ANDROID 14 SITUATIONAL UPDATE:
Stable release of Android 14 is expected to be released in early October. We've spent months preparing for it and we've completed a lot of porting in advance. This has been much more difficult than it should be since we have to rely on unofficial access to pre-launch sources.
Stable releases of Android are open source. Pixel stock OS source tree matches the AOSP source tree with additional private repositories added for the Google/Pixel components/overlays. Beta releases and the development branches are mostly internal. Most isn't done in AOSP main.
The Android security team wanted to collaborate with us and gave us security partner access. We hoped this would lead to us getting full partner access so that we could port to new major releases much earlier with the ability to build and test nearly all of the port in advance.
The engineering side appreciates our work and multiple prominent people have tried to get full partner access for the GrapheneOS Foundation. Android's business side had our security partner access revoked and blocked progress. We've decided to stop making upstream contributions.
Many of the privacy and security features we're built could be included in Android. It was always difficult to contribute without partner access, but we put in significant effort and achieved some positive results. We also reported a lot of firmware and software vulnerabilities.
Not having partner access makes quickly porting to major releases into an ordeal, but we still have to do it for security reasons. We only managed to have it done within around a week of launch of Android 13 and past releases via superhuman amounts of work hours and productivity.
Our policy for upstream Android vulnerabilities we discover has become fixing them downstream ASAP with a clear explanation in our release notes for the release including them. Filing a report upstream hasn't been part of our process for a while due to their related decisions.
We've deferred shipping most of our newly developed features until after Android 14 including duress PIN/password and several new per-app toggles for enabling additional security features we already had implemented but couldn't enable globally due to some apps being incompatible.
Metr0pl3x / MetropleX [GrapheneOS] ⚡🟣
npub1gd…7cn8c
2023-09-29 12:23:53
Author Public Key
npub1gd3h5vg6zhcuy5a46crh32m4gjkx8xugu95wwgj2jqx55sfgxxpst7cn8cPublished at
2023-09-29 12:23:53Event JSON
{
"id": "932bdb539e482e79599076ec840ced200cb0754e56f7c8aae2a9faa7e33bab28",
"pubkey": "43637a311a15f1c253b5d60778ab7544ac639b88e168e7224a900d4a41283183",
"created_at": 1695990233,
"kind": 1,
"tags": [],
"content": "ANDROID 14 SITUATIONAL UPDATE:\n\nStable release of Android 14 is expected to be released in early October. We've spent months preparing for it and we've completed a lot of porting in advance. This has been much more difficult than it should be since we have to rely on unofficial access to pre-launch sources.\n\nStable releases of Android are open source. Pixel stock OS source tree matches the AOSP source tree with additional private repositories added for the Google/Pixel components/overlays. Beta releases and the development branches are mostly internal. Most isn't done in AOSP main.\n\nThe Android security team wanted to collaborate with us and gave us security partner access. We hoped this would lead to us getting full partner access so that we could port to new major releases much earlier with the ability to build and test nearly all of the port in advance.\n\nThe engineering side appreciates our work and multiple prominent people have tried to get full partner access for the GrapheneOS Foundation. Android's business side had our security partner access revoked and blocked progress. We've decided to stop making upstream contributions.\n\nMany of the privacy and security features we're built could be included in Android. It was always difficult to contribute without partner access, but we put in significant effort and achieved some positive results. We also reported a lot of firmware and software vulnerabilities.\n\nNot having partner access makes quickly porting to major releases into an ordeal, but we still have to do it for security reasons. We only managed to have it done within around a week of launch of Android 13 and past releases via superhuman amounts of work hours and productivity.\n\nOur policy for upstream Android vulnerabilities we discover has become fixing them downstream ASAP with a clear explanation in our release notes for the release including them. Filing a report upstream hasn't been part of our process for a while due to their related decisions.\n\nWe've deferred shipping most of our newly developed features until after Android 14 including duress PIN/password and several new per-app toggles for enabling additional security features we already had implemented but couldn't enable globally due to some apps being incompatible.",
"sig": "fcec8c54237fd3914cac062b6df73de79d7a643726252086ad9f317c0c9233cf95e0505aaf23dec2c533b610bb774b17d4187853d52f887b347e7fdcbf24baad"
}