  • Potential appearances of GrapheneOS in mobile forensic reports

To bring a little clarity here. Firstly, GrapheneOS servers are configured more securely than comparable providers. During the compilation process, the releases are signed with a key that only the developers have. Without this key, no manipulated operating system can be installed on the end devices. Every change in the source code is communicated publicly. The only damage that a server takeover could cause would be to cut off the user from the possibility of receiving updates, which could become a problem if certain critical security updates are released that close RCEs, for example. The phones would be unprotected against publicly known security vulnerabilities as long as they do not have the latest security updates. For this very reason, GrapheneOS places so much emphasis on getting the security bulletins out as quickly as possible each month.

Regardless of this, a targeted hack would be necessary. It would have to be able to bypass several security mechanisms and it would be very difficult to make this hack persistent. See verified boot.

This is why we only recommend GrapheneOS as the basis for Molly. There is nothing comparable. It would be downright negligent to recommend anything else.

21 days later

What do you mean by having GOS as the "basis" of Molly? Do you mean y'all will only recommend properly configured Molly installed on a properly configured GOS for maximum attainable security/privacy?

(By Molly I am assuming you're talking about that hardened fork of Signal, right?)

    GlytchMeister GOS recommends Molly due to the large attack surface of the Signal and WhatsApp apps. Messages are E2EE, but it would seem that the apps are very vulnerable. I can no longer find the source on Mastodon, but I have read it.

    In addition, Accrescent, which contains the fully FOSS version of Molly, will soon be available in "Apps" to create a chain of trust.

    Oh, I didn't know Accrescent was mature enough for implementation within GOS; their GitHub says it's still in early alpha. I've been avoiding Accrescent because of that. If it's mature enough for GOS's dev team, I guess it's mature enough for me?

      4 months later

      NEW CASE
      https://gofile.io/d/Z4TgCI (The language is Swedish, but there are some pictures for the curious folks)
      Check "Södertörns TR B 5471-24 Aktbil 60, Protokollbilaga Sekretess.pdf" it contains mostly forensic stuff from the phones.

      Between 2023-04-09 and 2023-04-13 - Mr. Y Ishak (Napoleon on Signal) with associates tried to kill a guy; it was all planned in a Signal group chat.

      Long story short;
      On 2023-04-13 police stopped a vehicle with Mr Ish*k in it. He was wanted, and police found 2 phones on him: a Pixel 6a in his hand and an iPhone hidden in his underwear. The Pixel did not have any SIM card in it; the iPhone did.
      Police did not manage to extract any information from the Pixel BUT 9 months later (2024-01-30) somehow they did get hold of Signal messages, pictures and more..

      I'm kinda curious how? In the documents it shows that the accused had been sharing internet from his iPhone to the Pixel and had been connected to wifi. What was the weak point? Signal? His hotspot through the iPhone or maybe the router at home?

        Tekpro hasn't existed since 2017?! The name of the company was Tekpro and is now "Envista Forensics" as far as I know. This company is popular in Sweden, Denmark and the Netherlands .....

        quepasabebe Signal? His hotspot through the iPhone or maybe the router at home?

        How would any of these possibly be a weak link? I don't get it.

        Most likely he had a weak security code or he gave it to them, or he had another phone.

          wuseman Most likely he had a weak security code or he gave it to them

          That's my first thought.

          dc32f0cfe84def651e0e

          Does this mean GOS is illegal in SE??

          The Google Pixel phone is very heavily encrypted and there is no legal use for such a phone. Based on this, the Google Pixel phone should be considered a criminal tool.

            Clark
            Nope. That's written by a police officer of some sort, not by a judge or any legal entity. Presumably the meaning is "it was used to commit a crime" rather than "owning it is a crime"

            • [deleted]

            The disk encryption on a stock Pixel and on one with GrapheneOS is implemented in the same way. Should we then sum it up by saying that whoever uses a Google Pixel phone is a potential criminal? I don't think so.

            quepasabebe I'm kinda curious how? In the documents it shows that the accused had been sharing internet from his iPhone to the Pixel and had been connected to wifi. What was the weak point? Signal? His hotspot through the iPhone or maybe the router at home?

            User error.

            All of those things wouldn't ever be a factor in device compromise. They can't read Signal messages; that's kind of why they need to extract the phone in the first place. Hotspot / WiFi access point history is also a common forensic source; you can access them on both devices easily.

            The document openly claims it can't get into a Google phone in normal circumstances:

            "Det hittades även en till Googletelefon inne i själva bilen (punkt 3) men denna har i skrivande stund juni 2024 inte gått att extrahera eller knyta till brukare."

            MACHINE TRANSLATION: Another Google phone was also found inside the car itself (point 3), but this has not worked at the time of writing in June 2024 to extract or link to users.

            This conclusion matches the expected outcome of our Cellebrite document sources exactly.

            The document claims they got into it 'manually', and the pictures show them taking a camera to the phone's screen instead of screen recording. Worth noting that screen / display capture for unlocked devices is a standard Cellebrite feature, but they didn't do it. Weird that they didn't if they had the option. I guess it's practice over in Sweden.

            IT-forensiker har gått in i telefonen manuellt och fotograferat användarens eget alias

            MACHINE TRANSLATION: IT forensics have entered the phone manually and photographed the user's own alias

            If it was done manually they evidently had knowledge of the credential or they were given consent. Targeting of other people involved, CCTV, forensics of fingerprints on the display, sharing the PIN with the iPhone: tons of potential factors would have led up to his failure.

            Quite frankly I personally don't care about the heaps of trouble that scumbag gang bangers and drug dealers get into. They deserve prison and I am happy they've been arrested. I'm only making this response to debunk before people get concerned about it. If they were talking about all their acts on the iPhones they had, by the looks of it, then clearly they're not the brightest and GrapheneOS wouldn't protect them, and hopefully it stays that way. There's tons of factors that would have brought this person down even without the phone's data, I'm sure.

            Clark Does this mean GOS is illegal in SE??

            No. The quote says Google Pixel phones, not GOS. Google Pixels are actively sold in Sweden by reputable major resellers as well as Google themselves, and are marketed towards regular users.

            • [deleted]

            Can't say I have read every word of this post nor anything of the Swedish reports.
            What jumps out at me is, Graphene is not the problem; as ever, the weakest link is the average Joe using the phone making the assumption it turns them into something akin to an untraceable super villain.
            Snatched whilst unlocked, jeez, there's an app for that scenario.
            Is Graphene illegal? No, what matters is intent. I have a car, cars kill people, does that make cars illegal? No, intent is what counts. These people stopped are not random; they are on someone's radar already. A heavily encrypted device on them is something to be expected; an unlocked one is manna from heaven!

              [deleted]

              It seems like Android 15 will have a feature which is called 'Theft Detection Lock'.

              Automatic AI-powered screen lock for when your phone is snatched. Theft Detection Lock is a powerful new feature that uses Google AI to sense if someone snatches your phone from your hand and tries to run, bike or drive away. If a common motion associated with theft is detected, your phone screen quickly locks – which helps keep thieves from easily accessing your data.

              Source: https://blog.google/products/android/android-theft-protection/

              Does anybody know if this feature will be available on AOSP, and consequently in Graphene?