GrapheneOS [Unofficial]

Changes in version 133.0.6943.39.1:

• remove upstream V8 Optimizer toggle for toggling the 2 highest tiers of the JIT compiler with a manual list of exceptions since it does not fully disable the JIT compiler as widely misunderstood and doesn't make sense to have alongside our actual JIT toggle with a proper per-site setting (WebAssembly will be supported with the JIT fully disabled once we get the WebAssembly interpreter from Microsoft Edge working)

A full list of changes from the previous release (version 133.0.6943.39.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 133.0.6943.39.0:

• update to Chromium 133.0.6943.39

A full list of changes from the previous release (version 132.0.6834.163.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Changes in version 132.0.6834.163.0:

• update to Chromium 132.0.6834.163

A full list of changes from the previous release (version 132.0.6834.122.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Our next OS release has support for enabling and using Google's credential service via sandboxed Google Play by making it an unprivileged service. This has become a requirement for the "Sign in with Google" option in a subset of apps although most provide a least one alternative.

Tags:

• 2025012700 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025012600 release:

• fix regression in the previous release for configuring per-app settings added by GrapheneOS for apps in the work profile or Private Space when the Settings app is launched from the Owner user rather than the work profile or Private Space (this was caught during Alpha channel testing and is why it didn't proceed to Beta channel testing)
• Sandboxed Google Play compatibility layer: improve Play Integrity API description

A post from the developer of WireGuard on the severe security flaws and lack of trustworthiness of F-Droid:

https://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404

This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from in their words being held hostage by F-Droid.

This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.

For the vast majority of apps they package, F-Droid downloads and builds whatever developers publish, then sign it with their own keys and release it. They aren't doing any real review as people believe. What they really do is run things through basic scans looking for libraries they've disallowed, primitive antivirus checks for common Android malware as if that's what malicious code in an open source project would be, etc. It took them that long just to realize an app openly took over updates.

F-Droid has incredibly poor security practices and a strong anti-security attitude held by most of the people involved. They've consistently engaged in coverups of vulnerabilities and targeting multiple security researchers with libel and harassment.

It's a massive single point of failure and not worthy of the trust many people are placing in it. It's adding another trusted party compared to using the apps built and signed by the developers. It is not avoiding trust in the developers of apps.

Regularly not shipping critical Firefox security patches for months is the norm for the main F-Droid repository. Whether or not they sign the apps themselves as they do for the vast majority of apps, updates can be indefinitely delayed based on issues with their outdated infrastructure or their Debian-style downstream patches needing to be updated.

For the small subset signed by the app developers, many kinds of disagreements between F-Droid and developers will mean an end to receiving updates.

Tags:

• 2025012600 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025011500 release:

