hackers access profile but not apps?

K8y

is it easier for a hacker to gain access to your profile than additional apps you have on it if the apps are password protected? In other words do hackers need to know your pin to access your profile?

Because if they do not, perhaps having apps locked via a pin will hold them back at least from accessing individual apps, even if they gain access to your profile?

Chipper

Nothing about hacking a pixel with Grapheneos in bfu state would be easy.
Far easier would be to discover your pin somehow, in which case sure if you had set a separate pin on your app which was different to the pin on your profile they would then have to get that... Assuming that pin is also used to encrypt the data in the app you want secret.. Molly has this option.
Nothing to do with Graphene though.

Chipper

Chipper Dunno if Molly does pin throttling or even if it could be implemented in an effective way or not to prevent forcing your pin on app... That's the whole deal with the pixel and its secure element and Graphenes improvement over stocks utilization of it.

K8y

does the remote hacker need to know your pin to get into your profile?

americanDude

K8y What they are saying its that's its extremely difficult to hack into a phone running GrapheneOS. There are multi-billion dollar companies that make tools for law enforcement to get data off of phone and they can't in a BFU GrapheneOS device. For a hacker, it would be far easier to just learn your pin and get into your device that way.

K8y

I'm talking a Pegasus type intrusion. I assume it bypasses the initial pin, but once in the profile, if you have your apps locked via pin, would this limit Pegasus to remotely only opening the unlocked apps?

userofgos

K8y I'm talking a Pegasus type intrusion. I assume it bypasses the initial pin, but once in the profile, if you have your apps locked via pin, would this limit Pegasus to remotely only opening the unlocked apps?

Friendly reminder about what Pegasus is and what it is actually capable of: https://discuss.grapheneos.org/d/9289-pegasus-and-predator-spyware/4

You already have a discussion about Pegasus on this forum where a lot of information was provided in answer to your questions, maybe you forgot about it? See here: https://discuss.grapheneos.org/d/28459-stopping-pegasus-for-dummies

de0u

K8y I'm talking a Pegasus type intrusion. I assume it bypasses the initial pin, but once in the profile, if you have your apps locked via pin, would this limit Pegasus to remotely only opening the unlocked apps?

It depends on what "locked by PIN" means. Some launchers allow users to set a PIN that is required to launch an app; that defends only against somebody holding the device, not against a kernel comprise (etc.). Other apps may encrypt the message database with a PIN; that could protect against a remote attacker that has compromised the system in general, but only if the message database is at rest (which can be a bit inconvenient for notifications).

K8y

userofgos different qn this time...dealing with protection of individual apps once a general remote intrusion gets access to profile.

in other words if remote intrusion occurs do they just see your profile, and unlocked apps...but not the pin protected apps?

K8y

de0u but only if the message database is at rest

what exactly does this mean, at rest?

de0u

K8y "At rest" generally means "stored somewhere but not in memory". If the information is stored encrypted (in files or in a database), then "at rest" generally means that the encryption key is not in memory. For example, if "End session" is used on a secondary profile on GrapheneOS, all apps running in the profile are stopped and the profile's file-encryption key is deleted from memory.

A messaging app that supports end-to-end encryption might store received messages unencrypted in the app's private storage. Or it might store the messages in an encrypted database but keep the encryption key in memory when the app is running.

This is relevant because some users wish to keep messaging apps running constantly so they can receive and instantly display messages. If the app protects the encrypted messages with a PIN or password, but the app is constantly running and the encryption key is constantly in memory and the app is exploited, the exploiter can extract the message contents despite the PIN/password protection.

PIN/password protection done by an app launcher probably doesn't help against a remote exploit, and PIN/password protection on an app's database probably doesn't help against a remote exploit if the app is constantly running. So, overall, PIN/password protection isn't very helpful against remote exploits.

de0u

K8y If remote intrusion occurs do they just see your profile, and unlocked apps...but not the pin protected apps?

If depends on what "PIN protected" means. If "PIN protected" means that a launcher is requiring a PIN, that probably does not stop a remote attacker. It may (or may not) be useful against somebody who is physically holding the device.

K8y

de0u PIN/password protection done by an app launcher probably doesn't help against a remote exploit,

Can remote intrusions occur even when one's phone is off?

How about if it's not even connected to internet or mobile data plan?

de0u

K8y Can remote intrusions occur even when one's phone is off?

No. If one's phone is off and somebody has physical control over it for some time, maybe an intrusion is possible, but that's not "remote".

K8y How about if it's not even connected to internet or mobile data plan?

Those two are the easiest remote vectors, but Bluetooth is a possible vector, even at some distance (source).