GrapheneOS [Unofficial]

Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support is available on our forum and Matrix chat rooms.

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

founded 4 years ago
https://bsky.app/profile/iceblock.app/post/3lmzykc7rb42d

Apple stores which devices/users install which apps. They have the device IDs. US government could obtain a list of people who installed the app if a court authorized it. Not clear what they mean by having to store device IDs. Those IDs aren't accessible to Android apps.

ANDROID_ID is a per-app-per-profile random ID. Not clear why they would need it. Android has privacy-preserving hardware-based attestation if they're talking about making it harder to spoof a location. Can't prevent either iOS or Android users making false reports via attestation APIs regardless.

https://bsky.app/profile/iceblock.app/post/3lswryqarlk2l

Making posts with inaccurate technical claims about Android doesn't inspire confidence. It's a closed source app with a closed source service fully under their control. Why is that the approach if their goal is helping people rather than monetizing interest in it?

https://bsky.app/profile/iceblock.app/post/3lpewifycls27

Apple records which apps people install and requires an account to use their app store. Apple Push Notification Service (APNs) has comparable privacy to Firebase Cloud Messaging (FCM). However, iOS apps must use APNs for push while Android apps do not have to use FCM.

Android apps can implement their own push service or allow the user to choose a service via the UnifiedPush framework. Play Store has a policy of requiring FCM for most use cases for battery reasons but there are exceptions. Unlike iOS, Android allows installing apps from other app stores / sources.

ICEBlock app is very clearly misleading people about privacy and their safety. Apple has a list of which accounts/devices have installed the app. They will provide it to the US government if they receive a court order. FCM is also not less private than APNs and FCM doesn't work the way they claim.

iPhones have good overall privacy and security but Apple does collect telemetry, forces people to have accounts and knows which apps each user/device has installed. They do not have magical privacy and security properties. An app like this claiming iOS gives them 100% anonymity is very strange.

iOS has significantly worse support for VPNs than Android and requires using Apple services. Android exists without Google services and people can install apps from elsewhere. The mandatory or effectively mandatory services on Google Mobile Services devices and iOS have comparable privacy.


Tags:

  • 2025070100 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025063000 release:

  • Exynos 5400 modem Pixels (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold): temporarily disable hardened_malloc and hardware memory tagging for shared_modem_platform executable due to an upstream write-after-free bug
  • Launcher: fix upstream bug causing a crash for the interface to add lockscreen widgets (currently a tablet only feature until Android 16 QPR1)
  • Vanadium: update to version 138.0.7204.63.0
  • add debug build functionality for toggling off hardened_malloc usage for vendor processes to make narrowing down issues quicker

Changes in version 138.0.7204.45.2:

  • backport upstream port of Local Network Checks site settings to Android to provide per-site control with a prompt when sites try to use it instead of the status quo where Vanadium enforces Local Network Checks for the browser with only a global toggle for disabling it

A full list of changes from the previous release (version 138.0.7204.45.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.


This is the initial official release of GrapheneOS based on Android 16 after the June 10th release of Android 16. Device support for Pixels was removed from the Android Open Source Project for Android 16 and had to be reimplemented which is why it took so much longer than usual. Please join our testing chat room if you're interested in testing this experimental release. We'll be making a series of releases this week to fix several known issues and other issues.

Tags:

  • 2025063000 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025062700 release:

  • full Android 16 port with all GrapheneOS features available (we previously shipped some parts of Android 16 backported to Android 15 QPR2 to provide the 2025-06-05 and then 2025-07-01 Pixel patch level)
  • migrate to using adevtool to handle a much larger portion of device support since the Android Open Source Project no longer includes device support for Pixels
  • adevtool: add new arcslib infrastructure for extracting resource overlays from the stock Pixel OS
  • adevtool: use fixed build number and build date for state regeneration to reduce diffs
  • don't disable external ports at boot on debug builds for internal development for debugging early boot failures

Our initial highly experimental release based on Android 16 has been published for all sixteen of the supported devices (Pixel 6 through Pixel 9a). It should only be installed on a spare device you don't depend on. It won't brick devices but there will be broken functionality.

If you have a spare device and want to help test, join our testing chat room. It can be installed either by updating an existing GrapheneOS installation or doing a CLI install. We'll make the staging site web installer use it a bit later. Don't put it on your daily driver yet.

We've received enough feedback for the initial experimental release. There were recent regressions in the port due to SELinux policy changes which resulted in the testing being less useful than expected due to major issues with third party apps which weren't present previously.

