GrapheneOS [Unofficial]

https://arstechnica.com/tech-policy/2024/08/google-loses-dojs-big-monopoly-trial-over-search-business/

Action is still urgently needed to address the highly anti-competitive Google Mobiles Services licensing system and the Play Integrity API which are a major part of Google maintaining their monopolies over search and many parts of the mobile market.

We recently published a detailed thread about this here:

https://grapheneos.social/@GrapheneOS/112878067304840664

We're in contact with the regulators in MULTIPLE countries about this. Don't fall for Google pretending Play Integrity API is security related or that their licensing system is about compatibility.

Android and Chromium would massively benefit from proper collaboration between stakeholders without Google's business model getting in the way. Should be forced to deal with both following the model of the LLVM Foundation and also spin off Google Play into an independent company.

Google is actively cracking down on competition in the mobile space by convincing app developers to use their Play Integrity API. Play Integrity API bans using operating systems not licensing Google's apps/services and agreeing to highly restrictive and anti-competitive terms.

Google's licensing agreement directly bans OEMs from working with GrapheneOS and producing phones with it. Google sabotages their own products such as the Play Store to boost core monopolies. If it was a competitive market, they'd want their apps and services available to any OS.

GrapheneOS has demonstrated Google Play works well as regular sandboxed apps without any special integration into the OS via our sandboxed Google Play feature. Google should be forced to spin off Google Play into an independent company competing with other app stores / services.

Windows 11 recently included a basic fastboot driver, removing the need for Windows users to install a fastboot driver to install GrapheneOS.

Our new web installer takes advantage of this and we've now updated the instructions for up-to-date Windows 11:

https://grapheneos.org/install/web#connecting-device

This is one of the benefits of our new web installer. New install process is also quicker and more efficient, reducing the memory and storage requirements below what's currently documented as required. We also overhauled CLI install to do it the same way, which speeds it up too.

Edge supports our web installer, so Windows users can simply use the default browser similar to using Android or ChromeOS. Apple refuses to support WebUSB so macOS users need a non-default browser. Non-ChromeOS desktop Linux still needs udev rules due to handling USB incorrectly.

This is an early August security update release based on the August 2024 security patch backports. This month's release of the Android Open Source Project and stock Pixel OS should be available later today or tomorrow and we'll quickly release an update based on it following this one.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024080500-redfin (Pixel 4a (5G), Pixel 5)
• 2024080500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080200 release:

• full 2024-08-01 security patch level
• suppress crash notifications for 2 harmless crashes occuring on service shutdown for the Android Bluetooth service and Pixel wifi_ext service
• enable memory tagging for the Pixel wifi_ext service again
• Settings: disable predictive back gesture in PIN/password input activities to fix an upstream Android vulnerability
• flash-all: remove unnecessary sleep after flashing AVB key
• flash-all: exit on errors
• flash-all.sh: avoid false negative for device model check
• flash-all.bat: pause before exiting after an error
• fastboot: add support for CLI install with the GrapheneOS optimized factory images format already used by the web installer (will reduce memory/storage usage for CLI installs and will reduce storage usage on the update servers by avoiding multiple factory image formats)
• hardened_malloc: update libdivide to 5.1
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.43

Our latest release with prevention for most VPN app DNS leaks is currently available in our Alpha and Beta channels:

https://grapheneos.social/@GrapheneOS/112896412987587996

We need more feedback from testing VPN apps and services with leak blocking toggled on, which GrapheneOS already enables by default.

This new temporary approach should be compatible with any normal VPN apps and services. Only VPN apps which don't provide DNS and depend on sending all DNS requests to the local network will be incompatible but it doesn't really make much sense to support leak blocking for those.

We still want to ship our previous stricter approach, but it causes issues establishing the initial VPN connection with Proton VPN for certain users. This is either an app bug or an OS bug triggered by certain apps. We want to resolve that to ship our stricter approach from May.

