GrapheneOS [Unofficial]

Changes in version 116:

• reduce max supported version of Play services to 24.21 until we resolve a regression with a new feature flag
• update Gradle to 8.8

A full list of changes from the previous release (version 115) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 125.0.6422.165.0:

• update to Chromium 125.0.6422.165

A full list of changes from the previous release (version 125.0.6422.147.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

This is an early June security update release based on the May 2024 security patch backports since this month's release of the Android Open Source Project and stock Pixel OS with Android 14 QPR3 isn't available yet.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024060400-redfin (Pixel 4a (5G), Pixel 5)
• 2024060400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024053100 release:

• full 2024-06-01 security patch level
• extend the standard wipe-without-reboot implementation beyond wiping the hardware keystores (which prevents recovering any OS data by preventing deriving the key encryption keys) by also wiping the secdiscardable data on the SSD needed to derive key encryption keys, the encrypted storage keys on the SSD and the Weaver slots in the secure element needed to derive per-user key encryption keys via a secure element erase
• kernel (5.10): update to latest GKI LTS branch revision
• kernel (5.15): update to latest GKI LTS branch revision
• kernel (6.1): update to latest GKI LTS branch revision

Latest release of GrapheneOS finally shipped the long awaited duress PIN/password implementation. If you have a spare device, we recommend trying it out.

We've added initial documentation to the features page:

https://grapheneos.org/features#duress

It near instantly wipes and shuts down.

We've also finally added documentation on our USB-C port control to our features page:

https://grapheneos.org/features#usb-c-port-control

Most users can set this to "Charging-only when locked" without a loss of functionality or even "Charging-only" if you don't use USB accessories, DisplayPort or MTP.

Default is "Charging-only when locked, except before first unlock" to avoid locking users out of devices with a broken touchscreen. The main threat model for this is defending the device until the auto-reboot timer started when the screen is locked gets user data back at rest.

Our upcoming 2-factor fingerprint unlock will make using a strong passphrase as primary unlock method practical via fingerprint+PIN secondary unlock instead of fingerprint-only. Great for people who want to avoid relying on secure element throttling but don't want fp-only unlock.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024053100-redfin (Pixel 4a (5G), Pixel 5)
• 2024053100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024052100 release:

• add support for setting a duress password and PIN for quickly wiping all hardware keystore keys including keys used as part of deriving the key encryption keys for disk encryption to make all OS data unrecoverable followed by wiping eSIMs and then shutting down
• disable unused adoptable storage support since it would complicate duress password feature (can be added if we ever support a device able to use it)
• increase default max password length to 128 to improve support for strong diceware passphrases, which will become more practical for people who don't want biometric-only secondary unlock with our upcoming 2-factor fingerprint unlock feature
• disable camera lockscreen shortcut functionality when camera access while locked is disabled to avoid the possibility of misconfiguration by adding the camera lockscreen shortcut and then forgetting to remove it when disabling camera access
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.153
• kernel (6.1): update to latest GKI LTS branch revision
• Vanadium: update to version 125.0.6422.72.0
• Vanadium: update to version 125.0.6422.72.1
• Vanadium: update to version 125.0.6422.113.0
• Vanadium: update to version 125.0.6422.147.0
• GmsCompatConfig: update to version 112
• GmsCompatConfig: update to version 113
• GmsCompatConfig: update to version 114
• GmsCompatConfig: update to version 115
• make SystemUI tests compatible with GrapheneOS changes

GrapheneOS has been working towards providing accessibility for blind users so we include our own build of TalkBack. We plan to include a text-to-speech (TTS) app and Setup Wizard integration to make it usable out-of-the-box. We can't do much to make installing more accessible.

Unfortunately, some banks are trying to make life harder for blind people and others reliant on accessibility services. A few have started banning using their app if a non-Google accessibility service app is installed, even if it's not activated (TalkBack is off by default).