We've implemented a workaround for this issue and are also addressing lockscreen UI issues caused by porting our 2-factor fingerprint authentication feature to Android 16. We'll also try to get fixes for various issues related to device-specific configuration being missing too.

Our aim is to have another much more robust and functional experimental Android 16 release in around 8 hours. SELinux policy issue breaking third party app compatibility was unexpected. It only occurred on production builds, not debug builds, so we missed it in earlier testing.

We've found a proper solution rather than a workaround for the SELinux issue. It was caused by an upstream Android 16 change incompatible with how we provided compatibility with several apps banning GrapheneOS including Revolut. We've also included our new overlay automation.


Tags:

  • 2025062700 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025062000 release:

  • raise security patch level to 2025-07-01 since it's already provided without applying any additional patches
  • kernel (6.1): update to latest GKI LTS branch revision
  • Pixel 6, Pixel 6 Pro, Pixel 6a: remove AOSP configuration marking android.hardware.location.network as unavailable since it has been meant to be declared available since our 2023062300 release adding emulated network location and we also have our own opt-in network location implementation since our 2025022700 release
  • Vanadium: update to version 138.0.7204.35.0
  • Vanadium: update to version 138.0.7204.45.0
  • Vanadium: update to version 138.0.7204.45.1
  • Vanadium: update to version 138.0.7204.45.2


Changes in version 138.0.7204.45.1:

  • update to Chromium 138.0.7204.45
  • temporarily revert backport of site settings functionality for granting local network access to sites due to a crash (this goes back to only being able to globally disable Local Network Checks via a chrome://flags toggle instead of having a per-site toggle / prompt to permit local network access)

A full list of changes from the previous release (version 138.0.7204.45.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.


Changes in version 138.0.7204.45.0:

  • update to Chromium 138.0.7204.45
  • backport upstream port of Local Network Checks site settings to Android to provide per-site control with a prompt when sites try to use it

A full list of changes from the previous release (version 138.0.7204.35.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.


Tags:

  • 2025062000 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025061900 release:

  • fix an issue with our added infrastructure for overriding the minimum SDK version for APK-based components backported from Android 16 (Samsung Shannon IMS/RCS was not active resulting in VoLTE, VoNR, VoWi-Fi, SMS via LTE/NR/Wi-Fi and RCS not working so the 2025061900 release was quickly cancelled before being rolled out to a large number of Alpha channel users)

We need help testing our experimental Android 16 support. If you have a spare 6th, 7th, 8th or 9th generation Pixel, you can help us test early builds for Android 16 soon. You can join our testing chat room via Matrix or Discord if you want to help. https://grapheneos.org/contact#community-chat.


Changes in version 138.0.7204.35.0:

  • update to Chromium 138.0.7204.35

A full list of changes from the previous release (version 137.0.7151.115.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.


Tags:

  • 2025061900 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025061600 release:

  • full 2025-06-05 Pixel security patch level based on Android 16 backports (full Android 2025-06-05 patch level was provided in an earlier release)
  • Pixels: backport Android 16 Wi-Fi firmware, Bluetooth firmware and TPU firmware
  • Pixels: backport Android 16 Samsung Radio Interface Layer (RIL) code
  • Sandboxed Google Play compatibility layer: fix rare system_server crash reported with Android Auto by adding check for a null calling package
  • Vanadium: update to version 137.0.7151.115.0

We previously shipped our builds of Android 16 kernel drivers along with the new Pixel SoC firmware and cellular radio firmware. Today, we'll be making a release with the new Wi-Fi/Bluetooth firmware, TPU firmware and RIL code. This will provide the Pixel 2025-06-05 patch level.

We want to backport a few more things such as the userspace Mali driver library to make sure we have all the important patches.

Our initial Android 16 port was finished days ago and we've made a lot of progress towards replacing the device support which was dropped from AOSP 16.

Pixel patch levels include more than the baseline Android patch levels and we intend to include all of that before claiming to have the latest patch level. It's not supposed to only mean the Android Security Bulletin patches but rather ASB + a bulletin from the device vendor.

June 2025 Android Security Bulletin was released June 2nd and our 2025060200 release incorporated those Android Open Source Project patches. Pixel stock OS released those and additional Pixel firmware/driver patches for the month on June 10th as part of the Android 16 release.

We ported to the new major OS release quickly and would have had an experimental release out on June 12th if AOSP 16 hadn't made things harder. Backporting the driver/firmware patches is problematic so we don't usually try but rather get the new release out very quickly instead.

In hindsight, it would have made sense to focus on the backports first since the port is taking much longer than planned. It'll be done this month and that's crucial to continue providing further security patches for July onwards along with security improvements beyond bug fixes.


