Final

Digital forensics and security specialist part of the GrapheneOS project.

Posts my own and not endorsed by my employer. AI slop and Nostr DMs ignored.

Matrix: f1nal:grapheneos.org

Public Key

npub1hxx76n82ags8jrduk0p3gqrfyqyaxnrlnynu9p5rt2vmwjq6ts3q4sg75y

NIP-05 Address

[email protected]

Profile Code

nprofile1qqstnr0dfn4w5grepk7t8sc5qp5jqzwnf3lejf7zs6p44xdhfqd9cgspz3mhxue69uhhyetvv9ujuerpd46hxtnfduqs7amnwvaz7tmwdaehgu3wd4hk6qguwaehxw309ahx7um5wghxy6t5vdhkjmn9wgh8xmmrd9skcqgdwaehxw309ahx7uewd3hkcnp494t

Publishing to

relay.damus.io

nostr.mom

nostr.bitcoiner.social

nos.lol

Author Public Key

npub1hxx76n82ags8jrduk0p3gqrfyqyaxnrlnynu9p5rt2vmwjq6ts3q4sg75y

Show more details

Last Notes

2026-03-07 17:24:39 UTC

- reply

McDonalds when they are requiring strict device integrity and OS enforcement they can be 100.00% sure that I like burgers
https://blossom.primal.net/784ae564927621a16743a487ef2fff4407b727e3680e824545691ecbed48abab.jpg

2026-03-07 17:21:52 UTC

The official microG OS project (https://lineage.microg.org) leaked their private keys for logging into their servers and signing releases:
https://github.com/lineageos4microg/l4m-wiki/wiki/December-2025-security-issues
We make our official builds on local machines. Our signing machine's keys aren't ever on any storage unencrypted.
Our roadmap for improving security of verifying updates is based on taking advantage of the reproducible builds. We plan to have multiple official build locations and a configurable signoff verification system in the update clients also usable with third party signoff providers.
We don't have faith in any available commercial HSM products being more secure than keeping keys encrypted at rest on the primary local build machine. Instead, we're planning to develop software for using the secure element on #GrapheneOS phones as an HSM for signing our releases.

2026-03-07 02:19:35 UTC

Proton on the news, again!? So let's bring it back!
#nevent1q…tkkc

2026-03-05 23:29:26 UTC

- reply

No future devices based on current ones looking at as targets appear to be that small. Closest is the Motorola Signature which is 6.8, assuming the next gen successor is the same size as the Signature. The razr ultra is a little slimmer but 7 inches, but folds.

2026-03-05 23:25:35 UTC

- reply

The device / OS pair is certified. It has some requirements that if the OEM follows them they are able to be certified. For example, Google services available, many as privileged components. While we have sandboxed Google Play that is still not sufficient. Some users don't have a play services implementation at all.
So while some OEMs make awfully changed Android releases, ours is left in the dirt there. We don't try for Google certifications.

2026-03-05 23:20:00 UTC

- reply

Imagine it is too late. Will be using the Qualcomm SOC secure element. OpenTitan also isn't built for Android (Titan M2 is based off of this), so there would have to be someone willing to manufacture secure elements and support the Android APIs, etc.
Regardless this article is seriously great news.

2026-03-05 08:40:53 UTC

- reply

I'm far from a bitcoiner... Strongly dislike maxi groupthink. That post is about funds being moved out of bitcoin and into monero. My following list is mostly devs or xmr. Not sure how praising an availability of a service to offload received funds into xmr is giving up ideals... unless the ideal was being bitcoin only or something? I think people can use what they want.
A ton of privacy features for on-chain bitcoin like Silent Payments are just under adopted (most are just users of one wallet that is on a smartphone) that recieving LN and ramping out into Monero is a much more likely outcome. You're likely to get an LN or XMR address to send/receive to a merchant than a SP address today. Hope it changes.
Nostr users are there because it is almost entirely centred around Lightning. The best clients for it are too. Monero oriented clients are often weird forks or too new to recommend anywhere for my taste. I'm pretty strict on keeping away from software that is new or experimental.
I do want to see improvements on more wallets adopting SPs (big fan of Sparrow) and Nostr clients outside of bitcoinery though

2026-03-05 08:08:26 UTC

- reply

Obviously they'd avoid using a different currency to transact as much as possible.

2026-03-05 08:05:06 UTC

- reply

This comment, but I'm mostly talking about recieving funds online. A monero user wouldn't store any funds in Lightning, they simply swap what they recieve into Monero or swap out to make a transaction immediately.
If I had problems with swap services or Spark knowing too much I'd roll funds out to other wallets. This is including both the LN or XMR side. For a long time I off-ramped zaps into other LN wallets or swapped them already.

2026-03-04 21:30:26 UTC

- reply

It gets people to gateway into Monero far easier. A lot of concepts people are familiar with in cryptocurrency spaces do not exist or matter in Monero either due to a different climate or technical differences.
You definitely have to be a more technically inclined and aware person to use XMR (this can also be considered a merit) so I think having swaps to/from assets with greater mini economies greatly decreases the entry barrier.

2026-03-04 21:26:41 UTC

- reply

XMR can be difficult to receive for new users. Having a lightning address to receive funds that can be swapped is significant. Lightning is very popular amongst smaller purchases and online stores. I buy a fair amount of living resources using ZEUS.
I mention Nostr specifically since Nostr is almost entirely oriented around Lightning. Nostr clients oriented around other assets are often lesser maintained and more risky. These clients are a security haunted houses to begin with. Better to have some sort of LN address to receive and then swap for people into that imo.

2026-03-04 21:19:41 UTC

- reply

Yes. Swapping opening up access to a lot of vendors in both teams to make private purchases with one another.
Especially helpful at this current moment since on-chain BTC privacy features like Silent Payments are seldom adopted except for Cake Wallet and partially in Sparrow Wallet. SP to XMR swap far less likely to be than XMR/LNBTC as of right now.

