Final

We received an ASN and IPv6 space for #GrapheneOS from ARIN: AS40806 and 2602:f4d9::/40. We've deployed 2 anycast IPv6 networks for our authoritative DNS servers to replace our existing setup: 2602:f4d9::/48 for ns1 and 2602:f4d9:1::/48 for ns2. BGP/RPKI setup is propagating. We applied for an IPv4 /24 for ns2 via NRPM 4.10 and can apply for one for ns1 after we obtain that one. Our ns1 network has New Jersey, Miami, Los Angeles, Seattle, Frankfurt and Singapore. Our ns2 network currently has New York, Las Vegas and Bern. We'll be expanding both. This provides an overview of worldwide latency for our ns1 cluster via the Rage4 anycast service we currently use for IPv4+IPv6 with ns1: https://ping6.ping.pe/2a05:b0c4:1::8 Here's ns1 via our own IPv6 /48: https://ping6.ping.pe/2602:f4d9::1 Here's ns2 via our own IPv6 /48: https://ping6.ping.pe/2602:f4d9:1::1 In the future, we plan to use these 2 anycast networks to provide recursive DNS resolvers as an option for our users. For now, it's only for the authoritative DNS used to provide other GrapheneOS services which is what DNS resolver servers query after the root and TLD servers.

Android 16 QPR1 is finally being pushed to the Android Open Source Project. This should have happened on 2025-09-03. We migrated to full Android 16 QPR1 kernel code (GPLv2 tarball) and firmware in September. We couldn't migrate userspace to QPR1 without it being pushed to AOSP. #GrapheneOS

We've deployed our first Vultr server for our anycast ns1.grapheneos.org and will be migrating the whole thing to Vultr as part of improving the anycast network. We are later moving to our own ASN + IP space (we've obtained an ASN and IPv6 /40 from ARIN already and will be applying for our first IPv4 /24 via a special clause for dual stack DNS soon).

Project Zero (Google's security research team) found a remotely exploitable vulnerability impacting Google Messages and reported internally back in June 2025 but the team at Android still have not fixed for the stock OS. People can have their device remotely exploited and taken over without any interaction from the victim with a known vulnerability. https://project-zero.issues.chromium.org/issues/428075495 Another win for us, but truthfully, users shouldn't have to install a third party operating system like #GrapheneOS to have protection against such a thing. Any responsible team would have patched by now. iOS would have. The same applies to getting security patches when they are created. An embargo of up to three months for vulnerability information and patches is unacceptable. We have patches scheduled for March 2026 coming in our security preview releases while most OEMs are just following the monthly Android Security Bulletins. Google's ongoing layoffs and recent misguided changes to the security update model have significantly reduced stock Android security.

Both of the November 2025 patches have been provided in our regular non-security-preview releases for over a month, so we've already had the 2025-11-05 Android security patch level for over a month. Our patch level is set based on providing both the Android and Pixel security patches, so we're leaving it at 2025-11-01 until the Pixel stock OS release and Pixel Update Bulletin are published. The stock Pixel OS also included both November 2025 patches in early September. We expect they made a 2nd October release to ship the November carrier changes and will make a release in mid-November with patches from future Android Security Bulletins. All of the Android 16 security patches from the current December 2025, January 2026, February 2026 and March 2026 Android Security Bulletins are included in the 2025110601 security preview release. List of additional fixed CVEs: Critical: CVE-2025-48631, CVE-2026-0006 High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2025-22420, CVE-2025-22432, CVE-2025-26447, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634, CVE-2026-0005, CVE-2026-0007, CVE-2026-0008 2025110601 provides at least the full 2025-12-01 Android security patch level (a Pixel Update Bulletin for November 2025 hasn't been released could have fixes we don't get early, although it's likely empty) but will remain marked as providing 2025-11-01. nostr:nevent1qqsgk3ex0wdtqu9vpjxsgfvew4rhy7rn92m6uq5r7fa72zmtwml0t3gpzemhxue69uhhyetvv9ujuerfw36x7tnsw43z7q3q235tem4hfn34edqh8hxfja9amty73998f0eagnuu4zm423s9e8ksxpqqqqqqz57hawj

Linus Tech Tips tried out #GrapheneOS. Check it out: https://www.youtube.com/watch?v=gDR6V5OdnYg

