Phone examination and plausible deniability

Most anti-forensic mechanisms like these are redundant since GrapheneOS cannot be extracted by the tools by you just refusing to co-operate. Although while your phone is seized that also means your phone isn't being updated, which can open up security issues in the future.

riskingpilot99 Would this be something you could see in grapheneOS bundle with dummy password idea?

A dummy password is the most effective method but it is only best in certain scenarios, just as long as they don't know it is possible for this functionality to be there.

riskingpilot99 I read on the website that these types of features would not be included as if it was a feature of gOS then the OS would become known for it.

The reason GrapheneOS is against combatting Cellebrite with exploits or detection mechanisms is because they can easily be averted, and applications like Lockup are only effective when they aren't known by forensic investigators. If GrapheneOS was known to have anti-forensic mechanisms then investigators would simply just never plug the device in. Cellebrite sell a mounted camera to record the device's screen so the investigator can browse the phone manually where automated tools cant work. If GrapheneOS became known for having this then they would ALWAYS use the camera, essentially missing the whole purpose of the exploits/apps and making them useless.

Cellebrite also patch security issues or anti-forensic scenarios, the RCE by Signal was patched and the LockUp application is not fully capable, the original author of LockUp also cooperated and gave responsible disclosure to Cellebrite for UFED security issues. It's very likely they know about LockUp already.

https://cellebrite.com/wp-content/uploads/2020/03/ReleaseNotes_UFED_7.30_A4.pdf (Page 3 - Web archive doesn't work, also blocks VPNs)
https://korelogic.com/Resources/Advisories/KL-001-2020-001.txt

I also did some of my own looking up about the original blog post referenced in the app and saw that the Cellebrite UFED they performed this exploit on is quite old, even for the blog release date. UFED devices don't run Windows XP rather Windows 10, and the UI is also very old. I assumed correct that the exploitation of the UFED was already fixed in a newer version:

https://korelogic.com/Resources/Advisories/KL-001-2020-002.txt

Cellebrite could very likely patch or change behaviours of the UFED to overcome the app if this was a problem. If there is a likely chance it still works then all it would need is to ruin one case and they'd change it to overcome it.

riskingpilot99 But 'lockup' app for example has plausible deniability that also has the ability to mitigate any data extraction attempts, meaning it not possible to extract data even with password of phone. It stop the extraction of data because it can be detect by the app, are there any other apps that do this?

Some other apps like Wasted can perform a factory reset when connected to any USB device, although they aren't really directly targeted toward forensic toolkits since they will reset on any USB device being plugged in. This can be better than LockUp in some ways but is also extremely risky.

I wouldn't really consider LockUp plausibly deniable, when these apps perform the factory reset the Android OS says a factory reset is about to occur. Yes you hide what is incriminating, however they would have evidence the deivce had a killswitch and they'd try and use that against you. Plausibly deniable systems are meant to deny knowledge of anything incriminating. Depending on the country they could just get you for tampering.

final

Rats!

Oh well, it was funny while it lasted.

Blastoidea GrapheneOS is still resistant to forensics, which is the important part. Unless you had your PINs known or caught on camera then you're fine. The camera scenario is something a duress password wouldn't fix, and neither is getting your device seized, becoming more insecure over time...

Blastoidea every US Citizen just collectively sighed a breath of content.... begrudgingly

final
Wait. What about a feature that erases all secondary profiles? No phone reset, no warning, no nothing. And the phone is still working, so it should help with plausible deniability, no?

This is the relevent issue that seems to be the best solution to the duress / panic pin / plausible deniability problem.

https://github.com/x13a/Wasted/issues/37

This should be combined with regular backup solution like seedvault that is implemented in gos.

You can stack that with something like syncthing for intenet / cross platform sync.

final Erasing your secondary profile or even a possible amnestic profile feature would be deniable.

I would really like a duress PIN on the owner profile that would silently delete specified secondary user profiles. That, and maybe delete specified apps and directories too.

Graphite the duress pin/password would ideally be universal, ie, accessible in every profile. No sense switching profiles, logging in and then handling someone a phone with only one profile.

Graphite not sure we're saying the same thing or not.

