Releases

About the releases

These releases are available as both tags in the source code repositories and official builds.

The factory images are used for the initial installation and can be verified with signify. See the installation page for details.

GrapheneOS uses automatic over-the-air updates, but full update packages are listed below for uncommon use cases like never connecting the device to the internet. A full update package can upgrade from any past version to the new version. The over-the-air updates use delta update packages when available. Those aren't currently linked below but may be in the future once they're being used more consistently. Update packages are not for performing the initial installation and you should ignore incorrect guides trying to use them to install the OS.

The update packages have an internal signature verified by the update client (or recovery when sideloading). Downgrade attacks are also prevented, and downgrades cannot be done unless a special downgrade update package has been signed with the release key. The internal payload for update_engine is also signed, providing another layer of signature verification and downgrade protection. Verified boot and the hardware-backed keystore also act as a final layer of protection.

Releases are tested by the developers and are then pushed out via the Alpha channel. The release is then pushed out via the Beta channel shortly afterwards. Finally, the release is then pushed out via the Stable channel after being tested by some users using the Beta channel. In some cases, problems are caught during Beta channel testing and a new release is made via the Beta channel to replace the aborted one. In general, it's not possible to downgrade unless a downgrade update package is generated, so use the Stable channel if you cannot tolerate dealing with temporary issues while a new release for the Beta channel is being created.

Release announcements

Releases are announced on this page including via an atom feed, via our @GrapheneOS Twitter account, on the official subreddit, on our discussion forum and in the official GrapheneOS chat room. A release announcement indicates that the source code tags are available and that the official builds will soon be pushed out via the Alpha channel.

Stable channel

Pixel 6a

Version: TP1A.220905.004.A2.2022092300

Pixel 6 Pro

Version: TP1A.220905.004.A1.2022092300

Pixel 6

Version: TP1A.220905.004.A1.2022092300

Pixel 5a

Version: TP1A.220905.004.2022092300

Pixel 5

Version: TP1A.220905.004.2022092300

Pixel 4a (5G)

Version: TP1A.220905.004.2022092300

Pixel 4a

Version: TP1A.220905.004.2022092300

Pixel 4 XL

Version: TP1A.220905.004.2022092300

Pixel 4

Version: TP1A.220905.004.2022092300

Pixel 3a XL (legacy)

Version: SP2A.220505.008.2022090700

Pixel 3a (legacy)

Version: SP2A.220505.008.2022090700

Pixel 3 XL (legacy)

Version: SP1A.210812.016.C2.2022090700

Pixel 3 (legacy)

Version: SP1A.210812.016.C2.2022090700

Beta channel

Pixel 6a

Version: TP1A.220905.004.A2.2022092300

Pixel 6 Pro

Version: TP1A.220905.004.A1.2022092300

Pixel 6

Version: TP1A.220905.004.A1.2022092300

Pixel 5a

Version: TP1A.220905.004.2022092300

Pixel 5

Version: TP1A.220905.004.2022092300

Pixel 4a (5G)

Version: TP1A.220905.004.2022092300

Pixel 4a

Version: TP1A.220905.004.2022092300

Pixel 4 XL

Version: TP1A.220905.004.2022092300

Pixel 4

Version: TP1A.220905.004.2022092300

Pixel 3a XL (legacy)

Version: SP2A.220505.008.2022090700

Pixel 3a (legacy)

Version: SP2A.220505.008.2022090700

Pixel 3 XL (legacy)

Version: SP1A.210812.016.C2.2022090700

Pixel 3 (legacy)

Version: SP1A.210812.016.C2.2022090700

Changelog

List of tagged releases. Snapshot releases without tags such as early releases of the project and early device support releases are not listed.

The changelog is also available as an atom feed usable in any standard feed reader.

The legacy changelog page has the release notes from before the rebranding of the project in 2018 and 2019.

2022092300

Tags:

Changes since the 2022092200 release:

  • Sandboxed Google Play compatibility layer: add back Bluetooth shim unable to be covered by GmsCompatConfig hooks
  • Sandboxed Google Play compatibility layer: redirect privileged settings APIs to partial implementation by GmsCompat app
  • Sandboxed Google Play compatibility layer: stub out PermissionController activity starts
  • Sandboxed Google Play compatibility layer: prevent triggering throttling of silent package updates

2022092200

Tags:

Changes since the 2022092000 release:

  • GmsCompatConfig: set version name based on version code and change app name to a string resource for compatibility with aapt2 retrieval of application-label
  • GmsCompatConfig: fix regressions caused by the port to text file configuration of hooks
  • Sandboxed Google Play compatibility layer: fix regression caused by recent change
  • Sandboxed Google Play compatibility layer: notify about missing battery optimization exception for Play services resulting in delayed push notifications, etc.
  • Settings: show version code, target SDK version, min SDK version, install time and last update time in app info in addition to version name

2022092000

Tags:

Changes since the 2022091400 release:

  • Storage Scopes: deny storage permissions when Storage Scopes is enabled and then permit enabling storage permissions in combination with it for hybrid setups such as permitting access to all images while using storage scopes for other storage permissions
  • Storage Scopes: improve compatibility with apps checking storage permission app ops for themselves by spoofing the results
  • Sandboxed Google Play compatibility layer: skip app restart after permission grant in some cases
  • Sandboxed Google Play compatibility layer: move many compatibility shims to a text file with the possibility of dynamic updates of GmsCompatConfig along with triggering update checks via Apps after a Play services crash
  • Sandboxed Google Play compatibility layer: move away from deprecated PackageManager APIs
  • Sandboxed Google Play compatibility layer: add report to developers button to Google Play crash notifications
  • Sandboxed Google Play compatibility layer: improve compatibility shims to fix some remaining app compatibility issues
  • add GrapheneOS logo to boot animation
  • Contacts: add themed icon support
  • TalkBack (screen reader): update dependencies
  • Vanadium: update Chromium base to 105.0.5195.136
  • Auditor: update to version 58

2022091400

Tags:

Changes since the 2022091300 release:

  • hardened_malloc: disable self-init to fix exploit protection compatibility mode which regressed in the previous release
  • Vanadium: update Chromium base to 105.0.5195.124
  • Vanadium: backport fix for favicon links leak
  • Calculator, Clock, Dialer, Files, Gallery, Messaging, Settings: add themed icon support
  • Launcher: disable white gradient at the top of the home screen
  • Camera: update to version 48

2022091300

Tags:

Changes since the 2022090600 release:

  • rebased onto TP1A.220905.004.A2 release
  • hardened_malloc: increase arm64 class region size to 32GB from 2GB to provide higher entropy random bases and higher memory allocation limits since all supported devices have a 48 bit address space now
  • add missing permission to allow Settings search (SettingsIntelligence) to query all apps
  • update GrapheneOS mask used for boot animation
  • change default build target from aosp_arm to aosp_arm64
  • increase maximum users to 32 across all devices since it has been confirmed the Pixel 4 and later support 64 Weaver slots
  • Launcher: set up themed icon support (caveat: we still need to provide themeable icons for the AOSP apps and several of our own apps)
  • implement Android 13 color picker support
  • kernel (Pixel 6, Pixel 6 Pro): switch to raviole kernel/build tag as the base instead of the previously newer bluejay tag
  • Pixel 6, Pixel 6 Pro: update to mid-September TP1A.220905.004.A2 vendor files for Verizon carrier configuration updates
  • Pixel 6a: update to mid-September TP1A.220905.004.A2 vendor files for multiple improvements including the patch for CVE-2022-20231 in the TEE firmware raising patch level from 2022-09-01 to 2022-09-05 like the other devices
  • Auditor: update to version 56
  • Auditor: update to version 57

2022090600

Tags:

  • TP1A.220624.021.A1.2022090600 (Pixel 6a) — 2022-09-01 patch level until the September AOSP and stock OS release is available for bluejay to provide updated Trusty TEE firmware fixing CVE-2022-20231
  • TP1A.220905.004.2022090600 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022090400 release:

  • full 2022-09-01 security patch level
  • full 2022-09-05 security patch level
  • rebased onto TP1A.220905.004 release
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): update GKI base to ASB-2022-09-05_13-5.10
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): split raviole (Pixel 6, Pixel 6 Pro) and bluejay (Pixel 6a) kernels for now due to AOSP / stock OS differences
  • fix for Bluetooth timeout feature with BLE devices
  • remove conflicting permission from GSF when parsing the package since it appears to be set incorrectly by a build system bug and conflicts with Shannon IMS on 6th generation Pixels and is blocking us upgrading to GSF v33 via our app repository
  • Vanadium: update Chromium base to 105.0.5195.79
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: use stock OS copyright notices for product/system_ext/vendor instead of AOSP-generated ones since AOSP doesn't have modules with the notices for all of them (September 2022 release is the first release including these notices, which is why the Pixel 6a is not included yet)

2022090400

Tags:

Changes since the 2022083000 release:

  • Settings: enable install available apps feature for installing apps in a secondary user profile from the Owner profile
  • System Updater: update target API level to 33
  • System Updater: replace Material library with SettingsLib to match Settings app theme
  • System Updater: add app icon
  • Vanadium: update Chromium base to 105.0.5195.77
  • Auditor: update to version 55
  • Camera: update to version 46
  • Camera: update to version 47

2022083000

Tags:

Changes since the 2022082400 release:

  • add per-app toggle to relax memory corruption exploit protections for an app to allow users to work around buggy apps with latent bugs including many games like Diablo Immortal (uses 39-bit address space and Scudo instead of 48-bit address space and hardened_malloc along with forcing exec spawning for the app since the Zygote is always fully hardened)
  • Sandboxed Google Play compatibility layer: expand existing shims to further improve compatibility
  • improve infrastructure for GrapheneOS package state
  • improve safety of factory images flashing scripts by flashing the SoC firmware to the inactive slot, switching it to active, rebooting to it and then repeating the same thing again to get the current firmware flashed and safely boot tested for both slots (this provides a high level of safety for devices like 6th generation Pixels doing boot chain anti-rollback despite the fact that they neglected to provide firmware handling flashing safely)
  • Pixel 6, Pixel 6 Pro, Pixel 6a: erase DPM partitions in factory images flashing scripts
  • drop unused flash-base.sh from factory images to reduce maintenance burden for our safer flashing procedure
  • System Updater: catch ServiceSpecificException thrown by UpdateEngine.applyPayload(...) in some cases to properly report the error via a notification
  • System Updater: reduce connect/read timeouts from 60s to 30s
  • carriersettings-extractor: fix handling currently mostly unused field (not going to make any difference to users in practice, but may become more relevant in the future)
  • Seedvault: fix apk backups on Android 13
  • Storage Scopes: add support for Android 13 image picker
  • Storage Scopes: add link to storage scopes configuration from launcher recent apps activity for apps with it enabled for convenient configuration of file/directory scopes
  • improve app compatibility with Network toggle for DownloadManager and NsdManager
  • use 1.1.1.1 instead of 8.8.8.8 as the arbitrary IP for MTU detection in CLAT initialization (could be made configurable in the future)
  • Vanadium: update Chromium base to 105.0.5195.68

2022082400

Tags:

Changes since the 2022082301 release:

  • Pixel 6, Pixel 6 Pro, Pixel 6a: rewrite under display fingerprint scanner integration
  • Sandboxed Google Play compatibility layer: don't report spurious DeadSystemRuntimeException exceptions
  • Contacts: stop hiding local storage when a Google account is present in the profile and no contacts are saved locally
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a): add several changes missed in Android 13 port (which is why we didn't push out the last release for them)

2022082301

Tags:

Changes since the 2022082300 release:

  • Seedvault: add missing notification permission
  • pre-grant notification permission to Contacts, Apps, Camera, Auditor and Seedvault
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a): patch CVE-2022-2588 which is not exposed to anything other than the privileged (CAP_NET_ADMIN) netd process, network HALs (Bluetooth, Wi-Fi, cellular, etc.) and network helper services within the OS such as ppp
  • Pixel 6, Pixel 6a, Pixel 6 Pro: fix Wi-Fi HAL configuration to fix Wi-Fi hotspot
  • Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a: fix inclusion of our kernel builds in published manifest

2022082300

Tags:

Changes since the 2022082200 release:

  • add back LTE only mode support for world mode (dual CDMA + GSM networks)
  • ThemePicker: add missing null check for Monet toggle
  • grant notifications permission to System Updater by default for fresh installs

2022082200

Tags:

Changes since the 2022082100 release:

  • pre-grant notifications permission to the Clock app
  • fix automatic notification grants
  • Clock: use correct intent for opening notification settings
  • Clock: protect broadcast receivers including not allowing other apps to snooze or dismiss alarms (upstream problem)
  • Contacts: fix VCF import due by removing obsolete READ_EXTERNAL_STORAGE permission usage
  • Theme Picker: fix our added wallpaper color scheme toggle not showing updated status
  • Sandboxed Google Play compatibility layer: disable Play services promotion of exposure notification feature unless the user grants Location access since this crashes with the default/normal state of Location not being granted to Play services (normal privileged Play services cannot have Location revoked so it doesn't handle this properly across multiple areas and we have multiple compatibility shims for it)

2022082100

This is the initial release of GrapheneOS based on Android 13. All of our features have been ported to Android 13. We've made many improvements as part of porting to Android 13 including improved compatibility for the Google Play compatibility layer.

For a great overview of the new improvements in Android 13, check out the great Android 13 changelog article from esper. We don't document the Android Open Source Project (AOSP) changes in our release notes beyond noting the version upgrades and our changes made in response to AOSP changes.

Tags:

Changes since the 2022081800 release:

  • rebased onto TP1A.220624.021.A1 release
  • full port of all existing GrapheneOS features to Android 13
  • full 2022-08-05 security patch level
  • enable Android 13 location indicator feature by default as a replacement for the earlier location indicators we had enabled (on the stock OS this is an opt-in developer option only shown if a feature flag is enabled)
  • change new location indicators to show all location accesses instead of only showing high power (GNSS) accesses (preserves existing GrapheneOS behavior)
  • change new location indicators to show for all apps instead of only user installed apps (preserves existing GrapheneOS behavior)
  • show system app location access history by default rather than requiring opt-in (preserves existing GrapheneOS behavior)
  • Sandboxed Google Play compatibility layer: add more shims to further improve compatibility
  • fix issue with prototype device check causing the warning to be shown on non-Pixel phones without the ro.boot.secure_boot property
  • add back AvoidAppsInCutoutOverlay since this cutout mode is no longer broken on Android 13
  • fix upstream Android 13 user logout bug causing end session to be broken
  • drop workaround for slow lockscreen animation which is fixed in Android 13
  • drop workaround for SystemUI ANR (App Not Responding) false positives caused by screenshot service in Android 12
  • Vanadium: revert removal of mremap system call from the sandbox allowlist for now since libc is using it internally
  • Dialer: temporarily disable R8 optimization to work around missing annotations / exceptions upstream
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): switch to kernel manifests instead of including the kernel source trees in the OS source tree with submodules for the module repositories
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): switch to AOSP kernel build system
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): use dynamic kernel modules matching AOSP / stock OS instead of using monolithic kernel builds to avoid further issues from driver bugs with monolithic kernel builds (this was a useful feature but maintenance has become too difficult and the advantages of Generic Kernel Images for 6th generation Pixels and beyond outweigh the benefits so this was already phased out for 6th generation devices)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a): temporarily use ThinLTO instead of LTO due to an upstream kernel or toolchain bug we have yet to resolve or work around in a better way

2022081800

This is the final release of GrapheneOS based on Android 12.1. Android 13 was released on August 15th and GrapheneOS is now fully focused on our port to Android 13. We aim to release GrapheneOS based on Android 13 before the end of August. We've fulfilled our commitment to providing extended support releases for the end-of-life 3rd generation Pixels until the next major OS release and all users on those devices should have moved to devices receiving full privacy and security updates such as the highly recommended 6th generation Pixels with at least 5 years of full security support from launch. After we finish porting GrapheneOS to Android 13, we may continue extended support releases for legacy 3rd generation Pixels based on Android 12.1 in a more limited capacity, but we haven't determined how we'll handle it going forward.

