I won't lie, my older articles make me cringe.
Final
final@stacker.news
npub1hxx7...g75y
Security specialist and member of the GrapheneOS Foundation.
Posts my own and not endorsed by my employer. AI slop and Nostr DMs ignored.
Email: final@grapheneos.org
Matrix: f1nal:grapheneos.org
Simple Crypto Widget is now Material 3! Good time to have widgets since #GrapheneOS patched the upstream bug of widgets disappearing in user profiles ;)

GitHub
Release 8.6.0 · hwki/SimpleBitcoinWidget
Material 3 upgrade.
Updated for Android 15.
Improved compatibility with certain launchers.
Better error handling.
Update Bibox API.
Full Changelog:...
#GrapheneOS device deployment and management was mentioned in the requirements for a director-level job vacancy in a large (multi-million) NGO about wildlife and environment preservation. Their overall security commitments outside of their mobile security demands are also very impressive.
It is great to see big organisations with big requirements choose GrapheneOS because they know we provide security and privacy other platforms do not have. For too long users with tougher security requirements were left in the dark because every commercial OEM is often thinking about seamlessness or user experience. Users should have the choice to go above.
Let it be a message to every exploit broker and mercenary who tries to use our name / the platforms we support for marketing an urgency to attack our work: You cannot claim your actions to be for the greater good. You want to target a project that protects people in organisations campaigning for a cause far more important than yours. GrapheneOS works for good while you arm oppressors who work against causes like the ones above.
The security community's greatest principle is transparency and you can't claim yourself to be trailblazers when you keep research a secret and we will continue our work in spite.
#GrapheneOS version 2024102400 is out. It brings back the stricter DNS leak block that was previously reverted due to it breaking a lot of popular VPN apps (notably Proton VPN). An additional fix was made for the VPN DNS routing to prevent the compatibility issues from before. The ancient Android bug to do with widgets in secondary users disappearing has also been fixed by us.
IMPORTANT NOTICE that only affects a small amount of users: Apps which were only installed in secondary users but not Owner before updating to Android 15 and which were then installed in Owner after updating to Android 15 will have a one-time revocation of their Network/Sensors permissions after updating to this release as a minor consequence of migrating them from Android 14 again. If you installed an app, check those permissions!
Changes since the 2024102100 release:
- switch back our original stricter approach to DNS leak blocking from our 2024050900 release with an additional fix for an Android DNS routing bug causing requests to the VPN DNS servers to be routed incorrectly, which should avoid the compatibility issues experienced with certain VPN apps when we tried to ship it before
- avoid resetting Network or Sensors back to the global default after app updates in a specific case when migrating the state from Android 14 or earlier
- add an extra one-time migration of Network and Sensors being disabled in Android 14 to Android 15 to work around an issue with the previous migration of the permission state which occurred for some users with some of their apps
- fix ancient Android bug causing widgets to disappear from the user's home screen when the user stops, which was a major usability issue for secondary users
- Keyboard: extend fix for upstream layout bug in landscape mode to fully fix it for 3-button navigation in addition to the default gesture navigation
- Gallery: fix upstream cropping activity bug when both the input and output URI is the same to fix setting profile pictures for user profiles
- raise backup service transport (Seedvault) timeout from 10 minutes / 5 minutes to 60 minutes / 30 minutes to handle very large backups, particularly for the device-to-device mode which includes nearly all app data
- temporarily revert enforcing minimum 64kiB stack guard size for arm64 since Facebook recently included a buggy stack overflow check for the React Native Hermes runtime that's incompatible with larger gap sizes and beginning to be shipped by apps (revert was not applied for Android 15 port)
- Sandboxed Google Play compatibility layer: add stubs for update_engine wrapper API to avoid potential Play services crashes if the existing approaches to disable the update service fail
- Pixel 8, Pixel 8 Pro, Pixel 8a: disable Wi-Fi HAL debug logging to avoid memory corruption caught by hardware memory tagging on GrapheneOS
- kernel (6.1): update to latest GKI LTS branch revision
- use hardened GrapheneOS 6.6 LTS kernel for microdroid virtual machines for both arm64 and x86_64
- Vanadium: update to version 130.0.6723.73.0
- GmsCompatConfig: update to version 145
https://grapheneos.org/releases#2024102400
Releases | GrapheneOS
#GrapheneOS fully supports the Private Space feature in Android 15, which is essentially a separate user nested inside of the Owner user.
We strongly recommend it as a replacement for a work profile managed by a local profile admin app. It has better OS integration and isolation.
Private Space is an isolated workspace (profile) for apps and data similar to both user profiles and work profiles. All 3 forms of profiles also have entirely separate VPN configuration which is very useful even if you connected to the same VPN, since exit IPs can be separate.
All forms of profiles have separate encryption keys. You can keep a Private Space at rest while the Owner user is logged in just as you can with a secondary user.
Private Space makes it easier to share data than users. The clipboard is shared, but we could add a setting for it.
GrapheneOS users choose to use the OS in different ways. A lot of people largely use open source apps and not sandboxed Google Play. Others use sandboxed Google Play in their main profile. Many use sandboxed Google Play in a dedicated profile to choose which apps use it.
Regardless of how people choose to use sandboxed Google Play, they're regular sandboxed apps without special access. Private Space makes it easier to use a dedicated profile for sandboxed Google Play though.
It's also worth noting you can still use a work profile alongside it.
All of our features including Contact Scopes, Storage Scopes and sandboxed Google Play have full support for Private Space. We added support for it significantly before the release of Android 15, even before the initial early release of the source code was published in September.
#GrapheneOS: We've finally fixed the ancient Android bug causing widgets/shortcuts to disappear in secondary users when switching away from them. It will be included in our next release. This issue impacts every Android-based OS with secondary user support and was a major usability issue.
