• Development

  • Setting up a secondary passcode that opens a dummy profile

propsecprv2

Yes, different circumstances require different approaches to solve.

For example, being a US citizen with a very competent legal team in retainer and the resources to fight a case to the US Supreme Court if necessary my use of GOS with a strong password and (relatively) simple opsec are enough that I have nothing to worry about if US law enforcement (local, state, or federal) seize my phone and I refuse to provide them any information to access it. Law enforcement likely wouldn't even try to compel me to provide access or use that refusal against me because I have the resources to fight the case all the way and they don't want to risk (from their perspective) bad precedent.

Contrast that with an individual in the US on a tourist visa. If you refuse to cooperate then, at a minimum, you will just be kicked out of the US and back to your home country.

Dummy profiles would be nice, but what they won't do is help you against anything but a casual examination.

If law enforcement is looking at your phone then you are already in deep shit. You have already gained law enforcement attention, you have already provided probable cause, and you are essentially already compromised. In spy terms, you are already burned.

GOS might mean you just get booted out of the country instead of doing jail time, or that you are only facing a few years in prison as opposed to life but you have generally already fucked up beyond the point a dummy profile would really help you.

What would be nice is a duress pin feature that would wipe a private space without leaving any forensic evidence that it was there in the first place. Or wipe specific files/folders similarly tracelessly from a profile.

Apparently that isn't actually possible/practical though.

      JollyRancher
      These are all good points. Thanks for your insightful response. I take from your message that this function is not possible? The creating of a dummy profile? I agree with your analysis of the threat model posed just trying to get a handle on the full functionality of the os.

      More specifically, you have laid out a pretty compelling opsec process for securing your device. Do you know if someone has documented how to do the kind of restore you are talking about. I have read that seedvault is sometimes not reliable. To be clear, what I am interested in is the scenario you describe where you get accross a border with your vanilla phone and now want to restore your back up to bring it back up to a fully configured device while you are traveling. Can you point to some posts of some documentation that can walk a new user (thats me, Im new to grapheneOS) through the process of doing that.

      I am getting ready for international travel in the next couple of months and want to be able to do exactly what you described. I want to do a couple of dry runs before I hit the road.

          propsecprv2

          That depends on what you want.

          There isn't any really good way to image a GOS phone and restore that image (although it would be really nice).

          How long are you going to be overseas? Is it basic tourism or something legally dubious? Are you likely to get on (or already be on) watch lists? What functionality do you want while traveling? What level of technical ability do you have? What level of resources are you willing to invest?

          I mean you could make a Cryptomator archive containing a KeePass vault, Obtanium export for all the apps you want, Signal backup, etc. Then host it on Proton Drive and email the drive link to a throw away email. Once GOS is installed, access the throw away email to get the link, download the encrypted archive, reinstall your apps/restore backups, etc. Do the reverse before you leave.

          That will be more than sufficient for most people.

            userA No it would not. Your assumption is that when someone would ask for your phone and unlock code for it, is they they'd be 'fooled' with fake profile. But it is clearly visible that you have more than one profile and you can't exclude that once they started doing such checks they will not be thorough and knowledgeable.

                Some good conversations emerged here. The dummy profile functionality would obviously not provide any use, if the law enforcement has your attention. Once they have your device, youre pretty much compromised.
                Its purpose is to not draw any attention while on a quick inspection without having to wipe the data.

                  0xsigsev This is merely a question of how you would design the profile. Ideally it would be an exact copy of the regular UI. It would have its own storage, and you could set it up to seem real (set up apps and regular files)

                      userA Its purpose is to not draw any attention while on a quick inspection without having to wipe the data.

                      Not sure how often you travel so maybe you have different experience, but standing out from the crowd will attract unwanted attention during such inspection... Dummy empty profile screams I want to hide something.

                        userA This is merely a question of how you would design the profile.

                        The sole fact you have separate profiles would raise an eyebrow and people would start asking questions. There's a separate thread about this very same case, my response was bring a dumb travel phone without any of your data just to be able to be in touch with people. Much better approach imho.

                          I feel like it kind of matters also how often this is happening.

                          If it for some reason becomes a common occurence that someone takes a look at your gallery or something like that if you travel to a country for an vacation, then i feel like there would be a huge need for this.

                          If this is something happening to people who are already "targeted" anyway, then this feature would probably not that usefull.

                          (Since in the first case the chance for it tonwork would be much higher, in the second case i assume someone would take a better look at everything)

                          edit:
                          But also i just thought, this is already kind of implemented. I mean the owner profile is basically this. Turn off switching user profiles, and it does not even show that you have multiple profiles.
                          And then just have the apps have some data by using them a bit and stuff. And you basically have exactly that.
                          Edit2: basically only thing missing is a option to hide the setting with the multiple users in the owner profile.

