cross-posted from: https://lemmy.ml/post/17265164

https://grapheneos.social/@GrapheneOS/112609239806949074

We questioned why this was only listed in the Pixel Update Bulletin and they agree:

After review we agree with your assessment that this is an Android issue and as such we are working on backports to include this in a future Android Security Bulletin.

April 2024 monthly update for Pixels included a partial mitigation for this vulnerability in firmware (CVE-2024-29748).

Android 14 QPR3 released in June 2024 includes a full solution for all Android devices by implementing the wipe-without-reboot proposal we made in our report.

The issue is that in practice, only Pixels ship the monthly and quarterly updates. Other devices only ship monthly security backports, not the monthly/quarterly releases of AOSP. They were only going to get the patch when they updated to Android 15. They're now going to backport.

The other vulnerability we reported at the same time for reset attacks was assigned CVE-2024-29745 but that's a firmware/hardware issue without a software solution available so we can't get them to include it in the Android Security Bulletin unless we convince Qualcomm to fix it.

Every vulnerability in the Android Open Source Project that's deemed to be High/Critical severity is meant to be backported to yearly releases from the past 3 years (currently Android 12, 13 and 14). Low/Moderate severity vulnerabilities are NOT generally backported though.

The issue is that they're really listing patches rather than vulnerabilities. Both of the vulnerabilities we originally reported impact all Android devices, but both got Pixel specific patches in April 2024 and therefore got treated as Pixel specific vulnerabilities instead.

Since the complete solution for the device admin API is an Android Open Source Project (AOSP) patch, they're going to backport it. Since there's no way to frame the reset attack issue as an AOSP issue, there isn't a good way to get it fixed for other devices through this system.

These patched vulnerabilities and other currently unpatched vulnerabilities are being exploited by forensic tools used by states to target journalists, political opponents, activists, arbitrary people crossing borders, etc. Sure, they target lots of drug users / dealers too...

cross-posted from: https://lemmy.ml/post/16336497

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024053100-redfin (Pixel 4a (5G), Pixel 5)
• 2024053100 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024052100 release:

• add support for setting a duress password and PIN for quickly wiping all hardware keystore keys including keys used as part of deriving the key encryption keys for disk encryption to make all OS data unrecoverable followed by wiping eSIMs and then shutting down
• disable unused adoptable storage support since it would complicate duress password feature (can be added if we ever support a device able to use it)
• increase default max password length to 128 to improve support for strong diceware passphrases, which will become more practical for people who don't want biometric-only secondary unlock with our upcoming 2-factor fingerprint unlock feature
• disable camera lockscreen shortcut functionality when camera access while locked is disabled to avoid the possibility of misconfiguration by adding the camera lockscreen shortcut and then forgetting to remove it when disabling camera access
• kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.153
• kernel (6.1): update to latest GKI LTS branch revision
• Vanadium: update to version 125.0.6422.72.0
• Vanadium: update to version 125.0.6422.72.1
• Vanadium: update to version 125.0.6422.113.0
• Vanadium: update to version 125.0.6422.147.0
• GmsCompatConfig: update to version 112
• GmsCompatConfig: update to version 113
• GmsCompatConfig: update to version 114
• GmsCompatConfig: update to version 115
• make SystemUI tests compatible with GrapheneOS changes

Almost Bricked my Phone

! I am not a dev, I just wanna use aosp bc google bad (imo) ; this is a shitpost but lemmy is empty enough

> I was just researching about unicode on my phone, found an app to show all unicodes

> Some symbols were not showing up. I searched for latest unicode font android Magik zip.

> Found one, flashed it, rebooted => bootloop

> annoyed, went to fastboot mode, connected phone to pc, fastboot boot twrp.img ; thought flashing the aosp rom again would fix it although it will disable Magisk

> Flashed zip to the wrong slot (I was dual booting Linux and android) ; Linux dead ; nvm there was nothing of importance on linux

> Flashed zip to the correct slot (I wanna atleast save my android) ; success > booted > bootloop

> went to twrp again, this time formatted all data (fu*k my data, I have backup) ; data format fails DBE decryption error or something

> Cant think of any other solution, fallback to last resort, ie. fastboot rom, 5.9 gb rom file, downloading with 500 kb/sec for some reason (2.5 hr ETA) ; super annoyed

> rebooted to twrp again, twrp doesn't open, stuck on launch screen ; scared

> twrp home screen visible after 5 min, goes to advance wipe, clears internal storage, data, and dalvik, reflashes aosp rom zip (fastboot rom is still downloading), success with no errors

> reboots to system (works) ; cries

@aosp

@android

cross-posted from: https://lemmy.ml/post/7659570

Pixel 5 is receiving official support past the end of the official update guarantee which is what we predicted for the Pixel 4a (5G) and Pixel 5. It would make a lot of sense for them to be supported until the Pixel 5a end-of-life but it's unclear if that's what will happen.

Nexus and Pixel devices have often received longer support than the minimum guarantee. Pixel C was released December 2015 with a 3 minimum guarantee and got updates until June 2019. Many people misinterpret the minimum guarantee as the end-of-life date, which is not how it works.