Tags:

Changes since the 2022081600 release:

  • Sandboxed Google Play compatibility layer: conditionally stub out LocationManager#requestLocationUpdates() to avoid crashes from not having the Location permission granted (cannot be revoked on stock OS due to stock OS using Play services as a backend) which started happening with the deployment of a Play services change via a feature flag to a subset of users and will likely ramp up soon

2022081600

Tags:

Changes since the 2022080900 release:

  • ship our frameworks/av changes as intended in earlier releases
  • fastbootd: stop displaying serial number since it can already be obtained in fastboot mode and users are prone to leaking this by sharing a photo of the screen in these modes
  • Vanadium: backport using Android 13 SDK and changes to support using Android 13
  • Vanadium: update Chromium base to 104.0.5112.97
  • Vanadium: restore previous launcher icon
  • Pixel 6a: switch to SD2A.220601.004.B2 (July 2022) device sources and vendor files (AOSP / stock OS patch level for Pixel 6a is still 2022-06-01 until Android 13)

2022080900

Tags:

Changes since the 2022080500 release:

  • update displayed patch level since we shipped all the 2022-08-01 patches in the previous release without changing the displayed patch level
  • allow selecting the Download directory via Storage Scopes
  • Sandboxed Google Play compatibility layer: stub out getPrivilegedConfiguredNetworks() to fix sharing Wi-Fi credentials with a WearOS device and other features
  • Sandboxed Google Play compatibility layer: add workaround for another power exemption whitelist use tied to WearOS
  • Sandboxed Google Play compatibility layer: notify the user about GMS crashes
  • Sandboxed Google Play compatibility layer: improved robust / future proofing
  • Sandboxed Google Play compatibility layer: add support for installing Google Chrome via Play Store via the unprivileged package installation API by safely breaking up the multi-package session
  • Sandboxed Google Play compatibility layer: improve compatibility with Nearby Share
  • exec spawning: don't close binder connection when an app crashes to fix debugging features including the crash dialog

2022080500

Tags:

Changes since the 2022080300 release:

  • full 2022-08-01 security patch level (note: displayed patch level will be updated in the next release)
  • partial 2022-08-05 security patch level (full set of fixes aren't public yet due to the August release of AOSP and the stock Pixel OS being delayed)
  • rebased onto SQ3A.220705.004 release
  • improve compatibility of our fix for the upstream step counter/detector privacy issue for API < 29 apps by using our OTHER_SENSORS (Sensors toggle) permission for it

2022080300

Tags:

  • SP1A.210812.016.C2.2022080300 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022080300 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SD2A.220601.004.2022080300 (Pixel 6a) — early release for Pixel 6a with 2022-06-01 patch level which is the latest available until there's a normal AOSP / stock OS release for it on the latest patch level
  • SQ3A.220705.003.A1.2022080300 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022072700 release:

  • overhaul the implementation of multiple features to prepare for the Android 13 migration
  • fix enabling VPN always on and lockdown by default before the first reboot after the VPN is added
  • fix for Bluetooth timeout feature with BLE devices
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-08-05_12-5.10
  • Vanadium: update Chromium base to 104.0.5112.69
  • Camera: update to version 45
  • Auditor: update to version 54

2022073000

Tags:

  • SP1A.210812.016.C2.2022073000 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.006.2022073000 (Pixel 3a, Pixel 3a XL) — extended support release for legacy devices with frozen 2022-06-01 patch level
  • SD2A.220601.004.2022073000 (Pixel 6a) — early release for Pixel 6a with 2022-06-01 patch level which is the latest available until there's a normal AOSP / stock OS release for it on the latest patch level
  • SQ3A.220705.003.A1.2022073000 (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022072700 release:

  • add support for Pixel 6a
  • fix regression caused by spoofing INTERNET permission self checks when the Network toggle is disabled by still reporting connectivity is unavailable as before
  • Auditor: update to version 53
  • Pixel 6, Pixel 6 Pro: add missing google_dock kernel module which we were building but not including in the official builds

2022072700

Tags:

Changes since the 2022072000 release:

  • improve compatibility with apps when the Network toggle is disabled by pretending INTERNET is still granted as a permission for self checks of the permission
  • Sandboxed Google Play compatibility layer: avoid crash in TelephonyManager#getCallState()
  • Sandboxed Google Play compatibility layer: handle updating power allowlist in broadcast PendingIntents
  • reorganize Storage Scopes implementation
  • enforce ACTIVITY_RECOGNITION sensor permission for target API < 29 apps (fixes upstream Android privacy flaw)
  • do not forward notifications from foreground user

2022072000

Tags:

Changes since the 2022071300 release:

  • fix Storage Scopes feature with system gallery app
  • skip triggering permission prompts from apps requesting storage permissions when Scoped Storage is enabled since some apps request permissions even when the system tells the app they have the permissions
  • reduce minimum Night Light color temperature from 2596K to 686K
  • Vanadium: update Chromium base to 103.0.5060.129
  • Auditor: update to version 52
  • Camera: update to version 44

2022071300

Tags:

Changes since the 2022071100 release:

  • do not forward other forwarded notifications between users
  • add learn more link to the GrapheneOS documentation for the Storage Scopes feature
  • Sandboxed Google Play compatibility layer: add a non-user-facing option to allow the Play Store to update itself and Play services
  • Sandboxed Google Play compatibility layer: conditionally stub out TelephonyManager##registerTelephonyCallback to make the Phone permission optional for the device discovery service

2022071100

Tags:

Changes since the 2022070800 release:

  • fix adding access to files with our Storage Scopes feature on devices using the new shared storage implementation (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro)
  • improve permission UI instructing the user to revoke all storage permissions before enabling storage scopes
  • Sandboxed Google Play compatibility layer: unblock Play Store installing Play Store and Play services in order to allow it to fetch additional split APK components
  • Sandboxed Google Play compatibility layer: disable Play Store updates for Play Store and Play services to replace blocking installation as a friendlier approach to preventing it from taking over these updates without the downsides of blocking installation
  • Sandboxed Google Play compatibility layer: disable Play Store attempting to auto-install components like Play Services for AR since the request for approval is an annoyance
  • Settings: do not initialize OBB toggle for non-attachable (privileged) apps

2022070800

Tags:

Changes since the 2022070600 release:

  • add new Storage Scopes feature for granting limited access to shared storage for apps normally requiring granting the storage permission (Files and Media for legacy apps, Media for modern apps), the file management special access permission (All files access) or the media management special access permission where these apps will think they've been granted those permissions but will only have access to specific scopes you've chosen to grant to them, as if they supported granting case-by-case consent through the system file manager themselves (which is not impacted by this feature and you can still grant case-by-case access to any file / directory through it)
  • split out a new toggle for OBB (Opaque Binary Blob) installation (legacy approach to distributing large assets primarily used by games) so that the Play Store and other app stores with asset delivery support can be granted OBB access instead of Media access (or Files and Media for legacy apps)
  • fix upstream Android bug in DeviceIdleJobsController which was preventing battery optimization exceptions from fully working for system apps and resulting in delays in some cases for the Messaging app and other system apps
  • respect user switchability for forwarded notification UI
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-07-05_12-5.10
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a): drop unnecessary NETLABEL feature

2022070600

Tags:

Changes since the 2022063000 release:

  • full 2022-07-01 security patch level
  • full 2022-07-05 security patch level
  • rebased onto SQ3A.220705.003.A1 release
  • Vanadium: update Chromium base to 103.0.5060.71

2022063000

Tags:

Changes since the 2022062200 release:

  • add opt-in support for forwarding notifications to the active user from users in the background with information censored in the same way as on the lockscreen (can be enabled in Settings ➔ System ➔ Multiple users for each user you want to forward their notifications)
  • set correct tile label for our battery share quick tile
  • Vanadium: update Chromium base to 103.0.5060.70
  • Vanadium: disable reporting support (Report-To, report-uri) again
  • Vanadium: add toggle for closing tabs on exit
  • Vanadium: add toggle for opening external links in Incognito by default (does not currently include custom tabs)
  • Vanadium: add toggle for WebRTC IP handling policy so that users can use a less strict value than our default disabling non-proxied (peer-to-peer) WebRTC completely
  • Pixel 3, Pixel 3 XL: switch to SP1A.210812.016.C2 (June 2022) vendor files

2022062200

Tags:

Changes since the 2022061600 release:

  • Vanadium: update Chromium base to 103.0.5060.53
  • implement reverse wireless charging feature for devices supporting it

2022061600

Tags:

Changes since the 2022060701 release:

  • Sandboxed Google Play compatibility layer: make dynamite module loading shims less intrusive
  • Sandboxed Google Play compatibility layer: allow Vanadium to use GMS FIDO2 implementation
  • Vanadium: update Chromium base to 102.0.5005.125
  • Vanadium: enable process isolated sandboxed iframes by default
  • Vanadium: replace global JIT toggle with a site setting with global configuration for the default and per-site overrides
  • Vanadium: disable JIT compiler by default
  • Vanadium: remove mremap from system call whitelist
  • add indicator exemption for OS cell broadcast service which uses location services to determine if alerts should be shown
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL: update end-of-life kernel source tree with backported patches
  • enable always-on VPN and lockdown mode by default when adding a VPN
  • add warning notification about insecure prototype Pixel devices since users are ending up getting prototype phones second hand that were stolen or sold by employees instead of returning / disposing of them (this is of course much more robustly detected by Auditor for users verifying with it)
  • Pixel 4a (5G), Pixel 5, Pixel 5a: update kernel build tools revision

2022060701

Tags:

Changes since the 2022060700 release:

  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: update adevtool state
  • Auditor: update to version 51
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a): temporarily disable slab canary feature added by GrapheneOS due to an upstream commit incompatible with it until we find the underlying upstream bug, which we're now much closer to understanding with this latest case

2022060700

Tags:

Changes since the 2022053100 release:

  • full 2022-06-01 security patch level
  • full 2022-06-05 security patch level
  • rebased onto SQ3A.220605.009.B1 release, which is the third quarterly maintenance/feature release for Android 12
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-06-05_12-5.10
  • Sandboxed Google Play compatibility layer: remove obsolete shims and infrastructure
  • Camera: update to version 42
  • Camera: update to version 43
  • Auditor: update to version 49
  • Auditor: update to version 50
  • SELinux policy: remove unused domain for com.android.vzwomatrigger
  • add indicator exemption for Fused Location Provider which is part of the OS location implementation wrapping the GNSS and Network location providers into a Fused provider using the best available data (GrapheneOS does not have an OS Network Location provider so it just wraps GNSS)
  • remove unused android-prepare-vendor repository from the main branch (kept in legacy device branches)
  • hardened_malloc: remove workarounds for camera service bugs for the Qualcomm SoC generation used by 3rd generation Pixels (kept in legacy device branches)
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a): drop IPv6 privacy address fix now that upstream has backported IPv6 temporary address (RFC4941) support as a replacement which we already did for 5th generation Pixels (implemented in the baseline kernel.org LTS for 6th generation)

2022053100

Tags:

  • SP1A.210812.016.C1.2022053100 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022053100 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022052500 release:

  • extend Network/Sensors permission handling for legacy apps not targeting Android 6 or above (API 23) to resolve a UI issue where the user choosing to grant the Network/Sensors permissions via the legacy permission review interface doesn't appear in the Settings app info page
  • Gallery: use date added as a fallback for sort order when date taken is unset which is particularly important on GrapheneOS due to GrapheneOS Camera and GrapheneOS screenshots not including EXIF timestamps or other sensitive metadata by default
  • Sandboxed Google Play compatibility layer: stub out reads of privileged settings values to avoid security exceptions
  • Sandboxed Google Play compatibility layer: stub out privileged media session management functionality to avoid security exceptions
  • Sandboxed Google Play compatibility layer: simplify implementation of many shims and remove obsolete shims
  • Sandboxed Google Play compatibility layer: simplify implementation of adding the standard unprivileged package permissions as requested permissions for the Play Store
  • Sandboxed Google Play compatibility layer: improve compatibility with Google Search app
  • Contacts: don't prompt to add account when creating a contact
  • Contacts: use common intent for getting directions instead of opening a Google Maps URL
  • Messaging: backport change to allow selecting text inside the selected message
  • fix upstream SMS/MMS database upgrade issue (meant to be shipped in a previous GrapheneOS release)
  • backport fix for unnecessary wake lock in telephony service (meant to be shipped in a previous GrapheneOS release)
  • backport fix for crash in telephony service with null subscription display name (meant to be shipped in a previous GrapheneOS release)
  • Dialer: add missing permission declaration
  • Vanadium: update Chromium base to 102.0.5005.78
  • TalkBack (screen reader): update base code to 12.2 and switch versioning scheme
  • TalkBack (screen reader): update dependencies
  • Camera: update to version 41
  • Auditor: update to version 48
  • Apps: update to version 7

2022052500

Tags:

  • SP1A.210812.016.C1.2022052500 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022052500 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022051100 release:

  • Sandboxed Google Play compatibility layer: improve compatibility with the Nearby Share feature
  • Sandboxed Google Play compatibility layer: add non-privileged approach for bringing apps out of standby to avoid delays for FCM and other features
  • Sandboxed Google Play compatibility layer: extend compatibility layer to support making the Google Search app work as a regular sandboxed app
  • Sandboxed Google Play compatibility layer: generic telephony compatibility improvement
  • Sandboxed Google Play compatibility layer: add support for Play Store in Direct Boot mode
  • add indicator exemption for Default Print Service since the nearby device access is considered location access but it doesn't make sense to show this for a core OS component only using the access internally
  • add toggle for disallowing a user from installing apps from unknown sources which will become increasingly useful as we flesh out our app repository
  • Messaging: fix notification sounds in secondary users (upstream AOSP bug)
  • Vanadium: update Chromium base to 102.0.5005.59
  • Camera: update to version 35
  • Camera: update to version 36
  • Camera: update to version 37
  • Camera: update to version 38
  • Camera: update to version 39
  • Camera: update to version 40
  • Auditor: update to version 46
  • Auditor: update to version 47

2022051100

Tags:

  • SP1A.210812.016.C1.2022051100 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022051100 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022050800 release:

  • Sandboxed Google Play compatibility layer (GmsCompat): further improve location rerouting compatibility
  • Sandboxed Google Play compatibility layer (GmsCompat): add logging to help with debugging issues with location rerouting in the future
  • Vanadium: update Chromium base to 101.0.4951.61
  • improve compatibility with buggy apps trying to use the non-existent OS network location provider when it isn't available and reroute them to the passive provider
  • add hidden setting for sandboxed Google Play compatibility layer developers to bypass blocking the Play Store from updating the Google Play apps
  • Camera: update to version 34

2022050800

Tags:

  • SP1A.210812.016.C1.2022050800 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022050800 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022050700 release:

  • Sandboxed Google Play compatibility layer (GmsCompat): restore compatibility of location rerouting with old versions of the Play services client library
  • Sandboxed Google Play compatibility layer: fix minor background activity UX regression from several releases ago
  • fix adding emergency contacts
  • adevtool: detect outdated Node.js and report an error

2022050700

Tags:

  • SP1A.210812.016.C1.2022050700 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022050700 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022050301 release:

  • Sandboxed Google Play compatibility layer (GmsCompat): significantly improve compatibility of the default enabled geolocation API rerouting feature
  • remove timestamp from screenshot EXIF metadata by default and add a toggle to Settings ➔ Privacy for enabling it
  • work around slow unlock animation
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-05-05_12-5.10
  • Dialer: add fixes for Bluetooth audio call redirection and BLE devices
  • Settings: fix Wi-Fi timeout string issue in Settings search
  • Settings: add missing face unlock strings (used by the Pixel 4 and Pixel 4 XL but the fix is generic)
  • Pixel 6, Pixel 6 Pro: fix Settings string for boosted color mode
  • restore compatibility with non-bash /bin/sh for *nix factory images flashing script (was fixed for the previous release's factory images after the release was initially published)
  • TalkBack (screen reader): update Material library
  • Camera: update to version 31
  • Camera: update to version 32
  • Camera: update to version 33
  • PDF Viewer: update to version 14
  • adevtool (Pixel 4a): drop unused non-flattened APEX from vendor
  • adevtool: improve Android 13 compatibility

2022050301

Tags:

  • SP1A.210812.016.C1.2022050301 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022050301 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022050300 release:

  • add Phone services privacy indicator exemption since the cellular service information it accesses is now considered location information and triggers a spurious location indicator which doesn't make sense for the OS cellular implementation

2022050300

Tags:

  • SP1A.210812.016.C1.2022050300 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SP2A.220505.002.2022050300 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, emulator, generic, other targets)

Changes since the 2022043000 release:

  • full 2022-05-01 security patch level
  • full 2022-05-05 security patch level
  • rebased onto SP2A.220505.002 release
  • Camera: update to version 30
  • adevtool: explicitly use python3 for OTA extraction script instead of python to work around distributions still using the end-of-life python2 as python

2022043000

Tags:

Changes since the 2022042600 release:

  • Sandboxed Google Play compatibility layer (GmsCompat): improve user interface
  • Sandboxed Google Play compatibility layer: improve behavior when Nearby devices permission isn't granted to Play services
  • remove build fingerprint from screenshot EXIF metadata
  • Vanadium: update Chromium base to 101.0.4951.41
  • carriersettings-extractor: reuse protocol buffer definitions from AOSP and improve code quality
  • System Updater: add user-facing Alpha channel for very basic / quick public testing after our internal testing before we release to the Beta channel
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: stop declaring next generation assistant support as an included feature
  • Camera: update to version 25
  • Camera: update to version 26
  • Camera: update to version 28
  • Camera: update to version 29

2022042600

Tags:

Changes since the 2022042000 release:

  • Settings: add support for disabling non-system apps as you can do with system apps instead of only uninstalling them
  • Sandboxed Google Play compatibility layer: fix compatibility with the network location implementation in recent versions of Play services (only relevant for users disabling location redirection toggle and toggling on Play services network location)
  • add missing change for using the GrapheneOS attestation key provisioning proxy
  • backport upstream workaround for hardware-based attestation on devices with a broken implementation of the CREATION_DATETIME feature (disables CREATION_DATETIME on devices without Keymint V1 (100) or later since it was only tested starting with Keymint V1 and is often broken on devices with earlier versions including the Pixel 3 and Pixel 3 XL)
  • Pixel 3, Pixel 3 XL: drop workaround for broken hardware-based attestation now that there's a generic solution backported
  • Messaging: update MMS configuration database to the one from Android Messages messages.android_20220405_01_RC04.phone_dynamic
  • Dialer: update visual voicemail configuration based on Google Phone 79.0.438914483
  • Dialer: switch to default VVM OMTP version for carriers with broken visual voicemail in an attempt to fix it
  • Vanadium: disable fetching optimization guides by default
  • Apps: update to version 6
  • Camera: update to version 22
  • Camera: update to version 23
  • Camera: update to version 24
  • TalkBack (screen reader): dependency updates
  • adevtool: remove more unnecessary components
  • add warning to factory images flashing scripts strongly recommending against modifying the scripts based on misguided unofficial installation guides, along with encouraging using the web installer instead
  • add earlier device model check to factory images flashing scripts on Linux and macOS (Windows support is planned)