• disable standard Android feature holding a 10 minute screen wake lock after the screen brightness is raised at least 2 times within 5 minutes since this is confusing for users and it's far better if keep awake is done explicitly
• always show Linux kernel crash notifications from hardware memory tagging (Hardware Tag-Based KASAN) instead of only when system crash reporting is enabled by users
• Messaging: begin under the hood overhaul including fully porting to target API 35 (Android 15)
• recovery: remove spurious warning after sideloading an update fails on A/B update devices
• change build username and hostname to match the stock Pixel OS format instead of setting both to grapheneos due to bad actors using it to ban using GrapheneOS
• return green as the value of ro.boot.verifiedbootstate for user installed apps (not the base OS or system apps) due to bad actors using it to ban using GrapheneOS
• SettingsIntelligence: don't show preference summaries in search results since it doesn't work properly for ones depending on dynamic string formatting and isn't done by SettingsIntelligenceGoogle on the stock Pixel OS
• Contact Scopes: fix spoofing of OP_GET_CONTACTS for apps not requesting WRITE_CONTACTS
• Sandboxed Google Play compatibility layer: improve infrastructure
• Sandboxed Google Play compatibility layer: allow blocking the Sandboxed Google Play is running notification
• Sandboxed Google Play compatibility layer: add per-app Play Integrity menu in the per-app Settings configuration that's shown after an app uses the Play Integrity API
• Sandboxed Google Play compatibility layer: add per-app toggle for blocking using the Play Integrity API via the per-app Play Integrity menu as a workaround for apps which ban devices based on it but don't require providing it to their service yet
• Sandboxed Google Play compatibility layer: add shortcut to the per-app Play Integrity API menu for contacting the app developer by leaving a review through the Play Store page
• Sandboxed Google Play compatibility layer: add menu for viewing all apps which have used the Play Integrity API with a shortcut in the per-app Play Integrity API menu
• Sandboxed Google Play compatibility layer: show optional notification upon detection of Play Integrity usage providing a shortcut to the per-app Play Integrity API menu and another for hiding further notifications for the app which is also available as a toggle in the per-menu
• hardened_malloc: update libdivide to 5.2.0
• TalkBack (screen reader): update dependencies
• TalkBack (screen reader): make builds fully reproducible by removing the use of DATE and TIME by brltty along with making the liblouis translation table zip use deterministic file order and timestamps
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.124
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.68
• Vanadium: update to version 132.0.6834.79.0
• Vanadium: update to version 132.0.6834.79.1
• Vanadium: update to version 132.0.6834.79.2
• Vanadium: update to version 132.0.6834.122.0
• GmsCompatConfig: update to version 153

Changes in version 153:

• update max supported version of Play Store to 44.5
• disable update_install_enable_resume_on_reboot flag to work around crashes on end-of-life devices still on Android 13

A full list of changes from the previous release (version 152) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

GmsCompatConfig is the text-based configuration for the GrapheneOS sandboxed Google Play compatibility layer. It provides a large portion of the compatibility shims and sets the maximum supported versions for Play services and the Play Store.

Android's Private DNS feature originally used DNS-over-TLS (DoT) before Google decided to focus on DNS-over-HTTPS (DoH) over DoT or the newer DNS-over-QUIC (DoQ).

They're migrating Android to always using DoH when available. They started by always using it when the network or user configures Cloudflare or Google DNS for initial testing. Using it for everything else is behind multiple feature flags enabling newer asynchronous DNS resolution code and automatic detection of DNS-over-HTTPS support.

DoT and DoQ are leaner than doing DNS via HTTP using TLS or QUIC. The only reason DoH is winning out is because reusing HTTPS means the standard port is TCP/UDP 443 so it bypasses misguided filtering.

It's entirely possible to host DoT/DoQ on port 443 and it looks the same as HTTPS since it's TLS or QUIC either way. It's just not the standard port so they lost for client side usage despite being superior protocols. DoQ will very likely win for usage on authoritative DNS servers though.

We could enable support for automatically detecting DoH support early but it would be risky. We're planning on following along with Android's schedule for enabling these and nearly all other features. DoT does usually work perfectly fine.

Android's DoH implementation is newer than DoT so they wrote it with fancy async Rust. Rust has become the preferred language for new low-level code in Android. DoT would have been Rust if it was added today. DoT/DoQ are just losing to DoH due to the port.

DoQ will likely be the winner for server-side usage on authoritative DNS servers where the clients are DNS resolver servers rather than end users. DoT/DoQ are generally preferred by server/network engineers and DoH by browser/OS engineers.

Worth noting encrypted DNS doesn't hide much from networks since they can still see the IPs. Host names are also in plain text for TLS without the barely deployed ECH. If you use a VPN to have a shared IP for privacy, using a different DNS resolver makes you stand out from other users of the VPN.

Changes in version 138:

• update max supported version of Play services to 24.37
• update max supported version of Play Store to 42.8
• update Gradle to 8.10.1
• update Android Gradle plugin to 8.6.1

A full list of changes from the previous release (version 137) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Revolut is specifically banning GrapheneOS by checking for the build machine hostname and username being set to grapheneos. We've changed these to build-host and build-user. Combined with another change, this allow our users to log in to it again until they roll out Play Integrity API enforcement.

