Rate My GOS Setup [Infosec Nerd]

ZeppelinAmenity

As the title states, what are your thoughts on the following setup?

**Current Phone**
    • Pixel 9 (want to upgrade when EMTE/FEAT_MTE4 becomes available)
    • GrapheneOS latest Stable channel with Security Preview Releases enabled
    • Major US mobile carrier pre-paid. Signed up with junk info in person (no ID checks) and buy top-up cards with cash at grocery stores. Rarely give out this number.
        ◦ I looked into Cape but I don’t think it provides all that much benefit, especially for the cost. Looking to move to JMP.Chat data only eSIM and phone numbers for call/SMS through their PSTN-to-XMPP bridge. US prepaid debit cards don’t work though because they’re in Canada, but crypto and Privacy.com are options.
    • OS language set to English (US) because I read somewhere that it’s listed in handset to teleco traffic (not sure if just OTA or also SS7) – so I figure if you use a rare language for a particular area, you could stick out.

**Main Profile (no Play Services, no Google app network permissions)**
    • System Settings
        ◦ Network and Internet
            ▪ Preferred Network Type: 5G or LTE only (reduce effectiveness of IMSI-catchers/Stingrays)
            ▪ Protection from 2G
            ▪ Internet Connectivity Checks: Off
            ▪ VPN: RethinkDNS (Always On, Block connections without VPN)
        ◦ Apps
            ▪ Grant special access to hardware accelerator to Google apps: Enabled (needed for Google Camera app)
        ◦ Wallpaper and Theme
            ▪ Additional Lock Screen Settings – Notifications on Lock Screen – Show Private Info: Off
        ◦ Security and Privacy
            ▪ Unlock Device
                • Long-ass passphrase for BFU, Fingerprint+PIN for AFU (power down when crossing a border or getting pulled over, _especially_ if you have nothing to hide – normalize not being a boot-licker - just backup your data in case CBP takes your shit and doesn’t give it back)
            ▪ Exploit Protection
                • Auto Reboot: 4 hours
                • USB-C Port: Charging-only when locked
                • Turn off Wi-Fi automatically: 2 minutes
                • Turn off Bluetooth automatically: 5 minutes
                • Memory Tagging: Enabled by default
                • Native Code Debugging: Blocked by default
                • WebView JIT: Disabled by default
                • Dynamic Code Loading via Memory: Restricted by default
                • Dynamic Code Loading via Storage: Restricted by default
                • Secure App Spawning: Enabled
            ▪ Extra
                • Notifications on Lock Screen – Show private info: Off
                • Allow Sensors Permission to App by Default: Off
                • Save Screenshot Timestamp to EXIF: Off
                • Encryption and Profile Data – Trusted Certificates: (disable any you don’t normally come across and/or from countries you might not trust like China, India, Turkey, Taiwan [they’re not bad but people seem to like to steal their root CAs], etc.)
                • Notify About System Process Crashes: On (crashes are a possible sign of unstable exploit attempt)
                • Automatic Exploit Protection Compatibility Mode: Off
        ◦ Location:
            ▪ SUPL / PSDS: GrapheneOS proxy
    • Signal (account not linked to any other devices, GOS app sandbox is way better than any laptop/desktop that isn’t a single-purpose VM on a trusted hypervisor)
        ◦ Account – Registration Lock – long-ass password (not just numbers)
        ◦ Chats – Create Link Previews: Off
        ◦ Privacy – Disappearing Messages Default Timer: 4 weeks
