KindnessInfinity


Notable changes in version 74:

  • only try to enable preview stabilization as part of enabling video stabilization when it's marked as supported by the device to address compatibility issues
  • update Kotlin to 2.0.10

A full list of changes from the previous release (version 73) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store and on GitHub. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

 

Changes in version 127.0.6533.103.0:

  • update to Chromium 127.0.6533.103.0
  • enable -fstack-clash-protection on arm64 with the standard 64kiB stack probes since GrapheneOS raises the secondary stack guard size to 64kiB and Vanadium only currently supports GrapheneOS (AOSP should do this too, but it's not our problem)
  • use 64-bit toolchain for generating resource allowlist

A full list of changes from the previous release (version 127.0.6533.84.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

https://arstechnica.com/tech-policy/2024/08/google-loses-dojs-big-monopoly-trial-over-search-business/

Action is still urgently needed to address the highly anti-competitive Google Mobile Services licensing system and the Play Integrity API which are a major part of Google maintaining their monopolies over search and many parts of the mobile market.

We recently published a detailed thread about this here:

https://grapheneos.social/@GrapheneOS/112878067304840664

We're in contact with the regulators in MULTIPLE countries about this. Don't fall for Google pretending Play Integrity API is security related or that their licensing system is about compatibility.

Android and Chromium would massively benefit from proper collaboration between stakeholders without Google's business model getting in the way. Should be forced to deal with both following the model of the LLVM Foundation and also spin off Google Play into an independent company.

Google is actively cracking down on competition in the mobile space by convincing app developers to use their Play Integrity API. Play Integrity API bans using operating systems not licensing Google's apps/services and agreeing to highly restrictive and anti-competitive terms.

Google's licensing agreement directly bans OEMs from working with GrapheneOS and producing phones with it. Google sabotages their own products such as the Play Store to boost core monopolies. If it was a competitive market, they'd want their apps and services available to any OS.

GrapheneOS has demonstrated Google Play works well as regular sandboxed apps without any special integration into the OS via our sandboxed Google Play feature. Google should be forced to spin off Google Play into an independent company competing with other app stores / services.

 

Windows 11 recently included a basic fastboot driver, removing the need for Windows users to install a fastboot driver to install GrapheneOS.

Our new web installer takes advantage of this and we've now updated the instructions for up-to-date Windows 11:

https://grapheneos.org/install/web#connecting-device

This is one of the benefits of our new web installer. New install process is also quicker and more efficient, reducing the memory and storage requirements below what's currently documented as required. We also overhauled CLI install to do it the same way, which speeds it up too.

Edge supports our web installer, so Windows users can simply use the default browser similar to using Android or ChromeOS. Apple refuses to support WebUSB so macOS users need a non-default browser. Non-ChromeOS desktop Linux still needs udev rules due to handling USB incorrectly.

submitted 1 year ago* (last edited 1 year ago) by KindnessInfinity@lemmy.ml to c/grapheneos@lemmy.ml
 

This is an early August security update release based on the August 2024 security patch backports. This month's release of the Android Open Source Project and stock Pixel OS should be available later today or tomorrow and we'll quickly release an update based on it following this one.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024080500-redfin (Pixel 4a (5G), Pixel 5)
  • 2024080500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080200 release:

  • full 2024-08-01 security patch level
  • suppress crash notifications for 2 harmless crashes occurring on service shutdown for the Android Bluetooth service and Pixel wifi_ext service
  • enable memory tagging for the Pixel wifi_ext service again
  • Settings: disable predictive back gesture in PIN/password input activities to fix an upstream Android vulnerability
  • flash-all: remove unnecessary sleep after flashing AVB key
  • flash-all: exit on errors
  • flash-all.sh: avoid false negative for device model check
  • flash-all.bat: pause before exiting after an error
  • fastboot: add support for CLI install with the GrapheneOS optimized factory images format already used by the web installer (will reduce memory/storage usage for CLI installs and will reduce storage usage on the update servers by avoiding multiple factory image formats)
  • hardened_malloc: update libdivide to 5.1
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.43
 

Our latest release with prevention for most VPN app DNS leaks is currently available in our Alpha and Beta channels:

https://grapheneos.social/@GrapheneOS/112896412987587996

We need more feedback from testing VPN apps and services with leak blocking toggled on, which GrapheneOS already enables by default.

This new temporary approach should be compatible with any normal VPN apps and services. Only VPN apps which don't provide DNS and depend on sending all DNS requests to the local network will be incompatible but it doesn't really make much sense to support leak blocking for those.

We still want to ship our previous stricter approach, but it causes issues establishing the initial VPN connection with Proton VPN for certain users. This is either an app bug or an OS bug triggered by certain apps. We want to resolve that to ship our stricter approach from May.

The best place to give feedback on releases that are still in the Alpha and Beta channels is our Alpha/Beta testing chat room. You can choose between Discord, Telegram or Matrix and can talk with the users in the room on other platforms from each of them:

https://grapheneos.org/contact#community-chat

Our current approach to DNS leak blocking appears to work well without breaking compatibility.

We've made progress towards fixing a related issue for some VPN apps where rare connections are made to VPN DNS outside of the tunnel.

