KindnessInfinity


Changes in version 121.0.6167.143.0:

  • update to Chromium 121.0.6167.143

A full list of changes from the previous release (version 121.0.6167.101.3) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

https://grapheneos.social/@GrapheneOS/111847146949645864

Our previous Camera app release moved away from using deprecated Parcel APIs. These new APIs were introduced in Android 13, but some had a serious bug in Android 13 causing a null pointer exception. They fixed that in Android 14 where we do most testing.

They chose not to ship the fix in a monthly or quarterly release of Android 13 based on the reasoning that most non-Pixel OEMs don't ship monthly/quarterly updates (only partial security patch backports) and they didn't want fragmentation for this issue.

https://issuetracker.google.com/issues/240585930

That may be reasonable, but then they should have undone the deprecation until Android 14 and raised the minimum API level for these APIs to Android 14. The documentation doesn't mention this. Every developer is expected to hit it and then somehow notice IntentCompat in AndroidX.

 

Notable changes in version 66:

  • work around an Android 13 OS bug not fixed until Android 14 which is causing crashes when resuming certain activities by using the AndroidX IntentCompat interface

A full list of changes from the previous release (version 66) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Beta channel for both the Play Store and our app repository and then get moved to the Stable channel.

GrapheneOS users must obtain GrapheneOS app updates through our app repository since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

 

Changes in version 121.0.6167.101.3:

  • revert minimum API level increase due to it potentially causing issues with resource loading for the browser app for certain users due to Chromium resource optimization quirks (the planned changes requiring this can be approached another way)

A full list of changes from the previous release (version 121.0.6167.101.3) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Notable changes in version 65:

  • add lockscreen support to QR code scanner shortcut activity to support standard lockscreen shortcut for QR scanning
  • improve ImageSaver error dialog (include OS version, include app package name and versionCode, use the standard stack trace format)
  • in-app gallery: do not overwrite the original item after editing
  • in-app gallery: specify Uri type in editIntent to support editing videos with Google Photos
  • update Material Components library to 1.11.0
  • update CameraX library to 1.4.0-alpha04
  • update Gradle to 8.5
  • update Android Gradle plugin to 8.2.1
  • update Kotlin to 1.9.22
  • replace deprecated APIs

A full list of changes from the previous release (version 64) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Beta channel for both the Play Store and our app repository and then get moved to the Stable channel.

GrapheneOS users must obtain GrapheneOS app updates through our app repository since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

 

Changes in version 121.0.6167.101.2:

  • rebuild to fix arm64 32-bit WebView support which was omitted in the last build and not noticed even days after making it to the stable channel due to the few remaining obsolete 32-bit apps still being used which use the WebView (these apps mostly aren't allowed to be installed anymore since Android 14 without using a special ADB command due to minimum API level 23)

A full list of changes from the previous release (version 121.0.6167.101.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

GrapheneOS has a list of security requirements for future devices based on the status quo of the current generation devices we support:

https://grapheneos.org/faq#future-devices

Other than security patches, hardware memory tagging support is easily the most important feature on this list.

GrapheneOS is the first platform using ARM hardware memory tagging in production. This provides a form of memory safety for memory unsafe languages. It has a high random chance of catching most memory corruption and always catches certain major classes of memory corruption bugs.

Hardware memory tagging is such an important feature that we highly prioritized integrating it and enabling it by default once it became available.

Snapdragon 8 Gen 3 still lacks memory tagging support so Snapdragon devices likely won't meet our requirements until 2025 or later.

Qualcomm usually does a good job with security but they've dropped the ball on this. Even MediaTek recently released an SoC platform with MTE support.

Other than memory tagging, the requirements on our list can be met by a theoretical security-focused Snapdragon-based device.

Samsung has committed to providing 7 years of security support with 7 generations of major OS updates, which matches current Pixels. We previously limited our update requirement to 4 years to enable using Snapdragon. We'll be raising it to 5 years for phones and 7 for tablets.

We'll be adding reset attack mitigation via memory zeroing for firmware-based boot modes to our list of requirements once it's shipped for Pixels in a few months. We recently filed upstream reports about vulnerabilities in firmware being exploited on stock OS Pixels due to this.

GrapheneOS implements memory zeroing in the kernel page and slab allocators which does zero most OS memory on reboot, but we don't consider that adequate. It's possible for the OS to lock up or crash in a way that it doesn't get an opportunity to zero. The firmware should do it.

A few of the existing features on our list of hardware requirements were implemented based on our proposals. We filed a bug about earlier Pixel generations using an overly truncated verified boot key hash, and we proposed pinning-based hardware attestation support (attest keys).

We have to do a lot of device-specific hardening work such as fixing or working around bugs uncovered by security features like hardened_malloc and MTE. We also do research into hardware/firmware issues despite not making it. Pixels have benefited from us regularly filing issues.

 

Our latest release provides another enhancement for our protection against firmware-based attacks on devices by forensics companies.

https://grapheneos.social/@GrapheneOS/111825976031359694

This replaces emergency reboots triggered by overheating with regular reboots. We're going to be doing more similar work.

GrapheneOS has zero-on-free for the main allocator used by native code (malloc) along with the kernel page allocator and slab allocator. In particular, zeroing data in the kernel page allocator heavily limits the lifetime of data and clean reboots clear most of the OS memory.

We believe that our zero-on-free features are why forensics companies are announcing support for obtaining data in After First Unlock state for the stock OS via firmware exploits while seemingly not being able to target GrapheneOS yet, but we're rolling out more improvements.

In an earlier release this month, we replaced our auto-reboot feature with a new implementation in the init process to prevent a potential bypass through crashing core system processes. We also made it stop chaining in Before First Unlock state to make low timers much more usable.

The default auto-reboot timer was reduced from our initial choice of 72 hours to 18 hours.

GrapheneOS has provided a feature for disabling USB peripherals for years. By default, we disable USB peripherals while locked. USB is very complex and has other uses than this though.

Fast charging and the low-level protocol for USB-C are extremely complex. These are largely implemented by Linux kernel drivers and the core kernel USB support along with another implementation in the non-OS firmware boot modes, not the isolated USB controller hardware/firmware.

Android 12 added a device administration setting to supposedly disable USB data and a low level USB Hardware Abstraction Layer (HAL) implementation to go along with it. This does not really work as you would expect and only disables high level USB functionality like peripherals.

It also disables USB gadget support, which is already disabled by default other than the device advertising itself as supporting MTP to be detected by computers by default without having MTP enabled until the user enables it. We investigated it near the 12 launch but found it lacking.

USB gadget support is how MTP/PTP, MIDI, tethering (Ethernet), Android 14 QPR1 webcam support and the developer options Android Debug Bridge function. By default, Android uses MTP mode with MTP disabled until the user unlocks and enables it. This adds no significant attack surface.

Attack surface for low-level USB-C and charging is massive. Vulnerabilities being leveraged by forensics companies are often USB bugs. Working reset attack mitigation is barely deployed by devices, meaning they can target firmware USB while the device is booted into a special mode.

We proposed improvements for Pixels in Android security bug reports we filed recently. They're already working on it and we expect it will be shipped in a few months, ending the ability to get data from After First Unlock mode via special firmware modes, but not the OS itself.

We've also discussed the possibility of offering a toggle for disabling fast charging while locked or as a whole for further attack surface reduction. This would certainly not be enabled by default and our focus is on the always enabled or at least default enabled protections.

Our existing default-enabled USB protection disables adding new peripherals while locked. Peripherals you add while unlocked work after locking. Android's standard USB gadget control is based around approval while unlocked, which is similar. We just need to make this lower level.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024012600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024012600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024011600 release:

  • isolate eSIM activation app from non-system apps to avoid it sharing data with sandboxed Google Play
  • make eSIM activation toggle available without sandboxed Google Play installed (eSIM management no longer requires sandboxed Google Play)
  • make the eSIM activation app toggle persistent instead of it being disabled at boot
  • remove misleading message about device info being sent to Google message before eSIM download
  • hardened_malloc: use tag 0 for freed slots instead of reserving a tag to allow using 15 of 16 possible tag values for random tags (there are 3 dynamic exclusions of the random values for the previous tag along with the 2 current or previous adjacent tags)
  • Settings: prevent disabling Camera2/CameraX extension provider app (Pixel Camera Services for Pixels) since it breaks apps using CameraX
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro): use a normal reboot on overheating instead of an emergency reboot to harden against physical attacks
  • kernel: enable reset attack mitigation for UEFI systems supporting it (Tensor Pixels use minimalistic littlekernel-based boot firmware rather than UEFI and the previous Snapdragon Pixels using UEFI didn't implement this but we may need this for future devices)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.208
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.147
  • kernel (Generic 6.1): update to latest GKI LTS branch revision including update to 6.1.73
  • Launcher: disable gradient at the top of the home screen again (change lost with Android 14 QPR1 due to it being reimplemented upstream)
  • rewrite HTTPS network time implementation to make it much more maintainable and robust along with providing better debug output via ADB
  • Vanadium: update to version 120.0.6099.230.0
  • Vanadium: update to version 121.0.6167.71.0
  • Vanadium: update to version 121.0.6167.101.0
  • Vanadium: update to version 121.0.6167.101.1
  • GmsCompatConfig: update to version 93
  • Seedvault: update to latest revision (will be replaced with a better backup implementation in the future)
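Added example, constructed for this page and not hardened_malloc's own code: a small model of the tag policy described in the hardened_malloc bullet above (tag 0 for freed slots, random tags drawn from 15 values with three dynamic exclusions) together with a check of the claim in the memory tagging post earlier on this page that certain classes of memory corruption are always caught. The slot layout, the xorshift RNG and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the tag policy described in the hardened_malloc bullet
 * above, not hardened_malloc's own code. 16 tag values; 0 marks freed slots;
 * a live slot gets a random tag from 1..15 excluding its own previous tag and
 * the tags of both neighbours (a freed neighbour contributes its previous tag). */
#define SLOTS 8
typedef struct { uint8_t tag[SLOTS], prev[SLOTS]; } slab_t; /* tag 0 = freed */

static uint32_t next_rand(uint32_t *s) { /* xorshift32: reproducible draws */
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s;
}
/* Random tag in 1..15 avoiding three excluded values; at least 12 remain. */
uint8_t pick_tag(uint32_t *rng, uint8_t ex1, uint8_t ex2, uint8_t ex3) {
    uint8_t cand[16]; int n = 0;
    for (uint8_t t = 1; t < 16; t++)
        if (t != ex1 && t != ex2 && t != ex3) cand[n++] = t;
    return cand[next_rand(rng) % n];
}
/* A neighbour's live tag, or its previous tag once freed, so a stale pointer
 * into a freed neighbour can never overflow into this slot unnoticed. */
static uint8_t adjacent(const slab_t *s, int i) {
    if (i < 0 || i >= SLOTS) return 0;
    return s->tag[i] ? s->tag[i] : s->prev[i];
}
uint8_t slab_alloc(slab_t *s, int i, uint32_t *rng) { /* returns the pointer tag */
    return s->tag[i] = pick_tag(rng, s->prev[i], adjacent(s, i - 1), adjacent(s, i + 1));
}
void slab_free(slab_t *s, int i) { s->prev[i] = s->tag[i]; s->tag[i] = 0; }
/* The hardware check on every load/store: pointer tag must equal memory tag. */
bool access_ok(const slab_t *s, int i, uint8_t ptr_tag) { return s->tag[i] == ptr_tag; }

/* Adjacent overflow, use-after-free and stale pointers after slot reuse must
 * be caught on every round, whatever the random draws; false means a miss. */
bool policy_holds(uint32_t seed, int rounds) {
    uint32_t rng = seed ? seed : 1;
    for (int r = 0; r < rounds; r++) {
        slab_t s; uint8_t ptr[SLOTS];
        memset(&s, 0, sizeof s);
        for (int i = 0; i < SLOTS; i++) ptr[i] = slab_alloc(&s, i, &rng);
        for (int i = 0; i + 1 < SLOTS; i++) /* overflow in either direction */
            if (access_ok(&s, i + 1, ptr[i]) || access_ok(&s, i, ptr[i + 1])) return false;
        int v = (int)(next_rand(&rng) % SLOTS); slab_free(&s, v);
        if (access_ok(&s, v, ptr[v])) return false; /* use-after-free */
        if (v + 1 < SLOTS) { /* neighbour reused while v is still freed */
            slab_free(&s, v + 1); slab_alloc(&s, v + 1, &rng);
            if (access_ok(&s, v + 1, ptr[v])) return false; /* stale pointer overflow */
        }
        slab_alloc(&s, v, &rng); /* slot reused: old pointer must still mismatch */
        if (access_ok(&s, v, ptr[v])) return false;
    }
    return true;
}
```

The random component only affects which of the remaining 12 or more tags a slot gets; the three exclusions are what make the checks in `policy_holds` deterministic rather than probabilistic.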
 

Changes in version 93:

  • update max supported version of Play services to 24.03
  • update max supported version of Play Store to 39.3

A full list of changes from the previous release (version 92) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Changes in version 121.0.6167.101.1:

  • fix implementation of temporarily using default client hints for WebView until it has a frozen user agent

A full list of changes from the previous release (version 121.0.6167.101.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 121.0.6167.101.0:

  • update to Chromium 121.0.6167.101
  • replace high entropy client hints with placeholders from the frozen user agent (form factor as Mobile, device model as K, platform version as Android 10 and a reduced version number with zero for the minor parts) to improve compatibility with problematic bot detection checks while not providing any additional information
  • raise minimum API level to 33 (Android 13) from the default API level 29 (Android 10) to reduce the work required for our upcoming features

A full list of changes from the previous release (version 121.0.6167.71.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.
