Skip to content

75
Compare
Choose a tag to compare
@thestinger thestinger released this 08 Oct 13:24
· 80 commits to main since this release
75
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
SSH Key Fingerprint: AhgHif0mei+9aNyKLfMZBh2yptHdw/aN7Tlh/j2eFwM Learn about vigilant mode.
033fc19

Notable changes in version 75:

  • reschedule remote verification after OS updates to get the updated information submitted as soon as possible
  • update SDK to 34 (Android 14)
  • update target API level to 34 (Android 14)
  • add low-level ACCESS_NETWORK_STATE permission required by API 34 to schedule jobs depending on network availability
  • reduce network timeouts to 30s from 60s
  • update CameraX library to 1.3.0-rc02
  • update AndroidX Preference library to 1.2.1
  • update Material library to 1.10.0
  • update Guava library to 32.1.2
  • update Bouncy Castle library to 1.76
  • update ZXing library to 3.5.2
  • update Kotlin to 1.9.10
  • update Gradle to 8.3
  • update Android Gradle plugin to 8.1.1
  • update Android build tools to 34.0.0
  • replace deprecated onBackPressed() callback
  • remove workarounds for fixed SDK and library issues

A full list of changes from the previous release (version 74) is available through the Git commit log between the releases.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.

This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS app repository and on GitHub. These releases are also bundled as part of GrapheneOS. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Alpha channel channel for both the Play Store and our app repository, then get moved to the Beta channel and finally the Stable channel.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

Assets 2
Loading