Rate My GOS Setup [Infosec Nerd]

ZeppelinAmenity

As the title states, what are your thoughts on the following setup?

**Current Phone**
    • Pixel 9 (want to upgrade when EMTE/FEAT_MTE4 becomes available)
    • GrapheneOS latest Stable channel with Security Preview Releases enabled
    • Major US mobile carrier pre-paid. Signed up with junk info in person (no ID checks) and buy top-up cards with cash at grocery stores. Rarely give out this number.
        ◦ I looked into Cape but I don’t think it provides all that much benefit, especially for the cost. Looking to move to JMP.Chat data only eSIM and phone numbers for call/SMS through their PSTN-to-XMPP bridge. US prepaid debit cards don’t work though because they’re in Canada, but crypto and Privacy.com are options.
    • OS language set to English (US) because I read somewhere that it’s listed in handset to teleco traffic (not sure if just OTA or also SS7) – so I figure if you use a rare language for a particular area, you could stick out.

**Main Profile (no Play Services, no Google app network permissions)**
    • System Settings
        ◦ Network and Internet
            ▪ Preferred Network Type: 5G or LTE only (reduce effectiveness of IMSI-catchers/Stingrays)
            ▪ Protection from 2G
            ▪ Internet Connectivity Checks: Off
            ▪ VPN: RethinkDNS (Always On, Block connections without VPN)
        ◦ Apps
            ▪ Grant special access to hardware accelerator to Google apps: Enabled (needed for Google Camera app)
        ◦ Wallpaper and Theme
            ▪ Additional Lock Screen Settings – Notifications on Lock Screen – Show Private Info: Off
        ◦ Security and Privacy
            ▪ Unlock Device
                • Long-ass passphrase for BFU, Fingerprint+PIN for AFU (power down when crossing a border or getting pulled over, _especially_ if you have nothing to hide – normalize not being a boot-licker - just backup your data in case CBP takes your shit and doesn’t give it back)
            ▪ Exploit Protection
                • Auto Reboot: 4 hours
                • USB-C Port: Charging-only when locked
                • Turn off Wi-Fi automatically: 2 minutes
                • Turn off Bluetooth automatically: 5 minutes
                • Memory Tagging: Enabled by default
                • Native Code Debugging: Blocked by default
                • WebView JIT: Disabled by default
                • Dynamic Code Loading via Memory: Restricted by default
                • Dynamic Code Loading via Storage: Restricted by default
                • Secure App Spawning: Enabled
            ▪ Extra
                • Notifications on Lock Screen – Show private info: Off
                • Allow Sensors Permission to App by Default: Off
                • Save Screenshot Timestamp to EXIF: Off
                • Encryption and Profile Data – Trusted Certificates: (disable any you don’t normally come across and/or from countries you might not trust like China, India, Turkey, Taiwan [they’re not bad but people seem to like to steal their root CAs], etc.)
                • Notify About System Process Crashes: On (crashes are a possible sign of unstable exploit attempt)
                • Automatic Exploit Protection Compatibility Mode: Off
        ◦ Location:
            ▪ SUPL / PSDS: GrapheneOS proxy
    • Signal (account not linked to any other devices, GOS app sandbox is way better than any laptop/desktop that isn’t a single-purpose VM on a trusted hypervisor)
        ◦ Account – Registration Lock – long-ass password (not just numbers)
        ◦ Chats – Create Link Previews: Off
        ◦ Privacy – Disappearing Messages Default Timer: 4 weeks
        ◦ Data and Storage – Automatically Download Media: (none - might prevent zero-click exploits like in image parsers)
    • Molly (similar to Signal settings above, linked to laptop as shared clipboard)
    • Accrescent
    • Aurora Store (anonymous login)
    • F-Droid
    • Cryptomator
        ◦ Additional virtual encrypted filesystem for rarely accessed files for additional protection
    • GBoard (no permissions, especially network)
    • Google Camera (camera/mic/sensors/storage scopes, no network)
    • Google Clock (notifications/sensors, no network)
    • Google Markup [GOS App Store] (no network)
    • Google Photos (storage scopes, no network)
    • Google Files (none, no network)
    • KeePassXD (make sure KDF is argon2)
    • OsmAnd~ (great FOSS offline maps and navigation)
    • RethinkDNS (nightly from GitHub, earlier versions can be unstable)
        ◦ Settings / App
            ▪ Block: Ad Privacy, ANDROID, Android Services Library, Camera, CameraExtentionsProxy, Clock, com.google.*, Gboard, IntentResolver, Markup
        ◦ Settings / DNS
            ▪ Block Lists On Device: (choose all the ones you want)
            ▪ Prevent DNS Leaks: On
        ◦ Settings / Firewall
            ▪ Universal Firewall Rules: Block when source app unknown (On), Block upon DNS bypass (On), Block recently installed apps by default (On), Block port 80 insecure HTTP (On), Block UDP except for DNS and NTP (Off – needed for Signal calls)
        ◦ Settings / Proxy
            ▪ Wireguard to commercial VPN set up – always on, block bypass
        ◦ Regularly check activity log for DNS queries and IP connections/GeoIP countries you’re not expecting from various apps. If something tingles your spidy senses, search it in VirusTotal. You can also whitelist/blacklist domains on a per-app basis.
    • Retro Music (all my music is local, streaming seems dumb)
    • Vanadium
        ◦ Search Provider: DuckDuckGo
        ◦ Privacy and Security
            ▪ Cross-origin referrer policy: Reduce cross-origin referrer
            ▪ WebRTC IP handling policy: Disable non-proxied UDP
            ▪ SafeBrowsing: Disabled (to not send URLs to Google)
            ▪ Always use secure connections: Warn about insecure public and private sites
            ▪ Use secure DNS: (Off – we want system DNS via local RethinkDNS resolver)
        ◦ Password manager: Off
        ◦ Payments and Addresses: Off
        ◦ Site settings: block all in permissions settings, allow Javascript but block JIT/3rd Party Login/Ads
        ◦ chrome://flags (idea is threat surface reduction and enhanced privacy, not 100% sure all of these do so but seems like they do)
            ▪ Accelerate 2D canvas: disabled
            ▪ Experimental WebAssembly Shared-Everything Threads: Disabled
            ▪ WebAssembly lazy compilation: Disabled
            ▪ Future V8 VM features: Disabled
            ▪ GPU rasterization: Disabled
            ▪ Hardware-accelerated video encode: Disabled
            ▪ TLS 1.3 Early Data: Enabled
            ▪ Strict-Origin-Isolation: Enabled
            ▪ Tracking Protection for 3PCD: Enabled
            ▪ Reduce Accept-Language request header and JavaScript navigator.languages: Enabled
            ▪ Enable Fingerprinting Protection Blocklist In Regular Browsing: Enabled
            ▪ Enable Fingerprinting Protection Blocklist In Incognito: Enabled
            ▪ Language detection web platform API: Disabled
            ▪ Signature-based Integrity Checks: Enabled 
            ▪ Block Cross Partition Blob URL Fetching: Enabled
            ▪ HTML-in-Canvas: Disabled
            ▪ Enable Cross-Device Pref Tracker: Disabled

