GrapheneOS [Unofficial]

Changes in version 115.0.5790.166.0:

• update to Chromium 115.0.5790.166

A full list of changes from the previous release (version 115.0.5790.138.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

We've added support for Bitcoin donations to the non-profit GrapheneOS Foundation via a BIP47 payment code and PayNym due to high demand:

https://grapheneos.org/donate#bitcoin

We'll need to regularly sweep these to a fresh address from our hardware wallet since we can't yet use it directly.

It would be nice if hardware wallets implemented this so we could avoid the current compromise.

https://nitter.net/craigraw/status/1685887118235557890

We recently started using Sparrow wallet to generate Child Pays for Parent (CPFP) transactions with our hardware wallet but sadly can't do this with it yet.

PayPal has restored our non-profit GrapheneOS Foundation account. We should be able to withdraw all donations made through it in the past few weeks. We received no info on why our account was permanently banned with funds held for 180 days or why they now restored our account.

We understand people want to donate via credit cards and bank transfers. GitHub Sponsors has worked very well for us as the main credit card donation option. GitHub covers processing fees for donations from individuals so we pay 0% instead of 30¢ + ~4% fees for most donations.

We're going to open a GitHub Sponsors account for the non-profit GrapheneOS Foundation. It's currently the only remaining donation option not yet moved over to the GrapheneOS Foundation. It may take a couple weeks to approve us based on our experience with PayPal and our bank.

We also plan to add support for Wise in order to support local bank transfers internationally instead of only within Canada.

We could also add our own Stripe donation option, but it would have 30¢ + ~4% fees instead of 0% fees for donations from individuals like GitHub Sponsors.

Changes in version 65:

• update max supported version of Play services to 23.30
• update max supported version of Play Store to 36.8

A full list of changes from the previous release (version 64) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

Unfortunately, PayPal permanently locked our GrapheneOS Foundation account today. No reason has been provided for the account being locked. All we've done is accept donations. We added our bank account information yesterday in order to begin withdrawing money and it was locked.

GrapheneOS Foundation is a non-profit organization incorporated federally in Canada. PayPal required us to provide both proof of identity and address for each director along with other documents, etc. to have our account approved. We received CA$3,950.75 of donations through it.

We accept cryptocurrency donations to the GrapheneOS Foundation, but PayPal was currently the only way to donate to it via credit card:

https://grapheneos.org/donate

GrapheneOS as a project accepts credit card donations with 0% fees for donations from individuals via GitHub Sponsors.

We can try to set up GitHub Sponsors for the GrapheneOS Foundation. It takes a long time to go through the KYC process for a non-profit organization since they require it for each director and more beyond that. This is why these things are taking so long for us to set up.

GitHub Sponsors still has 0% fees for donations from individuals compared to 30 cents + 2.9% + 1% for international PayPal donations along with their 3%/4% currency conversion fee. Stripe is only slightly cheaper than PayPal: 0.8% international fee and 2% for currency conversion.

We believe our account was shut down because we accept cryptocurrency donations including via Monero. PayPal partially locked our account and demanded proof for source and purpose of each transaction. We provided a link to https://grapheneos.org/donate. Our account was then force closed.

Our GrapheneOS Foundation non-profit finally has official bank accounts and can directly accept Interac e-Transfers in Canada:

https://grapheneos.org/donate

We'll be adding more donation options in the near future and also a simpler way to donate via credit card without an account.

GitHub Sponsors still charges 0% fees for credit card donations from individuals so we want to keep it as an option. We'll look into setting up an account for the GrapheneOS Foundation. We plan to add Stripe as another option for people who don't want to make a GitHub account.

