GrapheneOS version 2026012800 released

GrapheneOS

GrapheneOS version 2026012800 released:

https://grapheneos.org/releases#2026012800

See the linked release notes for a summary of the improvements over the previous release.

Novalissoide

GrapheneOS Installed fine on P6a. The new network location descriptions look good.
And the new 'Precise location' toggle for individual apps! ❤️

Watermelon

indigomadelin CGG I don't expect it to reduce security. In recent months they've talked about changing the secure app spawning feature to more closely mimic Android, so all these banking apps that do these insecure bypassable local checks for signs of a “tampered” device would have one fewer thing to complain about. I believe the change mentioned in the release notes is this.

GrapheneOS What I don't understand is what's the purpose of leaving secure app spawning configurable (increases reliance on persistent state) now that it seems like it's not expected to have compatibility issues anymore. (Thanks for the great work!)

indigomadelin

avoid compatibility issues with apps doing misguided anti-tampering checks by changing the initial call stack for secure app spawning (exec spawning) to match the standard zygote-based spawning

How does it impact security? What was the issue? Do you now use fork instead of exec for some rare cases? I don't quite understand.

CGG

indigomadelin this the same concern I had... Maybe a misunderstanding but this will weaken all implemented protections and raise the attack surface. Or am I wrong?

GrapheneOS

indigomadelin CGG Watermelon The compatibility improvement doesn't reduce security in any way. It changes the initial call stack for exec-based spawning to match zygote-based spawning to avoid apps wrongly detecting app-based spawning as a form of tampering. This only impacted a tiny subset of apps which made it hard for us to find examples of apps doing this in order to test the change. We were able to find a few to develop a solution to the problem.

Chronicos

I've just installed this release but my build number 2026012801, is that correct?

harp

Chronicos That's correct. It's the security preview release which always has a '1' at the end instead of the standard complete opensource release without the security preview patches with a '0' at the end.

Chronicos

harp thanks

Freddy13578

Just downloaded it and now Im able to login into my bank with OTP SMS verification autofill, thx for fixing that and good work.

Novalissoide

Freddy13578 💃💃🏾🕺🏾👯‍♀️🤸🏾‍♂️ The breakthrough is here! ❤️

GrapheneOS Team! 🥰🥳

PhantomRunner

The permissions manager is slow to populate and navigate on my Pixel 6 but not sure if this build caused it. I just went there since the update summary mentioned the permission manager.

muhomorr

@indigomadelin @CGG @Watermelon
The secure app spawning change in this release has no security impact. It's still the same implementation as before, it's just invoked in a slightly different way. Here's the change itself: https://github.com/GrapheneOS/platform_frameworks_base/commit/8209fe0ab30eaf097c380bb373bc6433b29c3556

CGG

muhomorr great answer! Thank you so much! Thanks! Looking at the code you brilliantly provide to us, for what I could understand when the process that has some restriction starts the zygote method that is called in a attempt to fulfil the request imposed by the process/app... After it passed it come back to the normal path of execution which appspawn is reinforced. If I'm right in this analysis you are 10000% correct! And... Those guys at graphene are genius! Great move great trick!

Watermelon

muhomorr GrapheneOS GrapheneOS Thanks for answering, but I wasn't saying your recent change reduces security. What I meant to ask is why leave the secure app spawning a configurable option that the user can enable/disable, which also means the OS relies more on persistent state, now that the feature no longer seems to have a compatibility issue observable by Android apps? Why give a configuration instead of force-enabling it? As far as I can see, only the Pixel 6a has 6GB of RAM, and all other supported Pixels have at least 8GB of RAM. If RAM capacity was the concern when the feature was introduced, is it still a concern? Maybe leave it configurable for 6a users, and force-enable it for everyone else? Thanks

GrapheneOS

CGG No, we changed how exec-based spawning is implemented to more closely resemble zygote-based spawning. Apps can no longer see a difference if they check the initial call stack as a misguided way to detect tampering. It's not about restrictions but rather how apps are spawned. It just tweaks how it works to avoid apps being able to see a difference in the call stack.

Pocketstar

Amazing work, thank you!
2026012801 is functioning well on my P6a, P7, Pixel Tablet and P9Pxl thus far.
I have not tested play services and cellular connections on any of my devices.

Eirikr70

P6a here. Working fine as usual!

xxx

Working fine on P6 & P9.
Kudos to the GrapheneOS Team.

CGG

GrapheneOS perfect. Thanks for the great and clear explanation. Best regards.

Tandara

Watermelon If I remember correctly, there is a problem with some apps that can't save their state in memory with secure sp on (as reported by some users). I experience this issue as well when I return to the recently opened app and it's fully reset (despite having enough RAM), but I refuse to turn it off.