GrapheneOS security preview releases

architekt

GrapheneOS (...) We recommend enabling this.

(...) You can enable security preview releases via Settings > System > System update > Receive security preview releases

I'm on the most recent (stable) version but don't see that option?

de0u

architekt I'm on the most recent (stable) version but don't see that option?

What is the build number of the release on the device? That is the most reliable way to know whether or not a device is running the most recent version.

architekt

de0u my bad I missed an update as it seems the previous install failed, after rebooting the option is now available

linuxaki88

GrapheneOS
So GrapheneOS team can audit the code to see if something is "suspicious" and then implement it and forward it to security preview realeses! I'm saying that because of previous comments suggest that google can include some "spy" code!

ElliesSurviving

linuxaki88 google wouldn't be able to do that, the patches are given in source to GrapheneOS who build binary patches to be installed on devices where its been enabled, the code just cannot be released to the public as of now

workeronthewalls

ElliesSurviving Then how can you tell that the apparently more secure version of GrapheneOS with the latest security patches that is not open source for the end user because of that embargo, isn't an intelligence agency putting a backdoor in it? That's the point of it being open source, so you can look for yourself and verify.

phospmph

GrapheneOS developers have found that Samsung ships a subset of source code-embargoed security patches to their flagship devices in the October release (https://grapheneos.social/@GrapheneOS/115344790504052163).

Pixels on the Stock OS may be doing the same. This is hinted by the report that using ADB to force enable VoLTE no longer works with October Stock OS update, which should be caused by a relevant security patch (https://github.com/kyujin-cho/pixel-volte-patch/issues/384).

GrapheneOS

phospmph We've now edited the initial post to include the thread we posted about Samsung. We posted about that mainly to show an example of another OEM which recently started shipping the patches early, although they're shipping a small subset instead of all of them as we are.

GrapheneOS

workeronthewalls Due to reproducible builds, people can compare the regular releases to the security preview releases and fairly easily identify the code the patches change. The changes can then be understood from the compiled code. Source code still requires significant work to fully understand too. GrapheneOS has been around in 2014 providing what we do. People can choose whether they want to trust us to provide the security preview patches early before they're available elsewhere or if they want to use the regular releases. Samsung is shipping a small subset of the patches early, but not the majority. Other OEMs can also start shipping patches early. If we didn't offer this, we'd be doing worse than Samsung shipping a small subset early. We would prefer a 1 week or lower embargo time but that's not the way the rest of the software world does these things. 90 days to fixing an issue after it being reported is regarded as very good by most of the industry despite how long that is and many companies / open source projects miss those 90 day deadlines for Project Zero, etc.

workeronthewalls

GrapheneOS Due to reproducible builds, people can compare the regular releases to the security preview releases and fairly easily identify the code the patches change. The changes can then be understood from the compiled code. Source code still requires significant work to fully understand too.

Just for my understanding: How fast can say one or two programmers reverse engineer the change completely? Is this done rather quick or do you need to work with many people on it for many weeks if not months to accomplish this?

ryrona

workeronthewalls Just for my understanding: How fast can say one or two programmers reverse engineer the change completely? Is this done rather quick or do you need to work with many people on it for many weeks if not months to accomplish this?

