The July Android Security Bulletin will likely be published today. We obtained early access to the signed partner preview and confirmed no additional patches were required, so we set the 2025-07-01 patch level last month after we backported Pixel 2025-06-05 driver/firmware patches.
Tomorrow will likely be the first monthly update of Android 16 with a new Android Open Source Project and Pixel stock OS release. We won't need to backport Pixel driver/firmware patches since we're on Android 16 and can simply incorporate and ship the monthly update within hours.
It can be extraordinarily difficult to backport driver/firmware patches due to dependencies on the new major release. We were only able to backport everything required for the 2025-06-05 security patch level because Android 15 QPR2 is much closer to Android 16 than Android 15.
After our Android 16 port was completed yesterday, we started fixing an Android tapjacking vulnerability disclosed last month:
We have a fix implemented and it will be included in our next release, likely with the monthly Android 16 update tomorrow.
@GrapheneOS Ping: @lindorferin @minimalblue
Have you considered disclosing vulnerabilities to GrapheneOS in addition to Google?
Unrelated feedback: it would be nice if your Mastodon profiles were listed on https://taptrap.click/#team alongside proprietary services.
@minimalblue @elgregor @GrapheneOS @lindorferin
Also from my side, very nice to see GrapheneOS taking TapTrap seriously. Many thanks for the fix!
@beerphilipp @minimalblue @elgregor @lindorferin We only became aware of the issue a few days ago and needed to finish our high priority port to Android 16 first. It's now dealt with in the straightforward way of disabling the transition animations unless they're between the app's own activities. You can see the change listed here:
https://grapheneos.org/releases#2025070700
We would have fixed it earlier if we had been aware, since from our perspective it's quite serious and far worse than most similar problems.
@beerphilipp @minimalblue @elgregor @lindorferin Here's the fix we implemented:
It wasn't particularly hard to fix with this approach and there are few downsides. It doesn't seem important for apps to be able to have custom animations for transitions to activities which aren't part of themselves. We can switch to a 'better' fix they implement later and drop this if it's no longer useful but we're fine with this.
We know a lot more UI security improvements are needed.
@elgregor @GrapheneOS @lindorferin That's awesome, so glad to see you took the vulnerability seriously and included a fix in GrapheneOS. We will update the TapTrap website accordingly and certainly consider testing GrapheneOS in upcoming research. Also thanks for the unrelated feedback, we're gonna list the profiles there too :)