Best way to restrict browser use in GOS?

n3t_admin

777funk Only the admin should be allowed to do a reset, so why not make it possible to password protect.

Everyone can just boot into recovery mode and factory reset the phone without any passwords whatsoever.
What you are suggesting, is security theater and is actively discouraged by the dev team.

777funk

n3t_admin
Ok so recovery mode as in bios equivalent for a phone (independent of the OS).

LeslieFH

n3t_admin Everyone can just boot into recovery mode and factory reset the phone without any passwords whatsoever.
What you are suggesting, is security theater and is actively discouraged by the dev team.

It is not "security theater".

Security is not "protecting only against the movie-scale threats". Securing a child's phone against breaching of time limits with a password is rather effective, because while the child can boot into recovery mode and factory reset the phone, they can't do this covertly, this is an irreversible action and clear breach of previous settings and of the agreement with the parents.

The problem is, GOS developers don't have the resources to provide child-appropriate phones, where security against the child's attempts to gain more screen time requires different approach then security against NSA trying to get at your files.

(Well, it's either that or they're just not interested)

n3t_admin

777funk pretty much. It's present on every Android phone and you can't circumvent it. Factory reset is one if its main features.

NetRunner88

Google family stuff doesn't work on GOS.

Use tinelimit.io in local mode it works OK to limit app usage.

777funk

n3t_admin

In all reality, I can check in on the phone every so often and make sure it's still GOS. There comes a point where the honor system will be the only thing stopping problems. But making it a real stretch to reach trouble is what I'm after.

777funk

n3t_admin

I believe the company Wisephone pulled it off (with their Samsung Smart Dumbphone, it is not possible to factory reset to stock android).

n3t_admin

777funk Wisephone is a complete scam that simply modifies the standard OneUI with a different launcher. Everything underneath is the same technology and can be reset through recovery, as can all Samsung phones.

Again, factory resetting a phone does not depend on the OS it's running. It just wipes the keystore and data partition to get back to a factory state.

777funk

n3t_admin

It looks to me like the usual recovery mode resets back to Wisephone's OS.
https://techless.zendesk.com/hc/en-us/articles/38477196837389-Factory-Reset-Wisephone-II

And... scam is kind of strong language. They put in the time to make a dumbed down / governed / limited version of Android. I see no problem with them charging for their service.

n3t_admin

777funk It looks to me like the usual recovery mode resets back to Wisephone's OS.

First, there is no "Wisephone's OS" - it's Samsung OneUI. They just have it enrolled in Samsung's MDM(which is very problematic for various reasons), sell it for insanely high prices and charge insanely high prices for a subscription, without which the phone will become a brick. And that's no surprise, because they have to pay Samsung every month per device. The fact that you have to buy new hardware and pay them a monthly subscription fee instead of just installing a launcher on your existing phone is the biggest indicator of the scam. It is the best definition of a scam and falls into the same category of all the other bullshit products.

Secondly, what do you think a factory reset would do? Revert the phone to stock PixelOS? Lmao. The OS has been replaced in the flashing process. Factory reset means that the phone will be like "new out of the box". Wiped of all data and settings, not magically flashed back to a different OS.

777funk

n3t_admin

I doubt it. Sure, maybe there's a way, but according to the link I posted earlier, it goes back to the OS they shipped it with (from techless) even from Android Recovery Mode. And yes, there's always a way to do almost anything with a phone if a person knows enough. But... I'm talking me or the average user, not someone who's got a degree in comp science.

And as far as what they charge, I'm not finding any real answers on how to reliably DIY what they've done. That's what I came here for. I was hoping to buy a Pixel, put GOS or Lineage on it, make some changes to control apps as desired and continue on with life. At this point, what they offer doesn't seem like a bad deal.

To me it seems like they've done a pretty good job accomplishing their goal. Within their system, I've seen very little reported on... my child found a way to get through their protections. I've seen a lot on the other hand with say Google Family Link.