Pixel 8 has moved to a 7 year minimum guarantee for major OS updates and security updates, and we don't expect them to go past that. However, we do expect that the Pixel 6 and Pixel 7 will keep getting official major OS updates for their whole 5 year security update guarantee.

cross-posted from: https://lemmy.ml/post/7167256

Our first experimental release based on Android 14 was published on October 6th. We think we already had this issue resolved for that release:

https://arstechnica.com/gadgets/2023/10/android-14s-ransomware-data-storage-bug-locks-out-users-remains-unfixed/

We've made additional fixes for upstream user profile issues still impacting the stock Pixel OS since then too

We've run into multiple Linux kernel f2fs data corruption issues before Android 14 while testing new Linux kernel LTS revisions. We avoided any of the serious issues slipping past our internal testing. The only one to make it into the Alpha channel only caused update rollback.

cross-posted from: https://lemmy.ml/post/6085628

GrapheneOS is now based on Android 14. Most of our changes have been ported already but we still have a lot more porting work to do. It's all going to need to be tested before we can get it all merged, and then we can start making public experimental releases based on 14.

cross-posted from: https://lemmy.ml/post/6053540

Pixel 8 and Pixel 8 Pro are confirmed to have at least 7 years of full support:

https://support.google.com/nexus/answer/4457705?hl=en#zippy=%2Cpixel-later-including-fold

We expect 6th and 7th generation Pixels will also receive major OS updates until the end of their security support period. Bear in mind these are a minimum, not when it ends.

Android only has a single active stable branch, which is the latest major OS release. For example, Android 14 has now replaced Android 13.

Android 11, 12 and now 13 only have standalone backports of Critical/High severity patches and a subset of Moderate/Low severity patches

The alternative to updating 6th and 7th generation Pixels to the latest major OS release until their end-of-life would be continuing to develop an older major release and continuing to have releases for it. We think it's much more likely they give them 5 years of major updates.

It's likely they've already come to that conclusion and it's why it makes sense for the Pixel 8 and Pixel 8 Pro to have at least 7 years of major OS updates to go along with a minimum of 7 years of security patches. It's easier rather than harder for them to do both, especially with Treble.

cross-posted from: https://lemy.lol/post/1519899

I am picky about the features I look for in a smartphone. Hopefully this post can be a good resource for myself and others who have similar preferences. For reference, I am using a Oneplus 7 Pro with a non-functional camera and flashlight.

Very important features

---

Battery life

It should handle a day's worth of general usage before charging. Heat kills batteries, so decent heat dissipation is important too.

Durability or repairability

I recently bought a Google Pixel 5a, a phone I greatly enjoyed before I dropped it 5 feet and the display decided its work was done. My top priority is to have a useable device for ~5 years before needing an upgrade.

Storage

I like storing my music collection (30 GB and growing) and expandable storage would save me from having to carry a DAP (mp3 player). Without expandable storage it should have 256 GB storage.

Price

Electronics aren't meant to last a long time; I'd prefer devices costing ~300 USD, but I would gladly pay a little more for reliability.

Microphone

Please let me be intelligible on phone calls. Please? Pretty please?

Software updates or custom ROM support

OS updates for 3+ years or resources on XDA for flashing a custom ROM. Ideally LineageOS.

Would be nice

---

Root capability

It's a bit dated nowadays, but I really do appreciate having that extra bit of control. This also ties into custom ROM support.

Fingerprint Sensor

I loved the dedicated fingerprint sensor on my Pixel 5a. Power button fingerprints are worse, but better than nothing. Typing in my passcode every time is a bit of a pain.

Speakers

Preferably dual front facing stereo speakers. Having some decent output for videos when I don't have anything else with me would be nice.

OLED/AMOLED display

Makes stuff WAY easier to see when the sun's all sunny.

Processing power

I don't play phone games. I watch a lot of media and I message people. Must be capable of simultaneously running muliple apps and background services.

IPA ratings

It'd be pretty sick if I could bring it with me in the shower without worrying about water damage.

Fast charging

Won't always use it, but it'd be great to have.

Cutting corners

---

Screen resolution

I don't need a 4K display. Hell, I don't need a 1080p display. If it cuts costs, 720p is just fine so long as it looks okay.

Size

It can be big or small, thick or thin. Not picky.

Other features I don't need

Headphone jack, NFC, 5G, wireless charging

The phones I am looking at right now are as follows

• Sony Xperia 10 V - No custom ROM support, long term durability is unclear.
• Fairphone 4 - Slightly out of price range.
• Samsung Galaxy XCover6 Pro - Way out of price range. I would appreciate any input or questions.

Auditor app version 34 released: https://github.com/GrapheneOS/Auditor/releases/tag/34

See the linked release notes for an overview of the improvements and a link to the full list of changes.

See https://attestation.app/about and https://attestation.app/tutorial for info about the app and optional monitoring service.

Pixel Fall Launch

On October 19, we’re officially introducing you to Pixel 6 and Pixel 6 Pro—the completely reimagined Google phones. Powered by Tensor, Google’s first custom mobile chip, they’re fast, smart and secure. And they adapt to you.

Android Security Bulletins

Monthly device updates are an important tool to keep Android users safe and protect their devices. This page contains the available Android Security Bulletins, which provide fixes for possible issues affecting devices running Android. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as:

• Google
• Huawei
• LG
• Motorola
• Nokia
• OnePlus
• Oppo
• Samsung

Learn how to check and update your Android version here.

Sources

Fixes listed in the public bulletin come from various different sources: the Android Open Source Project (AOSP), the upstream Linux kernel, and system-on-chip (SOC) manufacturers. For device manufacturers:

• Android platform fixes are merged into AOSP 24–48 hours after the security bulletin is released and can be picked up directly from there.
• Upstream Linux kernel fixes are linked to directly from the bulletin on release and can be picked up from there.
• Fixes from SOC manufacturers are available directly from the manufacturers.

Bulletins

https://source.android.com/security/bulletin#bulletins

Coming soon.