  • Setting up a secondary passcode that opens a dummy profile

axino
Are you a US citizen? If the answer is 'no' then you will either provide full access to your phone (i.e. input the password for them) or you won't be allowed in the US.

If you are a US citizen then they can't deny you entry but they can seize your phone.

Having a secure phone and refusing to provide access isn't a crime in the US but, again, they can deny you entry to the US and blacklist you.

Generally, if your devices are subject to search in the first place it is because you are already on a list. If you aren't a US citizen and are outside the US then the NSA has an absolute, unfettered, unlimited right under US law to spy on you, intercept your communications, track you, build a detailed profile on you, and just generally put your entire life under a microscope.

If you have, or have applied for, a visa to enter the US then you will be prioritized.

Take the Rasha Alawieh deportation. She traveled to a location that US Intel cares about and her phone was at the location of a terrorist's funeral. Those facts alone were likely enough to get her flagged by the automated algorithms for greater scrutiny. So immigration tags her for a more in-depth search upon return to the US and finds the pictures used to publicly justify booting her.

area51 Why would anyone with sensitive data keep it on their phone and then carry it about? I would distance myself from it, as fast as possible.

Because a Pixel 9 running GOS is the single most secure compute device in the world that can be acquired globally with relative ease by the average person.

If you want to ensure that data remains secure, GOS with relatively simple opsec is the best option.

You just shouldn't try and cross international borders with it, or do anything else that amounts to deliberately taunting the US national security establishment while under their physical control and wanting something from them (entry to the US).

    JollyRancher If you want to ensure that data remains secure, GOS with relatively simple opsec is the best option.

    I agree GrapheneOS is undoubtedly secure, no question.
    Simple opsec... Don't have that data on your person.
    If you end up being challenged for whatever reason and it's in your pocket, it limits what you can say or do.

    Hmm @area51 You said above "I can factory reset my phone and be back up and running where I left off within 10-20 minutes."

    Would you be willing to share your process for this? It appears that regardless of what threat model we are all working on, this type of process would be good to have in your toolbox.

    I don't want to derail the conversation about border crossing just really interested in a wipe and restore process that is functional in less than 30 minutes. @JollyRancher has suggested some good tools, does your process include a different set of tools? Totally understand if you're not interested in sharing.

    Saw this article today.
    https://www.theguardian.com/technology/2025/mar/26/phone-search-privacy-us-border-immigration

    Seems like there would be some value in coming up with a feature that allows you to create a "check point profile" for border crossing.

    The main goal is to provide enough "real" data that you don't draw extra attention from border agents when they begin inspecting your device. However, if they do confiscate it and plug it into a Cellebrite, the forensic tools will not find anything because the profile does not contain any sensitive data.

    Think of this as kind of a camouflage tool with the intent of giving the border agent enough to look at that you don't raise enough flags to warrant a closer look, but none of the data they see would be anything compromising.

    This would most likely take some time to create and require updates but it could be useful for helping you to get through check points without having your device confiscated.

      propsecprv2 The main goal is to provide enough "real" data that you don't draw extra attention from border agents when they begin inspecting your device. However, if they do confiscate it and plug it into [a] Cellebrite the forensic tools will not find anything because the profile does not contain any sensitive data.

      That could work if forensic tools agreed to obediently inspect just one profile while ignoring the rest of the device. But there is no such agreement. Similar suggestions have been made multiple times, and multiple times the GrapheneOS developers have said it's not possible at present to hide how many user profiles are on a device, and that, without a factory reset, evidence that a secondary profile once existed remains even after the secondary profile has been deleted.

        de0u
        Thanks for the response. I think I did not do a good job of explaining what I am thinking. I would like to start with a clean new GOS install and create some real data, but data that is not sensitive. Something that would be based on actual use (think texts with my family about pick-up times and some web searches for a new car). Then I would essentially take a backup or a snapshot of the device. Still no sensitive data at this point. Then go through US customs. The goal of this effort would be to have enough data on the phone to not raise any alerts on the part of CBP. If the CBP agent wishes to further scrutinize the device they could, because in effect it would still not store any sensitive data. I agree with the general consensus that at no point should you carry too much sensitive data on your device, although I understand this may not be possible. That said, I am thinking of it in terms of an if/then set of scenarios. If the CBP agent is not alerted by data on the phone, then leave the check point without having sensitive data compromised. If the CBP agent is alerted by content on the phone, then further forensic analysis still reveals nothing.
        The loaded profile would be an attempt to pass as a normal cell phone user with nothing to hide. I write this with the full understanding that this is a very difficult line to walk.

