KindnessInfinity


Changes in version 128.0.6613.88.0:

  • update to Chromium 128.0.6613.88

A full list of changes from the previous release (version 127.0.6533.104.3) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Notable changes in version 83:

  • add support for Pixel 9, Pixel 9 Pro and Pixel 9 Pro XL with either the stock OS or GrapheneOS
  • mark legacy devices which are no longer supported as explicitly unsupported
  • update Android Gradle plugin to 8.5.2
  • update Android NDK to 27.0.12077973
  • update Gradle to 8.10
  • update Guava library to 33.3.0

A full list of changes from the previous release (version 82) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS App Store and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS App Store on Android 12 or later for automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our App Store or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024082000-redfin (Pixel 4a (5G), Pixel 5)
  • 2024082000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080600 release:

  • Settings: enable Safety Center and port all of the relevant GrapheneOS settings to it both to provide the more modern user interface and to prepare for the release of Android 15
  • hide Safety Center camera extensions fallback toggle when it's not relevant (not used on Pixels)
  • Package Installer: fix upstream bug causing null pointer exception in rare edge cases including a rare race condition
  • require Owner user credential to check whether a duress PIN/password is enabled as hardening against potential UI bugs such as the upstream predictive back gesture issue we patched in the Settings app
  • apply upstream change for 6th generation Pixels making snapuserd available in recovery to avoid a problem in a rare edge case where a factory reset occurs before finishing booting a new update
  • apply minor upstream fixes for Settings which were temporarily only shipped for certain Pixels
  • add fastboot to otatools.zip for optimized factory images generation
  • flash-all: raise minimum fastboot version to 35.0.1
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.223
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.164
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.95
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.45
  • remove duplicate Android.bp from unpacked otatools.zip to avoid breaking subsequent builds when it's unpacked in the source tree
  • add Android 15 Beta build configuration for early development/testing of our Android 15 port via an ap2f release configuration enabling all of the available Android 15 feature flags
  • port GrapheneOS changes to new code for Android 15 used by our Android 15 Beta build configuration
  • Vanadium: update to version 127.0.6533.104.0
  • Vanadium: update to version 127.0.6533.104.1
  • Vanadium: update to version 127.0.6533.104.2
  • Vanadium: update to version 127.0.6533.104.3
  • GmsCompatConfig: update to version 128
  • GmsCompatConfig: update to version 129
  • GmsCompatConfig: update to version 130
 

We've started work on adding support for the Pixel 9, Pixel 9 Pro and Pixel 9 Pro XL. We haven't received our test devices yet but they should arrive within a couple days. Pixel 9 Pro Fold will be supported like the earlier Pixel Fold but it's launching later than the others.

Our device testing lab now has a Pixel 9 and Pixel 9 Pro XL. Pixel 9 Pro Fold is preordered and we should receive it at launch.

The regular Pixel 9 Pro was out-of-stock so we haven't ordered one yet. We can buy one later and use up the credit from buying the other 3 devices.

GrapheneOS support for Pixel 9, Pixel 9 Pro and Pixel 9 Pro XL is coming along nicely. It will be ready for public experimental testing soon. It's currently being delayed by Chromium v128 reaching Stable today. We also need another regular OS release due to a minor UI regression.

 

Changes in version 130:

  • add stub for PackageManager.getPackagesForUid() to cover our GmcPackageManager.getPackagesForUid() shim still throwing a security exception when handling passing an invalid negative UID due to how the OS APIs work instead of the error expected by Play services

A full list of changes from the previous release (version 129) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Reflects extremely poorly on Apple that several of their employees have been involved in spreading fabricated claims about Pixels. Convincing companies/governments to strictly use Apple products with clearly fraudulent claims about Pixels is scandalous.

https://x.com/GerzerSoftware/status/1825226770079244361

We directly talked about iVerify being a sandboxed app fundamentally incapable of providing significant defenses against sophisticated attackers:

https://x.com/GrapheneOS/status/1824194291591417961

It does not mean you should trust them to run code on your device, view your DNS requests, etc.

iVerify fabricated a fake Pixel vulnerability in order to promote their company/product alongside Palantir and Trail of Bits. It has been completely debunked by multiple researchers. Many people were previously aware of the app, the conditions for enabling it and had analyzed it.

Multiple privacy and security researchers have previously talked about this set of apps for supporting Verizon's network functionality on Android. We analyzed these apps years ago and have publicly talked about it. We checked CarrierSettings and Showcase again before our thread.

Showcase (com.customermobile.preload.vzw) is Verizon's retail demo app and is completely disabled at a package level with the other Verizon apps on Pixels unless someone has a Verizon SIM. The way they're disabled is comparable to installing and uninstalling the apps on demand.

Showcase additionally requires a privileged OS setting in order to enable it. This setting has more limited access than other settings which are part of the public API. The level of access to enable it would be greater than the access the app has available for itself.