There's no legitimate excuse for banning using a much more private and secure operating system while permitting devices with no security patches for a decade. Meanwhile, Revolut's shoddily made app tells users they're banning GrapheneOS because they're "serious about keeping your data secure".

Revolut's app will stop working against once they start enforcing having a Play Integrity API result showing it's a Google certified device. This is not a security feature but rather anti-competitive behavior from Google deployed by apps like Revolut wanting to pretend they care about security.

Revolut uses a bunch of shady closed source third party libraries in their app and it's one of these libraries banning GrapheneOS. These libraries are a major security risk and put user data at risk of being compromised. Revolut is not taking user security seriously at all and is cutting corners.

There's no legitimate reason for any app to ban GrapheneOS users. It has the full standard security model and massive security improvements. There's no logic in banning GrapheneOS. It makes no sense for them to ban anything when they permit a device with no patches for 10 years. It's performative.

GrapheneOS fully supports standard Android hardware attestation for verifying the hardware, firmware and operating system along with the app that's using it. See https://grapheneos.org/articles/attestation-compatibility-guide. If apps insist on checking device integrity, that's the only way they should do it.

Play Integrity API checks that Google's monopolies are supported through devices licensing Google Mobile Services and integrating their browser, search engine, advertising, etc. It's anti-competitive and clearly illegal. Multiple governments are taking regulatory action and are in contact with us.

Revolut insecurely checks the ro.boot.verifiedbootstate property and forbids it being yellow, which means a locked device with an aftermarket OS that's being cryptographically verified by the firmware. They permit it being orange, which means an unlocked device with any OS.

They're specifically banning having a device that's locked with an aftermarket OS rather than banning having an unlocked device or an aftermarket OS in general. Similarly, they're specifically banning the value grapheneos for ro.build/.user/ro.build.host.

Both of these things and other similar insecure, useless checks are being done by several different SDKs. Revolut's app is full of sketchy, insecure third party libraries. They certainly don't take security seriously as they claim in their message about banning GrapheneOS.

We've fixed both of the ways they're banning GrapheneOS for our next release. Since third party SDKs are what's being used to do it, our hope is that this fixes a few other poorly written banking/financial apps doing similar stuff to ban aftermarket operating systems.

These are the full set of changes fixing Revolut's ban on GrapheneOS:

https://github.com/GrapheneOS/platform_build/commit/bcd027b1273db32d6361092c635bf52a5d08c0e7

https://github.com/GrapheneOS/platform_build_soong/pull/24/commits/cc62edd5c3af000a6089fe2cceef10b9458f8aae https://github.com/GrapheneOS/platform_system_core/commit/971110e37d73b5acb6e806b62146dcdcb29277b2 https://github.com/GrapheneOS/platform_frameworks_base/commit/5c85337ba0c4f5e40811a5a753754f7ccc2bc72f https://github.com/GrapheneOS/platform_frameworks_base/commit/29c31dcdb5f826f1032a1a4da4dc584dbee8f01d

Other banking apps banning GrapheneOS will need to be retested after the next release.

Due to these changes, Revolut works with our latest release that's currently in the Alpha channel and will reach the Beta channel very soon:

https://grapheneos.social/@GrapheneOS/113895124919882463

Should be in the Stable channel within 24 hours.

We also added a Play Integrity API notification + per-app menu.

Users are already reporting that other banking apps which were previously detecting and banning GrapheneOS are now working properly. This is what we anticipated since Revolut is using insecure 3rd party SDKs for this which are likely used by other banking apps for the same thing.

