(at the satanist conference) Alright guys we made the mobile operating system now all we need to do is set up THE CLUES
Final
final@stacker.news
npub1hxx7...g75y
Security specialist and member of the GrapheneOS Foundation.
Posts my own and not endorsed by my employer. AI slop and Nostr DMs ignored.
Email: final@grapheneos.org
Matrix: f1nal:grapheneos.org
Next #GrapheneOS update will remove the messy End Session button in the lock screen of secondary users. You'll be able to end session within the power menu or the user profile switcher UI instead.
Placing in the power button menu also means you're able to choose to power off in the same place, which could be a valuable protective measure greater than ending the session of the current profile.
Had seen news that a mobile phone centered around a different cryptocurrency had been announced as end of life (no security updates) after just two years.
Please just use a commercial off the shelf device from a reputable brand and long support time. OS updates is not driver, firmware, etc. Even if it is a 'Bitcoin phone' it's likely not the best or safest phone a Bitcoiner should use.
#GrapheneOS is very distinct from other Android distributions and OEM configurations. There is a litany of Linux kernel and Android Runtime hardening changes and features powering GrapheneOS. This is very significant but often overlooked because most changes aren't visible to the end user.
The leading example of this is hardened_malloc, the hardened memory allocator used in GrapheneOS to protect against memory corruption vulnerabilities. You can find a technical article about it by Synacktiv, a French cyber security company:
Hardening in GrapheneOS are built on closing out commonly exploited attack surfaces, substituting them with more secure replacements, or giving them stronger security defaults.
If you are a blue teamer you'll already be familiar with the Pyramid of Pain:
For newcomers, this model is a layered pyramid that ranks indicators of compromise by a linear level of difficulty and cost for the threat actor to evade security measures to perform an attack; The bottom of the pyramid being very easy and trivial for the threat actor to change and the top being tough.
This model opens newcomers on how good security strategy is built: Techniques and capabilities over individual actors. Closing out tactics, techniques and procedures are far more important than blocking an IP address or a file hash. You want to protect against a type of attack, not against a particular actor who performs them.
The point of having extensive hardening features is that we need to ensure vulnerabilities that would affect Android are benign, harder to exploit or patched in GrapheneOS before they can be exploited. Android distributions carry the weight of vulnerabilities from upstream. To reduce that weight, we need to make sure a highly sophisticated exploit developer would have to uniquely design their exploit to target GrapheneOS, should they be able to at all.
Without that, GrapheneOS wouldn't be special. It would not be sensible to claim it is more security and privacy focused than Android if it was able to be exploited through the exact same mechanisms with little or no effort needed to port. An Android distribution that is just Android without Google services is mostly as exploitable as Android. Something that is "DeGoogled" (I don't use the term, it's Reddit tier buzzword nonsense) may not necessarily be safer to use either.
To earn the title of being hardened it needs more, but this isn't ever implemented well enough. Projects that have done so to the best of their ability also have died (DivestOS).
Our hardening features are available outside of GrapheneOS. Leading example of this is secureblue, a security hardened Linux distribution (https://secureblue.dev/) which is using hardened_malloc and Vanadium inspired chromium browser. A business also sells hardened Rocky Linux supporting hardened_malloc. If you are a maintainer of a leading project then implementing our hardening features and supporting is strongly encouraged.
Synacktiv
Exploring GrapheneOS secure allocator: Hardened Malloc
Exploring GrapheneOS secure allocator: Hardened Malloc
For newcomers, this model is a layered pyramid that ranks indicators of compromise by a linear level of difficulty and cost for the threat actor to evade security measures to perform an attack; The bottom of the pyramid being very easy and trivial for the threat actor to change and the top being tough.
This model opens newcomers on how good security strategy is built: Techniques and capabilities over individual actors. Closing out tactics, techniques and procedures are far more important than blocking an IP address or a file hash. You want to protect against a type of attack, not against a particular actor who performs them.
