KindnessInfinity

We've become aware of another company selling devices with GrapheneOS while spreading harmful misinformation about it to promote insecure products. We're making our usual attempt at resolving things privately. However, we need to quickly address what has been claimed regardless.

Downloading and installing an app followed by entering sensitive data into it or granting it powerful permissions isn't a vulnerability/exploit. Accessibility service access can't be directly requested but rather has to be granted via Settings app in the accessibility section.

Accessibility service access is extremely powerful and essentially gives the same control available to the user to the app. This is explained with clear warnings. It's also not possible to enable it for an app not installed from a modern app store without an extra hidden menu.

Apps not installed through a modern app store have extremely dangerous settings including accessibility service access restricted. Users have to navigate to a semi-hidden menu to enable this. UI doesn't explain how to do it. It's a higher barrier than simply phishing info, etc.

Accessibility services are required by many users and the feature can't simply be removed. It's possible to disable this and other dangerous features for end users via a device management app. This is the right approach if you have a userbase you want to protect from themselves.

If you purchase a device with GrapheneOS, we strongly recommend booting it into recovery and wiping data before using it. Next, verify it's running genuine GrapheneOS:

https://grapheneos.org/install/web#verifying-installation

Due to complete verified boot, wiping provides the same assurance as a fresh install.

Our web installer is very easy to use. If you're able to use a web browser and follow basic instructions, you have the skill set required to install it:

https://grapheneos.org/install/web

However, if you do buy a device with GrapheneOS, you can verify it's the real deal without malware.

Simply going to a mainstream local business and purchasing a device to install GrapheneOS is the most secure way to obtain a device.

Consider the risk of buying a device from a company marketing to cryptocurrency users, and at least follow our wiping and verification advice.

Purchasing a device with malware installed is something we defend against. We provide a way to block this through verified boot and the verification process recommended on the site. Can't prevent something like replacing battery with one including a standalone tracking device...

We're going to be making another attempt at shipping DNS leak prevention for third party VPN apps. The last attempt resolved a lot of the compatibility issues with the previous approach, so we've made some progress. We don't what's wrong with Proton VPN and certain other apps.

This release is only for the Alpha channel to replace the previous release.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024080100-redfin (Pixel 4a (5G), Pixel 5)
• 2024080100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024073100 release:

• revert VPN DNS leak protection again since it's still partially incompatible with Proton VPN and certain other apps for unknown reasons, although we did avoid a lot of the compatibility issues from last time

We're included a less strict variation of our previous VPN DNS leak prevention for third party VPN apps. The new approach only aims to prevent leaks in apps handling DNS configuration correctly. It should avoid causing the compatibility issues which blocked us shipping it before.

We shipped a stricter approach in our 2024050900 release but compatibility issues were reporting during Beta testing so it didn't reach the Stable channel. It was reverted in 2024051500. Proton VPN may now be compatible with it but not all apps will be so we can't be that strict.

The hardest part of shipping privacy and security improvements is often fully preserving compatibility with the massive number of Android apps. We try to avoid needing toggles to work around compatibility issues, but we make an exception for apps with memory corruption bugs.

Our changes to this resolved most of the compatibility issues with obscure VPN apps. However, Proton VPN is still partially incompatible and doesn't work properly for all users with this leak blocking in place. We aren't sure how to move forward yet. Other apps are compatible.

This release was only pushed out to the Alpha channel.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024073100-redfin (Pixel 4a (5G), Pixel 5)
• 2024073100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024072800 release:

• add back our change to prevent app-based VPN implementations from leaking DNS requests when the VPN is down/connecting but without enforcement for VPN apps without DNS configured to avoid breaking compatibility in rare cases (our previous implementation in 2024050900 had to be reverted before it reached Stable)
• kernel (6.6): update to latest GKI LTS branch revision
• Camera: update to version 72
• Vanadium: update to version 127.0.6533.84.0

Changes in version 126:

• add stub for BluetoothLeAdvertiser.startAdvertisingSet()

A full list of changes from the previous release (version 125) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

https://arstechnica.com/gadgets/2024/07/loss-of-popular-2fa-tool-puts-security-minded-grapheneos-in-a-paradox/

The article unfortunately leaves out most of the points we made in the thread.