DeletedUser495

777funk did you try my suggestion from the other thread or are you here to just talk crap?

n3t_admin

777funk OS they shipped it with (from techless)

Techless doesn't ship an OS, because it doesn't exist.
It's just a launcher. There is an almost unlimited amount of minimalist FOSS launchers that are the same thing.

777funk At this point, what they offer doesn't seem like a bad deal.

Perhaps you don't know or don't understand what MDM means. MDM (or mobile device management) is a technology that is usually used for business devices. This gives the admin of the MDM the ability to set policies, remote wipe, install apps, run scripts, locate, install certificates - remotely.
All you are doing, is give a shady company full access to your life. If they decided tomorrow that they don't make enough money, they could just install their own root CA on your device, rewrite your DNS to point to a malicious website and for example phish your banking credentials. You wouldn't even know, because the device is basically their property once it's enrolled.

Your only guarantee that they won't do anything nefarious is a... "trust me bro". And that's it. If you think this is in any way, shape or form comparable to GrapheneOS, I can't really help you. If you want to give control of your life to some random scamlords - go ahead. But I would advise not to downplay or promote anything they offer, because this snake oil crap is not tolerated on this forum.

Lucario1829

777funk according to the link I posted earlier, it goes back to the OS they shipped it with (from techless) even from Android Recovery Mode

so does graphene, the os is replaced. no factory reset changes a phones operating system

777funk

DeletedUser495
I replied on the other thread. If all is ok with that bit of code (I'm in the middle of looking at the source), that application does exactly what I'm hoping to do.

777funk

n3t_admin
As far as giving a shady (I don't know enough about them to say yes or no here... nor am I security aware enough to understand from a computing standpoint) company full access to my kid's life (he's signing up for it), there's really nothing to give. There's no browser. He won't be doing any business on the phone since there's really nothing there but text, phone, and a camera. His texts will be basic day to day nonsense that doesn't mean much to anyone else as will his talk and camera. So there's not much concern here. If the company were out to take banking details, they'd need to be in the smart phone business. At least with the dumbest program they offer, there sure isn't much to scam.

If there were a way to have only these limited tools (phone, text, camera) with Graphene, I'd be all for it. But that doesn't sound like it's the case or at least I've not heard that it is.

EDIT: perhaps the post above this one has more detail there. Thank you. I have used ADB long ago when I loaded Cyanogenmod on a Samsung Galaxy S (maybe S2). I remember rooting etc being painful at that point (maybe 2011 or 12).

schklom

The best way I could find without needing a commercial MDM or root is:

Install OwnDroid (https://github.com/BinTianqi/OwnDroid/blob/master/Readme-en.md)
Remove all device accounts one by one listed on Settings -> Passwords, passkeys and accounts
Enable adb in the developer settings (search how to, i don't feel like explaining that)
Make OwnDroid device-owner with adb (you can remove it anytime from within OwnDroid, click the shield icon on the top-right, then the 3 dots on the top-right, then Deactivate)
```
adb shell dpm set-device-owner com.bintianqi.owndroid/.Receiver
```
(Search how to use your computer to run that adb command)
From now, you can add your accounts again if you want.
Open OwnDroid
Click Users
Click Create user
Type a username
Do not tick "Enable all system app"
Click Create. At this point, the user is created and has only the apps App Store, Contacts, Files, Settings, Telephone.

At this point, the user can still install Play Store via the App Store.
To prevent that, open your Settings -> System -> Users -> the new user -> "App installs and updates", and set to Disabled.

You're done! The new user does not have Vanadium, and cannot install any app.

You can always add apps yourself from Settings -> System -> Users -> the new user -> "App installs and updates", and set to Enabled, then back, then "Install available apps", pick something to install, then disable app installation again.

schklom

schklom Note that having a Device-owner disables having Work Profiles and Private Spaces.
Also, this will likely disable Seedvault (system) backups. To re-enable the, open OwnDroid, go to System -> Options -> Backup service (enable it).

