• Development

  • Using GrapheneOS as a base for a consumer product

zzz IMO the sources of your funding could be another important educational aspect for your users and will impact their trust in you.

For example, funding plays into part of the basis of my trust for:
Proton because the business model is based on straightforward subscriptions (no surveillance advertising)
GOS and Signal because they are nonprofits that run on donations, and the size of some of the larger of these donations are published.
The Cryptpad project and Cryptpad.fr for similar reasons, plus I love how they publish their yearly numbers ( https://cryptpad.org/about/ )

Good ponts. The funding will be publicly posted on our website to build thrust.

For your case, its worth considering that venture capitalists seeking a 40% return on investment from a budding startup are generally not trustworthy for anything beyond a thirst for money. The world is full of the tombstones of idealistic startups that eventually abuse their users in an effort to appease shareholders when the road gets bumpy. How will you buck the trend with your shareholders?

The funding we have is not venture capital. I cannot go into details but most of the funding comes from an organization that believes in freedom of speech and privacy.

Its worth asking yourself:
Will you publish your yearly sales, overhead, fundraising, etc?
Will you disclose the capitalization table that details the ownership structure of the company?
Will you make sure to somehow audit these disclosures via third parties?
Etc

We will certainly disclose most of those things yes, we believe that if we sell a product that depends on trust we must also be open and trustworthy.

I'm not saying that you need all of these things to be successful. But I will say that as soon as I hear "startup" and "funding", my eyes glaze over and I start from a position of low trust - venture funded startups have a reputation for breaking things, not protecting things.

I fully respect that and I appreciate you for pointing it out.

I urge you to consider your sources of funding as another attack vector for the OS, and find ways to mitigate through transparency and by keeping your list of shareholders as clean and neatly trimmed as your list of installed apps ^_^

That's a good anology. The sources of funding can indeed be an attack vector. In our case I am confident (and we will disclose why at a later time) that our "funders" will be a shield rather than anything else. We have no requirement to make any money/profit in our first round(s).

Thanks for an interesting discussion everyone.

Thank you for contributing and bringing up som valid and important points that we need to give more attention to in our communication and promotion of the product.

  • zzz likes this.

    [deleted] the device could come with fewer technical alterations, but with a well put together DO/DON'T manual. Saves costs, doesn't reduce usability for those who let's say change their mind

    Good point. But that's not a possible strategy for us since many of out users will not be as educated about the risks of not following the "manual". It is crucial that we absolutely minimize the possibility for human/user error that compromise security or privacy.

      • [deleted]

      • Post #56

      Even the most secure and private phone, if such thing even exists, in the wrong hands is a disaster in the making.

      N1b I'm happy you came here and as you can see, many people are willing to help and give advice. It would be awesome if your company has a successful launch and will be providing way more devices than 300 per year, and I hope you can make it happen (both the sales and the service including updates).

      Thank you. I appreciate that!

      Here are some points that might be a road block for your business model and need addressing:

      Yes. Good points, ill comment on them one by one

      You mentioned that you will use virtual numbers to register signal accounts, but VOIP numbers won't usually work since Signal doesn't send the initial short codes to VOIP numbers. You could solve this with real cellular numbers. A good source to get them for cheap is smspool.net and you should set up signal with registration lock turned on so nobody could use the number later to take over the account.

      Yes. We can get cheap numbers from a couple of services, like for example smspool that you mentioned. We will use registration lock when we prepare Signal.

      you expect a lot of trust from your users, it would be helpful to have a clear explanation of what you do and how you do it on your website and not claim to provide "anonymity" like it's something the user just gets by using your device. You will have to educate your user to some extent, otherwise trust is hard to build or quickly lost when a user gets caught because he thought telling people on signal his private information was no problem because he uses the Anonymity phone.

      Absolutely. Some education is necessary. However, giving your private information to somebody in a message on Signal is fine if you know and trust that person.

      Since Signal requires a phone number that is visible to all the people you write to, one of them will inevitably save you in their contact list with your name, the Signal number and some other identifiers and then share this data with Facebook, Google and whoever else asks for contact permission. Anonymity will be quickly gone by then, and you can't prevent it from happening except you educate your clients to only share the Signal number with a few people who know not to save them in their contact list.

      Thats not a problem. Since the phone number used to activate Signal is desposed of directly after activation. When we insert a new anonymous sim card, Signal doesnt care. Its activated with the original disposable number and will never know of the number on your current sim card. So even if a user shares your Signal ID (the original number) that number is no longer in use and its in no way connected to your phone.

      Not sure about this one, but since we elaborated already that you will likely install your GOS fork on a Pixel 6a or 7a phone, you might not be able to disconnect some of the hardware like Bluetooth or GPS.

      We are looking for a few things in the hardware and our choice will be made my consider multiple aspects:

      • Price of the device
      • End of life for security updates
      • Hardware features

      Do you mean that the GPS and Bluetooth cant be physically disconnected on a Pixel 6 or later Pixel phone?

      That being said, I wonder why you go through all that hassle if GOS already provides so much of what you need. If I were you, I'd simply ship a Pixel 6a with GOS pre-installed and set up (VPN, Auto-Updates, most apps disabled etc.), Signal installed from website with self-updater and maybe a simple FOSS launcher where you can hide the settings app.

      Thats an interesting idea. Are there security focused launcher that allow you to disable apps and settings and not allowing the user to install the laucher och change its settings without a arbitrary password that we can set? That would potentialy be a strategy we could investigate.

