Releases

About the releases

These releases are available as both tags in the source code repositories and official builds.

The factory images are used for the initial installation and can be verified with signify. See the installation page for details.

GrapheneOS uses automatic over-the-air updates, but full update packages are listed below for uncommon use cases like never connecting the device to the internet. A full update package can upgrade from any past version to the new version. The over-the-air updates use delta update packages when available. Those aren't currently linked below but may be in the future once they're being used more consistently. Update packages are not for performing the initial installation and you should ignore incorrect guides trying to use them to install the OS.

The update packages have an internal signature verified by the update client (or recovery when sideloading). Downgrade attacks are also prevented, and downgrades cannot be done unless a special downgrade update package has been signed with the release key. The internal payload for update_engine is also signed, providing another layer of signature verification and downgrade protection. Verified boot and the hardware-backed keystore also act as a final layer of protection.

Releases are tested by the developers and are then pushed out via the Alpha channel. The release is then pushed out via the Beta channel shortly afterwards. Finally, the release is then pushed out via the Stable channel after being tested by some users using the Beta channel. In some cases, problems are caught during Beta channel testing and a new release is made via the Beta channel to replace the aborted one. In general, it's not possible to downgrade unless a downgrade update package is generated, so use the Stable channel if you cannot tolerate dealing with temporary issues while a new release for the Beta channel is being created.

Release announcements

Releases are announced on this page and included in an atom feed usable from any standard feed reader app. A release announcement indicates that the source code tags are available and that the official builds will soon be pushed out via the Alpha channel.

The releases are mainly discussed in the threads posted on our discussion forum with the Announcements tag.

The announcements are also posted from the @GrapheneOS X account, the @GrapheneOS Mastodon account, the @grapheneos.org Bluesky account, the official subreddit, and in the official GrapheneOS chat rooms including the dedicated releases room/channel on the respective chat platform (Matrix, Discord, Telegram). Each of these links to the main discussion thread on our discussion forum.

Devices

Pixel 9 Pro Fold

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 9 Pro XL

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 9 Pro

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 9

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 8a

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 8 Pro

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 8

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel Fold

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel Tablet

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 7a

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 7 Pro

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 7

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 6a

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 6 Pro

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 6

Channel  Version     Downloads
Stable   2024111800
Beta     2024111800
Alpha    2024111800

Pixel 5a (legacy extended support)

Channel  Version     Downloads
Stable   2024101200
Beta     2024101200
Alpha    2024101200

Pixel 5 (legacy extended support)

Channel  Version     Downloads
Stable   2024101200
Beta     2024101200
Alpha    2024101200

Pixel 4a (5G) (legacy extended support)

Channel  Version     Downloads
Stable   2024101200
Beta     2024101200
Alpha    2024101200

Pixel 4a (legacy extended support)

Channel  Version     Downloads
Stable   2024092100
Beta     2024092100
Alpha    2024092100

Pixel 4 XL (legacy extended support)

Channel  Version     Downloads
Stable   2024092100
Beta     2024092100
Alpha    2024092100

Pixel 4 (legacy extended support)

Channel  Version     Downloads
Stable   2024092100
Beta     2024092100
Alpha    2024092100

Changelog

List of tagged releases. Snapshot releases without tags such as early releases of the project and early device support releases are not listed.

The changelog is also available as an atom feed usable in any standard feed reader.

The legacy changelog page has the release notes from before the rebranding of the project in 2018 and 2019.

2024111800

Tags:

  • 2024111800 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024111700 release:

  • temporarily revert putting Private Space data at rest when locking it because some users want to be able to unlock it with their fingerprint so we need to make this into a toggle rather than hard-wired (will be added back in a near future release as an option)
  • switch default display color mode to Natural for fresh installs for more accurate image/video colors and to avoid bugs tied to the other options

2024111700

Tags:

  • 2024111700 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024110700 release:

  • Private Space: put data at rest immediately after stopping the profile to match user profile behavior instead of only on reboot
  • fix Mock Location on devices without any standard location providers (only Pixel Tablet)
  • backport mainline APEX module patches for ART, DNS Resolver, DocumentsUI, Media, Media Provider, Network Stack, PermissionController, Remote Key Provisioning and Wi-Fi
  • raise maximum running users from the standard 3 to 4 for 6GB memory, 6 for 8GB memory, 10 for 12GB memory and 14 for 16GB memory
  • Settings: disable Bluetooth contact sharing by default
  • Settings: fix Private Space handling in Passwords & accounts > Additional services
  • Settings: fix multiple cases of missing user profiles handling for added settings
  • Dialer: fix RTT related crash from not using the correct theme configuration
  • Contacts Provider: work around upstream bug causing deadlock with contact scopes
  • temporarily don't report harmless fingerprint-service.goodix crash
  • temporarily disable hardened_malloc for vendor audio service due to Pixel Tablet bug
  • Sandboxed Google Play compatibility layer: significantly rework client side compatibility layer to avoid deadlocks and to avoid allowing starting apps with no exported components (i.e. not even a launcher activity)
  • Sandboxed Google Play compatibility layer: overhaul approach to raising Google Play components to the foreground to avoid it always being considered in the foreground while also solving an issue triggered in a rare edge case at startup
  • Sandboxed Google Play compatibility layer: stop Play Store from attempting to auto-install some system component packages, such as "Android System SafetyCore" (com.google.android.safetycore) and "Android System Key Verifier" (com.google.android.contactkeys)
  • Sandboxed Google Play compatibility layer: fix Android Auto voice commands not working in some cases
  • Sandboxed Google Play compatibility layer: fix one of the Android Auto permission toggle checks for companion devices
  • Sandboxed Google Play compatibility layer: extend opt-in Android Auto "Allow permissions for handling phone calls" toggle to allow access to the Bluetooth adapter hardware address for hands-free audio support with wired Android Auto rather than only wireless Android Auto where the baseline toggle already grants access to that
  • Sandboxed Google Play compatibility layer: don't stop apps that use Dynamite modules when Play services stops since the new version of the Dynamite client library handles dynamic re-connection without app restart and older ones will handle this by stopping
  • kernel (5.10, 5.15, 6.1, 6.6): disable unused TIPC protocol support
  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.170
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.115
  • kernel (6.6): update to latest GKI LTS branch revision
  • System Updater: show failure notification for update_engine errors
  • System Updater: add missing UpdateEngine.unbind() to avoid extra callbacks for progress and error reporting
  • System Updater: avoid treating non-404 errors such as a connection failure as lack of an incremental update
  • System Updater: handle a partially downloaded incremental update being removed from the server by falling back to the full update instead of retrying resuming the incremental download until the next update (this will allow us to remove an incremental for the latest available version to save storage space or work around a potential update_engine bug without it causing download resumption errors)
  • System Updater: delete stale update from a failed download of a previous release slightly earlier
  • Vanadium: update to version 130.0.6723.102.1
  • Vanadium: update to version 131.0.6778.39.0
  • GmsCompatConfig: update to version 149

2024110700

Tags:

  • 2024110700 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024110400 release:

  • full 2024-11-05 security patch level
  • rebased onto AP3A.241105.007 Android Open Source Project release (November monthly release of Android 15)
  • ignore Person.Builder.setUri() when Contact Scopes is enabled since apps can't access the contact's URI with Contact Scopes enabled (this resolves the incompatibility between Contact Scopes and apps attaching contact information to notifications which was introduced by a November Android Security Bulletin patch)
  • fix "App info" uninstall dialog link added by GrapheneOS not working in some cases for secondary profile apps
  • GmsCompatConfig: update to version 147
  • Vanadium: update to version 130.0.6723.102.0

2024110400

This is an early November security update release based on the November 2024 security patch backports since a monthly Android Open Source Project and stock Pixel OS release hasn't been published yet.

Tags:

  • 2024110400 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024103100 release:

  • full 2024-11-01 security patch level
  • fix a bunch of upstream Android bugs breaking SMS and MMS functionality in secondary profiles, including both Android 15 regressions and pre-existing issues
  • backport upstream Android fix for UsageStatsDatabase locking from the AOSP main branch
  • Sandboxed Google Play compatibility layer: fix flag overrides being partly ignored on recent versions
  • add workaround for rare system_server null pointer exception crash in showShutdownDialog()
  • add missing null handling for extended application error report
  • fix upstream bug causing App Not Responding link to not work properly outside of Owner
  • Settings: avoid opening parent user log viewer in nested profiles (Private Space, work profile)
  • System Updater, GmsCompat: reduce included SettingsLib components to reduce the size of these apps from around 10MB each to below 4MB each
  • GmsCompatConfig: update to version 146

2024103100

Tags:

  • 2024103100 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024102400 release:

  • improve our existing fix for an upstream Android bug impacting apps using the telephony service in secondary users to fix support for disabling re-routing of Google Play location requests to the OS for fresh installs of sandboxed Google Play since the release of Android 15
  • Sandboxed Google Play compatibility layer: extend wired Android Auto toggle to additional methods used in edge cases
  • fix changing USB-C port control setting to a lower security level not fully applying until after locking and unlocking
  • Settings: fix per-app exploit protection toggles for Private Space
  • Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold: disable Wi-Fi HAL debug logging to avoid memory corruption caught by hardware memory tagging on GrapheneOS
  • raise system log buffer size from 256KiB to 512KiB to make logs obtained by users reporting issues more useful
  • enable stamp configuration for microdroid kernel builds to set LOCALVERSION based on version control information as expected
  • kernel (6.6): disable unused hibernation support
  • kernel (6.6): disable unused TIOCSTI ioctl (already blocked via standard Android SELinux ioctl filtering)
  • kernel (6.6): disable unused cachestat system call (already blocked for apps via standard Android seccomp-bpf policy)
  • kernel (6.6): enable random kmalloc caches for x86_64 and microdroid too, not only bare metal arm64
  • kernel (6.6): enable full struct randomization for x86_64 and microdroid too, not only bare metal arm64
  • kernel (6.6): enable DEBUG_SG for microdroid too, not only bare metal
  • kernel (6.6): enable FORTIFY_SOURCE for microdroid too, not only bare metal
  • kernel (6.6): disable BINFMT_MISC for microdroid too, not only bare metal
  • kernel (6.6): disable RSEQ for microdroid too, not only bare metal
  • kernel (6.6): add SYSRQ restrictions for microdroid too, not only bare metal
  • kernel (6.6): use the same KFENCE configuration for microdroid as bare metal
  • mark Sensors permission as implicitly added
  • avoid adding Sensors permission to hasCode=false packages
  • improve our implementation of extending verified boot to out-of-band shared library APK updates
  • Log Viewer: add userType line to header in non-Owner users
  • Log Viewer: add targetSdk and sharedUid to package info header
  • System Updater: update minimum and target API level to 35 (Android 15)
  • adevtool: update carrier settings
  • Vanadium: update to version 130.0.6723.86.0
  • Info: update to version 5
  • Auditor: update to version 87
  • Sandboxed Google Play compatibility layer: fix development support in OS debug builds

2024102400

Notice which will not impact most users: apps which were only installed in secondary users but not Owner before updating to Android 15 and which were then installed in Owner after updating to Android 15 will have a one-time revocation of their Network/Sensors permissions after updating to this release as a minor consequence of migrating them from Android 14 again.

Tags:

  • 2024102400 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024102100 release:

  • switch back to our original stricter approach to DNS leak blocking from our 2024050900 release with an additional fix for an Android DNS routing bug causing requests to the VPN DNS servers to be routed incorrectly, which should avoid the compatibility issues experienced with certain VPN apps when we tried to ship it before
  • avoid resetting Network or Sensors back to the global default after app updates in a specific case when migrating the state from Android 14 or earlier
  • add an extra one-time migration of Network and Sensors being disabled in Android 14 to Android 15 to work around an issue with the previous migration of the permission state which occurred for some users with some of their apps
  • fix ancient Android bug causing widgets to disappear from the user's home screen when the user stops, which was a major usability issue for secondary users
  • Keyboard: extend fix for upstream layout bug in landscape mode to fully fix it for 3-button navigation in addition to the default gesture navigation
  • Gallery: fix upstream cropping activity bug when the input and output URI are the same to fix setting profile pictures for user profiles
  • raise backup service transport (Seedvault) timeout from 10 minutes / 5 minutes to 60 minutes / 30 minutes to handle very large backups, particularly for the device-to-device mode which includes nearly all app data
  • temporarily revert enforcing minimum 64kiB stack guard size for arm64 since Facebook recently included a buggy stack overflow check for the React Native Hermes runtime that's incompatible with larger gap sizes and beginning to be shipped by apps (revert was not applied for Android 15 port)
  • Sandboxed Google Play compatibility layer: add stubs for update_engine wrapper API to avoid potential Play services crashes if the existing approaches to disable the update service fail
  • Pixel 8, Pixel 8 Pro, Pixel 8a: disable Wi-Fi HAL debug logging to avoid memory corruption caught by hardware memory tagging on GrapheneOS
  • kernel (6.1): update to latest GKI LTS branch revision
  • use hardened GrapheneOS 6.6 LTS kernel for microdroid virtual machines for both arm64 and x86_64
  • Vanadium: update to version 130.0.6723.73.0
  • GmsCompatConfig: update to version 144
  • GmsCompatConfig: update to version 145

2024102100

Tags:

  • 2024102100 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024102000 release:

  • Keyboard: fix upstream bug triggered by Android 15 causing layout to be cut off in landscape mode on devices with a display cutout
  • enforce stack clash protection for arm64

2024102000

Tags:

  • 2024102000 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024101900 release:

  • Sandboxed Google Play compatibility layer: adjust one of the stubs for the NearbyManager API to resolve a remaining issue
  • Sandboxed Google Play compatibility layer: use per-network MAC randomization and enable send device name for wireless Android Auto networks to avoid introducing compatibility issues by default for certain cars with either our per-connection MAC randomization feature or default disabled DHCP device name
  • adjust hasSendDhcpHostnameEnabledChanged() based on new "Send device name" setting value to avoid introducing a permission issue
  • temporarily disable memory tagging for the Pixel Camera Services app until memory corruption bugs are resolved
  • extend one-time removal of leftover Vanadium library state to handle it for Alpha/Beta users who removed it from Owner themselves but still have it in other users

2024101900

Tags:

  • 2024101900 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024101801 release:

  • drop existing "Send device name" setting value for all Wi-Fi networks to start from our default of disabled for all users including people who updated to the Beta and Alpha releases already (we already switched the default to off for new networks in 2024101800)
  • limit removal of shared library updates as part of our system APK verified boot feature to those equal to the OS version since older versions are already dealt with and removing them this way leaves behind stale package state cluttering the UI
  • run a one-time task to remove leftover Vanadium library state to avoid showing a list of old versions
  • Settings: fix upstream Android 15 bug causing a crash for the network privacy menu when the AP name has special characters
  • Sandboxed Google Play compatibility layer: add stubs for NearbyManager API to avoid crashes from Find My Device feature
  • Dialer: fix new upstream crashes in Android 15 caused by R8 optimization
  • fix upstream Android 15 bug causing a Wallet quick tile provided by a user installed app to be automatically added, which isn't intended
  • fix upstream Android bug causing crash when showing app's first confirmation prompt for PackageInstaller

2024101801

Tags:

  • 2024101801 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024101800 release:

  • Sandboxed Google Play compatibility layer: only check for SET_BIOMETRIC_DIALOG_ADVANCED permission for GmsCompat apps to avoid causing crashes elsewhere

2024101800

Tags:

  • 2024101800 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024101701 release:

  • stop enabling the new Android 15 "Send device name" toggle for Wi-Fi networks by default to continue avoiding sending the device model (default) or user configured device name as a DHCP client hostname (Alpha channel testers on our previous Android 15 releases need to toggle it off for each existing network themselves if they don't want it)
  • Sandboxed Google Play compatibility layer: handle lack of SET_BIOMETRIC_DIALOG_ADVANCED permission

2024101701

Tags:

  • 2024101701 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024101700 release:

  • Sandboxed Google Play compatibility layer: declare C2DM SEND permission ourselves in addition to the already covered READ_GSERVICES and C2DM RECEIVE to avoid issues with Firebase Cloud Messaging for fresh installs of sandboxed Google Play without the Google Services Framework (GSF) app that's no longer a dependency in our App Store for Android 15
  • Settings: enable our per-connection Wi-Fi MAC randomization feature by default for new networks again on Android 15 instead of the standard per-network approach
  • Settings: extend change in the previous release for hiding inaccurate Private Space information
  • persist GrapheneOS-specific package state when archiving an app
  • Radio Info, Wi-Fi testing (Settings): opt-out of Android 15 edge-to-edge since it's not properly supported yet (upstream bug)
  • stop excluding Gallery from Private Space

2024101700

This is the second GrapheneOS release based on Android 15, built from the October 15th stable release of Android 15. It fixes nearly all of the reported regressions, but we have a couple more things to fix in another release later today before the release will be able to reach Beta and Stable.

Tags:

  • 2024101700 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024101600 release:

  • fix upstream Android 15 bug in InputMethodManagerService.resetDefaultImeLocked() causing system_server crash from null pointer exception
  • fix upstream Android 15 bug in KeyguardUpdateMonitor.onPostureChanged() causing SystemUI crash on foldable devices from null pointer exception due to GrapheneOS currently only having fingerprint unlock and not face unlock
  • Messaging: add new permissions needed on Android 15 (READ_CELL_BROADCASTS and RECEIVE_WAP_PUSH) which avoids it prompting to be set as the default app instead of completing certain actions requiring privileges it was missing
  • Settings: port our default enabled per-connection MAC randomization option to the new Compose-based UI in Android 15 so the default mode displays properly and it can be restored back to the default value
  • fix Android 15 port of our toggle for disabling granting our Sensors permission by default
  • Storage Manager, Emergency Info: opt-out of Android 15 edge-to-edge since it's not properly supported yet (upstream bugs)
  • Sandboxed Google Play compatibility layer: replace GmsCompatConfig Bluetooth stubs with in-place checks for improved reliability and readability
  • ignore the standard stock OS configured Factory Reset Protection since installing GrapheneOS implies the ability to bypass it via the device being unlocked and if we added our own anti-theft system it would not use the same approach using Google account recovery
  • disable temporary unconditional system crash notifications since we've gotten the initial feedback we needed via the previous release
  • Launcher: remove "Install in private" shortcut for now since the standard behavior of opening the app in the first party app store isn't currently useful on GrapheneOS and is confusing to users
  • Settings: hide inaccurate "access private space when hidden" text that's not currently relevant to GrapheneOS since AOSP doesn't have this launcher feature yet
  • Keyboard: remove launcher icon to avoid it temporarily showing up in new users/profiles (not a recent regression)
  • GmsCompatConfig: update to version 142
  • GmsCompatConfig: update to version 143

2024101600

This is the initial GrapheneOS release based on Android 15, built from the October 15th stable release of Android 15. We had previously ported all of our features to Android 15 based on the Beta releases and have been finishing it up based on the early September release of the source code for Android 15. Our initial port of all our features was completed on September 3rd and we've been polishing it up while we've been working on regular development.

Tags:

  • 2024101600 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2024101200 release:

  • full 2024-10-05 security patch level since the Pixel patches were disclosed in the Pixel Update Bulletin today
  • rebased onto AP3A.241005.015 Android Open Source Project release (Android 15)
  • full port of GrapheneOS features to Android 15 including integration of our features with the new Android 15 features including Private Space
  • Sandboxed Google Play compatibility layer: add stubs to fully remove the need for the Google Services Framework (GSF) app for fresh installs of sandboxed Google Play, which has been removed as a dependency in our app repository for Android 15+, but it should still be kept for existing installs to avoid potential issues
  • Pixel 9 Pro Fold: add assorted device-specific Settings and SystemUI changes to better match the stock OS
  • disable Bluetooth auto-on feature by default
  • temporarily enable system crash notifications unconditionally for the initial release based on Android 15
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.56
  • Seedvault: update to a newer revision (will be replaced with a better backup implementation in the future)
  • Seedvault: minor changes to prepare for a complete fork and overhaul in the future
  • Vanadium: update to version 130.0.6723.58.0
  • GmsCompatConfig: update to version 141

2024101200

Pixel 4a (5G), Pixel 5 and Pixel 5a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024101200-redfin (Pixel 4a (5G), Pixel 5)
  • 2024101200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
  • 2024101200-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024100800 release:

  • hardened_malloc: preserve hardware memory tagging enforcement flag for slab mappings when releasing free slabs
  • hardened_malloc: improve accuracy of probability hint for hardware memory tagging branches
  • temporarily revert enforcing minimum 64kiB stack guard size for arm64 since Facebook recently included a buggy stack overflow check for the React Native Hermes runtime that's incompatible with larger gap sizes and beginning to be shipped by apps
  • Log Viewer: add "bootloader unlocked" and "dev options enabled" flags to header
  • Log Viewer: add "More info" button to native crash reports
  • Log Viewer: include contents of App Not Responding (ANR) stack traces file in ANR error reports
  • Log Viewer: omit processUptime header line when it's unknown
  • Settings Intelligence (Settings search): fix upstream bug resulting in corruption of the query history database which leads to the search crashing
  • Launcher: mark 2x2 workspace option as being for phones
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.54
  • adevtool: update carrier settings
  • Vanadium: update to version 129.0.6668.100.0

2024100800

This is an early October security update release based on the October 2024 security patch backports since a monthly Android Open Source Project and stock Pixel OS release based on Android 14 QPR3 hasn't been published yet. Android 15 is scheduled for release around October 15th and they may not have a monthly release based on Android 14 QPR3 before then.

Pixel 4a (5G), Pixel 5 and Pixel 5a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024100800-redfin (Pixel 4a (5G), Pixel 5)
  • 2024100800 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
  • 2024100800-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024092900 release:

  • full 2024-10-01 security patch level
  • overhaul the implementation of our USB-C port control feature to improve robustness and error reporting
  • fix an upstream Android Bluetooth use-after-free bug uncovered by GrapheneOS hardware memory tagging that's triggered when obtaining internet access from another device via Bluetooth
  • fix an upstream Android race condition bug in handling of system error files to avoid using the wrong timestamps for system errors and then reporting them as new errors after reboot
  • work around an upstream Android bug causing our Log Viewer feature to stop working after system_server restarts
  • add handling for early boot-time system journal notifications
  • kernel (5.10, 5.15, 6.1, 6.6): backport upstream patch fixing a hole in SELinux W^X enforcement
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.226
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.167
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.112
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.53
  • TalkBack (screen reader): update dependencies
  • Vanadium: update to version 129.0.6668.81.0
  • GmsCompatConfig: update to version 140

2024092900

Pixel 4a (5G), Pixel 5 and Pixel 5a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024092900-redfin (Pixel 4a (5G), Pixel 5)
  • 2024092900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
  • 2024092900-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024091900 release:

  • extend standard Android eBPF filter to prevent apps sending multicast packets outside of the VPN tunnel either directly or indirectly via kernel-generated multicast traffic (IGMP, MLD) when leak blocking is enabled (2nd generation implementation with improved app compatibility)
  • add netfilter-based multicast firewall only permitting sending multicast packets to permitted tunnel interfaces for the process to prevent apps sending multicast packets through a VPN tunnel for another profile (2nd generation implementation with improved IPv6 and app compatibility)
  • Sandboxed Google Play compatibility layer: add stub for Bluetooth AdvertisingSetParameters.setOwnAddressType() API needed for receiving files through Quick Share
  • Sandboxed Google Play compatibility layer: ignore GattServer in BTLeAdvertiser.startAdvertisingSet() needed for receiving files through Quick Share
  • Auditor: add battery optimization exception to avoid delays for the opt-in scheduled remote verification since users rarely interact with the app resulting in it being placed into semi-restricted standby buckets
  • kernel (6.6): update to latest GKI LTS branch revision
  • Auditor: update to version 86
  • App Store: update to version 26
  • Vanadium: update to version 129.0.6668.70.0
  • GmsCompatConfig: update to version 138
  • GmsCompatConfig: update to version 139

2024091900

Pixel 4a (5G), Pixel 5 and Pixel 5a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024091900-redfin (Pixel 4a (5G), Pixel 5)
  • 2024091900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
  • 2024091900-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024091700 release:

  • temporarily revert multicast leak blocking firewall since it causes legacy 5th gen devices to lose compatibility with IPv6-only carriers and causes certain compatibility issues with IPv6 on Wi-Fi
  • temporarily revert multicast leak blocking eBPF filter extensions until app compatibility is addressed in a similar way to how the Network permission mimics non-security errors

2024091700

Pixel 4a (5G), Pixel 5 and Pixel 5a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024091700-redfin (Pixel 4a (5G), Pixel 5)
  • 2024091700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
  • 2024091700-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024090400 release:

  • Sandboxed Google Play compatibility layer: handle the updated client dynamite module initialization sequence
  • extend standard Android eBPF filter to prevent apps sending multicast packets outside of the VPN tunnel either directly or indirectly via kernel-generated multicast traffic (IGMP, MLD) when leak blocking is enabled
  • add netfilter-based multicast firewall only permitting sending multicast packets to permitted interfaces for the process to prevent apps sending multicast packets through a disallowed interface such as a VPN tunnel for another profile
  • exclude com.android.rkpdapp from backup/restore to avoid breaking key provisioning for hardware key attestation including for Auditor (users can clear RemoteProvisioner system app data via Settings if they restored data for it and have this issue)
  • Pixel 9 Pro Fold: temporarily manually add resource overlays not yet automatically handled by adevtool from the stock Pixel OS to use the correct layout for quick settings, status bar, etc. and to provide the split folded/unfolded auto-rotate settings (this will be replaced by adevtool improvements before the end of the month since we'll need it for more resources in Android 15)
  • hardened_malloc: fix microdroid virtual machine compatibility by using armv8a+dotprod+memtag when enabling memory tagging instead of armv9+memtag
  • init: disable auto-reboot setup for microdroid virtual machines
  • expat: backport patches for CVE-2024-28757, CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492 (none of these is exploitable on official GrapheneOS: the DoS bug involves a feature Android doesn't use, the integer overflows require that size_t is 32-bit, which is never going to be the case due to the code only being used in 64-bit processes, and the negative parameter API issue requires a usage pattern not done by Android; however, the integer overflows would be exploitable on an official build for a 32-bit device or a 64-bit device still partially using 32-bit drivers)
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.225
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.165
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.104
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.51
  • TalkBack (screen reader): update dependencies
  • Vanadium: update to version 128.0.6613.127.0
  • Vanadium: update to version 128.0.6613.146.0
  • Vanadium: update to version 129.0.6668.54.0
  • App Store: update to version 25
  • Auditor: update to version 85
  • Info: update to version 4
  • GmsCompatConfig: update to version 136
  • GmsCompatConfig: update to version 137

2024090400

Pixel 4a (5G), Pixel 5 and Pixel 5a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024090400-redfin (Pixel 4a (5G), Pixel 5)
  • 2024090400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
  • 2024090400-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024083100 release:

  • full 2024-09-05 security patch level
  • rebased onto AP2A.240905.003 (generic) and AD1A.240905.004 (caimito) Android Open Source Project releases
  • Sandboxed Google Play compatibility layer: add support for using GSF 34 on SDK 35 (Android 15) to handle the case where users have just upgraded the OS but haven't yet updated GSF
  • Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold: fix an upstream use-after-free bug present in 2 drivers
  • allow Pixel Thermometer and Fitbit to see each other as a special case
  • allow current launcher to see the Pixel Thermometer app as a special case
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.47
  • GmsCompatConfig: update to version 134
  • GmsCompatConfig: update to version 135

2024083100

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024083100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024083100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
  • 2024083100-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024082200 release:

  • don't hide Exploit protection Safety Center item in secondary users
  • Settings: improve UI for GrapheneOS app toggles including adding a screen for viewing the values across apps for each toggle
  • add more infrastructure for blocking dynamic code loading
  • Settings: add per-app memory dynamic code loading restriction toggle (applies to both native code and Android Runtime class loading for Java/Kotlin)
  • Settings: add per-app storage dynamic code loading restriction toggle (applies to both native code and Android Runtime class loading for Java/Kotlin), temporarily without a global toggle until Google phases out the old dynamite module system for Google Play due to many apps temporarily depending on this through it
  • Settings: add per-app WebView JIT restriction toggle
  • add production support for the Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL and Pixel 9 Pro Fold
  • add support for enabling app association restrictions without exemptions (currently for use with Pixel Thermometer)
  • add support for Pixel Thermometer app available from our App Store for the Pixel 8 Pro, Pixel 9 Pro and Pixel 9 Pro XL with strict isolation from other apps
  • add missing feature compatibility matrix definitions (mainly for 9th generation Pixels)
  • Contact Scopes: explicitly set initialization order after ContactsProvider2 to avoid uncaught exceptions from a race
  • kernel (6.1): disable unused hibernation support
  • kernel (6.1, 6.6): enable struct randomization in the full mode with a deterministic seed based on kernel commit timestamp (we plan to also incorporate the device family and eventually make the seed specific to each device model, but it will increase our build/testing workload)
  • kernel (6.6): enable random kmalloc caches
  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.96
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.46
  • Vanadium: update to version 128.0.6613.88.1
  • Vanadium: update to version 128.0.6613.99.0
  • Auditor: update to version 84
  • GmsCompatConfig: update to version 131
  • GmsCompatConfig: update to version 132
  • GmsCompatConfig: update to version 133
  • drop restriction on modifying GrapheneOS-specific per-package settings via ADB shell since it makes certain important testing require debug builds and has no real security value
  • flash-all.sh: restore POSIX sh compatibility to allow using sh instead of bash on systems where sh is dash or another non-bash-compatible shell
  • add support for using backslashes in the passphrases for encrypting the keys for signing OS releases

2024082200

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024082200-redfin (Pixel 4a (5G), Pixel 5)
  • 2024082200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024082000 release:

  • Settings: fix regression in the previous release which blocked it reaching the Stable channel by making the duress PIN/password configuration unavailable in secondary users again (it was only usable when the secondary user had the same unlock PIN/password as the Owner user)
  • adevtool: remove non-functional repair mode support
  • adevtool: remove non-functional digital car key support (requires privileged Google Play)
  • adevtool: remove invalid clock font family overlay (google-sans-clock font not included)
  • adevtool: update carrier settings
  • Pixel 8a: add Let's Encrypt (ISRG) roots for Samsung gnssd SUPL connections via adevtool instead to share the implementation with 9th generation Pixels
  • kernel (6.1): update to latest GKI LTS branch revision
  • Auditor: update to version 83
  • Vanadium: update to version 128.0.6613.88.0

2024082000

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024082000-redfin (Pixel 4a (5G), Pixel 5)
  • 2024082000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080600 release:

  • Settings: enable Safety Center and port all of the relevant GrapheneOS settings to it both to provide the more modern user interface and to prepare for the release of Android 15
  • hide Safety Center camera extensions fallback toggle when it's not relevant (not used on Pixels)
  • Package Installer: fix upstream bug causing null pointer exception in rare edge cases including a rare race condition
  • require Owner user credential to check whether a duress PIN/password is enabled as hardening against potential UI bugs such as the upstream predictive back gesture issue we patched in the Settings app
  • apply upstream change for 6th generation Pixels making snapuserd available in recovery to avoid a problem in a rare edge case where a factory reset occurs before finishing booting a new update
  • apply minor upstream fixes for Settings which were temporarily only shipped for certain Pixels
  • add fastboot to otatools.zip for optimized factory images generation
  • flash-all: raise minimum fastboot version to 35.0.1
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.223
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.164
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.95
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.45
  • remove duplicate Android.bp from unpacked otatools.zip to avoid breaking subsequent builds when it's unpacked in the source tree
  • add Android 15 Beta build configuration for early development/testing of our Android 15 port via an ap2f release configuration enabling all of the available Android 15 feature flags
  • port GrapheneOS changes to new code for Android 15 used by our Android 15 Beta build configuration
  • Vanadium: update to version 127.0.6533.104.0
  • Vanadium: update to version 127.0.6533.104.1
  • Vanadium: update to version 127.0.6533.104.2
  • Vanadium: update to version 127.0.6533.104.3
  • GmsCompatConfig: update to version 128
  • GmsCompatConfig: update to version 129
  • GmsCompatConfig: update to version 130

2024080600

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024080600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024080600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080500 release:

  • full 2024-08-05 security patch level
  • rebased onto AP2A.240805.005 Android Open Source Project release
  • adevtool: update dependencies
  • adevtool: improve code quality
  • adevtool: use fastboot packs to extract firmware images to avoid the need to download over-the-air updates, which also removes the dependency on python and python-protobuf for extracting vendor files
  • kernel (6.6): update to latest GKI LTS branch revision
  • Vanadium: update to version 127.0.6533.103.0
  • Camera: update to version 74

2024080500

This is an early August security update release based on the August 2024 security patch backports. This month's release of the Android Open Source Project and stock Pixel OS should be available later today or tomorrow and we'll quickly release an update based on it following this one.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024080500-redfin (Pixel 4a (5G), Pixel 5)
  • 2024080500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080200 release:

  • full 2024-08-01 security patch level
  • suppress crash notifications for 2 harmless crashes occurring on service shutdown for the Android Bluetooth service and Pixel wifi_ext service
  • enable memory tagging for the Pixel wifi_ext service again
  • Settings: disable predictive back gesture in PIN/password input activities to fix an upstream Android vulnerability
  • flash-all: remove unnecessary sleep after flashing AVB key
  • flash-all: exit on errors
  • flash-all.sh: avoid false negative for device model check
  • flash-all.bat: pause before exiting after an error
  • fastboot: add support for CLI install with the GrapheneOS optimized factory images format already used by the web installer (will reduce memory/storage usage for CLI installs and will reduce storage usage on the update servers by avoiding multiple factory image formats)
  • hardened_malloc: update libdivide to 5.1
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.43

2024080200

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024080200-redfin (Pixel 4a (5G), Pixel 5)
  • 2024080200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024080100 release:

  • prevent VPN apps from having leaks to non-VPN DNS servers while not yet strictly preventing leaks to VPN DNS outside the VPN tunnel due to multiple VPN apps including Proton VPN not connecting reliably with stricter enforcement (in a future release, we can do strict blocking by default with an opt-out toggle and a list of known incompatible apps such as Proton VPN until the compatibility issue is resolved)
  • GmsCompatConfig: update to version 126
  • GmsCompatConfig: update to version 127
  • Camera: update to version 73

2024080100

This release is only for the Alpha channel to replace the previous release.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024080100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024080100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024073100 release:

  • revert VPN DNS leak protection again since it's still partially incompatible with Proton VPN and certain other apps for unknown reasons, although we did avoid a lot of the compatibility issues from last time

2024073100

This release was only pushed out to the Alpha channel.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024073100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024073100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024072800 release:

  • add back our change to prevent app-based VPN implementations from leaking DNS requests when the VPN is down/connecting but without enforcement for VPN apps without DNS configured to avoid breaking compatibility in rare cases (our previous implementation in 2024050900 had to be reverted before it reached Stable)
  • kernel (6.6): update to latest GKI LTS branch revision
  • Camera: update to version 72
  • Vanadium: update to version 127.0.6533.84.0

2024072800

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024072800-redfin (Pixel 4a (5G), Pixel 5)
  • 2024072800 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024071600 release:

  • avoid isolating eUICC LPA (eSIM activation) app from third party apps to allow carrier activation apps to work (we still block communication with Google Play to avoid sending telemetry data to Google services when sandboxed Google Play is installed)
  • Pixel 8a: fix GNSS configuration to avoid occasional crashes of the service (Pixel 8a is currently the only Samsung GNSS device)
  • Settings: don't allow disabling user installed apps when uninstall is disallowed
  • Settings: drop code for supporting the legacy Settings UI
  • Sandboxed Google Play compatibility layer: avoid infinite wait for GmsCompatConfig update when call to App Store fails
  • enforce stack clash protection for x86_64
  • enforce minimum 64kiB stack guard size for arm64 due to the standard stack probe size of 64kiB
  • future proof our Bionic libc changes for dynamic 64k pages (hardened_malloc still doesn't support it)
  • flash-all: remove unnecessary reboot after flashing Android Verified Boot (AVB) key
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.222
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.163
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.92
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.42
  • adevtool: update to latest carrier settings
  • App Store: update to version 24
  • Camera: update to version 69
  • Camera: update to version 70
  • Camera: update to version 71
  • Auditor: update to version 81
  • Auditor: update to version 82
  • Vanadium: update to version 127.0.6533.64.0
  • Vanadium: update to version 127.0.6533.64.1
  • GmsCompatConfig: update to version 124
  • GmsCompatConfig: update to version 125
  • fastboot: add support for generating web installer optimized factory images zip for an improved web install approach not requiring fastbootd
  • integrate generating web installation optimized factory images zip into release signing script
  • split script/release.sh to remove dependency on build output and the OS source tree (see the new instructions for signing releases)
  • rename script/release.sh to script/generate-release.sh
  • add script/generate-releases.sh wrapper script

2024071600

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024071600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024071600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024071200 release:

  • fix touch-to-unlock setting on devices with a power button fingerprint scanner (Pixel Fold, Pixel Tablet) which is normally always active with AOSP
  • avoid race for setting USB port mode when the lock method is set to none (lockscreen disabled)
  • Pixel Tablet: add non-standard toggle for enabling touchscreen frequency hopping to reduce ghost touches for users with problematic touchscreen hardware
  • kernel (5.10, 5.15): revert a USB change backported to kernel.org LTS that's causing DisplayPort alternate mode compatibility issues
  • Pixel 8a: fix GNSS configuration to avoid occasional crashes of the service (Pixel 8a is currently the only Samsung GNSS device)
  • backport mainline APEX module patches for Media Provider, Network Stack, Remote Key Provisioning and Wi-Fi
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.221
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.161
  • kernel (6.1): update to latest GKI LTS branch revision
  • kernel (6.6): update to latest GKI LTS branch revision
  • GmsCompatConfig: update to version 123

2024071200

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024071200-redfin (Pixel 4a (5G), Pixel 5)
  • 2024071200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024070900 release:

  • kernel (Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a): temporarily revert disabling 32-bit ABI support due to rare cases of apps using a buggy anti-tampering library incorrectly calling 32-bit versions of system calls from 64-bit code even on devices with no 32-bit support in hardware
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.160
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.38
  • TalkBack (screen reader): update dependencies
  • TalkBack (screen reader): remove more unused resources
  • TalkBack (screen reader): drop 32-bit OS support

2024070900

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024070900-redfin (Pixel 4a (5G), Pixel 5)
  • 2024070900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024070201 release:

  • Settings: extend standard fingerprint enrollment stages with proper support for devices with power button fingerprint scanners (Pixel Fold, Pixel Tablet) which is not present in AOSP (Pixel Fold was still usable, but it had become incredibly hard to successfully register new fingerprints on the Pixel Tablet)
  • improve warning for 32-bit-only apps by explaining why the warning is shown, how to resolve it for apps that are still developed and that we plan to phase out support for it on 5th/6th generation Pixels where it's still available
  • show warning for 32-bit-only apps on each launch instead of only once
  • kernel (Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a): disable 32-bit ABI support to substantially decrease kernel size and attack surface and raise mmap_min_addr to the standard 65536 for 64-bit-only ARM
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.158
  • adevtool: update file removal for 8th gen Pixels to skip Family Space related files
  • GmsCompatConfig: update to version 122
  • Vanadium: update to version 126.0.6478.122.3

2024070201

Tags:

  • 2024070201 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024070200 release:

  • full 2024-07-05 security patch level
  • rebased onto AP2A.240705.005 Android Open Source Project release
  • avoid skipping toggling USB port after unlock in certain edge cases to make sure devices connected while locked are always detected when unlocking
  • fix upstream bug causing first party app stores using the package install dialog to be blocked when the user isn't allowed to install apps from third party sources
  • fix notification suppression check in currently unused code to prepare for our per-app clipboard toggle
  • adevtool: download and use latest Pixel carrier settings from the API for use by our CarrierConfig2 app instead of using the snapshot included in the latest Pixel stock OS release since it lags months behind
  • Settings: fully fix regression permitting disabling apps when it shouldn't be allowed due to device manager policy
  • Sandboxed Google Play compatibility layer: stub out reads of hidden system settings in Google's speech services app to avoid uncaught security exceptions
  • Sandboxed Google Play compatibility layer: don't allow the Play Store to abort pending package installation to avoid it cancelling install/update attempts after 10 minutes of waiting for requested user approval it hasn't been designed to handle
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.218
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.155
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.36

2024070200

This is an early July security update release based on the July 2024 security patch backports. This month's release of the Android Open Source Project and stock Pixel OS will be available later today and we'll quickly release an update based on it following this one.

Tags:

  • 2024070200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024062700 release:

2024062700

Tags:

  • 2024062700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024062000 release:

  • add new GrapheneOS Info app through which you can get information about the latest releases of GrapheneOS, links to our community spaces, and details on how to make donations
  • Pixel 8a: add Let's Encrypt roots to Samsung gnssd CA root store for supl.grapheneos.org
  • Pixel 8a: configure Samsung gnssd to use TLSv1.2 for SUPL instead of TLSv1.1 (TLSv1.3 would work but the config doesn't offer it)
  • Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold: fully remove 32-bit ARM support to significantly reduce build time and update download size with no loss of functionality (7th gen Pixels launched with 32-bit app support disabled after several years of the Play Store blocking uploading 32-bit-only apps or installing them on 64-bit devices, and 8th gen Pixels use 2nd gen ARMv9 cores with no 32-bit support)
  • Settings: fix several cases of UI state being lost when resuming activity after configuration changes, etc. for GrapheneOS settings
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.216
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.90
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.35
  • Vanadium: update to version 126.0.6478.122.0
  • GmsCompatConfig: update to version 120

2024062000

Tags:

  • 2024062000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024061400 release:

  • remove our USB peripheral security setting on devices supporting our much better USB-C port mode (Pixel 6 and later)
  • extend USB-C port setting to also handle pogo pins on the Pixel Tablet
  • kernel (5.10, 5.15, 6.1, 6.6): replace our deny_new_usb feature with a new deny_new_usb2 feature also disabling USB gadgets
  • extend USB-C port setting to enable deny_new_usb2 as a second layer of defense disabling new USB connections in the kernel (the existing implementation disables new connections and USB data at a hardware level via the USB controller, which disables more attack surface, but we want to keep around the higher level kernel approach too)
  • Files: fix upstream null pointer exception triggered on resuming activity
  • Settings: require user authentication for changing auto-reboot, USB peripheral and USB-C port security settings
  • Settings: avoid prompting for user authentication when selecting the same value as before for GrapheneOS settings requiring it
  • temporarily add back memory tagging exception for Pixel wifi_ext service
  • simplify implementation of our auto-reboot feature and properly handle the first lock after the user first sets up a lock method
  • avoid resetting USB-C port after first unlock if it was already connected Before First Unlock (fix for regression caused by upstream changes)
  • add GrapheneOS Linux kernel port to the 6.6 GKI LTS branch
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.215
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.87
  • kernel (6.1, 6.6): add script for building emulator kernel
  • kernel (6.1, 6.6): enable forced module signing for x86_64 (emulator builds)
  • System Updater: increase update check interval to 6 hours from 4 hours
  • Vanadium: update to version 126.0.6478.110.0
  • GmsCompatConfig: update to version 118
  • GmsCompatConfig: update to version 119
  • fix cast in GrapheneOS package management infrastructure needed for upcoming App Communication Scopes work

2024061400

Tags:

  • 2024061400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024061300 release:

  • revert upstream refactoring of the device association code in Android 14 QPR3 due to it introducing a chain crash bug at boot in edge cases with associated devices such as paired Android Wear devices
  • kernel (5.10): update to latest GKI LTS branch revision
  • Vanadium: update to version 126.0.6478.71.0

2024061300

We've found at least one new issue with the Android Open Source Project 14 QPR3 Bluetooth module and are already working on resolving it. We'll have a quick follow-up release fixing the Bluetooth regression and other issues discovered during public Alpha and Beta testing.

Tags:

  • 2024061300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024061200 release:

  • fix upstream Android 14 QPR3 regression which breaks updating certain apps with our app repository client
  • fix boot-time optimizing apps progress UI with Android 14 QPR3 and enable it again
  • fix regression in our Android 14 QPR3 port resulting in PIN scrambling in secondary users being determined by the Owner user setting
  • revert upstream Android 14 QPR3 Internet quick tile overhaul since it broke the functionality in secondary users
  • temporarily add back disabling memory tagging and hardened_malloc for surfaceflinger since Android 14 QPR3 didn't fix it as expected
  • disable temporary unconditional system crash notifications since we've gotten the initial feedback we needed via the previous release
  • add additional null check for eSIM wiping done as part of the duress PIN/password wipe implementation to avoid harmless exception
  • Settings: remove blank illustration from "Screen resolution" screen
  • Vanadium: update to version 126.0.6478.50.1
  • make duress PIN/password tests faster and more reliable

2024061200

This is the first release of GrapheneOS based on Android 14 QPR3, the 3rd quarterly maintenance/feature release for Android 14.

We've found at least one new issue with the Android Open Source Project 14 QPR3 Bluetooth module and are already working on resolving it. We'll have a quick follow-up release fixing the Bluetooth regression and other issues discovered during public Alpha testing.

Pixel 8a is now supported as part of the standard Android releases instead of having a device branch based on Android 14 QPR1. We've had stable releases for it available since May 15th (1 day after launch) based on our last QPR1-based release (2024030300). Pixel 8a users will be getting the GrapheneOS improvements from March, April, May and June along with the Android 14 QPR2 and QPR3 improvements so it's a much larger release for the Pixel 8a.

Since Android 14 QPR3 is a major release, the end-of-life Pixel 4a (5G) and Pixel 5 receiving extended support releases from GrapheneOS will need to be ported to it with additional work in a future release, which is done as a low priority. Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024061200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024060500 release:

  • full 2024-06-05 security patch level
  • rebased onto AP2A.240605.024 Android Open Source Project release, which is the 3rd quarterly maintenance/feature release for Android 14 (QPR3)
  • temporarily disable boot-time optimizing apps progress UI due to upstream Android 14 QPR3 regression (our own post-boot background optimizing apps progress notification works fine)
  • temporarily enable system crash notifications unconditionally for the initial QPR3-based release
  • change default USB-C port mode to "Charging-only when locked" from "Charging-only when locked, except before first unlock"
  • stop disabling memory tagging and hardened_malloc for surfaceflinger
  • Settings: fix regression permitting disabling apps when it shouldn't be allowed due to device manager policy
  • Vanadium: update to version 126.0.6478.50.0
  • GmsCompatConfig: update to version 117

2024060500

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024060500-redfin (Pixel 4a (5G), Pixel 5)
  • 2024060500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024060400 release:

  • Sandboxed Google Play compatibility layer: adjust to DynamiteLoader changes being deployed with a new feature flag in Play services 24.22
  • stop treating pressing the spacebar on a physical keyboard as submitting the lockscreen password since it prevents entering passphrases with spaces (upstream Android bug which has existed for around 8.5 years)
  • Vanadium: update to version 125.0.6422.165.0
  • GmsCompatConfig: update to version 116

2024060400

This is an early June security update release based on the June 2024 security patch backports since this month's release of the Android Open Source Project and stock Pixel OS with Android 14 QPR3 isn't available yet.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024060400-redfin (Pixel 4a (5G), Pixel 5)
  • 2024060400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024053100 release:

  • full 2024-06-01 security patch level
  • extend the standard wipe-without-reboot implementation beyond wiping the hardware keystores (which prevents recovering any OS data by preventing deriving the key encryption keys) by also wiping the secdiscardable data on the SSD needed to derive key encryption keys, the encrypted storage keys on the SSD and the Weaver slots in the secure element needed to derive per-user key encryption keys via a secure element erase
  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): update to latest GKI LTS branch revision
  • kernel (6.1): update to latest GKI LTS branch revision

2024053100

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024053100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024053100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024052100 release:

  • add support for setting a duress password and PIN for quickly wiping all hardware keystore keys, including keys used as part of deriving the key encryption keys for disk encryption, to make all OS data unrecoverable, followed by wiping eSIMs and then shutting down
  • disable unused adoptable storage support since it would complicate duress password feature (can be added if we ever support a device able to use it)
  • increase default max password length to 128 to improve support for strong diceware passphrases, which will become more practical for people who don't want biometric-only secondary unlock with our upcoming 2-factor fingerprint unlock feature
  • disable camera lockscreen shortcut functionality when camera access while locked is disabled to avoid the possibility of misconfiguration by adding the camera lockscreen shortcut and then forgetting to remove it when disabling camera access
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.153
  • kernel (6.1): update to latest GKI LTS branch revision
  • Vanadium: update to version 125.0.6422.72.0
  • Vanadium: update to version 125.0.6422.72.1
  • Vanadium: update to version 125.0.6422.113.0
  • Vanadium: update to version 125.0.6422.147.0
  • GmsCompatConfig: update to version 112
  • GmsCompatConfig: update to version 113
  • GmsCompatConfig: update to version 114
  • GmsCompatConfig: update to version 115
  • make SystemUI tests compatible with GrapheneOS changes

2024052100

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024052100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024052100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024051500 release:

  • add backport of the upstream Android implementation of wipe-without-reboot, which is the full fix for the ability to interrupt factory resets triggered by device admin apps (CVE-2024-29748 reported by GrapheneOS) and provides the infrastructure needed for our upcoming duress PIN/password feature in a much simpler way via existing HAL APIs
  • temporarily disable memory tagging for the Pixel camera provider and wifi_ext services due to incompatibilities found by users which should be addressed in an upcoming release of AOSP and the stock Pixel OS
  • Pixel 4a (5G), Pixel 5: omit Pixel Camera Services since it doesn't provide useful functionality and is broken due to these devices not being supported anymore by the current releases
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.214
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.152
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.84
  • Setup Wizard: fix typo in data restore description
  • GmsCompatConfig: update to version 111

2024051500

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024051500-redfin (Pixel 4a (5G), Pixel 5)
  • 2024051500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024050900 release:

  • revert our initial approach to blocking DNS leaks with third party Android VPN apps since it changed the behavior in a slightly different way than intended and caused compatibility issues with certain apps (particularly Proton VPN) which blocked us from releasing 2024050900 to the Stable channel (will be replaced in the near future with another approach)
  • improve GrapheneOS Predicted Satellite Data Service (PSDS) infrastructure with better logging, cleaner code and more generic code to support Samsung PSDS for the Pixel 8a in addition to Qualcomm and Broadcom PSDS
  • Auditor: update to version 80
  • GmsCompatConfig: update to version 110
  • Vanadium: update to version 125.0.6422.51.0
  • Vanadium: update to version 125.0.6422.53.0

2024050900

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024050900-redfin (Pixel 4a (5G), Pixel 5)
  • 2024050900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024050700 release:

  • prevent app-based VPN implementations from leaking DNS requests when the VPN is down/connecting (this is a preliminary defense against this issue and more research is required, along with apps preventing the leaks on their end or they'll still have leaks outside of GrapheneOS)
  • exclude Settings app from visible Location indicator too since it gets triggered from accessing Wi-Fi data when enabling Wi-Fi hotspot and potentially other info tied to Wi-Fi and Bluetooth
  • Vanadium: update to version 125.0.6422.35.0
  • PDF Viewer: update to version 19

2024050700

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024050700-redfin (Pixel 4a (5G), Pixel 5)
  • 2024050700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024050300 release:

  • full 2024-05-05 security patch level
  • rebased onto AP1A.240505.005 Android Open Source Project release
  • update our backports of mainline APEX Health Fitness patches
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.213
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.151
  • TalkBack (screen reader): update dependencies
  • Vanadium: update to version 124.0.6367.159.0
  • PDF Viewer: update to version 18

2024050300

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024050300-redfin (Pixel 4a (5G), Pixel 5)
  • 2024050300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024042200 release:

  • remove special handling of the resolver activity ("Open with..." dialog) which was added to Android in order to support instant apps as preparation for our in-development App Communication Scopes feature
  • fix Google Fi eSIM activation
  • improve isolation of the eSIM activation apps
  • improve GrapheneOS infrastructure for per-app state
  • enable heap memory tagging for vendor processes by default, remove the user-facing toggle in the Settings and restrict toggling the value to debug builds
  • disable most handling for instant apps in the package manager as attack surface reduction
  • disable out-of-band APEX updates as attack surface reduction
  • only allow first party app source and shell to update system packages
  • improve robustness of original-package handling
  • Settings: hide GNSS SUPL and PSDS settings on devices without GNSS hardware
  • fix regression from our Android 14 QPR2 port causing Storage/Contact Scopes link to disappear after going back to the permissions screen
  • improve setup wizard theme to more closely match the stock Pixel OS configuration
  • backport mainline APEX module patches for Android Health, Media Provider, Network Stack, and Wi-Fi
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.212
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.150
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.80
  • Log Viewer: use human readable UTC time for logcat timestamps
  • GmsCompatConfig: update to version 105
  • GmsCompatConfig: update to version 106
  • GmsCompatConfig: update to version 107
  • GmsCompatConfig: update to version 108
  • GmsCompatConfig: update to version 109
  • Vanadium: update to version 124.0.6367.82.0
  • Vanadium: update to version 124.0.6367.82.1
  • Vanadium: update to version 124.0.6367.82.2
  • Vanadium: update to version 124.0.6367.113.0
  • Apps: update to version 23
  • work around our app repository client taking ownership of updates for the debug toggle we use to test new Android Auto releases
  • fix debug build option for testing same versionCode package updates

2024042200

This release is only being done for the Pixel 8 and Pixel 8 Pro due to lack of changes relevant to other devices.

Tags:

  • 2024042200 (Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024042100 release:

  • kernel (5.15): revert another broken f2fs change from the 5.15.149 release (entirely separate from what was fixed in our last release)

2024042100

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024042100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024042100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024042000 release:

  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): backport upstream f2fs patch for a kernel panic caused by another upstream f2fs patch included in the last GKI LTS update (this fix is not included in any Linux stable release yet but rather only the release candidates for Linux 6.9)
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.78

2024042000

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024042000-redfin (Pixel 4a (5G), Pixel 5)
  • 2024042000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040900 release:

  • for devices with hardware memory tagging support, add a toggle in Settings > Security for opting into memory tagging in vendor processes currently excluded from it with the end goal of having it force enabled without a toggle as we do for the rest of the base OS
  • allow eSIM activation app to interact with Google Fi app when installed to fix Google Fi activation
  • use ro.vendor.build.svn system property from adevtool instead of AOSP to make sure it always matches the stock OS
  • Pixel Fold: update to AP1A.240405.002.A2 vendor files
  • Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro: update to AP1A.240405.002.B1 vendor files
  • Log Viewer: include kernel log buffer in default log output
  • Log Viewer: show "Save" instead of "Copy" button for logs that are over ~50 KB
  • Log Viewer: improve handling of log saving
  • backport mainline APEX module patches for Android Health, ART, DNS Resolver, Media Provider, Network Stack, PermissionController and Wi-Fi
  • TalkBack (screen reader): update base code to 14.1 and massively overhaul our changes to it
  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.149
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.76
  • Vanadium: update to version 123.0.6312.118.0
  • Vanadium: update to version 124.0.6367.42.0
  • Vanadium: update to version 124.0.6367.54.0
  • Camera: update to version 67
  • Camera: update to version 68
  • Auditor: update to version 79
  • GmsCompatConfig: update to version 103
  • GmsCompatConfig: update to version 104
  • Setup Wizard: layout and style improvements
  • Setup Wizard: add functionality for testing on debug builds

2024040900

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024040900-redfin (Pixel 4a (5G), Pixel 5)
  • 2024040900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040300 release:

  • rebased onto AP1A.240405.002.A1 Android Open Source Project release (includes a launcher taskbar improvement)
  • avoid crashes in Chromium-based web browsers and the WebView in their sandboxed processes caused by an incompatibility between exec-based spawning and the new userfaultfd-based garbage collector enabled by Android 14 QPR2
  • DNS resolver: fix upstream bug resulting in NUL byte being included in the random string for the DNS-over-TLS test query
  • allow privileged installers to use getSharedLibraries(MATCH_ANY_USER) in order to enable Apps to handle an edge case involving shared libraries (Vanadium Trichrome library) updated in other users while avoiding adding the INTERACT_ACROSS_USERS permission used for this purpose by the Play Store
  • kernel (5.10, 6.1): update to latest GKI LTS branch revision
  • kernel (5.10): reapply reverted upstream f2fs and irq changes now that the regressions are resolved
  • GmsCompatConfig: update to version 102
  • fix our infrastructure for testing our CarrierConfig2 app

2024040300

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024040300-redfin (Pixel 4a (5G), Pixel 5)
  • 2024040300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024040200 release:

  • full 2024-04-05 security patch level
  • rebased onto AP1A.240405.002 Android Open Source Project release
  • fix upstream OS limitation preventing using emergency dialer from setup wizard in secondary users
  • Vanadium: update to version 123.0.6312.99.0

2024040200

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024040200-redfin (Pixel 4a (5G), Pixel 5)
  • 2024040200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024032100 release:

  • full 2024-04-01 security patch level (early release based on AOSP 14 April security backports since the official April AOSP and stock Pixel OS monthly releases aren't available yet)
  • fix race condition for Wi-Fi and Bluetooth auto-turn-off leading to the first auto-turn-off timer after the first Wi-Fi or Bluetooth state update potentially not being scheduled
  • fix Wi-Fi auto-turn-off no longer handling Wi-Fi state change events not involving a Wi-Fi network
  • DocumentsUI (Files): do not delegate handling of downloaded APKs to DownloadProvider to avoid confusing install permission prompt
  • flash-all: raise minimum fastboot version to 34.0.5
  • kernel (Pixel 8, Pixel 8 Pro): sign vendor modules after building them instead of only signing generic (GKI) modules
  • kernel (6.1): update to latest GKI LTS branch revision
  • fix upstream bug breaking pressing power button 5 times to make an emergency call
  • fix upstream bug causing 5 second delay to start the emergency dialer for the first time
  • CarrierConfig2 (app created by GrapheneOS to replace Google CarrierSettings): add stub implementation of VendorConfigProvider
  • Setup Wizard: use new API for emergency calls
  • Setup Wizard: add prompt for unlocked bootloader triggering reboot to fastboot mode to lock
  • Setup Wizard: add prompt for disabling OEM unlocking after the device is locked (will be disabled by default)
  • GmsCompatConfig: update to version 100
  • GmsCompatConfig: update to version 101
  • Vanadium: update to version 123.0.6312.80.0
  • Vanadium: update to version 123.0.6312.80.1

2024032100

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024032100-redfin (Pixel 4a (5G), Pixel 5)
  • 2024032100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024031400 release:

  • Bluetooth: revert broken upstream change and changes depending on it to fix Galaxy Watch 6 Classic and likely other devices impacted by the same issue (this was a failure of upstream testing and release engineering for AOSP and doesn't impact the stock Pixel OS because it uses a different APEX module revision branched from an older revision of AOSP but it will impact every other Android-based OS on Android 14 QPR2 since there isn't a Bluetooth mainline module published in the Play Store and AOSP yet)
  • revert disabling hardened_malloc for Broadcom Bluetooth HAL (we've fixed the upstream issue and this wasn't needed)
  • revert allowing users to disable hardened_malloc for Bluetooth system app (we've fixed the upstream issue and this wasn't needed)
  • Android Runtime: disable stripping symbols for libart to restore compatibility with some popular obfuscated Chinese apps using a specific obfuscation SDK depending on private APIs which was broken by Android 14 QPR2 when not using the mainline ART module based on older code like the stock Pixel OS (does not result in any lost storage space, just slightly larger factory images / updates as if we'd bundled another small app)
  • Android Runtime: remove Android's hard-wired speed-profile compilation for launcher apps which was limiting ahead-of-time compilation for user installed launcher apps to the parts of the code included in baseline and/or cloud profiles rather than compiling the whole app via our default speed compilation which we use to replace JIT compilation and JIT profiles guiding background AOT compilation
  • backport 12 upstream fixes from the mainline MediaProvider, Wifi, NetworkStack and HealthFitness APEX modules
  • allow using device controls quick tile when unlocked since it already has a toggle for controlling availability so our new default requirement of the device being unlocked needs to be overridden for it
  • more complete setup design configuration to improve appearance of Setup Wizard, etc.
  • Settings: fix upstream footer formatting issue for App pinning screen
  • update timezone module to Android mainline 341510010 (based on tzdata 2024a)
  • kernel (5.15, 6.1): improve support for hosting servers by enabling SYN cookies as we do for the older kernels
  • kernel (6.1): drop obsolete usage of YAMA which we replaced with our dynamic SELinux flag extension
  • kernel (5.10): update to latest GKI LTS branch revision
  • GmsCompatConfig: update to version 99

2024031400

Tags:

  • 2024031400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024031100 release:

  • allow users to disable GrapheneOS hardened_malloc for the Bluetooth system app via the Settings app to help with debugging upstream bugs (still enabled by default)
  • temporarily disable hardened_malloc for Broadcom Bluetooth HAL as a potential workaround for upstream bugs in Android 14 QPR2 (will be reverted if it doesn't help and reverted after fixes are implemented if it does help)
  • fix upstream bug in Android 14 QPR2 breaking Wi-Fi tethering on fresh installs before Wi-Fi is enabled for the first time, which didn't occur on the stock OS in practice due to it enabling Wi-Fi by default
  • fix upstream system_server crash in Android 14 QPR2 when installing updates to packages with an original-package application id such as Vanadium (was reported by users helping with Vanadium Alpha channel testing and we released Apps version 22 with a workaround avoiding the crash prior to this fix)
  • Apps: update to version 22
  • Vanadium: update to version 122.0.6261.119.0
  • Vanadium: update to version 123.0.6312.40.0
  • drop legacy script/envsetup.sh (see current build instructions)

2024031100

Tags:

  • 2024031100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024030900 release:

  • toggle USB port after device unlock to automatically detect a device plugged in while it was in charging-only mode while locked, etc.
  • Tensor Pixels: change default mode for our USB-C port control feature able to truly disable USB at a hardware level to "Charging-only when locked, except before first unlock" (doesn't apply to connections that were made before locking or first unlock) which can be changed by users in Settings > Security > USB-C port
  • fix Wi-Fi auto-turn-off issues leading to it not triggering in certain cases caused by backwards incompatible changes in Android 14 QPR2
  • Pixel 8, Pixel 8 Pro: fix enabling DisplayPort alternate mode support
  • Pixel 8, Pixel 8 Pro: fully enable PAC and BTI for userspace too, especially since ShadowCallStack is not currently used in userspace and Clang type-based CFI is only used for a large subset of the important userspace code
  • GmsCompatConfig: update to version 98
  • improve internal infrastructure used by GrapheneOS features

2024030900

Tags:

  • 2024030900 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024030800 release:

  • fix upstream Android 14 QPR2 use-after-free bug impacting Bluetooth LE audio with certain devices (reliably caught by our hardware memory tagging integration on the Pixel 8 and Pixel 8 Pro, but also impacts previous devices which still have the standard hardened_malloc mitigations for use-after-free)
  • Settings: hide placeholder dates for Battery information screen in Settings > About device due to 6th/7th generation Pixel batteries having a placeholder value for the first use date

2024030800

Tags:

  • 2024030800 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024030700 release:

  • add back unlocking requirement for the new Internet quick tile in QPR2
  • ThemePicker: restore themed icon and grid settings for QPR2 port
  • DocumentsUI (Files): work around crashes caused by QPR2 R8 changes resulting in code used via reflection being removed

2024030700

Tags:

  • 2024030700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024030600 release:

  • Pixel 6, Pixel 6 Pro, Pixel 6a: fix USB-C mode control issue introduced by QPR2 port which prevented pushing out the last release
  • Gallery: work around crashes caused by QPR2 R8 changes resulting in code used via reflection being removed
  • Settings: enable Battery information screen in Settings > About device for QPR2 including Manufacture date, Date of first use and Cycle count
  • Settings: make the style for settings consistent between Compose and non-Compose settings
  • fixes for certain GrapheneOS notifications in QPR2

2024030600

This is the first release of GrapheneOS based on Android 14 QPR2. Android 14 QPR2 is the first Android release following the new development model where quarterly releases follow the development branch. This release is a massive overhaul of the OS almost as large as the migration from Android 13 QPR3 to Android 14 despite fewer user facing changes. This release includes a large part of the migration to Android 15. The new development model will be very beneficial for GrapheneOS by spreading out the porting process throughout the year between major releases as part of the 3 quarterly releases between the yearly major releases.

Since this is a major release, the Pixel 4a (5G) and Pixel 5 have not been ported to Android 14 QPR2 as part of our initial release. We need to determine whether it makes sense to move these end-of-life devices to Android 14 QPR2 or keep them on a legacy extended support release branch based on the last Android 14 QPR1 release.

Tags:

  • 2024030600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024030300 release:

  • full 2024-03-05 security patch level
  • rebased onto AP1A.240305.019.A1 Android Open Source Project release, which is the 2nd quarterly maintenance/feature release for Android 14 (QPR2)
  • continue to allow disabling cell broadcast extreme alerts with all carriers contrary to QPR2 change
  • Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a: add back launcher app pinning to potentially work around launcher bugs
  • Vanadium: update to version 122.0.6261.105.0
  • Pixel 6 Pro: remove unnecessary product name, model and brand overrides for attestation since we use the official ones
  • System Updater: fix typo in error message
  • System Updater: update summary for check for updates button now that it always checks immediately

2024030300

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024030300-redfin (Pixel 4a (5G), Pixel 5)
  • 2024030300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024022800 release:

  • System Updater: ignore configured constraints for user-initiated update checks
  • System Updater: avoid automatic retry for user-initiated update checks
  • Settings: migrate to new Compose-based Settings infrastructure in preparation for Android 14 QPR2
  • improve GrapheneOS infrastructure for per-app notifications
  • Setup Wizard: improve wording for secondary user setup word
  • adevtool: fix overlay parsing issues
  • adevtool: include missing "Learn more" fingerprint setup text
  • GmsCompatConfig: update to version 97

2024022800

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024022800-redfin (Pixel 4a (5G), Pixel 5)
  • 2024022800 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024022600 release:

  • Tensor Pixels: fix issue with the USB-C changes breaking recovery sideloading and the fastbootd flashing mode used by the web installer which blocked us being able to release the previous release to all users
  • Settings: change "Charging only" to "Charging-only" for the USB-C port mode options to make the meaning clearer
  • Vanadium: update to version 122.0.6261.90.0

2024022600

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024022600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024022600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024022300 release:

  • Tensor Pixels: add new USB-C port mode setting to Settings > Security providing a high level of control over USB functionality with hardware-specific integration for disabling USB controller functionality including fully disabling the data lines. There are 5 modes: On (current default during testing), Charging-only when locked except before first unlock (likely near future default), Charging-only when locked, Charging-only and Off (which even disables charging while booted into the normal OS mode). The modes tied to lock state permit already connected devices to continue working after locking and disable the data lines at a USB controller level after disconnecting. This is much different from the existing USB features including the Android 12 USB HAL toggle which only disable high-level kernel functionality and leave all the low-level kernel driver, USB protocol and USB controller attack surface enabled.
  • kernel (5.10, 5.15): add support for ignoring USB alt modes
  • kernel (Tensor Pixels): extend max77759 USB-C controller driver used by Tensor Pixels with support for a sysfs node providing fine-grained control over the USB-C data path at the USB controller level
  • Setup Wizard: fix crash for SIM locales not recognized by com.android.internal.app.LocalePicker

2024022300

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024022300-redfin (Pixel 4a (5G), Pixel 5)
  • 2024022300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024020500 release:

  • completely new GrapheneOS Setup Wizard implementation for the initial setup of the device and secondary user profiles
  • Theme Picker: update color schemes including adding the monochromatic color scheme option
  • Sandboxed Google Play compatibility layer: always apply PhenotypeFlag overrides to avoid regressions for some users
  • Sandboxed Google Play compatibility layer: catch SecurityException from setApplicationEnabledSetting() instead of relying on PhenotypeFlag override
  • Sandboxed Google Play compatibility layer: add support for Android Auto 11.3 by extending the wireless Android Auto and phone call handling toggles to also allow BluetoothAdapter#getActiveDevices
  • Sandboxed Google Play compatibility layer: add developer functionality for updating Android Auto via the Play Store for testing
  • Storage Scopes: avoid legacy apps using legacy storage crashing when trying to access the wallpaper
  • remove legacy AOSP Search app now that Vanadium provides the global search intent in addition to the more common web search intent also implemented by other browsers including Brave
  • fix upstream bug breaking package manager support for uninstalling apps only installed in other profiles from the Owner user
  • Settings: improve strings for network connection toggles
  • kernel (5.10, 5.15, 6.1): temporarily ignore sysrq_always_enabled to avoid sysrq being enabled on devices passing it on the kernel command line unconditionally
  • kernel (5.10): update to latest GKI LTS branch revision
  • kernel (5.15): update to latest GKI LTS branch revision
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.75
  • Pixel 4a (5G), Pixel 5: update to UP1A.231105.001.B2 vendor files
  • Vanadium: update to version 121.0.6167.164.0
  • Vanadium: update to version 121.0.6167.178.0
  • Vanadium: update to version 122.0.6261.43.0
  • Vanadium: update to version 122.0.6261.43.1
  • Vanadium: update to version 122.0.6261.64.0
  • GmsCompatConfig: update to version 94
  • GmsCompatConfig: update to version 95
  • GmsCompatConfig: update to version 96
  • only use build number for build display id to simplify the value shown at Settings > About device > Build number

2024020500

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024020500-redfin (Pixel 4a (5G), Pixel 5)
  • 2024020500 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024012600 release:

  • full 2024-02-01 security patch level
  • full 2024-02-05 security patch level
  • rebased onto UQ1A.240205.004 Android Open Source Project release
  • run full compacting garbage collection purging all regular Java heaps of dead objects in SystemUI and system_server after locking (this is already done after unlocking to purge data tied to the lock method and derived data, but it makes sense to do it after locking too)
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a): update to latest Android 14 QPR2 Beta release including additional security fixes
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.209
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.148
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15, Generic 6.1): enable both software Shadow Call Stack (SCS) and Pointer Authentication Code (PAC) protection for kernel return addresses instead of only using SCS when PAC is unavailable
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15, Generic 6.1): enable Branch Target Identification (BTI) protection for the kernel in addition to Clang type-based CFI to provide coarse-grained CFI coverage for indirect calls excluded from type-based CFI
  • kernel (Generic 6.1): apply sysrq hardening changes
  • kernel (Generic 6.1): update to latest GKI LTS branch revision including update to 6.1.74
  • Settings: enable SIM deletion confirmation by default
  • System Updater: clarify name of the notification channel for already being up to date
  • Messaging: update MMS configuration database based on Google Messages 20240123_01_RC02
  • Dialer: update visual voicemail (VVM) configuration database based on Google Phone 121.0.603393336
  • Vanadium: update to version 121.0.6167.101.2
  • Vanadium: update to version 121.0.6167.101.3
  • Vanadium: update to version 121.0.6167.143.0
  • Vanadium: update to version 121.0.6167.143.1
  • Camera: update to version 65
  • Camera: update to version 66

2024012600

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024012600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024012600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024011600 release:

  • isolate eSIM activation app from non-system apps to avoid it sharing data with sandboxed Google Play
  • make eSIM activation toggle available without sandboxed Google Play installed (eSIM management no longer requires sandboxed Google Play)
  • make the eSIM activation app toggle persistent instead of it being disabled at boot
  • remove misleading message about device info being sent to Google before eSIM download
  • hardened_malloc: use tag 0 for freed slots instead of reserving a tag to allow using 15 of 16 possible tag values for random tags (there are 3 dynamic exclusions of the random values for the previous tag along with the 2 current or previous adjacent tags)
  • Settings: prevent disabling Camera2/CameraX extension provider app (Pixel Camera Services for Pixels) since it breaks apps using CameraX
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro): use a normal reboot on overheating instead of an emergency reboot to harden against physical attacks
  • kernel: enable reset attack mitigation for UEFI systems supporting it (Tensor Pixels use minimalistic littlekernel-based boot firmware rather than UEFI and the previous Snapdragon Pixels using UEFI didn't implement this but we may need this for future devices)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.208
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.147
  • kernel (Generic 6.1): update to latest GKI LTS branch revision including update to 6.1.73
  • Launcher: disable gradient at the top of the home screen again (change lost with Android 14 QPR1 due to it being reimplemented upstream)
  • rewrite HTTPS network time implementation to make it much more maintainable and robust along with providing better debug output via ADB
  • Vanadium: update to version 120.0.6099.230.0
  • Vanadium: update to version 121.0.6167.71.0
  • Vanadium: update to version 121.0.6167.101.0
  • Vanadium: update to version 121.0.6167.101.1
  • GmsCompatConfig: update to version 93
  • Seedvault: update to latest revision (will be replaced with a better backup implementation in the future)

2024011600

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024011600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024011600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024011300 release:

  • work around upstream Android bug causing system_server crash due to failed security-related assertion by denying the action without crashing system_server, which avoids turning a buggy security check into a denial of service issue
  • add workaround for upstream Android crash reporting bug recording clean f2fs filesystem check results as errors which is resulting in many users receiving filesystem check error reports on GrapheneOS due to our user-facing notifications for serious errors/crashes
  • add workaround for upstream Android crash reporting bug causing old crashes to be reported again
  • add workaround for upstream Android crash reporting bug wrongly attributing certain app crashes to system_server
  • only show kernel crashes when the user opts into showing all system crashes as notifications since there are many false positives caused by hardware issues such as some users having devices which sometimes fail to resume from sleep while idle
  • only show report button in log viewer for system_server Java/native crashes, MTE crashes and filesystem check errors (which now have non-error results properly filtered out) due to receiving too many reports about upstream bugs and hardware issues
  • hide specific system apps and also sandboxed Google Play from Aurora Store so users don't try to update them through it and receive errors
  • Log Viewer: explicitly set status bar color to fix light mode icon colors
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a): add missing kernel changes from the past 2 releases

2024011300

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024011300-redfin (Pixel 4a (5G), Pixel 5)
  • 2024011300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024010400 release:

  • replace auto-reboot implementation with a new more hardened implementation based on a timer in the init process (since init crashing reboots the device, unlike system_server) which also avoids rebooting when the device hasn't been unlocked since boot
  • reduce default auto-reboot timer from 72 hours to 18 hours
  • add log viewer available at Settings > System > View logs to avoid needing developer options for making useful bug reports and inspecting the device for issues
  • reimplement our user-facing crash reporting infrastructure with our new log viewer app
  • Settings: add links to log viewer in app info and system settings
  • show report button in sandboxed Google Play crash report UI
  • adevtool: integrate support for Pixel Camera Services (currently provides Night mode for GrapheneOS Camera and other apps on Pixel 6 and later)
  • adevtool: improve and clean up infrastructure for device support
  • adevtool: drop devices not supported with Android 14
  • adevtool: remove unused default permissions configuration
  • Contact Scopes: add handling of malformed contact data subtype names to avoid crash
  • show notification after hardened_malloc detects memory corruption via a direct check (does not cover memory corruption detected via memory protected address space)
  • kernel: disable sysrq by default rather than waiting for init to disable it
  • kernel: disable unused sysrq serial support
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.206
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.145
  • kernel (Generic 6.1): update to latest GKI LTS branch revision including update to 6.1.69
  • GmsCompatConfig: update to version 91
  • GmsCompatConfig: update to version 92
  • Vanadium: update to version 120.0.6099.210.0
  • System Updater: use sentence case for notification channel names

2024010400

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024010400-redfin (Pixel 4a (5G), Pixel 5)
  • 2024010400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2023123100 release:

  • full 2024-01-01 security patch level
  • full 2024-01-05 security patch level
  • rebased onto UQ1A.240105.004 Android Open Source Project release
  • kernel (Generic 6.1): update to latest GKI LTS branch revision including update to 6.1.67
  • Sandboxed Google Play compatibility layer: stop hiding Android Auto from the Play Store since it breaks Play Store dependent functionality
  • Sandboxed Google Play compatibility layer: mark Android Auto as owned by our app repository client to stop the Play Store from updating it
  • Sandboxed Google Play compatibility layer: add Network permission to baseline permissions needed for wireless Android Auto
  • Sandboxed Google Play compatibility layer: add list of requirements for Android Auto voice commands
  • Sandboxed Google Play compatibility layer: add back dedicated name for Sandboxed Google Play crash notification channel
  • Sandboxed Google Play compatibility layer: skip Android Auto crash reports when it lacks baseline permissions and show a dedicated notification about the problem instead
  • Keyboard: add workaround for multi-locale spell checking and remove our attempt at implementing it properly in the keyboard itself for now
  • AppCompatConfig: update to version 3
  • Vanadium: update to version 120.0.6099.193.0
  • adevtool: remove unused permission configuration

2023123100

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2023123100-redfin (Pixel 4a (5G), Pixel 5)
  • 2023123100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2023123000 release:

  • Keyboard: avoid spell checker crash after keyboard's spell checking service is stopped by the OS (regression in the last Alpha channel only release fixing multi-locale spell checking)
  • backport upstream fix for Wi-Fi background scan system_server crash
  • hardened_malloc / bionic: restore default SIGABRT handler in fatal_error to work around crashlytics bug caused by it using fork instead of clone which triggers a deadlock when malloc locks are held already
  • skip missing sensors permission notification with wrong app id
  • Sandboxed Google Play compatibility layer: avoid crashes in Android Auto and potentially elsewhere from missing Google Search app to make it a proper optional dependency
  • Sandboxed Google Play compatibility layer: fix handling of while-in-use permissions
  • Sandboxed Google Play compatibility layer: drop ACCESS_BACKGROUND_LOCATION permission for Android Auto now that while-in-use permission works
  • Sandboxed Google Play compatibility layer: add workaround for rare foreground service crash (may be upstream bug)

2023123000

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2023123000-redfin (Pixel 4a (5G), Pixel 5)
  • 2023123000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2023121200 release:

  • Keyboard: add new implementation of multi-locale spell checking support to fix crashes and other issues
  • Sandboxed Google Play compatibility layer: add Android Auto support with the compatibility layer eliminating the need for most of the permissions and a permission menu with 4 toggles for granting the minimal special access required for wired Android Auto, wireless Android Auto, audio routing and phone calls
  • Settings: remove confusing mention of Android Auto from Connected devices screen
  • exempt non-app system processes from Sensors permission enforcement (fixes some issues including gpsd crashes)
  • fix Bluetooth auto-turn-off race condition to avoid crashes
  • work around upstream race condition bug in biometric service
  • disable support for pre-approving PackageInstaller sessions due to incompatibility with Network permission toggle
  • fix several upstream bugs in handling crash reports mainly to improve our user-facing crash reporting system
  • use GrapheneOS Widevine provisioning proxy by default
  • add settings for changing Widevine provisioning server
  • add configuration for setupdesign and setupcompat libraries to improve system UI theme
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.204
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.142
  • kernel (Generic 6.1): initial port of GrapheneOS changes for use with emulator builds
  • force disable network ADB (Android Debug Bridge) developer option in early boot to improve verified boot security (no user-facing change since it's currently disabled by default later in the boot process, but not robustly)
  • Vanadium: update to version 120.0.6099.115.0
  • Vanadium: update to version 120.0.6099.144.0
  • AppCompatConfig: update to version 2
  • GmsCompatConfig: update to version 88
  • GmsCompatConfig: update to version 89
  • GmsCompatConfig: update to version 90
  • Auditor: update to version 78

2023121200

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2023121200-redfin (Pixel 4a (5G), Pixel 5)
  • 2023121200 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2023120800 release:

  • stop reporting forced reboot (long press power) as a kernel crash
  • filter out SoC ID from kernel crash logs (logged by Little Kernel firmware boot stage before the OS)
  • temporarily disable memory tagging and hardened_malloc for surfaceflinger process to work around upstream use-after-free bug(s)
  • raise max open files for system_server to 256k from the baseline 32k limit used for all processes on Android due to situations where the 32k limit is exhausted, which has become much more common for a small number of users with Android 14 QPR1
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold): backport fix for glibc 2.38 build error to device-specific driver source tree too to end the need for mounting a modified features.h for building host executables
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.201
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.138
  • GmsCompatConfig: update to version 87
  • suppress repetitive sendHistogramChannelIoctl logging (upstream issue)

2023120800

Tags:

  • 2023120800 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2023120701 release:

  • Package Installer: fix crash introduced upstream in Android 14 QPR1 for handling pending user action
  • Package Installer: fix crash introduced upstream in Android 14 QPR1 by limiting maximum app snippet icon size
  • avoid false positives for our kernel crash reporting when running in the Android emulator

2023120701

Tags:

  • 2023120701 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023120700 release:

  • adevtool (Pixel 8, Pixel 8 Pro): update system property removal

2023120700

This is the first quarterly release of Android 14 and includes a bunch of nice improvements including using the phone as a webcam.

Starting with this release, the Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. Certain driver patches will remain available until the Pixel 5a is end-of-life due to shared code. We'll continue providing all of the Android Open Source Project and GrapheneOS changes for them until the release of Android 15. After Android 15 is released, they'll remain on a legacy Android 14 branch with only the AOSP security patch backports to Android 14 and some additional changes backported by us on a best effort basis. This is the same kind of extended support we provided for the Pixel 4 and Pixel 4 XL.

Tags:

  • 2023120700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2023120400 release:

  • full 2023-12-01 security patch level for 6th/7th generation Pixels too
  • full 2023-12-05 security patch level
  • rebased onto UQ1A.231205.015 Android Open Source Project release, which is the first quarterly maintenance/feature release for Android 14
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision
  • Sandboxed Google Play compatibility layer: disable privileged AlarmManager.FLAG_PRIORITIZE to prevent crashes (this API is a no-op when Unrestricted battery mode is granted anyway)
  • GmsCompatConfig: update to version 86

2023120400

The December release of the Android Open Source Project and stock Pixel OS will be the first quarterly release of Android 14. It will likely be available this week, but hasn't been published yet. Since there hasn't been a release yet this month, we're publishing an early December security update based on the AOSP backports to Android 14.

It's unclear if 6th/7th generation Pixels received a specific Mali GPU kernel driver patch so we aren't raising the patch level for these until the official December release is available. We often backport these patches early but we don't know which patch corresponds to which CVE ID so we can't raise the claimed patch level. ARM covers up the details publicly and only releases tarballs for each major revision without the Git commit history or individual security patch backports they make available to partners, despite partners being allowed to apply those in public Git repositories. We can often figure out the patch corresponding to a CVE ID or vice versa through ARM partners publishing it, but we haven't been able to in this case.

Tags:

  • 2023120400 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023120400-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023112900 release:

  • full 2023-12-01 security patch level (6th/7th generation Pixels may be missing a 2023-11-05 Mali GPU patch so we've frozen the patch level string until the official December update)
  • Pixel 8, Pixel 8 Pro: use more modern target CPU configuration
  • System Updater: enable non-low (currently 20% or higher) battery requirement for the update job by default (will not change for users who have previously opened the update settings due to how they're implemented)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision
  • Vanadium: update to version 120.0.6099.43.0
  • GmsCompatConfig: update to version 85

2023112900

Tags:

  • 2023112900 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023112900-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023112600 release:

  • improve compatibility of the opt-in forced hardware memory tagging mode for user installed apps
  • add AppCompatConfig for out-of-band updates to app compatibility configuration such as enabling memory tagging by default for apps compatible with it in the default mode and disabling it for apps not compatible with it when users globally enable it
  • suppress native debugging notification for sandboxed Google Play services since it works without it
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.200
  • Settings: hide global memory tagging setting from secondary users
  • Settings: add toggle for system process crash notifications and disable it by default since it uncovers a lot of upstream bugs
  • Settings: clarify description for third party app memory tagging toggle in the Security settings menu
  • Settings: fix typo in the extended virtual address space explanation
  • Vanadium: update to version 119.0.6045.193.0

2023112600

Tags:

  • 2023112600 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023112600-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023111500 release:

  • improve existing infrastructure and settings for per-app hardening control
  • add new infrastructure for dynamic SELinux flags for apps
  • replace static SELinux policy disabling dynamic native code generation for base system apps with dynamic SELinux flag
  • replace YAMA LSM with dynamic SELinux flag for ptrace access
  • add per-app toggle for native debugging
  • add global toggle to disable native debugging for user installed apps by default
  • add per-app memory tagging toggle for user installed apps
  • add global toggle to enable memory tagging for user installed apps by default
  • add logging infrastructure for dynamic GrapheneOS SELinux flags
  • raise post-boot audit message rate limit from 5 to 50 per second
  • add more infrastructure and tests for per-app hardening control
  • fix Android bug with rate limiting for non-app tombstones (crash info for reporting bugs)
  • notify the user about notable system journal entries including kernel crash, file system check error, system_server crash, system app native crash and non-app process native crash
  • notify the user after memory tagging detects memory corruption in an app
  • notify the user after an app is blocked from accessing ptrace by the native debugging toggle
  • Pixel 8, Pixel 8 Pro: migrate to using our standard 5.15.137 GKI LTS kernel as the base with reverts for changes that are not compatible with the driver tree yet
  • include more info about Java and native crashes, ANRs, low memory conditions, kernel crash logs and filesystem check errors in bug report zips manually captured by users, which on the stock OS are uploaded by Play services
  • Sandboxed Google Play compatibility layer: allow compatibility layer to show the error report UI
  • GmsCompatConfig: update to version 84
  • Vanadium: update to version 119.0.6045.163.2

2023111500

Tags:

  • 2023111500 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023111500-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023110700 release:

  • Sandboxed Google Play compatibility layer: replace cross-user intent broadcasts with user-local ones to avoid occasional background service crashes
  • fix upstream bug causing crash for previewing live wallpapers
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision
  • Seedvault: update to latest revision (will be replaced with a better backup implementation in the future)
  • Vanadium: update to version 119.0.6045.134.0
  • Vanadium: update to version 119.0.6045.163.0
  • Vanadium: update to version 119.0.6045.163.1
  • GmsCompatConfig: update to version 83
  • Camera: update to version 64
  • Auditor: update to version 77

2023110700

Tags:

  • 2023110700 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023110700-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023103100 release:

  • full 2023-11-01 security patch level
  • full 2023-11-05 security patch level for generic targets and 5th/8th generation Pixels (6th/7th generation Pixels are marked as 2023-11-01 upstream which may be due to a missing Mali GPU kernel patch we can work on obtaining to apply early)
  • rebased onto UP1A.231105.003 (generic) and UD1A.231105.004 (shusky) Android Open Source Project releases
  • Pixel 8, Pixel 8 Pro: always enable hardware memory tagging (there is no longer an opt-in toggle) which is currently used everywhere other than Vanadium (coming soon), vendor executables and user installed apps with their own native code not marked as compatible with memory tagging
  • disable GWP-ASan since it's a bug finding feature rather than a hardening feature and doesn't preserve all the hardened_malloc security properties for the random allocations in random system processes where it gets activated, especially now that memory tagging is supported
  • Launcher: add missing catch for null pointer exception (upstream bug) triggered by Signal
  • revert change to show crash dialog for first crash of an app since boot since this results in a high support burden from the many third party app crashes it uncovers especially since it's not enabled on the stock OS
  • always compile VPN service packages with speed filter to avoid background recompilation since many of these apps only automatically connect at boot and the user has to manually reconnect if the OS restarts them such as when users manually trigger app restart via the background recompilation notification
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.199
  • backport health permission UI fixes from AOSP
  • backport DocumentsUI (Files) fix from AOSP preventing bypassing restrictions via initial open directory
  • GmsCompatConfig: update to version 81
  • GmsCompatConfig: update to version 82
  • use sdk_phone_x86_64 (emulator) target as the default one for convenience
  • flash-all: raise minimum fastboot version to 34.0.4

2023103100

Tags:

  • 2023103100 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023103100-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023103000 release:

  • Keyboard: include words from all active locales in spell checking to support multiple locales again after the port to Android 14
  • Gallery: revert one of the 3 improvements to preview resolution due to it causing out-of-memory errors
  • Vanadium: update to version 119.0.6045.66.0

2023103000

Tags:

  • 2023103000 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023103000-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023102300 release:

  • add infrastructure for hardware memory tagging support
  • hardened_malloc: add support for hardware memory tagging launched with the ARMv9 cores on the Pixel 8 and Pixel 8 Pro
  • Settings: enable memory tagging toggle at Settings > Security > More security settings > Advanced memory protection beta on supported devices (Pixel 8 and Pixel 8 Pro)
  • Pixel 8, Pixel 8 Pro: enable memory tagging support for everything built by GrapheneOS (other than Vanadium, since Chromium currently disables it) and also user installed apps without native libraries (will be expanded to Vanadium later along with the option to use it for all user installed apps)
  • Pixel 8, Pixel 8 Pro: use asymmetric memory tagging mode on all cores to provide much higher security than asynchronous mode without much more overhead, unlike the very expensive synchronous mode, which has no clear security benefits over asymmetric
  • enable parallel compilation of non-precompiled bytecode to native code for first-boot and first-boot-after-update with 2 processes for now (can be increased later)
  • improve user interface for reporting background package compilation progress
  • show crash dialog for first crash of an app since boot instead of waiting until the second crash like upstream Android
  • Gallery: fix low resolution image preview in editor
  • restore Android 13 behavior for installing APKs from the file manager by requesting permission for the app which created the APK (current Google Files behavior is a bit different and requests permission for Google Files, but the AOSP Files approach seems more useful)
  • SELinux policy: use per-app-instance MLS level for the update client domain as used for regular apps to provide better isolation from other system components
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.198
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.137
  • Vanadium: update to version 118.0.5993.111.0
  • Vanadium: update to version 119.0.6045.53.0
  • Vanadium: update to version 119.0.6045.53.1
  • GmsCompatConfig: update to version 80

2023102300

Tags:

  • 2023102300 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023102300-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023101300 release:

  • initial non-experimental release for Pixel 8 and Pixel 8 Pro support
  • speed up skipping compilation of system packages with dexpreopt (precompilation to native code) to improve post-update boot time
  • backport assorted dexpreopt fixes to make it work for more system packages again to improve verified boot security, free up wasted disk space and reduce post-update boot time
  • use speed-profile compilation for user installed packages for first boot of an update to significantly improve boot time, then recompile with full speed optimization in the background with a progress notification and a notification when it's finished for respawning apps
  • temporarily disable otapreopt (precompilation of apps in the background in update Finalizing step) due to it being broken in Android 14
  • Gallery: remove optional dependency to fix dexpreopt (precompilation to native code)
  • Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold: fix support for Widevine L1 on Android 14
  • fix PIN scrambling for SIM PIN (regression from port to Android 14)
  • handle new Android 14 network time code path for our feature making the automatic time toggle control whether network time connections are made
  • remove standard special case enabling Android 14 auto-confirm PIN by default for 6 digit PINs
  • allow system apps to make sticky notifications again (important for System Updater to avoid users missing the notice to reboot after update installation)
  • System Updater: add option to require that the device is charging
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.134
  • Auditor: update to version 76
  • Apps: update to version 21
  • Vanadium: update to version 118.0.5993.80.0
  • GmsCompatConfig: update to version 79
  • improve GrapheneOS system_server infrastructure

2023101300

Tags:

  • 2023101300 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023101100 release:

  • exempt non-app system packages from new package visibility restrictions to fix many APIs in secondary users
  • Sandboxed Google Play compatibility layer: expand background activity launch shim to all the core Google Play apps to fix sandboxed Play Store compatibility issues with Android 14
  • Sandboxed Google Play compatibility layer: fix "Don't show again" notification action which broke after Android 14 port
  • Pixel 5: add back support for battery share (reverse wireless charging) via the new infrastructure in Android 14 which we already adopted for 6th/7th/8th generation Pixels
  • GmsCompatConfig: update to version 78
  • Settings: reorder auto-reboot options from least disruptive to most secure
  • Settings: add 18 hours as an auto-reboot option

2023101100

Tags:

  • 2023101100 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023100900 release:

  • enable customizing lock screen shortcuts
  • Launcher: set target API level to 33 since it doesn't properly support 34 and it prevents adding widgets among other potential issues (Pixel Launcher fork in the stock Pixel OS still uses 33 too, so this is an AOSP-specific upstream bug)
  • Launcher: delete broken legacy shortcuts instead of crashing (upstream bug)
  • Sandboxed Google Play compatibility layer: enable DynamiteLoader v2
  • fix per-app hardening configuration for apps missing from the Owner user
  • fix Bluetooth auto-turn-off
  • Settings: avoid crashes when changing user restrictions for guest users (upstream bug)
  • do not delete compiled code of hibernated apps
  • curl: update to 8.4.0 to fix CVE-2023-38545 and assorted minor issues (Android may not use this functionality, but it should be fixed in case it does)
  • Vanadium: update to version 118.0.5993.65.0
  • remove unnecessary wrapper for registering receivers

2023100900

Tags:

  • 2023100900 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023100800 release:

  • temporarily unsuspend work profiles when resuming them to avoid our stricter pause approach causing issues
  • Settings: split title/summary for automatic exploit protection compatibility mode
  • Settings: fix upstream bug causing crash when accessing tethering settings from secondary users where they're unavailable
  • System Updater: set foreground service type to special
  • System Updater: update minimum and target API level to 34 (Android 14)
  • fix port of our change enabling usage timeline for all permission groups
  • add back compiling code not built with signed integer overflow checking using -fwrapv to make it well defined
  • add back very minor hardening involving making more data read only
  • Seedvault: update to latest revision (will be replaced with a better backup implementation in the future)
  • Health Fitness: disable functionality for showing available apps, updating apps and sending feedback when Google Play is unavailable (these options may be removed completely in the future)
  • Health Fitness: check for Google Play via signature instead of whether it's a system app to support sandboxed Google Play

2023100800

This is the initial non-experimental release of GrapheneOS based on Android 14. Our initial public experimental release (2023100600) was published on October 6th so there have already been a couple days of public testing. All of our documented features are now ported to Android 14. We'll be continuing to work on fixing regressions including new Android bugs and new compatibility issues caused by our features. However, it's already stable and usable.

This release provides the full 2023-10-06 patch level for all supported devices along with the recommended security patches only included in Android 14.

Android 13 is no longer actively developed upstream and now only receives backports of the Android Security Bulletin patches, not the recommended patches included in the latest stable release of Android. Pixels are also now only supported via Android 14 and require Android 14 to achieve a patch level above 2023-10-01. Android 14 has had publicly available experimental releases since February 2023 and is already a mature OS. It also contains significant privacy and security enhancements which more than offset the attack surface from added features. These reasons are why we have so heavily prioritized porting to Android 14 and began to defer more and more of our other work until after Android 14 since around July 2023.

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2023100800 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023100300 release:

  • full 2023-10-06 security patch level
  • rebased onto UP1A.231005.007 Android Open Source Project release as the initial port of all GrapheneOS features to Android 14
  • add default-enabled toggle for automatic per-app exploit protection compatibility mode configuration
  • temporarily add Google Camera to automatic exception list for hardened_malloc
  • add back support for displaying app compilation progress at boot
  • restore Android 13 work profile pause behavior by stopping the profile from running instead of only suspending apps
  • fix cosmetic issue for adevtool envsetup.sh integration
  • adevtool: download: add option to unpack factory images
  • adevtool: collect-state: fix the output file name format
  • adevtool: collect-state: add an option to automatically make prep OS build
  • Vanadium: update to version 117.0.5938.153.0
  • Vanadium: update to version 118.0.5993.48.0
  • GmsCompatConfig: update to version 77
  • Auditor: update to version 75

2023100300

Android 14 is replacing Android 13 this month. There will no longer be any monthly or quarterly releases of Android 13, only the monthly backports of Android Security Bulletin patches. This is an early October release based on the Android Security Bulletin backports. We'll need to port to Android 14 to provide the full 2023-10-06 patch level. We've spent months porting to Android 14 in advance in order to make this migration as smooth and quick as possible. We weren't accepted as an Android partner so we don't have full early access to new major releases, but we've had partial early access to the sources and were able to do a lot of the porting in advance.

There wasn't a proper Android Open Source Project or stock Pixel OS release for September since Android 14 was meant to be released. They only shipped a release marked as having the 2023-09-01 patch level, but most patches which were going to be included in 2023-09-05 were deferred to October and most of the devices ended up providing the published 2023-09-05 patch level. Devices with a Qualcomm SoC (Pixel 4a (5G), Pixel 5, Pixel 5a) or standalone Qualcomm Wi-Fi (Pixel 7a) still need firmware/driver patches for 2023-09-05. Other supported devices (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel Tablet, Pixel Fold) were already on the 2023-09-05 patch level and will now be on the 2023-10-01 patch level. All of these devices will be quickly upgraded to the full Android 14 2023-10-05 patch level once it's released.

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

Changes since the 2023100100 release:

  • full 2023-10-01 security patch level (early release based on AOSP 13 security backports since the AOSP/stock monthly release is not available yet)

2023100100

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

Changes since the 2023091800 release:

  • fix upstream bug auto-dismissing crash dialogs
  • improve readability of native crash reports
  • Settings: remove Private DNS setting for secondary users since it's not currently per-profile like VPN configuration but rather is global like Wi-Fi configuration
  • Settings: remove connectivity check setting for secondary users
  • Dialer: disable false gesture detection for answering calls until the faulty implementation in the AOSP Dialer app is replaced
  • hardened_malloc: improve fatal error reporting to include the abort message in Android crash reports
  • Messaging: work around upstream null pointer exception bug
  • libvpx: apply patch for CVE-2023-5217 to the standalone AOSP libvpx library, which was already fixed in the 117.0.5938.140.0 release of Vanadium
  • Pixel 4, Pixel 4 XL: add upstream sensor-related app compatibility fix from the September release already included for other devices
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold): add upstream build reproducibility fix
  • GmsCompatConfig: update to version 75
  • GmsCompatConfig: update to version 76
  • Vanadium: update to version 117.0.5938.140.0
  • replace GrapheneOS themes stub app with AOSP themes stub app with our configuration ported over to it (AOSP didn't use to include a themes stub app)

2023091800

The September releases of AOSP and the stock OS came out on 2023-09-18 and are incorporated into this release. Unusually, they still set the patch level to 2023-09-01 despite having all listed patches for 2023-09-05 for some of the devices such as the Pixel 6 and Pixel 7. We left the listed patch level alone to avoid delaying the release for aesthetic reasons while we figured out where it could be raised due to delayed Qualcomm firmware patches. We shipped 2023-09-01 in our much earlier 2023090600 release but this is the official September release from AOSP and the stock OS rather than just applying the Android Security Bulletin backports to Android 13.

The strange timing and inclusion of only a single patch (Mali GPU kernel driver fix) in the September Pixel Update Bulletin is due to Android 14 being scheduled for this month but delayed to October. The Pixel Update Bulletin for Android 14 will include a large number of recommended AOSP security patches and many hardware related patches, neither of which will be backported to Android 13, so we've already put a significant effort into porting to Android 14 via our limited early access to the source code. We aim to have our Android 14 port available as soon as possible after the stable release is published due to the importance for security. It's unfortunate we don't have full access to the sources in advance like Android partners, but we've had access to more than we usually do this year and for longer due to the delay.

We've also included additional Mali GPU kernel driver patches and a libwebp patch in this release, similar to the kernel.org LTS patches we ship on a regular basis many months before Android. We'll do more of this in the future as our resources and partnerships grow, but we don't have much ability to ship firmware patches earlier until there's hardware built to run GrapheneOS.

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

Changes since the 2023090600 release:

  • integrate official September update as a replacement for the backports in the last release
  • rebased onto TQ3A.230901.001 (generic, coral), TQ3A.230901.001.B1 (tangorpro) and TQ3C.230901.001.A1 (felix) Android Open Source Project releases
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold): backport additional Mali GPU driver security fixes from Android 14 Beta 5.3
  • webp: backport fix for CVE-2023-4863 not included in the Android September security patch level
  • Settings: remove Storage manager toggle since it lacks an implementation without Play services integrated into the OS
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.131
  • Vanadium: update to version 117.0.5938.44.0
  • Vanadium: update to version 117.0.5938.44.1
  • Vanadium: update to version 117.0.5938.60.0
  • GmsCompatConfig: update to version 73
  • GmsCompatConfig: update to version 74
  • adevtool: add command for fetching info about stock OS kernels from AOSP repositories

2023090600

Tags:

  • 2023090600-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023090600 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023090600-tangorpro (Pixel Tablet)
  • 2023090600-felix (Pixel Fold)

Changes since the 2023090200 release:

  • full 2023-09-01 security patch level (early release based on AOSP 13 security backports since the AOSP/stock monthly release is not available yet)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.194
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.130
  • Vanadium: update to version 116.0.5845.172.0

2023090200

Tags:

  • 2023090200-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023090200 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023090200-tangorpro (Pixel Tablet)
  • 2023090200-felix (Pixel Fold)

Changes since the 2023080800 release:

  • add support for viewing 7 days of history in the privacy dashboard via the official toggle instead of our previous approach
  • Sandboxed Google Play compatibility layer: hide eSIM activation app from Play Store since it can't update it
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.192
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.128
  • adevtool: fix 6th generation Pixel builds with PRODUCT_ENFORCE_RRO_TARGETS to make vendor generation easier
  • adevtool: major overhaul fixing resource parsing bugs via protobuf aapt2 output, removing dependency on BUILD_BROKEN_ELF_PREBUILT_PRODUCT_COPY_FILES, verifying hashes of vendor files, unpacking via debugfs/fsck.erofs to avoid needing mount privileges on the workstation and other UX / error checking improvements
  • Vanadium: update to version 116.0.5845.78.0
  • Vanadium: update to version 116.0.5845.92.0
  • Vanadium: update to version 116.0.5845.114.0
  • Vanadium: update to version 116.0.5845.114.1
  • Vanadium: update to version 116.0.5845.163.0
  • Vanadium: update to version 116.0.5845.163.1
  • GmsCompatConfig: update to version 67
  • GmsCompatConfig: update to version 68
  • GmsCompatConfig: update to version 69
  • GmsCompatConfig: update to version 70
  • GmsCompatConfig: update to version 71
  • GmsCompatConfig: update to version 72

2023080800

Tags:

  • 2023080800-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023080800 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023080800-tangorpro (Pixel Tablet)
  • 2023080800-felix (Pixel Fold)

Changes since the 2023080700 release:

  • Sandboxed Google Play compatibility layer: fix handling of app install confirmation for the sandboxed Play Store in background processes since they're moving towards it with a partially deployed feature flag

2023080700

Tags:

  • 2023080700-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023080700 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023080700-tangorpro (Pixel Tablet)
  • 2023080700-felix (Pixel Fold)

Changes since the 2023072600 release:

  • full 2023-08-01 security patch level
  • full 2023-08-05 security patch level
  • rebased onto TQ3A.230805.001 (generic, coral), TQ3A.230805.001.B1 (tangorpro) and TQ3C.230805.001.A3 (felix) Android Open Source Project releases
  • add workarounds for upstream Android issue with user profiles causing screenshots to break the recent app list and launcher
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.187
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.120
  • Updater: add low-level ACCESS_NETWORK_STATE permission to prepare for it being required to run scheduled jobs depending on network state in Android 14
  • Vanadium: update to version 115.0.5790.166.0
  • GmsCompatConfig: update to version 65
  • GmsCompatConfig: update to version 66

2023072600

Tags:

  • 2023072600-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023072600 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023072600-tangorpro (Pixel Tablet)
  • 2023072600-felix (Pixel Fold)

Changes since the 2023072400 release:

  • Sandboxed Google Play compatibility layer: fix crash caused by regression in the previous release which was caught in Alpha/Beta testing and blocked us from releasing it to the Stable channel
  • Settings: improve GrapheneOS user management setting infrastructure
  • Settings: move run in background settings right below switch user settings
  • Settings: unify app install settings into three options for non-guest users and two for guest users and move them right above the install available apps settings
  • Settings: remove incorrect caching of default guest user manager restrictions
  • Vanadium: update to version 115.0.5790.138.0

2023072400

Tags:

  • 2023072400-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023072400 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023072400-tangorpro (Pixel Tablet)
  • 2023072400-felix (Pixel Fold)

Changes since the 2023071100 release:

  • replace our changes to AOSP APN and CarrierConfig configurations with a GrapheneOS CarrierConfig2 app for easier maintenance, improved MVNO support and support for recently added configuration options
  • add infrastructure for comparing CarrierConfig2 against Google's CarrierSettings app
  • show installer package name in error reports to help with identifying issues caused by broken installers
  • update timezone module to Android mainline 331910000
  • Sandboxed Google Play compatibility layer: support overriding ComponentEnabledSettings via GmsCompatConfig
  • Sandboxed Google Play compatibility layer: add missing string for "Missing Play Games app" notification channel name
  • Sandboxed Google Play compatibility layer: avoid uncaught exceptions with location rerouting when client only has coarse location permission
  • Vanadium: update to version 115.0.5790.85.0
  • Vanadium: update to version 115.0.5790.136.0
  • GmsCompatConfig: update to version 63
  • GmsCompatConfig: update to version 64
  • Auditor: update to version 74

2023071100

Tags:

  • 2023071100-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023071100 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023071100-tangorpro (Pixel Tablet)
  • 2023071100-felix (Pixel Fold)

Changes since the 2023070500 release:

  • Pixel Fold: rebased onto TQ3C.230705.001.C1 Android Open Source Project release
  • fix incomplete eSIM activation app initialization
  • do not allow enabling eSIM activation app on first boot due to issues from not including the Google Setup Wizard (UI explains that a reboot is required)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.186
  • SELinux policy (Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Fold): allow OemRilHookService to access IOemSlsiRadioExternal hwservice in order to avoid occasional battery drain from retries
  • Sandboxed Google Play compatibility layer: handle location rerouting inside the app using the Google Play location service to have the location permission usage and battery consumption properly attributed among other improvements
  • Sandboxed Google Play compatibility layer: notify user when "Nearby devices" perm is needed to connect to Wear OS
  • Sandboxed Google Play compatibility layer: show name of calling app in "Missing Play Games app" notification
  • GmsCompatConfig: update to version 62

2023070500

The July release of the Android Open Source Project and stock OS for the Pixel Fold is delayed, likely only for a few days. The device was just released on June 27th, with official support shipped in a GrapheneOS release on June 28th, so it doesn't make sense to do an incomplete early release. We'll include it as part of this release when the official July release is available.

Tags:

  • 2023070500-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023070500 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023070500-tangorpro (Pixel Tablet)

Changes since the 2023062800 release:

  • full 2023-07-01 security patch level
  • full 2023-07-05 security patch level
  • rebased onto TQ3A.230705.001 (generic, coral) and TQ3A.230705.001.B4 (tangorpro) Android Open Source Project releases
  • do not report pseudo-"network" location provider to be always disabled (resolves regression with network location compatibility from 2023062300)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.185
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): revert 2 f2fs garbage collection optimizations backported in the Android GKI tree since at least one of them appears to be broken, which we ran into in our previous 2023061400 release, and multiple OEMs including Xiaomi have now encountered the issue in their own testing too
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.119
  • disable unused instant app features at boot
  • disable problematic "Add users from lock screen" setting at boot
  • Settings: remove problematic "Add users from lock screen" setting
  • Dialer: re-enable false gesture detection for answering calls, which can be replaced with a newer implementation in the near future instead of it being removed
  • Settings: require device restart to disable eSIM activation app via our toggle
  • Seedvault: update to latest revision (will be replaced with a better backup implementation in the future)
  • PDF Viewer: update to version 17
  • GmsCompatConfig: update to version 61

2023062800

Tags:

  • 2023062800-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023062800 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023062800-tangorpro (Pixel Tablet)
  • 2023062800-felix (Pixel Fold)

Changes since the 2023062300 release:

  • add initial Pixel Fold support
  • replace unused BUILD_ID field with device name in release channel metadata
  • System Updater: add enforcement of device name in release channel metadata as a misuse resistance improvement
  • Settings: mark DSUs (Dynamic System Updates) as unsupported
  • Launcher: add back Storage Scopes and Contact Scopes links to launcher icon shortcuts since this is now separate from the recent apps screen
  • Pixel Tablet: set default screen rotation to landscape mode (270 degrees) since we disable auto-rotation by default (due to the manual rotate button appearing after rotation) and the current default means that the device starts locked in portrait mode in the initial setup which gives a bad impression
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): add missing non-security patch
  • Vanadium: update to version 114.0.5735.196.0
  • Auditor: update to version 73

2023062300

Tags:

  • 2023062300-coral (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • 2023062300 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)
  • 2023062301-tangorpro (Pixel Tablet)

Changes since the 2023061402 release:

  • Sandboxed Google Play compatibility layer: fix compatibility with Nearby Share with current Play services versions
  • add production ready Pixel Tablet support (we published our initial release for it on June 21st, but this is the first production release with tags)
  • ignore non-system packages for location indicator exemptions, getLocationBypassPackages(), Qualified Network Services, telephony data services, device provisioning and wlan/wwan wireless network services to resolve an upstream vulnerability in the approach to exemptions impacting the Pixel Tablet
  • Settings: hide eSIM activation app toggle when the app isn't included in the OS such as the Pixel Tablet
  • prevent adding guest user on lockscreen when adding new users on lockscreen is disabled (UI only appears on large screens such as the Pixel Tablet)
  • improve compatibility with apps trying to use a network location provider when none is available
  • fix work profile screenshot crash caused by missing configuration in AOSP
  • use unified tags based on our build number rather than the standard BUILD_ID.BUILD_NUMBER
  • Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a: set BUILD_ID to match stock OS again
  • Settings: improve our infrastructure for user management toggles
  • Settings: add toggle for preventing a user from running in the background
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.110
  • adevtool: add support for devices without a cellular baseband
  • adevtool: make adding vendor_kernel_boot partition-exists generic
  • adevtool: disable broken support for file reference overlays
  • simplify Pixel prototype check by comparing brand instead of device model
  • GmsCompatConfig: update to version 58
  • GmsCompatConfig: update to version 59
  • GmsCompatConfig: update to version 60
  • Auditor: update to version 72

2023061402

Tags:

  • TP1A.221005.002.B2.2023061402 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ3A.230605.012.2023061402 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)

Changes since the 2023061400 release:

  • enable "Enhanced PIN privacy" feature by default to disable lockscreen PIN animations (configurable via PIN screen lock settings using the gear icon)
  • fix upstream bug in Android 13 QPR3 causing crash when selecting a wallpaper
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Generic 5.10): revert update to latest GKI LTS branch revision due to it potentially causing very rare update failures that are successfully rolled back (note: this is not part of the June Android 13 QPR3 release but rather we are normally months ahead on core kernel updates due to using a bleeding edge GKI release and we'll be a little bit less ahead now)

2023061400

Tags:

  • TP1A.221005.002.B2.2023061400 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ3A.230605.012.2023061400 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, emulator, generic, other targets)

Changes since the 2023060700 release:

  • full 2023-06-05 security patch level (official AOSP and stock OS June security update was earlier today)
  • rebased onto TQ3A.230605.012 release, which is the third quarterly maintenance/feature release for Android 13 (released earlier today)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Generic 5.10): update to latest GKI LTS branch revision
  • Gallery: remove broken widgets (AOSP Gallery will eventually be replaced with a much better app)
  • Vanadium: update to version 114.0.5735.131.0
  • GmsCompatConfig: update to version 57

2023060700

Tags:

Changes since the 2023052900 release:

  • full 2023-06-01 security patch level (early release based on AOSP 13 security backports since the AOSP/stock QPR3 release is not available yet)
  • partial 2023-06-05 security patch level (full firmware and userspace patches will not be available until the AOSP/stock QPR3 release and some of the kernel changes depend on those too)
  • fix Contact Scopes UI handling of absent number/email type
  • remove E-Tugra Certificate Authority
  • Vanadium: update to version 114.0.5735.58.0
  • Vanadium: update to version 114.0.5735.61.0
  • Auditor: update to version 71
  • Camera: update to version 63
  • GmsCompatConfig: update to version 56

2023052900

Tags:

Changes since the 2023052800 release:

  • avoid disabling DNS-over-TLS resolver test queries as part of disabling connectivity checks since it breaks automatic mode
  • fix Contact Scopes regression blocking granting Contacts permission via the permission screen
  • fix native debug toggle regression
  • Pixel 7a: keep standalone project repositories in sync for the device branch

2023052800

Tags:

Changes since the 2023051600 release:

  • use GrapheneOS name by default for remaining DNS resolver name resolution tests
  • extend GrapheneOS toggle to remaining DNS resolver name resolution tests
  • port remaining GrapheneOS settings to modern GrapheneOS settings infrastructure
  • improve compatibility of revoking the Network permission by treating the network as down for more APIs
  • improve infrastructure for the Network permission
  • improve Contact Scopes user interface, fix various minor bugs and improve app compatibility
  • Dialer: support up to 12 buttons instead of 6 to work around call recording going beyond the limit
  • Messaging: update MMS configuration database based on Google Messages 20230502_01_RC04
  • Vanadium: update to version 113.0.5672.132.0
  • Vanadium: update to version 113.0.5672.163.0
  • Vanadium: update to version 114.0.5735.53.0
  • GmsCompatConfig: update to version 53
  • GmsCompatConfig: update to version 54
  • GmsCompatConfig: update to version 55

2023051600

Tags:

Changes since the 2023050500 release:

  • add initial Contact Scopes feature as an alternative to granting the Contacts permission
  • improve Storage Scopes performance and robustness
  • improve GrapheneOS package state infrastructure
  • add production ready Pixel 7a support
  • Settings: fix obtaining maximum peak refresh rate for smooth display field for devices without smooth display enabled by default (Pixel 7a)
  • factory images flash-all script: raise minimum fastboot version for Windows to 33.0.3 too
  • factory images flash-all script: add device model check to Windows too
  • carriersettings-extractor: drop unused android-prepare-vendor support (all supported devices use adevtool)
  • enable non-flattened APEX modules for all targets (previously only enabled for 6th/7th generation Pixels which have hard dependencies on it)
  • extend making userspace function pointer tables read-only
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.178
  • Auditor: update to version 70
  • GmsCompatConfig: update to version 52

2023050500

Tags:

  • TP1A.221005.002.B2.2023050500 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ2A.230505.002.2023050500 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2023050100 release:

  • add support for disabling PSDS in addition to the GrapheneOS server and standard server options
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: add support for controlling PSDS on Qualcomm SoC devices to extend PSDS configuration to them along with using the GrapheneOS PSDS cache by default
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: disable User-Agent for Qualcomm PSDS (XTRA) via xtra-daemon hooking to avoid providing device information to the server (we already removed the hardware identifier via SELinux policy in a previous release)
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: use time.grapheneos.org for XTRA NTP and qualcomm.psds.grapheneos.org for XTRA PSDS downloads by default
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: always use most complete / generic Qualcomm PSDS (XTRA) variant via xtra-daemon hooking to avoid leaking info on radio variant or region
  • Settings: improve infrastructure for GrapheneOS settings
  • Settings: port remote key provisioning setting to new infrastructure
  • Settings: move PSDS configuration to Location settings with our SUPL configuration
  • Settings: port SUPL setting to new infrastructure
  • Settings: remove icon for Internet connectivity check and remote key provisioning settings for now
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): Mali GPU driver update
  • System Updater: add TLS key pinning with expiration 2 months in the future to make TLS more useful as an additional layer of security before the 3 layers of offline update signing with downgrade protection (update package signature, update_engine payload signature and verified boot signatures) while also avoiding blocking updates on out-of-date installs falling behind changes to our TLS certificate approach
  • update timezone module to Android mainline 331314030 (based on tzdata 2023a)
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.106
  • Vanadium: update to version 113.0.5672.77.0
  • Apps: update to version 19
  • Apps: update to version 20
  • GmsCompatConfig: update to version 51

2023050100

Tags:

  • TP1A.221005.002.B2.2023050100 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ2A.230505.002.2023050100 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2023042900 release:

  • full 2023-05-01 security patch level
  • full 2023-05-05 security patch level
  • rebased onto TQ2A.230505.002 release
  • GmsCompatConfig: update to version 50

2023042900

Tags:

Changes since the 2023041100 release:

  • add Storage Scopes link to "All files access" screen
  • Launcher: revert additional padding (will need a different workaround for the upstream issue)
  • disable UWB (Ultra Wide Band) by default
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: enforce XTRA version 3 for PSDS downloads (GNSS satellite almanacs)
  • Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: fix generic certificate authority configuration for future use with our Qualcomm PSDS proxy
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: remove access to SoC information from GPS user to prevent xtra-daemon from reading SoC serial number and including it in User-Agent
  • hwui: backport null pointer check from AOSP master
  • keystore: backport generating fallback operation challenge with SecureRandom from AOSP master
  • Launcher: backport null pointer check from AOSP master
  • backport fix for Bluetooth related system_server crash
  • backport 8 media framework memory corruption fixes from AOSP master
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.177
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.104
  • kernel (5.15): enable RANDOMIZE_KSTACK_OFFSET_DEFAULT
  • kernel (5.10, 5.15): panic on memory corruption detected by kfence
  • kernel (5.10, 5.15): use hardened configuration for x86_64 GKI used by the emulator
  • GmsCompatConfig: update to version 47
  • GmsCompatConfig: update to version 48
  • GmsCompatConfig: update to version 49
  • Vanadium: update to version 112.0.5615.101.0
  • Vanadium: update to version 112.0.5615.136.0
  • Vanadium: update to version 113.0.5672.62.0
  • Vanadium: update to version 113.0.5672.62.1
  • Apps: update to version 18
  • Auditor: update to version 69
  • Camera: update to version 62

2023041100

As with the March release, the monthly Android Open Source Project and stock Pixel OS releases were rescheduled to the 2nd Monday of the month instead of the 1st Monday.

Tags:

Changes since the 2023040400 release:

  • full 2023-04-01 security patch level
  • full 2023-04-05 security patch level
  • rebased onto TQ2A.230405.003.E1 release
  • Settings: add toggle for controlling direct access to Tensor hardware accelerators (TPU, GXP) by certain Google apps for users to choose whether Google apps can use more than the portable Android hardware acceleration features such as the Neural Networks API (direct access does not give them any additional data)
  • Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro: add dynamic control over direct TPU access
  • Pixel 7, Pixel 7 Pro: add dynamic control over GXP access by Google Camera
  • add support for providing Camera vendor extensions on Pixels via Pixel Camera Services app (at the moment, only the Camera2 Night extension is available for certain devices and CameraX extensions aren't available yet)
  • add support for runtime resource overlays (RROs) to exec spawning
  • remove support for disabling app visibility filtering since our Pixel eSIM firmware app integration depends on it
  • change standard Android package installer behavior to preserve the disabled state of packages after updating them
  • Launcher: add padding to background behind app drawer search bar to work around upstream layout issue
  • Contacts: use proper theme for AndroidX dialogs to fix crash
  • System Updater: directly enforce respecting network type parameter instead of it solely depending on the JobScheduler constraint
  • System Updater: improve code quality and robustness
  • System Updater: ask the OS to allocate required storage space before starting update download
  • SELinux policy: add back app_data_file execute for adb shell run-as domain
  • Sandboxed Google Play compatibility layer: coerce Play Store into updating disabled apps by hiding disabled state from it
  • Sandboxed Google Play compatibility layer: add infrastructure for bypassing permission requirements of services provided by Play services
  • GmsCompatConfig: update to version 45
  • GmsCompatConfig: update to version 46
  • TalkBack (screen reader): update base code to 13.0 and overhaul our changes for it including removing proprietary library dependency
  • TalkBack (screen reader): update dependencies
  • kernel (5.10, 5.15): fix build for non-arm64 architectures

2023040400

Tags:

Changes since the 2023032600 release:

  • Keyboard: apply fix for upstream spell checking bug causing words followed by periods to be flagged as invalid for some configurations
  • enable auto-reboot feature by default with a very conservative 72 hour timer (i.e. the device will automatically reboot after 3 days without a successful unlock of any profile by default with users encouraged to set a shorter value to get their data automatically back at rest faster)
  • Dialer: add modernized call recording implementation using modern Android storage (no files permission) and with unnecessary cruft removed including not locking availability or playing a recording tone based on region (users are responsible for respecting regional laws including informing the other party or obtaining explicit consent if required)
  • Dialer: replace disabling bytecode optimization with a specific rule to keep fragment constructors
  • add generic compatibility shim catching the exception from the Gservices provider being missing to enable apps like Google Camera and the Pixel eSIM firmware app (Google eSIM activation app is separate) to work without GSF installed since they don't have any actual hard dependency on either GSF or Play services
  • remove unnecessary INTERNET (Network) permission from Pixel eSIM firmware app
  • enable Pixel eSIM firmware app by default instead of it being part of the eSIM activation toggle which is now only used for the eSIM activation app (Google eUICC LPA)
  • restrict Pixel eSIM firmware app from communication with non-system components to prevent it trying to get flags from GSF or a fake GSF
  • Settings: add Pixel eSIM firmware app to the list of apps which can't be disabled via GUI since it updates firmware
  • Launcher: hide "all apps" view when search starts to avoid upstream race condition where the wrong app can be opened when pressing too quickly
  • Launcher, Keyboard: drop GrapheneOS prefix from naming to match other GrapheneOS apps
  • update timezone module to Android mainline 331314020 (based on tzdata 2022g)
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10, Generic 5.15): add back our slab allocator canary feature
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10, Generic 5.15): align with linux-hardened BPF JIT configuration (always on with JIT hardening enabled in all cases)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.176
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.98
  • Settings: reimplement remote attestation key provisioning toggle via modern GrapheneOS settings infrastructure
  • Vanadium: update to version 112.0.5615.48.0
  • GmsCompatConfig: update to version 44
  • Sandboxed Google Play compatibility layer: improve support for compatibility layer development

2023032600

Tags:

Changes since the 2023032000 release:

  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.169
  • allow toggling VoWiFi while roaming by default
  • ignore carrier configuration disabling VoWiFi, VoLTE and VoNR toggles to make them available for all newly provisioned setups
  • Pixel 6, Pixel 6 Pro, Pixel 6a: add missing SELinux policy context for resku_rescue_kicker (only currently used on Pixel 6a)
  • improve infrastructure for GosPackageState and permission self-check spoofing
  • fix work profile Storage Scopes link
  • only strip out carrier configuration referring to carrier apps that are not included in GrapheneOS to improve compatibility
  • Pixel 6, Pixel 6 Pro, Pixel 6a: ship pvmfw as part of over-the-air updates for future use
  • Pixel 4, Pixel 4 XL: revert incompatible display mode change
  • Dialer: update visual voicemail (VVM) configuration database based on Google Phone 100.0.512999549
  • GmsCompatConfig: update to version 41
  • GmsCompatConfig: update to version 42
  • GmsCompatConfig: update to version 43
  • Vanadium: update to version 111.0.5563.116.0
  • Camera: update to version 61

2023032000

Extended support for the end-of-life Pixel 4 and Pixel 4 XL will continue but time is needed to resolve compatibility issues with Android 13 QPR2.

Tags:

Changes since the 2023031500 release:

  • Pixel 6, Pixel 6 Pro, Pixel 6a: switch to QPR2 stable release vendor files instead of using the QPR2 3.2 Beta release
  • Pixel 6, Pixel 6 Pro, Pixel 6a: stop freezing the patch level at a lower value which we were doing in case QPR2 3.2 Beta was missing firmware and other updates from the 2023-03-05 Pixel patch level
  • disable screenshot sound when touch sounds are disabled
  • adevtool: add support for converting privileged apps to unprivileged apps
  • adevtool: include PixelNfc app on all supported Pixels to enable support for FeliCa on Japanese Pixel models
  • adevtool: convert PixelNfc app into an unprivileged app since it doesn't need any privileged APIs
  • adevtool: implementation quality improvements
  • Settings: remove missing display resolution animation
  • CellBroadcastReceiver: drop out-of-sync translations for presidential alerts string
  • disable unnecessary auto-grant of Camera permission to eSIM activation app
  • Settings: revoke Camera permission from eSIM activation app before enabling it since it was auto-granted in the past
  • Sandboxed Google Play compatibility layer: don't spoof self permission checks that come from the compatibility layer itself
  • Sandboxed Google Play compatibility layer: add missing CHANGE_WIFI_STATE (Wi-Fi control) special access permission to the list of potential issues shown to users
  • GmsCompatConfig: update to version 39
  • GmsCompatConfig: update to version 40
  • Apps: update to version 17

2023031500

Extended support for the end-of-life Pixel 4 and Pixel 4 XL will continue but time is needed to resolve compatibility issues with Android 13 QPR2.

Tags:

  • T2B3.230109.009.2023031500 (Pixel 6, Pixel 6 Pro, Pixel 6a) — 2023-03-05 Android patch level but only 2023-03-01 Pixel patch until a March stock OS release is published with updated firmware, etc. (marked as 2023-03-01 overall patch level in the OS)
  • TQ2A.230305.008.2023031500 (Pixel 7)
  • TQ2A.230305.008.C1.2023031500 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2023031300 release:

  • keep PIN scrambling state up-to-date in all cases to make toggling it on or off kick in immediately instead of next time it opens
  • adevtool: remove overlay setting config_systemBluetoothStack to the wrong value (caused Bluetooth to break for users with exec-based spawning disabled, which is why the previous release only made it to Beta and not Stable)
  • adevtool: remove other unnecessary overlays
  • Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro: disable GSI keys

2023031300

This release includes the 2nd quarterly release of Android 13 (QPR2), which is why the March release of the Android Open Source Project and stock Pixel OS ended up rescheduled to the 2nd Monday of the month rather than the 1st Monday of the month. QPR2 includes dozens of additional recommended privacy/security patches beyond the baseline March Android Security Bulletin. Shipping the full monthly, quarterly and yearly releases rather than only the subset of patches backported to older releases and listed in the Android Security Bulletins is quite important.

We expect the official March release of the stock OS and Android Open Source Project for the Pixel 6, Pixel 6 Pro and Pixel 6a to be on March 20th (3rd Monday of the month). This release provides the full March Android Security Bulletin patches for them but the Pixel bulletin patches require an official release since the full set of changes isn't published yet.

Extended support for the end-of-life Pixel 4 and Pixel 4 XL will continue but time is needed to resolve compatibility issues with Android 13 QPR2.

Tags:

  • T2B3.230109.009.2023031300 (Pixel 6, Pixel 6 Pro, Pixel 6a) — 2023-03-05 Android patch level but only 2023-03-01 Pixel patch until a March stock OS release is published with updated firmware, etc. (marked as 2023-03-01 overall patch level in the OS)
  • TQ2A.230305.008.2023031300 (Pixel 7)
  • TQ2A.230305.008.C1.2023031300 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2023030400 release:

  • full 2023-03-01 security patch level
  • full 2023-03-05 security patch level
  • rebased onto TQ2A.230305.008.C1 release, which is the second quarterly maintenance/feature release for Android 13
  • Pixel 6a: enable and enforce TLSv1.2 for Broadcom gpsd SUPL connections rather than using SSLv2, SSLv3, TLSv1 and TLSv1.1 without TLSv1.2 enabled like the stock OS
  • disable compressed APEX support since it only wastes space when not heavily using out-of-band APEX updates and adds more verified boot attack surface
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: switch Qualcomm xtra-daemon service to standard time.xtracloud.net server from Pixel-specific time.google.com (we plan to provide the option to use GrapheneOS servers for XTRA time and PSDS data on Qualcomm devices in the future as we do for newer generation Tensor Pixels already, and we have the server-side part implemented already)
  • add infrastructure for allowing apps with INSTALL_PACKAGES to avoid trying to install the same package at the same time
  • new PIN scrambling implementation extending PIN scrambling to SIM PIN/PUK and redoing PIN scrambling each time the PIN UI is opened
  • Settings: reimplement PIN scrambling toggle via modern GrapheneOS settings infrastructure
  • Vanadium: update to version 111.0.5563.58.0
  • Camera: update to version 60
  • GmsCompatConfig: update to version 37

2023030400

Tags:

  • TP1A.221005.002.B2.2023030400 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.230205.002.2023030400 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2023022300 release:

  • override carrier selected SUPL server (usually the fallback supl.google.com) to supl.grapheneos.org by default
  • Settings: replace toggle for disabling SUPL with a new toggle for choosing between GrapheneOS proxy (default), Standard (carrier choice, usually supl.google.com) and Disabled (users with our previous disable toggle enabled will have their setting preserved as Disabled and users who had disabled it then enabled it will have Standard as the default while anyone who hasn't touched it will have the new GrapheneOS proxy as the initial setting since it's the default)
  • Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro: enable and enforce TLSv1.2 for Broadcom gpsd SUPL connections rather than using SSLv2, SSLv3, TLSv1 and TLSv1.1 without TLSv1.2 enabled like the stock OS (Pixel 6a will be changed in the next release)
  • GmsCompatConfig: update to version 35
  • GmsCompatConfig: update to version 36
  • Sandboxed Google Play compatibility layer: add debugging option to skip GNSS location updates
  • Sandboxed Google Play compatibility layer: support forcing PhenotypeFlags to their default values
  • Sandboxed Google Play compatibility layer: support spoofing self permission checks
  • Sandboxed Google Play compatibility layer: add support for GmsCompatConfig force_default_flags section
  • Sandboxed Google Play compatibility layer: add support for GmsCompatConfig spoof_self_permission_checks section
  • Vanadium: update to version 110.0.5481.154.1
  • Vanadium: update to version 111.0.5563.49.0
  • System Updater: simplify the title for the silent/collapsed already up-to-date notification
  • disallow apps reading Global/Secure settings added by GrapheneOS via the new infrastructure since we currently have no settings apps need to read
  • skip INTERNET pre-grant checkbox when installing a system app in a profile where it isn't considered installed since it doesn't work correctly
  • add infrastructure for properly handling initial installation of system apps in Apps (our app repository client)
  • improve OS debug build developer option for skipping install time fs-verity requirement
  • reuse shared infrastructure for our implementation of enforcing a greater rather than greater or equal version for package updates
  • replace disabling install time greater versionCode check in OS debug builds with a similar debug build developer option as we use for skipping fs-verity checks at install time
  • Apps: update to version 16

2023022300

Tags:

  • TP1A.221005.002.B2.2023022300 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.230205.002.2023022300 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2023021000 release:

  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.168
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.94
  • HTTPS-based network time: switch to custom X-Time header with UTC time in milliseconds to improve precision
  • HTTPS-based network time: establish HTTPS connection with another request in advance and then reuse it to improve accuracy
  • HTTPS-based network time: set clock offset field used by tests
  • HTTPS-based network time: improve logging
  • HTTPS-based network time: simplify implementation
  • reduce time update threshold to 50ms from Android's default 2000ms instead of allowing the clock to get up to 2s out-of-date
  • reduce system clock drift warning to 250ms from Android's default 2000ms
  • simplify our implementation of disabling cellular-based automatic time by using the standard permitted origin configuration
  • simplify our implementation of disabling network time refresh when automatic time is disabled (unlike GrapheneOS, Android always performs network time checks and the user only controls whether the results from any of the automatic time methods are used)
  • Messaging: avoid crash caused by upstream bug when forwarding a message
  • Seedvault: add back restore action in settings without marking it experimental
  • Settings: fix accessibility settings links for SetupWizard
  • add shared infrastructure for GrapheneOS settings and port the settings to it (improves UI of Settings)
  • Settings: only allow Owner to control our added toggle for camera availability on lockscreen since it's global
  • hardened_malloc: preserve errno for free calls (future POSIX requirement)
  • simplify infrastructure for special runtime permissions (Network, Sensors)
  • Sandboxed Google Play compatibility layer: remove obsolete shim now handled by GmsCompatConfig
  • GmsCompatConfig: update to version 33
  • GmsCompatConfig: update to version 34
  • Vanadium: update to version 110.0.5481.65
  • Vanadium: update to version 110.0.5481.154
  • use C.UTF-8 locale for build environment to avoid depending on the en_US.UTF-8 locale being available

2023021000

Tags:

  • TP1A.221005.002.B2.2023021000 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.230205.002.2023021000 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2023020600 release:

  • add toggle to Settings > Location for force disabling SUPL as a carrier-independent replacement for editing APN configuration since editing APN configuration is unintuitive, not fully respected on Tensor SoC devices and users with no carrier should be able to disable it without using airplane mode
  • Vanadium: update Chromium base to 110.0.5481.64
  • GmsCompatConfig: update max supported version of Play Store
  • Apps: update to version 15

2023020600

Tags:

  • TP1A.221005.002.B2.2023020600 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.230205.002.2023020600 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2023020200 release:

  • full 2023-02-01 security patch level
  • full 2023-02-05 security patch level
  • rebased onto TQ1A.230205.002 release
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.162
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.91
  • Seedvault: update to latest revision (will be replaced with a better backup implementation in the future)
  • Seedvault: require lock method to enable backups to prevent accessing internal app data for a device that has been unlocked without the lock method for the user profile, similar to how enabling developer options requires the lock method
  • SetupWizard: update GrapheneOS string branding
  • fix renaming of original-package Vanadium provider authorities regressed in the previous release due to the fix for an upstream Android 13 bug
  • Dialer: add dark mode to call UI dial pad
  • Pixel 4, Pixel 4 XL: switch to TP1A.221005.002.B2 (February 2022) vendor files
  • GmsCompatConfig: update max supported version of Play services and Play Store

2023020200

Tags:

This release fixes major weaknesses in Android's verified boot. Android has working protection of the firmware images, OS images and out-of-band updates to APEX components through verified boot and provides verification for every read of the data rather than actually only verifying at boot. Firmware and core OS images are fully read and verified before use. High level OS images and out-of-band APEX updates are verified dynamically when data is read via dm-verity. Unfortunately, Android doesn't have anywhere near complete/correct verification of non-APEX APK-based components including many privileged OS components implemented as apps and the apps bundled with the OS. GrapheneOS now provides an implementation of this verification to extend verified boot and hardware-based attestation to these components correctly. We previously enhanced the downgrade protection check for system updates to require a greater version rather than equal or greater due to most Android OS components not having their versionCode consistently increased when they're changed, and this is now integrated into our new verification. Fully verifying signatures of system app updates at boot isn't enough to fully extend the verified boot guarantees to them, so we're shipping signed fs-verity metadata for all our system app updates through our app repository and we're enforcing having valid fs-verity metadata for system app updates at install time and boot time. This provides continuous verification of the data provided by out-of-band package updates.

Since fs-verity is now fully enforced for installing system app updates, they can only be installed from our app repository providing the fs-verity metadata. This happens automatically via our app repository client, but you could manually download packages and fs-verity metadata to manually install them. OS releases bundle the latest releases of the bundled components so the out-of-band updates are simply a way to get updates quicker.

This release also supports out-of-band updates for Vanadium going forward due to replacing incompatible SELinux hardening with these far superior verified boot improvements along with fixing a major upstream Android 13 regression in the original-package feature causing out-of-band updates to system apps using this feature to be rolled back on reboot. Vanadium used original-package to rename the browser app from org.chromium.chrome to app.vanadium.browser so it still uses the org.chromium.chrome app id for compatibility on older installs (factory reset counts as a fresh install). Both app ids will be able to receive out-of-band updates due to our bug fix.
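
The policy described above, as a simplified model added here for illustration (not GrapheneOS or Android code): an update to a system package is used only if its versionCode is strictly greater than the OS image copy and its content matches a root hash from signed metadata, and each later read is checked against that root. The names `SystemPackage`, `accept_update`, `select_at_boot` and `verified_read` are hypothetical, the hash tree is a plain binary SHA-256 tree rather than the on-disk fs-verity format, and signature checking is abstracted into the `signed_root` field.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

BLOCK = 4096  # block size used by this model's hash tree


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_levels(data: bytes) -> List[List[bytes]]:
    """Hash levels over fixed-size blocks: leaves first, single root last."""
    leaves = [digest(data[i:i + BLOCK].ljust(BLOCK, b"\0"))
              for i in range(0, max(len(data), 1), BLOCK)]
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([digest(cur[i] + (cur[i + 1] if i + 1 < len(cur) else b""))
                       for i in range(0, len(cur), 2)])
    return levels


def root_of(data: bytes) -> bytes:
    return merkle_levels(data)[-1][0]


def verified_read(data: bytes, levels: List[List[bytes]], index: int,
                  trusted_root: bytes) -> bytes:
    """Return block `index` only if it hashes up to the trusted root.

    `data` and `levels` are what is on disk and may have been modified;
    `trusted_root` comes from the signature-checked metadata.
    """
    block = data[index * BLOCK:(index + 1) * BLOCK]
    node, pos = digest(block.ljust(BLOCK, b"\0")), index
    for level in levels[:-1]:
        sibling = level[pos ^ 1] if (pos ^ 1) < len(level) else b""
        node = digest(node + sibling) if pos % 2 == 0 else digest(sibling + node)
        pos //= 2
    if node != trusted_root:
        raise OSError(f"hash tree mismatch reading block {index}")
    return block


@dataclass(frozen=True)
class SystemPackage:
    name: str
    version_code: int
    apk: bytes
    # Root hash taken from metadata whose signature has already been checked
    # against a trusted key; None models missing or unsigned metadata.
    signed_root: Optional[bytes] = None


def upstream_version_ok(image: SystemPackage, update: SystemPackage) -> bool:
    """Equal-or-greater rule that the stricter check replaces."""
    return update.version_code >= image.version_code


def accept_update(image: SystemPackage, update: SystemPackage) -> Tuple[bool, str]:
    """Install-time policy: strictly newer and covered by signed metadata."""
    if update.version_code <= image.version_code:
        return False, "versionCode is not greater than the OS image copy"
    if update.signed_root is None:
        return False, "no signed fs-verity metadata"
    if root_of(update.apk) != update.signed_root:
        return False, "content does not match signed root hash"
    return True, "ok"


def select_at_boot(image: SystemPackage,
                   update: Optional[SystemPackage]) -> SystemPackage:
    """Boot-time policy: re-run the checks, fall back to the OS image copy."""
    if update is not None and accept_update(image, update)[0]:
        return update
    return image


if __name__ == "__main__":
    apk = b"A" * BLOCK + b"B" * BLOCK + b"C" * 100   # constructed sample content
    image = SystemPackage("app.example", 100, b"image copy")
    same = SystemPackage("app.example", 100, apk, root_of(apk))
    newer = SystemPackage("app.example", 101, apk, root_of(apk))
    print(upstream_version_ok(image, same), accept_update(image, same))
    print(accept_update(image, newer))
    # Content changed after the boot-time checks passed: block 0 still reads,
    # block 1 fails at read time.
    tampered = apk[:BLOCK] + b"X" * BLOCK + apk[2 * BLOCK:]
    print(verified_read(tampered, merkle_levels(apk), 0, newer.signed_root)[:4])
    try:
        verified_read(tampered, merkle_levels(apk), 1, newer.signed_root)
    except OSError as exc:
        print(exc)
```

The same-versionCode package passes the equal-or-greater rule but is rejected by the strict one, and the tampered block is caught on read even though the install-time and boot-time checks had already succeeded.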

Changes since the 2023012500 release:

  • Settings: fix issue preventing users from re-enabling system apps they previously disabled which can no longer be disabled
  • fix upstream Android bug causing out-of-band updates to system components using original-package to be rolled back after reboot if they're still using the old package name, which will allow us to ship Vanadium updates out-of-band without the browser package updates being rolled back for users with an older install where it's still org.chromium.chrome instead of app.vanadium.browser
  • SELinux policy: drop base OS apk_data_file restrictions to avoid blocking out-of-band updates to APK-based system components (this was a minor security feature that's being replaced with our recent and ongoing improvements to package manager and verified boot security to close major weaknesses in the standard Android verified boot security model)
  • disable package parser cache since it provides a verified boot bypass for system component updates for regular boots while saving less than a second of boot time
  • perform additional boot-time checks on system package updates in order to extend verified boot to out-of-band system package updates including enforcing having valid signed fs-verity metadata for continuous verification (Android does not even provide working boot-time verification for out-of-band APK updates for non-APEX components)
  • reimplement requiring fs-verity when installing system package updates in a better way
  • remove unnecessary warning for failed virtual A/B sideloaded updates since it's atomic just like A/B updates
  • drop our extension to the install available apps feature (which is still available, without this extension) making it work for apps not installed in Owner since this is risky in a situation where there are actually separate people using secondary users and while we want to provide this feature, we'd need to come up with a way to address this to add it back
  • SetupWizard: stop enabling Wi-Fi automatically
  • SetupWizard: stop sending unused sticky broadcast
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.89
  • kernel (Pixel 7, Pixel 7 Pro): update Mali GPU driver to QPR2 Beta 3 release
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): update base kernel to Android 13 QPR2 Beta 3 providing 2023-02-05 security patch level for the kernel
  • Apps: update to version 14
  • Auditor: update to version 68
  • Camera: update to version 59
  • Vanadium: update Chromium base to 110.0.5481.61
  • GmsCompatConfig: update max supported version of Play services and Play Store

2023012500

Tags:

Changes since the 2023011000 release:

  • don't send IMSI / Phone number to SUPL server when SUPL is enabled (note: using SUPL is always an optional choice on GrapheneOS, unlike AOSP and the stock OS)
  • SELinux policy: drop auditing for apk_data_file execute/execute_no_trans (research is done)
  • SELinux policy: add back apk_data_file execute/execute_no_trans for adb shell for debugging use cases (removing it isn't really useful for hardening and we plan on hardening ADB for the verified boot model another way)
  • Settings: revert to standard Android 13 minimum threshold of 10% for automatic battery saver since lowering it below 10% doesn't work as intended without more invasive changes outside the scope of GrapheneOS
  • fully disallow installing instant apps instead of permitting ADB shell and system apps to do it (this will simplify future work)
  • extend self app-op spoofing used for Network permission compatibility to unsafeCheckOpRaw()
  • fix upstream bug causing crash from isServiceTokenValidLocked() being called without holding the lock
  • Sandboxed Google Play compatibility layer: support enabling compatibility layer for any package on debuggable builds to help with development
  • Sandboxed Google Play compatibility layer: coerce Play Store into not attempting to auto install AR services
  • Sandboxed Google Play compatibility layer: fix issues with Play Store updates of Play services
  • Sandboxed Google Play compatibility layer: avoid our implementation of the Play services location API returning null for getCurrentLocation() to avoid crashes in apps not handling it
  • Sandboxed Google Play compatibility layer: increment compatibility layer version to 1001
  • Sandboxed Google Play compatibility layer: use the most recent available version map in GmsCompatConfig to simplify defining configuration
  • Sandboxed Google Play compatibility layer: improve stack trace parser used for dynamic exception shims
  • Sandboxed Google Play compatibility layer: add shim for making Bluetooth adapter discoverable
  • Sandboxed Google Play compatibility layer: improve UX for "Action required in Play Store" notification
  • Sandboxed Google Play compatibility layer: add new shims to support requesting temporary screen capture from the user via the standard unprivileged approach for Chromecast screen casting (currently lacks shims to support audio capture)
  • GmsCompatConfig: add stub for LocationManager.registerGnssStatusCallback()
  • GmsCompatConfig: update max supported version of Play services and Play Store
  • stop re-enabling deprecated 2-button navigation option since Android no longer has official support for it and is gradually breaking support for it including making changes knowingly introducing bugs with it since it's not meant to be used (traditional 3-button navigation is still fully supported)
  • Settings: add GrapheneOS Camera to list of mandatory components since only system camera apps can provide the media capture intents required by other apps on Android 11 and above (can still be disabled via ADB but we want to avoid easy ways to break the OS in the UI)
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.80
  • extend the install available apps feature (allows Owner user to install apps in other users) to apps only installed in secondary profiles
  • Apps: update to version 13
  • add GrapheneOS fs-verity public key as a supported key
  • require fs-verity for installing system app updates (will be enforced at boot for verified boot enhancement in a future release due to the need to phase in the feature properly because of future out-of-band app updates on earlier OS releases)
  • Vanadium: update Chromium base to 109.0.5414.118
  • SettingsIntelligence: drop no longer required QUERY_ALL_PACKAGES permission now that more precise queries are defined upstream providing the necessary package visibility for Settings app search

2023011000

Tags:

Changes since the 2023010300 release:

  • fix upstream bug leading to AppOps being reset after reboot (may occur for users one last time due to corrupt state from before this update)
  • add more logging to resolve another upstream AppOps bug
  • enable adaptive brightness by default
  • Sandboxed Google Play compatibility layer: improve logging of GmsCompatConfig parser errors
  • Sandboxed Google Play compatibility layer: update BluetoothAdapter.enable() shim for Android 13
  • Sandboxed Google Play compatibility layer: fix deadlock when reading state of "Google Location Accuracy" toggle
  • Sandboxed Google Play compatibility layer: delay notification about Google Play crash until after potential config update
  • Sandboxed Google Play compatibility layer: allow bound Google Play apps to request update of GmsCompatConfig
  • Sandboxed Google Play compatibility layer: don't block Play Store from installing APK splits for Play services and itself
  • Sandboxed Google Play compatibility layer: try to update GmsCompatConfig before update of Play services or Play Store
  • GmsCompatConfig: update max supported versions of Play services and Play Store
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.161
  • Settings: hide missing illustration for quickly open camera not covered by our earlier fix
  • kernel (Pixel 7, Pixel 7 Pro): update Mali GPU driver to QPR2 Beta 2 release
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): update base kernel to Android 13 QPR2 Beta 2
  • Vanadium: update Chromium base to 109.0.5414.86
  • Apps: update to version 12
  • switch to signing OS source releases (Git tags) with OpenSSH instead of GPG to fully phase out usage of our GPG key (public key list: allowed_signers, key rotation proof via signify: allowed_signers.sig, key rotation proof via GPG: allowed_signers.asc)

2023010300

Tags:

Changes since the 2022122700 release:

  • full 2023-01-01 security patch level
  • full 2023-01-05 security patch level
  • rebased onto TQ1A.230105.002 release
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a): add Valve Steam Controller driver security fix from the January release not already included in the QPR2 Beta 1 kernel we use as the base (was already included for other devices)
  • add sandboxed Play Store to the dependencies of Google's eUICC packages (eSIM)
  • eUICC compat toggle (eSIM): listen and react to changes to relevant packages
  • add extra logging to debug upstream issue causing AppOps to be reset after reboot
  • fix upstream bug in lite package parser causing targetSdkVersion to not be read in all cases which among other things was causing Android 12+ unattended update support to fail for updating PayPal without user intervention
  • TalkBack (screen reader): revert base code update due to multiple upstream regressions such as Braille keyboard crashes until these issues are resolved
  • System Updater: replace icons with new Material symbols
  • System Updater: use dedicated icons for success and failure notifications
  • Vanadium: enable new third party storage partitioning
  • Storage Scopes: don't show the link for system components with force enabled storage permissions
  • Apps: update to version 8
  • Apps: update to version 9
  • Apps: update to version 10
  • Apps: update to version 11
  • GmsCompatConfig: update max supported versions of Play services and Play Store

2022122700

Tags:

  • TP1A.221005.002.2022122700 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.221205.011.2022122700 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2022122000 release:

  • fix upstream Android 13 QPR1 recent apps list bug mainly triggered after user profile switches (Android 13 QPR1 "App not available" bug)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision which provides a proper fix for a backport mistake we discovered and reported
  • block updating system packages to versions with the same versionCode since system packages without releases outside the OS rarely have their versionCode increased when changes are made and therefore it makes it possible to downgrade them which is a security weakness in Android's approach
  • prefer package from OS image over equal version packages installed as an update to improve security by dropping potentially downgraded packages particularly for the verified boot security model, with the bonus of saving disk space by dropping out-of-band updates installed from our app repository once they're redundant
  • add an API for system apps with the privileged INSTALL_PACKAGES permission to search for packages across all profiles in order to avoid redownloading packages that are already installed in another user and to prevent attempting to downgrade a package with a newer version already installed in another user (used by the GrapheneOS app repository client within GrapheneOS to provide a better experience than it can when not integrated into the OS)
  • restore previous lockscreen clock font from before Android Open Source Project 13 QPR1 since the stock Pixel OS overrides it and most people seem to prefer the previous font
  • TalkBack (screen reader): update base code to 13
  • TalkBack (screen reader): update dependencies

2022122000

Tags:

  • TP1A.221005.002.2022122000 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.221205.011.2022122000 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2022121400 release:

  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.78
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.157
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): revert 5.10.157 IRQ changes breaking boot on Pixel 7 and Pixel 7 Pro
  • adevtool: stop including unused install constraint configuration
  • adevtool: stop including stock OS root CA database
  • include Apps (app repository client) in managed profiles by default in order to support installing / updating sandboxed Google Play
  • change DNS-over-TLS connectivity check to querying for randomstring-dnsotls-ds.dnscheck.grapheneos.org rather than randomstring-dnsotls-ds.metric.gstatic.com when the connectivity check mode is set to the default GrapheneOS mode (note: no connection is made to the resolved IP based on the DNS query, this is only used to check if the DNS resolver works and we're mainly changing this for aesthetic reasons)
  • Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro: switch to more generic broadcom.psds.grapheneos.org name for our Predicted Satellite Data Service (PSDS) cache instead of google.psds.grapheneos.org since we're obtaining it directly from Broadcom rather than Google's cache and it isn't Pixel specific but rather could be used with any Broadcom GNSS (GPS, GLONASS, etc.) chip
  • Dialer: disable showing homescreen wallpaper
  • fix Storage Scopes interaction with pre-granted storage permissions for system apps
  • fix upstream issue causing factory images flashing script to break with paths containing spaces on systems where /bin/sh isn't bash such as Debian-based distributions where dash is used instead

2022121400

Tags:

  • TP1A.221005.002.2022121400 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.221205.011.2022121400 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2022121100 release:

  • kernel (Pixel 7, Pixel 7 Pro): update Mali GPU driver to r38p1 along with other changes included in the QPR2 Beta 1 including a bunch of security fixes previously neglected upstream (GrapheneOS will continue applying further updates downstream)
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): update base kernel to Android 13 QPR2 Beta 1 to ship many security patches early
  • fix app label for draw over other apps in secondary profiles
  • fix toast color not changing with theme changes
  • Settings: hide missing illustrations
  • SELinux policy (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): remove unused domains and keys to reduce attack surface
  • Messaging: add dark theme
  • Vanadium: update Chromium base to 108.0.5359.128
  • adevtool: avoid needing manual changes for vendor state generation builds
  • use clone-depth="1" for prebuilts repositories in the pantah kernel manifest for a much more lightweight repo sync

2022121100

Tags:

  • TP1A.221005.002.2022121100 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.221205.011.2022121100 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2022120700 release:

  • resolve upstream bug in Android 13 QPR1 causing screen brightness dimming on user profile changes
  • Settings: replace hard-wired refresh rate in the text for the smooth display toggle with the actual max refresh rate used for the device model (Android has the string hard-wired to say 90Hz and expects the device to provide an overlay with the correct string which isn't present in AOSP for Pixels)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.156
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.77
  • Sandboxed Google Play compatibility layer: new infrastructure for controlling Play Store updates of Play Store and Play services with a max version of Play services and the Play Store set via GmsCompatConfig and an override toggle for allowing it to update to any version
  • Sandboxed Google Play compatibility layer: hide GrapheneOS Auditor variant (app.attestation.auditor) from the Play Store so it doesn't try to update it (note: we plan to fully switch to app.grapheneos.auditor.play for the Play Store and we can remove this workaround once we unpublish the GrapheneOS variant of the app there and stop updating it)
  • Pixel 7, Pixel 7 Pro: remove unused Google Camera SELinux policy
  • Auditor: update to version 67
  • Camera: update to version 58

2022120700

Tags:

  • TP1A.221005.002.2022120700 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.221205.011.2022120700 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2022120600 release:

  • Launcher: fix Recent Apps activity crashing when using the TalkBack screen reader due to an incorrect port of the Storage Scopes shortcut to Android 13 QPR1

2022120600

Tags:

  • TP1A.221005.002.2022120600 (Pixel 4, Pixel 4 XL) — extended support release for legacy devices with frozen 2022-11-01 patch level
  • TQ1A.221205.011.2022120600 (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, emulator, generic, other targets)

Changes since the 2022120300 release:

  • full 2022-12-01 security patch level
  • full 2022-12-05 security patch level
  • rebased onto TQ1A.221205.011 release, which is the first quarterly maintenance/feature release for Android 13
  • Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro: rewrite under display fingerprint scanner integration
  • Sandboxed Google Play compatibility layer: set GmsCompat versionCode to 1000 (v1) to prepare for defining dependencies on the compatibility layer version for the Google Play apps mirrored in our app repository
  • Pixel 6, Pixel 6 Pro, Pixel 6a: use Scudo instead of hardened_malloc for camera service for consistency with the Pixel 7 and Pixel 7 Pro until memory corruption issues with it are resolved
  • add back support for OS device controls and wallet quick tiles
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.152
  • PDF Viewer: update to version 16

2022120300

Tags:

Changes since the 2022113000 release:

  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a): add back our change enabling ARM64_SSBD now that upstream issues with it are resolved for this branch
  • Sandboxed Google Play compatibility layer: avoid chain crash of GmsCompat app following process death from OOM killer, etc.
  • Vanadium: update Chromium base to 108.0.5359.79
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.76
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10): update to latest GKI LTS branch revision
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): update Mali GPU driver to r37p0 (current release is r41p0 but there are substantial changes to the driver for the Tensor SoC on Pixels and it will take substantial work to upgrade all the way)
  • remove broken, obsolete upstream code causing install permissions defined by user installed apps not being automatically granted for user installed apps installed before the app defining the permissions unless the app is reinstalled
  • Messaging: update MMS configuration database based on Google Messages 20221115_01_RC01
  • Dialer: update visual voicemail (VVM) configuration database based on Google Phone 90.0.477356402
  • Dialer: adjust VVM configuration database entries for compatibility with AOSP

2022113000

Tags:

Changes since the 2022112500 release:

  • Vanadium: update Chromium base to 108.0.5359.61
  • Pixel 7, Pixel 7 Pro: set QNS package name to fix compatibility issues with Wi-Fi calling
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to Linux 5.15.75
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Generic 5.10, Generic 5.15): apply patches for remotely exploitable Bluetooth vulnerabilities (CVE-2022-42895, CVE-2022-42896)

2022112500

Tags:

Changes since the 2022111800 release:

  • Sandboxed Google Play compatibility layer: fix missing handling of APEX ListSlices in dynamic stubs (improves compatibility when granting Nearby devices permission to Play services with a WearOS device connected)
  • Sandboxed Google Play compatibility layer: mark PackageInstallerStatusForwarder as not exported
  • Settings: avoid OBB toggle unnecessarily force stopping app
  • extend original-package renaming to static launcher shortcuts to fix Vanadium new tab shortcut for users with an install predating the package rename
  • Camera: update to version 57
  • Vanadium: update Chromium base to 107.0.5304.141
  • Contacts: add support for dark mode
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): restore fix for CVE-2022-3176 which was reverted upstream (GKI LTS branch) due to not being marked as a security fix and changing the GKI ABI
  • Pixel 4, Pixel 4 XL: set frozen patch level string to 2022-11-01 (has been provided since the 2022110800 release but we initially left the patch level string at the previous value)
  • port GrapheneOS changes to Linux 5.15 GKI LTS branch in order to prepare for 6th/7th generation Pixels potentially moving to the Linux 5.15 LTS and late 2023 devices which will be based on it

2022111800

Tags:

Changes since the 2022111000 release:

  • don't skip ahead-of-time (AOT) compilation of apps that weren't recently used since we depend on full AOT compilation being done for performance rather than JIT compilation with background JIT profile guided AOT compilation like Android
  • battery usage UI: use fallback name for unknown components
  • change minimal value of battery saver schedule to 5% again as it was before Android 13
  • enable the post-upgrade "Optimizing apps" progress indication UI
  • app crash UI: show process uptime and optional extra text
  • Sandboxed Google Play compatibility layer: show version of GmsCompatConfig in the crash UI
  • Sandboxed Google Play compatibility layer: stop splitting multi-package PackageInstaller sessions
  • Sandboxed Google Play compatibility layer: improve handling of activity starts
  • Sandboxed Google Play compatibility layer: bugfix: Parcel position wasn't reset by dynamic stubs
  • Sandboxed Google Play compatibility layer: bugfix: missing handling of ListSlices in dynamic stub
  • GmsCompatConfig: make sure Play Store PhenotypeFlags are overridable by Gservices flags (further deterring Play Store trying to update Play services / Play Store beyond supported versions)
  • Pixel 7, Pixel 7 Pro (adevtool): drop unused face unlock components since we have no plans to enable support for an insecure face unlock implementation incapable of providing reasonable security due to lack of dedicated face unlock hardware (Pixel 4 and Pixel 4 XL had dual infrared cameras, IR dot projector and IR flood illuminator providing a more secure biometric unlock system than fingerprint unlock as opposed to simply using the front camera in a way that could be done on any device)
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro: include gril library to avoid qns crash on Pixel 7 and Pixel 7 Pro
  • Pixel 7, Pixel 7 Pro: include vendor_kernel_boot partition requirement in factory images metadata to force an error with an incompatible fastboot such as the currently buggy Arch Linux package
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): update GKI to Linux 5.10.150
  • Auditor: update to version 66

2022111000

Tags:

Changes since the 2022110800 release:

  • remove TrustCor Certificate Authority due to malicious domain squatting and ties to entities involved in surveillance; this should have very little impact on web compatibility since this CA is barely used by anyone other than a specific dynamic DNS provider
  • ignore wireless alert channels being marked as always-on to prevent channel configuration overriding presidential alert toggle
  • GmsCompatConfig: change app label from "GmsCompat config" to "GmsCompatConfig"
  • GmsCompatConfig: disable TelecomTaskService to resolve sandboxed Google Play services crash caused by feature flag
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): update base kernel to Android 13 QPR1 Beta 3 to ship the December security update and many other search patches early
  • Vanadium: update Chromium base to 107.0.5304.105

2022110800

Tags:

Changes since the 2022110600 release:

  • full 2022-11-01 security patch level
  • full 2022-11-05 security patch level
  • rebased onto TP1A.221105.002 and TD1A.221105.001 releases
  • DocumentsUI: fix crash in "Get info" screen for images with location metadata caused by upstream bug

2022110600

Tags:

Changes since the 2022110400 release:

  • extend original-package renaming to provider authorities for Vanadium
  • remove upstream workaround added in 2016 for legacy launchers since it creates a device-wide package list leak for apps installed in the owner user when a work profile is active
  • block updates of GSF, Play services and the Play Store by any app other than the GrapheneOS app repository or the Play Store itself to prevent users updating to unsupported versions from Aurora Store or elsewhere before the sandboxed Google Play compatibility layer has well tested official support for them
  • show presidential alerts toggle for all carriers without the alert channels disabled

2022110400

Tags:

Changes since the 2022102800 release:

  • GmsCompatConfig: stub out privileged UserManager.getUserName() needed by a newer version of Play services than we currently mirror in our app repository
  • set up Android 13 QR scan quick tile for GrapheneOS Camera
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): disable BINFMT_MISC
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a): add back our change enabling UNMAP_KERNEL_AT_EL0 now that upstream issues with it are resolved for this branch
  • allow toggling presidential alerts (toggle will not yet be shown for most carriers until the next release)
  • Vanadium: change app id to app.vanadium.browser while using original-package to keep using org.chromium.chrome for existing installs (until factory reset) to preserve compatibility and user data
  • Pixel 7, Pixel 7 Pro: replace UWB and EUICC certificates
  • Messaging: update MMS configuration database based on Google Messages 20221018_01_RC01
  • Camera: update to version 53
  • Camera: update to version 54
  • Camera: update to version 55
  • Camera: update to version 56
  • Auditor: update to version 65

2022102800

Tags:

Changes since the 2022102600 release:

  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): enable DEBUG_SG
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): enable DEBUG_CREDENTIALS
  • Vanadium: update Chromium base to 107.0.5304.91
  • backport many upstream fixes for clat including a more complete set of fixes for the compatibility issue impacting all Android 13 operating systems between VPN lockdown and certain IPv6-only mobile data configurations along with fixing other issues with these setups

2022102600

Tags:

Changes since the 2022102300 release:

  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): fix upstream compatibility issue preventing using better hashing algorithms than sha1 for kernel module signing with BoringSSL
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): switch from standard GKI kernel module signing (used to enforce protected symbol rules for vendor modules) to forced kernel module signing as an additional lower level layer of security beyond the verification already provided by verified boot and SELinux
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): enable lockdown LSM in forced confidentiality mode as an additional lower level layer of security beyond the verification already provided by verified boot and SELinux
  • Pixel 7, Pixel 7 Pro: handle readlink system call failing in a friendlier way for detection of the camera service executable
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro: add back Pixel charger mode animation override removed in the 2022101600 release (fallback images aren't included on the Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7 and Pixel 7 Pro so this was completely missing on those devices)
  • disable unnecessary ldisc_autoload feature (no relevant modules available for it to load anyway)
  • backport fix for crosvm locking up after suspend/resume
  • Vanadium: update Chromium base to 107.0.5304.54
  • Sandboxed Google Play compatibility layer: stop special casing GmsCompat as force queryable by marking it that way directly
  • Sandboxed Google Play compatibility layer: improve shim for background activity starts
  • Sandboxed Google Play compatibility layer: add PackageManager.getPackagesForUid() shim
  • Sandboxed Google Play compatibility layer: update link to "Google Location Accuracy" activity to match the style of the Settings app
  • Sandboxed Google Play compatibility layer: add early rejection of getCurrentLocation() requests to avoid unnecessary battery usage and location indicator when we're going to reject the request anyway
  • Sandboxed Google Play compatibility layer: check request granularity when issuing app-op checks to fix a case where apps can be blamed for doing a fine location check when they only did a coarse location check (no user-facing impact since the location history / indicator makes no distinction and it was correctly enforced for permission enforcement already)

2022102300

Tags:

Changes since the 2022101800 release:

  • GmsCompatConfig: stub out privileged BluetoothDevice#setSilenceMode
  • GmsCompatConfig: disable CAST_CONNECTION_NOTIFY popup dialogs
  • GmsCompatConfig: fix crash in FastPair service
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): update GKI to Linux 5.10.149
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): replace upstream default of sha1 with sha256 for module signing (GKI devices rely on verified boot for vendor modules and only use module signing for GKI modules of which there are currently 0, but it should be using a secure hash in case there are ever GKI modules and for when we extend it to vendor modules as a lower level 2nd layer of security not depending on userspace)
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): enable forced kernel module signing with a per-build signing key (RSA 4096 / sha256) as an additional lower level layer of security beyond the verification already provided by dm-verity and SELinux
  • kernel (Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): disable IP_SCTP
  • kernel (Pixel 4a): enable REFCOUNT_FULL
  • Pixel 7, Pixel 7 Pro: fix bug in detection of the camera service executable for the memory corruption workaround added in the previous release (inconsequential in practice for this specific case of the bug)
  • Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro: load AoC firmware via daemon (aocd) to match stock OS
  • Auditor: update to version 64

2022101800

Tags:

Changes since the 2022101600 release:

  • Pixel 7, Pixel 7 Pro: work around memory corruption bug(s) in the camera service by using Scudo instead of hardened_malloc for the camera service process
  • Sandboxed Google Play compatibility layer: fix location rerouting API compatibility issue with the new Play services update that's currently in our app repository Alpha and Beta channels
  • Settings: add PSDS server configuration for Pixel 7 and Pixel 7 Pro
  • Auditor (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a): update to version 63

2022101600

Tags:

Changes since the 2022101500 release:

  • Vanadium: add back 32-bit WebView support primarily due to a certain F-Droid repository distributing 32-bit-only APKs to save storage space since they lack split APK support and are incorrectly assuming 64-bit devices support 32-bit apps (Pixel 7 and Pixel 7 Pro have finally dropped 32-bit app support so we'll be able to build and ship 64-bit-only Vanadium on those devices, but we don't want to break existing setups on previous generation devices)
  • don't auto-revoke Sensors/Network permissions when 'freezing' apps with device managers
  • GmsCompatConfig: disable WearableDataListenerService
  • raise minimum supported fastboot version for the factory images flashing scripts to 33.0.3
  • adevtool: exclude additional prebuilt files
  • Auditor (Pixel 7, Pixel 7 Pro): update to version 63 (update was not released in time to be bundled with older devices)

2022101500

Tags:

Changes since the 2022101400 release:

  • improve wording for sensor access notification
  • use parent profile settings for Sensors permission auto-grant toggle in work profile
  • Sandboxed Google Play compatibility layer: ability to override SharedPreferences-backed PhenotypeFlags
  • Sandboxed Google Play compatibility layer: overhaul reimplementation of the Play services geolocation API used by the default enabled location request rerouting mode to support new APIs added by recent Play services releases along with fixing compatibility issues in the existing implementation
  • raise minimum supported fastboot version for the factory images flashing scripts to 33.0.1 since it will be required for the Pixel 7 and Pixel 7 Pro
  • Settings: backport and configure intent configuration related to styles and wallpaper configuration activities to make the device branch for the Pixel 7 and Pixel 7 Pro easier to maintain
  • prepare for future Pixel 7 and Pixel 7 Pro support by adding them to the device lists for device prototype checks and PSDS configuration
  • Auditor: update to version 61
  • Auditor: update to version 62

2022101400

Tags:

Changes since the 2022101200 release:

  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): apply patches for remotely exploitable upstream Linux kernel Wi-Fi vulnerabilities disclosed on October 13th (CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722) along with additional related fixes
  • revert exploit protection compatibility mode suggestion notification since there are too many false positives and it encourages unnecessarily disabling many of our added exploit protections for an app along with creating the concern that we'll be suggesting disabling protections after they successfully block exploitation
  • Vanadium: update Chromium base to 106.0.5249.126
  • Vanadium: switch to 64-bit only releases without 32-bit WebView support. 32-bit-only apps haven't been obtainable through the Play Store on 64-bit devices since 2021-09-01, haven't been possible to publish since 2019-08-01 and the Pixel 7, Pixel 7 Pro and upcoming Pixel Tablet have fully dropped 32-bit app support. Most of the legacy 32-bit-only apps people want to run are old games which will still work fine since almost none of them require the WebView.

2022101200

Tags:

Changes since the 2022100300 release:

  • notify the user when sensors access is denied by disabled Sensors permission
  • Settings: add a toggle for auto grants of Sensors permission
  • avoid restarting process when Sensors permission is granted since it fully supports runtime toggling
  • add a toggle for turning off auto grant of Network permission to package installation UI
  • don't auto-grant denied special runtime permissions (Sensors, Network) after app data reset
  • Storage Scopes: fix denial of app ops that are allowed by default
  • Storage Scopes: fix showing storage permission prompt in certain cases
  • add notification with suggestion to try exploit protection compatibility mode when apps die in certain ways (will require some thought on wording, etc. to reduce the chance of users enabling this after an actual exploit is successfully mitigated)
  • Sandboxed Google Play compatibility layer: support intercepting SynchronousResultReceiver exceptions
  • Sandboxed Google Play compatibility layer: improve handling of pending intents
  • Sandboxed Google Play compatibility layer: silence notification channels by default
  • Sandboxed Google Play compatibility layer: improve infrastructure for GmsCompatConfig shims
  • Sandboxed Google Play compatibility layer: notify the user that Contacts sync can be enabled
  • Sandboxed Google Play compatibility layer: notify when an app requires the Speech Services app
  • Sandboxed Google Play compatibility layer: fix Google account removal caused by attempt to use privileged APIs leading to an error blocking it
  • GmsCompatConfig: fully disable com.google.android.westworld
  • GmsCompatConfig: disable OS update service to prevent it crashing from lack of access
  • GmsCompatConfig: add BluetoothDevice shims
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): update GKI base to ASB-2022-10-05_13-5.10
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): switch back to full LTO from thin LTO now that the compilation compatibility issue is resolved
  • Pixel 4a: raise maximum number of users to 32 to match other devices (was being overridden by device overlay)
  • Dialer: update visual voicemail (VVM) configuration database based on Google Phone 90.0.477356402
  • Messaging: update MMS configuration database based on Google Messages 20220926_01_RC01
  • Vanadium: update Chromium base to 106.0.5249.118
  • Camera: update to version 52
  • Auditor: update to version 60

2022100300

Tags:

Changes since the 2022092800 release:

  • full 2022-10-01 security patch level
  • full 2022-10-05 security patch level
  • rebased onto TP1A.221005.003 release
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): update GKI base to android13-5.10-2022-09_r1 (October maintenance release of September GKI)
  • Vanadium: update Chromium base to 106.0.5249.79
  • Auditor: update to version 59
  • Camera: update to version 49
  • Camera: update to version 50
  • Camera: update to version 51
  • PDF Viewer: update to version 15

2022092800

Tags:

Changes since the 2022092300 release:

  • GmsCompatConfig: disable com.google.android.westworld to avoid Play services crashes
  • backport fix for clat on restricted networks (note: does not fix Android 13 compatibility issue between VPN lockdown and certain IPv6 only carrier configurations, which can be worked around by switching to an IPv4/IPv6 APN from a pure IPv6 APN)
  • Sandboxed Google Play compatibility layer: hide Stats Manager service
  • Sandboxed Google Play compatibility layer: don't report CannotDeliverBroadcastException to the user
  • Gallery: hide obsolete menu items
  • Vanadium: update Chromium base to 106.0.5249.65
  • Vanadium: add handling for ACTION_WEB_SEARCH intent
  • QuickSearchBox: drop handling for ACTION_WEB_SEARCH since Vanadium now handles it directly along with certain other browsers like Brave which makes more sense than having a search app pass it to the browser with a separate default search engine
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a): rebuild production kernel with updated metadata (no changes to code)

2022092300

Tags:

Changes since the 2022092200 release:

  • Sandboxed Google Play compatibility layer: add back Bluetooth shim unable to be covered by GmsCompatConfig hooks
  • Sandboxed Google Play compatibility layer: redirect privileged settings APIs to partial implementation by GmsCompat app
  • Sandboxed Google Play compatibility layer: stub out PermissionController activity starts
  • Sandboxed Google Play compatibility layer: prevent triggering throttling of silent package updates

2022092200

Tags:

Changes since the 2022092000 release:

  • GmsCompatConfig: set version name based on version code and change app name to a string resource for compatibility with aapt2 retrieval of application-label
  • GmsCompatConfig: fix regressions caused by the port to text file configuration of hooks
  • Sandboxed Google Play compatibility layer: fix regression caused by recent change
  • Sandboxed Google Play compatibility layer: notify about missing battery optimization exception for Play services resulting in delayed push notifications, etc.
  • Settings: show version code, target SDK version, min SDK version, install time and last update time in app info in addition to version name

2022092000

Tags:

Changes since the 2022091400 release:

  • Storage Scopes: deny storage permissions when Storage Scopes is enabled and then permit enabling storage permissions in combination with it for hybrid setups such as permitting access to all images while using storage scopes for other storage permissions
  • Storage Scopes: improve compatibility with apps checking storage permission app ops for themselves by spoofing the results
  • Sandboxed Google Play compatibility layer: skip app restart after permission grant in some cases
  • Sandboxed Google Play compatibility layer: move many compatibility shims to a text file with the possibility of dynamic updates of GmsCompatConfig along with triggering update checks via Apps after a Play services crash
  • Sandboxed Google Play compatibility layer: move away from deprecated PackageManager APIs
  • Sandboxed Google Play compatibility layer: add report to developers button to Google Play crash notifications
  • Sandboxed Google Play compatibility layer: improve compatibility shims to fix some remaining app compatibility issues
  • add GrapheneOS logo to boot animation
  • Contacts: add themed icon support
  • TalkBack (screen reader): update dependencies
  • Vanadium: update Chromium base to 105.0.5195.136
  • Auditor: update to version 58

2022091400

Tags:

Changes since the 2022091300 release:

  • hardened_malloc: disable self-init to fix exploit protection compatibility mode which regressed in the previous release
  • Vanadium: update Chromium base to 105.0.5195.124
  • Vanadium: backport fix for favicon links leak
  • Calculator, Clock, Dialer, Files, Gallery, Messaging, Settings: add themed icon support
  • Launcher: disable white gradient at the top of the home screen
  • Camera: update to version 48

2022091300

Tags:

Changes since the 2022090600 release:

  • rebased onto TP1A.220905.004.A2 release
  • hardened_malloc: increase arm64 class region size to 32GB from 2GB to provide higher entropy random bases and higher memory allocation limits since all supported devices have a 48 bit address space now
  • add missing permission to allow Settings search (SettingsIntelligence) to query all apps
  • update GrapheneOS mask used for boot animation
  • change default build target from aosp_arm to aosp_arm64
  • increase maximum users to 32 across all devices since it has been confirmed the Pixel 4 and later support 64 Weaver slots
  • Launcher: set up themed icon support (caveat: we still need to provide themeable icons for the AOSP apps and several of our own apps)
  • implement Android 13 color picker support
  • kernel (Pixel 6, Pixel 6 Pro): switch to raviole kernel/build tag as the base instead of the previously newer bluejay tag
  • Pixel 6, Pixel 6 Pro: update to mid-September TP1A.220905.004.A2 vendor files for Verizon carrier configuration updates
  • Pixel 6a: update to mid-September TP1A.220905.004.A2 vendor files for multiple improvements including the patch for CVE-2022-20231 in the TEE firmware raising patch level from 2022-09-01 to 2022-09-05 like the other devices
  • Auditor: update to version 56
  • Auditor: update to version 57

2022090600

Tags:

  • TP1A.220624.021.A1.2022090600 (Pixel 6a) — 2022-09-01 patch level until the September AOSP and stock OS release is available for bluejay to provide updated Trusty TEE firmware fixing CVE-2022-20231
  • TP1A.220905.004.2022090600 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022090400 release:

  • full 2022-09-01 security patch level
  • full 2022-09-05 security patch level
  • rebased onto TP1A.220905.004 release
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): update GKI base to ASB-2022-09-05_13-5.10
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): split raviole (Pixel 6, Pixel 6 Pro) and bluejay (Pixel 6a) kernels for now due to AOSP / stock OS differences
  • fix for Bluetooth timeout feature with BLE devices
  • remove conflicting permission from GSF when parsing the package since it appears to be set incorrectly by a build system bug and conflicts with Shannon IMS on 6th generation Pixels and is blocking us upgrading to GSF v33 via our app repository
  • Vanadium: update Chromium base to 105.0.5195.79
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: use stock OS copyright notices for product/system_ext/vendor instead of AOSP-generated ones since AOSP doesn't have modules with the notices for all of them (September 2022 release is the first release including these notices, which is why the Pixel 6a is not included yet)

2022090400

Tags:

Changes since the 2022083000 release:

  • Settings: enable install available apps feature for installing apps in a secondary user profile from the Owner profile
  • System Updater: update target API level to 33
  • System Updater: replace Material library with SettingsLib to match Settings app theme
  • System Updater: add app icon
  • Vanadium: update Chromium base to 105.0.5195.77
  • Auditor: update to version 55
  • Camera: update to version 46
  • Camera: update to version 47

2022083000

Tags:

Changes since the 2022082400 release:

  • add per-app toggle to relax memory corruption exploit protections for an app to allow users to work around buggy apps with latent bugs including many games like Diablo Immortal (uses 39-bit address space and Scudo instead of 48-bit address space and hardened_malloc along with forcing exec spawning for the app since the Zygote is always fully hardened)
  • Sandboxed Google Play compatibility layer: expand existing shims to further improve compatibility
  • improve infrastructure for GrapheneOS package state
  • improve safety of factory images flashing scripts by flashing the SoC firmware to the inactive slot, switching it to active, rebooting to it and then repeating the same thing again to get the current firmware flashed and safely boot tested for both slots (this provides a high level of safety for devices like 6th generation Pixels doing boot chain anti-rollback despite the fact that they neglected to provide firmware handling flashing safely)
  • Pixel 6, Pixel 6 Pro, Pixel 6a: erase DPM partitions in factory images flashing scripts
  • drop unused flash-base.sh from factory images to reduce maintenance burden for our safer flashing procedure
  • System Updater: catch ServiceSpecificException thrown by UpdateEngine.applyPayload(...) in some cases to properly report the error via a notification
  • System Updater: reduce connect/read timeouts from 60s to 30s
  • carriersettings-extractor: fix handling of a currently mostly unused field (not going to make any difference to users in practice, but may become more relevant in the future)
  • Seedvault: fix apk backups on Android 13
  • Storage Scopes: add support for Android 13 image picker
  • Storage Scopes: add link to storage scopes configuration from launcher recent apps activity for apps with it enabled for convenient configuration of file/directory scopes
  • improve app compatibility with Network toggle for DownloadManager and NsdManager
  • use 1.1.1.1 instead of 8.8.8.8 as the arbitrary IP for MTU detection in CLAT initialization (could be made configurable in the future)
  • Vanadium: update Chromium base to 105.0.5195.68

2022082400

Tags:

Changes since the 2022082301 release:

  • Pixel 6, Pixel 6 Pro, Pixel 6a: rewrite under display fingerprint scanner integration
  • Sandboxed Google Play compatibility layer: don't report spurious DeadSystemRuntimeException exceptions
  • Contacts: stop hiding local storage when a Google account is present in the profile and no contacts are saved locally
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a): add several changes missed in Android 13 port (which is why we didn't push out the last release for them)

2022082301

Tags:

  • TP1A.220624.014.2022082301 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a)
  • TP1A.220624.021.2022082301 (Pixel 6, Pixel 6 Pro)
  • TP1A.220624.021.A1.2022082301 (Pixel 6a, emulator, generic, other targets)

Changes since the 2022082300 release:

  • Seedvault: add missing notification permission
  • pre-grant notification permission to Contacts, Apps, Camera, Auditor and Seedvault
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a): patch CVE-2022-2588 which is not exposed to anything other than the privileged (CAP_NET_ADMIN) netd process, network HALs (Bluetooth, Wi-Fi, cellular, etc.) and network helper services within the OS such as ppp
  • Pixel 6, Pixel 6a, Pixel 6 Pro: fix Wi-Fi HAL configuration to fix Wi-Fi hotspot
  • Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a: fix inclusion of our kernel builds in published manifest

2022082300

Tags:

Changes since the 2022082200 release:

  • add back LTE only mode support for world mode (dual CDMA + GSM networks)
  • ThemePicker: add missing null check for Monet toggle
  • grant notifications permission to System Updater by default for fresh installs

2022082200

Tags:

Changes since the 2022082100 release:

  • pre-grant notifications permission to the Clock app
  • fix automatic notification grants
  • Clock: use correct intent for opening notification settings
  • Clock: protect broadcast receivers including not allowing other apps to snooze or dismiss alarms (upstream problem)
  • Contacts: fix VCF import by removing obsolete READ_EXTERNAL_STORAGE permission usage
  • Theme Picker: fix our added wallpaper color scheme toggle not showing updated status
  • Sandboxed Google Play compatibility layer: disable Play services promotion of exposure notification feature unless the user grants Location access since this crashes with the default/normal state of Location not being granted to Play services (normal privileged Play services cannot have Location revoked so it doesn't handle this properly across multiple areas and we have multiple compatibility shims for it)

2022082100

This is the initial release of GrapheneOS based on Android 13. All of our features have been ported to Android 13. We've made many improvements as part of porting to Android 13 including improved compatibility for the Google Play compatibility layer.

For a great overview of the new improvements in Android 13, check out the Android 13 changelog article from Esper. We don't document the Android Open Source Project (AOSP) changes in our release notes beyond noting the version upgrades and our changes made in response to AOSP changes.

Tags:

Changes since the 2022081800 release:

  • rebased onto TP1A.220624.021.A1 release
  • full port of all existing GrapheneOS features to Android 13
  • full 2022-08-05 security patch level
  • enable Android 13 location indicator feature by default as a replacement for the earlier location indicators we had enabled (on the stock OS this is an opt-in developer option only shown if a feature flag is enabled)
  • change new location indicators to show all location accesses instead of only showing high power (GNSS) accesses (preserves existing GrapheneOS behavior)
  • change new location indicators to show for all apps instead of only user installed apps (preserves existing GrapheneOS behavior)
  • show system app location access history by default rather than requiring opt-in (preserves existing GrapheneOS behavior)
  • Sandboxed Google Play compatibility layer: add more shims to further improve compatibility
  • fix issue with prototype device check causing the warning to be shown on non-Pixel phones without the ro.boot.secure_boot property
  • add back AvoidAppsInCutoutOverlay since this cutout mode is no longer broken on Android 13
  • fix upstream Android 13 user logout bug causing end session to be broken
  • drop workaround for slow lockscreen animation which is fixed in Android 13
  • drop workaround for SystemUI ANR (App Not Responding) false positives caused by screenshot service in Android 12
  • Vanadium: revert removal of mremap system call from the sandbox allowlist for now since libc is using it internally
  • Dialer: temporarily disable R8 optimization to work around missing annotations / exceptions upstream
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): switch to kernel manifests instead of including the kernel source trees in the OS source tree with submodules for the module repositories
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): switch to AOSP kernel build system
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): use dynamic kernel modules matching AOSP / stock OS instead of using monolithic kernel builds to avoid further issues from driver bugs with monolithic kernel builds (this was a useful feature but maintenance has become too difficult and the advantages of Generic Kernel Images for 6th generation Pixels and beyond outweigh the benefits so this was already phased out for 6th generation devices)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): temporarily use ThinLTO instead of LTO due to an upstream kernel or toolchain bug we have yet to resolve or work around in a better way

2022081800

This is the final release of GrapheneOS based on Android 12.1. Android 13 was released on August 15th and GrapheneOS is now fully focused on our port to Android 13. We aim to release GrapheneOS based on Android 13 before the end of August. We've fulfilled our commitment to providing extended support releases for the end-of-life 3rd generation Pixels until the next major OS release and all users on those devices should have moved to devices receiving full privacy and security updates such as the highly recommended 6th generation Pixels with at least 5 years of full security support from launch. After we finish porting GrapheneOS to Android 13, we may continue extended support releases for legacy 3rd generation Pixels based on Android 12.1 in a more limited capacity, but we haven't determined how we'll handle it going forward.

Tags:

Changes since the 2022081600 release:

  • Sandboxed Google Play compatibility layer: conditionally stub out LocationManager#requestLocationUpdates() to avoid crashes from not having the Location permission granted (cannot be revoked on stock OS due to stock OS using Play services as a backend) which started happening with the deployment of a Play services change via a feature flag to a subset of users and will likely ramp up soon

2022081600

Tags:

Changes since the 2022080900 release:

  • ship our frameworks/av changes as intended in earlier releases
  • fastbootd: stop displaying serial number since it can already be obtained in fastboot mode and users are prone to leaking this by sharing a photo of the screen in these modes
  • Vanadium: backport using Android 13 SDK and changes to support using Android 13
  • Vanadium: update Chromium base to 104.0.5112.97
  • Vanadium: restore previous launcher icon
  • Pixel 6a: switch to SD2A.220601.004.B2 (July 2022) device sources and vendor files (AOSP / stock OS patch level for Pixel 6a is still 2022-06-01 until Android 13)

2022080900

Tags:

Changes since the 2022080500 release:

  • update displayed patch level since we shipped all the 2022-08-01 patches in the previous release without changing the displayed patch level
  • allow selecting the Download directory via Storage Scopes
  • Sandboxed Google Play compatibility layer: stub out getPrivilegedConfiguredNetworks() to fix sharing Wi-Fi credentials with a WearOS device and other features
  • Sandboxed Google Play compatibility layer: add workaround for another power exemption whitelist use tied to WearOS
  • Sandboxed Google Play compatibility layer: notify the user about GMS crashes
  • Sandboxed Google Play compatibility layer: improved robustness / future proofing
  • Sandboxed Google Play compatibility layer: add support for installing Google Chrome via Play Store via the unprivileged package installation API by safely breaking up the multi-package session
  • Sandboxed Google Play compatibility layer: improve compatibility with Nearby Share
  • exec spawning: don't close binder connection when an app crashes to fix debugging features including the crash dialog

2022080500

Tags:

Changes since the 2022080300 release:

  • full 2022-08-01 security patch level (note: displayed patch level will be updated in the next release)
  • partial 2022-08-05 security patch level (the full set of fixes isn't public yet due to the August release of AOSP and the stock Pixel OS being delayed)
  • rebased onto SQ3A.220705.004 release
  • improve compatibility of our fix for the upstream step counter/detector privacy issue for API < 29 apps by using our OTHER_SENSORS (Sensors toggle) permission for it

2022080300

Tags:

  • SP1A.210812.016.C2.2022080300 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022080300 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SD2A.220601.004.2022080300 (Pixel 6a) — early release for Pixel 6a with 2022-06-01 patch level which is the latest available until there's a normal AOSP / stock OS release for it on the latest patch level
  • SQ3A.220705.003.A1.2022080300 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022072700 release:

  • overhaul the implementation of multiple features to prepare for the Android 13 migration
  • fix enabling VPN always on and lockdown by default before the first reboot after the VPN is added
  • fix for Bluetooth timeout feature with BLE devices
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-08-05_12-5.10
  • Vanadium: update Chromium base to 104.0.5112.69
  • Camera: update to version 45
  • Auditor: update to version 54

2022073000

Tags:

  • SP1A.210812.016.C2.2022073000 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022073000 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SD2A.220601.004.2022073000 (Pixel 6a) — early release for Pixel 6a with 2022-06-01 patch level which is the latest available until there's a normal AOSP / stock OS release for it on the latest patch level
  • SQ3A.220705.003.A1.2022073000 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022072700 release:

  • add support for Pixel 6a
  • fix regression caused by spoofing INTERNET permission self checks when the Network toggle is disabled by still reporting connectivity is unavailable as before
  • Auditor: update to version 53
  • Pixel 6, Pixel 6 Pro: add missing google_dock kernel module which we were building but not including in the official builds

2022072700

Tags:

  • SP1A.210812.016.C2.2022072700 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022072700 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SQ3A.220705.003.A1.2022072700 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022072000 release:

  • improve compatibility with apps when the Network toggle is disabled by pretending INTERNET is still granted as a permission for self checks of the permission
  • Sandboxed Google Play compatibility layer: avoid crash in TelephonyManager#getCallState()
  • Sandboxed Google Play compatibility layer: handle updating power allowlist in broadcast PendingIntents
  • reorganize Storage Scopes implementation
  • enforce ACTIVITY_RECOGNITION sensor permission for target API < 29 apps (fixes upstream Android privacy flaw)
  • do not forward notifications from foreground user

2022072000

Tags:

  • SP1A.210812.016.C2.2022072000 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022072000 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SQ3A.220705.003.A1.2022072000 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022071300 release:

  • fix Storage Scopes feature with system gallery app
  • skip triggering permission prompts from apps requesting storage permissions when Scoped Storage is enabled since some apps request permissions even when the system tells the app they have the permissions
  • reduce minimum Night Light color temperature from 2596K to 686K
  • Vanadium: update Chromium base to 103.0.5060.129
  • Auditor: update to version 52
  • Camera: update to version 44

2022071300

Tags:

  • SP1A.210812.016.C2.2022071300 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022071300 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SQ3A.220705.003.A1.2022071300 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022071100 release:

  • do not forward other forwarded notifications between users
  • add learn more link to the GrapheneOS documentation for the Storage Scopes feature
  • Sandboxed Google Play compatibility layer: add a non-user-facing option to allow the Play Store to update itself and Play services
  • Sandboxed Google Play compatibility layer: conditionally stub out TelephonyManager#registerTelephonyCallback to make the Phone permission optional for the device discovery service

2022071100

Tags:

  • SP1A.210812.016.C2.2022071100 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022071100 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SQ3A.220705.003.A1.2022071100 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022070800 release:

  • fix adding access to files with our Storage Scopes feature on devices using the new shared storage implementation (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro)
  • improve permission UI instructing the user to revoke all storage permissions before enabling storage scopes
  • Sandboxed Google Play compatibility layer: unblock Play Store installing Play Store and Play services in order to allow it to fetch additional split APK components
  • Sandboxed Google Play compatibility layer: disable Play Store updates for Play Store and Play services to replace blocking installation as a friendlier approach to preventing it from taking over these updates without the downsides of blocking installation
  • Sandboxed Google Play compatibility layer: disable Play Store attempting to auto-install components like Play Services for AR since the request for approval is an annoyance
  • Settings: do not initialize OBB toggle for non-attachable (privileged) apps

2022070800

Tags:

  • SP1A.210812.016.C2.2022070800 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022070800 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SQ3A.220705.003.A1.2022070800 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022070600 release:

  • add new Storage Scopes feature for granting limited access to shared storage for apps normally requiring granting the storage permission (Files and Media for legacy apps, Media for modern apps), the file management special access permission (All files access) or the media management special access permission where these apps will think they've been granted those permissions but will only have access to specific scopes you've chosen to grant to them, as if they supported granting case-by-case consent through the system file manager themselves (which is not impacted by this feature and you can still grant case-by-case access to any file / directory through it)
  • split out a new toggle for OBB (Opaque Binary Blob) installation (legacy approach to distributing large assets primarily used by games) so that the Play Store and other app stores with asset delivery support can be granted OBB access instead of Media access (or Files and Media for legacy apps)
  • fix upstream Android bug in DeviceIdleJobsController which was preventing battery optimization exceptions from fully working for system apps and resulting in delays in some cases for the Messaging app and other system apps
  • respect user switchability for forwarded notification UI
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-07-05_12-5.10
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a): drop unnecessary NETLABEL feature

2022070600

Tags:

  • SP1A.210812.016.C2.2022070600 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022070600 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SQ3A.220705.003.A1.2022070600 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022063000 release:

  • full 2022-07-01 security patch level
  • full 2022-07-05 security patch level
  • rebased onto SQ3A.220705.003.A1 release
  • Vanadium: update Chromium base to 103.0.5060.71

2022063000

Tags:

Changes since the 2022062200 release:

  • add opt-in support for forwarding notifications to the active user from users in the background with information censored in the same way as on the lockscreen (can be enabled in Settings > System > Multiple users for each user whose notifications you want forwarded)
  • set correct tile label for our battery share quick tile
  • Vanadium: update Chromium base to 103.0.5060.70
  • Vanadium: disable reporting support (Report-To, report-uri) again
  • Vanadium: add toggle for closing tabs on exit
  • Vanadium: add toggle for opening external links in Incognito by default (does not currently include custom tabs)
  • Vanadium: add toggle for WebRTC IP handling policy so that users can use a less strict value than our default disabling non-proxied (peer-to-peer) WebRTC completely
  • Pixel 3, Pixel 3 XL: switch to SP1A.210812.016.C2 (June 2022) vendor files

2022062200

Tags:

Changes since the 2022061600 release:

  • Vanadium: update Chromium base to 103.0.5060.53
  • implement reverse wireless charging feature for devices supporting it

2022061600

Tags:

Changes since the 2022060701 release:

  • Sandboxed Google Play compatibility layer: make dynamite module loading shims less intrusive
  • Sandboxed Google Play compatibility layer: allow Vanadium to use GMS FIDO2 implementation
  • Vanadium: update Chromium base to 102.0.5005.125
  • Vanadium: enable process isolated sandboxed iframes by default
  • Vanadium: replace global JIT toggle with a site setting with global configuration for the default and per-site overrides
  • Vanadium: disable JIT compiler by default
  • Vanadium: remove mremap from system call whitelist
  • add indicator exemption for OS cell broadcast service which uses location services to determine if alerts should be shown
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL: update end-of-life kernel source tree with backported patches
  • enable always-on VPN and lockdown mode by default when adding a VPN
  • add warning notification about insecure prototype Pixel devices since users are ending up getting prototype phones second hand that were stolen or sold by employees instead of returning / disposing of them (this is of course much more robustly detected by Auditor for users verifying with it)
  • Pixel 4a (5G), Pixel 5, Pixel 5a: update kernel build tools revision

2022060701

Tags:

Changes since the 2022060700 release:

  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: update adevtool state
  • Auditor: update to version 51
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a): temporarily disable slab canary feature added by GrapheneOS due to an upstream commit incompatible with it until we find the underlying upstream bug, which we're now much closer to understanding with this latest case

2022060700

Tags:

Changes since the 2022053100 release:

  • full 2022-06-01 security patch level
  • full 2022-06-05 security patch level
  • rebased onto SQ3A.220605.009.B1 release, which is the third quarterly maintenance/feature release for Android 12
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-06-05_12-5.10
  • Sandboxed Google Play compatibility layer: remove obsolete shims and infrastructure
  • Camera: update to version 42
  • Camera: update to version 43
  • Auditor: update to version 49
  • Auditor: update to version 50
  • SELinux policy: remove unused domain for com.android.vzwomatrigger
  • add indicator exemption for Fused Location Provider which is part of the OS location implementation wrapping the GNSS and Network location providers into a Fused provider using the best available data (GrapheneOS does not have an OS Network Location provider so it just wraps GNSS)
  • remove unused android-prepare-vendor repository from the main branch (kept in legacy device branches)
  • hardened_malloc: remove workarounds for camera service bugs for the Qualcomm SoC generation used by 3rd generation Pixels (kept in legacy device branches)
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a): drop IPv6 privacy address fix now that upstream has backported IPv6 temporary address (RFC4941) support as a replacement which we already did for 5th generation Pixels (implemented in the baseline kernel.org LTS for 6th generation)

2022053100

Tags:

  • SP1A.210812.016.C1.2022053100 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022053100 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022052500 release:

  • extend Network/Sensors permission handling for legacy apps not targeting Android 6 or above (API 23) to resolve a UI issue where the user choosing to grant the Network/Sensors permissions via the legacy permission review interface doesn't appear in the Settings app info page
  • Gallery: use date added as a fallback for sort order when date taken is unset which is particularly important on GrapheneOS due to GrapheneOS Camera and GrapheneOS screenshots not including EXIF timestamps or other sensitive metadata by default
  • Sandboxed Google Play compatibility layer: stub out reads of privileged settings values to avoid security exceptions
  • Sandboxed Google Play compatibility layer: stub out privileged media session management functionality to avoid security exceptions
  • Sandboxed Google Play compatibility layer: simplify implementation of many shims and remove obsolete shims
  • Sandboxed Google Play compatibility layer: simplify implementation of adding the standard unprivileged package permissions as requested permissions for the Play Store
  • Sandboxed Google Play compatibility layer: improve compatibility with Google Search app
  • Contacts: don't prompt to add account when creating a contact
  • Contacts: use common intent for getting directions instead of opening a Google Maps URL
  • Messaging: backport change to allow selecting text inside the selected message
  • fix upstream SMS/MMS database upgrade issue (meant to be shipped in a previous GrapheneOS release)
  • backport fix for unnecessary wake lock in telephony service (meant to be shipped in a previous GrapheneOS release)
  • backport fix for crash in telephony service with null subscription display name (meant to be shipped in a previous GrapheneOS release)
  • Dialer: add missing permission declaration
  • Vanadium: update Chromium base to 102.0.5005.78
  • TalkBack (screen reader): update base code to 12.2 and switch versioning scheme
  • TalkBack (screen reader): update dependencies
  • Camera: update to version 41
  • Auditor: update to version 48
  • Apps: update to version 7

2022052500

Tags:

  • SP1A.210812.016.C1.2022052500 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022052500 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022051100 release:

  • Sandboxed Google Play compatibility layer: improve compatibility with the Nearby Share feature
  • Sandboxed Google Play compatibility layer: add non-privileged approach for bringing apps out of standby to avoid delays for FCM and other features
  • Sandboxed Google Play compatibility layer: extend compatibility layer to support making the Google Search app work as a regular sandboxed app
  • Sandboxed Google Play compatibility layer: generic telephony compatibility improvement
  • Sandboxed Google Play compatibility layer: add support for Play Store in Direct Boot mode
  • add indicator exemption for Default Print Service since the nearby device access is considered location access but it doesn't make sense to show this for a core OS component only using the access internally
  • add toggle for disallowing a user from installing apps from unknown sources which will become increasingly useful as we flesh out our app repository
  • Messaging: fix notification sounds in secondary users (upstream AOSP bug)
  • Vanadium: update Chromium base to 102.0.5005.59
  • Camera: update to version 35
  • Camera: update to version 36
  • Camera: update to version 37
  • Camera: update to version 38
  • Camera: update to version 39
  • Camera: update to version 40
  • Auditor: update to version 46
  • Auditor: update to version 47

2022051100

Tags:

  • SP1A.210812.016.C1.2022051100 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022051100 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022050800 release:

  • Sandboxed Google Play compatibility layer (GmsCompat): further improve location rerouting compatibility
  • Sandboxed Google Play compatibility layer (GmsCompat): add logging to help with debugging issues with location rerouting in the future
  • Vanadium: update Chromium base to 101.0.4951.61
  • improve compatibility with buggy apps trying to use the non-existent OS network location provider when it isn't available and reroute them to the passive provider
  • add hidden setting for sandboxed Google Play compatibility layer developers to bypass blocking the Play Store from updating the Google Play apps
  • Camera: update to version 34

2022050800

Tags:

  • SP1A.210812.016.C1.2022050800 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022050800 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022050700 release:

  • Sandboxed Google Play compatibility layer (GmsCompat): restore compatibility of location rerouting with old versions of the Play services client library
  • Sandboxed Google Play compatibility layer: fix minor background activity UX regression from several releases ago
  • fix adding emergency contacts
  • adevtool: detect outdated Node.js and report an error

2022050700

Tags:

  • SP1A.210812.016.C1.2022050700 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022050700 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022050301 release:

  • Sandboxed Google Play compatibility layer (GmsCompat): significantly improve compatibility of the default enabled geolocation API rerouting feature
  • remove timestamp from screenshot EXIF metadata by default and add a toggle to Settings > Privacy for enabling it
  • work around slow unlock animation
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-05-05_12-5.10
  • Dialer: add fixes for Bluetooth audio call redirection and BLE devices
  • Settings: fix Wi-Fi timeout string issue in Settings search
  • Settings: add missing face unlock strings (used by the Pixel 4 and Pixel 4 XL but the fix is generic)
  • Pixel 6, Pixel 6 Pro: fix Settings string for boosted color mode
  • restore compatibility with non-bash /bin/sh for *nix factory images flashing script (was fixed for the previous release's factory images after the release was initially published)
  • TalkBack (screen reader): update Material library
  • Camera: update to version 31
  • Camera: update to version 32
  • Camera: update to version 33
  • PDF Viewer: update to version 14
  • adevtool (Pixel 4a): drop unused non-flattened APEX from vendor
  • adevtool: improve Android 13 compatibility

2022050301

Tags:

  • SP1A.210812.016.C1.2022050301 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022050301 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022050300 release:

  • add Phone services privacy indicator exemption since the cellular service information it accesses is now considered location information and triggers a spurious location indicator which doesn't make sense for the OS cellular implementation

2022050300

Tags:

  • SP1A.210812.016.C1.2022050300 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022050300 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022043000 release:

  • full 2022-05-01 security patch level
  • full 2022-05-05 security patch level
  • rebased onto SP2A.220505.002 release
  • Camera: update to version 30
  • adevtool: explicitly use python3 for OTA extraction script instead of python to work around distributions still using the end-of-life python2 as python

2022043000

Tags:

Changes since the 2022042600 release:

  • Sandboxed Google Play compatibility layer (GmsCompat): improve user interface
  • Sandboxed Google Play compatibility layer: improve behavior when Nearby devices permission isn't granted to Play services
  • remove build fingerprint from screenshot EXIF metadata
  • Vanadium: update Chromium base to 101.0.4951.41
  • carriersettings-extractor: reuse protocol buffer definitions from AOSP and improve code quality
  • System Updater: add user-facing Alpha channel for very basic / quick public testing after our internal testing before we release to the Beta channel
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: stop declaring next generation assistant support as an included feature
  • Camera: update to version 25
  • Camera: update to version 26
  • Camera: update to version 28
  • Camera: update to version 29

2022042600

Tags:

Changes since the 2022042000 release:

  • Settings: add support for disabling non-system apps as you can do with system apps instead of only uninstalling them
  • Sandboxed Google Play compatibility layer: fix compatibility with the network location implementation in recent versions of Play services (only relevant for users disabling location redirection toggle and toggling on Play services network location)
  • add missing change for using the GrapheneOS attestation key provisioning proxy
  • backport upstream workaround for hardware-based attestation on devices with a broken implementation of the CREATION_DATETIME feature (disables CREATION_DATETIME on devices without Keymint V1 (100) or later since it was only tested starting with Keymint V1 and is often broken on devices with earlier versions including the Pixel 3 and Pixel 3 XL)
  • Pixel 3, Pixel 3 XL: drop workaround for broken hardware-based attestation now that there's a generic solution backported
  • Messaging: update MMS configuration database to the one from Android Messages 20220405_01_RC04
  • Dialer: update visual voicemail configuration based on Google Phone 79.0.438914483
  • Dialer: adjust VVM configuration database entries for compatibility with AOSP
  • Vanadium: disable fetching optimization guides by default
  • Apps: update to version 6
  • Camera: update to version 22
  • Camera: update to version 23
  • Camera: update to version 24
  • TalkBack (screen reader): dependency updates
  • adevtool: remove more unnecessary components
  • add warning to factory images flashing scripts strongly recommending against modifying the scripts based on misguided unofficial installation guides, along with encouraging using the web installer instead
  • add earlier device model check to factory images flashing scripts on Linux and macOS (Windows support is planned)

2022042000

Tags:

Changes since the 2022041900 release:

  • load CarrierConfig data from standalone file in the /product partition (missed in previous release, which was detected during early Beta testing)

2022041900

Tags:

Changes since the 2022041600 release:

  • Sandboxed Google Play compatibility layer: improve Play Store uninstallation hook to avoid stalling if the user rejects the request
  • Sandboxed Google Play compatibility layer: improve work profile support via new compatibility shims
  • Sandboxed Google Play compatibility layer: fix regression resulting in the FIDO2 service not working without Nearby Devices permission being granted by improving Bluetooth compatibility shims
  • Sandboxed Google Play compatibility layer: fix early initialization issue occurring in some cases for Play services
  • Sandboxed Google Play compatibility layer: overall compatibility improvements via the added compatibility shims
  • Sandboxed Google Play compatibility layer: simplify initialization
  • fix com.android.bluetooth privacy indicator exemption (Bluetooth scanning is considered Location access but the Bluetooth implementation itself shouldn't be listed)
  • Pixel 6, Pixel 6 Pro: cleaner approach for the com.shannon.imsservice privacy indicator exemption by defining a new telephony exemption role (this service locally caches location for emergency calls)
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: switch from the obsolete android-prepare-vendor to the much more modern adevtool resulting in substantial improvements to device support (3rd generation devices will keep using android-prepare-vendor since they're all going to be end-of-life after May and won't be migrated to newer major OS versions)
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: use the default carrier configuration as a base for each configuration to match the behavior of Google's CarrierSettings app, providing various minor improvements and greatly improved GNSS on 6th generation Pixels since Predicted Satellite Data Service (PSDS) for downloading GNSS almanacs was disabled with most carriers
  • Pixel 6, Pixel 6 Pro: use GrapheneOS Predicted Satellite Data Service (PSDS) server by default with a toggle added to Settings to choose the server similar to connectivity checks and attestation key provisioning (can be made into generic code for other Broadcom GPS devices and extended to Qualcomm GPS devices in the future)

2022041300

Tags:

Changes since the 2022041100 release:

  • temporarily enable verbose logging in DeviceIdleController in order to work towards resolving upstream bugs
  • Sandboxed Google Play compatibility layer: resolve DownloadManager incompatibility
  • revert upstream change to fix spellchecking language detection with the AOSP keyboard
  • GrapheneOS Keyboard: fix exception fetching theme resulting in spellchecking issues
  • GrapheneOS Keyboard: remove legacy Holo themes
  • GrapheneOS Keyboard: follow system dark mode setting by default
  • GrapheneOS Keyboard: properly refresh summary
  • Vanadium: update Chromium base to 100.0.4896.88
  • Camera: update to version 19
  • Camera: update to version 20
  • Auditor: update to version 45

2022041100

Tags:

Changes since the 2022040400 release:

  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-04-05_12-5.10 to start using the latest Android 12 GKI as a base
  • Sandboxed Google Play compatibility layer: add additional compatibility shims to restore compatibility with the latest Google Play Games and to fix other issues
  • Sandboxed Google Play compatibility layer: restart GMS processes when permission gets granted since it has bad handling of being given permissions dynamically
  • Sandboxed Google Play compatibility layer: notify user when GMS needs an extra permission or a companion app
  • Sandboxed Google Play compatibility layer: improve code quality and performance
  • Sandboxed Google Play compatibility layer (GmsCompat): improve user interface
  • Sandboxed Google Play compatibility layer: add sandboxed Google Play link for the work profile
  • backport upstream fixes for MAC randomization (more important for GrapheneOS due to per-connection MAC randomization and other improvements providing proper Wi-Fi anonymity)

2022040400

Tags:

Changes since the 2022033013 release:

  • full 2022-04-01 security patch level
  • full 2022-04-05 security patch level
  • rebased onto SP2A.220405.004 release
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to android12-5.10-2022-03_r1 from android12-5.10-2021-12_r8 for a bunch of upstream and downstream improvements (stock OS still uses android12-5.10-2021-12_r6 and is missing a bunch of important security fixes)
  • Sandboxed Google Play compatibility layer: add additional compatibility shims to improve compatibility with recent Play services
  • Sandboxed Google Play compatibility layer: drop org.grapheneos.pdfviewer from blocked updates list since that app id is no longer being used
  • Sandboxed Google Play compatibility layer (GmsCompat): improve code quality and robustness
  • Sandboxed Google Play compatibility layer (GmsCompat): stop listing having always-on scanning enabled as a potential issue especially since it can be used by other apps
  • Sandboxed Google Play compatibility layer (GmsCompat): prevent infinite loop in location service, which would break location services and result in battery drain
  • Sandboxed Google Play compatibility layer (GmsCompat): fix Google Location Accuracy state check
  • Pixel 3, Pixel 3 XL: remove leftover upstream iorapd testing prop
  • adevtool: fix hang when there are existing files to overwrite
  • fix upstream SMS/MMS database upgrade issue
  • backport fix for unnecessary wake lock in telephony service
  • backport fix for crash in telephony service with null subscription display name
  • backport Wi-Fi APEX module fix to improve robustness when chip reconfiguration fails
  • Settings: improve title/summary for attestation key provisioning server
  • Pixel 3, Pixel 3 XL: fix hardware-based attestation by rolling back, for these devices, an Android 12.1 change that depends on updates to the firmware / device support code; these are end-of-life devices that don't receive those updates, so the change broke attestation support
  • Camera: update to version 18
  • Vanadium: update Chromium base to 100.0.4896.79
  • TalkBack (screen reader): dependency updates and crash fix
  • Settings: allow sorting applications by size
  • Settings: remove empty security status header
  • Settings: use framework text colors for SwitchBar
  • backport AOSP fix for edit button in screenshot share activity
  • display two rows of max ranked targets for sharesheet
  • fix uneven volume icon padding in status bar
  • remove nav bar background in Quick Settings customizer
  • fix Quick Settings status font weight mismatch in dark mode
  • switch build number style from YYYYMMDDHH to YYYYMMDDCC where CC is a counter starting at 0

2022033013

Tags:

Changes since the 2022032715 release:

  • Sandboxed Google Play compatibility layer: substantially improve dynamite module support
  • use GrapheneOS hardware attestation key provisioning server by default with a toggle added to Settings to choose the server similar to connectivity checks
  • extend eSIM management code to disable the apps in secondary users, since prior GrapheneOS releases enabled them in all users
  • move early boot eSIM integration code later in an attempt to fix a potential regression
  • Vanadium: update Chromium base to 100.0.4896.58
  • Pixel 6, Pixel 6 Pro: resolve problem generating over-the-air updates which led to us not being able to use incrementals for updates to this release or the previous release

2022032715

Tags:

Changes since the 2022032110 release:

  • ThemePicker: add toggle for using wallpaper-extracted colors as the color scheme (Monet)
  • add toggle for exec-based spawning in Settings > Security
  • GrapheneOS Keyboard: enable spellchecking for Czech and Dutch languages
  • Vanadium: update Chromium base to 99.0.4844.88
  • Camera: update to version 17
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: remove unnecessary configuration/permissions for apps not included in AOSP/GrapheneOS
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: add RCS packages
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: remove AOSP / stock OS configuration pinning the system camera and launcher in memory since it's wasteful
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: stop forcing camera shutter sound on the Japanese hardware SKUs

2022032110

Tags:

Changes since the 2022031103 release:

  • Pixel 6, Pixel 6 Pro: full Pixel 2022-03-05 security patch level (Android 2022-03-05 security patch level was already provided early by GrapheneOS)
  • Pixel 6, Pixel 6 Pro: rebased onto SP2A.220305.013.A3 release
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to android12-5.10-2021-12_r8 from the android12-5.10-2021-12_r6 version still used by the AOSP / stock Pixel OS March release for a few additional security fixes beyond the ones already backported early by GrapheneOS along with latency improvements under certain heavy real-time loads
  • add eSIM activation support as an optional toggle available when using sandboxed Google Play in the Owner profile (note: regular apps including sandboxed Google Play do not have additional access in the Owner profile)
  • Sandboxed Google Play compatibility layer: expand PhenoTypeFlags workaround to all Play services clients
  • GmsCompat: call startForegroundService from the main thread to avoid potential issues
  • Vanadium: restore new tab page behavior by working around regressions in Chromium 99
  • Vanadium: update certain Chromium dependencies to avoid crashes caused by incompatibilities with Android 12 (will allow for multiple kinds of FIDO2 support via sandboxed Google Play once we extend the sandboxed Google Play compatibility layer to support it or once Play services whitelists Vanadium as a browser allowed to use FIDO2)
  • Vanadium: update Chromium base to 99.0.4844.73
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 5a): temporarily revert disabling SECURITY_SELINUX_DEVELOP to work around upstream AOSP bug in early userspace (Pixel 4a (5G), Pixel 5, Pixel 6 and Pixel 6 Pro had this change made in the previous release since it blocked the over-the-air update path for them despite not blocking it for these devices)
  • kernel (Pixel 6, Pixel 6 Pro): backport CVE-2021-41073 fix (not reachable from apps due to standard AOSP seccomp-bpf allowlist)
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro): backport CVE-2022-25375 fix
  • enable conversations feature flag
  • enable charging ripple feature flag
  • skip screen-on animation
  • Dialer: fix theme colors in dark mode
  • Apps: update to version 5
  • PDF Viewer: update to version 13
  • improve Android 12 PendingIntent security check compatibility due to buggy apps including Chromium targeting API 31+ with outdated Play services client libraries lacking Android 12 support (triggered much more frequently on GrapheneOS due to PendingIntent being used to request runtime permissions on behalf of Play services)
  • fix compatibility of PIN scrambling with physical keyboards
  • Settings: convert PIN scrambling toggle into a switch preference from a list preference
  • improve USB connection icon
  • backport fixes for battery usage history
  • add fix for Monet color generation

2022031103

This release is only being pushed out for the Pixel 6 and Pixel 6 Pro due to lack of changes applicable to other devices.

Tags:

Changes since the 2022030801 release:

  • Pixel 6, Pixel 6 Pro: temporarily exclude our work on eSIM support since the full implementation requires Google services and we're taking a new approach which will result in full eSIM support including activation across all supported devices in the near future as part of sandboxed Google Play (in the long term, it can be supported without using these Google eSIM apps from the stock Pixel OS)

2022030801

Tags:

The Pixel 6 and Pixel 6 Pro release is a preliminary March release with the 2022-03-01 security update since there isn't an AOSP or stock OS release for it yet. It also includes several other vulnerability fixes.

Changes since the 2022030501 release:

  • full 2022-03-01 security patch level
  • full 2022-03-05 security patch level (Pixel 6 and Pixel 6 Pro can reach the 2022-03-05 Android patch level but not the 2022-03-05 Pixel patch level until the March AOSP/Android release for them is available, and the upstream release is delayed)
  • rebased onto SP2A.220305.012 release, the initial release of Android 12.1 (Android 12L) which is the second quarterly maintenance/feature release for Android 12
  • disable Monet (color scheme based on wallpaper) by default since AOSP 12.1 has no way to opt-out of the feature or to manually choose colors instead (we'll add a toggle for enabling it later this month and we could also include a color picker before AOSP 13 but likely not this month)
  • kernel (Pixel 6, Pixel 6 Pro): apply downstream fix for CVE-2022-0847
  • kernel (Pixel 5a): re-apply January audio driver security patch which was accidentally dropped upstream for 12L due to it being branched earlier than January and this patch not being applied again as it was for other 5th generation devices (consequence of AOSP having the Pixel 5a kernel unnecessarily separate from the other 5th generation devices instead of merging them a year ago)
  • kernel (Pixel 4a (5G), Pixel 5): fix audio driver build reproducibility issue
  • Sandboxed Google Play compatibility layer: extend, optimize and improve the robustness of the compatibility shims to improve the compatibility layer in general
  • Sandboxed Google Play compatibility layer: fix regressions in compatibility with the Google Play geolocation service for users choosing to disable redirection to the OS geolocation service in order to use their network location and other features
  • Sandboxed Google Play compatibility layer: prevent Play services from trying to update OS fonts since it requires a privileged permission and the service will crash from the SecurityException
  • make DownloadManager even friendlier to apps with the Network permission revoked by avoiding SecurityExceptions in more cases and giving them errors they know how to handle instead
  • Camera: update to version 14
  • Camera: update to version 15
  • Camera: update to version 16
  • Settings: always show ICCID in SIM status
  • Settings: show hardware SKU
  • Settings (Pixel 6, Pixel 6 Pro): add saturated color mode
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: mark IncFS as being built into the kernel
  • add support code for Pixel 6 and Pixel 6 Pro APEX enablement and under display fingerprint reader to the main branch as preparation for eliminating the device branch
  • SELinux policy: add missing auditallow for base untrusted_app domains
  • SELinux policy: add missing seinfo=base rules
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 6, Pixel 6 Pro): temporarily revert disabling SECURITY_SELINUX_DEVELOP to work around upstream AOSP bug in early userspace

2022030219

Tags:

Changes since the 2022022818 release:

  • Vanadium: update Chromium base to 99.0.4844.48
  • GmsCompat: fix typo
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: disable broken Google Camera sepolicy for now to restore it back to how it previously worked (also fixes Google Photos when Google Camera is installed)

2022022818

Tags:

Changes since the 2022021721 release:

  • include beta release (v4) of GrapheneOS app repository client which is still in early development but now robust enough to be ready for inclusion in the OS and production use
  • Sandboxed Google Play compatibility layer: prevent Play Store from trying to update Auditor, PDF Viewer, Google Services Framework, Google Play services and the Play Store since we'll be updating these via our own app repository client (we'll be regularly updating the mirror of Google Play in our repository once the staged rollouts reach our test devices and it passes basic testing)
  • Auditor: update to version 43
  • Auditor: update to version 44
  • Camera: update to version 13
  • PDF Viewer: update to version 11
  • PDF Viewer: update to version 12
  • Contacts: add support for vCard 4.0
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: include current eSIM firmware, EuiccPixel and EuiccPixel integration (this improves eSIM support by keeping the eSIM firmware up-to-date but does not provide eSIM activation yet)
  • Sandboxed Google Play compatibility layer: improve code quality / robustness
  • mark Bluetooth service as an extra location package to avoid showing misleading/unhelpful location indicators (Bluetooth scanning is considered location access for apps, but it makes no sense to show it for the Bluetooth implementation itself rather than only actual apps using it)
  • Pixel 6, Pixel 6 Pro: mark Shannon IMS service as an extra location package to avoid showing unhelpful location indicators (it retrieves location information regularly in order to have it ready for an emergency call)

2022021721

Tags:

Changes since the 2022021602 release:

  • Pixel 6, Pixel 6 Pro: rebased onto SQ1D.220205.004 release (2nd February update for 6th generation Pixels with additional security fixes separate from the February security update)
  • Sandboxed Google Play compatibility layer: add shim to stop Play services from trying to use the privileged android.hardware.uwb API to prevent a SecurityException on the Pixel 6 Pro and future devices with the feature
  • Clock: use clock icon for the app icon instead of alarm icon

2022021602

Tags:

Changes since the 2022021415 release:

  • Sandboxed Google Play compatibility layer: add shim for compatibility with on-demand dynamite modules
  • Sandboxed Google Play compatibility layer: update dynamite module compatibility layer for upcoming changes to Play services
  • Sandboxed Google Play compatibility layer: friendlier error for apps without Location permission attempting to use redirected Play services geolocation to match Play services behavior
  • Vanadium: update Chromium base to 98.0.4758.101
  • cancel pending over-the-air update snapshot when flashing factory images via flash-all.sh / flash-all.bat
  • Pixel 6, Pixel 6 Pro: add missing camera shutter sound change from the 2022021314 release

2022021415

Tags:

Changes since the 2022021314 release:

  • GmsCompat: handle edge cases for network location opt-in mode preventing settings menu from loading

2022021314

Tags:

Changes since the 2022020800 release:

  • Sandboxed Google Play compatibility layer: simplify and optimize initialization
  • Sandboxed Google Play compatibility layer: add support for redirecting apps from the Google Play geolocation service to the GrapheneOS geolocation service with a toggle added to the "Sandboxed Google Play settings" configuration menu for disabling redirection to use the Google Play implementation (redirection is enabled by default at first launch unless Play services has been granted the Location permission)
  • GmsCompat: add suggestions to the settings menu
  • fix editing APNs in certain edge cases with certain carriers
  • Pixel 6, Pixel 6 Pro: bind power + volume up key chord to mute like other devices, since long pressing power already opens the power menu
  • stop enforcing camera sound when using a carrier based in India/Japan/Korea since we aren't required to enforce it and it is trivially bypassed in multiple ways so it's nothing more than an annoyance
  • Auditor: update to version 42
  • Camera: update to version 12
  • PDF Viewer: update to version 10
  • Calculator: improve app icon
  • Clock: improve app icon
  • Contacts: improve app icon
  • Dialer: improve app icon
  • Files: improve app icon
  • Gallery: improve app icon
  • Messaging: improve app icon
  • Settings: improve app icon

2022020800

Tags:

Changes since the 2022013120 release:

  • full 2022-02-01 security patch level
  • full 2022-02-05 security patch level
  • rebased onto SQ1A.220205.002 and SQ1D.220205.003 releases
  • Pixel 3, Pixel 3 XL: switch to SP1A.210812.016.C1 (February 2022) vendor files
  • Vanadium: update Chromium base to 98.0.4758.87
  • Vanadium: enable CFI cast checks
  • change GmsCompat app label from "Sandboxed Google Play" to "GmsCompat" and the activity name to "Sandboxed Google Play settings"
  • add GmsCompat to list of essential system components in Settings
  • Camera: update to version 11
  • restrict granting the special added GrapheneOS runtime permissions (Network, Sensors) on upgrades to system apps (only relevant to Network in practice)
  • add workaround for Microsoft apps detecting that Network is revoked and crashing the app with a runtime exception due to them adding this to a library as a debugging check for development to detect the INTERNET permission not being declared (we've asked them to fix the compatibility issue)
  • do not mark dun APN types as read-only (allows editing more carrier APNs)
  • temporarily suppress SystemUI ANRs due to AOSP 12 screenshot service bug which triggers an ANR in SystemUI by not handling an event some time after taking a screenshot (also occurs on the stock OS and elsewhere, and the main issue is the error message since it's otherwise harmless)
  • disable running clang-tidy as part of regular builds by default since it wastes time and isn't very useful to us
  • kernel (Pixel 6, Pixel 6 Pro): make Wi-Fi driver module build reproducible
  • kernel (Pixel 6, Pixel 6 Pro): make tarball generation reproducible
  • Settings: add package name to app overview page
  • Settings: add GrapheneOS icon
  • Files: add GrapheneOS icon
  • Files: define app category (productivity)
  • Clock: add GrapheneOS icon
  • Clock: define app category (productivity)
  • Contacts: add GrapheneOS icon
  • Contacts: define app category (productivity)
  • Gallery: add GrapheneOS icon
  • Gallery: define app category (image)
  • Messaging: add GrapheneOS icon
  • Messaging: define app category (social)
  • Dialer: add GrapheneOS icon
  • Dialer: define app category (social)
  • Calculator: add GrapheneOS icon
  • Calculator: define app category (productivity)
  • PDF Viewer: update to version 8
  • PDF Viewer: update to version 9

2022013120

Tags:

Changes since the 2022013010 release:

  • Pixel 3, Pixel 3 XL: add GmsCompat app which was meant to be added by the previous release
  • Pixel 6, Pixel 6 Pro: revert accidental enabling of dark mode by default, which we plan to do by default in the future across devices once the Contacts and Messaging apps are updated to support it (you can set your own preference in Settings > Display > Dark theme)

2022013010

Tags:

Changes since the 2022011423 release:

  • make DownloadManager friendlier to apps with the Network permission revoked instead of triggering SecurityException
  • Sandboxed Google Play compatibility layer: revert marking location service as a foreground location service (not necessary)
  • Sandboxed Google Play compatibility layer: add compatibility shims enabling full support for using Play services geolocation
  • Sandboxed Google Play compatibility layer: add GmsCompat app providing infrastructure for the compatibility layer and shortcuts to Google Play configuration activities (will provide a toggle for redirecting the Google Play geolocation API to the OS API in a future release)
  • Sandboxed Google Play compatibility layer: replace converting Google Play services to foreground services with keeping them alive using the GmsCompat app (improves compatibility with apps calling Play services or the Play Store in the background)
  • Dialer: update visual voicemail configuration based on Google Phone 73.0.414822266
  • Messaging: replace obsolete AOSP MMS configuration database with one generated from the stock OS app
  • Vanadium: update Chromium base to 97.0.4692.98
  • Vanadium: use Google Chrome branding for client hints to help with blending in
  • Vanadium: enable HTTPS-only mode by default (can connect via HTTP through the warning screen if HTTPS upgrade fails)
  • Vanadium: enable strict origin isolation by default
  • Vanadium: disable appending variations header
  • Camera: update to version 10
  • Auditor: update to version 41
  • hardened_malloc: code cleanup and micro-optimizations
  • adevtool: initial public release replacing pre-generated vendor trees
  • adevtool: overhaul of GrapheneOS specific configuration

2022011423

Tags:

Changes since the 2022011009 release:

  • Pixel 6, Pixel 6 Pro: Pixel 2022-01-05 patch level (instead of the Android 2022-01-05 patch level and Pixel 2022-01-01 patch level)
  • Pixel 6, Pixel 6 Pro: rebased onto SQ1D.211205.017 release
  • Sandboxed Google Play compatibility layer: add support for Play Asset Delivery and Play Feature Delivery by extending relevant hooks to the Play Store in addition to Play services
  • Sandboxed Google Play compatibility layer: improve getSharedLibraries shim by disabling MATCH_ANY_USER instead of stubbing it out completely (stops the Play Store from filtering out apps with dependencies it thinks are missing)
  • remove g.co/wallpaper link support from wallpaper app which had an incorrect autoVerify="true" property despite not being authorized by g.co
  • Vanadium: update Chromium base to 97.0.4692.87
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport USB security patch for CVE-2021-30313 which was missed upstream
  • adevtool: improve Pixel 6 and Pixel 6 Pro device support scripting

2022011009

Tags:

Changes since the 2022010500 release:

  • remove obsolete AOSP CarrierConfig resources to greatly improve support for many carriers
  • fix handling of MVNOs in CarrierConfig database generation to greatly improve out-of-the-box MVNO support
  • Camera: update to version 9
  • TalkBack (screen reader): update base version to 370044210 and port our changes (other than Play services vision library removal since it now provides useful OCR functionality we need to replace rather than removing)
  • Sandboxed Google Play compatibility layer: extend compatibility layer to Play Games Services (Google Play Games can be installed from the Play Store)
  • Sandboxed Google Play compatibility layer: always allow removing Google account to bypass broken check for whether removal is allowed
  • Sandboxed Google Play compatibility layer: improve account sign in UX by pretending the backup service is inactive so Play services doesn't try to access it
  • Pixel 4a (5G), Pixel 5, Pixel 5a: add SELinux policy to allow the hardware keystore secure confirmation UI
  • Pixel 3, Pixel 3 XL: switch to SP1A.210812.016.A2 vendor files (minor APN update for 1 carrier)

2022010500

Tags:

  • SP1A.210812.015.2022010500 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SQ1A.220105.002.2022010500 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)
  • SQ1D.211205.017.2022010500 (Pixel 6, Pixel 6 Pro) — early release with the full Android 2022-01-05 patch level but only the 2022-01-01 Pixel patch level since the AOSP / stock OS January update for the Pixel 6 and Pixel 6 Pro is happening in late January so the patches specific to them aren't publicly available yet

Changes since the 2021122018 release:

  • full 2022-01-01 security patch level
  • full 2022-01-05 security patch level
  • rebased onto SQ1A.220105.002 release
  • Camera: update to version 8
  • Auditor: update to version 39
  • Auditor: update to version 40
  • Pixel 6, Pixel 6 Pro: add SoC SELinux policy extensions from December release
  • Pixel 6, Pixel 6 Pro: remove support for FIPS disk encryption mode
  • hardened_malloc: minor code cleanups
  • Vanadium: update Chromium base to 97.0.4692.70

2021122018

Tags:

Changes since the 2021121602 release:

  • initial production support for the Pixel 6 and Pixel 6 Pro
  • Auditor: update to version 38
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: erase both apdp partition slots as part of flashing factory images to wipe persistent debugging policy
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: erase both msadp partition slots as part of flashing factory images to wipe persistent debugging policy
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable BUG_ON_DATA_CORRUPTION since it was backported upstream
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): enable legacy Qualcomm PANIC_ON_DATA_CORRUPTION since it hasn't been fully phased out yet
  • Seedvault: temporarily revert change to restore requiring that the profile is unlocked for the hardware keystore key (uncovers an upstream bug)

2021121602

Tags:

  • SP1A.210812.015.2021121602 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SQ1A.211205.008.2021121602 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021121012 release:

  • Vanadium: update Chromium base to 96.0.4664.104
  • skip reporting network connectivity to the OS from apps with the Network (INTERNET) permission revoked to avoid triggering a SecurityException
  • remove special case of throwing SecurityException for socket errors caused by EACCES/EPERM as a debugging aid since it causes compatibility issues when the Network (INTERNET) permission is revoked
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): fix incorrect alloc_size annotation (already fixed in older kernels and no real world impact)

2021121012

Tags:

  • SP1A.210812.015.2021121012 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SQ1A.211205.008.2021121012 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021120717 release:

  • Sandboxed Google Play compatibility layer: mark location service as a foreground location service
  • Vanadium: update Chromium base to 96.0.4664.92
  • TalkBack (screen reader): update dependencies
  • Seedvault: restore requiring that the profile is unlocked for the hardware keystore key
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: add support for increased touch sensitivity option
  • fix overly aggressive fastboot version check in flash-all.bat triggered by version requirement increase in the SQ1A.211205.008 update (was also fixed for the factory images for the last official release)

2021120717

Tags:

  • SP1A.210812.015.2021120717 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SQ1A.211205.008.2021120717 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021112404 release:

  • full 2021-12-01 security patch level
  • full 2021-12-05 security patch level
  • rebased onto SQ1A.211205.008 release, the first quarterly maintenance/feature release for Android 12
  • Sandboxed Google Play compatibility layer: improve robustness of Play Store compatibility layer
  • Camera: update to version 7
  • TalkBack (screen reader): update dependencies
  • avoid per-network randomization mode (AOSP default) being displayed as per-connection randomization mode (GrapheneOS default not available in AOSP) after rebooting despite persisting and working properly (caused by an additional abstraction layer introduced in Android 12)

2021112404

Tags:

Changes since the 2021112123 release:

  • Sandboxed Google Play compatibility layer: add another UserManager shim to fix issue with FCM in secondary user profiles
  • Sandboxed Google Play compatibility layer: mark the compatibility layer's Play Store confirmation notification as ongoing to avoid users dismissing the notification and then being unable to accept or reject the install/update/uninstall action
  • Camera: update to version 6

2021112021

Tags:

Changes since the 2021111414 release:

  • Sandboxed Google Play compatibility layer: expand Play Store compatibility layer to fully support app installation, uninstallation and unattended updates via the standard unprivileged APIs
  • Sandboxed Google Play compatibility layer: expand Play Store compatibility layer to support the Play Store updating itself via the standard unprivileged APIs
  • Settings: clearer wording for the default GrapheneOS per-connection MAC randomization
  • Vanadium: update Chromium base to 96.0.4664.45
  • Auditor: update to version 35
  • Auditor: update to version 36
  • Auditor: update to version 37
  • Camera: update to version 4
  • TalkBack (screen reader): update dependencies and tools

2021111414

Tags:

Changes since the 2021110617 release:

  • Sandboxed Google Play compatibility layer: improve AppOps compatibility layer for long-lived operations via the new startProxyOp/finishProxyOp API which previously had to be mimicked via the existing APIs
  • System Updater: only allow privileged apps including Settings to open the settings activity since other apps like the launcher have no reason to open it
  • android-prepare-vendor carriersettings-extractor: strip out carrier provisioning configuration (OMA device management is not included in GrapheneOS so this references an app that's not present)
  • android-prepare-vendor carriersettings-extractor: always enable the ability to disable 2G
  • android-prepare-vendor carriersettings-extractor: remove unused Google Dialer configuration for Wi-Fi calling
  • android-prepare-vendor: improve Pixel 5a support
  • add CameraX vendor extensions library to compile-time class loader path for GrapheneOS Camera to make dexpreopt usable

2021110617

Tags:

Changes since the 2021110507 release:

  • Camera: update to version 3
  • revert hard-wiring camera gesture handler as a workaround for AOSP 12 bug with the gesture on the lockscreen (only has an impact when multiple camera apps are installed and can be worked around, so we'll just wait for an upstream resolution)
  • Vanadium: add workaround for upstream bug with login when sandboxed Play services is present
  • android-prepare-vendor: overhaul Pixel 4a (5G), Pixel 5 and Pixel 5a support including building more AOSP modules

2021110507

Tags:

Changes since the 2021110122 release:

  • replace AOSP Camera app with next-generation GrapheneOS Camera app
  • set GrapheneOS Camera app as the hard-wired handler for camera gesture, similar to Android 11+ hard-wiring it as the camera media intent handler (should work around AOSP 12 lockscreen camera bugs) — note: this will be undone in a follow-up release before this reaches the Stable channel
  • invalidate icon cache between OS releases instead of only between major Android versions so that system theme/icon changes take effect immediately
  • system theme: switch to a more unique blue Material You color palette based around #1565C0
  • System Updater: adjust colors to match Settings app
  • Vanadium: update Chromium base to 95.0.4638.74

2021110122

Tags:

Changes since the 2021102613 release:

  • full 2021-11-01 security patch level
  • full 2021-11-05 security patch level
  • full 2021-11-06 security patch level
  • rebased onto SP1A.211105.004 release
  • system theme: switch to pure blue Material You color palette as a starting point for a GrapheneOS theme
  • System Updater: drop unused androidx legacy support library
  • System Updater: raise minSdkVersion to 31 (Android 12)
  • System Updater: stop marking settings activity as direct boot aware since it's never used before unlocking
  • System Updater: remove obsolete receiver from manifest
  • android-prepare-vendor: overhaul Pixel 4, Pixel 4 XL and Pixel 4a support including building more AOSP modules

2021102613

Tags:

  • SP1A.210812.015.2021102613 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102503 release:

  • System Updater: split up install progress notification into stages
  • include standard display cutout overlays across all devices
  • temporarily disable broken 'Render apps below cutout area' display cutout developer option to avoid it breaking loading SystemUI on boot
  • temporarily disable user-facing crash reporting for com.android.systemui due to an upstream AOSP 12 bug causing false positive reports of it being frozen (this change didn't end up successfully silencing the false positives so a different approach will be needed)

2021102503

Tags:

  • SP1A.210812.015.2021102503 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102300 release:

  • enable gestural navigation overlay to match default nav mode (fixes navigation bar style after factory reset or provisioning new users)
  • Launcher: temporarily disable new animation feature flags (these appear to be buggy)
  • Clock: roll back to GrapheneOS Android 11 Clock app since the AOSP 12 Clock app is buggy
  • Dialer: revert to prior visual voicemail configuration until the new configuration is properly handled

2021102300

Tags:

  • SP1A.210812.015.2021102300 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102203 release:

  • revert our change enabling the legacy wifi/cellular quick tiles until the upstream code is fixed
  • improve delta generation script
  • Messaging: add built-in battery optimization exception
  • Messaging: fix cellbroadcast package name
  • Messaging: stop using platform certificate
  • Dialer: update visual voicemail configuration for SP1A.210812.015
  • keep PIN scrambling keypad number descriptions in sync with digits
  • update PIN UI appearance for Android 12 in PIN scrambling implementation

2021102203

Tags:

  • SP1A.210812.015.2021102203 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102020 release:

  • Settings: add back reset text change lost in the port to Android 12
  • fix inclusion of up-to-date per-device APN database for Pixels
  • Pixel 4a: fix build system issue causing device specific APN / carrier configuration to be omitted
  • support using the legacy wifi/cellular quick tiles (combined internet quick tile will still be used by default)
  • Dialer: improve swipe to accept/reject calls
  • Dialer: fix issue with USB headset audio routing
  • Dialer: add dark theme and fix issues tied to it
  • improve release signing and delta generation scripts

2021102020

This is the initial production release of GrapheneOS based on Android 12. It's already fully functional and quite stable. Android 12 brings substantial improvements to privacy, security, functionality, performance and aesthetics. GrapheneOS features have been fully ported to Android 12 and also substantially improved as part of the migration process. The release notes below cover the full port of our features to Android 12 as a single entry in the list and improvements beyond porting are listed separately.

Tags:

  • SP1A.210812.015.2021102020 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021100606 release:

  • full port of all existing GrapheneOS features to Android 12
  • full 2021-10-05 security patch level for userspace device support code (kernel already on 2021-10-05)
  • rebased onto SP1A.210812.015 release
  • Sandboxed Google Play compatibility layer: add support for Play services Android 12 releases (Android 11 releases still mostly work but we'll be recommending/mirroring the Android 12 releases)
  • make release signing otacerts.zip generation reproducible
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: target ARMv8.2-DotProd architecture and Cortex-A76 CPU for ART and native code instead of producing generic ARMv8 code
  • use modern rounded corners by default
  • use new privacy indicators for location
  • raise permission usage history from 1 day to 7 days
  • enable permission history for all permission groups
  • use speed compiler filter for dexpreopt by default (converted from build configuration to build system to cover product/vendor/system_ext)
  • temporarily disable user-facing crash reporting for com.android.statementservice (Intent Filter Verification Service) due to an upstream AOSP 12 bug causing an uncaught exception when it tries to send too much data in the intents for jobs it runs via WorkManager
  • Launcher: backport multiple fixes from AOSP master
  • Launcher: enable new app open/close animations
  • Launcher: enable crossfade when changing theme
  • Launcher: enable new keyguard-to-launcher animation
  • Launcher: add Settings to center of default 5x5 dock
  • Launcher: add 2x2 workspace grid option
  • Launcher: reduce app label text size
  • Launcher: fix upstream issue causing missing screenshot button
  • Launcher: add ripple animation to task menu items
  • Launcher: fix all apps header color in dark mode
  • Launcher: fix Personal/Work profile tab colors in All Apps
  • Launcher: improve search bar UI in All Apps
  • SystemUI: change default quick tiles and quick tile order
  • Settings: update screen reader configuration for TalkBack so it shows up as a system screen reader again
  • Settings: add dark mode support for app installation restriction icon
  • SetupWizard: update to latest upstream code
  • SetupWizard: remove mention of pattern unlock in strings
  • System Updater: update to target API level 31 (Android 12)
  • System Updater: use Android 12 foreground service setup
  • Vanadium: update Chromium base to 94.0.4606.80
  • Vanadium: update Chromium base to 94.0.4606.85
  • Vanadium: update Chromium base to 95.0.4638.50
  • Vanadium: temporarily disable dexpreopt for browser and WebView (but not the library) due to lack of support in the Android 12 dexpreopt system
  • Seedvault: update to latest revision
  • TalkBack (screen reader): set app label to TalkBack
  • Auditor: update to version 34

2021100606

Tags:

Changes since the 2021100502 release:

  • backport of the Android 12 GrapheneOS Pixel kernels to Android 11 GrapheneOS including the full 2021-10-05 kernel patch level (the full set of fixes for firmware and userspace isn't public yet and will be provided by the upcoming release of Android 12 for Pixels)
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 5, Pixel 5a): rebase onto Android 12 SP1A.210812.016 kernel releases
  • kernel (Pixel 4, Pixel 4 XL, Pixel 5, Pixel 5a): temporarily disable unnecessary DEBUG_NOTIFIERS feature (type-based CFI obsoletes it as a security feature) due to an incompatibility with the updated Android 12 kernel LLVM toolchain (discovered issue is benign but we'll be fixing it in a future release)

2021100502

Tags:

Changes since the 2021100103 release:

  • full 2021-10-01 security patch level
  • partial 2021-10-05 security patch level (the full set of fixes isn't public yet and will be provided by the upcoming release of Android 12 for Pixels)
  • rebased onto RQ3A.211001.001 and RD2A.211001.002 releases
  • drop our downstream workaround for use-after-free vulnerability in init now that the issue we reported is fixed upstream

2021100103

Tags:

Changes since the 2021092612 release:

  • Vanadium: update Chromium base to 94.0.4606.71
  • change generated carrier configurations to always allow editing APNs
  • always show APN settings on CDMA carriers
  • automate APN / carrier settings updates

2021092612

Tags:

Changes since the 2021092220 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): apply upstream fix for ION use-after-free vulnerability
  • Vanadium: update Chromium base to 94.0.4606.61
  • android-prepare-vendor: remove a bunch of unused code / functionality
  • android-prepare-vendor: skip all kernel modules

2021092220

Tags:

Changes since the 2021091407 release:

  • Auditor: update to version 32
  • Auditor: update to version 33
  • Vanadium: update Chromium base to 94.0.4606.50
  • TalkBack (screen reader): update SDK and build tools versions
  • clean up build scripts

2021091407

Tags:

Changes since the 2021090819 release:

  • Sandboxed Google Play compatibility layer: stub out DeviceConfig APIs by ignoring device configuration writes instead of throwing a SecurityException
  • Sandboxed Google Play compatibility layer: stub out DropBoxManager API by pretending no crash dumps, logs, etc. are available instead of throwing a SecurityException
  • Sandboxed Google Play compatibility layer: stub out getImei API by pretending IMEI cannot be retrieved instead of throwing a SecurityException
  • Seedvault: add missing permission needed for UserManager restriction security fix in the last release
  • Seedvault: update to latest revision
  • TalkBack (screen reader): update base version to 370044210 and port our changes (Switch Access service has been dropped upstream)
  • Auditor: update to version 30
  • Auditor: update to version 31
  • Vanadium: update Chromium base to 93.0.4577.82

2021090819

Tags:

Changes since the 2021090401 release:

  • full 2021-09-01 security patch level
  • full 2021-09-05 security patch level
  • rebased onto RQ3A.210905.001 and RD2A.210905.003 releases
  • kernel (Pixel 4a (5G), Pixel 5): use device-specific dtbo.img
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: update APNs
  • Pixel 5a: add missing configuration for biometric sensors (fingerprint sensor)
  • Pixel 5a: declare Pixel features are available so that apps with Pixel-specific features will use them
  • Seedvault: respect UserManager restrictions on app installation to avoid providing a way to bypass device management restrictions
  • Seedvault: show experimental restore backup option in backup settings instead of only supporting restore in the initial setup wizard

2021090401

Tags:

Changes since the 2021082501 release:

  • add experimental Pixel 5a support via device support branch
  • Settings: add back past GrapheneOS feature for toggling whether secondary users can install new apps
  • Vanadium: update Chromium base to 92.0.4515.166
  • Vanadium: update Chromium base to 93.0.4577.62
  • Vanadium: hide sign in preference when disallowed
  • Vanadium: disable using Play services as a source for certain Google fonts
  • automatically disable UART debugging when flashing factory images (GrapheneOS already extends the notification about it to production builds)
  • Auditor: update to version 29
  • SetupWizard: properly disable system UI navigation for the entire setup process
  • kernel (Pixel 4a (5G), Pixel 5): drop unnecessary Wi-Fi driver change from our previous downstream security fixes
  • Pixel 4, Pixel 4 XL: enable saturated color option

2021082501

Tags:

  • RQ3A.210805.001.A1.2021082501 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021081822 release:

  • System Updater: move settings into a preference category
  • System Updater: add detailed information to the error messages
  • Auditor: update to version 28
  • Vanadium: move search suggestions toggle to privacy menu
  • Vanadium: remove empty account category and Services menu from the main menu
  • Sandboxed Google Play compatibility layer: add shim to make Play services use the regular cellular geolocation API instead of attempting and failing to use a special API requiring MODIFY_PHONE_STATE to attribute power consumption to the app responsible for the request to Play services
  • Sandboxed Google Play compatibility layer: add shims making Play services use the unprivileged AppOps proxy API instead of attempting and failing to use the privileged APIs for blaming other apps (it can still blame other apps via the proxy API, but the OS treats it as an untrusted claim)
  • Sandboxed Google Play compatibility layer: add shim making Play services use UserManager.hasUserRestriction instead of UserManager.hasBaseUserRestriction to avoid requiring privileged permissions and to return correct answers since it can't bypass device management

2021081822

Tags:

  • RQ3A.210805.001.A1.2021081822 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021081411 release:

  • Vanadium: update Chromium base to 92.0.4515.159
  • Vanadium: improved implementation of not granting permissions to the default search engine now that Chromium has support for it
  • System Updater: avoid error messages being truncated by using expandable notifications for them
  • Settings: fix upstream bug preventing setting pictures for user profiles
  • Settings: backport upstream fix for user edit dialog breaking from rotation
  • Settings: add LTE only mode entry when carrier enables world mode too
  • Sandboxed Google Play compatibility layer: fix detection of system processes in secondary users
  • Sandboxed Google Play compatibility layer: handle edge case of packages without data directories

2021081411

Tags:

  • RQ3A.210805.001.A1.2021081411 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.08.09.02 release:

  • remove periods from build number (2nd half of the full version) to improve compatibility with apps wrongly assuming they can parse it as an integer (including Google Camera for Night Sight feature detection)
  • Settings: add 3rd option to connectivity check setting for disabling it (will prevent falling back to other networks from a broken one and handling captive portals)
  • Settings: ignore carrier asking the OS not to show the preferred network setting, similar to how we already ignore being instructed to disallow tethering
  • further fixes for the upstream code implementing the eBPF-based INTERNET permission (fixes cases where it was overly restrictive for secondary users, but we already prevented it from being overly permissive by adding back the simpler pre-eBPF approach as a 2nd layer of enforcement)
  • Sandboxed Google Play compatibility layer: disable shared user id check since it isn't relevant to GrapheneOS and it appears that it may be causing issues

2021.08.09.02

Tags:

  • RQ3A.210805.001.A1.2021.08.09.02 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.08.03.03 release:

  • Sandboxed Google Play compatibility layer: add infrastructure / shims to support dynamite modules (dynamically loaded modules including Maps API support)
  • Vanadium: update Chromium base to 92.0.4515.131
  • Vanadium: disable trials of privacy-aware analytics/advertising APIs
  • Vanadium: remove unwanted sync and services link
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml

2021.08.03.03

Tags:

  • RQ3A.210805.001.A1.2021.08.03.03 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.26.20 release:

  • full 2021-08-01 security patch level
  • full 2021-08-05 security patch level
  • rebased onto RQ3A.210805.001.A1 release
  • kernel (Pixel 4a (5G), Pixel 5): backport implementation of IPv6 temporary addresses (RFC4941) as a replacement for the legacy privacy address implementation, removing the need for our work on mitigating the issues with them (still used for older generation devices)
  • System Updater: use System Updater as the app name
  • System Updater: show when status notifications occurred
  • System Updater: add notification settings shortcut to update settings
  • Sandboxed Google Play compatibility layer: add compatibility shims for secondary user support
  • Sandboxed Google Play compatibility layer: use unified GmsCompat/ prefix for log tags
  • Sandboxed Google Play compatibility layer: add shim for AppOpsManager#startOpNoThrow
  • Sandboxed Google Play compatibility layer: move foreground service notification channel to dedicated Compatibility notification channel group
  • Sandboxed Google Play compatibility layer: add proper description to foreground service notification
  • Sandboxed Google Play compatibility layer: add shortcut for opening the notification channel settings from the foreground service notifications

2021.07.26.20

Tags:

  • RQ3A.210705.001.2021.07.26.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.19.18 release:

  • System Updater: add detailed failure / success notifications. The next release will enable the timestamp to show when it happened. You can turn off the 'Already Updated' notification channel if you don't want those minimum priority notifications with no status icon collapsed at the bottom.
  • Vanadium: update Chromium base to 92.0.4515.105
  • Vanadium: update Chromium base to 92.0.4515.115
  • Vanadium: drop removal of speculative service worker start for search
  • init: fix use-after-free from event handling callbacks (issue uncovered by hardened_malloc in certain situations like unplugging a USB keyboard, etc.)
  • fix PermissionController UI for Sensors/Network permissions with legacy API < 23 apps (i.e. apps without proper support for Android Marshmallow and beyond)
  • Sandboxed Google Play compatibility layer: disable badge for foreground service notification by default
  • Settings: drop support for showing nearby devices from Play since it can't function without Play having any special privileges
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): improve support for hosting servers by enabling SYN cookies for denial of service resistance like newer generation devices
  • hardened_malloc: update libdivide to 5.0

2021.07.19.18

Tags:

  • RQ3A.210705.001.2021.07.19.18 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.16.19 release:

  • Settings: fix displaying setting for GrapheneOS USB accessory policy (deny new usb)
  • Settings: hide insecure pattern lock option (either use a randomly generated 6-8 digit PIN for secure encryption based on secure element throttling or a strong randomly generated passphrase to avoid depending on the secure element, not this misguided pattern option with ridiculously low entropy)
  • Sandboxed Google Play compatibility layer: return false for SIM card lock check rather than throwing a SecurityException
  • Sandboxed Google Play compatibility layer: avoid throwing an exception in certain edge cases for secondary users when checking whether the compatibility shims should be enabled for a process (i.e. when checking if the process is one of the 3 core Play apps)
  • Vanadium: update Chromium base to 91.0.4472.164

2021.07.16.19

Tags:

  • RQ3A.210705.001.2021.07.16.19 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.07.19 release:

  • add experimental support for running Play services and friends as sandboxed user-installed apps without any special privileges
  • Settings: use alternate implementation of Wi-Fi auto-turn-off setting matching the Bluetooth auto-turn-off UX
  • overhaul Wi-Fi auto-turn-off implementation including handling the case of Wi-Fi being turned on without connecting to a network
  • add lower auto-reboot timeout options
  • display notification when UART is enabled in the bootloader configuration for user builds too (where it isn't supported by userspace, but still provides firmware and kernel logs) rather than only in userdebug builds
  • Seedvault: update to latest revision
  • Seedvault: switch to GrapheneOS fork with intent access restricted to prevent other apps from spawning the activities
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: set product brand to hardware brand
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: remove aosp_ prefix from product names

2021.07.07.19

Tags:

  • RQ3A.210705.001.2021.07.07.19 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.06.20.20 release:

  • full 2021-07-01 security patch level
  • full 2021-07-05 security patch level
  • rebased onto RQ3A.210705.001 release
  • reimplement Bluetooth auto-turn-off feature to avoid using the Settings app for the implementation (fixes reliability issues)
  • add experimental Wi-Fi auto-turn-off feature based on reimplementation of Bluetooth auto-turn-off (will not kick in when Wi-Fi is turned on without connecting to a network until the next release)
  • System Updater: display progress for the short phase of verifying the update
  • System Updater: reuse the same progress notification for downloading, verifying and installing the update
  • System Updater: only alert once for progress notifications if the user raises the notification importance level
  • System Updater: use foreground service via progress notification
  • Vanadium: update Chromium base to 91.0.4472.120
  • Vanadium: update Chromium base to 91.0.4472.134
  • Seedvault: update to latest revision

2021.06.20.20

Tags:

  • RQ3A.210605.005.2021.06.20.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.06.09.13 release:

  • Vanadium: update Chromium base to 91.0.4472.101
  • Vanadium: update Chromium base to 91.0.4472.114
  • Vanadium: add toggle to Privacy and security settings for disabling JIT compilation and using fully interpreted JavaScript via fast interpreter
  • kernel (Pixel 4a (5G), Pixel 5): fix upstream module load order issues when modules are built into the kernel
  • kernel (Pixel 4a (5G), Pixel 5): build in every module and disable dynamic kernel module support again to restore finer-grained Control Flow Integrity (CFI) and attack surface reduction
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): generate a new privacy address when connecting to a network as a temporary partial workaround for the broken upstream privacy address implementation before Linux 5.8 (the privacy address standard itself was flawed and Linux 5.8+ has an implementation of the fixed standard, which we've suggested that Android backport in our upstream report)
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: declare Pixel features are available so that apps with Pixel-specific features will use them

2021.06.09.13

Tags:

  • RQ3A.210605.005.2021.06.09.13 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.06.08.06 release:

  • re-enable current camera/microphone privacy indicator implementation
  • kernel (Pixel 4a (5G), Pixel 5): use new GNU assembler (gas) prebuilts and drop all other usage of the GNU toolchain since LLVM provides everything else (LLVM assembler is used for userspace, but can't yet handle the Linux kernel)
  • kernel (Pixel 4a (5G), Pixel 5): temporarily move to building and using dynamic kernel modules (same list as AOSP) to work around new issues with monolithic builds until we have time to resolve them and improve CFI granularity again
  • android-prepare-vendor (Pixel 4a (5G), Pixel 5): remove previously unused stock OS kernel modules now that we're temporarily enabling dynamic kernel module support so that only our builds of kernel modules are being used
  • System Updater: add support for custom accent color

2021.06.08.06

Tags:

  • RQ3A.210605.005.2021.06.08.06 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.05.29.09 release:

  • full 2021-06-01 security patch level
  • full 2021-06-05 security patch level
  • rebased onto RQ3A.210605.005 release, initial release of Android 11 QPR3 (Quarterly Platform Release 3)
  • experimental new feature for configuring auto-reboot after N hours of the device being locked to put all logged in user profiles back at rest (i.e. data inaccessible to the OS until logged in again) when the device isn't in your possession
  • kernel (Pixel 4a (5G), Pixel 5): apply fixes for 2 Qualcomm Wi-Fi driver vulnerabilities from CAF missed in the upstream December 2020 security update for Pixels
  • Vanadium: update Chromium base to 91.0.4472.88
  • android-prepare-vendor: fix resuming image downloads due to broken HTTP/2 server semantics
  • Settings: fix hardcoded black text in storage summary
  • remove redundant property for disabling OpenGL preloading
  • update kernel build tools used for Pixel 4a (5G), Pixel 5 and beyond

2021.05.29.09

Tags:

Changes since the 2021.05.19.06 release:

  • prevent DHCP (IPv4) from reusing state across connections to the same network when full MAC randomization is enabled
  • Vanadium: update Chromium base to 91.0.4472.77
  • Vanadium: enable opportunistic HTTPS by default
  • Vanadium: disable mobile identity consistency by default
  • revert our change adding the screenshot button to the power menu for 3-button navigation since it's provided by the recent apps activity for both gesture and 3-button navigation (we originally added it back for both 2-button and 3-button navigation even though it was only needed for 2-button navigation, and then the stock OS implemented the same fix only for 2-button navigation, which makes more sense)

2021.05.19.06

Tags:

Changes since the 2021.05.16.04 release:

  • Settings: remove field referencing the mainline module (APEX) version (also known as the Google Play system update version) since we ship these changes as part of the OS and have out-of-band module updates disabled because we have no use for them
  • remove legacy Calendar widget
  • add toggle for disabling fingerprint unlock while having fingerprints registered for usage in apps (authentication and protecting hardware keystore keys)
  • Auditor: update to version 27

2021.05.16.04

Tags:

Changes since the 2021.05.04.01 release:

  • enable gesture navigation by default (see our guide on system navigation for details on using gesture navigation and switching to a button-based navigation)
  • System Updater: fix minor theme issue for light theme when pressing preferences
  • replace our workaround for an upstream user profile crash issue with a proper upstream fix from Sony
  • replace our workaround for another upstream user profile crash issue with a proper fix based on the approach of the fix from Sony
  • Vanadium: update Chromium base to 90.0.4430.210
  • hardened_malloc: purge memory even if VMA exhaustion causes munmap or MAP_FIXED mmap calls to fail
  • hardened_malloc: increase class region size on x86_64 to 32GiB
  • hardened_malloc: increase class region size on arm64 to 2GiB (should be 32GiB on devices where we've enabled 4-level page tables but that requires setting up build configuration infrastructure)
  • raise vm.max_map_count further to have even more leeway before VMA exhaustion occurs from fine-grained guard regions
  • kernel (Pixel 4a (5G), Pixel 5): fix build reproducibility issue by backporting upstream fix
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): make CONFIG_LOCALVERSION_AUTO ignore Git tags so adding tags doesn't change the result of a build
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): apply fixes for 2 Qualcomm audio driver vulnerabilities from CAF including one missed in the upstream May 2021 security update for Pixels
  • kernel (Pixel 4a): apply fix for use-after-free in GPU driver missed in the upstream security updates for the Pixel 4a
  • switch HTTPS network time URL from / to /generate_204 to allow for a future / redirect

2021.05.04.01

Tags:

Changes since the 2021.04.22.20 release:

  • full 2021-05-01 security patch level
  • full 2021-05-05 security patch level
  • rebased onto RQ2A.210505.003 release
  • enable backup service for non-owner users so that secondary users can be backed up
  • add SetupWizard activities for secondary users including support for restoring backups
  • Settings (Accessibility): add Monochromacy (grayscale) option to color correction
  • improve the newer generation eBPF-based implementation of the INTERNET permission to properly support revoking the permission in secondary profiles (we'll be keeping our restoration of the much simpler non-eBPF-based approach to avoid relying on this on devices using our hardened kernels)
  • Vanadium: update Chromium base to 90.0.4430.91
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: set slot number for eSIM (still need an eSIM activation app since it's one of the remaining missing components from not including Google apps and services)
  • hardened_malloc: use 1 slot for all extended size classes (reduces memory usage and improves security in combination with the guard slab feature)
  • use system theme accent color for fingerprint dialog instead of teal
  • integrate modern Android theme and wallpaper configuration
  • remove legacy WallpaperPicker app
  • System Updater: modernize update settings via androidx preference library (new theme has minor quirks we'll be fixing in the next release)
  • use alternate grapheneos.online domain for connectivity check / captive portal fallback URLs to improve handling of future issues comparable to Quad9 temporarily blocking grapheneos.network due to some kind of false positive
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml

2021.04.22.20

Tags:

  • RQ2A.210405.005.2021.04.22.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.04.16.04 release:

  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): update our change to use max ASLR entropy before the init process enables it for the larger address space enabled by GrapheneOS
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): add back hard-wired check for the INTERNET permission on socket creation at least until the eBPF code is improved and fixed to work properly for secondary profiles
  • Vanadium: disable unused FLOC feature
  • Vanadium: update Chromium base to 90.0.4430.82

2021.04.16.04

Tags:

  • RQ2A.210405.005.2021.04.16.04 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.04.05.20 release:

  • kernel (Pixel 4a (5G), Pixel 5): rebuild with updated techpack/camera submodule
  • add back support for fully disabling native debugging (ptrace) support in Settings > Security
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): enable support for native debugging (ptrace) toggle via Yama
  • Settings: add back extra field with bootloader version
  • Settings: only allow disabling Vanadium WebView library via developer tools since disabling it breaks app compatibility and almost always results in crashes rather than user friendly errors, including for base OS components using it
  • Vanadium: update Chromium base to 90.0.4430.66
  • Vanadium: fully disable autofill assistant
  • Vanadium: disable unused autofill assistant configuration
  • Vanadium: disable speculative service worker start by default
  • Vanadium: disable safety check for Android by default
  • Vanadium: disable new interest feed feature too
  • Vanadium: disable unused password check feature

2021.04.05.20

Tags:

  • RQ2A.210405.005.2021.04.05.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.30.02 release:

  • full 2021-04-01 security patch level
  • full 2021-04-05 security patch level
  • rebased onto RQ2A.210405.005 release
  • SetupWizard: rebrand to GrapheneOS for other languages

2021.03.30.02

Tags:

  • RQ2A.210305.006.2021.03.30.02 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.19.14 release:

  • hardened_malloc: add initial malloc_trim slab quarantine purging to reduce system memory usage from the slab quarantine without sacrificing security
  • Vanadium: update Chromium base to 89.0.4389.105
  • android-prepare-vendor (Pixel 4a (5G), Pixel 5): stop incorrectly treating new vendor_boot partition as a firmware partition and use our own build
  • SetupWizard: update to latest upstream code

2021.03.19.14

Tags:

  • RQ2A.210305.006.2021.03.19.14 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.06.00 release:

  • integrate the latest open source release of TalkBack and Switch Access as first party accessibility services again (a text-to-speech service like RHVoice needs to be installed, configured and enabled to be able to use TalkBack)
  • SELinux policy: add back removing tmpfs execute for all base system app domains
  • SELinux policy: expand exception from ashmem execute restriction to legacy non-base system app domains (was more strict than currently intended since we don't want to break app compatibility)
  • add Bluetooth timeout feature with a security fix applied to the original implementation
  • System Updater: rename title of the management activity launched via Settings
  • set GrapheneOS launcher as a default notification listener on fresh installs so that the default enabled notification integration is permitted by default like the stock OS (existing users still need to manually enable the permission for the built-in launcher)
  • add back removing DUN requirement for tethering
  • add back ignoring tethering provisioning requirement
  • enable app compaction by default
  • enable app freezer by default
  • enable camera/microphone usage indicators by default
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): switch from standard 39-bit address space to 48-bit address space via 4-level page tables
  • Vanadium: update Chromium base to 89.0.4389.86
  • Vanadium: update Chromium base to 89.0.4389.90
  • Vanadium: enable partitioning connections by default
  • hardened_malloc: update libdivide to 4.0.0
  • hardened_malloc: use longer region quarantine random array (256 regions instead of 128)
  • Auditor: update to version 26

2021.03.06.00

Tags:

  • RQ2A.210305.006.2021.03.06.00 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.02.10 release:

  • Vanadium: update Chromium base to 89.0.4389.72
  • Vanadium: enable user agent freeze by default
  • Vanadium: disable building code as dynamic feature modules
  • kernel (Pixel 4a): fix techpack/audio build reproducibility issue
  • backport upstream fix for building on compressed filesystems
  • Calendar: remove launcher icon since the app exists for compatibility / testing
  • Seedvault: update to latest revision

2021.03.02.10

Tags:

  • RQ2A.210305.006.2021.03.02.10 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.26.16 release:

  • full 2021-03-01 security patch level
  • full 2021-03-05 security patch level
  • rebased onto RQ2A.210305.006 release, initial release of Android 11 QPR2 (Quarterly Platform Release 2)
  • Settings (Pixel 4, Pixel 4 XL, Pixel 5): enable refresh rate control
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml
  • Pixel 4a: fix SystemUI memory pinning

2021.02.26.16

Tags:

  • RQ1A.210205.004.2021.02.26.16 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.23.15 release:

  • hardened_malloc: add back workarounds for camera driver bugs on the Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL

2021.02.23.15

Tags:

  • RQ1A.210205.004.2021.02.23.15 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.19.15 release:

  • Camera: set flash mode to off by default (camera flash causes a substantial delay and substantially lower image quality so it generally isn't desirable)
  • system theme: use black for settings background in the dark theme
  • drop legacy code for setting Seedvault as the enabled backup service
  • hardened_malloc: drop workarounds for camera driver bugs on the Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL
  • hardened_malloc: drop workaround for USB audio bug

2021.02.19.15

Tags:

  • RQ1A.210205.004.2021.02.19.15 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.07.17 release:

  • Vanadium: update Chromium base to 88.0.4324.181
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml
  • Auditor: update to version 24
  • Auditor: update to version 25
  • Pixel 4a: set boot security patch level to leverage the YYYY-MM-01 vs. YYYY-MM-05 distinction for attestation
  • Pixel 4a (5G), Pixel 5: complete initial device support including porting hardening features
  • kernel (Pixel 4a (5G), Pixel 5): enable slab canary feature
  • kernel (Pixel 4a (5G), Pixel 5): set correct variable for 32-bit vdso toolchain
  • kernel (Pixel 5): disable unnecessary touch driver
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): use LLVM toolchain for everything other than the assembler
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use LLVM toolchain for everything other than the assembler and target linker
  • kernel (Pixel 4a (5G), Pixel 5): use new kernel build-tools prebuilts repository

2021.02.07.17

Tags:

  • RQ1A.210205.004.2021.02.07.17 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.06.05 release:

  • fix added error reporting code for HTTPS-based network time updates
  • Seedvault: update to latest revision

2021.02.06.05

Tags:

  • RQ1A.210205.004.2021.02.06.05 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.02.09 release:

  • Vanadium: update Chromium base to 88.0.4324.152
  • rework the GrapheneOS HTTPS-based network time updates to enforce certificate expiry based on the OS build date for the whole certificate chain to avoid failing to fix significant time sync issues while still having a reasonable expiry check

2021.02.02.09

Tags:

Changes since the 2021.01.23.03 release:

  • full 2021-02-01 security patch level
  • full 2021-02-05 security patch level
  • rebased onto RQ1A.210205.004 release
  • Vanadium: update Chromium base to 88.0.4324.141
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): make more data read-only per newer device kernels

2021.01.23.03

Tags:

Changes since the 2021.01.05.03 release:

  • system theme: use slightly different accent color for the dark theme
  • Dialer: add carrier-specific visual voicemail configurations
  • Vanadium: update Chromium base to 87.0.4280.141
  • Vanadium: update Chromium base to 88.0.4324.93
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): use UTC for kernel timestamp to make reproducible builds easier
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): update toolchain's toybox prebuilt for various fixes including fixing an issue with the date command causing a build reproducibility issue
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): apply upstream patch avoiding truncation of kernel debug symbol names generated when using Clang type-based CFI
  • adjust kernel configuration tests to permit disabling dynamic kernel modules for new kernel variants
  • fix dark theme issue with Settings app search panel
  • Camera2: backport fix for interaction with lockscreen
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: update APNs with carriersettings-extractor
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: add CarrierConfig vendor.xml from the stock OS with entries depending on Google and carrier apps stripped out

2021.01.05.03

Tags:

Changes since the 2020.12.12.03 release:

  • full 2021-01-01 security patch level
  • full 2021-01-05 security patch level
  • rebased onto RQ1A.210105.003 release
  • Settings: update GrapheneOS connectivity check URLs to match NetworkStack
  • Camera: remove unused Wi-Fi state permissions
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: update APNs with carriersettings-extractor
  • adjust kernel configuration tests to permit not having BPF_JIT since we don't have it enabled
  • add check for empty TTS engine name to address upstream bug
  • Vanadium: enable split cache by default
  • Vanadium: add back legacy media file access support for now
  • Vanadium: rename WebView and library apps based on the vanadium.app domain
  • Seedvault: update to latest revision
  • remove unnecessary vendor overlays
  • SetupWizard: change OS name to GrapheneOS for backup activity strings again
  • fix use-after-free in adbd authentication which was breaking support for persistently trusting keys due to zero-on-free
  • system theme: use blue accent color
  • replace default AOSP wallpaper with a solid black wallpaper — may get a bit fancier in the near future
  • update round icon mask
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: always use dark theme for boot chain firmware
  • Pixel 3a, Pixel 3a XL: disable unused dynamic kernel module support to match other devices
  • System Updater: disconnect keepalive connection when service is done

2020.12.12.03

Tags:

Changes since the 2020.12.08.08 release:

  • Vanadium: disable WebView variations support
  • SetupWizard: update to latest upstream code
  • NetworkStack: switch to grapheneos.network for connectivity checks to improve compatibility with captive portals lacking support for the built-in login interface (HSTS preloading for grapheneos.org breaks the fallback browser login notification)

2020.12.08.08

Tags:

Changes since the 2020.11.27.15 release:

  • full 2020-12-01 security patch level
  • full 2020-12-05 security patch level
  • rebased onto RQ1A.201205.010 release
  • script: support any number of source versions for deltas
  • set read timeout for HTTPS network time connections
  • disable keepalive for HTTPS network time connections
  • always disconnect HTTPS network time connections
  • remove unnecessary Accept-Charset header for HTTPS network time requests
  • Vanadium: ask permission to play protected media by default
  • Vanadium: disable autofill server communication by default
  • Vanadium: update Chromium base to 87.0.4280.86
  • Vanadium: update Chromium base to 87.0.4280.101
  • Settings: remove partial MAC randomization translations
  • Auditor: update to version 23
  • replace downstream fix for VPN lockdown being overridden when stopping users with the upstream fix

2020.11.27.15

Tags:

Changes since the 2020.11.25.22 release:

  • Vanadium: disable autofill assistant by default (restores previous Vanadium behavior)
  • Vanadium: backport upstream fix for missing manifest changes (this fixes issues with opening URLs in external apps)
  • Vanadium: disable component updater pings by default
  • Settings: disallow configuring connectivity checks for users disallowed to configure Private DNS by the administrator (in theory, it could be a separate option, but we need to use one that's already part of the public API)

2020.11.25.22

Tags:

Changes since the 2020.11.05.18 release:

  • PDF Viewer: update to version 6
  • NFC: backport compatibility fix for certain broken apps from AOSP master
  • Bluetooth: backport fix for Bluetooth capacity string
  • Vanadium: update Chromium base to 86.0.4240.198
  • Vanadium: update Chromium base to 87.0.4280.66
  • Vanadium: disable new high-level functionality for fetching variations
  • Vanadium: disable unused Omaha update check support
  • Vanadium: disable GaiaAuthFetcher code due to upstream bug
  • Vanadium: disable deprecated FTP support by default
  • Pixel 4 XL: correctly mark certain unsupported features as unavailable per the Pixel 4
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: use device-specific NFC configuration
  • add initial runtime flags handling for exec-based spawning to improve compatibility
  • Pixel 3, Pixel 3 XL, Pixel 4, Pixel 4 XL, Pixel 4a: disable chained vbmeta to simplify verified boot and improve attestation (Pixel 3a and Pixel 3a XL never used this)
  • Seedvault: update to latest revision
  • NetworkStack: remove change to connectivity check handling that's no longer required with Android 11
  • use GrapheneOS connectivity check server by default for connectivity checks in the OS
  • Settings: add setting to toggle between GrapheneOS connectivity check server and the standard Android connectivity check URLs to continue supporting blending in with other Android devices without a VPN
  • System Updater: remove unused READ_PHONE_STATE permission

2020.11.05.18

While waiting for this release to become available, you can manually add a battery optimization exemption for the Clock app via Settings > Apps & notifications > Special app access > Battery optimization where you can select All apps, scroll down to the Clock app and manually add an exemption. We should get this added upstream.

Tags:

Changes since the 2020.11.03.03 release:

  • Clock: add battery optimization exemption required for the new target API level (this is missing in AOSP)

2020.11.03.03

Pixel 2 and Pixel 2 XL support will now be provided via separate extended support releases for obsolete devices. We'll be making the first one based on an official release in the near future. They can only reach the 2020-11-01 security patch this month due to the lack of a release with changes outside the scope of AOSP such as new GPU firmware.

Tags:

Changes since the 2020.10.23.04 release:

  • full 2020-11-01 security patch level
  • full 2020-11-05 security patch level
  • rebased onto RP1A.201105.002 release
  • Vanadium: update Chromium base to 86.0.4240.110
  • Vanadium: update Chromium base to 86.0.4240.114
  • Vanadium: update Chromium base to 86.0.4240.185
  • Vanadium: enable prefetch privacy changes by default
  • Vanadium: enable reduced referrer granularity by default
  • Camera: request fine location instead of coarse location for the disabled-by-default geotagging feature
  • Camera: remove unused INTERNET permission
  • Clock: apply assorted fixes from upstream
  • add explicit detection of fastboot being missing to the factory images flash-all scripts
  • Gallery: apply upstream fix from NXP for null pointer dereference bug
  • Auditor: update to version 22
  • script: make generate_deltas ask for the password only once
  • enable screenshot action for 3 button nav too (the upstream release limited it to being enabled for 2 button navigation)

2020.10.23.04

Tags:

Changes since the 2020.10.06.02 release:

  • Vanadium: update Chromium base to 86.0.4240.75
  • Vanadium: update Chromium base to 86.0.4240.99
  • Vanadium: remove deprecated, unused storage permissions
  • replace standard WebView with Vanadium WebView again
  • Pixel 4, Pixel 4 XL: disable unsupported aware feature so that ambient display is available
  • Seedvault: switch to upstream development branch now that it supports Android 11
  • SELinux policy: port hardening from Android 10
  • hardened_malloc: log fatal errors (detected memory corruption bugs) to Android's log system
  • fix minor issues with Android 11 port of Wi-Fi and Bluetooth quick tile unlock requirement
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): apply Bluetooth fixes from the stable kernel branch including fixes for CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490
  • improve experimental support for the Pixel 4a including porting most device-specific changes implemented for other devices

2020.10.06.02

Tags:

Changes since the 2020.10.01.23 release:

  • full 2020-10-01 security patch level
  • full 2020-10-05 security patch level
  • rebased onto RP1A.201005.006 release
  • hardened_malloc: optimize and harden initialization sanity checks
  • work around upstream bug causing null pointer crashes from media notifications in secondary profiles
  • enable secondary user logout support by default (purges credential encrypted storage keys from memory)
  • add back screenshot action to global action list as an alternative to the key chord (power button + volume down) and screenshot button in the gesture navigation recent apps list
  • reject received unix timestamps before build unix time for HTTPS-based network time implementation
  • Clock: apply fixes for various upstream issues
  • System Updater: harden PendingIntent usage

2020.10.01.23

Tags:

Changes since the 2020.09.29.20 release:

  • Pixel 4 (non-XL): stop overriding default Bluetooth toggle to disable it by default like other devices
  • use otatools.zip for generating delta updates
  • Settings: fix integration of LTE only mode option to preferred network setting
  • Auditor: update to version 21

2020.09.29.20

Tags:

Changes since the 2020.09.25.00 release:

  • add overlay to show 2 button navigation option in Settings again
  • Calculator: gesture compatibility fix
  • Auditor: update to version 20
  • WebView: update to 85.0.4183.120
  • WebView: update to 85.0.4183.127
  • Vanadium: update Chromium base to 85.0.4183.127
  • fix syncing time for the port of our HTTPS-based network time update implementation to Android 11
  • stop using dedicated keys for signing OsuLogin and ServiceWifiResources and simply use the regular testkey/releasekey instead

2020.09.25.00

Tags:

Changes since the 2020.09.18.13 release:

  • fix Wi-Fi MAC randomization settings for translations that were missing our added option
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: add missing configuration for biometric sensors in Android 11
  • fix upstream bug in the NFC quick settings tile for Android 11 breaking it after reboot
  • fix NFC quick settings tile icon handling for Android 11
  • Settings: fix upstream NFC preference so that it listens for changes and can see it being toggled via the NFC tile
  • Vanadium: update Chromium base to 85.0.4183.120
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • add back SetupWizard
  • Settings: fix launching WifiSettings

We're no longer going to be listing out restored past features in a separate section for the release notes.

2020.09.18.13

Tags:

Changes since the 2020.09.11.14 release:

  • initial port to Android 11 with most GrapheneOS changes ported over (missing most SELinux policy hardening, some Pixel 4 / 4 XL kernel side channel mitigations, finer-grained Pixel 4 kernel Control Flow Integrity and the setup wizard)
  • full 2020-09-05 security patch level
  • temporarily use stock WebView until the next release of Chromium is available with public support for Android 11 to provide the WebView via Vanadium again
  • fix VPN lockdown setting getting overridden on user stop
  • SELinux policy: disable gmscore_app domain
  • SELinux policy: use dedicated SELinux domain for Updater app based on the modern untrusted_app domain
  • stop disabling support for stable local privacy addresses since Android 11 handles it better by only using it when MAC randomization is disabled
  • update to a new version of Seedvault for Android 11
  • build and use otatools.zip for signing releases instead of an ad-hoc approach
  • Auditor: update to version 19
  • System Updater: update targetSdkVersion to 30
  • disable Scudo on 64-bit since we use the substantially more secure hardened_malloc
  • fully replace jemalloc with Scudo on 32-bit
  • hardened_malloc: improve stats implementation

Installations made before this project was renamed to GrapheneOS and before the first official release of the Android Hardening project will be forced to factory reset as part of this upgrade, due to lack of backwards compatibility with the unaltered AOSP encryption format.

2020.09.11.14

Tags:

  • QQ3A.200805.001.2020.09.11.14 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Testing the Android 11 kernels was useful, but we weren't able to ship the previous release due to issues uncovered during testing. The Android 11 kernels have minor backwards incompatible changes in the drivers for at least a subset of the devices so we'll need to ship them with the rest of the changes. Thanks to our testers for helping us with this. This will be the new final Android 10 release, assuming no further problems are uncovered during testing.

Changes since the 2020.09.10.05 release:

  • revert to using the Android 10 kernels on the devices that were switched over early due to backwards incompatible changes in some drivers

2020.09.10.05

Tags:

  • QQ3A.200805.001.2020.09.10.05 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

This should be the final GrapheneOS release based on Android 10. It ships the device-independent monthly security patches and migrates over to using the Android 11 branch of the GrapheneOS kernels for most devices, which brings all the upstream kernel hardening in Android 11 along with the full September kernel updates. The remaining patches for the full 2020-09-05 patch level require finishing the migration to Android 11 in order to ship the September update for the other device support code. It's possible we could ship some of this early, but instead we're going to be focusing on finishing the enormous task of migrating to Android 11. Further help with bringing up support for the devices with Android 11 and porting over each of the GrapheneOS hardening features to it would be greatly appreciated. Donations are also extremely helpful. GrapheneOS has brought on another full time developer using donated funds and there are 3 part time developers helping with Android 11.

Changes since the 2020.08.07.01 release:

  • full 2020-09-01 security patch level
  • partial 2020-09-05 security patch level (missing userspace device support changes until port to Android 11 is finished)
  • Vanadium: update Chromium base to 84.0.4147.125
  • Vanadium: update Chromium base to 85.0.4183.81
  • Vanadium: update Chromium base to 85.0.4183.101
  • Vanadium: remove unused learn more link from Incognito page
  • recovery: reject updates with serialno constraints to match the GrapheneOS Updater app
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): update base kernel to Android 11
  • SetupWizard: update to latest upstream code
  • conscrypt: drop temporary upstream revert of version code which was accidentally kept during a rebase
  • backport fix for USB audio regression from Android 11

Restoration of past features since the 2020.07.06.20 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable intra-object FORTIFY_SOURCE overflow checks

2020.08.07.01

Tags:

  • QQ3A.200805.001.2020.08.07.01 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.08.03.22 release:

  • SELinux policy: fix executing apk libraries as executables for third party applications

2020.08.03.22

Tags:

  • QQ3A.200805.001.2020.08.03.22 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.07.06.20 release:

  • full 2020-08-01 security patch level
  • full 2020-08-05 security patch level
  • rebased onto QQ3A.200805.001 release
  • fix build for Pixel 3 when Pixel 3 XL kernel is not built
  • fix secondary stack hardening when a non-page-size multiple stack size is specified
  • fix picking up previous build date when doing incremental builds
  • Vanadium: update Chromium base to 84.0.4147.89
  • Vanadium: update Chromium base to 84.0.4147.105
  • Vanadium: update Chromium base to 84.0.4147.111
  • Vanadium: remove Chromium logo in chrome://version

Restoration of past features since the 2020.07.06.20 release:

  • kernel (Pixel 4, Pixel 4 XL): read-only data expansion

2020.07.06.20

Tags:

  • QQ3A.200705.002.2020.07.06.20 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.06.22.21 release:

  • full 2020-07-01 security patch level
  • full 2020-07-05 security patch level
  • rebased onto QQ3A.200705.002 release
  • change TrichromeLibrary package name
  • drop MAC randomization preference migration code
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • disable network time refresh when network time is disabled (previous behavior inherited from upstream)
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): make reproducible builds simpler
  • kernel (Pixel 4, Pixel 4 XL): use max ASLR entropy before the init process enables it

Restoration of past features since the 2020.06.22.21 release:

  • kernel (Pixel 4, Pixel 4 XL): enable UNMAP_KERNEL_AT_EL0 Meltdown mitigation (KPTI)
  • kernel (Pixel 4, Pixel 4 XL): enable ARM64_SSBD Spectre v4 mitigation
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable PANIC_ON_OOPS
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): set PANIC_TIMEOUT to -1
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): disable SECURITY_SELINUX_DEVELOP

2020.06.22.21

Tags:

Changes since the 2020.06.02.02 release:

  • SystemUI: handle non-SRGB wallpapers
  • Vanadium: update Chromium base to 83.0.4103.96
  • Vanadium: update Chromium base to 83.0.4103.101
  • Vanadium: update Chromium base to 83.0.4103.106
  • script/generate_metadata.py: add channel name to update channel metadata
  • System Updater: sanity check channel name in update channel metadata
  • System Updater: raise minSdkVersion to 29
  • System Updater: extract care_map.pb rather than care_map.txt
  • System Updater: use a different zip for streaming updates (still an experimental / hidden feature)
  • disable RFC 7217 support (stable link-local IPv6 privacy addresses) and stick to link-local IP addresses based on the (random) MAC addresses
  • SetupWizard: update to latest upstream code
  • SetupWizard: use system captive portal URL, rather than a custom Google URL
  • NetworkStack: ignore captive portal fallbacks when one is set at runtime
  • factory images flash-all script: reboot to bootloader after installing update
  • make_key: use 4096-bit RSA keys
  • script/release.sh: auto-detect AVB algorithm to support 4096-bit RSA keys for verified boot
  • add experimental Pixel 4 and Pixel 4 XL support
  • Auditor: update to version 18

Restoration of past features since the 2020.06.02.02 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back FORTIFY_SOURCE enhancements
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back userspace ASLR improvements

2020.06.02.02

Tags:

Changes since the 2020.05.29.00 release:

  • full 2020-06-01 security patch level
  • full 2020-06-05 security patch level
  • rebased onto QQ3A.200605.002 release
  • Vanadium: update Chromium base to 83.0.4103.83
  • factory images: add fastboot version detection to flash-all.bat on Windows

2020.05.23.12

Tags:

Changes since the 2020.05.05.02 release:

  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use Clang for compiling code for the host too
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add build-tools prebuilts to PATH to reduce external dependencies and avoid potential reproducibility issues
  • add build-tools prebuilts to PATH in the release signing and delta generation scripts to reduce external dependencies and avoid potential reproducibility issues
  • fix upstream bug relying on malloc addresses for sort order of 3 items, causing Bluetooth A2DP audio to fail 2/3 of the time with hardened_malloc when the expected item isn't first
  • use the same datetime for build number and build date
  • always use UTC as the time zone for build dates
  • update GrapheneOS fork of android-prepare-vendor to the collaborative AOSPAlliance fork
  • raise minimum supported API level to 28 from 23, producing a warning for apps targeting API < 28 (the Play Store disallows uploading new apps or app updates targeting API < 28 so this isn't an aggressive warning)
  • Vanadium: update Chromium base to 81.0.4044.138
  • Vanadium: update Chromium base to 83.0.4103.60
  • Vanadium: disable media DRM preprovisioning
  • Vanadium: use most private WebRTC IP handling policy by default
  • set SCHED_BATCH in the kernel build scripts

Restoration of past features since the 2020.05.05.02 release:

  • Settings: allow disabling Vanadium browser app via the Settings UI now that Trichrome (browser, WebView, shared library) has replaced Monochrome (monolithic app) for providing the WebView without having 2 copies of the browser engine

2020.05.05.02

Tags:

Changes since the 2020.04.14.23 release:

  • full 2020-05-01 security patch level
  • full 2020-05-05 security patch level
  • rebased onto QQ2A.200501.001.B3 release
  • Vanadium: update Chromium base to 81.0.4044.111
  • Vanadium: update Chromium base to 81.0.4044.117
  • disable safe volume feature everywhere instead of only the US
  • hardened_malloc: implement slab allocation memory corruption checks for malloc_usable_size
  • set SCHED_BATCH in the build system and release generation scripts instead of the interactive shell
  • use more sensible factory images zip naming scheme
  • Settings: add missing title for top_level_settings to fix showing it as null in search results

Restoration of past features since the 2020.04.14.23 release:

  • Vanadium: use 64-bit Trichrome browser processes

2020.04.14.23

Tags:

Changes since the 2020.04.13.21 release:

  • Settings: adjust wifi_privacy_values to the new values
  • Settings: remove unnecessary workaround for MAC randomization preference
  • Settings: tweak MAC randomization preference wording

2020.04.13.21

Tags:

Changes since the 2020.04.07.10 release:

  • Vanadium: update Chromium base to 81.0.4044.96
  • Vanadium: remove unsupported password leak detection option
  • Vanadium: expand automated string rebranding
  • Vanadium: remove Google prefix from storage settings label
  • reword random MAC options to make them clearer
  • start the final phase of the migration process for random MAC preference values
  • generate manifests for stable releases directly referencing revisions by hash instead of tag name to simplify signature verification for the sources

Restoration of past features since the 2020.04.07.10 release:

  • globally enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): globally enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature
  • Vanadium: enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature

2020.04.07.10

Tags:

Changes since the 2020.03.23.22 release:

  • full 2020-04-01 security patch level
  • full 2020-04-05 security patch level
  • rebased onto QQ2A.200405.005 release
  • Pixel 3a, Pixel 3a XL: fix SystemUI paths in memory pinning configuration
  • only include Updater app when OFFICIAL_BUILD=true is set in the environment to avoid accidental use of the default update server with unofficial builds that are not compatible
  • Vanadium: update Chromium base to 80.0.3987.162
  • PDF Viewer: update to version 3
  • update SELinux policy for officially supported devices based on isolated_app domain split
  • raise protected_fifos / protected_regular from 1 (world-writable directories) to 2 (group-writable directories too)
  • remove use of "Hey Google" as an example feature for battery saver in Settings

2020.03.23.22

Tags:

Changes since the 2020.03.04.16 release:

  • integrate Seedvault backup app as the default backup service
  • integrate SetupWizard app to support restoring with Seedvault and other initial setup
  • Vanadium: disable unused safe browsing feature by default (Safe Browsing is currently a no-op due to the lack of Play services, and support for using the local database backend hasn't been implemented. Various changes would be needed to make it available and to make sure that privacy is preserved.)
  • Vanadium: disable unused Google VR support
  • Vanadium: disable content feed suggestions by default
  • Vanadium: update Chromium base to 80.0.3987.149
  • Settings: fix broken upstream MAC randomization value mapping uncovered by the always randomize option value
  • make_key: use scrypt for key derivation used to encrypt keys
  • add script/encrypt_keys.sh and script/decrypt_keys.sh for handling key encryption
  • improve UX, performance and algorithm support for encrypted keys in script/release.sh and script/generate_delta.sh
  • dexpreopt: disable BOARD_USES_SYSTEM_OTHER_ODEX for mainline devices, which was causing odex files to be unintentionally omitted from the system image for modern devices
  • dexpreopt: use speed filter for boot images and non-prebuilts rather than unintentionally only setting it for prebuilts
  • dexpreopt: disable pre-optimization for apps bundled by android-prepare-vendor to work around unresolved issues with conflicting inlined definitions

2020.03.04.16

Tags:

Changes since the 2020.03.03.03 release:

  • Vanadium: backport upstream fix for Android 10 downloads
  • Vanadium: update Chromium base to 80.0.3987.132
  • Settings: avoid overriding MAC address with random persistent MAC address when viewing MAC address
  • finish porting support for per-connection random MAC rather than using the per-network random address

2020.03.03.03

Tags:

Changes since the 2020.02.07.19 release:

  • full 2020-03-01 security patch level
  • full 2020-03-05 security patch level
  • rebased onto QQ2A.200305.002 release
  • use time.grapheneos.org instead of grapheneos.org for HTTPS-based time updates
  • Vanadium: migrate to Trichrome for unified builds of separate browser and WebView apps with a shared library app
  • Vanadium: use org.grapheneos.vanadium.webview instead of com.android.webview as the WebView package name
  • Vanadium: rename WebView to Vanadium System WebView from Android System WebView
  • Vanadium: update Chromium base to 80.0.3987.99
  • Vanadium: update Chromium base to 80.0.3987.117
  • Vanadium: update Chromium base to 80.0.3987.119
  • SELinux policy: remove base system app apk_data_file execute
  • SELinux policy: remove zygote access to apk_data_file

Restoration of past features since the 2020.02.07.19 release:

  • Vanadium: stop replacing signature from the Vanadium signing key with the OS release key
  • Settings: add back control over camera access while the screen is locked
  • fix MAC randomization after reboot for the always randomize MAC option
  • SELinux policy: split out base system untrusted_app (normal unprivileged apps) and isolated_app (isolatedProcess sandbox) SELinux policy domains for future work
  • SELinux policy: remove base system app execmod
  • SELinux policy: remove base system app execmem
  • SELinux policy: remove base system app execute_no_trans
  • SELinux policy: remove base system app app_data_file execute
  • SELinux policy: remove base system app ashmem execute
  • SELinux policy: remove base system app tmpfs execute
  • SELinux policy: remove zygote execmem
  • SELinux policy: remove system_server_startup domain
  • add LTE only mobile network configuration option

2020.02.07.19

Tags:

Changes since the 2020.02.04.01 release:

  • rebuild crosshatch kernel to correct build environment issue
  • Vanadium (including WebView): update Chromium base to 80.0.3987.87
  • Vanadium (including WebView): drop partially working AImageReader workarounds
  • fully work around bug with AImageReader caught by CFI on 64-bit to fix crashes during video rendering in Vanadium and other Chromium-based browsers

Restoration of past features since the 2020.02.04.01 release:

  • WebView: use Vanadium WebView as provider

2020.02.04.01

Tags:

Changes since the 2019.01.06.21 release:

  • full 2020-02-01 security patch level
  • full 2020-02-05 security patch level
  • rebased onto QQ1A.200205.002 release
  • remove obsolete Email app
  • Vanadium: update Chromium base to 79.0.3945.116
  • WebView: update to 79.0.3945.116
  • Vanadium: update Chromium base to 79.0.3945.136
  • WebView: update to 79.0.3945.136
  • Vanadium: fully disable AImageReader to fix remaining issues with video playback uncovered by CFI on 64-bit
  • Settings: fix MAC randomization setting for other locales by removing incomplete translations

Restoration of past features since the 2019.01.06.21 release:

  • add PIN scrambling feature

2020.01.06.21

Tags:

Changes since the 2019.12.02.23 release:

  • full 2020-01-01 security patch level
  • full 2020-01-05 security patch level
  • rebased onto QQ1A.200105.002 release
  • Vanadium: update Chromium base to 79.0.3945.93
  • Vanadium: disable hiding trivial subdomains
  • WebView: update to 79.0.3945.93
  • add the option to randomize the MAC address for each connection instead of per-network
  • authenticated network time updates via HTTPS

Restoration of past features since the 2019.12.02.23 release:

  • Settings: expose control over USB peripheral denial feature

2019.12.02.23

Tags:

Changes since the 2019.11.05.23 release:

  • full 2019-12-01 security patch level
  • full 2019-12-05 security patch level
  • rebased onto QQ1A.191205.011 release
  • Pixel 3a, Pixel 3a XL: fix userspace hw_random stirring service
  • Vanadium: update Chromium base to 78.0.3904.96
  • WebView: update to 78.0.3904.96
  • Vanadium: update Chromium base to 78.0.3904.108
  • WebView: update to 78.0.3904.108
  • Auditor: update to version 17
  • QuickSearchBox: disable widget
  • QuickSearchBox: disable launcher icon
  • Launcher: rebranding
  • require unlocking to use work tile

2019.11.04.23

Tags:

Changes since the 2019.09.25.00 release:

  • full 2019-11-01 security patch level
  • full 2019-11-05 security patch level
  • rebased onto QP1A.191105.004 release
  • Settings: disable legacy suggestions mode
  • recovery: GrapheneOS branding for fastboot mode
  • Vanadium: update Chromium base to 77.0.3865.116
  • WebView: update to 77.0.3865.116
  • Vanadium: update Chromium base to 78.0.3904.62
  • WebView: update to 78.0.3904.62
  • Vanadium: update Chromium base to 78.0.3904.90
  • WebView: update to 78.0.3904.90
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): mark functions with address taken via assembly (this fixes compatibility with CFI in a build with !CONFIG_MODULES)
  • protect static TLS from stack buffer overflows
  • drop legacy Pixel and Pixel XL support due to absence of any GrapheneOS device maintainers, the end of vendor support and an increasingly large security gap with current generation devices for the hardware, firmware and device / generation specific software

Restoration of past features since the 2019.09.25.00 release:

  • Bluetooth: add alloc_size attribute to OSI allocator
  • protect pthread_internal_t from stack buffer overflows
  • add secondary stack randomization
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): disable dynamic kernel module support (resulting in substantially improved CFI granularity)

2019.10.07.21

Tags:

Changes since the 2019.09.25.00 release:

  • full 2019-10-01 security patch level
  • full 2019-10-05 security patch level
  • full 2019-10-06 security patch level
  • rebased onto QP1A.191005.007.A1 release
  • add changes to support disabling full preloading with exec spawning to the public libcore API
  • add OTHER_SENSORS to the public frameworks/base API
  • Messaging app: fix notifications with a backport
  • Vanadium: switch back to ChromeModern (standalone browser app) from Monochrome (monolithic browser + WebView app, no longer supported for Android 10) until Vanadium is moved to Trichrome (separate browser and WebView apps with a third shared library app)
  • unified kernel tree (kernel/google/crosshatch) for Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL

Restoration of past features since the 2019.09.25.00 release:

  • begin generating / uploading delta updates from the last release to the current release

2019.09.25.00

Tags:

Changes since the 2019.09.23.19 release:

  • update to QP1A.190711.020.C3 bug fix release
  • fix granting Network and Sensors permissions at install time
  • fix wording for Network permission group

2019.09.23.19

Tags:

  • QP1A.190711.020.2019.09.23.19 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.21.18 release:

  • disable enforcing Runtime Resource Overlays for baseline overlays to work around incompatibility with exec spawning
  • enable exec spawning for com.android.phone again

2019.09.21.18

Tags:

  • QP1A.190711.020.2019.09.21.18 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.18.14 release:

  • Settings: use Mainline branding for APEX components
  • Vanadium: update Chromium base to 77.0.3865.92
  • WebView: update to 77.0.3865.92
  • temporarily disable exec spawning for com.android.phone
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, mainline: disable updatable apex for simplicity
  • Pixel 2, Pixel 2 XL: enable increased system.img inode count
  • script: replace networkstack key

2019.09.18.14

Tags:

  • QP1A.190711.020.2019.09.18.14 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.08.25.15 release:

  • full port to Android 10 with some exceptions (listed below)
  • full 2019-08-05 security patch level
  • full 2019-09-01 security patch level
  • full 2019-09-05 security patch level
  • temporarily add back standalone WebView (77.0.3865.73) until Vanadium supports it for Android 10
  • Vanadium: update Chromium base to 76.0.3809.132
  • Vanadium: update Chromium base to 77.0.3865.73
  • System Updater: update targetSdkVersion to 29
  • retrofit dynamic partitions for Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL
  • disable GSI keys
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): temporarily disable slab canary implementation until an issue is narrowed down and addressed
  • kernel (Pixel 3, Pixel 3 XL): temporarily re-enable dynamic kernel module support until an issue is narrowed down and addressed (no dynamic kernel modules are ever actually loaded but something breaks internally with it disabled)
  • add guard page between the stack and the new static TLS region
  • bionic: pthread_internal_t changes have not yet been ported over so that feature is temporarily gone

2019.08.25.15

Tags:

Changes since the 2019.08.05.19 release:

  • add missing privileged permission whitelist for SdkSetup in SDK emulator builds
  • set up Vanadium for other architectures (arm, x86, x86_64)
  • hardened_malloc (GrapheneOS only): remove workaround for use-after-free in the citadel (Titan M) driver's key attestation support since it was fixed upstream
  • hardened_malloc: update libdivide to 2.0
  • Vanadium (browser and WebView): update Chromium base to 76.0.3809.111
  • Vanadium: redirect settings help icon
  • Vanadium: set default search engine to DuckDuckGo
  • apply partial fix for package manager original-package feature
  • PDF Viewer: update to version 2
  • Auditor: update to version 16
  • add Vanadium to the apps that cannot be disabled via Settings (can still be disabled) since the warning isn't enough to deter people from unknowingly breaking apps using the WebView
  • System Updater: add settings entry to manually trigger check for updates
  • System Updater: reschedule update check job on channel change
  • arm, x86 and x86_64 are now supported / tested architectures
  • generic and emulator build targets are now supported / tested for development usage (not suitable for secure production releases)

2019.08.05.19

Tags:

Changes since the 2019.07.16.22 release:

  • full 2019-08-01 security patch level
  • partial 2019-08-05 security patch level (not yet fully available)
  • Vanadium (browser and WebView): update Chromium base to 76.0.3809.89
  • Vanadium: expand string rebranding including covering translations
  • Vanadium: rename Sync and Google services to Services
  • Vanadium: remove data reduction preference
  • Vanadium: remove translate offer preference
  • Vanadium: remove sync preferences
  • Vanadium: remove navigation error preference
  • Vanadium: remove safe browsing reporting preference
  • Vanadium: remove usage and crash reports preference
  • Vanadium: remove url keyed anonymized data preference
  • Vanadium: disable contextual search by default
  • Vanadium: remove redundant services preference category
  • Vanadium (browser and WebView): use a unified Vanadium signing key instead of the device-specific release key
  • rename WebView provider to Vanadium
  • SELinux policy: label protected_{fifos,regular} as proc_security (this is needed for init to override the default values)

2019.07.16.22

Tags:

Changes since the 2019.07.01.21 release:

  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.143
  • Vanadium: disable media router media remoting by default
  • Vanadium: disable media router by default (avoids triggering the warning about not having Play services)
  • Vanadium: remove Help & feedback menu entry
  • Vanadium: further string rebranding from Chromium / Chrome to Vanadium
  • Vanadium: disable unused reporting feature at compile-time
  • Vanadium: disable unused remoting feature at compile-time
  • Vanadium (browser and WebView): move from external/chromium to external/vanadium in the GrapheneOS source tree and rename module from Chromium to Vanadium
  • Vanadium: disable offering translations by default
  • Vanadium: disable prefetching suggested pages by default
  • Vanadium: disable browser sign in feature by default
  • Vanadium: disable safe browsing reporting opt-in by default
  • extend release.sh to call the script for signing factory images
  • extend release.sh to call the script for generating update channel metadata
  • kernel build script (Pixel, Pixel XL, Pixel 3a, Pixel 3a XL): verify that no arguments are passed
  • kernel build script (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): verify that a single argument (device variant) is passed
  • enable kernel mitigations for file spoofing

Restoration of past features since the 2019.07.01.21 release:

  • Vanadium (browser and WebView): enable type-based CFI for virtual calls
  • enable kernel mitigations for link races
  • kernel (Pixel 2, Pixel 2 XL): backport fixes for SLAB_FREELIST_RANDOM
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_RANDOM
  • kernel (Pixel 2, Pixel 2 XL): backport slub dynamic DEBUG_PAGEALLOC setting
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation prefetch fix
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub native double free detection
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_HARDENED
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_LIST
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_SG
  • kernel (Pixel, Pixel XL): reduce DEBUG_SG virt_addr_valid check to a warning (this works around a bug in the legacy QCE driver)
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_NOTIFIERS
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_CREDENTIALS
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SCHED_STACK_END_CHECK
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on !PageSlab && !PageCompound in ksize
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): always perform cache_from_obj consistency checks
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on kmem_cache_free with the wrong cache
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): real slab_equal_or_root check for !MEMCG_KMEM
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add missing cache_from_obj !PageSlab check
  • kernel (Pixel 2, Pixel 2 XL): backport upstreamed FORTIFY_SOURCE implementation
  • kernel (Pixel 2, Pixel 2 XL): backport upstreamed leading zero byte for stack canary
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add simpler page sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add support for verifying page sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add basic full slab sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add support for verifying slab sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add multi-purpose random canaries

2019.07.01.21

Tags:

Changes since the 2019.06.23.05 release:

  • full 2019-07-01 security patch level
  • full 2019-07-05 security patch level
  • rebased onto PQ3A.190705.003/PQ3B.190705.003 releases
  • Auditor: update to version 15

Restoration of past features since the 2019.06.23.05 release:

  • add GrapheneOS PDF Viewer app (version 1)
  • Vanadium: stop ignoring download location prompt setting
  • Vanadium: show download prompt again by default

2019.06.23.05

Tags:

Changes since the 2019.06.14.02 release:

  • hardened_malloc: use copy_size to check for canaries (tiny performance / hardening fix and avoids an erroneous abort in a corner case with realloc from 0 byte allocations)
  • hardened_malloc: update libdivide to 1.1
  • Pixel 3a, Pixel 3a XL: raise maximum users to 16
  • Pixel 3a, Pixel 3a XL: disable system_other odex
  • Pixel 3a, Pixel 3a XL: disable system_other preloads_copy
  • Pixel 3a, Pixel 3a XL: show connected MAC randomization feature
  • Pixel 3a, Pixel 3a XL: move to custom kernel
  • Pixel 3a, Pixel 3a XL: use monolithic kernel builds
  • kernel (Pixel 3a, Pixel 3a XL): disable slab merging
  • kernel (Pixel 3a, Pixel 3a XL): add toggle for disabling newly added USB devices
  • kernel (Pixel 3a, Pixel 3a XL): replace SECURITY_SMACK with SECURITY_NETWORK
  • kernel (Pixel 3a, Pixel 3a XL): mark qcedev data const
  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.101
  • Vanadium: disable sensors access by default
  • Vanadium: disable third party cookies by default
  • Vanadium: disable background sync by default
  • Vanadium (browser and WebView): stub out battery API
  • Vanadium: disable search logo
  • Vanadium: always use local new tab page
  • Vanadium: disable payment support by default

Restoration of past features since the 2019.06.14.02 release:

  • Vanadium: do not enable default search engine notification permission by default

2019.06.14.02

Tags:

Changes since the 2019.06.03.18 release:

  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.67
  • add back brk system call to the seccomp whitelist for compatibility with Go
  • Auditor: update to version 13
  • Auditor: update to version 14
  • Music: backport bug fix for passing CTS
  • System Updater: replace seamlessupdate.app with releases.grapheneos.org alias
  • add initial experimental support for the Pixel 3a and Pixel 3a XL
  • Pixel 2, Pixel 2 XL: set AVB rollback index to security patch timestamp (backport of the implementation for the Pixel 3)

Restoration of past features since the 2019.06.03.18 release:

  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): replace SECURITY_SMACK with SECURITY_NETWORK

2019.06.03.18

Tags:

Changes since the 2019.05.18.20 release:

  • full 2019-06-01 security patch level
  • full 2019-06-05 security patch level
  • rebased onto PQ3A.190605.003 release
  • Auditor: update to version 11
  • Auditor: update to version 12
  • hardened_malloc (GrapheneOS only): further expand workaround for Pixel 3 and Pixel 3 XL camera issues

Restoration of past features since the 2019.05.18.20 release:

  • disable exec spawning when using debugging options
  • enable exec spawning by default
  • enable Verizon visual voicemail support
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): add toggle for disabling newly added USB devices
  • add properties for controlling deny_new_usb
  • implement dynamic deny_new_usb toggle mode
  • set deny_new_usb feature to dynamic by default
  • sepolicy: deny_new_usb sysctl and system property policy

2019.05.18.20

Tags:

Changes since the 2019.05.08.15 release:

  • GrapheneOS logo mask
  • Auditor: update to version 10
  • add preload parameter for avoiding full preload with exec
  • raise maximum users to 16
  • Vanadium (browser and WebView): update Chromium base to 74.0.3729.157
  • hardened_malloc (GrapheneOS only): apply temporary workaround for citadel HAL use-after-free (need to start building vendor HALs from the sources to fix issues like this)

Restoration of past features since the 2019.05.08.15 release:

  • disable OpenGL preloading for exec spawning
  • disable resource preloading for exec spawning
  • disable ICU cache pinning for exec spawning
  • disable class preloading for exec spawning
  • disable WebView reservation for exec spawning
  • disable JCA provider warm up for exec spawning
  • avoid AssetManager errors with exec spawning

2019.05.07.00

Tags:

Changes since the 2019.04.01.19 release:

  • full 2019-05-01 security patch level
  • full 2019-05-05 security patch level
  • rebased onto PQ3A.190505.002 release
  • add Pixel and Pixel XL support including standard changes to kernel and device code
  • Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL: fix hw_random permissions
  • bundle Auditor (version 9)
  • Chromium (browser and WebView): update to 74.0.3729.136
  • Chromium: enable strict site isolation by default
  • Chromium: initial rebranding to Vanadium including icon recolor
  • hardened_malloc: extensive work on refactoring, micro-optimization and documentation (see commits for details)
  • hardened_malloc: implement mallinfo and mallinfo extensions for Android
  • hardened_malloc: implement Android API for requesting purging
  • hardened_malloc: implement the option of large size classes (enabled by default)
  • hardened_malloc: support extended range of small size classes (enabled by default)
  • hardened_malloc: support for slabs with 1 slot for largest sizes
  • hardened_malloc: use round-robin assignment to arenas
  • hardened_malloc: disable current in-place growth code path
  • hardened_malloc: harden arena implementation
  • hardened_malloc: fix non-init size for malloc_object_size extension
  • hardened_malloc: shrink initial region table size to fit in 1 page
  • hardened_malloc (GrapheneOS only): expand workaround for Pixel 3 and Pixel 3 XL camera issues
  • Pixel 3, Pixel 3 XL: change SystemUIGoogle pinning to SystemUI

Restoration of past features since the 2019.04.01.19 release:

  • use -fwrapv when signed overflow checking is off
  • add exec-based spawning support (disabled by default for now)
  • require unlocking to use battery saver quick tile
  • require unlocking to use cellular quick tile
  • require unlocking to use hotspot quick tile
  • require unlocking to use data saver quick tile
  • require unlocking to use rotation lock quick tile
  • require unlocking to use wifi quick tile
  • require unlocking to use airplane mode quick tile
  • require unlocking to use bluetooth quick tile
  • require unlocking to use nfc quick tile
  • add support for kernels without module support enabled to the VTS and compatibility tests
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable slab merging
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable loadable kernel module support
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): mark qcedev data const
  • kernel (Pixel 2, Pixel 2 XL): disable unused ramdisk compression formats
  • SELinux policy: remove priv_app app_data_file execute
  • SELinux policy: remove dumpstate ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
  • SELinux policy: remove healthd ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
  • SELinux policy: auditallow app execmem (moving back towards an exception system)
  • SELinux policy: auditallow app ashmem execute (moving back towards an exception system)
  • SELinux policy: auditallow ephemeral_app app_data_file execute (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all execmod (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all app_data_file execute (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all app_data_file execute_no_trans (moving back towards an exception system)

2019.04.01.19

Tags:

Initial rebranding to GrapheneOS. This was not the initial release of the project but rather when we switched away from the Android Hardening branding used as a temporary placeholder while we chose a new name to replace our prior CopperheadOS branding.

Detailed changelogs were not written at this point.

2019.03.05.03

Tags:

Final and only tagged release branded as the Android Hardening project before it was renamed to GrapheneOS. Earlier AndroidHardening releases were only snapshots and are not listed here. Prior to the AndroidHardening placeholder name, the project was known as CopperheadOS. For more details, see the page on the project's history.

Detailed changelogs were not written at this point.