PS: The new user doesn't have a SMS app. Add the Graphene one "Messaging" :P

n3t_admin

777funk As far as giving a shady (I don't know enough about them to say yes or no here... nor am I security aware enough to understand from a computing standpoint) company full access to my kid's life (he's signing up for it), there's really nothing to give. There's no browser. He won't be doing any business on the phone since there's really nothing there but text, phone, and a camera. His texts will be basic day to day nonsense that doesn't mean much to anyone else as will his talk and camera. So there's not much concern here.

I'll make this clear one last time, since you still don't seem to understand this:
As the admin of that device they can do EVERYTHING with it. Imagine a hacker sits in your network. They can install malware, grant it all permissions. Spread it on the network. Listen to your conversations. Make pics of your children when they are n*de and share them on the dark web at any time.

If the company were out to take banking details, they'd need to be in the smart phone business. At least with the dumbest program they offer, there sure isn't much to scam.

They ARE! You get the same smartphone as anyone else! The only thing "dumb" about this phone, are their customers. There is a full Android OS with a rootkit running below the interface of the launcher.

I'll explain it, in really simple terms:
The phone, when you start it, is a normal Samsung phone. There is nothing else installed on it, except a device policy to check for enrollment.
When you start it, you MUST connect it to the internet (pretty much the opposite of any dumb phone), because it has to load and enable all the crap from Wisephone's MDM server. Once that connection happens, it starts the process by limiting your access to the software, while giving them full access over it.
Congratulations, you now have an overpriced bug in your house.

If this still doesn't convince you, I give up.
Btw: if you ever miss a payment, they will just turn the phone into a brick, just warning you now before you spend thousands of dollars on it.

An honest company (and not a scamming one), would just use existing hardware and install a different OS on it (like others do), where the changes are made at an OS level and not enrolled in someone's MDM.
The fact they chose this route, clearly shows they don't have good intentions.

And before you say it: you also have to trust them to not mishandle their MDM access. If they leak the keys for some reason (like not taking security seriously), the new owners of those keys will also have full access to every single Wisephone out there. That'll be fun!

raccoondad

777funk there's really nothing to give. There's no browser. He won't be doing any business on the phone since there's really nothing there but text, phone, and a camera. His texts will be basic day to day nonsense that doesn't mean much to anyone else as will his talk and camera. So there's not much concern here.

I been holding my tounge but I find it concerning you would compromise a device like that for your child if they are at the age where they need a cellphone in the first place... You may not know everything about your child's life, especially as they get older, I wouldn't really risk personal information getting out like that especially if this is going to be long term.

There is more I could say, but I find the entire thread very concerning. I'll hold off on details and zip my mouth, but I'll be the one to at least mention it.

777funk

schklom

Thank you! Sounds like one person's good workable solution. I appreciate this.

777funk

n3t_admin
Ok thanks. I never claimed to know anything about MDMs or network security. So thank you for your input there.

As far as inappropriate pictures... that's not going to happen. They'll never access that because it's not there. Maybe a picture of someone holding up a largemouth bass. Maybe someone playing pickleball. Maybe a group of friends or family. Personally, I couldn't care less if that's out there.

Another topic for another day, but I don't believe that anything on a phone is private, even with stock Android. The right people (hackers, Govts, big tech, etc) are able to access all of this same stuff and more. I won't be convinced otherwise.

n3t_admin

777funk As far as inappropriate pictures... that's not going to happen. They'll never access that because it's not there. Maybe a picture of someone holding up a largemouth bass. Maybe someone playing pickleball. Maybe a group of friends or family. Personally, I couldn't care less if that's out there.

As device owners they can simply install an app that will launch the camera and start taking pictures. As I said, they can do everything with that phone. I mean LITERALLY everything you could as well. The only way to prevent that, would be to physically remove the cameras and microphones from the hardware.

n3t_admin

777funk The right people (hackers, Govts, big tech, etc) are able to access all of this same stuff and more. I won't be convinced otherwise.

They can't and it would be extremely difficult to exploit a system in a way that would grant adversaries the same rights as an MDM admin.