2022042000

Tags:

Changes since the 2022041900 release:

  • load CarrierConfig data from standalone file in the /product partition (missed in previous release, which was detected during early Beta testing)

2022041900

Tags:

Changes since the 2022041600 release:

  • Sandboxed Google Play compatibility layer: improve Play Store uninstallation hook to avoid stalling if the user rejects the request
  • Sandboxed Google Play compatibility layer: improve work profile support via new compatibility shims
  • Sandboxed Google Play compatibility layer: fix regression resulting in the FIDO2 service not working without Nearby Devices permission being granted by improving Bluetooth compatibility shims
  • Sandboxed Google Play compatibility layer: fix early initialization issue occurring in some cases for Play services
  • Sandboxed Google Play compatibility layer: overall compatibility improvements via the added compatibility shims
  • Sandboxed Google Play compatibility layer: simplify initialization
  • fix com.android.bluetooth privacy indicator exemption (Bluetooth scanning is considered Location access but the Bluetooth implementation itself shouldn't be listed)
  • Pixel 6, Pixel 6 Pro: cleaner approach for the com.shannon.imsservice privacy indicator exemption by defining a new telephony exemption role (this service locally caches location for emergency calls)
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: switch from the obsolete android-prepare-vendor to the much more modern adevtool resulting in substantial improvements to device support (3rd generation devices will keep using android-prepare-vendor since they're all going to be end-of-life after May and won't be migrated to newer major OS versions)
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: use the default carrier configuration as a base for each configuration to match the behavior of Google's CarrierSettings app, providing various minor improvements and greatly improved GNSS on 6th generation Pixels since Predicted Satellite Data Service (PSDS) for downloading GNSS almanacs was disabled with most carriers
  • Pixel 6, Pixel 6 Pro: use GrapheneOS Predicted Satellite Data Service (PSDS) server by default with a toggle added to Settings to choose the server similar to connectivity checks and attestation key provisioning (can be made into generic code for other Broadcom GPS devices and extended to Qualcomm GPS devices in the future)

2022041300

Tags:

Changes since the 2022041100 release:

  • temporarily enable verbose logging in DeviceIdleController in order to work towards resolving upstream bugs
  • Sandboxed Google Play compatibility layer: resolve DownloadManager incompatibility
  • revert upstream change to fix spellchecking language detection with the AOSP keyboard
  • GrapheneOS Keyboard: fix exception fetching theme resulting in spellchecking issues
  • GrapheneOS Keyboard: remove legacy Holo themes
  • GrapheneOS Keyboard: follow system dark mode setting by default
  • GrapheneOS Keyboard: properly refresh summary
  • Vanadium: update Chromium base to 100.0.4896.88
  • Camera: update to version 19
  • Camera: update to version 20
  • Auditor: update to version 45

2022041100

Tags:

Changes since the 2022040400 release:

  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to ASB-2022-04-05_12-5.10 to start using the latest Android 12 GKI as a base
  • Sandboxed Google Play compatibility layer: add additional compatibility shims to restore compatibility with the latest Google Play Games and to fix other issues
  • Sandboxed Google Play compatibility layer: restart GMS processes when permission gets granted since it has bad handling of being given permissions dynamically
  • Sandboxed Google Play compatibility layer: notify user when GMS needs an extra permission or a companion app
  • Sandboxed Google Play compatibility layer: improve code quality and performance
  • Sandboxed Google Play compatibility layer (GmsCompat): improve user interface
  • Sandboxed Google Play compatibility layer: add sandboxed Google Play link for the work profile
  • backport upstream fixes for MAC randomization (more important for GrapheneOS due to per-connection MAC randomization and other improvements providing proper Wi-Fi anonymity)

2022040400

Tags:

Changes since the 2022033013 release:

  • full 2022-04-01 security patch level
  • full 2022-04-05 security patch level
  • rebased onto SP2A.220405.004 release
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to android12-5.10-2022-03_r1 from android12-5.10-2021-12_r8 for a bunch of upstream and downstream improvements (stock OS still uses android12-5.10-2021-12_r6 and is missing a bunch of important security fixes)
  • Sandboxed Google Play compatibility layer: add additional compatibility shims to improve compatibility with recent Play services
  • Sandboxed Google Play compatibility layer: drop org.grapheneos.pdfviewer from blocked updates list since that app id is no longer being used
  • Sandboxed Google Play compatibility layer (GmsCompat): improve code quality and robustness
  • Sandboxed Google Play compatibility layer (GmsCompat): stop listing having always-on scanning enabled as a potential issue especially since it can be used by other apps
  • Sandboxed Google Play compatibility layer (GmsCompat): prevent infinite loop in location service, which would break location services and result in battery drain
  • Sandboxed Google Play compatibility layer (GmsCompat): fix Google Location Accuracy state check
  • Pixel 3, Pixel 3 XL: remove leftover upstream iorapd testing prop
  • adevtool: fix hang when there are existing files to overwrite
  • fix upstream SMS/MMS database upgrade issue
  • backport fix for unnecessary wake lock in telephony service
  • backport fix for crash in telephony service with null subscription display name
  • backport Wi-Fi APEX module fix to improve robustness when chip reconfiguration fails
  • Settings: improve title/summary for attestation key provisioning server
  • Pixel 3, Pixel 3 XL: fix hardware-based attestation by rolling back an Android 12.1 change for these devices depending on updates to the firmware / device support code since these are end-of-life devices and don't receive those updates so it broke attestation support
  • Camera: update to version 18
  • Vanadium: update Chromium base to 100.0.4896.79
  • TalkBack (screen reader): dependency updates and crash fix
  • Settings: allow sorting applications by size
  • Settings: remove empty security status header
  • Settings: use framework text colors for SwitchBar
  • backport AOSP fix for edit button in screenshot share activity
  • display two rows of max ranked targets for sharesheet
  • fix uneven volume icon padding in status bar
  • remove nav bar background in Quick Settings customizer
  • fix Quick Settings status font weight mismatch in dark mode
  • switch build number style from YYYYMMDDHH to YYYYMMDDCC where CC is a counter starting at 0

2022033013

Tags:

Changes since the 2022032715 release:

  • Sandboxed Google Play compatibility layer: substantially improve dynamite module support
  • use GrapheneOS hardware attestation key provisioning server by default with a toggle added to Settings to choose the server similar to connectivity checks
  • extend eSIM management code with disabling the apps in secondary users due to prior GrapheneOS releases enabling them in all users
  • move early boot eSIM integration code later in an attempt to fix a potential regression
  • Vanadium: update Chromium base to 100.0.4896.58
  • Pixel 6, Pixel 6 Pro: resolve problem generating over-the-air updates which led to us not being able to use incrementals for updates to this release or the previous release

2022032715

Tags:

Changes since the 2022032110 release:

  • ThemePicker: add toggle for using wallpaper-extracted colors as the color scheme (Monet)
  • add toggle for exec-based spawning in Settings ➔ Security
  • GrapheneOS Keyboard: enable spellchecking for Czech and Dutch languages
  • Vanadium: update Chromium base to 99.0.4844.88
  • Camera: update to version 17
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: remove unnecessary configuration/permissions for apps not included in AOSP/GrapheneOS
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: add RCS packages
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: remove AOSP / stock OS configuration pinning the system camera and launcher in memory since it's wasteful
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: stop forcing camera shutter sound on the Japanese hardware SKUs

2022032110

Tags:

Changes since the 2022031103 release:

  • Pixel 6, Pixel 6 Pro: full Pixel 2022-03-05 security patch level (Android 2022-03-05 security patch level was already provided early by GrapheneOS)
  • Pixel 6, Pixel 6 Pro: rebased onto SP2A.220305.013.A3 release
  • kernel (Pixel 6, Pixel 6 Pro): update GKI base to android12-5.10-2021-12_r8 from the android12-5.10-2021-12_r6 version still used by the AOSP / stock Pixel OS March release for a few additional security fixes beyond the ones already backported early by GrapheneOS along with latency improvements under certain heavy real-time loads
  • add eSIM activation support as an optional toggle available when using sandboxed Google Play in the Owner profile (note: regular apps including sandboxed Google Play do not have additional access in the Owner profile)
  • Sandboxed Google Play compatibility layer: expand PhenoTypeFlags workaround to all Play services clients
  • GmsCompat: call startForegroundService from the main thread to avoid potential issues
  • Vanadium: restore new tab page behavior by working around regressions in Chromium 99
  • Vanadium: update certain Chromium dependencies to avoid crashes caused by incompatibilities with Android 12 (will allow for multiple kinds of FIDO2 support via sandboxed Google Play once we extend the sandboxed Google Play compatibility layer to support it or once Play services whitelists Vanadium as a browser allowed to use FIDO2)
  • Vanadium: update Chromium base to 99.0.4844.73
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 5a): temporarily revert disabling SECURITY_SELINUX_DEVELOP to work around upstream AOSP bug in early userspace (Pixel 4a (5G), Pixel 5, Pixel 6 and Pixel 6 Pro had this change made in the previous release since it blocked the over-the-air update path for them despite not blocking it for these devices)
  • kernel (Pixel 6, Pixel 6 Pro): backport CVE-2021-41073 fix (not reachable from apps due to standard AOSP seccomp-bpf allowlist)
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro): backport CVE-2022-25375 fix
  • enable conversations feature flag
  • enable charging ripple feature flag
  • skip screen-on animation
  • Dialer: fix theme colors in dark mode
  • Apps: update to version 5
  • PDF Viewer: update to version 13
  • improve Android 12 PendingIntent security check compatibility due to buggy apps including Chromium targeting API 31+ with outdated Play services client libraries lacking Android 12 support (triggered much more frequently on GrapheneOS due to PendingIntent being used to request runtime permissions on behalf of Play services)
  • fix compatibility of PIN scrambling with physical keyboards
  • Settings: convert PIN scrambling toggle into a switch preference from a list preference
  • improve USB connection icon
  • backport fixes for battery usage history
  • add fix for Monet color generation

2022031103

This release is only being pushed out for the Pixel 6 and Pixel 6 Pro due to lack of changes applicable to other devices.

Tags:

Changes since the 2022030801 release:

  • Pixel 6, Pixel 6 Pro: temporarily exclude our work on eSIM support since the full implementation requires Google services and we're taking a new approach which will result in full eSIM support including activation across all supported devices in the near future as part of sandboxed Google Play (in the long term, it can be supported without using these Google eSIM apps from the stock Pixel OS)

2022030801

Tags:

Pixel 6 and Pixel 6 Pro release is a preliminary March release with the 2022-03-01 security update since there isn't an AOSP or stock OS release for it yet. It also includes several other vulnerability fixes.

Changes since the 2022030501 release:

  • full 2022-03-01 security patch level
  • full 2022-03-05 security patch level (Pixel 6 and Pixel 6 Pro can reach the 2022-03-05 Android patch level but not the 2022-03-05 Pixel patch level until the March AOSP/Android release for them is available, and the upstream release is delayed)
  • rebased onto SP2A.220305.012 release, the initial release of Android 12.1 (Android 12L) which is the second quarterly maintenance/feature release for Android 12
  • disable Monet (color scheme based on wallpaper) by default since AOSP 12.1 has no way to opt-out of the feature or to manually choose colors instead (we'll add a toggle for enabling it later this month and we could also include a color picker before AOSP 13 but likely not this month)
  • kernel (Pixel 6, Pixel 6 Pro): apply downstream fix for CVE-2022-0847
  • kernel (Pixel 5a): re-apply January audio driver security patch which was accidentally dropped upstream for 12L due to it being branched earlier than January and this patch not being applied again as it was for other 5th generation devices (consequence of AOSP having the Pixel 5a kernel unnecessarily separate from the other 5th generation devices instead of merging them a year ago)
  • kernel (Pixel 4a (5G), Pixel 5): fix audio driver build reproducibility issue
  • Sandboxed Google Play compatibility layer: extend, optimize and improve the robustness of the compatiblity shims to improve the compatibility layer in general
  • Sandboxed Google Play compatibility layer: fix regressions in compatibility with the Google Play geolocation service for users choosing to disable redirection to the OS geolocation service in order to use their network location and other features
  • Sandboxed Google Play compatibility layer: prevent Play services from trying to update OS fonts since it requires a privileged permission and the service will crash from the SecurityException
  • make DownloadManager even friendlier to apps with the Network permission revoked by avoiding SecurityExceptions in more cases and giving them errors they know how to handle instead
  • Camera: update to version 14
  • Camera: update to version 15
  • Camera: update to version 16
  • Settings: always show ICCID in SIM status
  • Settings: show hardware SKU
  • Settings (Pixel 6, Pixel 6 Pro): add saturated color mode
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: mark IncFS as being built into the kernel
  • add support code for Pixel 6 and Pixel 6 Pro APEX enablement and under display fingerprint reader to the main branch as preparation for eliminating the device branch
  • SELinux policy: add missing auditallow for base untrusted_app domains
  • SELinux policy: add missing seinfo=base rules
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 6, Pixel 6 Pro): temporarily revert disabling SECURITY_SELINUX_DEVELOP to work around upstream AOSP bug in early userspace

2022030219

Tags:

Changes since the 2022022818 release:

  • Vanadium: update Chromium base to 99.0.4844.48
  • GmsCompat: fix typo
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: disable broken Google Camera sepolicy for now to restore it back to how it previously worked (also fixes Google Photos when Google Camera is installed)

2022022818

Tags:

Changes since the 2022021721 release:

  • include beta release (v4) of GrapheneOS app repository client which is still in early development but now robust enough to be ready for inclusion in the OS and production use
  • Sandboxed Google Play compatibility layer: prevent Play Store from trying to update Auditor, PDF Viewer, Google Services Framework, Google Play services and the Play Store since we'll be updating these via our own app repository client (we'll be regularly updating the mirror of Google Play in our repository once the staged rollouts reach our test devices and it passes basic testing)
  • Auditor: update to version 43
  • Auditor: update to version 44
  • Camera: update to version 13
  • PDF Viewer: update to version 11
  • PDF Viewer: update to version 12
  • Contacts: add support for vCard 4.0
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro: include current eSIM firmware, EuiccPixel and EuiccPixel integration (this improves eSIM support by keeping the eSIM firmware up-to-date but does not provide eSIM activation yet)
  • Sandboxed Google Play compatibility layer: improve code quality / robustness
  • mark Bluetooth service as an extra location package to avoid showing misleading/unhelpful location indicators (Bluetooth scanning is considered location access for apps, but it makes no sense to show it for the Bluetooth implementation itself rather than only actual apps using it)
  • Pixel 6, Pixel 6 Pro: mark Shannon IMS service as an extra location package to avoid showing unhelpful location indicators (it retrieves location information regularly in order to have it ready for an emergency call)

2022021721

Tags:

Changes since the 2022021602 release:

  • Pixel 6, Pixel 6 Pro: rebased onto SQ1D.220205.004 release (2nd February update for 6th generation Pixels with additional security fixes separate from the February security update)
  • Sandboxed Google Play compatibility layer: add shim to stop Play services from trying to use the privileged android.hardware.uwb API to prevent a SecurityException on the Pixel 6 Pro and future devices with the feature
  • Clock: use clock icon for the app icon instead of alarm icon

2022021602

Tags:

Changes since the 2022021415 release:

  • Sandboxed Google Play compatibility layer: add shim for compatibility with on-demand dynamite modules
  • Sandboxed Google Play compatibility layer: update dynamite module compatibility layer for upcoming changes to Play services
  • Sandboxed Google Play compatibility layer: friendlier error for apps without Location permission attempting to use redirected Play services geolocation to match Play services behavior
  • Vanadium: update Chromium base to 98.0.4758.101
  • cancel pending over-the-air update snapshot when flashing factory images via flash-all.sh / flash-all.bat
  • Pixel 6, Pixel 6 Pro: add missing camera shutter sound change from the 2022021314 release

2022021415

Tags:

Changes since the 2022021314 release:

  • GmsCompat: handle edge cases for network location opt-in mode preventing settings menu from loading

2022021314

Tags:

Changes since the 2022020800 release:

  • Sandboxed Google Play compatibility layer: simplify and optimize initialization
  • Sandboxed Google Play compatibility layer: add support for redirecting apps from the Google Play geolocation service to the GrapheneOS geolocation service with a toggle added to the "Sandboxed Google Play settings" configuration menu for disabling redirection to use the Google Play implementation (redirection is enabled by default at first launch unless Play services has been granted the Location permission)
  • GmsCompat: add suggestions to the settings menu
  • fix editing APNs in certain edge cases with certain carriers
  • Pixel 6, Pixel 6 Pro: bind power + volume up key chord to mute like other devices, since long pressing power already opens the power menu
  • stop enforcing camera sound when using a carrier based in India/Japan/Korea since we aren't required to enforce it and is trivially bypassed in multiple ways so it's nothing more than an annoyance
  • Auditor: update to version 42
  • Camera: update to version 12
  • PDF Viewer: update to version 10
  • Calculator: improve app icon
  • Clock: improve app icon
  • Contacts: improve app icon
  • Dialer: improve app icon
  • Files: improve app icon
  • Gallery: improve app icon
  • Messaging: improve app icon
  • Settings: improve app icon

