Since Android 14 QPR3 is a major release, the end-of-life Pixel 4a (5G) and Pixel 5 receiving extended support releases from GrapheneOS will need to be ported to it with additional work in a future release, which is done as a low priority. Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024070201 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024070200 release:

• full 2024-07-05 security patch level
• rebased onto AP2A.240705.005 Android Open Source Project release
• avoid skipping toggling USB port after unlock in certain edge cases to make sure devices connected while locked are always detected when unlocking
• fix upstream bug causing first party app stores using the package install dialog to be blocked when the user isn't allowed to install apps from third party sources
• fix notification suppression check in currently unused code to prepare for our per-app clipboard toggle
• adevtool: download and use latest Pixel carrier settings from the API for use by our CarrierConfig2 app instead of using the snapshot included in the latest Pixel stock OS release since it lags months behind
• Settings: fully fix regression permitting disabling apps when it shouldn't be allowed due to device manager policy
• Sandboxed Google Play compatibility layer: stub out reads of hidden system settings in Google's speech services app to avoid uncaught security exceptions
• Sandboxed Google Play compatibility layer: don't allow the Play Store to abort pending package installation to avoid it cancelling install/update attempts after 10 minutes of waiting for requested user approval it hasn't been designed to handle
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.218
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.155
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.36

This is an early July security update release based on the July 2024 security patch backports. This month's release of the Android Open Source Project and stock Pixel OS will be available later today and we'll quickly release an update based on it following this one.

Since Android 14 QPR3 is a major release, the end-of-life Pixel 4a (5G) and Pixel 5 receiving extended support releases from GrapheneOS will need to be ported to it with additional work in a future release, which is done as a low priority. Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024070200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024062700 release:

• full 2024-07-01 security patch level
• Vanadium: update to version 126.0.6478.122.1
• Vanadium: update to version 126.0.6478.122.2
• Info: update to version 3
• GmsCompatConfig: update to version 121

Unplugged are a recent entry in the crowded space of selling insecure hardware with significantly worse privacy and security than an iPhone as highly private and secure. Bottom of the barrel MediaTek device with outdated AOSP is worse than status quo. All marketing, no substance.

As part of marketing their products, Unplugged are spreading unsubstantiated spin and misinformation about GrapheneOS and the much more secure hardware we target. We've been aware of it for a while but chose not to respond to it until they began doing it in direct response to us.

GrapheneOS is a hardened OS built on the latest release of the Android Open Source Project rather than older releases with inferior privacy/security and incomplete privacy/security patches. We substantially improve privacy/security with our changes rather than making it worse.

The work we do in GrapheneOS is highly regarded by privacy and security researchers. We've made major upstream contributions to the Android Open Source Project, Linux kernel and other projects, both through submitting privacy/security improvements and reporting vulnerabilities.

We've also reported numerous vulnerabilities in hardware/firmware along with making multiple suggestions for new features which were implemented for Pixels. They're the only devices meeting our security requirements (https://grapheneos.org/faq#future-devices). We target them because of security.

Pixels have first class alternate OS support, which does not come at the expense of security. Support for installing an alternate OS is implemented securely as part of best in class boot chain and secure element security for Android devices. Supporting it has benefited security.

Unplugged has claimed open source and support for alternate operating systems reduces security. Pixel security has benefited from many external security researchers along with contributions from GrapheneOS because of it. They'll benefit more as they publish more firmware sources.

GrapheneOS not only leverages the same hardware-based security features as the OS but implements major hardware-based features unavailable elsewhere.

Hardware memory tagging for production hardening is an exclusive GrapheneOS feature with a best-in-class implementation.

Our USB-C port and pogo pins control feature does hardware-level attack surface reduction with code written for the drivers on each device:

https://grapheneos.org/features#usb-c-port-and-pogo-pins-control

Our Auditor app leverages the pinning-based hardware attestation available on Pixels based on our proposal for it.

Many of our other features are hardware-based, and some of these exist because of features we proposals or helped to secure against weaknesses.

In April, Pixels shipped reset attack protection for firmware based on our proposal, which is not available on other Android devices.

That reset attack protection blocks real world attacks by forensic data extraction companies, which we reported to Android. In April, Pixels also shipped a mitigation against interrupted factory resets used by those companies based on our report, not yet available on non-Pixels.

In June, Android 14 QPR3 was released with a hardware-based OS feature fully blocking interrupting factory resets. This was based on our initial proposal we made as part of our reports of active exploits in January, similar to the reset attack protection shipped in April.

Unplugged uses an older Android release. They do not have this AOSP patch. Their hardware is missing many standard security features including these recent 2 improvements shipped on Pixels. Their hardware doesn't even close to meeting our list of security standards even on paper.

Unplugged has tried to misrepresent these improvements and falsely claimed they're uniquely relevant to Pixels due to alternate OS support. That's not true. Their device is missing these and many other security features, and is not more secure due to lacking alternate OS support.

