GrapheneOS [Unofficial]

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2023123100-redfin (Pixel 4a (5G), Pixel 5)
• 2023123100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023123000 release:

• Keyboard: avoid spell checker crash after keyboard's spell checking service is stopped by the OS (regression in the last Alpha channel only release fixing multi-locale spell checking)
• backport upstream fix for Wi-Fi background scan system_server crash
• hardened_malloc / bionic: restore default SIGABRT handler in fatal_error to work around crashlytics bug caused by it using fork instead of clone which triggers a deadlock when malloc locks are held already
• skip missing sensors permission notification with wrong app id
• Sandboxed Google Play compatibility layer: avoid crashes in Android Auto and potentially elsewhere from missing Google Search app to make it a proper optional dependency
• Sandboxed Google Play compatibility layer: fix handling of while-in-use permissions
• Sandboxed Google Play compatibility layer: drop ACCESS_BACKGROUND_LOCATION permission for Android Auto now that while-in-use permission works
• Sandboxed Google Play compatibility layer: add workaround for rare foreground service crash (may be upstream bug)

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2023123000-redfin (Pixel 4a (5G), Pixel 5)
• 2023123000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets

Changes since the 2023121200 release:

• Keyboard: add new implementation of multi-locale spell checking support to fix crashes and other issues
• Sandboxed Google Play compatibility layer: add Android Auto support with the compatibility layer eliminating the need for most of the permissions and a permission menu with 4 toggles for granting the minimal special access required for wired Android Auto, wireless Android Auto, audio routing and phone calls
• Settings: remove confusing mention of Android Auto from Connected devices screen
• exempt non-app system processes from Sensors permission enforcement (fixes some issues including gpsd crashes)
• fix Bluetooth auto-turn-off race condition to avoid crashes
• work around upstream race condition bug in biometric service
• disable support for pre-approving PackageInstaller sessions due to incompatibility with Network permission toggle
• fix several upstream bugs in handling crash reports mainly to improve our user-facing crash reporting system
• use GrapheneOS Widevine provisioning proxy by default
• add settings for changing Widevine provisioning server
• add configuration for setupdesign and setupcompat libraries to improve system UI theme
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.204
• kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.142
• kernel (Generic 6.1): initial port of GrapheneOS changes for use with emulator builds
• force disable network ADB in early boot to improve verified boot security (no user-facing change since it's currently disabled by default later in the boot process, but not robustly)
• Vanadium: update to version 120.0.6099.115.0
• Vanadium: update to version 120.0.6099.144.0
• AppCompatConfig: update to version 2
• GmsCompatConfig: update to version 88
• GmsCompatConfig: update to version 89
• GmsCompatConfig: update to version 90
• Auditor: update to version 78

Changes in version 2:

• suppress harmless native debugging notification for Vanadium, Brave and Chrome
• enable all exploit protections for Android Auto by default
• update Gradle to 8.5
• update Android Gradle plguin to 8.2.0

A full list of changes from the previous release (version 1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Android Auto support for our sandboxed Google Play compatibility layer has been merged into GrapheneOS and should be available in the next release. It's currently going through final review and internal testing leading up to being able to make a public Alpha channel release.

The implementation uses the compatibility layer to eliminate most of the special privileges that are usually required. It provides 4 permission toggles for enabling different access for wired Android Auto, wireless Android Auto, audio routing control and phone call control.

No special access is granted by default. We've made subsets of the standard privileged permissions for these toggles for granting only minimal required access. Wired Android Auto is close to working with 0 special access required but not quite so it still needs a toggle.

Changes in version 90:

• add shims for Android Auto support which will provide support for it alongside changes in the next OS release
• update Gradle to 8.5
• update Android Gradle plguin to 8.2.0

A full list of changes from the previous release (version 89) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig)

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release

Changes in version 120.0.6099.144.0:

• update to Chromium 120.0.6099.144

A full list of changes from the previous release (version 120.0.6099.115.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Notable changes in version 78:

• update CameraX library to 1.3.1
• update Bouncy Castle library to 1.77
• update Guava library to 33.0.0
• update Material Components library to 1.11.0
• update Gradle to 8.5
• replace deprecated Gradle functionality

A full list of changes from the previous release (version 77) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Alpha channel channel for both the Play Store and our app repository, then get moved to the Beta channel and finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Changes in version 88:

• suppress sendBroadcastAsUser() crashes on GrapheneOS 12.1 (end-of-life 3rd generation Pixels

A full list of changes from the previous release (version 87) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 120.0.6099.115.0:

• update to Chromium 120.0.6099.115

A full list of changes from the previous release (version 120.0.6099.43.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2023121200-redfin (Pixel 4a (5G), Pixel 5)
• 2023121200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets

Changes since the 2023120800 release:

• stop reporting forced reboot (long press power) as a kernel crash
• filter out SoC ID from kernel crash logs (logged by Little Kernel firmware boot stage before the OS)
• temporarily disable memory tagging and hardened_malloc for surfaceflinger process to work around upstream use-after-free bug(s)
• raise max open files for system_server to 256k from the baseline 32k limit used for all processes on Android due to situations where the 32k limit is exhausted, which has become much more common for a small number of users with Android 14 QPR1
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold): backport fix for glibc 2.38 build error to device-specific driver source tree too to end the need for mounting a modified features.h for building host executables
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.201
• kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.138
• GmsCompatConfig: update to version 87
• suppress repetitive sendHistogramChannelIoctl logging (upstream issue)

Changes in version 87:

• update max supported version of Play services to 23.49
• update max supported version of Play Store to 38.7

A full list of changes from the previous release (version 86) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Tags:

• 2023120800 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023120701 release:

• Package Installer: fix crash introduced upstream in Android 14 QPR1 for handling pending user action
• Package Installer: fix crash introduced upstream in Android 14 QPR1 by limiting maximum app snippet icon size
• avoid false positives for our kernel crash reporting when running in the Android emulator

Android 14 QPR1 has some regressions for the package installer interface. They were aware of these issues for months and they're already fixed in the QPR2 Beta. It's unfortunate their release process is too slow to incorporate fixes, largely defeating the purpose of beta testing.

GrapheneOS will have another OS update later today with fixes for these issues. Stock Pixel OS users will hopefully only need to wait for the January monthly release to resolve the package installer interface crashes. They need to fix many things about their release processes.

Tags:

• 2023120701 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023120700 release:

• adevtool (Pixel 8, Pixel 8 Pro): update system property removal

This is the first quarterly release of Android 14 and includes a bunch of nice improvements including using the phone as a webcam.

Starting with this release, the Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. Certain driver patches will remain available until the Pixel 5a is end-of-life due to shared code. We'll continue providing all of the Android Open Source Project and GrapheneOS changes for them until the release of Android 15. After Android 15 is released, they'll remain on a legacy Android 14 branch with only the AOSP security patch backports to Android 14 and some additional changes backported by us on a best effort basis. This is the same kind of extended support we provided for the Pixel 4 and Pixel 4 XL.

Tags:

• 2023120700 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2023120400 release:

• full 2023-12-01 security patch level for 6th/7th generation Pixels too
• full 2023-12-05 security patch level
• rebased onto UQ1A.231205.015 Android Open Source Project releases, which is the first quarterly maintenance/feature release for Android 14
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision
• Sandboxed Google Play compatibility layer: disable privileged AlarmManager.FLAG_PRIORITIZE to prevent crashes (this API is a no-op when Unrestricted battery mode is granted anyway)
• GmsCompatConfig: update to version 86

Changes in version 86:

• disable feature flag enabling using a privileged AlarmManager API to avoid crashes

A full list of changes from the previous release (version 85) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and ``|config-holder/``` directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

The December release of the Android Open Source Project and stock Pixel OS will be the first quarterly release of Android 14. It will likely be available this week, but hasn't been published yet. Since there hasn't been a release yet this month, we're publishing an early December security update based on the AOSP backports to Android 14.

It's unclear if 6th/7th generation Pixels received a specific Mali GPU kernel driver patch so we aren't raising the patch level for these until the official December release is available. We often backport these patches early but we don't know which patch corresponds to which CVE ID so we can't raise the claimed patch level. ARM covers up the details publicly and only releases tarballs for each major revision without the Git commit history or individual security patch backports they make available to partners, despite partners being allowed to apply those in public Git repositories. We can often figure out the patch corresponding to a CVE ID or vice versa through ARM partners publishing it, but we haven't been able to in this case.

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're currently supporting them via a legacy Android 13 branch separate from these mainline GrapheneOS releases. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS.

Tags:

• 2023120400 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
• 2023120400-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023112900 release:

• full 2023-12-01 security patch level (6th/7th generation Pixels may be missing a 2023-11-05 Mali GPU patch so we've frozen the patch level string until the official December update)
• Pixel 8, Pixel 8 Pro: use more modern target CPU configuration
• System Updater: enable non-low (currently 20% or higher) battery requirement for the update job by default (will not change for users who have previously opened the update settings due to how they're implemented)
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision
• Vanadium: update to version 120.0.6099.43.0
• GmsCompatConfig: update to version 85

Consider joining the GrapheneOS community in our official forum and chat rooms!

Forum: https://discuss.grapheneos.org

There are 7 chat rooms bridged across the main 3 chat platforms.

