An approach to device configuration (feedback wanted)

A GrapheneOS device can be utilized in a large variety of ways. An important part of this is the basic configuration, which should act as a solid foundation for secure and private usage. Yet, choosing the best option for yourself can be challenging, especially for new users.

In this post, I will show you an approach to this, explain the reasoning behind it and guide you through some parts of the setup.

I might use this as the foundation for a guide in a future project of mine, so your thoughts on the content as well as the style of the text are hugely appreciated.

Goals & Priorities

When deciding on device configuration, it makes sense to set specific goals and ideally work out a threat model beforehand. This helps by giving us a clear focus and prioritization, which we can then make decisions upon. I'll keep this very short here for the sake of brevity and universality, but keep in mind that your requirements might differ. That said, the approach we'll follow won't be a downright catastrophe in most cases; it just might not be optimal.

Our goal will be to choose a setup for our device that provides a good base for further usage. We want to be able to protect all data on the device and prevent threat actors from linking any info they get to our personal identity. When in question, we're going to prioritize security over privacy.

The setup should work well with compartmentalization and using different user profiles for different activities. It should be flexible to allow for profiles adapted to their purpose, while minimizing the chance that a compromised profile can be used to compromise the whole device. There should be a secure way of installing apps, reliably offering timely updates. Which apps we install and the actual usage of them are outside our scope.

Google Play Services

There are many valid approaches that don't require Google Play Services at all. At first glance, they might seem fundamentally preferable, as even with the sandboxing from GrapheneOS, Google is still an additional, in many ways malicious, party. All else being equal, avoiding Google would be preferable. In practice, there are clear benefits, like improved push message functionality, FIDO2 support, and access to the Google Play Store.

For our scope, the last one is especially important: currently, the Play Store provides superior security to F-Droid, better reliability than Aurora Store or Obtainium, and much greater app variety than Accrescent. It is also one of the simplest and certainly the most beginner-friendly option. Its biggest drawback is easily the privacy threat, especially because a Google account is required to use it.

Here, we will go with installing Sandboxed Google Play and using the Play Store as our method to download and update apps. The reasons for this are its security benefits and usability advantages, which trump the privacy concerns in accordance with the goals we set in the beginning.

Mitigating the Privacy Threat

The decision in favor of the Play Store might be in line with our goals, but the concessions in privacy we are forced to make might still leave some feeling unsatisfied. Google is a considerable threat to privacy, especially in the realms of linkability, identifiability and non-repudiation. However, we are far from powerless and will not simply accept defeat without a fight.

Google can be assumed to collect as much info as it can, but through its sandboxed implementation, its access is limited. The GrapheneOS Usage Guide summarizes it well:

Since the Google Play apps are simply regular apps on GrapheneOS, you install them within a specific user or work profile and they're only available within that profile. Only apps within the same profile can use it and they need to explicitly choose to use it. It works the same way as any other app and has no special capabilities. As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions. Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play.

This enables us to block Google from accessing most data it would be able to collect on another OS. We are going to use Google only where necessary, namely the Play Store, and restrict its permissions as much as possible without breaking the functionality we require. We will also be using a trusted VPN or Orbot with a killswitch in all user profiles with Sandboxed Google Play installed, to prevent being identified because of our IP address.

Something we can't shield from Google in this setup is data about which apps we have installed. As a highly unique identifier, this can allow Google to fingerprint and identify us. Our counter against this is splitting our usage into multiple user profiles. Google isn't able to link multiple instances of Play Services from different user profiles on a device, and will thus only ever know part of all the apps we use. This isn't perfect, but if enough activities are split off to specific user profiles, app-fingerprinting should become much less of a threat, if not impossible.

Anonymous Google accounts

To prevent Google from linking data from different places to reveal our identity, any Google account should exclusively be used for one purpose. This means that for every user profile from which we want to download apps, we are going to use a new Google account. It should be created inside the profile in which it is then used. If the linked user profile is deleted, the account should not be reused and can be deleted as well.