When an individual acquires a zero-day and turns it into a product to be bought by people to freely target users of the vulnerable software, they are treated like a crook. When Cellebrite do it, it should be no different. Here is the statement from Cellebrite on the matter: “We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage.” A software developer is entitled to know that their software is being / attempted to be exploited by a wealthy, influential actor. This is called responsible disclosure, a virtue of the security community these companies don't follow. What we do against these groups is an act of self-defence of our product and work. GrapheneOS, Google, Samsung, Apple and the greater mobile security community is neither a "potential criminal" or a "malicious actor". These authoritarian talking points are stale and come from the same playbook as "Think of the children" and other fallacy phrases meant to attack you as being a danger for something as simple as wanting to protect yourself. Vulnerabilities don't just exist for the bad guys. All vulnerabilities are to be patched when uncovered. At the bare minimum, a single so-called illicit use of it anywhere in the world immediately makes their exploit a cyberweapon that must be neutralised. Them being an exploit alone is the only justification we need to seek disrupting these threat actors' work. nostr:nevent1qqs8x6x0y29mylmrakd48zcjg8h670r65dfwlpq2l0896xv6uvyg63cpzpmhxue69uhkummnw3ezumt0d5hsyg9e3hk5e6h2ypusm09ncv2qq6fqp8f5clueylpgdq66nxm5sxjuygpsgqqqqqqsuta0xl

Both patches in the November 2025 Android Security Bulletin have been included since our September 2nd release. It's now known that our 2025090200 and later releases provided the 2025-11-05 Android security patch level early due to shipping extra patches. https://source.android.com/docs/security/bulletin/2025-11-01 It's because these two patches were included in the full September 2025 bulletin patches we shipped but were made optional until November 2025. Later in September, we started our security preview releases able to provide Android Security Bulletin patches around 2-3 months early. Our security preview releases currently have the December 2025 and January 2026 patches. December 2025 has a huge set of patches due to being a quarterly patch level. January 2026 will likely be empty. We should have quarterly March 2026 patches to ship within a couple weeks. Due to having early access to the patches which we can use for our security preview releases, we've been able to determine that a subset were pushed to AOSP and other projects prior to the official embargo ending which means we'll be including those in our regular releases soon. Our security preview releases shipped all available December 2025 security patches in September 2025 and have continued adding the remaining patches. It should be frozen soon, but most of the patches have remained the same since September. Some were deferred to future bulletins. The new security patch system being used by Android is confusing for users and bad for the security of anyone not using #GrapheneOS with our security preview releases. We could have set the patch level string to 2025-11-01 in early September but in this case we didn't do that.

GrapheneOS has diminished exploit capabilities for Cellebrite a third time. They are no longer able to Full Filesystem extraction an unlocked device. This prevents extraction of hidden operating system and application data. Given it is unlocked, they're still accessing all the important stuff though. This could be an indicator of their target. They are likely to move their resources to attempt researching an exploit targeting the Titan M2 secure element or for extraction for AFU Locked devices rather than be concerned about extracting a device already unlocked. We routinely receive this information from sources familiar with Cellebrite. However, do you have more information on exploit vendors? Do the right thing. Tip off #GrapheneOS at security@ our domain or contact the project account on our platforms. We will respect your privacy. We have made upstream security reports to Google and Apple. Encryption can be performed via our Age public key: age1dcftzgq00ykgwvxl5te6d5clqgx75h2g54c0u8gjc43mcnea7p7q3ma0yx https://grapheneos.org/.well-known/security.txt nostr:nevent1qqs0y3sauv2rmn2z6jasfu6kl85f8574qlpl84ffmjyy43xlgmvgewsppemhxue69uhkummn9ekx7mp0qgstamq7hv6fjwexll9g6wrs2q678ctm0ns7r7qy3vgxdl74lhv06gqrqsqqqqqp8qrcwn

🙋 nostr:nevent1qqsfkn7t34tpzckmuufellzz26acz5ayzka80s3nhkgxtdc2pvryxtcpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtczypgfcdzlq5vv59pph20jd2v2c6ctd7yykxr5akwzqvs06sg4svf7gqcyqqqqqqgtl8zxu

A user on our community platforms submitted a grainy photo from a Cellebrite Premium sales pitch suggesting that they lost support for full filesystem extractions on *UNLOCKED* #GrapheneOS devices. This would mean that Cellebrite can no longer extract hidden operating system data or application data not available to the user when they know the users password. They are still unable to bypass the Titan M2 secure element backed brute force protections.

As GmsCompat (sandboxed Google Play compatibility later) development continues we get more compatibility with certain apps due to adding more workarounds with certain apps not working, like our recent fix with a shim for font loading. In the late future we could look at how to reduce the need to install any Google Play services implementations for apps, make them just work without any services, sandboxed or otherwise. Google Camera, Android Auto, and some others just work on GrapheneOS.