2022020800

Tags:

Changes since the 2022013120 release:

  • full 2022-02-01 security patch level
  • full 2022-02-05 security patch level
  • rebased onto SQ1A.220205.002 and SQ1D.220205.003 release
  • Pixel 3, Pixel 3 XL: switch to SP1A.210812.016.C1 (February 2022) vendor files
  • Vanadium: update Chromium base to 98.0.4758.87
  • Vanadium: enable CFI cast checks
  • change GmsCompat app label from "Sandboxed Google Play" to "GmsCompat" and the activity name to "Sandboxed Google Play settings"
  • add GmsCompat to list of essential system components in Settings
  • Camera: update to version 11
  • restrict granting the special added GrapheneOS runtime permissions (Network, Sensors) on upgrades to system apps (only relevant to Network in practice)
  • add workaround for Microsoft apps detecting that Network is revoked and crashing the app with a runtime exception due to them adding this to a library as a debugging check for development to detect the INTERNET permission not being declared (we've asked them to fix the compatibility issue)
  • do not mark dun APN types as read-only (allows editing more carrier APNs)
  • temporarily suppress SystemUI ANRs due to AOSP 12 screenshot service bug which triggers an ANR in SystemUI by not handling an event some time after taking a screenshot (also occurs on the stock OS and elsewhere, and the main issue is the error message since it's otherwise harmless)
  • disable running clang-tidy as part of regular builds by default since it wastes time and isn't very useful to us
  • kernel (Pixel 6, Pixel 6 Pro): make Wi-Fi driver module build reproducible
  • kernel (Pixel 6, Pixel 6 Pro): make tarball generation reproducible
  • Settings: add package name to app overview page
  • Settings: add GrapheneOS icon
  • Files: add GrapheneOS icon
  • Files: define app category (productivity)
  • Clock: add GrapheneOS icon
  • Clock: define app category (productivity)
  • Contacts: add GrapheneOS icon
  • Contacts: define app category (productivity)
  • Gallery: add GrapheneOS icon
  • Gallery: define app category (image)
  • Messaging: add GrapheneOS icon
  • Messaging: define app category (social)
  • Dialer: add GrapheneOS icon
  • Dialer: define app category (social)
  • Calculator: add GrapheneOS icon
  • Calculator: define app category (productivity)
  • PDF Viewer: update to version 8
  • PDF Viewer: update to version 9

2022013120

Tags:

Changes since the 2022013010 release:

  • Pixel 3, Pixel 3 XL: add GmsCompat app which was meant to be added by the previous release
  • Pixel 6, Pixel 6 Pro: revert accidental enabling of dark mode by default, which we plan to do by default in the future across devices once the Contacts and Messaging apps are updated to support it (you can set your own preference in Settings ➔ Display ➔ Dark theme)

2022013010

Tags:

Changes since the 2022011423 release:

  • make DownloadManager friendlier to apps with the Network permission revoked instead of triggering SecurityException
  • Sandboxed Google Play compatibility layer: revert marking location service as a foreground location service (not necessary)
  • Sandboxed Google Play compatibility layer: add compatibility shims enabling full support for using Play services geolocation
  • Sandboxed Google Play compatibility layer: add GmsCompat app providing infrastructure for the compatibility layer and shortcuts to Google Play configuration activities (will provide a toggle for redirecting the Google Play geolocation API to the OS API in a future release)
  • Sandboxed Google Play compatibility layer: replace converting Google Play services to foreground services with keeping them alive using the GmsCompat app (improves compatibility with apps calling Play services or the Play Store in the background)
  • Dialer: update visual voicemail configuration based on Google Phone 73.0.414822266
  • Messaging: replace obsolete AOSP MMS configuration database with one generated from the stock OS app
  • Vanadium: update Chromium base to 97.0.4692.98
  • Vanadium: use Google Chrome branding for client hints to help with blending in
  • Vanadium: enable HTTPS-only mode by default (can connect via HTTP through the warning screen if HTTPS upgrade fails)
  • Vanadium: enable strict origin isolation by default
  • Vanadium: disable appending variations header
  • Camera: update to version 10
  • Auditor: update to version 41
  • hardened_malloc: code cleanup and micro-optimizations
  • adevtool: initial public release replacing pre-generated vendor trees
  • adevtool: overhaul of GrapheneOS specific configuration

2022011423

Tags:

Changes since the 2022011009 release:

  • Pixel 6, Pixel 6 Pro: Pixel 2022-01-05 patch level (instead of the Android 2022-01-05 patch level and Pixel 2022-01-01 patch level)
  • Pixel 6, Pixel 6 Pro: rebased onto SQ1D.211205.017 release
  • Sandboxed Google Play compatibility layer: add support for Play Asset Delivery and Play Feature Delivery by extending relevant hooks to the Play Store in addition to Play services
  • Sandboxed Google Play compatibility layer: improve getSharedLibraries shim by disabling MATCH_ANY_USER instead of stubbing it out completely (stops the Play Store from filtering out apps with dependencies it thinks are missing)
  • remove g.co/wallpaper link support from wallpaper app which had an incorrect autoVerify="true" property despite not being authorized by g.co
  • Vanadium: update Chromium base to 97.0.4692.87
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport USB security patch for CVE-2021-30313 which was missed upstream
  • adevtool: improve Pixel 6 and Pixel 6 Pro device support scripting

2022011009

Tags:

Changes since the 2022010500 release:

  • remove obsolete AOSP CarrierConfig resources to greatly improve support for many carriers
  • fix handling of MVNOs in CarrierConfig database generation to greatly improve out-of-the-box MVNO support
  • Camera: update to version 9
  • TalkBack (screen reader): update base version to 370044210 and port our changes (other than Play services vision library removal since it now provides useful OCR functionality we need to replace rather than removing)
  • Sandboxed Google Play compatibility layer: extend compatibility layer to Play Games Services (Google Play Games can be installed from the Play Store)
  • Sandboxed Google Play compatibility layer: always allow removing Google account to bypass broken check for whether removal is allowed
  • Sandboxed Google Play compatibility layer: improve account sign in UX by pretending the backup service is inactive so Play services doesn't try to access it
  • Pixel 4a (5G), Pixel 5, Pixel 5a: add SELinux policy to allow the hardware keystore secure confirmation UI
  • Pixel 3, Pixel 3 XL: switch to SP1A.210812.016.A2 vendor files (minor APN update for 1 carrier)

2022010500

Tags:

  • SP1A.210812.015.2022010500 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SQ1A.220105.002.2022010500 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)
  • SQ1D.211205.017.2022010500 (Pixel 6, Pixel 6 Pro) — early release with the full Android 2022-01-05 patch level but only the 2022-01-01 Pixel patch level since the AOSP / stock OS January update for the Pixel 6 and Pixel 6 Pro is happening in late January so the patches specific to them aren't publicly available yet

Changes since the 2021122018 release:

  • full 2022-01-01 security patch level
  • full 2022-01-05 security patch level
  • rebased onto SQ1A.220105.002 release
  • Camera: update to version 8
  • Auditor: update to version 39
  • Auditor: update to version 40
  • Pixel 6, Pixel 6 Pro: add SoC SELinux policy extensions from December release
  • Pixel 6, Pixel 6 Pro: remove support for FIPS disk encryption mode
  • hardened_malloc: minor code cleanups
  • Vanadium: update Chromium base to 97.0.4692.70

2021122018

Tags:

Changes since the 2021121602 release:

  • initial production support for the Pixel 6 and Pixel 6 Pro
  • Auditor: update to version 38
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: erase both apdp partition slots as part of flashing factory images to wipe persistent debugging policy
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: erase both msadp partition slots as part of flashing factory images to wipe persistent debugging policy
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable BUG_ON_DATA_CORRUPTION since it was backported upstream
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): enable legacy Qualcomm PANIC_ON_DATA_CORRUPTION since it hasn't been fully phased out yet
  • Seedvault: temporarily revert change to restore requiring that the profile is unlocked for the hardware keystore key (uncovers an upstream bug)

2021121602

Tags:

  • SP1A.210812.015.2021121602 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SQ1A.211205.008.2021121602 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021121012 release:

  • Vanadium: update Chromium base to 96.0.4664.104
  • skip reporting network connectivity to the OS from apps with the Network (INTERNET) permission revoked to avoid triggering a SecurityException
  • remove special case of throwing SecurityException for socket errors caused by EACCES/EPERM as a debugging aid since it causes compatibility issues when the Network (INTERNET) permission is revoked
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): fix incorrect alloc_size annotation (already fixed in older kernels and no real world impact)

2021121012

Tags:

  • SP1A.210812.015.2021121012 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SQ1A.211205.008.2021121012 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021120717 release:

  • Sandboxed Google Play compatibility layer: mark location service as a foreground location service
  • Vanadium: update Chromium base to 96.0.4664.92
  • TalkBack (screen reader): update dependencies
  • Seedvault: restore requiring that the profile is unlocked for the hardware keystore key
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: add support for increased touch sensitivity option
  • fix overly aggressive fastboot version check in flash-all.bat triggered by version requirement increase in the SQ1A.211205.008 update (was also fixed for the factory images for the last official release)

2021120717

Tags:

  • SP1A.210812.015.2021120717 (Pixel 3, Pixel 3 XL) — extended support release for legacy devices with frozen 2021-11-01 patch level
  • SQ1A.211205.008.2021120717 (Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021112404 release:

  • full 2021-12-01 security patch level
  • full 2021-12-05 security patch level
  • rebased onto SQ1A.211205.008 release, the first quarterly maintenance/feature release for Android 12
  • Sandboxed Google Play compatibility layer: improve robustness of Play Store compatibility layer
  • Camera: update to version 7
  • TalkBack (screen reader): update dependencies
  • avoid per-network randomization mode (AOSP default) being displayed as per-connection randomization mode (GrapheneOS default not available in AOSP) after rebooting despite persisting and working properly (caused by an additional abstraction layer introduced in Android 12)

2021112404

Tags:

Changes since the 2021112123 release:

  • Sandboxed Google Play compatibility layer: add another UserManager shim to fix issue with FCM in secondary user profiles
  • Sandboxed Google Play compatibility layer: mark the compatibility layer's Play Store confirmation notification as ongoing to avoid users dismissing the notification and then being unable to accept or reject the install/update/uninstall action
  • Camera: update to version 6

2021112021

Tags:

Changes since the 2021111414 release:

  • Sandboxed Google Play compatibility layer: expand Play Store compatibility layer to fully support app installation, uninstallation and unattended updates via the standard unprivileged APIs
  • Sandboxed Google Play compatibility layer: expand Play Store compatibility layer to support the Play Store updating itself via the standard unprivileged APIs
  • Settings: clearer wording for the default GrapheneOS per-connection MAC randomization
  • Vanadium: update Chromium base to 96.0.4664.45
  • Auditor: update to version 35
  • Auditor: update to version 36
  • Auditor: update to version 37
  • Camera: update to version 4
  • TalkBack (screen reader): update dependencies and tools

2021111414

Tags:

Changes since the 2021110617 release:

  • Sandboxed Google Play compatibility layer: improve AppOps compatibility layer for long-lived operations via the new startProxyOp/finishProxyOp API which previously had to be mimicked via the existing APIs
  • System Updater: only allow privileged apps including Settings to open the settings activity since other apps like the launcher have no reason to open it
  • android-prepare-vendor carriersettings-extractor: strip out carrier provisioning configuration (OMA device management is not included in GrapheneOS so this references an app that's not present)
  • android-prepare-vendor carriersettings-extractor: always enable the ability to disable 2G
  • android-prepare-vendor carriersettings-extractor: remove unused Google Dialer configuration for Wi-Fi calling
  • android-prepare-vendor: improve Pixel 5a support
  • add CameraX vendor extensions library to compile-time class loader path for GrapheneOS Camera to make dexpreopt usable

2021110617

Tags:

Changes since the 2021110507 release:

  • Camera: update to version 3
  • revert hard-wiring camera gesture handler as a workaround for AOSP 12 bug with the gesture on the lockscreen (only has an impact when multiple camera apps are installed and can be worked around, so we'll just wait for an upstream resolution)
  • Vanadium: add workaround for upstream bug with login when sandboxed Play services is present
  • android-prepare-vendor: overhaul Pixel 4a (5G), Pixel 5 and Pixel 5a support including building more AOSP modules

2021110507

Tags:

Changes since the 2021110122 release:

  • replace AOSP Camera app with next-generation GrapheneOS Camera app
  • set GrapheneOS Camera app as the hard-wired handler for camera gesture, similar to Android 11+ hard-wiring it as the camera media intent handler (should work around AOSP 12 lockscreen camera bugs) — note: this will be undone in a follow-up release before this reaches the Stable channel
  • invalidate icon cache between OS releases instead of only between major Android versions so that system theme/icon changes take effect immediately
  • system theme: switch to a more unique blue Material You color palette based around #1565C0
  • System Updater: adjust colors to match Settings app
  • Vanadium: update Chromium base to 95.0.4638.74

2021110122

Tags:

Changes since the 2021102613 release:

  • full 2021-11-01 security patch level
  • full 2021-11-05 security patch level
  • full 2021-11-06 security patch level
  • rebased onto SP1A.211105.004 release
  • system theme: switch to pure blue Material You color palette as a starting point for a GrapheneOS theme
  • System Updater: drop unused androidx legacy support library
  • System Updater: raise minSdkVersion to 31 (Android 12)
  • System Updater: stop marking settings activity as direct boot aware since it's never used before unlocking
  • System Updater: remove obsolete receiver from manifest
  • android-prepare-vendor: overhaul Pixel 4, Pixel 4 XL and Pixel 4a support including building more AOSP modules

2021102613

Tags:

  • SP1A.210812.015.2021102613 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102503 release:

  • System Updater: split up install progress notification into stages
  • include standard display cutout overlays across all devices
  • temporarily disable broken 'Render apps below cutout area' display cutout developer option to avoid it breaking loading SystemUI on boot
  • temporarily disable user-facing crash reporting for com.android.systemui due to an upstream AOSP 12 bug causing false positive reports of it being frozen (this change didn't end up successfully silencing the false positives so a different approach will be needed)

2021102503

Tags:

  • SP1A.210812.015.2021102503 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102300 release:

  • enable gestural navigation overlay to match default nav mode (fixes navigation bar style after factory reset or provisioning new users)
  • Launcher: temporarily disable new animation feature flags (these appear to be buggy)
  • Clock: roll back to GrapheneOS Android 11 Clock app since the AOSP 12 Clock app is buggy
  • Dialer: revert to prior visual voicemail configuration until the new configuration is properly handled

2021102300

Tags:

  • SP1A.210812.015.2021102300 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102203 release:

  • revert our change enabling the legacy wifi/cellular quick tiles until the upstream code is fixed
  • improve delta generation script
  • Messaging: add built-in battery optimization exception
  • Messaging: fix cellbroadcast package name
  • Messaging: stop using platform certificate
  • Dialer: update visual voicemail configuration for SP1A.210812.015
  • keep PIN scrambling keypad number descriptions in sync with digits
  • update PIN UI appearance for Android 12 in PIN scrambling implementation

2021102203

Tags:

  • SP1A.210812.015.2021102203 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102020 release:

  • Settings: add back reset text change lost in the port to Android 12
  • fix inclusion of up-to-date per-device APN database for Pixels
  • Pixel 4a: fix build system issue causing device specific APN / carrier configuration to be omitted
  • support using the legacy wifi/cellular quick tiles (combined internet quick tile will still be used by default)
  • Dialer: improve swipe to accept/reject calls
  • Dialer: fix issue with USB headset audio routing
  • Dialer: add dark theme and fix issues tied to it
  • improve release signing and delta generation scripts

2021102020

This is the initial production release of GrapheneOS based on Android 12. It's already fully functional and quite stable. Android 12 brings substantial improvements to privacy, security, functionality, performance and aesthetics. GrapheneOS features have been fully ported to Android 12 and also substantially improved as part of the migration process. The release notes below cover the full port of our features to Android 12 as a single entry in the list and improvements beyond porting are listed separately.

