1
49
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]

We need an Android OEM or someone working at one to provide us with early access to the Android 16 sources in order to have a smooth port this year. We need this before June. We requested it to help with this very difficult situation (see the linked thread) and still need it.

https://grapheneos.social/@GrapheneOS/114359660453627718

GrapheneOS Foundation can sign an NDA for this. We can act as a contractor for an Android OEM or one of their contractors. We need this early access so that we can start early due to the developer who usually does most of it being unavailable. If you can get us this, please help.

Since we still haven't received early access to Android 16 sources, we'll need to begin deciding which subset of the GrapheneOS features must be ported and which ones could be initially dropped and added back in the following weeks in order to keep doing full security patches.

For example, our 2-factor fingerprint unlock feature is going to be particularly hard to port due to massive changes to the lockscreen code in Android 16. We can drop it for the initial release and add it back later with user configuration being preserved so it works as before.

Without early access, our porting process is likely going to involve making an initial release with dozens of GrapheneOS features missing to get initial Alpha testing going, then adding back features alongside fixing many upstream regressions and a small number of porting issues.

In the past few years, we've typically been able to make an experimental release with all of our features ported within a day or two of the new yearly release being pushed to the Android Open Source Project. It tends to take a week to reach Stable, which was already too long.

Over time, we've added many more features including ones which are harder to port including sandboxed Google Play compatibility layer, Storage Scopes, Contact Scopes, 2-factor unlock and much more. Some MUST be ported for an initial release, others could be temporarily omitted.

We hired an extremely talented developer in 2021 who later became our lead developer. He was doing the majority of this porting work from 2022 on. He's currently stuck in a military training camp due to being forcibly conscripted so we need standard early OEM access this year.

If you want to see GrapheneOS continue, please help us get early access to Android 16 sources before the end of the month. We ideally need all of it so we can do early builds for the emulator, but even just having a few of the most important repositories early would help a lot.

In exchange for an OEM providing us with early access, we can help with fixing multiple severe vulnerabilities and weaknesses fixed by GrapheneOS which are not being reported to Google due to them blocking us from having partner access. We can help in far more ways than that too.

Every Android OEM licensing GMS has access to what we need and could provide it to us under a contract where we're working on GrapheneOS with it for their benefit. Every Android OEM has substantially benefited from our upstream work, and could benefit more if they worked with us.

2
47
submitted 1 month ago by [email protected] to c/[email protected]

GRAPHENEOS IS HIRING

Are you an experienced AOSP developer?

Interested in working full time, fully remotely on GrapheneOS?

Can you hit the ground running?

https://grapheneos.org/hiring

Global opportunity paid via Wise (local bank transfers), BTC, ETH or XMR.

3
15
submitted 3 years ago* (last edited 3 years ago) by [email protected] to c/[email protected]

Hello and welcome to [email protected] !

Our Lemmy GrapheneOS community is currently unofficial, reserved, and used for announcements/news.

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

https://grapheneos.org/

https://attestation.app/

https://github.com/GrapheneOS

Official chat rooms: #grapheneos:grapheneos.org and #offtopic:grapheneos.org

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.


All installs should follow the Official Install Guide. No other guides are recommended or supported.

If your question is related to device support, please see the Which devices will be supported in the future? for criteria and the Which devices are recommended? for recommend devices from the FAQ section of the official site.

If your question is related to app support, please check the Usage Guide. Sections like Bugs uncovered by security features should help if you have a native app with a security issue uncovered by hardening. If you want to know what browser to use please reference Web browsing. In general, Vanadium is almost always the recommendation for security and privacy.

If your question is related to a feature request, please check the issue trackers. OS issue tracker, Vanadium for other GrapheneOS project check the Reporting issue.


GrapheneOS has a very active community primarily based around the official chat rooms on Matrix and where most of the core community, including contributors, to the project have discussions. Most of those people are not active here on Lemmy's [email protected] community.