GrapheneOS supports hardware-based attestation and it's entirely possible for Google to allow it as part of the Play Integrity API. They choose to ban using GrapheneOS.

Play Integrity API has no minimum security patch level and nearly all these apps use weak software-based checks that are easily bypassed by attackers. The hardware-based checks rely on trusting every key distributed to every certified Android device, which are often leaked.

Hardware-based attestation can be used for security purposes such as verifying device integrity with a pinning-based approach without the weakness of being vulnerable to leaked keys from the whole Android ecosystem since specific per-app keys in the secure element can be pinned.

Play Integrity API is claimed to be based on devices complying with the Compatibility Test Suite and Compatibility Definition Document. We have irrefutable proof that the majority of certified Android devices do not comply with the CTS/CDD. Play Integrity API is based on lies.

Essentially every non-Pixel device has important CTS failures not caused by CTS bugs. OEMs are cheating to obtain certification. Google claims GrapheneOS can't be permitted because we don't have a certification where they freely allow cheating and don't ban non-compliant devices.

Since Play Integrity doesn't even have a minimum security patch level, it permits a device with multiple years of missing patches. Hardware attestation was required on all devices launched with Android 8 or later, but they don't enforce it to permit non-compliant devices.

The reality is that the Play Integrity API permits devices from companies partnered with Google with privileged Google Play integration when they're running the stock OS. It's easy to bypass, but they'll make changes to block it being done at scale long term such as if we did it.

It does not matter if these devices have years of missing security patches. It doesn't matter if the companies skipped or improperly implemented mandatory security features despite that being required by CDD compliance. Failing even very important CTS tests doesn't matter either.

Google can either permit GrapheneOS in the Play Integrity API in the near future via the approach documented at https://grapheneos.org/articles/attestation-compatibility-guide or we'll be taking legal action against them and their partners. We've started the process of talking to regulators and they're interested.

We're not going to give Google veto power over what we're allowed to do in GrapheneOS. We comply with CTS and CDD except when it limits our ability to provide our users with privacy and security. Google wants to be in charge of which privacy/security features can be added. Nope.

Google's behavior in the mobile space is highly anti-competitive. Google should be forbidden from including Google Mobile Services with privileged access unavailable to regular apps and services. GrapheneOS sandboxed Google Play proves that hardly anything even needs to change.

Google should also be forbidden from participating in blocking using alternate hardware/firmware/software. They've abused their market position to reinforce their monopolies. They've used security as an excuse despite what they're doing having no relevance to it and REDUCING it.

Google is forbidding people from using a growing number of apps and services on an objectively far more private and secure OS that's holding up much better against multiple commercial exploit developers:

https://grapheneos.social/@GrapheneOS/112826067364945164

They're holding back security, not protecting it.

We've put a lot of effort into collaborating with Google to improve privacy and security for all Android users. Their business team has repeatedly vetoed even considering giving us partner access. They rolled back us being granted security partner access by the security team.

As with how they handle giving out partner access, the Play Integrity API serves the interests of Google's business model. They have no valid excuse for not allowing GrapheneOS to pass device and strong integrity. If app developers want to ban it, they can still do it themselves.

After our security partner access was revoked, we stopped most of our work on improving Android security. We continued reporting vulnerabilities upstream. However, we're going to stop reporting most vulnerabilities until GrapheneOS is no longer blocked by the Play Integrity API.

This year, we reported multiple serious vulnerabilities to Android used by widely used commercial exploit tools:

https://source.android.com/docs/security/overview/acknowledgements

If Google wants more of that in the future, they can use hardware attestation to permit GrapheneOS for their device/strong integrity checks.

Authy's response about their usage of the Play Integrity API shows their service is highly insecure and depends on having client side validation. Play Integrity is thoroughly insecure and easily bypassed, so it's unfortunate that according to Authy their security depends on it.