Tags:

• 2023072600-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
• 2023072600 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
• 2023072600-tangorpro (Pixel Tablet)
• 2023072600-felix (Pixel Fold)

Changes since the 2023072400 release:

• Sandboxed Google Play compatibility layer: fix crash caused by regression in the previous release which was caught in Alpha/Beta testing and blocked us from releasing it to the Stable channel
• Settings: improve GrapheneOS user management setting infrastructure
• Settings: move run in background settings right below switch user settings
• Settings: unify app install settings into three options for non-guest users and two for guest users and move them right above the install available apps settings
• Settings: remove incorrect caching of default guest user manager restrictions
• Vanadium: update to version 115.0.5790.138.0

Changes in version 115.0.5790.138.0:

• update to Chromium 115.0.5790.138

A full list of changes from the previous release (version 115.0.5790.138.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Tags:

• 2023072400-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
• 2023072400 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets
• 2023072400-tangorpro (Pixel Tablet)
• 2023072400-felix (Pixel Fold

Changes since the 2023071100 release:

• replace our changes to AOSP APN and CarrierConfig configurations with a GrapheneOS CarrierConfig2 app for easier maintenance, improved MVNO support and support for recently added configuration options
• add infrastructure for comparing CarrierConfig2 against Google's CarrierSettings app
• show installer package name in error reports to help with identifying issues caused by broken installers
• update timezone module to Android mainline 331910000
• Sandboxed Google Play compatibility layer: support overriding ComponentEnabledSettings via GmsCompatConfig
• Sandboxed Google Play compatibility layer: add missing string for "Missing Play Games app" notification channel name
• Sandboxed Google Play compatibility layer: avoid uncaught exceptions with location rerouting when client only has coarse location permission
• Vanadium: update to version 115.0.5790.85.0
• Vanadium: update to version 115.0.5790.136.0
• GmsCompatConfig: update to version 63
• GmsCompatConfig: update to version 64
• Auditor: update to version 74

Notable changes in version 74:

• move to official Android key attestation library
• update CameraX library to 1.3.0-beta01
• update Bouncy Castle library to 1.75
• update Gradle to 8.2.1
• update Android Gradle plugin to 8.0.2
• update Kotlin to 1.8.22
• simplify certificate validation error handling

A full list of changes from the previous release (version 73) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Alpha channel channel for both the Play Store and our app repository, then get moved to the Beta channel and finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Changes in version 64:

• update max supported version of Play Store to 36.7

A full list of changes from the previous release (version 63) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 115.0.5790.136.0:

• update to Chromium 115.0.5790.13

A full list of changes from the previous release (version 115.0.5790.85.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Our non-profit GrapheneOS Foundation organization now handles donations via Bitcoin, Monero, Zcash, Ethereum and Cardano in addition to PayPal.

https://grapheneos.org/donate

For now, credit card donations can either be made via PayPal or to GrapheneOS developers via GitHub Sponsors.

We plan to add credit card donations to the GrapheneOS Foundation via Stripe to avoid the need for a PayPal or GitHub account. We also plan to have Interac e-Transfer donations go to the GrapheneOS Foundation. Both of these changes are currently stalled by our bank's KYC process.

Changes in version 63:

• update max supported version of Play services to 23.26
• update max supported version of Play Store to 36.6
• add stub for UsbManager.grantPermission() to keep FIDO2 working with Play services 23.26
• add support for disabling Pixel Tablet Homegraph service via the new generic component enabled settings infrastructure in the upcoming GrapheneOS release to replace our hard-wired implementation
• update Gradle to 8.2.1

A full list of changes from the previous release (version 62) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 115.0.5790.85.0:

• update to Chromium 115.0.5790.85
• update to Android build tools 34.0.0 for release signing
• disable VR features for now since it currently depends on Google Play

A full list of changes from the previous release (version 114.0.5735.196.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Tags:

• 2023071100-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
• 2023071100 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
• 2023071100-tangorpro (Pixel Tablet)
• 2023071100-felix (Pixel Fold)

Changes since the 2023070500 release:

• Pixel Fold: rebased onto TQ3C.230705.001.C1 Android Open Source Project release
• fix incomplete eSIM activation app initialization
• do not allow enabling eSIM activation app on first boot due to issues from not including the Google Setup Wizard (UI explains that a reboot is required)
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.186
• SELinux policy (Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Fold): allow OemRilHookService to access IOemSlsiRadioExternal hwservice in order to avoid occasional battery drain from retries
• Sandboxed Google Play compatibility layer: handle location rerouting inside the app using the Google Play location service to have the location permission usage and battery consumption properly attributed among other improvements
• Sandboxed Google Play compatibility layer: notify user when "Nearby devices" perm is needed to connect to Wear OS
• Sandboxed Google Play compatibility layer: show name of calling app in "Missing Play Games app" notification
• GmsCompatConfig: update to version 62

Changes in version 62:

• update max supported version of Play Store to 36.5
• update Gradle to 8.2
• update Android Gradle plugin to 8.0.2

A full list of changes from the previous release (version 61) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

July release of the Android Open Source Project and stock OS for the Pixel Fold is delayed, likely only for a few days. The device was just released on June 27th with official support shipped in a GrapheneOS release on June 28th so it doesn't make sense to do an incomplete early release. We'll include it as part of this release when the official July release is available.

Tags:

• 2023070500-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
• 2023070500 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets
• 2023070500-tangorpro (Pixel Tablet)

Changes since the 2023062800 release:

• full 2023-07-01 security patch level
• full 2023-07-05 security patch level
• rebased onto TQ3A.230705.001 (generic, coral) and TQ3A.230705.001.B4 (tangorpro) Android Open Source Project releases
• do not report pseudo-"network" location provider to be always disabled (resolves regression with network location compatibility from 2023062300)
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.185
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): revert 2 f2fs garbage collection optimizations backported in the Android GKI tree since at least one of them appears to be broken which we ran into in our previous 2023061400 release and now multiple OEMs including Xiaomi have encountered the issue in their own testing too
• kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.119
• disable unused instant app features at boot
• disable problematic "Add users from lock screen" setting at boot
• Settings: remove problematic "Add users from lock screen" setting
• Dialer: re-enable false gesture detection for answering calls, which can be replaced with a newer implementation in the near future instead of it being removed
• Settings: require device restart to disable eSIM activation app via our toggle
• Seedvault: update to latest revision (we plan on replacing this with a new backup implementation since Seedvault is buggy/unreliable, has consistently needed security fixes applied downstream, has failed to provide the originally planned core features and despite being initially created by a GrapheneOS community member for GrapheneOS was taken over by a group hostile towards it)
• PDF Viewer: update to version 17
• GmsCompatConfig: update to version 61

Cellebrite and others in their industry use logical extraction to refer to extracting data from a device after unlocking it, enabling developer options (requires PIN/password), enabling ADB and permitting access for the ADB key of the attached device. See https://cellebrite.com/en/glossary/logical-extraction-mobile-forensics/ The baseline doesn't involve exploitation. The next step up is exploitation via ADB to obtain more data than ADB makes available.

Obtaining data from a locked device requires an exploit. If it was unlocked since boot, the OS can access most data of the currently logged in users.

GrapheneOS includes our auto-reboot feature to automatically get data back at rest so that it's not obtainable even if the device is exploited. Can set this to a much lower value than the default 72 hours. 12 hours won't cause inconveniences for most users, but you can go lower.

User profiles that are not currently active have their data at rest. GrapheneOS provides the option to put secondary users back at rest via end session for convenience. Sensitive global system data is stored by the Owner user, which is why you can't log into another user first.

GrapheneOS also provides the option to disable keeping a secondary user active in the background, to force ending the session when switching away from it.

We provide substantial exploit protection features (https://grapheneos.org/features#exploit-protection), and we're working on some major improvements.

For user profiles that are not currently logged in, their data is protected by encryption even if the device is exploited. An attacker needs to brute force the password. If you use a strong random passphrase, they cannot do it. Otherwise, you depend on hardware-based security.

