Releases

About the releases

These releases are available as both tags in the source code repositories and official builds.

The factory images are used for the initial installation and can be verified with signify. See the installation page for details.

GrapheneOS uses automatic over-the-air updates, but full update packages are listed below for uncommon use cases like never connecting the device to the internet. A full update package can upgrade from any past version to the new version. The over-the-air updates use delta update packages when available. Those aren't currently linked below but may be in the future once they're being used more consistently. Update packages are not for performing the initial installation and you should ignore incorrect guides trying to use them to install the OS.

The update packages have an internal signature verified by the update client (or recovery when sideloading). Downgrade attacks are also prevented, and downgrades cannot be done unless a special downgrade update package has been signed with the release key. The internal payload for update_engine is also signed, providing another layer of signature verification and downgrade protection. Verified boot and the hardware-backed keystore also act as a final layer of protection.

Releases are tested by the developers and are then pushed out via the Beta channel. The release is then pushed out via the Stable channel after being tested by some users using the Beta channel. In some cases, problems are caught during Beta channel testing and a new release is made via the Beta channel to replace the aborted one. In general, it's not possible to downgrade unless a downgrade update package is generated, so use the Stable channel if you cannot tolerate dealing with temporary issues while a new release for the Beta channel is being created.

Release announcements

Releases are announced on this page including via an atom feed, via our @GrapheneOS Twitter account, on the official subreddit and in the official GrapheneOS chat room A release announcement indicates that the source code tags are available and that the official builds will soon be pushed out via the Beta channel.

Stable channel

Pixel 6 Pro (highly experimental)

Version: SD1A.210817.037.2021120117

Pixel 6 (highly experimental)

Version: SD1A.210817.037.2021120117

Pixel 5a

Version: SP1A.211105.003.2021112404

Pixel 5

Version: SP1A.211105.004.2021112404

Pixel 4a (5G)

Version: SP1A.211105.004.2021112404

Pixel 4a

Version: SP1A.211105.004.2021112404

Pixel 4 XL

Version: SP1A.211105.004.2021112404

Pixel 4

Version: SP1A.211105.004.2021112404

Pixel 3a XL

Version: SP1A.211105.002.2021112404

Pixel 3a

Version: SP1A.211105.002.2021112404

Pixel 3 XL (legacy)

Version: SP1A.210812.015.2021112404

Pixel 3 (legacy)

Version: SP1A.210812.015.2021112404

Beta channel

Pixel 6 Pro (highly experimental)

Version: SD1A.210817.037.2021120117

Pixel 6 (highly experimental)

Version: SD1A.210817.037.2021120117

Pixel 5a

Version: SP1A.211105.003.2021112404

Pixel 5

Version: SP1A.211105.004.2021112404

Pixel 4a (5G)

Version: SP1A.211105.004.2021112404

Pixel 4a

Version: SP1A.211105.004.2021112404

Pixel 4 XL

Version: SP1A.211105.004.2021112404

Pixel 4

Version: SP1A.211105.004.2021112404

Pixel 3a XL

Version: SP1A.211105.002.2021112404

Pixel 3a

Version: SP1A.211105.002.2021112404

Pixel 3 XL (legacy)

Version: SP1A.210812.015.2021112404

Pixel 3 (legacy)

Version: SP1A.210812.015.2021112404

Changelog

List of tagged releases. Snapshot releases without tags such as early releases of the project and early device support releases are not listed.

The changelog is also available as an atom feed usable in any standard feed reader.

The legacy changelog page has the release notes from before the rebranding of the project in 2018 and 2019.

2021112404

Tags:

Changes since the 2021112123 release:

  • Sandboxed Play services compatibility layer: add another UserManager shim to fix issue with FCM in secondary user profiles
  • Sandboxed Play services compatibility layer: mark the compatibility layer's Play Store confirmation notification as ongoing to avoid users dismissing the notification and then being unable to accept or reject the install/update/uninstall action
  • Camera: update to version 6

2021112123

Tags:

Changes since the 2021112021 release:

2021112021

Tags:

Changes since the 2021111414 release:

  • Sandboxed Play services compatibility layer: expand Play Store compatibility layer to fully support app installation, uninstallation and unattended updates via the standard unprivileged APIs
  • Sandboxed Play services compatibility layer: expand Play Store compatibility layer to support the Play Store updating itself via the standard unprivileged APIs
  • Settings: clearer wording for the default GrapheneOS per-connection MAC randomization
  • Vanadium: update Chromium base to 96.0.4664.45
  • Auditor: update to version 35
  • Auditor: update to version 36
  • Auditor: update to version 37
  • Camera: update to version 4
  • TalkBack (screen reader): update dependencies and tools

2021111414

Tags:

Changes since the 2021110617 release:

  • Sandboxed Play services compatibility layer: improve AppOps compatibility layer for long-lived operations via the new startProxyOp/finishProxyOp API which previously had to be mimicked via the existing APIs
  • Updater: only allow privileged apps including Settings to open the settings activity since other apps like the launcher have no reason to open it
  • android-prepare-vendor carriersettings-extractor: strip out carrier provisioning configuration (OMA device management is not included in GrapheneOS so this references an app that's not present)
  • android-prepare-vendor carriersettings-extractor: always enable the ability to disable 2G
  • android-prepare-vendor carriersettings-extractor: remove unused Google Dialer configuration for Wi-Fi calling
  • android-prepare-vendor: improve Pixel 5a support
  • add CameraX vendor extensions library to compile-time class loader path for GrapheneOS Camera to make dexpreopt usable

2021110617

Tags:

Changes since the 2021110507 release:

  • Camera: update to version 3
  • revert hard-wiring camera gesture handler as a workaround for AOSP 12 bug with the gesture on the lockscreen (only has an impact when multiple camera apps are installed and can be worked around, so we'll just wait for an upstream resolution)
  • Vanadium: add workaround for upstream bug with login when sandboxed Play services is present
  • android-prepare-vendor: overhaul Pixel 4a (5G), Pixel 5 and Pixel 5a support including building more AOSP modules

2021110507

Tags:

Changes since the 2021110122 release:

  • replace AOSP Camera app with next-generation GrapheneOS Camera app
  • set GrapheneOS Camera app as the hard-wired handler for camera gesture, similar to Android 11+ hard-wiring it as the camera media intent handler (should work around AOSP 12 lockscreen camera bugs) — note: this will be undone in a follow-up release before this reaches the Stable channel
  • invalidate icon cache between OS releases instead of only between major Android versions so that system theme/icon changes take effect immediately
  • system theme: switch to a more unique blue Material You color palette based around #1565C0
  • Updater: adjust colors to match Settings app
  • Vanadium: update Chromium base to 95.0.4638.74

2021110122

Tags:

Changes since the 2021102613 release:

  • full 2021-11-01 security patch level
  • full 2021-11-05 security patch level
  • full 2021-11-06 security patch level
  • rebased onto SP1A.211105.004 release
  • system theme: switch to pure blue Material You color palette as a starting point for a GrapheneOS theme
  • Updater: drop unused androidx legacy support library
  • Updater: raise minSdkVersion to 31 (Android 12)
  • Updater: stop marking settings activity as direct boot aware since it's never used before unlocking
  • Updater: remove obsolete receiver from manifest
  • android-prepare-vendor: overhaul Pixel 4, Pixel 4 XL and Pixel 4a support including building more AOSP modules

2021102613

Tags:

  • SP1A.210812.015.2021102613 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102503 release:

  • Updater: split up install progress notification into stages
  • include standard display cutout overlays across all devices
  • temporarily disable broken 'Render apps below cutout area' display cutout developer option to avoid it breaking loading SystemUI on boot
  • temporarily disable user-facing crash reporting for com.android.systemui due to an upstream AOSP 12 bug causing false positive reports of it being frozen (this change didn't end up successfully silencing the false positives so a different approach will be needed)

2021102503

Tags:

  • SP1A.210812.015.2021102503 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102300 release:

  • enable gestural navigation overlay to match default nav mode (fixes navigation bar style after factory reset or provisioning new users)
  • Launcher: temporarily disable new animation feature flags (these appear to be buggy)
  • Clock: roll back to GrapheneOS Android 11 Clock app since the AOSP 12 Clock app is buggy
  • Dialer: revert to prior visual voicemail configuration until the new configuration is properly handled

2021102300

Tags:

  • SP1A.210812.015.2021102300 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102203 release:

  • revert our change enabling the legacy wifi/cellular quick tiles until the upstream code is fixed
  • improve delta generation script
  • Messaging: add built-in battery optimization exception
  • Messaging: fix cellbroadcast package name
  • Messaging: stop using platform certificate
  • Dialer: update visual voicemail configuration for SP1A.210812.015
  • keep PIN scrambling keypad number descriptions in sync with digits
  • update PIN UI appearance for Android 12 in PIN scrambling implementation

2021102203

Tags:

  • SP1A.210812.015.2021102203 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021102020 release:

  • Settings: add back reset text change lost in the port to Android 12
  • fix inclusion of up-to-date per-device APN database for Pixels
  • Pixel 4a: fix build system issue causing device specific APN / carrier configuration to be omitted
  • support using the legacy wifi/cellular quick tiles (combined internet quick tile will still be used by default)
  • Dialer: improve swipe to accept/reject calls
  • Dialer: fix issue with USB headset audio routing
  • Dialer: add dark theme and fix issues tied to it
  • improve release signing and delta generation scripts

2021102020

This is the initial production release of GrapheneOS based on Android 12. It's already fully functional and quite stable. Android 12 brings substantial improvements to privacy, security, functionality, performance and aesthetics. GrapheneOS features have been fully ported to Android 12 and also substantially improved as part of the migration process. The release notes below cover the full port of our features to Android 12 as a single entry in the list and improvements beyond porting are listed separately.