The official GrapheneOS space groups together all of the official rooms along with members of the community who join the space. You can join the space at #community:grapheneos.org

Links to join our new official chat rooms via the Element web client:

Matrix Room Description
#grapheneos:grapheneos.org Best place to request support, ask questions or get involved in the project
#offtopic:grapheneos.org Discuss topics not strictly related to GrapheneOS
#dev:grapheneos.org Discuss GrapheneOS app and OS development
#testing:grapheneos.org Provide feedback on Beta channel releases
#releases:grapheneos.org Release announcements
#infra:grapheneos.org Infrastructure monitoring and discussion

You can use the client and home server of your choice. For new users, the Element web app or mobile app with matrix.org as your home server is a sensible choice.

Please contact the moderators of this community if you have any questions or concerns.

4
59
submitted 8 hours ago by [email protected] to c/[email protected]

In May, we began preparing to port to Android 16 despite our most active senior developer responsible for leading OS development being unavailable (https://grapheneos.social/@GrapheneOS/114359660453627718). Android 16 launched today and porting is going to be significantly more difficult than we were expecting.

We did far more preparation for Android 16 than we've ever done for any previous yearly release. Since we weren't able to obtain OEM partner access, we did extensive reverse engineering of the upcoming changes. Developers also practiced by redoing previous quarterly/yearly ports.

Unfortunately, Android has made changes which will make it much harder for us to port to Android 16 and future releases. It will also make adding support for new Pixels much more difficult. We're likely going to need to focus on making GrapheneOS devices sooner than we expected.

We don't understand why these changes were made and it's a major turn in the wrong direction. Google is in the process of losing multiple antitrust cases in the US. Android and Chrome being split into separate companies has been requested by the DOJ. They may be preparing for it.

We're hard at work on getting the port to Android 16 done but there's a large amount of additional work we weren't expecting. It can be expected to take longer than our usual ports due to the conscription issue combined with this. It's not good, but we have to deal with it.

Having our own devices meeting our hardware requirements (https://grapheneos.org/faq#future-devices) would reduce the time pressure to migrate to new releases and could be used to obtain early access ourselves. Based on talks with OEMs, paying for what we need will cost millions of dollars.

We've made a lot of progress on porting to Android 16 already. If things hadn't been made harder for us, we would likely be able to publish an experimental release tomorrow and quickly get a release into the Alpha and then Beta channels to start ironing out the bugs in the port.

Our speculation about this is that a result of Google losing a US antitrust case and likely losing several more soon, they're preparing for Android and Chrome being split into separate companies. If Android gets split off, they want to retain Pixels.

https://www.nytimes.com/2025/04/21/technology/google-search-remedies-hearing.html

Google seems to be in the process of splitting up Android and Pixels along with moving towards treating other Android-based platforms as their competitors instead of their partners. Pixels retain first class alternate OS support with Android 16 firmware so it's not about that.

We have early builds of GrapheneOS based on Android 16 booting in the emulator. We would usually be working on quickly porting over device support and getting the kernels ready including doing the production kernel builds now. Unfortunately, that will be harder than usual.

5
19
submitted 8 hours ago by [email protected] to c/[email protected]

We're going to be moving forward under the expectation that future Pixel devices may not meet the requirements to run GrapheneOS (https://grapheneos.org/faq#future-devices) and may not support using another OS. We've been in talks with a couple OEMs about making devices and what it would cost.

In April 2025, we received leaked information about Google taking steps to strip down the Android Open Source Project. We were told the first step would be removal of device support with the launch of Android 16. We didn't get details or confirmation so we didn't prepare early.

We spent most of May preparing for the Android 16 release. Due to our extensive preparation work, our initial port to Android 16 has been completed and is being tested in the emulator. We could have published experimental releases yesterday if this was a regular AOSP release.

Due to AOSP no longer having device support, we need to build it ourselves. We can start from the Android 15 QPR2 device support, remove the outdated code and update the configurations. We have tooling to automate generating device support setups which will need major expansions.

Since our port to Android 16 is going to be delayed by a week or more, we're in the process of backporting the Android 16 firmware/drivers released on June 10 to the previous releases. This is not something we can do in general so we still need to port to Android 16 this month.

Despite our lead developer who has done 90% of the ports for several years being conscripted into an army, we were still able to complete the initial port to Android 16 in under 2 days, but without device support. Our extensive preparation in April and especially May paid off.

