fid02 Yes, sure. There is a remote possibility the VPN app was malfunctioning, since it also sets those two options to enabled at install time. But it makes no sense, really.

    hardballs There is a remote possibility the VPN app was malfunctioning, since it also sets those two options to enabled at install time.

    https://grapheneos.org/features#other-features

    This is an incomplete list of other GrapheneOS features.
    […]

    • Enable the "Always-on VPN" and "Block connections without VPN" toggles for VPNs by default.

      fid02 Many thanks for the info. Well then... I'm ready to go on and see it as an error during "app optimisation", switching system language for the profile and switching profiles simultaneously. Now I need to look up and verify the last two OS updates on my phone. Probably using Auditor... or adb.

        hardballs Auditor says pinned OS patch level is 2024-07, vendor and boot patch level is 2024-07-05. Possible to get more info on the individual updates?

          hardballs Possible to get more info on the individual updates?

          You can check https://grapheneos.org/releases#changelog. You can also find information about releases in the Info app, which is a recent addition to GrapheneOS.

          You can see which release you're on by going to Settings > About phone. You'll find the release under "build number".

            other8026 Thank you for mentioning the Info app. It looks like it shows the release notes of installed updates. I will trust that the updates are hard to tamper with. (The web installer was impressive...)

              hardballs You only ever get updated to the latest release in the channel. It installs one update. In the general case, it downloads the entire latest OS release as an update package and installs it. There are delta updates from the past several weeks of releases which provide only the block-level firmware and OS image changes between the release you were on and the latest release so you only download the differences unless you fall more than around 2-4 weeks behind. We usually provide deltas going back around 3 weeks, so you end up downloading 2MB to 80MB instead of 1GB. Every user has bit-for-bit identical firmware and OS images, which are verified cryptographically with downgrade protection.

              hardballs We build and sign on local workstations, not servers. The update servers aren't capable of making and serving a malicious update. The signing keys aren't available to them. The update client verifies the update package signature and the build date must be newer than the currently installed OS version. The low-level update system verifies the update payload inside of the update package and checks that the build date is equal or newer. Verified boot verifies all the firmware and OS images, which is why the initial install has you lock the device, and has downgrade protection itself, which is based on the patch level for the OS and firmware anti-rollback versions for the SoC and secure element firmware. Once the new version successfully boots up to the main screen, it disables automatic rollback on boot failure and updates the verified boot rollback protection to prevent downgrade attacks.
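The layered downgrade checks described in the last post, as a simplified model added here for illustration (not GrapheneOS code and not part of the thread). All names are hypothetical, build dates are constructed integers, the signature check is reduced to a boolean, and the separate OS patch level and firmware anti-rollback versions are collapsed into one `rollback_index`.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    installed_build: int                  # build date of the running OS
    rollback_index: int                   # oldest build verified boot will accept
    pending_build: Optional[int] = None   # update staged but not yet booted

def client_accepts(dev, pkg_build, signature_ok):
    # Update client: valid package signature AND a strictly newer build date.
    return signature_ok and pkg_build > dev.installed_build

def payload_accepts(dev, payload_build):
    # Low-level update system: payload build date must be equal or newer.
    return payload_build >= dev.installed_build

def verified_boot_accepts(dev, image_build):
    # Verified boot refuses images older than the stored rollback index.
    return image_build >= dev.rollback_index

def install(dev, pkg_build, signature_ok=True):
    if not client_accepts(dev, pkg_build, signature_ok):
        return "rejected: update client"
    if not payload_accepts(dev, pkg_build):
        return "rejected: payload check"
    dev.pending_build = pkg_build
    return "staged"

def boot(dev, boots_ok):
    if dev.pending_build is None:
        return "no pending update"
    new, dev.pending_build = dev.pending_build, None
    if not verified_boot_accepts(dev, new):
        return "rejected: verified boot"
    if not boots_ok:
        # The rollback index was not advanced, so the previous release still boots.
        return "rolled back"
    # Only after a successful boot is the downgrade floor raised.
    dev.installed_build = dev.rollback_index = new
    return "committed"

if __name__ == "__main__":
    dev = Device(installed_build=2024070500, rollback_index=2024070500)  # constructed
    print(install(dev, 2024062000))                      # replayed older release
    print(install(dev, 2024072000), boot(dev, False))    # new release fails to boot
    print(install(dev, 2024072000), boot(dev, True))     # new release boots
    print(verified_boot_accepts(dev, 2024070500))        # previous release afterwards
```

The point the model makes visible is the ordering: the rollback floor moves only after the new release has booted, so a failed update can fall back to the previous release, while the same previous release is refused once the update is committed.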