My proposal is as follows: say the user has the owner profile with some very basic stuff, profile 2 which is your day to day profile, profile 3 with play services and maybe profile 4 with some extra sensitive stuff for people who need it (PS: I was thinking journalists, etc, but in my country it might just be banking apps)

In case of duress, that user wants to delete either profiles 2, 3 and 4 or just profile 4.

But, unless it's a predicable situation (like traveling to a country with known intrusive border control), users are more likely to be logged to profile 2 when the need arises. But maybe to profiles 3 or 4 as well.

So the duress PIN would have to be triggered from whatever profile the user was previously logged, erase the selected profiles (which might include the one currently selected) and then go back to the owner profile, hopefully without the "switching to profile X" message.

Hb1hf

To keep the thread alive... your idea is also what I would consider the most secure way to implement "plausible deniability"

To hand over a completely empty and wiped phone to anyone who lawfully or un-lawfully demands your credentials will just pizz them off and land you (or any other user) in hot water (either because it's considered "destruction of evidence" - or because the bad guys realize what you just did...)

unlocking the phone to land in a dummy-profile while in the background the real profiles (2, 3 and 4) get wiped solves the issue. Plus in most scenarios it will buy the user in a pinch enough time to complete the background wipe before anyone realizes what may or may not have happened... and at that point there is no trace of it left... hence "plausible deniability"

Further you could set up two potential profiles for spicy situations... one for a theft scenario where the phone starts sending distress signals in the background, and one for anything like border controls etc with no background signal.

If anyone is aware of such a solution since this post was last active, the input would be much appreciated.

Explorer666

Have spent a long time playing around with the general concept of 'plausible deniability' - going back almost 3 decades (as in over many platforms and scenario's)..

The sort of blunt reality is;
"if you over specialise, you breed in weakness"

There are just a huge number of variables at play, all depending on countless other factors..

The only effective "real world" application, is for people to essentially design their own based around the level that is required for whatever reason they need it (or don't)..

Only in that scenario does a person know their local laws, how they would be treated, eg 'civilised', or not..

I saw above comments about living in the US..
The US is not 'civilised' with its laws and potential treatment/handling of 'suspects' or 'accused'.

Security through obscurity is also completely essential when you are dealing with adversaries in any scenario from potential 'financial gain seekers' (don't want to write the actual word), or if it's from people employed by the state.

Only you know what and why you are hiding something (or not) and the potential implications specific to your situation.

Not meaning any of this in a rude way either, I apologise if it comes across like that.

There is very often something lost between what a lot of people think is possible or not, to actual real life situations and what will in fact happen.

In a perfect scenario, anything is possible and seems plausible..

It's not a perfect world however, that's exactly what keeps it interesting/fun to keep learning though :)

intron

No offense taken at all. 😉
So on top of everything else, you suggest that I should learn coding now? lol....
oh well, guess if you want something done right, you gotta do it yourself after all... 🙄

hoped that anyone would have picked it up ever since "DueProcess"
https://android.ins.jku.at/plausible-deniability/

but seems not much progress was made in the meantime... that's a bummer somehow....

Explorer666

Didn't mean that exactly lol.

There is a lot more to it than coding or any single aspect..
Maybe a better way to try explain this;

View everything as 'tools' - some need certain ones, others don't.

GOS is a tool along with many, many other things in this context, be it a phone's OS, other software eg apps, the hardware itself, are also all tools, even 'law' is a tool.

Along with ones that have nothing to do with a phone, or even privacy or security -

Creating your own implementation to the degree you require in the real world, would inherently go far beyond a single device such as a phone in this specific context..

It also means when you view everything as a 'tool' - you can possibly utilise ones completely unrelated and not even designed for this purpose in your implementation..

Everyone also knows the golden rule "Nothing is secure"..

One that I've always attributed equally with that, is;
"You cant secure something unless you know how to break it"

Eg; If you want something that will work for your situation, you have to learn how each tool works to an extent and how you want to utilise them, if that makes sense?

I've never actually tried to put this in words for anyone else before, my apologies if it isn't phrased very well lol.

Knowledge and understanding are only gained through learning, and practice - people tend to dedicate as much as required in the context of what their goal or interest is :)