It's important to get an experimental release out quickly to begin extensive public testing. There are usually many issues found in testing. For a yearly release, we usually get out an experimental release in a day, an Alpha channel release in 2 days and need 4-6 more releases.

Google has released a statement claiming AOSP is not being discontinued. This should be taken with a grain of salt, especially considering that they made similar public statements recently followed by discontinuing significant parts of AOSP on June 10.

https://x.com/seangchau/status/1933029688202703062

Google is in the process of likely having the company broken up due to losing an antitrust lawsuit from the US government and being in the process of losing several more. There's a high chance of Google losing control of Android in the next couple years.

https://www.nytimes.com/2025/04/21/technology/google-search-remedies-hearing.html

The leaked information we received in April 2025 indicates that the reasoning they're making substantial cuts to Android is primarily cutting costs, perhaps in anticipation of it being split from Google. The courts should investigate Google's recent changes and cuts to Android.

Google has been accelerating their crackdown on alternate mobile hardware and software with the Play Integrity API combined with laying off many people working on Android and cutting parts of the project. They disallow their OEM partners from competing so others cannot take over.

It's no wonder that Android and Chrome engineers at Google are leaking tons of information when the company is in an extraction mode trying to get as much out of each as possible prior to Google being broken up. Regulatory action needs to move faster and take this into account.

A successful mobile OS will need near perfect iOS or Android app compatibility. For Android, compatibility means a solid fork of AOSP even if it's only used within a VM on a more modern microkernel-based OS. Google made an open platform, unlike Apple, and could not prevent this.

For years, Google has been using extraordinarily anti-competitive Google Mobile Services (GMS) licensing agreements with OEMs to disallow competition. To further prevent competition, they made the Play Integrity API where apps devs are convinced to check for valid GMS licensing.

If the Pixel 10 does meet our requirements, we'll support it, but it will take significantly more time and effort to develop support for it. At the end of the year, Qualcomm should finally release a new SoC providing hardware memory tagging. If they do, we can shift focus to it.

Once an OEM offering the service of making custom devices has a platform based on a new Qualcomm Snapdragon SoC with hardware memory tagging support, we can do a crowdfunding campaign to raise the money needed to have them build a device for us. We have talked with a couple OEMs.

The baseline will be several million dollars, which can be spread out across the cost of preordered devices. This is the cost of making a modern, secure device with a secure element and the other requirements we have for one instead of a low-end device with outdated hardware.

There will be a cost of a million or more dollars per year of additional support. Providing 7 years of proper support like Pixels would be very expensive. We definitely wouldn't be releasing a new device every year as the overlapping costs for all of it would be ridiculous.

6
22
submitted 8 hours ago by [email protected] to c/[email protected]

This will likely be the final release based on Android 15 QPR2 since Android 16 has been released today.

Tags:

  • 2025061000 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025060200 release:

  • expand our code for checking Google Play Store source stamp signatures to checking each split APK in order to prepare it for future security-relevant usage including optionally marking apps as installed from the Play Store after verifying the source stamp (this is currently used for stripping Play Store inserted checks for apps being installed from the Play Store which had looser security requirements)
  • remove Chunghwa Telecom and Netlock Certificate Authorities (CAs) based on the decision by the Chrome Root Store (this does not impact Vanadium since it uses a more sophisticated browser root store rather than the OS root store and will distrust certificates from these CAs not added to Certificate Transparency logs before 2025-08-01 to avoid website compatibility issues)
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.141
  • kernel (6.6): update to latest GKI LTS branch revision
  • Vanadium: update to version 137.0.7151.72.0
  • Vanadium: update to version 137.0.7151.72.1
  • Network Location: increase difficulty of position estimation tests to help avoid regressions
7
6
submitted 8 hours ago by [email protected] to c/[email protected]

Changes in version 137.0.7151.89.0:

  • update to Chromium 137.0.7151.89
  • drop backport of Picture In Picture (PiP) patch now present upstream

A full list of changes from the previous release (version 137.0.7151.72.2) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

8
9
submitted 2 days ago by [email protected] to c/[email protected]