2026-03-04 20:36:08 UTC

Lightning support in Cake Wallet should be huge for XMR nostr users
https://blossom.primal.net/d93fa65cb5fc9f0ed35c9a1371fd3be9273c7693b1912e76072ee6296eaab767.jpg

2026-03-04 20:25:20 UTC

- reply

...you can argue that Windows was already full of sketchy bloatware without the OEMs bundling bullshit too. it's really sad to see what has been going on with Windows in recent times.

2026-03-04 20:22:14 UTC

- reply

If you mean modified as in installed another OS, barely any in this case. They're all non-Google certified operating systems so Play Integrity hardware attestation can force apps not to work on LineageOS, CalyxOS etc.

2026-03-04 20:20:52 UTC

- reply

Thanks!

2026-03-04 20:20:24 UTC

- reply

There's nothing to mitigate in the first place. It has nothing to do with GrapheneOS or smartphones. Every Windows laptop vendor has bundled sketchy bloatware in the past and many still do in the present. Security research targets are encouraged, feel free to find something, anything, in these devices that you think are off. Use a non-Motorola device if you want to choose based on pure vibes or you don't like them for any other reason. If you're an OEM, contact us and work with us.
If you really have to get to the details then Superfish is not installed by the firmware but was bundled operating system software and was trivially discovered. Obviously, there's no such thing that will happen here or GrapheneOS, it would be caught by our (very) vigilant users and I know I put the rep on the line saying that.
>now these assholes control the bootloader, the baseband
The bootloader is a standard littlekernel-based Android bootloader. The baseband is Qualcomm's, part of their SoC. Our device requirements on the site state explicitly radios must be isolated and that sensitive data cannot be accessed at the bootloader (working verified boot, zeroing memory left over from the OS, etc.), we are very conscious about that and received bounties for discovering and patching security deficiencies in bootloaders targeting Pixels that were exploited in the wild.
We'll be having involvement in the driver and firmware side of things. Working to improve their security posture and harden their stock OS and firmware is part of the partnership.

2026-03-03 20:56:10 UTC

New update of #GrapheneOS with this month's full security patch level. With the security preview release, all of the Android 16 security patches from the current March 2026, April 2026, May 2026, June 2026, July 2026 and August 2026 Android Security Bulletins are here too.
#nevent1q…jy3v

2026-03-03 20:47:51 UTC

- reply

What we need more than funding is development resources really. It would be nice to make major improvements to GrapheneOS before devices come out, especially the usability front so we have an even better experience for the tons of new users who would arrive. Motorola could try help us with this (GrapheneOS obviously will remain free and open source).
We are hiring a few new devs for this too.

2026-03-03 07:42:05 UTC

- reply

This is what we will be working towards, yes. If we can get devices to come with GrapheneOS that's a plus.

2026-03-03 06:43:01 UTC

- reply

The upcoming devices' Qualcomm processors have secure elements. They work fine to meet our functionality requirements. Not like Titan M2 in Pixels but still better than most.

2026-03-03 06:40:42 UTC

- reply

As a non-profit we do not take funding with strings attached.
We advise Motorola on what they need for their next devices and in return we can get a device supporting GrapheneOS. We'll be working to also provide lower level hardening for them. They'll also work to introduce some features to their stock OS. We are using partnership to get help with their partner access to see sources to better prepare ourselves for porting to major versions.
We will be working on GrapheneOS for Motorola and it will be the exact same as Pixels in that regard, we distribute updates, etc.
The other contents of the announcements are other, unrelated topics.

2026-03-03 04:52:00 UTC

- reply

You will have devices to install GrapheneOS onto, hopefully we can have a device able to come with GrapheneOS as well. The former is much more important.

2026-03-03 04:50:56 UTC

- reply

You will have devices to install GrapheneOS onto. Hopefully we can have a device able to come with GrapheneOS as well. The former is much more important.

2026-03-02 22:48:32 UTC

- reply

Devices will be worked for 2027. Motorola and us will announce further progressions with the partnership in the future.

2026-03-02 22:40:39 UTC

With Motorola, there will be at least one officially supported flagship device to run GrapheneOS around 2027, but once we have one we should be able to add the other flagship variants too and we will work to broaden our device support where possible.
If you want examples of Motorola devices that have been close to meeting GrapheneOS requirements so far, then the latest Motorola Signature, Motorola razr fold and razr ultra are some. You can expect possible successors to these devices to have support.
Through this partnership we also hope to see some security improvements provided in #GrapheneOS implemented into the Motorola stock operating system. We want OEMs to improve their security practices across the board.
GrapheneOS for Motorola devices, like on Pixels, will be developed by us, with updates distributed by us. You will not be missing any features either.
#nevent1q…wxlv

2026-03-02 19:46:33 UTC

- reply

We are absolutely open to more OEM partners providing they can produce the devices we need. They'd need to be very committed to helping us as we will have our time occupied working with Motorola as well.

2026-03-02 18:02:06 UTC

- reply

The Signature is their leading flagship device outside of their foldables. We were held back from supporting this device because Qualcomm didn't have production memory tagging security features yet. With the next generation processors we have been told they absolutely will.
This could hopefully open up support for more devices down the line too with Qualcomm adopting everything we need now.

2026-03-02 17:57:16 UTC

- reply

Unfortunately GrapheneOS will not be a Google certified operating system. We are still continuing taking actions to try and stop these anticompetitive practices from Google. We also hope additional partnerships with major brands can create pressure to support GrapheneOS.
We hope to work with Motorola to provide some GrapheneOS features to their stock operating system too.

2026-03-02 17:52:29 UTC

- reply

We aim to have officially supported devices by 2027.

2026-03-02 17:50:32 UTC

- reply

Thank you!

2026-03-02 15:33:46 UTC

- reply

Signature is about 3.3XMR on retail right now but everyone knows prices fluctuate and offers come around. Also that device itself is still pretty new with a 7 year update commitment.

2026-03-02 15:33:07 UTC

- reply

It will initially be Motorola's flagship devices but could trickle down to other devices in the future. If you want an idea of their flagships look at the Motorola Signature (2026) and Motorola Razr Fold (2026) for the current generation ones not quite meeting our requirements yet. It will be upcoming devices similar to these.

