Secure SMS storage

whitherunderground

Part of my threat model is protecting my info from nosy friends and family members who might have access to my phone if I leave it unlocked for a short time, or to whom I might lend the phone to read map directions or some such. (App pinning isn't a serious option since such tasks often involve multiple apps, and also I'd rather not make it obvious that I don't trust these people.)

I'm planning to use a separate profile for private files (like intimate photos) that I rarely access. However I'm having trouble reducing the exposure of SMS(/MMS) storage. (Side note: I know that SMS is insecure when sent and in server-side storage, but my messaging contacts would be unwilling and likely incapable of using a better solution like Signal or Molly. Fortunately the friends and family members I'm worried about are neither sophisticated nor motivated enough to exploit these weaknesses of SMS. I am happy to treat SMS/MMS messages as postcards; but I wouldn't leave all the postcards I've received in plain view of everybody who came to my house.) I want to keep SMS messages I've received, but I want to keep them securely locked (or, better yet, hidden -- in a dream world, with the ability to securely hide particular threads or messages).

I was hoping to solve this by isolating the stock SMS app in a separate GrapheneOS profile that I switch to when I receive a message, but the SMS profile permission is coupled to the phone permission, so if I did this I wouldn't be able to keep my regular-use profile SMS-free without missing all phone calls.

The only other solution I can find is Silence, which encrypts its SMS/MMS storage. Silence hasn't been updated in years (though it does show recent commits for translation, so maybe it's not completely dead?). It also doesn't seem to be able to communicate across GOS profiles, so using it would lock me into using the Owner profile for regular use. But at the moment I can't find any other solution that solves my problem.

It seems like protecting saved messages from people with physical device access would be quite a common threat, and in the case of someone dealing with domestic abuse a very serious one, but I can find almost nothing about it on the web. (All the discussion of SMS seems focused on secure transmission and server-side storage, not client-side storage). Does anybody know of a good way to handle this threat using GrapheneOS or compatible tools?

[deleted]

whitherunderground but the SMS profile permission is coupled to the phone permission, so if I did this I wouldn't be able to keep my regular-use profile SMS-free without missing all phone calls.

Why don't you try disabling the Messages app in that seperate another profile?
Also, You can install apps the you need and then disable installation of apps in that seperate another profile; to mitigate the risk of someone downloading a third-party SMS app to view your SMSes.

treequell

[deleted] The Original poster (OP) wants to protect their SMSes from their family members and 'nosy' friends (The people stated will have physical access to their device).

Thanks for pointing that out.

whitherunderground

In that case, I would setup a secondary user with access to phone calls and SMS from that user denied. Then make sure you switch to that secondary user before giving your phone to anybody else. This is an ideal use case for setting up a secondary user.

[deleted]

Simple. Don't leave it unlocked. 🙄

whitherunderground

[deleted]

Yeah, never unlocking the phone would work, except when I'm asked "Hey cousin, why are you pulling over to find the directions? Just let me use your phone to find them for you."

[deleted]

Maybe I'm missing how disabling the message app in a secondary profile would help? Then I'd simply have to use an SMS app in my regular-use profile, wouldn't I? And be stuck with the original problem of any short-term user of my phone seeing all the saved SMSes?

Thanks for pointing out that any profiles with SMS permission can see all old SMSes. That's another argument for Silence -- it keeps the SMS storage locked up so that there's no leakage between profiles.

Skyway

I suppose Google Messages might work (although I'm always nervous about Google services). Does it have a feature to lock local access to SMSes?

Also this worries me:

I've found it doesnt sync with the stock SMS or forward messages to other users unless I'm in the user profile with both SMS and google messages app

Doesn't this mean I wouldn't be able to receive SMSes unless the (unlocked) stock app is present in my SMS profile?

Skyway

Just a thought , I've been using google messages app it doesn't need google services or network to run . I've found it doesnt sync with the stock SMS or forward messages to other users unless I'm in the user profile with both SMS and google messages app .so maybe use the google messages app and disable the stock SMS app in that profile ? So you have one profile dedicated to SMS .
again not leaving phone unlocked is easiest but doesn't help if phone is taken while unlocked .

Skyway

whitherunderground I just disabled the stock app and sent myself a text and the google messages app received message as usual .
I don't like google either but I'm using it without any google services and network permission removed .

[deleted]

whitherunderground I think you should use a different profile for personal use and set it up like this:

Disable the Messages app (If not possible via Settings, use Wireless/USB debugging)
Install all the apps you need
Disable Installation of new apps in this profile via Settings in Owner profile, to mitigate the risk of third-party SMS app being installed on this profile.

whitherunderground

Skyway

Hmm that could be promising then. Is there a feature to lock the stored messages? (Without that, it's not much better than stock I think?)

Skyway

whitherunderground even with stock app disabled the text came through to other profiles via stock app .

whitherunderground

Skyway

even with stock app disabled the text came through to other profiles via stock app .

