GrapheneOS [Unofficial]

Changes in version 110:

• update max supported version of Play Store to 40.9

A full list of changes from the previous release (version 109) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Notable changes in version 80:

• add support for Pixel 8a with either the stock OS or GrapheneOS
• update Kotlin to 1.9.24
• update Android Gradle plugin to 8.4.0
• update Guava library to 33.2.0
• update AndroidX Core library to 1.13.1
• update Material Components library to 1.12.0
• remove redundant style configuration found by lint

A full list of changes from the previous release (version 79) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

We've received the Pixel 8a for our device testing farm already even though it officially ships May 14th.

Both Android Open Source Project source code tags and stock OS factory images / updates will likely be published on May 14th. We'll need those to add GrapheneOS support.

They typically ship pre-ordered devices a few days early to provide most people with an estimated delivery date on the launch day. It's a bit odd they don't publish everything on the day they ship instead of the planned arrival day since many do arrive early. It's fine with us.

Today, we're going to be adding support for the Pixel 8a in Auditor along with generating and backing up official GrapheneOS signing keys which are separate for each device for security reasons. We can't do much else before the official launch day when the code is published.

Once code is published, it will only take us a couple hours to add support for the device. We'll just need to largely automatically generate a device support branch, port over our work from the earlier 8th generation Pixels, make an adevtool state build and then a real release.

https://grapheneos.social/deck/@GrapheneOS/112401228331673501

Response we've received is the Bluetooth vulnerability we reported in March they fixed for Pixels in May will be included in the SEPTEMBER Android Security Bulletin.

Android Security Bulletin should be expanded to include Pixel Update Bulletin patches...

Our latest OS release that's currently in the Beta channel implements a new feature for blocking DNS leaks by third party VPN service app implementations which were discovered by our community:

https://github.com/GrapheneOS/os-issue-tracker/issues/3442

The good news is this does successfully block these leaks.

The bad news is that we currently don't feel comfortable moving this to the Stable channel due to a few reports of compatibility issues with @protonvpn's app. Doesn't appear to cause issues with any other VPN app after two days of public testing so it's likely a @protonvpn bug.

@protonprivacy

We'll give it another couple days of testing. Unless our users find an issue with another VPN app, we'll likely ship this to the Stable channel instead of cancelling the current change. We can't hold back an important improvement based on a single app which appears to be buggy.

Changes in version 125.0.6422.35.1:

• backport patch for CVE-2024-4671

A full list of changes from the previous release (version 125.0.6422.35.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024050900-redfin (Pixel 4a (5G), Pixel 5)
• 2024050900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024050700 release:

• prevent app-based VPN implementations from leaking DNS requests when the VPN is down/connecting (this is a preliminary defense against this issue and more research is required, along with apps preventing the leaks on their end or they'll still have leaks outside of GrapheneOS)
• exclude Settings app from visible Location indicator too since it gets triggered from accessing Wi-Fi data when enabling Wi-Fi hotspot and potentially other info tied to Wi-Fi and Bluetooth
• Vanadium: update to version 125.0.6422.35.0
• PDF Viewer: update to version 19

Our PDF Viewer isn't impacted by issues like this in pdf.js. We use a strict Content Security Policy allowlisting the app's static CSS and JavaScript without permitting unsafe-eval or unsafe-inline. It's blocked from using eval or including dynamic JS.

https://github.com/advisories/GHSA-wgrm-67xf-hhpq

Even if we didn't set a Content Security Policy, the whole point of the app is that it renders a PDF in a sandboxed WebView instance without network, file or content access. It exposes a fairly small subset of the attack surface exposed by a web browser to any web site you visit.

The only data in the sandboxed WebView instance is the PDF which is written into it by the app without giving it access to the file/content. Even if an attacker somehow got JavaScript code execution despite our strict CSP, they couldn't do anything beyond attacking the browser.

The reason we use pdf.js is because it's designed to run efficiently in the browser sandbox. However, unlike opening a website in the browser, we use a restricted environment: no network/file/other access, no dynamic JS or CSS, many features disabled via Permissions Policy, etc.