A chat server running on powerful hardware collapsing when handling more than 100 events per second isn't acceptable. Events scale up based on room activity from non-local users including spammers too. It's an issue for a server with 12 users too.

https://element.io/blog/scaling-to-millions-of-users-requires-synapse-pro/

Choosing to write the Matrix server software in Python in the first place was a huge mistake. It's now far harder to develop and maintain the software. It heavily contributes to it being buggy and fragile. It's the biggest factor in it being so incredibly slow and hard to scale.

Changes in version 132.0.6834.79.2:

• remove upstream code added in Chromium 132 generating debug information when memory tagging is disabled to avoid trying to use native debugging to log debug information when a user installed app using the WebView has memory tagging disabled since this will trigger a notice of an attempt to use native debugging if the user has it disabled

A full list of changes from the previous release (version 132.0.6834.79.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Android uses Clang type-based forward edge Control Flow Integrity (CFI) for the kernel and a subset of userspace. It isn't a high impact security feature. We used to have changes expanding userspace coverage but Android is already doing it and we moved this effort to higher impact work.

Unlike Chrome, we enable type-based forward edge CFI for our Vanadium browser to cover the default browser and WebView. Other than that, the usage of Clang CFI has the same scope as the stock Pixel OS and our focus is on higher impact areas. Expanding it causes regressions we have to address.

Unlike the stock Pixel OS, we enable branch target identification (BTI) to address holes in Clang CFI coverage in the kernel and the lack of full deployment in userspace. BTI is coarse grained CFI and is an extremely weak security feature but it's easy to enable and doesn't cause regressions.

Unlike the stock Pixel OS, we enable pointer authentication (PAC) return protection for userspace instead of only the kernel. Similar to BTI, this is easy to enable and doesn't cause regressions. Unlike the stock Pixel OS, we use Shadow Call Stack as an extra layer on top of PAC in the kernel.

Instead of working on expanding CFI coverage, our focus is on higher impact features including hardware memory tagging (MTE). We have a best-in-class implementation of MTE for heap protection in hardened_malloc and we deploy MTE for all but a single userspace process (camera HAL).

Our most recent release enabled MTE for Linux kernel allocators too: https://grapheneos.org/releases#2025011500. We need to improve the kernel implementation to enforce deterministic guarantees with it as hardened_malloc does. We're also planning to deploy stack allocation MTE for both the kernel and userspace.

MTE directly uncovers memory corruption bugs which are often security bugs. Type-based CFI uncovers type mismatches which block deploying it but rarely have any direct security impact. These are major ongoing areas of work as software changes, not only for the initial deployment.

The recently published paper "Twenty years later: Evaluating the Adoption of Control Flow Integrity" has major inaccuracies due to flaws in their tools and methodology. They inaccurately claim we don't expand coverage of CFI and wrongly claim we reduce it on end-of-life 4th/5th gen Pixels.

4th/5th gen Pixels are end-of-life. We make it clear that our releases for them are unofficial extended support releases for harm reduction. Regardless, we do not reduce CFI coverage on them. We also don't increase the number of executable code as they claim but rather greatly reduce it.

They didn't look into what was actually happening and resulting in their tools reporting what they are. Their claims are likely based on the way we handle device support ending up placing the same executables and libraries in more locations. They also miss a whole lot including Chromium.

The paper also wrongly portrays largely ending up with the same end result for compiled code on devices where there aren't major differences such as PAC and BTI as us reusing the code from the stock OS. No, that's not what is happening. Android builds are reproducible. That's not reuse.

The paper describes Android 13 is the most recent release of Android and lists releases from April 2023 as what they analyzed, so there's also the issue of it being very outdated. This does not explain the inaccuracies, but does partially explain why it doesn't cover PAC and BTI.

There are other inaccuracies including about GrapheneOS but we don't need to go through all of it point by point. We'll be contacting the authors asking for corrections but our expectations are low based on past experience. Posting this is our main way to address it.

Similar to ASLR, forward-edge type-based CFI exists to make exploiting memory corruption vulnerabilities harder in the general case. It protects specific data (function pointers and virtual function tables) from attacks and only outright blocks attacks in a small subset of cases.

