GrapheneOS

Brother

GrapheneOS 2024011300 has been released. GrapheneOS is a secure mobile platform based on a fork of the Android codebase (AOSP, Android Open Source Project), extended and modified to harden security and protect privacy. The project was previously developed under the name AndroidHardening, and before that it split off from the CopperheadOS project after a conflict between its founders. GrapheneOS officially supports most current Google Pixel devices (Pixel 4/5/6/7/8, Pixel Fold, Pixel Tablet). The project's code is distributed under the MIT license.

GrapheneOS includes many experimental technologies aimed at strengthening application isolation, granular access control, blocking the effects of common vulnerabilities and complicating the work of exploits. For example, the platform uses its own malloc implementation and a modified libc with protection against memory corruption, as well as stricter partitioning of the process address space. Instead of JIT, the Android Runtime uses only AOT (ahead-of-time) compilation. The Linux kernel includes many additional protection mechanisms, such as canary tags in the slub allocator to block buffer overflows. SELinux and seccomp-bpf are used to strengthen application isolation.

It is possible to grant access to network operations, sensors, the address book and peripheral devices (USB, camera) only to selected applications. Reading from the clipboard is only allowed for the application that currently has input focus. By default, obtaining the IMEI, MAC address, SIM card serial number and other hardware identifiers is prohibited. Additional measures have been taken to isolate Wi-Fi- and Bluetooth-related processes and prevent leaks from wireless activity. Many of the security enhancements developed by the project have been merged into the main Android codebase.

GrapheneOS uses cryptographic verification of boot components and advanced data encryption at the file system level in ext4 and f2fs (file contents are encrypted with AES-256-XTS and file names with AES-256-CTS, with HKDF-SHA512 used to derive a separate key for each file) rather than at the block device level. Data in the system partitions and in each user profile is encrypted with different keys. Available hardware capabilities are used to speed up encryption operations. The lock screen shows an end-session button which, when pressed, discards the decryption keys and puts the storage into an inactive state. There is a setting that prevents the installation of additional applications for selected user profiles. To protect against password guessing, a system of delays is used that depends on the number of failed attempts (from 30 seconds to 1 day).

GrapheneOS fundamentally does not include Google applications and services, nor alternative implementations of Google services such as microG. At the same time, it is possible to install Google Play services in a separate isolated environment that has no special privileges. The project also develops several of its own applications focused on information security and privacy. For example, it offers the Chromium-based Vanadium browser and a modified version of the WebView engine, a secure PDF viewer, a firewall, an Auditor application for device verification and intrusion detection, a privacy-focused camera application, and an encrypted backup system called Seedvault.

Among the changes in the new version:

• The implementation of the automatic reboot mechanism has been completely redesigned: it now uses a timer in the init process rather than in the system_server process, which improves security and eliminates the reboot of a device that has never been unlocked. The automatic reboot time has been reduced from 72 to 18 hours. The main idea of the automatic reboot is to return activated (decrypted) partitions with user data to their original undecrypted state after a certain period of inactivity.

User profile data is encrypted after the device is restarted and is decrypted only after the user enters the login password. If the user has not unlocked the activated session for more than 18 hours, the device will be automatically rebooted (the timeout can be changed in Settings > Security > Auto reboot) to prevent the analysis of keys remaining in memory if the device falls into the wrong hands.

To demonstrate the need for an automatic reboot feature, the GrapheneOS developers cited recently discovered vulnerabilities in Google Pixel and Samsung Galaxy smartphones that allow forensics companies to spy on users and extract data while the device is in an activated state (when the session is active and the data is decrypted).

• Added a log viewer (Settings > System > View logs), which makes it easier to diagnose emerging problems and prepare bug reports.

• The interface for sending crash reports has been redesigned.

• Added support for the Pixel Camera Service to adevtool, allowing night mode to be used in applications on Pixel 6 and newer smartphones.

• adevtool has dropped support for devices that are not supported by Android 14.

• Notifications are now shown when the memory corruption detector in malloc is triggered.

• Sysrq support has been disabled in the Linux kernel.

• The Linux kernel has been updated to the latest GKI (Generic Kernel Image) release 5.10.206 for Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet and Pixel Fold, and to 5.15.145 for the Pixel 8 and Pixel 8 Pro. Additionally, builds with kernel 6.1.69 have been prepared.

• Vanadium browser has been updated to Chromium 120.0.6099.210.0 codebase.
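The post above describes a key hierarchy (a master key per user profile, a separate HKDF-SHA512-derived key per file) and two ways of discarding it (the end-session button and the auto-reboot). The following Python is an added illustration of that hierarchy and is not code from the post or from GrapheneOS; it uses only the standard library and implements HKDF by hand from RFC 5869. The "info" layout (a "fscrypt\0" prefix, a context byte and a 16-byte per-file nonce), the unsalted extract step, and the class and function names are assumptions loosely modelled on Linux fscrypt v2, not something the post states; the AES-256-XTS/CTS step that would consume the derived keys is not shown.

```python
"""Per-profile master key -> per-file key via HKDF-SHA512, with key eviction.
Added example (not GrapheneOS code). Layout of the HKDF info field is an
assumption loosely modelled on Linux fscrypt v2."""
import hashlib
import hmac
import secrets


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha512") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt = HashLen zeros."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    """RFC 5869 step 2: OKM = T(1) || T(2) || ..., T(i) = HMAC(PRK, T(i-1)||info||i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested key material too long")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


# ASSUMED info layout: prefix || context byte || per-file nonce.
HKDF_PREFIX = b"fscrypt\x00"
CTX_PER_FILE_KEY = 2   # assumed context value for "one AES-256 key per file"
NONCE_LEN = 16


class ProfileKeyring:
    """Holds one 64-byte master key for one user profile while it is unlocked.
    Derived keys are what AES-256-XTS (contents) / AES-256-CTS (names) would use."""

    def __init__(self, master_key: bytes):
        if len(master_key) != 64:
            raise ValueError("master key must be 64 bytes")
        self._master = bytearray(master_key)
        self.unlocked = True

    def derive_file_key(self, file_nonce: bytes) -> bytes:
        """Deterministic: the same file key comes back after re-unlock; different
        nonces (files) or different master keys (profiles) give unrelated keys."""
        if not self.unlocked:
            raise PermissionError("profile is locked: keys were evicted")
        if len(file_nonce) != NONCE_LEN:
            raise ValueError("file nonce must be 16 bytes")
        info = HKDF_PREFIX + bytes([CTX_PER_FILE_KEY]) + file_nonce
        return hkdf(bytes(self._master), b"", info, 32)   # unsalted extract (assumed)

    def end_session(self) -> None:
        """End-session button / auto-reboot: wipe the master key from memory so
        nothing can be derived until the user unlocks the profile again."""
        for i in range(len(self._master)):
            self._master[i] = 0
        self.unlocked = False


def new_master_key() -> bytes:
    # Constructed input: a real system unwraps this from the secure element
    # after verifying the credential; here it is just random bytes.
    return secrets.token_bytes(64)


def demo() -> str:
    owner, work = ProfileKeyring(new_master_key()), ProfileKeyring(new_master_key())
    nonce_a, nonce_b = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN)
    k_a, k_b, k_other = owner.derive_file_key(nonce_a), owner.derive_file_key(nonce_b), work.derive_file_key(nonce_a)
    assert k_a != k_b and k_a != k_other            # per-file and per-profile separation
    assert k_a == owner.derive_file_key(nonce_a)    # re-derivable while unlocked
    owner.end_session()
    try:
        owner.derive_file_key(nonce_a)
    except PermissionError:
        return "keys evicted"
    return "BUG: key still derivable after end_session"


if __name__ == "__main__":
    print(demo())
```

The generic `hkdf()` can be checked against the RFC 5869 SHA-256 test vectors, which is the only way to trust a hand-rolled HKDF before pointing it at real keys. Note what the model does and does not capture: after `end_session()` the derived keys are unrecoverable only because the master key is gone, which is exactly why the post stresses wiping keys from memory (reboot) rather than merely locking the screen.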
 

Tomcat

In the next update of the secure mobile platform, GrapheneOS 2024053100, a function for emergency blocking of the data on the device has been added. The user is given the option to set an additional password and PIN code; entering it clears all keys in hardware storage, including the keys used to encrypt data on the drive, clears the eSIM and reboots the device. Thus, if pressure is put on the user or there is a threat that the smartphone will fall into the wrong hands, the device owner can enter the destructive PIN and block the data without any possibility of restoring access.
 