Hmm yeah that's not so good. That probably means that the stock app in the other profiles also have access to old SMSes? If so then that's a big hole blown in the solution. Although if Google Messages can be locked then it might at least mitigate the problem in the open (non-owner) profile?

Skyway

If you can find a way to lock the settings app via locking the launcher that would protect an app you disable from being enabled again . there have been some threads discussing this .

I don't see an option to lock the messaging app .

Edit: you can't disable the stock SMS app in user profiles only in owner . there goes that idea

whitherunderground

[deleted] Download Simple SMS Messenger (part of Simple Mobile tools). Set it as a default SMS app in Settings-Apps-Default apps. Disable built-in SMS app. Uninstall Simple SMS Messenger. You no longer have a working SMS app on device. Check again in Settings-Apps-Default apps.

Well, I want a working SMS app somewhere on the device -- just not in the profile I regularly use for phone and for non-SMS apps. Your comment made me think that maybe I could use this trick to disable the stock app globally and then leave me with no SMS app in a regular-use profile, but as Skyway mentioned it looks like for some reason it's only possible to disable the stock app in the Owner profile. So I don't think the install-third-party-disable-stock trick does much good unfortunately. Thanks for the idea though.

Your suggestion of a lockable launcher seems to be the only additional alternative here to the options of Silence or never sharing one's phone. I would still worry that with a locked launcher someone would accidentally stumble into a bunch of compromising text messages via another app that opens the SMS app, but you're right that it would at least reduce the risk.

I continue to share @Graphite's bafflement that there aren't more developers in the world who seem to be worried about what seems like an incredibly common use case. I thought I was missing some stupidly obvious solution, but based on the responses here I guess that's not the case... I'd love to hear further suggestions if anybody else has them though!

[deleted]

whitherunderground I think using an app like Silence, with its own locks, would in theory be viable

How can Silence encrypt the SMS/MMS database stored locally on your device? Does it store all SMSes and MMSes in its own app-based datavase and then delete them from OS' SMS database or something?

treequell

[deleted] Is the filesystem-based encryption on GrapheneOS not sufficient? If you don't want any other apps accessing your SMS messages, then deny them the SMS permission.

whitherunderground

Thanks all for the thoughtful replies!

[deleted]

How can Silence encrypt the SMS/MMS database stored locally on your device? Does it store all SMSes and MMSes in its own app-based datavase and then delete them from OS' SMS database or something?

I think so? When Silence is the default SMS app of the Owner profile and receives a text, that text never shows up in the stock app, or in the stock app of any newly-enabled profiles (whereas when the stock app is the Owner's default, any texts received show up in the stock app of every profile with SMS permissions).

[deleted]

I think you should use a different profile for personal use and set it up like this:

Disable the Messages app (If not possible via Settings, use Wireless/USB debugging)

Install all the apps you need

Disable Installation of new apps in this profile via Settings in Owner profile, to mitigate the risk of third-party SMS app being installed on this profile.

So this is what I was hoping to do when I found out about GOS's profiles support. The main problem I ran into is that SMSes can't be disabled in a profile's settings without also disabling the phone (and I'd need the phone in my regular-use profile). I'm not sure I know how to disable SMS via Wireless or USB debugging though -- do you have a link to some instructions on how to do that?

It also makes me a little nervous that all those SMSes just sit in the OS database ready to be read by any profile with SMS permission, but I guess the trick to that is to deny that permission to everything except the SMS profile (which should maybe be the Owner profile since it always has SMS access?).

But yeah I guess if there's a way to deny a profile SMS access without denying phone access, then a separate SMS profile could work. So any tips on how to do that would be very welcome!

[deleted]

treequell Hi,
The Original poster (OP) wants to protect their SMSes from their family members and 'nosy' friends (The people stated will have physical access to their device).

[deleted]

Let me just mention that Neo Launcher
https://github.com/NeoApplications/Neo-Launcher
supports password protecting apps from its settings, including Settings itself which some may find very beneficial. So you could protect your SMS and other sensitive apps while the phone is unlocked. I am aware the launcher doesn't have frequent updates, but if anything, it has better functionality than the stock launcher. Just consider it, it worked well for me in the past. Any questions? Just ask.

[deleted]

[deleted] supports password protecting apps from its settings

This can be bypassed with a third-party launcher

[deleted]

[deleted] i would password protect any such app that supports downloading/sideloading APK as well (browser, file manager). As OP said he wants to protect himself from family and nosy friends who usually aren't very knowledgeable (from my own experience). From this POV this is already an overkill.

[deleted]

[deleted] i would password protect any such app that supports downloading/sideloading APK as well (browser, file manager)

Any app's MainActivity (The activity that is used to open the app) can be launched by invoking it via shell or an app like App Manager, thus bypassing 'password protect' stuff

[deleted] As OP said he wants to protect himself from family and nosy friends who usually aren't very knowledgeable (from my own experience)

Well, yeah.

[deleted]

[deleted] I would second @treequell in saying filesystem encryption should be sufficient and if you don't trust your family, friends or acquaintances, tell them so or alternatively ask if you can have a browse through their device, I am sure that would shut up many.