Setting up a secondary passcode that opens a dummy profile
userA Its purpose is to not draw any attention while on a quick inspection without having to wipe the data.
Not sure how often you travel, so maybe you have a different experience, but standing out from the crowd will attract unwanted attention during such an inspection... A dummy empty profile screams "I want to hide something."
userA This is merely a question of how you would design the profile.
The sole fact you have separate profiles would raise an eyebrow and people would start asking questions. There's a separate thread about this very same case, my response was bring a dumb travel phone without any of your data just to be able to be in touch with people. Much better approach imho.
I feel like it also kind of matters how often this is happening.
If it for some reason becomes a common occurrence that someone takes a look at your gallery or something like that when you travel to a country for a vacation, then I feel like there would be a huge need for this.
If this is something happening to people who are already "targeted" anyway, then this feature would probably not be that useful.
(Since in the first case the chance for it to work would be much higher; in the second case I assume someone would take a better look at everything.)
edit:
But also I just thought, this is already kind of implemented. I mean the owner profile is basically this. Turn off switching user profiles, and it does not even show that you have multiple profiles.
And then just have the apps hold some data by using them a bit, and you basically have exactly that.
Edit2: basically the only thing missing is an option to hide the multiple-users setting in the owner profile.
I think a dummy profile would be useful as a quick way to try to evade a problem. It wouldn't work for a forensic computer specialist, but there aren't tons of those on-site.
JollyRancher If a USA entry agent rebooted a GOS phone and saw the yellow error message, how might they react? Best guess, of course.
axino rebooted a GOS phone
They'd not, not on purpose at least. When they take your phone for a screening they (should) follow a list of things they're supposed to check and/or do, and a reboot would not be one of them.
If by accident, they'd not know what is happening, but it would definitely raise suspicion and it would cause further issues for you.
Why would anyone with sensitive data keep it on their phone and then carry it about? I would distance myself from it as fast as possible. The last thing I would do is decide to cross a national border with it still on my phone... D'oh.
I can factory reset my phone and be back up and running where I left off within 10-20 minutes.
Nothing gets stored on my phone. If it's worth keeping, it's off my phone and stored securely immediately.
area51 Why would anyone with sensitive data keep it on their phone
Because some believe it is more secure than storing it elsewhere. It may be true in some cases, but I agree with you. The only 'sensitive/important' data I keep on my phone are pictures, my bank account and communication-related data. In the end this is a tool like any other I use, and I use it according to its capabilities/features. I also secure it and take care of it as I would with any other tool I depend on.
0xsigsev Because some believe it is more secure than storing it elsewhere.
Keep it secure and "airgap" myself from it, now that's secure. Secure and in my pocket, that's dumb.
The official at the border states "open your phone", you refuse, play out the unravelling scenario in your head... Gaining entry to the country is not one of the available options.
axino
Are you a US citizen? If the answer is 'no' then you will either provide full access to your phone (i.e. input the password for them) or you won't be allowed in the US.
If you are a US citizen then they can't deny you entry but they can seize your phone.
Having a secure phone and refusing to provide access isn't a crime in the US but, again, they can deny you entry to the US and blacklist you.
Generally, if your devices are subject to search in the first place it is because you are already on a list. If you aren't a US citizen and are outside the US then the NSA has an absolute, unfettered, unlimited right under US law to spy on you, intercept your communications, track you, build a detailed profile on you, and just generally put your entire life under a microscope.
If you have, or have applied for, a visa to enter the US then you will be prioritized.
Take the Rasha Alawieh deportation. She traveled to a location that US Intel cares about and her phone was at the location of a terrorist's funeral. Those facts alone were likely enough to get her flagged by the automated algorithms for greater scrutiny. So immigration tags her for a more in-depth search upon return to the US and finds the pictures used to publicly justify booting her.
area51 Why would anyone with sensitive data keep it on their phone and then carry it about, I would distance myself from it, fast as possible.
Because a Pixel 9 running GOS is the single most secure compute device in the world that can be acquired globally with relative ease by the average person.
If you want to ensure that data remains secure, GOS with relatively simple opsec is the best option.
You just shouldn't try and cross international borders with it, or do anything else that amounts to deliberately taunting the US national security establishment while under their physical control and wanting something from them (entry to the US).
JollyRancher If you want to ensure that data remains secure, GOS with relatively simple opsec is the best option.
I agree GrapheneOS is undoubtedly secure, no question.
Simple opsec... Don't have that data on your person.
If you end up being challenged for whatever reason and it's in your pocket, it limits what you can say or do.
Hmm @area51 You said above "I can factory reset my phone and be back up and running where I left off within 10-20 minutes."
Would you be willing to share your process for this? It appears that whatever threat model we are each working with, this type of process would be good to have in your toolbox.
I don't want to derail the conversation about border crossing just really interested in a wipe and restore process that is functional in less than 30 minutes. @JollyRancher has suggested some good tools, does your process include a different set of tools? Totally understand if you're not interested in sharing.
Saw this article today.
https://www.theguardian.com/technology/2025/mar/26/phone-search-privacy-us-border-immigration
Seems like there'd be some value in coming up with a feature that allows you to create a "checkpoint profile" for border crossing.
The main goal is to provide enough "real" data that you don't draw extra attention from border agents when they begin inspecting your device. However, if they do confiscate it and plug it into a Cellebrite, the forensic tools will not find anything because the profile does not contain any sensitive data.
Think of this as kind of a camouflage tool with the intent of giving the border agent enough to look at that you don't raise enough flags to warrant a closer look, but none of the data they see would be anything compromising.