All of this is of limited worth if we hand Google our identity on a silver plate during account creation. Luckily, we can avoid doing so.

To begin, we will install a trusted VPN or Orbot either through the owner profile, or by downloading and installing the .apk file directly through Vanadium. It's important to make sure the download is coming from the official website or GitHub page. After it is done, the permission to install apps can be removed from Vanadium again, and the VPN should be connected with killswitch enabled. It is crucial that the killswitch remain active at all times that an internet connection is possible to continually mask our real IP.

Now, Google Play Services can be installed through the official GrapheneOS app repository. After it is finished, we can open the Play Store and create a new Google account. It is likely that SMS verification will be required. While some have found success by connecting to a VPN server from certain regions that might give you an option to skip it, this method doesn't work reliably. If you can't skip SMS verification, the easiest option will likely be to use a burner phone number. I successfully tested this with JuicySMS, but you can also pick a different service; KYCnot.me provides a good overview. For any other inputs that can't be skipped, use fake but realistic info.

The actual configuration

We have decided on the Play Store to download apps, and we know how to minimize Google's privacy invasiveness by using Sandboxed Google Play and anonymous Google accounts. Now we just need to put all of this into a specific configuration.

Most importantly, almost all usage should take place in different user profiles, each with a specific purpose. Permission to run in the background and access to phone & SMS should be given out restrictively. The owner profile should only be used for administrative purposes.

Play Services should at least be installed in the owner profile, as this enables the option to install apps from the owner directly into a user profile. If all apps inside a user profile are installed this way, this means that the permission to install apps can be withdrawn for that profile, and that Play Services aren't needed there. Meanwhile in the owner profile, unused apps can be disabled without impeding updates or functionality inside other profiles. This can benefit security, privacy and usability, if still used sparingly to avoid fingerprinting the owner profile through the apps.

Final Thoughts

I hope you found this helpful or interesting! As I touched on in the beginning, this is V1 of something I might use in a future project of mine, addressed mostly towards beginners. Apart from general feedback and your thoughts surrounding the contents of the post, I'd like your opinion on a specific consideration:

In the last paragraph, I touched on the idea of using the owner profile for downloading & updating apps to then distribute them into user profiles. In principle, I find this to be quite elegant, but the more it is done, the higher the risk of fingerprinting being used as a unique identifier. At a certain point, it seems to become a question of weighing the added security of having user profiles without the permission to install non-first-party-apps against the lost privacy from a more unique fingerprint. What's better depends on individual priorities, but I struggle to really assign a "value" to both of them, especially how big of a security improvement this enables. So, please share your evaluation of this if you have a more profound understanding of the factors!

Again, thank you all <3


    This is an amazing introduction and I can see that you put a lot of thought into this, thank you! I would do and recommend the same, except for very minor differences.

    iustitia While some have found success by connecting to a VPN server from certain regions that might give you an option to skip it, this method doesn't work reliably

    Many suggest setting up Sandboxed Play Services without a VPN, but on a public hotspot (ideally very public and far away from your home location). This will save the cost of a one-time verification number and also not link a unique identifier (phone number) to your account, even if you paid for it with crypto. Are there any security concerns in your opinion, or is this approach worth mentioning next to the VPN route? Also, I'd say that after logging in to Google for the first time it's good to set up 2FA via U2F or OTP to avoid Google asking for a phone number down the road.

    iustitia If all apps inside a user profile are installed this way, this means that the permission to install apps can be withdrawn for that profile, and that Play Services aren't needed there.

    Probably good to mention that not all apps will work if there are no Play Services present in their profile. Also (maybe further above, where you select the Play Store as the APK source), people might want to have a complementary source for apps such as Neo Store (great for auto-updating from the F-Droid and Izzy repositories). Molly-FOSS or IVPN come to mind, which have a different feature set compared to their Play Store equivalents, or LibreTube/NewPipe or InnerTune, which are not available on the Play Store at all.