If Authy insists on using it, they should use the standard Android hardware attestation API to permit using GrapheneOS too. It's easy to do:

https://grapheneos.org/articles/attestation-compatibility-guide

Banning 250k+ people with the most secure smartphones from using your app is anti-security, not pro-security.

It's very unfortunate when new apps adopt the Play Integrity API and stop working. Authy isn't a very good choice for 2FA but many people use it and it's a problem for us for a widely used app to be incompatible. A single widely used app losing compatibility is a big deal to us.

Our greatly improved web installer is now available through our official site:

https://grapheneos.org/install/web

For everything other than legacy extended support releases for 4th generation Pixels, it uses a new installation process. Main benefit is higher tolerance for bad USB support.

The new installation process uses our optimized factory images format. Main benefit is avoiding rebooting fastbootd mode, which will improve portability to systems with USB connectivity issues. It also greatly reduces memory/storage usage by streaming images from the zip.

It's hard to determine exactly how much memory and storage is required so we haven't adjusted the prerequisites section from 2GB free memory and 32GB free storage yet. It never needed anywhere close to 32GB but sites can only use a fraction of free storage via a complex formula.

Notable changes in version 72:

• use default CameraX camera selection to avoid compatibility issues with some multi-camera setups
• avoid video recording not working after audio permission change
• use CameraX to determine the video timer instead of a separate timer which can get slightly out of sync
• animate the start of video recording
• dynamically show/hide EIS settings based on current configuration

A full list of changes from the previous release (version 71) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store and on GitHub. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

We've developed a new factory images format optimized for web installation which avoids the need for fastbootd mode and greatly reduces memory/storage usage. The new approach is compatible with 5th gen Pixels and later. It's deployed on our staging site:

https://staging.grapheneos.org/install/web

We'd appreciate help with testing the new web installer on our staging site. It should reduce issues caused by low quality USB connections/drivers by avoiding switching to a different mode. It should also eliminate the need to install a fastboot driver on up-to-date Windows 11.

We'll wait for feedback from people using it successfully across different operating systems and devices.

Sections for working around Debian, Ubuntu and Windows USB deficiencies should be unnecessary other than the legacy extended support devices so we'll likely remove those.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024072800-redfin (Pixel 4a (5G), Pixel 5)
• 2024072800 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024071600 release:

• avoid isolating eUICC LPA (eSIM activation) app from third party apps to allow carrier activation apps to work (we still block communication with Google Play to avoid sending telemetry data to Google services when sandboxed Google Play is installed)
• Pixel 8a: fix GNSS configuration to avoid occasional crashes of the service (Pixel 8a is currently the only Samsung GNSS device)
• Settings: don't allow disabling user installed apps when uninstall is disallowed
• Settings: drop code for supporting the legacy Settings UI
• Sandboxed Google Play compatibility layer: avoid infinite wait for GmsCompatConfig update when call to App Store fails
• enforce stack clash protection for x86_64
• enforce minimum 64kiB stack guard size for arm64 due to the standard stack probe size of 64kiB
• future proof our Bionic libc changes for dynamic 64k pages (hardened_malloc still doesn't support it)
• flash-all: remove unnecessary reboot after flashing Android Verified Boot (AVB) key
• kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.222
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.163
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.92
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.42
• adevtool: update to latest carrier settings
• App Store: update to version 24
• Camera: update to version 69
• Camera: update to version 70
• Camera: update to version 71
• Auditor: update to version 81
• Auditor: update to version 82
• Vanadium: update to version 127.0.6533.64.0
• Vanadium: update to version 127.0.6533.64.1
• GmsCompatConfig: update to version 124
• GmsCompatConfig: update to version 125
• fastboot: add support for generating web installer optimized factory images zip for an improved web install approach not requiring fastbootd
• integrate generating web installation optimized factory images zip into release signing script
• split script/release.sh to remove dependency on build output and the OS source tree (see the new instructions for signing releases)
• rename script/release.sh to script/generate-release.sh
• add script/generate-releases.sh wrapper script

Changes in version 125:

• update max supported version of Play Store to 42.0

A full list of changes from the previous release (version 124) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.