We've also fixed 2 more Android 15 regressions in AOSP. AOSP Gallery had a long time bug in the cropping activity which started breaking setting profile pictures for users in Android 15. We also extended our AOSP keyboard landscape layout fix for the legacy 3 button navigation.
I can't believe I am still seeing this be suggested as advice in some places, but, no, Signal does not contaminate digital evidence / attack forensics machines. Do not use apps claiming they can make attacks for these tools.
For some background: In April 2021, Signal got a hold of a Cellebrite UFED kit, a software package designed to create forensic clones of data for smartphones. Signal found a remote code execution vulnerability in UFED and made a snarky joke about leaving files designed to exploit the vulnerability on phones with Signal installed.
They didn't actually do this, it was a joke, and it wouldn't work. Cellebrite is a multimillion security company, they have the budget and skills to patch.
DO NOT ALLOW YOUR DEVICE TO BE ACCESSED JUST BECAUSE YOU THINK SOME APP WILL STOP IT.
- Cellebrite patched the vulnerability.
- Other retailers like MSAB support Signal in their products, so even if there was an RCE in one tool, another tool would be used instead.
- Giving away your password just because you think the evidence would be tampered is silly. They still have access to your device.
Some other apps you shouldn't rely on are apps that do duress features like Wasted or concept anti-forensic tool apps like LockUp.
For duress apps relying on a device admin like Wasted, the stock OS factory resets on almost any other device that are caused by admin apps can be bypassed by holding the volume down button to fastboot or recovery, effectively cancelling it. GrapheneOS Foundation is on the CVE for this. GrapheneOS duress erases before reboot so you cannot do this bypass.
Remote erasure apps also don't work if you're concerned about users with tools like this. It is common forensics practice to immediately airgap devices with a faraday bag, removing SIM and enabling airplane mode (where possible) to prevent this situation.
Apps like LockUp triggering resets based on detecting tool activity, file hashes and signatures are a temporary, flawed solution:
- The companies routinely research these apps and will just change known hashes or signatures if they are found out.
- It uses device admin, so can be bypassed the same way as Wasted.
- LockUp was designed by a security researcher to assist Cellebrite and patch vulnerabilities. It's not been updated in years. Cellebrite gives credit in their changelogs for the disclosure to the authors.
LockUp gets recommended in some spaces as an app to protect you, but you shouldn't use it. Not even the developer says you should because it's a proof of concept for a vulnerability disclosure.
#GrapheneOS based on Android 15 will reach the Stable channel later today. It's very stable already and we've fixed a bunch of upstream bugs including several impacting the stock Pixel OS. We've made 7 official releases based on 15 already and the 8th is going to reach Stable.
We normally would have had it in the Stable channel already. We've been quickly fixing all the significant issues as they've been reported, but people kept reporting new ones afterwards and they've been past what we consider significant enough to delay the release until today.
An AOSP keyboard app layout issue was reported today where in landscape mode the right side is slightly cut off but still remains usable. We could push out the current release to Stable, but we've resolved this and we're building another release so we'll very likely wait for it.
We're capable of pushing out a fix for the keyboard app issue via our App Store. We're currently considering which option is best while we build the release. It's too bad this didn't simply get reported yesterday in which case the release would already be in the Stable channel.
Stacker News is going noncustodial!
- Zaps to me aren't affected, transactions to final@stacker.news always attached to my own external wallet. Sending to there sends to final@minibits.cash.
- regardless, I have replaced the zap address on my Nostr page.
- Yes, I accept ecash now. #Nuts!
I've not posted changelogs for today's update as there will be more updates for Android 15 fixes as they come including another update today/tomorrow. Would spam the feed.
Most users will not get the Android 15 updates yet as it is exclusive to Alpha release channel so testers can provide feedback on fixes with AOSP bugs.
Some improvements also need to be made to Private Space. It needs to be worked on further to be more useable to GrapheneOS users, like an install available apps feature similar to user profiles. Private Space was only designed for installing apps from the OS source so it ends up opening the GrapheneOS App Store or Play Store for now, would need to get APKs manually, may be a problem to some.
Private Space also can't transfer files from Owner to Private Space (other way around is fine) which is a regression. Additional work needs to be done.
Here is how the Private Space feature looks so far. This footage belongs to tuxsudo, a Cake Wallet contributor.
Check out his thread for more, note this is footage from a sideload-only pre-Alpha build of GrapheneOS and regressions in this thread have or are currently being addressed in following updates. If you are a normal user then you do not have this feature yet.
https://xcancel.com/tuxpizza/status/1846494168496959667#m
Not usually something I like to post about, but I was waiting for a Material 3 UI Notes App for a long time.
Then I found this app:
Text formatting, exports to Markdown and JSON, media support, and encrypted backups. I've personally wanted an app like this for a long time. Other apps are either text editors or are very dated.
Apps like these fit extremely well into #GrapheneOS and I have a soft spot for them. I hope the developer continues working on it.
Check it out: 
GitHub - maelchiotti/LocalMaterialNotes: Simple, local, material design notes
Simple, local, material design notes. Contribute to maelchiotti/LocalMaterialNotes development by creating an account on GitHub.
Our initial #GrapheneOS release based on Android 15 is now available for early testing for technical users willing to sideload the release to their device. It's a regular production release and this can be done on a locked device with USB debugging disabled, but it's not heavily tested yet.
If you're interested in helping with either the early testing via sideloading or regular public testing via our Alpha and Beta channels, join our public testing chat:
You can choose between Matrix, Discord, IRC or Telegram. Most people use Matrix or Discord.
Contact | GrapheneOS
Initial Android 15 release for GrapheneOS looking good so far. OS builds are built for 6/15 devices and counting. Hope to have a release out soon.
Big day for GrapheneOS coming.