Linus Tech Tips tried out #GrapheneOS. Check it out: https://www.youtube.com/watch?v=gDR6V5OdnYg

We also have Matrix with our own homeserver. All internal matters uses that. SimpleX likely will only remain an unofficial platform for moderation / bridging reasons. They also seem to be making large systematic changes, so maybe now is not the right time.

🙋

A user on our community platforms submitted a grainy photo from a Cellebrite Premium sales pitch suggesting that they lost support for full filesystem extractions on *UNLOCKED* #GrapheneOS devices. This would mean that Cellebrite can no longer extract hidden operating system data or application data not available to the user when they know the users password. They are still unable to bypass the Titan M2 secure element backed brute force protections.

Not right now. I know many users do use WhatsApp though. WhatsApp sometimes does work, it supports notifications without Play Services too.

Update: not anymore, should just work.

He just doesn't like that we don't let him say nonsense without us checking it. We'd ignore it, but once he started making videos about GrapheneOS then it became an issue. He posts tons of FUD about many projects to promote his own products.

Both of the November 2025 patches have been provided in our regular non-security-preview releases for over a month, so we've already had the 2025-11-05 Android security patch level for over a month. Our patch level is set based on providing both the Android and Pixel security patches, so we're leaving it at 2025-11-01 until the Pixel stock OS release and Pixel Update Bulletin are published. The stock Pixel OS also included both November 2025 patches in early September. We expect they made a 2nd October release to ship the November carrier changes and will make a release in mid-November with patches from future Android Security Bulletins. All of the Android 16 security patches from the current December 2025, January 2026, February 2026 and March 2026 Android Security Bulletins are included in the 2025110601 security preview release. List of additional fixed CVEs: Critical: CVE-2025-48631, CVE-2026-0006 High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2025-22420, CVE-2025-22432, CVE-2025-26447, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634, CVE-2026-0005, CVE-2026-0007, CVE-2026-0008 2025110601 provides at least the full 2025-12-01 Android security patch level (a Pixel Update Bulletin for November 2025 hasn't been released could have fixes we don't get early, although it's likely empty) but will remain marked as providing 2025-11-01.

Many people in the space are far too confident about their competency in cyber security. I've worked in it full time for years, I involve myself in lab training and I am still sure I know very little. Cryptocurrencies being associated with hackers in pop culture is to mostly blame for this. Using a couple apps and a HWW gets people over their heads. Growing anti-intellectualism by influencers (grifters offering to teach you better than a degree or an industry vet), unvetted GenAI content and a purity test mindset harms the movement. People are too confident to go against what every major company security team says. Working in technology doesn't immediately qualify someone as cyber security aware, never mind an expert. People always make basic mistakes. Cryptocurrency companies and people get pwned all the time.

Used the wrong logo award

We made an article about it a while back. https://discuss.grapheneos.org/d/20165-response-to-dishonest-attacks-on-the-grapheneos-project-by-robert-braxman In short, the guy is a hack who makes content about topics either scaremongering people or peddling misinformation without any oversight. His content disrupts numerous open source projects' communication channels because they ask questions about meaningless, made up things they learn from his videos. He said GrapheneOS is dying and that Google stopped open sourcing AOSP (both untrue). He creates a lot of products which as you can see, are terrible both security and privacy wise.

Here is my scheduled corpo posting of a collage of software, now Please Buy My Fucking Products

The claim of 'illict use' being 'so-called' because it tries to imply there is an ethical or good use of an exploit tool. There isn't. It's all bad.

Let me post cheesy one-liners like a pro-privacy product company real quick

When an individual acquires a zero-day and turns it into a product to be bought by people to freely target users of the vulnerable software, they are treated like a crook. When Cellebrite do it, it should be no different. Here is the statement from Cellebrite on the matter: “We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage.” A software developer is entitled to know that their software is being / attempted to be exploited by a wealthy, influential actor. This is called responsible disclosure, a virtue of the security community these companies don't follow. What we do against these groups is an act of self-defence of our product and work. GrapheneOS, Google, Samsung, Apple and the greater mobile security community is neither a "potential criminal" or a "malicious actor". These authoritarian talking points are stale and come from the same playbook as "Think of the children" and other fallacy phrases meant to attack you as being a danger for something as simple as wanting to protect yourself. Vulnerabilities don't just exist for the bad guys. All vulnerabilities are to be patched when uncovered. At the bare minimum, a single so-called illicit use of it anywhere in the world immediately makes their exploit a cyberweapon that must be neutralised. Them being an exploit alone is the only justification we need to seek disrupting these threat actors' work.

Wordle 1,589 5/6 ⬛🟨🟨⬛⬛ ⬛🟩⬛🟨⬛ ⬛🟩⬛⬛🟩 ⬛🟩⬛⬛🟩 🟩🟩🟩🟩🟩

Both patches in the November 2025 Android Security Bulletin have been included since our September 2nd release. It's now known that our 2025090200 and later releases provided the 2025-11-05 Android security patch level early due to shipping extra patches. https://source.android.com/docs/security/bulletin/2025-11-01 It's because these two patches were included in the full September 2025 bulletin patches we shipped but were made optional until November 2025. Later in September, we started our security preview releases able to provide Android Security Bulletin patches around 2-3 months early. Our security preview releases currently have the December 2025 and January 2026 patches. December 2025 has a huge set of patches due to being a quarterly patch level. January 2026 will likely be empty. We should have quarterly March 2026 patches to ship within a couple weeks. Due to having early access to the patches which we can use for our security preview releases, we've been able to determine that a subset were pushed to AOSP and other projects prior to the official embargo ending which means we'll be including those in our regular releases soon. Our security preview releases shipped all available December 2025 security patches in September 2025 and have continued adding the remaining patches. It should be frozen soon, but most of the patches have remained the same since September. Some were deferred to future bulletins. The new security patch system being used by Android is confusing for users and bad for the security of anyone not using #GrapheneOS with our security preview releases. We could have set the patch level string to 2025-11-01 in early September but in this case we didn't do that.

It's a blurry photo. It actually says "BFU", or Before First Unlock. When you have restarted the phone / preferred it off and haven't entered the Owner user's password yet, the Owner is BFU.

GrapheneOS has diminished exploit capabilities for Cellebrite a third time. They are no longer able to Full Filesystem extraction an unlocked device. This prevents extraction of hidden operating system and application data. Given it is unlocked, they're still accessing all the important stuff though. This could be an indicator of their target. They are likely to move their resources to attempt researching an exploit targeting the Titan M2 secure element or for extraction for AFU Locked devices rather than be concerned about extracting a device already unlocked. We routinely receive this information from sources familiar with Cellebrite. However, do you have more information on exploit vendors? Do the right thing. Tip off #GrapheneOS at security@ our domain or contact the project account on our platforms. We will respect your privacy. We have made upstream security reports to Google and Apple. Encryption can be performed via our Age public key: age1dcftzgq00ykgwvxl5te6d5clqgx75h2g54c0u8gjc43mcnea7p7q3ma0yx https://grapheneos.org/.well-known/security.txt