Changes in version 137.0.7151.115.0:

  • update to Chromium 137.0.7151.115
  • disable Local Network Checks for WebView since apps may not be compatible with it, with one example being the captive portal handling app built into the OS which is only partially compatible (this was previously shipped as part of Vanadium Config version 101 by changing the feature flag for the WebView)

A full list of changes from the previous release (version 137.0.7151.89.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.


Tags:

  • 2025061600 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025061500 release:

  • update to Android 16 kernel drivers and build system to ship the Pixel kernel driver patches from Android 16 while we're still reimplementing device support for Pixels due to AOSP removing it

Tags:

  • 2025061500 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025061300 release:

  • adjust our hard-wired Android 16 cellular radio version string to pass the case sensitive check done by the install process
  • adjust the SUPL disabled mode to work around Samsung gnssd (Pixel 8a and all 9th gen Pixels) not implementing SUPL_MODE properly (reboot is required for the Off mode to kick in on these devices)
  • Messaging: update to version 11

We need to do a large number of generate-prep and development builds as part of finishing up our new approach and automation for Pixel device support. Can anyone get us cloud computing credits? Otherwise, we need to start paying for multiple new Hetzner dedicated servers.

We do all production builds on 3 local GrapheneOS Foundation machines and each OS developer has at least one powerful local workstation. However, we need a lot more computing power than usual due to the way we're adding back device support to AOSP requiring many clean builds.


Notable changes in version 11:

  • temporarily revert AndroidX fragment/loader/preference library migration due to what appears to be an upstream Messaging or AndroidX bug causing the app to go back to the conversation list when returning to it

A full list of changes from the previous release (version 10) is available through the Git commit log between the releases.


Notable changes in version 10:

  • revert change to process message data in secondary users since it caused a regression (duplicate received messages from secondary users) and needs to be done another way

A full list of changes from the previous release (version 9) is available through the Git commit log between the releases.


Notable changes in version 9:

  • process message data in secondary users
  • avoid creating conversation channels prior to users configuring notifications for them
  • mark bubbled conversations as read
  • remove duplicate observable conversation sound
  • migrate to AndroidX Fragment, Loader and Preference libraries
  • update AndroidX Appcompat library to 1.7.1
  • update Gradle to 8.14.2

A full list of changes from the previous release (version 8) is available through the Git commit log between the releases.


Tags:

  • 2025061300 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, emulator, generic, other targets)

Changes since the 2025061000 release:

  • update SoC and cellular radio firmware to the Android 16 releases to ship the security patches prior to our Android 16 port
  • Vanadium: update to version 137.0.7151.89.0
  • Messaging: update to version 10

We'll be making at least one more Android 15 QPR2 release soon to ship backports of important firmware and driver security patches released with Android 16. This wouldn't usually be required since we'd have Android 16 released to end users using the Alpha channel and soon Beta.

We've ported all of our features to Android 16. However, part of our hardware-based USB-C and pogo pins port control feature may need to be reimplemented due to being part of device support code. We have a lot of work remaining reimplementing device support removed by AOSP 16.

We have early builds based on Android 16 booting on Pixels but will need to do a lot more work to reach production quality.

We're also beginning building/testing backports of Android 16 firmware updates to Android 15 QPR2 with the aim of releasing those patches to Alpha today.


Our initial port to Android 16 has been completed and can be built for the emulator from our 16 branch. All of the device-independent GrapheneOS code has been ported. There are some parts of the port which will be redone better and a lot of testing and fixing regressions to do.

Normally, we would have announced the availability of experimental releases based on Android 16 already. Unfortunately, Android 16 dropped device/hardware support from the Android Open Source Project and we're going to need to put it together ourselves without being prepared for it.

We'll be starting from the Android 15 QPR2 device support code and stripping it down to a bare minimum. Pixel 9a is a special case and will be more work.

Our hardware-based USB-C port control feature will no longer work with this approach and we need to replace half of the code.

We received early notice of Android 16 removing the device support code from AOSP but were unable to confirm it or determine the details. We have existing automated tooling for this we can significantly extend to generate what we need. It will be difficult and a major regression.

Paying an ODM to make a Snapdragon device for us is increasingly appealing. We would have all the device support code we need, could build it with compiler-based hardening and would be able to harden a lot of the device's firmware. We could also make secure element applets.

We want to be building privacy and security features. We don't want to be wasting our efforts on adding device support and other basic functionality to AOSP. It appears the only way we're going to be able to do that is paying millions of dollars to an ODM to have a proper base.

