GrapheneOS [Unofficial]

Notable changes in version 67:

• add support for 4:3 aspect ratio video recording
• use new blur bitmap implementation based on RenderEffect for Android 12+
• avoid crashes in rare case when tabParent is not initialized
• update CameraX library to 1.4.0-alpha05
• update ZXing (barcode library) to 3.5.3
• update AndroidX Core library to 1.13.0
• update Gradle to 8.7
• update Android Gradle plugin to 8.3.2
• update Kotlin to 1.9.23
• replace deprecated APIs

A full list of changes from the previous release (version 66) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Changes in version 124.0.6367.54.0:

• update to Chromium 124.0.6367.54

A full list of changes from the previous release (version 124.0.6367.42.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

There's a site impersonating the GrapheneOS project for scamming people (grapheneos dot fr). GrapheneOS does not currently sell phones or work with any company/individual selling phones.

We strongly recommend using the very easy to use web installer: https://grapheneos.org/install/web.

The site is hosted via Wix and uses Tucows as the domain registrar.

Tucows permits using their services for scamming, impersonation, harassment, etc. until they get a court order to stop doing it (https://tucows.com/news/why-tucows-doesnt-take-down-domains-for-website-content-issues) so that's a dead end.

Do we know anyone at Wix?

Wix has taken down the site, but nothing has been done about the domain by Tucows or AFNIC yet. They may simply point the domain at another host. We'll continue trying to get AFNIC to deal with it. We're currently aware of 8 grapheneos.tld domains people registered...

Changes in version 103:

• update max supported version of Play services to 24.15
• update max supported version of Play Store to 40.5
• update Android Gradle plugin to 8.3.2

A full list of changes from the previous release (version 102) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 124.0.6367.42.0:

• update to Chromium 124.0.6367.42

A full list of changes from the previous release (version 123.0.6312.118.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 123.0.6312.118.0:

• update to Chromium 123.0.6312.118

A full list of changes from the previous release (version 123.0.6312.99.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024040900-redfin (Pixel 4a (5G), Pixel 5)
• 2024040900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040300 release:

• rebased onto AP1A.240405.002.A1 Android Open Source Project release (includes a launcher taskbar improvement)
• avoid crashes in Chromium-based web browsers and the WebView in their sandboxed processes caused by an incompatibility between exec-based spawning and the new userfaultfd-based garbage collector enabled by Android 14 QPR2
• DNS resolver: fix upstream bug resulting in NUL byte being included in the random string for the DNS-over-TLS test query
• allow privileged installers to use getSharedLibraries(MATCH_ANY_USER) in order to enable Apps to handle an edge case involving shared libraries (Vanadium Trichrome library) updated in other users while avoiding adding the INTERACT_ACROSS_USERS permission used for this purpose by the Play Store
• kernel (5.10, 6.1): update to latest GKI LTS branch revision
• kernel (5.10): reapply reverted upstream f2fs and irq changes now that the regressions are resolved
• GmsCompatConfig: update to version 102
• fix our infrastructure for testing our CarrierConfig2 app

SSL Labs (https://www.ssllabs.com/ssltest) from Qualys used to be a useful HTTPS testing tool. However, it hasn't received significant updates since 2019 and is now holding back HTTPS security. The biggest issue is that many of the tests don't support TLSv1.3 so it penalizes disabling legacy TLSv1.2.

It was supposed to be increasing grading requirements over time. It only requires HSTS for A+, doesn't require HSTS preloading, doesn't require CAA, is completely unaware of CAA account/method binding + DNSSEC to secure issuance. It still has obsolete HPKP but is unaware of DANE.

t's also unaware of (hybrid) post-quantum cryptography, which probably shouldn't be part of grading yet but it should be able to detect it.

Sites need to start disabling TLSv1.2 to push many tools and crawlers to update to TLSv1.3 and penalizing it holds back that happening.

It's unaware of Encrypted ClientHello which shouldn't be part of grading but simply detected.

