Setting up a secondary passcode that opens a dummy profile

You have zero privacy crossing national borders and if you aren't a citizen (or at least a legal permanent resident), zero right of entry.

In the case you are talking about, an individual thought it was a good idea to express support for someone that the US considers a terrorist and an organization that the us government considers a hostile foreign power. When the US government became aware of this, they refused her entry to the US.

Bluntly, if you are in any nation on a temporary basis (and generally if you aren't a citizen of that nation) then you basically have zero rights. At an absolute minimum the government can put you on a plane and send you back to whatever nation you are a citizen of basically on whim.

If you aren't willing to provide full access to everything on any electronic device you are taking across a border, then don't assume that you will be allowed to cross that border.

Encrypted cloud backups are your friend. And personally, I won't cross a border with anything but a mainstream, vanilla, device that has been factory reset before the crossing and will be factory reset after the crossing.

If you need a secure phone in a specific country on a regular basis, buy a Pixel in another country (ideally the US directly from Google paid for via shell company and shipped to a short term shady rental), bring it across the border in a vanilla state, load GOS onto it in the country in question, and store it in a safe deposit box in said country when you leave. Using a unique, strong, password of course. Transfer any data you need to/from the phone via secure, encrypted, connection to your own server.

If hostile nation states (especially the US) are part of your threat model then mitigating the threat(s) is going to be expensive, complicated, and inconvenient. Especially when you are under the physical jurisdiction and control of the US government. A "dummy profile" wouldn't really help.

JollyRancher
That is a very comprehensive approach to security. Thanks for well thought out response. However, i think there is still a threat model where this type of activity may make sense. For instance, if you have a device on you with content that you do not want to be seen (maybe contact information for a sensitive contact or email from activist groups) and you only need the device to stand up to a small amount of scrutiny (like a traffic stop, or stop and frisk) than a secondary profile maybe the fastest way to end the encounter.

it seems like there are maybe multiple threat models being worked out here. One for international travel where you have some time to perform a full wipe and one where you have much less time before you have to hand your device over for a quick inspection. That said, the secondary profile will not stand up against any serious forensic tools often used to search devices.

propsecprv2

Yes, different circumstances require different approaches to solve.

For example, being a US citizen with a very competent legal team in retainer and the resources to fight a case to the US Supreme Court if necessary my use of GOS with a strong password and (relatively) simple opsec are enough that I have nothing to worry about if US law enforcement (local, state, or federal) seize my phone and I refuse to provide them any information to access it. Law enforcement likely wouldn't even try to compel me to provide access or use that refusal against me because I have the resources to fight the case all the way and they don't want to risk (from their perspective) bad precedent.

Contrast that with an individual in the US on a tourist visa. If you refuse to cooperate then, at a minimum, you will just be kicked out of the US and back to your home country.

Dummy profiles would be nice, but what they won't do is help you against anything but a casual examination.

If law enforcement is looking at your phone then you are already in deep shit. You have already gained law enforcement attention, you have already provided probable cause, and you are essentially already compromised. In spy terms, you are already burned.

GOS might mean you just get booted out of the country instead of doing jail time, or that you are only facing a few years in prison as opposed to life but you have generally already fucked up beyond the point a dummy profile would really help you.

What would be nice is a duress pin feature that would wipe a private space without leaving any forensic evidence that it was there in the first place. Or wipe specific files/folders similarly tracelessly from a profile.

Apparently that isn't actually possible/practical though.

JollyRancher
These are all good points. Thanks for your insightful response. I take from your message that this function is not possible? The creating of a dummy profile? I agree with your analysis of the threat model posed just trying to get a handle on the full functionality of the os.

More specifically, you have laid out a pretty compelling opsec process for securing your device. Do you know if someone has documented how to do the kind of restore you are talking about. I have read that seedvault is sometimes not reliable. To be clear, what I am interested in is the scenario you describe where you get accross a border with your vanilla phone and now want to restore your back up to bring it back up to a fully configured device while you are traveling. Can you point to some posts of some documentation that can walk a new user (thats me, Im new to grapheneOS) through the process of doing that.

