Replying to Avatar Final

It can be extraordinarily difficult to backport driver/firmware patches due to dependencies on the new major release. We were only able to backport everything required for the 2025-06-05 security patch level because Android 15 QPR2 is much closer to Android 16 than Android 15.
Avatar
Final 6mo ago

After our Android 16 port was completed yesterday, we started fixing an Android tapjacking vulnerability disclosed last month:

https://taptrap.click

We have a fix implemented and it will be included in our next release, likely with the monthly Android 16 update tomorrow.

This vulnerability was disclosed to Google in October 2024 and Android still hasn't fixed it. Security researchers should report vulnerabilities to #GrapheneOS in addition to Google. This now joins many other fixes for serious vulnerabilities which are exclusive to GrapheneOS.

Reply to this note

Please Login to reply.

Discussion

Avatar
Shawn 6mo ago

If I understand correctly, this will be in Stable?

Avatar
Final 6mo ago

A GrapheneOS Android 16 release SHOULD be in Stable by today. This update with patch will release shortly after then go into stable a while after.

Avatar
Final 6mo ago

We've decided to make another release today with our fix for the Android tapjacking vulnerability because we need to fix a DisplayPort alternate mode regression specific to 8th generation Pixels which doesn't impact 9th generation Pixels.

nostr:nevent1qqs8lqfeudpt8lmvk4shpfpf2sghrrgqplcpwsesjnwge5eu82mwmscpz4mhxue69uhkummnw3ezummcw3ezuer9wchsyg9e3hk5e6h2ypusm09ncv2qq6fqp8f5clueylpgdq66nxm5sxjuygpsgqqqqqqs5q9d92