Discord: https://grapheneos.org/discord Telegram: https://t.me/GrapheneOS Matrix: https://matrix.to/#/#community:graphen

Changes in version 85:

• update max supported version of Play Store to 38.6

A full list of changes from the previous release (version 84) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Selling people devices with GrapheneOS is permitted. However, please don't sell people end-of-life or near end-of-life devices. This is essentially scamming customers and goes against our strong recommendation to not purchase devices older than the Pixel 6. This needs to stop.

We've brought this up with several of the stores selling GrapheneOS phones. Several have listened to us and changed their approach. Others have doubled down on it and even blocked us for making this request. If you're using our trademarked name/logo, this is more than a request.

GrapheneOS supports hardware attestation and has much stronger security than even the stock Pixel OS but isn't Google certified. Play Integrity and legacy SafetyNet Attestation check for Google certification, not any form of security. We have concrete plans to address this issue.

Due to hardware attestation and the support for it via the strong mode for Play Integrity and legacy SafetyNet Attestation, spoofing the Google certification checks is a lost cause over the long term. This is why we refrained from spoofing the much more commonly used basic mode.

Long term, the solution will be to convince organizations to support GrapheneOS by switching to directly using the hardware attestation API which has alternate OS support. See https://grapheneos.org/articles/attestation-compatibility-guide. This is much easier to use now that there's an official library for it.

We're aware that an SDK used by many banking apps has recently adopted the weak software Google certification checks. This has greatly increased the priority of a short term workaround. When we have time, we'll contact company making the SDK and some of the banks with our guide.

At some point, these SDKs are going to start using the strong mode and it's going to end the ability to spoof the checks. It's why we refrained from doing it because we know it's setting up events in the future where many apps suddenly lose compatibility from server side updates.

Extending our Sandboxed Google Play compatibility layer to support Android Auto is currently a top priority. It's nearly ready to ship, and after that the developer working on it will move on to a workaround for this to delay needing app developers or governments to solve it.

Changes in version 120.0.6099.43.0:

• update to Chromium 120.0.6099.43

A full list of changes from the previous release (version 119.0.6045.193.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 119.0.6045.193.0:

• update to Chromium 119.0.6045.193

A full list of changes from the previous release (version 119.0.6045.163.2) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

In the latest release of GrapheneOS, you can now enable hardware memory tagging for all user installed apps on the Pixel 8 and Pixel 8 Pro to make them substantially harder to exploit. This is particularly useful for apps like Signal and WhatsApp.

Everyone on GrapheneOS has hardened_malloc and our other baseline exploit protections. hardened_malloc has great support for hardware memory tagging to provide a form of memory safety for memory unsafe code with a mix of deterministic guarantees and randomized general protection.

We've also replaced the Linux kernel version on the Pixel 8 and Pixel 8 Pro. AOSP and the stock Pixel OS use 5.15.110 while GrapheneOS is now using 5.15.137 and will be closely following along with kernel.org LTS releases after they go through appropriate testing.

We mentioned Signal/WhatsApp because despite having end-to-end encryption, they both have a massive amount of remote attack surface, use tons of memory unsafe code for handling media, voice/video calls, etc. along with not using sandboxing. E2EE does no good if app is exploited.

GrapheneOS now has near full coverage for using memory tagging to defend against heap memory corruption outside the Linux kernel.

Future work will be converting Linux kernel's MTE-based debugging into hardening and enabling Clang stack allocation tagging for userspace/kernel.

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're currently supporting them via a legacy Android 13 branch separate from these mainline GrapheneOS releases. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS.

Tags:

• 2023112600 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
• 2023112600-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023111500 release:

• improve existing infrastructure and settings for per-app hardening control
• add new infrastructure for dynamic SELinux flags for apps
• replace static SELinux policy disabling dynamic native code generation for base system apps with dynamic SELinux flag
• replace YAMA LSM with dynamic SELinux flag for ptrace access
• add per-app toggle for native debugging
• add global toggle to disable native debugging for user installed apps by default
• add per-app memory tagging toggle for user installed apps
• add global toggle to enable memory tagging for user installed apps by default
• add logging infrastructure for dynamic GrapheneOS SELinux flags
• raise post-boot audit message rate limit from 5 to 50 per second
• add more infrastructure and tests for per-app hardening control
• Pixel 8, Pixel 8 Pro: migrate to using our standard 5.15.137 GKI LTS kernel as the base with reverts for changes that are not compatible with the driver tree yet
• include more info about Java and native crashes, ANRs, low memory conditions. kernel crash logs and filesystem check errors in bug report zips manually captured by users which on the stock OS is uploaded by Play services
• Sandboxed Google Play compatibility layer: allow compatibility layer to show the error report UI
• GmsCompatConfig: update to version 84
• Vanadium: update to version 119.0.6045.163.2