Unplugged has tried to spread fear, uncertainty and doubt about the hardware we support despite it being much more secure and trustworthy. MediaTek does not have a good security reputation and has repeatedly shipped real backdoors unlike the unsubstantiated claims from Unplugged.

Unplugged was founded by Erik Prince, the same person who founded Blackwater. Erik and others involved in UP are deeply tied to human rights abuses and surveillance around the world. Best case scenario is they're simply grifting like the Freedom Phone. Worst case is much worse.

Our initial response to someone asking about them is here, where we were avoided saying more than necessary:

https://x.com/GrapheneOS/status/1804551479484645421

Unplugged followed up with spin and misinformation about GrapheneOS, which we debunked, and then they doubled down on doing even more of it.

Since they posted huge tweets, we replied with our own huge tweets with inline quotes of everything they wrote for ease of understanding:

1/2:

https://x.com/GrapheneOS/status/1804634097442324989

2/2:

https://x.com/GrapheneOS/status/1808159435245646046

Unplugged in also infringing on the open source licensing multiple projects including DivestOS where they ripped off their AV from without attribution. They even still use DivestOS servers without permission. SkewedZeppelin is lead developer of DivestOS (URLs are in alt text):

Their messaging service is simply Matrix. Matrix is not a good private messaging system because it doesn't encrypt any metadata or even emoji reactions, and all that metadata is stored on each server for each room: room members, power levels, time/size/sender of messages, etc.

Changes in version 121:

• update max supported version of Play services to 24.24
• update max supported version of Play Store to 41.6

A full list of changes from the previous release (version 120) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Notable changes in version 3:

• avoid donate tab getting reset back to the start screen in an edge case
• add network security configuration with key pinning for grapheneos.org
• update AndroidX Lifecycle libraries to 2.8.3
• development environment improvements

A full list of changes from the previous release (version 2) is available through the Git commit log between the releases.

Releases of the app are published in the GrapheneOS app repository. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

Chromium's V8 Optimizer toggle for disabling JavaScript JIT compilation was changed to only disable the 2 higher tiers of JIT compilation while still leaving the baseline JIT compiler enabled. This also caused the device management policy for JIT predating this to change meaning.

They did this because they decided having a toggle which breaks WebAssembly support is unacceptable. We had to revert these changes.

Microsoft Edge implemented a WebAssembly interpreter instead, but it's not open source and there's no ongoing attempt to upstream it to Chromium.

Vanadium disables JS JIT by default and provides a convenient per-site toggle available in the drop down menu next to the URL. We've restored the previous meaning of disabling the JIT so you'll need to add exceptions for sites requiring WebAssembly again.

https://grapheneos.social/@GrapheneOS/112707958275115758

In theory, we could add 4 choices instead of 2: Disabled, Baseline JIT, Baseline JIT + Tier 2 and Full JIT. However, it's likely far too complicated and we're likely going to stick with having it either enabled or disabled. Chromium will hopefully add a WASM interpreter soon...

This is good news:

https://chromium-review.googlesource.com/c/v8/v8/+/5509903

Users will need to enable JavaScript JIT compilation for sites requiring WebAssembly again via the permission menu next to the URL due to us reverting the upstream security regression which resulted in this working by default. Unfortunately, Chromium still doesn't have a WebAssembly interpreter like Edge and got this working by rolling back the security of the API used to disable JIT compilation for their desktop V8 Optimizer toggle.

Changes in version 126.0.6478.122.1:

• restore fully disabling the JavaScript JIT compiler by default since Chromium changed the definition of disabling the JIT compiler into only disabling the 2 higher tiers of JIT compilation without disabling baseline JIT compilation which does not avoid dynamically creating executable native code
• add support for language-specific content filters automatically enabled when the language is selected (EasyList Germany has been added to the configuration app for testing the implementation)

A full list of changes from the previous release (version 126.0.6478.122.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Since Android 14 QPR3 is a major release, the end-of-life Pixel 4a (5G) and Pixel 5 receiving extended support releases from GrapheneOS will need to be ported to it with additional work in a future release, which is done as a low priority. Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024062700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024062000 release:

• add new GrapheneOS Info app through which you can get information about the latest releases of GrapheneOS, links to our community spaces, and details on how to make donations
• Pixel 8a: add Let's Encrypt roots to Samsung gnssd CA root store for supl.grapheneos.org
• Pixel 8a: configure Samsung gnssd to use TLSv1.2 for SUPL instead of TLSv1.1 (TLSv1.3 would work but the config doesn't offer it)
• Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold: fully remove 32-bit ARM support to significantly reduce build time and update download size with no loss of functionality (7th gen Pixels launched with 32-bit app support disabled after several years of the Play Store blocking uploading 32-bit-only apps or installing them on 64-bit devices, and 8th gen Pixels use 2nd gen ARMv9 cores with no 32-bit support
• Settings: fix several cases of UI state being lost when resuming activity after configuration changes, etc. for GrapheneOS settings
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.216
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.90
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.35
• Vanadium: update to version 126.0.6478.122.0
• GmsCompatConfig: update to version 120

Notable changes in version 2:

• handle top bar title text overflow with ellipsis instead of wrapping
• handle rename of Twitter to X and replace twitter.com with x.com
• update AndroidX Compose UI library to 1.7.0-beta04
• fixes for state restoration when resuming or changing configuration

A full list of changes from the previous release (version 1) is available through the Git commit log between the releases.