Tags:

  • SP1A.210812.015.2021102020 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, emulator, generic, other targets)

Changes since the 2021100606 release:

  • full port of all existing GrapheneOS features to Android 12
  • full 2021-10-05 security patch level for userspace device support code (kernel already on 2021-10-05)
  • rebased onto SP1A.210812.015 release
  • Sandboxed Play services compatibility layer: add support for Play services Android 12 releases (Android 11 releases still mostly work but we'll be recommending/mirroring the Android 12 releases)
  • make release signing otacerts.zip generation reproducible
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: target ARMv8.2-DotProd architecture and Cortex-A76 CPU for ART and native code instead of producing generic ARMv8 code
  • use modern rounded corners by default
  • use new privacy indicators for location
  • raise permission usage history from 1 day to 7 days
  • enable permission history for all permission groups
  • use speed compiler filter for dexpreopt by default (converted from build configuration to build system to cover product/vendor/system_ext)
  • temporarily disable user-facing crash reporting for com.android.statementservice (Intent Filter Verification Service) due to an upstream AOSP 12 bug causing an uncaught exception when it tries to send too much data in the intents for jobs it runs via WorkManager
  • Launcher: backport multiple fixes from AOSP master
  • Launcher: enable new app open/close animations
  • Launcher: enable crossfade when changing theme
  • Launcher: enable new keyguard-to-launcher animation
  • Launcher: add Settings to center of default 5x5 dock
  • Launcher: add 2x2 workspace grid option
  • Launcher: reduce app label text size
  • Launcher: fix upstream issue causing missing screenshot button
  • Launcher: add ripple animation to task menu items
  • Launcher: fix all apps header color in dark mode
  • Launcher: fix Personal/Work profile tab colors in All Apps
  • Launcher: improve search bar UI in All Apps
  • SystemUI: change default quick tiles and quick tile order
  • Settings: update screen reader configuration for TalkBack so it shows up as a system screen reader again
  • Settings: add dark mode support for app installation restriction icon
  • SetupWizard: update to latest upstream code
  • SetupWizard: remove mention of pattern unlock in strings
  • Updater: update to target API level 31 (Android 12)
  • Updater: use Android 12 foreground service setup
  • Vanadium: update Chromium base to 94.0.4606.80
  • Vanadium: update Chromium base to 94.0.4606.85
  • Vanadium: update Chromium base to 95.0.4638.50
  • Vanadium: temporarily disable dexpreopt for browser and WebView (but not the library) due to lack of support in the Android 12 dexpreopt system
  • Seedvault: update to latest revision
  • TalkBack (screen reader): set app label to TalkBack
  • Auditor: update to version 34

2021100606

Tags:

Changes since the 2021100502 release:

  • backport of the Android 12 GrapheneOS Pixel kernels to Android 11 GrapheneOS including the full 2021-10-05 kernel patch level (full set of fixes for firmware and userspace aren't public yet and will be provided by the upcoming release of Android 12 for Pixels)
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 5, Pixel 5a): rebase onto Android 12 SP1A.210812.016 kernel releases
  • kernel (Pixel 4, Pixel 4 XL, Pixel 5, Pixel 5a): temporarily disable unnecessary DEBUG_NOTIFIERS feature (type-based CFI obsoletes it as a security feature) due to an incompatibility with the updated Android 12 kernel LLVM toolchain (discovered issue is benign but we'll be fixing it in a future release)

2021100502

Tags:

Changes since the 2021100103 release:

  • full 2021-10-01 security patch level
  • partial 2021-10-05 security patch level (full set of fixes aren't public yet and will be provided by the upcoming release of Android 12 for Pixels)
  • rebased onto RQ3A.211001.001 and RD2A.211001.002 releases
  • drop our downstream workaround for use-after-free vulnerability in init now that the issue we reported is fixed upstream

2021100103

Tags:

Changes since the 2021092612 release:

  • Vanadium: update Chromium base to 94.0.4606.71
  • change generated carrier configurations to always allow editing APNs
  • always show APN settings on CDMA carriers
  • automate APN / carrier settings updates

2021092612

Tags:

Changes since the 2021092220 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): apply upstream fix for ION use-after-free vulnerability
  • Vanadium: update Chromium base to 94.0.4606.61
  • android-prepare-vendor: remove a bunch of unused code / functionality
  • android-prepare-vendor: skip all kernel modules

2021092220

Tags:

Changes since the 2021091407 release:

  • Auditor: update to version 32
  • Auditor: update to version 33
  • Vanadium: update Chromium base to 94.0.4606.50
  • TalkBack (screen reader): update SDK and build tools versions
  • clean up build scripts

2021091407

Tags:

Changes since the 2021090819 release:

  • Sandboxed Play services compatibility layer: stub out DeviceConfig APIs by ignoring device configuration writes instead of throwing a SecurityException
  • Sandboxed Play services compatibility layer: stub out DropBoxManager API by pretending no crash dumps, logs, etc. are available instead of throwing a SecurityException
  • Sandboxed Play services compatibility layer: stub out getImei API by pretending IMEI cannot be retrieved instead of throwing a SecurityException
  • Seedvault: add missing permission needed for UserManager restriction security fix in the last release
  • Seedvault: update to latest revision
  • TalkBack (screen reader): update base version to 370044210 and port our changes (Switch Access service has been dropped upstream)
  • Auditor: update to version 30
  • Auditor: update to version 31
  • Vanadium: update Chromium base to 93.0.4577.82

2021090819

Tags:

Changes since the 2021090401 release:

  • full 2021-09-01 security patch level
  • full 2021-09-05 security patch level
  • rebased onto RQ3A.210905.001 and RD2A.210905.003 releases
  • kernel (Pixel 4a (5G), Pixel 5): use device-specific dtbo.img
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a: update APNs
  • Pixel 5a: add missing configuration for biometric sensors (fingerprint sensor)
  • Pixel 5a: declare Pixel features are available so that apps with Pixel-specific features will use them
  • Seedvault: respect UserManager restrictions on app installation to avoid providing a way to bypass device management restrictions
  • Seedvault: show experimental restore backup option in backup settings instead of only supporting restore in the initial setup wizard

2021090401

Tags:

Changes since the 2021082501 release:

  • add experimental Pixel 5a support via device support branch
  • Settings: add back past GrapheneOS feature for toggling whether secondary users can install new apps
  • Vanadium: update Chromium base to 92.0.4515.166
  • Vanadium: update Chromium base to 93.0.4577.62
  • Vanadium: hide sign in preference when disallowed
  • Vanadium: disable using Play services as a source for certain Google fonts
  • automatically disable UART debugging when flashing factory images (GrapheneOS already extends the notification about it to production builds)
  • Auditor: update to version 29
  • SetupWizard: properly disable system UI navigation for the entire setup process
  • kernel (Pixel 4a (5G), Pixel 5): drop unnecessary Wi-Fi driver change from our previous downstream security fixes
  • Pixel 4, Pixel 4 XL: enable saturated color option

2021082501

Tags:

  • RQ3A.210805.001.A1.2021082501 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021081822 release:

  • Updater: move settings into a preference category
  • Updater: add detailed information to the error messages
  • Auditor: update to version 28
  • Vanadium: move search suggestions toggle to privacy menu
  • Vanadium: remove empty account category and Services menu from the main menu
  • Sandboxed Play services compatibility layer: add shim to make Play services use the regular cellular geolocation API instead of attempting and failing to use a special API requiring MODIFY_PHONE_STATE to attribute power consumption to the app responsible for the request to Play services
  • Sandboxed Play services compatibility layer: add shims making Play services use the unprivileged AppOps proxy API instead of attempting and failing to use the privileged APIs for blaming other apps (it can still blame other apps via the proxy API, but the OS treats it as an untrusted claim)
  • Sandboxed Play services compatibility layer: add shim making Play services use UserManager.hasUserRestriction instead of UserManager.hasBaseUserRestriction to avoid requiring privileged permissions and to return correct answers since it can't bypass device management

2021081822

Tags:

  • RQ3A.210805.001.A1.2021081822 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021081411 release:

  • Vanadium: update Chromium base to 92.0.4515.159
  • Vanadium: improved implementation of not giving the default search engine permissions now that Chromium has support for it
  • Updater: avoid error messages being truncated by using expandable notifications for them
  • Settings: fix upstream bug preventing setting pictures for user profiles
  • Settings: backport upstream fix for user edit dialog breaking from rotation
  • Settings: add LTE only mode entry when carrier enables world mode too
  • Sandboxed Play services compatibility layer: fix detection of system processes in secondary users
  • Sandboxed Play services compatibility layer: handle edge case of packages without data directories

2021081411

Tags:

  • RQ3A.210805.001.A1.2021081411 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.08.09.02 release:

  • remove periods from build number (2nd half of the full version) to improve compatibility with apps wrongly assuming they can parse it as an integer (including Google Camera for Night Sight feature detection)
  • Settings: add 3rd option to connectivity check setting for disabling it (will prevent falling back to other networks from a broken one and handling captive portals)
  • Settings: ignore carrier asking the OS not to show the preferred network setting, similar to how we already ignore being instructed to disallow tethering
  • further fixes for the upstream code implementing the eBPF-based INTERNET permission (fixes cases where it was overly restrictive for secondary users, but we already prevented it from being overly permissive by adding back the simpler pre-eBPF approach as a 2nd layer of enforcement)
  • Sandboxed Google Play compatibility layer: disable shared user id check since it isn't relevant to GrapheneOS and it appears that it may be causing issues

2021.08.09.02

Tags:

  • RQ3A.210805.001.A1.2021.08.09.02 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.08.03.03 release:

  • Sandboxed Google Play compatibility layer: add infrastructure / shims to support dynamite modules (dynamically loaded modules including Maps API support)
  • Vanadium: update Chromium base to 92.0.4515.131
  • Vanadium: disable trials of privacy-aware analytics/advertising APIs
  • Vanadium: remove unwanted sync and services link
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml

2021.08.03.03

Tags:

  • RQ3A.210805.001.A1.2021.08.03.03 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.26.20 release:

  • full 2021-08-01 security patch level
  • full 2021-08-05 security patch level
  • rebased onto RQ3A.210805.001.A1 release
  • kernel (Pixel 4a (5G), Pixel 5): backport implementation of IPv6 temporary addresses (RFC4941) as a replacement for the legacy privacy address implementation, removing the need for our work on mitigating the issues with them (still used for older generation devices)
  • Updater: use System Updater as the app name
  • Updater: show when status notifications occurred
  • Updater: add notification settings shortcut to update settings
  • Sandboxed Google Play compatibility layer: add compatibility shims for secondary user support
  • Sandboxed Google Play compatibility layer: use unified GmsCompat/ prefix for log tags
  • Sandboxed Google Play compatibility layer: add shim for AppOpsManager#startOpNoThrow
  • Sandboxed Google Play compatibility layer: move foreground service notification channel to dedicated Compatibility notification channel group
  • Sandboxed Google Play compatibility layer: add proper description to foreground service notification
  • Sandboxed Google Play compatibility layer: add shortcut for opening the notification channel settings from the foreground service notifications