JavaScript is memory safe but normally has pervasive dynamic code execution via inline JavaScript, dynamically included files and eval. It runs inside a restricted browser sandbox. The browser renderer implementing that sandbox runs inside of the browser's OS level sandbox.

GrapheneOS uses a hardened WebView provided by Vanadium. On Google certified Android OSes, it's provided by Chrome. Either way, our approach is far safer than a C++ PDF library in an OS sandbox (isolatedProcess). It provides 2 extra layers of strong security against most attacks.

Exploiting a vulnerability in the PDF library doesn't really work against our PDF Viewer app since there's an allowlist for the code. In practice, an attacker would need to exploit Chromium's rendering indirectly through pdf.js such as targeting browser font/image rendering.

Android uses isolatedProcess for the official PDF rendering library, which lacks our additional layers of protection and is far easier to exploit. Nearly all Android PDF apps bundle their own C or C++ PDF rendering library and don't bother even using an isolatedProcess sandbox.

Changes in version 125.0.6422.35.0:

• update to Chromium 125.0.6422.35

A full list of changes from the previous release (version 124.0.6367.159.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Every patch in the May 2024 Pixel Update Bulletin is also relevant to a lot of other devices including the High severity Bluetooth issue we reported:

https://source.android.com/docs/security/bulletin/pixel/2024-05-01 https://grapheneos.social/@GrapheneOS/112066872276203917

Android Security Bulletin SHOULD be expanded. All of this should be in it.

OEMs are only required to fix the issues listed in the Android Security Bulletin (ASB). The main section is a list of what gets backported to older AOSP releases, but they should include all Pixel Update Bulletin patches relevant to other devices in the 2nd section of the ASB.

Android Security Bulletin simply assumes other OEMs don't bother shipping monthly and quarterly updates but rather only use the initial yearly release and backport a subset of the security patches to it. Having such low expectations for other OEMs plays a role in what they do.

Low/Moderate severity AOSP patches are no longer listed in bulletins and rarely backported to the older versions.

Quarterly and yearly releases used to list dozens of Low/Moderate severity AOSP patches in Pixel bulletins, often over a 100, all needed by other devices too.

Android security patches are essentially 2 different worlds. There are Pixels shipping all of the AOSP and other Android security patches and then everything else shipping only the subset backported to older releases including Android 14 which is NOT the current Android version.

In general, other OEMs are missing nearly all Low/Moderate security patches until they move to the next yearly release. They won't get most of the Moderate severity patches released this month until they move to Android 15. Many significant privacy issues are classified Moderate.

Notable changes in version 19:

• avoid crash from unhandled exception in PDF date parsing for displaying metadata (was not a regression in version 18)
• update eslint to 0.21.1
• avoid false positive lint checks

A full list of changes from the previous release (version 18) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content-Security-Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024050700-redfin (Pixel 4a (5G), Pixel 5)
• 2024050700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024050300 release:

• full 2024-05-05 security patch level
• rebased onto AP1A.240505.005 Android Open Source Project release
• update our backports of mainline APEX Health Fitness patches
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.213
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.151
• TalkBack (screen reader): update dependencies
• Vanadium: update to version 124.0.6367.159.0
• PDF Viewer: update to version 18

We've pre-ordered a Pixel 8a for our official device testing farm. They push the Android Open Source Project tags and stock OS factory images on the official release day. Should take us a couple hours to add support for it. We'll build, test and make an official release quickly.

Notable changes in version 18:

• update pdf.js to 4.2.67
• handle backwards incompatible pdf.js changes
• use esbuild to handle building the viewer code
• reorganize code, improve code quality and avoid deprecated APIs
• update eslint to 9.2.0
• update dependencies of npm dependencies
• update Gradle to 8.7
• update Android Gradle plugin to 8.4.0
• update Android build tools to 34.0.0
• update SDK to 34 (Android 14)
• update target API level to 34 (Android 14)
• update Kotlin to 1.9.24
• update Material Components library to 1.12.0
• update AndroidX Core to 1.13.1

A full list of changes from the previous release (version 17) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content-Security-Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Changes in version 124.0.6367.159.0:

• update to Chromium 124.0.6367.159
• prepare our content filter generation script for handling language-specific content filters
• fix Python 3.12 warnings during build

A full list of changes from the previous release (version 124.0.6367.113.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Google has listed the CVE-2024-23694 vulnerability we reported in the security acknowledgements for May 2024:

https://source.android.com/docs/security/overview/acknowledgements

This is the Bluetooth issue we found with memory tagging which they assigned a High severity:

https://grapheneos.social/@GrapheneOS/112066872276203917

We fixed this on March 9th.