The point of having extensive hardening features is that we need to ensure vulnerabilities that would affect Android are benign, harder to exploit or patched in GrapheneOS before they can be exploited. Android distributions carry the weight of vulnerabilities from upstream. To reduce that weight, we need to make sure a highly sophisticated exploit developer would have to uniquely design their exploit to target GrapheneOS, should they be able to at all.
Without that, GrapheneOS wouldn't be special. It would not be sensible to claim it is more security and privacy focused than Android if it was able to be exploited through the exact same mechanisms with little or no effort needed to port. An Android distribution that is just Android without Google services is mostly as exploitable as Android. Something that is "DeGoogled" (I don't use the term, it's Reddit tier buzzword nonsense) may not necessarily be safer to use either.
To earn the title of being hardened it needs more, but this isn't ever implemented well enough. Projects that have done so to the best of their ability also have died (DivestOS).
Our hardening features are available outside of GrapheneOS. Leading example of this is secureblue, a security hardened Linux distribution (https://secureblue.dev/) which is using hardened_malloc and Vanadium inspired chromium browser. A business also sells hardened Rocky Linux supporting hardened_malloc. If you are a maintainer of a leading project then implementing our hardening features and supporting is strongly encouraged.
Defenestrate social media marketers using HDR in their ads
We've received a 2nd IPv4 /24 subnet from ARIN for our 2nd anycast DNS network. Both our /24 subnets were obtained quickly under the NRPM 4.10 policy for IPv6 deployment for our dual stack DNS use case. 2nd was obtained without waiting 6 months due to being a discrete network.
We host our own authoritative DNS servers to provide DNS resolution for our services. Authoritative DNS are the servers queried by DNS resolvers run by your ISP, VPN or an explicitly user chosen one such as Cloudflare or Quad9 DNS. We now have our own AS and IP space for this.
Our ns1 has 11 locations on Vultr: New York City, Miami, Los Angeles, Seattle, London, Frankfurt, Singapore, Mumbai, Tokyo, Sao Paulo and Sydney.
Our ns2 has 4 locations on BuyVM: New York City, Miami, Las Vegas and Bern. We'll be adding a 2nd server provider for more locations.
DNS resolvers quickly fall back to the other network if traffic is dropped. Having two discrete networks with separate hosting companies and transit providers provides very high reliability. Individual servers which go down also stop having traffic routed to them due to BGP.
We have tiny #GrapheneOS website/network servers and also powerful update mirrors around the world. Our DNS servers use a combination of a GeoIP database and their own location to route users to the closest server that's up. Frequent health checks and low expiry time handle server downtime.
Footage of highly experimental GUI Linux virtual machine (and video games) in highly experimental desktop mode in #GrapheneOS.
View quoted note →
View quoted note →
- Icons should now be themed regardless of if the app supports them.
- You can now change the shape of app icons on the home screen. This also includes PWAs(!!)
- You can add a Widget in the home screen that is a user profile switcher.
#GrapheneOS
View quoted note →
#GrapheneOS MAJOR UPDATE based on Android 16 QPR2 version 2025121000 released.
This is our first non-experimental release based on Android 16 QPR2 after our initial experimental 2025120800 release. The change to the style of notification backgrounds is an upstream regression rather than an intentional change to a more minimal style.
Changes:
• rebased onto BP4A.251205.006 Android Open Source Project release (Android 16 QPR2)
• disable promotion of identity check feature not currently present in GrapheneOS due to depending on privileged Google Mobile Services integration
• GmsCompatConfig: update to version 166
All of the Android 16 security patches from the current January 2026, February 2026, March 2026, April 2026 and June 2026 Android Security Bulletins (May 2026 preview ASB doesn't exist yet) are included in the 2025121001 security preview release. List of additional fixed CVEs:
• High: CVE-2025-32348, CVE-2025-48641, CVE-2026-0014, CVE-2026-0015, CVE-2026-0016, CVE-2026-0017, CVE-2026-0018
2025121001 provides at least the full 2026-01-01 Android and Pixel security patch level but will remain marked as providing 2025-11-05.
https://GrapheneOS.org/releaaes#2025121000
The home screen, YakiHonne and Cake on experimental Desktop Mode in #GrapheneOS.
View quoted note →