GrapheneOS Secure Android Platform Update: January 2024 Release Highlights

GrapheneOS Secure Android Platform Update Released

The latest release of the secure mobile platform, GrapheneOS 2024011300, is now available. GrapheneOS is a security- and privacy-focused fork of the Android Open Source Project (AOSP), featuring extensive enhancements and modifications. The project was previously known as AndroidHardening and originally branched from CopperheadOS after a dispute among its founders. GrapheneOS officially supports most current Google Pixel devices (Pixel 4/5/6/7/8, Pixel Fold, Pixel Tablet) and is distributed under the MIT license.

Key Security and Privacy Features

  • GrapheneOS incorporates many experimental technologies to strengthen app isolation, provide granular access control, block common vulnerabilities, and make exploitation more difficult.
  • It uses a custom implementation of malloc and a modified libc with memory corruption protection, as well as stricter process address space separation.
  • Android Runtime uses only ahead-of-time (AOT) compilation instead of JIT.
  • The Linux kernel includes additional security mechanisms, such as canaries in the SLUB allocator to prevent buffer overflows.
  • App isolation is further enhanced with SELinux and seccomp-bpf.
  • Access to network operations, sensors, contacts, and peripherals (USB, camera) can be granted only to selected apps.
  • Clipboard reading is allowed only for the app currently in focus.
  • By default, access to IMEI, MAC address, SIM serial number, and other hardware identifiers is blocked.
  • Extra measures are in place to isolate Wi-Fi and Bluetooth processes and prevent data leaks from wireless activity.
  • Many security mechanisms developed by the project have been integrated into the main Android codebase.

Advanced Encryption and Data Protection

  • GrapheneOS uses cryptographic verification for downloaded components and advanced file system-level encryption for ext4 and f2fs (data is encrypted with AES-256-XTS, file names with AES-256-CTS, and a unique key for each file is generated using HKDF-SHA512).
  • System partitions and each user profile are encrypted with separate keys, and available hardware features are used to accelerate encryption operations.
  • The lock screen features a session end button, which, when pressed, wipes decryption keys and deactivates storage.
  • There is an option to block the installation of additional apps for selected user profiles.
  • To protect against password guessing, a delay system is used, with wait times ranging from 30 seconds to 1 day depending on the number of failed attempts.
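
The per-file key derivation named in the encryption bullet above, as an added example that is not GrapheneOS or kernel code: HKDF-SHA512 (RFC 5869), built from the Python standard library, derives a distinct 64-byte AES-256-XTS key for each file from one master key. The info layout (label, context byte, 16-byte nonce) is an assumption modelled on Linux fscrypt v2 policies, and the master key and nonces are constructed sample values.

```python
import hashlib
import hmac

HASH = hashlib.sha512
HASH_LEN = HASH().digest_size  # 64 bytes for SHA-512


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# Assumed info layout (not given on this page): fixed label, one context byte,
# then the random 16-byte nonce stored with each file.
LABEL = b"fscrypt\x00"
CTX_PER_FILE_ENC_KEY = 2  # assumed context value for per-file encryption keys


def per_file_key(master_key: bytes, nonce: bytes, length: int = 64) -> bytes:
    """Derive one file's key; 64 bytes covers the two 256-bit halves of an AES-256-XTS key."""
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    prk = hkdf_extract(b"", master_key)
    return hkdf_expand(prk, LABEL + bytes([CTX_PER_FILE_ENC_KEY]) + nonce, length)


def demo() -> dict:
    master = bytes(range(64))                  # constructed sample master key
    nonce_a, nonce_b = b"A" * 16, b"B" * 16    # constructed sample file nonces
    return {
        "key_a": per_file_key(master, nonce_a),
        "key_b": per_file_key(master, nonce_b),
        "key_a_again": per_file_key(master, nonce_a),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(name, key.hex()[:32] + "...")
```

Because each file's key depends on its own nonce, recovering one file key exposes neither the master key nor any other file's key.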

No Google Services by Default

GrapheneOS deliberately excludes Google apps and services, as well as alternative implementations like microG. However, users can install Google Play services in a separate, isolated environment without special privileges. The project also develops its own privacy-focused apps, including:

  • Vanadium browser (based on Chromium) and a modified WebView engine
  • A secure PDF viewer
  • A firewall app
  • Auditor for device verification and intrusion detection
  • A privacy-focused camera app
  • The Seedvault encrypted backup system

What’s New in the January 2024 Release

  • The automatic reboot mechanism has been completely redesigned. It now uses a timer in the init process instead of system_server, improving security and preventing reboots on devices that have never been unlocked. The auto-reboot timeout has been reduced from 72 to 18 hours. The main purpose of auto-reboot is to return user data partitions to an encrypted state after a period of inactivity. If a user does not unlock an active session for more than 18 hours, the device automatically reboots to prevent key analysis if it falls into the wrong hands. The timeout can be changed in Settings > Security > Auto reboot.
  • Developers highlighted the importance of auto-reboot by referencing recent vulnerabilities found in Google Pixel and Samsung Galaxy phones, which allowed forensic companies to spy on users and extract data from active (decrypted) sessions.
  • A log viewer has been added (Settings > System > View logs) to help diagnose issues and simplify bug reporting.
  • The crash report submission interface has been redesigned.
  • adevtool now supports Pixel Camera Service, enabling night mode in apps on Pixel 6+ devices.
  • adevtool has dropped support for devices not supported by Android 14.
  • Notifications are now shown when the malloc memory corruption detector is triggered.
  • Linux kernel sysrq support has been disabled.
  • The Linux kernel has been updated to the latest GKI (Generic Kernel Image) 5.10.206 for Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, and Pixel Fold, and to version 5.15.145 for Pixel 8 and Pixel 8 Pro. Additional builds with kernel 6.1.69 have also been prepared.
  • The Vanadium browser has been updated to Chromium codebase 120.0.6099.210.0.
