
GrapheneOS

@GrapheneOS@grapheneos.social

Open source privacy and security focused mobile OS with Android app compatibility.


GrapheneOS, to random

We'll be blacklisting mailbox.org and websites using it for email hosting for registration on discuss.grapheneos.org and as an alert email for attestation.app. They're blocking emails from our mail server for a convoluted, nonsensical reason and won't stop.

GrapheneOS, to random

April release of the Pixel boot chain firmware includes fixes for 2 vulnerabilities reported by GrapheneOS which are being actively exploited in the wild by forensic companies:

https://source.android.com/docs/security/bulletin/pixel/2024-04-01
https://source.android.com/docs/security/overview/acknowledgements

These are assigned CVE-2024-29745 and CVE-2024-29748.

GrapheneOS, to random

XRY and Cellebrite say they can do consent-based full filesystem extraction with iOS, Android and GrapheneOS. It means they can extract data from the device once the user provides the lock method, which should always be expected. They unlock, enable developer options and use ADB.

GrapheneOS, to random

Linux kernel becoming their own CVE Numbering Authority (CNA) is wasting resources they'd have previously put towards higher quantity and quality backporting. We've noticed a drop in both for the stable/longterm branches and particularly Android Generic Kernel Image LTS branches.

GrapheneOS, to random

Latest release of GrapheneOS finally shipped the long awaited duress PIN/password implementation. If you have a spare device, we recommend trying it out.

We've added initial documentation to the features page:

https://grapheneos.org/features#duress

It near instantly wipes and shuts down.

GrapheneOS, to random

Due to frequent DDoS attacks, we're enforcing stricter limits on the number of connections to our servers. By default, each server enforces a limit of 16 or 32 TCP connections from each IPv4 address and IPv6 /64 block. During persistent attacks, these limits will be adjusted.
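
The limit described in the post above, modelled as an added example that is not part of the original post and not GrapheneOS's server configuration: connections are counted per IPv4 address and per IPv6 /64 block, since a single IPv6 client can use any address in its /64. The class and function names are hypothetical, and folding IPv4-mapped IPv6 addresses into their IPv4 form is an assumption of this sketch.

```python
import ipaddress
from collections import Counter

IPV6_PREFIX_LEN = 64  # from the post: IPv6 sources are limited per /64 block


def source_key(addr: str) -> str:
    """Return the bucket a remote address is counted under."""
    ip = ipaddress.ip_address(addr)
    # Assumption: treat ::ffff:a.b.c.d as the IPv4 address it wraps, so a
    # dual-stack listener cannot be used to get a second budget.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)  # one bucket per IPv4 address
    # strict=False masks the host bits, leaving only the /64 prefix.
    return str(ipaddress.ip_network(f"{ip}/{IPV6_PREFIX_LEN}", strict=False))


class ConnectionLimiter:
    """Tracks concurrent connections per source bucket (hypothetical helper)."""

    def __init__(self, limit: int = 16):  # 16 is one of the defaults in the post
        self.limit = limit
        self.active = Counter()

    def try_accept(self, addr: str) -> bool:
        key = source_key(addr)
        if self.active[key] >= self.limit:
            return False  # over budget: refuse the new connection
        self.active[key] += 1
        return True

    def release(self, addr: str) -> None:
        key = source_key(addr)
        if self.active[key] > 0:
            self.active[key] -= 1
            if self.active[key] == 0:
                del self.active[key]  # keep the table from growing unbounded


if __name__ == "__main__":
    # Constructed sample: 17 different addresses rotated inside one /64.
    limiter = ConnectionLimiter(limit=16)
    rotated = [f"2001:db8:0:1::{i:x}" for i in range(1, 18)]
    print([limiter.try_accept(a) for a in rotated])
    print(limiter.try_accept("2001:db8:0:2::1"))  # a different /64
```
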

GrapheneOS, to random

One of our community members has been doing testing of Android VPN apps to check for leaks. They've found and reported 2 issues where leak blocking functionality doesn't appear to work as intended: one occurs with local network multicast and the other with DNS while VPN is down.

GrapheneOS, to random

Our latest OS release that's currently in the Beta channel implements a new feature for blocking DNS leaks by third party VPN service app implementations which were discovered by our community:

https://github.com/GrapheneOS/os-issue-tracker/issues/3442

The good news is this does successfully block these leaks.

GrapheneOS, to random

Every patch in the May 2024 Pixel Update Bulletin is also relevant to a lot of other devices including the High severity Bluetooth issue we reported:

https://source.android.com/docs/security/bulletin/pixel/2024-05-01
https://grapheneos.social/@GrapheneOS/112066872276203917

Android Security Bulletin SHOULD be expanded. All of this should be in it.

GrapheneOS, to random

Yesterday, we made a post linking to the leader of Privacy Guides (Jonah Aragon) repeatedly pushing the false claim GrapheneOS is marketing itself as making people untouchable by law enforcement and trying to appeal to criminals. It's a thoroughly dishonest attempt to harm us.

GrapheneOS, to random

An experimental prerelease of GrapheneOS for the Pixel 8a is now available via https://staging.grapheneos.org/ including web installer support. It will be made available via https://grapheneos.org/ after we've done basic testing including testing the upgrade path to a future release.

GrapheneOS, to random

We've received the Pixel 8a for our device testing farm already even though it officially ships May 14th.

Both Android Open Source Project source code tags and stock OS factory images / updates will likely be published on May 14th. We'll need those to add GrapheneOS support.

GrapheneOS, to random

Our hardware memory tagging support for Pixel 8 and Pixel 8 Pro has uncovered a memory corruption bug introduced in Android 14 QPR2 for Bluetooth LE. We're currently investigating it to determine how to fix or temporarily disable the newly introduced feature as a workaround.

GrapheneOS, to random

Our Vanadium browser (https://grapheneos.org/features#vanadium) is based on the stable releases of Chromium. We port to the new releases when they're still in Beta/Dev/Canary but we wait until it's Stable to upgrade, particularly since Stable is the only branch with proper security support.

GrapheneOS, to random

SSL Labs (https://www.ssllabs.com/ssltest) from Qualys used to be a useful HTTPS testing tool. However, it hasn't received significant updates since 2019 and is now holding back HTTPS security. The biggest issue is that many of the tests don't support TLSv1.3 so it penalizes disabling legacy TLSv1.2.

GrapheneOS, to random

We're looking for people with a spare Pixel 4a (5G) or Pixel 5 willing to test experimental QPR2-based releases. It would be easier for us to continue extended support than shifting them to a legacy extended support branch. Join testing chat room to help: https://grapheneos.org/contact#community-chat.

GrapheneOS, to random

Our PDF Viewer isn't impacted by issues like this in pdf.js. We use a strict Content Security Policy allowlisting the app's static CSS and JavaScript without permitting unsafe-eval or unsafe-inline. It's blocked from using eval or including dynamic JS.

https://github.com/advisories/GHSA-wgrm-67xf-hhpq

GrapheneOS, to random

Per our request, NitroKey has fixed one of the main issues in https://www.nitrokey.com/news/2023/smartphones-popular-qualcomm-chip-secretly-share-private-information-us-chip-maker. XTRA downloads are done by xtra-daemon in the OS, not firmware. It also does use HTTPS by default, but the OS can override the default URLs via gps.conf and some OSes do override to HTTP URLs.

GrapheneOS, to random

We've pre-ordered a Pixel 8a for our official device testing farm. They push the Android Open Source Project tags and stock OS factory images on the official release day. Should take us a couple hours to add support for it. We'll build, test and make an official release quickly.

GrapheneOS, to random

We currently sign our factory images releases with the signify tool from OpenBSD. It provides tiny signatures that are easy to verify on any distribution with signify in their repositories. This is much less important than in the past because you can verify the completed install.

GrapheneOS, to random

Pixel 8a with the latest May 2024 update is running Android 14 QPR1 with backported security patches instead of Android 14 QPR2.

Android 14 QPR2 was released in March 2024 and is by far the largest quarterly release so far due to being the first trunk-based quarterly release.

GrapheneOS, to random

In the latest release of GrapheneOS, you can now enable hardware memory tagging for all user installed apps on the Pixel 8 and Pixel 8 Pro to make them substantially harder to exploit. This is particularly useful for apps like Signal and WhatsApp.

https://grapheneos.social/deck/@GrapheneOS/111479244810981775

GrapheneOS, (edited) to random

Google has listed the CVE-2024-23694 vulnerability we reported in the security acknowledgements for May 2024:

https://source.android.com/docs/security/overview/acknowledgements

This is the Bluetooth issue we found with memory tagging which they assigned a High severity:

https://grapheneos.social/@GrapheneOS/112066872276203917

We fixed this on March 9th.

GrapheneOS, to random

Android Open Source Project (AOSP) provides open source infrastructure for device management used to manage enterprise device deployments, kiosks and other situations where a company is considered to own a specific profile or the device as a whole if it's not a personal device.

GrapheneOS, to random

GrapheneOS has been working towards providing accessibility for blind users so we include our own build of TalkBack. We plan to include a text-to-speech (TTS) app and Setup Wizard integration to make it usable out-of-the-box. We can't do much to make installing more accessible.