2021.07.26.20

Tags:

  • RQ3A.210705.001.2021.07.26.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.19.18 release:

  • Updater: add detailed failure / success notifications. The next release will enable the timestamp to show when it happened. You can turn off the 'Already Updated' notification channel if you don't want those minimum priority notifications with no status icon collapsed at the bottom.
  • Vanadium: update Chromium base to 92.0.4515.105
  • Vanadium: update Chromium base to 92.0.4515.115
  • Vanadium: drop removal of speculative service worker start for search
  • init: fix use-after-free from event handling callbacks (issue uncovered by hardened_malloc in certain situations like unplugging a USB keyboard, etc.)
  • fix PermissionController UI for Sensors/Network permissions with legacy API < 23 apps (i.e. apps without proper support for Android Marshmallow and beyond)
  • Sandboxed Google Play compatibility layer: disable badge for foreground service notification by default
  • Settings: drop support for showing nearby devices from Play since it can't function without Play having any special privileges
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): improve support for hosting servers by enabling SYN cookies for denial of service resistance like newer generation devices
  • hardened_malloc: update libdivide to 5.0.0

2021.07.19.18

Tags:

  • RQ3A.210705.001.2021.07.19.18 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.16.19 release:

  • Settings: fix displaying setting for GrapheneOS USB accessory policy (deny new usb)
  • Settings: hide insecure pattern lock option (either use a randomly generated 6-8 digit PIN for secure encryption based on secure element throttling or a strong randomly generated passphrase to avoid depending on the secure element, not this misguided pattern option with ridiculously low entropy)
  • Sandboxed Google Play compatibility layer: return false for SIM card lock check rather than throwing a SecurityException
  • Sandboxed Google Play compatibility layer: avoid throwing an exception in certain edge cases for secondary users when checking whether the compatibility shims should be enabled for a process (i.e. when checking if the process is one of the 3 core Play apps)
  • Vanadium: update Chromium base to 91.0.4472.164

2021.07.16.19

Tags:

  • RQ3A.210705.001.2021.07.16.19 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.07.07.19 release:

  • add experimental support for running Play services and friends as sandboxed user-installed apps without any special privileges
  • Settings: use alternate implementation of Wi-Fi auto-turn-off setting matching the Bluetooth auto-turn-off UX
  • overhaul Wi-Fi auto-turn-off implementation including handling the case of Wi-Fi being turned on without connecting to a network
  • add lower auto-reboot timeout options
  • display notification when UART is enabled in the bootloader configuration for user builds too (where it isn't supported by userspace, but still provides firmware and kernel logs) rather than only in userdebug builds
  • Seedvault: update to latest revision
  • Seedvault: switch to GrapheneOS fork with intent access restricted to prevent other apps from spawning the activities
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: set product brand to hardware brand
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: remove aosp_ prefix from product names

2021.07.07.19

Tags:

  • RQ3A.210705.001.2021.07.07.19 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.06.20.20 release:

  • full 2021-07-01 security patch level
  • full 2021-07-05 security patch level
  • rebased onto RQ3A.210705.001 release
  • reimplement Bluetooth auto-turn-off feature to avoid using the Settings app for the implementation (fixes reliability issues)
  • add experimental Wi-Fi auto-turn-off feature based on reimplementation of Bluetooth auto-turn-off (will not kick in when Wi-Fi is turned on without connecting to a network until the next release)
  • Updater: display progress for the short phase of verifying the update
  • Updater: reuse the same progress notification for downloading, verifying and installing the update
  • Updater: only alert once for progress notifications if the user raises the notification importance level
  • Updater: use foreground service via progress notification
  • Vanadium: update Chromium base to 91.0.4472.120
  • Vanadium: update Chromium base to 91.0.4472.134
  • Seedvault: update to latest revision

2021.06.20.20

Tags:

  • RQ3A.210605.005.2021.06.20.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.06.09.13 release:

  • Vanadium: update Chromium base to 91.0.4472.101
  • Vanadium: update Chromium base to 91.0.4472.114
  • Vanadium: add toggle to Privacy and security settings for disabling JIT compilation and using fully interpreted JavaScript via fast interpreter
  • kernel (Pixel 4a (5G), Pixel 5): fix upstream module load order issues when modules are built into the kernel
  • kernel (Pixel 4a (5G), Pixel 5): build in every module and disable dynamic kernel module support again to restore finer-grained Control Flow Integrity (CFI) and attack surface reduction
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): generate a new privacy address when connecting to a network as a temporary partial workaround for the broken upstream privacy address implementation before Linux 5.8 (the privacy address standard itself was flawed and Linux 5.8+ has an implementation of the fixed standard, which we've suggested that Android backport in our upstream report)
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: declare Pixel features are available so that apps with Pixel-specific features will use them

2021.06.09.13

Tags:

  • RQ3A.210605.005.2021.06.09.13 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.06.08.06 release:

  • re-enable current camera/microphone privacy indicator implementation
  • kernel (Pixel 4a (5G), Pixel 5): use new GNU assembler (gas) prebuilts and drop all other usage of the GNU toolchain since LLVM provides everything else (LLVM assembler is used for userspace, but can't yet handle the Linux kernel)
  • kernel (Pixel 4a (5G), Pixel 5): temporarily move to building and using dynamic kernel modules (same list as AOSP) to work around new issues with monolithic builds until we have time to resolve it to improve CFI granularity again
  • android-prepare-vendor (Pixel 4a (5G), Pixel 5): remove previously unused stock OS kernel modules now that we're temporarily enabling dynamic kernel module support so that only our builds of kernel modules are being used
  • Updater: add support for custom accent color

2021.06.08.06

Tags:

  • RQ3A.210605.005.2021.06.08.06 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.05.29.09 release:

  • full 2021-06-01 security patch level
  • full 2021-06-05 security patch level
  • rebased onto RQ3A.210605.005 release, initial release of Android 11 QPR3 (Quarterly Platform Release 3)
  • experimental new feature for configuring auto-reboot after N hours of the device being locked to put all logged in user profiles back at rest (i.e. data inaccessible to the OS until logged in again) when the device isn't in your possession
  • kernel (Pixel 4a (5G), Pixel 5): apply fixes for 2 Qualcomm Wi-Fi driver vulnerabilities from CAF missed in the upstream December 2020 security update for Pixels
  • Vanadium: update Chromium base to 91.0.4472.88
  • android-prepare-vendor: fix resuming image downloads due to broken HTTP/2 server semantics
  • Settings: fix hardcoded black text in storage summary
  • remove redundant property for disabling OpenGL preloading
  • update kernel build tools used for Pixel 4a (5G), Pixel 5 and beyond

2021.05.29.09

Tags:

Changes since the 2021.05.19.06 release:

  • prevent DHCP (IPv4) from reusing state across connections to the same network when full MAC randomization is enabled
  • Vanadium: update Chromium base to 91.0.4472.77
  • Vanadium: enable opportunistic HTTPS by default
  • Vanadium: disable mobile identity consistency by default
  • revert our change adding the screenshot button to the power menu for 3-button navigation since it's provided by the recent apps activity for both gesture and 3-button navigation (we originally added it back for both 2-button and 3-button navigation even though it was only needed for 2-button navigation, and then the stock OS implemented the same fix only for 2-button navigation, which makes more sense)

2021.05.19.06

Tags:

Changes since the 2021.05.16.04 release:

  • Settings: remove field referencing the mainline module (APEX) version (also known as the Google Play system update version) since we ship these changes as part of the OS and have out-of-band module updates disabled since we have no use for them
  • remove legacy Calendar widget
  • add toggle for disabling fingerprint unlock while having fingerprints registered for usage in apps (authentication and protecting hardware keystore keys)
  • Auditor: update to version 27

2021.05.16.04

Tags:

Changes since the 2021.05.04.01 release:

  • enable gesture navigation by default (see our guide on system navigation for details on using gesture navigation and switching to a button-based navigation)
  • Updater: fix minor theme issue for light theme when pressing preferences
  • replace our workaround for an upstream user profile crash issue with a proper upstream fix from Sony
  • replace our workaround for another upstream user profile crash issue with a proper fix based on the approach of the fix from Sony
  • Vanadium: update Chromium base to 90.0.4430.210
  • hardened_malloc: purge memory even if VMA exhaustion causes munmap or MAP_FIXED mmap calls to fail
  • hardened_malloc: increase class region size on x86_64 to 32GiB
  • hardened_malloc: increase class region size on arm64 to 2GiB (should be 32GiB on devices where we've enabled 4-level page tables but that requires setting up build configuration infrastructure)
  • raise vm.max_map_count further to have even more leeway before VMA exhaustion occurs from fine-grained guard regions
  • kernel (Pixel 4a (5G), Pixel 5): fix build reproducibility issue by backporting upstream fix
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): make CONFIG_LOCALVERSION_AUTO ignore Git tags so adding tags doesn't change the result of a build
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): apply fixes for 2 Qualcomm audio driver vulnerabilities from CAF including one missed in the upstream May 2021 security update for Pixels
  • kernel (Pixel 4a): apply fix for use-after-free in GPU driver missed in the upstream security updates for the Pixel 4a
  • switch HTTPS network time URL from / to /generate_204 to allow for a future / redirect

2021.05.04.01

Tags:

Changes since the 2021.04.22.20 release:

  • full 2021-05-01 security patch level
  • full 2021-05-05 security patch level
  • rebased onto RQ2A.210505.003 release
  • enable backup service for non-owner users so that secondary users can be backed up
  • add SetupWizard activities for secondary users including support for restoring backups
  • Settings (Accessibility): add Monochromacy (grayscale) option to color correction
  • improve the newer generation eBPF-based implementation of the INTERNET permission to properly support revoking the permission in secondary profiles (we'll be keeping our restoration of the much simpler non-eBPF-based approach to avoid relying on this on devices using our hardened kernels)
  • Vanadium: update Chromium base to 90.0.4430.91
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: set slot number for eSIM (still need an eSIM activation app since it's one of the remaining missing components from not including Google apps and services)
  • hardened_malloc: use 1 slot for all extended size classes (reduces memory usage and improves security in combination with the guard slab feature)
  • use system theme accent color for fingerprint dialog instead of teal
  • integrate modern Android theme and wallpaper configuration
  • remove legacy WallpaperPicker app
  • Updater: modernize update settings via androidx preference library (new theme has minor quirks we'll be fixing in the next release)
  • use alternate grapheneos.online domain for connectivity check / captive portal fallback URLs to improve handling of future issues comparable to Quad9 temporarily blocking grapheneos.network due to some kind of false positive
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml

2021.04.22.20

Tags:

  • RQ2A.210405.005.2021.04.22.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.04.16.04 release:

  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): update our change to use max ASLR entropy before the init process enables it for the larger address space enabled by GrapheneOS
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): add back hard-wired check for the INTERNET permission on socket creation at least until the eBPF code is improved and fixed to work properly for secondary profiles
  • Vanadium: disable unused FLOC feature
  • Vanadium: update Chromium base to 90.0.4430.82

2021.04.16.04

Tags:

  • RQ2A.210405.005.2021.04.16.04 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.04.05.20 release:

  • kernel (Pixel 4a (5G), Pixel 5): rebuild with updated techpack/camera submodule
  • add back support for fully disabling native debugging (ptrace) support in Settings → Security
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): enable support for native debugging (ptrace) toggle via Yama
  • Settings: add back extra field with bootloader version
  • Settings: only allow disabling Vanadium WebView library via developer tools since disabling it breaks app compatibility and almost always results in crashes rather than user friendly errors, including for base OS components using it
  • Vanadium: update Chromium base to 90.0.4430.66
  • Vanadium: fully disable autofill assistant
  • Vanadium: disable unused autofill assistant configuration
  • Vanadium: disable speculative service worker start by default
  • Vanadium: disable safety check for Android by default
  • Vanadium: disable new interest feed feature too
  • Vanadium: disable unused password check feature

2021.04.05.20

Tags:

  • RQ2A.210405.005.2021.04.05.20 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.30.02 release:

  • full 2021-04-01 security patch level
  • full 2021-04-05 security patch level
  • rebased onto RQ2A.210405.005 release
  • SetupWizard: rebrand to GrapheneOS for other languages

2021.03.30.02

Tags:

  • RQ2A.210305.006.2021.03.30.02 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.19.14 release:

  • hardened_malloc: add initial malloc_trim slab quarantine purging to reduce system memory usage from the slab quarantine without sacrificing security
  • Vanadium: update Chromium base to 89.0.4389.105
  • android-prepare-vendor (Pixel 4a (5G), Pixel 5): stop incorrectly treating new vendor_boot partition as a firmware partition and use our own build
  • SetupWizard: update to latest upstream code

2021.03.19.14

Tags:

  • RQ2A.210305.006.2021.03.19.14 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.06.00 release:

  • integrate the latest open source release of TalkBack and Switch Access as first party accessibility services again (a text-to-speech service like RHVoice needs to be installed, configured and enabled to be able to use TalkBack)
  • SELinux policy: add back removing tmpfs execute for all base system app domains
  • SELinux policy: expand exception from ashmem execute restriction to legacy non-base system app domains (was more strict than currently intended since we don't want to break app compatibility)
  • add Bluetooth timeout feature with a security fix applied to the original implementation
  • Updater: rename title of the management activity launched via Settings
  • set GrapheneOS launcher as a default notification listener on fresh installs so that the default enabled notification integration is permitted by default like the stock OS (existing users still need to manually enable the permission for the built-in launcher)
  • add back removing DUN requirement for tethering
  • add back ignoring tethering provisioning requirement
  • enable app compaction by default
  • enable app freezer by default
  • enable camera/microphone usage indicators by default
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): switch from standard 39-bit address space to 48-bit address space via 4-level page tables
  • Vanadium: update Chromium base to 89.0.4389.86
  • Vanadium: update Chromium base to 89.0.4389.90
  • Vanadium: enable partitioning connections by default
  • hardened_malloc: update libdivide to 4.0.0
  • hardened_malloc: use longer region quarantine random array (256 regions instead of 128)
  • Auditor: update to version 26

2021.03.06.00

Tags:

  • RQ2A.210305.006.2021.03.06.00 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.03.02.10 release:

  • Vanadium: update Chromium base to 89.0.4389.72
  • Vanadium: enable user agent freeze by default
  • Vanadium: disable building code as dynamic feature modules
  • kernel (Pixel 4a): fix techpack/audio build reproducibility issue
  • backport upstream fix for building on compressed filesystems
  • Calendar: remove launcher icon since the app exists for compatibility / testing
  • Seedvault: update to latest revision

2021.03.02.10

Tags:

  • RQ2A.210305.006.2021.03.02.10 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.26.16 release:

  • full 2021-03-01 security patch level
  • full 2021-03-05 security patch level
  • rebased onto RQ2A.210305.006 release, initial release of Android 11 QPR2 (Quarterly Platform Release 2)
  • Settings (Pixel 4, Pixel 4 XL, Pixel 5): enable refresh rate control
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml
  • Pixel 4a: fix SystemUI memory pinning

2021.02.26.16

Tags:

  • RQ1A.210205.004.2021.02.26.16 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.23.15 release:

  • hardened_malloc: add back workarounds for camera driver bugs on the Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL

2021.02.23.15

Tags:

  • RQ1A.210205.004.2021.02.23.15 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.19.15 release:

  • Camera: set flash mode to off by default (camera flash causes a substantial delay and substantially lower image quality so it generally isn't desirable)
  • system theme: use black for settings background in the dark theme
  • drop legacy code for setting Seedvault as the enabled backup service
  • hardened_malloc: drop workarounds for camera driver bugs on the Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL
  • hardened_malloc: drop workaround for USB audio bug

2021.02.19.15

Tags:

  • RQ1A.210205.004.2021.02.19.15 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.07.17 release:

  • Vanadium: update Chromium base to 88.0.4324.181
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml
  • Auditor: update to version 24
  • Auditor: update to version 25
  • Pixel 4a: set boot security patch level to leverage the YYYY-MM-01 vs. YYYY-MM-05 distinction for attestation
  • Pixel 4a (5G), Pixel 5: complete initial device support including porting hardening features
  • kernel (Pixel 4a (5G), Pixel 5): enable slab canary feature
  • kernel (Pixel 4a (5G), Pixel 5): set correct variable for 32-bit vdso toolchain
  • kernel (Pixel 5): disable unnecessary touch driver
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): use LLVM toolchain for everything other than the assembler
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use LLVM toolchain for everything other than the assembler and target linker
  • kernel (Pixel 4a (5G), Pixel 5): use new kernel build-tools prebuilts repository

2021.02.07.17

Tags:

  • RQ1A.210205.004.2021.02.07.17 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.06.05 release:

  • fix added error reporting code for HTTPS-based network time updates
  • Seedvault: update to latest revision

2021.02.06.05

Tags:

  • RQ1A.210205.004.2021.02.06.05 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.02.09 release:

  • Vanadium: update Chromium base to 88.0.4324.152
  • rework the GrapheneOS HTTPS-based network time updates to enforce certificate expiry based on the OS build date for the whole certificate chain to avoid failing to fix significant time sync issues while still having a reasonable expiry check

2021.02.02.09

Tags:

Changes since the 2021.01.23.03 release:

  • full 2021-02-01 security patch level
  • full 2021-02-05 security patch level
  • rebased onto RQ1A.210205.004 release
  • Vanadium: update Chromium base to 88.0.4324.141
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): make more data read-only per newer device kernels

2021.01.23.03

Tags:

Changes since the 2021.01.05.03 release:

  • system theme: use slightly different accent color for the dark theme
  • Dialer: add carrier-specific visual voicemail configurations
  • Vanadium: update Chromium base to 87.0.4280.141
  • Vanadium: update Chromium base to 88.0.4324.93
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): use UTC for kernel timestamp to make reproducible builds easier
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): update toolchain's toybox prebuilt for various fixes including fixing an issue with the date command causing a build reproducibility issue
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): apply upstream patch avoiding truncation of kernel debug symbol names generated when using Clang type-based CFI
  • adjust kernel configuration tests to permit disabling dynamic kernel modules for new kernel variants
  • fix dark theme issue with Settings app search panel
  • Camera2: backport fix for interaction with lockscreen
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: update APNs with carriersettings-extractor
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: add CarrierConfig vendor.xml from the stock OS with entries depending on Google and carrier apps stripped out

2021.01.05.03

Tags:

Changes since the 2020.12.12.03 release:

  • full 2021-01-01 security patch level
  • full 2021-01-05 security patch level
  • rebased onto RQ1A.210105.003 release
  • Settings: update GrapheneOS connectivity check URLs to match NetworkStack
  • Camera: remove unused Wi-Fi state permissions
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: update APNs with carriersettings-extractor
  • adjust kernel configuration tests to permit not having BPF_JIT since we don't have it enabled
  • add check for empty TTS engine name to address upstream bug
  • Vanadium: enable split cache by default
  • Vanadium: add back legacy media file access support for now
  • Vanadium: rename WebView and library apps based on the vanadium.app domain
  • Seedvault: update to latest revision
  • remove unnecessary vendor overlays
  • SetupWizard: change OS name to GrapheneOS for backup activity strings again
  • fix use-after-free in adbd authentication which was breaking support for persistently trusting keys due to zero-on-free
  • system theme: use blue accent color
  • replace default AOSP wallpaper with a solid black wallpaper — may get a bit fancier in the near future
  • update round icon mask
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: always use dark theme for boot chain firmware
  • Pixel 3a, Pixel 3a XL: disable unused dynamic kernel module support to match other devices
  • Updater: disconnect keepalive connection when service is done

2020.12.12.03

Tags:

Changes since the 2020.12.08.08 release:

