Hi everyone. A bit of hopefully helpful info first. I have moved to GrapheneOS on my Pixel 8 Pro because I anticipate being in a land in the near future where me and people like me are persecuted. I want to be in a situation where if the state detains me and gets my Pixel they will absolutely not be able to access any info, i.e. contacts etc., that would lead them to friends and family. I hope I'll be able to use the duress password before that happens, regardless of possible consequences to me. Being new to this, I would appreciate any advice you could give regarding GrapheneOS settings or anything else I should be utilising in this scenario to make the device impenetrable to those who get their hands on it. Thank you
New User Question
poplectic
CONSULT WITH A LEGAL PROFESSIONAL
In several nations, use of a duress PIN will see you tossed in jail for years.
In others, bringing in a phone with GOS on it may well be a crime on its own.
How long will you be in hostile territory? Do you foresee the local government taking an active interest in you or your associates? Do you want to prevent the government from getting information on your local contacts or on your contacts from home? Are your contacts willing to take steps to help conceal your activities from the government?
How sophisticated is the local government?
What degree of political/PR cover do you have?
What degree of local protection do you have?
Do you just need to get the phone through a customs inspection or do you expect regular police inspections?
Generally, you should set up your own private Tor relay while outside the country. And your own private VPN.
If customs is a major worry then you are likely better off bringing in the Pixel with the default OS on it and burner data that you do not care becomes compromised. Then use airplane mode and public WiFi to use your Tor relay to flash GOS onto your device.
Once you have the device flashed, use the relay to connect to ProtonDrive (or your own servers) to download whatever data you want on the phone.
Include the SimpleX apk in the download. Side load it to all of your contacts. Use hidden contacts. Do not use legal names or known aliases for any of said contacts. Do not communicate with them save via SimpleX run through your VPN or Tor relay.
Use a long, secure, passphrase/word for your device. Keep USB disabled.
Use a long PIN; mine is 14 digits long and easily rememberable for me. Many people will say six is enough; for me more is better than enough!
Use a simple passphrase or PIN for the duress password; excited border guards may attempt to guess PINs and passphrases in the euphoria of having got a suspect phone, before the person responsible for interrogating the device ever gets it on their desk (I have seen it many times). Some staff simply can't resist. Use the word "password" or 1,2,3,4,5,6 and the phone will be 'BFU' before you know it!
Set the auto boot to as short a time as you can tolerate on a daily basis; mine is 30 mins.
Never use fingerprint unlock.
With this setup my phone (P6a) is not impregnable but very difficult to open and reveal my contacts and email within.
My mistake, the duress password/PIN sets your phone to factory reset state, not 'BFU'... but you get my drift.
Thanks guys. You've given me some stuff to research now and think about.
Security falls into a few broad categories.
1) Security of the data if the device is physically seized.
Using GOS with USB data disabled, a strong password, and a Pixel 8 or 9 will effectively ensure this. The use of a duress pin could theoretically make it more secure but as a practical matter, the above steps will render the data safe from all currently known and theoretical attacks once the device goes BFU (which by default it will do in 18 hours, and that can be drastically lowered if you desire). My personal policy is to assume that the NSA can crack anything if they are motivated enough (they can't, but they can do a hell of a lot more than is publicly believed possible), but short of that your data will be safe.
2) Security of your person.
The mere fact that you are carrying a GOS device will make you a person of interest to any law enforcement/Intel agency that becomes aware. You are walking around with the most secure computing device that is publicly available as a practical matter. If you provide a duress pin in much of the world this will see you in jail (or worse) for a long time, so is the marginal increase in your data's security worth a few years (or worse) in a prison?
GOS can also fall afoul of various nations' laws. It may well be seen as a tool for espionage or intelligence activities in some places.
Personally, I use a locked down, and sanitized, iPhone when I travel to several nations because doing so makes me one visitor among many if the government looks and is generally secure in most respects against that government.
Note also that app usage plays a role in this as well. The existence of Signal on a device is, itself, a crime in some nations. A visiting tourist is unlikely to be bothered but a long term resident associated with a disfavored group may well be treated very differently.
3) Security of your device/data against non-local attack.
If you are in a potentially hostile location, assume that anything that leaves your device is compromised. Any nation worth the name can, casually, track the physical location of any device connected to the cell network down to at least the city block level and stores all that data for years.
Any phone number dialed/received or SMS sent/received is likewise in their possession; and if they have reason to care (GOS is reason to care in many places) they are all being intercepted & recorded in full.
