PIN Ordeal

Thank you for your response, GrapheneOS.

I must admit that given that my 2 other forum discussions have just been locked, perhaps what I've typed has offended one or more GrapheneOS folks. What can I type and/or do to try to repair the relationship? The "obvious" answer is "use the latest GrapheneOS," it seems, but that has challenges, which I'll explain later on.

In one of the now-locked topics, I was simply asking a question, then shared a self-answer, which someone else in the community liked, then a response from today seems to be that if I don't use the latest GrapheneOS version, I should not participate in the forum.

In another of the now-locked topics, I explained that I had indeed updated my GrapheneOS version to the latest one available for my device, which then involved obtaining the Google features via that latest GrapheneOS' Google-fetching features, but that Google Maps' Timeline feature still didn't work. Perhaps that was somehow unclear from my message.

Later in that same topic, I'm accused of going on an ignorant rant and attacking GrapheneOS and software developers without understanding how it works. Perhaps that response might be viewed in a different light, given the clarification of my previous paragraph, just above. I don't think that's a fair characterization.

I haven't intended to "attack" anyone. I'm unsure if some of the imagined possibilities I shared in the top message from today might have been offensive, but they weren't meant to be. I'm sure that many GrapheneOS users are distrustful of other parties: that's probably why they appreciate the efforts, time, and money spent by GrapheneOS folks towards extra privacy and security. The imaginary scenarios were intended to be aligned with other scenarios that I've read in other discussions. They weren't accusations, which is why I used the word "imagined." I appreciate your kind response ("no such thing") to one of them, which provides clarity for the community and for the curious.

I am a software developer, since roughly 1991. I am also a person who has major struggles with UI changes. I'm sure that there are many reasons for why much software these days mashes UI changes with security changes, but that causes me no end of grief. Please forgive me for occasionally voicing this concern to other software developers, at relevant times. Some day, maybe they'll be received well. I'd be delighted to enjoy the latest fruits of GrapheneOS, relative to security. Unfortunately, these do not appear to come separately from UI changes. (As an example, the unlock-code entry-dots are circles on my old GrapheneOS, but changed to pointy shapes in the latest Pixel 6a GrapheneOS in October.)

In response to "third party sourced Google Play apps": I've tried to clarify the situation, above: I did try the latest GrapheneOS and thus the latest Google Play software, in October. It didn't help Maps, so I reverted GrapheneOS.

I shared the timeline in today's first message. I disabled all Google items in either November or December. I do not perceive a relationship between that activity and my sudden grief 2 days ago, unless there was a ticking time-bomb or an exploit caused by those disabled apps.

I thought someone in the community here might respond with something like, "Ah yes, the old PIN screen with the weird count-down numbers. This is a known malware by celebrated hacker-group X and you've surely fallen victim to it, doubtless due to your old GrapheneOS version," or with something like, "Ah yes, looking carefully, I see that this fluctuating count-down timer is still the case, today. Neat! What a minor UI quirk, though." I'm sorry if this was perceived as a gripe about GrapheneOS: it wasn't.

In response to "Highly unlikely", as you doubtless known image-processing vulnerabilities come along, from time to time, and not even all that long ago. CVE-2023-41064 is a recent example for a different platform:

• https://nvd.nist.gov/vuln/detail/cve-2023-41064

So that imagined scenario was just a whimsical example. These imagined scenarios were just that: imagined and not projected as reality, nor accusatory of GrapheneOS incompetence.

In response to "used to having an insecure OS," what I'm used to is laptop and desktop and data-centre computers: having trust-keys on a chip, adjusted through a password-protected interface, where those keys are used to verify boot pay-loads, which then boot an OS which requests another password for LUKS-protected data. This is a clean separation between the data and the machine and so yes, the data can be placed into any other machine and accessed, if the data-password is known. If the "standard security model" (in the context of GrapheneOS and/or Android) is that the device should be a single point of failure for the accessibility of the data, then yes, I guess I'm not used to that.

