Salta al contenuto principale

mastodon - Collegamento all'originale
We have early access to Android Security Bulletin patches and will be able to set up a workflow where we can have releases already built and tested prior to the embargo ending. For now, we've still been doing the builds after the embargo ends. It will mainly help when they screw up pushing to AOSP.

reshared this

in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
We're in the process of obtaining early access to the major quarterly and yearly releases. This is a much bigger deal and will substantially help us. There's an immense workload with a lot of time pressure for porting to new major releases without early access which gets worse the more we change.
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS

We did not have early access to Android 16 QPR1 and have not been able to start porting yet. We should have early access prior to Android 16 QPR2.

We're going to need to make private repositories for working on this stuff internally. We can potentially make special preview releases based on these.

in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
Google recently made incredibly misguided changes to Android security updates. Android security patches are almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
We can't break the embargo ourselves but if someone posted the patches publicly we would be able to ship them months early, as would others. The patches are broadly distributed to OEMs where most of their engineers have access. Companies like NSO can easily obtain access. It's not a safe system.

Joe Vinegar reshared this.

in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
Google's existing system for distributing security patches to OEMs was already incredibly problematic. Extending 1 month of early access to 4 months is atrocious. This applies to all of the patches in the bulletins. This is harming Android security to make OEMs look better by lowering the bar.
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
The existing system should have been moving towards shorter broad disclosure of patches instead of 30 days. Moving in the opposite direction with 4 months of early access is extraordinarily irresponsible. Google has also abandoned pretending it's private by allowing binary-only embargo breaches.
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
Android's management has clearly overruled the concerns of their security team and chosen to significantly harm Android security for marketing reasons. Lowering the bar for OEMs to pretend things are fine while reducing security for everyone is a ridiculous approach and should be quickly reversed.
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
Android is very understaffed due to layoffs/buyouts and insufficient hiring. This is impacting Linux kernel and Android security. Google hasn't fixed taptrap.click/ which is a serious issue privately disclosed to them in October 2024. We were informed in June 2025 and it took us a few hours to fix...

TapTrap: Animation‑Driven Tapjacking on Android

taptrap.click

Christophe B. reshared this.

in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
Google does a massive portion of the security work on the Linux kernel, LLVM and other projects including implementing exploit protections, bug finding tools and doing fuzzing. They're providing the resources and infrastructure for Linux kernel LTS releases. Others aren't stepping up to the plate.
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
We don't expect there to be much pushback against this via tech media despite how obscene it is to provide 4 months of patch access to sophisticated attackers. They can easily get it from OEMs or even make an OEM. Whistleblowers should publicly post the signed zips since attackers have it already.
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
Security patch backports were pushed to the Android Open Source Project on September 2nd but it wasn't done properly. Android 16 QPR1 was also supposed to be pushed to the AOSP on September 3rd and it was even confirmed they'd still be doing that but it hasn't happened. Perhaps too many layoffs...
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
Even if no whistleblowers leak the signed zips we can still bring this system down ourselves without breaking any embargo. Our plan is to make special releases with the patches which are otherwise identical to our regular releases. External developers can reverse it from that for regular GrapheneOS.
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
We're allowed to make a release with currently available revision of the December 2025 Android security patches right now but we wouldn't be allowed to publish sources. Therefore, we'd need to do this separately from regular GrapheneOS. We could special release channels for it with delayed tags...
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
It's trivial for someone to reverse the Java and Kotlin patches to source code within an hour of us releasing that. They could then submit security patches elsewhere including to GrapheneOS. This clearly isn't something Google's technical security people came up with as it's completety nonsensical.
in reply to GrapheneOS

Felix
mastodon - Collegamento all'originale
Felix
But, wouldn't that be a potential copyright infridgement, when you backport code that Google hasn't yet released under an Open Source license?
in reply to GrapheneOS

fractal_timescales
mastodon - Collegamento all'originale
fractal_timescales

So just to check my understanding here, you'd make a special release, binaries only for the patches. Someone outside the project decompiles the binary, uses it to discover the vulnerability, which they then report to you. Then you fix it for regular Graphene users.

If I'm understanding correctly, then is there a chance the regular Graphene users don't get the patches if nobody outside the project does the decompiling? I would love to contribute, and maybe this is a reason to get good at doing this kind of thing. But I don't think my technical skills are up to scratch yet.

in reply to fractal_timescales

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
@fractal_timescales Users of the regular GrapheneOS would still get the updates when most Android users do once the embargo ends. Also, if someone leaks the patches publicly, then the embargo is dead as we can use what was leaked publicly. If people don't like this and work at an Android OEM they can just publicly post the signed zip.
@fractal_timescales
in reply to GrapheneOS

fractal_timescales
mastodon - Collegamento all'originale
fractal_timescales
Yes sorry should have clarified, I meant regular Graphene users wouldn't get them until the embargo ends if no one does the decompiling.
in reply to GrapheneOS

astroboy
mastodon - Collegamento all'originale
astroboy
@fractal_timescales Don't you get banned if you leak the source code like this? Will you lose access to the security bulletin?
@fractal_timescales
in reply to astroboy

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
@astroboy @fractal_timescales Their 3-4 month embargo has an explicit exception for binary-only releases of patches. We're fully permitted to release the December 2025 patches this month in a release but not the source code. Therefore, we can only do it if we make new release channels for obtaining early releases of patches with source code and description still under embargo. We're allowed to publish a release with the patches and we're even allowed to list all the CVEs for Dec 2025 it fixes.
@astroboy @fractal_timescales
in reply to GrapheneOS