2026-03-02 15:16:32 UTC

- reply

Completely unrelated but I see it discussed, it was Gold Apollo who were actually the manufacturers of the pagers that exploded in the pager attack. This isn't to shift blame to them since an extremely resourceful and capable agency like Mossad are obviously able to purchase a product in bulk, tamper bombs into them and redistribute without the original manufacturer's awareness. It could really have been any brand, any model.

2026-03-02 15:09:25 UTC

- reply

Because they are talking about pagers, I am assuming this is about Motorola Solutions (the US telecoms and security company) which is an entirely separate company with different owners.
We're working with the subsidiary of Lenovo called Motorola Mobility. Motorola Solutions has no involvement or connection to us or our partnership. They have a shared heritage and name since both were created out of the original Motorola company which were split apart over a decade ago. Think of it like an HMD/Nokia situation where another company is using a famous historic phone brand.
We have not contacted anyone at Motorola Solutions. They don't produce smart phones so I don't think there would be much to discuss anyways.

2026-03-02 12:37:31 UTC

An important announcement from us at the #GrapheneOS project:
#nevent1q…lea5

2026-03-02 11:58:45 UTC

- reply

Yes it is true.
Motorola split apart over a decade ago so there are two major companies with similar branding now. We are working with the Lenovo company who has the historic smartphone brand. It shouldn't be confused with Motorola Solutions, the security and communications equipment manufacturer.

2026-03-02 05:13:20 UTC

- reply

As announced it will be their next-generation smartphone.

2026-03-02 05:03:29 UTC

We are happy to announce a long-term partnership with Motorola. Together, we will collaborate on new future devices that meet our stringent privacy and security standards.
https://motorolanews.com/motorola-three-new-b2b-solutions-at-mwc-2026/
#GrapheneOS

2026-02-27 18:36:23 UTC

- reply

Like WiFi calling, you can also send and receive texts over WiFi if your network provider supports it. This is expected behaviour.
Airplane Mode disables the cellular radio and works as it should, mobile network features outside of the cell network is a separate thing.

2026-02-21 15:07:18 UTC

- reply

They will be announcing it, not us ☝️

2026-02-21 11:11:01 UTC

This March we hope to officially announce our OEM partner whose future devices shall work to support GrapheneOS.

2026-02-14 05:42:28 UTC

Our latest #GrapheneOS release adds a sandboxed Google Play toggle for extending RCS compatibility in Google Messages to the rest of the carriers supporting it by granting ICC authentication access to sandboxed Play services. T-Mobile is the main one requiring it.
https://grapheneos.org/releases#2026021200

2026-02-07 09:09:33 UTC

This update implements cross-SIM calling support (making calls using a SIM via the mobile data provided by another SIM similarly to Wi-Fi calling) and the security preview variant applies security patches previewed for upstream Android in August of 2026!
#nevent1q…fgu8

2026-02-04 19:43:58 UTC

- reply

>What are you currently identifying as Graphene's weak spots?
From a security standpoint, the Linux kernel is a liability. Most patches are upstream Linux kernel security bugs. It's a large attack surface. Android distributions also don't patch the kernel completely unlike us where we push the latest GKI per update. Our Linux hardening work can be made redundant if it was replaced with a something more designed for security like a microkernel.
From a user experience, the default apps aren't great with exception to our own apps like Vanadium, Camera etc. These are AOSP apps. New apps made in Kotlin with the modern Material 3 Expressive UIs are needed. Would also need the same licensing as AOSP does.
>What about the underlying reliance on proprietary hardware?
Always will be a thing for any device you are using. You can't guarantee designs match the product nor are you TSMC making your own processors with billion dollar manufacturing plants. Even the "free" "open" devices the FSF like to promote aren't truly open, they just have entirely proprietary hardware with embedded firmware so they do not allow the user to update in the OS. Linux-Libre blocked alerts for CPU vulns like Meltdown and Spectre (can be exploited remotely) and the distros don't usually deliver microcode to patch that either.
>How do you perceive the future and how can we contribute to funding it?
We are still continuing the partnership with our OEM. We hope to have devices by the next year as their 2026 Qualcomm devices missed deploying ARMv9 security features (iirc, would need to check with another team member). The OEM should make a formal announcement in the not so late future.
A lot of usability and accessibility improvements are on the way, and it would be nice to have better default apps in time for more supported devices in 2027. We are trying to hire devs and want to expand.
Funding wise we still rely on donations, but fortunately we get regular donations and are well resourced. People and talent is important.

2026-02-04 19:04:03 UTC

- reply

BTW Vanadium now uses a JIT interpreter so WASM works without JIT now. Briefly checking your app it appears to work with JIT disabled for me.

2026-02-01 15:57:41 UTC

- reply

Not my npub anymore! But see the Project Account mastodon bridge reply.

2026-02-01 14:43:43 UTC

[email protected]
#nevent1q…gw72

2026-02-01 14:06:19 UTC

- reply

If you were curious, I have been using Minibits ecash for recieving and then offramping to Phoenix Wallet. Phoenix provides an incredibly quick and easy set up. Just works. Hoping to combine both with using ZEUS.

2026-02-01 13:23:30 UTC

Finally working to go all in on using ZEUS.

2026-02-01 02:22:31 UTC

Proud to say my 'Never Went to Black Hat' award is looking very shiny right now.

2026-01-31 22:20:35 UTC

- reply

We have tested running desktop Linux GUI apps before including LibreOffice. It can certainly be a thing in the future.
#nevent1q…gq9j

2026-01-31 18:27:38 UTC

- reply

It's a hardened Signal fork with passphrase encryption for the message database, better notifications on devices without Google Play and support for pairing your messages to multiple devices. If you use Signal I strongly recommend it.
It's available in Accrescent so there is a root of trust between GrapheneOS -> Accrescent -> Molly.

2026-01-31 18:23:21 UTC

- reply

As our original announcement mentioned it is English first. We do plan to support other languages and also internationalisation of GrapheneOS in the future.