Using iVerify means trusting a Palantir partner with code execution, access to your DNS requests, etc.

Palantir is a surveillance company and is largely based around acquiring access to data mined by other companies. That's reason enough to avoid code from them or their partners.

Here's some background on Palantir:

https://privacyinternational.org/sites/default/files/2021-11/All%20roads%20lead%20to%20Palantir%20with%20Palantir%20response%20v3.pdf

Regardless of whether you share the views of most of the open source and privacy communities on Palantir and their partners, a security company like iVerify promoting products via fraudulent claims isn't trustworthy.

Installing an app from their app store is giving arbitrary code execution within the app sandbox to the app developers. The app sandbox is far weaker than the browser sandbox for a website. It's also easy enough for apps to do arbitrary things based on configuration and many do.

iVerify has been actively marketing to journalists while working with groups many journalists consider among their main adversaries.

Using an app is trusting the developers with arbitrary remote code execution in the app sandbox, which is a lot weaker than the web sandbox.

App sandbox simultaneously prevents iVerify from providing any significant value against a sophisticated attacker while also not being nearly strong enough to put up a serious defense against sophisticated adversaries. The value is oversold and it brings more risk than reward.

 

Changes in version 127.0.6533.104.3:

  • temporarily disable Shadow Call Stack due to causing app compatibility issue with Discover Mobile despite the main compatibility issues being resolved

A full list of changes from the previous release (version 127.0.6533.104.2) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 129:

  • update max supported version of Play services to 24.32
  • update max supported version of Play Store to 42.3
  • update Gradle to 8.10

A full list of changes from the previous release (version 128) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Changes in version 127.0.6533.104.2:

  • enable Shadow Call Stack on 64-bit ARM in addition to pointer authentication since pointer authentication is probabilistic and only supported on ARMv9 devices such as 8th/9th generation Pixels
  • keep stack canaries enabled via -fstack-protector-strong when Shadow Call Stack is enabled as we already do in the kernel to preserve the minor security benefits it still provides and to work around crashes occurring in certain apps using the WebView with it disabled

A full list of changes from the previous release (version 127.0.6533.104.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

https://x.com/cryps1s/status/1824077327577591827

This is a fake story. Turns out that getting security information from the CISO of a mass surveillance company trying to build a dystopian police state providing police with "predictive policing" software largely based on racial stereotypes is a bad move.

Trail of Bits iVerify EDR product runs in the standard app sandbox on iOS and Android. It can hardly do anything beyond static scanning of APKs. It's a crippled antivirus app marketed as detecting sophisticated attackers. It's a scam and Trail of Bits has lost all credibility.

Trail of Bits is working closely with Palantir and is focused on getting government contracts. They've created a fake news story to promote their EDR product which has been propagated across mainstream media. Journalists didn't do basic due diligence and spread false marketing.

One of the apps in this suite is the Showcase retail demo app for Verizon to show off phones in their store. It requires manually setting up the phone as a retail demo device. Verizon says they don't use it anymore. This demo app is where Trail of Bits / iVerify found an HTTP connection.

In order to exploit Verizon's demo app not verifying a signature for the downloaded config or even fetching it via HTTPS, it would already need to be set up to use retail demo mode. The contractors Verizon paid to implement it did a bad job, but it's not a Pixel security issue.

Since it's an obsolete app that Verizon isn't using anymore, the stock Pixel OS already removed it in Android 15 which is visible in the Android 15 Beta. The other Verizon apps needed to fully use their network which get activated with a Verizon SIM are of course still included.

GrapheneOS has been omitting these carrier apps since around 2015. This meant GrapheneOS users weren't able to use Sprint and can't use certain features on Verizon like Wi-Fi calling. Apple has a special deal with Verizon and implements the control they want as part of iOS.

The restrictions set in Verizon's carrier configuration and the functionality implemented by these apps is a major part of why they prevent installing an alternate OS on any device sold by Verizon. They want to control how people use features like tethering and Wi-Fi calling.

Every month, a bunch of real vulnerabilities are patched for Android on Pixels. A subset of these including all High and Critical severity issues in Android itself get backported to older Android releases for non-Pixels too. iVerify's finding isn't even a Low severity issue.

Supposedly reputable news organizations including the Washington Post, New York Times, Wired, etc. are largely acting as a press release distribution service for governments and corporations. If it fits a narrative they want to tell, there's no attempt to question or confirm it.

Trail of Bits employees should think over whether they want to be part of building a police state with pervasive surveillance as Palantir partners. You're not even working at a reputable security company anymore. Trail of Bits has become the charlatans they used to criticize.

 

Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won't.

https://wired.com/story/google-android-pixel-showcase-vulnerability/

iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries.

This is one of multiple carrier apps in the stock Pixel OS which we don't include in GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren't dishonest.

