GrapheneOS


An unofficial discussion community for anyone interested in GrapheneOS.

Helpful links:

Official Graphene OS Discussion Forum

List of official Matrix channels and other contact sources.

founded 2 years ago
1
 
 

Tags:

  • 2025073000 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025072800 release:

  • extend our workaround for the upstream Android asynchronous dexopt optimization issue to handle original-package package renaming which we used to rename Vanadium's package name from org.chromium.chrome to app.vanadium.browser years ago and users on 6th gen Pixels with installs prior to it could have a crash caused by our fix for the upstream issue
  • add a temporary workaround for AOSP Dialer still using a legacy approach to notifications which interacts badly with notification grouping
  • remove support for switching to a pseudo-locale when developer options are enabled since it can cause major issues
  • Sandboxed Google Play compatibility layer: add stub for BluetoothDevice.getBondState() to avoid Android Auto crash
  • Settings: fix upstream Android null pointer exception in UserAspectRatioDetails.launchApplication()
  • System Updater: update minimum and target API level to 36 (Android 16)
2
 
 

Changes in version 138.0.7204.179.0:

  • update to Chromium 138.0.7204.179

A full list of changes from the previous release (version 138.0.7204.168.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

3
 
 

Tags:

  • 2025072800 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025072700 release:

  • add missing multi-user handling to the package information query used by both of the new VPN leak protections which was discovered during Alpha channel testing from app crashes in secondary users for apps not installed in the Owner user
  • fix implementation of INsdServiceConnector stub used as part of our NsdService#connect VPN leak protection to avoid an edge case resulting in app crashes found during Alpha channel testing
  • include additional overlays from the stock Pixel OS for Settings animations and Settings/SystemUI strings mostly related to documentation
4
 
 

Changes in version 160:

  • disable feature flags for Play services Android Advanced Protection since sandboxed Play services can't control OS security features and we have stronger security features enabled by default along with per-feature / per-app toggles instead of an overly coarse global toggle (we can provide a toggle for Advanced Protection as part of the OS to replace this for enabling security features implemented by user installed apps tied to this mode)
  • update Gradle to 8.14.3
  • update SDK to 36 (Android 16)

A full list of changes from the previous release (version 159) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

GmsCompatConfig is the text-based configuration for the GrapheneOS sandboxed Google Play compatibility layer. It provides a large portion of the compatibility shims.

5
 
 

Rolling out our most recent OS release has been cancelled prior to it reaching our Beta channel due to a couple reports of app crashes. We've found the likely causes of the issues and can hopefully fix those and make another release with the fixes today.

https://grapheneos.social/@GrapheneOS/114928364696534363

Thanks to our testers helping to avoid these kinds of issues reaching our Stable channel and in this case even the Beta channel. We think the issues are caused by the 2 improvements we made to VPN lockdown mode which we should be able to fix today while keeping both improvements.

6
 
 

Changes in version 138.0.7204.168.1:

  • prevent rare crash with certain sites caused by Web Reporting API bug
  • disable search engine configuration menu icons since it requires dynamically fetching the icons and search engines can be added so it's not simply a fixed list (there were previously no icons so it's just a switch back to how this worked in Chromium before)

A full list of changes from the previous release (version 138.0.7204.168.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

7
 
 

Our community manager has provided a response to the recent LWN article on GrapheneOS with important corrections and context:

https://lwn.net/Articles/1031454/

The article had significant inaccuracies about the history of GrapheneOS, our organization and the details of what we provide.

Prior to the publication of the article, LWN contacted us with a few basic questions. Our community manager replied. It was a short email from them and a short reply from us. We weren't given a chance to address most of the claims made by the article and our response was presented quite strangely.

Following the article being published, our community manager sent an earlier version of what's written at https://lwn.net/Articles/1031454/ as a follow-up email with the hope the article would receive corrections. The response was LWN has a policy against substantive changes to articles after publication.