I am getting ready for international travel in the next couple of months and want to be able to do exactly what you described. I want to do a couple of dry runs before I hit the road.

propsecprv2

That depends on what you want.

There isn't any really good way to image a GOS phone and restore that image (although it would be really nice).

How long are you going to be overseas? Is it basic tourism or something legally dubious? Are you likely to get on (or already be on) watch lists? What functionality do you want while traveling? What level of technical ability do you have? What level of resources are you willing to invest?

I mean you could make a Cryptomator archive containing a KeePass vault, Obtanium export for all the apps you want, Signal backup, etc. Then host it on Proton Drive and email the drive link to a throw away email. Once GOS is installed, access the throw away email to get the link, download the encrypted archive, reinstall your apps/restore backups, etc. Do the reverse before you leave.

That will be more than sufficient for most people.

userA No it would not. Your assumption is that when someone would ask for your phone and unlock code for it, is they they'd be 'fooled' with fake profile. But it is clearly visible that you have more than one profile and you can't exclude that once they started doing such checks they will not be thorough and knowledgeable.

I think a dummy profile would be useful as a quick way to try to evade a problem. It wouldn't work for a forensic computer specialist, but there aren't tons of those on-site.

JollyRancher If a USA entry agent rebooted a GOS phone and saw the yellow error message, how may they react? Best guess, of course.

axino rebooted a GOS phone

They'd not, not on purpose at least. When they take your phone for a screening they (should) follow a list of things they're supposed to check and/or do. And reboot would not be one of them.

If by accident. They'd not know what is happening, but it would definitely raise suspicion and it would cause further issues for you.

Why would anyone with sensitive data keep it on their phone and then carry it about, I would distance myself from it, fast as possible. The last thing I would do is decide to cross a national border with it still in my phone... D'oh.
I can factory reset my phone and be back up and running where I left off within 10-20 minutes.
Nothing gets stored on my phone. If its worth keeping its off my phone and stored securely immediately.

0xsigsev Because some believe it is more secure than storing it elsewhere.

keep it secure and " airgap" myself from it, now that's secure, secure and in my pocket, that's dumb.
The official at the border states "open your phone", you refuse, play out the unravelling scenario in your head... Gaining entry to the country is not one of the available options,

axino
Are you a US citizen? If the answer is 'no' then you will either provide full access to your phone (i.e input the password for them) or you won't be allowed in the US.

If you are a US citizen then they can't deny you entry but they can seize your phone.

Having a secure phone and refusing to provide access isn't a crime in the US but, again, they can deny you entry to the US and blacklist you.

Generally, if your devices are subject to search in the first place it is because you are already on a list. If you aren't a US citizen and are outside the US then the NSA has an absolute, unfettered, unlimited right under US law to spy on you, intercept your communications, track you, build a detailed profile on you, and just generally put your entire life under a microscope.

If you have, or have applied for, a visa to enter the US then you will be prioritized.

Take the Rasha Alawieh deportation. She traveled to a location that US Intel cares about and her phone was at the location of a terrorists funeral. Those facts alone were likely enough to get her flagged by the automated algorithms for greater scrutiny. So immigration tags her for a more in depth search upon return to the US and find the pictures used to publicly justify booting her.

area51 Why would anyone with sensitive data keep it on their phone and then carry it about, I would distance myself from it, fast as possible.

Because a Pixel 9 running GOS is the single most secure compute device in the world that can be acquired globally with relative ease by the average person.

If you want to ensure that data remains secure, GOS with relatively simple opsec is the best option.

You just shouldn't try and cross international borders with it, or do anything else that amounts to deliberately taunting the US national security establishment while under their physical control and wanting something from them (entry to the US).