I’m considering the switch to GrapheneOS, so I watched this interview with one of the members of the GrapheneOS team, and honestly, I feel it was a great general introduction to it and touched on common features and misconceptions.
For those who don’t know, it’s one of the most secure and private mobile operating systems out there. Some things that I took away:
- They touched upon MAC randomization. I researched a bit on my own about what the need for it is. Apparently, it’s standard practice to randomize MAC addresses when scanning WiFi connections. However, GrapheneOS (and Pixel firmware) are even better at this, as they make sure they don’t leak any other identifiers when doing so. They also allow you to get a new random MAC for every connection that you make (not sure whether this is very useful, as this can cause problems). On a related note, even when WiFi/Bluetooth are “off,” stock Android can still scan in the background to improve location accuracy (by matching visible networks/devices against Google’s database). So basically, even with WiFi/Bluetooth off, Google still knows where you are. In GrapheneOS, this option is off by default.
- They have their own reverse proxies that they use to talk to Google on your behalf when needed.
- Apparently, in the USA you can be compelled to provide a fingerprint or Face ID. Courts have ruled this doesn’t violate the 5th Amendment because it’s physical, not testimonial. BUT you cannot be compelled to provide a password/PIN. That’s considered testimonial evidence, protected by the 5th Amendment. GrapheneOS has a two-factor system where, after using your fingerprint, you still need to enter a PIN, so it helps with this. They also have a BFU state after reboot, which is the safest and requires you to enter your full passphrase.


Hey there, GrapheneOS user here!
This can not only be turned off entirely in settings, but you can actually modify it on a per-network basis! For example, on my home network, I can tell it to use no randomized MAC at all, or a per-network randomized MAC, meaning it will choose a different MAC address than my normal one whenever I connect to my home network, but it will always be the same MAC on my home network, only changing on other networks.
Which you can also disable if you don’t want GrapheneOS to proxy any particular type of your data, and you’d rather it just go straight to Google instead for security reasons, even if you give up a little privacy.
Yep, however an important caveat is that if you’re not a US citizen, you can still be compelled to give up your password or PIN, otherwise you’ll be denied entry to the country. And, if you’re a US citizen, you can have your phone seized and held for some time (i.e. months), even if you’re then allowed entry to the country. (This is likely so the government can wait for an exploit to become known, or have more time to run a cracking algorithm that’s computationally expensive.)
Not enabled by default though! This can also be used within the OS itself. For example, I can set a PIN+Fingerprint access for my lockscreen, or PIN-only access, then still individually lock an app on my phone with a fingerprint without it also having to be enabled for my lockscreen. I’m unsure if that’s supported on stock Android.
All phones have a BFU (before first unlock) state, and GrapheneOS doesn’t require a passphrase unless you’ve set one, otherwise it’s your PIN. Fingerprint unlock is disabled until after BFU though, so it requires essentially using a backup PIN even if you always use your fingerprint, at least for first unlock.
However, GrapheneOS is unique in that companies like Cellebrite, who sell the government hardware and software to crack people’s phones and exfiltrate their sensitive data, have stated in leaked slides that they can’t unlock GrapheneOS devices BFU (if they’re updated to at least security patches after 2022, which any GrapheneOS user reasonably should be), while they can crack stock Android devices BFU.
This is why I always make sure to fully shut down my phone before I go through airport security, for example. It’s also possible to simply “Lockdown” the phone to disable biometrics again and require a PIN/Password like during BFU, but in that state the phone is not actually in a BFU state, so it’s not fully protected.
There’s a tiny bit more nuance to this. Your cell service will still be active even if you disable WiFi/Bluetooth, and that can still track you, even if it’s not through Google’s location services, since your carrier still gets pings from your phone.
GrapheneOS’s airplane mode disables the cellular radio entirely, whereas some OEMs don’t do that on their phones, even when you turn on airplane mode, meaning your cell provider could still triangulate your position regardless of if you have airplane mode on or off.
Also, GrapheneOS additionally supports a proxy service for more accurate GPS positioning, which can reduce the amount of data available to Google, even if you need more accurate positioning data using nearby networks.
Thanks for the in-depth answer, I think I will try installing Graphene today.
Oh nice! Makes it way more useful then, as I saw forum threads of people saying there’s no point in randomizing on your home network and it may cause issues.
Did not know that, fascinating! Even Airplane mode is upgraded :D
Good luck!
First thing I’d recommend you do when you get it set up is literally just go through every single settings menu and see if anything catches your eye. There’s a lot of random settings that GrapheneOS adds that can be very useful. Some of these might not be visible at first glance. (for example, when you’re installing an app, a popup will appear asking if you want to grant the app network access when you install it, and if you toggle it off, that app can’t talk to the internet at all, not for ads, telemetry, or anything at all.)
Just be aware that some features that Google implements on stock Android aren’t available, because they’re not part of the Android Open Source Project (AOSP).
Things like Google’s Find My Device features, some of the extra lock screen customization (e.g. custom clocks other than just simple color changes), automatic music recognition (e.g. Shazam but built into the OS and running in the background for some reason), etc.
One thing I haven’t understood properly, I feel, is how notifications work. They talked about how there’s basically 3 ways of sending notifications on Android: FCM (Google’s system), WebSockets, UnifiedPush. Most apps use FCM, so you need Play services installed to get notifications, right?
How does that work through profiles though? Some commenter in this thread said you can forward them from another profile if that profile is running in the background? But if I have Google Play services installed on profile B but not profile A? Do I have to install them on every profile?
I may not fully understand how profiles work yet.
Thanks for the MAC address tip. My home WiFi UI gets super slow after I have a million different devices connected because I have multiple GrapheneOS devices. Now I won’t have to constantly delete logged devices.
Don’t forget the Duress password!
You can be charged with destruction of evidence if you use that. Consequences could end up being worse than if you just handed over your password after physical coercion; after all, it’s pretty hard to prove torture in court.
To add to the security of the PIN and to prevent reading screen smudges, you can enable an option so that the digits on the PIN pad are randomized each time it loads.
Graphene also supports fully isolated user accounts. Applications running in one profile cannot even discover the existence of the other profiles*. There is a way to forward notifications from user containers, but it is disabled by default. Each account, when inactive, is encrypted independently of the system drives and the key is generated at user login with the entry of a password and overwritten in memory upon logout.
*If you enable the notification forwarding, a hostile application running on the primary account could deduce that there is at least one other user profile on the phone by analyzing the notifications.
I can’t believe I forgot to mention that! I use it myself, and while it can take a bit to get used to typing by actual numbers and not muscle memory, it’s great for minimizing the risk of shoulder surfing.
And it supports stock Android’s Private Space feature, too!
Wow, they really put a lot of detailed work into it.
That’s only a tiny, tiny piece of it. If you want to know more: https://grapheneos.org/features