Option to hide GrapheneOs logo on startup

Boyz

_ For privacy reasons it would be better to be able to have an option to hide the grapheneOS logo when the device starts .

_ As well as the possibility of configuring a constraint password putting the device in bfu mode and possibly allowing an SMS to be sent to certain of our contacts by SMS indicating that your device is probably no longer secure.

Xtreix

Boyz For privacy reasons it would be better to be able to have an option to hide the grapheneOS logo when the device starts .

This has already been discussed several times, hiding the GrapheneOS logo is not a privacy feature, it's not planned at all and many users want to see the logo at startup.

Boyz _ As well as the possibility of configuring a constraint password putting the device in bfu mode and possibly allowing an SMS to be sent to certain of our contacts by SMS indicating that your device is probably no longer secure.

GraphenOS supports duress passwords in settings > security and privacy > device unlock >duress password. GrapheneOS uses automatic reboot in settings > security and privacy > exploit protection > automatic reboot, If the device has not been unlocked within this time lapse, it will restart to return to BFU mode.

Sending SMS is not private and secure and let's say the device is compromised, I doubt very much that a remote person could do anything about it. GrapheneOS uses a verified boot and protects itself well against persistence, reboot the device if you think something is wrong.

other8026

Boyz as Xtreix mentioned, this has been discussed many times. Here's a thread where it was discussed a lot: https://discuss.grapheneos.org/d/4335-remove-your-phone-is-loading-different-os-remove-google-logo-in-startup/27. You can look through that thread to see what others have said, but I directly linked to a response by someone using the project account.

DeletedUser227

Boyz I think putting device in BFU by long pressing power button and powering it off is quicker than having to enter password and it is already provided by OS. In case your device gets taken while in AFU, you can set auto reboot to a short period of time like 30 minutes.

Regarding the distress SMS, what would be the trigger of such message? Also this likely requires accessibility access and/or deep system integration (i.e. privileged access) so not so easy to implement.

In any case device in AFU is still very secure and in BFU as secure as it can get, still leagues above other comparable android devices. With USB use turned off all anyone can do with it is a factory reset so your data won't get accessed.

GrapheneOS logo perhaps can be hidden but the message about different OS loading is linked to verified boot, that will still hint at custom OS.

I would like to explore your privacy reasons for these, perhaps we can bring up a more tailored solution.

Murcielago

Although I understand the basic idea, I personally think it is of little value to hide the GrapheneOS logo on boot (personal side note: I would rather like to remove the Google logo):

Besides the arguments already mentioned by Xtreix and other8026 : How often do you reboot your phone and especially how often do you reboot in public? Wouldn't you rather try to avoid that because you have to enter your long BFU password in front of prying eyes and/or surveillance cameras?

Boyz

Given that Grapheneos is increasingly seen as a tool for protect criminals I think an option allowing the user to hide the logo on startup is a good idea.
This could be an option for users wanting to hide it and yes it is written at boot that it is not the original OS but not explicitly that it is Grapheneos , I also think that the vast majority of people would not understand the meaning of the message indicating that we are not on the original operating system unless they have seen GrapheneOS logo appears after Google's

seryu9

Boyz

Boyz This could be an option for users wanting to hide it

While the GrapheneOS logo at boot is the most prominent indicator someone who can't unlock your phone can get that you're using GrapheneOS, it isn't necessarily the only one. Certain system notifications can appear on the lock screen in BFU mode which are labeled "GrapheneOS". For example, as I speak, Battery Saver mode shows such a notification on my phone with the Battery Saver logo left of text that says "GrapheneOS". Someone who really wants to know could also try plugging in a USB keyboard, and if it didn't work, that'd be a pretty strong indicator that the phone is on GrapheneOS.

With how many ways other than the logo that it's possible for someone determined to figure out that you're using GrapheneOS, the only real scenario I see hiding the logo would work is if someone wasn't determined to figure out in the first place, and was just glancing at your phone while you were powering it on. If I were worried about that, I'd probably just power on the phone in my pocket.

DeletedUser237

Boyz Given that Grapheneos is increasingly seen as a tool for protect criminals

Source please.

secrec

I don't know if this is still the case, but it used to be that you could drop a logo file into the [fake]sdcard and it would load that instead of the system logo. Encryption may have taken that option away though.

other8026

DeletedUser237 Source please.

It's a real narrative that some have tried to push. There's no doubt some criminals use GrapheneOS, but I get the feeling they're outnumbered by the rest of us. Anyone who spends some time in our community will find that average GrapheneOS users are simply people who care about their privacy and the security of their devices.

Murcielago

other8026

Well said. And where is light, there is also shadow.

DeletedUser237

other8026 Unfortunately this is a more common narrative and misconception that I see when it comes to many things security and privacy.. Especially if it is open source. Obviously as you noticed there definitely are some people who use GOS and do various illegal stuff but that does not mean the OS was made for them, and it should not be put with other "security focused" OSes aimed at criminals..

Unfortunately all it takes is few rumors here and there and "influencers" on YT and other social media quickly pick it up and spread this nonsense and for average Joe who does not have enough technical know how that's enough to buy it and spread further.. And the people in charge also rely on such people because they lack the knowledge and often the will to verify the claims..

This in the end hurts great open source projects and often scare away people from contributing.. Just my little rant about the current situation..