        ◦ Data and Storage – Automatically Download Media: (none - might prevent zero-click exploits like in image parsers)
    • Molly (similar to Signal settings above, linked to laptop as shared clipboard)
    • Accrescent
    • Aurora Store (anonymous login)
    • F-Droid
    • Cryptomator
        ◦ Additional virtual encrypted filesystem for rarely accessed files for additional protection
    • GBoard (no permissions, especially network)
    • Google Camera (camera/mic/sensors/storage scopes, no network)
    • Google Clock (notifications/sensors, no network)
    • Google Markup [GOS App Store] (no network)
    • Google Photos (storage scopes, no network)
    • Google Files (none, no network)
    • KeePassXD (make sure KDF is argon2)
    • OsmAnd~ (great FOSS offline maps and navigation)
    • RethinkDNS (nightly from GitHub, earlier versions can be unstable)
        ◦ Settings / App
            ▪ Block: Ad Privacy, ANDROID, Android Services Library, Camera, CameraExtentionsProxy, Clock, com.google.*, Gboard, IntentResolver, Markup
        ◦ Settings / DNS
            ▪ Block Lists On Device: (choose all the ones you want)
            ▪ Prevent DNS Leaks: On
        ◦ Settings / Firewall
            ▪ Universal Firewall Rules: Block when source app unknown (On), Block upon DNS bypass (On), Block recently installed apps by default (On), Block port 80 insecure HTTP (On), Block UDP except for DNS and NTP (Off – needed for Signal calls)
        ◦ Settings / Proxy
            ▪ Wireguard to commercial VPN set up – always on, block bypass
        ◦ Regularly check activity log for DNS queries and IP connections/GeoIP countries you’re not expecting from various apps. If something tingles your spidy senses, search it in VirusTotal. You can also whitelist/blacklist domains on a per-app basis.
    • Retro Music (all my music is local, streaming seems dumb)
    • Vanadium
        ◦ Search Provider: DuckDuckGo
        ◦ Privacy and Security
            ▪ Cross-origin referrer policy: Reduce cross-origin referrer
            ▪ WebRTC IP handling policy: Disable non-proxied UDP
            ▪ SafeBrowsing: Disabled (to not send URLs to Google)
            ▪ Always use secure connections: Warn about insecure public and private sites
            ▪ Use secure DNS: (Off – we want system DNS via local RethinkDNS resolver)
        ◦ Password manager: Off
        ◦ Payments and Addresses: Off
        ◦ Site settings: block all in permissions settings, allow Javascript but block JIT/3rd Party Login/Ads
        ◦ chrome://flags (idea is threat surface reduction and enhanced privacy, not 100% sure all of these do so but seems like they do)
            ▪ Accelerate 2D canvas: disabled
            ▪ Experimental WebAssembly Shared-Everything Threads: Disabled
            ▪ WebAssembly lazy compilation: Disabled
            ▪ Future V8 VM features: Disabled
            ▪ GPU rasterization: Disabled
            ▪ Hardware-accelerated video encode: Disabled
            ▪ TLS 1.3 Early Data: Enabled
            ▪ Strict-Origin-Isolation: Enabled
            ▪ Tracking Protection for 3PCD: Enabled
            ▪ Reduce Accept-Language request header and JavaScript navigator.languages: Enabled
            ▪ Enable Fingerprinting Protection Blocklist In Regular Browsing: Enabled
            ▪ Enable Fingerprinting Protection Blocklist In Incognito: Enabled
            ▪ Language detection web platform API: Disabled
            ▪ Signature-based Integrity Checks: Enabled 
            ▪ Block Cross Partition Blob URL Fetching: Enabled
            ▪ HTML-in-Canvas: Disabled
            ▪ Enable Cross-Device Pref Tracker: Disabled