**“Bank” Profile (Play Services)**
    • All my bank apps work, I just need to 2FA every time because it won’t “remember” as trusted
    • AOSP keyboard instead of Gboard on this profile since it has Play Services

The biggest thing I think is worth comparing is the main profile has a lot of individual Google apps but no network permissions for any of them and no Play Services. Because of inter-app communication by mutual agreement, having one Google app in a profile with network permissions could relay the telemetry from all the other apps to Google services. For that reason, in my “Bank” profile, I use the AOSP keyboard because I wouldn’t put it past Google to exfil every keystroke from Gboard if it could (I have no evidence of this but I’ll just assume they would if they could). Another thing I noticed when reviewing the RethinkDNS logs is the Android IntentsResolver was bleeding DNS queries to Google domains before I blocked it. Not sure if apps would try to use it to exfil data by encoding it into DNS queries.

Did I miss anything? Did anyone find this helpful? I know some of it was a little hand-wavy over some of the topics but feel free to chime in if you have any more info.

EDIT: fixed bullet point hierarchy with code block

Freedomain

ZeppelinAmenity
I suspect I have had some issues with cheogram app itself via certain pictures being sent through it.

eggy

ZeppelinAmenity

I dig it.
Why Signal instead of Molly with self-hosted mollysocket + ntfy server + ntfy client? It's more private.
I'm assuming you live in a country where banks require play services? Why not use their mobile sites via Vanadium to greatly simplify your setup?
Why F-Droid and not Obtanium? Obtanium can download from fdroid for the few apps that don't publish .apks to their repo.

unsaltedsanctionsnowdrop

ZeppelinAmenity literally meaningless without a threat model. You can enjoy the aesthetic of being an "infosec nerd" but if you can't threat model that's all it is.

