GrapheneOS [Unofficial]


Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

376
 
 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without lost functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023103100 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023103100-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023103000 release:

  • Keyboard: include words from all active locales in spell checking to support multiple locales again after the port to Android 14
  • Gallery: revert one of the 3 improvements to preview resolution due to it causing out-of-memory errors
  • Vanadium: update to version 119.0.6045.66.0
377
 
 

Changes in version 119.0.6045.66.0:

  • update to Chromium 119.0.6045.66

A full list of changes from the previous release (version 119.0.6045.53.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

378
 
 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without lost functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023103000 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023103000-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023102300 release:

  • add infrastructure for hardware memory tagging support
  • hardened_malloc: add support for hardware memory tagging launched with the ARMv9 cores on the Pixel 8 and Pixel 8 Pro
  • Settings: enable memory tagging toggle at Settings -> Security -> More security settings -> Advanced memory protection beta
  • Pixel 8, Pixel 8 Pro: enable memory tagging support for everything built by GrapheneOS (other than Vanadium, since Chromium currently disables it) and also user installed apps without native libraries (will be expanded to Vanadium later along with the option to use it for all user installed apps)
  • Pixel 8, Pixel 8 Pro: use asymmetric memory tagging mode on all cores to provide much higher security than asynchronous mode without much more overhead unlike the very expensive synchronous mode without any clear security benefits over asymmetric
  • enable parallel compilation of non-precompiled bytecode to native code for first-boot and first-boot-after-update with 2 processes for now (can be increased later)
  • improve user interface for reporting background package compilation progress
  • show crash dialog for first crash of an app since boot instead of waiting until the second crash like upstream Android
  • Gallery: fix low resolution image preview in editor
  • restore Android 13 behavior for installing APKs from the file manager by requesting permission for the app which created the APK (current Google Files behavior is a bit different and requests permission for Google Files, but the AOSP Files approach seems more useful)
  • SELinux policy: use per-app-instance MLS level for the update client domain as used for regular apps to provide better isolation from other system components
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.198
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.137
  • Vanadium: update to version 118.0.5993.111.0
  • Vanadium: update to version 119.0.6045.53.1
  • GmsCompatConfig: update to version 80
379
 
 

Our first experimental release based on Android 14 was published on October 6th. We think we already had this issue resolved for that release:

https://arstechnica.com/gadgets/2023/10/android-14s-ransomware-data-storage-bug-locks-out-users-remains-unfixed/

We've made additional fixes for upstream user profile issues still impacting the stock Pixel OS since then too

We've run into multiple Linux kernel f2fs data corruption issues before Android 14 while testing new Linux kernel LTS revisions. We avoided any of the serious issues slipping past our internal testing. The only one to make it into the Alpha channel only caused update rollback.

380
 
 

Changes in version 119.0.6045.53.1:

  • disable Privacy Guides feature since we already have third party cookies disabled by default and the other problematic features it covers aren't supported by Vanadium and aren't meant to be offered as options

A full list of changes from the previous release (version 119.0.6045.53.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

381
 
 

Changes in version 119.0.6045.53.0:

  • update to Chromium 119.0.6045.53
  • drop our change making disabling third party cookies (which is our default) apply to partitioned cookies since it has few benefits, is difficult to maintain and will lose the compatibility benefits of replacing this with full cookie partitioning

A full list of changes from the previous release (version 118.0.5993.111.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

382
 
 

Changes in version 80:

  • update max supported version of Play services to 23.42
  • update max supported version of Play Store to 38.1

A full list of changes from the previous release (version 79) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

383
 
 

We've been making more progress on hardware memory tagging support for Pixel 8 and Pixel 8 Pro. Our initial hardened_malloc integration has no noticeable overhead in fastest asynchronous mode and the asymmetric mode is lower overhead than legacy mitigations like stack canaries.

Asynchronous is very fast but can be bypassed via races. Synchronous is very high overhead and aimed at debugging. It's still much faster than HWAsan (based on Top Byte Ignore) and especially ASan. Asymmetric is nearly as fast as asynchronous and as secure as synchronous.

There isn't any clear way to bypass asynchronous write checks for the asymmetric mode since they're checked immediately on reads and system calls. io_uring might be able to bypass it, but it's not relevant since it's only allowed for 2 core SELinux domains (fastbootd, snapuserd).

Memory tagging is going to be a huge game changer and GrapheneOS will be on the leading edge deploying it. Stock Pixel OS has it as a developer option which isn't usable in practice since it breaks far too much. The implementation is also much less powerful than hardened_malloc.

Use-after-free is detected until another allocation is made in the same slot with the same random tag chosen for it. hardened_malloc already defends this by quarantining freed allocations by default. They go through a First-In-First-Out ring buffer and a swap with a random array.

Arbitrary read/write via buffer overflows are caught by the random tags. They're unfortunately currently only 4 bit, but a future architecture revision could raise them to 8 bit. CFI, PAC, etc. only try to defend specific targets and don't work well against arbitrary read/write.

Nearly all remote code execution vulnerabilities in the OS are memory corruption bugs: either use-after-free or buffer overflows. The majority involves the malloc heap and the rest mostly involves the stack which could also use MTE-based defenses to replace SSP + ShadowCallStack.

Most apps are a similar story as the base OS. Chromium has pervasive type confusion bugs which MTE doesn't explicitly protect against, but CFI and PartitionAlloc already do. Vanadium already has CFI enabled unlike Android Chrome, but there are more CFI features we need to enable.

After the initial hardened_malloc memory tagging implementation is shipped and enabled by default for the OS and many user installed apps, we can consider using more selection of tags (see https://github.com/GrapheneOS/hardened_malloc/blob/main/README.md#memory-tagging). We can also consider using MTE beyond inside hardened_malloc.

384
 
 

Changes in version 118.0.5993.111.0:

  • update to Chromium 118.0.5993.111

A full list of changes from the previous release (version 118.0.5993.80.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

385
 
 

Pixel 8 and Pixel 8 Pro are ARMv9 devices supporting hardware memory tagging. Stock OS currently has a very primitive experimental implementation available as a developer option. We're going to be deploying a more advanced implementation for hardened_malloc in production soon.

Hardware memory tagging is going to provide a massive increase to protection against remote exploitation for GrapheneOS users. It's the biggest security feature we'll be shipping since we started in 2014. We want to have it enabled by default in async (fast) mode for the base OS.

We can provide a toggle for choosing between asynchronous (fast) and synchronous (more secure).

Many user installed apps have latent memory corruption bugs so we aren't going to enable it for them initially. We'll provide a toggle for setting the default (disabled, async, sync).

There can be a per-app toggle for overriding the global default alongside the toggles we already provide for using the full 48-bit address space (enabled by default) and hardened malloc (enabled by default, requires 48-bit address space). This will be a security game changer.

ARM memory tagging support provides a limited form of memory safety for both memory unsafe languages (C, C++) and the small subset of unsafe code in memory safe languages (Rust, Java, Kotlin). hardened_malloc was designed to use memory tagging and will be making great use of it.

MTE uses 4 bit tags for each 16 bytes of memory. hardened_malloc will be using memory tagging for all small allocations, which means 128k and below by default. hardened_malloc already places random guards around large allocations and quarantines their address space on free.
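The tag check described in the two memory tagging posts above can be followed in a small software model. This is an added example, not hardened_malloc or GrapheneOS code, and it runs without MTE hardware. The 32-byte slot size, the function names, and the choice of tag 0 for freed memory with allocations drawing from tags 1 to 15 are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

#define GRANULE   16u                 /* one tag per 16 bytes of memory */
#define NUM_TAGS  16u                 /* 4-bit tags */
#define FREE_TAG  0u                  /* assumption: tag 0 marks freed memory */
#define SLOT_SIZE 32u                 /* constructed size class: 2 granules */
#define NUM_SLOTS 4u

/* Toy heap metadata: the tag stored for each granule. */
static uint8_t granule_tag[NUM_SLOTS * SLOT_SIZE / GRANULE];

/* Model of a tagged pointer: an address plus the tag carried in its top bits. */
typedef struct { uint32_t addr; uint8_t tag; } tagged_ptr;

/* Tag every granule of a slot and return a pointer carrying that tag. */
static tagged_ptr slot_alloc(uint32_t slot, uint8_t tag) {
    uint32_t first = slot * SLOT_SIZE / GRANULE;
    for (uint32_t g = 0; g < SLOT_SIZE / GRANULE; g++)
        granule_tag[first + g] = tag;
    tagged_ptr p = { slot * SLOT_SIZE, tag };
    return p;
}

/* Freeing retags the slot so that pointers still holding the old tag mismatch. */
static void slot_free(uint32_t slot) { (void)slot_alloc(slot, FREE_TAG); }

/* The check itself: the pointer tag must equal the tag of the accessed granule. */
static int access_ok(tagged_ptr p, uint32_t offset) {
    return granule_tag[(p.addr + offset) / GRANULE] == p.tag;
}

/* Use-after-free right after free: returns 1 when the stale access is caught. */
static int uaf_detected_after_free(void) {
    tagged_ptr stale = slot_alloc(1, 5);      /* constructed victim tag */
    slot_free(1);
    return !access_ok(stale, 0);
}

/* Reuse slot 1 with every possible tag and count how often a stale pointer
 * from the previous allocation passes the check again. */
static unsigned stale_ptr_hits(void) {
    unsigned hits = 0;
    tagged_ptr stale = slot_alloc(1, 5);
    slot_free(1);
    for (uint8_t t = 1; t < NUM_TAGS; t++) {
        slot_alloc(1, t);
        hits += (unsigned)access_ok(stale, 0);
        slot_free(1);
    }
    return hits;
}

/* Linear overflow from slot 0 into slot 1 over every pair of tags: count the
 * pairs where the first out-of-bounds byte is NOT caught. */
static unsigned overflow_misses(void) {
    unsigned misses = 0;
    for (uint8_t a = 1; a < NUM_TAGS; a++) {
        for (uint8_t b = 1; b < NUM_TAGS; b++) {
            tagged_ptr p = slot_alloc(0, a);
            slot_alloc(1, b);
            misses += (unsigned)access_ok(p, SLOT_SIZE);
        }
    }
    return misses;
}

int main(void) {
    printf("UAF caught right after free: %d\n", uaf_detected_after_free());
    printf("reuse tags that let a stale pointer through: %u of %u\n",
           stale_ptr_hits(), NUM_TAGS - 1);
    printf("tag pairs where an adjacent overflow is missed: %u of %u\n",
           overflow_misses(), (NUM_TAGS - 1) * (NUM_TAGS - 1));
    return 0;
}
```

The enumeration shows why the small tag width matters: detection is probabilistic, and a stale or out-of-bounds pointer passes only when the two tags happen to be equal.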

386
 
 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without lost functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023102300 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023102300-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023101300 release:

  • initial non-experimental release for Pixel 8 and Pixel 8 Pro support
  • speed up skipping compilation of system packages with dexpreopt (precompilation to native code) to improve post-update boot time
  • backport assorted dexpreopt fixes to make it work for more system packages again to improve verified boot security, free up wasted disk space and reduce post-update boot time
  • use speed-profile compilation for user installed packages for first boot of an update to significantly improve boot time, then recompile with full speed optimization in the background with a progress notification and a notification when it's finished for respawning apps
  • temporarily disable otapreopt (precompilation of apps in the background in update Finalizing step) due to it being broken in Android 14
  • Gallery: remove optional dependency to fix dexpreopt (precompilation to native code)
  • Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold: fix support for Widevine L1 on Android 14
  • fix PIN scrambling for SIM PIN (regression from port to Android 14)
  • handle new Android 14 network time code path for our feature making the automatic time toggle control whether network time connections are made
  • remove standard special case enabling Android 14 auto-confirm PIN by default for 6 digit PINs
  • allow system apps to make sticky notifications again (important for System Updater to avoid users missing the notice to reboot after update installation)
  • System Updater: add option to require that the device is charging
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.134
  • Apps: update to version 21
  • Vanadium: update to version 118.0.5993.80.0
  • GmsCompatConfig: update to version 79
  • improve GrapheneOS system_server infrastructure
387
 
 

Our next release for the Pixel 8 and Pixel 8 Pro will have DisplayPort output enabled now that we've tested it. The next release for these will also no longer be considered experimental but rather will be part of a regular production release alongside the other supported devices.

388
 
 

Changes in version 79:

  • update max supported version of Play services to 23.41
  • update max supported version of Play Store to 38.0

A full list of changes from the previous release (version 78) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig)

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

389
 
 

Notable changes in version 21:

  • properly handle split APKs having their own density split APKs (fixes fully installing recent Play services releases)
  • support updating disabled packages on Android 14+
  • fix static dependencies for app variants
  • remove non-descriptive app icon label to improve screen reader support
  • set channel chip as not checkable to improve screen reader support
  • update AndroidX Core KTX library to 1.12.0
  • update AndroidX Activity KTX library to 1.8.0
  • update AndroidX Navigation libraries to 2.7.4
  • update AndroidX Preference KTX library to 1.2.1
  • update AndroidX lifecycle libraries to 2.6.2
  • update Glide library to 4.16.0
  • switch to Kotlin Symbol Processing (KSP) variant of Glide library
  • update Material library to 1.10.0
  • update Bouncy Castle library to 1.76
  • update Kotlin Coroutines libraries to 1.7.3
  • update Gradle to 8.3
  • update Kotlin to 1.9.10
  • update AndroidX navigation safeargs plugin to 2.6.0
  • update Android Gradle plugin to 8.1.2
  • update Android build tools to 34.0.0
  • update SDK to 34 (Android 14)
  • update target API level to 34 (Android 14)
  • add low-level ACCESS_NETWORK_STATE permission required by API 34 to schedule jobs depending on network availability
  • add low-level FOREGROUND_SERVICE_DATA_SYNC permission required by API 34 to set foreground service type

A full list of changes from the previous release (version 20) is available through the Git commit log between the releases.

Apps is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

390
 
 

Changes in version 118.0.5993.80.0:

  • update to Chromium 118.0.5993.80

A full list of changes from the previous release (version 118.0.5993.65.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

391
 
 

Experimental GrapheneOS support for the Pixel 8 and Pixel 8 Pro is available. Please join #testing:grapheneos.org on Matrix if you want to help with testing it. Most functionality should be working but fingerprint unlock support isn't available yet. We're working on it.

392
 
 

One of our core developers who primarily works on device support has had their Amazon account locked after purchasing a Pixel 8 with Amazon gift cards. Can an Amazon employee please contact us and help escalate their case? Amazon support isn't helping and it's time sensitive.

393
 
 

We'll have a fix for Widevine L1 on 6th/7th generation Pixels in our next release.

Only other remaining major regression we've been able to confirm is ahead-of-time compilation work being redone on the first boot after updating. Fully restoring this to how it was will take time.

We're currently doing very frequent updates to get out fixes for Android 14 regressions quickly. Releases will be slowing down again now that all the known serious issues are resolved. We'll be working on completing Pixel 8 and Pixel 8 Pro alongside fixing more 14 regressions.

394
 
 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without lost functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023101300 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023101100 release:

  • exempt non-app system packages from new package visibility restrictions to fix many APIs in secondary users
  • Sandboxed Google Play compatibility layer: expand background activity launch shim to all the core Google Play apps to fix sandboxed Play Store compatibility issues with Android 14
  • Sandboxed Google Play compatibility layer: fix "Don't show again" notification action which broke after Android 14 port
  • Pixel 5: add back support for battery share (reverse wireless charging) via the new infrastructure in Android 14 which we already adopted for 6th/7th/8th generation Pixels
  • GmsCompatConfig: update to version 78
395
 
 

We've fixed 3/5 of the remaining max priority regressions in Android 14 for today's release. The only remaining ones are restoring ahead-of-time compilation to how it worked before and restoring support for Widevine L1 on 6th/7th generation Pixels.

https://grapheneos.social/deck/@Graphe

We're working on restoring AOT compilation to how it was before: precompilation for base OS and background compilation (Finalizing step) for user installed apps. Full AOT is an important part of our exploit mitigations and precompilation is an important verified boot improvement.

There will temporarily be a long boot time after installing an update based on how many apps you have installed. It's unfortunate Android 14 broke a bunch of this functionality. It impacts us a lot more than the stock OS. For now, reboot into new version when you can wait for it.

396
 
 

Changes in version 78:

  • update max supported version of Play services to 23.40
  • update max supported version of Play Store to 37.9

A full list of changes from the previous release (version 77) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

397
 
 

We're continuing to work on addressing the remaining regressions in Android 14:

https://github.com/GrapheneOS/os-issue-tracker/labels/priority-max

We'll likely have a release available by tomorrow with fixes for both issues impacting sandboxed Google Play.

We've also made major progress on Pixel 8 / 8 Pro support.

It will be very difficult to restore ahead-of-time compilation to the way it worked before. There are significant upstream regressions in Android 14. They broke background compilation as part of the Finalizing step for updates and also broke precompiled Java/Kotlin code support.

For the moment, we're going to work on adding support for compiling apps in the background after boot and displaying a progress bar. This will avoid boots being delayed by compiling apps which is a major issue due to the background Finalizing and precompilation not working in 14.

We still need to restore precompilation and work towards it providing complete coverage to fully provide our verified boot improvements.

Android 14 fixed a bunch of information leaks between profiles which they didn't test properly, causing regressions which we're addressing.

The user profile isolation improvements in Android 14 are causing one of the sandboxed Google Play issues. Simply don't grant Location permission to sandboxed Google Play in secondary users to work around it. You don't need to grant that for working location in apps anyway.

398
 
 

Wise sent us an email 4 hours ago informing us that our US bank account information has changed without warning. They changed bank partners in the US. We've updated the donation page at https://grapheneos.org/donate#wise-us. If you use the old information, your donation will get refunded.

399
 
 

Notable changes in version 76:

  • add support for Pixel 8 and Pixel 8 Pro
  • update Guava library to 32.1.3

A full list of changes from the previous release (version 75) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Alpha channel for both the Play Store and our app repository, then get moved to the Beta channel and finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

400
 
 

You can see our max priority issues here, which are all Android 14 regressions:

https://github.com/GrapheneOS/os-issue-tracker/labels/priority-max

None of these is a severe problem, but we plan to get them all fixed for our next release in a couple days. They're being prioritized over Pixel 8 and Pixel 8 Pro support.