  • Vanadium: disable WebView variations support
  • SetupWizard: update to latest upstream code
  • NetworkStack: switch to grapheneos.network for connectivity checks to improve compatibility with captive portals lacking support for the built-in login interface (HSTS preloading for grapheneos.org breaks the fallback browser login notification)

2020.12.08.08

Tags:

Changes since the 2020.11.27.15 release:

  • full 2020-12-01 security patch level
  • full 2020-12-05 security patch level
  • rebased onto RQ1A.201205.010 release
  • script: support any number of source versions for deltas
  • set read timeout for HTTPS network time connections
  • disable keepalive for HTTPS network time connections
  • always disconnect HTTPS network time connections
  • remove unnecessary Accept-Charset header for HTTPS network time requests
  • Vanadium: ask permission to play protected media by default
  • Vanadium: disable autofill server communication by default
  • Vanadium: update Chromium base to 87.0.4280.86
  • Vanadium: update Chromium base to 87.0.4280.101
  • Settings: remove partial MAC randomization translations
  • Auditor: update to version 23
  • downstream fix for VPN lockdown being overridden when stopping users replaced by upstream fix

2020.11.27.15

Tags:

Changes since the 2020.11.25.22 release:

  • Vanadium: disable autofill assistant by default (restores previous Vanadium behavior)
  • Vanadium: backport upstream fix for missing manifest changes (this fixes issues with opening URLs in external apps)
  • Vanadium: disable component updater pings by default
  • Settings: disallow configuring connectivity checks for users disallowed to configure Private DNS by the administrator (in theory, it could be a separate option, but we need to use one that's already part of the public API)

2020.11.25.22 preview

Tags:

Changes since the 2020.11.05.18 release:

  • PDF Viewer: update to version 6
  • NFC: backport compatibility fix for certain broken apps from AOSP master
  • Bluetooth: backport fix for Bluetooth capacity string
  • Vanadium: update Chromium base to 86.0.4240.198
  • Vanadium: update Chromium base to 87.0.4280.66
  • Vanadium: disable new high-level functionality for fetching variations
  • Vanadium: disable unused Omaha update check support
  • Vanadium: disable GaiaAuthFetcher code due to upstream bug
  • Vanadium: disable deprecated FTP support by default
  • Pixel 4 XL: correctly mark certain unsupported features as unavailable per the Pixel 4
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: use device-specific NFC configuration
  • add initial runtime flags handling for exec-based spawning to improve compatibility
  • Pixel 3, Pixel 3 XL, Pixel 4, Pixel 4 XL, Pixel 4a: disable chained vbmeta to simplify verified boot and improve attestation (Pixel 3a and Pixel 3a XL never used this)
  • Seedvault: update to latest revision
  • NetworkStack: remove change to connectivity check handling that's no longer required with Android 11
  • use GrapheneOS connectivity check server by default for connectivity checks in the OS
  • Settings: add setting to toggle between GrapheneOS connectivity check server and the standard Android connectivity check URLs to continue supporting blending in with other Android devices without a VPN
  • Updater: remove unused READ_PHONE_STATE permission

2020.11.05.18

While waiting for this release to become available, you can manually add a battery optimization exemption for the Clock app via Settings ➔ Apps & notifications ➔ Special app access ➔ Battery optimization where you can select "All apps", scroll down to the Clock app and manually add an exemption. Should get this added upstream.

Tags:

Changes since the 2020.11.03.03 release:

  • Clock: add battery optimization exemption required for the new target API level (this is missing in AOSP)

2020.11.03.03

Pixel 2 and Pixel 2 XL support will now be provided via separate extended support releases for obsolete devices. We'll be making the first one based on an official release in the near future. They can only reach the 2020-11-01 security patch this month due to the lack of a release with changes outside the scope of AOSP such as new GPU firmware.

Tags:

Changes since the 2020.10.23.04 release:

  • full 2020-11-01 security patch level
  • full 2020-11-05 security patch level
  • rebased onto RP1A.201105.002 release
  • Vanadium: update Chromium base to 86.0.4240.110
  • Vanadium: update Chromium base to 86.0.4240.114
  • Vanadium: update Chromium base to 86.0.4240.185
  • Vanadium: enable prefetch privacy changes by default
  • Vanadium: enable reduced referrer granularity by default
  • Camera: request fine location instead of coarse location for the disabled-by-default geotagging feature
  • Camera: remove unused INTERNET permission
  • Clock: apply assorted fixes from upstream
  • add explicit detection of fastboot being missing to the factory images flash-all scripts
  • Gallery: apply upstream fix from NXP for null pointer dereference bug
  • Auditor: update to version 22
  • script: make generate_deltas ask for the password only once
  • enable screenshot action for 3 button nav too (the upstream release limited it to being enabled for 2 button navigation)

2020.10.23.04

Tags:

Changes since the 2020.10.06.02 release:

  • Vanadium: update Chromium base to 86.0.4240.75
  • Vanadium: update Chromium base to 86.0.4240.99
  • Vanadium: remove deprecated, unused storage permissions
  • replace standard WebView with Vanadium WebView again
  • Pixel 4, Pixel 4 XL: disable unsupported aware feature so that ambient display is available
  • Seedvault: switch to upstream development branch now that it supports Android 11
  • SELinux policy: port hardening from Android 10
  • hardened_malloc: log fatal errors (detected memory corruption bugs) to Android's log system
  • fix minor issues with Android 11 port of Wi-Fi and Bluetooth quick tile unlock requirement
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): apply Bluetooth fixes from the stable kernel branch including fixes for CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490
  • improve experimental support for the Pixel 4a including porting most device-specific changes implemented for other devices

2020.10.06.02

Tags:

Changes since the 2020.10.01.23 release:

  • full 2020-10-01 security patch level
  • full 2020-10-05 security patch level
  • rebased onto RP1A.201005.006 release
  • hardened_malloc: optimize and harden initialization sanity checks
  • work around upstream bug causing null pointer crashes from media notifications in secondary profiles
  • enable secondary user logout support by default (purges credential encrypted storage keys from memory)
  • add back screenshot action to global action list as an alternative to the key chord (power button + volume down) and screenshot button in the gesture navigation recent apps list
  • reject received unix timestamps before build unix time for HTTPS-based network time implementation
  • Clock: apply fixes for various upstream issues
  • Updater: harden PendingIntent usage

2020.10.01.23

Tags:

Changes since the 2020.09.29.20 release:

  • Pixel 4 (non-XL): stop overriding default Bluetooth toggle to disable it by default like other devices
  • use otatools.zip for generating delta updates
  • Settings: fix integration of LTE only mode option to preferred network setting
  • Auditor: update to version 21

2020.09.29.20

Tags:

Changes since the 2020.09.25.00 release:

  • add overlay to show 2 button navigation option in Settings again
  • Calculator: gesture compatibility fix
  • Auditor: update to version 20
  • WebView: update to 85.0.4183.120
  • WebView: update to 85.0.4183.127
  • Vanadium: update Chromium base to 85.0.4183.127
  • fix syncing time for the port of our HTTPS-based network time update implementation to Android 11
  • stop using dedicated keys for signing OsuLogin and ServiceWifiResources rather than simply using the regular testkey/releasekey

2020.09.25.00

Tags:

Changes since the 2020.09.18.13 release:

  • fix Wi-Fi MAC randomization settings for translations that were missing our added option
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: add missing configuration for biometric sensors in Android 11
  • fix upstream bug in the NFC quick settings tile for Android 11 breaking it after reboot
  • fix NFC quick settings tile icon handling for Android 11
  • Settings: fix upstream NFC preference so that it listens for changes and can see it being toggled via the NFC tile
  • Vanadium: update Chromium base to 85.0.4183.120
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • add back SetupWizard
  • Settings: fix launching WifiSettings

We're no longer going to be listing out restored past features in a separate section for the release notes.

2020.09.18.13 preview

Tags:

Changes since the 2020.09.11.14 release:

  • initial port to Android 11 with most GrapheneOS changes ported over (missing most SELinux policy hardening, some Pixel 4 / 4 XL kernel side channel mitigations, finer-grained Pixel 4 kernel Control Flow Integrity and the setup wizard)
  • full 2020-09-05 security patch level
  • temporarily use stock WebView until the next release of Chromium is available with public support for Android 11 to provide the WebView via Vanadium again
  • fix VPN lockdown setting getting overridden on user stop
  • SELinux policy: disable gmscore_app domain
  • SELinux policy: use dedicated SELinux domain for Updater app based on the modern untrusted_app domain
  • stop disabling support for stable local privacy addresses since Android 11 handles it better by only using it when MAC randomization is disabled
  • update to a new version of Seedvault for Android 11
  • build and use otatools.zip for signing releases instead of an ad-hoc approach
  • Auditor: update to version 19
  • Updater: update targetSdkVersion to 30
  • disable Scudo on 64-bit since we use the substantially more secure hardened_malloc
  • fully replace jemalloc with Scudo on 32-bit
  • hardened_malloc: improve stats implementation

Installations made before this project was renamed to GrapheneOS and before the first official release of the Android Hardening project will be forced to factory reset as part of this upgrade, due to lack of backwards compatibility with the unaltered AOSP encryption format.

2020.09.11.14

Tags:

  • QQ3A.200805.001.2020.09.11.14 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Testing the Android 11 kernels was useful, but we weren't able to ship the previous release due to issues uncovered during testing. The Android 11 kernels have minor backwards incompatible changes in the drivers for at least a subset of the devices so we'll need to ship them with the rest of the changes. Thanks to our testers for helping us with this. This will be the new final Android 10 release, assuming no further problems are uncovered during testing.

Changes since the 2020.09.10.05 release:

  • revert to using the Android 10 kernels on the devices that were switched over early due to backwards incompatible changes in some drivers

2020.09.10.05 preview

Tags:

  • QQ3A.200805.001.2020.09.10.05 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

This should be the final GrapheneOS release based on Android 10. It ships the device-independent monthly security patches and migrates over to using the Android 11 branch of the GrapheneOS kernels for most devices, which brings all the upstream kernel hardening in Android 11 along with the full September kernel updates. The remaining patches for the full 2020-09-05 patch level require finishing the migration to Android 11 in order to ship the September update for the other device support code. It's possible we could ship some of this early, but instead we're going to be focusing on finishing the enormous task of migrating to Android 11. Further help with bringing up support for the devices with Android 11 and porting over each of the GrapheneOS hardening features to it would be greatly appreciated. Donations are also extremely helpful. GrapheneOS has brought on another full time developer using donated funds and there are 3 part time developers helping with Android 11.

