circlingdante strong password protecting the boot, but only need to enter it upon boot

What happens after 3 days when fingerprint is auto disabled?

contour0806 I've been doing this for a while and it works well. I just wanted to see if the approach is actually valid.

My thinking: If the assumption that an adversary gets physical access when the device is powered off is not valid, the "auto reboot" setting being enabled can help to mitigate this, by giving a limited amount of time to brute force the weaker secondary user profile. Am I correct in assuming that once a secondary user profile session is started, if the adversary got physical access while the device was on a lock screen they would still come up against the weaver token rate-limiting for accessing that secondary user profile?

A bit off topic, but putting all user data in secondary user profiles also seems to make sense in that, as far as I understand, the Owner profile stores sensitive OS information that secondary user profiles do not.

    The assumption the whole thing is making is that the adversary needs to have access to the Owner profile before they can attempt to brute force secondary profiles. I make this assumption because that's where I understand the secondary profile information to be stored, but it could be wrong.

      circlingdante

      https://grapheneos.org/faq#encryption

      Sensitive data is stored in user profiles. User profiles each have their own unique, randomly generated disk encryption key and their own unique key encryption key is used to encrypt it. The owner profile is special and is used to store sensitive system-wide operating system data. This is why the owner profile needs to be logged in after a reboot before other user profiles can be used. The owner profile does not have access to the data in other profiles. Filesystem-based encryption is designed so that files can be deleted without having the keys for their data and file names, which enables the owner profile to delete other profiles without them being active.

      circlingdante I don't want to spread misinformation, but the last post quoting the GOS page may mean that your approach works as intended since the Owner profile is privileged as in, all other profiles depend upon the Owner being unlocked?

      I think the question comes down to (which still isn't clear to me): would a brute-forcing adversary need to FIRST have cracked the Owner user profile in order to brute force attack the secondary user profiles, if the device was obtained when turned off? It seems like the answer is yes based on the documentation.

      Nuttso hi so interested in the app from fdroid called "private lock"

      It requires device admin permissions to be able to lock

      It also only uses sensor permissions.

      Does having admin permissions for lock screen pose a risk? Like can it stop your phone from locking etc

      • [deleted]

      I would say, you are welcome to try it to see if it fits your needs. But it hasn't received any updates in a while, so I am afraid what you see is what you get and that is it.

      2 months later

      To brute force a secondary profile, you don't need access to the first profile.

        treequell Are you sure about that?

        If the entire data of the device is extracted into external storage, then naturally the data belonging to each profile is gonna be encrypted with its own key. To then decrypt the data of one profile you'd theoretically not need the key for the other profiles. Why is this not the case?

          User2288 To then decrypt the data of one profile you'd theoretically not need the key for the other profiles.

          In my understanding (and others please correct me if I am wrong) owner profile need to be unlocked because otherwise Titan M2 won't release the encryption key for other profiles.

            evalda Isn't the point of "brute force" that you don't need the keys?

            You are brute forcing the keys.

              User2288 Not exactly. Brute forcing the keys is pointless, it would take too long so it's not a feasible approach. Usually they brute force passwords, PINs that made by humans and often has less entropy. However on Pixel that doesn't work because Titan holds the keys and implements rate limiting so you can't quickly loop through all possible PINs, passwords.

              6 months later

              To revive this topic, just 3 days ago a “banker”was arrested in greece by greek authorities on the request of the dutch which were present on spot. His pixel phone was opened by the dutch and his threema was decrypted.
              If anyone is interested i can post the link, or you can search for details online. So i would say brute force in afu mode def possible.

                Sorry to double post but its a different topic. If anyone from graphene is reading this, why don’t you implement a toogle where if turned on if a usb connection is made on the phone(besides charger) all data will be wiped in the same moment?
                An app called wasted is offering this option, but would rather see it as built in service.

                Dangor link that it was a pixel pls. They may have found a way to bypass the titan m1 on older phones. The murderers of the journalist I'm Netherland also used a pixel and they decrypted it. This would only help with 6 digit Password. An 96+ entropy password can't be decrypted. This is why I say don't rely on tpm

                You need to understand something. As long as we don't see court documents you can't extract any useful information from the media. He may not have a password. Hey may had a 6 digit Password. He may have used biometrics. His phone might be seized shortly after he unlocked it (they sometimes do arrests like that. They wait till you open it and steal it from your hand.) We don't know how he setup threema. A password no password. All this media stuff is sensationalism. Court files is the only thing that actually would tell us something. My court files in my case are 250 pages just that they didn't succeed in opening several pixels I owned. All of them seized in BFU and with very strong passphrases. They still have the phones and didn't succeed. They used BKA tools, greyshift and cellebrite.

                GrapheneOS What best practices would you recommend for protection against SMS-based exploits?

                This thread is mostly about protection against physical access, AFU and BFU... but it is my understanding that SMS-based attacks are becoming common, and - for many - a far greater risk.

                It is my understanding that there is NO way to ONLY have calls and SMS in a secondary profile to avoid access to the owner profile with all its device-wide privileges. There is also NO way turn off mobile data in the owner profile and turn it on in a secondary profile. This is a security risk - much as I understand why it's like this.
                I also noticed that once I grant the phone app mic permission for that one time, mic access stays ON, and I have to go into the menu again and turn it off. Isn't there a way to automatically turn off mic and cam access after a certain time? (like with wifi and bluetooth)? Or when I only grant it for a single time?

                I recently set up a secondary profile without calls and SMS on my Pixel 4a (5G) in GOS, and a call got through to that profile asking for mic access. An SMS message did not, I only got a notification. How can I prevent that? It was the phone app in the owner profile that handled that call, as it did not appear in the call history in the secondary profile, and the phone app there has all permissions removed. As I said, calls are turned OFF in that secondary profile, and a call broke through from the owner profile, instead of me getting a notification about it.

                Could you recommend solutions or work-arounds for the above?