
unwat Amazing information! Thank you very much for this! I already thought of these reasons, but it's good to confirm. Also, the owner profile needs to be unlocked before I can unlock a secondary user profile, right? That way I could use biometric unlocking methods for convenience, but an attacker would need my password for the owner profile first, which is a different thing in some jurisdictions (police access). Is this correct?

    adelina Also, the owner profile needs to be unlocked before I can unlock a secondary user profile, right

    Yes. The owner profile holds system settings, so it has to be active for the phone to operate.

    I keep my owner profile locked with a password. So, for example, if I'm in the US and I hear the cops breaking down my door I could end whichever secondary profile is running and they can't access anything.

      21 days later

      unwat I feel like this scenario is not really the one GrapheneOS is designed for. This is not really a privacy issue any more at the point the cops are breaking down a door. Most likely, they and/or prosecutors are going to be able to manipulate you into giving them access to the phone.

      If this is actually the scenario GrapheneOS is designed for, then it seems like they need an emergency wipe protocol--like, in a couple taps plus a password, I can start a process that either (a) deletes a secondary user profile, or (b) does a factory reset on the phone.

        • [deleted]

        unwat what would be system settings?

        Cigurd If law enforcement executes a no knock warrant and breaks into your home, you have much bigger things to worry about than wiping your phone, such as being shot dead. Unfortunately, no knock warrants (at least in the USA), originally intended to only be used in the case of heavily armed drug dealers, terrorists, and other similar suspects, are being issued by judges with increasing frequency, against people with no criminal records. I know cause it happened to me, but that's not something I care to share in more detail.

        Also, standard operating procedure is for all electronic devices to be placed in Faraday Bags, which would prevent remote wiping. To overcome this type of situation, you would really need some type of app or for there to be a GOS setting whereby if you did not enter a pin within a certain period of time (say every 4 hours), the phone would automatically wipe itself. Risky, in the event you have a couple of drinks and oversleep, but it would nevertheless keep your data safe.

        I am not recommending this type of protocol as a practice to anyone but the 0.1% of us that require such, and everything you keep on your phone is truly disposable, but if you have an extreme threat model, it might be viable.

        unwat a very easy way to do battery saving if a personal profile has VPN or Google Play Services running all the time, taking up battery

        I don't follow.

        1. Why would Play Services drain more battery? Aren't they supposed to preserve battery thanks to centralized push notifications?
        2. Even if they did drain extra battery, and you offloaded them to a user profile, wouldn't they still drain that same amount?

          juicer

          You're right about both points.

          My point was that if the owner profile has nothing installed and you have a secondary profile for most day to day use, if you want to save battery you can easily terminate the profile's session. Google Play Services does use battery. Not too much, but more than an empty owner profile.

          Like sometimes I'll just end all sessions and leave my phone on owner. My idle battery usage is way lower that way. Like maybe 3 times less usage while the phone is sitting idle.

          Cigurd

          You're right. I was just using that as an example that I think is kind of funny. If that thing were to actually happen to me I'm sure I'd be too busy freaking out to end my profile's session.

          In all seriousness, I like that I can put my data to sleep without a reboot. It's very convenient.

          TTS synthesising text into audible speech

          To listen to web pages in Vanadium, there is the open source app TTS util, with RHVoice or any text-to-speech engine app.

          8 days later
          • [deleted]

          Hulk not to be pushy but would love to see more! :)

          @Hulk, what are the benefits of setting an eSIM in Stock Android versus setting it up in GOS with sandbox Google Play and then removing Google Play once it is set?

          • [deleted]

          Hulk

          So the benefits of the tidy profile system relate to physical exfil and tampering, right? I've wondered if there could also be some benefit from a remote hacking perspective.

          At first I thought that, similarly to making your main Linux user a non-root secondary user so that you can always escalate yourself to admin and regain control when your daily user inevitably gets hacked or acquires a virus, the GOS user spaces could prevent malware and hackers from escalating and infecting other users (and their data). Someone at GOS has since clarified that user spaces don't provide additional sandboxing, however.

          But couldn't we still leverage user spaces to monitor and rule out malicious persistence?

          An essentially bare main user profile suspended in carbonite would be easy to monitor for any changes, and as none should be expected, they would indicate tampering or unsolicited downloads with some confidence. Tertiary user spaces can be locked down in settings so that no new downloads occur (but presumably app data can still populate and function dynamically).

          So maybe an extension to the attestation app (comparing our own encrypted system snapshots) could help us monitor user-state for any changes and work like an anti-evil-maid to confirm things are as expected in the OS user space?

          What do you all think? Seems like a really long-winded and pretentious way of saying compare to backups really, doesn't it....

          6 days later
          akc3n unstickied the discussion.