Verifying OS integrity after leaving phone unattended

naydir

My phone was in the custody of LEO without me being present in the room.
Is there a way to make absolutely certain the OS hasn't been tampered with? I just checked the number appearing during bootup under the "device is loading a different operating system" warning against what's given in the 'Verified boot key hash' section of the installation instructions on GOS web site (Web Installer) and the number checks out alright. Can I relax now or should I reinstall the OS just in case?
Is Auditor of any help if I don't have a second GOS phone?

[deleted]

naydir all looks good

final

naydir Is Auditor of any help if I don't have a second GOS phone?

You can attest your device using remote verification, which uses GrapheneOS' services to verify you.

Make an account at: https://attestation.app/
Go to the Auditor app then click the three dots at the top then 'Enable remote verification' then scan the QR code provided.

newbie24689

naydir You've asked about the integrity of the OS. IIUC GOS attestation is indeed the answer.

However, I wonder if a clever adversary could infect a commonly-available application (or install a new, hidden one) without your notice. Seems you'd need to maintain and monitor the hashes of your applications - as well as the hashes of the OS (through attestation).

GrapheneLover

If you really wanted to be sure and can have peace of mind and what I would do is to perform a full factory reset or you could go a step further and reflash your phone back to Graphene as well as use new device passwords, but this is recommended only if you are very paranoid, otherwise it seems like you're okay.

Blastoidea

To paraphrase: You may be paranoid, but they may also be out to get you.”

Braver folks than I are involved here, and more power to them.

naydir

final
Just tried that, following the instructions provided here: https://attestation.app/tutorial
In other words, I scanned the QR code from the web page, then refreshed the page and scrolled down "to view the initial attestation results". Correct?
I would appreciate some help understanding what the results mean....
There's a "Pinned verified boot key hash", which is the same number I see during bootup as described above, as well as a lot of other "pinned" entries, correctly describing my device model.
But there's also a "Verified boot hash" which is totally different from the former one.
What do they mean by "pinned"?
Did my device check out alright?

naydir

Noted, thanks everyone.

final

By the looks of it, yes.

The pinned key is a key to verify your device stored in the hardware security module. The verified boot hash appears fine. If you use email alerts or scan another time and other results appear fine then you are good.

The verified boot hash will change between OS updates, it's likely your OS has updated.

final

Whoops, @naydir see above ^

naydir

Very informative. Thanks!