Releases of the app are published in the GrapheneOS app repository. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

Wise has quietly started allowing people to add our EUR account and send us money again.

https://grapheneos.social/deck/@GrapheneOS/112672843944152400

Issue appears to be fully resolved. Similarly to how they quietly started blocking that without any notice, it has stopped without a reply to our support request.

https://poppopret.org/2024/06/24/google-stop-burning-counterterrorism-operations/

"counterterrorism operation being conducted by a U.S.-allied Western government"

Selectively leaking info to sway public opinion is a classic move. Over 3 years after https://technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/, no info about which US ally or supposed terrorist group.

Here's an example of a "counterterrorism operation" by a U.S.-allied Western government targeting political opponents with NSO exploits:

https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

Is this what's being referenced? Perhaps they mean the Polish government targeting the political opposition this way.

https://theguardian.com/world/2022/feb/17/more-polish-opposition-figures-found-to-have-been-targeted-by-pegasus-spyware

Is this the "counterterrorism operation" by a U.S.-allied Western government that's being referenced? If saying the country and "terrorist" group involved paints a flattering picture of these exploit tools, why aren't they saying which ones are involved?

A more extreme example of a US ally doing a "counterterrorism operation" using NSO exploits:

https://en.wikipedia.org/wiki/Assassination_of_Jamal_Khashoggi

Sure, not a "Western government". Does "U.S.-allied Western government" include Hungary, Turkey, Israel, Japan and South Korea? "Western" meaning what exactly?

Forensic data extraction tools are similar. They use exploits to extract data from devices. Many people claim that since they're primarily used by law enforcement it means they're primarily used for good. They're widely used to target arbitrary people at protests, borders, etc.

GrapheneOS is heavily focused on defending against both remote exploitation and local data extraction. As part of that work, we recently reported 2 vulnerabilities being actively exploited by forensic companies. These are now fixed for Pixels, but not yet other Android devices.

For more information on those 2 vulnerabilities:

https://discuss.grapheneos.org/d/11860-vulnerabilities-exploited-in-the-wild-fixed-based-on-grapheneos-reportshttps://discuss.grapheneos.org/d/13494-cve-2024-32896-wipe-without-reboot-added-to-aosp-due-to-reports-by-grapheneos

For detailed info on Cellebrite's capabilities based on leaked documentation which explicitly covers GrapheneOS:

https://discuss.grapheneos.org/d/12848-claims-made-by-forensics-companies-their-capabilities-and-how-grapheneos-fares

We certainly support fixing these bugs...

cross-posted from: https://lemmy.ml/post/17265164

https://grapheneos.social/@GrapheneOS/112609239806949074

We questioned why this was only listed in the Pixel Update Bulletin and they agree:

After review we agree with your assessment that this is an Android issue and as such we are working on backports to include this in a future Android Security Bulletin.

April 2024 monthly update for Pixels included a partial mitigation for this vulnerability in firmware (CVE-2024-29748).

Android 14 QPR3 released in June 2024 includes a full solution for all Android devices by implementing the wipe-without-reboot proposal we made in our report.

The issue is that in practice, only Pixels ship the monthly and quarterly updates. Other devices only ship monthly security backports, not the monthly/quarterly releases of AOSP. They were only going to get the patch when they updated to Android 15. They're now going to backport.

The other vulnerability we reported at the same time for reset attacks was assigned CVE-2024-29745 but that's a firmware/hardware issue without a software solution available so we can't get them to include it in the Android Security Bulletin unless we convince Qualcomm to fix it.

Every vulnerability in the Android Open Source Project that's deemed to be High/Critical severity is meant to be backported to yearly releases from the past 3 years (currently Android 12, 13 and 14). Low/Moderate severity vulnerabilities are NOT generally backported though.

The issue is that they're really listing patches rather than vulnerabilities. Both of the vulnerabilities we originally reported impact all Android devices, but both got Pixel specific patches in April 2024 and therefore got treated as Pixel specific vulnerabilities instead.

Since the complete solution for the device admin API is an Android Open Source Project (AOSP) patch, they're going to backport it. Since there's no way to frame the reset attack issue as an AOSP issue, there isn't a good way to get it fixed for other devices through this system.

These patched vulnerabilities and other currently unpatched vulnerabilities are being exploited by forensic tools used by states to target journalists, political opponents, activists, arbitrary people crossing borders, etc. Sure, they target lots of drug users / dealers too...