I'm not saying this to be mean, hopefully you take something away from this comment that leads you down a better path. If not, hopefully someone else reading it will.

gMan

ZeppelinAmenity I looked into Cape but I don’t think it provides all that much benefit, especially for the cost.

if privacy and security are important to you, i highly suggest looking into Cape deeper and watching interviews with its founder (i'm being lazy but i'll link videos if you ask)

granted, Cape is not a perfect solution - like any VPN, there is no guarantee of trust - but i'm very comfortable in stating that i have far more confidence in Cape than any other carrier - they own the core of the network and this provides them with a lot of control over privacy and security

as for cost, they have a great affiliate program - $10 off for every referral - refer 10 people and ... well, do the math

Freedomain

Great write up, I just attempted a similar thread and realized I left out a lot. Thanks!

ZeppelinAmenity

eggy

Why Signal instead of Molly with self-hosted mollysocket + ntfy server + ntfy client? It's more private.

I do use Molly so I can have 2 "Signal" accounts within a profile (Signal official app and Molly). The database encryption approaches are a tradeoff though, with Signal slightly better for protecting against remote high-end spyware from dumping the whole DB while Molly is more optimized to protect the DB's key from offline forensics (like a Cellebrite machine). If malware can escape the sandbox (SBX), escalate privileges (LPE), and pull the key to the message database from the secure enclave (TEE/Strongbox) thus defeating Signal's DB protection, it can more easily just hook into your keystrokes typing in the DB password and offline decrypt the database remotely to defeat Molly's protection. Also, since I set my auto-reboot timer to 4 hours, and don't want to type in a strong password for Molly every time I open it, the trade-offs skew pretty heavily one way for me.

Less important but to me but still worth mentioning, adding another middleman between Signal's source code and me is trusting an additional party that doesn't need to be there. Of course you can argue it's open-source, has reproducible builds, etc. but I'm not personally reading every commit and verifying every build, and distribution channels can be fallible.

For notifications, I just use Signal's websocket-based notifications. Battery life is still fine for me and they're the only notifications I care to get anyway. Running my own notification server would just be opening up an internet-facing port to my homelab or, if using a VPS, at the very least making my phone constantly call out to an IP tied specifically to me, increasing traceability and correlating static and dynamic identifiers at various points in the network.

I'm assuming you live in a country where banks require play services? Why not use their mobile sites via Vanadium to greatly simplify your setup?

I guess the US does? Multiple bank apps of mine wouldn't open without Play Services, even with exploit compatibility settings configured. They work fine with it installed though. I would definitely prefer browser-based, but I can't do mobile check deposit without the app, certain investment and transfer options aren't available, and the web experience is degraded in areas with poor coverage/network performance because more remote web assets are downloaded each request instead of the UI elements being stored and rendered locally.

Why F-Droid and not Obtanium? Obtanium can download from fdroid for the few apps that don't publish .apks to their repo.

I'd heard of Obtanium but hadn't looked much into it until you mentioned it. Looks like a much better alternative though, thanks for the recommendation! I was planning on using AppVerifier lately but was putting off having to hunt down all the signing certificate fingerprint hashes - but looks like Obtanium helps with that.

nologo

We cannot 'rate' this set-up, because we don't know anything about your threat model and/or the specific goals you try to achieve.
You may want to search this forum for information about using Aurora and F-droid.

eggy

ZeppelinAmenity You must be the enemy of the state to worry about the type of state-level malware that you're describing here. The odds of running into that type of zero-day stacking malware to crack through GOS to get your Signal DB is basically 0.

ZeppelinAmenity at the very least making my phone constantly call out to an IP tied specifically to me, increasing traceability and correlating static and dynamic identifiers at various points in the network.

I've never considered this. My thinking was that self-hosting was a great pro for privacy, but I think you're correct and it actually has the exact opposite effect to put a spotlight on me as I am constantly connecting to unique URLs. I now think that it's much better to just blend into the crowd and use all the public E2EE options available.

AcclaimSublevel19

ZeppelinAmenity I was planning on using AppVerifier lately but was putting off having to hunt down all the signing certificate fingerprint hashes - but looks like Obtanium helps with that.