      The rest would be education and customer service / helpdesk which you need to do anyway. Your business would provide an out of box hardware solution, quick education and great customer support. Your target customer would be someone with money but no time that requests mobile security and privacy (and sometimes barebone anonymity). You could charge him every 3-5 years 1.000€ for the phone (or heck make it a Pixel 8 pro or Pixel Fold and charge him 2.500€) and an ongoing support fee.

      Thats an idea we've considered but our target customers need affordable, cheap phone (at least in our initial faze).

      Your own solution demands so much more work for the little benefit of not having some software buttons present that a user could accidentally touch, but that's mostly an educational problem...

      Yes. And one our mission statements are to minimize the need for user education.

      Also, and thats one of the main reasons I came here looking for advice: how much work would it be to fork GOS, remove a few features/settings and still keep up with the upstream branch and security updates?

      Thanks again for your time.

      • N1b replied to this.
      • N1b likes this.

          • [deleted]

          • Post #59

          I am curious why don't you go the official route and contact GrapheneOS developer team directly? They must have noticed this thread and judging by the lack of a single comment from them, they don't consider your proposition sufficiently interesting.

            [deleted]

            Thanks for the comment. I didn't really know where to start and since I didn't want to take up valuable developer time i though I'd start here.

            If you think it more productive to discuss this somewhere else, please point me in the right direction.

            • N1b replied to this.

                pixpot Are there security focused launcher that allow you to disable apps and settings and not allowing the user to install the laucher och change its settings without a arbitrary password that we can set?

                There are some launchers that can do everything you want within the launcher itself (lock/hide apps, password protection etc.), but I'm not aware of any launcher that can circumvent the system wide controls and pulldown shortcuts for settings. They probably need privileged access which no launcher should have... That's where the "education" would kick in. Like "we can only guarantee you safety and privacy if you never press that button, and here's why".

                I lack the knowledge to answer the other questions (hardware removal, ease of forking GOS).

                pixpot If you think it more productive to discuss this somewhere else, please point me in the right direction.

                I think it was great that you came here first as there were a lot of things to clarify from your introductional statement and also some very important misconceptions that indeed would have wasted time from the lead devs and also made you look unprepared.

                Your enthusiasm shows, and that's one of the most important factors for longevity and sustainability of your project. Once you can present your mission, goals and requirements in a few sentences, that's when you want to head to the leaders. I wish you the best of luck, you seem to have good intentions and I would love to see more choices out there for security and privacy use cases, even if GOS is the best solution for myself.

                    Fascinating thread. As I read the latest posts and now respond via this lovely Keychron keyboard connected to my tablet, a thought comes to mind: you speak of reporting on events in a repressive location. Simple texting via Signal is fine for a sentence or two, but are you actually seeking to support reporters? If so I might offer an alternative path to consider, as it doesn't seem this is about profit but rather supporting the free flow of journalism globally.

                    Typing on this keyboard is much faster & less likely to destroy my thumbs than using a phone. If detailed & accurate reports are to be prepared, even a folding keyboard would be beneficial, and can be used with a $30 tablet with NO sim card. But how to transmit securely? I would personally suggest a digital handheld radio, with an encryption performed using PGP on the tablet, and sent with a digital radio protocol. Here in the US it is ILLEGAL to send encrypted info on the amateur radio bands, but if one is sending data in a place where repression & torture are consequences of reporting, legality is not on the table. A report could be written at leisure of the author, encrypted, and then sent from a time & place where a brief burst of RF emmanates. Transmission concluded, the radio is shut down. The window of opportunity to locate & triangulate the signal is brief.

                    This scenario may not be useful BUT were I seeking to support journalists, this is how I would go about it. There is a little bit more of a learning curve, but in the present age I suspect this would be far less likely to be detected than monitoring cell signals. Given that a given Signal acct does have an identifier (a SIM, even if changed) and that anonymous SIM can be connected to a time/location of transmission. RF has no identifier, just the radio waves moving through the ether.

                      DrJack60
                      I find it disturbing that you refer to the amateur bands for this activity.

                      There is a lot of spectrum out there, and I’m sure there are better places therein.

                          Blastoidea Absolutely, if one is in such a setting then using 'unauthorized frequency' is the least of one's worries. I meant this in a more general sense, to convey the idea that using non-cell RF might be a better solution. Out of band radio mods are trivial, and other countries actually have more open spectrum than we have in the US anyway.

                            Thanks for a creative idea but switching our entire stack and plan is not feasable

                            I still have a question about profiles. If I set up multiple user profiles: can I require a password when the user wants to switch between profiles?

                            Also. Can I put a profile at rest so that the data is removed from memory and encrypted?

                              • [deleted]

                              • Post #70

                              pixpot I only ever use one profile but from what I heard on here each profile is encrypted with the password you set for it. And each user profiles data is put at rest when you end its session.

                              • N1b likes this.

                                pixpot yes you can and should protect individual profiles by passwords or pins. When you delete a profile, you'll get a warning and all the data will be inevitably lost since the decryption key is wiped (if I understand it correctly the data is technically still there until overwritten, but nobody will be able to read it).

                                Be aware that after reboots and updates you'll always have to unlock the owner profile before accessing any user profile. So you can't just set up a user profile for your clients and not give them access to the owner profile.

                                Edit: Typos

                                    N1b aware

                                    N1b Be aware that after reboots and updates you'll always have to unlock the owner profile before accessing any user profile. So you can't just set up a user profile for your clients and not give them access to the owner profile.

                                    And this is by design?

                                    Allowing a user to only acces the user profile would allow us full control of the users abilities to "make a mistake". Is locking down the owner profile something that could be implemented/is being discussed or is it to integral to AOSP to be changed, or are there any other technical reasons this is not doable?