Our users have determined that this is easy to work around by disabling the app rather than the accessibility service not being activated. It's possible for those apps to see that it's not activated and they can see it's a first party OS component so it makes very little sense.

We've been working on an App Communication Scopes feature for disallowing apps from seeing or communicating with apps in the same profile with toggles to allow specific cases. We have some of the infrastructure in the OS already for specific cases and can start using it for this.

So far, only EU banks appear to be doing this which is convenient since we already have contact with the EU Commission with a focus on the anti-competitive Play Integrity API many banks have adopted. They're not going to be impressed by banks banning open source screen readers...

Changes in version 115:

• update max supported version of Play services to 24.22
• update max supported version of Play Store to 41.2

A full list of changes from the previous release (version 114) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 125.0.6422.147.0:

• update to Chromium 125.0.6422.147

A full list of changes from the previous release (version 125.0.6422.113.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 114:

• add stub for BluetoothManager.openGattServer()

A full list of changes from the previous release (version 113) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 125.0.6422.113.0:

• update to Chromium 125.0.6422.113

A full list of changes from the previous release (version 125.0.6422.72.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 113:

• update max supported version of Play services to 24.20
• update max supported version of Play Store to 41.1
• new approach for development builds to avoid deprecation warning

A full list of changes from the previous release (version 112) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Linux kernel becoming their own CVE Numbering Authority (CNA) is wasting resources they'd have previously put towards higher quantity and quality backporting. We've noticed a drop in both for the stable/longterm branches and particularly Android Generic Kernel Image LTS branches.

We've had around 2.5 years to evaluate impact of Generic Kernel Images. Our conclusion is that this caused more harm than good to GrapheneOS.

Generic Kernel Images are supposed to make kernel updates easier via a stable ABI, but Pixels update all drivers for GKI updates anyway.

The stability of the ABI isn't perfect and many changes get reverted due to breaking the ABI. It also leads to even the GKI LTS branch with the latest merges of LTS releases to lag behind, particularly recently. We attribute some of that to the resources wasted on their CNA work.

CVE system did not work for the Linux kernel either way, but it's certainly not fixed through making nearly every backport into a CVE and ignoring anything not backported. We don't particularly care about it but rather our concern is wasting scarce resources on something useless.

Barely any resources are dedicated to stable Linux kernel releases. There's very little testing and review. There have been multiple filesystem corruption bugs backported to ext4 and f2fs recently. Some didn't exist in mainline but rather are from missing interdependent changes.

GKI LTS branch reverting a bunch of commits changing the ABI, working around the changed ABI in other cases and lagging behind is making it harder for us to deal with these issues. It'd be smoother upgrading the kernel and fixing API/ABI conflicts. ABI isn't fully stable anyway.

Android reached the point where mainline kernels were usable beyond needing out-of-tree drivers for hardware and the Tensor Pixel drivers are way less invasive and easier to port to new releases. GKI has made a mess of it, and it doesn't even make it easier for Pixels but harder.

5.10 kernel drivers for Pixel 6 were ported to 5.15, 6.1 and 6.6. They simply haven't decided to move to a newer branch yet. The kernel for Pixel 8 doesn't bother having a device kernel tree anyway but rather uses generic sources for GKI and all the drivers, so what's the point?

We're increasingly scared of updating LTS revisions and it does not help that the GKI LTS branch is lagging a bit behind since it's not lagging behind due to any further stabilization but rather lack of resources to keep up. Any LTS revision with f2fs changes is terrifying now.

Unlike the stock Pixel OS, we've avoided shipping common f2fs corruption bugs in production by being way ahead on LTS adoption while narrowing avoiding shipping new serious issues. Has been way too close for comfort and we have low confidence in any LTS release with f2fs changes.

Generic Kernel Images have directly interfered with both hardening and performance due to the impact of vendor hooks working around not being able to change core kernel code. We don't want dynamic kernel modules but we're essentially forced into using them to avoid init bugs.

