Thread dedicated to tips in order to increase privacy/security.

Hathaway_Noa

Please post your tips for more improvements for safe and privacy use on GrapheneOS, I had some in mind and please tell me if they're worth using or not.

Use a long and difficult password for your main (owner profile), this password will also be used to unlock your phone on reboot. However you can make another profile with a shorter and relatively more easier password in order to unlock your phone on use. It would be very inconvenient to unlock your phone every time with a 20+ difficult password. This way your encryption key is stored with a very hard password while maintaining a relatively friendly use of unlocking your phone during normal use.

Please post more tips here :).

bouledeneigeofff

Hathaway_Noa No matter how long the password is, the integrated titan m chip blocks login attempts

Wonderfall

Encryption keys are unique to each user profile on Android. In fact, the user profile encryption key is derived from multiple derivation factors, one being derived from the primary lock method of the profile, and another high-entropy one from the Titan M secure element (often called a Weaver token). Therefore you can use a rather "simple" lock method and yet benefit from a robust encryption.

The idea of using a long password/passphrase isn't bad if you choose not to rely on the Titan M. But most users should be fine relying on it and could use a randomly generated 6-8 digits PIN. Titan M protects against bruteforce attempts as documented here.

That, along with the auto-reboot feature set to 24 hours, is a pretty convenient way to improve the security of your data. Of course, you can use a long passphrase and set the auto-reboot to a shorter period if your threat model calls for it.

julian

Don't use your fingerprint to unlock your device. There's no way to ensure you're consenting to it on unlock, so you can be physically forced to use it to unlock your phone by the police or someone could unlock your phone in your sleep. It's also possible to get someone's fingerprint from a photo, as was done to Ursula von der Leyen, the German defence minister at the time and the current European Commission president, back in 2014: https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands.

A passcode, by contrast, is stored only in your head. Obviously you can physically convinced into giving it up, but it's not exactly legal for this to be done to you by the police or by anyone else. So unless you have dangerous enemies, a simple passcode should be able to protect you, as only you know it.

flawedworld

julian Note that the legal safeguards around biometrics vary between jurisdictions.

bouledeneigeofff

julian It is necessary to have a high sacramental threat model

Wonderfall

Don't use your fingerprint to unlock your device.

This might be true for some threat models, but honestly, a secondary lock method relying on biometrics is great to avoid shoulder surfing attacks. This means you don't have to risk exposing your primary lock method (a PIN for instance) in public. Something like IR face recognition (à la FaceID) would probably be better than relying on fingerprint as the software can detect if you're awake/alive, and is generally less prone to false positives (but at the cost of potentially being a less convenient solution particularly in the current times for obvious reasons).

GrapheneOS limits biometric authentication attempts compared to stock OS (to 5 attempts if I recall correctly). Furthermore, you can reboot your phone in situations where you feel you might be compelled to unlock your phone that way. Lockdown mode also helps, but rebooting is better as it puts all data back at rest. Or you can just intentionally fail the biometric authentication 5 times.

On another note, GrapheneOS also provides PIN scrambling to make the PIN lock method more resiliant to shoulder surfing (in several ways: finger oil on the screen, camera angles, etc.).

deign

Perhaps it's a feeling of familiarity; but I have bromite specifically to be my "google search widget."

With Incognito everything and a per page time zone with a SOCKS5 proxy to a VPN in Chicago/DFW depending on speed (latency, mainly)-- its perfect for those rando google queries crossing my mind that don't need any sort of persistent browsing or cookies.

I use Vanadium for 99.99% of my usual browsing involving history/whitelisting java/bookmarks and info saving (for certain websites).

A little bit of this, a little bit of that.

Dr-M

If you don't want to remember to use scrambledEXIF everytime you send images or you just want to verify metadata has been stripped before sending then use Signal. Send the images to yourself via Signal and save the images to your device. Signal automatically strips metadata when you send images. Now you can send that image a million times and never have to worry about leaking metadata by forgetting to send it via scrambledEXIF each time

[deleted]

Dr-M GrapheneOS Camera doesn't save EXIF metadata by default except for orientation which isn't identifying metadata. Screenshots on GrapheneOS don't include your build number or leak timezone via timestamp anymore in EXIF. There shouldn't be any more sources of EXIF metadata in our OS unless the user intentionally adds it such as editing an image.

Dr-M

[deleted] That's one of the reasons I love the GrapheneOS camera. However, the removal of metadata is useful for images not produced from the GrapheneOS camera. Some users install the Google camera and others receive images from people who aren't on GrapheneOS

Wonderfall

exif-eraser is what I use sometimes. The app is quite simple, works with no permissions and has a modern codebase.

Worth noting that many online platforms usually strip EXIF metadata upon uploading (for quite obvious reasons). As far as I know, Discord and Twitter strip EXIF data. So it's probably not worth the hassle to do that yourself every time, except if you appreciate the peace of mind granted by doing so.

Arnauld

Wonderfall Is it safe to install and use exif-eraser? Thank you.

Wonderfall

Arnauld The codebase is sane and the app has a modern approach to media permission. Whether it's safe or not depends on your criteria, but for me it is.

ayaen

If you use biometrics, be sure to put the device on lockdown mode when you are going to sleep.
Or have to take some sedatives and such. Or you're going to a party and expect to get hammered... I don't know-
Lockdown before the party?

FU6QydnIELkx

ayaen I look forward to the day when this is no longer necessary. Issue #28, which provides a proper solution to this, has been open for 6 years. I'm working on getting my skills up to scratch and I sincerely hope to tackle it if nobody else has by that time.

Hathaway_Noa

bouledeneigeofff What if the content of the phone gets copied on another device, is that possible? Which they then will bruteforce through forenstic tools.

[deleted]

Hathaway_Noa The Titan M stores the encryption keys and modern Android uses file-based encryption including metadata encryption. That isn't possible unless you have a critical Titan M exploit, which at that point you need to use 64 character diceware passphrases if you can't trust the Titan M.

See https://grapheneos.org/faq#encryption

bouledeneigeofff

[deleted] It's not a passphrase anymore but a novel lol