Tags:

  • SP1A.210812.015.2021102020 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021100606 release:

  • full port of all existing GrapheneOS features to Android 12
  • full 2021-10-05 security patch level for userspace device support code (kernel already on 2021-10-05)
  • rebased onto SP1A.210812.015 release
  • Sandboxed Google Play compatibility layer: add support for Play services Android 12 releases (Android 11 releases still mostly work but we'll be recommending/mirroring the Android 12 releases)
  • make release signing otacerts.zip generation reproducible
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: target ARMv8.2-DotProd architecture and Cortex-A76 CPU for ART and native code instead of producing generic ARMv8 code
  • use modern rounded corners by default
  • use new privacy indicators for location
  • raise permission usage history from 1 day to 7 days
  • enable permission history for all permission groups
  • use speed compiler filter for dexpreopt by default (converted from build configuration to build system to cover product/vendor/system_ext)
  • temporarily disable user-facing crash reporting for com.android.statementservice (Intent Filter Verification Service) due to an upstream AOSP 12 bug causing an uncaught exception when it tries to send too much data in the intents for jobs it runs via WorkManager
  • Launcher: backport multiple fixes from AOSP master
  • Launcher: enable new app open/close animations
  • Launcher: enable crossfade when changing theme
  • Launcher: enable new keyguard-to-launcher animation
  • Launcher: add Settings to center of default 5x5 dock
  • Launcher: add 2x2 workspace grid option
  • Launcher: reduce app label text size
  • Launcher: fix upstream issue causing missing screenshot button
  • Launcher: add ripple animation to task menu items
  • Launcher: fix all apps header color in dark mode
  • Launcher: fix Personal/Work profile tab colors in All Apps
  • Launcher: improve search bar UI in All Apps
  • SystemUI: change default quick tiles and quick tile order
  • Settings: update screen reader configuration for TalkBack so it shows up as a system screen reader again
  • Settings: add dark mode support for app installation restriction icon
  • SetupWizard: update to latest upstream code
  • SetupWizard: remove mention of pattern unlock in strings
  • System Updater: update to target API level 31 (Android 12)
  • System Updater: use Android 12 foreground service setup
  • Vanadium: update Chromium base to 94.0.4606.80
  • Vanadium: update Chromium base to 94.0.4606.85
  • Vanadium: update Chromium base to 95.0.4638.50
  • Vanadium: temporarily disable dexpreopt for browser and WebView (but not the library) due to lack of support in the Android 12 dexpreopt system
  • Seedvault: update to latest revision
  • TalkBack (screen reader): set app label to TalkBack
  • Auditor: update to version 34

2021100606

Tags:

Changes since the 2021100502 release:

  • backport of the Android 12 GrapheneOS Pixel kernels to Android 11 GrapheneOS including the full 2021-10-05 kernel patch level (full set of fixes for firmware and userspace aren't public yet and will be provided by the upcoming release of Android 12 for Pixels)
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 5, Pixel 5a): rebase onto Android 12 SP1A.210812.016 kernel releases
  • kernel (Pixel 4, Pixel 4 XL, Pixel 5, Pixel 5a): temporarily disable unnecessary DEBUG_NOTIFIERS feature (type-based CFI obsoletes it as a security feature) due to an incompatibility with the updated Android 12 kernel LLVM toolchain (discovered issue is benign but we'll be fixing it in a future release)

2021100502

Tags:

Changes since the 2021100103 release:

  • full 2021-10-01 security patch level
  • partial 2021-10-05 security patch level (full set of fixes aren't public yet and will be provided by the upcoming release of Android 12 for Pixels)
  • rebased onto RQ3A.211001.001 and RD2A.211001.002 releases
  • drop our downstream workaround for use-after-free vulnerability in init now that the issue we reported is fixed upstream

2021100103

Tags:

Changes since the 2021092612 release:

  • Vanadium: update Chromium base to 94.0.4606.71
  • change generated carrier configurations to always allow editing APNs
  • always show APN settings on CDMA carriers
  • automate APN / carrier settings updates

2021092612

Tags:

Changes since the 2021092220 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): apply upstream fix for ION use-after-free vulnerability
  • Vanadium: update Chromium base to 94.0.4606.61
  • android-prepare-vendor: remove a bunch of unused code / functionality
  • android-prepare-vendor: skip all kernel modules

2021092220

Tags:

Changes since the 2021091407 release:

  • Auditor: update to version 32
  • Auditor: update to version 33
  • Vanadium: update Chromium base to 94.0.4606.50
  • TalkBack (screen reader): update SDK and build tools versions
  • clean up build scripts

2021091407

Tags:

Changes since the 2021090819 release:

  • Sandboxed Google Play compatibility layer: stub out DeviceConfig APIs by ignoring device configuration writes instead of throwing a SecurityException
  • Sandboxed Google Play compatibility layer: stub out DropBoxManager API by pretending no crash dumps, logs, etc. are available instead of throwing a SecurityException
  • Sandboxed Google Play compatibility layer: stub out getImei API by pretending IMEI cannot be retrieved instead of throwing a SecurityException
  • Seedvault: add missing permission needed for UserManager restriction security fix in the last release
  • Seedvault: update to latest revision
  • TalkBack (screen reader): update base version to 370044210 and port our changes (Switch Access service has been dropped upstream)
  • Auditor: update to version 30
  • Auditor: update to version 31
  • Vanadium: update Chromium base to 93.0.4577.82

2021090819

Tags:

Changes since the 2021090401 release:

  • full 2021-09-01 security patch level
  • full 2021-09-05 security patch level
  • rebased onto RQ3A.210905.001 and RD2A.210905.003 releases
  • kernel (Pixel 4a (5G), Pixel 5): use device-specific dtbo.img
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: update APNs
  • Pixel 5a: add missing configuration for biometric sensors (fingerprint sensor)
  • Pixel 5a: declare Pixel features are available so that apps with Pixel-specific features will use them
  • Seedvault: respect UserManager restrictions on app installation to avoid providing a way to bypass device management restrictions
  • Seedvault: show experimental restore backup option in backup settings instead of only supporting restore in the initial setup wizard

2021090401

Tags:

Changes since the 2021082501 release:

  • add experimental Pixel 5a support via device support branch
  • Settings: add back past GrapheneOS feature for toggling whether secondary users can install new apps
  • Vanadium: update Chromium base to 92.0.4515.166
  • Vanadium: update Chromium base to 93.0.4577.62
  • Vanadium: hide sign in preference when disallowed
  • Vanadium: disable using Play services as a source for certain Google fonts
  • automatically disable UART debugging when flashing factory images (GrapheneOS already extends the notification about it to production builds)
  • Auditor: update to version 29
  • SetupWizard: properly disable system UI navigation for the entire setup process
  • kernel (Pixel 4a (5G), Pixel 5): drop unnecessary Wi-Fi driver change from our previous downstream security fixes
  • Pixel 4, Pixel 4 XL: enable saturated color option

2021082501

Tags:

  • RQ3A.210805.001.A1.2021082501 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021081822 release:

  • System Updater: move settings into a preference category
  • System Updater: add detailed information to the error messages
  • Auditor: update to version 28
  • Vanadium: move search suggestions toggle to privacy menu
  • Vanadium: remove empty account category and Services menu from the main menu
  • Sandboxed Google Play compatibility layer: add shim to make Play services use the regular cellular geolocation API instead of attempting and failing to use a special API requiring MODIFY_PHONE_STATE to attribute power consumption to the app responsible for the request to Play services
  • Sandboxed Google Play compatibility layer: add shims making Play services use the unprivileged AppOps proxy API instead of attempting and failing to use the privileged APIs for blaming other apps (it can still blame other apps via the proxy API, but the OS treats it as an untrusted claim)
  • Sandboxed Google Play compatibility layer: add shim making Play services use UserManager.hasUserRestriction instead of UserManager.hasBaseUserRestriction to avoid requiring privileged permissions and to return correct answers since it can't bypass device management

2021081822

Tags:

  • RQ3A.210805.001.A1.2021081822 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021081411 release:

  • Vanadium: update Chromium base to 92.0.4515.159
  • Vanadium: improved implementation of not giving the default search engine permissions now that Chromium has support for it
  • System Updater: avoid error messages being truncated by using expandable notifications for them
  • Settings: fix upstream bug preventing setting pictures for user profiles
  • Settings: backport upstream fix for user edit dialog breaking from rotation
  • Settings: add LTE only mode entry when carrier enables world mode too
  • Sandboxed Google Play compatibility layer: fix detection of system processes in secondary users
  • Sandboxed Google Play compatibility layer: handle edge case of packages without data directories

2021081411

Tags:

  • RQ3A.210805.001.A1.2021081411 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.08.09.02 release:

  • remove periods from build number (2nd half of the full version) to improve compatibility with apps wrongly assuming they can parse it as an integer (including Google Camera for Night Sight feature detection)
  • Settings: add 3rd option to connectivity check setting for disabling it (will prevent falling back to other networks from a broken one and handling captive portals)
  • Settings: ignore carrier asking the OS not to show the preferred network setting, similar to how we already ignore being instructed to disallow tethering
  • further fixes for the upstream code implementing the eBPF-based INTERNET permission (fixes cases where it was overly restrictive for secondary users, but we already prevented it from being overly permissive by adding back the simpler pre-eBPF approach as a 2nd layer of enforcement)
  • Sandboxed Google Play compatibility layer: disable shared user id check since it isn't relevant to GrapheneOS and it appears that it may be causing issues

2021.08.09.02

Tags:

  • RQ3A.210805.001.A1.2021.08.09.02 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.08.03.03 release:

  • Sandboxed Google Play compatibility layer: add infrastructure / shims to support dynamite modules (dynamically loaded modules including Maps API support)
  • Vanadium: update Chromium base to 92.0.4515.131
  • Vanadium: disable trials of privacy-aware analytics/advertising APIs
  • Vanadium: remove unwanted sync and services link
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml

2021.08.03.03

Tags:

  • RQ3A.210805.001.A1.2021.08.03.03 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.26.20 release:

  • full 2021-08-01 security patch level
  • full 2021-08-05 security patch level
  • rebased onto RQ3A.210805.001.A1 release
  • kernel (Pixel 4a (5G), Pixel 5): backport implementation of IPv6 temporary addresses (RFC4941) as a replacement for the legacy privacy address implementation, removing the need for our work on mitigating the issues with them (still used for older generation devices)
  • System Updater: use System Updater as the app name
  • System Updater: show when status notifications occurred
  • System Updater: add notification settings shortcut to update settings
  • Sandboxed Google Play compatibility layer: add compatibility shims for secondary user support
  • Sandboxed Google Play compatibility layer: use unified GmsCompat/ prefix for log tags
  • Sandboxed Google Play compatibility layer: add shim for AppOpsManager#startOpNoThrow
  • Sandboxed Google Play compatibility layer: move foreground service notification channel to dedicated Compatibility notification channel group
  • Sandboxed Google Play compatibility layer: add proper description to foreground service notification
  • Sandboxed Google Play compatibility layer: add shortcut for opening the notification channel settings from the foreground service notifications

2021.07.26.20

Tags:

  • RQ3A.210705.001.2021.07.26.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.19.18 release:

  • System Updater: add detailed failure / success notifications. The next release will enable the timestamp to show when it happened. You can turn off the 'Already Updated' notification channel if you don't want those minimum priority notifications with no status icon collapsed at the bottom.
  • Vanadium: update Chromium base to 92.0.4515.105
  • Vanadium: update Chromium base to 92.0.4515.115
  • Vanadium: drop removal of speculative service worker start for search
  • init: fix use-after-free from event handling callbacks (issue uncovered by hardened_malloc in certain situations like unplugging a USB keyboard, etc.)
  • fix PermissionController UI for Sensors/Network permissions with legacy API < 23 apps (i.e. apps without proper support for Android Marshmallow and beyond)
  • Sandboxed Google Play compatibility layer: disable badge for foreground service notification by default
  • Settings: drop support for showing nearby devices from Play since it can't function without Play having any special privileges
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): improve support for hosting servers by enabling SYN cookies for denial of service resistance like newer generation devices
  • hardened_malloc: update libdivide to 5.0.0

2021.07.19.18

Tags:

  • RQ3A.210705.001.2021.07.19.18 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.16.19 release:

  • Settings: fix displaying setting for GrapheneOS USB accessory policy (deny new usb)
  • Settings: hide insecure pattern lock option (either use a randomly generated 6-8 digit PIN for secure encryption based on secure element throttling or a strong randomly generated passphrase to avoid depending on the secure element, not this misguided pattern option with ridiculously low entropy)
  • Sandboxed Google Play compatibility layer: return false for SIM card lock check rather than throwing a SecurityException
  • Sandboxed Google Play compatibility layer: avoid throwing an exception in certain edge cases for secondary users when checking whether the compatibility shims should be enabled for a process (i.e. when checking if the process is one of the 3 core Play apps)
  • Vanadium: update Chromium base to 91.0.4472.164

2021.07.16.19

Tags:

  • RQ3A.210705.001.2021.07.16.19 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.07.19 release:

  • add experimental support for running Play services and friends as sandboxed user-installed apps without any special privileges
  • Settings: use alternate implementation of Wi-Fi auto-turn-off setting matching the Bluetooth auto-turn-off UX
  • overhaul Wi-Fi auto-turn-off implementation including handling the case of Wi-Fi being turned on without connecting to a network
  • add lower auto-reboot timeout options
  • display notification when UART is enabled in the bootloader configuration for user builds too (where it isn't supported by userspace, but still provides firmware and kernel logs) rather than only in userdebug builds
  • Seedvault: update to latest revision
  • Seedvault: switch to GrapheneOS fork with intent access restricted to prevent other apps from spawning the activities
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: set product brand to hardware brand
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: remove aosp_ prefix from product names

2021.07.07.19

Tags:

  • RQ3A.210705.001.2021.07.07.19 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.06.20.20 release:

  • full 2021-07-01 security patch level
  • full 2021-07-05 security patch level
  • rebased onto RQ3A.210705.001 release
  • reimplement Bluetooth auto-turn-off feature to avoid using the Settings app for the implementation (fixes reliability issues)
  • add experimental Wi-Fi auto-turn-off feature based on reimplementation of Bluetooth auto-turn-off (will not kick in when Wi-Fi is turned on without connecting to a network until the next release)
  • System Updater: display progress for the short phase of verifying the update
  • System Updater: reuse the same progress notification for downloading, verifying and installing the update
  • System Updater: only alert once for progress notifications if the user raises the notification importance level
  • System Updater: use foreground service via progress notification
  • Vanadium: update Chromium base to 91.0.4472.120
  • Vanadium: update Chromium base to 91.0.4472.134
  • Seedvault: update to latest revision

2021.06.20.20

Tags:

  • RQ3A.210605.005.2021.06.20.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.06.09.13 release:

  • Vanadium: update Chromium base to 91.0.4472.101
  • Vanadium: update Chromium base to 91.0.4472.114
  • Vanadium: add toggle to Privacy and security settings for disabling JIT compilation and using fully interpreted JavaScript via fast interpreter
  • kernel (Pixel 4a (5G), Pixel 5): fix upstream module load order issues when modules are built into the kernel
  • kernel (Pixel 4a (5G), Pixel 5): build in every module and disable dynamic kernel module support again to restore finer-grained Control Flow Integrity (CFI) and attack surface reduction
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): generate a new privacy address when connecting to a network as a temporary partial workaround for the broken upstream privacy address implementation before Linux 5.8 (the privacy address standard itself was flawed and Linux 5.8+ has an implementation of the fixed standard, which we've suggested that Android backport in our upstream report)
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: declare Pixel features are available so that apps with Pixel-specific features will use them

2021.06.09.13

Tags:

  • RQ3A.210605.005.2021.06.09.13 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.06.08.06 release:

  • re-enable current camera/microphone privacy indicator implementation
  • kernel (Pixel 4a (5G), Pixel 5): use new GNU assembler (gas) prebuilts and drop all other usage of the GNU toolchain since LLVM provides everything else (LLVM assembler is used for userspace, but can't yet handle the Linux kernel)
  • kernel (Pixel 4a (5G), Pixel 5): temporarily move to building and using dynamic kernel modules (same list as AOSP) to work around new issues with monolithic builds until we have time to resolve it to improve CFI granularity again
  • android-prepare-vendor (Pixel 4a (5G), Pixel 5): remove previously unused stock OS kernel modules now that we're temporarily enabling dynamic kernel module support so that only our builds of kernel modules are being used
  • System Updater: add support for custom accent color

2021.06.08.06

Tags:

  • RQ3A.210605.005.2021.06.08.06 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.05.29.09 release:

  • full 2021-06-01 security patch level
  • full 2021-06-05 security patch level
  • rebased onto RQ3A.210605.005 release, initial release of Android 11 QPR3 (Quarterly Platform Release 3)
  • experimental new feature for configuring auto-reboot after N hours of the device being locked to put all logged in user profiles back at rest (i.e. data inaccessible to the OS until logged in again) when the device isn't in your possession
  • kernel (Pixel 4a (5G), Pixel 5): apply fixes for 2 Qualcomm Wi-Fi driver vulnerabilities from CAF missed in the upstream December 2020 security update for Pixels
  • Vanadium: update Chromium base to 91.0.4472.88
  • android-prepare-vendor: fix resuming image downloads due to broken HTTP/2 server semantics
  • Settings: fix hardcoded black text in storage summary
  • remove redundant property for disabling OpenGL preloading
  • update kernel build tools used for Pixel 4a (5G), Pixel 5 and beyond

2021.05.29.09

Tags:

Changes since the 2021.05.19.06 release:

  • prevent DHCP (IPv4) from reusing state across connections to the same network when full MAC randomization is enabled
  • Vanadium: update Chromium base to 91.0.4472.77
  • Vanadium: enable opportunistic HTTPS by default
  • Vanadium: disable mobile identity consistency by default
  • revert our change adding the screenshot button to the power menu for 3-button navigation since it's provided by the recent apps activity for both gesture and 3-button navigation (we originally added it back for both 2-button and 3-button navigation even though it was only needed for 2-button navigation, and then the stock OS implemented the same fix only for 2-button navigation, which makes more sense)

2021.05.19.06

Tags:

Changes since the 2021.05.16.04 release:

  • Settings: remove field referencing the mainline module (APEX) version (also known as the Google Play system update version) since we ship these changes as part of the OS and have out-of-band module updates disabled since we have no use for them
  • remove legacy Calendar widget
  • add toggle for disabling fingerprint unlock while having fingerprints registered for usage in apps (authentication and protecting hardware keystore keys)
  • Auditor: update to version 27

2021.05.16.04

Tags:

Changes since the 2021.05.04.01 release:

  • enable gesture navigation by default (see our guide on system navigation for details on using gesture navigation and switching to a button-based navigation)
  • System Updater: fix minor theme issue for light theme when pressing preferences
  • replace our workaround for an upstream user profile crash issue with a proper upstream fix from Sony
  • replace our workaround for another upstream user profile crash issue with a proper fix based on the approach of the fix from Sony
  • Vanadium: update Chromium base to 90.0.4430.210
  • hardened_malloc: purge memory even if VMA exhaustion causes munmap or MAP_FIXED mmap calls to fail
  • hardened_malloc: increase class region size on x86_64 to 32GiB
  • hardened_malloc: increase class region size on arm64 to 2GiB (should be 32GiB on devices where we've enabled 4-level page tables but that requires setting up build configuration infrastructure)
  • raise vm.max_map_count further to have even more leeway before VMA exhaustion occurs from fine-grained guard regions
  • kernel (Pixel 4a (5G), Pixel 5): fix build reproducibility issue by backporting upstream fix
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): make CONFIG_LOCALVERSION_AUTO ignore Git tags so adding tags doesn't change the result of a build
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): apply fixes for 2 Qualcomm audio driver vulnerabilities from CAF including one missed in the upstream May 2021 security update for Pixels
  • kernel (Pixel 4a): apply fix for use-after-free in GPU driver missed in the upstream security updates for the Pixel 4a
  • switch HTTPS network time URL from / to /generate_204 to allow for a future / redirect

2021.05.04.01

Tags:

Changes since the 2021.04.22.20 release:

  • full 2021-05-01 security patch level
  • full 2021-05-05 security patch level
  • rebased onto RQ2A.210505.003 release
  • enable backup service for non-owner users so that secondary users can be backed up
  • add SetupWizard activities for secondary users including support for restoring backups
  • Settings (Accessibility): add Monochromacy (grayscale) option to color correction
  • improve the newer generation eBPF-based implementation of the INTERNET permission to properly support revoking the permission in secondary profiles (we'll be keeping our restoration of the much simpler non-eBPF-based approach to avoid relying on this on devices using our hardened kernels)
  • Vanadium: update Chromium base to 90.0.4430.91
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: set slot number for eSIM (still need an eSIM activation app since it's one of the remaining missing components from not including Google apps and services)
  • hardened_malloc: use 1 slot for all extended size classes (reduces memory usage and improves security in combination with the guard slab feature)
  • use system theme accent color for fingerprint dialog instead of teal
  • integrate modern Android theme and wallpaper configuration
  • remove legacy WallpaperPicker app
  • System Updater: modernize update settings via androidx preference library (new theme has minor quirks we'll be fixing in the next release)
  • use alternate grapheneos.online domain for connectivity check / captive portal fallback URLs to improve handling of future issues comparable to Quad9 temporarily blocking grapheneos.network due to some kind of false positive
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml

2021.04.22.20

Tags:

  • RQ2A.210405.005.2021.04.22.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.04.16.04 release:

  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): update our change to use max ASLR entropy before the init process enables it for the larger address space enabled by GrapheneOS
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): add back hard-wired check for the INTERNET permission on socket creation at least until the eBPF code is improved and fixed to work properly for secondary profiles
  • Vanadium: disable unused FLOC feature
  • Vanadium: update Chromium base to 90.0.4430.82

2021.04.16.04

Tags:

  • RQ2A.210405.005.2021.04.16.04 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.04.05.20 release:

  • kernel (Pixel 4a (5G), Pixel 5): rebuild with updated techpack/camera submodule
  • add back support for fully disabling native debugging (ptrace) support in Settings ➔ Security
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): enable support for native debugging (ptrace) toggle via Yama
  • Settings: add back extra field with bootloader version
  • Settings: only allow disabling Vanadium WebView library via developer tools since disabling it breaks app compatibility and almost always results in crashes rather than user friendly errors, including for base OS components using it
  • Vanadium: update Chromium base to 90.0.4430.66
  • Vanadium: fully disable autofill assistant
  • Vanadium: disable unused autofill assistant configuration
  • Vanadium: disable speculative service worker start by default
  • Vanadium: disable safety check for Android by default
  • Vanadium: disable new interest feed feature too
  • Vanadium: disable unused password check feature

2021.04.05.20

Tags:

  • RQ2A.210405.005.2021.04.05.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.30.02 release:

  • full 2021-04-01 security patch level
  • full 2021-04-05 security patch level
  • rebased onto RQ2A.210405.005 release
  • SetupWizard: rebrand to GrapheneOS for other languages

2021.03.30.02

Tags:

  • RQ2A.210305.006.2021.03.30.02 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.19.14 release:

  • hardened_malloc: add initial malloc_trim slab quarantine purging to reduce system memory usage from the slab quarantine without sacrificing security
  • Vanadium: update Chromium base to 89.0.4389.105
  • android-prepare-vendor (Pixel 4a (5G), Pixel 5): stop incorrectly treating new vendor_boot partition as a firmware partition and use our own build
  • SetupWizard: update to latest upstream code

2021.03.19.14

Tags:

  • RQ2A.210305.006.2021.03.19.14 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.06.00 release:

  • integrate the latest open source release of TalkBack and Switch Access as first party accessibility services again (a text-to-speech service like RHVoice needs to be installed, configured and enabled to be able to use TalkBack)
  • SELinux policy: add back removing tmpfs execute for all base system app domains
  • SELinux policy: expand exception from ashmem execute restriction to legacy non-base system app domains (was more strict than currently intended since we don't want to break app compatibility)
  • add Bluetooth timeout feature with a security fix applied to the original implementation
  • System Updater: rename title of the management activity launched via Settings
  • set GrapheneOS launcher as a default notification listener on fresh installs so that the default enabled notification integration is permitted by default like the stock OS (existing users still need to manually enable the permission for the built-in launcher)
  • add back removing DUN requirement for tethering
  • add back ignoring tethering provisioning requirement
  • enable app compaction by default
  • enable app freezer by default
  • enable camera/microphone usage indicators by default
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): switch from standard 39-bit address space to 48-bit address space via 4-level page tables
  • Vanadium: update Chromium base to 89.0.4389.86
  • Vanadium: update Chromium base to 89.0.4389.90
  • Vanadium: enable partitioning connections by default
  • hardened_malloc: update libdivide to 4.0.0
  • hardened_malloc: use longer region quarantine random array (256 regions instead of 128)
  • Auditor: update to version 26

2021.03.06.00

Tags:

  • RQ2A.210305.006.2021.03.06.00 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.02.10 release:

  • Vanadium: update Chromium base to 89.0.4389.72
  • Vanadium: enable user agent freeze by default
  • Vanadium: disable building code as dynamic feature modules
  • kernel (Pixel 4a): fix techpack/audio build reproducibility issue
  • backport upstream fix for building on compressed filesystems
  • Calendar: remove launcher icon since the app exists for compatibility / testing
  • Seedvault: update to latest revision

2021.03.02.10

Tags:

  • RQ2A.210305.006.2021.03.02.10 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.26.16 release:

  • full 2021-03-01 security patch level
  • full 2021-03-05 security patch level
  • rebased onto RQ2A.210305.006 release, initial release of Android 11 QPR2 (Quarterly Platform Release 2)
  • Settings (Pixel 4, Pixel 4 XL, Pixel 5): enable refresh rate control
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml
  • Pixel 4a: fix SystemUI memory pinning

2021.02.26.16

Tags:

  • RQ1A.210205.004.2021.02.26.16 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.23.15 release:

  • hardened_malloc: add back workarounds for camera driver bugs on the Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL

2021.02.23.15

Tags:

  • RQ1A.210205.004.2021.02.23.15 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.19.15 release:

  • Camera: set flash mode to off by default (camera flash causes a substantial delay and substantially lower image quality so it generally isn't desirable)
  • system theme: use black for settings background in the dark theme
  • drop legacy code for setting Seedvault as the enabled backup service
  • hardened_malloc: drop workarounds for camera driver bugs on the Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL
  • hardened_malloc: drop workaround for USB audio bug

2021.02.19.15

Tags:

  • RQ1A.210205.004.2021.02.19.15 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.07.17 release:

  • Vanadium: update Chromium base to 88.0.4324.181
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml
  • Auditor: update to version 24
  • Auditor: update to version 25
  • Pixel 4a: set boot security patch level to leverage the YYYY-MM-01 vs. YYYY-MM-05 distinction for attestation
  • Pixel 4a (5G), Pixel 5: complete initial device support including porting hardening features
  • kernel (Pixel 4a (5G), Pixel 5): enable slab canary feature
  • kernel (Pixel 4a (5G), Pixel 5): set correct variable for 32-bit vdso toolchain
  • kernel (Pixel 5): disable unnecessary touch driver
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): use LLVM toolchain for everything other than the assembler
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use LLVM toolchain for everything other than the assembler and target linker
  • kernel (Pixel 4a (5G), Pixel 5): use new kernel build-tools prebuilts repository

2021.02.07.17

Tags:

  • RQ1A.210205.004.2021.02.07.17 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.06.05 release:

  • fix added error reporting code for HTTPS-based network time updates
  • Seedvault: update to latest revision

2021.02.06.05

Tags:

  • RQ1A.210205.004.2021.02.06.05 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.02.09 release:

  • Vanadium: update Chromium base to 88.0.4324.152
  • rework the GrapheneOS HTTPS-based network time updates to enforce certificate expiry based on the OS build date for the whole certificate chain to avoid failing to fix significant time sync issues while still having a reasonable expiry check

2021.02.02.09

Tags:

Changes since the 2021.01.23.03 release:

  • full 2021-02-01 security patch level
  • full 2021-02-05 security patch level
  • rebased onto RQ1A.210205.004 release
  • Vanadium: update Chromium base to 88.0.4324.141
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): make more data read-only per newer device kernels

2021.01.23.03

Tags:

Changes since the 2021.01.05.03 release:

  • system theme: use slightly different accent color for the dark theme
  • Dialer: add carrier-specific visual voicemail configurations
  • Vanadium: update Chromium base to 87.0.4280.141
  • Vanadium: update Chromium base to 88.0.4324.93
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): use UTC for kernel timestamp to make reproducible builds easier
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): update toolchain's toybox prebuilt for various fixes including fixing an issue with the date command causing a build reproducibility issue
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): apply upstream patch avoiding truncation of kernel debug symbol names generated when using Clang type-based CFI
  • adjust kernel configuration tests to permit disabling dynamic kernel modules for new kernel variants
  • fix dark theme issue with Settings app search panel
  • Camera2: backport fix for interaction with lockscreen
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: update APNs with carriersettings-extractor
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: add CarrierConfig vendor.xml from the stock OS with entries depending on Google and carrier apps stripped out

2021.01.05.03

Tags:

Changes since the 2020.12.12.03 release:

  • full 2021-01-01 security patch level
  • full 2021-01-05 security patch level
  • rebased onto RQ1A.210105.003 release
  • Settings: update GrapheneOS connectivity check URLs to match NetworkStack
  • Camera: remove unused Wi-Fi state permissions
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: update APNs with carriersettings-extractor
  • adjust kernel configuration tests to permit not having BPF_JIT since we don't have it enabled
  • add check for empty TTS engine name to address upstream bug
  • Vanadium: enable split cache by default
  • Vanadium: add back legacy media file access support for now
  • Vanadium: rename WebView and library apps based on the vanadium.app domain
  • Seedvault: update to latest revision
  • remove unnecessary vendor overlays
  • SetupWizard: change OS name to GrapheneOS for backup activity strings again
  • fix use-after-free in adbd authentication which was breaking support for persistently trusting keys due to zero-on-free
  • system theme: use blue accent color
  • replace default AOSP wallpaper with a solid black wallpaper — may get a bit fancier in the near future
  • update round icon mask
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: always use dark theme for boot chain firmware
  • Pixel 3a, Pixel 3a XL: disable unused dynamic kernel module support to match other devices
  • System Updater: disconnect keepalive connection when service is done

2020.12.12.03

Tags:

Changes since the 2020.12.08.08 release:

  • Vanadium: disable WebView variations support
  • SetupWizard: update to latest upstream code
  • NetworkStack: switch to grapheneos.network for connectivity checks to improve compatibility with captive portals lacking support for the built-in login interface (HSTS preloading for grapheneos.org breaks the fallback browser login notification)

2020.12.08.08

Tags:

Changes since the 2020.11.27.15 release:

  • full 2020-12-01 security patch level
  • full 2020-12-05 security patch level
  • rebased onto RQ1A.201205.010 release
  • script: support any number of source versions for deltas
  • set read timeout for HTTPS network time connections
  • disable keepalive for HTTPS network time connections
  • always disconnect HTTPS network time connections
  • remove unnecessary Accept-Charset header for HTTPS network time requests
  • Vanadium: ask permission to play protected media by default
  • Vanadium: disable autofill server communication by default
  • Vanadium: update Chromium base to 87.0.4280.86
  • Vanadium: update Chromium base to 87.0.4280.101
  • Settings: remove partial MAC randomization translations
  • Auditor: update to version 23
  • downstream fix for VPN lockdown being overridden when stopping users replaced by upstream fix

2020.11.27.15

Tags:

Changes since the 2020.11.25.22 release:

  • Vanadium: disable autofill assistant by default (restores previous Vanadium behavior)
  • Vanadium: backport upstream fix for missing manifest changes (this fixes issues with opening URLs in external apps)
  • Vanadium: disable component updater pings by default
  • Settings: disallow configuring connectivity checks for users disallowed to configure Private DNS by the administrator (in theory, it could be a separate option, but we need to use one that's already part of the public API)

2020.11.25.22 preview

Tags:

Changes since the 2020.11.05.18 release:

  • PDF Viewer: update to version 6
  • NFC: backport compatibility fix for certain broken apps from AOSP master
  • Bluetooth: backport fix for Bluetooth capacity string
  • Vanadium: update Chromium base to 86.0.4240.198
  • Vanadium: update Chromium base to 87.0.4280.66
  • Vanadium: disable new high-level functionality for fetching variations
  • Vanadium: disable unused Omaha update check support
  • Vanadium: disable GaiaAuthFetcher code due to upstream bug
  • Vanadium: disable deprecated FTP support by default
  • Pixel 4 XL: correctly mark certain unsupported features as unavailable per the Pixel 4
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: use device-specific NFC configuration
  • add initial runtime flags handling for exec-based spawning to improve compatibility
  • Pixel 3, Pixel 3 XL, Pixel 4, Pixel 4 XL, Pixel 4a: disable chained vbmeta to simplify verified boot and improve attestation (Pixel 3a and Pixel 3a XL never used this)
  • Seedvault: update to latest revision
  • NetworkStack: remove change to connectivity check handling that's no longer required with Android 11
  • use GrapheneOS connectivity check server by default for connectivity checks in the OS
  • Settings: add setting to toggle between GrapheneOS connectivity check server and the standard Android connectivity check URLs to continue supporting blending in with other Android devices without a VPN
  • System Updater: remove unused READ_PHONE_STATE permission

2020.11.05.18

While waiting for this release to become available, you can manually add a battery optimization exemption for the Clock app via Settings ➔ Apps & notifications ➔ Special app access ➔ Battery optimization where you can select "All apps", scroll down to the Clock app and manually add an exemption. Should get this added upstream.

Tags:

Changes since the 2020.11.03.03 release:

  • Clock: add battery optimization exemption required for the new target API level (this is missing in AOSP)

2020.11.03.03

Pixel 2 and Pixel 2 XL support will now be provided via separate extended support releases for obsolete devices. We'll be making the first one based on an official release in the near future. They can only reach the 2020-11-01 security patch this month due to the lack of a release with changes outside the scope of AOSP such as new GPU firmware.