This vulnerability isn't listed in the baseline Android Security Bulletin despite being an Android Open Source Project issue. It will likely be listed in the Pixel Update Bulletin which should be today with the monthly update of AOSP and the Pixel OS:

https://grapheneos.social/@GrapheneOS/112398434880567630

This vulnerability only impacts Android 14 QPR2 and later. It's possible they only list issues impacting the initial release of Android 14 in Android Security Bulletins and put the rest in Pixel bulletins. It's odd how Pixel bulletins are mostly issues impacting other devices.

Last month, Pixels fixed 2 vulnerabilities we reported which were both classified as High severity and were both exploited in the wild by forensic companies:

https://grapheneos.social/@GrapheneOS/112204428984003954

Both also impact non-Pixels but were only fixed for Pixels and listed in the Pixel bulletin.

We understand why they didn't list those firmware patches in the Android Security Bulletin (ASB) since other devices with the same issues need their own firmware patches for them.

The AOSP 14 QPR2 Bluetooth bug not being listed means ASB is less complete than we thought though.

As we expected, it's listed in the Pixel Update Bulletin despite being an Android Open Source Project vulnerability and patch:

https://source.android.com/docs/security/bulletin/pixel/2024-05-01

Android Security Bulletins only cover the subset of High/Critical severity patches backported to the baseline yearly releases.

Android monthly security backports were released this Monday. We expect the full monthly release to be released much later today (Tuesday). It's what happened last month, but last time we expected the monthly release to be delayed a week so we did an early release with backports.

Monthly/quarterly/yearly releases include Low/Moderate severity patches not backported to older releases and are needed for Pixel firmware/driver patches. Those aren't published/disclosed for May yet. We'll do an early release with the ASB backports if it's not released today.

We've reviewed the backports and can easily ship them if needed. We've included the next set of Linux kernel GKI LTS updates too.

We'll have mitigations for the 3rd party VPN app DNS leaks discovered by our community soon, but likely not today's release.

https://grapheneos.social/@GrapheneOS/112316307560525598

May 2024 release of Android 14 QPR2 is now available for Pixels and the release in the process of being pushed to the Android Open Source Project. We're currently building a new release of Vanadium based on Chromium 124.0.6367.159 which will be followed by the monthly OS update.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024050300-redfin (Pixel 4a (5G), Pixel 5)
• 2024050300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024042200 release:

• remove special handling of the resolver activity ("Open with..." dialog) which was added to Android in order to support instant apps as preparation for our in-development App Communication Scopes feature
• fix Google Fi eSIM activation
• improve isolation of the eSIM activation apps
• improve GrapheneOS infrastructure for per-app state
• enable heap memory tagging for vendor processes by default, remove the user-facing toggle in the Settings and restrict toggling the value to debug builds
• disable most handling for instant apps in the package manager as attack surface reduction
• disable out-of-band APEX updates as attack surface reduction
• only allow first party app source and shell to update system packages
• improve robustness of original-package handling
• Settings: hide GNSS SUPL and PSDS settings on devices without GNSS hardware
• fix regression from our Android 14 QPR2 port causing Storage/Contact Scopes link to disappear after going back to the permissions screen
• improve setup wizard theme to more closely match the stock Pixel OS configuration
• backport mainline APEX module patches for Android Health, Media Provider, Network Stack, and Wi-Fi
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.212
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.150
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.80
• Log Viewer: use human readable UTC time for logcat timestamps
• GmsCompatConfig: update to version 105
• GmsCompatConfig: update to version 106
• GmsCompatConfig: update to version 107
• GmsCompatConfig: update to version 108
• GmsCompatConfig: update to version 109
• Vanadium: update to version 124.0.6367.82.0
• Vanadium: update to version 124.0.6367.82.1
• Vanadium: update to version 124.0.6367.82.2
• Vanadium: update to version 124.0.6367.113.0
• Apps: update to version 23
• work around our app repository client taking ownership of updates for the debug toggle we use to test new Android Auto releases
• fix debug build option for testing same versionCode package updates