Changes in version 137.0.7151.72.2:

  • disable permission prompt for Local Network Access until it's supported on Android to avoid rare crashes impacting some users
  • backport upstream patches for the Local Network Access checks feature we're enabling early
  • replace our patch for an upstream Picture in Picture (PIP) bug with a backport of an upstream patch

A full list of changes from the previous release (version 137.0.7151.72.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

9
7
submitted 2 days ago by [email protected] to c/[email protected]

Changes in version 137.0.7151.72.1:

  • enable Local Network Access checks by default (this was already shipped in Vanadium Config 95 so it doesn't change anything for users with up-to-date Vanadium Config)
  • add chrome://flags toggle for Android for the Local Network Access flag we're enabling by default so users can disable it (will be replaced by a site setting UI in the future)
  • drop change for testing Android 16 support prior to Android 16 release to prepare for the upcoming Android 16 stable release

A full list of changes from the previous release (version 137.0.7151.72.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

10
12
submitted 2 days ago by [email protected] to c/[email protected]

WebRTC is a peer-to-peer communications protocol for web sites and therefore causes numerous privacy issues through making direct connections between participants. By default our Vanadium browser disables the peer-to-peer aspect by only using server-based (proxied) connections.

Vanadium provides a user-facing setting at Privacy and security > WebRTC IP handling policy.

From least to most strict:

DefaultDefault public and private interfacesDefault public interface onlyDisable non-proxied UDP

For Vanadium, "Disabled non-proxied UDP" is the default.

The tracking technique described at https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/ is prevented by Vanadium's default "Disabled non-proxied UDP" value. It's also prevented by "Default public interface only", which does permit peer-to-peer connections but won't try to use the loopback interface for it.

We have a list of most of the features provided by Vanadium at https://grapheneos.org/features#vanadium. There are dozens of additional privacy and security features planned along with data import/export and improved support for system backups. It takes time to implement these things properly.

Vanadium doesn't have billions or even millions of users which limits our ability to prevent fingerprinting. We plan to address this by launching it for use outside GrapheneOS including publishing it through the Play Store. We want to implement more of the planned features first.

For the non-WebRTC issue being abused by Yandex, Chromium 137 shipped a fix for it behind a feature flag that's being gradually rolled out. We can roll this out to 100% of Vanadium users through a Vanadium Config update. We can start Alpha testing for that new flag later today.

Vanadium Config version 95 enables protection for local networks and loopback. The user interface for making per-site exceptions isn't available for Android yet. The overall feature can be disabled via chrome://flags if for some reason someone needs that functionality right now.

11
4
submitted 1 week ago by [email protected] to c/[email protected]

Changes in version 137.0.7151.72.0:

  • update to Chromium 137.0.7151.72
  • disable using in-browser PDF Viewer by default since it's much less secure than our own PDF Viewer, but we plan to add a toggle to enable it in a future release for people who want it regardless

A full list of changes from the previous release (version 137.0.7151.61.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

12
16
submitted 1 week ago by [email protected] to c/[email protected]

This is an early June security update release based on the June 2025 security patch backports since the yearly Android Open Source Project and stock Pixel OS release scheduled for this month hasn't been published yet.

Tags:

  • 2025060200 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025060100 release:

  • full 2025-06-01 security patch level
  • System Updater: temporarily revert notification protection due to upstream Android UI issues for this feature with privileged apps (we still plan to do this but it will need to wait until we resolve the OS issue)
  • remove Chunghwa Telecom and Netlock Certificate Authorities (CAs) for fresh installs (will need another change to trigger removal for existing installs) based on the decision by the Chrome Root Store (this does not impact Vanadium since it uses a more sophisticated browser root store rather than the OS root store and will distrust certificates from these CAs not added to Certificate Transparency logs before 2025-08-01 to avoid website compatibility issues)
13
14
submitted 1 week ago by [email protected] to c/[email protected]

Tags:

  • 2025060100 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025052800 release:

