GrapheneOS [Unofficial]

Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

founded 3 years ago
176
 
 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024051500-redfin (Pixel 4a (5G), Pixel 5)
  • 2024051500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024050900 release:

  • revert our initial approach to blocking DNS leaks with third party Android VPN apps since it changed the behavior in a slightly different way than intended and caused compatibility issues with certain apps (particularly Proton VPN) which blocked us from releasing 2024050900 to the Stable channel (will be replaced in the near future with another approach)
  • improve GrapheneOS Predicted Satellite Data Service (PSDS) infrastructure with better logging, cleaner code and more generic code to support Samsung PSDS for the Pixel 8a in addition to Qualcomm and Broadcom PSDS
  • Auditor: update to version 80
  • GmsCompatConfig: update to version 110
  • Vanadium: update to version 125.0.6422.51.0
  • Vanadium: update to version 125.0.6422.53.0

177
 
 

Changes in version 125.0.6422.53.0:

  • update to Chromium 125.0.6422.53

A full list of changes from the previous release (version 125.0.6422.51.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

178
 
 

An experimental prerelease of GrapheneOS for the Pixel 8a is now available via https://staging.grapheneos.org/ including web installer support. It will be made available via https://grapheneos.org/ after we've done basic testing including testing the upgrade path to a future release.

Pixel 8a currently uses Android 14 QPR1 instead of Android 14 QPR2, meaning it's missing many improvements from the 2nd quarterly release including important privacy and security enhancements. It's likely Android 14 QPR3 will be released in June which should resolve this problem.

Android 14 QPR2 is the largest ever quarterly release of Android, because it's the first trunk-based development release. It brought a lot of what Android 15 is going to ship, largely under the hood with new user-facing features largely disabled but present in the code.

Android 14 QPR2 was released on March 4th but had a delay in publishing to AOSP due to issues with pushing the code which was finished by March 5th. GrapheneOS had a release based on it within a day of that, but it took a couple days to reach staging due to regressions we found.

One of those regressions was the High severity Bluetooth vulnerability we found which was introduced in Android 14 QPR2:

https://grapheneos.social/@GrapheneOS/112400427658505385

This issue slipped into our Stable channel release due to only coming up with rare configurations but we got it fixed on March 9th.

Since the Pixel 8a is still using Android 14 QPR1, our initial release is based on porting our changes from our 2024030300 release which was the last one based on QPR1 (https://grapheneos.org/releases#2024030300). It has a current May security patch level, but this doesn't meet our usual standards.

It's missing improvements to GrapheneOS from March, April and May in addition to Android 14 QPR2 changes. We backported our change enabling PAC/BTI for userspace and are using a current GrapheneOS 5.15 LTS common kernel source tree. SHOULD be fixed with June update, QPR3 or not.

We've tested basic functionality including over-the-air updates so our Pixel 8a prerelease is now available via grapheneos.org.

Pixel 8a switched to Samsung GNSS (GPS, etc.) from Broadcom so we need to add Samsung PSDS support to our network services for PSDS to work.

179
 
 

Pixel 8a with the latest May 2024 update is running Android 14 QPR1 with backported security patches instead of Android 14 QPR2.

Android 14 QPR2 was released in March 2024 and is by far the largest quarterly release so far due to being the first trunk-based quarterly release.

We're definitely not going to backport all the changes we've made since March to Android 14 QPR1. That means we can't simply make the usual device support branch to support it. It's going to need to start out being treated as if it's an end-of-life device in extended support.

We're working on making an experimental pre-release build of GrapheneOS for the Pixel 8a. It will have the 2024-05-05 security patch level but it will initially be missing the Android 14 QPR2 improvements and also the many GrapheneOS improvements since our March 3rd release.

There's a high chance Android 14 QPR3 will be released in June, and they likely decided it didn't make sense to go through all the work of getting QPR2 ready for release. Launching a brand new Pixel with backports to a previous quarterly release is still quite a strange choice.

180
 
 

Our Vanadium browser (https://grapheneos.org/features#vanadium) is based on the stable releases of Chromium. We port to the new releases when they're still in Beta/Dev/Canary but we wait until it's Stable to upgrade, particularly since Stable is the only branch with proper security support.

Within release channels, Chromium uses staged rollouts where initially only a random subset of users get the new release. Recently, the initial Stable channel release started being done 1 week early and only rolled out to a tiny number of users:

https://developer.chrome.com/blog/early-stable

Current release status for Android is at https://chromiumdash.appspot.com/releases?platform=Android. There are 2 variants of a regular Stable release and 2 of an early one, since they enjoy A/B testing changes so much.

We've been following the early Stable, but this month they failed to support it properly...

After the pair of early Stable releases based on v125 for Android, there were 2 pairs of releases based on v124 with 2 rounds of security patches for issues being exploited in the wild. They failed to update the early Stable release as they have before, so we had to deal with it.

Strangely, it appears that the early Stable channel release was only rolled out for Android and the Safari-based iOS app. The 0.2% of Android users receiving the early Stable release aren't getting patches for those 2 vulnerabilities being exploited in the wild. That's not great.