Xtreix

DeletedUser237 Yes, me too, it's not at all the first time I've read and heard these kinds of statements and pseudo-links between privacy tools and criminals. An effective riposte against this nonsense is simply to say that criminals use their cars, do their shopping etc. like us, they even breathe ! So it's clear that oxygen is widely used by criminals.

DeletedUser237

Xtreix Well yeah, every tool be it paid or not may be used by criminals (think cobalt strike) so while this is a crappy argument it unfortunately is easy to parrot, and again most people lack the knowledge to do their own research.. Not to mention that they often don't want to, it's on the internet so it must be true.

treenutz68

This seems like such a silly argument to have.

Obviously giving users the option to remove the GrapheneOS logo from startup could ONLY be potentially beneficial to their privacy. There is zero downside privacy/security risk to giving that option to a user.

Now, if devs think that removing the logo (or implementing a toggle) is too much dev work that isn't worth their time, that is a different story.

There is only potential upside to removing the logo and quite literally, zero downside.

Boyz

Yes, that's exactly what I thought, there are only privacy benefits and literally no downsides to enabling an option to hide the Grapheneos logo. I don't think it's a hard job for developers.
In states where censorship and repression are common, this could be a reason for suspicion of something to hide, given that it is the most private operating system.
To answer the fact that it would be possible to see that it is the GrapheneOS operating system by connecting by USB cable and going to the system logs of the device knowing that USB can be disabled in the options.
There is a big step between going to the phone logs in Bfu mode Or plugging it in and just turn on a phone and see GrapheneOS written in large letters

DeletedUser227

Boyz it has been said that regardless of boot animation, there are ways that will give you up as a GrapheneOS user without having to restart or unlock your device so why sweat it? There are no security improvements by removing boot logo and GrapheneOS will always put security first.

de0u

Boyz There is a big step between going to the phone logs in Bfu mode Or plugging it in and just turn on a phone and see GrapheneOS written in large letters

True, but there is only a small or medium step if the adversary sees the boot hash on the "other operating system" screen. Even if somebody catches only the first four digits or the last four, if those match the appropriate device signature on the GrapheneOS web site it's likely GrapheneOS -- likely enough to look into.

Murcielago

Stewart

I can understand and share your idea of achieving the best possible protection for let's say the journalist in your example. I just don't think that removing the logo will work as intended:

If a journalist's phone, for example, is restarted in the hands of the security forces,

Why would security forces voluntarily reboot a device in BFU (which would significantly worsen their ability to extract data from really any modern device) just to check if a GrapheneOS logo shows up on boot?

And even if it would be possible to remove the GrapheneOS logo an adversary's with the capacities the adversary you describe would probably know and look for other indicators, f.e. the boot hash, as de0u already pointed out.

If I were a torturer in a regime that doesn't respect human rights and knew that the duress password exists with GOS, I would have first tortured the journalist

We can discuss a lot in theory about what an imagery regime you outlined would do - but since there are other (albeit probably not so well implemented) ways to wipe a device (e.g. Wasted, removing a logo only protects the imaginary journalist from torture to a very limited extent: The adversary would have to assume that an app like the mentioned one is installed and torture him anyways.

Whereas if the logo was hidden and the journalist was forced to give the password, you'd think it was a bug, bad luck, etc. and it would be harder to prove that it was an option linked to an alternative operating system.

An experienced actor (especially one who is already looking for a GrapheneOS logo and therefore probably knows the CustomOS and its feature) will not suspect that this was just a bug.

GrapheneOS developers and moderators have stated various times that a secure wiped device and plausible deniability of that wipe are not possible with Duress PIN, see for example:

it would not be possible to hide from someone who is aware the feature exists, especially if they have physical access to the device for a prolonged amount of time.
The duress PIN/Password is meant to irrevocably wipe the device's contents. It's not meant to be stealthy. That's a goal that can't be meaningfully achieved.

source: https://discuss.grapheneos.org/d/17901-duress-pin-idea/5

and

As has been mentioned theres clearly a use [for Duress PIN] where the risks of an adversary gaining the data on the phone outweigh the risks from an adversary knowing youve destroyed all the data on the phone.
Also theres potential benefit to everyone who uses GrapheneOS even if they dont have Duress set. If an adversary knows that there could be a duress PIN or password set it acts as a deterrent against attempts to brute force the unlock PIN/pass.
Similarly could also potentially deter attempts to force someone to reveal their PIN/pass as it gives the potential for them to supply the Duress PIN/pass and cause irreversible data loss.

source: https://discuss.grapheneos.org/d/17901-duress-pin-idea/23

GrapheneOS features seem to aim at protecting device owners as much as possible against really capable adversaries.

For let's say simpler situations, like a random border control, I personally think there are perhaps better ways to superficially deceive an not so capable adversary than removing a CustomOS logo (maybe a well set up fake profile, for example).

pxlkng

Apps can easily detect that they are running on GrapheneOS (see hardware attestation)

Someone who has physical access to the device can easily detect it is GrapheneOS as well, no matter the boot logo.

GrapheneOS will not hide itself only because some falsely claim it would be a tool for criminals.

You should see the GrapheneOS logo at the startup as a reason for pride - for using likely the most secure mobile operating system and protecting your data.

Hiding it is merely privacy theater. It doesn't protect against a threat actor who really cares about you having GrapheneOS.