We'll be blacklisting mailbox.org and websites using it for email hosting for registration on discuss.grapheneos.org and as an alert email for attestation.app. They're blocking emails from our mail server for a convoluted, nonsensical reason and won't stop.

Our mail server has a clean IPv4 address not on any reasonable blacklist. We've had the IP address for a long time and have moved it between multiple servers. We don't send marketing emails and don't even have a mailing list. The only automated emails are services users request.

mailbox.org says they're blocking our confirmation emails from discuss.grapheneos.org via the IPv4 address for mail.grapheneos.org because the IPv6 /64 address for our website (not our mail server) (grapheneos.org) is listed as suspicious by Spamhaus...

We host our website and network services via geographically distributed VPS instances and direct traffic to them via GeoDNS with failover. It's essentially a self-hosted CDN. They're VPS instances with only a single IPv6 address. The /64 doesn't belong to us, they give us a /128.

Our emails are accepted by Google, Microsoft, Apple and nearly all small providers. Other than mailbox.org, only tiny mail providers entirely blocking emails from the OVH address space or refusing to whitelist IPv4 addresses within /24 blocks are blocking our emails.

The blacklist will improve usability since users will get an error message on discuss.grapheneos.org registration, changing their forum email address or setting an alert email for attestation.app instead of mailbox.org rejecting emails without telling users.

mailbox.org has whitelisted the GrapheneOS domains so emails are now always getting through to our users instead of being rejected. We still disagree with blocking emails based on IPv6 addresses used by website server instances but at least it's no longer our problem.

Changes in version 109:

• update max supported version of Play services to 24.17
• update max supported version of Play Store to 40.8
• update Android Gradle plugin to 8.4.0

A full list of changes from the previous release (version 108) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 124.0.6367.113.0:

• update to Chromium 124.0.6367.113

A full list of changes from the previous release (version 124.0.6367.82.2) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 108:

• improve temporary ActivityManager.getPackageImportance() stub to keep support for Google Play network location service and device orientation API fully working with current Google Play services releases (network location functionality isn't used without disabling our Location request rerouting toggle and setting up the Google Play location service)

A full list of changes from the previous release (version 107) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Notable changes in version 23:

• request package update ownership by default (our mirrors of Play services and Play Store for sandboxed Google Play have been excluded in our app repository's metadata)
• drop removed packages from the user interface after repository update rather than on next app restart
• add a way to mark a dependency being missing as ignored
• add caching for system feature checks
• add support for static dependencies on the device model
• verify shared library declaration during package installation to prevent a compromise of the repository signing key and server from being able to install new packages by adding them as dependencies of other apps
• use MATCH_ANY_USER flag for getSharedLibraries() when allowed to in order to detect already completed shared library updates on GrapheneOS to avoid conflicts when updating Vanadium browser in one profile and then Vanadium WebView in another profile or vice versa
• fix search bar chips padding
• dismiss keyboard when searching
• update Gradle to 8.7
• update Android Gradle plugin to 8.3.2
• update Kotlin Symbol Processing 1.0.20
• update AndroidX Activity KTX library to 1.9.0
• update AndroidX Core KTX library to 1.13.0
• update Bouncy Castle library to 1.78.1
• work around potentially buggy Android APIs
• improve code style, robustness and comments

A full list of changes from the previous release (version 22) is available through the Git commit log between the releases.

Apps is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps and Android Auto to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Changes in version 124.0.6367.82.2:

• revert integration with GrapheneOS dynamic code generation toggle since the current implementation is buggy

A full list of changes from the previous release (version 124.0.6367.82.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 107:

• update max supported version of Play services to 24.16
• update max supported version of Play Store to 40.7

A full list of changes from the previous release (version 106) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.