KindnessInfinity

joined 2 years ago

We've started work on adding support for the Pixel 9, Pixel 9 Pro and Pixel 9 Pro XL. We haven't received our test devices yet but they should arrive within a couple days. Pixel 9 Pro Fold will be supported like the earlier Pixel Fold but it's launching later than the others.

Our device testing lab now has a Pixel 9 and Pixel 9 Pro XL. Pixel 9 Pro Fold is preordered and we should receive it at launch.

The regular Pixel 9 Pro was out-of-stock so we haven't ordered one yet. We can buy one later and use up the credit from buying the other 3 devices.

GrapheneOS support for Pixel 9, Pixel 9 Pro and Pixel 9 Pro XL is coming along nicely. It will be ready for public experimental testing soon. It's currently being delayed by Chromium v128 reaching Stable today. We also need another regular OS release due to a minor UI regression.

Our initial port to the Pixel 9, Pixel 9 Pro and Pixel 9 Pro XL is complete and is going to begin going through internal testing. There will likely be at least a few issues to resolve. We'll likely be able to publish a public experimental release in around 12 to 14 hours.

We're working on resolving an early boot crash with 9th generation Pixels caused by porting our hardware-level USB-C port control to them. If necessary, we can partially omit this feature for an initial experimental release. Our aim is to have a public experimental release today.

It's available now:

https://grapheneos.social/@GrapheneOS/113010526089814611

 

Changes in version 130:

  • add stub for PackageManager.getPackagesForUid() to cover our GmcPackageManager.getPackagesForUid() shim still throwing a security exception when handling passing an invalid negative UID due to how the OS APIs work instead of the error expected by Play services

A full list of changes from the previous release (version 129) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Reflects extremely poorly on Apple that several of their employees have been involved in spreading fabricated claims about Pixels. Convincing companies/governments to strictly use Apple products with clearly fraudulent claims about Pixels is scandalous.

https://x.com/GerzerSoftware/status/1825226770079244361

We directly talked about iVerify being a sandboxed app fundamentally incapable of providing significant defenses against sophisticated attackers:

https://x.com/GrapheneOS/status/1824194291591417961

It does not mean you should trust them to run code on your device, view your DNS requests, etc.

iVerify fabricated a fake Pixel vulnerability in order to promote their company/product alongside Palantir and Trail of Bits. It has been completely debunked by multiple researchers. Many people were previously aware of the app, the conditions for enabling it and had analyzed it.

Multiple privacy and security researchers have previously talked about this set of apps for supporting Verizon's network functionality on Android. We analyzed these apps years ago and have publicly talked about it. We checked CarrierSettings and Showcase again before our thread.

Showcase (com.customermobile.preload.vzw) is Verizon's retail demo app and is completely disabled at a package level with the other Verizon apps on Pixels unless someone has a Verizon SIM. The way they're disabled is comparable to installing and uninstalling the apps on demand.

Showcase additionally requires a privileged OS setting in order to enable it. This setting has more limited access than other settings which are part of the public API. The level of access to enable it would be greater than the access the app has available for itself.

Using iVerify means trusting a Palantir partner with code execution, access to your DNS requests, etc.

Palantir is a surveillance company and is largely based around acquiring access to data mined by other companies. That's reason enough to avoid code from them or their partners.

Here's some background on Palantir:

https://privacyinternational.org/sites/default/files/2021-11/All%20roads%20lead%20to%20Palantir%20with%20Palantir%20response%20v3.pdf

Regardless of whether you share the views of most of the open source and privacy communities on Palantir and their partners, a security company like iVerify promoting products via fraudulent claims isn't trustworthy.

Installing an app from their app store is giving arbitrary code execution within the app sandbox to the app developers. The app sandbox is far weaker than the browser sandbox for a website. It's also easy enough for apps to do arbitrary things based on configuration and many do.

iVerify has been actively marketing to journalists while working with groups many journalists consider among their main adversaries.

Using an app is trusting the developers with arbitrary remote code execution in the app sandbox, which is a lot weaker than the web sandbox.

App sandbox simultaneously prevents iVerify from providing any significant value against a sophisticated attacker while also not being nearly strong enough to put up a serious defense against sophisticated adversaries. The value is oversold and it brings more risk than reward.