2026-01-31 10:44:44 UTC

- reply

also worth mentioning FBE is a big plus compared to Full Disk Encryption (FDE) which was the legacy Android encryption and the encryption desktop OSes like Windows and Linux use. If you have the keys to decrypt the disk then it would be possible to decrypt the unallocated space in FDE since it's all one key, so you'd be relying on TRIM if you are using an SSD to prevent recovery of deleted data.

2026-01-31 10:10:21 UTC

- reply

The video is very old and most Android devices didn't use disk encryption by default, so a physical extraction (image of the entire flash storage) could allow recovering deleted files from carving unallocated space. Nowadays Android uses a "file-based encryption" (FBE) where all data is encrypted with separate derived keys for each file, directory and symbolic link. Deleting the file loses the keys and recovery is impossible.
If you can recover data that is deleted from an app, it means the app is caching it when it shouldn't be and it's a flaw they would need to fix. I don't recall this being an issue with Signal but if you can extract the app data before the message database is rebuilt for deleted messages then you'd be in luck. You could kill an app and prevent it cleaning up it's DB. This is something you can apply to every messenger though.
Getting this data requires as much as a full filesystem extraction (FFS) to extract the application /data directory where the message databases are. Cellebrite has no extraction support for GrapheneOS according to themselves. No specification on what the most they can extract from an unlocked device is, but assume that all forensic tools get this data anyway.
Molly lets you encrypt the message database with a passphrase, so it wouldn't be accessible regardless of if there was a FFS extraction and a flaw in Signal keeping the messages.

2026-01-31 03:54:40 UTC

- reply

It is a well known brand you absolutely will have heard of. The device we will support GrapheneOS will be distributed in many countries.

2026-01-31 03:50:09 UTC

As our fully local text to speech engine is deployed in GrapheneOS soon, this will be the first of hopefully many major usability advancements in GrapheneOS for the year and next. With the OEM partnership developing and later generation flagship hardware providing more of what GrapheneOS needs for features, improving usability and accessibility will help for the influx of new users we will hope to welcome.
It is a good time to remind you that GrapheneOS is hiring remote developers. We have been for a while:
https://grapheneos.org/hiring

2026-01-31 03:24:55 UTC

This is a tablet PC with Cellebrite UFED, a mobile forensics acquisition software. Users plug a target device into it where it then will attempt to extract as much data on the device as possible. The software on the laptop is Physical Analyser which is for forensic analysis.
This video is dated, and Cellebrite UFED's UI, logo and capabilities have changed a lot since the video was released. This tool is also not exclusive to UK law enforcement and there are also competitor solutions, which many countries around the world use plus the competitors.
Cellebrite sell a variant of this product named Cellebrite Premium. The difference to standard UFED and Premium is that Premium comes with wider device extraction support through zero-day exploits. As described it also allows extraction of vulnerable devices that are locked.
https://blossom.primal.net/70c8041bacfdf399f99091a738b2e84f6a8be2f0b9cff4b497fd23ff2a153db9.jpg
https://blossom.primal.net/9b70e3d06fb8614a14b3d0a60d336987797cd6ca1d1815debb31a3ab29daa9bb.jpg
This business model is not exclusive. XRY Pro (MSAB) and GrayKey (Magnet Forensics) are other exclusive forensic tools. Cellebrite are the second-oldest of the three companies (on joining the forensics market) but are one of the most capable thanks to their funding and location.
How and if these tools are able to extract your device's data depends on:
- The device you are using
- The installed OS and version
- The lock state of the device
- Configured security settings of the device
- Strength of your phone's unlock credential
For a locked device exploiting security vulnerabilities is required to extract data almost all of the time. There are two different device lock states on Android and iOS: After first unlock (AFU, Hot) and before first unlock (BFU, Cold). This is due to how encryption works.
Modern Android and iOS encrypt all users' data by default with keys derived from the user's credentials. When a device is unlocked once, data is no longer encrypted at rest and is accessible during that boot session. When a device is BFU, all sensitive data is at rest.
Data not being at rest provides more OS attack surface to exploit bypassing lock screens or other measures and access to the data without needing the original PIN/password to decrypt it. For BFU devices brute forcing is required to decrypt data first and the only data not encrypted is a minimal footprint of the OS used for unlocking the device and global OS configuration and metadata.
To make extraction impossible make sure your device is powered off and you use a secure, high-entropy passphrase before seizure. GrapheneOS provides a configurable, automatic inactivity reboot feature.
We also provide several other countermeasures to these tools as well. GrapheneOS locked devices as a whole is unsupported by Cellebrite.
If you are an opposition activist in a high-risk country you should be concerned about potential attacks from such tools. They have been abused to target activists in numerous countries like Serbia and Jordan.
https://citizenlab.ca/research/from-protest-to-peril-cellebrite-used-against-jordanian-civil-society/
https://www.amnesty.org/en/latest/news/2024/12/serbia-authorities-using-spyware-and-cellebrite-forensic-extraction-tools-to-hack-journalists-and-activists/
Despite if a business claims this use of their product like this is unauthorised, it doesn't change the fact that they will be used like this again, that they don't know about it until after it has violated someone's rights and that the security vulnerabilities remain unpatched.
GrapheneOS provides an auto-reboot to put data at rest, a USB-C port control to disable data transfer or the port entirely when booted into the OS, clearing sensitive data of memory and exploit protection features.
#nevent1q…u038

2026-01-31 03:14:54 UTC

- reply

The post says: We've built our own text-to-speech system with an initial English language model we trained ourselves with fully open source data. It will be added to our App Store soon and then included in GrapheneOS as a default enabled TTS backend once some more improvements are made to it.
We're going to build our own speech-to-text implementation to go along with this too. We're starting with an English model for both but we can add other languages which have high quality training data available. English and Mandarin have by far the most training data available.
Existing implementations of text-to-speech and speech-to-text didn't meet our functionality or usability requirements. We want at least very high quality, low latency and robust implementations of both for English included in the OS. It will help make GrapheneOS more accessible.
Our full time developer working on this already built their own Transcribro app for on-device speech-to-text available in the Accrescent app store. For GrapheneOS itself, we want actual open source implementations of these features rather than OpenAI's phony open source though.
Whisper is actually closed source. Open weights is another way of saying permissively licensed closed source. Our implementation of both text-to-speech and speech-to-text will be actual open source which means people can actually fork it and add/change/remove training data, etc.