Given some of the responses, it seems that I jumped into GrapheneOS too early: that is, I got used to the UI before backup/restore features were ironed out and now that they have been, I can't access those features without also confronting all the UI changes that will have come along for the ride.

Why are Androids and cellular telephones appearing to depart further and further from the laptop and desktop computer ecosystem, despite these former devices also being computers? I want my data to be conveniently accessible in a non-Android Linux. SeedVault only appears to have unofficial relatives for plain Linux. Why doesn't it produce a .tar.gz.gpg file, or some other format that standard Linux tools can manipulate with ease? Why does it require an already distrustful user to download unofficial software, in order to get at their precious data? Please note that I'm not actually asking this paragraph's questions with the hope of a response to them: they probably belong in a different topic after I am positioned to satisfy the "I'm using the latest GrapheneOS" condition. What I'm trying to do is to share context about the harsh score that I gave to SeedVault. I'm sure that SeedVault developers worked and continue to work very hard, and that their efforts are enjoyed by many or even most users. That's admirable. I wish it had worked well for my goals in its 2022 iteration.

About the secure element's retry-timer, after waiting more than 24 hours since my last attempt and trying again, the count of failed attempts has changed from 192 to 162 and the count-down message indicated that I ought to try again in "653 seconds." I took a picture. After waiting for that count-down to complete and after trying again, the message again noted "162 times" and to try again after 9XX seconds, but I didn't catch it with a picture. If it's true that the UI is reporting what the secure element reports, then perhaps this discrepancy can be explained by malware or perhaps it can be explained as unworthy of any attention because it's from a 2022 GrapheneOS version. I was expecting to be hindered by 1 attempt per day. Surely all of the newer GrapheneOS users having more than 140 attempts will be hindered at such a rate with clarity about that rate.

In an effort to foster a shared understanding of the recent responses to my attempts for discussion, would this be a fair notice for someone considering using GrapheneOS?:

Please note that it should be clear that GrapheneOS project participants (such as developers) have a focus on security and privacy, above all else; we're quite good at it and we certainly strive for it. Without infinite resources available to the project, the fact of the matter is that some considerations rank less than others, in priority. It's also unlikely that everyone can be satisfied by any project, so we make decisions about trade-offs and attention using our best judgment, which should go without saying.

For example, it's convenient for us to make releases in which security enhancements, privacy enhancements, feature enhancements, and user interface changes are all bundled together. The alternative strategy to release these subjects separately would be extremely cumbersome and complicated; you wouldn't enjoy it and we wouldn't enjoy it. We're always hoping to work for your best interests.

With this strategy, we expect, for example, that a tiny majority of GrapheneOS users might object to a seemingly trivial UI change, but still benefit from the overwhelming majority of the rest of the release. Some of our decisions are informed by considering the majority of users, as opposed to a tiny minority. Some UI changes are inherited by other parts of the Android ecosystem; outside of GrapheneOS efforts. If you are a person who suffers greatly from UI changes, GrapheneOS might not be the best choice for you. We know that some elderly folks and some folks having disabilities and even some other folks might be in such a situation. (You are unlikely to find a better alternative, though, elsewhere!)

Also, please keep in mind that sometimes updates don't always work as planned. Sometimes a bug might strike in even the largest crowd of software users. This possibility for GrapheneOS updates is no different than for any other software updates, although we don't find it likely.

If you do not keep up to date with GrapheneOS, not only do you expose yourself to historical risks that we address in our updates, but we're not interested in diverting resources to attend to the fall-out from your out-dated position. GrapheneOS participants want to maximize value.

NOTE: The above is not a quotation from any GrapheneOS project participant. It is imagined by me as the type of notice that might be fair to share with people who are interested in GrapheneOS.

Please try to read what I type with openness to charitable interpretations. I might not be an expert at writing frankly and leading to positive interpretations, such as light-hearted responses. I always hope for those, however. I apologize if what I typed included not-well-received criticism.

