GrapheneOS v2024012600: Security Enhancements & eSIM Improvements
GrapheneOS is an open-source, privacy and security-focused mobile operating system based on the Android Open Source Project (AOSP).
- "Our latest release provides another enhancement for our protection against firmware-based attacks on devices by forensics companies. This replaces emergency reboots triggered by overheating with regular reboots. We're going to be doing more similar work," announced @GrapheneOS.
- According to GrapheneOS community moderator @final, this release also includes changes with eSIM management:
  - eSIM management no longer requires Sandboxed Google Play;
  - eSIM management binaries are isolated from Google Play services;
  - they no longer make direct connections to Google via Google Play Services to activate eSIMs.
What's new
- isolate eSIM activation app from non-system apps to avoid it sharing data with sandboxed Google Play
- make eSIM activation toggle available without sandboxed Google Play installed (eSIM management no longer requires sandboxed Google Play)
- make the eSIM activation app toggle persistent instead of it being disabled at boot
- remove misleading message about device info being sent to Google before eSIM download
- hardened_malloc: use tag 0 for freed slots instead of reserving a tag to allow using 15 of 16 possible tag values for random tags (there are 3 dynamic exclusions of the random values for the previous tag along with the 2 current or previous adjacent tags)
- Settings: prevent disabling Camera2/CameraX extension provider app (Pixel Camera Services for Pixels) since it breaks apps using CameraX
- kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro): use a normal reboot on overheating instead of an emergency reboot to harden against physical attacks
- kernel: enable reset attack mitigation for UEFI systems supporting it (Tensor Pixels use minimalistic littlekernel-based boot firmware rather than UEFI and the previous Snapdragon Pixels using UEFI didn't implement this but we may need this for future devices)
- kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.208
- kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.147
- kernel (Generic 6.1): update to latest GKI LTS branch revision including update to 6.1.73
- Launcher: disable gradient at the top of the home screen again (change lost with Android 14 QPR1 due to it being reimplemented upstream)
- rewrite HTTPS network time implementation to make it much more maintainable and robust along with providing better debug output via ADB
- Vanadium: update to version 120.0.6099.230.0
- Vanadium: update to version 121.0.6167.71.0
- Vanadium: update to version 121.0.6167.101.0
- Vanadium: update to version 121.0.6167.101.1
- GmsCompatConfig: update to version 93
- Seedvault: update to latest revision (will be replaced with a better backup implementation in the future)
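
The hardened_malloc tagging change in the list above, modelled as an added example (not hardened_malloc's own code and not using real MTE instructions): freed slots carry tag 0, and a new allocation draws from the other 15 tags minus the slot's previous tag and its two neighbours' current or previous tags. The `slab` struct, function names, slab size and caller-supplied random value are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NSLOTS    8     /* constructed slab size for the demo */
#define FREED_TAG 0u    /* tag 0 is what a freed slot carries */

struct slab {
    uint8_t mem_tag[NSLOTS];   /* tag currently on the slot's memory */
    uint8_t last_tag[NSLOTS];  /* last random tag handed out; 0 = never used */
};

/* Bit t set means tag t must not be chosen for slot i. */
static uint16_t exclusion_mask(const struct slab *s, size_t i)
{
    uint16_t mask = 1u << FREED_TAG;                       /* static exclusion */
    mask |= 1u << s->last_tag[i];                          /* slot's previous tag */
    if (i > 0)          mask |= 1u << s->last_tag[i - 1];  /* left neighbour */
    if (i + 1 < NSLOTS) mask |= 1u << s->last_tag[i + 1];  /* right neighbour */
    return mask;
}

/* Pick the (rnd mod n)-th allowed tag; rnd stands in for a hardware RNG. */
static uint8_t slot_alloc(struct slab *s, size_t i, uint32_t rnd)
{
    uint16_t allowed = (uint16_t)~exclusion_mask(s, i);
    unsigned n = 0;
    for (unsigned t = 1; t < 16; t++)
        n += (allowed >> t) & 1u;          /* 12 to 15 candidates remain */
    unsigned k = rnd % n;
    for (unsigned t = 1; t < 16; t++) {
        if (((allowed >> t) & 1u) && k-- == 0) {
            s->mem_tag[i] = s->last_tag[i] = (uint8_t)t;
            return (uint8_t)t;
        }
    }
    return FREED_TAG;                      /* unreachable: n >= 12 */
}

/* After free, a stale pointer's nonzero tag no longer matches the memory tag. */
static void slot_free(struct slab *s, size_t i) { s->mem_tag[i] = FREED_TAG; }

int main(void)
{
    struct slab s = {0};
    uint8_t old = slot_alloc(&s, 3, 7);
    slot_free(&s, 3);
    uint8_t fresh = slot_alloc(&s, 3, 7);
    printf("old tag %u, freed tag %u, new tag %u\n", old, FREED_TAG, fresh);
    return old == fresh;  /* exit 0: the reused slot never gets its old tag back */
}
```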