We can hopefully ship stricter enforcement soon.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024080200-redfin (Pixel 4a (5G), Pixel 5)
  • 2024080200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080100 release:

  • prevent VPN apps from having leaks to non-VPN DNS servers while not yet strictly preventing leaks to VPN DNS outside the VPN tunnel due to multiple VPN apps including Proton VPN not connecting reliably with stricter enforcement (in a future release, we can do strict blocking by default with an opt-out toggle and a list of known incompatible apps such as Proton VPN until the compatibility issue is resolved)
  • GmsCompatConfig: update to version 126
  • GmsCompatConfig: update to version 127
  • Camera: update to version 73
 

Notable changes in version 73:

  • enable mirroring images and videos from the front camera by default for fresh installs to match the preview
  • avoid trying to use extension modes with unsupported cameras on devices only supporting them with specific cameras to avoid crashes

A full list of changes from the previous release (version 72) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store and on GitHub. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

 

Changes in version 127:

  • update max supported version of Play Store to 42.1

A full list of changes from the previous release (version 126) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

We've become aware of another company selling devices with GrapheneOS while spreading harmful misinformation about it to promote insecure products. We're making our usual attempt at resolving things privately. However, we need to quickly address what has been claimed regardless.

Downloading and installing an app followed by entering sensitive data into it or granting it powerful permissions isn't a vulnerability/exploit. Accessibility service access can't be directly requested but rather has to be granted via Settings app in the accessibility section.

Accessibility service access is extremely powerful and essentially gives the same control available to the user to the app. This is explained with clear warnings. It's also not possible to enable it for an app not installed from a modern app store without an extra hidden menu.

Apps not installed through a modern app store have extremely dangerous settings including accessibility service access restricted. Users have to navigate to a semi-hidden menu to enable this. UI doesn't explain how to do it. It's a higher barrier than simply phishing info, etc.

Accessibility services are required by many users and the feature can't simply be removed. It's possible to disable this and other dangerous features for end users via a device management app. This is the right approach if you have a userbase you want to protect from themselves.

If you purchase a device with GrapheneOS, we strongly recommend booting it into recovery and wiping data before using it. Next, verify it's running genuine GrapheneOS:

https://grapheneos.org/install/web#verifying-installation

Due to complete verified boot, wiping provides the same assurance as a fresh install.

Our web installer is very easy to use. If you're able to use a web browser and follow basic instructions, you have the skill set required to install it:

https://grapheneos.org/install/web

However, if you do buy a device with GrapheneOS, you can verify it's the real deal without malware.

Simply going to a mainstream local business and purchasing a device to install GrapheneOS is the most secure way to obtain a device.

Consider the risk of buying a device from a company marketing to cryptocurrency users, and at least follow our wiping and verification advice.

Purchasing a device with malware installed is something we defend against. We provide a way to block this through verified boot and the verification process recommended on the site. Can't prevent something like replacing battery with one including a standalone tracking device...

 

We're going to be making another attempt at shipping DNS leak prevention for third party VPN apps. The last attempt resolved a lot of the compatibility issues with the previous approach, so we've made some progress. We don't know what's wrong with Proton VPN and certain other apps.

 

This release is only for the Alpha channel to replace the previous release.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024080100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024080100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024073100 release:

  • revert VPN DNS leak protection again since it's still partially incompatible with Proton VPN and certain other apps for unknown reasons, although we did avoid a lot of the compatibility issues from last time

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago (2 children)

You mentioned Firefox. The app could be updated to better support tablet UI. That's what I meant.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago (4 children)

Well if I have a tablet, it wouldn't be for Linux based apps, unless maybe some SSH/terminal stuff anyway. The apps mentioned would need to update to properly support tablets, if they haven't been yet.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago

You get the latest release straight from the source, best benefit

[–] KindnessInfinity@lemmy.ml 4 points 2 years ago

I use NewPipe or LibreTube on mobile.

[–] KindnessInfinity@lemmy.ml 3 points 2 years ago

When you use Play App Signing, your keys are stored on the same secure infrastructure that Google uses to store its own keys. Keys are protected by Google’s Key Management Service. If you want to learn more about

For apps created before August 2021, you can still upload an APK and manage your own keys instead of using Play App Signing and publishing with an Android App Bundle

Source: Google Support

[–] KindnessInfinity@lemmy.ml 4 points 2 years ago* (last edited 2 years ago) (6 children)

I would recommend buying a Pixel Tablet and installing !grapheneos@lemmy.ml on it. !grapheneos@lemmy.ml is private and doesn't send anything to Google. You can get a Pixel tab second-hand.

[–] KindnessInfinity@lemmy.ml 4 points 2 years ago

Doing so may not have the intended results. It seems like some of these features require the Tensor G3 processor

Google explained that part of the initial processing for Video Boost is done by the Tensor G3 chip on the Pixel 8 Pro. The video is then offloaded to the cloud to handle the rest of the processing heavy lifting. But if that’s the only criteria for how Video Boost functions, surely the Pixel 8 should also have had the feature. Unfortunately, that’s not the case. Video Boost is currently exclusive to the Pixel 8 Pro, and for good reason.

“We’re still figuring some elements of that particular feature, and so we felt that given what it accomplishes and what it’s giving to our users, we start at the top of our portfolio,” Soniya Jobanputra, Director of Product Management at Google, told Android Authority.

Source: Android Authority

[–] KindnessInfinity@lemmy.ml 5 points 2 years ago (2 children)

It probably lacks a lot of the GrapheneOS security features though, like memory hardening, kernel hardening, etc. They don't even have an official website. Seems unprofessional.
