• Off Topic
  • Possible threats when installing Phone to Phone?

  • [deleted]

I am wondering what are the possible threats/attack secnarios when installing GrapheneOS by phone. Would everything go alright when I use GrapheneOS phone to install the OS on another pixel?

    [deleted] I am wondering what are the possible threats/attack secnarios when installing GrapheneOS by phone.

    If you trust Google's bootloader to correctly display the fingerprint of the OS signing hash, if the install results in the correct fingerprint being displayed (and no red "corrupt" warning) then the correct OS has been installed with a very high degree of certainty, no matter which device did the installing.

    [deleted] Would everything go alright when I use GrapheneOS phone to install the OS on another pixel?

    Probably! The installing device must have enough free RAM and enough free storage and a correct configuration of a supported broswer, the cable must be really good, etc., but it should work -- see the instructions.

    Overall, if the official installation instructions suggest installing in some fashion, it is believed that doing an installation in that fashion will result in a working system with verified integrity.

    • N1b likes this.

    [deleted] Would everything go alright when I use GrapheneOS phone to install the OS on another pixel?

    I've installed GOS about 10 times and most of them from another GOS device through Vanadium with the web installer. It's a pleasant experience, since I don't have to prepare adb drivers or anything, just works right out of the box.

    The probability of your GOS device being compromised is much lower compared to any desktop device when it comes to hardware and OS security. And as @de0u mentioned, in the end you can always verify via the boot hash and auditor app. I wouldn't worry about it.

    • [deleted]

    The GrapheneOS team seems to suggest that even buying a phone preloaded with Graphene is pretty safe considering the hash check, auditor, verified boot, etc. Source is a tweet from this last month from the official account, can’t bother to find it right now.