Using GrapheneOS as a base for a consumer product

Honestly, and this isn't a dig at you or trying to throw your credibility into question or anything like that, I would NOT trust you to supply a device with the claimed characteristics. Why? Because I don't know you and can't really check your work to make sure it is good. For all I know, you could be handing out backdoored devices for whatever reason (blackmail, foreign government payoff, etc.)

In the line of "anonymous sim card", that is simply not a possibility. I think the best option there is, is a cellular service being provided by a company in a country that doesn't have an information sharing agreement with the country the end user will be using it in. Especially eSIM, which can be swapped out without having to obtain a physical replacement.

Now there will STILL be trackable data from the device as long as it makes any kind of cellular connection -- the device's IMEI. Nothing you can do to prevent it from being tracked from cell to cell except by carrying multiple phones and switching between them frequently.

As far as the OS goes, again, I don't trust you, I trust ME. So I'd insist on installing grapheneOS myself, not having someone else do it and muck with it in who knows what way.

So from my point of view, you are BREAKING the trust of the device, not enhancing it.

And "Signal" -- correct me if I'm wrong, but that has to be linked to a PHONE NUMBER, doesn't it? That means that somewhere, someone can track certain metadata. Who is sending a message, to whom, at what time, etc. Even if they don't know the CONTENT of the message, there is still a ton of data available to be harvested and used for tracking. I sure as hell wouldn't be using "Signal" for anonymity.

    csis01 Honestly, and this isn't a dig at you or trying to throw your credibility into question or anything like that, I would NOT trust you to supply a device with the claimed characteristics. Why? Because I don't know you and can't really check your work to make sure it is good. For all I know, you could be handing out backdoored devices for whatever reason (blackmail, foreign government payoff, etc.)

    I understand and appreciate that. However, you are not in the target group. You are a tech savvy user with knowledge in this area. Our customers are not.

    You CAN check our work. Our company will be publicly listed with all legal documentation available.

    csis01 In the line of "anonymous sim card", that is simply not a possibility. I think the best option there is, is a cellular service being provided by a company in a country that doesn't have an information sharing agreement with the country the end user will be using it in. Especially eSIM, which can be swapped out without having to obtain a physical replacement

    It's absolutely possible to obtain anonymous sim cards in bulk. Read the previous posts. Our main concern is not hiding the approximate location of a device but rather to make it impossible to identify the person using the device and eavesdrop on their communication.

    csis01 And "Signal" -- correct me if I'm wrong, but that has to be linked to a PHONE NUMBER, doesn't it? That means that somewhere, someone can track certain metadata. Who is sending a message, to whom, at what time, etc. Even if they don't know the CONTENT of the message, there is still a ton of data available to be harvested and used for tracking. I sure as hell wouldn't be using "Signal" for anonymity.

    Signal initially requires a phone number. That could be (and will be) a disposable number used only for the purpose of creating a Signal account. That number (a virtual number) will then be discarded and an anonymous sim card will be used to handle mobile data. This makes Signal users anonymous since the number used to activate their account was an anonymous, temporary disposable number.

      You have obviously thought of many things. It’s the ones you haven’t thought of that will bite you on the ass.

      Your enthusiasm is refreshing, and I wish you luck. Pick your advisors carefully.

        Blastoidea Thank you. If you have any point that we have not considered, please feel free to contribute them!


          pixpot You are a tech savvy user with knowledge in this area. Our customers are not.

          Everybody knows someone who can do this install. I've done a few for people I know.

            csis01 And you think that's comparable to running a company shipping 300+ units every year.

            Also, when I speak about tech savvy I'm referring to the end user. You would have to educate everyone you help flash their phone on how to manage it, what app to not install, what settings to use, etc.

            You see the difference?

              • [deleted]

              pixpot the device could come with fewer technical alterations, but with a well put together DO/DON'T manual. Saves costs, doesn't reduce usability for those who let's say change their mind.

                pixpot Please feel free to elaborate/comment further.

                You're right about the 5 steps and that it will be very hard to get to the point of triangulating a roaming data SIM, and I think this is not the big problem overall for your business model. I was just trying to answer the question you raised, because finding a targeted SIM card is not hard.

                I'm happy you came here and as you can see, many people are willing to help and give advice. It would be awesome if your company has a successful launch and will be providing way more devices than 300 per year, and I hope you can make it happen (both the sales and the service including updates).

                pixpot If you have any point that we have not considered, please feel free to contribute them!