 

Changes in version 127.0.6533.104.3:

  • temporarily disable Shadow Call Stack due to causing an app compatibility issue with Discover Mobile despite the main compatibility issues being resolved

A full list of changes from the previous release (version 127.0.6533.104.2) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 129:

  • update max supported version of Play services to 24.32
  • update max supported version of Play Store to 42.3
  • update Gradle to 8.10

A full list of changes from the previous release (version 128) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Changes in version 127.0.6533.104.2:

  • enable Shadow Call Stack on 64-bit ARM in addition to pointer authentication since pointer authentication is probabilistic and only supported on ARMv9 devices such as 8th/9th generation Pixels
  • keep stack canaries enabled via -fstack-protector-strong when Shadow Call Stack is enabled as we already do in the kernel to preserve the minor security benefits it still provides and to work around crashes occurring in certain apps using the WebView with it disabled

A full list of changes from the previous release (version 127.0.6533.104.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

https://x.com/cryps1s/status/1824077327577591827

This is a fake story. Turns out that getting security information from the CISO of a mass surveillance company trying to build a dystopian police state providing police with "predictive policing" software largely based on racial stereotypes is a bad move.

Trail of Bits iVerify EDR product runs in the standard app sandbox on iOS and Android. It can hardly do anything beyond static scanning of APKs. It's a crippled antivirus app marketed as detecting sophisticated attackers. It's a scam and Trail of Bits has lost all credibility.

Trail of Bits is working closely with Palantir and is focused on getting government contracts. They've created a fake news story to promote their EDR product which has been propagated across mainstream media. Journalists didn't do basic due diligence and spread false marketing.

One of the apps in this suite is the Showcase retail demo app for Verizon to show off phones in their store. It requires manually setting up the phone as a retail demo device. Verizon says they don't use it anymore. This demo app is where Trail of Bits / iVerify found an HTTP connection.

In order to exploit Verizon's demo app not verifying a signature for the downloaded config or even fetching it via HTTPS, it would already need to be set up to use retail demo mode. The contractors Verizon paid to implement it did a bad job, but it's not a Pixel security issue.

Since it's an obsolete app that Verizon isn't using anymore, the stock Pixel OS already removed it in Android 15 which is visible in the Android 15 Beta. The other Verizon apps needed to fully use their network which get activated with a Verizon SIM are of course still included.

GrapheneOS has been omitting these carrier apps since around 2015. This meant GrapheneOS users weren't able to use Sprint and can't use certain features on Verizon like Wi-Fi calling. Apple has a special deal with Verizon and implements the control they want as part of iOS.

The restrictions set in Verizon's carrier configuration and the functionality implemented by these apps is a major part of why they prevent installing an alternate OS on any device sold by Verizon. They want to control how people use features like tethering and Wi-Fi calling.

Every month, a bunch of real vulnerabilities are patched for Android on Pixels. A subset of these including all High and Critical severity issues in Android itself get backported to older Android releases for non-Pixels too. iVerify's finding isn't even a Low severity issue.

Supposedly reputable news organizations including the Washington Post, New York Times, Wired, etc. are largely acting as a press release distribution service for governments and corporations. If it fits a narrative they want to tell, there's no attempt to question or confirm it.

Trail of Bits employees should think over whether they want to be part of building a police state with pervasive surveillance as Palantir partners. You're not even working at a reputable security company anymore. Trail of Bits has become the charlatans they used to criticize.

 

Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won't.

https://wired.com/story/google-android-pixel-showcase-vulnerability/

iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries.

This is one of multiple carrier apps in the stock Pixel OS which we don't include in GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren't dishonest.

"iVerify vice president of research [...] points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target's device before being able to exploit it."

"The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google's Fernandez emphasized this limiting factor as well."

Wired should retract the article and explain how they're going to do better. They keep publishing this kind of fearmongering misinformation from information security industry charlatans. There are real remote code execution flaws being fixed in Android and iOS but they push this.

GrapheneOS has gone through each of the carrier apps included on Pixel generation to determine their purpose and consequences of including or excluding them. Here it is being excluded from the new adevtool project for ProtonAOSP and GrapheneOS in 2021:

https://github.com/GrapheneOS/adevtool/commit/9c5ac945f#diff-95eb7b50f2781158146e721436d7c5d6f7421755906307a6b7a1f727bb20d53eR109

GrapheneOS has publicly posted about the carrier apps included on Pixels and their privileged permissions on numerous occasions. We talked about the ones which get enabled automatically based on using a SIM from a carrier rather than a disabled demo without an automatic trigger.

