#GrapheneOS: Our users have found additional Android 14 QPR2 Bluetooth memory corruption bugs which so far appear to be specific to pairing recent Galaxy Watch devices with GrapheneOS. We're working on finding and fixing this as we did with the BLE audio bugs.

The Android 14 QPR2 Bluetooth LE audio bugs we found were fixed in the March 9th release of GrapheneOS: https://grapheneos.org/releases#2024030900.

We also reported it as an #Android vulnerability on the same day, and it has been initially triaged by them as a High severity and High quality report.

Users on the stock OS are experiencing Bluetooth regressions with Android 14 QPR2 too. These latent and often exploitable bugs breaking functionality for certain users in certain situations often get turned into reliable crashes/breakage due to our memory corruption protections.

The downside is that more of our users get impacted by the issues and they tend to break a specific niche feature completely such as whatever is being used by the Galaxy Watch. On the stock OS, it breaks for some users and may break in a subtle way such as corrupting other data.

The upside is our users are protected against exploitation through these bugs and many others. Since the issues stop being subtle and turn into reliable breakage, it also forces us to look into what's wrong and we often figure out how to fix it completely as we did for BLE audio.

The end result is that GrapheneOS users end up with an OS that's not just more secure but has additional bug fixes since our exploit protections force us to fix these issues right after they're introduced instead of remaining dormant breaking things for some users for months.

#security #privacy
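The effect the post describes, the same latent off-by-one behaving differently under two allocator layouts, as an added illustration. This is not GrapheneOS code and not a model of hardened_malloc's actual design: it is a toy arena with a fixed (assumed) canary value, written only to show why a bug that silently corrupts a neighbouring allocation on one layout becomes a deterministic abort on the other.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy model of two allocator layouts (an illustration, not GrapheneOS's
 * hardened_malloc): chunks packed back to back versus chunks each followed
 * by a canary that is verified when the chunk is freed. */
#define CHUNK_SIZE   8
#define CANARY_SIZE  8
#define ARENA_SIZE   64

enum layout { LAYOUT_PLAIN, LAYOUT_CANARY };
enum outcome {
    OUTCOME_OK = 0,                 /* the buggy write stayed in bounds */
    OUTCOME_SILENT_CORRUPTION = 1,  /* neighbour's data changed, nobody noticed */
    OUTCOME_DETECTED_ABORT = 2      /* allocator caught it on free */
};

/* Assumed fixed canary value for the demo; a real allocator randomises it. */
static const uint8_t CANARY[CANARY_SIZE] = {0xC0, 0xDE, 0xCA, 0xFE, 0xDE, 0xAD, 0xBE, 0xEF};

/* Arena standing in for the heap, so the overflow below stays inside one
 * object and the demonstration is well-defined C rather than real heap UB. */
struct arena {
    uint8_t mem[ARENA_SIZE];
    size_t stride;   /* distance between consecutive chunks */
    int canaries;    /* nonzero when each chunk is followed by a canary */
};

static void arena_init(struct arena *a, enum layout l) {
    memset(a->mem, 0, sizeof a->mem);
    a->canaries = (l == LAYOUT_CANARY);
    a->stride = CHUNK_SIZE + (a->canaries ? CANARY_SIZE : 0);
}

/* "Allocate" chunk i: return its start and lay down its canary if enabled. */
static uint8_t *arena_alloc(struct arena *a, size_t i) {
    uint8_t *p = a->mem + i * a->stride;
    if (a->canaries)
        memcpy(p + CHUNK_SIZE, CANARY, CANARY_SIZE);
    return p;
}

/* "Free" chunk: 0 if the canary is intact (or absent), -1 if it was clobbered. */
static int arena_free(struct arena *a, uint8_t *p) {
    if (a->canaries && memcmp(p + CHUNK_SIZE, CANARY, CANARY_SIZE) != 0)
        return -1;
    return 0;
}

/* Run the same buggy write of write_len bytes into an 8-byte chunk under
 * the given layout and report what an observer would see afterwards. */
enum outcome simulate_overflow(enum layout l, size_t write_len) {
    struct arena a;
    arena_init(&a, l);

    uint8_t *victim   = arena_alloc(&a, 0);   /* buffer with the bug */
    uint8_t *neighbor = arena_alloc(&a, 1);   /* unrelated live data */
    memset(neighbor, 0x42, CHUNK_SIZE);

    /* The latent bug: a length computed one or more bytes too large. */
    if (write_len > ARENA_SIZE)
        write_len = ARENA_SIZE;               /* stay inside the arena */
    memset(victim, 0x41, write_len);

    /* Hardened layout: the canary absorbs the first stray bytes and free()
     * turns the bug into a reliable, immediate abort. */
    if (arena_free(&a, victim) != 0)
        return OUTCOME_DETECTED_ABORT;

    /* Plain layout: nothing aborts; the neighbour just quietly holds wrong data. */
    for (size_t i = 0; i < CHUNK_SIZE; i++)
        if (neighbor[i] != 0x42)
            return OUTCOME_SILENT_CORRUPTION;
    return OUTCOME_OK;
}

int main(void) {
    static const char *names[] = {"ok", "silent neighbour corruption", "detected on free"};
    static const size_t lens[] = {8, 9, 12};
    for (int l = LAYOUT_PLAIN; l <= LAYOUT_CANARY; l++)
        for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
            printf("%-7s write of %2zu bytes -> %s\n",
                   l == LAYOUT_PLAIN ? "plain" : "canary", lens[i],
                   names[simulate_overflow((enum layout)l, lens[i])]);
    return 0;
}
```

The point is the last column: with the plain layout a 9-byte write into an 8-byte chunk returns normally and leaves the neighbour holding 0x41 where it expected 0x42, which is exactly the "subtle, corrupts other data" failure mode; with the canary layout the same write is caught on free every time, which is the "reliable crash" that makes the bug visible and forces a fix.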

How many total vulnerabilities have you now reported upstream?

Great work!

Discussion

GrapheneOS as a whole has reported several issues upstream to AOSP in the past; some appear on Android's Security Acknowledgements web page too, but not always. The oldest is from 2015, but none are credited to the GrapheneOS name; rather, they are credited to the independent developers themselves. There are likely more to come after these recent upstream vulnerability reports.

This only counts unique discoveries; there have been times where the team discovered a vulnerability only to find out it was a duplicate already being investigated internally. The major lock screen bypass vulnerability from 2022 was discovered independently by GrapheneOS that June while working on developing a duress PIN feature, and an initial patch had been developed for it by then. However, when it was submitted to Google, it was a duplicate. It got fixed upstream in November.

Sometimes AOSP will add a security feature the OS had prior; when this happens, we remove it from the features page on the site.

This only counts AOSP; there have been contributions to the Linux kernel, LLVM and others. It also isn't just security issues; it can also be general bugs. There is a wide range.

Awesome, thanks and keep up the good work!