        Based on some of the tools and steps discussed above it may be possible though.


          propsecprv2 I think I did not do a good job of explaining what I am thinking.

          It is also possible that your explanation is clear but that the feature you are suggesting has been suggested before and does not exist because it is infeasible.

          People routinely make "stealth profile" and "dummy profile" suggestions. Often it is in the context of the duress-PIN feature, with the idea that the duress PIN could delete one or more confidential user profiles while leaving behind a plausible-deniability dummy profile.

          Such suggestions are not outright impossible. But the current Android user profile system was completely not designed with stealth or deniability in mind.

          Meanwhile, a suggestion that intuitively seems to a non-expert as if it should be possible (or even straightforward) may seem flawed when the idea is presented to a forensics expert. As just one example, the companies that make device-extraction tools have access to GrapheneOS (it's an open-source project!), so if a hypothetical "stealth profile" or "deniability profile" feature were created then tools could immediately be created to detect when it's in use.

          This may be interesting reading: https://discuss.grapheneos.org/d/17901-duress-pin-idea

            de0u
            I am probably not reading this right, but it seems the big objection to this type of feature is that there is no way to perform a profile wipe without leaving a trace. I understand how some use cases would list that as a requirement; however, I think there is still a solid use case where this feature makes sense even without the ability for a fully undetectable wipe. Being able to quickly wipe a profile with a duress PIN is useful for protecting data a user may want to protect for its own sake. For instance, data that a lawyer has an ethical obligation to protect, making the deletion legal. This could add a layer of protection for a defense-in-depth posture.

            For instance, a user wants to take their GOS phone with them on a trip to engage with their sensitive data while traveling.
            Assume the user will set up 2 profiles. One profile used for non-sensitive activity and one for sensitive activity. To be clear, in this context sensitive does not equal illegal. The classification of sensitive is user specific (think lawyer example above).
            The user will be traveling through US customs and knows they are going to be in a situation where their phone will be searched, first by a visual inspection by an agent and then possibly by a forensic tool.
            Knowing a search is imminent, the user deletes the sensitive profile, thereby physically removing the sensitive data while leaving a trace of the deletion that can be detected by a forensic examination.

            The user hands their unlocked device over to be searched. Hopefully the agent's search does not turn up any questionable data (not illegal, just questionable; at the moment a fuzzy concept based on lots of reports) because only non-sensitive data is left on their device. If the agent's suspicion is not triggered, the user only has their non-sensitive data looked at and takes their device and heads on their way. If the agent does find some questionable content then the device can and most likely will be seized. However, the sensitive profile will (hopefully) have been removed and a forensic examination will only reveal that some data was removed without revealing the content of that data.
            I'll concede this may raise suspicion, but that act in and of itself is not a crime, so the user may avoid further detainment and maybe having their device confiscated.

            In short if the user wants to try to get out of a search quickly by handing over their device it would be nice to have a way to delete a manicured profile quickly and securely.

            The theater aspect of this functionality is more useful at the moment. I understand it has been the subject of lots of conversations previously; I would just say the change in the political situation in the US makes this use case more practical to prevent data the user considers sensitive from being collected by US CBP agents.


              propsecprv2 I am not an attorney, but it seems to me that the idea that it is "OK" to delete "sensitive" information at a border crossing as long as the deleted data are not "illegal" is the sort of thing that would benefit from some legal advice or at least from more than an unsupported statement. I am unaware of specific legal reasoning supporting this line of argument.

              Meanwhile, I am not a GrapheneOS developer, but the idea of profile deletion while leaving traces behind, thus confusing only inexpert adversaries, has come up before and has not been well received.