Changes since the 2020.08.07.01 release:

  • full 2020-09-01 security patch level
  • partial 2020-09-05 security patch level (missing userspace device support changes until port to Android 11 is finished)
  • Vanadium: update Chromium base to 84.0.4147.125
  • Vanadium: update Chromium base to 85.0.4183.81
  • Vanadium: update Chromium base to 85.0.4183.101
  • Vanadium: remove unused learn more link from Incognito page
  • recovery: reject updates with serialno constraints to match the GrapheneOS Updater app
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): update base kernel to Android 11
  • SetupWizard: update to latest upstream code
  • conscrypt: drop temporary upstream revert of version code which was accidentally kept during a rebase
  • backport fix for USB audio regression from Android 11

Restoration of past features since the 2020.07.06.20 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable intra-object FORTIFY_SOURCE overflow checks

2020.08.07.01

Tags:

  • QQ3A.200805.001.2020.08.07.01 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.08.03.22 release:

  • SELinux policy: fix executing apk libraries as executables for third party applications

2020.08.03.22

Tags:

  • QQ3A.200805.001.2020.08.03.22 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.07.06.20 release:

  • full 2020-08-01 security patch level
  • full 2020-08-05 security patch level
  • rebased onto QQ3A.200805.001 release
  • fix build for Pixel 3 when Pixel 3 XL kernel is not built
  • fix secondary stack hardening when a non-page-size multiple stack size is specified
  • fix picking up previous build date when doing incremental builds
  • Vanadium: update Chromium base to 84.0.4147.89
  • Vanadium: update Chromium base to 84.0.4147.105
  • Vanadium: update Chromium base to 84.0.4147.111
  • Vanadium: remove Chromium logo in chrome://version

Restoration of past features since the 2020.07.06.20 release:

  • kernel (Pixel 4, Pixel 4 XL): read-only data expansion

2020.07.06.20

Tags:

  • QQ3A.200705.002.2020.07.06.20 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.06.22.21 release:

  • full 2020-07-01 security patch level
  • full 2020-07-05 security patch level
  • rebased onto QQ3A.200705.002 release
  • change TrichromeLibrary package name
  • drop MAC randomization preference migration code
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • disable network time refresh when network time is disabled (previous behavior inherited from upstream)
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): make reproducible builds simpler
  • kernel (Pixel 4, Pixel 4 XL): use max ASLR entropy before the init process enables it

Restoration of past features since the 2020.06.22.21 release:

  • kernel (Pixel 4, Pixel 4 XL): enable UNMAP_KERNEL_AT_EL0 Meltdown mitigation (KPTI)
  • kernel (Pixel 4, Pixel 4 XL): enable ARM64_SSBD Spectre v4 mitigation
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable PANIC_ON_OOPS
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): set PANIC_TIMEOUT to -1
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): disable SECURITY_SELINUX_DEVELOP

2020.06.22.21

Tags:

Changes since the 2020.06.02.02 release:

  • SystemUI: handle non-SRGB wallpapers
  • Vanadium: update Chromium base to 83.0.4103.96
  • Vanadium: update Chromium base to 83.0.4103.101
  • Vanadium: update Chromium base to 83.0.4103.106
  • script/generate_metadata.py: add channel name to update channel metadata
  • Updater: sanity check channel name in update channel metadata
  • Updater: raise minSdkVersion to 29
  • Updater: extract care_map.pb rather than care_map.txt
  • Updater: use a different zip for streaming updates (still an experimental / hidden feature)
  • disable RFC 7217 support (stable link-local IPv6 privacy addresses) and stick to link-local IP addresses based on the (random) MAC addresses
  • SetupWizard: update to latest upstream code
  • SetupWizard: use system captive portal URL, rather than a custom Google URL
  • NetworkStack: ignore captive portal fallbacks when one is set at runtime
  • factory images flash-all script: reboot to bootloader after installing update
  • make_key: use 4096-bit RSA keys
  • script/release.sh: auto-detect AVB algorithm to support 4096-bit RSA keys for verified boot
  • add experimental Pixel 4 and Pixel 4 XL support
  • Auditor: update to version 18

Restoration of past features since the 2020.06.02.02 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back FORTIFY_SOURCE enhancements
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back userspace ASLR improvements

2020.06.02.02

Tags:

Changes since the 2020.05.29.00 release:

  • full 2020-06-01 security patch level
  • full 2020-06-05 security patch level
  • rebased onto QQ3A.200605.002 release
  • Vanadium: update Chromium base to 83.0.4103.83
  • factory images: add fastboot version detection to flash-all.bat on Windows

2020.05.23.12

Tags:

Changes since the 2020.05.05.02 release:

  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use Clang for compiling code for the host too
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add build-tools prebuilts to PATH to reduce external dependencies and avoid potential reproducibility issues
  • add build-tools prebuilts to PATH in the release signing and delta generation scripts to reduce external dependencies and avoid potential reproducibility issues
  • fix upstream bug relying on malloc addresses for sort order of 3 items, causing Bluetooth A2DP audio to fail 2/3 of the time with hardened_malloc when the expected item isn't first
  • use the same datetime for build number and build date
  • always use UTC as the time zone for build dates
  • update GrapheneOS fork of android-prepare-vendor to the collaborative AOSPAlliance fork
  • raise minimum supported API level to 28 from 23, producing a warning for apps targeting API < 28 (the Play Store disallows uploading new apps or app updates targeting API < 28 so this isn't an aggressive warning)
  • Vanadium: update Chromium base to 81.0.4044.138
  • Vanadium: update Chromium base to 83.0.4103.60
  • Vanadium: disable media DRM preprovisioning
  • Vanadium: most private WebRTC IP handling policy by default
  • set SCHED_BATCH in the kernel build scripts

Restoration of past features since the 2020.05.05.02 release:

  • Settings: allow disabling Vanadium browser app via the Settings UI now that Trichrome (browser, WebView, shared library) has replaced Monochrome (monolithic app) for providing the WebView without having 2 copies of the browser engine

2020.05.05.02

Tags:

Changes since the 2020.04.14.23 release:

  • full 2020-05-01 security patch level
  • full 2020-05-05 security patch level
  • rebased onto QQ2A.200501.001.B3 release
  • Vanadium: update Chromium base to 81.0.4044.111
  • Vanadium: update Chromium base to 81.0.4044.117
  • disable safe volume feature everywhere instead of only the US
  • hardened_malloc: implement slab allocation memory corruption checks for malloc_usable_size
  • set SCHED_BATCH in the build system and release generation scripts instead of the interactive shell
  • use more sensible factory images zip naming scheme
  • Settings: add missing title for top_level_settings to fix showing it as null in search results

Restoration of past features since the 2020.04.14.23 release:

  • Vanadium: use 64-bit Trichrome browser processes

2020.04.14.23

Tags:

Changes since the 2020.04.13.21 release:

  • Settings: adjust wifi_privacy_values to the new values
  • Settings: remove unnecessary workaround for MAC randomization preference
  • Settings: tweak MAC randomization preference wording

2020.04.13.21

Tags:

Changes since the 2020.04.07.10 release:

  • Vanadium: update Chromium base to 81.0.4044.96
  • Vanadium: remove unsupported password leak detection option
  • Vanadium: expand automated string rebranding
  • Vanadium: remove Google prefix from storage settings label
  • reword random MAC options to make them clearer
  • start the final phase of the migration process for random MAC preference values
  • generate manifests for stable releases directly referencing revisions by hash instead of tag name to simplify signature verification for the sources

Restoration of past features since the 2020.04.07.10 release:

  • globally enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): globally enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature
  • Vanadium: enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature

2020.04.07.10

Tags:

Changes since the 2020.03.23.22 release:

  • full 2020-04-01 security patch level
  • full 2020-04-05 security patch level
  • rebased onto QQ2A.200405.005 release
  • Pixel 3a, Pixel 3a XL: fix SystemUI paths in memory pinning configuration
  • only include Updater app when OFFICIAL_BUILD=true is set in the environment to avoid accidental use of the default update server with unofficial builds that are not compatible
  • Vanadium: update Chromium base to 80.0.3987.162
  • PDF Viewer: update to version 3
  • update SELinux policy for officially supported devices based on isolated_app domain split
  • raise protected_fifos / protected_regular from 1 (world-writable directories) to 2 (group-writable directories too)
  • remove use of "Hey Google" as an example feature for battery saver in Settings

2020.03.23.22

Tags:

Changes since the 2020.03.04.16 release:

  • integrate Seedvault backup app as the default backup service
  • integrate SetupWizard app to support restoring with Seedvault and other initial setup
  • Vanadium: disable unused safe browsing feature by default (Safe Browsing is currently a no-op due to the lack of Play services, and support for using the local database backend hasn't been implemented. Various changes would be needed to make it available and to make sure that privacy is preserved.)
  • Vanadium: disable unused Google VR support
  • Vanadium: disable content feed suggestions by default
  • Vanadium: update Chromium base to 80.0.3987.149
  • Settings: fix broken upstream MAC randomization value mapping uncovered by the always randomize option value
  • make_key: use scrypt for key derivation used to encrypt keys
  • add script/encrypt_keys.sh and script/decrypt_keys.sh for handling key encryption
  • improve UX, performance and algorithm support for encrypted keys in script/release.sh and script/generate_delta.sh
  • dexpreopt: disable BOARD_USES_SYSTEM_OTHER_ODEX for mainline devices, which was causing odex files to be unintentionally omitted from the system image for modern devices
  • dexpreopt: use speed filter for boot images and non-prebuilts rather than unintentionally only setting it for prebuilts
  • dexpreopt: disable pre-optimization for apps bundled by android-prepare-vendor to work around unresolved issues with conflicting inlined definitions

2020.03.04.16

Tags:

Changes since the 2020.03.03.03 release:

  • Vanadium: backport upstream fix for Android 10 downloads
  • Vanadium: update Chromium base to 80.0.3987.132
  • Settings: avoid overriding MAC address with random persistent MAC address when viewing MAC address
  • finish porting support for per-connection random MAC rather than using the per-network random address

2020.03.03.03

Tags:

Changes since the 2020.02.07.19 release:

  • full 2020-03-01 security patch level
  • full 2020-03-05 security patch level
  • rebased onto QQ2A.200305.002 release
  • use time.grapheneos.org instead of grapheneos.org for HTTPS-based time updates
  • Vanadium: migrate to Trichrome for unified builds of separate browser and WebView apps with a shared library app
  • Vanadium: use org.grapheneos.vanadium.webview instead of com.android.webview as the WebView package name
  • Vanadium: rename WebView to Vanadium System WebView from Android System WebView
  • Vanadium: update Chromium base to 80.0.3987.99
  • Vanadium: update Chromium base to 80.0.3987.117
  • Vanadium: update Chromium base to 80.0.3987.119
  • SELinux policy: remove base system app apk_data_file execute
  • SELinux policy: remove zygote access to apk_data_file

Restoration of past features since the 2020.02.07.19 release:

  • Vanadium: stop replacing signature from the Vanadium signing key with the OS release key
  • Settings: add back control over camera access while the screen is locked
  • fix MAC randomization after reboot for the always randomize MAC option
  • SELinux policy: split out base system untrusted_app (normal unprivileged apps) and isolated_app (isolatedProcess sandbox) SELinux policy domains for future work
  • SELinux policy: remove base system app execmod
  • SELinux policy: remove base system app execmem
  • SELinux policy: remove base system app execute_no_trans
  • SELinux policy: remove base system app app_data_file execute
  • SELinux policy: remove base system app ashmem execute
  • SELinux policy: remove base system app tmpfs execute
  • SELinux policy: remove zygote execmem
  • SELinux policy: remove system_server_startup domain
  • add LTE only mobile network configuration option

2020.02.07.19

Tags:

Changes since the 2020.02.04.01 release:

  • rebuild crosshatch kernel to correct build environment issue
  • Vanadium (including WebView): update Chromium base to 80.0.3987.87
  • Vanadium (including WebView): drop partially working AImageReader workarounds
  • fully work around bug with AImageReader caught by CFI on 64-bit to fix crashes during video rendering in Vanadium, Bromite, etc.

Restoration of past features since the 2020.02.04.01 release:

  • WebView: use Vanadium WebView as provider

2020.02.04.01

Tags:

Changes since the 2019.01.06.21 release:

  • full 2020-02-01 security patch level
  • full 2020-02-05 security patch level
  • rebased onto QQ1A.200205.002 release
  • remove obsolete Email app
  • Vanadium: update Chromium base to 79.0.3945.116
  • WebView: update to 79.0.3945.116
  • Vanadium: update Chromium base to 79.0.3945.136
  • WebView: update to 79.0.3945.136
  • Vanadium: fully disable AImageReader to fix remaining issues with video playback uncovered by CFI on 64-bit
  • Settings: fix MAC randomization setting for other locales by removing incomplete translations

Restoration of past features since the 2019.01.06.21 release:

  • add PIN scrambling feature

2020.01.06.21

Tags:

Changes since the 2019.12.02.23 release:

  • full 2020-01-01 security patch level
  • full 2020-01-05 security patch level
  • rebased onto QQ1A.200105.002 release
  • Vanadium: update Chromium base to 79.0.3945.93
  • Vanadium: disable hiding trivial subdomains
  • WebView: update to 79.0.3945.93
  • add the option to randomize the MAC address for each connection instead of per-network
  • authenticated network time updates via HTTPS

Restoration of past features since the 2019.12.02.23 release:

  • Settings: expose control over USB peripheral denial feature

2019.12.02.23

Tags:

Changes since the 2019.11.05.23 release:

  • full 2019-12-01 security patch level
  • full 2019-12-05 security patch level
  • rebased onto QQ1A.191205.011 release
  • Pixel 3a, Pixel 3a XL: fix userspace hw_random stirring service
  • Vanadium: update Chromium base to 78.0.3904.96
  • WebView: update to 78.0.3904.96
  • Vanadium: update Chromium base to 78.0.3904.108
  • WebView: update to 78.0.3904.108
  • Auditor: update to version 17
  • QuickSearchBox: disable widget
  • QuickSearchBox: disable launcher icon
  • Launcher: rebranding
  • require unlocking to use work tile

2019.11.04.23

Tags:

Changes since the 2019.09.25.00 release:

  • full 2019-11-01 security patch level
  • full 2019-11-05 security patch level
  • rebased onto QP1A.191105.004 release
  • Settings: disable legacy suggestions mode
  • recovery: GrapheneOS branding for fastboot mode
  • Vanadium: update Chromium base to 77.0.3865.116
  • WebView: update to 77.0.3865.116
  • Vanadium: update Chromium base to 78.0.3904.62
  • WebView: update to 78.0.3904.62
  • Vanadium: update Chromium base to 78.0.3904.90
  • WebView: update to 78.0.3904.90
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): mark functions with address taken via assembly (this fixes compatibility with CFI in a build with !CONFIG_MODULES)
  • protect static TLS from stack buffer overflows
  • drop legacy Pixel and Pixel XL support due to absence of any GrapheneOS device maintainers, the end of vendor support and an increasingly large security gap with current generation devices for the hardware, firmware and device / generation specific software

Restoration of past features since the 2019.09.25.00 release:

  • Bluetooth: add alloc_size attribute to OSI allocator
  • protect pthread_internal_t from stack buffer overflows
  • add secondary stack randomization
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): disable dynamic kernel module support (resulting in substantially improved CFI granularity)

2019.10.07.21

Tags:

Changes since the 2019.09.25.00 release:

  • full 2019-10-01 security patch level
  • full 2019-10-05 security patch level
  • full 2019-10-06 security patch level
  • rebased onto QP1A.191005.007.A1 release
  • add changes to support disabling full preloading with exec spawning to the public libcore API
  • add OTHER_SENSORS to the public frameworks/base API
  • Messaging app: fix notifications with a backport
  • Vanadium: switch back to ChromeModern (standalone browser app) from Monochrome (monolithic browser + WebView app, no longer supported for Android 10) until Vanadium is moved to Trichrome (separate browser and WebView apps with a third shared library app)
  • unified kernel tree (kernel/google/crosshatch) for Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL

Restoration of past features since the 2019.09.25.00 release:

  • begin generating / uploading delta updates from the last release to the current release

2019.09.25.00

Tags:

Changes since the 2019.09.23.19 release:

  • update to QP1A.190711.020.C3 bug fix release
  • fix granting Network and Sensors permissions at install time
  • fix wording for Network permission group

2019.09.23.19

Tags:

  • QP1A.190711.020.2019.09.23.19 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.21.18 release:

  • disable enforcing Runtime Resource Overlays for baseline overlays to work around incompatibility with exec spawning
  • enable exec spawning for com.android.phone again

2019.09.21.18 preview

Tags:

  • QP1A.190711.020.2019.09.21.18 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.18.14 release:

  • Settings: use Mainline branding for APEX components
  • Vanadium: update Chromium base to 77.0.3865.92
  • WebView: update to 77.0.3865.92
  • temporarily disable exec spawning for com.android.phone
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, mainline: disable updatable apex for simplicity
  • Pixel 2, Pixel 2 XL: enable increased system.img inode count
  • script: replace networkstack key

2019.09.18.14 preview

Tags:

  • QP1A.190711.020.2019.09.18.14 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.08.25.15 release:

  • full port to Android 10 with some exceptions (listed below)
  • full 2019-08-05 security patch level
  • full 2019-09-01 security patch level
  • full 2019-09-05 security patch level
  • temporarily add back standalone WebView (77.0.3865.73) until Vanadium supports it for Android 10
  • Vanadium: update Chromium base to 76.0.3809.132
  • Vanadium: update Chromium base to 77.0.3865.73
  • Updater: update targetSdkVersion to 29
  • retrofit dynamic partitions for Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL
  • disable GSI keys
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): temporarily disable slab canary implementation until an issue is narrowed down and addressed
  • kernel (Pixel 3, Pixel 3 XL): temporarily re-enable dynamic kernel module support until an issue is narrowed down and addressed (no dynamic kernel modules are ever actually loaded but something breaks internally with it disabled)
  • add guard page between the stack and the new static TLS region
  • bionic: pthread_internal_t changes have not yet been ported over so that feature is temporarily gone

2019.08.25.15

Tags:

Changes since the 2019.08.05.19 release:

  • add missing privileged permission whitelist for SdkSetup in SDK emulator builds
  • set up Vanadium for other architectures (arm, x86, x86_64)
  • hardened_malloc (GrapheneOS only): remove workaround for use-after-free in the citadel (Titan M) driver's key attestation support since it was fixed upstream
  • hardened_malloc: update libdivide to 2.0
  • Vanadium (browser and WebView): update Chromium base to 76.0.3809.111
  • Vanadium: redirect settings help icon
  • Vanadium: set default search engine to DuckDuckGo
  • apply partial fix for package manager original-package feature
  • PDF Viewer: update to version 2
  • Auditor: update to version 16
  • add Vanadium to the apps that cannot be disabled via Settings (can still be disabled) since the warning isn't enough to deter people from unknowingly breaking apps using the WebView
  • Updater: add settings entry to manually trigger check for updates
  • Updater: reschedule update check job on channel change
  • arm, x86 and x86_64 are now supported / tested architectures
  • generic and emulator build targets are now supported / tested for development usage (not suitable for secure production releases)

2019.08.05.19

Tags:

Changes since the 2019.07.16.22 release:

  • full 2019-08-01 security patch level
  • partial 2019-08-05 security patch level (not yet fully available)
  • Vanadium (browser and WebView): update Chromium base to 76.0.3809.89
  • Vanadium: expand string rebranding including covering translations
  • Vanadium: rename Sync and Google services to Services
  • Vanadium: remove data reduction preference
  • Vanadium: remove translate offer preference
  • Vanadium: remove sync preferences
  • Vanadium: remove navigation error preference
  • Vanadium: remove safe browsing reporting preference
  • Vanadium: remove usage and crash reports preference
  • Vanadium: remove url keyed anonymized data preference
  • Vanadium: disable contextual search by default
  • Vanadium: remove redundant services preference category
  • Vanadium (browser and WebView): use a unified Vanadium signing key instead of the device-specific release key
  • rename WebView provider to Vanadium
  • SELinux policy: label protected_{fifos,regular} as proc_security (this is needed for init to override the default values)