This is basically how it is done: Take the two releases 2025100900 and 2025100901, ie without and with the embargoed patches. Download them GrapheneOS website, and unpack both of them, all layers down to where you only have all the individual files in what is going to be the file system if they were installed and run. Delete all files that are the same between the two builds. This can be done automatically with a simple script. Most files will be the same thanks to reproducible builds. In fact all binaries for which there is no patch applied should be the same, as the source that was compiled will also be the same. So the fact that GrapheneOS is reproducibly built is massively going to help us here. After that, I expect only a few binaries to be left, probably the ones corresponding to the Android base framework packages and just some other. Most of these are going to be Java/Kotlin code, so they are only byte-code compiled. This means you can decompile them back to source code easily. Many function and variable names might be missing from the decompiled source code, but decompiling byte-code often gives very clean code that has a very high correspondence with the actual source code, since most aggressive optimizations are done by the JIT or AOT compiler at runtime instead, not when compiling down to byte code. If you diff the decompiled source code for one binary from the 2025100900 release with the decompiled source code for the same binary in the 2025100901 release, you will probably get what is all the patches applied for that binary, and nothing more, or only very little noise. Some binaries will be C/C++ code however, and those will be way way harder to decompile. Since they are not bytecode, they have already been compiled down to optimized machine instructions. The compiler, probably LLVM, can do vastly different optimization decisions with regard to inlining functions or pulling in more static library helper code and so on based on fairly small changes to the actual source. This means that diffing the decompiled source code for each might result in a lot of noise in terms of added and removed whole functions, rearranged code, and much more. Even if you can locate the actual function that has some actually patched code, the decompiled source code might be quite different between the two versions, so extracting a corresponding patch file might be a bit tricky.

So, for someone experienced, I would expect extracting the patches that are for Java/Kotlin code will take about a day, maybe a week or two if you lack prior experience. But extracting the patches that are for C/C++ code will take way longer and require way more expertise. Of course, once the patches are extracted, one might want to understand what they do too, so that requires some analysis. But for someone with experience, they can probably figure out what each patch do and that is is a valid security fix by spending an hour per patch I guess. Some may be way easier, some may be way harder.

In theory, you don't have to understand the patches though to fork GrapheneOS and add them to the source code repositories in your fork. Just repeat the same changes in the actual source code as is shown in the diff of the decompiled source code.

indigomadelin

Currently, there are two releases: 20251009_00 and 20251009_01. The version ending in 00 does not include ASB, while 01 includes it. Previously, versions such as 20241207_00, 20241207_01, and 20241207_02 were used, with 01 and 02 serving as quick workarounds when certain functionalities were broken in the 00 version. Does the new naming convention conflict with this previous practice? If a fix is needed exclusively for the ASB-featured release, would it be named 20251009_02?

Stephan-P

indigomadelin I'd assume that any next release, be it a fix of something or some new development, will likely receive just a new current date

GrapheneOS

indigomadelin There's no conflict, we would just call the new regular release 2025100902 and the new security preview release 2025100903 if they were done on the same day as 2025100900 and 2025100901. If it was done the next day, it would be a different version number already. This just means the regular releases are now even numbered and the security preview releases are odd numbered. In practice, we wouldn't normally have time to build and test 4 releases for each device in a day so that wouldn't come up without much better build hardware and faster procedures for doing other things.

SimonD

Is there a tutorial on how to reproducible build GrapheneOS and compare it to an already built image?

wizoatk

SimonD

Here's a start:

https://grapheneos.org/build#reproducible-builds

GOS21606

I have installed 2025100901 and toggled the switch security preview release off.

Is this possible to switch between the regular version and de security preview release, I mean do future ¨normal" releases overwrite the security previous release files?

wizoatk

GOS21606 I mean do future ¨normal" releases overwrite the security previous release files?

Yes, that's how it works.

GrapheneOS

GOS21606 You'll receive the regular non-security-preview release when the next release comes out. The security preview releases have a 1 second newer build date than the regular releases so you can't go back to the regular release from the security preview release made alongside it, but you can switch to the next regular release.

hanwp

Is it working on pixel 6a? I did not have any information prompt, but when I enable it manually and hit check for updates, it downloads an update, reboots, but security bulletin data looks to be the same. When I check for an update again manually, system is rerunning the update again. Something went wrong?

Ammako

Thanks for the writeup. I imagine the security team at Google are probably very frustrated about the 3-month delay too.

hanwp mine did that too, but after the second time, it updated correctly.

Visionary8747

GrapheneOS I just want to say God bless whoever made this grapheneOS possible because it changed my life. I feel like I have control over my phone. Thank you honestly

wizoatk

Visionary8747 whoever made this grapheneOS possible

The following may be of interest to you:

https://grapheneos.org/history/

« Previous Page Next Page »