Overlay1404 But if you're already using the device for quite some time, and you suddenly get an error like posted by OP, your first thought will not be that the device is not supported any longer. IMHO good and expressive error messages are always a good thing.

    trogmaniac I think you are disregarding what it means for a device to be end of life. It's not supported anymore; you shouldn't expect GrapheneOS to have to remind you that things on a device they don't support and don't recommend using might have issues.

    It's not like this model was recently supported. It's been end of life for some time.

    de0u I believe the last release of GrapheneOS for the 3A XL was August 18, 2022.

    Anyone able to give more context around how the device is unsafe? I believe this is threat-model dependent so we don't immediately need to throw our devices in the bin, but more information on specific exploits and potential attackers exploiting these would be great.

      Overlay1404 There doesn't appear to be anything world ending based on my use but if anyone knows of super significant exploitable issues it'd be great to hear them.

      @wovensash There are a huge number of unpatched, critical severity exploitable issues for end-of-life devices particularly 3rd generation Pixels which have been end-of-life for around 2 years now. That means they're missing 2 years of important privacy and security patches regardless of which OS you run on them. Due to our extended support releases, they did receive partial security patches past their end-of-life providing the subset of AOSP patches backported to the older releases but not firmware and most driver or other device support code patches outside the scope of AOSP.

      GrapheneOS has made it clear that they're end-of-life and that the extended support we provided for a long time did not make them secure. The patch level that's set in Settings > About phone for them is accurately set to the last obtainable patch level rather than inaccurately increasing it in the extended support updates they received. Many of the unpatched vulnerabilities are actively exploited in the wild. Many have proof of concepts publicly available. It's not something where your threat model is relevant.

      Spreading misinformation encouraging people to use highly insecure end-of-life devices with no option for decent privacy and security is against the rules and will be taken very seriously as something which is incredibly harmful to people misled by it. It's not hard to look at the Android Security Bulletins and Pixel Security Bulletins from the past 2 years and see all the High/Critical severity patches you're missing, including many firmware and driver patches unavailable via an alternate OS based on the latest AOSP. GrapheneOS is not intended to be a highly insecure OS on highly insecure devices, so we phase out end-of-life devices after harm reduction extended support releases. Extended support releases are highly insecure and exist for harm reduction. Our extended support releases are a better option than anything else available until they stop, but they shouldn't be used. The main form of harm reduction they provide is stopping people moving to an OS with a fake patch level which misleads users about the provided patches, downplays the importance of the missing patches and misleads them about the fact that decent privacy/security can't be achieved without them.

      We provide extended support for the flagship devices which had 3 years of support from launch to provide harm reduction until they're around 4 years old. We may provide legacy extended support until they're around 5 years old. The mid-range devices launched later but share a platform generation so it's not as long for them.

      Pixel 6 and later have 5 years of support from launch so it has obsoleted our extended support approach. Pixel 8 and later have 7 years of support from launch, so even a 3 year old used Pixel 8 will still have 4 years of support remaining. Extended support was a stopgap that has been replaced.

        de0u Legacy extended support releases aren't listed in the changelog. You can see this for the Pixel 4, Pixel 4 XL and Pixel 4a which currently receive legacy extended support releases but are not listed because they're based on a legacy branch of GrapheneOS for providing partial security patches to end-of-life devices.

        Extended support releases are listed and provide partial security patches to end-of-life devices which are on the latest version of GrapheneOS. The Pixel 4a (5G) and Pixel 5 are the current legacy extended support devices. Pixel 5a will become a legacy extended support device after August.

        Pixel 6 and later have 5 years rather than 3 years of support from launch which we've deemed adequate enough to avoid needing extended support moving forward. Pixel 5a will be the last device with extended support releases. Pixel 8 and later have 7 years of support from launch.

          trogmaniac It's an around 2-year-old OS release and therefore isn't going to have any improvements such as adding an end-of-life warning. The error from failing to check for updates was intentionally introduced by removing the metadata files for them a while after we had ended legacy extended support. Pixel 3 and Pixel 3 XL had been end-of-life and receiving partial security patches via extended support for a long time before then. We do intend to provide clear notifications about end-of-life devices in the future as soon as they enter extended support, instead of relying on users reading the release notes covering extended support devices or noticing the devices are no longer officially supported (legacy extended support) and don't get the current releases anymore. It should be abundantly clear that 3rd gen devices have been end-of-life for ages, and we purposely caused those OS update errors as a blatant signal that it was way past time to stop using them.

          The Vanadium update error from the addition of the configuration APK for ad blocking wasn't intended and will be resolved. Vanadium isn't really meant to support those old OS releases anymore but our attempt at dropping support for them caused issues due to incompatibilities in the Chromium resource optimization code with having a higher minimum API level.

          wovensash Pixel 3a has been end-of-life since after May 2022. The real final call to replace it was during May 2022, before it missed the first security patch in June 2022. It's approaching 2 years since that end-of-life date. We provided extended support until Android 13 in August 2022 and then legacy extended support based on a legacy Android 12 branch for a bit longer. That's far more than Google provided, especially for the Pixel 3 and Pixel 3 XL. However, we aren't sure if providing extended support has been a good idea or not since it encourages people to use increasingly insecure devices they should replace before end-of-life. We purposely broke checking for OS updates on those devices after ending legacy extended support as a further form of warning to users. Not clear what else we could be expected to do. If we added more warnings as @trogmaniac suggests, people would have disabled those just as they disabled the OS update error. If we prevented disabling it, we'd have gotten complaints about that. People simply need to replace end-of-life devices. The extended support concept is ending after the Pixel 5a so there's little point fretting about the details since it will be over soon enough.

          GrapheneOS Thanks for the detailed responses, but would there be any chance of providing actual examples of exploits with PoCs that we could be targets of? Or perhaps even just one example?


            GrapheneOS Legacy extended support releases aren't listed in the changelog [...] Extended support releases are listed [...]

            Got it. Thanks!

            @trogmaniac @wovensash the issue has now been resolved, and the Apps app updated Vanadium successfully on one of my old 3a devices that I keep for testing this.

            wovensash Thanks for the detailed responses, but would there be any chance of providing actual examples of exploits with PoCs that we could be targets of? Or perhaps even just one example?

            While there may be people investigating AOSP patches and even Google firmware patches, and turning them into exploits for unpatched devices, including EOL devices, there is a structural reason why those people are not likely to post details here.

            Since Google has dropped support for the old devices, and the patches have been issued to new devices, developing exploits isn't going to result in a reward from a legitimate bounty program. However, such an exploit may well be monetizable through darknet forums for use by criminal gangs.

            All in all, if somebody does have nicely packaged exploits targeting old Android/AOSP/GrapheneOS variants, or targeting Pixel 3A XL firmware, they may not be motivated to provide the sort of helpful counsel you are seeking. And if some forensics researcher finds a 3A XL that has been exploited, it probably isn't news, since the device is EOL and is firmly expected to be unsafe.

            If you are unhappy junking a working device (this is a reasonable position!) and are willing to accept an elevated level of risk compared to a current Android and current firmware, it appears that DivestOS has some support for the 3A XL: https://divestos.org/pages/devices#device-bonito. As time goes by, a frozen out-of-date GrapheneOS may become less secure than a somewhat-updated DivestOS, though it's not really possible to assign numerical scores.