**“Bank” Profile (Play Services)**
    • All my bank apps work, I just need to 2FA every time because it won’t “remember” as trusted
    • AOSP keyboard instead of Gboard on this profile since it has Play Services

The biggest thing I think is worth comparing is the main profile has a lot of individual Google apps but no network permissions for any of them and no Play Services. Because of inter-app communication by mutual agreement, having one Google app in a profile with network permissions could relay the telemetry from all the other apps to Google services. For that reason, in my “Bank” profile, I use the AOSP keyboard because I wouldn’t put it past Google to exfil every keystroke from Gboard if it could (I have no evidence of this but I’ll just assume they would if they could). Another thing I noticed when reviewing the RethinkDNS logs is the Android IntentsResolver was bleeding DNS queries to Google domains before I blocked it. Not sure if apps would try to use it to exfil data by encoding it into DNS queries.

Did I miss anything? Did anyone find this helpful? I know some of it was a little hand-wavy over some of the topics but feel free to chime in if you have any more info.

EDIT: fixed bullet point hierarchy with code block

Freedomain

ZeppelinAmenity
I suspect I have had some issues with cheogram app itself via certain pictures being sent through it.

eggy

ZeppelinAmenity

I dig it.
Why Signal instead of Molly with self-hosted mollysocket + ntfy server + ntfy client? It's more private.
I'm assuming you live in a country where banks require play services? Why not use their mobile sites via Vanadium to greatly simplify your setup?
Why F-Droid and not Obtanium? Obtanium can download from fdroid for the few apps that don't publish .apks to their repo.

unsaltedsanctionsnowdrop

ZeppelinAmenity literally meaningless without a threat model. You can enjoy the aesthetic of being an "infosec nerd" but if you can't threat model that's all it is.

I'm not saying this to be mean, hopefully you take something away from this comment that leads you down a better path. If not, hopefully someone else reading it will.

gMan

ZeppelinAmenity I looked into Cape but I don’t think it provides all that much benefit, especially for the cost.

if privacy and security are important to you, i highly suggest looking into Cape deeper and watching interviews with its founder (i'm being lazy but i'll link videos if you ask)

granted, Cape is not a perfect solution - like any VPN, there is no guarantee of trust - but i'm very comfortable in stating that i have far more confidence in Cape than any other carrier - they own the core of the network and this provides them with a lot of control over privacy and security

as for cost, they have a great affiliate program - $10 off for every referral - refer 10 people and ... well, do the math

Freedomain

Great write up, I just attempted a similar thread and realized I left out a lot. Thanks!

Winston

Freedomain i haven't had any issues with pictures via Cheo, however calls have been unreliable. ALTHOUGH, i think a lot, if not most, is due to my service and not all on jmp/cheo. I really like them and wouldn't hesitate to recommend. Especially like OP's case, i would keep the major provider for now but go ahead and start testing jmp/cheo. If you like it and works well, then consider getting their esim

ZeppelinAmenity

eggy

Why Signal instead of Molly with self-hosted mollysocket + ntfy server + ntfy client? It's more private.

I do use Molly so I can have 2 "Signal" accounts within a profile (Signal official app and Molly). The database encryption approaches are a tradeoff though, with Signal slightly better for protecting against remote high-end spyware from dumping the whole DB while Molly is more optimized to protect the DB's key from offline forensics (like a Cellebrite machine). If malware can escape the sandbox (SBX), escalate privileges (LPE), and pull the key to the message database from the secure enclave (TEE/Strongbox) thus defeating Signal's DB protection, it can more easily just hook into your keystrokes typing in the DB password and offline decrypt the database remotely to defeat Molly's protection. Also, since I set my auto-reboot timer to 4 hours, and don't want to type in a strong password for Molly every time I open it, the trade-offs skew pretty heavily one way for me.

Less important but to me but still worth mentioning, adding another middleman between Signal's source code and me is trusting an additional party that doesn't need to be there. Of course you can argue it's open-source, has reproducible builds, etc. but I'm not personally reading every commit and verifying every build, and distribution channels can be fallible.

For notifications, I just use Signal's websocket-based notifications. Battery life is still fine for me and they're the only notifications I care to get anyway. Running my own notification server would just be opening up an internet-facing port to my homelab or, if using a VPS, at the very least making my phone constantly call out to an IP tied specifically to me, increasing traceability and correlating static and dynamic identifiers at various points in the network.

I'm assuming you live in a country where banks require play services? Why not use their mobile sites via Vanadium to greatly simplify your setup?

I guess the US does? Multiple bank apps of mine wouldn't open without Play Services, even with exploit compatibility settings configured. They work fine with it installed though. I would definitely prefer browser-based, but I can't do mobile check deposit without the app, certain investment and transfer options aren't available, and the web experience is degraded in areas with poor coverage/network performance because more remote web assets are downloaded each request instead of the UI elements being stored and rendered locally.

Why F-Droid and not Obtanium? Obtanium can download from fdroid for the few apps that don't publish .apks to their repo.

I'd heard of Obtanium but hadn't looked much into it until you mentioned it. Looks like a much better alternative though, thanks for the recommendation! I was planning on using AppVerifier lately but was putting off having to hunt down all the signing certificate fingerprint hashes - but looks like Obtanium helps with that.

