GrapheneOS version 2025012600 released
Berlino Just installed this build from alpha-channel on P8 and toggling exploit protection compatibility mode doesn't work in private space for any app.
Can't reproduce on a 6a. Could you describe what you mean by "not working"? Such as, does "not working" mean that the toggle doesn't toggle, or that something crashes…?
Are there any plans in a future update to display the list of apps using the Play Integrity API in the settings, as in app exploit protection for example?
Berlino okay just tested. On my 8a it seems to work well
phone-company Let's wait for other P8 owners if it occurs for them or they can reproduce.
WhatsApp uses Play Integrity but works when blocking it.
Does blocking Play Integrity protect privacy in any way? Like does it reveal some private information otherwise?
missing-root No, it doesn't protect privacy in any way. The reason we added a toggle to block it is because some apps send a result to a service and disallow having a non-stock OS but they work fine if it's unavailable such as due to a networking issue and doesn't provide any result. Blocking it resembles what would happen if it couldn't connect to Google's service due to a network issue.
Berlino It's a regression that's being addressed by the next release. This release wasn't moved to Beta because of it. You can work around by launching Settings from the Private Space. It only happens with Settings launched from Owner for apps in a work profile or Private Space.
I like this one, because unfortunately it keeps bothering me...
disable standard Android feature holding a 10 minute screen wake lock after the screen brightness is raised at least 2 times within 5 minutes since this is confusing for users and it's far better if keep awake is done explicitly
Will this then be configurable?
Beerman You can use an app providing a keep awake tile and we could provide a tile for it bundled with the OS.
Everything seems to be running fine on my Pixel 9 Pro, Pixel 9 Pro Fold and Pixel Tablet.
GrapheneOS No, it doesn't protect privacy in any way.
A possibly related question I have. Does hardware-based strong attestation in general, Google Play Integrity specifically, have a unique persistent ID similar to the MediaDRM ID, that can be used by apps and the associated web service to fingerprint that the app is running on the same device as another app, or that the user is the same user as before, even across different profiles? Is this persistent ID changed after a factory reset, or it necessarily needs to be the same because of relying directly on some kind of factory provisioned or factory generated key pair? If it is persistent, are there any plans to block all attestation as well, based on a per-app toggle, similar to the plans for MediaDRM?
ryrona A possibly related question I have. Does hardware-based strong attestation in general, Google Play Integrity specifically, have a unique persistent ID similar to the MediaDRM ID, that can be used by apps and the associated web service to fingerprint that the app is running on the same device as another app, or that the user is the same user as before, even across different profiles? Is this persistent ID changed after a factory reset, or it necessarily needs to be the same because of relying directly on some kind of factory provisioned or factory generated key pair? If it is persistent, are there any plans to block all attestation as well, based on a per-app toggle, similar to the plans for MediaDRM?
Never mind, I could have answered my own question if I had only opened the FAQ page.
From https://grapheneos.org/faq#default-connections:
Initially, attestation signing keys were required to be batch keys provisioned to at least 100k devices to avoid them being used as unique identifiers. Unique attestation signing keys are an optional feature only available to privileged system components. Recent devices have replaced the batch and unique key system with remotely provisioned signing keys. The device obtains encrypted keys from a service to be decrypted by batch or unique keys inside the TEE and optional secure element. The new system improves privacy and security by using separate attestation signing keys for each app instead of needing to balance privacy and security by sharing the same attestation signing keys across a large batch of devices.
So, each app has its own attestation key, and new ones will be provided after a factory reset. So this feature cannot be used for fingerprinting, and is properly decoupled from the factory-provided key pairs, which actually didn't even seem to be device-unique to begin with either.
Sigh, I installed GrapheneOS literally a few hours before this came out (so I have build number 2025011500) and Revolut isn't working. When I tap on the system update, I get "the system is up to date" notification, do I have to reflash everything manually and restore from backup or will the system update on its own later?
LeslieFH What Release channel do you have your device set to? As stated on the GrapheneOS website: "Releases are tested by the developers and are then pushed out via the Alpha channel. The release is then pushed out via the Beta channel shortly afterwards. Finally, the release is then pushed out via the Stable channel after being tested by users using the Beta channel. In some cases, problems are caught during Beta channel testing and a new release is made via the Beta channel to replace the aborted one. In general, it's not possible to downgrade unless a downgrade update package is generated, so use the Stable channel if you cannot tolerate dealing with temporary issues while a new release for the Beta channel is being created."
Right, I have Stable, of course. Thanks a lot, that explains everything.
please add these changes for legacy devices too
t1me Please give https://grapheneos.org/faq#device-support a read.