GrapheneOS version 2025012600 released

GrapheneOS

GrapheneOS version 2025012600 released:

https://grapheneos.org/releases#2025012600

See the linked release notes for a summary of the improvements over the previous release.

newbie24689

GrapheneOS
Dang.... Thank You Guys!

It warms the heart to see your attention to hardened_malloc/libdivide and Sandboxed Google Play.

Stewart

Some things have to be activated manually or everything is automatic

GrapheneOS

Stewart The new workarounds for apps banning GrapheneOS are always enabled. No need to enable them. There's a new Play Integrity API notification which tells you when apps use it. Apps can use it without using the result to ban using a non-stock OS so it doesn't imply anything is going to be broken when the notification is shown. There's a new per-app menu for configuring the Play Integrity API linked from that notification with the option to block it in case the service allows using it without giving a Play Integrity API result. Most services will require giving a result, but a small number of apps will likely become usable via blocking it based on the service not enforcing providing a result.

Stewart

I've got DeepL sending me a notification to tell me that it's using the Play Integrity APIs. What would be the best practice in this kind of case?
https://postimg.cc/bDF4Xcjp

GrapheneOS

Stewart If it works fine, you can simply hide the notification. It means there's a high chance the app is going to ban using a non-stock OS in the future. If it works fine right now, it likely means they're only enforcing basic integrity rather than Google certification via device/strong integrity.

Stewart

Top thanks for the explanations, as usual, well done to the GOS team for this update.

phone-company

Just installed on my Pixel 8a. All is running fine untill now

Berlino

Just installed this build from alpha-channel on P8 and toggling exploit protection compatibility mode doesn't work in private space for any app.

fid02

Berlino Just installed this build from alpha-channel on P8 and toggling exploit protection compatibility mode doesn't work in private space for any app.

Can't reproduce on a 6a. Could you describe what you mean by "not working"? Such as, does "not working" mean that the toggle doesn't toggle, or that something crashes…?

GrapheneOS

Berlino It's a regression that's being addressed by the next release. This release wasn't moved to Beta because of it. You can work around by launching Settings from the Private Space. It only happens with Settings launched from Owner for apps in a work profile or Private Space.

Berlino

fid02
When toggling the compatibility mode, a dialog pops up for cancellation or proceeding. Hitting proceed doesn't toggle to 'on'-position. This only hapoens in Private Space for me.

phone-company

Berlino okay just tested. On my 8a it seems to work well

Stewart

Are there any plans in a future update to display the list of apps using the Play Integrity API in the settings, as in app exploit protection for example?

doodle

Stewart there is a list available. click the notification, I was able to find a list of apps that ever used Play Integrity.

Berlino

phone-company
Let's wait for other P8 owners if it occurs for them or they can reproduce.

missing-root

Whatsapp uses Play Integrity but works when blocking it.

Does blocking Play Integrity protect privacy in any way? Like does it reveal some private information otherwise?

GrapheneOS

missing-root No, it doesn't protect privacy in any way. The reason we added a toggle to block it is because some apps send a result to a service and disallow having a non-stock OS but they work fine if it's unavailable such as due to a networking issue and doesn't provide any result. Blocking it resembles what would happen if it couldn't connect to Google's service due to a network issue.

ryrona

GrapheneOS No, it doesn't protect privacy in any way.

A possibly related question I have. Does hardware-based strong attestation in general, Google Play Integrity specifically, have a unique persistent ID similar to the MediaDRM ID, that can be used by apps and the associated web service to fingerprint that the app is running on the same device as another app, or that the user is the same user as before, even across different profiles? Is this persistent ID changed after a factory reset, or it necessarily needs to be the same because of relying directly on some kind of factory provisioned or factory generated key pair? If it is persistent, are there any plans to block all attestation as well, based on a per-app toggle, similar to the plans for MediaDRM?

Beerman

I like this one. because unfortunately it keeps bothering me...

disable standard Android feature holding a 10 minute screen wake lock after the screen brightness is raised at least 2 times within 5 minutes since this is confusing for users and it's far better if keep awake is done explicitly

Will this then be configurable?

GrapheneOS

Beerman You can use an app providing a keep awake tile and we could provide a tile for it bundled with the OS.