Parental (and not only) Controls on Graphene - Guide

response

I thought some could find some value in my current Parental Controls on GrapheneOS. It's a recurrent topic here on the forum and there's always some frustration left lingering, so I hope this guide helps.

Context

Google's screen limiting service can't be easily built on Graphene -- I think because of higher security permissions or something. Apps that just block websites can be easily uninstalled -- not craving-proof.

Another solution is required. The Vanadium browser, built-in, can only be uninstalled if you use USB debug -- not for me, haven't found out how to do it and I think there's a smarter solution (and USB debug has some security implications).

If you're the object of the restrictive effort (ie. you're not a parent catering to a child's phone), this method does require having a friend or trusted person to know and keep from you one or two passwords, as well as after every update or power up asking that person to unlock your phone. One good thing is you're the one who decides when to restart after an update. Keep the phone charged and, when you're with that trusted person, perform some system and app updates, then restart.

Addict notice: depending on your self-control, your friend has to understand they can´t leave you unattended with the Admin profile unlocked.

The method:

It consists of using a DNS provider to block certain (or almost all) connections. This means you will still have a browser available, but you can block anything you want from the DNS provider account, like social media, porn or specific websites. It does mean you can't use the Tor network.

Steps:

1 - create a second profile -- this is the one to be used on a day-to-day basis

2 - install the apps you want on that profile from the main profile (install apps on main profile, go to Settings>System>Multiple Users and toggle the apps you want to install on the second profile)

3 - from the main/admin account, block the second profile from installing apps

4 - create an account and customize your block list on a DNS provider. Depending on your needs, you can either block specific websites (easier, but leaves most of the web accessible, including frontends to sites you blocked) or block everything and allow some websites.

(I use NextDNS - there's the block TLDs option which allows you to block all TLDs (it takes some painstakingly long 20 minutes to select all TLDs unless you use, at your own risk, something like NXEnhanced, an add-on that makes this easier); you then allowlist all sites you need. You might have to check the logs to keep an app or website properly functioning, eg. protonmail.com might also need proton.me and proton.ch)

5 - Change the DNS settings on Admin to the DNS service.

6 - If the restriction's for you, make sure your friend knows your admin and possibly DNS passwords (to make it simpler, you can keep the DNS password on a password manager on the admin profile, less things for your friend to remember).

N1b

Nice setup! How do you make sure that the client/child can access the phone on reboot or after updates when the owner profile requires unlocking first? That's the main mechanic I have no answer for when it comes to self made parental controls...

distro

N1b I'd guess you'd disable automatic updates and tell child not to press update until they're with their parent.

doonmoon

Have hit upon this same method in parallel (minus the DNS filtering for now - instead was relying on the child being too young to find the 'unhide' setting for Vanadium..that didn't last long :))

Also unfortunately ingenious, my child has also hit upon a bug (?) whereby they can circumvent the PIN entry on a phone reboot and get into the admin profile. They do this by messing with swiping at just the right time during the boot sequence.

Has anyone else discovered this issue - seems like a severe security flaw outside of this parental control use case.

I might have to switch to LineageOS using this same setup if I can't find a solution.

Dumdum

doonmoon
If this is real, it would be best for you to make an issue on the tracker (ideally with a recording of the bug), so that the GOS team can deal with it officially.

de0u

doonmoon Also unfortunately ingenious, my child has also hit upon a bug (?) whereby they can circumvent the PIN entry on a phone reboot and get into the admin profile. They do this by messing with swiping at just the right time during the boot sequence.

This seems very unlikely. On modern Android systems, the storage key for the owner profile is derived from the PIN/passphrase by the secure element. Before that derivation, the owner profile files should be unavailable in a strong cryptographic sense, so the claim is a very strong one.

I can't help suspecting the PIN/passphrase has been guessed or snooped. Covertly changing it might shed light on the situation.

If a vulnerability has been discovered, the contact point for secure disclosure of GrapheneOS security issues is security@grapheneos.org.

Blastoidea

Just out of vulgar curiosity, how old is this child?

Sypianski

OK, I just spent some time implementing this ingenious method for myself and re-logging to all my apps on the new profile, only to find out that I can't login to the new profile after reboot. If I cannot ever have my phone battery die, this entire method becomes unusable.

Is there a workaround?