It should also be able to detect an 'HTTPS' record which should be required as part of grading, along with the other DNS-based features of CAA, CAA account/method binding and DNSSEC.

Changes in version 102:

• update max supported version of Play services to 24.13
• update max supported version of Play Store to 40.4

A full list of changes from the previous release (version 101) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

April release of the Pixel boot chain firmware includes fixes for 2 vulnerabilities reported by GrapheneOS which are being actively exploited in the wild by forensic companies:

https://source.android.com/docs/security/bulletin/pixel/2024-04-01 https://source.android.com/docs/security/overview/acknowledgements

These are assigned CVE-2024-29745 and CVE-2024-29748.

CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking. Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.

We proposed zeroing memory in firmware when rebooting to fastboot mode to wipe out the whole class of attacks. They implemented this by zeroing memory when booting fastboot mode. USB is only enabled by fastboot mode after zeroing the memory is completed, blocking these attacks.

GrapheneOS already implemented defenses against this attack before we became aware of it. After becoming aware of this attack against Pixels running the stock OS, we improved our existing defenses and added new ones alongside reporting the firmware weaknesses to get those fixed.

CVE-2024-29748 refers to a vulnerability providing the ability to interrupt a factory reset triggered by a device admin app. It appears they've implemented a partial solution in firmware. See https://grapheneos.social/@GrapheneOS/112162304896898942 about ongoing work we spotted on wipe-without-reboot support.

GrapheneOS has been working on a duress PIN/password feature for a while, and as part of that we already implemented our own wipe-without-reboot system. We care a lot about doing things properly and the way this was done in existing apps and operating systems was highly insecure.

Can see the announcement of these being exploited in the wild at https://source.android.com/docs/security/bulletin/pixel/2024-04-01#Announcements.

In addition to them working on our proposal to implement wipe-without-reboot, we've spotted work on our other suggestions such as wiping key derivation results from memory after unlocking.

In the near future, we'll be shipping a properly secure implementation of a duress PIN/password along with a properly secure panic wipe based on wiping without requiring a reboot. We also plan to make device admin API use our wipe-without-reboot approach until Android ships one.

Our baseline defenses against attacks aiming to extract data from After First Unlock state devices are our generic exploit protection features:

https://grapheneos.org/features#exploit-protection

Wiping freed memory in kernel/userspace helps beyond exploit mitigation by avoiding having data kept around.

Our auto-reboot feature starts a timer after the device is locked which will reboot the device is it isn't unlocked successfully before the timer elapses. This is set to 18 hours by default but can be set between 10 minutes and 72 hours. It won't chain reboot the device anymore.

All of our defenses against obtaining data from After First Unlock state devices are centered around auto-reboot. Our goal is preventing exploitation long enough for the device to cleanly reboot and get the data back at rest as if it had been obtained while it was powered off.

Due to the importance of auto-reboot, we recently reimplemented it as a low-level timer in the init process. This makes it much harder to prevent the device from rebooting. Previously, crashing system_server would restart the timer. It also allowed us to avoid it chain rebooting.

Our USB-C port control is set to "Charging-only when locked, except before first unlock" by default. New USB connections can only be made while unlocked, except BFU. After locking, new connections are blocked immediately and data lines are disabled when existing connections end.

We encourage users to use "Changing-only when locked" if they don't need USB devices when the device boots or "Charging-only" if they don't use USB beyond charging. There's also an "Off" value disabling charging when OS is booted into the main OS boot mode for high threat models.

To clarify something that's being misunderstood, neither of these 2 weaknesses are specific to Pixels. The mitigations they added are specific to Pixels. We aren't aware of another Android device implementing the reset attack mitigation shipped by Pixels based on our proposal.