2026-01-30 21:39:54 UTC

You may have been aware of my posts about TTS / SST. Heres more info:
#nevent1q…30n0

2026-01-29 17:49:22 UTC

- reply

This tool requires physical access. The officially described purpose of it is for digital forensics of seized evidence so how the device is handled is a big deal to them. You plug the device into the tablet or workstation and it will extract the device's data if unlocked or brute force / exploit the device to access data and extract if locked.

2026-01-25 14:23:50 UTC

Seeing Proton get heat on social media for their marketing again so lets repost this. Treat these email services for what they are: Alternatives to Gmail or Outlook with a security perspective and automated encryption features.
Yes, people on social media can't read, but IMO they should approach their service in a different way ("A reasonably secure email provider" is my suggestion) If they don't want people ratioing them all the time... Most of these people getting the wrong answer is because their site can be pretty ambiguous about the technical details without searching a few pages deep for it. Posteo is an email provider that does openly clarify they can be compelled to intercept incoming emails in a better way than how Proton says it.
Still doesn't mean these services are a bad thing though.
#nevent1q…ltja

2026-01-24 20:18:27 UTC

- reply

2027

2026-01-23 19:05:33 UTC

- reply

TLDR: Use a secure passphrase if you want the device protected against any resourceful actor
When most distros provide encryption with LUKS they at least ask you to set up a credential. Almost all distros just ask for a password. They don't seamlessly allow setting up in other ways in a UI like BitLocker does or in the installer. You often need to read up on docs and such which can be tiresome.
LUKS full disk encryption in how most users would know it would only be safe if they used a long, secure passphrase that would be impossible to brute force. A short 6 digit numeric PIN works for some phones because a secure element throttles unlock attempts but would be brute forced very quickly on LUKS, VeraCrypt and so on because they aren't using a TPM for throttling.
Secureblue (hardened Linux distro we like) supports LUKS with TPM and also FIDO2.

2026-01-23 13:22:38 UTC

- reply

There is also a way bigger flaw beyond this, and that is this Device Encryption feature (and by extension BitLocker) has **no PIN or password**. The device will just decrypt itself by powering on as it only uses the PC's TPM. The only threat this kind of protects against is the hard disk being removed from the PC. It doesn't prevent someone exploiting the OS to extract data like you commonly see in mobile device forensic tools...
This request for the recovery key is just to allow law enforcement to access the data while the hard disk is removed from the seized PC, because they insert hard disks into write blocked imaging kits to create a forensic clone of it's data to analyse with.
Back before TPMs were widely embedded into CPU firmware it wasn't common to see them get sniffed to get the keys. Anyone could do it too:
https://pulsesecurity.co.nz/articles/TPM-sniffing
BitLocker has a TPM+PIN, TPM+Key and TPM+PIN+Key pre-boot authentication setting but you need to tinker on Group Policy to do that. You'd also need to enable other policies to make the PIN an alphanumeric password...

2026-01-22 22:18:11 UTC

Late to post about this but the security preview variant of this release fixes SIX **CRITICIAL** CVEs that will not be fixed elsewhere for a while except in #GrapheneOS because security patches are not included into an Android Security Bulletin until around 3-4 months after their release.
- Critical: CVE-2026-0039, CVE-2026-0040, CVE-2026-0041, CVE-2026-0042, CVE-2026-0043, CVE-2026-0044
OEMs do not deliver security patches in a timely manner. In a rare case it is sometimes only done in part, and often will only do so after the ASB is released. That dangerously long period of security vulnerabilities being known and unlatched is unacceptable.
#nevent1q…xnza

2026-01-21 13:24:52 UTC

Last two Vanadium updates provided some functionality improvements:
The upstream motion sensors toggle for the browser is improved with a per-site toggle for the sensors per site (Vanadium already had the global toggle disabled by default).
Our inbuilt content filtering also adds support for additional supplementary language/regional content filters. Users with a set language will get EasyList filters plus the filter of their respective language. This supports Arabic, Bulgarian, Spanish, French, German, Hebrew, Indian, Indonesian, Italian, Korean, Lithuanian, Latvian, Dutch, Nordic, Polish, Portuguese, Romanian, Russian, Vietnamese and Chinese. #GrapheneOS
#nevent1q…l35a

2026-01-18 15:02:05 UTC

- reply

This is known. It's a developer option and far from stable for daily usage. It will be looked at more once upstream improves it as well, unless we get the resources.

2026-01-18 15:01:15 UTC

- reply

It won't exactly be like Qubes but there will be a few improvements Qubes doesn't have i.e. verified boot, MTE and (if we are able to) run more secure operating systems out of the box. Would need to see how running multiple VMs is like first...
Unlike Qubes which defaults to Fedora and Whonix (which is just Debian, tons of OS hardening work was undone there) we would want to support hardened distros as soon as it becomes feasible for us. Changing Debian for Fedora is the first jump but want to go further with something like secureblue. The security of the guest OSes in the VMs also matter and if I had to name one shortcoming of Qubes this would be it.
They can't port secureblue to Qubes because it only supports Wayland which Qubes doesn't support yet.