                Here are some points that might be a road block for your business model and need addressing:

                • You mentioned that you will use virtual numbers to register signal accounts, but VOIP numbers won't usually work since Signal doesn't send the initial short codes to VOIP numbers. You could solve this with real cellular numbers. A good source to get them for cheap is smspool.net and you should set up signal with registration lock turned on so nobody could use the number later to take over the account.
                • You expect a lot of trust from your users, it would be helpful to have a clear explanation of what you do and how you do it on your website and not claim to provide "anonymity" like it's something the user just gets by using your device. You will have to educate your user to some extent, otherwise trust is hard to build or quickly lost when a user gets caught because he thought telling people on Signal his private information was no problem because he uses the Anonymity phone.
                • Since Signal requires a phone number that is visible to all the people you write to, one of them will inevitably save you in their contact list with your name, the Signal number and some other identifiers and then share this data with Facebook, Google and whoever else asks for contact permission. Anonymity will be quickly gone by then, and you can't prevent it from happening except you educate your clients to only share the Signal number with a few people who know not to save them in their contact list.
                • Not sure about this one, but since we elaborated already that you will likely install your GOS fork on a Pixel 6a or 7a phone, you might not be able to disconnect some of the hardware like Bluetooth or GPS.

                That being said, I wonder why you go through all that hassle if GOS already provides so much of what you need. If I were you, I'd simply ship a Pixel 6a with GOS pre-installed and set up (VPN, Auto-Updates, most apps disabled etc.), Signal installed from website with self-updater and maybe a simple FOSS launcher where you can hide the settings app. The rest would be education and customer service / helpdesk which you need to do anyway. Your business would provide an out of box hardware solution, quick education and great customer support. Your target customer would be someone with money but no time that requests mobile security and privacy (and sometimes barebone anonymity). You could charge him every 3-5 years 1.000€ for the phone (or heck make it a Pixel 8 pro or Pixel Fold and charge him 2.500€) and an ongoing support fee.

                Your own solution demands so much more work for the little benefit of not having some software buttons present that a user could accidentally touch, but that's mostly an educational problem...

                  Following up on this:

                  pixpot We have acquired funding

                  And this:

                  N1b you expect a lot of trust from your users, it would be helpful to have a clear explanation of what you do and how you do it on your website and not claim to provide "anonymity" like it's something the user just gets by using your device. You will have to educate your user to some extent, otherwise trust is hard to build or quickly lost when a user gets caught because he thought telling people on signal his private information was no problem because he uses the Anonymity phone.

                  IMO the sources of your funding could be another important educational aspect for your users and will impact their trust in you.

                  For example, funding plays into part of the basis of my trust for:

                  • Proton because the business model is based on straightforward subscriptions (no surveillance advertising)
                  • GOS and Signal because they are nonprofits that run on donations, and the size of some of the larger of these donations are published.
                  • The Cryptpad project and Cryptpad.fr for similar reasons, plus I love how they publish their yearly numbers ( https://cryptpad.org/about/ )

                  For your case, it's worth considering that venture capitalists seeking a 40% return on investment from a budding startup are generally not trustworthy for anything beyond a thirst for money. The world is full of the tombstones of idealistic startups that eventually abuse their users in an effort to appease shareholders when the road gets bumpy. How will you buck the trend with your shareholders?

                  It's worth asking yourself:

                  • Will you publish your yearly sales, overhead, fundraising, etc?
                  • Will you disclose the capitalization table that details the ownership structure of the company?
                  • Will you make sure to somehow audit these disclosures via third parties?
                  • Etc

                  I'm not saying that you need all of these things to be successful. But I will say that as soon as I hear "startup" and "funding", my eyes glaze over and I start from a position of low trust - venture funded startups have a reputation for breaking things, not protecting things.

                  I urge you to consider your sources of funding as another attack vector for the OS, and find ways to mitigate through transparency and by keeping your list of shareholders as clean and neatly trimmed as your list of installed apps ^_^

                  Thanks for an interesting discussion everyone.

                    zzz IMO the sources of your funding could be another important educational aspect for your users and will impact their trust in you.

                    For example, funding plays into part of the basis of my trust for:
                    • Proton because the business model is based on straightforward subscriptions (no surveillance advertising)
                    • GOS and Signal because they are nonprofits that run on donations, and the size of some of the larger of these donations are published.
                    • The Cryptpad project and Cryptpad.fr for similar reasons, plus I love how they publish their yearly numbers ( https://cryptpad.org/about/ )

                    Good points. The funding will be publicly posted on our website to build trust.