Clang CFI is least powerful in the Linux kernel and browser engine due to major holes in what it protects and many alternatives to function pointers for taking over control. Unfortunately, those are 2 of the places in the most need of much better exploit protections.

Android initially deployed CFI in the media stack and that's still where they focus on it. It was then added for the whole kernel. They're gradually expanding it in userspace starting in higher impact areas. We don't see much value in us focusing on gradually bringing it to lower impact areas.

Turning CFI from a weak or mediocre protection largely acting as an annoyance for attackers into a strong protection would require additional compiler features and a massive overhaul to software. There are too many holes in these protections and other exploit targets. It's ultimately a dead end.

Rather than making enormous changes to protect or remove exploit targets bit by bit, we need a strong general purpose protection. Memory tagging provides that, with the major caveat that MTE is only 4 bits. A future version can be given the bits from PAC. A far future one can use fat pointers.

Memory tagging with fat pointers will be usable to bolt on low overhead memory safety to massive legacy software stacks and to protect against remaining holes in memory safe languages. It's too bad there's so much focus on piling on more and more weak mitigations instead of building solutions.

Tags:

• 2025011500 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025010700 release:

• fix upstream Android lockscreen bug triggered by the combination of fully disabling animations (via Settings > Accessibility > Color and motion > Remove animations) and enabling always-on display (Settings > Display > Lock screen > Always show time and info) which results in the locking process getting stuck and not considering the device locked until it wakes again due to not skipping animations as intended (this did not create a lockscreen bypass but did result in valid biometric unlock credentials skipping restrictions)
• add protection against upstream lockscreen bugs bypassing restrictions on biometric unlocking while the device is asleep including the standard restrictions and our recently added 2-factor fingerprint unlock feature
• kernel (Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold): enable hardware memory tagging for the main kernel allocators via the upstream Hardware Tag-Based KASAN implementation (which is intended for production usage, unlike the other KASAN modes)
• kernel (Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold): switch KASAN fault handling from report to panic to use it as a hardening feature instead of only a bug finding tool
• kernel (Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold): switch KASAN hardware memory tagging mode from synchronous to asymmetric for the initial deployment to reduce the performance cost and match our existing hardware memory tagging usage in userspace (synchronous mode is potentially more useful in the kernel than it is for userspace which is something we can investigate and potentially offer as an option)
• kernel (Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold): disable our slab canary feature since it's incompatible with the kernel's hardware memory tagging and will be fully obsolete after we've made basic improvements to the upstream hardware memory tagging implementation
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.233
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.176
• kernel (5.15): merge latest GKI tag to incorporate important security and other patches including the patch for CVE-2024-56556 which are not included in the latest kernel.org release (5.15.176) or the latest GKI LTS branch revision
• kernel (6.6): update to latest GKI LTS branch revision
• Updater: require TLSv1.3 instead of either TLSv1.2 or TLSv1.3
• Seedvault: update to a newer revision (will be replaced with a better backup implementation in the future)
• System UI Tuner: opt-out of Android 15 edge-to-edge since it's not properly supported yet (upstream bug)
• make eng builds more consistent with user/userdebug builds by extending the GrapheneOS additions of the ro.control_privapp_permissions=enforce, net.tethering.noprovisioning=true and ro.sys.time_detector_update_diff=50 system properties to all build variants
• show a system error notification for privileged permission allowlist violations in development builds (userdebug and eng builds) instead of breaking booting the device to make developing device support and porting to new OS versions easier

Changes in version 132.0.6834.79.0:

• update to Chromium 132.0.6834.79

A full list of changes from the previous release (version 131.0.6778.260.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Chromium 132.0.6834.79 moved from early stable to stable today. This is unusual since there's usually a bug fix release after a week of early stable instead of it ever moving directly into the stable channel. There will be a new Vanadium release shortly.

https://chromiumdash.appspot.com/releases?platform=Android

Can see from the dashboard above they did the usual no changes (https://chromium.googlesource.com/chromium/src/+log/e5f87164633afb3ab0e1d2fb08831f249cc6f03f) release of the previous stable branch today (131.0.6778.261). That's usually done alongside a stable release of the new version replacing the early stable rather than rolling it out to stable.