Most Android devices don't have decent hardware-based encryption security. If a typical Android device has the OS exploited, the attacker can trivially bypass any typical PIN/passphrase via brute force. We only support devices defending against this (https://grapheneos.org/faq#encryption).

iPhones, Pixels and certain other Android devices provide hardware-based throttling of unlock attempts via a secure element. We explain how this works at https://grapheneos.org/faq#encryption. This protection depends on security of the secure element, which is quite good for Pixel 6 and later.

Notable changes in version 17:

• set zoom ratio to fit document to window size by default
• decrease minimum zoom ratio to 0.2 from 0.5 (can zoom out much further)
• replace custom file size parsing with Android implementation
• avoid uncaught exception when parsing file sizes from certain Storage Access Framework providers
• new text layer rotation implementation based on CSS transforms
• update pdf.js to 3.8.162
• update Material library to 1.9.0
• update Kotlin to 1.8.22
• update Gradle to 8.2
• update Android Gradle plugin to 8.0.2 -:add Gradle verification metadata
• remove legacy roundIcon attribute
• add eslint integration
• improve implementation quality including porting some code to Kotlin

A full list of changes from the previous release (version 16) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content-Security-Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Beta channel for both the Play Store and our app repository and then get moved to the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Changes in version 61:

• update max supported version of Play services to 23.25
• update max supported version of Play Store to 36.4

A full list of changes from the previous release (version 60) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS releas

We recently formed the GrapheneOS Foundation as a non-profit organization and we'll be using it for accepting most donations to the project.

We'll be accepting Stripe donations directly instead of needing to go through GitHub Sponsors once we get through our bank's KYC process.

PayPal approved our application today but we're still waiting on the bank. Each bank and financial service has their own take on KYC (Know Your Customer) compliance. Each of our directors is in a different country with different languages and in some cases incompatible laws...

We've added links to make one-time, monthly or yearly donations to our non-profit via PayPal:

https://grapheneos.org/donate#paypal

Stripe's base fee is the same (2.9% + 30 cents) but their fees for international transactions (0.6%) and currency conversion (2%) are better. We'll add it ASAP.

Tags:

• 2023062800-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
• 2023062800 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
• 2023062800-tangorpro (Pixel Tablet)
• 2023062800-felix (Pixel Fold)

Changes since the 2023062300 release:

• add initial Pixel Fold support
• replace unused BUILD_ID field with device name in release channel metadata
• System Updater: add enforcement of device name in release channel metadata as a misuse resistance improvement
• Settings: mark DSUs (Dynamic System Updates) as unsupported
• Launcher: add back Storage Scopes and Contact Scopes links to launcher icon shortcuts since this is now separate from the recent apps screen
• Pixel Tablet: set default screen rotation to landscape mode (270 degrees) since we disable auto-rotation by default (due to the manual rotate button appearing after rotation) and the current default means that the device starts locked in portrait mode in the initial setup which gives a bad impression
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): add missing non-security patch
• Vanadium: update to version 114.0.5735.196.0
• Auditor: update to version 73

GrapheneOS now has experimental support for the Pixel Fold. It's available for download on our staging site:

https://staging.grapheneos.org/releases

It can also be installed with our easy to use web installer:

https://staging.grapheneos.org/install/web

It will be included in our upcoming production release.

Notable changes in version 73:

• add Pixel Fold support
• add new attestation protocol version 5 with updated DEFLATE dictionary to make QR codes easier to scan from current generation devices using remote key provisioning (protocol version 4 is still supported)

A full list of changes from the previous release (version 72) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Alpha channel channel for both the Play Store and our app repository, then get moved to the Beta channel and finally the Stable channel.

Releases are initially pushed out through the Alpha channel channel for both the Play Store and our app repository, then get moved to the Beta channel and finally the Stable channel.

GrapheneOS users must obtain GrapheneOS app updates through our app repository since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.