They've made the usual mistake of burning resources on branches by having 2 variants of each LTS branch (Android 12/13 variants of 5.10, Android 13/14 variants of 5.15, Android 14/15 variants of 6.1, etc.) and then making many overlapping branches from those to stabilize them.

We're unconvinced that the Linux kernel is headed in the right direction. It's not truly getting more robust or secure. The accelerating complexity and churn is opposed to both, as are the culture and tools. We're hitting more issues including on our workstations and servers.

Changes in version 125.0.6422.72.1:

• fix regression breaking Chrome Custom Tab support when opening links in Incognito is enabled

A full list of changes from the previous release (version 125.0.6422.72.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 113:

• add stub for LocationManager.registerGnssMeasurementsCallback()
• update Android Gradle plugin to 8.4.1

A full list of changes from the previous release (version 111) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 125.0.6422.72.0:

• update to Chromium 125.0.6422.72

A full list of changes from the previous release (version 125.0.6422.53.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

https://grapheneos.social/@GrapheneOS/112481434513090992

The latest release of GrapheneOS adds the first piece of our ongoing work on duress/panic features. It makes standard factory resets including by device admin APIs wipe the device near instantly before it reboots to recovery to wipe and format it.

We made our own wipe-without-reboot but we're backporting the Android 15 implementation instead of using ours. They made it in response to our vulnerability report about this (CVE-2024-29748):

https://grapheneos.social/@GrapheneOS/112204428984003954

Pixels added a firmware mitigation against it in April too.

The April release added 2 Pixel specific protections against the 2 vulnerabilities we reported, but both vulnerabilities essentially impact all Android devices and were only addressed for Pixels. The factory reset interruption also isn't fully addressed until they ship this part.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024052100-redfin (Pixel 4a (5G), Pixel 5)
• 2024052100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024051500 release:

• add backport of the upstream Android implementation of wipe-without-reboot, which is the full fix for the ability to interrupt factory resets triggered by device admin apps (CVE-2024-29748 reported by GrapheneOS) and provides the infrastructure needed for our upcoming duress PIN/password feature in a much simpler way via existing HAL APIs
• temporarily disable memory tagging for the Pixel camera provider and wifi_ext services due to incompatibilities found by users which should be addressed in an upcoming release of AOSP and the stock Pixel OS
• Pixel 4a (5G), Pixel 5: omit Pixel Camera Services since it doesn't provide useful functionality and is broken due to these devices not being supported anymore by the current releases
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.214
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.152
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.84
• Setup Wizard: fix typo in data restore description
• GmsCompatConfig: update to version 111

XRY and Cellebrite say they can do consent-based full filesystem extraction with iOS, Android and GrapheneOS. It means they can extract data from the device once the user provides the lock method, which should always be expected. They unlock, enable developer options and use ADB.

Cellebrite's list of capabilities provided to customers in April 2024 shows they can successfully exploit every non-GrapheneOS Android device brand both BFU and AFU, but not GrapheneOS if patch level is past late 2022. It shows only Pixels stop brute force via the secure element.

Cellebrite has similar capabilities for iOS devices. This is also from April 2024. We can get the same information from newer months. In the future, we'll avoid sharing screenshots and will simply communicate it via text since to prevent easily tracking down the ongoing leaks.

Pixel 6 and later or the latest iPhones are the only devices where a random 6 digit PIN can't be brute forced in practice due to the secure element. Use a strong passphrase such as 6-8 diceware words for a user profile with data you need secured forever regardless of exploits.

Pixels are doing a bit better on the secure element front and iPhones are doing a bit better against OS exploitation, but not by much.

As always, this shows the importance of our auto-reboot feature which gets the data back at rest after a timer since the device was locked.

Our focus in this area is defending against exploitation long enough for auto-reboot to work. It's set to 18 hours since the device was locked by default, but users can set it as low as 10 minutes. Since around January, we massively improved security against these attacks.

