Secret messaging app was opened somehow

K8y

I have GOS, but saw one of my secret messaging apps was opened to a thread I hadn't engaged in for weeks, when I briefly unlocked my phone to check something else.

What are the likely explanations for this?

Chipper

K8y your the better person to consider the likely explanations as it is unlikely due to a fault in Graphene and highly likely a fault in your behaviour.

Ignorant_Cormorant

K8y What are the likely explanations for this?

Your secret messaging app uses an unencrypted database and/or no lockdown, either due to the app's design or a misconfiguration.

Johnnyloans

K8y

They're saying we can't tell you that this happened:

When you were playing ping pong, matt took your phone and he guessed your unlock pin is your birthday.

The other guy says to add a password to the messaging app if it has that option.

I'd check these.settings > security > device unlock > screen lock
Check lock after timeout, power button instantly locks, etc.
Possibly change your pin and recite it to yourself in your head or alone to remember.

K8y

Chipper like what?

K8y

Ignorant_Cormorant so what likely happened?

Ignorant_Cormorant

K8y so what likely happened?

I don't know, but I believe that a secret messaging app should not open to whatever unlocked state without authentication.

Isn't it one of the reasons for choosing Molly over Signal, for example?

wuseman

K8y You likely opened said app yourself and didn't remember it.

K8y

wuseman no. please don't be lazy or dismissive. This really happened and I would like knowledgeable people to comment how.

userofgos

K8y This really happened and I would like knowledgeable people to comment how.

well no one can provide you with an answer when you have not provided any helpful information.

What is the "secret" messaging app in question? Knowing this is fundamental to providing any answer.
Where is the app installed (Owner Profile, Private Space, Secondary User Profile, or Secondary User Profile Private Space)?

K8y

userofgos Session. Owner profile.

K8y

userofgos provided any helpful information

I provided. please see above, and I would appreciate any informed opinion from you or others who are knowledgeable.

Johnnyloans

Based on the info provided,

The phone was left unlocked or it was unlocked by someone else and they used the phone or it was you using the phone and not someone else.

Either way, a person using the phone--not a hacker from far away.

userofgos

I think it's more likely due to Recent Apps not being cleared. See here: https://discuss.grapheneos.org/d/24824-restart-phone-recent-apps-not-cleared/4

userofgos

K8y I provided. please see above

Thank you :)

K8y I would appreciate any informed opinion from you or others who are knowledgeable.

Already provided my thoughts here: userofgos

AtavisticPuma

Every so often something like this happens to me, because my fingers brushed the screen right before I swiped to switch apps, or because I put it into my pocket without locking it first.

K8y

userofgos my thoughts

Your generic speculation? why ask for specifics then?

Are there any here that can provide something insightful and actually helpful specific to the above app?

userofgos

K8y Your generic speculation? why ask for specifics then?

It was my best guess as to what might have happened.

I asked about specifics because it provides additional context to the situation that might help other users in forming a clearer answer.

See de0u well written comments on the matter.

Novaliss

K8y
Have Adb, Shizuku, SystemUI-Tweaker, Tasker, or Developer Options been enabled/in use on your device at any time, for any reason?

Settings > Security and privacy > More security and privacy > Device admin
Any app present here?

Settings > Apps > Default apps > Digital assisstant
Anything here?

Settings > Accessibility
Any apps in the top category here?

Settings > Apps > Special app access
Does any non-GrapheneOS app has these permissions;
Notification read, reply and control?
Modes access?
Display over other apps?

Use your Auditor app and check device integrity.

de0u

So far I think there are multiple hypotheses, such as:

A highly-resourced remote attacker launched Session, switched it from one thread to another to view apps in the second thread, and then forgot to switch it back or close the app.
The device owner accidentally bumped the screen, causing a thread switch.
The device owner switched the threads and forgot (perhaps even while asleep -- this happens to some people).
The device owner accidentally left the device unlocked and somebody picked it up and poked around.
Somebody guessed the lockscreen PIN, or covertly observed it.
The Recent Apps display contained an image from some time ago when the device owner was viewing the other thread.

Ruling out #2 through #6 is not easy. Meanwhile, I am unaware of serious remote-access malware that was discovered when a messenger mysteriously switched from one thread to another. Here is a 2025 Citizen Lab analysis of a Paragon attack. Not all of the details of the detection were revealed, but it clearly was not easy.

That piece contains a quote from Apple security experts:

Mercenary spyware attacks like this one are extremely sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals because of who they are or what they do. After detecting the attacks in question, our security teams rapidly developed and deployed a fix in the initial release of iOS 18 to protect iPhone users, and sent Apple threat notifications to inform and assist users who may have been individually targeted. While the vast majority of users will never be the victims of such attacks, we sympathize deeply with the small number of users who are, and we continue to work tirelessly to protect them.

If your particular device is in scenario #1, i.e., somebody is spending a million dollars to view your Session messages, it's unlikely that this user forum is in a position to counsel you through successfully resisting a nation-state attack.

It would probably be best to consider some mixture of:

Hire an attorney
Hire a credentialed security expert (CISSP, CISA, etc.)
Turn the device off whenever it's not actively in use and/or set the auto-reboot timer to 30 minutes. In turn this might necessitate getting a second lower-security device to leave on all the time for receiving regular phone calls.

de0u

K8y So far I only have ambiguous answers, so having your insight would be appreciated!

If the Pegasus authors are willing to join this forum and answer questions about how to resist their software, then it will be possible to receive unambiguous answers to questions about how to resist their software. Since their business model depends on people not knowing how to resist them, this forum is not likely to ever be able to provide clear accurate answers to that question, especially since malware authors change how the malware works over time.

Meanwhile, there are things that are prudent for people who are actively targeted by well-resourced attackers (de0u):

Hire an attorney
Hire a credentialed security expert (CISSP, CISA, etc.)
Use Molly's database-locking feature (which increases security, but reduces convenience)
Turn the device off whenever it's not actively in use and/or set the auto-reboot timer to 30 minutes. In turn this might necessitate getting a second lower-security device to leave on all the time for receiving regular phone calls.

K8y

Novaliss Settings > Apps > Default apps > Digital assisstant
Anything here?

Just Brave shows in the default apps section, but not under digital assistant.

No to the rest.

K8y

Novaliss hello? Should the Brave app not show there?

Also to all: a Paragon/Pegasus takes over your profile...but how can it then open pin locked apps? Or can it not...

Novaliss

K8y Should the Brave app not show there?

I didn't ask about Brave being default browser.

My first question is the most important:

Novaliss Have Adb, Shizuku, SystemUI-Tweaker, Tasker, or Developer Options been enabled/in use on your device at any time, for any reason?