It sounds like a $600 Jitterbug that runs Signal.
Using GrapheneOS as a base for a consumer product
Even the most secure and private phone, if such thing even exists, in the wrong hands is a disaster in the making.
No. You obviously haven't read the spec requirements
N1b I'm happy you came here and as you can see, many people are willing to help and give advice. It would be awesome if your company has a successful launch and will be providing way more devices than 300 per year, and I hope you can make it happen (both the sales and the service including updates).
Thank you. I appreciate that!
Here are some points that might be a road block for your business model and need addressing:
Yes. Good points, I'll comment on them one by one
You mentioned that you will use virtual numbers to register Signal accounts, but VOIP numbers won't usually work since Signal doesn't send the initial short codes to VOIP numbers. You could solve this with real cellular numbers. A good source to get them for cheap is smspool.net, and you should set up Signal with registration lock turned on so nobody could use the number later to take over the account.
Yes. We can get cheap numbers from a couple of services, like for example smspool that you mentioned. We will use registration lock when we prepare Signal.
You expect a lot of trust from your users, so it would be helpful to have a clear explanation of what you do and how you do it on your website, and not to claim to provide "anonymity" like it's something the user just gets by using your device. You will have to educate your user to some extent, otherwise trust is hard to build or quickly lost when a user gets caught because he thought telling people on Signal his private information was no problem because he uses the Anonymity phone.
Absolutely. Some education is necessary. However, giving your private information to somebody in a message on Signal is fine if you know and trust that person.
Since Signal requires a phone number that is visible to all the people you write to, one of them will inevitably save you in their contact list with your name, the Signal number and some other identifiers and then share this data with Facebook, Google and whoever else asks for contact permission. Anonymity will be quickly gone by then, and you can't prevent it from happening unless you educate your clients to only share the Signal number with a few people who know not to save them in their contact list.
That's not a problem, since the phone number used to activate Signal is disposed of directly after activation. When we insert a new anonymous SIM card, Signal doesn't care. It's activated with the original disposable number and will never know of the number on your current SIM card. So even if a user shares your Signal ID (the original number), that number is no longer in use and it's in no way connected to your phone.
Not sure about this one, but since we elaborated already that you will likely install your GOS fork on a Pixel 6a or 7a phone, you might not be able to disconnect some of the hardware like Bluetooth or GPS.
We are looking for a few things in the hardware, and our choice will be made by considering multiple aspects:
- Price of the device
- End of life for security updates
- Hardware features
Do you mean that the GPS and Bluetooth can't be physically disconnected on a Pixel 6 or later Pixel phone?
That being said, I wonder why you go through all that hassle if GOS already provides so much of what you need. If I were you, I'd simply ship a Pixel 6a with GOS pre-installed and set up (VPN, Auto-Updates, most apps disabled etc.), Signal installed from website with self-updater and maybe a simple FOSS launcher where you can hide the settings app.
That's an interesting idea. Are there security-focused launchers that allow you to disable apps and settings and not allow the user to uninstall the launcher or change its settings without an arbitrary password that we can set? That would potentially be a strategy we could investigate.
The rest would be education and customer service / helpdesk which you need to do anyway. Your business would provide an out of box hardware solution, quick education and great customer support. Your target customer would be someone with money but no time that requests mobile security and privacy (and sometimes barebone anonymity). You could charge him every 3-5 years 1.000€ for the phone (or heck make it a Pixel 8 pro or Pixel Fold and charge him 2.500€) and an ongoing support fee.
That's an idea we've considered, but our target customers need an affordable, cheap phone (at least in our initial phase).
Your own solution demands so much more work for the little benefit of not having some software buttons present that a user could accidentally touch, but that's mostly an educational problem...
Yes. And one of our mission statements is to minimize the need for user education.
Also, and that's one of the main reasons I came here looking for advice: how much work would it be to fork GOS, remove a few features/settings and still keep up with the upstream branch and security updates?
Thanks again for your time.
I am curious why don't you go the official route and contact GrapheneOS developer team directly? They must have noticed this thread and judging by the lack of a single comment from them, they don't consider your proposition sufficiently interesting.
pixpot Are there security-focused launchers that allow you to disable apps and settings and not allow the user to uninstall the launcher or change its settings without an arbitrary password that we can set?
There are some launchers that can do everything you want within the launcher itself (lock/hide apps, password protection etc.), but I'm not aware of any launcher that can circumvent the system wide controls and pulldown shortcuts for settings. They probably need privileged access which no launcher should have... That's where the "education" would kick in. Like "we can only guarantee you safety and privacy if you never press that button, and here's why".
I lack the knowledge to answer the other questions (hardware removal, ease of forking GOS).
pixpot If you think it more productive to discuss this somewhere else, please point me in the right direction.
I think it was great that you came here first, as there were a lot of things to clarify from your introductory statement and also some very important misconceptions that indeed would have wasted time from the lead devs and also made you look unprepared.
Your enthusiasm shows, and that's one of the most important factors for longevity and sustainability of your project. Once you can present your mission, goals and requirements in a few sentences, that's when you want to head to the leaders. I wish you the best of luck, you seem to have good intentions and I would love to see more choices out there for security and privacy use cases, even if GOS is the best solution for myself.
Fascinating thread. As I read the latest posts and now respond via this lovely Keychron keyboard connected to my tablet, a thought comes to mind: you speak of reporting on events in a repressive location. Simple texting via Signal is fine for a sentence or two, but are you actually seeking to support reporters? If so I might offer an alternative path to consider, as it doesn't seem this is about profit but rather supporting the free flow of journalism globally.
Typing on this keyboard is much faster & less likely to destroy my thumbs than using a phone. If detailed & accurate reports are to be prepared, even a folding keyboard would be beneficial, and can be used with a $30 tablet with NO SIM card. But how to transmit securely? I would personally suggest a digital handheld radio, with encryption performed using PGP on the tablet, and sent with a digital radio protocol. Here in the US it is ILLEGAL to send encrypted info on the amateur radio bands, but if one is sending data in a place where repression & torture are consequences of reporting, legality is not on the table. A report could be written at leisure by the author, encrypted, and then sent from a time & place where a brief burst of RF emanates. Transmission concluded, the radio is shut down. The window of opportunity to locate & triangulate the signal is brief.
This scenario may not be useful BUT were I seeking to support journalists, this is how I would go about it. There is a little bit more of a learning curve, but in the present age I suspect this would be far less likely to be detected than monitoring cell signals. Given that a given Signal acct does have an identifier (a SIM, even if changed) and that anonymous SIM can be connected to a time/location of transmission. RF has no identifier, just the radio waves moving through the ether.
DrJack60
I find it disturbing that you refer to the amateur bands for this activity.
There is a lot of spectrum out there, and I’m sure there are better places therein.
Blastoidea Absolutely, if one is in such a setting then using 'unauthorized frequency' is the least of one's worries. I meant this in a more general sense, to convey the idea that using non-cell RF might be a better solution. Out of band radio mods are trivial, and other countries actually have more open spectrum than we have in the US anyway.
One time pad communication ( number stations ) are still used today.
Skyway
In the ham bands?
(I hope not)
Thanks for a creative idea, but switching our entire stack and plan is not feasible.
I still have a question about profiles. If I set up multiple user profiles: can I require a password when the user wants to switch between profiles?
Also. Can I put a profile at rest so that the data is removed from memory and encrypted?
pixpot I only ever use one profile, but from what I heard on here each profile is encrypted with the password you set for it. And each user profile's data is put at rest when you end its session.
pixpot Yes, you can and should protect individual profiles by passwords or PINs. When you delete a profile, you'll get a warning, and all the data will be inevitably lost since the decryption key is wiped (if I understand it correctly, the data is technically still there until overwritten, but nobody will be able to read it).
Be aware that after reboots and updates you'll always have to unlock the owner profile before accessing any user profile. So you can't just set up a user profile for your clients and not give them access to the owner profile.
Edit: Typos
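The crypto-erase idea N1b describes above (the ciphertext stays on flash until overwritten, but the key that could read it is gone) as an added example written for this page: it is not code from the thread, from GrapheneOS or from AOSP, and it does not model Android's real file-based encryption, Keystore or hardware key storage. A toy `Profile` type (an assumed name) wraps a random per-profile data key under a password-derived key and, on deletion, destroys only that wrapped key. The iterated-SHA-256 KDF is a dependency-free stand-in for a real password hash such as scrypt or Argon2 and should not be copied into production code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Profile is a toy model of one user profile (an assumed type, not Android's or
// GrapheneOS's code): files are encrypted under a random data-encryption key (DEK)
// that is stored only wrapped under a password-derived key-encryption key (KEK).
type Profile struct {
	salt       []byte   // salt for deriving the KEK from the password
	wrappedDEK []byte   // DEK sealed under the KEK; nil once the profile is deleted
	files      [][]byte // encrypted files, each stored as nonce || ciphertext
}

// deriveKEK: iterated SHA-256 stands in for a real password hash (scrypt/Argon2).
func deriveKEK(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or any tampering fails authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// NewProfile creates a profile whose fresh random DEK is wrapped under password.
func NewProfile(password string) (*Profile, error) {
	raw := make([]byte, 48) // 16-byte salt followed by a 32-byte DEK
	if _, err := rand.Read(raw); err != nil { return nil, err }
	salt, dek := raw[:16], raw[16:]
	wrapped, err := seal(deriveKEK(password, salt), dek)
	if err != nil { return nil, err }
	for i := range dek { dek[i] = 0 } // the plaintext DEK is not kept anywhere
	return &Profile{salt: salt, wrappedDEK: wrapped}, nil
}

// Unlock recovers the DEK; it fails for a wrong password and, after Delete, for the right one too.
func (p *Profile) Unlock(password string) ([]byte, error) {
	if p.wrappedDEK == nil { return nil, errors.New("profile deleted: key material wiped") }
	dek, err := unseal(deriveKEK(password, p.salt), p.wrappedDEK)
	if err != nil { return nil, errors.New("wrong password") }
	return dek, nil
}

// Store encrypts one file under an unlocked DEK and returns its index.
func (p *Profile) Store(dek, plaintext []byte) (int, error) {
	ct, err := seal(dek, plaintext)
	if err != nil { return 0, err }
	p.files = append(p.files, ct)
	return len(p.files) - 1, nil
}

// Read decrypts file idx with an unlocked DEK.
func (p *Profile) Read(dek []byte, idx int) ([]byte, error) {
	if idx < 0 || idx >= len(p.files) { return nil, errors.New("no such file") }
	return unseal(dek, p.files[idx])
}

// Delete is a crypto-erase: only the wrapped DEK is zeroed and dropped. It returns
// how many ciphertext bytes still sit on "disk" (p.files), now unreadable by anyone.
func (p *Profile) Delete() int {
	for i := range p.wrappedDEK { p.wrappedDEK[i] = 0 }
	p.wrappedDEK = nil
	remaining := 0
	for _, f := range p.files { remaining += len(f) }
	return remaining
}
```

After `Delete`, `Unlock` fails even with the correct password while every ciphertext is still present byte for byte. Note the caveat the model makes visible: a copy of the DEK that is still in RAM keeps decrypting those files, so it is ending the session (dropping the key from memory) that puts a profile "at rest", not deletion.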
N1b Be aware that after reboots and updates you'll always have to unlock the owner profile before accessing any user profile. So you can't just set up a user profile for your clients and not give them access to the owner profile.
And this is by design?
Allowing a user to only access the user profile would allow us full control of the user's ability to "make a mistake". Is locking down the owner profile something that could be implemented/is being discussed, or is it too integral to AOSP to be changed, or are there any other technical reasons this is not doable?
It's on my wishlist that owner is treated as sudo, and the other users are treated as regular linux users. Then on the other hand there is the question of who manages sudo, and if done by remote = oh no. Solutions could be explored with enough donations.
pixpot It's how AOSP works. It could potentially work differently, but currently doesn't. It might change upstream, but who knows.