Jasper82

eggy Why F-Droid and not Obtanium?

F-Droid builds the app from source.
Obtaining could server you any binary blob

nologo

We cannot 'rate' this set-up, because we don't know anything about your threat model and/or the specific goals you try to achieve.
You may want to search this forum for information about using Aurora and F-droid.

eggy

ZeppelinAmenity You must be the enemy of the state to worry about the type of state-level malware that you're describing here. The odds of running into that type of zero-day stacking malware to crack through GOS to get your Signal DB is basically 0.

ZeppelinAmenity at the very least making my phone constantly call out to an IP tied specifically to me, increasing traceability and correlating static and dynamic identifiers at various points in the network.

I've never considered this. My thinking was that self-hosting was a great pro for privacy, but I think you're correct and it actually has the exact opposite effect to put a spotlight on me as I am constantly connecting to unique URLs. I now think that it's much better to just blend into the crowd and use all the public E2EE options available.

AcclaimSublevel19

ZeppelinAmenity I was planning on using AppVerifier lately but was putting off having to hunt down all the signing certificate fingerprint hashes - but looks like Obtanium helps with that.

Obtainium doesn't make finding hashes easier. It only downloads, installs and updates apps. Its relation to AppVerifier is that it just opens the app for you to verify before installing. You still have to manually find hashes and it's hard because very few developers publish them. There are a few threads on this forum where users compare hashes for other apps, but that's about it.

Winston

unsaltedsanctionsnowdrop a "better" path. Get a grip. It could be a hobby you scrooge. And others find it helpful i guarantee it.

You're comment may be helpful and a wake-up call for someone doing all this out of fear.

ZeppelinAmenity

eggy

You must be the enemy of the state to worry about the type of state-level malware that you're describing here. The odds of running into that type of zero-day stacking malware to crack through GOS to get your Signal DB is basically 0.

I at least hope I'm not "enemy of the state"-level, but there's a lot of countries with really long shit-lists, and you never really fall off them if you get on one. Best you can hope for is falling to the bottom. But more importantly, and more the topic I'm interested in here, is that the availability and use of high-end spyware has exploded over the past decade. The biggest shift is more actors have access to them, while another big shift is more of a "use it while you got it" approach in comparison to the previous "Million Dollar Dissident" reserved for the highest priority targets.

Taking a step back, leaks show that the predominant method used by gov/LE prior to the mid-2010's widespread adoption of E2EE was passive bulk collection of plaintext messages (through lawful intercept in telecos, tech provider cooperation, or breaking into a service provider's network). While metadata is certainly useful, some legitimate LE/gov efforts were hampered by E2EE. So would the world's governments just give up? Of course not, especially when companies can make a huge profit selling exploits and toolkits to them. On one hand, I think this change is good because for message plaintexts to be read by outside actors they have to pay for the rare tools and take the effort to go through all the effort to exploit your devices and analyze what they extract for each target compared to the previous passive bulk collection that collects against everyone by default. On the other hand though, mobile exploitation was a lot more limited and efforts generally went more into breaking into nation-state adversary enterprise networks. Now that many chat apps are E2EE, the only way to really read the messages is a mobile app or OS exploit chain. So as the "need" grew, the capabilities shifted from being reserved for only infrequent nation-state spycraft to even small countries with questionable human rights and oversight (see the list of Pegasus users) using them somewhat frequently in criminal investigations but also for oppression of journalists and activists.

While it used to be a few hush-hush defense contractors selling exclusively to the top tier governments, the industry has now exploded with both formal Vulnerability Researcher positions openly posted all over job boards in multiple countries and underground/gray market resellers. Also, as defenses have increased, so too has the availability of knowledge for getting into binary exploitation and exploit development, opening up the field. In addition to developing them yourself, capturing them from adversaries and reusing them surely happens too. When Kaspersky captured "4 zero-days, 2 checkers, an implant, and its modules" from an NSA-like adversary in Operation Triangulation, do you think there's any chance those weren't passed to Russian intelligence and reused months before public disclosure? Even ICE's little-dick fascists can use Paragon spyware again.