We've implemented a system for notifying users when apps use the Play Integrity API. This will help users determine which apps are banning using a non-stock OS. Some of these will still work if they only enforce basic integrity rather than requiring a Google certified device running the stock OS.

Using Play Integrity is an incredibly anti-privacy and anti-security practice despite being wrongly portrayed as a security feature. The notification will include a link for leaving a rating and review for the app via sandboxed Play Store to make it very convenient for people to send complaints.

App developers can implement support using standard hardware-based attestation and allowlist the GrapheneOS signing keys if they insist on checking device integrity. There's a guide for this at https://grapheneos.org/articles/attestation-compatibility-guide. There's no good excuse for only permitting a device/OS licensing GMS.

Most apps using the Play Integrity API are enforcing the device integrity level. This enforces having a device licensing Google Mobile Services with the stock OS. It has no issue with a device behind on patches by a decade. Strong integrity level checks for the same thing via hardware attestation.

We may also add a way to block the Play Integrity API with a per-app toggle if we determine this helps improve compatibility due to some apps still having a fallback to other approaches. Spoofing device integrity level is possible but increasingly problematic and will get worse.

Tags:

• 2025010700 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024123000 release:

• full 2025-01-05 security patch level
• rebased onto AP4A.250105.002 Android Open Source Project release
• provide standard haptic feedback for fingerprint authentication success when 2nd factor PIN is enabled
• add workaround for upstream SystemServiceManager.newTargetUser null pointer exception bug crashing system_server
• add workaround for upstream BatteryStatsImpl.updateWifiBatteryStats divide by zero bug crashing system_server
• Contacts: improve dark theme contrast for empty contacts list background
• backport mainline APEX module patches for Media Provider, Network Stack and Wi-Fi
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.175
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.123
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.65
• Camera: update to version 76
• Camera: update to version 77
• Vanadium: update to version 131.0.6778.260.0

Changes in version 131.0.6778.260.0:

• update to Chromium 131.0.6778.260

A full list of changes from the previous release (version 131.0.6778.200.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

The monthly update for AOSP and the stock Pixel OS was released today along with a Chromium update. We're currently building the Chromium update and then we'll build the OS release. They haven't pushed kernel tags for the new OS release to AOSP yet so we can't start yet anyway.

Lately, we've been putting together early releases with the Android Security Bulletin backports on the day those are released so we have that ready in case the monthly release doesn't come out within 24h. We had it prepared today but cancelled it since the monthly update is out.

They're now often publishing the monthly updates 1 day after Android Security Bulletin backports. We've done early ASB backport releases several times just to end up replacing it the next day. However, they've had several 1 or 2 week delays which definitely justifies doing it.

Notable changes in version 77:

• add back legacy back gesture/button handling due to it still being needed on legacy Android versions (older than 13) which haven't been dropped yet

A full list of changes from the previous release (version 76) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Now that DivestOS is discontinued, it's possible another project will take on their goal of harm reduction for end-of-life devices. DivestOS was started before Treble, Generic Kernel Images and other improvements making device support far easier. A new project should avoid being based on LineageOS.

DivestOS inherited a lot of security and stability regressions from LineageOS. It also meant they ended up with a lot of questionable features they didn't really want. They ported over a small subset of GrapheneOS privacy and security features. A newer project could port current GrapheneOS instead.

We aren't going to support insecure devices without proper security patches for firmware/drivers. We also don't plan to support devices without important security features we need to properly defend users (https://grapheneos.org/faq#future-devices). Still possible to do a port with partial features elsewhere.