Cam: Where is my request for support, please?

yore: Thank you for your kind response.

In October, I took a SeedVault backup of my 2022-09 GrapheneOS, then updated GrapheneOS to the latest version, then attempted to restore that SeedVault backup. I've shared my disappointment about the results. My conclusion from this is that I started using GrapheneOS before its SeedVault backup was mature. ("Too early.") I also conclude from this that a "path" which might have "worked" would have been to have been updating, all along. If that path would have worked, I would conclude that GrapheneOS developers (along with many others) assume that this is the only legitimate path for everyone, but I'm personally aware of counter-examples and challenges to "always keeping all software up to date," including professionally. If only I had a nickel for every "2 steps forward, 1 step backward" update I've encountered, I'd be delighted.

I've seen the trend of "backwards compatibility is not important or too difficult; just keep updating" increase over the years. From my perspective, that attitude is conducive to planned obsolescence. I do not appreciate planned obsolescence. I recognize that there are economic incentives for planned obsolescence. I'm often challenged by those incentives.

My expectation for a well-designed OS is that with the exception of vulnerabilities (which are not relevant for a device which is not communicating with the rest of the world), once the OS and non-Internet-dependent apps are installed, what works at that point will work forever. (Until the hardware degrades or the electricity system changes.) Concern about incompatibility is not relevant for someone who does not update anything and who does not depend upon an external party, such as a party on the Internet. I'm not claiming to be in this position, but this is my expectation for good design.

[...] as they use their device OS as intended. [...]

It seems so automatic an assumption that "as intended" includes "keeping up to date." This wasn't always true.

I do not recall asking any developer to cater to my choices, in this topic. I tried to share a useful story involving GrapheneOS from my "user" perspective. I'm hopeful for compassion from developers with respect to some of the challenges. We often incorporate ramps for people who use wheelchairs, these days; seems like societal progress. Not all challenges are quite as obvious.

Lucario1829: Thank you for your sympathy. I hope the 2 recommendations are useful to readers:

1. Write down your PIN, in order to bisect between a "you problem" and an "it problem."
2. Back up your data frequently.

yore: How did you know my computer's OS?! 🔮🤯 (Just kidding.)

I respect your conversation-related decision. Good fortune to you!

n3t_admin:

wall of text that tells nothing.

What a nasty, dismissive thing to type to another human being.

You expected a device that relies SOLELY on software (not like your light bulb example) to function without updates.

Wrong. If you cannot refrain from making claims about another person's inner state, then I do not anticipate much fruit from our discussion. I do appreciate that you have spent some effort because it leaves open the possibility that you have tried to contribute value, but I'm concerned. Why not attempt to "steel-man" my position, in order to ensure that you understand it, instead of arguing against a "straw-man?"

You didn't update because you cared more about UI/UX than stability and security.

"Care" is not the word I would choose to use. I wouldn't tell a person in a wheel-chair that they cared more about remaining in their wheel-chair than taking the steps to get into the rampless library. This is one of my complaints: I continue to perceive few indicators that modern software developers will strive for high UI consistency and instead I perceive many indicators that modern software developers seem to think that UI changes are rather trivial: a matter of the user caring about them or not. These days, it's pretty much guaranteed that a person who has severe struggles with UI changes will be screwed over by updates.

I enjoy the terminology described here:

• https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/standard-terminology-software-updates

Somehow, that company has had enough resources to be able to keep new features and UI changes available separately from bug-fixes and security-fixes, for years. Yes, they also offer "bundling" them together, but they do offer them separately:

• https://www.catalog.update.microsoft.com/Search.aspx?q=security

One possible argument for bundling UI changes and security- and privacy-related changes together is, "We don't have the resources to keep them separate." (Including resources to scrutinize and/or reëngineer an "upstream" source.) Another argument is, "We don't have that discipline." I suspect that there are other arguments, too. As I typed in my third paragraph at the top of this discussion:

(A case of "beggars trying to be choosers," one could argue.)

