Setting up a secondary passcode that opens a dummy profile

The US is checking people's devices and denying them entrance for having content on their phone deemed critical of Trump, or for storing legal photos of Muslim leaders. This is a purely objective post. I am not here talking about what's right or wrong. However, this is invading a person's privacy.
A feature that creates a secondary passcode (fingerprint, password, pattern...) to open a dummy profile in Android would be useful to protect against this.

    GrouchyGrape This post mainly focuses on the feature, and that is an example of where this feature could be a benefit.
    However for your question:
    https://www.newsweek.com/french-scientist-banned-us-entry-messages-trump-2047549
    https://www.lemonde.fr/en/international/article/2025/03/22/how-a-french-researcher-being-refused-entry-to-the-us-turned-into-a-diplomatic-mess_6739415_4.html
    https://www.nytimes.com/2025/03/21/world/europe/us-france-scientist-entry-trump.html
    "U.S. authorities saw these messages as "hate and conspiracy messages," which prompted an FBI investigation that was later dropped. However, the researcher was sent back to France."
    https://edition.cnn.com/2025/03/17/us/brown-university-doctor-deported-hnk/index.html
    https://www.politico.com/news/2025/03/17/rasha-alawieh-deportation-026038

    You have zero privacy crossing national borders and if you aren't a citizen (or at least a legal permanent resident), zero right of entry.

    In the case you are talking about, an individual thought it was a good idea to express support for someone that the US considers a terrorist and an organization that the US government considers a hostile foreign power. When the US government became aware of this, they refused her entry to the US.

    Bluntly, if you are in any nation on a temporary basis (and generally if you aren't a citizen of that nation) then you basically have zero rights. At an absolute minimum the government can put you on a plane and send you back to whatever nation you are a citizen of basically on a whim.

    If you aren't willing to provide full access to everything on any electronic device you are taking across a border, then don't assume that you will be allowed to cross that border.

    Encrypted cloud backups are your friend. And personally, I won't cross a border with anything but a mainstream, vanilla, device that has been factory reset before the crossing and will be factory reset after the crossing.

    If you need a secure phone in a specific country on a regular basis, buy a Pixel in another country (ideally the US directly from Google paid for via shell company and shipped to a short term shady rental), bring it across the border in a vanilla state, load GOS onto it in the country in question, and store it in a safe deposit box in said country when you leave. Using a unique, strong, password of course. Transfer any data you need to/from the phone via secure, encrypted, connection to your own server.

    If hostile nation states (especially the US) are part of your threat model then mitigating the threat(s) is going to be expensive, complicated, and inconvenient. Especially when you are under the physical jurisdiction and control of the US government. A "dummy profile" wouldn't really help.

      JollyRancher
      That is a very comprehensive approach to security. Thanks for the well thought out response. However, I think there is still a threat model where this type of activity may make sense. For instance, if you have a device on you with content that you do not want to be seen (maybe contact information for a sensitive contact or email from activist groups) and you only need the device to stand up to a small amount of scrutiny (like a traffic stop, or stop and frisk), then a secondary profile may be the fastest way to end the encounter.

      It seems like there are maybe multiple threat models being worked out here. One for international travel where you have some time to perform a full wipe and one where you have much less time before you have to hand your device over for a quick inspection. That said, the secondary profile will not stand up against any serious forensic tools often used to search devices.

        propsecprv2

        Yes, different circumstances require different approaches to solve.

        For example, being a US citizen with a very competent legal team on retainer and the resources to fight a case to the US Supreme Court if necessary, my use of GOS with a strong password and (relatively) simple opsec are enough that I have nothing to worry about if US law enforcement (local, state, or federal) seize my phone and I refuse to provide them any information to access it. Law enforcement likely wouldn't even try to compel me to provide access or use that refusal against me because I have the resources to fight the case all the way and they don't want to risk (from their perspective) bad precedent.

        Contrast that with an individual in the US on a tourist visa. If you refuse to cooperate then, at a minimum, you will just be kicked out of the US and back to your home country.

        Dummy profiles would be nice, but what they won't do is help you against anything but a casual examination.

        If law enforcement is looking at your phone then you are already in deep shit. You have already gained law enforcement attention, you have already provided probable cause, and you are essentially already compromised. In spy terms, you are already burned.

        GOS might mean you just get booted out of the country instead of doing jail time, or that you are only facing a few years in prison as opposed to life but you have generally already fucked up beyond the point a dummy profile would really help you.

        What would be nice is a duress pin feature that would wipe a private space without leaving any forensic evidence that it was there in the first place. Or wipe specific files/folders similarly tracelessly from a profile.

        Apparently that isn't actually possible/practical though.

          JollyRancher
          These are all good points. Thanks for your insightful response. I take from your message that this function is not possible? The creating of a dummy profile? I agree with your analysis of the threat model posed; I'm just trying to get a handle on the full functionality of the OS.