  • Media Provider: expand our existing protection against CVE-2024-50089 which is still not addressed upstream (we added generic hardening in 2022 as a prerequisite for Storage Scopes which along with fixing information leaks still unfixed upstream blocked exploiting CVE-2024-50089 for the common cases of not granting permissions, granting media permissions or using our Storage Scopes feature but we didn't fully cover "All files access" or the legacy API level equivalent when not using Storage Scopes)
  • System Updater: prevent disabling overall notifications due to lack of a use case and many users doing it by accident, but continue allowing disabling the individual notification channels other than the reboot notification
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.92
  • Messaging: update to version 8
  • Vanadium: update to version 137.0.7151.61.0
14
6
submitted 1 week ago by [email protected] to c/[email protected]

Notable changes in version 8:

  • associate contact URIs with notifications to fix starred contacts bypassing Do Not Disturb
  • respect "Incoming messages" notification settings when creating notification channels for conversations
  • prevent conversation deleted toast spam
  • update Guava library to 33.4.8
  • update AndroidX RecyclerView library to 1.4.0
  • update Android Gradle plugin to 8.10.1
  • update Gradle to 8.14.1
  • update Kotlin to 2.1.21
  • update Android build tools to 36.0.0
  • migrate to AndroidX Nullable annotations

A full list of changes from the previous release (version 8) is available through the Git commit log between the releases.

15
10
submitted 2 weeks ago by [email protected] to c/[email protected]

Changes in version 137.0.7151.61.0:

  • update to Chromium 137.0.7151.61

A full list of changes from the previous release (version 137.0.7151.44.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

16
16
submitted 2 weeks ago by [email protected] to c/[email protected]

Our Contact Scopes and Storage Scopes features provide essential privacy functionality that's missing on standard Android. Scopes are a replacement for the standard contacts, storage and media permissions. We offer these as an alternative when apps request access to any of those.

When you enable Contact Scopes or Storage Scopes, GrapheneOS makes the app believe you've granted the requested permissions. However, it doesn't receive access to any more additional data not created by itself. Most apps work by simply enabling these without doing anything more.

For Contact Scopes, you can choose to give the app read access to a subset of the data for specific contacts. For more convenience, we support grouping contacts together and granting access to a group. It's very useful even without granting access to anything to pretend you have.

Storage Scopes functions differently depending on which permissions are requested. It acts as if the permissions were granted but only allows accessing files created by the app itself and doesn't provide additional info on files created by other apps compared to not enabling it.

Adding scopes after enabling Storage Scopes is only needed to provide access to files created by other apps. For example, if you regularly create files in a directory with both app A and app B and access them with app C, a scope can be granted to app C to access files from there.

Contact Scopes and Storage Scopes work around the fact that most app developers do not use the system contact picker, file picker, etc. but rather request broad access via permissions. We're going to be adding more similar features providing an alternative for more permissions.

Following our port to Android 16, providing similar features for Camera, Microphone and Location will be among our top priorities.

For Location, it will allow setting a per-app location instead of granting the permission. Android has Mock Location already, but it's a global.

For Camera, you'll be able to set a picture or video file to loop for the app as an alternative to granting the permission. For Microphone, you'll be able to set an audio file to loop for the app.

We plan to expand this approach to other permissions further in the future too.

We recommend not granting storage or media permissions to user installed apps. Storage Scopes should be a full substitute for those already.

Contact Scopes is not quite a full substitute yet since it can't permit write access or shared accounts, but we plan to expand it later.

Storage Scopes can even be used as a full replacement for Android's file manager permission ("All files access") giving access to the entire home directory. Android acknowledges that is dangerous and tried to restrict access to a couple special use directories but nothing else.

Android's only restrictions on apps granted file management access are not allowing access to Android/data and Android/obb. Android/data is an alternative to internal app storage where users get file access. Android/obb is a long time deprecated way to distribute large files.

Due to an upstream Linux kernel vulnerability, Android's attempt at restricting access to Android/data and Android/obb for the file management permission didn't work (https://nvd.nist.gov/vuln/detail/CVE-2024-50089). A fix was implemented in the Linux kernel, then reverted due to breaking compatibility.