Here's a thread from 2017 posted from our project's previous Twitter account which was stolen in 2018:

https://x.com/CopperheadOS/status/903362108053704704

Incredibly important to note that this thread directly involves the CEO of Trail of Bits that's now claiming their iVerify team discovered these apps.

Stock Pixel OS no longer gives the same level of access to the active carrier. This disabled demo app was never a real part of the problem but it was part of the apps we were referring to and excluding. We didn't claim credit for discovering this when we became aware of it in 2015.

Dan Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It's incredibly hypocritical to use the same tactics and expect not to be held to the same standard. We're not doing anything he hasn't done himself many times before.

It's ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware. An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.

Someone linked this article not taking claims from the company promoting themselves at face value, which is far better than most of the news coverage which got completely duped into believing in a completely fabricated threat:

https://therecord.media/google-to-remove-app-pixel-vulnerable

Still not good enough.

Palantir is a mass surveillance company aiding with egregious human rights violations. CEO of Trail of Bits that's working with them is a diehard Apple fanboy and has been dismissing GrapheneOS for years. Here's some real data to ponder:

https://grapheneos.social/@GrapheneOS/112826067364945164

2nd thread including a better explanation of the actual situation:

https://grapheneos.social/@GrapheneOS/112972984066659887

 

Changes in version 127.0.6533.104.1:

  • temporarily disable Shadow Call Stack due to causing app compatibility issues with certain apps using the WebView

A full list of changes from the previous release (version 127.0.6533.104.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 127.0.6533.104.0:

  • update to Chromium 127.0.6533.104 (no changes from 127.0.6533.103)
  • enable Shadow Call Stack on 64-bit ARM in addition to pointer authentication since pointer authentication is probabilistic and only supported on ARMv9 devices such as 8th/9th generation Pixels
  • respect GrapheneOS dynamic code execution toggle
  • improve support for 64-bit-only build targets
  • disable predictive back gesture globally since it breaks Incognito lock privacy

A full list of changes from the previous release (version 127.0.6533.103.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 128:

  • update max supported version of Play services to 24.31
  • update max supported version of Play Store to 42.2
  • update Android Gradle plugin to 8.5.2

A full list of changes from the previous release (version 127) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024080600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024080600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080500 release:

  • full 2024-08-05 security patch level
  • rebased onto AP2A.240805.005 Android Open Source Project release
  • adevtool: update dependencies
  • adevtool: improve code quality
  • adevtool: use fastboot packs to extract firmware images to avoid the need to download over-the-air updates, which also removes the dependency on python and python-protobuf for extracting vendor files
  • kernel (6.6): update to latest GKI LTS branch revision
  • Vanadium: update to version 127.0.6533.103.0
  • Camera: update to version 74

[–] KindnessInfinity@lemmy.ml 0 points 2 years ago (2 children)

I don't see it. Where is it posted?

[–] KindnessInfinity@lemmy.ml 0 points 2 years ago

The slowness is during update not reboot. The other bugs were edge cases.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago (2 children)

The OS is technically stable, I'm using it daily. These issues were likely edge cases. There are a lot of variables when maintaining such a huge project like an Operating System, so edge cases like these were bound to happen eventually.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago (4 children)

If you have a GitHub account, may you please create an issue of this, so Project Members may see this? The issue tracker is located here: https://github.com/GrapheneOS/os-issue-tracker

I do agree that having change logs shown in the OS for new updates would be nice.

[–] KindnessInfinity@lemmy.ml 0 points 2 years ago

You're welcome!

[–] KindnessInfinity@lemmy.ml 0 points 2 years ago (2 children)

Was already released. https://lemmy.ml/post/6385997 Please check which build of GrapheneOS you are on.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago

You'll need to use an Android emulator to run this

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago (4 children)

Should be next release as there's a lot of improvements, bug fixes and more included.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago

Releases are first internally tested. After internal testing they are released to the public Alpha, Beta and finally Stable release channels. The release is the same throughout each channel. These channels are where bugs or any other issues are discovered by the community of testers. If any issues are found in Alpha or Beta tests, that release is skipped and a new release with appropriate fixes is released in its place. Testing of Alpha and Beta releases takes place in the community matrix room #testing:grapheneos.org

The release of GrapheneOS Android 14 should be in stable release channel soon.

[–] KindnessInfinity@lemmy.ml 0 points 2 years ago (6 children)

Lock screen shortcut customization is coming to GrapheneOS Android 14

[–] KindnessInfinity@lemmy.ml 0 points 2 years ago

That'd be a good idea
