In the last 24 hours, I have had scammers absolutely hammering my phone. This has included calls from a block of fake numbers and texts with links.
Like others have noted, call blocking only works in Owner. So, I have had to switch to the Owner profile for most of the day. The effect on my workflow was disastrous.
I am set up differently, using what I call the "Owner-clients" model. I'm using the Owner profile solely as an admin profile (Google Play and Obtanium have network, nothing else except stock apps like Vanadium). My daily-driver set-up is in client profiles (with installation privileges switched off). I do my business - my life - in the client profiles. I think this is good, solid practice.
But the call blocking issue is threatening it as a solution.
I want this issue to be considered as a security matter.
Firstly, these are likely to be people who are using social engineering to access my finances and data. It is becoming a very sophisticated trade - they have full address and name details, purport to be from credible companies, and they are even specialized with people who make the first contact then hand-off to a second person who closes the deal. They use pressure tactics like repeated callbacks. There is now even the prospect of AI voice-based deepfakes, although I don't think we're quite there yet for most of us.
In particular, the links these people are sending are quite potentially malicious. I guess Graphene is the best placed to resist these attacks (if that's what they are), but I still wouldn't want to open one - by mistake or clumsiness - on any profile of the phone, especially the Owner.
Further, because they have your full contact details, they can send realistic looking material on email if they think they 'have you' as a target based on phone contact.
As careful as I am, their schemes may eventually work. In this case, they purport to be representative of a utility company I have had dealings with, and they sound very reasonable. If they caught me when my guard was down, or expecting a REAL bill, they could succeed. Its happening a lot.
I cannot tell you how many times they called today, how many times I had to deal with it manually because I was out of Owner profile. They really doubled down on the idea that I needed to click the text links they sent, which increases my suspicion. For a while, I just sat in Owner and forwent any work in the user profiles, just for peace.
Being able to block out scammers' calls and texts is essential. Using the Owner-clients model is essential to using GrapheneOS for me, for security and productivity. At the moment, I am exposed and its uncomfortable.
I think system-wide call and text blocking and management (e.g. whitelisting)has to be prioritized as a security issue. It isn't a perfect defense, but if social engineering are 70-90% of cyberthreat vectors, we have to step up. Third-party apps outsource an unacceptable amount of security and are no solution for a GrapheneOS installation.
Comments welcome.