The best place to give feedback on releases that are still in the Alpha and Beta channels is our Alpha/Beta testing chat room. You can choose between Discord, Telegram or Matrix and can talk with the users in the room on other platforms from each of them:

https://grapheneos.org/contact#community-chat

Our current approach to DNS leak blocking appears to work well without breaking compatibility.

We've made progress towards fixing a related issue for some VPN apps where rare connections are made to VPN DNS outside of the tunnel.

We can hopefully ship stricter enforcement soon.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024080200-redfin (Pixel 4a (5G), Pixel 5)
• 2024080200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080100 release:

• prevent VPN apps from having leaks to non-VPN DNS servers while not yet strictly preventing leaks to VPN DNS outside the VPN tunnel due to multiple VPN apps including Proton VPN not connecting reliably with stricter enforcement (in a future release, we can do strict blocking by default with an opt-out toggle and a list of known incompatible apps such as Proton VPN until the compatibility issue is resolved)
• GmsCompatConfig: update to version 126
• GmsCompatConfig: update to version 127
• Camera: update to version 73

Notable changes in version 73:

• enable mirroring images and videos from the front camera by default for fresh installs to match the preview
• avoid trying to use extension modes with unsupported cameras on devices only supporting them with specific cameras to avoid crashes

A full list of changes from the previous release (version 72) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store and on GitHub. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Changes in version 127:

• update max supported version of Play Store to 42.1

A full list of changes from the previous release (version 126) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

We've become aware of another company selling devices with GrapheneOS while spreading harmful misinformation about it to promote insecure products. We're making our usual attempt at resolving things privately. However, we need to quickly address what has been claimed regardless.

Downloading and installing an app followed by entering sensitive data into it or granting it powerful permissions isn't a vulnerability/exploit. Accessibility service access can't be directly requested but rather has to be granted via Settings app in the accessibility section.

Accessibility service access is extremely powerful and essentially gives the same control available to the user to the app. This is explained with clear warnings. It's also not possible to enable it for an app not installed from a modern app store without an extra hidden menu.

Apps not installed through a modern app store have extremely dangerous settings including accessibility service access restricted. Users have to navigate to a semi-hidden menu to enable this. UI doesn't explain how to do it. It's a higher barrier than simply phishing info, etc.

Accessibility services are required by many users and the feature can't simply be removed. It's possible to disable this and other dangerous features for end users via a device management app. This is the right approach if you have a userbase you want to protect from themselves.

If you purchase a device with GrapheneOS, we strongly recommend booting it into recovery and wiping data before using it. Next, verify it's running genuine GrapheneOS:

https://grapheneos.org/install/web#verifying-installation

Due to complete verified boot, wiping provides the same assurance as a fresh install.

Our web installer is very easy to use. If you're able to use a web browser and follow basic instructions, you have the skill set required to install it:

https://grapheneos.org/install/web

However, if you do buy a device with GrapheneOS, you can verify it's the real deal without malware.

Simply going to a mainstream local business and purchasing a device to install GrapheneOS is the most secure way to obtain a device.

Consider the risk of buying a device from a company marketing to cryptocurrency users, and at least follow our wiping and verification advice.

Purchasing a device with malware installed is something we defend against. We provide a way to block this through verified boot and the verification process recommended on the site. Can't prevent something like replacing battery with one including a standalone tracking device...

We're going to be making another attempt at shipping DNS leak prevention for third party VPN apps. The last attempt resolved a lot of the compatibility issues with the previous approach, so we've made some progress. We don't what's wrong with Proton VPN and certain other apps.

This release is only for the Alpha channel to replace the previous release.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024080100-redfin (Pixel 4a (5G), Pixel 5)
• 2024080100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024073100 release:

• revert VPN DNS leak protection again since it's still partially incompatible with Proton VPN and certain other apps for unknown reasons, although we did avoid a lot of the compatibility issues from last time

We're included a less strict variation of our previous VPN DNS leak prevention for third party VPN apps. The new approach only aims to prevent leaks in apps handling DNS configuration correctly. It should avoid causing the compatibility issues which blocked us shipping it before.

