KindnessInfinity

September 2024 Android Security Bulletin includes a patch for the wipe bypass we reported: CVE-2024-32896. It's actively exploited by forensic companies across devices. Pixels patched it in June 2024...

September ASB: https://source.android.com/docs/security/bulletin/2024-09-01June PUB: https://source.android.com/docs/security/bulletin/pixel/2024-06-01

We reported several vulnerabilities exploited by forensic companies in January 2024. We proposed implementing firmware reset attack mitigation and wipe-without-reboot. Pixels shipped reset attack mitigation in April 2024 and also a firmware mitigation making wipe bypasses harder.

In June 2024, Pixels shipped our wipe-without-reboot proposal to fully eliminate wipe bypasses. The full solution is a set of AOSP patches (https://android.googlesource.com/platform/frameworks/base/+/8b7b2c66ca96d711fb364cbcc9d655197d9743e0) but they still classified it as a firmware patch since it was treated as phase 2 of the Pixel firmware patches.

We pointed out that it was actually an AOSP patch which should be shipped for all devices, and they agreed with us and scheduled it for inclusion in September. Wipe bypass is now finally going to be fixed for non-Pixels. Reset attack mitigation will still be missing elsewhere.

We extended wipe-without-reboot with extra wiping and use it as part of our duress PIN/password feature.

Forensic companies are still able to exploit stock OS Pixels, but reset attack mitigation helps prevent bypassing GrapheneOS security via firmware.

https://grapheneos.social/@GrapheneOS/112826160880324005

Each month, there's a new Android monthly, quarterly or yearly release. This month is a monthly release of Android 14 QPR3, the 3rd quarterly release of Android 14 from June 2024. Android Security Bulletins have a subset of overall privacy/security patches. This is one example.

Android Security Bulletins include the High and Critical severity patches for the Android Open Source Project backported to older releases (12, 12.1, 13, 14) and a small selection of firmware/driver patches for specific hardware. Non-Pixels ship these backports. Pixels ship more.

Android OEMs are responsible for making their own more complete set of patches and incorporating patches from the SoC vendor and other hardware vendors for their devices. The Pixel Update Bulletins largely consist of these extra patches from Samsung, Qualcomm, Broadcom, etc.

Low and Moderate severity patches are almost entirely not backported to older Android releases and aren't listed in the Android Security Bulletins.

Android 14 QPR3 from June is the current major release, not Android 14. Monthly updates since then are more than ASB patches.

Patch for CVE-2024-32896 was included in an upcoming major release (Android 14 QPR3 in June 2024) and that's why non-Pixel devices didn't get it, because they don't actually update to the new monthly/quarterly releases. Now that it's in the ASB, they'll apply the backport.

GrapheneOS support for the Pixel 9 Pro Fold is no longer marked experimental and is now available through our production site:

https://grapheneos.org/releases https://grapheneos.org/install/web

Our 2024083100 release has been confirmed to be working and to have a working future upgrade path.

Changes in version 135:

• update max supported version of Play services to 24.35
• update max supported version of Play Store to 42.5
• enable generation of v4 APK signatures

A full list of changes from the previous release (version 134) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 134:

• add new approach to disabling Play services OS update service required by 24.31 onwards to avoid uncaught exceptions in rare cases it tries to run
• update Android Gradle plugin to 8.6.0

A full list of changes from the previous release (version 133) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024083100-redfin (Pixel 4a (5G), Pixel 5)
• 2024083100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
• 2024083100-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024082200 release:

• don't hide Exploit protection Safety Center item in secondary users
• Settings: improve UI for GrapheneOS app toggles including adding a screen for viewing the values across apps for each toggle
• add more infrastructure for blocking dynamic code loading
• Settings: add per-app memory dynamic code loading restriction toggle (applies to both native code and Android Runtime class loading for Java/Kotlin)
• Settings: add per-app storage dynamic code loading restriction toggle (applies to both native code and Android Runtime class loading for Java/Kotlin), temporarily without a global toggle until Google phases out the old dynamite module system for Google Play due to many apps temporarily depending on this through it
• Settings: add per-app WebView JIT restriction toggle
• add production support for the Pixel 9, Pixel 9 Pro and Pixel 9 Pro XL
• add experimental support for the Pixel 9 Pro Fold (we haven't received our preordered device for testing yet)
• add support for enabling app association restrictions without exemptions (currently for use with Pixel Thermometer)
• add support for Pixel Thermometer app available from our App Store for the Pixel 8 Pro, Pixel 9 Pro and Pixel 9 Pro XL with strict isolation from other apps
• add missing feature compatibility matrix definitions (mainly for 9th generation Pixels)
• Contact Scopes: explicitly set initialization order after ContactsProvider2 to avoid uncaught exceptions from a race
• kernel (6.1): disable unused hibernation support
• kernel (6.1, 6.6): enable struct randomization in the full mode with a deterministic seed based on kernel commit timestamp (we plan to also incorporate the device family and eventually make the seed specific to each device model, but it will increase our build/testing workload)
• kernel (6.6): enable random kmalloc caches
• kernel (5.10): update to latest GKI LTS branch revision
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.96
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.46
• Vanadium: update to version 128.0.6613.88.1
• Vanadium: update to version 128.0.6613.99.0
• Auditor: update to version 84
• GmsCompatConfig: update to version 131
• GmsCompatConfig: update to version 132
• GmsCompatConfig: update to version 133
• drop restriction on modifying GrapheneOS-specific per-package settings via ADB shell since it makes certain important testing require debug builds and has no real security value
• flash-all.sh: restore POSIX sh compatibility to allow using sh instead of bash on systems where sh is dash or another non-bash-compatible shell
• add support for using backslashes in the passphrases for encrypting the keys for signing OS releases

We've published an initial experimental release for the Pixel 9 Pro Fold on our staging site:

https://staging.grapheneos.org/releases#comet-stablehttps://staging.grapheneos.org/install/web

Our preordered Pixel 9 Pro Fold for our device testing farm hasn't arrived yet so we'll be relying on others to test the early builds.

Everything has been ported for it already and there's nothing else to do for it without testing feedback from users. There's a high chance everything is already fine for it since we have production quality support for the other 9th gen Pixels and the original 7th gen Pixel Fold.

Source code and factory images for the Pixel 9 Pro Fold have been published. We've added support for it to our Auditor app: https://grapheneos.social/@GrapheneOS/113047519006891751. We're beginning work on adding GrapheneOS support but our test device hasn't arrived yet so we won't be able to test ourselves yet.

Notable changes in version 84:

• add support for Pixel 9 Pro Fold with either the stock OS or GrapheneOS
• update Android Gradle plugin to 8.6.0
• update Kotlin to 2.0.20

A full list of changes from the previous release (version 83) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS App Store and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Changes in version 128.0.6613.99.0:

• update to Chromium 128.0.6613.99
• backport upstream implementation of enforcing blob URL partitioning
• enforce dynamic code execution restrictions with seccomp-bpf when JIT is disabled (prevent creating executable anonymous mappings, writable and executable file mappings or marking a non-executable mapping executable)
• explicitly declare queries to Vanadium Config package for both the WebView and browser

A full list of changes from the previous release (version 128.0.6613.88.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 133:

• update max supported version of Play services to 24.34

A full list of changes from the previous release (version 132) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Our 5th release for Pixel 9, Pixel 9 Pro and Pixel 9 Pro XL is available. Main improvement is replacing Linux 6.1.75 with latest GKI LTS (6.1.95). Remaining gap should go away soon. Pixel Thermometer is now supported for 9 Pro / 9 Pro XL and can be installed via our App Store.

Pixel Thermometer is also supported on the Pixel 8 Pro now too. 9th gen Pixel users are getting it early since we needed another early release to port them to our standard 6.1 GKI LTS branch. With the next official release, 9th gen Pixel should be on the regular release cycle.

Our 4th release for the Pixel 9, Pixel 9 Pro and Pixel 9 Pro XL is now available. It adds two Bluetooth bug fixes missing from the temporary Android Open Source Project branch for 9th generation Pixels. One of those is a Bluetooth issue we reported.

https://grapheneos.social/@GrapheneOS/112095059145360678