Fix:

https://github.com/torvalds/linux/commit/5c26d2f1d3f5e4be3e196526bead29ecb139cf91

Revert:

https://github.com/torvalds/linux/commit/231825b2e1ff6ba799c5eaf396d3ab2354e37c6b

CVE assigned to this (CVE-2024-50089) was then rejected, since the Linux kernel project took over managing Linux kernel CVEs and only allows CVEs for their backported patches, not as a vulnerability tracking system.

Fixing this outside the kernel is problematic. Most approaches will end up having bypasses. Android has struggled to do that and seems unwilling to temporarily apply a kernel patch. Some other AOSP-based projects are adopting an approach to this we don't believe is correct.

Android 16 appears to have an attempt at a full fix in userspace. "All files access" grants will still be dangerous and privacy invasive.

Storage Scopes is our way of making the best out of maintaining compatibility with a messy coarse permission model with odd special cases.

In Android 4.4, support was added for apps using the system file picker to have users choose files for them. In Android 5, it was extended to directories. Adoption of this was extremely poor until they began coercing apps to use it. There's now also forced photo picker support.

Our Storage Scopes feature is not a restriction but rather a better alternative to granting storage and media permissions. It's better if apps support the system file picker. Apps prefer demanding bulk data access over that. On GrapheneOS, you can say no and still use the apps.

Our Storage Scopes feature includes additional hardening which caused the serious Linux kernel CVE-2024-50089 vulnerability to be much less severe with GrapheneOS due to mostly limited the impact to the "All files access" permission rather than cases without that being granted.

17
16
submitted 2 weeks ago by [email protected] to c/[email protected]

Tags:

  • 2025052800 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025052000 release:

  • disable anti-competitive code being injected by the Play Store into apps choosing to enable "App integrity > Automatic protection" when there's a valid Play Store source stamp signature (proving that it's an unmodified app from the Play Store, so we aren't disabling an integrity check) since it prevents using the apps on GrapheneOS when apps also choose to enable "App integrity > Store listing visibility" with either the "Device integrity checks" or "Strong integrity checks" values enforcing having a device licensing Google Mobile Services and running the stock OS (circumventing this is protected by the DMCA exemption for jailbreaking)
  • Private Space: fix further issues with quiet/locking state changes in secondary users
  • extend NFC auto-turn-off to work when logged into a secondary user
  • kernel (6.6): update to latest GKI LTS branch revision
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.140
  • Vanadium: update to version 137.0.7151.44.0
  • Vanadium: update to version 137.0.7151.44.1
18
8
submitted 2 weeks ago by [email protected] to c/[email protected]

Changes in version 137.0.7151.44.1:

  • fix upstream picture-in-picture regression in Chromium 137

A full list of changes from the previous release (version 137.0.7151.44.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

19
27
submitted 2 weeks ago by [email protected] to c/[email protected]

We're looking into using https://github.com/k2-fsa/sherpa-onnx to provide built-in text-to-speech and speech-to-text to greatly improve the out-of-the-box accessibility of GrapheneOS for blind users. We already have a screen reader included via our fork of the open source variant of TalkBack.

To have text-to-speech functioning out-of-the-box, we can choose one of the models with open source training code and data as the default to be included within the OS. We wouldn't need to include anything that's not truly open source. It's the only reasonable option we've found.

There are over 100 models for 40 languages. Some research is going to be required to figure out which of the English ones are fully open source (open training data and code) and then which of those works best for basic text-to-speech to have as the default bundled in the OS.

If we had text-to-speech support included in GrapheneOS, we could also provide an automatic captions feature.

We'll need to do a basic review of the code for text-to-speech, speech-to-text, shared code and any other parts we decide to use. We'll need at least a minor fork of it.

We want to stick to a model with open source training code/data for what we bundle, so we're likely not going to be able to use one of the best options by default. Having a tolerable open source model by default with the option to switch to great "open" models seems good enough.

We could use help narrowing down which of the available English models with open training data would be best (least bad) for basic text-to-speech usage including for TalkBack. We could also collect feedback somewhere on which ones people think are best overall across languages.

20
15
submitted 2 weeks ago by [email protected] to c/[email protected]

In order to provide better support for blind users, we maintain a fork of the open source TalkBack app fixing serious issues with it, modernizing it and making the builds reproducible. One of the goals of making our own Setup Wizard has also been integrating TalkBack support.