The specific vulnerabilities being exploited in fastboot mode are likely littlekernel USB vulnerabilities. If you look in the Pixel security bulletins, you can see many of the patches there are for components also used on other devices like the Samsung modem and littlekernel.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024040300-redfin (Pixel 4a (5G), Pixel 5)
• 2024040300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040200 release:

• full 2024-04-05 security patch level
• rebased onto AP1A.240405.002 Android Open Source Project release
• fix upstream OS limitation preventing using emergency dialer from setup wizard in secondary users
• Vanadium: update to version 123.0.6312.99.0

Changes in version 123.0.6312.99.0:

• update to Chromium 123.0.6312.99

A full list of changes from the previous release (version 123.0.6312.80.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024040200-redfin (Pixel 4a (5G), Pixel 5)
• 2024040200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024032100 release:

• full 2024-04-01 security patch level (early release based on AOSP 14 April security backports since the official April AOSP and stock Pixel OS monthly releases aren't available yet)
• fix race condition for Wi-Fi and Bluetooth auto-turn-off leading to the first auto-turn-off timer after the first Wi-Fi or Bluetooth state update potentially not being scheduled
• fix Wi-Fi auto-turn-off no longer handling Wi-Fi state change events not involving a Wi-Fi network
• DocumentsUI (Files): do not delegate handling of downloaded APKs to DownloadProvider to avoid confusing install permission prompt
• flash-all: raise minimum fastboot version to 34.0.5
• kernel (Pixel 8, Pixel 8 Pro): sign vendor modules after building them instead of only signing generic (GKI) modules
• kernel (6.1): update to latest GKI LTS branch revision
• fix upstream bug breaking pressing power button 5 times to make an emergency call
• fix upstream bug causing 5 second delay to start the emergency dialer for the first time
• CarrierConfig2 (app created by GrapheneOS to replace Google CarrierSettings): add stub implementation of VendorConfigProvider
• Setup Wizard: use new API for emergency calls
• Setup Wizard: add prompt for unlocked bootloader triggering reboot to fastboot mode to lock
• Setup Wizard: add prompt for disabling OEM unlocking after the device is locked (will be disabled by default)
• GmsCompatConfig: update to version 100
• GmsCompatConfig: update to version 101
• Vanadium: update to version 123.0.6312.80.0
• Vanadium: update to version 123.0.6312.80.1

Changes in version 101:

• update max supported version of Play services to 24.12
• update max supported version of Play Store to 40.3
• update Gradle to 8.7

A full list of changes from the previous release (version 99) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Changes in version 123.0.6312.80.1:

• backport new Chromium autofill implementation to replace our native Android autofill integration with Chromium's implementation of a choice between browser autofill or app-based autofill with app-based autofill automatically used when the user has activated it

A full list of changes from the previous release (version 123.0.6312.80.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Android Open Source Project (AOSP) provides open source infrastructure for device management used to manage enterprise device deployments, kiosks and other situations where a company is considered to own a specific profile or the device as a whole if it's not a personal device.

GrapheneOS has the standard device management infrastructure including the open source Device Lock Controller APEX module.

The only thing we don't implement is preventing someone from wiping the device and using it as a fresh install, since we don't tie devices to accounts.

Recently, a whole lot of misinformation is being spread about GrapheneOS based on this infrastructure being included. The inclusion of the open source code for supporting these use cases does not mean that it's being used. If you don't want it, simply do nothing and it's unused.

Android implements Factory Reset Protection by tying devices to an account and then requiring that account to use the device after wiping it from the recovery mode. This is meant to deter theft but doesn't help you get back your device once someone wipes it and is stuck at login.

We used to prevent wiping without the passphrase, but we realized it was a bad idea and quickly removed it. It led to users bricking their devices. Apple and Google work around this with their standard account recovery, but devices still get bricked including used phone sales.

We've considered providing our own account-based factory reset protection but there's no clear reason to do it beyond spite towards thieves. It won't deter thefts in practice. One person having their device bricked by it would likely hurt our users more than it would ever help...

Companies rely on this anti-theft approach to prevent their employees wiping the devices, stealing them and using them as a personal device.

Device Lock Controller is a specialized form of it to prevent theft by someone that has been loaned a phone but otherwise has control.