          More specifically, you have laid out a pretty compelling opsec process for securing your device. Do you know if someone has documented how to do the kind of restore you are talking about? I have read that Seedvault is sometimes not reliable. To be clear, what I am interested in is the scenario you describe where you get across a border with your vanilla phone and now want to restore your backup to bring it back up to a fully configured device while you are traveling. Can you point to some posts or some documentation that can walk a new user (that's me, I'm new to GrapheneOS) through the process of doing that?

          I am getting ready for international travel in the next couple of months and want to be able to do exactly what you described. I want to do a couple of dry runs before I hit the road.

            propsecprv2

            That depends on what you want.

            There isn't any really good way to image a GOS phone and restore that image (although it would be really nice).

            How long are you going to be overseas? Is it basic tourism or something legally dubious? Are you likely to get on (or already be on) watch lists? What functionality do you want while traveling? What level of technical ability do you have? What level of resources are you willing to invest?

            I mean you could make a Cryptomator archive containing a KeePass vault, Obtainium export for all the apps you want, Signal backup, etc. Then host it on Proton Drive and email the drive link to a throwaway email. Once GOS is installed, access the throwaway email to get the link, download the encrypted archive, reinstall your apps/restore backups, etc. Do the reverse before you leave.

            That will be more than sufficient for most people.

            userA No, it would not. Your assumption is that when someone would ask for your phone and unlock code for it, they'd be 'fooled' with a fake profile. But it is clearly visible that you have more than one profile and you can't exclude that once they started doing such checks they will not be thorough and knowledgeable.

              Some good conversations emerged here. The dummy profile functionality would obviously not provide any use, if the law enforcement has your attention. Once they have your device, you're pretty much compromised.
              Its purpose is to not draw any attention while on a quick inspection without having to wipe the data.

                0xsigsev This is merely a question of how you would design the profile. Ideally it would be an exact copy of the regular UI. It would have its own storage, and you could set it up to seem real (set up apps and regular files).

                  userA Its purpose is to not draw any attention while on a quick inspection without having to wipe the data.

                  Not sure how often you travel so maybe you have different experience, but standing out from the crowd will attract unwanted attention during such inspection... Dummy empty profile screams I want to hide something.

                  userA This is merely a question of how you would design the profile.

                  The sole fact you have separate profiles would raise an eyebrow and people would start asking questions. There's a separate thread about this very same case, my response was bring a dumb travel phone without any of your data just to be able to be in touch with people. Much better approach imho.

                  I feel like it kind of matters also how often this is happening.

                  If it for some reason becomes a common occurrence that someone takes a look at your gallery or something like that if you travel to a country for a vacation, then I feel like there would be a huge need for this.

                  If this is something happening to people who are already "targeted" anyway, then this feature would probably not be that useful.

                  (Since in the first case the chance for it to work would be much higher, in the second case I assume someone would take a better look at everything)

                  edit:
                  But also I just thought, this is already kind of implemented. I mean the owner profile is basically this. Turn off switching user profiles, and it does not even show that you have multiple profiles.
                  And then just have the apps have some data by using them a bit and stuff. And you basically have exactly that.
                  Edit2: basically the only thing missing is an option to hide the setting with the multiple users in the owner profile.

                  I think a dummy profile would be useful as a quick way to try to evade a problem. It wouldn't work for a forensic computer specialist, but there aren't tons of those on-site.

                  axino rebooted a GOS phone

                  They'd not, not on purpose at least. When they take your phone for a screening they (should) follow a list of things they're supposed to check and/or do. And reboot would not be one of them.

                  If by accident. They'd not know what is happening, but it would definitely raise suspicion and it would cause further issues for you.

                  Why would anyone with sensitive data keep it on their phone and then carry it about, I would distance myself from it, fast as possible. The last thing I would do is decide to cross a national border with it still in my phone... D'oh.
                  I can factory reset my phone and be back up and running where I left off within 10-20 minutes.
                  Nothing gets stored on my phone. If it's worth keeping, it's off my phone and stored securely immediately.

                    area51 Why would anyone with sensitive data keep it on their phone

                    Because some believe it is more secure than storing it elsewhere. It may be true in some cases, but I agree with you. The only 'sensitive/important' data I keep on my phone are pictures, my bank account and communication related data. In the end this is a tool like any other I use, and I use it according to its capabilities/features. I also secure it and take care of it as I would with any other piece of tool I depend on.

                      0xsigsev Because some believe it is more secure than storing it elsewhere.

                      Keep it secure and "airgap" myself from it, now that's secure; secure and in my pocket, that's dumb.
                      The official at the border states "open your phone", you refuse, play out the unravelling scenario in your head... Gaining entry to the country is not one of the available options,