2019.07.16.22

Tags:

Changes since the 2019.07.01.21 release:

  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.143
  • Vanadium: disable media router media remoting by default
  • Vanadium: disable media router by default (avoids the triggering warning about not having Play services)
  • Vanadium: remove Help & feedback menu entry
  • Vanadium: further string rebranding from Chromium / Chrome to Vanadium
  • Vanadium: disable unused reporting feature at compile-time
  • Vanadium: disable unused remoting feature at compile-time
  • Vanadium (browser and WebView): move from external/chromium to external/vanadium in the GrapheneOS source tree and rename module from Chromium to Vanadium
  • Vanadium: disable offering translations by default
  • Vanadium: disable prefetching suggested pages by default
  • Vanadium: disable browser sign in feature by default
  • Vanadium: disable safe browsing reporting opt-in by default
  • extend release.sh to call the script for signing factory images
  • extend release.sh to call the script for generating update channel metadata
  • kernel build script (Pixel, Pixel XL, Pixel 3a, Pixel 3a XL): verify that no arguments are passed
  • kernel build script (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): verify that a single argument (device variant) is passed
  • enable kernel mitigations for file spoofing

Restoration of past features since the 2019.07.01.21 release:

  • Vanadium (browser and WebView): enable type-based CFI for virtual calls
  • enable kernel mitigations for link races
  • kernel (Pixel 2, Pixel 2 XL): backport fixes for SLAB_FREELIST_RANDOM
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_RANDOM
  • kernel (Pixel 2, Pixel 2 XL): backport slub dynamic DEBUG_PAGEALLOC setting
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation prefetch fix
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub native double free detection
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_HARDENED
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_LIST
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_SG
  • kernel (Pixel, Pixel XL): reduce DEBUG_SG virt_addr_valid check to a warning (this works around a bug in the legacy QCE driver)
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_NOTIFIERS
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_CREDENTIALS
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SCHED_STACK_END_CHECK
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on !PageSlab && !PageCompound in ksize
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): always perform cache_from_obj consistency checks
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on kmem_cache_free with the wrong cache
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): real slab_equal_or_root check for !MEMCG_KMEM
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add missing cache_from_obj !PageSlab check
  • kernel (Pixel 2, Pixel 2 XL): backport upstreamed FORTIFY_SOURCE implementation
  • kernel (Pixel 2, Pixel 2 XL): backport upstreamed leading zero byte for stack canary
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add simpler page sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add support for verifying page sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add basic full slab sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add support for verifying slab sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add multi-purpose random canaries

2019.07.01.21

Tags:

Changes since the 2019.06.23.05 release:

  • full 2019-07-01 security patch level
  • full 2019-07-05 security patch level
  • rebased onto PQ3A.190705.003/PQ3B.190705.003 releases
  • Auditor: update to version 15

Restoration of past features since the 2019.06.23.05 release:

  • add GrapheneOS PDF Viewer app (version 1)
  • Vanadium: stop ignoring download location prompt setting
  • Vanadium: show download prompt again by default

2019.06.23.05

Tags:

Changes since the 2019.06.14.02 release:

  • hardened_malloc: use copy_size to check for canaries (tiny performance / hardening fix and avoids an erroneous abort in a corner case with realloc from 0 byte allocations)
  • hardened_malloc: update libdivide to 1.1
  • Pixel 3a, Pixel 3a XL: raise maximum users to 16
  • Pixel 3a, Pixel 3a XL: disable system_other odex
  • Pixel 3a, Pixel 3a XL: disable system_other preloads_copy
  • Pixel 3a, Pixel 3a XL: show connected mac randomization feature
  • Pixel 3a, Pixel 3a XL: move to custom kernel
  • Pixel 3a, Pixel 3a XL: use monolithic kernel builds
  • kernel (Pixel 3a, Pixel 3a XL): disable slab merging
  • kernel (Pixel 3a, Pixel 3a XL): add toggle for disabling newly added USB devices
  • kernel (Pixel 3a, Pixel 3a XL): replace SECURITY_SMACK with SECURITY_NETWORK
  • kernel (Pixel 3a, Pixel 3a XL): mark qcedev data const
  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.101
  • Vanadium: disable sensors access by default
  • Vanadium: disable third party cookies by default
  • Vanadium: disable background sync by default
  • Vanadium (browser and WebView): stub out battery API
  • Vanadium: disable search logo
  • Vanadium: always use local new tab page
  • Vanadium: disable payment support by default

Restoration of past features since the 2019.06.14.02 release:

  • Vanadium: do not enable default search engine notification permission by default

2019.06.14.02

Tags:

Changes since the 2019.06.03.18 release:

  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.67
  • add back brk system call to the seccomp whitelist for compatibility with Go
  • Auditor: update to version 13
  • Auditor: update to version 14
  • Music: backport bug fix for passing CTS
  • Updater: replace seamlessupdate.app with releases.grapheneos.org alias
  • add initial experimental support for the Pixel 3a and Pixel 3a XL
  • Pixel 2, Pixel 2 XL: set AVB rollback index to security patch timestamp (backport of the implementation for the Pixel 3)

Restoration of past features since the 2019.06.03.18 release:

  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): replace SECURITY_SMACK with SECURITY_NETWORK

2019.06.03.18

Tags:

Changes since the 2019.05.18.20 release:

  • full 2019-06-01 security patch level
  • full 2019-06-05 security patch level
  • rebased onto PQ3A.190605.003 release
  • Auditor: update to version 11
  • Auditor: update to version 12
  • hardened_malloc (GrapheneOS only): further expand workaround for Pixel 3 and Pixel 3 XL camera issues

Restoration of past features since the 2019.05.18.20 release:

  • disable exec spawning when using debugging options
  • enable exec spawning by default
  • enable Verizon visual voicemail support
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): add toggle for disabling newly added USB devices
  • add properties for controlling deny_new_usb
  • implement dynamic deny_new_usb toggle mode
  • set deny_new_usb feature to dynamic by default
  • sepolicy: deny_new_usb sysctl and system property policy

2019.05.18.20

Tags:

Changes since the 2019.05.08.15 release:

  • GrapheneOS logo mask
  • Auditor: update to version 10
  • add preload parameter for avoiding full preload with exec
  • raise maximum users to 16
  • Vanadium (browser and WebView): update Chromium base to 74.0.3729.157
  • hardened_malloc (GrapheneOS only): apply temporary workaround for citadel HAL use-after-free (need to start building vendor HALs from the sources to fix issues like this)

Restoration of past features since the 2019.05.08.15 release:

  • disable OpenGL preloading for exec spawning
  • disable resource preloading for exec spawning
  • disable ICU cache pinning for exec spawning
  • disable class preloading for exec spawning
  • disable WebView reservation for exec spawning
  • disable JCA provider warm up for exec spawning
  • avoid AssetManager errors with exec spawning

2019.05.07.00

Tags:

Changes since the 2019.04.01.19 release:

  • full 2019-05-01 security patch level
  • full 2019-05-05 security patch level
  • rebased onto PQ3A.190505.002 release
  • add Pixel and Pixel XL support including standard changes to kernel and device code
  • Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL: fix hw_random permissions
  • bundle Auditor (version 9)
  • Chromium (browser and WebView): update to 74.0.3729.136
  • Chromium: enable strict site isolation by default
  • Chromium: initial rebranding to Vanadium including icon recolor
  • hardened_malloc: extensive work on refactoring, micro-optimization and documentation (see commits for details)
  • hardened_malloc: implement mallinfo and mallinfo extensions for Android
  • hardened_malloc: implement Android API for requesting purging
  • hardened_malloc: implement the option of large size classes (enabled by default)
  • hardened_malloc: support extended range of small size classes (enabled by default)
  • hardened_malloc: support for slabs with 1 slot for largest sizes
  • hardened_malloc: use round-robin assignment to arenas
  • hardened_malloc: disable current in-place growth code path
  • hardened_malloc: harden arena implementation
  • hardened_malloc: fix non-init size for malloc_object_size extension
  • hardened_malloc: shrink initial region table size to fit in 1 page
  • hardened_malloc (GrapheneOS only): expand workaround for Pixel 3 and Pixel 3 XL camera issues
  • Pixel 3, Pixel 3 XL: change SystemUIGoogle pinning to SystemUI

Restoration of past features since the 2019.04.01.19 release:

  • use -fwrapv when signed overflow checking is off
  • add exec-based spawning support (disabled by default for now)
  • require unlocking to use battery saver quick tile
  • require unlocking to use cellular quick tile
  • require unlocking to use hotspot quick tile
  • require unlocking to use data saver quick tile
  • require unlocking to use rotation lock quick tile
  • require unlocking to use wifi quick tile
  • require unlocking to use airplane mode quick tile
  • require unlocking to use bluetooth quick tile
  • require unlocking to use nfc quick tile
  • add support for kernels without module support enabled to the VTS and compatibility tests
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable slab merging
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable loadable kernel module support
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): mark qcedev data const
  • kernel (Pixel 2, Pixel 2 XL): disable unused ramdisk compression formats
  • SELinux policy: remove priv_app app_data_file execute
  • SELinux policy: remove dumpstate ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
  • SELinux policy: remove healthd ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
  • SELinux policy: auditallow app execmem (moving back towards an exception system)
  • SELinux policy: auditallow app ashmem execute (moving back towards an exception system)
  • SELinux policy: auditallow ephemeral_app app_data_file execute (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all execmod (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all app_data_file execute (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all app_data_file execute_no_trans (moving back towards an exception system)

2019.03.05.03

Tags:

Final and only tagged release of the AndroidHardening project before it was renamed to GrapheneOS. Earlier AndroidHardening releases were only snapshots and are not listed here. Prior to the AndroidHardening placeholder name, the project was known as CopperheadOS. For more details, see the page on the project's history.

Detailed changelogs were not written at this point.