Final
final@stacker.news
npub1hxx7...g75y
Digital forensics and security specialist part of the GrapheneOS project. Posts my own and not endorsed by my employer. AI slop and Nostr DMs ignored. Matrix: f1nal:grapheneos.org
Final 3 weeks ago
This March we hope to officially announce our OEM partner whose future devices shall work to support GrapheneOS.
Final 0 months ago
Our latest #GrapheneOS release adds a sandboxed Google Play toggle for extending RCS compatibility in Google Messages to the rest of the carriers supporting it by granting ICC authentication access to sandboxed Play services. T-Mobile is the main one requiring it.
Final 1 month ago
This update implements cross-SIM calling support (making calls using a SIM via the mobile data provided by another SIM similarly to Wi-Fi calling) and the security preview variant applies security patches previewed for upstream Android in August of 2026!
Final 1 month ago
Finally working to go all in on using ZEUS.
Final 1 month ago
Proud to say my 'Never Went to Black Hat' award is looking very shiny right now.
Final 1 month ago
As our fully local text to speech engine is deployed in GrapheneOS soon, this will be the first of hopefully many major usability advancements in GrapheneOS for the year and next. With the OEM partnership developing and later generation flagship hardware providing more of what GrapheneOS needs for features, improving usability and accessibility will help for the influx of new users we will hope to welcome. It is a good time to remind you that GrapheneOS is hiring remote developers. We have been for a while:
Final 1 month ago
This is a tablet PC with Cellebrite UFED, a mobile forensics acquisition software. Users plug a target device into it where it then will attempt to extract as much data on the device as possible. The software on the laptop is Physical Analyser which is for forensic analysis.

This video is dated, and Cellebrite UFED's UI, logo and capabilities have changed a lot since the video was released. This tool is also not exclusive to UK law enforcement and there are also competitor solutions, which many countries around the world use plus the competitors.

Cellebrite sell a variant of this product named Cellebrite Premium. The difference to standard UFED and Premium is that Premium comes with wider device extraction support through zero-day exploits. As described it also allows extraction of vulnerable devices that are locked.

This business model is not exclusive. XRY Pro (MSAB) and GrayKey (Magnet Forensics) are other exclusive forensic tools. Cellebrite are the second-oldest of the three companies (on joining the forensics market) but are one of the most capable thanks to their funding and location.

How and if these tools are able to extract your device's data depends on:

- The device you are using
- The installed OS and version
- The lock state of the device
- Configured security settings of the device
- Strength of your phone's unlock credential

For a locked device exploiting security vulnerabilities is required to extract data almost all of the time.

There are two different device lock states on Android and iOS: After first unlock (AFU, Hot) and before first unlock (BFU, Cold). This is due to how encryption works. Modern Android and iOS encrypt all users' data by default with keys derived from the user's credentials. When a device is unlocked once, data is no longer encrypted at rest and is accessible during that boot session. When a device is BFU, all sensitive data is at rest.

Data not being at rest provides more OS attack surface to exploit bypassing lock screens or other measures and access to the data without needing the original PIN/password to decrypt it. For BFU devices brute forcing is required to decrypt data first and the only data not encrypted is a minimal footprint of the OS used for unlocking the device and global OS configuration and metadata.

To make extraction impossible make sure your device is powered off and you use a secure, high-entropy passphrase before seizure. GrapheneOS provides a configurable, automatic inactivity reboot feature. We also provide several other countermeasures to these tools as well. GrapheneOS locked devices as a whole are unsupported by Cellebrite.

If you are an opposition activist in a high-risk country you should be concerned about potential attacks from such tools. They have been abused to target activists in numerous countries like Serbia and Jordan. Even if a business claims that use of their product like this is unauthorised, it doesn't change the fact that they will be used like this again, that they don't know about it until after it has violated someone's rights and that the security vulnerabilities remain unpatched.

GrapheneOS provides an auto-reboot to put data at rest, a USB-C port control to disable data transfer or the port entirely when booted into the OS, clearing sensitive data from memory and exploit protection features.
Final 1 month ago
Seeing Proton get heat on social media for their marketing again so let's repost this. Treat these email services for what they are: Alternatives to Gmail or Outlook with a security perspective and automated encryption features. Yes, people on social media can't read, but IMO they should approach their service in a different way ("A reasonably secure email provider" is my suggestion) if they don't want people ratioing them all the time... Most of these people getting the wrong answer is because their site can be pretty ambiguous about the technical details without searching a few pages deep for it. Posteo is an email provider that does openly clarify they can be compelled to intercept incoming emails in a better way than how Proton says it. Still doesn't mean these services are a bad thing though.
Final 1 month ago
Late to post about this but the security preview variant of this release fixes SIX **CRITICAL** CVEs that will not be fixed elsewhere for a while except in #GrapheneOS because security patches are not included into an Android Security Bulletin until around 3-4 months after their release.

- Critical: CVE-2026-0039, CVE-2026-0040, CVE-2026-0041, CVE-2026-0042, CVE-2026-0043, CVE-2026-0044

OEMs do not deliver security patches in a timely manner. In a rare case it is sometimes only done in part, and often will only do so after the ASB is released. That dangerously long period of security vulnerabilities being known and unpatched is unacceptable.
Final 1 month ago
Last two Vanadium updates provided some functionality improvements: The upstream motion sensors toggle for the browser is improved with a per-site toggle for the sensors per site (Vanadium already had the global toggle disabled by default). Our inbuilt content filtering also adds support for additional supplementary language/regional content filters. Users with a set language will get EasyList filters plus the filter of their respective language. This supports Arabic, Bulgarian, Spanish, French, German, Hebrew, Indian, Indonesian, Italian, Korean, Lithuanian, Latvian, Dutch, Nordic, Polish, Portuguese, Romanian, Russian, Vietnamese and Chinese. #GrapheneOS
Final 1 month ago
What this means is that notifications will work for users not wishing to use Play services sandboxed or otherwise. Most Android apps do notifications via FCM, which is Google's, and depends on a Play services implementation. If you ever wonder why app notifications barely work on AOSP distributions without Google services then now you know. By using an app like Sunup (on Accrescent) you can use Mozilla's notification service via UnifiedPush for apps that use UnifiedPush notifications - such as this one. Tell your developers to support notifications without Google.
Final 1 month ago
The regressions with the Terminal app originate from the stock OS, including the VPN issue. The VM data also breaks and data can't be recovered at times. Don't store sensitive data without backups or run anything for production but feel free to try it out. We do improve the Terminal app in a few ways and these fixes are something we need to look into but because it's still an experimental developer option its priority isn't so high. If the stock OS deals with it first then it's less work on our plate. Desktop Mode needs to be first for all the cool stuff to happen. What users see now will likely be very different to what our plans are should we be able to execute them. We don't want to just have a terminal but rather a VM manager capable of running other operating systems and GUI apps. Debian alone isn't desirable for our use case and we'd want a hardened OS like secureblue instead (ARM builds are beta). Virtualization could be extended to GrapheneOS or individual apps too.