                          I think a dummy profile would be useful as a quick way to try to evade a problem. It wouldn't work for a forensic computer specialist, but there aren't tons of those on-site.

                          axino rebooted a GOS phone

                          They'd not, not on purpose at least. When they take your phone for a screening they (should) follow a list of things they're supposed to check and/or do. And reboot would not be one of them.

                          If by accident. They'd not know what is happening, but it would definitely raise suspicion and it would cause further issues for you.

                            Why would anyone with sensitive data keep it on their phone and then carry it about, I would distance myself from it, fast as possible. The last thing I would do is decide to cross a national border with it still in my phone... D'oh.
                            I can factory reset my phone and be back up and running where I left off within 10-20 minutes.
                            Nothing gets stored on my phone. If its worth keeping its off my phone and stored securely immediately.

                              area51 Why would anyone with sensitive data keep it on their phone

                              Because some believe it is more secure than storing it elsewhere. It my be true in some cases, but I agree with you. The only 'sensitive/important' data I keep on my phone are pictures, my bank account and communication related data. in the end this is a tool like any other I use, and I use it according to it's capabilities/features. I also secure it and care of it as I would with any other piece of tool I depend on.

                                  0xsigsev Because some believe it is more secure than storing it elsewhere.

                                  keep it secure and " airgap" myself from it, now that's secure, secure and in my pocket, that's dumb.
                                  The official at the border states "open your phone", you refuse, play out the unravelling scenario in your head... Gaining entry to the country is not one of the available options,

                                    axino
                                    Are you a US citizen? If the answer is 'no' then you will either provide full access to your phone (i.e input the password for them) or you won't be allowed in the US.

                                    If you are a US citizen then they can't deny you entry but they can seize your phone.

                                    Having a secure phone and refusing to provide access isn't a crime in the US but, again, they can deny you entry to the US and blacklist you.

                                    Generally, if your devices are subject to search in the first place it is because you are already on a list. If you aren't a US citizen and are outside the US then the NSA has an absolute, unfettered, unlimited right under US law to spy on you, intercept your communications, track you, build a detailed profile on you, and just generally put your entire life under a microscope.

                                    If you have, or have applied for, a visa to enter the US then you will be prioritized.

                                    Take the Rasha Alawieh deportation. She traveled to a location that US Intel cares about and her phone was at the location of a terrorists funeral. Those facts alone were likely enough to get her flagged by the automated algorithms for greater scrutiny. So immigration tags her for a more in depth search upon return to the US and find the pictures used to publicly justify booting her.

                                      area51 Why would anyone with sensitive data keep it on their phone and then carry it about, I would distance myself from it, fast as possible.

                                      Because a Pixel 9 running GOS is the single most secure compute device in the world that can be acquired globally with relative ease by the average person.

                                      If you want to ensure that data remains secure, GOS with relatively simple opsec is the best option.

                                      You just shouldn't try and cross international borders with it, or do anything else that amounts to deliberately taunting the US national security establishment while under their physical control and wanting something from them (entry to the US).

                                          JollyRancher If you want to ensure that data remains secure, GOS with relatively simple opsec is the best option.

                                          I agree GrapheneOS is undoubtedly secure, no question,
                                          Simple opsec... Don't have that data on your person.
                                          If you end up being challenged for whatever reason and its in your pocket, it limits what you can say or do

                                            Hmm @area51 You said above "I can factory reset my phone and be back up and running where I left off within 10-20 minutes."

                                            Would you be willing to share your process for this? It appears that despite what threat model we are all working on this type of process would be good to have in your tool box.

                                            I don't want to derail the conversation about border crossing just really interested in a wipe and restore process that is functional in less than 30 minutes. @JollyRancher has suggested some good tools, does your process include a different set of tools? Totally understand if you're not interested in sharing.

                                            Saw this article today.
                                            https://www.theguardian.com/technology/2025/mar/26/phone-search-privacy-us-border-immigration

                                            Seems like there be some value to coming up with a feature that allows you to create a "check point profile" for border crossing.

                                            The main goal is to provide enough "real" data that you dont draw extra attention from border agents when they begin inspecting your device. However, if they do confiscate it and plug it into a a cellibrite the forensic tools will not find anything because the profile does not contain any sensitive data.

                                            Think of this as kind of a cameflouge tool with the intent of giving the border agent enough to look at that you dont raise enough flags to warrant a closer look but none of the data they see would be anything compromising.

                                            This would most likely take some time to create and require updates but it could be useful for helping you to get through check points without having your device confiscated.