Even more likely than catching Paragon after pissing off some douche who got a badge and a $50k bonus to beat and shoot US citizens along with harassing minorities - is the crazy phenomenon of indiscriminate high-grade watering hole exploit attacks by China on compromised websites like a Uighur diaspora site in 2019 and Hong Kong democracy movement sites in 2021 which have both been deemed "a paradigm shift" in the rampant and automated use of zero-days against desktop and mobile with no selective targeting. I might've actually been caught up in that second one when I was following the events back then from primary sources only a bit deeper than the main headlines.

Probably the most worrying capabilities of mobile spyware though is that it can transmit your constant geolocation, activate the microphone to record in-person conversations (even while in your pocket), record audio calls (even E2EE), and allow exploiting other devices from within a local network. These are key abilities that a post-seizure forensic analysis can't provide. So compared to the 55,000 warrantless phone searches in 2024 (but likely higher in 2025) by CBP at the border to see if anyone said anything bad about Trump, I'm a bit more worried about the remote spyware floating all round the world than a phone seizure and forensic analysis (even though those are only US border crossing numbers and don't include FBI, state, and local authorities).

That's not to say I necessarily think my threat level is high enough to be specifically targeted by any of these threats, but I'm a hobbyist infosec nerd trying to see what's the most secure setup I can get while having a good bit of tolerance for inconvenience. Also, I recognize none of the above referenced exploits mention GOS, which is why I'm using it :)

Some good additional reading on exploits/spyware are Google's Buying Spying report (Google has good security because they want to make sure they're the only ones who can spy), the Atlantic Council's Mythical Beasts report and interactive, and ETH Zurich's From Vegas to Chengdu and Before Vegas reports.

Elysium

eggy I now think that it's much better to just blend into the crowd

Yeah, besides self-hosting, having own domain for Email sounds nice too, but is also less private. And then the question really is, what are you even trying to achieve?

But speaking of blending into the crowd, I think the chrome flags will make him very unique. There will always be an identifier left that stays persistent. And having all those special flags, will make him stand out like as the 'Infosec Nerd' in the corner , while the majority of cool kids don't care about it and are partying.

I do have Javascript turned off by default in a profile, even if most attack surface comes from JIT. Most sites need it, but many are just fine, and I think even more efficient to read and load without it. And I feel like this is something more people would do, not just me. So the swarm is smaller but I won't stand out as much.

Even the DNS filter lists can make you unique.

I thought ReThinks n version remains the most stable non-leaking for now. But maybe that is out of date already.

ZeppelinAmenity
◦ Data and Storage – Automatically Download Media: (none - might prevent zero-click exploits like in image parsers)

Also think this is overkill. You would only load pictures from trusted contacts anyway. In my case it is unlikely they would send me such exploits. Non-Contacts media is not loaded by default.

SideofBurritos has recently shown a device you can use to detect if there are stingrays in the vicinity. I do not know if that is legal in all countries of the world. But interesting topic.

eggy

ZeppelinAmenity Seeing stuff like https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation is what makes me think that by using GOS with its malloc_harden'ing and expanded MTE support, we're faaaar less likely to get compromised than the average user although you never know.

Your previous reply about network sniffing of unique URLs really got me to go down a deep rabbit hole. I've now also switched to rely solely on WebSockets for my Signal push notifications, which I also think is much better as you can blend into a large crowd of Signal users. However, not getting push notifications for some other things was an inconvenience for me.

I used to get some push notifications from my Home Assistant system via UnifiedPush, but in the last day I've migrated it to use signal-cli (via existing addon) to send Signal messages to myself (from my self) instead. I now think that this is an amazing pattern of usage for the truly paranoid among us. I realize this is a super niche idea with maybe dozens of potential tinfoil hat users worldwide, but I now want to create an Android UP distributor app + self-hostable proxy server to translate UP notifications into messages for a user's Signal group(s). This way you never have to connect to an UP server from your phone and all the push notifications can go strictly through chat.signal.com which is widely used already.

Upstate1618

WiFi preferences
Private Space
Device Controller
Device Admin and Trusted Agent
Special App Permissions
Developer Options(off) OEM UNLOCKING(off)
Vanadium flags(don't set them)
App Quick Tiles(remove if usable while locked)

Upstate1618

NFC UWB and other Connection preferences
MDM or Device Management services
Screen timeout time
Use Google Play to keep google apps updated

VMulciber

gMan I have read some places (like reddit) that are hesitant with Cape, claiming it's a potential honeypot. Do you have any resources that could help me?