DivestOS didn't have that option initially and was stuck on the path they chose since many of the devices they supported needed it. It didn't end up going past Android 13 or supporting more recent devices. A project extending the life of devices recently reaching end-of-life can just rely on Treble.

We'd also recommend using the adevtool project maintained as part of GrapheneOS:https://github.com/GrapheneOS/adevtool. It's now a GrapheneOS project but was previously a ProtonAOSP project before it was discontinued. We were collaborating with them and they did a fair bit of paid work on GrapheneOS.

Notable changes in version 76:

• explicitly disable Electronic Image Stabilization (EIS) for non-video modes again to avoid it being enabled for devices with it turned on by default everywhere such as Pixels (version 69 missed this when porting from Camera2Interop to the new native CameraX EIS API)
• stop generating links for detected addresses in the QR scanning result since Android deprecated this due having far too many false positives and only supporting US addresses
• port modified AndroidX ExifInterface library classes to ExifInterface 1.3.7
• port modified CameraX Exif class to CameraX 1.5.0-alpha04
• update Gradle to 8.12
• migrate to more modern Android APIs

A full list of changes from the previous release (version 75) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Tags:

• 2024123000 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024121200 release:

• add support for adding a PIN as a 2nd factor to fingerprint unlock to enable our new recommended high threat model configuration of a random diceware passphrase as the primary unlock method and fingerprint+PIN with a random 4-6 digit PIN as the regularly used secondary unlock method (the usual limitations of secondary unlock only being usable for 48 hours after successful primary unlock and our limit of 5 total secondary unlock attempts apply)
• add support for limiting charging the battery to 80% with support for bypass charging similar to the new Android 15 QPR1 stock Pixel OS feature, although unlike the stock Pixel OS our implementation still works while using a secondary user (the limit is currently hard-wired to 80% due to that being what's fully supported for the stock OS usage, but we can eventually make it configurable)
• add support for disabling dynamic code loading via storage for all user installed apps by default as we already do for the dynamic code loading via memory setting instead of only being able to opt-in to the restriction on a per-app basis
• allow dynamic code loading from storage by default for apps depending on Play services due to the legacy dynamite module implementation not yet being fully replaced by split APKs to avoid users encountering a huge number of issues if they disable it by default for user installed apps (users can still disable it for these apps manually and we won't need to keep this exception forever since Google is moving to split APKs for dynamite modules)
• add support for partially recompiling apps (speed-profile) in the Finalizing step of OS updates to skip partially recompiling them during boot, but while still doing most of the work after boot in the background (speed) to avoid slowing down OS update installation too much
• remove adding back boot-time display of app compilation progress now that it's no longer heavily used
• use 2 threads instead of 1 for background compilation of apps
• switch to the new upstream default of 4 threads for compiling apps during boot instead of our previous 2 threads which we set to replace the previous upstream default of a single thread
• Settings: add back battery optimization settings link to Battery screen which was removed by Android a long time ago
• Settings: don't disable App info > Battery usage item while its summary is loading
• Settings: temporarily stop showing battery usage info in App info item summary due to an upstream regression causing it to take more than 5 seconds to load in many cases
• add back our fix for an upstream Android bug causing null pointer exception system_server crash in InputMethodManagerService triggered when ending user sessions because it turns out to still be required after Android 15 QPR1
• fix upstream Android bug causing null pointer exception system_server crash in NotificationManagerService
• Contacts: improve dark theme color contrast
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.232
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.173
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.119
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.61
• kernel (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold): fix very minor Android 15 QPR1 regression causing the kernel commit hash to be omitted from the kernel version string and the Unix epoch to be used as the build time instead of the kernel commit timestamp
• Camera: update to version 75
• Vanadium: update to version 131.0.6778.200.0
• add developer option to log binder transactions
• fix ignoring harmless fingerprint-service.goodix crash for our system service crash reporting