Any data connections are likewise compromised. The use of a VPN can mitigate this to some extent but they will still know when and how much data you are sending/receiving. This can be mitigated (there are apps that will keep the connection up 24/7 and at a set data level, essentially sending/receiving junk dynamically to conceal your data usage) but doing so is incredibly obvious and would make you a person of interest. Note also that some nations block known VPN connections while many others instead track them. Even using a private VPN is obvious as it is the only IP you will be contacting and it isn't for a public service; this can be mitigated with good opsec and/or a lot of resources but it can still be a concern.
WiFi is safer, especially if you are using a randomized MAC as it is inherently harder to trace and fewer device identifiers are provided. It isn't exactly safe though.
Apps installed on GOS are relatively safe. You have to generally actively try to turn them into spyware. That being said, apps can fingerprint a device relatively well even on GOS even with no permissions. Using apps developed and owned by foreign entities who aren't on good terms with the local government is a good idea. If you need to install any government provided apps just assume that they are spyware and at a minimum are fingerprinting your device and thus associating it with your identity.
4) Your privacy.
As a practical matter, you don't have the resources needed to have a usable and private smartphone experience against a hostile local government that has reason to actively attempt to breach your privacy.
Take something as simple as accessing a local website via Vanadium. You will be fingerprinted and your fingerprint is basically guaranteed to be unique (or at least highly uncommon). If you have to log in, that fingerprint can be tied to your identity. From then on, even a VPN won't prevent the government from knowing that you are the visitor to a given site.
Then you need to account for other people. Let's assume you have the best personal setup ever. Does everyone you want to interact with have the same setup and practice similar opsec? The government might not be able to see your Signal messages but if they have rooted the device of the person you are talking to then they still have complete copies of everything you sent to that person over your "secure" communications channel.
Two people on GOS using Orbot via private Tor relays outside the nation and communicating via SimpleX is a very different circumstance than a phone call between the GOS user and John Q Public.
The first is, for all practical purposes, untraceable, impossible to intercept in a readable form, impossible to deanonymize, and impossible to man in the middle.
The second is being read by any Intel agency worth the name in basically real time.
Do not assume that GOS makes you safe, or even that it is necessarily the best choice in your specific circumstance. GOS is a tool, nothing more or less. On its own, all it will do is basically guarantee that your data stored on the device itself will remain secure (assuming you practice relatively basic opsec).
Be safe, and always remember to think before you do anything.
JollyRancher That's very helpful. Thank you.
While you provide lots of reasonable cautious advice for someone operating "in hostile territory", some advice is likely over the top for some threat profiles and some of your advice appears unclear or incorrect.
JollyRancher The mere fact that you are carrying a GOS device will make you a person of interest to any law enforcement/Intel agency that becomes aware.
While this may be true, it's possible to configure the device so there are no signs due to the network connections the device makes. With possession of the device the only clear way to tell is during boot, and if you are a "person of interest" there are reasons someone may not want to reboot your phone to find out.
JollyRancher If you are in a potentially hostile location, assume that anything that leaves your device is compromised
Most apps now encrypt all data that leaves the device. To be extra safe there are lots of apps which offer end to end encryption.
JollyRancher Two people on GOS using Orbot
I know you are only giving an example of some potential method to have high privacy communications, but if someone is operating in a hostile authoritarian environment and doesn't want to attract attention then it may be that Tor is best avoided.
Much will depend on the country, what the threat is, what possible consequences would come from it being easily identified that you are using GrapheneOS and/or Tor etc. In many countries there will be limited or no consequences.
GrapheneOS is not just a tool utilized by dissidents or people with dubious intents. It's used by all kinds of people who value their privacy. We are aware of companies that have adopted GrapheneOS for their employees, many people who work in different kinds of computer security roles run it on their phones, people who work in government, lawyers, and many 'normal' people who just think devices should provide better privacy.
JollyRancher In others [nations], bringing in a phone with GOS on it may well be a crime on its own.
I've never heard of this before. Do you have an example of countries that practice this?
Carlos-Anso While this may be true, it's possible to configure the device so there are no signs due to the network connections the device makes. With possession of the device the only clear way to tell is during boot, and if you are a "person of interest" there are reasons someone may not want to reboot your phone to find out.
The network connection itself won't give you away. What you do over that connection can fairly easily do so.
Carlos-Anso Most apps now encrypt all data that leaves the device. To be extra safe there are lots of apps which offer end to end encryption.