As an example of what we would be able to do even with an entirely standard reference device, we could add hardware support for our duress PIN/password feature to the secure element so that successfully exploiting the OS could not bypass it. We could do a whole lot with firmware.

Pixels meeting our requirements is why many of them were and are being purchased. We've reported MANY vulnerabilities over the years which have been fixed for Android and Pixels. We've proposed hardware, firmware and many software level security enhancements they've adopted.

We would prefer not having to pay millions of dollars to have a phone produced for us. It's entirely doable but we would need to repeat it every few years. We'd rather work with an OEM with aligned goals and willing to provide first class GrapheneOS support to sell more devices.

Pixels have substantially benefited from meeting our requirements and having GrapheneOS available for them. We know there's a significant market for an OEM working with us to make a more secure device with hardware-based security features not available on Pixels or iPhones.


We're going to be moving forward under the expectation that future Pixel devices may not meet the requirements to run GrapheneOS (https://grapheneos.org/faq#future-devices) and may not support using another OS. We've been in talks with a couple OEMs about making devices and what it would cost.

In April 2025, we received leaked information about Google taking steps to strip down the Android Open Source Project. We were told the first step would be removal of device support with the launch of Android 16. We didn't get details or confirmation so we didn't prepare early.

We spent most of May preparing for the Android 16 release. Due to our extensive preparation work, our initial port to Android 16 has been completed and is being tested in the emulator. We could have published experimental releases yesterday if this was a regular AOSP release.

Due to AOSP no longer having device support, we need to build it ourselves. We can start from the Android 15 QPR2 device support, remove the outdated code and update the configurations. We have tooling to automate generating device support setups which will need major expansions.

Since our port to Android 16 is going to be delayed by a week or more, we're in the process of backporting the Android 16 firmware/drivers released on June 10 to the previous releases. This is not something we can do in general so we still need to port to Android 16 this month.

Despite our lead developer who has done 90% of the ports for several years being conscripted into an army, we were still able to complete the initial port to Android 16 in under 2 days, but without device support. Our extensive preparation in April and especially May paid off.

It's important to get an experimental release out quickly to begin extensive public testing. There are usually many issues found in testing. For a yearly release, we usually get out an experimental release in a day, an Alpha channel release in 2 days and need 4-6 more releases.

Google has released a statement claiming AOSP is not being discontinued. This should be taken with a grain of salt, especially considering that they made similar public statements recently followed by discontinuing significant parts of AOSP on June 10.

https://x.com/seangchau/status/1933029688202703062

Google is in the process of likely having the company broken up due to losing an antitrust lawsuit from the US government and being in the process of losing several more. There's a high chance of Google losing control of Android in the next couple years.

https://www.nytimes.com/2025/04/21/technology/google-search-remedies-hearing.html

The leaked information we received in April 2025 indicates that the reasoning they're making substantial cuts to Android is primarily cutting costs, perhaps in anticipation of it being split from Google. The courts should investigate Google's recent changes and cuts to Android.

Google has been accelerating their crackdown on alternate mobile hardware and software with the Play Integrity API combined with laying off many people working on Android and cutting parts of the project. They disallow their OEM partners from competing so others cannot take over.

It's no wonder that Android and Chrome engineers at Google are leaking tons of information when the company is in an extraction mode trying to get as much out of each as possible prior to Google being broken up. Regulatory action needs to move faster and take this into account.

A successful mobile OS will need near perfect iOS or Android app compatibility. For Android, compatibility means a solid fork of AOSP even if it's only used within a VM on a more modern microkernel-based OS. Google made an open platform, unlike Apple, and could not prevent this.

For years, Google has been using extraordinarily anti-competitive Google Mobile Services (GMS) licensing agreements with OEMs to disallow competition. To further prevent competition, they made the Play Integrity API where app devs are convinced to check for valid GMS licensing.

If the Pixel 10 does meet our requirements, we'll support it, but it will take significantly more time and effort to develop support for it. At the end of the year, Qualcomm should finally release a new SoC providing hardware memory tagging. If they do, we can shift focus to it.

Once an OEM offering the service of making custom devices has a platform based on a new Qualcomm Snapdragon SoC with hardware memory tagging support, we can do a crowdfunding campaign to raise the money needed to have them build a device for us. We have talked with a couple OEMs.

The baseline will be several million dollars, which can be spread out across the cost of preordered devices. This is the cost of making a modern, secure device with a secure element and the other requirements we have for one instead of a low-end device with outdated hardware.

There will be a cost of a million or more dollars per year of additional support. Providing 7 years of proper support like Pixels would be very expensive. We definitely wouldn't be releasing a new device every year as the overlapping costs for all of it would be ridiculous.
