KindnessInfinity

joined 2 years ago

Changes in version 126.0.6478.50.1:

  • restore past Password Manager settings behavior from before v126, although Chromium has deprecated it with the intention to remove it in 6 months so we'll need to talk to them about it
  • enable feature flag for passkey support (already handled via Vanadium Config update)
  • enable skipping autofill compatibility checks (already handled via Vanadium Config update)
  • explicitly disable include_both_v8_snapshots for the upcoming v127 release since it will increase build time and APK size for a feature that's only available as an opt-in experiment

A full list of changes from the previous release (version 126.0.6478.50.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

CVE-2024-32896 which is marked as being actively exploited in the wild in the June 2024 Pixel Update Bulletin is the 2nd part of the fix for CVE-2024-29748 vulnerability we described here:

https://grapheneos.social/@GrapheneOS/112204428984003954

As we explained there, none of this is actually Pixel specific.

Bulletin:

https://source.android.com/docs/security/bulletin/pixel/2024-06-01

Attribution to us:

https://source.android.com/docs/security/overview/acknowledgements

CVE-2024-32896 and CVE-2024-29748 refer to the same vulnerability of interrupting reboot for wipes via the device admin API, which applies to all devices.

CVE-2024-32896 is a full fix in AOSP as part of Android 14 QPR3. It's not at all Pixel specific.

This is being widely incorrectly reported in tech news coverage. Pixel Update Bulletins are almost entirely patches for vulnerabilities which apply to other devices too. Android Security Bulletins are the list of what other OEMs are required to fix, not the full list of patches.

We explained this in our previous thread:

https://grapheneos.social/@GrapheneOS/112204437363495338

CVE-2024-29748 was a mitigation for the issue implemented in the Pixel bootloader. Full solution is implementing wipe-without-reboot, which is now a standard feature in Android 14 QPR3 released as part of AOSP.

Our 2024052100 release backported the upstream wipe-without-reboot feature being shipped in the June 2024 release of Android (Android 14 QPR3): https://grapheneos.org/releases#2024052100.

We extended it to make it more robust via extra redundancy in our 2024060400 release: https://grapheneos.org/releases#2024060400.

There were 2 main issues:

  1. memory not wiped when booting firmware-based fastboot mode, allowing exploiting it to get previous OS memory
  2. AOSP device admin API depends on reboot-to-recovery to wipe before Android 14 QPR3

Neither issue is being fixed outside Pixels yet.

Each month, Android has a new version released. These are the monthly, quarterly (QPR) and yearly releases. The baseline monthly security patches are NOT the monthly releases of Android. They're backports of a SUBSET of the patches with High/Critical severity, not all patches.

Most devices only ship the backported patches to older Android releases (12, 13 and 14). Pixels ship the monthly, quarterly and yearly releases. Other devices will mostly get the 2nd vulnerability fix when they update to Android 15. They'll have to fix the 1st issue on their own.

We have a thread about forensic company capabilities at https://grapheneos.social/@GrapheneOS/112462756293586146 based on leaked Cellebrite documentation. Shows GrapheneOS does a much better job than iOS/Android blocking exploits and only Pixel 6 and later or iPhone 12 and later successfully stop brute forcing.

 

This is the first release of GrapheneOS based on Android 14 QPR3, the 3rd quarterly maintenance/feature release for Android 14.

We've found at least one new issue with the Android Open Source Project 14 QPR3 Bluetooth module and are already working on resolving it. We'll have a quick follow-up release fixing the Bluetooth regression and other issues discovered during public Alpha testing.

Pixel 8a is now supported as part of the standard Android releases instead of having a device branch based on Android 14 QPR1. We've had stable releases for it available since May 15th (1 day after launch) based on our last QPR1-based release (2024030300). Pixel 8a users will be getting the GrapheneOS improvements from March, April, May and June along with the Android 14 QPR2 and QPR3 improvements so it's a much larger release for the Pixel 8a.

Tags:

  • 2024061200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024060500 release:

  • full 2024-06-05 security patch level
  • rebased onto AP2A.240605.024 Android Open Source Project release, which is the 3rd quarterly maintenance/feature release for Android 14 (QPR3)
  • temporarily enable system crash notifications unconditionally for the initial QPR3-based release
  • change default USB-C port mode to "Charging-only when locked", from "Charging-only when locked, except before first unlock"
  • stop disabling memory tagging and hardened_malloc for surfaceflinger
  • Settings: fix regression permitting disabling apps when it shouldn't be allowed due to device manager policy
  • Vanadium: update to version 126.0.6478.50.0
  • GmsCompatConfig: update to version 117
 

Changes in version 126.0.6478.50.0:

  • update to Chromium 126.0.6478.50

A full list of changes from the previous release (version 125.0.6422.165.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 117:

  • update max Play services version to 24.22 for GmsCompat >= 1008
  • update max supported version of Play Store to 41.3

A full list of changes from the previous release (version 116) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024060500-redfin (Pixel 4a (5G), Pixel 5)
  • 2024060500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024060400 release:

  • Sandboxed Google Play compatibility layer: adjust to DynamiteLoader changes being deployed with a new feature flag in Play services 24.22
  • stop treating pressing the spacebar on a physical keyboard as submitting the lockscreen password since it prevents entering passphrases with spaces (upstream Android bug which has existed for around 8.5 years)
  • Vanadium: update to version 125.0.6422.165.0
  • GmsCompatConfig: update to version 116
 

