Graphene OS Edition for high Risk People

grapheneOsLover11111

As far as i undrstand graphene OS is very secure while beign a generell purpose os. For people with a very High risk profile like journalist or activists it could make sense to make a special edition/fork wich is harrden further to allow only nesccesariy things linke browsing and messaging. Maybe for peopek who are not good at tech but would change some usability for security.

So extra hardening like APP whitelisting and stuff or removing attack surface like Bluetooth or even better encryption for the cost oft longer boot times vor block protocolls only needed for games etc.
Colud this be a usefull solution for peope who are at high need of security or are very security concious?
Because i thunk right now graphene OS is the best solution for these people but can it comleptly protect from 0-days like an pegaus equivalent? Probaly we cant say for sure but maybe with more extreme hardening the risk could be loser. With taht i dont wann play down the amount oft hardenig and work graphene OS developers put in this system and the level oft security they achived thruogh this, both is impressiv. But maybe if usability is limitedt a lot it colud become even better.

Is this worth considering ?
Or is this to much work. Or is there not much room for security enhancment?

raccoondad

grapheneOsLover11111 this sounds like security theater.

App white listing is already a feature, by not installing the application.

You can disable Bluetooth, WiFi, and cellular in the device settings.

Seeing Pegasus was based on buffer overflow (if I'm not mistaken), GOS would be able to heavily prevent it. MTE and otherwise. But also this question is vague with no real answer.

ryrona

grapheneOsLover11111 So extra hardening like APP whitelisting and stuff or removing attack surface like Bluetooth or even better encryption for the cost oft longer boot times vor block protocolls only needed for games etc. Colud this be a usefull solution for peope who are at high need of security or are very security concious?

It is hard to design a system that is both secure for activists / journalist, while also usable, because you might need different apps and different features depending on what activism you are doing. I would not have any use for Bluetooth, so would be fine with all Bluetooth functionality being removed entirely, but it is not hard to imagine others that would benefit greatly from or even entirely depend on short range radio communication like Bluetooth to exchange files and data with other activists, to avoid leaving traces online. Likewise, I would be heavily reliant on Element as chat platform, as that is what all other activists in my area use, as well as most who we might need to talk to, including scientists and journalists working in our field. But if someone where to design a whitelist of applications, Element might not cut it, as many consider Signal a better choice in most use cases.

Even Tails have struggled like that, trying to make decisions that are suitable for as many as possible, but often falling short of providing everything one need. For example, Tails haven't provided Element support this far, or support for any other end-to-end encrypted messenger. And that limits the usability a lot.

grapheneOsLover11111 Wouldnt it provide some security if the system dosent let the user installiert any unknown or new apps that an exploit also cant installiert any Malware.

This is true. It would also prevent a less security conscious activist from being baited into installing and using a malicious app. I have unfortunately heard of many cases where activists have been baited into installing malicious software, and thus having all their activism exposed to the attacker, often a state actor. So whitelisting would provide benefits. Not for me, but for those that are less security conscious and might have a tendency to follow "security advise" from "trusted" community members.

So there would be benefits, but it is really hard to do right, as you cannot know what any specific individual would need beforehand.

argante

grapheneOsLover11111

High risk profile like journalist or activists it could make sense to make a special edition/fork wich is harrden further to allow only nesccesariy things linke browsing and messaging. Maybe for peopek who are not good at tech but would change some usability for security.

GOS is a tool, not a solution. GOS gives you a solid foundation, but it won't protect you from the stupidity of what you build on that foundation.

So extra hardening like APP whitelisting and stuff or removing attack surface like Bluetooth or even better encryption for the cost oft longer boot times vor block protocolls only needed for games etc.
Colud this be a usefull solution for peope who are at high need of security or are very security concious?

GOS after installation gives you just what you need. The less you add to it, the better.

Is this worth considering ?

No. Such Fragmentation is not good.

grapheneOsLover11111

Hmm thanks for your answer but i would habe a few questions. Wouldnt it provide some security if the system dosent let the user installiert any unknown or new apps that an exploit also cant installiert any Malware. I tought in industie they also have very secure phones but there they achieve it trough restricted user freedom through mdm. And regarding configurations like turning of bluetooth and other things as far as i understand graphene OS comes with sane defaults but wolud it be poasible to come with like the most secure by default? Maybe something like tails OS wich you can just usw out oft the box an its secure(in term ot you can usw it out oft the box) so like a configuration of graphene os as secure as it colud be and i think also if you use it just for messaging,browsing and editing documents cant you reduce the attacksurface a lot if it dosent have to provide any other functionality ?

argante

grapheneOsLover11111 Wouldnt it provide some security if the system dosent let the user installiert any unknown or new apps that an exploit also cant installiert any Malware.

