GrapheneOS [Unofficial]


Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

founded 3 years ago
1
4
submitted 3 years ago* (last edited 3 years ago) by akc3n@lemmy.ml to c/grapheneos@lemmy.ml
 
 

Hello and welcome to !grapheneos@lemmy.ml !

Our Lemmy GrapheneOS community is currently unofficial, reserved, and used for announcements/news.

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

https://grapheneos.org/

https://attestation.app/

https://github.com/GrapheneOS

Official chat rooms: #grapheneos:grapheneos.org and #offtopic:grapheneos.org

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.


All installs should follow the Official Install Guide. No other guides are recommended or supported.

If your question is related to device support, please see "Which devices will be supported in the future?" for criteria and "Which devices are recommended?" for recommended devices in the FAQ section of the official site.

If your question is related to app support, please check the Usage Guide. Sections like Bugs uncovered by security features should help if you have a native app with a security issue uncovered by hardening. If you want to know what browser to use please reference Web browsing. In general, Vanadium is almost always the recommendation for security and privacy.

If your question is related to a feature request, please check the issue trackers: OS issue tracker, Vanadium. For other GrapheneOS projects, check Reporting issues.


GrapheneOS has a very active community primarily based around the official chat rooms on Matrix, where most of the core community, including contributors to the project, have discussions. Most of those people are not active here on Lemmy's !grapheneos@lemmy.ml community.

The official GrapheneOS space groups together all of the official rooms along with members of the community who join the space. You can join the space at #community:grapheneos.org

Links to join our new official chat rooms via the Element web client:

| Matrix Room | Description |
| --- | --- |
| #grapheneos:grapheneos.org | Best place to request support, ask questions or get involved in the project |
| #offtopic:grapheneos.org | Discuss topics not strictly related to GrapheneOS |
| #dev:grapheneos.org | Discuss GrapheneOS app and OS development |
| #testing:grapheneos.org | Provide feedback on Beta channel releases |
| #releases:grapheneos.org | Release announcements |
| #infra:grapheneos.org | Infrastructure monitoring and discussion |

You can use the client and home server of your choice. For new users, the Element web app or mobile app with matrix.org as your home server is a sensible choice.

Please contact the moderators of this community if you have any questions or concerns.

2
 
 

Notable changes in version 24:

  • avoid reading the entire file into memory for "Save as"
  • handle edge case errors for opening and saving files mainly caused by bugs in the OS or the apps sending/receiving files
  • avoid a redundant cycle of opening and closing of the file before loading it
  • improve error message text for errors encountered while opening or saving a file
  • update JavaScript development dependencies
  • set WebView layout algorithm to the NORMAL mode since the default NARROW_COLUMNS is deprecated
  • minor improvements to code quality and efficiency

A full list of changes from the previous release (version 23) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content Security Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

4
 
 

Notable changes in version 80:

  • work around regression in CameraX 1.5.0-alpha05 tied to R8 optimization which is causing crashes when capturing photos on 6th and 7th generation Pixels where users haven't installed updates since before October 2023 and are still on Android 13

A full list of changes from the previous release (version 79) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

5
 
 

Changes in version 133.0.6943.121.0:

  • update to Chromium 133.0.6943.121

A full list of changes from the previous release (version 133.0.6943.89.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

6
 
 

Notable changes in version 28:

  • remove default release channel setting added in version 27 since it doesn't provide the intended convenience and needs a new design

A full list of changes from the previous release (version 27) is available through the Git commit log between the releases.

App Store is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps and Android Auto to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

7
 
 

Notable changes in version 79:

  • improve prevention of starting video recording when it's already recording in an attempt to fix rare crashes reported through Play Store crash reporting (this may not help since it may be a CameraX or OS bug outside of our direct control)
  • update Android Gradle plugin to 8.8.1
  • update NDK to 28.0.13004108

A full list of changes from the previous release (version 78) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

8
 
 

Notable changes in version 27:

  • add default release channel setting (does not currently kick in until restarting the app, will be improved)
  • reverse release channel order (Stable, Beta, Alpha instead of Alpha, Beta, Stable)
  • capitalize release channel names
  • adapt swipe to refresh indicator to system theme for improved dark mode
  • fix popup theme color to follow Material You
  • update Android SDK to 35 (Android 15)
  • update target SDK to 35 (Android 15)
  • switch foreground service type to special use from data sync to avoid 6 hour time limit per 24 hours with target API 35 (will not happen in real world usage but could theoretically happen in a testing environment)
  • update AndroidX Core KTX library to 1.15.0
  • update AndroidX Activity KTX library to 1.10.0
  • update AndroidX Fragment KTX library to 1.8.6
  • update AndroidX Constraint Layout library to 2.2.0
  • update AndroidX Navigation libraries/plugin to 2.8.7
  • update Android Gradle plugin to 8.8.1
  • update Kotlin to 2.1.10
  • update Kotlin Symbol Processing plugin to 1.0.30
  • update Gradle to 8.12
  • raise TLS key pinning expiry date
  • replace deprecated APIs

A full list of changes from the previous release (version 26) is available through the Git commit log between the releases.

App Store is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps and Android Auto to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

9
 
 

Notable changes in version 23:

  • add standard fonts to improve rendering of PDFs expecting certain fonts to be available at the expense of increasing the app size, similar to bundling character maps for legacy character sets in version 21

A full list of changes from the previous release (version 22) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content Security Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

10
 
 

Initial out-of-band update with dependency updates and under-the-hood modernization.

11
 
 

Notable changes in version 22:

  • hide outline menu entry if there's no outline
  • fix system back navigation not going back into the outline tree

A full list of changes from the previous release (version 21) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content Security Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

12
 
 

Notable changes in version 21:

  • increase zoom range to 10x from 1.5x and use a maximum resolution for rendering instead of relying on limited zoom
  • fix orientation of landscape pages
  • add support for PDF outlines
  • integrate support for binary character maps to support legacy PDF character sets at the expense of increasing the app size
  • update pdf.js library to 4.10.38
  • update JavaScript development dependencies
  • update AndroidX Fragment KTX library to 1.8.6
  • update Android Gradle plugin to 8.8.1
  • update Kotlin to 2.1.10
  • use new API for enabling edge to edge to avoid deprecation warning
  • update Gradle to 8.12

A full list of changes from the previous release (version 20) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content Security Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

13
 
 

Changes in version 133.0.6943.89.0:

  • update to Chromium 133.0.6943.89

A full list of changes from the previous release (version 133.0.6943.49.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

14
 
 

Our Mastodon server stopped working after around 22:37 UTC time yesterday. It appears Mastodon spun out of control consuming lots of CPU, disk and memory. It locked up the server with a massive amount of I/O. There isn't a lot of information about what happened since logging stopped persisting to storage shortly after it started. It was quickly detected by our service monitoring but we just weren't around to fix it for 7 hours. It's working again after a server restart but nothing was changed.

OS release announcement we posted several hours earlier never got processed and actually posted, so it appears something was wrong with it for at least around 4 hours before it stopped responding to requests. It seems to be working fine now.

We're not sure what happened. It might have been a small scale denial of service attack of some kind which started disrupting the service and took a while to fully take it down...

We posted this OS release announcement again:

https://grapheneos.social/@GrapheneOS/113989429747672108

15
 
 

Tags:

  • 2025021100 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025020500 release:

  • kernel (5.10, 5.15, 6.1, 6.6): zero memory in early boot in case it wasn't zeroed by the OS as part of a clean reboot or shutdown since there isn't fully encrypted RAM with a per-boot key yet (early boot zeroing is implemented by Pixel boot firmware since April 2024 for booting into fastboot mode but not booting into the OS since they only partially implemented our January 2024 reset attack protection proposal, so we need to handle the OS part ourselves)
  • kernel (6.1): add back revert for upstream Linux kernel fix which was reapplied in our 2025020200 release without any reports of issues for days because it has been found to break DisplayPort alternate mode on 9th generation Pixels
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.128
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.76
  • kernel (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold): backport Wi-Fi driver patch from Android 15 QPR2 Beta 3 in an attempt to avoid a rare invalid read-after-free detected by hardware memory tagging
  • Launcher: add 4x5 grid option
  • remove infrastructure for our legacy software-based USB peripheral blocking since we've replaced it with a far better feature using both hardware and software USB connection/data blocking across all supported devices
  • Camera: update to version 78

16
 
 

Notable changes in version 78:

  • auto-finish lockscreen (secure mode) activities if the screen is turned off for situations where the phone is taken
  • fix rotation for mute toggle and audio indication
  • update CameraX library to 1.5.0-alpha05
  • update Kotlin to 2.1.10
  • update Android Gradle plugin to 8.8.0
  • improve code for back navigation
  • replace resourceConfigurations with localeFilters

A full list of changes from the previous release (version 77) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

17
 
 

The functionality provided by Google's new Android System SafetyCore app available through the Play Store is covered here:

https://security.googleblog.com/2024/10/5-new-protections-on-google-messages.html

Neither this app nor the Google Messages app using it are part of GrapheneOS and neither will be, but GrapheneOS users can choose to install and use both. Google Messages still works without the new app.

The app doesn't provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc. This allows apps to check content locally without sharing it with a service and mark it with warnings for users.

It's unfortunate that it's not open source and released as part of the Android Open Source Project and the models also aren't open let alone open source. It won't be available to GrapheneOS users unless they go out of the way to install it.

We'd have no problem with having local neural network features for users, but they'd have to be open source. We wouldn't want anything saving state by default. It'd have to be open source to be included as a feature in GrapheneOS though, and none of it has been so it's not included.

Google Messages uses this new app to classify messages as spam, malware, nudity, etc. Nudity detection is an optional feature which blurs media detected as having nudity and makes accessing it require going through a dialog.

Apps have been able to ship local AI models to do classification forever. Most apps do it remotely by sharing content with their servers. Many apps already have client or server side detection of spam, malware, scams, nudity, etc.

Classifying things like this is not the same as trying to detect illegal content and reporting it to a service. That would greatly violate people's privacy in multiple ways and false positives would still exist. It's not what this is and it's not usable for it.

GrapheneOS has all the standard hardware acceleration support for neural networks but we don't have anything using it. All of the features they've used it for in the Pixel OS are in closed source Google apps. A lot is Pixel exclusive. The features work if people install the apps.

18
 
 

In April 2024, Pixels shipped a partial implementation of our January 2024 proposal for firmware-based reset attack protection. Fastboot mode now zeroes RAM before enabling USB. This successfully wiped out the After First Unlock state exploit capabilities of two commercial exploit tools.

Several other improvements were made based on our January 2024 vulnerability reports and proposals including an implementation of wiping data before rebooting when a wipe is triggered. We shipped an improved version of this for our duress PIN/password feature before the feature shipped for Android.

We made massive improvements in GrapheneOS to defend against these attacks since January 2024.

For ARMv9 devices, we greatly improved our hardware memory tagging implementation in hardened_malloc, deployed it for the Linux kernel allocators and greatly expanded the use of PAC and BTI across the OS.

We replaced our decade old feature for blocking new USB peripherals while locked with a greatly expanded and far more secure feature. The new approach blocks USB-C connections and USB-C data at a hardware level with expanded software-based blocking as a fallback (https://grapheneos.org/features#usb-c-port-and-pogo-pins-control).

We started deploying RANDSTRUCT for the kernel, which will eventually be used to have multiple possible struct memory layouts for each device model chosen randomly at boot. Our work on reducing kernel attack surface also continued.

We plan to focus more on Linux kernel security going forward.

Our locked device auto-reboot feature from 2021 was replaced with a more secure approach preventing bypasses via crashes (https://grapheneos.org/features#auto-reboot). It also avoids chain reboots without introducing a security weakness which makes low timer values such as the minimum 10 minutes far more usable.

We shipped our 2-factor fingerprint unlock feature planned since 2015 (https://grapheneos.org/features#Two-factor-fingerprint-unlock). It allows people to avoid reliance on secure element security with a strong passphrase while keeping convenience. Fingerprint + scrambled PIN also defends well against being recorded unlocking.

Several more major improvements specifically against the physical data extraction attack vector are planned. Our next release adds an implementation of zeroing RAM at boot in the kernel to match what fastboot mode does. We also plan to add a toggle for essentially toggling off Device Encrypted data.

19
 
 

Tags:

  • 2025020500 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025020300 release:

  • full 2025-02-05 security patch level
  • rebased onto AP4A.250205.002 Android Open Source Project release
  • drop our workaround for upstream audio routing permission bug impacting Android Auto and likely other apps that's no longer required due to an upstream fix in the monthly February release
  • kernel (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold): switch to Mali GPU kernel driver from Android 15 QPR2 Beta 3 to include additional security fixes
  • Vanadium: update to version 133.0.6943.49.0
  • GmsCompatConfig: update to version 154
20
 
 

Yesterday (2025-02-03), we released an early update based on the Android Security Bulletin backports of High/Critical severity vulnerabilities to older Android Open Source Project releases. The actual monthly AOSP and Pixel update was published today and we're building that now.

They do things based on the time in California (PST) and it takes many hours for AOSP tags to get pushed. We use UTC for our build timestamps and version numbers so the release we're building now is called 2025020500 even though it's still February 4th where we're building it.

Our releases after the monthly updates are built on the same day they release it. It takes them so long to push the code that by the time we get to start building, it's already the next day in UTC. Would be great if they pushed in parallel so we could start 6+ hours earlier...

They seem to push the Git tags one by one to multiple copies of each repository. The massive amount of time this takes could be a factor in why they've started releasing the monthly update the day after the security backports. Strange way of doing things and wastes our resources.

21
 
 

Changes in version 133.0.6943.49.0:

  • update to Chromium 133.0.6943.49

A full list of changes from the previous release (version 133.0.6943.39.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

22
 
 

Changes in version 154:

  • add stub for RecoveryController.initRecoveryService()

A full list of changes from the previous release (version 153) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

GmsCompatConfig is the text-based configuration for the GrapheneOS sandboxed Google Play compatibility layer. It provides a large portion of the compatibility shims and sets the maximum supported versions for Play services and the Play Store.

23
 
 

This is an early February security update release based on the February 2025 security patch backports since the monthly Android Open Source Project and stock Pixel OS release scheduled for this month hasn't been published yet.

Tags:

  • 2025020300 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025020200 release:

  • full 2025-02-01 security patch level
24
 
 

February 2025 Android Security Bulletin includes a heap buffer overflow in a Linux kernel USB peripheral driver (CVE-2024-53104) marked exploited in the wild. It's likely one of the USB bugs exploited by forensic data extraction tools. We block them using these.

https://source.android.com/docs/security/bulletin/2025-02-01

By default, GrapheneOS blocks new USB connections when the device is locked in the Linux kernel and at a lower level via the USB-C and pogo pins controllers to defend the firmware and lower-level Linux kernel code too. Data is blocked in hardware once connections end.

https://grapheneos.org/features#usb-c-port-and-pogo-pins-control

If a user connected a malicious USB device while unlocked which tried to exploit this, general purpose exploit protections come into play. For the majority of the OS, our hardened_malloc project provides strong protections against heap corruption exploits. Kernel heap hardening is a separate thing.

One of the stronger defenses in hardened_malloc is our own implementation of hardware memory tagging (MTE) which we integrated shortly after it shipped in production with the Pixel 8 (https://grapheneos.org/releases#2023103000) and we had it enabled by default in around a month (https://grapheneos.org/releases#2023110700).

The Linux kernel has a standard, disabled-by-default implementation of hardware memory tagging. We very recently began enabling it to defend the kernel from issues like this USB heap corruption vulnerability (https://grapheneos.org/releases#2025011500). It's a major improvement but still not nearly as good as hardened_malloc.

We also already had CVE-2024-53104 patched prior to this month since we ship the kernel.org LTS revisions long before the Android Open Source Project / stock Pixel OS. Our systemic defenses are far more important because they work before vulnerabilities are known, so we didn't lead with that fact.

Many people have the misconception that security is about patching vulnerabilities. That's the bare minimum. Security should be part of the design and implementation from the beginning. Linux kernel is an example where that wasn't the case at all and it's hard to provide it.

Linux kernel is a large monolithic kernel, meaning it has no internal isolation. All of the code, including obscure drivers enabled in the build, has access to everything it does. It's almost entirely written in C, a memory unsafe language where many tiny mistakes are code execution vulnerabilities.

Linux kernel is currently a major weak point for Android's security. It's the easiest way out of both the app sandbox and the more constrained sandboxes used for Android media processing and Chromium renderer processes. The Linux kernel is also a major physical and remote attack vector itself.

Android is moving towards writing new Linux kernel device drivers in Rust to prevent most of these vulnerabilities. We'll leave that to them and will be focusing on deploying better exploit protections and more heavily using hardware-based virtualization for better sandboxing than Linux can provide.
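
A simplified software model of how memory tagging stops the kind of heap corruption discussed in the post above, added here as an illustration; it is not hardened_malloc or kernel code. The slot size, the tag policy (excluding neighbouring tags and the slot's previous tag) and all names are assumptions of the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GRANULE 16   /* MTE tags memory in 16-byte granules */
#define SLOT    32   /* constructed size class: two granules per slot */
#define SLOTS   8
#define GPS     (SLOT / GRANULE)

static uint8_t heap[SLOTS * SLOT];
static uint8_t mem_tag[SLOTS * GPS];  /* 4-bit tag per granule, 0 = free */
static uint8_t last_tag[SLOTS];       /* tag used by the slot's previous owner */
static uint32_t rng = 0x2545F491u;    /* fixed seed so the model is repeatable */

typedef struct { size_t off; uint8_t tag; } tagged_ptr; /* models the tag in the pointer's top byte */

static uint8_t rand_tag(void) {       /* xorshift32 reduced to tags 1..15 */
    rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5;
    return (uint8_t)(rng % 15 + 1);
}

/* Tag a slot on allocation, excluding both neighbours' tags and the slot's old tag. */
static tagged_ptr model_alloc(size_t slot) {
    uint8_t left  = slot > 0 ? mem_tag[slot * GPS - 1] : 0;
    uint8_t right = slot + 1 < SLOTS ? mem_tag[(slot + 1) * GPS] : 0;
    uint8_t t;
    do { t = rand_tag(); } while (t == left || t == right || t == last_tag[slot]);
    memset(&mem_tag[slot * GPS], t, GPS);
    last_tag[slot] = t;
    return (tagged_ptr){ slot * SLOT, t };
}

static void model_free(tagged_ptr p) { memset(&mem_tag[p.off / GRANULE], 0, GPS); }

/* Checked store: every granule touched must carry the pointer's tag, else fault (-1). */
static int model_write(tagged_ptr p, size_t idx, const void *src, size_t len) {
    size_t start = p.off + idx;
    if (len == 0 || start + len > sizeof heap) return -1;
    for (size_t g = start / GRANULE; g <= (start + len - 1) / GRANULE; g++)
        if (mem_tag[g] != p.tag) return -1;  /* mismatch: nothing is written */
    memcpy(heap + start, src, len);
    return 0;
}

int main(void) {
    uint8_t data[48] = {0};                       /* constructed oversized input */
    tagged_ptr a = model_alloc(2), b = model_alloc(3);
    printf("in-bounds: %d\n", model_write(a, 0, data, SLOT));                       /* 0 */
    printf("overflow into neighbour: %d\n", model_write(a, 0, data, sizeof data)); /* -1 */
    model_free(b);
    printf("use after free: %d\n", model_write(b, 0, data, 8));                     /* -1 */
    return 0;
}
```

Because adjacent slots never share a tag in this model, a linear overflow faults on the first granule of the neighbouring slot instead of relying on chance.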

25
 
 

Tags:

  • 2025020200 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025012700 release:

  • reimplement our fix for an upstream audio routing regression in Android 15 QPR1 impacting sandboxed Android Auto and likely other apps to avoid blocking another subset of apps from changing audio routing when granted permission
  • Sandboxed Google Play compatibility layer: add support for enabling Google's credential service via Settings > Passwords, passkeys & accounts by making it function as an unprivileged service (non-Chromium-based apps tend to require this to use Google as the passkey service and it's needed by certain apps for their Sign in with Google option despite Android intending to fully support other credential services)
  • Sandboxed Google Play compatibility layer: allow disabling all Play Integrity API notifications instead of only disabling them per-app
  • Sandboxed Google Play compatibility layer: override Play services update owner value to the GrapheneOS App Store to fully handle updates for it ourselves
  • work around upstream Android issue caused by an optimization which was adding a 10 second delay to certain setting changes before they kick in for background system packages
  • kernel (5.15): update to latest GKI LTS branch revision
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.126
  • kernel (6.1): drop revert for upstream USB fix to test if it's still needed due to lots of other backported changes
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.74
  • Vanadium: update to version 133.0.6943.39.0
  • Vanadium: update to version 133.0.6943.39.1
  • remove same version ABI stability check not useful for GrapheneOS