"iVerify vice president of research [...] points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target's device before being able to exploit it."

"The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google's Fernandez emphasized this limiting factor as well."

Wired should retract the article and explain how they're going to do better. They keep publishing this kind of fearmongering misinformation from information security industry charlatans. There are real remote code execution flaws being fixed in Android and iOS but they push this.

GrapheneOS has gone through each of the carrier apps included on each Pixel generation to determine their purpose and consequences of including or excluding them. Here it is being excluded from the new adevtool project for ProtonAOSP and GrapheneOS in 2021:

https://github.com/GrapheneOS/adevtool/commit/9c5ac945f#diff-95eb7b50f2781158146e721436d7c5d6f7421755906307a6b7a1f727bb20d53eR109

GrapheneOS has publicly posted about the carrier apps included on Pixels and their privileged permissions on numerous occasions. We talked about the ones which get enabled automatically based on using a SIM from a carrier rather than a disabled demo without an automatic trigger.

Here's a thread from 2017 posted from our project's previous Twitter account which was stolen in 2018:

https://x.com/CopperheadOS/status/903362108053704704

Incredibly important to note that this thread directly involves the CEO of Trail of Bits that's now claiming their iVerify team discovered these apps.

Stock Pixel OS no longer gives the same level of access to the active carrier. This disabled demo app was never a real part of the problem but it was part of the apps we were referring to and excluding. We didn't claim credit for discovering this when we became aware of it in 2015.

Dan Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It's incredibly hypocritical to use the same tactics and expect not to be held to the same standard. We're not doing anything he hasn't done himself many times before.

It's ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware. An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.

Someone linked this article not taking claims from the company promoting themselves at face value, which is far better than most of the news coverage which got completely duped into believing in a completely fabricated threat:

https://therecord.media/google-to-remove-app-pixel-vulnerable

Still not good enough.

Palantir is a mass surveillance company aiding with egregious human rights violations. CEO of Trail of Bits that's working with them is a diehard Apple fanboy and has been dismissing GrapheneOS for years. Here's some real data to ponder:

https://grapheneos.social/@GrapheneOS/112826067364945164

2nd thread including a better explanation of the actual situation:

https://grapheneos.social/@GrapheneOS/112972984066659887

[–] [email protected] 1 points 6 days ago (1 children)

Do you have "block all connections without VPN" enabled in Android settings? Do you have a VPN in use for multiple profiles? SMS and voice over Wi-Fi are not routed through VPNs on the main user profile.

[–] [email protected] 1 points 1 week ago

Oh, I understand. My apologies.

 

Changes in version 127.0.6533.104.1:

  • temporarily disable Shadow Call Stack due to causing app compatibility issues with certain apps using the WebView

A full list of changes from the previous release (version 127.0.6533.104.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

[–] [email protected] 0 points 2 weeks ago (2 children)

KeePassDX is a password manager, which should be similar to Authy. You can read about KeePassDX here: https://github.com/Kunzisoft/KeePassDX It allows easy management of TOTP in KeePassDX.

[–] [email protected] 2 points 2 weeks ago

Pixel 6 becomes End Of Life in October 2026. Google determines it, you may read more about this here: https://support.google.com/pixelphone/answer/4457705?hl=en

[–] [email protected] 1 points 2 weeks ago (3 children)

Does this still happen on 2024080500 of GOS for you?

[–] [email protected] 1 points 2 weeks ago* (last edited 2 weeks ago) (4 children)

For me personally, I use KeePassDX which supports TOTP

[–] [email protected] 2 points 3 weeks ago

Oh that's really cool!

[–] [email protected] 1 points 4 weeks ago

GrapheneOS includes our own modern camera app focused on privacy and security. It includes modes for capturing images, videos and QR / barcode scanning along with additional modes based on CameraX vendor extensions (Portrait, HDR, Night, Face Retouch and Auto) on devices where they're available (Pixels currently only have support for Night mode).

Source: https://grapheneos.org/usage#grapheneos-camera-app

This forum thread also has further discussions on this: https://discuss.grapheneos.org/d/1889-grapheneos-camera-portrait-night-shot-etc

Hope this helps answer your question.

[–] [email protected] 2 points 1 month ago

Accrescent has a list of apps that can be easily installed. Unlike Obtainium, Accrescent doesn't require the user to spend a lot of time adding each app they want to auto update/install to Accrescent, as the apps are already there. Similar to the Play Store.

Obtainium's only advantage to me is that you can add almost any app source, while Accrescent is still in development and as such lacks lots of apps at the moment.

[–] [email protected] 3 points 1 month ago

They are paid to research and report on a topic after all, so it would make sense for them to double check that everything is up to date.

[–] [email protected] 0 points 1 month ago

Yeah, significantly more secure, while also being way more modern.

[–] [email protected] 3 points 1 month ago

Oh sweet! Hope you like the OS! Please reach out if you need any help!