Google unfortunately doesn't publish the source code for each stable release of TalkBack as they do for Android itself. The open source release of the app lags significantly behind. It also has a bunch of missing and broken features. We plan to gradually improve this situation.

In order to use GrapheneOS, blind users need to successfully install the OS and set up the device to be usable with a screen reader. This is an area we've been thinking about and working on improving for a while. Our new Setup Wizard provides a better base for integrating this.

The first barrier to someone using GrapheneOS without sight is installing the OS. We've done what we can to make our web installer as accessible as possible (https://grapheneos.org/install/web). However, users need to interact with the device's firmware interface which the user can see.

Due to the inaccessible firmware user interface, it's difficult to perform the installation correctly and safety, particularly confirming unlocking and then confirming locking. Confirming the verified boot key matches after installing/locking would require OCR on another device.

The next issue is the Android Open Source Project no longer includes a text-to-speech app. Pico TTS used to be included in AOSP but was not what Google Mobile Services devices use. It was quite primitive, awful to use and AOSP removed it after security issues were found.

We've wanted to include a text-to-speech app and bundle a language pack to have it working out-of-the-box for a long time. We could then add a shortcut for enabling TalkBack in our new Setup Wizard to make things accessible from the start of the post-install setup process.

To provide what we need, the TTS app needs to be built into the OS, enabled and set up to work by default without configuration. It doesn't do any good if you need to connect to a network and download a language pack. It also needs to work Before First Unlock via Direct Boot.

Since it will be enabled by default, security is quite relevant. It shouldn't be a bunch of C++ code without a modern coding style, use of sanitizers, decent tests, etc. It needs to be actively developed and properly maintained. This is why Pico TTS had to be removed from AOSP.

GrapheneOS is intended to be a drop-in replacement for the Android Open Source Project usable by companies to make all kinds of products. Due to this, we avoid non-commercial usage licenses. Lots of the language packs for TTS implementations have non-commercial usage licenses.

We also avoid including GPLv3 code in the base OS since it would add restrictions on how it can be used. We do add new GPLv2 licensed code. This doesn't mean we have issues with using GPLv3 code or making forks of GPLv3 projects, we just don't bundle it within GrapheneOS itself.

Neither eSpeak NG or RHVoice meets our security expectations (piles of problematic C and C++ code) and both have licensing issues. Both were previously also missing Direct Boot support to function Before First Unlock, but we requested it from both and eSpeak NG implemented it.

There were previously no good options available. Things have changed and there are multiple open source text-to-speech implementations which could be turned into a suitable Android app and integrated into the OS. This involves significant work and we haven't gotten to this yet.

We have hundreds of planned features. We've been working on some features for months or even years. We try to focus on features which would provide the most overall benefit to our users with a focus on improving privacy, security, compatibility and usability. It's subjective.

For example, built-in support for network location was a feature we wanted to integrate for years. Last year, we made it a top priority, and assigned a developer to solely work on it, so it got done. This is still being worked on to add cellular fallback and full offline support.

21
11
submitted 2 weeks ago by [email protected] to c/[email protected]

Changes in version 137.0.7151.44.0:

  • update to Chromium 137.0.7151.44

A full list of changes from the previous release (version 136.0.7103.125.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

22
66
submitted 2 weeks ago* (last edited 2 weeks ago) by [email protected] to c/[email protected]

A growing number of apps are using the Play Integrity API to enforce installation from the Play Store. This is clearly highly illegal anti-competitive behavior. It doesn't impact GrapheneOS users installing apps with the sandboxed Play Store but does impact other install sources.

This is being done alongside Google recommending app developers forbid installing their apps from the Play Store on operating systems not licensing Google Mobile Services. The combination of these feature ends up blocking users from easily using the apps without modifying them.

We're going to add a secure way of working around this without breaking the app source security model. We'll be adding support for having the OS automatically verify the Play Store signing metadata and then inform Play services those apps were installed from the Play Store.

It's worth noting Android has a standard hardware attestation API for verifying the hardware, firmware, OS and app. This supports alternate roots of trust and non-stock operating systems if apps choose to support it. Apps could perform stronger checks while allowing GrapheneOS.