    I think these ideas won't complicate the manual by much and still fit the threat model, but provide for more use cases (such as "not able to pay crypto for SMS numbers" or "requiring app x which is not available on the Play Store").

    Regarding your last question: Since it's a beginner's guide, maybe skip the profiles section entirely to make it easier for new users to find their way around. They can still set up a more secure environment down the road once basics are learned. There are more disadvantages to profiles such as requiring the same app versions, not having all settings available, needing a VPN setup for each profile (which counts as a new device in your VPN subscription) etc.

    Thanks again for your effort, I'll point people in my peer groups to this thread in the future for introduction.

      N1b Thank you ^^

      N1b set up Sandboxed Play Services without a VPN, but on a public hotspot (ideally very public and far away from your home location)

      Depending on just how far away you're willing to go, this might even be the best option. If you do the setup from a non-VPN or Tor IP address from another country, Google might be misled somewhat. But realistically, people are probably not going to travel that far for this, remaining within their home country or region. Doing so from a public Wi-Fi in a different city will certainly reduce the threat to linkability and identifiability, but might still be of value to Google if combined with other identifiers. I think it's hard to impossible to know for sure at which point Google has enough info about you to deanonymize you, so if it can be avoided, I'd always try not to give any meaningful information at all.

      I think I'll leave this out of the guide, but I will definitely keep it in mind. For example, if someone is in a far away location anyway, this might become way more realistic.

      Another possible identifier I need to do some research on is device language and keyboard layout. For example, would Google be able to use Italian language settings to identify a user as such? It might make sense to set the device language to US and leave as many settings (like time format) as possible unchanged after initial setup to avoid a more unique fingerprint. I'll need to do some more research about how big of a factor this can be and whether it can be mitigated in a more user-friendly way, like setting the app language for all Google apps specifically to US or the region you pretend you're from.

      N1b Also, I'd say that after logging in to Google for the first time it's good to set up 2FA via U2F or OTP to avoid Google asking for a phone number down the road.

      Yeah, that makes sense. I'll probably include it, together with adding a recovery email created anonymously or through an email alias service like SimpleLogin.

      N1b Probably good to mention that not all apps will work if there are no Play Services present in their profile.

      True. I think I'll add that Play Services or a Google account might still be needed inside the user profile for some apps to work. You can start without both and add them if needed.

      N1b complementary source for apps

      I absolutely understand the need for this. I think in the main guide I'll focus on the Play Store, but link a separate article about using alternatives for those interested. Thus, I can keep it simple in this guide, but still go into more detail about where to get your apps from somewhere else (once I have the time).

      F-Droid, Aurora Store, Obtainium and Accrescent don't come with the threat of fingerprinting based on the installed apps, so I think for them the best option would be to install them only in the owner profile. They don't need to be granted any permissions (including Network) and can be immediately disabled after install. From there they can be distributed to the user profiles they're needed in.

      However, using any of these other options in tandem with Play Services might reintroduce the risk of fingerprinting. I'll need to do more research about whether Google has access to permissionless, disabled apps installed from other sources. I suspect it's mainly a question of whether disabled apps can in any way be accessed through IPC. If so, it might make sense to pick either Play Services or one/multiple alternatives as the main way to download apps. Your main app source can then be used in the owner profile, while the other source(s) are used inside user profiles if required.

      N1b not able to pay crypto for SMS numbers

      Yeah, this is probably the least accessible part of this setup. I'll need to do some research on how big of a threat using your normal bank account for this is. If it's a problem and there aren't any great mitigation strategies, I'll consider moving away from this.

      N1b Regarding your last question: Since it's a beginner's guide, maybe skip the profiles section entirely to make it easier for new users to find their way around. They can still set up a more secure environment down the road once basics are learned.

