Final
final@stacker.news
npub1hxx7...g75y
Digital forensics and security specialist part of the GrapheneOS project. Posts my own and not endorsed by my employer. AI slop and Nostr DMs ignored. Matrix: f1nal:grapheneos.org
Final 8 months ago
Users of #Obtainium may be interested in this web site: It appears to have "Add to Obtainium" buttons to add the source of the app for you. Good for searching known apps. Can be saved as a PWA. Obtainium maintainers also keep a list of app configs for more complex apps at A better last resort option should app stores not be sufficient.
Final 8 months ago
#GrapheneOS version 2025060100 released.

This release patches out an Android / Linux kernel vulnerability that isn't fixed upstream, whose effectiveness was already very limited in GrapheneOS since 2022.

Due to an upstream Linux kernel vulnerability, Android's attempt at restricting access to Android/data and Android/obb for the file management permission didn't work (https://nvd.nist.gov/vuln/detail/CVE-2024-50089). A fix was implemented in the Linux kernel, then reverted due to breaking compatibility.

Fix:
Revert:

CVE assigned to this (CVE-2024-50089) was then rejected, since the Linux kernel project took over managing Linux kernel CVEs and only allows CVEs for their backported patches, not as a vulnerability tracking system.

Upstream Android seems unwilling to temporarily apply a kernel patch. Some other AOSP-based projects are adopting an approach to this we don't believe is correct.

Changes since the 2025052800 release:

- Media Provider: expand our existing protection against CVE-2024-50089 which is still not addressed upstream (we added generic hardening in 2022 as a prerequisite for Storage Scopes which, along with fixing information leaks still unfixed upstream, blocked exploiting CVE-2024-50089 for the common cases of not granting permissions, granting media permissions or using our Storage Scopes feature, but we didn't fully cover "All files access" or the legacy API level equivalent when not using Storage Scopes)
- System Updater: prevent disabling overall notifications due to lack of a use case and many users doing it by accident, but continue allowing disabling the individual notification channels other than the reboot notification
- kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.92
- Messaging: update to version 8
Final 9 months ago
#GrapheneOS version 2025051900 released.

This update adds support for private spaces in secondary user profiles and the ability to install available apps to private spaces.

• add NFC auto-turn-off setting to go along with the existing addition of Wi-Fi and Bluetooth auto-turn-off settings
• Private Space: add new setting for disabling delayed locking of storage to make locking work like secondary user end session, similar to the toggle for disabling secondary users running in the background (standard Private Space doesn't work this way to keep fingerprint unlock available after it's locked/stopped)
• Private Space: add new setting for blocking sharing the clipboard to and/or from the parent profile and other nested profiles within it
• Private Space: add support for the Install available apps feature we currently enable to support installing apps available in the Owner user to secondary users
• Private Space: add support for secondary users including all standard features with the exception of auto-locking support since our implementation of that is too complex/invasive to properly review and test while we're focused on Android 16 porting
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.138
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.89
• Keyboard: move the emoji key to the left of the keyboard for the phone layout instead of putting it behind a long press or replacing the enter key with it when put into the emoji mode by apps like AOSP Messaging
• Keyboard: stop replacing the emoji key with the .com key for the email and URL input types
• Vanadium: update to version 136.0.7103.125.0
• add support for testing Android 16 Beta 4.1 feature flags for development builds
Final 9 months ago
Next #GrapheneOS update adds support for private spaces in secondary user profiles and the "Install available apps" feature for private spaces and much more.
Final 9 months ago
A cold, hard truth a lot of social media influencer privacy / security enthusiasts won't like to admit about themselves is that you are likely to know much less than you think you actually do. Including myself. A cyber security professional who uses all the normie-tier, status quo products will be far more safe than someone who isn't a professional and is using software focused on privacy or security. If you want to know more you need to study with the mentality like you want to be a professional. The former group of people know and understand the products they use and their security properties. Depending on the role they also know how to reverse engineer, discover vulnerabilities and have a consistent threat model when building defences. The latter are often using a product because some place online told them to without much critical care or observation. It shows a lack of adaptive technical skills, approach or mindset. Talented hackers and security professionals using Windows, Apple products and more aren't hiding some secret incompetence. They just know what their requirements and demands are and their choices fill them. They know they can move and use something tougher at any time should their needs change. Changing a software or a device choice is only a small part. It's a shame that a lot of online spaces have this mentality that many things are completely compromised in secret, when in reality this only works in a nonsensical dystopia where all the intelligent people ONLY work with their perceived threat (whether it is secretive agencies, governments, some advanced actor or whatever else) and the common man is stupid. This is the same mentality with which some, like flat earthers, believe the world is run. Being a hacker is all about learning how things work. How do you think people get to understand malware without source code? How do the bad guys break into systems they never touched?
Reading can only do so little in a specialty that changes frequently and where information is outdated all the time. A book can't get updated, and not every forum post does. If you want to start getting serious, log off the forums and go on a security lab platform and check out their guided training, or take a course, or get an entry-level job.
Final 10 months ago
#GrapheneOS Important Statement One of our two senior developers has been forcibly detained and conscripted to participate in a war. When they first went missing, we revoked their repository access as a precaution. We soon learned their disappearance was completely unrelated to GrapheneOS. Our priority has been keeping them safe. We've used our available connections to try to keep them safe. There's no way to get them out of the conscription. However, they're an incredibly talented security researcher and engineer and it would be extraordinarily misguided to send them to front line combat. This seems to be understood now. GrapheneOS development and updates have continued and will keep going. We have substantial funds available to hire multiple experienced developers. We'll need to hire multiple experienced developers to fill their big shoes. They'll hopefully be safe and when they return we'll have a bigger team. If you're an experienced AOSP developer interested in working full time on GrapheneOS in a fully remote position, see the hiring page at: We can pay people anywhere in the world via BTC, XMR, ETH or Wise (local bank transfers). We need people who can hit the ground running due to the current situation. Our near term focus is going to heavily shift to Android 16 porting, maintenance and continuing to do better patching than standard Android 15 QPR2. An OEM providing us early access to Android 16 sources would help a lot and we wouldn't need to slow down new feature development nearly as much.
Final 10 months ago
Our initial highly experimental release for the Pixel 9a is now available for both CLI and web install via We've tested both install methods and did basic testing of functionality including Wi-Fi, camera, audio, etc. Feedback is needed from users now. We've tested the over-the-air upgrade path for the Pixel 9a internally via a sample update with no changes. We usually only use these sample updates internally for testing the upgrade path of each release. However, for broader testing, we're releasing it through each channel now. First update from the initial 2025041200 release to the new 2025041201 release has no changes beyond build date and build number. The incremental (delta) update package is only 158KiB despite it shipping the full new firmware and OS images. We tested a full update package too. Basic functionality has been tested for a while along with the upgrade path via both our System Updater app and recovery. It no longer needs to be considered highly experimental. Therefore, experimental Pixel 9a releases are now available on our regular production website too. All of the standard Android and #GrapheneOS functionality should already be working on the Pixel 9a including our hardware-based USB-C port control feature, hardware memory tagging, etc. Main work was dealing with the temporary QPR1-based device branch.
Final 10 months ago
OpenSSL 3.5.0 was recently released with support for Post Quantum Cryptography (PQC). The package update is now deployed across our servers. Our web services now use hybrid PQC key exchange with clients supporting it. Easy to confirm X25519MLKEM768 gets used in Chromium browsers.
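One way to do the confirmation the post mentions from the command line rather than a browser, as an added example that is not part of the original post and not GrapheneOS's own tooling: offer the hybrid group first in the client's key share and read back what the server negotiated. It assumes an OpenSSL 3.5+ client (older builds don't know the X25519MLKEM768 group name) and that s_client reports the result on a "Negotiated TLS1.3 group:" line, which is the format current OpenSSL releases print; the hostname is a placeholder.

```shell
# Added example (not from the original post). Assumes OpenSSL 3.5+ and that
# `openssl s_client` prints a "Negotiated TLS1.3 group: <name>" line.

# Read s_client output on stdin and print the negotiated TLS 1.3 group name.
negotiated_group() {
  sed -n 's/^Negotiated TLS1\.3 group: *\([A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) only when the group is the hybrid X25519 + ML-KEM-768 one.
is_hybrid_pqc() {
  [ "$1" = "X25519MLKEM768" ]
}

# Live handshake against HOST[:PORT]: offer the hybrid group first so a
# capable server can pick it, fall back to classical X25519 otherwise.
check_host() {
  host="$1"; port="${2:-443}"
  group=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_3 -groups X25519MLKEM768:X25519 </dev/null 2>/dev/null \
          | negotiated_group)
  if is_hybrid_pqc "$group"; then
    echo "$host: hybrid PQC key exchange ($group)"
  else
    echo "$host: classical key exchange (${group:-unknown})"
  fi
}

# Usage (placeholder host): check_host example.invalid
```

If the server still negotiates plain X25519 with this client, the usual causes are an OpenSSL build older than 3.5 on either side or a middlebox that strips the larger ML-KEM key share from the ClientHello, so check the client version first.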
Final 10 months ago
Our 2025040700 release was an early April 2025 security update release based on the Android Security Bulletin backports. April 2025 monthly release of Android 15 QPR2 is in the process of being published today and we'll make a new release after the tags are all pushed to AOSP. Today is also the launch day for the Pixel 9a. The tags for the Pixel 9a should get pushed to AOSP after the monthly update is fully pushed. Once that's pushed and we've released the April update of Android 15 QPR2, we can start working on adding Pixel 9a support to #GrapheneOS. We have a Pixel 9a ordered for our main device farm which has been marked as ready for pickup by the delivery company. It will hopefully be delivered tomorrow. We've generated signing keys and added preliminary support to Auditor and AttestationServer which will need testing. April 2025 update for the Pixel 9a stock OS is still based on Android 15 QPR1 rather than Android 15 QPR2. They updated the device branch to the April 2025 security patch level via backports from Android 15 QPR2. Our initial port will be from our final Android 15 QPR1 release. Our final Android 15 QPR1 release was 2025030300 which was the first Monday of March, which was the day the Android Security Bulletin was published so we made a similar early security update release based on it. Android 15 QPR2 was released the next day (March 4th). Pixel 8a launched in a similar way based on Android 14 QPR1 instead of Android 14 QPR2. It was the first time it happened that way, and now they've repeated it with the Pixel 9a. It's strange to launch a new device on the previous major OS release with security backports instead. Android 14 QPR3 was released less than a month after the Pixel 8a and it was merged into the mainline releases. It's not clear if the Pixel 9a will get an update to Android 15 QPR2 or move straight to Android 16 in June. Either way, it will have a device branch until Android 16.
Final 10 months ago
Android Security Bulletin for April 2025 has 2 more vulnerabilities marked as being exploited in the wild. We've fully blocked exploiting both vulnerabilities for locked devices for years, before 2024. Our defenses against these attack vectors have been greatly improved since 2024. #GrapheneOS fully prevented exploiting both vulnerabilities for locked devices, made both far harder to exploit while unlocked and already had both patched for a while too.

CVE-2024-53150: heap overflow (read) in a Linux kernel USB sound card driver
CVE-2024-53197: heap overflow (write) in a Linux kernel USB sound card driver

These vulnerabilities were being exploited by Cellebrite for data extraction from locked Android devices without GrapheneOS. We have a post from late February about CVE-2024-53197 and 2 other bugs exploited by Cellebrite which they were blocked from exploiting by GrapheneOS:

CVE-2024-53150 is almost certainly part of the same batch of vulnerabilities they've been exploiting.

covers how we've greatly improved the GrapheneOS defenses against these attacks since early 2024. We're continuing to work on improving it. We helped get firmware security improvements to Pixels and are advocating for further hardware/firmware changes.
Final 10 months ago
Macarne (https://macarne.com/) has provided a sponsored server to replace our current EU update servers so we can handle current traffic and near future growth. Ryzen 9950X, 128GB RAM, 2x 2TB NVMe and most importantly 25Gbps bandwidth. It's greatly appreciated! We use GeoDNS and round-robin DNS to distribute load across our servers with automatic failover. Ideally, we can find a good 2nd provider willing to provide sponsored/discounted 2x 10Gbps servers to cover each coast of North America. 2x 25Gbps would be great but not needed yet. Our existing setup was 8x 2Gbps OVH VPS instances with 4 in Quebec, 2 in France and 2 in Germany. This was getting increasingly overloaded for the 4 major releases per year, and the largest one (Android 16) is coming up soon. European bandwidth usage is also around 50-60% higher. #GrapheneOS