We shipped a stricter approach in our 2024050900 release but compatibility issues were reporting during Beta testing so it didn't reach the Stable channel. It was reverted in 2024051500. Proton VPN may now be compatible with it but not all apps will be so we can't be that strict.

The hardest part of shipping privacy and security improvements is often fully preserving compatibility with the massive number of Android apps. We try to avoid needing toggles to work around compatibility issues, but we make an exception for apps with memory corruption bugs.

Our changes to this resolved most of the compatibility issues with obscure VPN apps. However, Proton VPN is still partially incompatible and doesn't work properly for all users with this leak blocking in place. We aren't sure how to move forward yet. Other apps are compatible.

This release was only pushed out to the Alpha channel.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024073100-redfin (Pixel 4a (5G), Pixel 5)
• 2024073100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024072800 release:

• add back our change to prevent app-based VPN implementations from leaking DNS requests when the VPN is down/connecting but without enforcement for VPN apps without DNS configured to avoid breaking compatibility in rare cases (our previous implementation in 2024050900 had to be reverted before it reached Stable)
• kernel (6.6): update to latest GKI LTS branch revision
• Camera: update to version 72
• Vanadium: update to version 127.0.6533.84.0

Changes in version 126:

• add stub for BluetoothLeAdvertiser.startAdvertisingSet()

A full list of changes from the previous release (version 125) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

https://arstechnica.com/gadgets/2024/07/loss-of-popular-2fa-tool-puts-security-minded-grapheneos-in-a-paradox/

The article unfortunately leaves out most of the points we made in the thread.

GrapheneOS supports hardware-based attestation and it's entirely possible for Google to allow it as part of the Play Integrity API. They choose to ban using GrapheneOS.

Play Integrity API has no minimum security patch level and nearly all these apps use weak software-based checks that are easily bypassed by attackers. The hardware-based checks rely on trusting every key distributed to every certified Android device, which are often leaked.

Hardware-based attestation can be used for security purposes such as verifying device integrity with a pinning-based approach without the weakness of being vulnerable to leaked keys from the whole Android ecosystem since specific per-app keys in the secure element can be pinned.

Play Integrity API is claimed to be based on devices complying with the Compatibility Test Suite and Compatibility Definition Document. We have irrefutable proof that the majority of certified Android devices do not comply with the CTS/CDD. Play Integrity API is based on lies.

Essentially every non-Pixel device has important CTS failures not caused by CTS bugs. OEMs are cheating to obtain certification. Google claims GrapheneOS can't be permitted because we don't have a certification where they freely allow cheating and don't ban non-compliant devices.

Since Play Integrity doesn't even have a minimum security patch level, it permits a device with multiple years of missing patches. Hardware attestation was required on all devices launched with Android 8 or later, but they don't enforce it to permit non-compliant devices.

The reality is that the Play Integrity API permits devices from companies partnered with Google with privileged Google Play integration when they're running the stock OS. It's easy to bypass, but they'll make changes to block it being done at scale long term such as if we did it.

It does not matter if these devices have years of missing security patches. It doesn't matter if the companies skipped or improperly implemented mandatory security features despite that being required by CDD compliance. Failing even very important CTS tests doesn't matter either.

Google can either permit GrapheneOS in the Play Integrity API in the near future via the approach documented at https://grapheneos.org/articles/attestation-compatibility-guide or we'll be taking legal action against them and their partners. We've started the process of talking to regulators and they're interested.

We're not going to give Google veto power over what we're allowed to do in GrapheneOS. We comply with CTS and CDD except when it limits our ability to provide our users with privacy and security. Google wants to be in charge of which privacy/security features can be added. Nope.

Google's behavior in the mobile space is highly anti-competitive. Google should be forbidden from including Google Mobile Services with privileged access unavailable to regular apps and services. GrapheneOS sandboxed Google Play proves that hardly anything even needs to change.

Google should also be forbidden from participating in blocking using alternate hardware/firmware/software. They've abused their market position to reinforce their monopolies. They've used security as an excuse despite what they're doing having no relevance to it and REDUCING it.