We would have greatly preferred the article being improved based on verifiable facts over replying to it. LWN suggested that we reply to the article since they were unwilling to edit it and provided our community manager with a subscriber account to provide our response, which we recommend reading.

GrapheneOS was started as an open source project in 2014. One of the previous names of the project was CopperheadOS and a company called Copperhead was co-founded by the founder of GrapheneOS in late 2015. We split from Copperhead in 2018 after their takeover attempt and continued development.

If you want to read the LWN article, https://lwn.net/SubscriberLink/1030004/898017c7953c0946/ is a link they provide for sharing articles with non-subscribers. Please read our response at https://lwn.net/Articles/1031454/ too.

8
 
 

Information from the privacy and security researcher who founded the divested projects on the insecurity of /e/OS including hard data on update delays and skipped updates:

Issues with /e/OS: https://codeberg.org/divested-mobile/divestos-website/raw/commit/c7447de50bc8fadd20a30d4cbf1dcd8cf14805a0/static/misc/e.txt

ASB update history: https://web.archive.org/web/20241231003546/https://divestos.org/pages/patch_history

Chromium update history: https://web.archive.org/web/20250119212018/https://divestos.org/misc/ch-dates.txt

Chromium update summary: https://infosec.exchange/@divested/112815308307602739

For the Chromium update summary from July 2024, note 128/135 was shipping each update on a given update path. /e/OS only shipped 12/135.

9
 
 

Changes in version 138.0.7204.168.0:

  • update to Chromium 138.0.7204.168
  • simplify parsing for Vanadium Config

A full list of changes from the previous release (version 138.0.7204.157.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

10
 
 

YouTube ReVanced and YT Music ReVanced have been godsends. Am I able to use them with Graphene?

11
 
 

This release resolves 2 upstream Android VPN leaks discovered by GrapheneOS and our community testers. We aren't aware of any other outbound Android VPN leaks when Private DNS is set to Off. Android's Private DNS feature needs a significant overhaul for how it works with secondary profiles and VPNs.

Tags:

  • 2025072700 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025071900 release:

  • prevent using SO_BINDTODEVICE to bypass VPN lockdown mode (leak protection) to resolve an upstream Android VPN leak discovered by GrapheneOS testers where code specifies a specific interface via a special system call to bypass the VPN
  • prevent using NsdService#connect for components restricted by VPN lockdown mode to prevent a very limited upstream Android local network VPN leak discovered by GrapheneOS
  • add workaround for upstream Android asynchronous dexopt bug causing concurrent installs of the same package to be handled incorrectly which then causes crashes when attempting to uninstall
  • temporarily disable asynchronous pre-reboot OS update app optimization (dexopt) added in Android 16 to avoid the Finalizing step completing before apps are recompiled which can then result in it causing a very long initial boot of the new OS version if the user reboots before the background app optimization completes (this will not apply to updating to this release but rather only updating to future releases from this one and onwards)
  • MediaMetadata: fix upstream Android bug by using shared bitmaps to avoid serialized metadata going beyond the Binder transaction size limit and causing system service failures including Bluetooth service crashes (this issue existed prior to Android 16)
  • Sandboxed Google Play compatibility layer: revert change for dropping phenotype flag overrides before applying new ones since it can cause flag values to be set inconsistently due to a race
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.146
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.99
  • AppCompatConfig: update to version 4
  • GmsCompatConfig: update to version 160
  • Vanadium: update to version 138.0.7204.168.0
  • Vanadium: update to version 138.0.7204.168.1
12
 
 

HN discussion of an LWN article.

13
 
 

https://foxnews.com/tech/new-android-attack-tricks-you-giving-dangerous-permissions

GrapheneOS, a security-focused operating system based on Android, confirmed that its current version is also affected. However, it plans to release a fix in its next update.

No, we said that on July 7 and then shipped https://grapheneos.org/releases#2025070700 fixing it.

They likely found https://x.com/GrapheneOS/status/1942235186923499549 but didn't realize our next release was shipped later that day. The TapTrap site from the researchers at https://taptrap.click/ documents that we fixed it. Our fix works well and many users tried the proof of concept app to confirm it.

