#GrapheneOS version 2024050300 released.
This update contains various hardening additions, fixes Google Fi eSIM activation (again) and changes OS infrastructure to prepare for an upcoming App Communication Scopes feature.
See the changes:
- remove special handling of the resolver activity ("Open with..." dialog) which was added to Android in order to support instant apps as preparation for our in-development App Communication Scopes feature
- fix Google Fi eSIM activation
- improve isolation of the eSIM activation apps
- improve GrapheneOS infrastructure for per-app state
- enable heap memory tagging for vendor processes by default, remove the user-facing toggle in the Settings and restrict toggling the value to debug builds
- disable most handling for instant apps in the package manager as attack surface reduction
- disable out-of-band APEX updates as attack surface reduction
- only allow first party app source and shell to update system packages
- improve robustness of original-package handling
- Settings: hide GNSS SUPL and PSDS settings on devices without GNSS hardware
- fix regression from our Android 14 QPR2 port causing Storage/Contact Scopes link to disappear after going back to the permissions screen
- improve setup wizard theme to more closely match the stock Pixel OS configuration
- backport mainline APEX module patches for Android Health, Media Provider, Network Stack, and Wi-Fi
- kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.212
- kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.150
- kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.80
- Log Viewer: use human readable UTC time for logcat timestamps
- GmsCompatConfig: update to version 109
- Vanadium: update to version 124.0.6367.113.0
- Apps: update to version 23
- work around our app repository client taking ownership of updates for the debug toggle we use to test new Android Auto releases
- fix debug build option for testing same versionCode package updates
final [GrapheneOS]
Keeping the fight.
Community Moderator for #GrapheneOS
https://discuss.grapheneos.org/u/final
This is a personal account. I do not speak on behalf of GrapheneOS developers as a whole (nor am I) and suggestions shall not be endorsements.
If I had a dollar for every time someone made GrapheneOS anime girl fanart I'd have about 10,000 sats
And no, AI doesn't count.
Vivaldi UI and features with Brave state partitioning, anti-fingerprinting and content blocking would kill the browser game
#GrapheneOS version 2024042100 released.
This update backports an upstream Linux kernel patch for a kernel panic caused by another patch in the last update.
These are the changes from the previous update (2024042000) that are relevant:
- add toggle in Settings > Security for opting into memory tagging in vendor processes currently excluded from it with the end goal of having it force enabled without a toggle as we do for the rest of the base OS
- allow eSIM activation app to interact with Google Fi app when installed to fix Google Fi activation
- use ro.vendor.build.svn system property from adevtool instead of AOSP to make sure it always matches the stock OS
- Pixel Fold: update to AP1A.240405.002.A2 vendor files
- Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro: update to AP1A.240405.002.B1 vendor files
- Log Viewer: include kernel log buffer in default log output
- Log Viewer: show "Save" instead of "Copy" button for logs that are over ~50 KB
- Log Viewer: improve handling of log saving
- backport mainline APEX module patches for Android Health, ART, DNS Resolver, Media Provider, Network Stack, PermissionController and Wi-Fi
- TalkBack (screen reader): update base code to 14.1 and massively overhaul our changes to it
- Vanadium: update to version 124.0.6367.54.0
- Camera: update to version 68
- Auditor: update to version 79
- GmsCompatConfig: update to version 104
- Setup Wizard: layout and style improvements
- Setup Wizard: add functionality for testing on debug builds
#GrapheneOS version 2024042000 released.
This update most notably fixes Google Fi eSIM activation.
See the changes:
- add toggle in Settings > Security for opting into memory tagging in vendor processes currently excluded from it with the end goal of having it force enabled without a toggle as we do for the rest of the base OS
- allow eSIM activation app to interact with Google Fi app when installed to fix Google Fi activation
- use ro.vendor.build.svn system property from adevtool instead of AOSP to make sure it always matches the stock OS
- Pixel Fold: update to AP1A.240405.002.A2 vendor files
- Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro: update to AP1A.240405.002.B1 vendor files
- Log Viewer: include kernel log buffer in default log output
- Log Viewer: show "Save" instead of "Copy" button for logs that are over ~50 KB
- Log Viewer: improve handling of log saving
- backport mainline APEX module patches for Android Health, ART, DNS Resolver, Media Provider, Network Stack, PermissionController and Wi-Fi
- TalkBack (screen reader): update base code to 14.1 and massively overhaul our changes to it
- kernel (5.10): update to latest GKI LTS branch revision
- kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.148
- kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.76
- Vanadium: update to version 124.0.6367.54.0
- Camera: update to version 68
- Auditor: update to version 79
- GmsCompatConfig: update to version 104
- Setup Wizard: layout and style improvements
- Setup Wizard: add functionality for testing on debug builds
Auditor version 79 released:
- modern Material 3 UI overhaul
- use edge-to-edge layout
- update CameraX library to 1.3.3
- update AndroidX Core library to 1.13.0
- update Bouncy Castle library to 1.78
- update Guava library to 33.1.0
- update ZXing library to 3.5.3
- update Gradle to 8.7
- update Android Gradle plugin to 8.3.2
- update Kotlin to 1.9.2
#GrapheneOS
Due to frequent DDoS attacks, we're enforcing stricter limits on the number of connections to our servers. By default, each server enforces a limit of 16 or 32 TCP connections from each IPv4 address and IPv6 /64 block. During persistent attacks, these limits will be adjusted.
We've determined these limits are high enough to avoid causing issues due to CGNAT. Browsers open a single TCP connection to each domain or server due to HTTP/2 multiplexing. Our focus is tuning it to avoid it triggering for our network/update services (
The naive approach to enforcing TCP connection limits starts with the initial SYN packet. An attacker can leverage this to their advantage with a spoofed SYN packet flood to fill the connection limit tracking tables to bypass them or block all new connections if you fail closed.
Tracking all connections with conntrack is enough to open up a new denial of service attack vector since the conntrack table can be filled by an attacker. For this reason, we were previously making all inbound connections untracked and are still doing that for both UDP and ICMP.
To prevent conntrack table exhaustion, we're using synproxy for SYN packets above a rate limit of 1024/second with 128 burst.
To prevent abusing connections limits or filling the sets enforcing them, we're only counting successfully established connections towards the limits.
Both the official documentation for netfilter (iptables/nftables) on connection limits and every guide we've found are vulnerable to all 3 of the attacks described above. There's info on using synproxy, but not combining it with connection limits or rate limiting it kicking in.
Our firewall configuration is published at
and provides a reference on how to do this.
There are 4 cases for the connection limits to handle both the non-synproxy and synproxy cases for both SYN packets and the first ACK for newly established connections.
Newly established connections (valid first ACK) without synproxy are added to connection limit sets or rejected if above the limit. The connection is marked to bypass the checks going forward. For synproxy, this has to be done for the spoofed SYN packets it sends via loopback.
For web services with HTTP/2 enabled, we're still enforcing a connection limit at the nginx layer since each concurrent HTTP/2 request over the same TCP connection is considered a connection. For other services, we've removed obsolete application layer per-IP connection limits.
Our new approach is superior because it enforces the limits at the firewall layer without needing applications to process and reject the connections. The reason we didn't previously enforce the limits at the firewall layer is because the typical approach opens up new weaknesses.
Implementing connection limits with nftables required coming up with a good approach to avoid spoofed SYN packets counting towards the limits or bypassing the limits by filling the sets. It also required using synproxy to prevent conntrack table exhaustion, but only when needed.
Synproxy uses Linux SipHash-based SYN cookies for stateless establishment of TCP connections, but unlike typical SYN cookies it happens at the firewall layer. On success, it injects an ESTABLISHED state connection into conntrack and spoofs the TCP handshake to the backend server.
Linux SYN cookies rely on TCP timestamps to store full options. If timestamps are disabled as Windows does by default, window scaling and SACK are lost. Not having scaling is horrific (only 65535 bytes in transit at a time). Timestamps are useful so it hurts a bit with them too.
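To make the approach in this thread concrete, here is an added illustrative nftables ruleset; it is not the GrapheneOS/infrastructure configuration the post links to. The service port (443), the limit of 16 established connections per IPv4 address and IPv6 /64, the 1024/second with 128 burst synproxy threshold and the tcp_loose sysctl are assumed values, and it simplifies one of the four cases: connections that synproxy completed are counted on their first data packet rather than on the spoofed SYN sent over loopback.

```nftables
#!/usr/sbin/nft -f
# Added illustration of the approach described in the thread; this is NOT the
# GrapheneOS/infrastructure ruleset. Assumed values: web service on tcp/443,
# 16 established connections per IPv4 address or IPv6 /64, synproxy only for
# SYNs above 1024/s with a 128 packet burst. Also requires the sysctl
# net.netfilter.nf_conntrack_tcp_loose=0 so conntrack never picks up a
# connection mid-stream (cookie ACKs must stay "invalid" to reach synproxy).
flush ruleset

table inet filter {
    # Per-source counts of established connections. Elements are only created
    # by the "established" rules below, so a spoofed SYN flood cannot fill them.
    set conns4 { type ipv4_addr; flags dynamic; size 65536; }
    set conns6 { type ipv6_addr; flags dynamic; size 65536; }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Never create conntrack entries for UDP/ICMP: no inbound state to exhaust.
        meta l4proto { udp, icmp, ipv6-icmp } notrack
        # SYNs below the rate limit are tracked normally; only the excess is made
        # untracked and handed to synproxy, which keeps the conntrack table bounded.
        tcp dport 443 tcp flags & (syn|ack) == syn \
            limit rate over 1024/second burst 128 packets notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept                      # includes the SYNs synproxy spoofs to the backend
        ct mark 1 accept                   # connection already counted: bypass the checks
        ct state established,related ct direction reply accept   # replies to our own traffic
        # Stateless SYN cookies for excess SYNs (untracked) and their cookie ACKs
        # (invalid, no conntrack entry). Only a completed handshake reaches the backend.
        tcp dport 443 ct state invalid,untracked \
            synproxy mss 1460 wscale 7 timestamp sack-perm
        ct state invalid drop
        # First tracked client packet of a completed handshake (the first ACK, or the
        # first data packet of a synproxy-completed connection): count it, reject if over.
        tcp dport 443 ct state established \
            add @conns4 { ip saddr ct count over 16 } reject with tcp reset
        tcp dport 443 ct state established \
            add @conns6 { ip6 saddr & ffff:ffff:ffff:ffff:: ct count over 16 } reject with tcp reset
        tcp dport 443 ct state established ct mark set 1 accept
        # Tracked SYNs below the synproxy rate limit go straight to the backend.
        tcp dport 443 ct state new accept
    }
}
```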
infrastructure/nftables at 7782c861cb560c91813ef6d85374830c3526f61a · GrapheneOS/infrastructure