Google is forbidding people from using a growing number of apps and services on an objectively far more private and secure OS that's holding up much better against multiple commercial exploit developers:

https://grapheneos.social/@GrapheneOS/112826067364945164

They're holding back security, not protecting it.

We've put a lot of effort into collaborating with Google to improve privacy and security for all Android users. Their business team has repeatedly vetoed even considering giving us partner access. They rolled back us being granted security partner access by the security team.

As with how they handle giving out partner access, the Play Integrity API serves the interests of Google's business model. They have no valid excuse for not allowing GrapheneOS to pass device and strong integrity. If app developers want to ban it, they can still do it themselves.

After our security partner access was revoked, we stopped most of our work on improving Android security. We continued reporting vulnerabilities upstream. However, we're going to stop reporting most vulnerabilities until GrapheneOS is no longer blocked by the Play Integrity API.

This year, we reported multiple serious vulnerabilities to Android used by widely used commercial exploit tools:

https://source.android.com/docs/security/overview/acknowledgements

If Google wants more of that in the future, they can use hardware attestation to permit GrapheneOS for their device/strong integrity checks.

Authy's response about their usage of the Play Integrity API shows their service is highly insecure and depends on having client side validation. Play Integrity is thoroughly insecure and easily bypassed, so it's unfortunate that according to Authy their security depends on it.

If Authy insists on using it, they should use the standard Android hardware attestation API to permit using GrapheneOS too. It's easy to do:

https://grapheneos.org/articles/attestation-compatibility-guide

Banning 250k+ people with the most secure smartphones from using your app is anti-security, not pro-security.

It's very unfortunate when new apps adopt the Play Integrity API and stop working. Authy isn't a very good choice for 2FA but many people use it and it's a problem for us for a widely used app to be incompatible. A single widely used app losing compatibility is a big deal to us.

Our greatly improved web installer is now available through our official site:

https://grapheneos.org/install/web

For everything other than legacy extended support releases for 4th generation Pixels, it uses a new installation process. Main benefit is higher tolerance for bad USB support.

The new installation process uses our optimized factory images format. Main benefit is avoiding rebooting fastbootd mode, which will improve portability to systems with USB connectivity issues. It also greatly reduces memory/storage usage by streaming images from the zip.

It's hard to determine exactly how much memory and storage is required so we haven't adjusted the prerequisites section from 2GB free memory and 32GB free storage yet. It never needed anywhere close to 32GB but sites can only use a fraction of free storage via a complex formula.

Notable changes in version 72:

• use default CameraX camera selection to avoid compatibility issues with some multi-camera setups
• avoid video recording not working after audio permission change
• use CameraX to determine the video timer instead of a separate timer which can get slightly out of sync
• animate the start of video recording
• dynamically show/hide EIS settings based on current configuration

A full list of changes from the previous release (version 71) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store and on GitHub. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

We've developed a new factory images format optimized for web installation which avoids the need for fastbootd mode and greatly reduces memory/storage usage. The new approach is compatible with 5th gen Pixels and later. It's deployed on our staging site:

https://staging.grapheneos.org/install/web

We'd appreciate help with testing the new web installer on our staging site. It should reduce issues caused by low quality USB connections/drivers by avoiding switching to a different mode. It should also eliminate the need to install a fastboot driver on up-to-date Windows 11.

We'll wait for feedback from people using it successfully across different operating systems and devices.

Sections for working around Debian, Ubuntu and Windows USB deficiencies should be unnecessary other than the legacy extended support devices so we'll likely remove those.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024072800-redfin (Pixel 4a (5G), Pixel 5)
• 2024072800 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024071600 release:

• avoid isolating eUICC LPA (eSIM activation) app from third party apps to allow carrier activation apps to work (we still block communication with Google Play to avoid sending telemetry data to Google services when sandboxed Google Play is installed)
• Pixel 8a: fix GNSS configuration to avoid occasional crashes of the service (Pixel 8a is currently the only Samsung GNSS device)
• Settings: don't allow disabling user installed apps when uninstall is disallowed
• Settings: drop code for supporting the legacy Settings UI
• Sandboxed Google Play compatibility layer: avoid infinite wait for GmsCompatConfig update when call to App Store fails
• enforce stack clash protection for x86_64
• enforce minimum 64kiB stack guard size for arm64 due to the standard stack probe size of 64kiB
• future proof our Bionic libc changes for dynamic 64k pages (hardened_malloc still doesn't support it)
• flash-all: remove unnecessary reboot after flashing Android Verified Boot (AVB) key
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.222
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.163
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.92
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.42
• adevtool: update to latest carrier settings
• App Store: update to version 24
• Camera: update to version 69
• Camera: update to version 70
• Camera: update to version 71
• Auditor: update to version 81
• Auditor: update to version 82
• Vanadium: update to version 127.0.6533.64.0
• Vanadium: update to version 127.0.6533.64.1
• GmsCompatConfig: update to version 124
• GmsCompatConfig: update to version 125
• fastboot: add support for generating web installer optimized factory images zip for an improved web install approach not requiring fastbootd
• integrate generating web installation optimized factory images zip into release signing script
• split script/release.sh to remove dependency on build output and the OS source tree (see the new instructions for signing releases)
• rename script/release.sh to script/generate-release.sh
• add script/generate-releases.sh wrapper script

Changes in version 125:

• update max supported version of Play Store to 42.0

A full list of changes from the previous release (version 124) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Notable changes in version 82:

• update minimum Android version in introduction to 12
• raise minimum OS version for verification to 12
• raise minimum patch level for verification to 2021-10-05
• drop support for device models without Android 12

A full list of changes from the previous release (version 81) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS App Store and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Changes in version 127.0.6533.64.1:

• enable per-site isolation for sandboxed iframes instead of per-origin isolation
• avoid rare uncaught exception from attempting to load content filters from the Vanadium Config app when native code isn't loaded yet

A full list of changes from the previous release (version 127.0.6533.64.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Notable changes in version 81:

• add dedicated error message explaining how to work around an attestation failure occurring after a system_server crash by rebooting the device
• reword error message for an invalid number of Auditor app signing keys reported by the attestation data
• add more info to error messages for package info
• raise minimum supported Android version to 12 (API level 31) based on it being the oldest release with security support
• update CameraX library to 1.3.4
• update Guava library to 33.2.1
• update AndroidX AppCompat library to 1.7.0
• update Android Gradle plugin to 8.5.1
• update Android NDK to 26.3.11579264
• update Android build tools to 35.0.0
• update Gradle to 8.9

A full list of changes from the previous release (version 80) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS App Store and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Chromium has merged the WebAssembly interpreter submitted by a Microsoft Edge engineer:

https://chromium-review.googlesource.com/c/v8/v8/+/5509903

Once this reaches a Chromium stable release, Vanadium will support WebAssembly by default instead of requiring turning on JS JIT via drop-down site settings.

Chromium has a V8 Optimizer toggle for disabling the 2 optimized tiers of the Just-In-Time (JIT) compiler to greatly reduce attack surface. However, it doesn't disable baseline JIT and therefore still does dynamic native code generation. They did this to avoid breaking Wasm.

In Vanadium, our JIT toggle fully disables the JIT and therefore currently loses Wasm support. An increasing number of sites are depending on Wasm with no fallback to JavaScript. Most of these sites perform perfectly fine with only the fast V8 interpreter and no JIT compilation.

Vanadium has JIT compilation disabled by default as part of the security focus. This Wasm interpreter will be a nice usability improvement for sites depending on it with no fallback code since users won't need to toggle on the JIT compiler for the site unless it performs badly.

Changes in version 127.0.6533.64.0:

• update to Chromium 127.0.6533.64
• enable visited link partitioning

A full list of changes from the previous release (version 126.0.6478.186.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Notable changes in version 71:

• only allow toggling include audio while recording when it was initially enabled, since CameraX doesn't currently support enabling it if it didn't start out enabled

A full list of changes from the previous release (version 70) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store and on GitHub. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.