By default, our recently added USB-C port control feature disallows new USB connections in AFU mode after the device is locked and fully disables USB data at a hardware level once there aren't active USB connections. Users can set it to also do this in BFU or even when unlocked.

Users with a high threat model can fully disable USB including USB-PD/charging while the OS is booted to only allow charging while powered off or booted into the fastboot/fastbootd/recovery/charging modes.

GrapheneOS on 8th gen Pixels is ideal due to hardware memory tagging.

Consent-based data extraction (FFS) is not in the scope of what we're trying to defend against beyond shipping our secure duress PIN/password implementation to replace insecure approaches via apps. Data users can backup is inherently obtainable with consent, which is nearly all.

Within the past 24 hours, there has been an attack on GrapheneOS across social media platforms misrepresenting consent-based data extraction as GrapheneOS being compromised/penetrated. The person doing it is pretending to be multiple people and falsely claiming we covered it up.

GrapheneOS is the only OS having success defending against these attacks. We could do more with a successful hardware partnership such as having encrypted memory with a per-boot key instead of relying on our kernel memory zeroing combined with auto-reboot and fastboot zeroing.

New versions of iOS and Pixel OS often invalidate their existing exploits, but devices in AFU are stuck in AFU mode waiting for new exploits.

Random 6 digit PIN is only secure on a Pixel/iPhone and only due to secure element throttling. Use a strong passphrase to avoid this.

If you wonder why duress PIN/password is taking so long, it's because we aren't doing it for show like existing implementations. It needs to work properly and guarantee data will be unrecoverable with no way to interrupt it. Slowly rebooting to recovery to wipe isn't acceptable.

See https://grapheneos.social/@GrapheneOS/112204428984003954 for our thread covering the firmware improvements we helped get implemented in the April 2024 release for Pixels. It doesn't currently really help the stock Pixel OS because they haven't blocked the OS exploits that are being used yet but it helps us.

Our hope is that our upcoming 2-factor fingerprint unlock feature combined with a UI for random passphrase and PIN generation will encourage most users to use a 6-8 diceware word passphrase for primary unlock and fingerprint + random 6-digit PIN for convenient secondary unlock.

One of our community members has uploaded the Cellebrite documentation and has stated they'll upload future versions of it if you want to look at the rest of it:

https://discuss.grapheneos.org/d/12848-claims-made-by-forensics-companies-their-capabilities-and-how-grapheneos-fares/4

We have info on XRY, Graykey and others but not the same level of reliable details as this.

Changes in version 111:

• update max supported version of Play Store to 41.0

A full list of changes from the previous release (version 110) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024051500-redfin (Pixel 4a (5G), Pixel 5)
• 2024051500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024050900 release:

• revert our initial approach to blocking DNS leaks with third party Android VPN apps since it changed the behavior in a slightly different way than intended and caused compatibility issues with certain apps (particularly Proton VPN) which blocked us from releasing 2024050900 to the Stable channel (will be replaced in the near future with another approach)
• improve GrapheneOS Predicted Satellite Data Service (PSDS) infrastructure with better logging, cleaner code and more generic code to support Samsung PSDS for the Pixel 8a in addition to Qualcomm and Broadcom PSDS
• Auditor: update to version 80
• GmsCompatConfig: update to version 110
• Vanadium: update to version 125.0.6422.51.0
• Vanadium: update to version 125.0.6422.53.0

Changes in version 125.0.6422.53.0:

• update to Chromium 125.0.6422.53

A full list of changes from the previous release (version 125.0.6422.51.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

An experimental prerelease of GrapheneOS for the Pixel 8a is now available via https://staging.grapheneos.org/ including web installer support. It will be made available via https://grapheneos.org/ after we've done basic testing including testing the upgrade path to a future release.

Pixel 8a currently uses Android 14 QPR1 instead of Android 14 QPR2, meaning it's missing many improvements from the 2nd quarterly release including important privacy and security enhancements. It's likely Android 14 QPR3 will be released in June which should resolve this problem.