These are the 2 patches missing for Android users who get updated to 125.0.6422.34 or 125.0.6422.35:

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html

Both are marked as having an exploit in the wild. They should really simply make 1 tag and stop making things overly complex.

181
 
 

Changes in version 125.0.6422.51.0:

  • update to Chromium 125.0.6422.51

A full list of changes from the previous release (version 125.0.6422.35.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

182
 
 

Changes in version 110:

  • update max supported version of Play Store to 40.9

A full list of changes from the previous release (version 109) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

183
 
 

Notable changes in version 80:

  • add support for Pixel 8a with either the stock OS or GrapheneOS
  • update Kotlin to 1.9.24
  • update Android Gradle plugin to 8.4.0
  • update Guava library to 33.2.0
  • update AndroidX Core library to 1.13.1
  • update Material Components library to 1.12.0
  • remove redundant style configuration found by lint

A full list of changes from the previous release (version 79) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

184
 
 

We've received the Pixel 8a for our device testing farm already even though it officially ships May 14th.

Both Android Open Source Project source code tags and stock OS factory images / updates will likely be published on May 14th. We'll need those to add GrapheneOS support.

They typically ship pre-ordered devices a few days early to provide most people with an estimated delivery date on the launch day. It's a bit odd they don't publish everything on the day they ship instead of the planned arrival day since many do arrive early. It's fine with us.

Today, we're going to be adding support for the Pixel 8a in Auditor along with generating and backing up official GrapheneOS signing keys which are separate for each device for security reasons. We can't do much else before the official launch day when the code is published.

Once code is published, it will only take us a couple hours to add support for the device. We'll just need to largely automatically generate a device support branch, port over our work from the earlier 8th generation Pixels, make an adevtool state build and then a real release.

185
 
 

https://grapheneos.social/deck/@GrapheneOS/112401228331673501

Response we've received is the Bluetooth vulnerability we reported in March they fixed for Pixels in May will be included in the SEPTEMBER Android Security Bulletin.

Android Security Bulletin should be expanded to include Pixel Update Bulletin patches...

186
submitted 6 months ago* (last edited 6 months ago) by [email protected] to c/[email protected]
 
 

Our latest OS release that's currently in the Beta channel implements a new feature for blocking DNS leaks by third party VPN service app implementations which were discovered by our community:

https://github.com/GrapheneOS/os-issue-tracker/issues/3442

The good news is this does successfully block these leaks.

The bad news is that we currently don't feel comfortable moving this to the Stable channel due to a few reports of compatibility issues with @protonvpn's app. Doesn't appear to cause issues with any other VPN app after two days of public testing so it's likely a @protonvpn bug.

@protonprivacy

We'll give it another couple days of testing. Unless our users find an issue with another VPN app, we'll likely ship this to the Stable channel instead of cancelling the current change. We can't hold back an important improvement based on a single app which appears to be buggy.

187
 
 

Android monthly security backports were released this Monday. We expect the full monthly release to be released much later today (Tuesday). It's what happened last month, but last time we expected the monthly release to be delayed a week so we did an early release with backports.

Monthly/quarterly/yearly releases include Low/Moderate severity patches not backported to older releases and are needed for Pixel firmware/driver patches. Those aren't published/disclosed for May yet. We'll do an early release with the ASB backports if it's not released today.

We've reviewed the backports and can easily ship them if needed. We've included the next set of Linux kernel GKI LTS updates too.

We'll have mitigations for the 3rd party VPN app DNS leaks discovered by our community soon, but likely not today's release.

https://grapheneos.social/@GrapheneOS/112316307560525598

May 2024 release of Android 14 QPR2 is now available for Pixels and the release is in the process of being pushed to the Android Open Source Project. We're currently building a new release of Vanadium based on Chromium 124.0.6367.159 which will be followed by the monthly OS update.

188
 
 

Changes in version 124.0.6367.82.1:

  • enable hybrid post-quantum cryptography support

A full list of changes from the previous release (version 124.0.6367.82.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

189
 
 

Changes in version 124.0.6367.54.0:

  • update to Chromium 124.0.6367.82
  • enable CredentialManager flag by default in the browser instead of only via setting the flags via the configuration app
  • support for respecting OS configuration for restricting dynamic code execution
  • clean up our infrastructure for content filter updates

A full list of changes from the previous release (version 124.0.6367.54.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

190
 
 

Changes in version 106:

  • revert feature flag override from the previous release
  • add temporary stub for ActivityManager.getPackageImportance() which requires the usage stats special access permission since a new feature flag depends on it without checking for the permission or handling the SecurityException (this is temporary because we plan to find a way to provide the foreground check it's trying to do for battery usage throttling without giving it any additional data similar to how AppOps foreground access checks work fine already)

A full list of changes from the previous release (version 105) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

191
 
 

Changes in version 105:

  • disable feature flag causing a reported crash due to sandboxed Play services not having the usage stats permission by default (the permission can be revoked on the stock OS so they may revert this change or have it handle the error)

A full list of changes from the previous release (version 104) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

192
 
 

One of our community members has been doing testing of Android VPN apps to check for leaks. They've found and reported 2 issues where leak blocking functionality doesn't appear to work as intended: one occurs with local network multicast and the other with DNS while VPN is down.

