GrapheneOS Hardened OpSec Multi-Profile Setup

DeletedUser471

¿ideas?

Lucario1829

DeletedUser471 in my opinion youre doing way too much, just the owner profile is good enough for like 90% of users and i cant see any reason to go above like 3. but i mean if youre having fun im not gonna stop you lol

DeletedUser471

Lucario1829 and that is wrong because owner profile is better used as installer profile, at least because there is no IPC scopes yet, so any app signed by google play store with network connection is at risk of IPC communication. the idea is to use google camera, photo, whatever google app and any other app downloaded from play market without network connection in the profile with no google play services or with them but without network permission and only give network permission to open source apps recognised as no IPC hole and ideally that are signed by developer keys (i.e. not fdroids insecure build environment), and to use this proprietary apps with network access that can leak via IPC in secondary profile or in private space of main profile (not owner) for convenience. but there are other reasons mentioned why you don't want to give owner profile passphrase to attacker like data lanes of usb port and adb access, which are not available in secondary profile.

this setup is actually a plausible deniability/security/privacy mix for many edge cases and actually is important in violent locations.

once you understand limits of today's grapheneos (for example absence of IPC scopes and decoy profile) you'll understand this concept and will see that it is actually simple.

Starch

After me taking the discipline to read the whole set up above, he mentioned bfu when end the user but i always told bfu is about the hole phone bfu a ended session of user has nothing to do with that am I correct or does a end session for user is that asswrll?

DeletedUser471

Starch end session acts just like bfu of main user

Elgoog

DeletedUser471 Are IPC scopes in the works, or at least on the horizon?

DeletedUser471

DeletedUser471 the idea is to use google camera, photo, whatever google app and any other app with network permission* downloaded from play market in the profile with no google play services or with them but without network permission

sorry my bad. I meant only open source apps with network permission are allowed to use in the profile with apps without network permission from play market, but keep in mind that is only for high tier threat model where user can be targeted by state–level adversary and backdoored app can be pushed to target with google play market signing keys, if you don't believe that IPC leak itself is a thing.

DeletedUser471

end session acts just like bfu of owner* user

de0u

Elgoog Are IPC scopes in the works, or at least on the horizon?

I don't speak for the GrapheneOS project. But my hunch is that such a feature will not arrive in 2026.

fingerprintingenthusiast

This is marvelous.

1qkv9ddu3so2irvz

So when you are outdoors and you receive a message, you always have to enter the strong passphrase to see the text message?
Isn't this very annoying?
What if you want to read the text message in an area with surveillance cameras, where your strong passphrase might be leaked?

DeletedUser471

1qkv9ddu3so2irvz
Outdoor #2 for messenger while outdoor is indeed marked as same same strong passphrase as Main #1 and Main #2, but it's just for easiness of understanding this concept and, yes, you are correct, for even better security to not leak Passphrase from Main #1 and Main #2 one better use different Simple or Strong Passphrase or just Fingerprint + different PIN with scramble for Outdoor #2.

DeletedUser471

PIN + Fingerprint layer addition:

Main #1, Main #2, Outdoor #2: Strong Passphrase #2 / PIN + Fingerprint, different Outdoor #2 PIN + Fingerprint

Outdoor #1: Simple "000008" / only Fingerprint