Android 14 QPR2 is the largest ever quarterly release of Android, because it's the first trunk-based development release. It brought a lot of what Android 15 is going to ship, largely under the hood with new user-facing features largely disabled but present in the code.

Android 14 QPR2 was released on March 4th but had a delay in publishing to AOSP due to issues with pushing the code which was finished by March 5th. GrapheneOS had a release based on it within a day of that, but it took a couple days to reach staging due to regressions we found.

One of those regressions was the High severity Bluetooth vulnerability we found which was introduced in Android 14 QPR2:

https://grapheneos.social/@GrapheneOS/112400427658505385

This issue slipped into our Stable channel release due to only coming up with rare configurations but we got it fixed on March 9th.

Since the Pixel 8a is still using Android 14 QPR1, our initial release is based on porting our changes from our 2024030300 release which was the last one based on QPR1 (https://grapheneos.org/releases#2024030300). It has a current May security patch level, but this doesn't meet our usual standards.

It's missing improvements to GrapheneOS from March, April and May in addition to Android 14 QPR2 changes. We backported our change enabling PAC/BTI for userspace and are using a current GrapheneOS 5.15 LTS common kernel source tree. SHOULD be fixed with June update, QPR3 or not.

We've tested basic functionality including over-the-air updates so our Pixel 8a prerelease is now available via grapheneos.org.

Pixel 8a switched to Samsung GNSS (GPS, etc.) from Broadcom so we need to add Samsung PSDS support to our network services for PSDS to work.

Pixel 8a with the latest May 2024 update is running Android 14 QPR1 with backported security patches instead of Android 14 QPR2.

Android 14 QPR2 was released in March 2024 and is by far the largest quarterly release so far due to being the first trunk-based quarterly release.

We're definitely not going to backport all the changes we've made since March to Android 14 QPR1. That means we can't simply make the usual device support branch to support it. It's going to need to start out being treated as if it's an end-of-life device in extended support.

We're working on making an experimental pre-release build of GrapheneOS for the Pixel 8a. It will have the 2024-05-05 security patch level but it will initially be missing the Android 14 QPR2 improvements and also the many GrapheneOS improvements since our March 3rd release.

There's a high chance Android 14 QPR3 will be released in June, and they likely decided it didn't make sense to go through all the work of getting QPR2 ready for release. Launching a brand new Pixel with backports to a previous quarterly release is still quite a strange choice.

Our Vanadium browser (https://grapheneos.org/features#vanadium) is based on the stable releases of Chromium. We port to the new releases when they're still in Beta/Dev/Canary but we wait until it's Stable to upgrade, particularly since Stable is the only branch with proper security support.

Within release channels, Chromium uses staged rollouts where initially only a random subset of users get the new release. Recently, the initial Stable channel release started being done 1 week early and only rolled out to a tiny number of users:

https://developer.chrome.com/blog/early-stable

Current release status for Android is at https://chromiumdash.appspot.com/releases?platform=Android. There are 2 variants of a regular Stable release and 2 of an early one, since they enjoy A/B testing changes so much.

We've been following the early Stable, but this month they failed to support it properly...

After the pair of early Stable releases based on v125 for Android, there were 2 pairs of releases based on v124 with 2 rounds of security patches for issues being exploited in the wild. They failed to update the early Stable release as they have before, so we had to deal with it.

Strangely, it appears that the early Stable channel release was only rolled out for Android and the Safari-based iOS app. The 0.2% of Android users receiving the early Stable release aren't getting patches for those 2 vulnerabilities being exploited in the wild. That's not great.

These are the 2 patches missing for Android users who get updated to 125.0.6422.34 or 125.0.6422.35:

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.htmlhttps://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html

Both are marked as having an exploit in the wild. They should really simply make 1 tag and stop making things overly complex.

Changes in version 125.0.6422.51.0:

• update to Chromium 125.0.6422.51

A full list of changes from the previous release (version 125.0.6422.35.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.