We're actively looking into these issues. Local network multicast not being blocked as expected is likely an OS bug caused by special handling of multicast. DNS issue may be another missed special case or a race condition, but it's possible the apps are handling it incorrectly.

One of the two issues (DNS) has spread to discussions about VPN apps elsewhere. Responsibility for blocking leaks is shared between the OS and VPN apps. It's a good thing that the OS provides standard infrastructure for this. Since the OS controls most of it, we can improve this.

193
 
 

This release is only being done for the Pixel 8 and Pixel 8 Pro due to lack of changes relevant to other devices.

Tags:

  • 2024042200 (Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024042100 release:

  • kernel (5.15): revert another broken f2fs change from the 5.15.149 release (entirely separate from what was fixed in our last release)

194
 
 

We found another regression introduced by a recent f2fs change in the Linux 5.15 LTS branch so we'll have to make another release for Pixel 8 and Pixel 8 Pro before it can reach Beta. Only 2 users doing Alpha channel testing ran into this and one has confirmed reverting it works.

It's possible that this change in the upcoming Linux 6.9 release may resolve the issue properly rather than needing to revert another fix: https://github.com/torvalds/linux/commit/42a80aacb76bed85f453b10f662877ed60d37164. The issue is that we only had 2 users able to reproduce this and now neither can help test potential fixes.

195
 
 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024042100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024042100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024042000 release:

  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): backport upstream f2fs patch for a kernel panic caused by another upstream f2fs patch included in the last GKI LTS update
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.78

196
 
 

https://grapheneos.social/@GrapheneOS/112307439457892688

Our latest release will remain in the Alpha channel due to upstream Linux kernel regressions in the latest 5.15 GKI LTS release causing crashes on the Pixel 8 and Pixel 8 Pro for some users. Very likely caused by f2fs backports in the newer LTS release.

If you're having any crashes with the most recent Alpha channel release on the Pixel 8 and Pixel 8 Pro, please join our testing chat room and help test an official build with a potential fix. We'll only be making a new release after confirming we have a working fix for the issue.

Only 2 users have reported kernel crashes with the new release for Pixel 8 and Pixel 8 Pro. Based on the error logs from the kernel, we suspect the cause is one of 3 f2fs kernel changes in the latest 5.15 GKI LTS release. We aren't getting the feedback we need to determine this.

197
 
 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024042000-redfin (Pixel 4a (5G), Pixel 5)
  • 2024042000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040900 release:

  • add toggle in Settings > Security for opting into memory tagging in vendor processes currently excluded from it with the end goal of having it force enabled without a toggle as we do for the rest of the base OS
  • allow eSIM activation app to interact with Google Fi app when installed to fix Google Fi activation
  • use ro.vendor.build.svn system property from adevtool instead of AOSP to make sure it always matches the stock OS
  • Pixel Fold: update to AP1A.240405.002.A2 vendor files
  • Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro: update to AP1A.240405.002.B1 vendor files
  • Log Viewer: include kernel log buffer in default log output
  • Log Viewer: show "Save" instead of "Copy" button for logs that are over ~50 KB
  • Log Viewer: improve handling of log saving
  • backport mainline APEX module patches for Android Health, ART, DNS Resolver, Media Provider, Network Stack, PermissionController and Wi-Fi
  • TalkBack (screen reader): update base code to 14.1 and massively overhaul our changes to it
  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.148
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.76
  • Vanadium: update to version 123.0.6312.118.0
  • Vanadium: update to version 124.0.6367.42.0
  • Vanadium: update to version 124.0.6367.54.0
  • Camera: update to version 67
  • Camera: update to version 68
  • Auditor: update to version 79
  • GmsCompatConfig: update to version 103
  • GmsCompatConfig: update to version 104
  • Setup Wizard: layout and style improvements
  • Setup Wizard: add functionality for testing on debug builds

198
 
 

Changes in version 104:

  • update max supported version of Play Store to 40.6

A full list of changes from the previous release (version 103) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

199
 
 

Notable changes in version 79:

  • modern Material 3 UI overhaul
  • use edge-to-edge layout
  • update CameraX library to 1.3.3
  • update AndroidX Core library to 1.13.0
  • update Bouncy Castle library to 1.78
  • update Guava library to 33.1.0
  • update ZXing library to 3.5.3
  • update Gradle to 8.7
  • update Android Gradle plugin to 8.3.2
  • update Kotlin to 1.9.23

A full list of changes from the previous release (version 78) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

200
 
 

Notable changes in version 68:

  • temporarily disable support for 4:3 aspect ratio video recording added in version 67 due to breaking on devices where it's not supported

A full list of changes from the previous release (version 67) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.