(If only that was understood by readers as trying to temper complaint with appreciation.)

I've mentioned how GrapheneOS in October of 2022 had circles for the unlock character-entry and that GrapheneOS in September of 2024 (I've erroneously typed "October" of 2024, in at least one earlier message; even less than 2 years!) had pointy shapes. I wasn't the only person who noticed it:

• https://www.reddit.com/r/GooglePixel/comments/17yufkn/any_way_to_disable_pinentry_shapes/

That person expressed the opinion:

[...] but it's just weird.
[...]

Maybe for that person, it's just a matter of caring about it or not.

I wonder if there was some e-mail thread involving peer-review, somewhere near here:

• https://android.googlesource.com/platform/frameworks/base.git/+/beeabf4b129056da25c25d3b82ff79bc6883c123

If so, I wonder if in that peer-review, someone suggested that the UI difference should be explicitly opted into by users, instead of becoming the default. I wonder if the default in upstream Android is the same as the default in GrapheneOS, or if one or more GrapheneOS folks perceived this to be better for privacy, so it should be the new default for new GrapheneOS.

Which also coincides with my statement that you "didn't care about updates". At least not enough to understand their value?

What an uncharitable expression of an estimation of the intelligence of a participant in a discussion-forum for an operating system having an appeal to users who are interested in security. Thank you for using a question-mark, there.

You also pretty much literally said that developers pushing updates (for VERY good reason!) are, more or less, promoting planned obsolescence by doing so.

No, I did no such thing. Literacy is important. I had typed:

I've seen the trend of "backwards compatibility is not important or too difficult; just keep updating" increase over the years. From my perspective, that attitude is conducive to planned obsolescence.

I believe that there is a difference between promotion and compatibility. For example, given this premise:

There are no laws regulating the production of smog.

We can have a neutral result for smog:

Nobody produces smog because nobody likes smog.

Or we can have a promoted result for smog:

"What we all need is more smog! Let's get to it!"

The lack of law doesn't promote smog, but is conducive for the promoter. Consider this alternative:

There is a law which penalizes the production of smog.

This law is neither conducive to smog nor does it promote smog. Perhaps the distinction in my mind is akin to:

• https://en.wikipedia.org/wiki/Necessity_and_sufficiency

It might very well be the case that many software developers are engaged with planned obsolescence. It might very well be the case that few software developers are engaged with planned obsolescence. The reason I'm not making a claim is because I haven't met all software developers and because even if I had, I do not know what's inside the minds of all software developers. I refrain from making a claim about their inner state.

A side-note regarding literacy and making claims about others' minds: in another discussion, I've typed:

[...] software developers seem mostly ignorant of how UI changes are not universally desirable.

The word "seem" is important, there. It means I could be wrong about that ignorance, but have little indication to the contrary, so far. The word "mostly" is important, there. I am personally aware of software developers who care about a consistent user interface and I suspect there are more than I'm personally aware of. Most of my observations are inconsistent with "consistent UI" and those observations appear to be ramping up, over the years.

Your "expectation" of a well designed OS also doesn't make any sense. Sooner or later the bundled certificates will expire and you will have similar problems if you don't update the OS.

Did you read this part?:

non-Internet-dependent apps are installed, [...] Concern about incompatibility is not relevant for someone who does not update anything and who does not depend upon an external party, such as a party on the Internet.

Which certificates are you imagining being used by a static set of apps and without a relationship to the Internet? Are the apps themselves signed with expiring certificates and cannot be launched after a certain date without adjusting one's clock? If apps are signed with expiring certificates, is that conducive to planned obsolescence or an impediment to planned obsolescence? 🤔

Skorp: Thank you for your obviously kind and intelligent response. It is most refreshing. It is clear that you have attempted to "steel-man" my position.

The “update or bust” approach fosters planned obsolescence.

