Development
Protect the Security settings with password/PIN

UpStream So the first thing that individual would do is to acquire all the files (this can be done without changing any security settings). Who cares about the settings and turning auto reboot off or allowing USB peripherals?

The Owner profile is only for calls/sms and navigation, also other nothing-to-hide daily activities. Whereas messengers and banking apps reside in separate profiles and are being used rarely and within physical security.

    Anyway, there could be a switch requiring the auto-reboot countdown to be reset explicitly, regardless of the unlock :)

    UpStream

    Thank you for bringing up that CVE. Considering that an AFU phone is always at risk of being exploited, wouldn't the only viable countermeasure be to set the auto-reboot setting to the lowest possible interval that is tolerable for an individual user?

      The reason I said "I think so" is because no other method of getting the device into a BFU state comes to mind except rebooting, which can be done manually or by using the auto reboot feature.

      There's a lockdown mode. It disables biometrics and some other stuff but the only method to fully purge the encryption keys of the owner profile and put it at rest is a reboot since the owner profile encrypts some system-wide OS data so it doesn't put the phone in a BFU state either.

      When in danger, just reboot. It's a quick action, and if you still don't manage to do it, the auto reboot feature, if set, has got your back.

        UpStream When in danger, just reboot. It's a quick action, and if you still don't manage to do it, the auto reboot feature, if set, has got your back.

        This action may not be available when caught off-guard.

        UpStream An individual doesn't need to acquire the PIN nor the fingerprint in order to bypass the lock screen when the device is in AFU mode as seen in the most recent lock screen bypass exploit (CVE-2022-20465).

        That vulnerability was patched quickly. One of the best things about GrapheneOS is that they don't delay security patches.

        UpStream But to be honest I don't see the sense in protecting the security tab in the settings as well.

        Let's say an individual unlocks your phone. So the first thing that individual would do is to acquire all the files (this can be done without changing any security settings).

        There are different threat models at play. It's not just about stealing the current data available.
        Persistence is a very important concept in security. The PIN/Password being required for adding a new fingerprint is for this reason. There are other things within the Security Menu (More security settings) that do not prompt for PIN/Password.
        Device Admin apps and Trust Agents are two major things.

        Again, it is not only about stealing the current data available.
        With only a minute, an attacker can install a malicious app, make it Device Admin, grant it special permissions, and the victim/owner now has spyware on their phone.

        Screen lock camera access is also under the security menu, which could be abused.
        Installing certificates is a major attack vector. That one seems to be protected just by re-authing with a fingerprint.

        It would be nice to have the option for additional auth factors for these sensitive settings.

          Graphite Screen lock camera access is also under the security menu, which could be abused

          Hi, what is the risk with this? I use this feature all the time with Google Camera and network permissions disabled.

            L8437

            I haven't tried, but maybe spyware in combination with an app with accessibility and device admin.


            I am new to GOS. I am VERY interested in following this thread. Everyone has voiced scenarios for all kinds of attacks which I want to avoid. I have allowed an attacker into my devices once before... 8 phones, 2 iPads, 3 service providers later I have landed here. (All in 18 months).


            Vogelhaus

            Vogelhaus If an individual possesses both your fingerprint and PIN, assuming two-factor authentication (2FA) is active, would it not be a simple task for them to surpass the safeguarded Settings PIN?

            • You just assume something that heavy? Why would you assume that? Even possessing only the PIN is just really unlikely.

            On the second point you are right, though: if the system is already breached, "securing" these options is not providing any more security.

            Needing authorization for changing sensitive permissions is a good protection from malicious input devices like this one: https://vid.puffyan.us/watch?v=LRVlaNfthbg

            If the only thing stopping a malicious USB device from enabling native code debugging, disabling secure app spawning, and a lot of other things outside the security settings is just a clickable toggle, then we may have a problem. IMO it's better if some settings are protected even if the device is unlocked.