Wordle 1,589 5/6 ⬛🟨🟨⬛⬛ ⬛🟩⬛🟨⬛ ⬛🟩⬛⬛🟩 ⬛🟩⬛⬛🟩 🟩🟩🟩🟩🟩

Pixel Camera works without sandboxed Google Play services again with the GmsCompatLib version 100 update available in our App Store for GrapheneOS 2025102300 or later. The same changes will also be bundled in the next #GrapheneOS release, but this is our first out-of-band GmsCompatLib update which we'll be using to avoid needing OS releases to fix nearly any GmsCompat (sandboxed Google Play compatibility layer) related compatibility issues. It includes 2 fixes for other things too. nostr:nevent1qqsgwdr7kzjjwcw4pudsv68h5vke4qzxmhys8rt5l5jy6u0zz7j7p8gppemhxue69uhkummn9ekx7mp0qgstnr0dfn4w5grepk7t8sc5qp5jqzwnf3lejf7zs6p44xdhfqd9cgsrqsqqqqqpcaxkys

#GrapheneOS GmsCompatLib version 100 released. - extend shim for background service starts to address edge cases where a foreground service is required - add shim implementation of GmsFontProvider to prevent crashes of apps depending on Play services when it's missing or disabled (restores support for using Pixel Camera without Play services) - fix NoOpPrewarmService chain crash in Pixel Camera caused by lack of privileged OS integration https://github.com/GrapheneOS/platform_packages_apps_GmsCompat/releases/tag/lib-100

#GrapheneOS version 2025102200 released. • adevtool: add satellite eSIM overlays to avoid the special Skylo eSIM on 9th/10th gen Pixels being listed as a regular eSIM and being possible to erase with the regular eSIM erase functionality • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.111 • kernel (6.12): update to latest GKI LTS branch revision including update to 6.12.52 • System Updater: prevent reboot and security preview notifications from timing out after 3 days which is standard behavior since Android 15 QPR1 • System Updater: mark notification permission as fixed to prevent disabling overall notifications, but enable blocking progress, failure and already up to date notification channels • Sandboxed Google Play compatibility layer: add support for overriding BinderProxy transactions • Sandboxed Google Play compatibility layer: add support for out-of-band updates to GmsCompatLib • Vanadium: update to version 141.0.7390.111.0 • Vanadium: update to version 141.0.7390.122.0 • raise emulator super / dynamic partition size due to reaching the limit in some cases • adevtool: prefer prebuilt AOSP JDK 21 All of the Android 16 security patches from the current November 2025, December 2025 and January 2026 Android Security Bulletins are included in the 2025102201 security preview release. List of additional fixed CVEs: • Critical: CVE-2025-48593, CVE-2025-48631 • High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2024-43766, CVE-2025-22420, CVE-2025-22432, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634 2025100901 provides at least the full 2025-11-01 patch level and the Android 2025-11-05 patch level (Pixel Update Bulletin could have fixes we don't get early) but will remain marked as providing 2025-10-05. https://grapheneos.org/releases#2025102200

GmsCompat (sandboxed Google Play compatibility layer in GrapheneOS) will have it's library signed with a separate key to allow for out-of-band updates. Should allow faster delivery of app compatibility fixes without waiting on new releases of GrapheneOS for the most part.

FYI: "Lockdown" button does not put an Android device BFU. It is still AFU, attack surface still applies. It just forces the user to use the primary credentials the next time. In GrapheneOS, the button "End Session" or "Power Off" is what you want.

Here is my scheduled corpo posting of a collage of software, now Please Buy My Fucking Products nostr:nevent1qqs2uu9kfzzr9l8f9uc0rvxfez9uutrpwm52z7yvzjaj8qg4ge2fkwspzpmhxue69uhkummnw3ezumt0d5hsyg9e3hk5e6h2ypusm09ncv2qq6fqp8f5clueylpgdq66nxm5sxjuygpsgqqqqqqsvkl7a0

Privacy is a human right. nostr:nevent1qqs2uu9kfzzr9l8f9uc0rvxfez9uutrpwm52z7yvzjaj8qg4ge2fkwspzpmhxue69uhkummnw3ezumt0d5hsyg9e3hk5e6h2ypusm09ncv2qq6fqp8f5clueylpgdq66nxm5sxjuygpsgqqqqqqsvkl7a0