We'd have no issue with providing opt-in anti-theft for either an individual owning a device or an organization's fleet of deployed devices. It's simply not as useful as it seems because the device can still be stolen and sold for a lower price than without the feature.

Changes in version 123.0.6312.80.0:

• update to Chromium 123.0.6312.80

A full list of changes from the previous release (version 123.0.6312.40.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Google is publicly working on a fix for the factory reset vulnerability we reported:

https://android-review.googlesource.com/c/platform/frameworks/base/+/3008138

Currently, apps using device admin API to wipe do not provide any security against a local attacker since you can interrupt them. Forensic companies are aware of this.

We weren't sure if they would even consider this to be a valid vulnerability but it was accepted as a High severity issue with a $5000 bounty. We also reported what we consider a far more serious firmware vulnerability which received a $3000 bounty due to not having full info.

They're going to be shipping the mitigation we proposed for preventing obtaining data via exploiting vulnerabilities in firmware boot modes in the April security update. We also proposed software improvements which may ship soon. We aren't sure when factory reset will be fixed.

GrapheneOS provides substantial defenses against obtaining data from devices in the After First Unlock state. We recently made major improvements in this area including our new USB-C port control feature able to disable data lines at a hardware level, unlike the standard feature.

Our USB-C port control is set to "Charging-only when locked, except before first unlock" by default. New USB connections can only be made while unlocked, except BFU. After locking, new connections are blocked immediately and data lines are disabled when existing connections end.

We encourage users to use "Changing-only when locked" if they don't need USB devices when the device boots or "Charging-only" if they don't use USB beyond charging. There's also an "Off" value disabling charging when OS is booted into the main OS boot mode for high threat models.

Our auto-reboot feature starts a timer after the device is locked which will reboot the device is it isn't unlocked successfully before the timer elapses. This is set to 18 hours by default but can be set between 10 minutes and 72 hours. It won't chain reboot the device anymore.

Our main defenses against this are our standard exploit protection features:

https://grapheneos.org/features#exploit-protection

Wiping freed memory in kernel/userspace also helps beyond exploit mitigation. We also added full compacting GC for core processes when locking and we're working on much more.

We've planned to support adding a PIN as a 2nd factor for fingerprint unlock since 2016. A new contributor has recently made a lot of progress on it. We'll get it done after duress PIN/password. It will allow using passphrase primary unlock with fingerprint+PIN secondary unlock.

Changes in version 100:

• update max supported version of Play Store to 40.2
• update Android Gradle plugin to 8.3.1

A full list of changes from the previous release (version 99) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Our latest release has been confirmed to resolve Android 14 QPR2 Bluetooth module issues causing connectivity issues with 5th/6th generation Galaxy Watch devices. 2nd set of upstream Bluetooth bugs we've fixed this month. Please provide feedback here:

https://discuss.grapheneos.org/d/11383-request-for-testing-and-feedback-with-bluetooth-on-android-14-qpr2-grapheneos

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024032100-redfin (Pixel 4a (5G), Pixel 5)
• 2024032100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024031400 release:

• Bluetooth: revert broken upstream change and changes depending on it to fix Galaxy Watch 6 Classic and likely other devices impacted by the same issue (this was a failure of upstream testing and release engineering for AOSP and doesn't impact the stock Pixel OS because it uses a different APEX module revision branched from an older revision of AOSP but it will impact every other Android-based OS on Android 14 QPR2 since there isn't a Bluetooth mainline module published in the Play Store and AOSP yet)
• revert disabling hardened_malloc for Broadcom Bluetooth HAL (we've fixed the upstream issue and this wasn't needed) revert allowing users to disable hardened_malloc for Bluetooth system app (we've fixed the upstream issue and this wasn't needed)
• revert allowing users to disable hardened_malloc for Bluetooth system app (we've fixed the upstream issue and this wasn't needed)
• Android Runtime: disable stripping symbols for libart to restore compatibility with some popular obfuscated Chinese apps using a specific obfuscation SDK depending on private APIs which was broken by Android 14 QPR2 when not using the mainline ART module based on older code like the stock Pixel OS (does not result in any lost storage space, just slightly larger factory images / updates as if we'd bundled another small app)
• Android Runtime: remove Android's hard-wired speed-profile compilation for launcher apps which was limiting ahead-of-time compilation for user installed launcher apps to the parts of the code included in baseline and/or cloud profiles rather than compiling the whole app via our default speed compilation which we use to replace JIT compilation and JIT profiles guiding background AOT compilation
• backport 12 upstream fixes from the mainline MediaProvider, Wifi, NetworkStack and HealthFitness APEX modules
• allow using device controls quick tile when unlocked since it already has a toggle for controlling availability so our new default requirement of the device being unlocked needs to be overridden for it
• more complete setup design configuration to improve appearance of Setup Wizard, etc.
• Settings: fix upstream footer formatting issue for App pinning screen
• update timezone module to Android mainline 341510010 (based on tzdata 2024a)
• kernel (5.15, 6.1): improve support for hosting servers by enabling SYN cookies as we do for the older kernels
• kernel (6.1): drop obsolete usage of YAMA which we replaced with our dynamic SELinux flag extension
• kernel (5.10): update to latest GKI LTS branch revision
• GmsCompatConfig: update to version 99

This series of attacks on Internet infrastructure has made it difficult for some users in Africa and South Asia to download GrapheneOS app and OS releases.

https://blog.cloudflare.com/undersea-cable-failures-cause-internet-disruptions-across-africa-march-14-2024

We have a Singapore location for the website and update server already but not the update servers.

OVH has standard unmetered bandwidth for VPS instances and dedicated servers in North America and Europe but not Singapore or Sydney. It's possible to purchase unmetered bandwidth for a dedicated server but it's insanely expensive. New India DC appears to be a similar situation.

We're looking into our options. Lowest end server in their India DC (Xeon-E 2386G, 32GB memory, 1Gbps) would be around $60/month but then becomes around $550/month for unmetered bandwidth. Peering situation must be awful for Asia considering that's part of base price in EU/NA.

Changes in version 99:

• update max supported version of Play services to 24.10
• update max supported version of Play Store to 40.1

A full list of changes from the previous release (version 98) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Due to mainline modules, the Stock Pixel OS is currently using a much older release of the Bluetooth module than the current release in the Android Open Source Project without current security patches. We believe this is the reason for remaining issues not occurring for stock.

The remaining compatibility issues with a small number of devices such as the past couple generations of Galaxy Watch hardware appear to be the consequence of the March security patches and other changes in QPR2. There's a solid chance the Bluetooth devices are what's buggy.

GrapheneOS is on Bluetooth module version 990090000 from the Android 14 QPR2 release. Stock Pixel OS is still using 341313030, without tags available for that. Needs to be addressed even if simply by tagging the older Bluetooth module release being separately built/shipped.

Tags:

• 2024031400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024031100 release:

• allow users to disable GrapheneOS hardened_malloc for the Bluetooth system app via the Settings app to help with debugging upstream bugs (still enabled by default)
• temporarily disable hardened_malloc for Broadcom Bluetooth HAL as a potential workaround for upstream bugs in Android 14 QPR2 (will be reverted if it doesn't help and reverted after fixes are implemented if it does help)
• fix upstream bug in Android 14 QPR2 breaking Wi-Fi tethering on fresh installs before Wi-Fi is enabled for the first time, which didn't occur on the stock OS in practice due to it enabling Wi-Fi by default
• fix upstream system_server crash in Android 14 QPR2 when installing updates to packages with an original-package application id such as Vanadium (was reported by users helping with Vanadium Alpha channel testing and we released Apps version 22 with a workaround avoiding the crash prior to this fix)
• Apps: update to version 22
• Vanadium: update to version 122.0.6261.119.0
• Vanadium: update to version 123.0.6312.40.0
• drop legacy script/envsetup.sh (see current build instructions)