Android 16 was released June 10 and we'd already done our final Android 15 QPR2 releases with backports of Android 16 drivers/firmware when we were informed about TapTrap near the end of June. Once our port to 16 was near Stable, one of our devs spent a few hours fixing TapTrap.

The researchers reported it to Android on October 31, 2024 and Android still hasn't fixed it. We fixed the vulnerability by only allowing third party apps to use custom activity animations for their own activities. It's likely Android doesn't want to remove part of the feature.

14
5
submitted 1 week ago* (last edited 1 week ago) by cm0002@lemmy.world to c/graphene_os@lemmy.sdf.org
 
 

Changes in version 4:

  • temporarily allow Dynamic Code Loading via memory for the sandboxed Play Store by default until it's resolved upstream or by us coercing it to stop doing it (users can still disallow Dynamic Code Loading via memory for it as it doesn't appear to cause many issues but we don't want to have errors occurring for regular users)
  • update Gradle to 8.14.3
  • update Android Gradle plugin to 8.11.1
  • update Protobuf Gradle plugin to 0.9.5
  • update Protobuf library to 4.31.1
  • update Kotlin to 2.1.21
  • update SDK to 36 (Android 16)
  • update target API level to 36 (Android 16)
  • switch to modern Gradle Java toolchain configuration
  • improve code style

A full list of changes from the previous release (version 3) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

15
 
 

Tags:

  • 2025071900 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025070800 release:

  • Dialer: always show scrollbar for button grid when there are more than 6 buttons to make it clear it can be scrolled
  • Dialer: move RTT button to the end since it's rarely used
  • Network Location: improve position estimation implementation to provide better performance, accuracy and stability
  • Network Location: add support for detecting location based on cell towers when Wi-Fi-based location can't obtain any position estimate
  • add back "Prevent ringing" gesture via Power + Volume Up which was lost in the port to Android 16
  • Settings: fix discharge time estimates not being shown when charging optimization (charging limit) enabled
  • Settings: avoid explanation in per-app Play Integrity API settings being cut off
  • fully prevent empty end session button being shown
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.145
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.98
  • include more color overlays from the stock Pixel OS
  • add back desktop mode toggle to developer options which was missing due to Android 16 requiring enabling config_isDesktopModeDevOptionSupported in addition to the config_isDesktopModeSupported feature we were already enabling
  • adevtool: add infrastructure for defining synthetic overlays and migrate to using it (automates more of device support and results in the battery charging limit text being updated)
  • adevtool: heavily optimize state collection by only calculating what gets built instead of building it
  • enable optimization of pausing wallpaper rendering for Pixel Camera
  • Terminal (virtual machine management app): temporarily disable GUI support until Android 16 regression causing surfaceflinger crash is resolved
  • Seedvault: update to 15-5.6 (will be replaced with a better backup implementation in the future)
  • Vanadium: update to version 138.0.7204.157.0
  • GmsCompatConfig: update to version 159
16
 
 

Apple and Google both provide support for offline speech-to-text using local models. Users can configure it to be fully offline.

The Murena Voice to Text service in /e/OS sends the user's audio to OpenAI which is hidden away in their terms of service:

https://community.e.foundation/t/voice-to-text-feature-using-open-ai/70509

/e/OS is heavily marketed as private but in reality it has enormous privacy issues like this with their default apps and services. It's also heavily marketed as avoiding Google services but yet has privileged integration for Google services and connects to multiple by default.

/e/OS doesn't keep up with basic privacy or security patches for the OS or browser engine used not only for the default browser but also the WebView used by many apps including email clients and far more for rendering web-based content. For more info see https://discuss.grapheneos.org/d/24134-devices-lacking-standard-privacysecurity-patches-and-protections-arent-private.

/e/OS is not a threat to mass surveillance but rather significantly helps with it by making exploiting devices to extract data or take remote control over them far easier. They do not keep up with basic High and Critical severity patches. All devices sold by Murena are insecure.