              I think the situation at present is that some users want this and the developers do not. I really do not believe that the problem is that the developers can't grasp the suggestion or don't understand that some users want this.

              Please note that I do not speak for the GrapheneOS project.

              long and interesting convo here. now OP has to be clear that if the device is searched, a dummy profile is only going to extend their date with the LE at that border.

              little experience and opinion
              on the device search at the border. i have travelled internationally multiple times, being pretty much in most immigration statuses possible for a traveling individual, accompanied by similarly varied travelers, to some of the most hostile countries on 4 continents, and never ever have i experienced or witnessed a device search. and i have never met a live person who experienced such a search.

              After all I assume it is really a matter of such individual being on some serious list of serious interest of a serious adversary. and that would make me advise them to take their security to a much much deeper level than a damn freaking profile on a smartphone.

              Thanks for the interesting debate, @de0u. I agree there is room for a more informed legal opinion on the legality of deleting data at a border checkpoint.

              However, I think it is important to separate the idea of sensitive from the context of legality. The concept of "sensitive" is in no small way a key part of many threat models that don't cross into illicit or illegal. For instance, for journalists a simple contact will often qualify as sensitive. I think even in this climate it would be hard to say that a journalist deleting a contact or multiple contacts from their device (in addition to using disappearing messages and coded contact names) would qualify as illegal. However, the ability to do so quickly would be vital to anyone reporting issues which may anger powerful state actors. Similarly, for a tax attorney, a client's fin info may qualify as sensitive. I don't think it is a big stretch to assume a lawyer may want to, and is legally allowed to, delete their client's data if there is a risk it will be copied into a gov system.

              Instead of parsing out these differences it may be more useful to just assume that sensitive is anything you as the user don't want your adversary to see, and that deleting it to keep it out of your adversary's hands is enough even if they have evidence that you have done so. And while evidence of that action may be obvious to a trained expert, having the ability to present a dummy profile to an agent you may assume is not technically sophisticated enough to see the signs could be useful to shorten some interactions with LEO.

              It is true @Onlyfun that a dummy profile may extend an interaction with a LEO agent during a border crossing, but it does seem that this may be an acceptable risk if at the end of the encounter the agents are only able to collect the sanitized data set up on the phone. This may still be true if they can determine something else was there and deleted. Even in those circumstances where the user has to surrender their device, the idea is that the sensitive data is out of reach. I am suggesting this as a tactic or layer in a layered strategy.

              @Wadder this article has been making the rounds and there are lots of other good articles about the increased use of Cellebrite and other tools across the US federal agencies.
              https://theintercept.com/2022/02/08/cellebrite-phone-hacking-government-agencies/

              I am not trying to start a debate about the veracity or legality of these efforts. I am only suggesting that it is a reasonable threat scenario for users to want to approach these issues with a layered defensive model.

              A dummy profile or shadow profile should be thought of as a layer of defense to be deployed when the user judges it can be successful in helping them to achieve a specific goal during an interaction with law enforcement.

              All that said @de0u I agree with you it seems clear the GOS dev team does not appear to have an appetite for this type of function. My hope is that this may change as the call for this feature comes to be seen as less of an edge case and more central to a comprehensive layered strategy of defense against digital data capture and surveillance.

                propsecprv2 I think even in this climate it would be hard to say that a journalist deleting a contact or multiple contacts from their device (in addition to using disappearing messages and coded contact names) would qualify as illegal.

                That is an interesting opinion. But when it comes to "illegal", there are some people who are literally licensed to have opinions on legality, and others who are not. If you are an attorney in some jurisdiction, your opinion on legality would probably be very interesting to members of this forum, but otherwise it might just be misleading. Since the forum moderators have at various times expressed some distaste for unsubstantiated opinions, it might be best if further discussion about the potential legality of data deletion at border checkpoints were substantiated by citing some source.

                Your best bet is simple. Just have a burner phone with you with no sensitive stuff when you are traveling. Have backups of what you need in encrypted cloud service. You can figure it out from there.

                  Thanks for this suggestion. I do get that encrypted cloud services could meet some of the requirements above. However, I am not sure how easy or feasible this is to do quickly. The feature request is more about streamlining this process to make it quick and resilient.