GrapheneOS [Unofficial]


Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.


This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

founded 4 years ago
26
 
 

We have early access to Android Security Bulletin patches and will be able to set up a workflow where we can have releases already built and tested prior to the embargo ending. For now, we've still been doing the builds after the embargo ends. It will mainly help when they screw up pushing to AOSP.

We're in the process of obtaining early access to the major quarterly and yearly releases. This is a much bigger deal and will substantially help us. There's an immense workload with a lot of time pressure for porting to new major releases without early access which gets worse the more we change.

We did not have early access to Android 16 QPR1 and have not been able to start porting yet. We should have early access prior to Android 16 QPR2.

We're going to need to make private repositories for working on this stuff internally. We can potentially make special preview releases based on these.

Google recently made incredibly misguided changes to Android security updates. Android security patches are almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.

We can't break the embargo ourselves but if someone posted the patches publicly we would be able to ship them months early, as would others. The patches are broadly distributed to OEMs where most of their engineers have access. Companies like NSO can easily obtain access. It's not a safe system.

Google's existing system for distributing security patches to OEMs was already incredibly problematic. Extending 1 month of early access to 4 months is atrocious. This applies to all of the patches in the bulletins. This is harming Android security to make OEMs look better by lowering the bar.

The existing system should have been moving towards shorter broad disclosure of patches instead of 30 days. Moving in the opposite direction with 4 months of early access is extraordinarily irresponsible. Google has also abandoned pretending it's private by allowing binary-only embargo breaches.

Android's management has clearly overruled the concerns of their security team and chosen to significantly harm Android security for marketing reasons. Lowering the bar for OEMs to pretend things are fine while reducing security for everyone is a ridiculous approach and should be quickly reversed.

Android is very understaffed due to layoffs/buyouts and insufficient hiring. This is impacting Linux kernel and Android security. Google hasn't fixed https://taptrap.click/ which is a serious issue privately disclosed to them in October 2024. We were informed in June 2025 and it took us a few hours to fix...

Google does a massive portion of the security work on the Linux kernel, LLVM and other projects including implementing exploit protections, bug finding tools and doing fuzzing. They're providing the resources and infrastructure for Linux kernel LTS releases. Others aren't stepping up to the plate.

We don't expect there to be much pushback against this via tech media despite how obscene it is to provide 4 months of patch access to sophisticated attackers. They can easily get it from OEMs or even make an OEM. Whistleblowers should publicly post the signed zips since attackers have it already.

Security patch backports were pushed to the Android Open Source Project on September 2nd but it wasn't done properly. Android 16 QPR1 was also supposed to be pushed to the AOSP on September 3rd and it was even confirmed they'd still be doing that but it hasn't happened. Perhaps too many layoffs...

Even if no whistleblowers leak the signed zips we can still bring this system down ourselves without breaking any embargo. Our plan is to make special releases with the patches which are otherwise identical to our regular releases. External developers can reverse it from that for regular GrapheneOS.

We're allowed to make a release with the currently available revision of the December 2025 Android security patches right now but we wouldn't be allowed to publish sources. Therefore, we'd need to do this separately from regular GrapheneOS. We could make special release channels for it with delayed tags...

It's trivial for someone to reverse the Java and Kotlin patches to source code within an hour of us releasing that. They could then submit security patches elsewhere including to GrapheneOS. This clearly isn't something Google's technical security people came up with as it's completely nonsensical.

27
 
 

Tags:

  • 2025090600 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025090500 release:

  • Pixel Tablet: fix regression for install zips in the previous release causing a version check for non-existent cellular baseband firmware to fail when doing the initial installation
  • add back Git commit metadata for the kernel image and modules by setting an environment variable to use the repo metadata from the Pixel kernel tarballs
28
 
 

Tags:

  • 2025090500 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025090300 release:

  • move to new monolithic Pixel kernel repository setup with a single repository for Pixels and our portable Generic Kernel Image repository as a submodule to more easily handle Pixel kernel sources being released as tarballs instead of Git tags (Git metadata for the kernel image and modules will be added back in the next release)
  • update to Android 16 QPR1 kernel drivers and kernel build system to ship the security patches prior to Android 16 QPR1 being released to AOSP
  • update Pixel SoC and cellular radio firmware to the Android 16 QPR1 releases to ship the security patches prior to Android 16 QPR1 being released to AOSP
  • kernel (6.12): update to latest GKI LTS branch revision
  • App Store: update to version 32
  • App Store: update to version 33
  • Vanadium: update to version 140.0.7339.51.0
29
 
 

Notable changes in version 33:

  • fix theme regression in version 32 causing the wrong color to be used

A full list of changes from the previous release (version 32) is available through the Git commit log between the releases.

App Store is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps and Android Auto to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

30
 
 

Notable changes in version 32:

  • remove usage of the buggy AndroidX AppCompat ContextCompat.registerReceiver() which wrongly calls getApplicationContext() on Android API levels below 33 (this caused crashes on Android 12 which is end-of-life and doesn't receive security support but we haven't raised the minimum API level for App Store yet)
  • prevent RpcProvider from crashing when it receives an invalid call
  • update Material Components library to 1.13.0
  • update Glide library to 5.0.4
  • update Android Gradle plugin to 8.13.0

A full list of changes from the previous release (version 31) is available through the Git commit log between the releases.

App Store is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps and Android Auto to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

31
 
 

Changes in version 140.0.7339.51.0:

  • update to Chromium 140.0.7339.51

A full list of changes from the previous release (version 140.0.7339.35.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

32
 
 

Tags:

  • 2025090300 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025090200 release:

  • Sandboxed Google Play compatibility layer: add stub for Debug.dumpService("media_projection") to fix a recent regression caused by a Google Play Store behavior change yesterday which was breaking using the Play Integrity API and therefore slightly reducing app compatibility
33
 
 

This is an early September security update release based on the September 2025 security patch backports since the quarterly Android Open Source Project and stock Pixel OS release scheduled for this month hasn't been published yet.

Tags:

  • 2025090200 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025081400 release:

  • full 2025-09-01 security patch level
  • add support for address lines in the GrapheneOS geocoder implementation
  • Dialer: fix visual voicemail with Verizon MVNOs by working around AOSP Dialer not supporting vvm_type_vvm3_mvno
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.148
  • kernel (6.1): reapply minor f2fs change we previously reverted due to it causing a regression since the stock Pixel OS has shipped it a while ago so the regression must have been fixed by other changes
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.102
  • kernel (6.12): update to latest GKI LTS branch revision including update to 6.12.42
  • adevtool: massive overhaul to improve our infrastructure for device support
  • adevtool: add command for extracting aconfig flag values from device images
  • adevtool: add command for decompiling APKs and JARs from device images and creating an IntelliJ project from it
  • adevtool: detect missing vendor regeneration after adevtool changes
  • adevtool: parallelize state regeneration and remove unnecessary data from serialized build state files
  • Theme Picker: use AOSP launcher name for fetching resources in preparation for Android 16 QPR1 requiring this to be set up properly
  • Settings: prepare PIN scrambling setting for the upcoming port to Android 16 QPR1
  • Seedvault: update to 16-5.7 (there are no changes to the code compared to the Android 16 development revision we previously shipped, only translation changes)
  • GmsCompatConfig: update to version 161
  • Vanadium: update to version 139.0.7258.158.0
  • Vanadium: update to version 140.0.7339.35.0
  • Camera: update to version 87
  • Camera: update to version 88
  • App Store: update to version 31
  • PDF Viewer: update to version 31
34
 
 

The main Matrix homeserver (matrix.org) is down and likely to remain down for a while longer:

https://mastodon.matrix.org/@matrix/115135992360783162

Our Matrix rooms are still available since those aren't hosted on any specific server. We use our own Matrix server for our project accounts, bridge bot, etc. too.

Our chat rooms are bridged across Matrix, Discord, Telegram and IRC.

Discord server: https://discord.com/invite/grapheneos

IRC channels are on libera.chat with the same names as the Matrix rooms but prefixed with #grapheneos such as #grapheneos-offtopic. #grapheneos-general redirects to #grapheneos there.

Our chat rooms were only on Matrix after the end of freenode but we ended up needing alternatives due to both the technical and abuse issues with Matrix. Discord is now the most active. Long term, we plan to self-host a future high quality open source Discord clone and drop Matrix/Telegram/IRC.

Our Telegram group is https://t.me/GrapheneOS but we recently set it to require requesting to join and being approved by a moderator due to the massive issues with spam. We recommend joining our chat rooms via either a non-matrix.org Matrix server (even after it's back, it's too large) or Discord instead.

35
 
 

Notable changes in version 31:

  • skip package enabled check for a static dependency on the same package to avoid apps like Vanadium being treated as unavailable due to missing dependencies when users have them disabled
  • require TLSv1.3 instead of either TLSv1.2 or TLSv1.3
  • enable hardware memory tagging for use outside of GrapheneOS in the narrow cases where it's available for apps opting into it (Android 16 Advanced Protection Mode on hardware with support for MTE)
  • update Glide library to 5.0.3
  • update Kotlin Coroutines libraries to 1.10.2
  • update AndroidX Lifecycle libraries to 2.9.3
  • update AndroidX Navigation libraries/plugin to 2.9.3
  • update AndroidX Fragment KTX library to 1.8.9
  • update AndroidX Core KTX library to 1.17.0
  • update AndroidX AppCompat library to 1.7.1
  • update Bouncy Castle library to 1.81
  • update Kotlin to 2.2.10 and Kotlin Symbol Processing to 2.0.2
  • update Android Gradle plugin to 8.12.2
  • update Gradle to 8.14.3
  • update Android SDK to 36 (Android 16)
  • update Android build tools to 36.0.0
  • raise TLS key pinning expiry date to September 2026

A full list of changes from the previous release (version 30) is available through the Git commit log between the releases.

App Store is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps and Android Auto to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

36
 
 

Notable changes in version 88:

  • handle migrating away from the user setting JPEG quality to be based on the legacy Latency vs. Quality mode without explicitly setting the Latency vs. Quality mode

A full list of changes from the previous release (version 87) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

37
 
 

Notable changes in version 87:

  • add new toggle to More Settings for using the highest supported resolution for photo capture instead of the default resolution to enable using the maximum resolution on devices where it requires opt-in
  • replace CameraX Latency vs. Quality choice with a clearer "Wait for focus lock" toggle
  • change default JPEG quality to 95% instead of basing the default on Latency (95%) vs. Quality (100%) while also preserving existing configuration by explicitly setting JPEG quality to 95% or 100% if it wasn't directly configured by the user but they had explicitly chosen Latency or Quality
  • remove obsolete Electronic Image Stabilization (EIS) code which we replaced with the CameraX SessionConfig API in the previous release since it now causes an exception with CameraX 1.5.0-rc01
  • update CameraX (AndroidX Camera) library to 1.5.0-rc01
  • update AndroidX Core library to 1.17.0 and switch to KTX variant
  • update Android Gradle plugin to 8.12.2
  • update Kotlin to 2.2.10

A full list of changes from the previous release (version 86) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

38
 
 

Notable changes in version 31:

  • minor fixes for edge-to-edge support to avoid incorrect theme colors
  • fix issue causing the text layer used for text selection to not rotate when the PDF is rotated within the app
  • enable hardware memory tagging for use outside of GrapheneOS in the narrow cases where it's available for apps opting into it (Android 16 Advanced Protection Mode on hardware with support for MTE)
  • update pdf.js library to 5.4.149
  • update esbuild to 0.25.9
  • update other npm dependencies
  • update AndroidX Fragment KTX library to 1.8.9
  • update AndroidX Core KTX library to 1.17.0
  • update AndroidX AppCompat library to 1.7.1
  • update Gradle to 8.14.3
  • update Android Gradle plugin to 8.12.2
  • update Kotlin to 2.2.10
  • update Android SDK to 36 (Android 16)
  • update Android build tools to 36.0.0

A full list of changes from the previous release (version 30) is available through the Git commit log between the releases.

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to the network, files, content providers or any other data.

Content-Security-Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the APK assets along with blocking custom fonts since pdf.js handles rendering those itself.

It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with less access than it would have within the browser.

This app is available through the Play Store with the app.grapheneos.pdfviewer.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.grapheneos.pdfviewer id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.

GrapheneOS users must obtain GrapheneOS app updates through our App Store since verified boot metadata is required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

39
 
 

GrapheneOS users LOOK 👀

Vanadium now has bottom nav bar, small hands and XL device owners...REJOICE!

Spread the word. 📢

40
 
 

Worth repeating while everyone is asking about recent changes Google have made "influenced" by certain characters in videos.

GrapheneOS is NOT going anywhere. GrapheneOS will CONTINUE to support existing devices. GrapheneOS WILL support Pixel 10. GrapheneOS WILL be ported to Android 16 QPR1 as planned.

Current changes have no bearing.

41
 
 

Changes in version 140.0.7339.35.0:

  • update to Chromium 140.0.7339.35
  • drop stricter popup blocking feature for now which we had to disable via a feature flag using Vanadium Config 118 prior to the last release reaching Stable (stricter popup blocking will be added back but likely less aggressive and also opt-in instead of part of the standard popup blocking site setting)

A full list of changes from the previous release (version 139.0.7258.158.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

42
 
 

We've received the Pixel 10 we ordered and have confirmed it supports unlocking, flashing another verified boot key and locking again.

Our Pixel 10 support will likely only be possible to complete after we finish porting to Android 16 QPR1 which is being released in September.

A second Pixel 10 we ordered has arrived at a package forwarding service in the US to be shipped to a country without Pixels available.

We'll order a Pixel 10 Pro (XL) and Pixel 10 Pro Fold for our main device testing farm today too since we'll be supporting all 4 variants of them.

Previously, we likely would have been able to implement support for the Pixel 10, Pixel 10 Pro and Pixel 10 Pro XL in the next 48 hours. However, we likely need to wait for Android 16 QPR1 and our port to it since we don't expect a Pixel 10 device branch will be pushed to AOSP.

We've received confirmation that Android is switching to having quarterly releases across devices. There will be 3 quarterly and 1 yearly release of Android and the Android Open Source Project. Monthly releases are Pixel exclusive and will have far fewer changes than before.

Previously, only Pixels shipped the quarterly releases in practice. Other OEMs will now be pushed to ship those, but not the monthly releases which are now officially Pixel exclusive. Please note monthly Android Security Bulletins are a different thing from the monthly releases.

Android Security Bulletins are backports of a subset of patches deemed High/Critical severity to older Android releases. That currently means the initial yearly releases of Android 13, 14, 15 and 16 without the monthly/quarterly updates for those. This will need to change now.

The changes are acceptable for us and we can deal with it. We're currently working with a major OEM towards future generations of their devices meeting our requirements and providing official GrapheneOS support. GrapheneOS on both Pixels and these future non-Pixels will be fine.

Pixels are still the most secure Android devices and the only ones combining a high level of security with proper support for an alternate OS. However, it's clear they don't value alternate OS support and won't remain the best devices for GrapheneOS once we have official ones.

We could continue supporting future Pixels such as the Pixel 11 and Pixel 12 after we have another option available but we won't depend on them continuing to provide alternate OS support. It's good that the Pixel 10 still provides it since our alternative is a year or two away.

43
 
 

Changes in version 139.0.7258.158.0:

  • update to Chromium 139.0.7258.158
  • enable stricter popup blocking by default (this was overly strict and has been turned off in Vanadium Config version 118 but we'll add back a potentially less strict variant as an opt-in feature later)

A full list of changes from the previous release (version 139.0.7258.143.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

44
 
 

Changes in version 161:

  • add stub for RecoveryController.setServerParams()
  • update Android Gradle plugin to 8.12.1

A full list of changes from the previous release (version 160) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

GmsCompatConfig is the text-based configuration for the GrapheneOS sandboxed Google Play compatibility layer. It provides a large portion of the compatibility shims.

45
 
 

Swissquote has launched official support for GrapheneOS for their main app instead of it only being available for Yuh:

https://play.google.com/store/apps/details?id=com.swissquote.android

What’s new

  • We now officially support GrapheneOS!
  • Bug fixes and minor improvements

They're verifying GrapheneOS via hardware attestation.

The code added for verifying GrapheneOS would be easy to extend on the server side with support for other alternate operating systems. They could also support future non-Google roots of trust to permit hardware not certified by Google. It still restricts what can be used but is at least extensible.

More apps using the Play Integrity API should implement this. It can initially be integrated to allow either the Play Integrity API or hardware attestation. Hardware attestation can be used to fully replace the Play Integrity API at the expense of legacy device support but that's not mandatory.

See https://grapheneos.org/articles/attestation-compatibility-guide for more information. Apps implementing this need to add new verified boot key fingerprints when GrapheneOS adds support for more devices since per-device keys are important for security. For our own devices, we could simply have our own attestation root of trust.
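An added example, not code from Swissquote, GrapheneOS or the linked guide: a server-side policy check over the `RootOfTrust` structure of an Android key attestation, showing where the per-device verified boot key allowlist described above fits. It assumes the certificate chain and challenge were already verified, that the DER bytes came from the hardware-enforced authorization list, and that `verifiedBootKey` carries the SHA-256 fingerprint of the key; the allowlist entries and sample blobs are constructed placeholders.

```python
import hashlib
from typing import NamedTuple

# VerifiedBootState ENUMERATED values from the Android key attestation schema.
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3


class RootOfTrust(NamedTuple):
    verified_boot_key: bytes
    device_locked: bool
    verified_boot_state: int


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def parse_root_of_trust(der: bytes) -> RootOfTrust:
    """Parse SEQUENCE { verifiedBootKey OCTET STRING, deviceLocked BOOLEAN,
    verifiedBootState ENUMERATED, optional verifiedBootHash OCTET STRING }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields[:3]] != [0x04, 0x01, 0x0A]:
        raise ValueError("unexpected RootOfTrust layout")
    key, locked, state = (v for _, v in fields[:3])
    if locked not in (b"\x00", b"\xff") or len(state) != 1:
        raise ValueError("bad BOOLEAN or ENUMERATED encoding")
    return RootOfTrust(key, locked == b"\xff", state[0])


def evaluate(rot: RootOfTrust, allowlist: dict) -> tuple:
    """Return (decision, detail) where decision is allow, stock or deny."""
    if not rot.device_locked:
        return ("deny", "bootloader unlocked")
    if rot.verified_boot_state == VERIFIED:
        # Stock OS: left to whatever policy the app already applies to it.
        return ("stock", "handle with the existing stock OS policy")
    if rot.verified_boot_state != SELF_SIGNED:
        return ("deny", "boot state unverified or failed")
    # Alternate OS with a locked bootloader: the key must be one we pinned.
    device = allowlist.get(rot.verified_boot_key.hex())
    if device is None:
        return ("deny", "verified boot key not in allowlist")
    return ("allow", device)


# Constructed placeholders: real entries are the per-device fingerprints
# published by the OS project, with one added for each newly supported device.
KEY_A = hashlib.sha256(b"constructed-example-key-device-a").digest()
ALLOWLIST = {KEY_A.hex(): "example-device-a"}


def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128  # short-form length is enough for these samples
    return bytes([tag, len(value)]) + value


def build_sample(key: bytes, locked: bool, state: int) -> bytes:
    """DER-encode a constructed RootOfTrust for exercising the policy."""
    body = (_tlv(0x04, key) + _tlv(0x01, b"\xff" if locked else b"\x00")
            + _tlv(0x0A, bytes([state])) + _tlv(0x04, bytes(32)))
    return _tlv(0x30, body)


if __name__ == "__main__":
    for key, locked, state in [(KEY_A, True, SELF_SIGNED),
                               (KEY_A, False, SELF_SIGNED),
                               (bytes(32), True, SELF_SIGNED),
                               (bytes(32), True, VERIFIED)]:
        rot = parse_root_of_trust(build_sample(key, locked, state))
        print(rot.device_locked, rot.verified_boot_state, evaluate(rot, ALLOWLIST))
```

Keying the allowlist by fingerprint is what makes the server-side extension cheap: supporting another device or another operating system is a new dictionary entry rather than new verification code.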

46
 
 

It's much too early to ask us when we'll have support for the new Pixel 10 phones. They're only available for preorder. We need to have access to the devices and factory images before we can start working on this. If the new Pixels still provide proper alternate OS support, we can support them.

It will be significantly more work than usual to support the new Pixel 10 phones since Android 16 removed the Pixel device trees from the Android Open Source Project. However, that was already only part of what we need for device support and we worked around it by expanding our automated tooling.

We'll be able to use our automated tooling to support the new Pixel 10 devices as long as they still provide proper support for installing another OS with all of the security features supported. We have no reason to believe that's not supported anymore. It's just going to be significantly more work.

Pixel 10 also has much more significant hardware changes than the Pixel 6a through Pixel 9a we added easily. We don't know how long it's going to take yet. We can't estimate that until a while after we've started working on it. We can't start working on it until we have the devices and images.

47
 
 

Changes in version 139.0.7258.143.0:

  • update to Chromium 139.0.7258.143

A full list of changes from the previous release (version 139.0.7258.123.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

48
 
 

Tags:

  • 2025081400 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025081300 release:

  • temporarily revert extended fix for upstream MediaMetadata bug due to it causing a regression and needing to be adjusted
  • Camera: update to version 86
49
 
 

Tags:

  • 2025081300 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025080600 release:

  • limit MediaMetadata object size to avoid Binder failures to resolve the rest of an upstream Android denial of service issue triggered in real world use by LibreTube (this extends our previous fix in our 2025072700 release)
  • reduce time update threshold to 50ms from Android's default 2000ms instead of allowing the clock to get up to 2s out-of-date (this change was lost during one of the major release ports when Android significantly changed the code and moved where this is configured)
  • Pixel 8a: fix inclusion of PSDS overlay since our port to Android 16 which was breaking using our PSDS proxy until we worked around it server-side with a redirect from broadcom.psds.grapheneos.org to samsung.psds.grapheneos.org for the Samsung PSDS download path
  • Samsung GNSS devices (Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a): switch to TLSv1.3-only for SUPL instead of TLSv1.2-only now that it's supported by gnssd
  • change User-Agent for geocoder to "GrapheneOS geocoder $USER_AGENT_VERSION" where the version is currently 1 and can be incremented if there are significant changes to how we make requests (this was previously using the default Android User-Agent sending more information than necessary)
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.101
  • Seedvault: update to latest revision for Android 16 (will be replaced with a better backup implementation in the future)
  • Camera: update to version 84
  • Camera: update to version 85
  • Info: update to version 6
  • Vanadium: update to version 139.0.7258.123.0
50
 
 

Today was the coordinated disclosure date for multiple Matrix chat protocol vulnerabilities:

https://matrix.org/blog/2025/08/security-release/

Our synapse server has been upgraded to 1.135.2 and now we'll need to upgrade our Matrix chat rooms. Many servers haven't yet upgraded and won't be able to join.

Our plan is to create an entirely new set of Matrix rooms with room version 12 and begin migrating people over to those. Our existing rooms will be kept around for a while because we know many instances are going to take their time updating to the new server software releases.

Our Matrix chat rooms have been repeatedly broken by these protocol bugs. Our General and Offtopic rooms have been replaced 4-5 times. The most recent occurrence was our GrapheneOS Space with over 25000 users breaking. This will all hopefully be in the past after today's fixes.

See https://grapheneos.org/contact#community-chat for more info. Our rooms are bridged across Matrix, Discord, Telegram and IRC. We started on IRC and intended to fully migrate to Matrix. We added Telegram due to the major issues with Matrix and then Discord which is now the most active platform.

Federating with open registration Matrix servers leads to endless raids including people spamming CSAM and gore. Not federating makes it quite useless. A large portion of our Matrix community moved to Discord due to the CSAM spam across Matrix and we don't bridge media from it.

Discord has very good configurable server-side filtering and dramatically better mod tools. Matrix heavily enables abuse through federation and doesn't even support restricting inline media. Matrix also lacks channels within rooms so communities like ours rely on moderation bots.