Not quite. My position is that I do not (yet) perceive measures to actively combat planned obsolescence, nor do I perceive October 2022 through September 2024 to be particularly welcoming timeline for dropping compatibility for the GrapheneOS-server-hosted Google-feature-fetching service that worked in October 2022. I would use the word "permits," as opposed to "fosters."

For the former: I believe that we can all agree that there is at least one company who is both interested in making profits and a contributor to Android. (I have worked for one such company as I'm sure others have, but I do not represent that company at any time nor in any manner; expressed opinions are entirely my own.) I believe we can all agree that there are at least some incentives for such a company to engage with planned obsolescence; whether or not such engagement is true is not a claim I'm making, here. I believe we can all agree that GrapheneOS derives from Android. Thus, if we contemplate whether or not GrapheneOS might be less likely to have any planned obsolescence than that upstream itself has, my answer is, "No, not without particular efforts on the part of GrapheneOS to undo any inherited planned obsolescence."

For the latter, if we contemplate whether or not GrapheneOS itself has incentives towards planned obsolescence, I have speculated that "dropping support for an old thing is a method to force users into updating, which is in their best interests, anyway" is a possible incentive. I do not know why the Google-feature-fetching service of October 2022 didn't work in September 2024, nor am I entitled to demand to know, but there is certainly an invitation for explanation, including a rejection of that possible incentive. (I shared an alternative explanation, too, instead of accusing.)

A month less than 2 years to drop the aforementioned service probably seems like an eternity to many readers, but it doesn't seem like very long, to me. This is one of the shortest compatibility time-windows that I've encountered. I'm simply expressing, "that was surprising and unfortunate to discover, in September 2024."

Why, it might even be nice if the Google-feature-fetching feature was capable of fetching the Google features online, then making a file from those that could be backed up and restored, entirely offline, after a factory-reset. Since I have not yet fully explored newer GrapheneOS, I have no idea if such a feature has already been implemented, after October 2022.

The assumption that if you never update your system or your apps, “what worked once should always work,” so long as you do not rely on new server features.

This is almost my position. My position is that it's a pleasant affair when everything that works on an "airgapped" computer today works on that same "airgapped" computer in many years. (So far, I have some computers at 24 years, which are actually faster than 24 years ago, due to modern hardware.) Before I updated GrapheneOS in September 2024, I wasn't able to take a "snapshot" of my older GrapheneOS, for roll-back purposes. This was disappointing. When I tried to reässemble to approximate my previous state, I discovered the October 2022 Google-feature-fetching service had been dropped. This was also disappointing. Perhaps an alternative would have been to've had 2 Google Pixel 6a cellular telephones and use one of them for testing, but I was unfortunately not in that position.

Backing up, restoring, rolling back have all been standard parts of my professional experiences. If GrapheneOS has such conveniences today, then it's simply unfortunate that they weren't available in the October 2022 iteration.

The idea that security updates and UI changes are always bundled together.

This seems true, relative to Android-based devices and the operating systems available for them.

You want an old TWRP-like dd approach for image backups.

Yes. I'm a user and I'd like to decide upon my different levels of security-concern. I'd like to be able to take a snapshot of the state of my device and be able to restore that state. DD is less expensive to me than getting a laboratory to physically remove my storage and make it accessible elsewhere, use electron tunneling microscopes (or whatever) to invade a Titan M2 chip for its keys. DD is less expensive to me than setting a broken phone down for a few years and then paying Cellebrite to invade and recover data from. Neither the lab nor Cellebrite will complain about my inability to use DD.

Modern phone apps/services change rapidly on the server side.

Yes, I know.

An old OS release inevitably breaks or cannot fetch new Google apps.

Being able to save one's state for restoring later on is helpful.

No project, especially a security-focused OS, can keep older Android versions patched forever. Once the official upstream stops delivering monthly patches for the OS or firmware, or once a release is years out of date, it is unsupported. That is not malicious, or “planned”, or fostering obsolescence; it is simply how open-source projects operate within practical resource constraints.

Nor should they, given the reality of limited resources. This isn't one of my hopes.

