github GrapheneOS/Auditor 92

6 hours ago

Notable changes in version 92:

  • permit expired attestation roots until Pixel 6 support is dropped: the original attestation root expired on 2026-05-24 but is still used for 6th gen Pixels, and remote key provisioning, which provides ongoing key rotation for per-app keys chaining to the root, only fully launched with 7th generation Pixels. Permitting expired roots fixes initial pairings with 6th gen Pixels and has no negative impact on Auditor. Phasing out all but the latest root for the initial verification of the Pixel 7 and later can be attempted in a near future release to improve the initial verification prior to having the per-pairing hardware attestation signing key pinned on the Auditor side.
  • raise minimum Auditor version to 89 which has been out for over a year
  • remove support for end-of-life Pixels which have been end-of-life for around 2-3 years
  • raise minimum patch level for verification to 2025-05-05
  • raise minimum OS version for verification to Android 14 since Android 13 security support has ended
  • validate remote-verify QR before persisting account state
  • update Gradle to 9.5.1
  • update Bouncy Castle library to 1.84
  • update Guava library to 33.6.0
  • update CameraX library to 1.6.1
  • update Material Components library to 1.14.0
  • avoid a potential crash from a rare UI race condition
  • remove unnecessary debug logging to avoid having remote verification enrollment QR code contents in saved logs
  • remove legacy code

A full list of changes from the previous release (version 91) is available through the Git commit log between the releases.
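
The first change listed above, sketched as an added Java example (not Auditor's own code): the root is trusted because it matches a pinned copy byte for byte, so its validity dates are not checked. The class and method names, the PEM file arguments and the expiry check on certificates below the root are assumptions of this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

public class PinnedRootChainCheck {
    // chain is ordered leaf first, root last; pinnedRoots are the trusted root certificates.
    static void verifyChain(List<X509Certificate> chain, List<X509Certificate> pinnedRoots, Date now)
            throws GeneralSecurityException {
        if (chain.size() < 2) throw new GeneralSecurityException("chain too short");
        X509Certificate root = chain.get(chain.size() - 1);
        boolean pinned = false;
        for (X509Certificate candidate : pinnedRoots) {
            // Trust in the root comes from byte-for-byte identity with a pinned copy.
            pinned |= MessageDigest.isEqual(root.getEncoded(), candidate.getEncoded());
        }
        if (!pinned) throw new GeneralSecurityException("root is not a pinned attestation root");
        // No root.checkValidity() call: an expired pinned root is permitted.
        for (int i = chain.size() - 2; i >= 0; i--) {
            X509Certificate cert = chain.get(i);
            cert.verify(chain.get(i + 1).getPublicKey()); // must be signed by its parent
            cert.checkValidity(now); // assumption of this sketch: expiry still enforced below the root
        }
    }

    // Reads every certificate from a PEM file, in file order.
    static List<X509Certificate> load(String pemPath) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    // Usage: java PinnedRootChainCheck chain.pem pinned-roots.pem (both file names are placeholders)
    public static void main(String[] args) throws Exception {
        verifyChain(load(args[0]), load(args[1]), new Date());
        System.out.println("chain accepted");
    }
}
```

The sketch covers only the certificate chain; the attestation extension fields (verified boot state, patch level, OS version) and the per-pairing key pin described in the text are separate checks.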


The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification. Trust is chained through the verified OS to the app to bootstrap software checks with results displayed in a separate section.


This app is available through the Play Store with the app.attestation.auditor.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them. Each release is initially pushed out through the Beta channel followed by the Stable channel.

Releases of the app signed by GrapheneOS with the app.attestation.auditor app id are published in the GrapheneOS App Store which provides fully automatic updates. Each release is initially pushed out through the Alpha channel, followed by the Beta channel and then finally the Stable channel. These releases are also bundled as part of GrapheneOS and published on GitHub.
