What if my phone gets stolen? What can they do with it?

DeletedUser406

These past weeks I've been on a mission to protect my privacy and be more secure, moved Gmail to Proton, Google Auth to Aegis, started using Bitwarden, all that stuff. But now I'm worried about my phone getting pickpocket'd/stolen (happens often in my country).

First of all I don't think I care about getting a potentially invasive app for data recovery or re-locating my phone, I plan to backup my phone to my desktop PC and external hard drives weekly probably, including my Aegis codes (Not to mention 90% of my accounts have recovery codes I've saved if I lose the 2FA).

What I care about is the thief not getting access to my phone, specially Aegis and Bitwarden, and also all of the other accounts and apps in general. I have a 6-digit PIN and fingerprint unlock (Pixel 6a). Is this enough? Can thieves get past that?

(Sorry if it's a dumb question, even if I installed GrapheneOS by myself, I don't know almost anything about how Android works, I even had the Kaspersky app with anti-theft features installed for over a year until just a few hours ago when I found out AVs are pretty much useless on Android.)

raccoondad

DeletedUser406 Is this enough? Can thieves get past that?

Only if they can guess it. After a few attempts the device locks for a certain amount of time that increases with each wrong attempt.

Bimmy

DeletedUser406 I have a 6-digit PIN and fingerprint unlock (Pixel 6a). Is this enough? Can thieves get past that?

To better understand and evaluate the situation, three questions:

Do you mean, that your primary unlock method ("Before First Unlock" (BFU)) is the 6-digit PIN and the secondary unlock method ("After First Unlock" (AFU)) is the fingerprint?
When you mention thieves, can we assume, this is about "ordinary" low-ressource street criminals, that mostly are interested in money, e.g. by selling the device and/or ripping off deposit money (from e-commerce accounts, maybe online banking)? We are not dealing with high-profile thieves (e.g. from organized crime) that specifically target you and put extraordinary resources into such hacking attempt, right?
For the fingerprint: How many fingers did you register?

Reasons for why I am asking:

ad 1.) and 2.)
The shorter the PIN/Passwort (more exactly: the less cryptographic entropy there is in the secret), the more one has to rely on hardware throttling that is to hamper and slow down attempts to guess / brute-force the secret.

Until today, there is no evidence yet, that these feature was broken for the currently supported phone models (such as your Pixel 6a). More details on the throttling and the drive encryption can be found on the main website: https://grapheneos.org/faq#encryption .

For now, the consequence is, that even a (randomly generated!) 6-digit PINs will probably take "too long" to guess for the "common" attacker (i.e. one that does not have access to unpublished exploits or the ability to dismantle and cryptoanalyze your chips on microscopic or even nanoscopic level).
One should expect, that this will change sometime in the future. However, it's entirely unclear when this will be. Hopefully, way after the device has lost its function and is no longer of particular relevance for you and the theoretical attacker.

Generally speaking, the more complex (i.e. more entropic) your secret is, the less you have to make above bet; on the other hand typing a more complex secret becomes inevitably more uncomfortable.

ad 3.)
The more "fingers" one registers (including multiple different registrations of the same finger), the more comfortable is the unlock, but the higher the probability that the device erroneously mistakes and accepts a foreign fingerprint as yours.

Anecdotal reference: There was an actual report of such a false fingerprint reading, posted by IT-Security- and Privacy-Advisor and Blogger Mike Kuketz, who was surprised when he found his Pixel 8 irregularly unlocked by his own daughter... (Original Message in German: https://www.kuketz-blog.de/fingerabdruck-sensor-tochter-kann-google-pixel-8-entsperren/# )

So, purely from a security perspective, it is better to only have exactly one finger registered. Naturally, this can make unlocking more difficult and more prone to problems, when you can't use that specific finger.

Note: The relatively new 2-Factor ( Pin or PW + biometrics) feature would additionally minimize the associated risk. But more would make this answer even longer. And bring us back to question 1. (Maybe you already use it - or decided against it. Both can be valid choices.)

grayway2

DeletedUser406 6-digit PIN is insufficient. I suggest you to use at least 10-digit PIN. I do use digit PIN for secondary profile unlock but it's a 25-30 digit PIN

2FA + fingerprint is very important as it will help you to not disclose your unlocking method in public (cameras, people behind your shoulder, pigeons, NSA satellite ect.)

Change the default 18h auto-reboot to 12h unless you're sleeping the whole day or use your phone once in the day.

Also create a duress password of 4-digit PIN and write it on a paper which you will hide between the phone and the protection case. The thief will take any opportunity to unlock the phone as he don't want to deal with FRP unless he knows that GrapheneOS has no FRP protection.

r134a

As already stated, your data would be safe if a thief snatched your phone in a locked state. Find My Device might be of interest, however at the same time it would be useless if the thief turns the phone off.

DeletedUser406

Bimmy
1) I had to look up BFU and AFU but yeah, the pin is required after restarts, after that I continue to use the finger until the phone battery dies or a system update restarts the phone in the night.

2) Yeah just the ordinary, no targeted attacks.

3) Just my thumb fingerprint, nothing else.

+) I haven't heard of the Pin + Biometrics 2FA yet. I don't remember choosing an option like that specifically.

(Thanks for the detailed answer ^^)

Bimmy

DeletedUser406

Regarding your original question, whether your current locking method is enough and whether ordinary thieves can get past, as you see there are different opinions.

I'd say, 6-digit-PIN - assuming that they it's randomly created and not a "well known" / "well-targeted" PIN (*) - as primary unlock and fingerprint as secondary unlock method, respectively, was an OK-ish recommendation in the past and for older GOS-versions. It could still be OK for now, but I'd say it's the lower end of what is tolerable against low profile adversaries.

Concerning secondary unlock method:
As grayway2 already mentioned, a fingerprint for secondary unlock and avoiding to present primary unlock method where it can be observed or even recorded is generally a good idea.

What they mentioned with 2FA + fingerprint, is the relatively new GOS special 2-factor fingerprint unlock feature (s. https://discuss.grapheneos.org/d/18585-2-factor-fingerprint-unlock-feature-is-now-fully-implemented ). It combines a fingerprint plus a (preferably short) PIN for better security of the secondary unlock method. You can set it up via Settings > Security and privacy > Device unlock , too, IIRC.

Regarding the primary unlock method, using a moderate length pin constitutes a strong dependency and bet on Hardware security with its throttling mechanism. A longer PIN or even passphrase with randomly generated words (e.g. via Diceware method, cp. https://en.wikipedia.org/wiki/Diceware ), is cryptographically clearly superior. Admittedly, it can be annoying, particularly when one frequently reboots, even more so when you use multiple users. The usual convenience vs. security tradeoff.

(*) - In the improbable but possible case that your random secret looks like it could be one of the first ones present in a cracker tool's database, e.g. usual "suspects" like "123456", roll anew!

DeletedUser396

regarding the 6 digit pin you are thinking of using; and is it enough...?
there are 1 million combinations of a 6 digit pin, (quick internet search)
after 140 failed attempts the pixel security chip has throttled the attempts at guessing your pin to one per day...
I think a 6 digit pin is the minimum you could use. More would be good, depending upon how good you are at remembering numbers.
Don't fall into the trap of using combinations of numbers known to you, that's where anyone who does know you will start guessing, you know what I mean, dates of birth, phone numbers etc..