Android's hardware attestation API has anti-competition issues due to the official verification libraries hard-wiring the Google roots and encouraging only permitting the stock OS. However, it does fully support any other OS with verified boot and can be used with other root CAs.

Google's Play Integrity API is quite different and only supports verifying devices licensing Google Mobile Devices with the stock OS. It has support for enforcing installing apps from the Play Store. None of this has anything to do with security. It's purely anti-competitive.

Google Play Integrity permits highly insecure devices with years of missing High/Critical severity security patches. They pretend any device licensing Google Mobile Services is secure while running the stock OS and anything else is insecure. This is a lie to lock out competition.

There's no security value to enforcing using devices licensing Google Mobile Services. The vast majority of those devices are highly insecure. Software-based attestation (device integrity) is also highly insecure and easy for attackers to bypass. This is only hurting competition.

Hardware-based attestation can be secure, but the way the Play Integrity API uses it is also highly insecure. It can be bypassed via leaked keys from the most insecure Android devices in the ecosystem. Secure way to use it is pinning, not trusting everything chaining to a root.

Even if apps insist on doing these kinds of integrity checks, they can still permit GrapheneOS. We provide a guide on verifying GrapheneOS via hardware attestation at https://grapheneos.org/articles/attestation-compatibility-guide. They can still fall back to Play Integrity API for insecure devices without this.

Multiple prominent banking apps in Europe have already implemented support for GrapheneOS via hardware attestation. The pace of apps adopting the Play Integrity API is unfortunately currently faster than apps adding support for GrapheneOS. This is due to Google marketing it.

If you run into apps banning using GrapheneOS with Play Integrity, make a Play Store review with no links asking to stop banning a more secure OS. Next, make a customer support request linking https://grapheneos.org/articles/attestation-compatibility-guide. Multiple apps have permitted GrapheneOS due to these efforts.

23
58
submitted 2 weeks ago by [email protected] to c/[email protected]

We still need help getting early access to Android 16 sources prior to the stable release in June. Every mainstream Android OEM has it. We're currently spending significant time on reverse engineering Android 16 Beta releases. It's a huge waste compared to having what we need.

24
15
submitted 3 weeks ago by [email protected] to c/[email protected]

Tags:

  • 2025052000 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025051900 release:

  • Private Space: set correct state on user start or stop for secondary users
  • Private Space: make sure nested profiles in secondary users have their storage put at rest when the parent profile's session is ended
  • Keyboard: remove dedicated language switch key from the phone layout since it's already shown by the OS itself and uses up too much space with the emoji key already next to the space bar
25
28
submitted 3 weeks ago by [email protected] to c/[email protected]

Tags:

  • 2025051900 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025050700 release:

  • add NFC auto-turn-off setting to go along with the existing addition of Wi-Fi and Bluetooth auto-turn-off settings
  • Private Space: add new setting for disabling delayed locking of storage to make locking work like secondary user end session feature we enable, similar to the toggle we add for disabling secondary users running in the background (standard Private Space doesn't work this way to keep fingerprint unlock available after it's locked/stopped)
  • Private Space: add new setting for blocking sharing the clipboard to and/or from the parent profile and other nested profiles within it
  • Private Space: add support for the Install available apps feature we currently enable to support installing apps available in the Owner user to secondary users
  • Private Space: add support for secondary users including all standard features with the exception of auto-locking support since our implementation of that is too complex/invasive to properly review and test while we're focused on Android 16 porting
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.138
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.89
  • Keyboard: move the emoji key to the left of the space bar for the phone layout instead of putting it behind a long press or replacing the enter key with it when put into the emoji mode by apps like AOSP Messaging
  • Keyboard: stop replacing the emoji key with the .com key for the email and URL input types
  • Vanadium: update to version 136.0.7103.125.0
  • add support for testing Android 16 Beta 4.1 feature flags for development builds
view more: next ›

GrapheneOS [Unofficial]

2562 readers
75 users here now

Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

Links

More Site links

Social Media

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

founded 4 years ago
MODERATORS