Tags:

Changes since the 2020.10.23.04 release:

  • full 2020-11-01 security patch level
  • full 2020-11-05 security patch level
  • rebased onto RP1A.201105.002 release
  • Vanadium: update Chromium base to 86.0.4240.110
  • Vanadium: update Chromium base to 86.0.4240.114
  • Vanadium: update Chromium base to 86.0.4240.185
  • Vanadium: enable prefetch privacy changes by default
  • Vanadium: enable reduced referrer granularity by default
  • Camera: request fine location instead of coarse location for the disabled-by-default geotagging feature
  • Camera: remove unused INTERNET permission
  • Clock: apply assorted fixes from upstream
  • add explicit detection of fastboot being missing to the factory images flash-all scripts
  • Gallery: apply upstream fix from NXP for null pointer dereference bug
  • Auditor: update to version 22
  • script: make generate_deltas ask for the password only once
  • enable screenshot action for 3 button nav too (the upstream release limited it to being enabled for 2 button navigation)

2020.10.23.04

Tags:

Changes since the 2020.10.06.02 release:

  • Vanadium: update Chromium base to 86.0.4240.75
  • Vanadium: update Chromium base to 86.0.4240.99
  • Vanadium: remove deprecated, unused storage permissions
  • replace standard WebView with Vanadium WebView again
  • Pixel 4, Pixel 4 XL: disable unsupported aware feature so that ambient display is available
  • Seedvault: switch to upstream development branch now that it supports Android 11
  • SELinux policy: port hardening from Android 10
  • hardened_malloc: log fatal errors (detected memory corruption bugs) to Android's log system
  • fix minor issues with Android 11 port of Wi-Fi and Bluetooth quick tile unlock requirement
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): apply Bluetooth fixes from the stable kernel branch including fixes for CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490
  • improve experimental support for the Pixel 4a including porting most device-specific changes implemented for other devices

2020.10.06.02

Tags:

Changes since the 2020.10.01.23 release:

  • full 2020-10-01 security patch level
  • full 2020-10-05 security patch level
  • rebased onto RP1A.201005.006 release
  • hardened_malloc: optimize and harden initialization sanity checks
  • work around upstream bug causing null pointer crashes from media notifications in secondary profiles
  • enable secondary user logout support by default (purges credential encrypted storage keys from memory)
  • add back screenshot action to global action list as an alternative to the key chord (power button + volume down) and screenshot button in the gesture navigation recent apps list
  • reject received unix timestamps before build unix time for HTTPS-based network time implementation
  • Clock: apply fixes for various upstream issues
  • System Updater: harden PendingIntent usage

2020.10.01.23

Tags:

Changes since the 2020.09.29.20 release:

  • Pixel 4 (non-XL): stop overriding default Bluetooth toggle to disable it by default like other devices
  • use otatools.zip for generating delta updates
  • Settings: fix integration of LTE only mode option to preferred network setting
  • Auditor: update to version 21

2020.09.29.20

Tags:

Changes since the 2020.09.25.00 release:

  • add overlay to show 2 button navigation option in Settings again
  • Calculator: gesture compatibility fix
  • Auditor: update to version 20
  • WebView: update to 85.0.4183.120
  • WebView: update to 85.0.4183.127
  • Vanadium: update Chromium base to 85.0.4183.127
  • fix syncing time for the port of our HTTPS-based network time update implementation to Android 11
  • stop using dedicated keys for signing OsuLogin and ServiceWifiResources rather than simply using the regular testkey/releasekey

2020.09.25.00

Tags:

Changes since the 2020.09.18.13 release:

  • fix Wi-Fi MAC randomization settings for translations that were missing our added option
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: add missing configuration for biometric sensors in Android 11
  • fix upstream bug in the NFC quick settings tile for Android 11 breaking it after reboot
  • fix NFC quick settings tile icon handling for Android 11
  • Settings: fix upstream NFC preference so that it listens for changes and can see it being toggled via the NFC tile
  • Vanadium: update Chromium base to 85.0.4183.120
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • add back SetupWizard
  • Settings: fix launching WifiSettings

We're no longer going to be listing out restored past features in a separate section for the release notes.

2020.09.18.13 preview

Tags:

Changes since the 2020.09.11.14 release:

  • initial port to Android 11 with most GrapheneOS changes ported over (missing most SELinux policy hardening, some Pixel 4 / 4 XL kernel side channel mitigations, finer-grained Pixel 4 kernel Control Flow Integrity and the setup wizard)
  • full 2020-09-05 security patch level
  • temporarily use stock WebView until the next release of Chromium is available with public support for Android 11 to provide the WebView via Vanadium again
  • fix VPN lockdown setting getting overridden on user stop
  • SELinux policy: disable gmscore_app domain
  • SELinux policy: use dedicated SELinux domain for Updater app based on the modern untrusted_app domain
  • stop disabling support for stable local privacy addresses since Android 11 handles it better by only using it when MAC randomization is disabled
  • update to a new version of Seedvault for Android 11
  • build and use otatools.zip for signing releases instead of an ad-hoc approach
  • Auditor: update to version 19
  • System Updater: update targetSdkVersion to 30
  • disable Scudo on 64-bit since we use the substantially more secure hardened_malloc
  • fully replace jemalloc with Scudo on 32-bit
  • hardened_malloc: improve stats implementation

Installations made before this project was renamed to GrapheneOS and before the first official release of the Android Hardening project will be forced to factory reset as part of this upgrade, due to lack of backwards compatibility with the unaltered AOSP encryption format.

2020.09.11.14

Tags:

  • QQ3A.200805.001.2020.09.11.14 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Testing the Android 11 kernels was useful, but we weren't able to ship the previous release due to issues uncovered during testing. The Android 11 kernels have minor backwards incompatible changes in the drivers for at least a subset of the devices so we'll need to ship them with the rest of the changes. Thanks to our testers for helping us with this. This will be the new final Android 10 release, assuming no further problems are uncovered during testing.

Changes since the 2020.09.10.05 release:

  • revert to using the Android 10 kernels on the devices that were switched over early due to backwards incompatible changes in some drivers

2020.09.10.05 preview

Tags:

  • QQ3A.200805.001.2020.09.10.05 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

This should be the final GrapheneOS release based on Android 10. It ships the device-independent monthly security patches and migrates over to using the Android 11 branch of the GrapheneOS kernels for most devices, which brings all the upstream kernel hardening in Android 11 along with the full September kernel updates. The remaining patches for the full 2020-09-05 patch level require finishing the migration to Android 11 in order to ship the September update for the other device support code. It's possible we could ship some of this early, but instead we're going to be focusing on finishing the enormous task of migrating to Android 11. Further help with bringing up support for the devices with Android 11 and porting over each of the GrapheneOS hardening features to it would be greatly appreciated. Donations are also extremely helpful. GrapheneOS has brought on another full time developer using donated funds and there are 3 part time developers helping with Android 11.

Changes since the 2020.08.07.01 release:

  • full 2020-09-01 security patch level
  • partial 2020-09-05 security patch level (missing userspace device support changes until port to Android 11 is finished)
  • Vanadium: update Chromium base to 84.0.4147.125
  • Vanadium: update Chromium base to 85.0.4183.81
  • Vanadium: update Chromium base to 85.0.4183.101
  • Vanadium: remove unused learn more link from Incognito page
  • recovery: reject updates with serialno constraints to match the GrapheneOS Updater app
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): update base kernel to Android 11
  • SetupWizard: update to latest upstream code
  • conscrypt: drop temporary upstream revert of version code which was accidentally kept during a rebase
  • backport fix for USB audio regression from Android 11

Restoration of past features since the 2020.07.06.20 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable intra-object FORTIFY_SOURCE overflow checks

2020.08.07.01

Tags:

  • QQ3A.200805.001.2020.08.07.01 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.08.03.22 release:

  • SELinux policy: fix executing apk libraries as executables for third party applications

2020.08.03.22

Tags:

  • QQ3A.200805.001.2020.08.03.22 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.07.06.20 release:

  • full 2020-08-01 security patch level
  • full 2020-08-05 security patch level
  • rebased onto QQ3A.200805.001 release
  • fix build for Pixel 3 when Pixel 3 XL kernel is not built
  • fix secondary stack hardening when a non-page-size multiple stack size is specified
  • fix picking up previous build date when doing incremental builds
  • Vanadium: update Chromium base to 84.0.4147.89
  • Vanadium: update Chromium base to 84.0.4147.105
  • Vanadium: update Chromium base to 84.0.4147.111
  • Vanadium: remove Chromium logo in chrome://version

Restoration of past features since the 2020.07.06.20 release:

  • kernel (Pixel 4, Pixel 4 XL): read-only data expansion

2020.07.06.20

Tags:

  • QQ3A.200705.002.2020.07.06.20 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.06.22.21 release:

  • full 2020-07-01 security patch level
  • full 2020-07-05 security patch level
  • rebased onto QQ3A.200705.002 release
  • change TrichromeLibrary package name
  • drop MAC randomization preference migration code
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • disable network time refresh when network time is disabled (previous behavior inherited from upstream)
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): make reproducible builds simpler
  • kernel (Pixel 4, Pixel 4 XL): use max ASLR entropy before the init process enables it

Restoration of past features since the 2020.06.22.21 release:

  • kernel (Pixel 4, Pixel 4 XL): enable UNMAP_KERNEL_AT_EL0 Meltdown mitigation (KPTI)
  • kernel (Pixel 4, Pixel 4 XL): enable ARM64_SSBD Spectre v4 mitigation
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable PANIC_ON_OOPS
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): set PANIC_TIMEOUT to -1
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): disable SECURITY_SELINUX_DEVELOP

2020.06.22.21

Tags:

Changes since the 2020.06.02.02 release:

  • SystemUI: handle non-SRGB wallpapers
  • Vanadium: update Chromium base to 83.0.4103.96
  • Vanadium: update Chromium base to 83.0.4103.101
  • Vanadium: update Chromium base to 83.0.4103.106
  • script/generate_metadata.py: add channel name to update channel metadata
  • System Updater: sanity check channel name in update channel metadata
  • System Updater: raise minSdkVersion to 29
  • System Updater: extract care_map.pb rather than care_map.txt
  • System Updater: use a different zip for streaming updates (still an experimental / hidden feature)
  • disable RFC 7217 support (stable link-local IPv6 privacy addresses) and stick to link-local IP addresses based on the (random) MAC addresses
  • SetupWizard: update to latest upstream code
  • SetupWizard: use system captive portal URL, rather than a custom Google URL
  • NetworkStack: ignore captive portal fallbacks when one is set at runtime
  • factory images flash-all script: reboot to bootloader after installing update
  • make_key: use 4096-bit RSA keys
  • script/release.sh: auto-detect AVB algorithm to support 4096-bit RSA keys for verified boot
  • add experimental Pixel 4 and Pixel 4 XL support
  • Auditor: update to version 18

Restoration of past features since the 2020.06.02.02 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back FORTIFY_SOURCE enhancements
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back userspace ASLR improvements

2020.06.02.02

Tags:

Changes since the 2020.05.29.00 release:

  • full 2020-06-01 security patch level
  • full 2020-06-05 security patch level
  • rebased onto QQ3A.200605.002 release
  • Vanadium: update Chromium base to 83.0.4103.83
  • factory images: add fastboot version detection to flash-all.bat on Windows

2020.05.23.12

Tags:

Changes since the 2020.05.05.02 release:

  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use Clang for compiling code for the host too
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add build-tools prebuilts to PATH to reduce external dependencies and avoid potential reproducibility issues
  • add build-tools prebuilts to PATH in the release signing and delta generation scripts to reduce external dependencies and avoid potential reproducibility issues
  • fix upstream bug relying on malloc addresses for sort order of 3 items, causing Bluetooth A2DP audio to fail 2/3 of the time with hardened_malloc when the expected item isn't first
  • use the same datetime for build number and build date
  • always use UTC as the time zone for build dates
  • update GrapheneOS fork of android-prepare-vendor to the collaborative AOSPAlliance fork
  • raise minimum supported API level to 28 from 23, producing a warning for apps targeting API < 28 (the Play Store disallows uploading new apps or app updates targeting API < 28 so this isn't an aggressive warning)
  • Vanadium: update Chromium base to 81.0.4044.138
  • Vanadium: update Chromium base to 83.0.4103.60
  • Vanadium: disable media DRM preprovisioning
  • Vanadium: most private WebRTC IP handling policy by default
  • set SCHED_BATCH in the kernel build scripts

Restoration of past features since the 2020.05.05.02 release:

  • Settings: allow disabling Vanadium browser app via the Settings UI now that Trichrome (browser, WebView, shared library) has replaced Monochrome (monolithic app) for providing the WebView without having 2 copies of the browser engine

2020.05.05.02

Tags:

Changes since the 2020.04.14.23 release:

  • full 2020-05-01 security patch level
  • full 2020-05-05 security patch level
  • rebased onto QQ2A.200501.001.B3 release
  • Vanadium: update Chromium base to 81.0.4044.111
  • Vanadium: update Chromium base to 81.0.4044.117
  • disable safe volume feature everywhere instead of only the US
  • hardened_malloc: implement slab allocation memory corruption checks for malloc_usable_size
  • set SCHED_BATCH in the build system and release generation scripts instead of the interactive shell
  • use more sensible factory images zip naming scheme
  • Settings: add missing title for top_level_settings to fix showing it as null in search results

Restoration of past features since the 2020.04.14.23 release:

  • Vanadium: use 64-bit Trichrome browser processes

2020.04.14.23

Tags:

Changes since the 2020.04.13.21 release:

  • Settings: adjust wifi_privacy_values to the new values
  • Settings: remove unnecessary workaround for MAC randomization preference
  • Settings: tweak MAC randomization preference wording

2020.04.13.21

Tags:

Changes since the 2020.04.07.10 release:

  • Vanadium: update Chromium base to 81.0.4044.96
  • Vanadium: remove unsupported password leak detection option
  • Vanadium: expand automated string rebranding
  • Vanadium: remove Google prefix from storage settings label
  • reword random MAC options to make them clearer
  • start the final phase of the migration process for random MAC preference values
  • generate manifests for stable releases directly referencing revisions by hash instead of tag name to simplify signature verification for the sources

Restoration of past features since the 2020.04.07.10 release:

  • globally enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): globally enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature
  • Vanadium: enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature

2020.04.07.10

Tags:

Changes since the 2020.03.23.22 release:

  • full 2020-04-01 security patch level
  • full 2020-04-05 security patch level
  • rebased onto QQ2A.200405.005 release
  • Pixel 3a, Pixel 3a XL: fix SystemUI paths in memory pinning configuration
  • only include Updater app when OFFICIAL_BUILD=true is set in the environment to avoid accidental use of the default update server with unofficial builds that are not compatible
  • Vanadium: update Chromium base to 80.0.3987.162
  • PDF Viewer: update to version 3
  • update SELinux policy for officially supported devices based on isolated_app domain split
  • raise protected_fifos / protected_regular from 1 (world-writable directories) to 2 (group-writable directories too)
  • remove use of "Hey Google" as an example feature for battery saver in Settings

2020.03.23.22

Tags:

Changes since the 2020.03.04.16 release:

  • integrate Seedvault backup app as the default backup service
  • integrate SetupWizard app to support restoring with Seedvault and other initial setup
  • Vanadium: disable unused safe browsing feature by default (Safe Browsing is currently a no-op due to the lack of Play services, and support for using the local database backend hasn't been implemented. Various changes would be needed to make it available and to make sure that privacy is preserved.)
  • Vanadium: disable unused Google VR support
  • Vanadium: disable content feed suggestions by default
  • Vanadium: update Chromium base to 80.0.3987.149
  • Settings: fix broken upstream MAC randomization value mapping uncovered by the always randomize option value
  • make_key: use scrypt for key derivation used to encrypt keys
  • add script/encrypt_keys.sh and script/decrypt_keys.sh for handling key encryption
  • improve UX, performance and algorithm support for encrypted keys in script/release.sh and script/generate_delta.sh
  • dexpreopt: disable BOARD_USES_SYSTEM_OTHER_ODEX for mainline devices, which was causing odex files to be unintentionally omitted from the system image for modern devices
  • dexpreopt: use speed filter for boot images and non-prebuilts rather than unintentionally only setting it for prebuilts
  • dexpreopt: disable pre-optimization for apps bundled by android-prepare-vendor to work around unresolved issues with conflicting inlined definitions

2020.03.04.16

Tags:

Changes since the 2020.03.03.03 release:

  • Vanadium: backport upstream fix for Android 10 downloads
  • Vanadium: update Chromium base to 80.0.3987.132
  • Settings: avoid overriding MAC address with random persistent MAC address when viewing MAC address
  • finish porting support for per-connection random MAC rather than using the per-network random address

2020.03.03.03

Tags:

Changes since the 2020.02.07.19 release:

  • full 2020-03-01 security patch level
  • full 2020-03-05 security patch level
  • rebased onto QQ2A.200305.002 release
  • use time.grapheneos.org instead of grapheneos.org for HTTPS-based time updates
  • Vanadium: migrate to Trichrome for unified builds of separate browser and WebView apps with a shared library app
  • Vanadium: use org.grapheneos.vanadium.webview instead of com.android.webview as the WebView package name
  • Vanadium: rename WebView to Vanadium System WebView from Android System WebView
  • Vanadium: update Chromium base to 80.0.3987.99
  • Vanadium: update Chromium base to 80.0.3987.117
  • Vanadium: update Chromium base to 80.0.3987.119
  • SELinux policy: remove base system app apk_data_file execute
  • SELinux policy: remove zygote access to apk_data_file

Restoration of past features since the 2020.02.07.19 release:

  • Vanadium: stop replacing signature from the Vanadium signing key with the OS release key
  • Settings: add back control over camera access while the screen is locked
  • fix MAC randomization after reboot for the always randomize MAC option
  • SELinux policy: split out base system untrusted_app (normal unprivileged apps) and isolated_app (isolatedProcess sandbox) SELinux policy domains for future work
  • SELinux policy: remove base system app execmod
  • SELinux policy: remove base system app execmem
  • SELinux policy: remove base system app execute_no_trans
  • SELinux policy: remove base system app app_data_file execute
  • SELinux policy: remove base system app ashmem execute
  • SELinux policy: remove base system app tmpfs execute
  • SELinux policy: remove zygote execmem
  • SELinux policy: remove system_server_startup domain
  • add LTE only mobile network configuration option

2020.02.07.19

Tags:

Changes since the 2020.02.04.01 release:

  • rebuild crosshatch kernel to correct build environment issue
  • Vanadium (including WebView): update Chromium base to 80.0.3987.87
  • Vanadium (including WebView): drop partially working AImageReader workarounds
  • fully work around bug with AImageReader caught by CFI on 64-bit to fix crashes during video rendering in Vanadium and other Chromium-based browsers

Restoration of past features since the 2020.02.04.01 release:

  • WebView: use Vanadium WebView as provider

2020.02.04.01

Tags:

Changes since the 2019.01.06.21 release:

  • full 2020-02-01 security patch level
  • full 2020-02-05 security patch level
  • rebased onto QQ1A.200205.002 release
  • remove obsolete Email app
  • Vanadium: update Chromium base to 79.0.3945.116
  • WebView: update to 79.0.3945.116
  • Vanadium: update Chromium base to 79.0.3945.136
  • WebView: update to 79.0.3945.136
  • Vanadium: fully disable AImageReader to fix remaining issues with video playback uncovered by CFI on 64-bit
  • Settings: fix MAC randomization setting for other locales by removing incomplete translations