The data itself isn't the issue. The servers that you are connecting to are. Say that you contact the GOS update servers without a VPN, that you have done so strongly implies that your phone is running GOS.
Carlos-Anso I know you are only giving an example of some potential method to have high privacy communications, but if someone is operating in a hostile authoritarian environment and doesn't want to attract attention then it may be that Tor is best avoided.
True. One reason that I said the first step is a private Tor relay outside the hostile nation. From the observer's perspective, all they see is you always connecting to one foreign server (grossly simplified).
Much will depend on the country, what the threat is, what possible consequences would come from it being easily identified that you are using GrapheneOS and/or Tor etc. In many countries there will be limited or no consequences.
Yup. In many nations GOS is perfectly fine with no issue. In many others it will only become an issue if the government wants to fuck with you. In others, mere possession is liable to get you in big trouble.
GrapheneOS is not just a tool utilized by dissidents or people with dubious intents. It's used by all kinds of people who value their privacy. We are aware of companies that have adopted GrapheneOS for their employees, many people who work in different kinds of computer security roles run it on their phones, people who work in government, lawyers, and many 'normal' people who just think devices should provide better privacy.
I agree. Personally I want GOS to gain widespread adoption and think it should be basically the default smartphone standard.
In reality it is used by less than a million people worldwide. Most of those users are also intel targets for various reasons. Lawyers, computer security specialists, business people, journalists, politicians, etc are all targets. When an Intel agency is deciding how to dedicate their resources, use of GOS will on its own make someone a higher priority. And the user base is currently small enough to make that a viable discrimination step.
yore I've never heard of this before. Do you have an example of countries that practice this?
The PRC for one. In India using an encryption key with more than 40 bits of key length is another.
Vietnam technically requires you to tell the government that you are using GOS with failure to do so being a crime.
Morocco requires that you declare you are carrying an encrypted phone, but will issue you an import license without too much trouble.
As always, consult a legal professional/do your own research before traveling internationally with an encrypted device.
Note that there is also the law on paper and the law as the average tourist will experience it.
The laws around encryption and encrypted technologies are highly complex, annoying, variable, and inconsistent. For example, the use of an encrypted phone will double many criminal penalties in France.
JollyRancher Morocco requires that you declare you are carrying an encrypted phone, but will issue you an import license without too much trouble.
Everybody who visits Morocco with an iPhone or any Android phone declares an encrypted phone and receives an import license?
de0u Everybody who visits Morocco with an iPhone or any Android phone declares an encrypted phone and receives an import license?
JollyRancher Note that there is also the law on paper and the law as the average tourist will experience it.
Some American tourist visiting Morocco for a few weeks with an iPhone (or any other smartphone) is highly unlikely to have issues. Regardless of the law on paper. That same tourist pisses off law enforcement and they decide to punish them? Have some charges for illegally importing an encrypted device.
Traveling as a private individual or agent of a corporate can also change the legal analysis.
JollyRancher The network connection itself won't give you away.
I was talking about the servers your phone connects to as you go on to mention.
JollyRancher Most of those users are also intel targets for various reasons. Lawyers, computer security specialists, business people, journalists, politicians, etc are all targets
I would suggest that not all of these will be targets; there's a whole load of journalists, lawyers and business people in the world who would be entirely uninteresting to intelligence agencies.
JollyRancher When an Intel agency is deciding how to dedicate their resources, use of GOS will on its own make someone a higher priority
You talk as if this is a certainty. Intelligence agencies do not have endless resources. Priority for resource dedication will almost certainly be weighted much more heavily based upon other criteria such as job, contacts, intelligence reports about the individual etc.
I jumped in to comment as some of the advice you have given appears suitable for someone who is at very high risk and you didn't really communicate that was the case.
Ideally an individual should spend some time threat modelling so they can adopt a well reasoned security posture.
Your advice could easily scare some people away from using GrapheneOS when in reality many individuals will see no downsides from using it. I live in a country where most people residing here are relatively safe from state repression. I used to roll my eyes when, following the Snowden revelations, I talked to 'low risk' people about the importance of widespread end to end encrypted communications and they told me that using such tech would put you on an intelligence agency watch list.
Now we see intelligence agencies recommending widespread use of end to end encrypted communications.
Carlos-Anso I would suggest that not all of these will be targets; there's a whole load of journalists, lawyers and business people in the world who would be entirely uninteresting to intelligence agencies.