Obtainium doesn't make finding hashes easier. It only downloads, installs and updates apps. Its relation to AppVerifier is that it just opens the app for you to verify before installing. You still have to manually find hashes and it's hard because very few developers publish them. There are a few threads on this forum where users compare hashes for other apps, but that's about it.

ZeppelinAmenity

eggy

You must be the enemy of the state to worry about the type of state-level malware that you're describing here. The odds of running into that type of zero-day stacking malware to crack through GOS to get your Signal DB is basically 0.

I at least hope I'm not "enemy of the state"-level, but there's a lot of countries with really long shit-lists, and you never really fall off them if you get on one. Best you can hope for is falling to the bottom. But more importantly, and more the topic I'm interested in here, is that the availability and use of high-end spyware has exploded over the past decade. The biggest shift is more actors have access to them, while another big shift is more of a "use it while you got it" approach in comparison to the previous "Million Dollar Dissident" reserved for the highest priority targets.

Taking a step back, leaks show that the predominant method used by gov/LE prior to the mid-2010's widespread adoption of E2EE was passive bulk collection of plaintext messages (through lawful intercept in telecos, tech provider cooperation, or breaking into a service provider's network). While metadata is certainly useful, some legitimate LE/gov efforts were hampered by E2EE. So would the world's governments just give up? Of course not, especially when companies can make a huge profit selling exploits and toolkits to them. On one hand, I think this change is good because for message plaintexts to be read by outside actors they have to pay for the rare tools and take the effort to go through all the effort to exploit your devices and analyze what they extract for each target compared to the previous passive bulk collection that collects against everyone by default. On the other hand though, mobile exploitation was a lot more limited and efforts generally went more into breaking into nation-state adversary enterprise networks. Now that many chat apps are E2EE, the only way to really read the messages is a mobile app or OS exploit chain. So as the "need" grew, the capabilities shifted from being reserved for only infrequent nation-state spycraft to even small countries with questionable human rights and oversight (see the list of Pegasus users) using them somewhat frequently in criminal investigations but also for oppression of journalists and activists.

While it used to be a few hush-hush defense contractors selling exclusively to the top tier governments, the industry has now exploded with both formal Vulnerability Researcher positions openly posted all over job boards in multiple countries and underground/gray market resellers. Also, as defenses have increased, so too has the availability of knowledge for getting into binary exploitation and exploit development, opening up the field. In addition to developing them yourself, capturing them from adversaries and reusing them surely happens too. When Kaspersky captured "4 zero-days, 2 checkers, an implant, and its modules" from an NSA-like adversary in Operation Triangulation, do you think there's any chance those weren't passed to Russian intelligence and reused months before public disclosure? Even ICE's little-dick fascists can use Paragon spyware again.

Even more likely than catching Paragon after pissing off some douche who got a badge and a $50k bonus to beat and shoot US citizens along with harassing minorities - is the crazy phenomenon of indiscriminate high-grade watering hole exploit attacks by China on compromised websites like a Uighur diaspora site in 2019 and Hong Kong democracy movement sites in 2021 which have both been deemed "a paradigm shift" in the rampant and automated use of zero-days against desktop and mobile with no selective targeting. I might've actually been caught up in that second one when I was following the events back then from primary sources only a bit deeper than the main headlines.

Probably the most worrying capabilities of mobile spyware though is that it can transmit your constant geolocation, activate the microphone to record in-person conversations (even while in your pocket), record audio calls (even E2EE), and allow exploiting other devices from within a local network. These are key abilities that a post-seizure forensic analysis can't provide. So compared to the 55,000 warrantless phone searches in 2024 (but likely higher in 2025) by CBP at the border to see if anyone said anything bad about Trump, I'm a bit more worried about the remote spyware floating all round the world than a phone seizure and forensic analysis (even though those are only US border crossing numbers and don't include FBI, state, and local authorities).

That's not to say I necessarily think my threat level is high enough to be specifically targeted by any of these threats, but I'm a hobbyist infosec nerd trying to see what's the most secure setup I can get while having a good bit of tolerance for inconvenience. Also, I recognize none of the above referenced exploits mention GOS, which is why I'm using it :)

Some good additional reading on exploits/spyware are Google's Buying Spying report (Google has good security because they want to make sure they're the only ones who can spy), the Atlantic Council's Mythical Beasts report and interactive, and ETH Zurich's From Vegas to Chengdu and Before Vegas reports.

eggy

ZeppelinAmenity Seeing stuff like https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation is what makes me think that by using GOS with its malloc_harden'ing and expanded MTE support, we're faaaar less likely to get compromised than the average user although you never know.

