Changes in version 126.0.6478.71.0:
- update to Chromium 126.0.6478.71
- set default toolbar shortcut to new tab
A full list of changes from the previous release (version 126.0.6478.50.1) is available through the Git commit log between the releases.
This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
- GrapheneOS version 2024061300 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
We've found at least one new issue with the Android Open Source Project 14 QPR3 Bluetooth module and are already working on resolving it. We'll have a quick follow-up release fixing the Bluetooth regression and other issues discovered during public Alpha testing.
Tags:
- 2024061300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
Changes since the 2024061200 release:
- fix upstream Android 14 QPR3 regression which breaks updating certain apps with our app repository client
- fix boot-time optimizing apps progress UI with Android 14 QPR3 and enable it again
- fix regression in our Android 14 QPR3 port resulting in PIN scrambling in secondary users being determined by the Owner user setting
- revert major upstream Android 14 QPR3 Internet quick tile overhaul since it broke the functionality in secondary users
- temporarily add back disabling memory tagging and hardened_malloc for surfaceflinger since Android 14 QPR3 didn't fix it as expected
- disable temporary unconditional system crash notifications since we've gotten the initial feedback we needed via the previous release
- add additional null check for eSIM wiping done as part of the duress PIN/password wipe implementation to avoid harmless exception
- Settings: remove blank illustration from "Screen resolution" screen
- Vanadium: update to version 126.0.6478.50.1
- make duress PIN/password tests faster and more reliable
- GrapheneOS Organization Discusses Upstream Chromium Breakages and Asks For Help With App Testing From Communitygrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
There are a lot of people helping with testing the OS releases in the Alpha and Beta channels, but very few people helping with the apps. We expect most people aren't aware there are Alpha and Beta channels for the app repository too, since it's tucked away in the Apps menu.
Chromium v126 broke support for the built-in password manager on Android. We've fixed it in Vanadium 126.0.6478.50.1:
https://grapheneos.social/@GrapheneOS/112609618525601248
We'll be filing a Chromium issue. We've had success reporting similar regressions for Android operating systems without Google Play.
We'd greatly appreciate if more GrapheneOS users helped with the Alpha/Beta testing of Vanadium releases. Can enable the Alpha/Beta channel by selecting Vanadium in the app repository client (Apps) and changing release channel with the menu. We might need to make it more visible.
If you decide to help with testing for our apps or the OS, please join our Alpha/Beta testing chat room and report regressions there right away. See https://grapheneos.org/contact#community-chat for details. Can use Matrix, Discord, Telegram or even IRC (libera.chat) since it's bridged.
There are a lot of people helping with testing the OS releases in the Alpha and Beta channels, but very few people helping with the apps. We expect most people aren't aware there are Alpha and Beta channels for the app repository too, since it's tucked away in the Apps menu.
- Vanadium version 126.0.6478.50.1 releasedgithub.com Release 126.0.6478.50.1 · GrapheneOS/Vanadium
Changes in version 126.0.6478.50.1: restore past Password Manager settings behavior from before v126, although Chromium has deprecated it with the intention to remove it in 6 months so we'll need ...
Changes in version 126.0.6478.50.1:
- restore past Password Manager settings behavior from before v126, although Chromium has deprecated it with the intention to remove it in 6 months so we'll need to talk to them about it
- enable feature flag for passkey support (already handled via Vanadium Config update)
- enable skipping autofill compatibility checks (already handled via Vanadium Config update)
- explicitly disable include_both_v8_snapshots for the upcoming v127 release since it will increase build time and APK size for a feature that's only available as an opt-in experiment
A full list of changes from the previous release (version 126.0.6478.50.0) is available through the Git commit log between the releases.
This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
- CVE-2024-32896: wipe-without-reboot added to AOSP due to reports by GrapheneOS Organizationgrapheneos.social GrapheneOS (@GrapheneOS@grapheneos.social)
We have a thread about forensic company capabilities at https://grapheneos.social/@GrapheneOS/112462756293586146 based on leaked Cellebrite documentation. Shows GrapheneOS does a much better job than iOS/Android blocking exploits and only Pixel 6 and later or iPhone 12 and later successfully stop br...
CVE-2024-32896 which is marked as being actively exploited in the wild in the June 2024 Pixel Update Bulletin is the 2nd part of the fix for CVE-2024-29748 vulnerability we described here:
https://grapheneos.social/@GrapheneOS/112204428984003954
As we explained there, none of this is actually Pixel specific.
Bulletin:
https://source.android.com/docs/security/bulletin/pixel/2024-06-01
Attribution to us:
https://source.android.com/docs/security/overview/acknowledgements
CVE-2024-32896 and CVE-2024-29748 refer to the same vulnerability of interrupting reboot for wipes via the device admin API, which applies to all devices.
CVE-2024-32896 is a full fix in AOSP as part of Android 14 QPR3. It's not at all Pixel specific.
