KindnessInfinity

Tags:

• 2023120800 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023120701 release:

• Package Installer: fix crash introduced upstream in Android 14 QPR1 for handling pending user action
• Package Installer: fix crash introduced upstream in Android 14 QPR1 by limiting maximum app snippet icon size
• avoid false positives for our kernel crash reporting when running in the Android emulator

Android 14 QPR1 has some regressions for the package installer interface. They were aware of these issues for months and they're already fixed in the QPR2 Beta. It's unfortunate their release process is too slow to incorporate fixes, largely defeating the purpose of beta testing.

GrapheneOS will have another OS update later today with fixes for these issues. Stock Pixel OS users will hopefully only need to wait for the January monthly release to resolve the package installer interface crashes. They need to fix many things about their release processes.

Tags:

• 2023120701 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023120700 release:

• adevtool (Pixel 8, Pixel 8 Pro): update system property removal

This is the first quarterly release of Android 14 and includes a bunch of nice improvements including using the phone as a webcam.

Starting with this release, the Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. Certain driver patches will remain available until the Pixel 5a is end-of-life due to shared code. We'll continue providing all of the Android Open Source Project and GrapheneOS changes for them until the release of Android 15. After Android 15 is released, they'll remain on a legacy Android 14 branch with only the AOSP security patch backports to Android 14 and some additional changes backported by us on a best effort basis. This is the same kind of extended support we provided for the Pixel 4 and Pixel 4 XL.

Tags:

• 2023120700 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2023120400 release:

• full 2023-12-01 security patch level for 6th/7th generation Pixels too
• full 2023-12-05 security patch level
• rebased onto UQ1A.231205.015 Android Open Source Project releases, which is the first quarterly maintenance/feature release for Android 14
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision
• Sandboxed Google Play compatibility layer: disable privileged AlarmManager.FLAG_PRIORITIZE to prevent crashes (this API is a no-op when Unrestricted battery mode is granted anyway)
• GmsCompatConfig: update to version 86

Changes in version 86:

• disable feature flag enabling using a privileged AlarmManager API to avoid crashes

A full list of changes from the previous release (version 85) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and ``|config-holder/``` directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

The December release of the Android Open Source Project and stock Pixel OS will be the first quarterly release of Android 14. It will likely be available this week, but hasn't been published yet. Since there hasn't been a release yet this month, we're publishing an early December security update based on the AOSP backports to Android 14.

It's unclear if 6th/7th generation Pixels received a specific Mali GPU kernel driver patch so we aren't raising the patch level for these until the official December release is available. We often backport these patches early but we don't know which patch corresponds to which CVE ID so we can't raise the claimed patch level. ARM covers up the details publicly and only releases tarballs for each major revision without the Git commit history or individual security patch backports they make available to partners, despite partners being allowed to apply those in public Git repositories. We can often figure out the patch corresponding to a CVE ID or vice versa through ARM partners publishing it, but we haven't been able to in this case.

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're currently supporting them via a legacy Android 13 branch separate from these mainline GrapheneOS releases. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS.

Tags:

• 2023120400 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
• 2023120400-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023112900 release:

• full 2023-12-01 security patch level (6th/7th generation Pixels may be missing a 2023-11-05 Mali GPU patch so we've frozen the patch level string until the official December update)
• Pixel 8, Pixel 8 Pro: use more modern target CPU configuration
• System Updater: enable non-low (currently 20% or higher) battery requirement for the update job by default (will not change for users who have previously opened the update settings due to how they're implemented)
• kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision
• Vanadium: update to version 120.0.6099.43.0
• GmsCompatConfig: update to version 85

Consider joining the GrapheneOS community in our official forum and chat rooms!

Forum: https://discuss.grapheneos.org

There are 7 chat rooms bridged across the main 3 chat platforms.

Discord: https://grapheneos.org/discord Telegram: https://t.me/GrapheneOS Matrix: https://matrix.to/#/#community:graphen

Changes in version 85:

• update max supported version of Play Store to 38.6

A full list of changes from the previous release (version 84) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Selling people devices with GrapheneOS is permitted. However, please don't sell people end-of-life or near end-of-life devices. This is essentially scamming customers and goes against our strong recommendation to not purchase devices older than the Pixel 6. This needs to stop.

We've brought this up with several of the stores selling GrapheneOS phones. Several have listened to us and changed their approach. Others have doubled down on it and even blocked us for making this request. If you're using our trademarked name/logo, this is more than a request.

GrapheneOS supports hardware attestation and has much stronger security than even the stock Pixel OS but isn't Google certified. Play Integrity and legacy SafetyNet Attestation check for Google certification, not any form of security. We have concrete plans to address this issue.

Due to hardware attestation and the support for it via the strong mode for Play Integrity and legacy SafetyNet Attestation, spoofing the Google certification checks is a lost cause over the long term. This is why we refrained from spoofing the much more commonly used basic mode.

Long term, the solution will be to convince organizations to support GrapheneOS by switching to directly using the hardware attestation API which has alternate OS support. See https://grapheneos.org/articles/attestation-compatibility-guide. This is much easier to use now that there's an official library for it.

We're aware that an SDK used by many banking apps has recently adopted the weak software Google certification checks. This has greatly increased the priority of a short term workaround. When we have time, we'll contact company making the SDK and some of the banks with our guide.

At some point, these SDKs are going to start using the strong mode and it's going to end the ability to spoof the checks. It's why we refrained from doing it because we know it's setting up events in the future where many apps suddenly lose compatibility from server side updates.

Extending our Sandboxed Google Play compatibility layer to support Android Auto is currently a top priority. It's nearly ready to ship, and after that the developer working on it will move on to a workaround for this to delay needing app developers or governments to solve it.

Changes in version 120.0.6099.43.0:

• update to Chromium 120.0.6099.43

A full list of changes from the previous release (version 119.0.6045.193.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 119.0.6045.193.0:

• update to Chromium 119.0.6045.193

A full list of changes from the previous release (version 119.0.6045.163.2) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.