Hello everyone!
I'm very new to all the security / privacy information, so please don't be too hard on me - any help is very appreciated.
Problem
I'm looking into buying Pixel 9 and installing GrapheneOS, because...well my country is Russia, which is anarcho-tyranny, that clearly wants to turn itself into even harder China-style model of total surveillance.
But i'm seeing some potential complications with recent laws, that as far as i understand, may have just introduced some forced spyware, hence few questions i try to find answers for, before any attempts to buy device.
Starting from September 1, 2025, pre-installation of government apps will be mandatory for all smartphones, tablets, computers, smart-TVs sold in Russia:
- RuStore (The Russian app store)
- MAX messenger (what they plan to make as a "super-app" forced on everyone, Chinese WeeChat style)
- Госуслуги (public services, again government service to do "everything")
- Domestic search engines
- Russian Social networks
- «Мир» payment system
Needless to say that all of this is obviously government spyware.
It's very hard to say how exactly those laws will function and who exactly will be responsible to install all that crap in anarcho-tyranny state, they promise some penalties to smartphone manufacturers and sellers for not following their law, so i assume that's their plan, which in reality could turn very loosely "forced".
However, seeing trajectory of their moves - let's assume worst case (for sake of questions):
All smartphones that are available outside of black market are forced to be handled by FSB agents.
What we know for a fact:
Most of those apps require government trusted CA and silently install that CA root certificate in order to work. As far as i understand, any poisoned CA can basically snoop and MiTM all internet traffic.
Also, there are some scary articles about plans to have a government IMEI-registry tied to government ID of all devices in the future.
Question 1
Before GrapheneOS installation, how will government trusted CA look inside Google Android, will it be recognized as System or User certificate?
How to remove it?
Question 2
I would like to not give those government snoops a chance in leaking any information about device before / during GrapheneOS installation, as far as reading installation instructions, my assumptions are:
- Physically not connect to the internet and not insert SIM, set Airplane mode.
- Remove all government spyware apps that i can find.
- Remove all known Government root CAs, so that when i am forced to connect to the internet to enabled OEM unlocking hopefully no data / metadata will be leaked or traffic won't be tampered with.
- Reboot.
- Connect to Torrified Wi-Fi network, enable OEM unlocking.
- Proceed to install GrapheneOS.
Will this be enough for the task?
Have i missed anything?
Question 3
Is there any chance that government agents can pre-install some persistent zero-click spyware somewhere deeper than OS?
Perhaps like Bootloader or some Firmware?
How to check and protect from such cases, if that's possible at all?
Question 4
Regarding potential future for all devices IMEI-registry, as far as i understand, basically the only way not to become a tagged cattle would be to buy devices only through distant relatives / friends / drops and pray to never get caught by cops?