For #GrapheneOS users concerned on a full Android 16 QPR1 release. Android Authority has reported the source code for Android 16 QPR1 in AOSP will be released 'In the coming weeks':

Android Authority

Android 16 QPR1’s source code is nowhere to be found, but Google swears it’s coming

Google has yet to release the source code for Android 16 QPR1, sparking fears about the company's commitment to AOSP.

This delay is unprecedented. This information matches our own sources and communications. The general consensus is it SHOULD be released, but for some reason it hasn't been.

re: Apple Memory Integrity Enforcement Pixels have provided hardware memory tagging (MTE) support since the Pixel 8. GrapheneOS deployed it in production around a month after the launch of the Pixel 8 and we use it for the kernel and nearly the entire base OS. We use it for some third party apps and users can opt-in to using it for all. There have been multiple revisions of ARM MTE. FEAT_MTE4 (Enhanced Memory Tagging Extension) is the 4th generation of ARM MTE improvements, not the beginning of it. The baseline feature was already a game changer for defending devices. The improvements will make their way to devices providing it. Being able to leak data via side channels is a known issue with modern CPUs with many rounds of issues being discovered and addressed. ARM has been working on fully resolving it for MTE itself. Apple CPUs have had much more severe issues with side channels than Cortex, so it's a strange jab by them. Unlike iPhone users, #GrapheneOS users have been well protected by attacks from Cellebrite and other exploit development companies.

GrapheneOS Discussion Forum

Cellebrite Premium July 2024 documentation - GrapheneOS Discussion Forum

GrapheneOS discussion forum

Apple talks a big game but consistently fails to protect their users against broadly deployed exploits used at a large scale. ARM shipped MTE support multiple years before Apple in their Cortex cores. Yes, it was discovered to have a side channel usable by local attackers. This doesn't ruin it. MTE only has 4 bit tags which is a bigger weakness than the side channel. MTE still paves the way for stronger future features. Apple has far more severe side channels in their hardware which leak user data. It's strange to portray leaking tags as a severe issue ruining a feature when they've consistently downplayed the impact of endless side channels vulnerabilities directly leaking sensitive user data on iPhones and Macs.

#NPM package attacker hits "Worst Supply Chain Attack Ever", gets 20 dollars of a shitcoin and 5 cents https://www.securityalliance.org/news/2025-09-npm-supply-chain

#GrapheneOS version 2025090800 released. - backport the rest of the Android 16 QPR1 Pixel firmware (Bluetooth, Wi-Fi, GNSS, UWB, NFC and secure element)

Releases | GrapheneOS

No way to tell how the account compromise happened, but if you are a developer working a large project - for the love of God please use two-factor authentication and unique credentials. Please also install only trusted software from trusted sources... avoid being hit with infostealers. View article →

New #GrapheneOS release with fully updated firmware is building. Remaining userspace Pixel stuff is coming later

While Android 16 QPR1 is not released yet, we will wait further for the releases to push, in case something seriously went wrong. Our sources all have said releases would be quarterly. We are looking into early access. View quoted note →

We have early access to Android Security Bulletin patches and will be able to set up a workflow where we can have releases already built and tested prior to the embargo ending. For now, we've still been doing the builds after the embargo ends. It will mainly help when they screw up pushing to AOSP. We're in the process of obtaining early access to the major quarterly and yearly releases. This is a much bigger deal and will substantially help us. There's an immense workload with a lot of time pressure for porting to new major releases without early access which gets worse the more we change. We did not have early access to Android 16 QPR1 and have not been able to start porting yet. We should have early access prior to Android 16 QPR2. We're going to need to make private repositories for working on this stuff internally. We can potentially make special preview releases based on these. Google recently made incredibly misguided changes to Android security updates. Android security patches are almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers. We can't break the embargo ourselves but if someone posted the patches publicly we would be able to ship them months early, as would others. The patches are broadly distributed to OEMs where most of their engineers have access. Companies like NSO can easily obtain access. It's not a safe system. Google's existing system for distributing security patches to OEMs was already incredibly problematic. Extending 1 month of early access to 4 months is atrocious. This applies to all of the patches in the bulletins. This is harming Android security to make OEMs look better by lowering the bar. The existing system should have been moving towards shorter broad disclosure of patches instead of 30 days. Moving in the opposite direction with 4 months of early access is extraordinarily irresponsible. Google has also abandoned pretending it's private by allowing binary-only embargo breaches. Android's management has clearly overruled the concerns of their security team and chosen to significantly harm Android security for marketing reasons. Lowering the bar for OEMs to pretend things are fine while reducing security for everyone is a ridiculous approach and should be quickly reversed. Android is very understaffed due to layoffs/buyouts and insufficient hiring. This is impacting Linux kernel and Android security. Google hasn't fixed