2026-01-16 03:03:43 UTC

- reply

https://projectzero.google/2026/01/pixel-0-click-part-3.html
>We also discovered that kASLR is not effective on Pixel devices, due to a problem that has been known since 2016
KASLR works properly on GrapheneOS right now, unlike arm64 Linux elsewhere.
We fixed the issue of the physical address mapping not being randomized on arm64 Linux for GrapheneOS a while ago. The overall region is in a random location again including the kernel memory inside of it.
>Apple also recently implemented MIE, a hardware-based memory-protection technology similar to Memory Tagging (MTE), on new devices.
MIE is MTE. It is ARM FEAT_MTE4. It's Apples branding for MTE with a hardened allocator. Apple stepped forward in supporting MTE by default unlike stock Pixels.
>While MIE would not prevent the Dolby UDC vulnerability from being exploited in the absence of -fbounds-safety due to UDC using a custom allocator, it would probabilistically hinder an iOS kernel vulnerability similar to the BigWave driver bug from being exploitable. [...] Pixel 8 onwards shipped with MTE, but unfortunately, the feature has not been enabled except for users who opt into Advanced Protection mode, to the detriment of Pixel’s other users.
I don't think I need to mention which OS enables MTE by default for majority of the OS components and toggleable for user installed apps, unlike the stock OS.

2026-01-16 02:50:11 UTC

- reply

Fantastic work from Project Zero as always.
Thanks to security preview release channels these were patched in GrapheneOS before anywhere else. Considering memory corruption is involved and it was predominantly centered around Google Messages first, there would need to be a substantial effort to design an exploit chain around GrapheneOS if it was even possible. See what we said about it in November:
#nevent1q…rlzn

2026-01-15 05:03:30 UTC

- reply

You also have NextPush for Nextcloud too if Mozilla isn't your thing. Choices are pretty limited without hosting your own UnifiedPush infra unfortunately.
It is planned to work on having less features depend on sandboxed Google Play to reduce the need of people installing it for apps to work. We already do these efforts for apps like Google Messages and Pixel Camera.

2026-01-15 04:57:55 UTC

What this means that notifications will work for users not wishing to use play services sandboxed or otherwise.
Most android apps do notifications via FCM, which is Google's, and depends on a Play services implementation. If you ever wonder why app notifications barely work on AOSP distributions without Google services then now you know.
By using an app like Sunup (on Accrescent) you can use Mozilla's notification service via UnifiedPush for apps that use UnifiedPush notifications - such as this one.
Tell your developers to support notifications without Google.
#nevent1q…h0l3

2026-01-15 01:49:09 UTC

- reply

AOSP is working on implementing a Desktop Mode where you can connect your device to a monitor, keyboard and mouse and use a desktop environment where apps are windowed.
You can see some examples of it in GrapheneOS here:
#nevent1q…llnh

2026-01-15 01:45:18 UTC

- reply

The regressions with the Terminal app originate from the stock OS, including the VPN issue. The VM data also breaks and data can't be recovered at times. Don't store sensitive data without backups or run anything for production but feel free to try it out.
We do improve the Terminal app in a few ways and these fixes is something we need to look into but because it's still an experimental developer option it's priority isn't so high. If the stock OS deals with it first then it's less work on our plate. Desktop Mode needs to be first for all the cool stuff to happen.
What users see now will likely be very different to what our plans are should we be able to execute them. We don't want to just have a terminal but rather a VM manager capable of running other operating systems and GUI apps. Debian alone isn't desirable for our use case and we'd want a hardened OS like secureblue instead (ARM builds is beta). Virtualization could be extended to GrapheneOS or individual apps too.

2026-01-11 22:22:15 UTC

- reply

A hardened malloc notification would mean the application has a memory bug the exploit feature is detecting and forcibly crashes. Worth sending them the crash log.

2026-01-10 00:34:12 UTC

#GrapheneOS version 2026010800 released.
• raise declared patch level to 2026-01-05 which has been provided since we moved to Android 16 QPR2 in December due to Pixels shipping CVE-2025-54957 in December
• re-enable the system keyboard at boot if it's disabled
• switch to the system keyboard when device boots to the Safe Mode
• add "Reboot to Safe Mode" power menu button in Before First Unlock state to make Safe Mode much more discoverable for working around app issues such as a broken third party keyboard
• add workaround for upstream UsageStatsDatabase OOM system_server crash
• add workaround for upstream WindowContext.finalize() system_server crash
• disable buggy upstream disable_frozen_process_wakelocks feature causing system_server crashes for some users
• Sandboxed Google Play compatibility layer: fix phenotype flags not working in Play services clients
• Sandboxed Google Play compatibility layer: add MEDIA_CONTENT_CONTROL as a requested permission for Android Auto as part of our toggles for it to avoid needing to grant the far more invasive notification access permission
• Sandboxed Google Play compatibility layer: extend opt-in Android Auto Bluetooth support to allow A2dpService.setConnectionPolicy() to fix Bluetooth functionality (previously worked around with a GmsCompatConfig update avoiding a crash)
• switch to new upstream PackageInstallerUI implementation added in Android 16 QPR2 and port our changes to it
• update SQLite to 3.50.6 LTS release
• add an extra layer of USB port protection on 10th gen Pixels based on upstream functionality to replace our USB gadget control which was causing compatibility issues with the Pixel 10 USB drivers
• allow SystemUI to access NFC service on 10th gen Pixels to fix the NFC quick tile • disable the upstream Android USB data protection feature since it conflicts with our more advanced approach and causes issues
• issue CHARGING_ONLY_IMMEDIATE port control command in more cases
• fix an issue in our infrastructure for spoofing permission self-checks breaking automatically reading SMS one-time codes for certain apps
• add workaround for upstream KeySetManagerService system_server crash causing a user to be stuck on an old OS version due to it causing a boot failure when booting a the new OS version after updating
• wipe DPM partition on 10th gen Pixels as part of installation as we do on earlier Pixels since it's always meant to be zeroed on production devices
• Settings: disable indexing of the unsupported "Parental controls" setting which is not currently available in AOSP
• Settings: disable redundant indexing of widgets on lockscreen contents which is already indexed another way
• skip all pseudo kernel crash reports caused by device reboot to avoid various false positive crash reports
• Vanadium: update to version 143.0.7499.192.0
All of the Android 16 security patches from the current January 2026, February 2026, March 2026, April 2026, May 2026 and June 2026 Android Security Bulletins are included in the 2026010801 security preview release. List of additional fixed CVEs:
• High: CVE-2025-32348, CVE-2025-48561, CVE-2025-48615, CVE-2025-48630, CVE-2025-48641, CVE-2025-48642, CVE-2025-48644, CVE-2025-48645, CVE-2025-48646, CVE-2025-48649, CVE-2025-48652, CVE-2025-48653, CVE-2026-0014, CVE-2026-0015, CVE-2026-0016, CVE-2026-0017, CVE-2026-0018, CVE-2026-0020, CVE-2026-0021, CVE-2026-0022, CVE-2026-0023, CVE-2026-0024, CVE-2026-0025
https://grapheneos.org/releases#2026010800

2026-01-06 20:21:38 UTC

- reply

Nitrokey is a cyber security company. They are just a third party that sell GrapheneOS devices, not related.