This is being widely incorrectly reported in tech news coverage. Pixel Update Bulletins are almost entirely patches for vulnerabilities which apply to other devices too. Android Security Bulletins are the list of what other OEMs are required to fix, not the full list of patches.
We explained this in our previous thread:
https://grapheneos.social/@GrapheneOS/112204437363495338
CVE-2024-29748 was a mitigation for the issue implemented in the Pixel bootloader. Full solution is implementing wipe-without-reboot, which is now a standard feature in Android 14 QPR3 released as part of AOSP.
Our 2024052100 release backported the upstream wipe-without-reboot feature being shipped in the June 2024 release of Android (Android 14 QPR3): https://grapheneos.org/releases#2024052100.
We extended it to make it more robust via extra redundancy in our 2024060400 release: https://grapheneos.org/releases#2024060400.
There were 2 main issues:
- memory not wiped when booting firmware-based fastboot mode, allowing exploiting it to get previous OS memory
- AOSP device admin API depends on reboot-to-recovery to wipe before Android 14 QPR3
Neither is issue is being fixed outside Pixels yet.
Each month, Android has a new version released. These are the monthly, quarterly (QPR) and yearly releases. The baseline monthly security patches are NOT the monthly releases of Android. They're backports of a SUBSET of the patches with High/Critical severity, not all patches.
Most devices only ship the backported patches to older Android releases (12, 13 and 14). Pixels ship the monthly, quarterly and yearly releases. Other devices will mostly get the 2nd vulnerability fix when they update to Android 15. They'll have to fix the 1st issue on their own.
We have a thread about forensic company capabilities at https://grapheneos.social/@GrapheneOS/112462756293586146 based on leaked Cellebrite documentation. Shows GrapheneOS does a much better job than iOS/Android blocking exploits and only Pixel 6 and later or iPhone 12 and later successfully stop brute forcing.
- GrapheneOS version 2024061200 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
This is the first release of GrapheneOS based on Android 14 QPR3, the 3rd quarterly maintenance/feature release for Android 14.
We've found at least one new issue with the Android Open Source Project 14 QPR3 Bluetooth module and are already working on resolving it. We'll have a quick follow-up release fixing the Bluetooth regression and other issues discovered during public Alpha testing.
Pixel 8a is now supported as part of the standard Android releases instead of having a device branch based on Android 14 QPR1. We've had stable releases for it available since May 15th (1 day after launch) based on our last QPR1-based release (2024030300). Pixel 8a users will be getting the GrapheneOS improvements from March, April, May and June along with the Android 14 QPR2 and QPR3 improvements so it's a much larger release for the Pixel 8a.
Tags:
- 2024061200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
Changes since the 2024060500 release:
- full 2024-06-05 security patch level
- rebased onto AP2A.240605.024 Android Open Source Project release, which is the 3rd quarterly maintenance/feature release for Android 14 (QPR3)
- temporarily enable system crash notifications unconditionally for the initial QPR3-based release
- change default USB-C port mode to "Charging-only when locked", from "Charging-only when locked, except before first unlock"
- stop disabling memory tagging and hardened_malloc for surfaceflinger
- Settings: fix regression permitting disabling apps when it shouldn't be allowed due to device manager policy
- Vanadium: update to version 126.0.6478.50.0
- GmsCompatConfig: update to version 117
- Vanadium version 126.0.6478.50.0 releasedgithub.com Release 126.0.6478.50.0 · GrapheneOS/Vanadium
Changes in version 126.0.6478.50.0: update to Chromium 126.0.6478.50 A full list of changes from the previous release (version 125.0.6422.165.0) is available through the Git commit log between th...
Changes in version 126.0.6478.50.0:
- update to Chromium 126.0.6478.50
A full list of changes from the previous release (version 125.0.6422.165.0) is available through the Git commit log between the releases.
This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
- GmsCompatConfig (sandboxed Google Play compatibility layer configuration) version 117 releasedgithub.com Release config-117 · GrapheneOS/platform_packages_apps_GmsCompat
Changes in version 117: update max Play services version to 24.22 for GmsCompat >= 1008 update max supported version of Play Store to 41.3 A full list of changes from the previous release (versio...
Changes in version 117:
- update max Play services version to 24.22 for GmsCompat >= 1008
- update max supported version of Play Store to 41.3
A full list of changes from the previous release (version 116) is available through the Git commit log between the releases (only changes to the
gmscompat_config
text file andconfig-holder/
directory are part of GmsCompatConfig).This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.
- GrapheneOS version 2024060500 releasedgrapheneos.org GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.
Tags:
- 2024060500-redfin (Pixel 4a (5G), Pixel 5)
- 2024060500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)
Changes since the 2024060400 release:
- Sandboxed Google Play compatibility layer: adjust to DynamiteLoader changes being deployed with a new feature flag in Play services 24.22
- stop treating pressing the spacebar on a physical keyboard as submitting the lockscreen password since it prevents entering passphrases with spaces (upstream Android bug which has existed for around 8.5 years)
- Vanadium: update to version 125.0.6422.165.0
- GmsCompatConfig: update to version 116