TapTrap: Animation‑Driven Tapjacking on Android

which is a serious issue privately disclosed to them in October 2024. We were informed in June 2025 and it took us a few hours to fix... Google does a massive portion of the security work on the Linux kernel, LLVM and other projects including implementing exploit protections, bug finding tools and doing fuzzing. They're providing the resources and infrastructure for Linux kernel LTS releases. Others aren't stepping up to the plate. We don't expect there to be much pushback against this via tech media despite how obscene it is to provide 4 months of patch access to sophisticated attackers. They can easily get it from OEMs or even make an OEM. Whistleblowers should publicly post the signed zips since attackers have it already. Security patch backports were pushed to the Android Open Source Project on September 2nd but it wasn't done properly. Android 16 QPR1 was also supposed to be pushed to the AOSP on September 3rd and it was even confirmed they'd still be doing that but it hasn't happened. Perhaps too many layoffs... Even if no whistleblowers leak the signed zips we can still bring this system down ourselves without breaking any embargo. Our plan is to make special releases with the patches which are otherwise identical to our regular releases. External developers can reverse it from that for regular GrapheneOS. We're allowed to make a release with currently available revision of the December 2025 Android security patches right now but we wouldn't be allowed to publish sources. Therefore, we'd need to do this separately from regular GrapheneOS. We could special release channels for it with delayed tags... The purpose of this approach is for someone to reverse the Java and Kotlin patches to source code within an hour of us releasing that. They could then submit security patches elsewhere including to GrapheneOS that is open source. This clearly isn't something Google's technical security people came up with as it's completety nonsensical.

The Tor Project's upcoming VPN Android app has been moved to beta. Here is how it looks on #GrapheneOS: This version uses Arti, Tor's Rust implementation, it is more modern and secure. Each app will get their own Tor circuit and exit IP. Unlike Orbot which is an on-device Tor proxy with a VPN feature, it appears app is designed to be a VPN first and foremost.

#GrapheneOS version 2025090500 released. - move to new monolithic Pixel kernel repository setup with a single repository for Pixels and our portable Generic Kernel Image repository as a submodule to more easily handle Pixel kernel sources being released as tarballs instead of Git tags (Git metadata for the kernel image and modules will be added back in the next release) - update to Android 16 QPR1 kernel drivers and kernel build system to ship the security patches prior to Android 16 QPR1 being released to AOSP - update SoC and cellular radio firmware to the Android 16 QPR1 releases to ship the security patches prior to Android 16 QPR1 being released to AOSP - kernel (6.12): update to latest GKI LTS branch revision - App Store: update to version 32 - App Store: update to version 33 - Vanadium: update to version 140.0.7339.51.0

Releases | GrapheneOS

View quoted note →

New release with Android 16 QPR1 SoC firmware, cellular radio firmware and kernels is building while we still wait. Other backports is coming later. View quoted note →

We are still waiting on release tags for 16 QPR1. Kernel sources and signed security partner bulletin zips are available to us, but rest not pushed to AOSP. Currently only the upstream stock OS is 16 QPR1, not upstream AOSP. We were told the quarterly releases would be pushed to AOSP. A late push of a day or two is not out of the ordinary and we will wait. View quoted note →

Here are the stock OS Android 16 QPR1 kernel sources for Pixel 6 through Pixel 9a:

GitLab

Files · 16-qpr1-base · GrapheneOS / kernel_pixel · GitLab

GitLab.com