GOS provides you with similar functionality. Create an additional profile (or private space). Install applications and updates from the owner's profile. Indicate which applications should be available in this additional profile. And finally, block the installation of applications for this additional profile.

user539

grapheneOsLover11111 Wouldnt it provide some security if the system dosent let the user installiert any unknown or new apps

You can already do that in separate user profiles. Use main profile to install and port apps to user profile via play store or aurora. Then uninstall aurora or play store.
Then make another profile for updating apps. Move all apps to it and update from there.
Disable all apps on main user,
and then make the main user offline with vpn kill switch.

You can disable apps installation completely for other user profiles.

NetRunner88

I am a cartel boss, I deserve this high risk phone too
And my best friend is the PM of a country somewhere he can have this too ? No ? Why not ?

It is a total lie but you see that there is something wrong asking to be over others

dhhdjbd

what you are asking for can kind of be archieved by writing a guide instead...
(which would be even more usefull with further bevahiour advice)

area51

GrapheneOS out of the box is suitable for anyone to keep bigtech etc out of their lives. The human with the GrapheneOS phone in their hands, now thats the problem.

If I were in the bullseye of a 3 letter agency, a mobile phone is the last thing I would carry...

say if you did carry a GrapheneOS mobile phone, you would need to be lucky all the time in its use etc, your adversary may only need to be lucky just once.

AltruisticMidget

area51

Agreed. Important to know, especially for journalists or politicians. Those groups are killed or jailed, in many countries around the world, simply for their profession.

No phone will protect against state actors.

grapheneOsLover11111

area51 But i think for example Journalist need phones sometimes so would it make sense to create an OS that keeps Them as secure as possible?

LeslieFH

GrapheneOS edition for high risk people is just GrapheneOS with only Accrescent apps (Molly, DNSNet, Organic Maps).

Well, really Orbot should be added to Accrescent, I don't know why it isn't :-)

ryrona

LeslieFH GrapheneOS edition for high risk people is just GrapheneOS with only Accrescent apps

I avoid Accrescent in my threat model though, for the same reasons I avoid Google Play. Accrescent give no guarantees about the apps they distribute at all, neither about whether the app is a fully open source build or not, whether the app was built on a secure build infrastructure or not, whether the app has privacy invasive technology or not, or even where the APK was fetched from.

Dumdum

LeslieFH Well, really Orbot should be added to Accrescent, I don't know why it isn't :-)

Because Orbot isn't well made (likely not secure either) and will eventually be replaced by the official TorVPN.

Eirikr70

grapheneOsLover11111 This OS already exists. It is GrapheneOS. The main risks are not in the OS itself but in the apps and the behaviour of the user. A journalist or a ma boss should proceed with caution when installing and using apps.

areaman

What about alternate default configurations, like how Tor browser has a slider to adjust how restrictive it is. On install, you can choose between default and a more locked down config, which has all the optional memory protection features enabled, shorter defult timeouts on wifi, NFC, bluetooth, disable 2g and 3g, etc. This wouldn't require changing how GOS works, just give you a fast way to make a security / usability and compatibility tradeoff.

area51

Dumdum hmm. I use Orbot now and then, "(likely not secure either)" dont leave me hanging.. tell me more?

area51

Dumdum Because Orbot isn't well made (likely not secure either)

I asked you two days ago about your claim " likely not secure either" referring to Orbot, still no reply from you, still waiting, got any info?

orydeatemi

Your information is only as secure as who you share it with.

Here are a couple of other things to keep in mind: most activists you'd want to protect can't afford pixels, at least not on the scale that you'd need. Many journalists aren't that good with cybersecurity.

Want to get higher adoption ? Help the project work towards even lower friction. Pester Google and the banks to allow tap to pay and stuff you get from less secure phones to just work. Help write more great step by step guides.

In a pliers to the fingers threat model, which is what you're dealing with in many cases, plausible deniability and things like being able to wipe a device with a pin number matter more than a perfect 0 day protection.

GrapheneOS ships with sane defaults. One thing that maybe would be nice is a way to not have a logo on the splash screen, and what'd be even better is if Google could do the responsible thing and allow Graphene to not have the "different OS" warning bootloader.

In other words, calls for grand gestures are performative, security theater, and a distraction. Supporting the project, financially if you can, or through grunt work, by doing things like finding ways to hound the powers that be to do the right thing if you can't afford to donate are much more useful if you want to achieve more than feeling good about yourself.

Blastoidea

I have said this all along, don’t install GOS and then load your phone up with so much crap it resembles a ride at Disneyland.

I gave up, because they all insisted they really “needed” all that shit.