Changes in version 116:

  • reduce max supported version of Play services to 24.21 until we resolve a regression with a new feature flag
  • update Gradle to 8.8

A full list of changes from the previous release (version 115) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Changes in version 125.0.6422.165.0:

  • update to Chromium 125.0.6422.165

A full list of changes from the previous release (version 125.0.6422.147.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

This is an early June security update release based on the May 2024 security patch backports since this month's release of the Android Open Source Project and stock Pixel OS with Android 14 QPR3 isn't available yet.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024060400-redfin (Pixel 4a (5G), Pixel 5)
  • 2024060400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024053100 release:

  • full 2024-06-01 security patch level
  • extend the standard wipe-without-reboot implementation beyond wiping the hardware keystores (which prevents recovering any OS data by preventing deriving the key encryption keys) by also wiping the secdiscardable data on the SSD needed to derive key encryption keys, the encrypted storage keys on the SSD and the Weaver slots in the secure element needed to derive per-user key encryption keys via a secure element erase
  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): update to latest GKI LTS branch revision
  • kernel (6.1): update to latest GKI LTS branch revision
 

Latest release of GrapheneOS finally shipped the long awaited duress PIN/password implementation. If you have a spare device, we recommend trying it out.

We've added initial documentation to the features page:

https://grapheneos.org/features#duress

It near instantly wipes and shuts down.

We've also finally added documentation on our USB-C port control to our features page:

https://grapheneos.org/features#usb-c-port-control

Most users can set this to "Charging-only when locked" without a loss of functionality or even "Charging-only" if you don't use USB accessories, DisplayPort or MTP.

Default is "Charging-only when locked, except before first unlock" to avoid locking users out of devices with a broken touchscreen. The main threat model for this is defending the device until the auto-reboot timer started when the screen is locked gets user data back at rest.

Our upcoming 2-factor fingerprint unlock will make using a strong passphrase as primary unlock method practical via fingerprint+PIN secondary unlock instead of fingerprint-only. Great for people who want to avoid relying on secure element throttling but don't want fp-only unlock.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024053100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024053100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024052100 release:

  • add support for setting a duress password and PIN for quickly wiping all hardware keystore keys including keys used as part of deriving the key encryption keys for disk encryption to make all OS data unrecoverable followed by wiping eSIMs and then shutting down
  • disable unused adoptable storage support since it would complicate duress password feature (can be added if we ever support a device able to use it)
  • increase default max password length to 128 to improve support for strong diceware passphrases, which will become more practical for people who don't want biometric-only secondary unlock with our upcoming 2-factor fingerprint unlock feature
  • disable camera lockscreen shortcut functionality when camera access while locked is disabled to avoid the possibility of misconfiguration by adding the camera lockscreen shortcut and then forgetting to remove it when disabling camera access
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.153
  • kernel (6.1): update to latest GKI LTS branch revision
  • Vanadium: update to version 125.0.6422.72.0
  • Vanadium: update to version 125.0.6422.72.1
  • Vanadium: update to version 125.0.6422.113.0
  • Vanadium: update to version 125.0.6422.147.0
  • GmsCompatConfig: update to version 112
  • GmsCompatConfig: update to version 113
  • GmsCompatConfig: update to version 114
  • GmsCompatConfig: update to version 115
  • make SystemUI tests compatible with GrapheneOS changes
 

GrapheneOS has been working towards providing accessibility for blind users so we include our own build of TalkBack. We plan to include a text-to-speech (TTS) app and Setup Wizard integration to make it usable out-of-the-box. We can't do much to make installing more accessible.

Unfortunately, some banks are trying to make life harder for blind people and others reliant on accessibility services. A few have started banning using their app if a non-Google accessibility service app is installed, even if it's not activated (TalkBack is off by default).

Our users have determined that this is easy to work around by disabling the app rather than the accessibility service not being activated. It's possible for those apps to see that it's not activated and they can see it's a first party OS component so it makes very little sense.

We've been working on an App Communication Scopes feature for disallowing apps from seeing or communicating with apps in the same profile with toggles to allow specific cases. We have some of the infrastructure in the OS already for specific cases and can start using it for this.

So far, only EU banks appear to be doing this which is convenient since we already have contact with the EU Commission with a focus on the anti-competitive Play Integrity API many banks have adopted. They're not going to be impressed by banks banning open source screen readers...

[–] KindnessInfinity@lemmy.ml 8 points 2 years ago (9 children)

What are you supposed to use? I have been cleaning my ears with them my whole life.

[–] KindnessInfinity@lemmy.ml 2 points 2 years ago (1 children)

Yeah, breeding is really messed up. If the cats have access to outside, I'd say it's ethical to adopt.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago (1 children)

We need to respect all living things, at least attempt to

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago (4 children)

If that is the case, then maybe it is OK.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago (6 children)

They should all be free to roam. BTW I'm not saying to make it illegal, just how I live.

[–] KindnessInfinity@lemmy.ml 7 points 2 years ago (11 children)

Cats 😾 although I feel it is unethical to own pets, personally

[–] KindnessInfinity@lemmy.ml 2 points 2 years ago (4 children)

I feel the same on not wanting to keep pets, it feels unethical.