                    For your case, it's worth considering that venture capitalists seeking a 40% return on investment from a budding startup are generally not trustworthy for anything beyond a thirst for money. The world is full of the tombstones of idealistic startups that eventually abuse their users in an effort to appease shareholders when the road gets bumpy. How will you buck the trend with your shareholders?

                    The funding we have is not venture capital. I cannot go into details but most of the funding comes from an organization that believes in freedom of speech and privacy.

                    It's worth asking yourself:
                    • Will you publish your yearly sales, overhead, fundraising, etc?
                    • Will you disclose the capitalization table that details the ownership structure of the company?
                    • Will you make sure to somehow audit these disclosures via third parties?
                    • Etc

                    We will certainly disclose most of those things yes, we believe that if we sell a product that depends on trust we must also be open and trustworthy.

                    I'm not saying that you need all of these things to be successful. But I will say that as soon as I hear "startup" and "funding", my eyes glaze over and I start from a position of low trust - venture funded startups have a reputation for breaking things, not protecting things.

                    I fully respect that and I appreciate you for pointing it out.

                    I urge you to consider your sources of funding as another attack vector for the OS, and find ways to mitigate through transparency and by keeping your list of shareholders as clean and neatly trimmed as your list of installed apps ^_^

                    That's a good analogy. The sources of funding can indeed be an attack vector. In our case I am confident (and we will disclose why at a later time) that our "funders" will be a shield rather than anything else. We have no requirement to make any money/profit in our first round(s).

                    Thanks for an interesting discussion everyone.

                    Thank you for contributing and bringing up some valid and important points that we need to give more attention to in our communication and promotion of the product.


                    [deleted] the device could come with fewer technical alterations, but with a well put together DO/DON'T manual. Saves costs, doesn't reduce usability for those who let's say change their mind

                    Good point. But that's not a possible strategy for us since many of our users will not be as educated about the risks of not following the "manual". It is crucial that we absolutely minimize the possibility for human/user error that compromises security or privacy.

                    • [deleted]

                    Even the most secure and private phone, if such thing even exists, in the wrong hands is a disaster in the making.

                    N1b I'm happy you came here and as you can see, many people are willing to help and give advice. It would be awesome if your company has a successful launch and will be providing way more devices than 300 per year, and I hope you can make it happen (both the sales and the service including updates).

                    Thank you. I appreciate that!

                    Here are some points that might be a road block for your business model and need addressing:

                    Yes. Good points, I'll comment on them one by one.

                    You mentioned that you will use virtual numbers to register signal accounts, but VOIP numbers won't usually work since Signal doesn't send the initial short codes to VOIP numbers. You could solve this with real cellular numbers. A good source to get them for cheap is smspool.net and you should set up signal with registration lock turned on so nobody could use the number later to take over the account.

                    Yes. We can get cheap numbers from a couple of services, like for example smspool that you mentioned. We will use registration lock when we prepare Signal.

                    you expect a lot of trust from your users, it would be helpful to have a clear explanation of what you do and how you do it on your website and not claim to provide "anonymity" like it's something the user just gets by using your device. You will have to educate your user to some extent, otherwise trust is hard to build or quickly lost when a user gets caught because he thought telling people on signal his private information was no problem because he uses the Anonymity phone.

                    Absolutely. Some education is necessary. However, giving your private information to somebody in a message on Signal is fine if you know and trust that person.

                    Since Signal requires a phone number that is visible to all the people you write to, one of them will inevitably save you in their contact list with your name, the Signal number and some other identifiers and then share this data with Facebook, Google and whoever else asks for contact permission. Anonymity will be quickly gone by then, and you can't prevent it from happening except you educate your clients to only share the Signal number with a few people who know not to save them in their contact list.

                    That's not a problem, since the phone number used to activate Signal is disposed of directly after activation. When we insert a new anonymous sim card, Signal doesn't care. It's activated with the original disposable number and will never know of the number on your current sim card. So even if a user shares your Signal ID (the original number), that number is no longer in use and it's in no way connected to your phone.

                    Not sure about this one, but since we elaborated already that you will likely install your GOS fork on a Pixel 6a or 7a phone, you might not be able to disconnect some of the hardware like Bluetooth or GPS.

                    We are looking for a few things in the hardware and our choice will be made by considering multiple aspects:

                    • Price of the device
                    • End of life for security updates
                    • Hardware features

                    Do you mean that the GPS and Bluetooth can't be physically disconnected on a Pixel 6 or later Pixel phone?