GrapheneOS servers in September of 2024 did not continue to support the Google-feature-fetching from October 2022. GrapheneOS of October 2022 did not permit storing fetched Google features in such a way that they could be restored. GrapheneOS of October 2022 did not permit a device-snapshot that could be restored. If any of these had been different, I would have no feedback to offer about my surprise regarding fetching Google features, in September 2024. I won't claim a conspiracy, but these certainly have the same effect as a ratchet that only moves in one direction.

The AOSP monthly security bulletins land on top of new releases that typically also tweak or rework parts of the UI. GrapheneOS can patch or strip certain parts, but it cannot easily “freeze” every single UI aspect while merging everything else. It is an infeasible expectation.

I do not hold such an expectation. I'm trying to apply pressure and raise more awareness about a subset of users. I'll type a third time:

(A case of "beggars trying to be choosers," one could argue.)

Moving on:

The methods and tools like TWRP and dd backups are inherently at odds with a mobile OS and device with locked-down firmware, verified boot, a hardware-backed keystore, etc. It would undermine secure/verified boot and hardware-bound encryption keys. It is simply a different (better) design from a security perspective.

I disagree. It's always possible that my understanding could improve, based on discussion. I have read nothing persuasive, so far.

There is a time after I purchase the device in which the device trusts that I am the owner of the device. As I've mentioned in an earlier message, I should be able to examine the chain of trust for firmware, booting, kernel, and other software, then replace any of these components with my own chain of trust and with my own verifiable counterparts. This is "better security" than leaving things as is (from my perspective) because assuming that I trust the hardware to do its job, then removing keys other than my own impedes interference from the original key-holders: the "supply chain."

"But you surely don't have the resources to sign and deploy all important security-updates, so you'll quickly fall behind," one might argue. I'd rather have the choice and be the judge.

I wish I was able to sign my own boot-loader, then boot if from firmware that only trusts my key(s), then sign my own TWRP-alike, then boot it from that boot-loader that only trusts my key(s), then use DD to make a copy of the disk. That's with respect to:

[...] locked-down firmware, verified boot, [...] It would undermine secure/verified boot [...]

Now regarding:

[...] a hardware-backed keystore, [...] hardware-bound encryption keys. [...]

I agree that it is true that these security-contexts exist:

1. A case in which it is better for particular data to be permanently lost than risk ever being recovered by an unauthorized party. Time might be of the essence to eliminate that data, too. Some such cases might involve "duress."
2. A case in which it is useful to make unauthorized data-recovery very expensive. With a dd copy of data encrypted by a few numeric digits' worth of entropy, that copy can be brute-forced very quickly. If that data is encrypted with much more sensible entropy, then it can't. Storing such a sensible key in "secure element" hardware & software can help to balloon the expense, including the retry-timer feature.

I'd argue that "(better) design from a security perspective" can be debated.

I believe that having different security-levels for different data is part of good design. I believe that a singular "all or nothing" level ("one size fits all") is not particularly good design. I have stored and recently lost access to family pictures. (Once again, it's my own fault for not backing up more frequently.) I'd've been happy to've encrypted these with a few numeric digits' worth of entropy and to've been able to brute-force eventual access, along with everyone else in the world who might gain physical access to the device or to a dd copy. (Please see earlier "SuperSecret" message, regarding different levels.)

I believe that "air-gapped" is a better security position than "connected to the Internet and/or to cellular telephony providers." I would consider it unwise to work with the most sensitive data in the latter contexts. The frequency of security-patches "says it all," to me: a "game of cat and mouse" is not really a game worth playing. I believe that "losing all of one's data or paying Huge... Sums of Money to get it" and "0-day exploits in which an unauthorized party gains all of one's data" is not ideal for all "security-levels." Again, no recovery-lab would complain about the former. No hacker-thief will complain about the latter.

None of this includes any comments on your "inner-state"

Your civility is very much appreciated and demonstrative of leading by example. Thank you, @Skorp. 👍