GrapheneOS [Unofficial]

Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

226
 
 

Changes in version 124.0.6367.82.1:

  • enable hybrid post-quantum cryptography support

A full list of changes from the previous release (version 124.0.6367.82.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

227
 
 

Changes in version 124.0.6367.54.0:

  • update to Chromium 124.0.6367.82
  • enable CredentialManager flag by default in the browser instead of only via setting the flags via the configuration app
  • support for respecting OS configuration for restricting dynamic code execution
  • clean up our infrastructure for content filter updates

A full list of changes from the previous release (version 124.0.6367.54.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

228
 
 

Changes in version 106:

  • revert feature flag override from the previous release
  • add temporary stub for ActivityManager.getPackageImportance() which requires the usage stats special access permission since a new feature flag depends on it without checking for the permission or handling the SecurityException (this is temporary because we plan to find a way to provide the foreground check it's trying to do for battery usage throttling without giving it any additional data similar to how AppOps foreground access checks work fine already)

A full list of changes from the previous release (version 105) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

229
 
 

Changes in version 105:

  • disable feature flag causing a reported crash due to sandboxed Play services not having the usage stats permission by default (the permission can be revoked on the stock OS so they may revert this change or have it handle the error)

A full list of changes from the previous release (version 104) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

230
 
 

One of our community members has been doing testing of Android VPN apps to check for leaks. They've found and reported 2 issues where leak blocking functionality doesn't appear to work as intended: one occurs with local network multicast and the other with DNS while VPN is down.

We're actively looking into these issues. Local network multicast not being blocked as expected is likely an OS bug caused by special handling of multicast. DNS issue may be another missed special case or a race condition, but it's possible the apps are handling it incorrectly.

One of the two issues (DNS) has spread to discussions about VPN apps elsewhere. Responsibility for blocking leaks is shared between the OS and VPN apps. It's a good thing that the OS provides standard infrastructure for this. Since the OS controls most of it, we can improve this.

231
 
 

This release is only being done for the Pixel 8 and Pixel 8 Pro due to lack of changes relevant to other devices.

Tags:

  • 2024042200 (Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024042100 release:

  • kernel (5.15): revert another broken f2fs change from the 5.15.149 release (entirely separate from what was fixed in our last release)
232
 
 

We found another regression introduced by a recent f2fs change in the Linux 5.15 LTS branch so we'll have to make another release for Pixel 8 and Pixel 8 Pro before it can reach Beta. Only 2 users doing Alpha channel testing ran into this and one has confirmed reverting it works.

It's possible that this change in the upcoming Linux 6.9 release may resolve the issue properly rather than needing to revert another fix: https://github.com/torvalds/linux/commit/42a80aacb76bed85f453b10f662877ed60d37164. The issue is that we only had 2 users able to reproduce this and now neither can help test potential fixes.

233
 
 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024042100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024042100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024042000 release:

  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): backport upstream f2fs patch for a kernel panic caused by another upstream f2fs patch included in the last GKI LTS update
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.78
234
 
 

https://grapheneos.social/@GrapheneOS/112307439457892688

Our latest release will remain in the Alpha channel due to upstream Linux kernel regressions in the latest 5.15 GKI LTS release causing crashes on the Pixel 8 and Pixel 8 Pro for some users. Very likely caused by f2fs backports in the newer LTS release.

If you're having any crashes with the most recent Alpha channel release on the Pixel 8 and Pixel 8 Pro, please join our testing chat room and help test an official build with a potential fix. We'll only be making a new release after confirming we have a working fix for the issue.

Only 2 users have reported kernel crashes with the new release for Pixel 8 and Pixel 8 Pro. Based on the error logs from the kernel, we suspect the cause is one of 3 f2fs kernel changes in the latest 5.15 GKI LTS release. We aren't getting the feedback we need to determine this.

235
 
 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024042000-redfin (Pixel 4a (5G), Pixel 5)
  • 2024042000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040900 release:

  • add toggle in Settings > Security for opting into memory tagging in vendor processes currently excluded from it with the end goal of having it force enabled without a toggle as we do for the rest of the base OS
  • allow eSIM activation app to interact with Google Fi app when installed to fix Google Fi activation
  • use ro.vendor.build.svn system property from adevtool instead of AOSP to make sure it always matches the stock OS
  • Pixel Fold: update to AP1A.240405.002.A2 vendor files
  • Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro: update to AP1A.240405.002.B1 vendor files
  • Log Viewer: include kernel log buffer in default log output
  • Log Viewer: show "Save" instead of "Copy" button for logs that are over ~50 KB
  • Log Viewer: improve handling of log saving
  • backport mainline APEX module patches for Android Health, ART, DNS Resolver, Media Provider, Network Stack, PermissionController and Wi-Fi
  • TalkBack (screen reader): update base code to 14.1 and massively overhaul our changes to it
  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.148
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.76
  • Vanadium: update to version 123.0.6312.118.0
  • Vanadium: update to version 124.0.6367.42.0
  • Vanadium: update to version 124.0.6367.54.0
  • Camera: update to version 67
  • Camera: update to version 68
  • Auditor: update to version 79
  • GmsCompatConfig: update to version 103
  • GmsCompatConfig: update to version 104
  • Setup Wizard: layout and style improvements
  • Setup Wizard: add functionality for testing on debug builds
236
 
 

Changes in version 104:

  • update max supported version of Play Store to 40.6

A full list of changes from the previous release (version 103) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

237
 
 

Notable changes in version 79:

  • modern Material 3 UI overhaul
  • use edge-to-edge layout
  • update CameraX library to 1.3.3
  • update AndroidX Core library to 1.13.0
  • update Bouncy Castle library to 1.78
  • update Guava library to 33.1.0
  • update ZXing library to 3.5.3
  • update Gradle to 8.7
  • update Android Gradle plugin to 8.3.2
  • update Kotlin to 1.9.23

A full list of changes from the previous release (version 78) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

238
 
 

Notable changes in version 68:

  • temporarily disable support for 4:3 aspect ratio video recording added in version 67 due to breaking on devices where it's not supported

A full list of changes from the previous release (version 67) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

239
 
 

Notable changes in version 67:

  • add support for 4:3 aspect ratio video recording
  • use new blur bitmap implementation based on RenderEffect for Android 12+
  • avoid crashes in rare case when tabParent is not initialized
  • update CameraX library to 1.4.0-alpha05
  • update ZXing (barcode library) to 3.5.3
  • update AndroidX Core library to 1.13.0
  • update Gradle to 8.7
  • update Android Gradle plugin to 8.3.2
  • update Kotlin to 1.9.23
  • replace deprecated APIs

A full list of changes from the previous release (version 66) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

240
 
 

Changes in version 124.0.6367.54.0:

  • update to Chromium 124.0.6367.54

A full list of changes from the previous release (version 124.0.6367.42.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

241
 
 

There's a site impersonating the GrapheneOS project for scamming people (grapheneos dot fr). GrapheneOS does not currently sell phones or work with any company/individual selling phones.

We strongly recommend using the very easy to use web installer: https://grapheneos.org/install/web.

The site is hosted via Wix and uses Tucows as the domain registrar.

Tucows permits using their services for scamming, impersonation, harassment, etc. until they get a court order to stop doing it (https://tucows.com/news/why-tucows-doesnt-take-down-domains-for-website-content-issues) so that's a dead end.

Do we know anyone at Wix?

Wix has taken down the site, but nothing has been done about the domain by Tucows or AFNIC yet. They may simply point the domain at another host. We'll continue trying to get AFNIC to deal with it. We're currently aware of 8 grapheneos.tld domains people registered...

242
 
 

Changes in version 103:

  • update max supported version of Play services to 24.15
  • update max supported version of Play Store to 40.5
  • update Android Gradle plugin to 8.3.2

A full list of changes from the previous release (version 102) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

243
 
 

Changes in version 124.0.6367.42.0:

  • update to Chromium 124.0.6367.42

A full list of changes from the previous release (version 123.0.6312.118.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

244
 
 

Changes in version 123.0.6312.118.0:

  • update to Chromium 123.0.6312.118

A full list of changes from the previous release (version 123.0.6312.99.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

245
 
 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024040900-redfin (Pixel 4a (5G), Pixel 5)
  • 2024040900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040300 release:

  • rebased onto AP1A.240405.002.A1 Android Open Source Project release (includes a launcher taskbar improvement)
  • avoid crashes in Chromium-based web browsers and the WebView in their sandboxed processes caused by an incompatibility between exec-based spawning and the new userfaultfd-based garbage collector enabled by Android 14 QPR2
  • DNS resolver: fix upstream bug resulting in NUL byte being included in the random string for the DNS-over-TLS test query
  • allow privileged installers to use getSharedLibraries(MATCH_ANY_USER) in order to enable Apps to handle an edge case involving shared libraries (Vanadium Trichrome library) updated in other users while avoiding adding the INTERACT_ACROSS_USERS permission used for this purpose by the Play Store
  • kernel (5.10, 6.1): update to latest GKI LTS branch revision
  • kernel (5.10): reapply reverted upstream f2fs and irq changes now that the regressions are resolved
  • GmsCompatConfig: update to version 102
  • fix our infrastructure for testing our CarrierConfig2 app
246
 
 

SSL Labs (https://www.ssllabs.com/ssltest) from Qualys used to be a useful HTTPS testing tool. However, it hasn't received significant updates since 2019 and is now holding back HTTPS security. The biggest issue is that many of the tests don't support TLSv1.3 so it penalizes disabling legacy TLSv1.2.

It was supposed to be increasing grading requirements over time. It only requires HSTS for A+, doesn't require HSTS preloading, doesn't require CAA, is completely unaware of CAA account/method binding + DNSSEC to secure issuance. It still has obsolete HPKP but is unaware of DANE.

It's also unaware of (hybrid) post-quantum cryptography, which probably shouldn't be part of grading yet but it should be able to detect it.

Sites need to start disabling TLSv1.2 to push many tools and crawlers to update to TLSv1.3 and penalizing it holds back that happening.

It's unaware of Encrypted ClientHello which shouldn't be part of grading but simply detected.

It should also be able to detect an 'HTTPS' record which should be required as part of grading, along with the other DNS-based features of CAA, CAA account/method binding and DNSSEC.
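
An added example, not part of the original post: a small offline checker for the header and DNS features the post above says a grader should look at (HSTS preloading, CAA with account/method binding plus DNSSEC, TLSv1.3 without legacy TLSv1.2). The function names, the `ca.example` issuer and every sample input are constructed for illustration; the DNSSEC status and the set of negotiated TLS versions are assumed to be supplied by the caller.

```python
# Added example (not from the post). All sample inputs are constructed.
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name and name not in directives:  # simplification: keep first occurrence
            directives[name] = value.strip().strip('"')
    return directives


def hsts_findings(header):
    d = parse_hsts(header or "")
    age = int(d["max-age"]) if d.get("max-age", "").isdigit() else None
    return {
        "hsts": age is not None and age > 0,
        "preload_eligible": age is not None and age >= PRELOAD_MIN_MAX_AGE
        and "includesubdomains" in d and "preload" in d,
    }


def parse_caa(rdata):
    """Parse CAA presentation format: <flags> <tag> "<value>" (RFC 8659)."""
    m = re.match(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?(.*?)"?\s*$', rdata)
    if not m:
        raise ValueError(f"malformed CAA record: {rdata!r}")
    issuer, *raw_params = [p.strip() for p in m.group(3).split(";")]
    params = {}
    for p in raw_params:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return {"critical": bool(int(m.group(1)) & 0x80), "tag": m.group(2).lower(),
            "issuer": issuer, "params": params}


def caa_findings(records):
    issue = [r for r in map(parse_caa, records)
             if r["tag"] in ("issue", "issuewild")]
    # Records with an empty issuer (";") forbid issuance and need no binding.
    named = [r for r in issue if r["issuer"]]
    return {
        "caa": bool(issue),
        # RFC 8657 parameters: accounturi pins the CA account,
        # validationmethods pins how domain control may be proven.
        "account_bound": bool(issue) and all("accounturi" in r["params"] for r in named),
        "method_bound": bool(issue) and all("validationmethods" in r["params"] for r in named),
    }


def site_findings(hsts_header, caa_records, dnssec_signed, tls_versions):
    """Combine the checks. dnssec_signed and tls_versions are caller-supplied."""
    f = {**hsts_findings(hsts_header), **caa_findings(caa_records)}
    # Binding in CAA only secures issuance if the records cannot be spoofed.
    f["issuance_secured"] = f["account_bound"] and f["method_bound"] and dnssec_signed
    f["tls13"] = "TLSv1.3" in tls_versions
    # Reported as a positive finding rather than penalized.
    f["legacy_tls12_disabled"] = f["tls13"] and "TLSv1.2" not in tls_versions
    return f


# Constructed sample configurations.
STRONG = site_findings(
    "max-age=63072000; includeSubDomains; preload",
    ['0 issue "ca.example; accounturi=https://ca.example/acct/1; validationmethods=dns-01"',
     '0 issuewild ";"'],
    dnssec_signed=True, tls_versions={"TLSv1.3"})
WEAK = site_findings(
    "max-age=15768000", ['0 issue "ca.example"'],
    dnssec_signed=False, tls_versions={"TLSv1.2", "TLSv1.3"})

if __name__ == "__main__":
    for name, result in (("strong", STRONG), ("weak", WEAK)):
        print(name, result)
```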

247
 
 

Changes in version 102:

  • update max supported version of Play services to 24.13
  • update max supported version of Play Store to 40.4

A full list of changes from the previous release (version 101) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

248
 
 

April release of the Pixel boot chain firmware includes fixes for 2 vulnerabilities reported by GrapheneOS which are being actively exploited in the wild by forensic companies:

https://source.android.com/docs/security/bulletin/pixel/2024-04-01

https://source.android.com/docs/security/overview/acknowledgements

These are assigned CVE-2024-29745 and CVE-2024-29748.

CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking. Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.

We proposed zeroing memory in firmware when rebooting to fastboot mode to wipe out the whole class of attacks. They implemented this by zeroing memory when booting fastboot mode. USB is only enabled by fastboot mode after zeroing the memory is completed, blocking these attacks.

GrapheneOS already implemented defenses against this attack before we became aware of it. After becoming aware of this attack against Pixels running the stock OS, we improved our existing defenses and added new ones alongside reporting the firmware weaknesses to get those fixed.

CVE-2024-29748 refers to a vulnerability providing the ability to interrupt a factory reset triggered by a device admin app. It appears they've implemented a partial solution in firmware. See https://grapheneos.social/@GrapheneOS/112162304896898942 about ongoing work we spotted on wipe-without-reboot support.

GrapheneOS has been working on a duress PIN/password feature for a while, and as part of that we already implemented our own wipe-without-reboot system. We care a lot about doing things properly and the way this was done in existing apps and operating systems was highly insecure.

Can see the announcement of these being exploited in the wild at https://source.android.com/docs/security/bulletin/pixel/2024-04-01#Announcements.

In addition to them working on our proposal to implement wipe-without-reboot, we've spotted work on our other suggestions such as wiping key derivation results from memory after unlocking.

In the near future, we'll be shipping a properly secure implementation of a duress PIN/password along with a properly secure panic wipe based on wiping without requiring a reboot. We also plan to make device admin API use our wipe-without-reboot approach until Android ships one.

Our baseline defenses against attacks aiming to extract data from After First Unlock state devices are our generic exploit protection features:

https://grapheneos.org/features#exploit-protection

Wiping freed memory in kernel/userspace helps beyond exploit mitigation by avoiding having data kept around.

Our auto-reboot feature starts a timer after the device is locked which will reboot the device if it isn't unlocked successfully before the timer elapses. This is set to 18 hours by default but can be set between 10 minutes and 72 hours. It won't chain reboot the device anymore.

All of our defenses against obtaining data from After First Unlock state devices are centered around auto-reboot. Our goal is preventing exploitation long enough for the device to cleanly reboot and get the data back at rest as if it had been obtained while it was powered off.

Due to the importance of auto-reboot, we recently reimplemented it as a low-level timer in the init process. This makes it much harder to prevent the device from rebooting. Previously, crashing system_server would restart the timer. It also allowed us to avoid it chain rebooting.

Our USB-C port control is set to "Charging-only when locked, except before first unlock" by default. New USB connections can only be made while unlocked, except BFU. After locking, new connections are blocked immediately and data lines are disabled when existing connections end.

We encourage users to use "Charging-only when locked" if they don't need USB devices when the device boots or "Charging-only" if they don't use USB beyond charging. There's also an "Off" value disabling charging when OS is booted into the main OS boot mode for high threat models.

To clarify something that's being misunderstood, neither of these 2 weaknesses are specific to Pixels. The mitigations they added are specific to Pixels. We aren't aware of another Android device implementing the reset attack mitigation shipped by Pixels based on our proposal.

The specific vulnerabilities being exploited in fastboot mode are likely littlekernel USB vulnerabilities. If you look in the Pixel security bulletins, you can see many of the patches there are for components also used on other devices like the Samsung modem and littlekernel.

249
 
 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024040300-redfin (Pixel 4a (5G), Pixel 5)
  • 2024040300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040200 release:

  • full 2024-04-05 security patch level
  • rebased onto AP1A.240405.002 Android Open Source Project release
  • fix upstream OS limitation preventing using emergency dialer from setup wizard in secondary users
  • Vanadium: update to version 123.0.6312.99.0
250
 
 

Changes in version 123.0.6312.99.0:

  • update to Chromium 123.0.6312.99

A full list of changes from the previous release (version 123.0.6312.80.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