Even on Pixels, /e/OS is extremely far behind on providing the current High and Critical severity privacy and security patches due to being so far behind on OS updates. They mislead users by setting a fake security patch level and changing the UI to mask what's happening.

Murena is a for-profit company and /e/OS is very clearly built and managed for the benefit of Murena. Despite this, /e/OS receives a huge amount of EU government funding. If you're an EU taxpayer, your money is being used to build this extraordinarily insecure and non-private OS.

17
 
 

Changes in version 159:

  • add stubs for AdvancedProtectionManager which was preventing us moving the post-Android-16 sandboxed Google Play services to our App Store's Stable channel (GrapheneOS enables far better security features by default with per-feature and per-app controls where that makes sense instead of the all or nothing iOS Lockdown Mode approach copied by Android 16 which we don't plan to imitate)
  • update target API level to 36 (Android 16)
  • update Android Gradle plugin to 8.11.1
  • update Gradle to 8.14.2

A full list of changes from the previous release (version 158) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

GmsCompatConfig is the text-based configuration for the GrapheneOS sandboxed Google Play compatibility layer. It provides a large portion of the compatibility shims.

18
 
 

We published this response to a recent article promoting insecure devices with /e/OS with inaccurate claims, including inaccurate comparisons to GrapheneOS:

https://discuss.grapheneos.org/d/24134-devices-lacking-standard-privacysecurity-patches-and-protections-arent-private

The founder of /e/OS has responded with misinformation promoting /e/OS and attacking GrapheneOS.

We made a post with accurate info on our forum in response to inaccurate information, that's all. There's a lot more we could have covered. See https://kuketz-blog.de/e-datenschutzfreundlich-bedeutet-nicht-zwangslaeufig-sicher-custom-roms-teil6/ for several examples such as /e/OS having unique user tracking in their update client not communicated to users.

The founder of /e/OS responded to the post we made on our forum here:

https://mastodon.social/@gael/114874688715085353

Gaël Duval has repeatedly personally targeted the founder of GrapheneOS in response to us posting accurate information responding to misinformation from /e/OS and their supporters.

Contrary to what's claimed in this thread, /e/OS does not improve privacy. /e/OS massively reduces privacy compared to the Android Open Source Project in multiple ways. /e/OS is consistently very far behind on shipping important privacy improvements in new major Android releases.

/e/OS regularly lags many weeks, months and even years behind on shipping important privacy and security patches. They roll back various parts of the privacy and security model, add a bunch of privileged Google service integration and their own privacy invasive services too.

The link posted at https://mastodon.social/@gael/114875028964272029 shows /e/OS shipping the previous round of Chromium privacy/security patches a couple weeks late. It regularly takes them months instead of weeks. They take far longer to ship many of the important driver, firmware and AOSP patches.

The link also shows they're using the wrong Chromium tags for Android, which frequently results in missing Android-specific privacy/security patches. Chromium 138.0.7204.97 was a June 30th release for Windows, not Android. The Android tag for June 30th was 138.0.7204.63.

https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html

https://chromereleases.googleblog.com/2025/06/chrome-for-android-update_30.html

Patches in Chromium Stable channel updates for Android are often only in the Android tags, not the Windows ones.

The current Android release is 138.0.7204.157, with security patches beyond 138.0.7204.63:

https://chromiumdash.appspot.com/releases?platform=Android

These were minor releases of Chromium. It's trivial to incorporate the changes and ship them on release day within hours. Even major releases of Chromium every ~4 weeks are easy to ship on release day because major releases are open source for weeks in advance, unlike Android.

As can be seen by looking back through https://github.com/GrapheneOS/Vanadium/releases and comparing it to the Android release dashboard linked above, we ship the Chromium Stable and Early Stable releases on release day. This is not impressive. Shipping privacy/security patches is the bare minimum.

Our forum post and this thread were both posted in response to inaccurate info about GrapheneOS posted to promote /e/OS. Once again personally targeting our founder with fabricated stories and harassment from their community is what /e/OS has done before and continues doing.