Your previous reply about network sniffing of unique URLs really got me to go down a deep rabbit hole. I've now also switched to rely solely on WebSockets for my Signal push notifications, which I also think is much better as you can blend into a large crowd of Signal users. However, not getting push notifications for some other things was an inconvenience for me.

I used to get some push notifications from my Home Assistant system via UnifiedPush, but in the last day I've migrated it to use signal-cli (via existing addon) to send Signal messages to myself (from my self) instead. I now think that this is an amazing pattern of usage for the truly paranoid among us. I realize this is a super niche idea with maybe dozens of potential tinfoil hat users worldwide, but I now want to create an Android UP distributor app + self-hostable proxy server to translate UP notifications into messages for a user's Signal group(s). This way you never have to connect to an UP server from your phone and all the push notifications can go strictly through chat.signal.com which is widely used already.

Upstate1618

WiFi preferences
Private Space
Device Controller
Device Admin and Trusted Agent
Special App Permissions
Developer Options(off) OEM UNLOCKING(off)
Vanadium flags(don't set them)
App Quick Tiles(remove if usable while locked)

Upstate1618

NFC UWB and other Connection preferences
MDM or Device Management services
Screen timeout time
Use Google Play to keep google apps updated

VMulciber

gMan I have read some places (like reddit) that are hesitant with Cape, claiming it's a potential honeypot. Do you have any resources that could help me?

gMan

VMulciber personally i think that's whole lot of bovine excrement and the reason i think that is because i've gone through their website pretty thoroughly and listened to interviews with their founder who i find to be genuine and ethical - additionally, they sell Pixels with GOS preinstalled if you want and i think that's worth another point or two - i would also say that i'm not aware of any tangible evidence to back the honeypot claims

that said, Cape isn't a perfect company - the founder used to work for Palantir and their client app is closed source for the moment (they told me they're considering releasing the source, but it's still under development - they've been pushing updates about twice a month or so)

on the Palantir thing, that's very much a double edge sword in my view; it could be seen as bad because Palantir is an evil company, at least to an extent ... but on the other hand, being that Palantir caters to government/DoD, and since it appears many high-risk government people use Cape, and given the founders patriotism and obvious interest in keeping government/military people safe, that equates to safety for the rest of us

there isn't a single carrier that ticks all the privacy and security boxes that i'm aware of, but i really think Cape comes the closest - one thing i DO NOT like is that, for the time being, you have to have the Play Store installed (GOS's proxy) to be notified of voice mails because the Cape app uses push notifications (voice mail is encrypted, so you can only get it through their app) - i suggested they eliminate this dependency and they welcomed my input, but we'll have to see if they implement the change

lastly, if you haven't read my article, i recommend you do - there's links there to some of the more important parts of Cape's website, as well as 1 or 2 links to interviews with the founder

gMan

VMulciber another thing perhaps worth mentioning, and this is just my current opinion; aren't all the mainstream MNO's and MVNO's honeypots insomuch as they cannot be trusted at all? at least Cape owns the network core and that provides them with a lot of room to maneuver that no other MVNO enjoys, at least not that i've found

so either Cape is a very well crafted and very dangerous honeypot ... or they really give a hoot about customer privacy and security and i think they make a pretty solid case for the latter ......... then again, the Israeli's spent a very long time designing, forming companies and supply chains, manufacturing, marketing, and selling pagers to Hezbollah, so i guess we can all be fooled if the fooler is convincing enough

de0u

VMulciber I have read some places (like reddit) that are hesitant with Cape, claiming it's a potential honeypot.

What sort of evidence would be convincing at proving something is not a honeypot?

Clearly once evidence of collusion is uncovered in some case then that thing was a honeypot. But it's hard to "prove" that a current absence of evidence means there is no evidence to be uncovered.

As the saying goes, "Absence of evidence is not evidence of absence".

VMulciber

gMan I really do appreciate you taking the time to reply. I will read your article later. Thank you!

gMan

VMulciber sure thing! just keep in mind that i'm no tech/privacy/security expert - just a guy who's 1/2 decent at doing research