Restoration of past features since the 2019.01.06.21 release:

  • add PIN scrambling feature

2020.01.06.21

Tags:

Changes since the 2019.12.02.23 release:

  • full 2020-01-01 security patch level
  • full 2020-01-05 security patch level
  • rebased onto QQ1A.200105.002 release
  • Vanadium: update Chromium base to 79.0.3945.93
  • Vanadium: disable hiding trivial subdomains
  • WebView: update to 79.0.3945.93
  • add the option to randomize the MAC address for each connection instead of per-network
  • authenticated network time updates via HTTPS

Restoration of past features since the 2019.12.02.23 release:

  • Settings: expose control over USB peripheral denial feature

2019.12.02.23

Tags:

Changes since the 2019.11.05.23 release:

  • full 2019-12-01 security patch level
  • full 2019-12-05 security patch level
  • rebased onto QQ1A.191205.011 release
  • Pixel 3a, Pixel 3a XL: fix userspace hw_random stirring service
  • Vanadium: update Chromium base to 78.0.3904.96
  • WebView: update to 78.0.3904.96
  • Vanadium: update Chromium base to 78.0.3904.108
  • WebView: update to 78.0.3904.108
  • Auditor: update to version 17
  • QuickSearchBox: disable widget
  • QuickSearchBox: disable launcher icon
  • Launcher: rebranding
  • require unlocking to use work tile

2019.11.04.23

Tags:

Changes since the 2019.09.25.00 release:

  • full 2019-11-01 security patch level
  • full 2019-11-05 security patch level
  • rebased onto QP1A.191105.004 release
  • Settings: disable legacy suggestions mode
  • recovery: GrapheneOS branding for fastboot mode
  • Vanadium: update Chromium base to 77.0.3865.116
  • WebView: update to 77.0.3865.116
  • Vanadium: update Chromium base to 78.0.3904.62
  • WebView: update to 78.0.3904.62
  • Vanadium: update Chromium base to 78.0.3904.90
  • WebView: update to 78.0.3904.90
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): mark functions with address taken via assembly (this fixes compatibility with CFI in a build with !CONFIG_MODULES)
  • protect static TLS from stack buffer overflows
  • drop legacy Pixel and Pixel XL support due to absence of any GrapheneOS device maintainers, the end of vendor support and an increasingly large security gap with current generation devices for the hardware, firmware and device / generation specific software

Restoration of past features since the 2019.09.25.00 release:

  • Bluetooth: add alloc_size attribute to OSI allocator
  • protect pthread_internal_t from stack buffer overflows
  • add secondary stack randomization
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): disable dynamic kernel module support (resulting in substantially improved CFI granularity)

2019.10.07.21

Tags:

Changes since the 2019.09.25.00 release:

  • full 2019-10-01 security patch level
  • full 2019-10-05 security patch level
  • full 2019-10-06 security patch level
  • rebased onto QP1A.191005.007.A1 release
  • add changes to support disabling full preloading with exec spawning to the public libcore API
  • add OTHER_SENSORS to the public frameworks/base API
  • Messaging app: fix notifications with a backport
  • Vanadium: switch back to ChromeModern (standalone browser app) from Monochrome (monolithic browser + WebView app, no longer supported for Android 10) until Vanadium is moved to Trichrome (separate browser and WebView apps with a third shared library app)
  • unified kernel tree (kernel/google/crosshatch) for Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL

Restoration of past features since the 2019.09.25.00 release:

  • begin generating / uploading delta updates from the last release to the current release

2019.09.25.00

Tags:

Changes since the 2019.09.23.19 release:

  • update to QP1A.190711.020.C3 bug fix release
  • fix granting Network and Sensors permissions at install time
  • fix wording for Network permission group

2019.09.23.19

Tags:

  • QP1A.190711.020.2019.09.23.19 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.21.18 release:

  • disable enforcing Runtime Resource Overlays for baseline overlays to work around incompatibility with exec spawning
  • enable exec spawning for com.android.phone again

2019.09.21.18 preview

Tags:

  • QP1A.190711.020.2019.09.21.18 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.18.14 release:

  • Settings: use Mainline branding for APEX components
  • Vanadium: update Chromium base to 77.0.3865.92
  • WebView: update to 77.0.3865.92
  • temporarily disable exec spawning for com.android.phone
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, mainline: disable updatable apex for simplicity
  • Pixel 2, Pixel 2 XL: enable increased system.img inode count
  • script: replace networkstack key

2019.09.18.14 preview

Tags:

  • QP1A.190711.020.2019.09.18.14 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.08.25.15 release:

  • full port to Android 10 with some exceptions (listed below)
  • full 2019-08-05 security patch level
  • full 2019-09-01 security patch level
  • full 2019-09-05 security patch level
  • temporarily add back standalone WebView (77.0.3865.73) until Vanadium supports it for Android 10
  • Vanadium: update Chromium base to 76.0.3809.132
  • Vanadium: update Chromium base to 77.0.3865.73
  • System Updater: update targetSdkVersion to 29
  • retrofit dynamic partitions for Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL
  • disable GSI keys
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): temporarily disable slab canary implementation until an issue is narrowed down and addressed
  • kernel (Pixel 3, Pixel 3 XL): temporarily re-enable dynamic kernel module support until an issue is narrowed down and addressed (no dynamic kernel modules are ever actually loaded but something breaks internally with it disabled)
  • add guard page between the stack and the new static TLS region
  • bionic: pthread_internal_t changes have not yet been ported over so that feature is temporarily gone

2019.08.25.15

Tags:

Changes since the 2019.08.05.19 release:

  • add missing privileged permission whitelist for SdkSetup in SDK emulator builds
  • set up Vanadium for other architectures (arm, x86, x86_64)
  • hardened_malloc (GrapheneOS only): remove workaround for use-after-free in the citadel (Titan M) driver's key attestation support since it was fixed upstream
  • hardened_malloc: update libdivide to 2.0
  • Vanadium (browser and WebView): update Chromium base to 76.0.3809.111
  • Vanadium: redirect settings help icon
  • Vanadium: set default search engine to DuckDuckGo
  • apply partial fix for package manager original-package feature
  • PDF Viewer: update to version 2
  • Auditor: update to version 16
  • add Vanadium to the apps that cannot be disabled via Settings (can still be disabled) since the warning isn't enough to deter people from unknowingly breaking apps using the WebView
  • System Updater: add settings entry to manually trigger check for updates
  • System Updater: reschedule update check job on channel change
  • arm, x86 and x86_64 are now supported / tested architectures
  • generic and emulator build targets are now supported / tested for development usage (not suitable for secure production releases)

2019.08.05.19

Tags:

Changes since the 2019.07.16.22 release:

  • full 2019-08-01 security patch level
  • partial 2019-08-05 security patch level (not yet fully available)
  • Vanadium (browser and WebView): update Chromium base to 76.0.3809.89
  • Vanadium: expand string rebranding including covering translations
  • Vanadium: rename Sync and Google services to Services
  • Vanadium: remove data reduction preference
  • Vanadium: remove translate offer preference
  • Vanadium: remove sync preferences
  • Vanadium: remove navigation error preference
  • Vanadium: remove safe browsing reporting preference
  • Vanadium: remove usage and crash reports preference
  • Vanadium: remove url keyed anonymized data preference
  • Vanadium: disable contextual search by default
  • Vanadium: remove redundant services preference category
  • Vanadium (browser and WebView): use a unified Vanadium signing key instead of the device-specific release key
  • rename WebView provider to Vanadium
  • SELinux policy: label protected_{fifos,regular} as proc_security (this is needed for init to override the default values)

2019.07.16.22

Tags:

Changes since the 2019.07.01.21 release:

  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.143
  • Vanadium: disable media router media remoting by default
  • Vanadium: disable media router by default (avoids the triggering warning about not having Play services)
  • Vanadium: remove Help & feedback menu entry
  • Vanadium: further string rebranding from Chromium / Chrome to Vanadium
  • Vanadium: disable unused reporting feature at compile-time
  • Vanadium: disable unused remoting feature at compile-time
  • Vanadium (browser and WebView): move from external/chromium to external/vanadium in the GrapheneOS source tree and rename module from Chromium to Vanadium
  • Vanadium: disable offering translations by default
  • Vanadium: disable prefetching suggested pages by default
  • Vanadium: disable browser sign in feature by default
  • Vanadium: disable safe browsing reporting opt-in by default
  • extend release.sh to call the script for signing factory images
  • extend release.sh to call the script for generating update channel metadata
  • kernel build script (Pixel, Pixel XL, Pixel 3a, Pixel 3a XL): verify that no arguments are passed
  • kernel build script (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): verify that a single argument (device variant) is passed
  • enable kernel mitigations for file spoofing

Restoration of past features since the 2019.07.01.21 release:

  • Vanadium (browser and WebView): enable type-based CFI for virtual calls
  • enable kernel mitigations for link races
  • kernel (Pixel 2, Pixel 2 XL): backport fixes for SLAB_FREELIST_RANDOM
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_RANDOM
  • kernel (Pixel 2, Pixel 2 XL): backport slub dynamic DEBUG_PAGEALLOC setting
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation prefetch fix
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub native double free detection
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_HARDENED
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_LIST
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_SG
  • kernel (Pixel, Pixel XL): reduce DEBUG_SG virt_addr_valid check to a warning (this works around a bug in the legacy QCE driver)
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_NOTIFIERS
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_CREDENTIALS
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SCHED_STACK_END_CHECK
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on !PageSlab && !PageCompound in ksize
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): always perform cache_from_obj consistency checks
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on kmem_cache_free with the wrong cache
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): real slab_equal_or_root check for !MEMCG_KMEM
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add missing cache_from_obj !PageSlab check
  • kernel (Pixel 2, Pixel 2 XL): backport upstreamed FORTIFY_SOURCE implementation
  • kernel (Pixel 2, Pixel 2 XL): backport upstreamed leading zero byte for stack canary
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add simpler page sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add support for verifying page sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add basic full slab sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add support for verifying slab sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add multi-purpose random canaries

2019.07.01.21

Tags:

Changes since the 2019.06.23.05 release:

  • full 2019-07-01 security patch level
  • full 2019-07-05 security patch level
  • rebased onto PQ3A.190705.003/PQ3B.190705.003 releases
  • Auditor: update to version 15

Restoration of past features since the 2019.06.23.05 release:

  • add GrapheneOS PDF Viewer app (version 1)
  • Vanadium: stop ignoring download location prompt setting
  • Vanadium: show download prompt again by default

2019.06.23.05

Tags:

Changes since the 2019.06.14.02 release:

  • hardened_malloc: use copy_size to check for canaries (tiny performance / hardening fix and avoids an erroneous abort in a corner case with realloc from 0 byte allocations)
  • hardened_malloc: update libdivide to 1.1
  • Pixel 3a, Pixel 3a XL: raise maximum users to 16
  • Pixel 3a, Pixel 3a XL: disable system_other odex
  • Pixel 3a, Pixel 3a XL: disable system_other preloads_copy
  • Pixel 3a, Pixel 3a XL: show connected mac randomization feature
  • Pixel 3a, Pixel 3a XL: move to custom kernel
  • Pixel 3a, Pixel 3a XL: use monolithic kernel builds
  • kernel (Pixel 3a, Pixel 3a XL): disable slab merging
  • kernel (Pixel 3a, Pixel 3a XL): add toggle for disabling newly added USB devices
  • kernel (Pixel 3a, Pixel 3a XL): replace SECURITY_SMACK with SECURITY_NETWORK
  • kernel (Pixel 3a, Pixel 3a XL): mark qcedev data const
  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.101
  • Vanadium: disable sensors access by default
  • Vanadium: disable third party cookies by default
  • Vanadium: disable background sync by default
  • Vanadium (browser and WebView): stub out battery API
  • Vanadium: disable search logo
  • Vanadium: always use local new tab page
  • Vanadium: disable payment support by default

Restoration of past features since the 2019.06.14.02 release:

  • Vanadium: do not enable default search engine notification permission by default

2019.06.14.02

Tags:

Changes since the 2019.06.03.18 release:

  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.67
  • add back brk system call to the seccomp whitelist for compatibility with Go
  • Auditor: update to version 13
  • Auditor: update to version 14
  • Music: backport bug fix for passing CTS
  • System Updater: replace seamlessupdate.app with releases.grapheneos.org alias
  • add initial experimental support for the Pixel 3a and Pixel 3a XL
  • Pixel 2, Pixel 2 XL: set AVB rollback index to security patch timestamp (backport of the implementation for the Pixel 3)

Restoration of past features since the 2019.06.03.18 release:

  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): replace SECURITY_SMACK with SECURITY_NETWORK

2019.06.03.18

Tags:

Changes since the 2019.05.18.20 release:

  • full 2019-06-01 security patch level
  • full 2019-06-05 security patch level
  • rebased onto PQ3A.190605.003 release
  • Auditor: update to version 11
  • Auditor: update to version 12
  • hardened_malloc (GrapheneOS only): further expand workaround for Pixel 3 and Pixel 3 XL camera issues

Restoration of past features since the 2019.05.18.20 release:

  • disable exec spawning when using debugging options
  • enable exec spawning by default
  • enable Verizon visual voicemail support
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): add toggle for disabling newly added USB devices
  • add properties for controlling deny_new_usb
  • implement dynamic deny_new_usb toggle mode
  • set deny_new_usb feature to dynamic by default
  • sepolicy: deny_new_usb sysctl and system property policy

2019.05.18.20

Tags:

Changes since the 2019.05.08.15 release:

  • GrapheneOS logo mask
  • Auditor: update to version 10
  • add preload parameter for avoiding full preload with exec
  • raise maximum users to 16
  • Vanadium (browser and WebView): update Chromium base to 74.0.3729.157
  • hardened_malloc (GrapheneOS only): apply temporary workaround for citadel HAL use-after-free (need to start building vendor HALs from the sources to fix issues like this)

Restoration of past features since the 2019.05.08.15 release:

  • disable OpenGL preloading for exec spawning
  • disable resource preloading for exec spawning
  • disable ICU cache pinning for exec spawning
  • disable class preloading for exec spawning
  • disable WebView reservation for exec spawning
  • disable JCA provider warm up for exec spawning
  • avoid AssetManager errors with exec spawning

2019.05.07.00

Tags:

Changes since the 2019.04.01.19 release:

  • full 2019-05-01 security patch level
  • full 2019-05-05 security patch level
  • rebased onto PQ3A.190505.002 release
  • add Pixel and Pixel XL support including standard changes to kernel and device code
  • Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL: fix hw_random permissions
  • bundle Auditor (version 9)
  • Chromium (browser and WebView): update to 74.0.3729.136
  • Chromium: enable strict site isolation by default
  • Chromium: initial rebranding to Vanadium including icon recolor
  • hardened_malloc: extensive work on refactoring, micro-optimization and documentation (see commits for details)
  • hardened_malloc: implement mallinfo and mallinfo extensions for Android
  • hardened_malloc: implement Android API for requesting purging
  • hardened_malloc: implement the option of large size classes (enabled by default)
  • hardened_malloc: support extended range of small size classes (enabled by default)
  • hardened_malloc: support for slabs with 1 slot for largest sizes
  • hardened_malloc: use round-robin assignment to arenas
  • hardened_malloc: disable current in-place growth code path
  • hardened_malloc: harden arena implementation
  • hardened_malloc: fix non-init size for malloc_object_size extension
  • hardened_malloc: shrink initial region table size to fit in 1 page
  • hardened_malloc (GrapheneOS only): expand workaround for Pixel 3 and Pixel 3 XL camera issues
  • Pixel 3, Pixel 3 XL: change SystemUIGoogle pinning to SystemUI

Restoration of past features since the 2019.04.01.19 release:

  • use -fwrapv when signed overflow checking is off
  • add exec-based spawning support (disabled by default for now)
  • require unlocking to use battery saver quick tile
  • require unlocking to use cellular quick tile
  • require unlocking to use hotspot quick tile
  • require unlocking to use data saver quick tile
  • require unlocking to use rotation lock quick tile
  • require unlocking to use wifi quick tile
  • require unlocking to use airplane mode quick tile
  • require unlocking to use bluetooth quick tile
  • require unlocking to use nfc quick tile
  • add support for kernels without module support enabled to the VTS and compatibility tests
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable slab merging
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable loadable kernel module support
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): mark qcedev data const
  • kernel (Pixel 2, Pixel 2 XL): disable unused ramdisk compression formats
  • SELinux policy: remove priv_app app_data_file execute
  • SELinux policy: remove dumpstate ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
  • SELinux policy: remove healthd ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
  • SELinux policy: auditallow app execmem (moving back towards an exception system)
  • SELinux policy: auditallow app ashmem execute (moving back towards an exception system)
  • SELinux policy: auditallow ephemeral_app app_data_file execute (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all execmod (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all app_data_file execute (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all app_data_file execute_no_trans (moving back towards an exception system)

2019.03.05.03

Tags:

Final and only tagged release of the AndroidHardening project before it was renamed to GrapheneOS. Earlier AndroidHardening releases were only snapshots and are not listed here. Prior to the AndroidHardening placeholder name, the project was known as CopperheadOS. For more details, see the page on the project's history.

Detailed changelogs were not written at this point.