This would most likely take some time to create and require updates, but it could be useful for helping you to get through checkpoints without having your device confiscated.
propsecprv2 The main goal is to provide enough "real" data that you don't draw extra attention from border agents when they begin inspecting your device. However, if they do confiscate it and plug it into a Cellebrite, the forensic tools will not find anything because the profile does not contain any sensitive data.
That could work if forensic tools agreed to obediently inspect just one profile while ignoring the rest of the device. But there is no such agreement. Similar suggestions have been made multiple times, and multiple times the GrapheneOS developers have said it's not possible at present to hide how many user profiles are on a device, and that, without a factory reset, evidence that a secondary profile once existed remains even after the secondary profile has been deleted.
de0u
Thanks for the response. I think I did not do a good job of explaining what I am thinking. I would like to start with a clean new GOS install and create some real data, but data that is not sensitive. Something that would be based on actual use (think texts with my family about pick-up times and some web searches for a new car). Then I would essentially take a backup or a snapshot of the device. Still no sensitive data at this point. Then go through US customs. The goal of this effort would be to have enough data on the phone to not raise any alerts on the part of CBP. If the CBP agent wishes to further scrutinize the device, they could, because in effect it would still not store any sensitive data. I agree with the general consensus that at no point should you carry too much sensitive data on your device, although I understand this may not be possible. That said, I am thinking of it in terms of an if/then set of scenarios. If the CBP agent is not alerted by data on the phone, then leave the checkpoint without having sensitive data compromised. If the CBP agent is alerted by content on the phone, then further forensic analysis still reveals nothing.
The loaded profile would be an attempt to pass as a normal cell phone user with nothing to hide. I write this with the full understanding that this is a very difficult line to walk.
Based on some of the tools and steps discussed above, it may be possible though.
propsecprv2 I think I did not do a good job of explaining what I am thinking.
It is also possible that your explanation is clear but that the feature you are suggesting has been suggested before and does not exist because it is infeasible.
People routinely make "stealth profile" and "dummy profile" suggestions. Often it is in the context of the duress-PIN feature, with the idea that the duress PIN could delete one or more confidential user profiles while leaving behind a plausible-deniability dummy profile.
Such suggestions are not outright impossible. But the current Android user profile system was completely not designed with stealth or deniability in mind.
Meanwhile, a suggestion that intuitively seems to a non-expert as if it should be possible (or even straightforward) may seem flawed when the idea is presented to a forensics expert. As just one example, the companies that make device-extraction tools have access to GrapheneOS (it's an open-source project!), so if a hypothetical "stealth profile" or "deniability profile" feature were created then tools could immediately be created to detect when it's in use.
This may be interesting reading: https://discuss.grapheneos.org/d/17901-duress-pin-idea
de0u
I am probably not reading this right, but it seems the big objection to this type of feature is that there is no way to perform a profile wipe without leaving a trace. I understand how some use cases would list that as a requirement; however, I think there is still a solid use case where this feature makes sense even without the ability for a fully undetectable wipe. Being able to quickly wipe a profile with a duress PIN is useful for protecting data a user may want to protect for its own sake. For instance, data that a lawyer has an ethical obligation to protect, making the deletion legal. This could add a layer of protection for a defense-in-depth posture.
For instance, a user wants to take their GOS phone with them on a trip to engage with their sensitive data while traveling.
Assume the user will set up 2 profiles. One profile used for non-sensitive activity and one for sensitive activity. To be clear, in this context sensitive does not equal illegal. The classification of sensitive is user-specific (think lawyer example above).
The user will be traveling through US customs and knows they are going to be in a situation where their phone will be searched, first by a visual inspection by an agent, then possibly by a forensic tool.
Knowing a search is imminent, the user deletes the sensitive profile, thereby physically removing the sensitive data while leaving a trace of the deletion that can be detected by a forensic examination.
The user hands their unlocked device over to be searched. Hopefully the agent's search does not turn up any questionable data (not illegal, just questionable; at the moment a fuzzy concept based on lots of reports) because only non-sensitive data is left on their device. If the agent's suspicion is not triggered, the user only has their non-sensitive data looked at and takes their device and heads on their way. If the agent does find some questionable content, then the device can and most likely will be seized. However, the sensitive profile will (hopefully) have been removed, and a forensic examination will only reveal that some data was removed without revealing the content of that data.
I'll concede this may raise suspicion, but that act in and of itself is not a crime, so the user may avoid further detainment and maybe having their device confiscated.
In short, if the user wants to try to get out of a search quickly by handing over their device, it would be nice to have a way to delete a manicured profile quickly and securely.
The theater aspect of this functionality is more useful at the moment. I understand it has been the subject of lots of conversations previously; I would just say the change in the political situation in the US makes this use case more practical to prevent data the user considers sensitive from being collected by US CBP agents.
propsecprv2 I am not an attorney, but it seems to me that the idea that it is "OK" to delete "sensitive" information at a border crossing as long as the deleted data are not "illegal" is the sort of thing that would benefit from some legal advice or at least from more than an unsupported statement. I am unaware of specific legal reasoning supporting this line of argument.
Meanwhile, I am not a GrapheneOS developer, but the idea of profile deletion while leaving traces behind, thus confusing only inexpert adversaries, has come up before and has not been well received.
I think the situation at present is that some users want this and the developers do not. I really do not believe that the problem is that the developers can't grasp the suggestion or don't understand that some users want this.
Please note that I do not speak for the GrapheneOS project.