Yes, there are. Without knowing the specifics of an individual's situation it isn't possible to accurately articulate their threat model or what mitigations they should use.
The OP, however, said that he is going to another nation, fears that his phone will be seized, and that his associates are part of a politically disfavored group.
Crossing a border, on its own, gets someone run through automated intel checks. Nations also have lists of foreign nationals that are considered persons of interest and those lists are very large.
Who you work for. Where you live. Who your kids go to school with. Who your cousin's neighbor is.
Social media has made it very easy for intelligence agencies to develop relationship trees and design highly sophisticated attacks. The use of data mining algorithms and the reduced cost of computing power have made this even more true.
A foreign national in your nation using GOS is going to be a minuscule subset of the population. Device information sufficient to identify the device on the cell network is trivial to get. That data then goes into automated systems that record the device's interactions with the telecom system. And then relationship maps are built.
Carlos-Anso You talk as if this is a certainty. Intelligence agencies do not have endless resources. Priority for resource dedication will almost certainly be weighted much more heavily based upon other criteria such as job, contacts, intelligence reports about the individual etc.
Yup. Depends on the nation and the circumstances. But without more information from the OP (which he shouldn't provide), it is impossible to refine the threat model for him so you assume the worst.
I jumped in to comment as some of the advice you have given appears suitable for someone who is at very high risk and you didn't really communicate that was the case.
Ideally an individual should spend some time threat modelling so they can adopt a well reasoned security posture.
Your advice could easily scare some people away from using GrapheneOS when in reality many individuals will see no downsides from using it. I live in a country where most people residing here are relatively safe from state repression. I used to roll my eyes when, following the Snowden revelations, I talked to 'low risk' people about the importance of widespread end to end encrypted communications and they told me that using such tech would put you on an intelligence agency watch list.
Now we see intelligence agencies recommending widespread use of end to end encrypted communications.
I would love to see widespread adoption of GOS, for a number of reasons.
It also provides the most physically secure compute devices reasonably accessible to the general public.
A GOS Pixel 9 with USB access set to charging only and a high entropy password will render the data on the device utterly secure as a practical matter. If your priority is the security of the physical device itself then there is nothing better.
GOS, on its own, doesn't really do anything more than that though. Allowing people who seem to be relying on it as some kind of general magical bullet for a secure smartphone setup when the expected opposition is a nation state to maintain the belief is dangerous though.
Carlos-Anso Now we see intelligence agencies recommending widespread use of end to end encrypted communications.
A case of, the enemy of my enemy is my friend.... not so much wanting Joe Public to widely use encryption on a daily basis for themselves, but for Joe Public to use encryption, not knowing the unintentional repercussion to stymie foreign governments' interference with domestic affairs.
JollyRancher A GOS Pixel 9 with USB access set to charging only and a high entropy password will render the data on the device utterly secure as a practical matter. If your priority is the security of the physical device itself then there is nothing better.
GOS, on its own, doesn't really do anything more than that though.
I don't agree. I believe GrapheneOS provides non-trivial exploitation against remote exploits too, for example:
- hardened memory allocator, both kernel and user-space,
- increased control-flow integrity,
- hardened browser,
- greatly hardened PDF renderer,
- in practice, GrapheneOS is typically the fastest way to get Google's official patches, including for remote exploits,
- GrapheneOS finds and fixes some vulnerabilities before Google does (e.g., fetching keys from RAM during reboot)
JollyRancher Allowing people who seem to be relying on it as some kind of general magical bullet for a secure smartphone setup when the expected opposition is a nation state to maintain the belief is dangerous though.
I agree that there are a lot of people seeking a magic anonymity shield, and GrapheneOS isn't that, not even with a "non-KYC data-only SIM".
I think:
- If you run GrapheneOS the data on the device are fairly likely secure against fairly-well-resourced attackers (but maybe not nation-state-level attackers),
- If you run GrapheneOS and don't run Google apps then you have a lot of privacy versus Google,
- If you run GrapheneOS and don't run Meta apps then you have a lot of privacy versus Meta,
- If you run GrapheneOS and don't turn the cellular modem on then you have a lot of privacy versus cellular carriers.
But if you install Amazon's Kindle app (or Facebook, or Snapchat, etc.) and provide the app with behavioral data about yourself, the servers at the other end of the network will figure out who you are, at least well enough to show you ads that seem creepily relevant. Installing GrapheneOS doesn't transform privacy-invasive apps into privacy-respecting apps.