                    That being said, I wonder why you go through all that hassle if GOS already provides so much of what you need. If I were you, I'd simply ship a Pixel 6a with GOS pre-installed and set up (VPN, Auto-Updates, most apps disabled etc.), Signal installed from website with self-updater and maybe a simple FOSS launcher where you can hide the settings app.

                    That's an interesting idea. Are there security focused launchers that allow you to disable apps and settings and not allow the user to uninstall the launcher or change its settings without an arbitrary password that we can set? That would potentially be a strategy we could investigate.

                    The rest would be education and customer service / helpdesk which you need to do anyway. Your business would provide an out of box hardware solution, quick education and great customer support. Your target customer would be someone with money but no time that requests mobile security and privacy (and sometimes barebone anonymity). You could charge him every 3-5 years 1.000€ for the phone (or heck make it a Pixel 8 pro or Pixel Fold and charge him 2.500€) and an ongoing support fee.

                    That's an idea we've considered but our target customers need an affordable, cheap phone (at least in our initial phase).

                    Your own solution demands so much more work for the little benefit of not having some software buttons present that a user could accidentally touch, but that's mostly an educational problem...

                    Yes. And one of our mission statements is to minimize the need for user education.

                    Also, and that's one of the main reasons I came here looking for advice: how much work would it be to fork GOS, remove a few features/settings and still keep up with the upstream branch and security updates?

                    Thanks again for your time.

                      • [deleted]

                      I am curious why don't you go the official route and contact GrapheneOS developer team directly? They must have noticed this thread and judging by the lack of a single comment from them, they don't consider your proposition sufficiently interesting.

                        [deleted]

                        Thanks for the comment. I didn't really know where to start and since I didn't want to take up valuable developer time I thought I'd start here.

                        If you think it more productive to discuss this somewhere else, please point me in the right direction.


                          pixpot Are there security focused launchers that allow you to disable apps and settings and not allow the user to uninstall the launcher or change its settings without an arbitrary password that we can set?

                          There are some launchers that can do everything you want within the launcher itself (lock/hide apps, password protection etc.), but I'm not aware of any launcher that can circumvent the system wide controls and pulldown shortcuts for settings. They probably need privileged access which no launcher should have... That's where the "education" would kick in. Like "we can only guarantee you safety and privacy if you never press that button, and here's why".

                          I lack the knowledge to answer the other questions (hardware removal, ease of forking GOS).

                          pixpot If you think it more productive to discuss this somewhere else, please point me in the right direction.

                          I think it was great that you came here first as there were a lot of things to clarify from your introductory statement and also some very important misconceptions that indeed would have wasted time from the lead devs and also made you look unprepared.

                          Your enthusiasm shows, and that's one of the most important factors for longevity and sustainability of your project. Once you can present your mission, goals and requirements in a few sentences, that's when you want to head to the leaders. I wish you the best of luck, you seem to have good intentions and I would love to see more choices out there for security and privacy use cases, even if GOS is the best solution for myself.

                          Fascinating thread. As I read the latest posts and now respond via this lovely Keychron keyboard connected to my tablet, a thought comes to mind: you speak of reporting on events in a repressive location. Simple texting via Signal is fine for a sentence or two, but are you actually seeking to support reporters? If so I might offer an alternative path to consider, as it doesn't seem this is about profit but rather supporting the free flow of journalism globally.

                          Typing on this keyboard is much faster & less likely to destroy my thumbs than using a phone. If detailed & accurate reports are to be prepared, even a folding keyboard would be beneficial, and can be used with a $30 tablet with NO sim card. But how to transmit securely? I would personally suggest a digital handheld radio, with encryption performed using PGP on the tablet, and sent with a digital radio protocol. Here in the US it is ILLEGAL to send encrypted info on the amateur radio bands, but if one is sending data in a place where repression & torture are consequences of reporting, legality is not on the table. A report could be written at the leisure of the author, encrypted, and then sent from a time & place where a brief burst of RF emanates. Transmission concluded, the radio is shut down. The window of opportunity to locate & triangulate the signal is brief.

                          This scenario may not be useful BUT were I seeking to support journalists, this is how I would go about it. There is a little bit more of a learning curve, but in the present age I suspect this would be far less likely to be detected than monitoring cell signals. Given that a given Signal acct does have an identifier (a SIM, even if changed) and that anonymous SIM can be connected to a time/location of transmission. RF has no identifier, just the radio waves moving through the ether.