ZeppelinAmenity

gMan VMulciber

I’ve looked into Cape, but I don’t find it compelling in many cases if you’re already taking certain measures.

What Cape does give you:

• Enhanced Signalling Protection – unspecified additional policy restrictions on SS7/Diameter routing, optional location from Cape app to match real (general) location to signalling to alert on potential routing attacks, and a SOC looking for suspicious routing requests. This can protect against obvious carrier-level malicious routing requests to intercept calls and SMS.
• SIM Swap / Port Out Protection – a cryptographic signature is required to assign a new SIM to your account or to move your phone number to a different carrier, preventing someone from using social engineering to take control of your number (and all of the 2FA access that comes with it).
• Identifier Rotation – changes IMSI daily. This is normally a long-lived identifier that a Radio Access Network (RAN) operator uses to authenticate a customer to their carrier for authorization and billing. IMEI rotation is also available to Cape Obscura customers.
• Encrypted Voicemail – as a new voicemail is delivered to your inbox managed by Cape, they encrypt it with your public key, so that only your private key in the Cape app can decrypt and listen to the message.
• Private Payment – Cape only stores an anonymized token to match payment status to your account, so Cape doesn’t know your name, address, or full card number. Stripe stores that info.
• Others – Cape claims minimal data collection. Their infrastructure is all cloud-based, so it’s more likely that they maintain up-to-date software versions with the accompanying security patches. Also with it being new infrastructure, they likely had little “technical debt” and could start fresh with secure-by-design principles.

With that being said, those features can fall a little (or a lot) short:

• Signalling Protection – an attempt to reroute SS7/Diameter traffic to a different continent or even country would probably be pretty obvious, but many actors abuse nodes within the target’s country, so I’m not sure how useful these unspecified policy and monitoring protections would actually be. This also doesn’t protect against legal demands (whether legitimate or abused).
• Persistent Identifiers – while IMSI rotation is available to all customers (on supported phones), IMEI rotation is only accessible to Obscura customers after an invite, likely some sort of identity verification, and only using their provided phone and OS. Mobile versions (e.g. 3G, 4G, etc.) add new privacy features (like TMSI/GUTI, 5G SA’s SUCI), but are mostly focused on passive listeners over radio, not the cell towers and their operators. Cape runs their own core network, but relies on US Cellular and other roaming partners for the actual connection. These Radio Access Network (RAN) operators can not only see the IMSI, but also the IMEI. This makes the IMSI rotation almost useless because without Obscura, the IMEI persists for the life of that phone across all OS installs and SIM changes. Just as bad or worse, even with IMEI and IMSI rotation, the RAN operator’s serving network likely can and does request the MSISDN (phone number) – so unless you change your phone number at the same time and every time you do the IMSI and IMEI, you’re likely not doing much. Also, one could argue that using Cape could make you stand out even more, as it's intended for people who think they're high-threat, but this is more speculative.
• Tower Location Data to Data Brokers – Cape’s privacy policy points out that “physical infrastructure operators” (e.g. RAN operators) do collect precise real-time location data (from techniques like TOA/AOA/OTDOA/E-CID). This is the kind of data that carriers sell to data brokers that advertisers, foreign governments, and law enforcement (even against Supreme Court rulings) regularly access and use. There’s no opt-out and it's out of Cape's control. Combined with the persistent identifiers described above, this could render the most important aspects of some peoples’ threat models almost completely unprotected. Even if your name isn’t known by Cape, adversaries are likely to conduct discovery starting from a geofence (for instance around a sensitive government site, protest, or crime scene) and work backwards from there (geolocation of where you live and work, other commercial data tied to your phone number, etc.).
• Encrypted Voicemail – much like ProtonMail and Tutanota (for external emails), you’re expecting a provider to receive plaintext and encrypt it using your and only your public key, and then delete the unencrypted plaintext. This could theoretically fail under a malicious provider (Cape), an external breach of the provider, or a legal preservation order. This is an inherent flaw in the model though with no clear fix.
• Private Payment – although Cape doesn’t store your name, address, and payment method, Stripe does. That token identifier can link your Cape account to your identity if either Cape maliciously saves that linkage, Stripe is compromised (hack or data dump), or legal process is issued to both providers.
• Data Collection – even if Cape does collect minimal data, some of the most threatening data collection, as previously explained, is done at the radio/servicing network layer, outside of Cape's control. This is also in addition to app and web-based data collection as part of the much larger ecosystem.
• The Other Party – Cape’s core routing protections, encrypted voicemail, and identifier rotation don’t protect you from the weaknesses in the other communicant’s provider. For instance, even with daily IMEI/IMSI rotation, if there’s someone you frequently call or text, they can be targeted. This would allow interception of their calls and voicemails to you, as well as make it easy to learn your MSISDN, IMSI, and possibly IMEI (which could then be further queried), even with the regular rotation.