/e/OS targeted the founder of DivestOS in a similar way and /e/OS supporters directed a massive amount of harassment towards him. It played a significant role in DivestOS being discontinued. /e/OS will not achieve the same thing targeting our founder and should stop doing it.

/e/OS is extraordinarily insecure and non-private due to lagging so far behind on patches and crippling Android Open Source Project privacy/security protections. Selling many devices with many months or even years of missing Critical severity patches and hiding it in the UI is wrong.

Murena's services are not nearly as private as claimed and not at all on the same level as serious options such as Proton's software suite. Many of their services recently went down from early October 2024 through March 2025:

https://community.e.foundation/t/update-on-murena-io-service-outage/61781

It's somehow a paid service.

19
 
 

Swissquote Bank is in the process of adding official support for GrapheneOS to their main app. They've published a Beta version of the app with GrapheneOS support for us to share with our users. Can use https://appdistribution.firebase.google.com/testerapps/1:922102381011:android:b7cac4eab8e5776d/releases/4rp8ha7plvg00 to obtain it via the sandboxed Play Store.

Swissquote previously added GrapheneOS support to their Yuh financial app. They're following our guide on using hardware attestation as an alternative to Play Integrity able to support more than Google Mobile Services hardware and operating systems: https://grapheneos.org/articles/attestation-compatibility-guide.

The link we provided might not work in Vanadium since Firebase appears to use the Client Hints headers to detect the OS version. We set the OS version in the Client Hints headers to the frozen User Agent value which is Android 10. May need to install and use Chrome to access it.

We've previously seen an issue where a site used the Client Hints provided OS version to ban using incredibly out-of-date Android versions. We didn't remove the Client Hints headers because that trips bot detection. Reusing the frozen User Agent values was working quite well.

20
 
 

A Dutch bank (Triodos Bankieren NL) has added explicit support for GrapheneOS and will be testing it going forward:

https://github.com/PrivSec-dev/banking-apps-compat-report/issues/133#issuecomment-3087638715

They join a growing number of banking apps actively permitting users to use a much more secure device instead of trying to ban it.

21
 
 

Every single time I get out of my car I get this damn notification asking to rate my audio quality on my drive.

Doesn't matter if I answer the survey or not it always asks every time. It's driving me nuts, I don't want this unnecessary notification on my phone every time I get out of my car. Going to the notification settings for the app for Feedback & Surveys, you can't disable them. They're locked to always being on.

Is there a workaround for this? Do I need to submit a ticket with GrapheneOS to maybe get this looked at? Is it simply out of GOS's control because Google sucks? I use Android Auto all the time and this is exhausting. I'm a person who doesn't like unnecessary notifications, only like 4 or 5 apps are allowed to send notifications on my phone. Searching this issue just pulls up r*ddit threads from 5 years ago that have deleted comments or outdated answers or just how to disable AA entirely.

Any guidance or suggestions greatly appreciated 🧡

22
23
 
 

I'm assuming I'm tethering the tablet to the phone via hotspot. Both devices are running GrapheneOS.

24
 
 

We've published a response with corrections to an iFixit article presenting a highly insecure and non-private option as being the best choice for people who care about privacy:

https://discuss.grapheneos.org/d/24134-devices-lacking-standard-privacysecurity-patches-and-protections-arent-private

Not bundling Google Mobile Services doesn't mean a device/OS has good privacy.

25
 
 

Changes in version 138.0.7204.157.0:

  • update to Chromium 138.0.7204.157
  • change default value for "Protected content" (DRM) site setting to ASK instead of BLOCK (we changed this from ALLOW to BLOCK because ASK wasn't an option at the time we changed it)
  • stop marking 64-bit-only builds as multiArch to enable installation on devices supporting 32-bit apps such as 6th generation Pixels
  • use Vanadium Config version as the subresource filter rules version instead of having a separate version for it

A full list of changes from the previous release (version 138.0.7204.63.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
