Guide to GrapheneOS configuration for high-risk users

Dumdum Ah, you're right. It still makes sense to mention it in the context of Obtainium, though. Obtainium doesn't do any verification on its own as far as I'm aware, it has explicit support for AppVerifier so that you can verify an APK before ever installing it. That interaction should be mentioned I think.


anarsec This is a very good guide. Additional nitpicks to what has already been said:

  • "The cheapest option is to buy the "a" model right after the next flagship model is released" -> due to the Pixel 8a getting 7+ years of support, it might be a better deal right away compared to the 7a when it comes to value per year. This should be an anomaly though.
  • Why choose Molly FOSS as the example for updating through Obtainium when it can update itself (which is described right above using Signal)? Better to use another app here that benefits from Obtainium (I'll try to find one myself).

Continuation of my post above:

  • I think Element does not update itself, so it might serve as a better use case for Obtainium.
  • Bluetooth timeout can only be set in the owner profile (you put it in the all profiles category).
  • WiFi timeout is worth mentioning as well (can also only be set in the owner profile).
  • Since you write about VPNs and password managers, I think it's also worth mentioning 2FA via Aegis or hardware keys such as Nitrokey or YubiKey (depending on how much one values Open Source and firmware updates).

Overall your article is great already and I learned a thing or two from reading it. Thanks for putting in the time!

Thanks for the feedback. You can find a diff showing the edits here.

We recommend using the phone as an "encrypted landline". If you boot the phone when you wake up, 18 hrs is a good amount of time for the auto-reboot if you won't be interacting with it except to receive a call, which is why we kept the recommendation "18 hrs or less", so that the "landline" doesn't shut down on you half-way through the day.

Molly FOSS is used as an example because it's not available on the Google Play Store.

@anarsec

Unfortunately, apps obtained through Obtainium require manual updates — it will notify you when one is needed.

I missed this. This isn't true anymore. It can do unattended updates. It's not perfect since it's written in Flutter by someone who's not an Android developer and the libraries are a bit wonky, but it does work.

    anarsec It's the SIM card: the main problem for a person who wants to protect themselves from a state actor.

    anarsec It is also dangerous to establish a general guide on what to do for a secure GrapheneOS, because you do not know the threat model of people.

    matchboxbananasynergy Hello, I use the link between Obtainium and AppVerifier. The problem with AppVerifier is that its database is quite limited, probably to the most popular apps. Is there any way the crowd can be leveraged to increase its coverage?

    In other words, user profiles are isolated from each other — if one is compromised, the others aren't necessarily.

    I'm not sure I understand this sentence completely. It's mentioned in the same context as Qubes. If I understand Android user profiles correctly, they don't provide additional protection against malware breaking out of the app sandbox (beyond the protections that the system already provides). But maybe I'm wrong?


    zzz Take a look at both of these scenarios and tell me which you think is best for what the article describes its user as: "anarchist".

    https://riseup.net/en/about-us/press/canary-statement

    https://www.reddit.com/r/mullvadvpn/comments/12swybw/mullvad_vpn_was_subject_to_a_search_warrant/

    Would you prefer to recommend a logging policy or a no logging policy? I may have made an assumption on the threat level that this was working off of.

    zzz Also as far as I am aware, they are the only privacy oriented mailing list service out there, which is important for some organizing activities.

    They are connected to many friendly organizations that offer the same thing.


    @matchboxbananasynergy

    Do you have thoughts on best practice for verifying AppVerifier, in a way that is accessible to non-CLI users? Bit of a "chicken or egg" problem.

    For instance, if the user obtains the AppVerifier APK from GitHub Releases, installs it, and retroactively uses AppVerifier to display the fingerprint of the APK they just installed, they can't really trust that it's showing them the true fingerprint. If AppVerifier were available on Google Play, that could be the root of trust, but it's not. It's available on Accrescent, but this just moves the same problem to another APK, because you need a (non-CLI) way to verify the authenticity of the Accrescent APK...
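The check AppVerifier performs is a comparison of the SHA-256 digest of the APK's signing certificate against a value obtained from somewhere you already trust (the same digest `apksigner verify --print-certs` prints). The following is an added example, not AppVerifier's, Accrescent's or GrapheneOS's code: it parses the APK Signing Block (v2/v3 schemes), pulls the DER certificate out of each signer's signed-data section and compares its SHA-256 with a pinned fingerprint. It does not verify the signatures themselves, only "is this APK signed with the certificate I expect?". Because it runs off-device, it side-steps the chicken-and-egg problem above: you can check the AppVerifier or Accrescent APK on a laptop before it ever reaches the phone. The sample APK and the certificate bytes in it are constructed placeholders, not a real signed app.

```python
"""Pin-and-check an APK's signing-certificate SHA-256 fingerprint.

Added example (not AppVerifier's code). Parses the APK Signing Block
(v2 ID 0x7109871a, v3 ID 0xf05368c0), extracts each signer's DER
certificate(s) and compares their SHA-256 with a pinned value.
Signatures are NOT verified here; only the certificate identity is.
"""
import hashlib
import hmac
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0

# Constructed placeholder for a developer's DER-encoded signing certificate
# (any bytes work for the parsing demo; a real APK carries a real X.509 cert).
SAMPLE_CERT_DER = bytes.fromhex("3082010a0282010100c0ffee") + b"example-signing-cert"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, lowercase hex, no separators."""
    return hashlib.sha256(der).hexdigest()


def _lp(data: bytes) -> bytes:
    """uint32 little-endian length prefix, used throughout the signing block."""
    return struct.pack("<I", len(data)) + data


def _read_lp(buf: bytes, pos: int):
    (n,) = struct.unpack_from("<I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("truncated length-prefixed field in signing block")
    return buf[pos + 4:end], end


def _locate_signing_block(apk: bytes) -> bytes:
    """Return the ID-value pair area of the APK Signing Block; raise if absent."""
    eocd = apk.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a zip file: no end-of-central-directory record")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block (unsigned, or v1-only JAR signature)")
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt APK Signing Block size fields")
    return apk[start + 8:cd_offset - 24]


def _signer_certs(block_value: bytes):
    """Yield DER certs: signers -> signed data -> (digests, certificates, ...)."""
    signers, _ = _read_lp(block_value, 0)
    pos = 0
    while pos < len(signers):
        signer, pos = _read_lp(signers, pos)
        signed_data, _ = _read_lp(signer, 0)
        _digests, p = _read_lp(signed_data, 0)  # digests first, certificates second
        certs, _ = _read_lp(signed_data, p)
        q = 0
        while q < len(certs):
            cert, q = _read_lp(certs, q)
            yield cert


def signing_cert_fingerprints(apk: bytes) -> list:
    """All signing-certificate SHA-256 fingerprints found in v2/v3 blocks."""
    fps = []
    pairs = _locate_signing_block(apk)
    pos = 0
    while pos < len(pairs):
        (length,) = struct.unpack_from("<Q", pairs, pos)        # covers ID + value
        (block_id,) = struct.unpack_from("<I", pairs, pos + 8)
        value = pairs[pos + 12:pos + 8 + length]
        if block_id in (V2_BLOCK_ID, V3_BLOCK_ID):
            fps.extend(cert_fingerprint(c) for c in _signer_certs(value))
        pos += 8 + length
    if not fps:
        raise ValueError("signing block present but no v2/v3 signer certificates")
    return fps


def verify_apk(apk: bytes, expected_fingerprint: str) -> bool:
    """True iff every signer cert equals the pinned fingerprint (colons/case ignored)."""
    want = expected_fingerprint.replace(":", "").replace(" ", "").lower()
    return all(hmac.compare_digest(fp, want) for fp in signing_cert_fingerprints(apk))


def build_sample_apk(cert_der: bytes = SAMPLE_CERT_DER, signed: bool = True) -> bytes:
    """Constructed sample: tiny zip plus a signing block with one v2 signer
    whose signed data carries `cert_der` (no real signature; parsing demo only)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    plain = bio.getvalue()
    if not signed:
        return plain
    eocd = plain.rfind(b"PK\x05\x06")
    (cd_offset,) = struct.unpack_from("<I", plain, eocd + 16)
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")  # digests, certs, attributes
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")          # signed data, signatures, pubkey
    pair_value = _lp(_lp(signer))                            # length-prefixed signer sequence
    pair = struct.pack("<QI", 4 + len(pair_value), V2_BLOCK_ID) + pair_value
    size = len(pair) + 8 + 16                                # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    tail = bytearray(plain[cd_offset:])                      # central directory + EOCD
    struct.pack_into("<I", tail, len(tail) - 22 + 16, cd_offset + len(block))
    return plain[:cd_offset] + block + bytes(tail)


if __name__ == "__main__":
    apk = build_sample_apk()
    pinned = cert_fingerprint(SAMPLE_CERT_DER)  # in practice: obtained out of band
    print("signer fingerprints:", signing_cert_fingerprints(apk))
    print("matches pinned cert:", verify_apk(apk, pinned))
    print("rejects wrong cert:", not verify_apk(apk, "00" * 32))
```

In use you would read a downloaded APK with `open(path, "rb").read()` and pass the fingerprint published by the developer (or one you recorded from a previous known-good install) as `expected_fingerprint`. A `ValueError` from an APK without a signing block is a hard stop, not a warning: a modern APK with only a v1 JAR signature or none at all should not be installed.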

      anarsec AppVerifier is also published on Accrescent.

      Accrescent will soon be mirrored on the Apps app where people will be able to download it.

      That means there will be a chain of trust from the OS to Accrescent, and therefore AppVerifier.

        Consider making a donation to Accrescent if you can, the project needs more support.

        Indeed, that's excellent news. We'll rewrite the section on how to install software when that's the case.

        The Obtainium unattended updates change is here.
        Prioritizing Mullvad/IVPN change is here.

        @matchboxbananasynergy Is there any official or unofficial advice for what services to access if Auditor ever detects tampering? The guide currently links to Access Now’s Digital Security Helpline.

          anarsec The guide currently links to Access Now’s Digital Security Helpline.

          Interesting, I had not known about that group.

          Their "Disclosure of Your Personal Data" statement seems a little ominous, e.g.:

          [...]

          We may also disclose your personal data to third parties:

          • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
          • To a buyer or other successor in the event of merger, divestiture, restructuring, reorganisation, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, where one of the transferred assets is the personal data we hold.

          [...]

          anarsec @matchboxbananasynergy Is there any official or unofficial advice for what services to access if Auditor ever detects tampering? The guide currently links to Access Now’s Digital Security Helpline.

          Actually, I have a question with a broader scope. What is the recommended user behavior upon Auditor detecting tampering? @GrapheneOS

          As a baseline, users should immediately consider the device untrusted and start fresh with a new one, but I'm wondering if there are additional recommendations? From the user's perspective, forensic analysis could be in their interest - if such an analysis can determine how the compromise occurred, and this can be mitigated, then the adversary can no longer simply compromise the new device with the same attack vector. For instance, do GrapheneOS devs want to receive firmware images for forensic analysis?

          4 months later

          I understand the benefit of delegating apps from the Play Store from the owner to the default profile, so that you don't need to install Google stuff in the default profile.

          I don't understand what the benefit is of delegating apps from Obtainium. What is the benefit compared to installing Obtainium and apps from there in the default profile?