Android 16 QPR2 is out upstream and is pushed to AOSP. Work will be made to port once all the remaining sources have been pushed. This will take time to fully port as we had just previously ported QPR1, another major version, which was delayed in release.
Final
final@stacker.news
npub1hxx7...g75y
Cypherpunk forensic scientist and security specialist. Associate #GrapheneOS.
Matrix: f1nal:grapheneos.org
Web hosting / low spec VPS providers that accept Lightning... Go
Bonus points for domain registrar.
Time to put some value back on some sats.
The December Android Security Bulletin is out, showing the security patches released for December. See the following:
>Note: There are indications that the following may be under limited, targeted exploitation: CVE-2025-48633, CVE-2025-48572
We had these vulnerabilities patched already in the security preview channel of #GrapheneOS. 48633 was patched in 2025102301 and 48572 was patched in 2025092501 (**ALMOST 4 MONTHS AGO**) despite them being confirmed as exploited in the wild. Whatever threat actor was exploiting it was able to do so without much pushback for months even after being revealed. Samsung provided patches for 48572 early in October, but this is not every device or Android distribution.
Android Open Source Project
Android Security Bulletin—December 2025 | Android Open Source Project
I think you already know who won't be doing that. #GrapheneOS
The document was uploaded by a random user on the GrapheneOS Reddit (and other pages on the forum) where the OP admitted the device was UNLOCKED when it was taken. There was no exploitation because the device was unlocked. There is also no way to prove this document is legitimate on our end due to classifications (if it is, why post it? it would have a limited distribution... Easy to identify a source).
The alleged offence in the first page was also completely unrelated to anything to do with black hat cyber crime offences. Randoms on Dread forums have about as much credibility as the random Reddit user.
We now have experimental support for the Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL and Pixel 10 Pro Fold.
Our initial 2025112500 release for these is available through our web installer or releases page on our staging site. Download and test #GrapheneOS for your Pixel 10 at:
Web installer | Install | GrapheneOS
Releases | GrapheneOS
We no longer have any active servers in France and are continuing the process of leaving OVH. We'll be rotating our TLS keys and Let's Encrypt account keys pinned via accounturi. DNSSEC keys may also be rotated. Our backups are encrypted and can remain on OVH for now.
Our App Store verifies the app store metadata with a cryptographic signature and downgrade protection along with verification of the packages. Android's package manager also has another layer of signature verification and downgrade protection.
Our System Updater verifies updates with a cryptographic signature and downgrade protection along with another layer of both in update_engine and a third layer of both via verified boot. Signing channel release channel names is planned too.
Our update mirrors are currently hosted on sponsored servers from ReliableSite (Los Angeles, Miami) and Tempest (London). London is a temporary location due to an emergency move from a provider which left the dedicated server business and will move. More sponsored update mirrors are coming.
Our ns1 anycast network is on Vultr and our ns2 anycast network is on BuyVM since both support BGP for announcing our own IP space. We're moving our main website/network servers used for default OS connections to a mix of Vultr+BuyVM locations.
We have 5 servers in Canada with OVH with more than static content and basic network services: email, Matrix, discussion forum, Mastodon and attestation. Our plan is to move these to Netcup root servers or a similar provider short term and then colocated servers in Toronto long term.
France isn't a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don't feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries.
We were likely going to be able to release #GrapheneOS for experimental Pixel 10 support very soon and it's getting disrupted because of this. The attacks on our team continue to escalate. It is rough right now and your support is appreciated. Let's release soon.
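The signature-plus-downgrade check described in the posts above, as an added Go illustration that is not GrapheneOS code and not part of the original posts. The `Metadata` format, its field names, the use of Ed25519 and the fixed test key are all assumptions made for the example; the build numbers are reused only as constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Metadata is a hypothetical signed index; the field names are assumptions.
type Metadata struct {
	Channel string `json:"channel"`
	Build   int64  `json:"build"` // monotonically increasing build number
}

var (
	ErrBadSignature = errors.New("metadata signature invalid")
	ErrDowngrade    = errors.New("metadata older than last accepted build")
)

// Verify authenticates the raw bytes first, parses them only afterwards, and
// then refuses anything older than the newest build this client has accepted.
func Verify(pub ed25519.PublicKey, raw, sig []byte, lastAccepted int64) (Metadata, error) {
	var m Metadata
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, raw, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return m, err
	}
	if m.Build < lastAccepted {
		return m, ErrDowngrade
	}
	return m, nil
}

// RunScenarios returns the verdict for a newer build, a tampered copy, and a
// replay of an older build that still carries a perfectly valid signature.
func RunScenarios() (fresh, tampered, replayed error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // throwaway test key
	pub := priv.Public().(ed25519.PublicKey)
	sign := func(m Metadata) ([]byte, []byte) {
		raw, _ := json.Marshal(m)
		return raw, ed25519.Sign(priv, raw)
	}
	const lastAccepted = 2025111801 // constructed client state
	newRaw, newSig := sign(Metadata{"stable", 2025112100})
	oldRaw, oldSig := sign(Metadata{"stable", 2025102301})
	_, fresh = Verify(pub, newRaw, newSig, lastAccepted)
	forged := append([]byte(nil), newRaw...)
	forged[len(forged)-2] ^= 1 // alter the last digit of the build number
	_, tampered = Verify(pub, forged, newSig, lastAccepted)
	_, replayed = Verify(pub, oldRaw, oldSig, lastAccepted)
	return fresh, tampered, replayed
}

func main() { fmt.Println(RunScenarios()) }
```

The replayed case is the one a signature check alone cannot catch: the old metadata is authentic, so only the comparison against the client's stored build number rejects it.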
Info thread:
#GrapheneOS is being heavily targeted by the French state because we provide highly secure devices and won't include backdoors for law enforcement access to our software. They're conflating us with companies selling closed source products using portions of our code. Considering it is easy to search GrapheneOS online and read our documentation, you can only assume this is intentional.
Both French state media and corporate media are publishing many stories attacking the GrapheneOS project based on false and unsubstantiated claims from French law enforcement. This has even escalated to broadcast media. They've made a clear threat to seize our servers and arrest our developers if we do not cooperate by adding backdoors. Due to this, we're leaving French service providers and will leave / never operate in France.
In these attack pieces, they describe GrapheneOS with features not present in our software and showing sites and guides not in our control nor authored by us.
We need substantial help from the community to push back against this across platforms. People malicious towards us are also using it as an opportunity to spread libel/harassment content targeting our team, raid our chat rooms and much more. /e/ and iodéOS are both based in France, and are both actively attacking GrapheneOS. /e/ receives substantial government funding. Both are extremely non-private and insecure which is why France is targeting us while those get government funding.
We need a lot more help than usual and we're sending out a notification for situational awareness. If people help us, it will enable us to focus more on development again including releasing experimental Pixel 10 releases very soon. Spread the word about this current situation.
Initial thread:
Follow-up:
Thread about the FBI and European law enforcement selling devices to criminals using GrapheneOS code:
Thread about how ANSSI (French national cybersecurity agency) contributed to GrapheneOS:
GrapheneOS Mastodon
GrapheneOS (@GrapheneOS@grapheneos.social)
We were contacted by a journalist at Le Parisien newspaper with this prompt:
> I am preparing an article on the use of your secure personal data p...
GrapheneOS Mastodon
GrapheneOS (@GrapheneOS@grapheneos.social)
Here's another French journalist participating in fearmongering about GrapheneOS. That article is not measured. It provided a platform to make both...
GrapheneOS Mastodon
GrapheneOS (@GrapheneOS@grapheneos.social)
Please listen to this podcast about ANOM:
https://darknetdiaries.com/transcript/146/
The FBI ran a sting operation in Europe where they created t...
GrapheneOS Mastodon
GrapheneOS (@GrapheneOS@grapheneos.social)
France's cybersecurity agency was previously actively using GrapheneOS. They helped us by auditing our code and submitting bug reports such as this...
More people should have the new updates with the UI refresh now.
No bro you don't get it you just gotta do this key combination and type this random shit in


#GrapheneOS version 2025112100 released.
• fix regression from our Android 16 QPR1 port causing enabling the Network permission to not work without a reboot
• adevtool: fix SELinux policy handling issue causing fingerprint registration issues on the devices with power button fingerprint readers (Pixel Tablet, Pixel Fold, Pixel 9 Pro Fold) with Android QPR1
• fix port of our notification forwarding between user profiles feature to Android 16 QPR1
• enable new UI customization picker UI from Android 16 QPR1
• Wallpaper Picker: don't use the CuratedPhotos categories which aren't setup in AOSP
• Wallpaper Picker: hide the always-empty wallpaper carousel
• Wallpaper Picker: enable integration of the embedded photo picker
• System Updater, Sandboxed Google Play compatibility layer: switch to Material 3 Expressive theme for Settings app menus
• Cell Broadcast Receiver: fix presidential alerts toggle added by GrapheneOS not being enabled without the main emergency alerts toggle being toggled off and on
• Vanadium: update to version 142.0.7444.171.0
All of the Android 16 security patches from the current December 2025, January 2026, February 2026 and March 2026 Android Security Bulletins are included in the 2025112101 security preview release. List of additional fixed CVEs:
• Critical: CVE-2025-48631, CVE-2026-0006
• High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2025-22420, CVE-2025-22432, CVE-2025-26447, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634, CVE-2026-0005, CVE-2026-0007, CVE-2026-0008
2025112101 provides at least the full 2025-12-01 Android and Pixel security patch level but will remain marked as providing 2025-11-05.
Releases | GrapheneOS
Interview of French federal prosecutor saying that not providing them with backdoors is unacceptable and they'll go after us with charges if we don't cooperate with them:
archive.is/UrlvK
There's a very direct threat towards us in that article. They've made it clear they do not consider it acceptable for there to be devices they cannot break into. In that interview, there's a clear statement they'll go after us as they did others if we don't "cooperate" with them.
The demands they have from us are unspecified but we're not going to wait around to find out what they expect from us. #GrapheneOS will exit remaining global infrastructure in France and OVH as soon as possible. We do not feel safe operating in a country with federal law enforcement agencies lying about us and threatening us.
France's government is a strong supporter of backdoors for secure messaging apps including heavily supporting Chat Control. They appear to have the same position on secure devices. Their previous law enforcement action against both was done based on claims of ties to criminals.
In some of the cases, it was clear the companies were tied to criminals. One of those companies was an FBI sting operation from early on which was advertising itself as being based on GrapheneOS. Maybe some of the ones they're conflating with us are also sting operations too.
They're conflating shady companies selling products they say are based on GrapheneOS with us. ANOM was a sting operation by the FBI paying criminals to sell phones to criminals while advertising it as being based on GrapheneOS. Since when is the FBI facilitating crimes in France our fault?
Have you been noticing?
It happens:
When we succeed despite shortcomings,
When we just released a major update,
When we are working on more devices,
When we get patches early,
When new leaks confirm we protect users,
When we are the first, or the only, to do it,
and much more...
Tyrants are threatened when you defend yourself against their invasive control and oppression.
Keep paying attention.
Here's another French journalist participating in fearmongering about GrapheneOS. That article is not measured. It provided a platform to make both unsubstantiated and provably false claims about GrapheneOS while providing no opportunity to see and respond to those claims.
The claims the article platforms are conflating closed source products from European companies infringing on our copyright and trademarks with GrapheneOS. GrapheneOS doesn't have the features they claim it does, isn't distributed in the ways they claim and they don't understand open source software.
GrapheneOS is obtained from and https://grapheneos.org/releases. There are a bunch of legitimate companies in Europe selling devices with real GrapheneOS including NitroKey. We aren't partnered with those companies and don't get funding from it but there's nothing shady about it.
Products using operating systems partially based on our code are not GrapheneOS. There's no such thing as a fake Snapchat app wiping the device in GrapheneOS. It has no remote management or remote wiping built into it. It does not have a subscription fee / licensing system built into it either.
Vast majority of the code for those products comes from elsewhere: Android Open Source Project, Linux kernel, Chromium, LLVM and other projects. Of course the non-profit open source project writing a small portion of the code being used by those companies being targeted rather than IBM, Google, etc.
Both Android and iOS try to defend users from the same attack vectors we do. We developed far better protections against exploits which we release as open source code. Open source means anyone can freely use it for any purpose, exactly like the Android Open Source Project used by GrapheneOS itself.
Open source is why we can build GrapheneOS based on the Android Open Source Project. It doesn't make Linus Torvalds, IBM, Google, etc. responsible for what we do. Similarly, others can make their own software based on GrapheneOS. A fork of GrapheneOS contains a small portion of code written by us.
France supposedly has a right to reply which we intend to exercise to respond at length to these articles containing libel from the French state.
We're going to be ending the small amount of operations we have in France as we don't feel the country is safe for open source privacy projects anymore.
GrapheneOS doesn't host services storing sensitive user data. We have signature verification and downgrade protection for updates to the OS, apps and app store metadata. We're going to move our website and discussion server away from OVH. Our update mirrors and authoritative DNS are already elsewhere.
Our discussion forum, Matrix, Mastodon, etc. in OVH Beauharnois can be moved to local or colocated servers in Toronto instead. We can use Netcup (owned by Anexia, both German) as one of the main providers for website/network service instances. The majority of our servers are already not on OVH.
We won't travel to France including avoiding conferences and will avoid having people working in the country too. A simple heuristic for the EU is avoiding countries supporting Chat Control. We genuinely believe we cannot safely operate in France anymore as an open source privacy project.
Our pinned post on this platform shows a great example of why they're actually upset with us:
It almost makes us willing to contribute to AOSP again to try to wipe out their ability to exploit a subset of non-GrapheneOS Android devices too. Google is welcome to reach out.
Bluesky Social
Gabriel Thierry (@gabrielthierry.bsky.social)
A point that should raise alarm. I find the @leparisien.fr article measured: it reports police fears of a drift toward crimin...
Web installer | Install | GrapheneOS

X (formerly Twitter)
GrapheneOS (@GrapheneOS) on X
In April 2024, Pixels shipped a partial implementation of our January 2024 proposal for firmware-based reset attack protection. Fastboot mode now z...
If you see me fucking around at a conference soon, no you didn't 🫡
If I wasn't GrapheneOS maxi before then I am now. Fucking love these guys.
We ported the Android 16 security preview patches to 16 QPR1. 2025111801 is our first 16 QPR1 with December 2025, January 2026, February 2026 and March 2026 ASB patches:
We'll fix a few more QPR1 regressions and then it should be able to reach Stable.
Releases | GrapheneOS
We at #GrapheneOS were contacted by a journalist at Le Parisien newspaper with this prompt:
> I am preparing an article on the use of your secure personal data phone solution by drug traffickers and other criminals. Have you ever been contacted by the police? Are you aware that some of your clients might be criminals? And how does the company manage this issue?
Absolutely no further details were provided about what was being claimed, who was making it or the basis for those being made about it. We could only provide a very generic response to this.
Our response was heavily cut down and the references to human rights organizations, large tech companies and others using GrapheneOS weren't included. Our response was in English and was translated by them: "we have no clients or customers" was turned into "nous n’avons ni clients ni usagers", etc...
GrapheneOS is a freely available open source privacy project. It's obtained from our website, not shady dealers in dark alleys and the "dark web". It doesn't have a marketing budget and we certainly aren't promoting it through unlisted YouTube channels and the other nonsense that's being claimed.
GrapheneOS has no such thing as the fake Snapchat feature that's described. What they're describing appears to be forks of GrapheneOS by shady companies infringing on our trademark. Those products may not even be truly based on GrapheneOS, similar to how ANOM used parts of it to pass it off as such.
France is an increasingly authoritarian country on the brink of it getting far worse. They're already very strong supporters of EU Chat Control. Their fascist law enforcement is clearly ahead of the game pushing outrageous false claims about open source privacy projects. None of it is substantiated.
iodéOS and /e/OS are based in France. iodéOS and /e/OS make devices dramatically more vulnerable while misleading users about privacy and security. These fake privacy products serve the interest of authoritarians rather than protecting people. /e/OS receives millions of euros in government funding.
Those lag many months to years behind on providing standard Android privacy and security patches. They heavily encourage users to use devices without working disk encryption and important security protections. Their users have their data up for grabs by apps, services and governments who want it.
There's a reason they're going after a legitimate privacy and security project developed outside of their jurisdiction rather than 2 companies based in France within their reach profiting from selling 'privacy' products.
Here's that article:
https://archive.is/AhMsj

GrapheneOS Discussion Forum
Devices lacking standard privacy/security patches and protections aren't private - GrapheneOS Discussion Forum
GrapheneOS discussion forum