KindnessInfinity

joined 2 years ago

Changes in version 103:

  • update max supported version of Play services to 24.15
  • update max supported version of Play Store to 40.5
  • update Android Gradle plugin to 8.3.2

A full list of changes from the previous release (version 102) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Changes in version 124.0.6367.42.0:

  • update to Chromium 124.0.6367.42

A full list of changes from the previous release (version 123.0.6312.118.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 123.0.6312.118.0:

  • update to Chromium 123.0.6312.118

A full list of changes from the previous release (version 123.0.6312.99.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024040900-redfin (Pixel 4a (5G), Pixel 5)
  • 2024040900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040300 release:

  • rebased onto AP1A.240405.002.A1 Android Open Source Project release (includes a launcher taskbar improvement)
  • avoid crashes in Chromium-based web browsers and the WebView in their sandboxed processes caused by an incompatibility between exec-based spawning and the new userfaultfd-based garbage collector enabled by Android 14 QPR2
  • DNS resolver: fix upstream bug resulting in NUL byte being included in the random string for the DNS-over-TLS test query
  • allow privileged installers to use getSharedLibraries(MATCH_ANY_USER) in order to enable Apps to handle an edge case involving shared libraries (Vanadium Trichrome library) updated in other users while avoiding adding the INTERACT_ACROSS_USERS permission used for this purpose by the Play Store
  • kernel (5.10, 6.1): update to latest GKI LTS branch revision
  • kernel (5.10): reapply reverted upstream f2fs and irq changes now that the regressions are resolved
  • GmsCompatConfig: update to version 102
  • fix our infrastructure for testing our CarrierConfig2 app
 

SSL Labs (https://www.ssllabs.com/ssltest) from Qualys used to be a useful HTTPS testing tool. However, it hasn't received significant updates since 2019 and is now holding back HTTPS security. The biggest issue is that many of the tests don't support TLSv1.3 so it penalizes disabling legacy TLSv1.2.

It was supposed to be increasing grading requirements over time. It only requires HSTS for A+, doesn't require HSTS preloading, doesn't require CAA, is completely unaware of CAA account/method binding + DNSSEC to secure issuance. It still has obsolete HPKP but is unaware of DANE.

It's also unaware of (hybrid) post-quantum cryptography, which probably shouldn't be part of grading yet but it should be able to detect it.

Sites need to start disabling TLSv1.2 to push many tools and crawlers to update to TLSv1.3 and penalizing it holds back that happening.

It's unaware of Encrypted ClientHello which shouldn't be part of grading but simply detected.

It should also be able to detect an 'HTTPS' record which should be required as part of grading, along with the other DNS-based features of CAA, CAA account/method binding and DNSSEC.
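As an added example (not code from the original post, and not SSL Labs' own logic), the following Python checker reports the features the post says a grading tool should at least detect: TLSv1.3-only configuration, HSTS and preload readiness, CAA with RFC 8657 account/method binding, DNSSEC, the HTTPS DNS record and DANE. It takes already-fetched values as plain strings, so it runs offline; the record values and header in the usage are constructed, and the one-year max-age threshold for preload readiness follows the hstspreload.org submission requirements.

```python
"""Added example (not from the original post or from SSL Labs): a small
posture checker for the HTTPS features the post says SSL Labs ignores.
It takes already-fetched values as plain strings so it runs offline."""
import re
from dataclasses import dataclass, field

# hstspreload.org submission requirements: one-year max-age, includeSubDomains, preload
PRELOAD_MIN_MAX_AGE = 31536000

# RFC 8657 CAA parameters for account and validation-method binding
CAA_ACCOUNT_PARAM = "accounturi"
CAA_METHODS_PARAM = "validationmethods"

CHECKS = [  # (label, Findings attribute), in reporting order
    ("TLSv1.3-only", "tls13_only"),
    ("HSTS", "hsts"),
    ("HSTS preload", "hsts_preload"),
    ("CAA", "caa"),
    ("CAA accounturi", "caa_account_binding"),
    ("CAA validationmethods", "caa_method_binding"),
    ("DNSSEC", "dnssec"),
    ("HTTPS record", "https_record"),
    ("DANE", "dane"),
]


@dataclass
class Findings:
    tls13_only: bool = False
    hsts: bool = False
    hsts_preload: bool = False
    caa: bool = False
    caa_account_binding: bool = False
    caa_method_binding: bool = False
    dnssec: bool = False
    https_record: bool = False
    dane: bool = False
    missing: list = field(default_factory=list)


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives


def parse_caa(record):
    """Parse '<flags> <tag> "<value>"' into (flags, tag, issuer, params).
    params holds the RFC 8657 key=value pairs that follow the issuer domain."""
    m = re.fullmatch(r'\s*(\d+)\s+(\w+)\s+"([^"]*)"\s*', record)
    if not m:
        raise ValueError(f"malformed CAA record: {record!r}")
    fields = [f.strip() for f in m.group(3).split(";")]
    params = {}
    for f in fields[1:]:
        key, _, value = f.partition("=")
        if key:
            params[key.strip().lower()] = value.strip()
    return int(m.group(1)), m.group(2).lower(), fields[0], params


def grade(tls_versions, hsts_header, caa_records, dnssec_validated,
          https_records, tlsa_records):
    """Evaluate the fetched values and list which features are absent."""
    f = Findings()
    # The post's main complaint: a TLSv1.3-only site should not be penalised.
    f.tls13_only = set(tls_versions) == {"TLSv1.3"}
    hsts = parse_hsts(hsts_header)
    max_age = int(hsts.get("max-age", "0") or 0)
    f.hsts = max_age > 0
    f.hsts_preload = (max_age >= PRELOAD_MIN_MAX_AGE
                      and "includesubdomains" in hsts and "preload" in hsts)
    parsed = [parse_caa(r) for r in caa_records]
    issue = [p for p in parsed if p[1] in ("issue", "issuewild")]
    f.caa = bool(issue)
    f.caa_account_binding = any(CAA_ACCOUNT_PARAM in p[3] for p in issue)
    f.caa_method_binding = any(CAA_METHODS_PARAM in p[3] for p in issue)
    f.dnssec = bool(dnssec_validated)
    f.https_record = bool(https_records)
    # TLSA records only give you DANE when the zone is DNSSEC-signed.
    f.dane = bool(tlsa_records) and f.dnssec
    f.missing = [label for label, attr in CHECKS if not getattr(f, attr)]
    return f


if __name__ == "__main__":
    # Constructed sample input standing in for fetched records.
    result = grade(
        ["TLSv1.3"],
        "max-age=63072000; includeSubDomains; preload",
        ['0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345; validationmethods=dns-01"',
         '0 iodef "mailto:security@example.com"'],
        True,
        ['1 . alpn="h2,h3" ipv4hint=192.0.2.1'],
        ["3 1 1 0123456789abcdef"],
    )
    print("missing:", result.missing)
```

The checker only detects; the post argues some of these (HTTPS record, CAA, binding, DNSSEC) belong in grading while ECH and post-quantum key exchange should merely be reported, so a grader built on top of it would weight the `missing` entries accordingly.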

 

Changes in version 102:

  • update max supported version of Play services to 24.13
  • update max supported version of Play Store to 40.4

A full list of changes from the previous release (version 101) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

April release of the Pixel boot chain firmware includes fixes for 2 vulnerabilities reported by GrapheneOS which are being actively exploited in the wild by forensic companies:

https://source.android.com/docs/security/bulletin/pixel/2024-04-01

https://source.android.com/docs/security/overview/acknowledgements

These are assigned CVE-2024-29745 and CVE-2024-29748.

CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking. Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.

We proposed zeroing memory in firmware when rebooting to fastboot mode to wipe out the whole class of attacks. They implemented this by zeroing memory when booting fastboot mode. USB is only enabled by fastboot mode after zeroing the memory is completed, blocking these attacks.

GrapheneOS already implemented defenses against this attack before we became aware of it. After becoming aware of this attack against Pixels running the stock OS, we improved our existing defenses and added new ones alongside reporting the firmware weaknesses to get those fixed.

CVE-2024-29748 refers to a vulnerability providing the ability to interrupt a factory reset triggered by a device admin app. It appears they've implemented a partial solution in firmware. See https://grapheneos.social/@GrapheneOS/112162304896898942 about ongoing work we spotted on wipe-without-reboot support.

GrapheneOS has been working on a duress PIN/password feature for a while, and as part of that we already implemented our own wipe-without-reboot system. We care a lot about doing things properly and the way this was done in existing apps and operating systems was highly insecure.

Can see the announcement of these being exploited in the wild at https://source.android.com/docs/security/bulletin/pixel/2024-04-01#Announcements.

In addition to them working on our proposal to implement wipe-without-reboot, we've spotted work on our other suggestions such as wiping key derivation results from memory after unlocking.

In the near future, we'll be shipping a properly secure implementation of a duress PIN/password along with a properly secure panic wipe based on wiping without requiring a reboot. We also plan to make device admin API use our wipe-without-reboot approach until Android ships one.

Our baseline defenses against attacks aiming to extract data from After First Unlock state devices are our generic exploit protection features:

https://grapheneos.org/features#exploit-protection

Wiping freed memory in kernel/userspace helps beyond exploit mitigation by avoiding having data kept around.

Our auto-reboot feature starts a timer after the device is locked which will reboot the device if it isn't unlocked successfully before the timer elapses. This is set to 18 hours by default but can be set between 10 minutes and 72 hours. It won't chain reboot the device anymore.

All of our defenses against obtaining data from After First Unlock state devices are centered around auto-reboot. Our goal is preventing exploitation long enough for the device to cleanly reboot and get the data back at rest as if it had been obtained while it was powered off.

Due to the importance of auto-reboot, we recently reimplemented it as a low-level timer in the init process. This makes it much harder to prevent the device from rebooting. Previously, crashing system_server would restart the timer. It also allowed us to avoid it chain rebooting.

Our USB-C port control is set to "Charging-only when locked, except before first unlock" by default. New USB connections can only be made while unlocked, except BFU. After locking, new connections are blocked immediately and data lines are disabled when existing connections end.

We encourage users to use "Charging-only when locked" if they don't need USB devices when the device boots or "Charging-only" if they don't use USB beyond charging. There's also an "Off" value disabling charging when booted into the main OS boot mode for high threat models.

To clarify something that's being misunderstood, neither of these 2 weaknesses are specific to Pixels. The mitigations they added are specific to Pixels. We aren't aware of another Android device implementing the reset attack mitigation shipped by Pixels based on our proposal.

The specific vulnerabilities being exploited in fastboot mode are likely littlekernel USB vulnerabilities. If you look in the Pixel security bulletins, you can see many of the patches there are for components also used on other devices like the Samsung modem and littlekernel.
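As an added example (not GrapheneOS code), the following Python model ties together the two lock-state defences the post describes: the auto-reboot timer (10 minute to 72 hour range, 18 hour default, no chain reboot) and the four USB-C port control modes (new connections only while unlocked, plus before first unlock in the default mode; data lines dropped once existing connections end; "Off" also disabling charging in the main OS). The class, method names and the rule that the timer is only armed by a lock event after a successful unlock are assumptions of this model, not a description of the init-process implementation.

```python
"""Added example (not GrapheneOS code): a model of the lock-state defences the
post describes, the auto-reboot timer and the USB-C port control modes, driven
by explicit timestamps in seconds so it runs offline. Assumptions are marked."""
from enum import Enum

MIN_TIMEOUT = 10 * 60            # 10 minutes: lower bound stated in the post
MAX_TIMEOUT = 72 * 60 * 60       # 72 hours: upper bound stated in the post
DEFAULT_TIMEOUT = 18 * 60 * 60   # 18 hours: default stated in the post


class LockState(Enum):
    BFU = "before first unlock"   # just booted, user data still at rest
    UNLOCKED = "unlocked"
    LOCKED = "locked"             # After First Unlock with the screen locked


class UsbMode(Enum):
    DEFAULT = "Charging-only when locked, except before first unlock"
    CHARGING_ONLY_WHEN_LOCKED = "Charging-only when locked"
    CHARGING_ONLY = "Charging-only"
    OFF = "Off"


def clamp_timeout(seconds):
    """Keep a configured auto-reboot timeout inside the 10 min .. 72 h range."""
    return max(MIN_TIMEOUT, min(MAX_TIMEOUT, seconds))


class Device:
    def __init__(self, timeout=DEFAULT_TIMEOUT, usb_mode=UsbMode.DEFAULT):
        self.timeout = clamp_timeout(timeout)
        self.usb_mode = usb_mode
        self.state = LockState.BFU
        self.deadline = None      # absolute time at which auto-reboot fires
        self.usb_connections = 0  # data connections established while allowed
        self.reboots = 0

    def unlock(self):
        """A successful unlock cancels any pending auto-reboot."""
        self.state = LockState.UNLOCKED
        self.deadline = None

    def lock(self, now):
        """Locking arms the timer. Assumption: only a lock event arms it."""
        if self.state is LockState.UNLOCKED:
            self.state = LockState.LOCKED
            self.deadline = now + self.timeout

    def tick(self, now):
        """Return True if the auto-reboot fires at time `now`."""
        if self.deadline is not None and now >= self.deadline:
            self.reboot()
            return True
        return False

    def reboot(self):
        """Back to BFU: data is at rest again, so no timer is armed (no chain reboot)."""
        self.reboots += 1
        self.state = LockState.BFU
        self.usb_connections = 0
        self.deadline = None

    def usb_charging_enabled(self):
        """'Off' disables even charging while booted into the main OS."""
        return self.usb_mode is not UsbMode.OFF

    def usb_new_connection_allowed(self):
        """New USB data connections: only while unlocked, plus BFU in the default mode."""
        if self.usb_mode in (UsbMode.OFF, UsbMode.CHARGING_ONLY):
            return False
        if self.state is LockState.UNLOCKED:
            return True
        if self.state is LockState.BFU:
            return self.usb_mode is UsbMode.DEFAULT
        return False  # LOCKED: new connections are refused immediately

    def usb_data_lines_enabled(self):
        """Data lines stay up while existing connections last and drop when they end."""
        return self.usb_new_connection_allowed() or self.usb_connections > 0

    def usb_connect(self):
        """Attempt a new data connection; returns whether it was accepted."""
        if not self.usb_new_connection_allowed():
            return False
        self.usb_connections += 1
        return True

    def usb_disconnect(self):
        self.usb_connections = max(0, self.usb_connections - 1)


if __name__ == "__main__":
    d = Device(timeout=60)            # below the minimum, so clamped to 10 minutes
    d.unlock()
    d.usb_connect()
    d.lock(now=100)
    print("new USB connection while locked:", d.usb_new_connection_allowed())
    print("auto-reboot at t=700:", d.tick(700), "state:", d.state.value)
```

Running the scenario shows the intended ordering: the existing connection keeps the data lines up after locking, a new one is refused immediately, the reboot fires once the clamped deadline passes, and a second `tick` in BFU state does nothing.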

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024040300-redfin (Pixel 4a (5G), Pixel 5)
  • 2024040300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040200 release:

  • full 2024-04-05 security patch level
  • rebased onto AP1A.240405.002 Android Open Source Project release
  • fix upstream OS limitation preventing using emergency dialer from setup wizard in secondary users
  • Vanadium: update to version 123.0.6312.99.0
 

Changes in version 123.0.6312.99.0:

  • update to Chromium 123.0.6312.99

A full list of changes from the previous release (version 123.0.6312.80.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024040200-redfin (Pixel 4a (5G), Pixel 5)
  • 2024040200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024032100 release:

  • full 2024-04-01 security patch level (early release based on AOSP 14 April security backports since the official April AOSP and stock Pixel OS monthly releases aren't available yet)
  • fix race condition for Wi-Fi and Bluetooth auto-turn-off leading to the first auto-turn-off timer after the first Wi-Fi or Bluetooth state update potentially not being scheduled
  • fix Wi-Fi auto-turn-off no longer handling Wi-Fi state change events not involving a Wi-Fi network
  • DocumentsUI (Files): do not delegate handling of downloaded APKs to DownloadProvider to avoid confusing install permission prompt
  • flash-all: raise minimum fastboot version to 34.0.5
  • kernel (Pixel 8, Pixel 8 Pro): sign vendor modules after building them instead of only signing generic (GKI) modules
  • kernel (6.1): update to latest GKI LTS branch revision
  • fix upstream bug breaking pressing power button 5 times to make an emergency call
  • fix upstream bug causing 5 second delay to start the emergency dialer for the first time
  • CarrierConfig2 (app created by GrapheneOS to replace Google CarrierSettings): add stub implementation of VendorConfigProvider
  • Setup Wizard: use new API for emergency calls
  • Setup Wizard: add prompt for unlocked bootloader triggering reboot to fastboot mode to lock
  • Setup Wizard: add prompt for disabling OEM unlocking after the device is locked (will be disabled by default)
  • GmsCompatConfig: update to version 100
  • GmsCompatConfig: update to version 101
  • Vanadium: update to version 123.0.6312.80.0
  • Vanadium: update to version 123.0.6312.80.1
 

Changes in version 101:

  • update max supported version of Play services to 24.12
  • update max supported version of Play Store to 40.3
  • update Gradle to 8.7

A full list of changes from the previous release (version 99) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Changes in version 123.0.6312.80.1:

  • backport new Chromium autofill implementation to replace our native Android autofill integration with Chromium's implementation of a choice between browser autofill or app-based autofill with app-based autofill automatically used when the user has activated it

A full list of changes from the previous release (version 123.0.6312.80.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