2026-01-05 04:02:02 UTC

- reply

update for nostr clients without edits: 'unlocked' changed to 'locked'

2026-01-05 03:56:18 UTC

- reply

Most of what makes GrapheneOS secure is set up by default. Many of the features are simply additions for people with greater needs and are described on the site page.
Advanced Data Protection is related to iCloud, not the iPhone device or iOS. If you aren't storing data on iCloud it is mostly irrelevant but still useful to enable. Keep in mind your iCloud emails are not encrypted with ADP too. iCloud data is also not all Apple Account data.
Some countries have also blocked ADP, including the United Kingdom.
GrapheneOS doesn't have a cloud service like that, so it is moot. A new GrapheneOS device only connects to update servers (to deliver device updates), a network time service and a blank connectivity check page for captive portals, most of which are configurable.
A better and fairer comparison would be Lockdown Mode, which is a feature in iOS that lightly hardens the OS against exploits. Most of what iOS does in Lockdown Mode is also what GrapheneOS does but better:
- Lockdown Mode disables JS JIT (Just in Time compilation) for web browsing. Vanadium in GrapheneOS does too.
- Lockdown Mode prevents wired USB connections when locked, GrapheneOS does and also via hardware, including turning the USB port off in OS mode.
- FaceTime and iMessage improvements are moot as GrapheneOS doesn't bundle a messaging service. This would be dependent on the service you used. Most messaging apps give options to block unknown contacts, link previews and more.
Most iPhones are also behind on exploit protections except for the iPhone 17 and later which introduced memory tagging (which they affectionately call Memory Integrity Enforcement). Pixel 8 and later provided memory tagging for GrapheneOS years prior. iPhone 17 with Lockdown Mode and ADP is the best choice for anyone not willing to use GrapheneOS.
A great real world example of the security difference is capabilities provided by Cellebrite, a digital forensics company that leverages zero-days to extract data from devices.
Cellebrite can extract data from most unlocked iPhones and stock OS Pixels, but they can't touch Pixel 6 and later with GrapheneOS right now.
https://blossom.primal.net/6fe6ce43b109d25f92c39bcac12aa1d870a13c65fa2b26b28dcb9038e4c6fb87.png
(Note, this iOS extraction slide is old and has newer devices / OS version support by now)
https://arstechnica.com/gadgets/2025/10/leaker-reveals-which-pixels-are-vulnerable-to-cellebrite-phone-hacking/

2026-01-04 17:35:36 UTC

- reply

We don't really have an opinion on it, it's designed for GrapheneOS users so it should work. I've not heard of any reported issues myself.
In the future profiles may have their own localhost network access isolated with a toggle, which would stop it working if you enabled it, but this is a minor thing and not really being looked at as a priority.
Private Spaces (a secondary profile in the same environment as the current user) can let you share files between them via share dialogs without needing an app.

2026-01-04 11:44:14 UTC

- reply

true! the VPS is out for now. I'll put up again later when I have less on my plate and a post there.

2026-01-03 18:28:15 UTC

- reply

This is a keyboard for any phone, not a phone. We can't support the communicator device.

2026-01-03 18:20:52 UTC

Would be cool to use with #GrapheneOS.
You are free to use their portable wireless charger with keyboard or even their Pixel 9 phone case. I recommend the former because you can still use it with USB disabled.
https://clicks.tech/en/powerkeyboard

2026-01-02 21:47:07 UTC

- reply

Google is a megacorp motivated by profit. Their only real aim is making money. They get the best products because big money to spend equals big talent to buy. Many of their technical people have expressed how they like GrapheneOS, but their business side do not really care. We did not have any special partner access because of this until an OEM we are working with came around to do it by proxy.
The GrapheneOS Foundation is a thing. If a wealthy individual wants to donate they can send the money there. There won't be strings attached though and they shouldn't send anything expecting treatment beyond our thanks.

2026-01-01 17:11:25 UTC

Happy new year everyone!
In 2025 GrapheneOS implemented:
- A network location provider for highly reliable location position without using Google's service and a geocoding service.
- Support for Android 16, QPR1 and QPR2 after Google's removal of device support and releases for all current Pixel devices.
- Heavily improved our automated porting tooling and server infrastructure.
- Our first security preview releases allowing users to recieve embargoed security patches for Critical/High CVEs a few months before stock Android.
- Closed out some VPN leaks from Android.
- Enabling experimental support for the developer option Terminal virtual machine manager app and other features like GUI support.
- Several improvements to Private Spaces, including use in secondary users, ending session for them, and installing available apps.
- Established a ASN for GrapheneOS and a highly reliable and widespread global network for GrapheneOS services.
This year should have some significant improvements with GrapheneOS, especially on the usage and accessibility front. There is also a lot of future Android features that will be key in delivering this, such as a fully working Desktop Mode. May this year wish us well.

2025-12-31 11:23:24 UTC

- reply

It's license is incompatible to embed into GrapheneOS. FUTO apps like Keyboard is not open source in the traditional sense but rather source available under a restrictive licensing that disallows commercial usage or removing any future monetization.

2025-12-30 22:40:51 UTC

Needs to be greater support for tablets by Android devs. UIs designed for the big screen also help with Desktop Mode.

