User Experience Graphene While Traveling

backdoordonny

I would prefer to never use a cell phone at all.

When traveling, at times it may not be safe to have no cell phone. So I bought a cheap pixel and used it for a trip I needed to take.

Experiences:

1) Having a long password that prevents brute-force hacking is safe in some ways, but less safe in others

Many times during traveling, I had to unlock my phone in areas in which there were likely video recording devices and often people near me. My longer password may have been compromised.

2) I lacked time to compartmentalize as much as I wanted to compartmentalize

Ideally my first profile would have just had Apps and been unused, while other profiles with easier passwords would be used. I tried to compartmentalize this somewhat, but I got so busy I ended up just having to use the first profile. Often when I needed to check something, I was in a rush and lacked the time required to compartmentalize. Often when I was under stress, thinking about compartmentalization and changing profiles was another cognitive ball to juggle and I just ended up not changing profiles that much.

3) The battery life held up really well

Although everyone knows GOS does well with battery life, it's important to mention how much more valuable GOS is because it feels light and doesn't drain things more than expected.

4) I was still tracked during GOS usage in ways that made me uncomfortable

I was using a "burner" Pixel, I used a burner SIM, and I used Mull with resist fingerprinting turned on by default and ublock origin installed. At one point, I was completely stranded and had to place an order for a ride and provide a credit card through Mull.

I completely regretted it because after doing this, I got emails from a company saying "Check out our cool new App! We recently added new features!" which is bullshit I never get normally. The App was also not upgraded recently and has been available for a long time.

This means useragent + credit card use was sold to a data broker, sold back to a company I use, and the company, which already offers their enshittified App to users and hasn't actually done any recent upgrades, then spammed me to try to get an App installed so they could get more hardware identification to track me.

I also tested Mull with coveryourtracks.eff.org and was somewhat unique in the dataset. I didn't use Tor browser because anything linked to my identity done with a Tor Browser puts me into a unique dataset of verified Tor users. My IP was protected by a VPN.

What the coveryourtracks results mean is this GOS phone is somewhat linked to me because the screen dimensions and useragent settings and other info are unique enough. I also had tested other browsers and this was the best results I could get unless I tried Brave, which I didn't want to try because I don't support Chromium-based architecture for browsers. I suspect they could probably guess I am using Graphene OS.

It is likely that my cellular company sold my position to data brokers and a data broker has enough info to associate the IMEI of the phone with me, which means if I don't want to be linked to the IMEI then I should sell the phone and buy a new one later.

This is also frustrating to me because I want databrokers and others to not think I have a cell phone. It makes it harder for anyone to track me if I lack a cell phone, including advertisers, and I generally don't use a cell phone. I also
live in a country with an oppressive government that engages in actions that violate international standards for human rights, so a fear is also that at some point the government could demand to see my cell phone, and even if I've gotten rid of it, they could point to data brokers to say I am lying to them. I also live in a country with a changing political environment that doesn't feel stable and so I am trying to protect myself not only against current human rights abuses but also against a worsening political environment.

5) Profile isolation did not totally work

This one was shocking to me. I had a separate profile with OSMaps and many maps downloaded so that I could navigate through passive GPS interactions even if I had no WiFi or cellular connection.

I ran this profile, did some navigation, then switched back to the primary profile, or first profile. I had to enter in my long password, which was extremely annoying as always. Later, when I switched back to the navigation profile, it didn't prompt me to enter the password for that profile, which was a much shorter and easily hackable password.

GOS just took me there without bringing me to the numeric entry screen. This was definitely a WTF moment. Strangely, after it loaded OSMap and I could see an arrow on it and even interacted with it for a bit, then something happened and it prompted me to enter the password. I don't remember all of what happened at the time because I was rushing, but it was clearly a "this is not how it is supposed to be" moment and I remembered thinking "woah" and that I should get logs. I never got the logs unfortunately.

6) The duress pin provided some measure of comfort.

I never had to use it, but there were times around government authorities in which I was ready to use it if needed. I do not think I am "wanted" but I also have very little contact with authorities and wouldn't know if I were wanted.

I also was happy I had the duress pin because it is very likely my longer password was filmed at some point. I am changing the longer password.

The most frustrating part of the travel with GOS was that the long anti-brute force password had to be repeatedly put in, often in inconvenient places, and it was just annoying and bad. If I had used the second profile exclusively, this wouldn't have been a problem, but I just was in a rush often and didn't set it up great.

Having GOS was better than not having a cell phone during travel, but I still felt very limited by how easily I was tracked when using a hardened browser. Although it's possible to fake the useragent in Mull, they can still use javascript to test if it's a lie and cloudflare, the company from the bottom of the abyss of hell, always tests useragent against javascript as part of it's DDOS/tracking/fingerprinting techniques for content man in the middle delivery.

spring-onion

backdoordonny Later, when I switched back to the navigation profile, it didn't prompt me to enter the password for that profile, which was a much shorter and easily hackable password.

This is no bug but intended functionality provided by the app. I'm not familiar with OSMaps but Organic Maps has this too where you don't have to unlock your phone to take a glance of the map. Imagine if your calls were disconnected every time your phone was locked!

backdoordonny

7) I also did not like that I could not force all pings to the Graphene servers to go through Orbot.

I can't layer my proxies and so I just used a VPN, although Orbot can run on 127.0.0.1:9050 as a service.

I did not want to use Orbot as my main VPN because it puts me into a different category of users and the cellular company would know I am using Tor.

I don't trust my VPN not to be a honeypot and I don't trust that the GrapheneOS servers can't be monitored somehow. If the VPN is a honeypot, and Graphene servers are monitored somehow, then the honeypot knows I am a Graphene OS user and can guess who I am if I am using the cellular modem.

If all pings to GOS servers had gone through Orbot only as a proxy service, it would be harder and less likely for Graphene OS to be linked to my geolocation and correlated to being likely me.

8) There were times when a USB-C headphone would not be recognized until restarting the device. There were times when the USB-C headphone would suddenly not work and audio would come out of the speakers. This made for an awkward travel moment, since I was listening to Sexy Red's Bow Bow Bow at the time during the chorus and was around many people, including families and the elderly, and the music was very loud.