Buccia
mastodon - Collegamento all'originale
Buccia
What's the point of scheduling patches so far into the future? If they are made aware of the vulnerabilities now, why not scheduling them on the next month?
in reply to Buccia

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
@BucciaBuccia Their previous system was disclosing patches to OEMs 1 month before the coordinated disclosure date. This was Android's monthly security backport system. We considered 1 month to be far too long for so broadly disclosing the patches. Android has now moved to doing the same thing around 4 months ahead instead of 1. They're aware that it's a completely broken system to an extent and have therefore allowed binary-only releases as a compromise to try to squash OEM complaints...
@Buccia
in reply to GrapheneOS

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS

@BucciaBuccia Nearly all OEMs were failing to ship the monthly security patch backports despite how straightforward it is. The backports alone are not even particularly complete patches. They're only the High and Critical severity Android patches and a small subset of external patches for the Linux kernel, etc. Getting the full Android patches requires the latest stable releases.

They changed the system to make OEMs look better. It's due to pressure from some OEMs and Google marketing Android.

@Buccia
in reply to GrapheneOS

wod0bow
mastodon - Collegamento all'originale
wod0bow
Will the issue with external DAC (USB type c) with high-res stream (24bit 96kHz and above) will be fixed in next releases? The glitches when the screen is locked are annoying.
in reply to wod0bow

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
@wod0bow Not currently aware of an issue. How long has it been a problem for you? Is it a recent regression?
@wod0bow
in reply to GrapheneOS

wod0bow
mastodon - Collegamento all'originale
wod0bow
The issue is from at least Android 15 as I remember. Not sure IF this is regression. If I try to use anything above 24bit 48kHz than there is an issue. Tried few DAC. What is interesting the DAC based on USB 2.0 natively (dragonfly red) World without issues. Any other USB type C to 3.5" DAC I have issue... Tried few based on CX31993 and ES9318 (thought that maybe the issue don't affect ESS chips) and few "generic" ones but the only one working is Dragonfly Red - quite bulky solution.
in reply to GrapheneOS

Demi Marie Obenour
mastodon - Collegamento all'originale
Demi Marie Obenour
I’ll switch to those special releases as soon as they are available.
in reply to GrapheneOS

Iznogoud
mastodon - Collegamento all'originale
Iznogoud
well I for one would like to see @arstechnica and @dangoodin give Google a ride for its money on this one
@Dan Goodin @Ars Technica
in reply to GrapheneOS

Rafael
mastodon - Collegamento all'originale
Rafael
Have you though what you will do once Google stops supporting AOSP? They say that it is not going to happen but...
in reply to Rafael

Celinho
mastodon - Collegamento all'originale
Celinho
@rafaelm7o could start already having a parallel using open harmony.
@Rafael
in reply to GrapheneOS

Multi
mastodon - Collegamento all'originale
Multi
oh void that means reversing out security patches could be a real lucrative and stable job now
Questa voce è stata modificata (1 settimana fa)
in reply to Multi

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
@multisn8 If someone leaks them publicly and informs each time then we can simply request our OEM partner stops providing them early and we can publish them based on the leaks instead. That's what we would prefer. A massive number of people have access to them so it's quite easy for them to be publicly leaked. People were sending them to us privately but they need to be publicly available for the embargo to be considered ending and we can't break the embargo ourselves so someone else has to.
@Multi
in reply to GrapheneOS

iguana09863
mastodon - Collegamento all'originale
iguana09863
Isn't it that Google does it intentionally so that Android becomes gradually closed, and take advantage to continue collecting more user data? I think Google can create the patches monthly, but it does so quarterly so that Android is no longer open source.
in reply to iguana09863

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
@iguana09863 They're hurting the stock Pixel OS and other Android-based operating systems with this too. They're lagging further behind on shipping the implemented patches now than before. This does not only impact AOSP and AOSP-based operating systems. It negatively impacts Android as a whole. Only having security patches every 4 months with a special exception permitting quiet binary-only patching early (which they aren't doing in practice) is a regression for Android, not AOSP specifically.
@iguana09863
in reply to GrapheneOS

Multi
mastodon - Collegamento all'originale
Multi
...so they made the situation worse for every blue team that doesn't have vendor access?
in reply to Multi

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS

@multisn8 We have security partner access now and they made it worse for us too because GrapheneOS is open source...

They also massively lowered the bar for other OEMs and for themselves. We want to ship the patches ASAP but no one else is doing it in practice.

@Multi
in reply to GrapheneOS

leighelse{}
mastodon - Collegamento all'originale
leighelse{}

Google is now starting work on a task of consummate importance to them; making independent builds of Android unworkable.

See grapheneos.social/@GrapheneOS/…

GrapheneOS

2025-09-07 17:26:28

mastodon - Collegamento all'originale

Google recently made incredibly misguided changes to Android security updates. Android security patches are almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.

in reply to leighelse{}

GrapheneOS
mastodon - Collegamento all'originale
GrapheneOS
@leighelse It doesn't make GrapheneOS unworkable. It's a security downgrade for Android in general which we can work around ourselves.
@leighelse{}
in reply to GrapheneOS

Just Bob ♒🇺🇲🪖🐧
mastodon - Collegamento all'originale
Just Bob ♒🇺🇲🪖🐧
I'm surprised Google isn't using it to install Gemini AI. I've disabled almost everything Google and my phone seems to be staying safe from the AI virus at the moment.