2025-12-30 00:09:31 UTC

- reply

I'd rather people not use GrapheneOS just because a guy on Nostr told them. I just post about GrapheneOS for the users.
If you want reasons, go to the website and see if it fits you. If your iPhone is fine enough, no problem.
https://GrapheneOS.org

2025-12-30 00:05:00 UTC

This is either a very hot or a very reasoned take and I am quoting my previous note for being potentially related but I'm not a fan of software choices being grouped together or categorised for certain types of people.
If you are using something only because a forum or a thread on social media told you to, then you are more of a sheep than the people using the platforms you are moving away from are. The latter are at least doing it out of a personal preference, not out of being alternative or contrarian. You don't need to be hardcore and use something that sticks to a specific social group.
Don't ask what the best of something is, ask WHY it is. Learn about the subject and see critically and you'll always find what the best project is for you. Don't walk in other people's shoes.
Research skills is everything. Read more. I think I read too little.
I once read a post off platform a while ago about how someone felt wrong leaving GrapheneOS to use something else because of (very justifiable) personal reasons to support their needs. The fact someone would feel really ashamed and negative that they aren't meeting some imposed values from some social group (over a software choice) is not okay. You can use and build what you want. This isn't purity testing. It comes across as a deeply toxic relationship between users.
#nevent1q…q8fg

2025-12-28 04:23:45 UTC

- reply

Would be an engine for now. It can be used in TalkBack, the GrapheneOS TTS accessibility feature.

2025-12-27 18:52:06 UTC

- reply

GrapheneOS wasn't created by Google. It's an open source project with full time developers in different countries.

2025-12-27 17:15:38 UTC

- reply

We are looking at replacing/forking existing inbuilt AOSP apps, keep in mind licensing makes many existing good choices incompatible.
A great gallery app that fits GrapheneOS is this one:
https://github.com/IacobIonut01/Gallery/releases
Recommend giving it a try.

2025-12-27 01:34:36 UTC

We're developing our own implementations of text-to-speech and speech-to-text to use in #GrapheneOS which are entirely open source and avoid using so-called 'open' models without the training data available. Instead, we're making a truly open source implementation of both where all of the data used for it is open source. If you don't want to use our app for local text-to-speech and speech-to-text then you don't need to use it. Many people need this and want a better option.
We are working on TTS first then SST. The TTS training data is LJ Speech https://keithito.com/LJ-Speech-Dataset/ and the model used is our own fork of Matcha-TTS.
If people want they can fork it and add/remove/change the training data in any way they see fit. It's nothing like the so-called "open" models from OpenAI, Facebook, etc. where the only thing that's open are the neural network weights after training with no way to know what they used to train it and no way to reproduce that.
Many blind users asked us to include one of the existing open source TTS apps so they could use it to obtain a better app. None of the available open source apps meets our requirements for reasonable licensing, privacy, security or functionality. Therefore, we've developed our own text-to-speech which will be shipping soon, likely in January. We'll also be providing our own speech-to-text. We're using neural networks for both which we're making ourselves.

2025-12-26 00:20:23 UTC

Merry Christmas

2025-12-24 01:36:00 UTC

update: I'm an idiot and that is meant to be a Star of David not a pentagram (why the fuck is it red?)
#nevent1q…syxd

2025-12-24 01:33:16 UTC

- reply

The red color threw me off to be honest. I admit I am not cultured enough to tell the difference from first look.

2025-12-24 00:26:07 UTC

(at the satanist conference) Alright guys we made the mobile operating system now all we need to do is set up THE CLUES
https://blossom.primal.net/59d1cd0ad65ef96e7c56775f8e787a3e66df2658e8b47557218c5458fd3b91f2.jpg

2025-12-18 03:13:33 UTC

#GrapheneOS is very distinct from other Android distributions and OEM configurations. There is a litany of Linux kernel and Android Runtime hardening changes and features powering GrapheneOS. This is very significant but often overlooked because most changes aren't visible to the end user.
The leading example of this is hardened_malloc, the hardened memory allocator used in GrapheneOS to protect against memory corruption vulnerabilities. You can find a technical article about it by Synacktiv, a French cyber security company:
https://www.synacktiv.com/en/publications/exploring-grapheneos-secure-allocator-hardened-malloc
Hardening in GrapheneOS are built on closing out commonly exploited attack surfaces, substituting them with more secure replacements, or giving them stronger security defaults.
If you are a blue teamer you'll already be familiar with the Pyramid of Pain:
https://blossom.primal.net/dd1714a0c2aa6daa03915a3c80ac805e22250a73783db4af223c3f3b9d3e08ba.jpg
For newcomers, this model is a layered pyramid that ranks indicators of compromise by a linear level of difficulty and cost for the threat actor to evade security measures to perform an attack; The bottom of the pyramid being very easy and trivial for the threat actor to change and the top being tough.
This model opens newcomers on how good security strategy is built: Techniques and capabilities over individual actors. Closing out tactics, techniques and procedures are far more important than blocking an IP address or a file hash. You want to protect against a type of attack, not against a particular actor who performs them.
The point of having extensive hardening features is that we need to ensure vulnerabilities that would affect Android are benign, harder to exploit or patched in GrapheneOS before they can be exploited. Android distributions carry the weight of vulnerabilities from upstream. To reduce that weight, we need to make sure a highly sophisticated exploit developer would have to uniquely design their exploit to target GrapheneOS, should they be able to at all.
Without that, GrapheneOS wouldn't be special. It would not be sensible to claim it is more security and privacy focused than Android if it was able to be exploited through the exact same mechanisms with little or no effort needed to port. An Android distribution that is just Android without Google services is mostly as exploitable as Android. Something that is "DeGoogled" (I don't use the term, it's Reddit tier buzzword nonsense) may not necessarily be safer to use either.
To earn the title of being hardened it needs more, but this isn't ever implemented well enough. Projects that have done so to the best of their ability also have died (DivestOS).
Our hardening features are available outside of GrapheneOS. Leading example of this is secureblue, a security hardened Linux distribution (https://secureblue.dev/) which is using hardened_malloc and Vanadium inspired chromium browser. A business also sells hardened Rocky Linux supporting hardened_malloc. If you are a maintainer of a leading project then implementing our hardening features and supporting is strongly encouraged.