Note on threat model:

• Some of Cape’s protections do raise the bar on an adversary to some degree in comparison to a “normal” carrier and phone. Specifically for the US though, the sheer availability of raw carrier data in combination with other data from our surveillance capitalist system really weakens those benefits. If that wasn’t bad enough, when our hybrid authoritarian regime is willing to take targeted efforts, like the revocation of a Green Card without due process by the Secretary of State personally, then other legal overrides, like the possibility of the Attorney General or even a designee authorizing and demanding NSA to use a top-tier capability reserved for foreign adversaries against a US-based dissident, are easily within the realm of possibility. Especially since this action is substantially less likely to be made public and/or challenged in court unlike the Green Card revocations. Additionally, while some of the technical correlation may require more manual analysis, much of federal law enforcement and intelligence workers have been reassigned from legitimate duties (investigating violent crime, political corruption, right-wing domestic terrorism, counter-intelligence, counter-foreign influence) to assisting ICE in their terror campaign, in addition to ICE’s ballooning budget and internal manpower. That’s not to mention the possibility of increased automation and correlation abilities in quasi-government and contractor entities, like DOGE and Palantir. In short, there have always been robust technical capabilities in the hands of authorities, but I think it's pretty evident that the guardrails to limit misuse are broken or completely gone. Combine that with the accessibility of ad tech data and mercenary spyware to a swath of countries and I think you'll see a very different threat landscape from a few decades ago or even more recent.

Possible remediation:

• Persistent identifiers – this one is difficult because remediations are more OPSEC than technical capabilities. Considering the threat, the best thing to do is not make your identifiers stand out. This could be leaving your phone on, but leaving it behind during a sensitive activity (searching for phones turned off before a specific event, even in a large geofence, is a big investigative lead commonly followed). Incorrect subscriber info can be given as well, as my initial setup points out, to protect against an adversary searching for your name in a compromised carrier or data leak. Anonymous payment for major carriers is also described. Turning on cellular downgrade protection can keep a less capable IMSI-catcher/stingray from getting your identifiers, but likely not more advanced ones. Using a data-only eSIM might remove the ability to identify the persistent MSISDN, but there are likely other persistent identifiers besides IMSI and IMEI that could be used the same way anyway.
• Tower Location and Data Brokers – don’t have your phone in a place/time you don’t want to be tied to. Use a VPN if you don’t want your browsing history sold. Opt out of whatever options you do have in your account portal in case it actually does anything.
• Encrypted Voicemail – just use Signal or another E2EE app. Seriously. You just can’t make carrier calls and text anywhere near as secure. Verify Signal contacts to prevent against possible key directory manipulation for MiTM.
• SIM Swap / Port Out Protection - some major carriers now offer similar options, even free of charge for pre-paid plans. Some have the option to require you to log back into your account portal and disable the setting before a SIM can be changed or your number ported out. Some carriers allow you to require a Passkey/WebAuthn-based with no insecure fallback/recovery method. While Cape's method is more directly tied to a cryptographic key, it can still be overridden on the back end, like as they explain for legal demands. Without knowing all of the exact details, this is close enough to the major carrier(s) I described for me. For the communication channel itself, again, use Signal and set a complex registration lock and account passphrase.
• Private Payment – using pre-paid top up cards for your cellular carrier can provide more anonymity than Cape (if you buy it with cash). Privacy.com is more convenient and is likely on par with Cape+Stripe. JMP.chat takes XMR.
• Other Party – just use Signal, turn on call relaying and sealed sender if you're worried about correlation at the IP mobile data layer.

Again, I don’t think Cape are grifters, snake oil, or a honeypot. I think they’re pretty transparent about what they do and its limitations (even if it’s on their technical blog and not their marketing homepage). I appreciate their support for GOS and other privacy-focused projects. I just think what they’re doing is an uphill battle that can be mitigated in other ways for many use cases. The real target audience (whether intended or unintended) seems to be military commanders who want to call the duty line and don't have a STE around, politicians trying to make back-room deals but can't get all those geriatrics onto Signal, and CEOs/trust fund kids with megalomania out the ass that want to feel important and more protected than us commoners.

ZeppelinAmenity

eggy [...] I've migrated it to use signal-cli (via existing addon) to send Signal messages to myself (from my self) instead.

Great setup! I also use signal-cli as kind of a tripwire for SSH and console logins as well as other real-time priority info in my homelab. Definitely use a dedicated sending account though so other messages aren't exposed to the system in the event of a compromise.

Side note on push notifications - most Apple and Google (Firebase/GCM) notifications aren't E2EE and are sent through their cloud service with only TLS encryption (even if the app is open on your phone right in front of you), so their contents can be read by Apple/Google and produced under legal demands, but I don't know how long the services might store them prior to any such requests. So that's another reason to use alternatives and configure apps to not put sensitive info in the notification itself.

gMan

VMulciber personally i think that's whole lot of bovine excrement and the reason i think that is because i've gone through their website pretty thoroughly and listened to interviews with their founder who i find to be genuine and ethical - additionally, they sell Pixels with GOS preinstalled if you want and i think that's worth another point or two - i would also say that i'm not aware of any tangible evidence to back the honeypot claims

that said, Cape isn't a perfect company - the founder used to work for Palantir and their client app is closed source for the moment (they told me they're considering releasing the source, but it's still under development - they've been pushing updates about twice a month or so)

on the Palantir thing, that's very much a double edge sword in my view; it could be seen as bad because Palantir is an evil company, at least to an extent ... but on the other hand, being that Palantir caters to government/DoD, and since it appears many high-risk government people use Cape, and given the founders patriotism and obvious interest in keeping government/military people safe, that equates to safety for the rest of us

there isn't a single carrier that ticks all the privacy and security boxes that i'm aware of, but i really think Cape comes the closest - one thing i DO NOT like is that, for the time being, you have to have the Play Store installed (GOS's proxy) to be notified of voice mails because the Cape app uses push notifications (voice mail is encrypted, so you can only get it through their app) - i suggested they eliminate this dependency and they welcomed my input, but we'll have to see if they implement the change

gMan

VMulciber another thing perhaps worth mentioning, and this is just my current opinion; aren't all the mainstream MNO's and MVNO's honeypots insomuch as they cannot be trusted at all? at least Cape owns the network core and that provides them with a lot of room to maneuver that no other MVNO enjoys, at least not that i've found

so either Cape is a very well crafted and very dangerous honeypot ... or they really give a hoot about customer privacy and security and i think they make a pretty solid case for the latter ......... then again, the Israeli's spent a very long time designing, forming companies and supply chains, manufacturing, marketing, and selling pagers to Hezbollah, so i guess we can all be fooled if the fooler is convincing enough

de0u

VMulciber I have read some places (like reddit) that are hesitant with Cape, claiming it's a potential honeypot.

What sort of evidence would be convincing at proving something is not a honeypot?

Clearly once evidence of collusion is uncovered in some case then that thing was a honeypot. But it's hard to "prove" that a current absence of evidence means there is no evidence to be uncovered.

As the saying goes, "Absence of evidence is not evidence of absence".

VMulciber

gMan I really do appreciate you taking the time to reply. I will read your article later. Thank you!

gMan

VMulciber sure thing! just keep in mind that i'm no tech/privacy/security expert - just a guy who's 1/2 decent at doing research