      This is certainly valid, but doesn't fit the philosophy and target audience I intend for the guide as part of my larger project (which you couldn't know, of course). Basically, I plan to create a general guide concerned with digital security and privacy for a specific threat model, targeted at activists and activist groups in specific regions, that is accessible to people who know very little about the topic. I want to allow for both simplicity and focus, but also variety and detail, by a combination of linking other relevant articles and including numerous optional sections that can be expanded if needed. For example, this article would include the option to expand a complete step-by-step guide for anonymous Google account creation.

      By handholding the reader if they want me to, I hope to be able to recommend even more complicated options. My general philosophy for this is ideally recommending a single, simple solution, with simplicity during day-to-day usage being way more important than simplicity during the initial setup. Modifications to this by users with different requirements, priorities, or another threat model are of course always possible. I'll highlight other valid approaches where relevant, and maybe even provide additional articles about them as a solid base.

      For this reason, I'd love to be able to recommend downloading all apps through the owner profile, but I'm uncertain if I can. The approach is simple, flexible, and very secure. Only one Google account is required, and anything further can be added only when needed. The problem here is fingerprinting through the installed apps, which I haven't yet found a satisfactory mitigation strategy for. I'm not sure yet which I'll go with in the end, as neither the guide nor the target threat model is finished yet, and I still have more testing and research to do.

      N1b Thanks again for your effort, I'll point people in my peer groups to this thread in the future for introduction.

      That's maybe the best compliment I can get. It also gives me motivation for my project because the finished product should hopefully be leagues above this text I spontaneously typed yesterday while being very exhausted :D


        iustitia I think I'll add that Play Services or a Google account might still be needed inside the user profile for some apps to work. You can start without both and add them if needed.

        If I'm not mistaken, most apps that require Play Services (or benefit from them) need them present upon installation, otherwise they won't work. So maybe a good setup is to have a "test without Play Services" profile to check them out and, depending on your needs, push them to the actual PS or non-PS profiles.

        iustitia F-Droid, Aurora Store, Obtainium and Accrescent don't come with the threat of fingerprinting based on the installed apps, so I think for them the best option would be to install them only in the owner profile. They don't need to be granted any permissions (including Network) and can be immediately disabled after install. From there they can be distributed to the user profiles they're needed in.

        I have seen the suggestion on this forum to just use the owner profile entirely for app installation and updates (all app stores are only on the owner profile, but with network permission). This might be a simpler and better setup for your target audience, and maybe that's what you mentioned in your second-to-last section, but I'm not sure, so I'll suggest it here. The advantage is that all your readers need to do now is a good update routine on the owner profile, which could be coupled with a good OS reboot routine, where they have to log in to the owner anyway. The owner profile can be better fingerprinted, but the people wouldn't be identified since they don't actually use the apps there. Also, the user profiles stay cleaner since they don't require their own app stores and update routines, which makes each profile less exposed to fingerprinting, and that would be more important in my book.

        iustitia targeted at activists and activist groups in specific regions, that is accessible to people who know very little about the topic.

        For these people it's important to be aware of much more than their smartphone OS, but it's of course a good start. I recommend you have a good look at this video from The Hated One and include the information in your guide or require your readers to watch it too. Education is power and they need to know at least the basics. Having the best phone but then being recognized by face scans, tattoos, walking patterns or other identifiers would still lead to bad outcomes.

        These are all suggestions and probably nitpicks, so I want to end this post by telling you I'm very grateful for your work and only intend to help you achieve your goals. Please keep your excitement going and keep creating something here, it will surely be of value to others!

          N1b

          N1b If I'm not mistaken, most apps that require Play Services (or benefit from them) need them present upon installation, otherwise they won't work.

          That's an important detail to avoid confusing beginners. Maybe it makes sense to test this for a few basic apps (Tor Browser, Orbot, Signal, etc.) to give users an idea beforehand.

          N1b use the owner profile entirely for app installation and updates

          Congratulations, you found my exact setup! :) I think it's quite elegant and very well suited for beginners without compromising on security. Combined with auto-reboot, which imo is essential for activists anyway, I have high hopes that even new users will be able to follow an update routine somewhat reliably.

          My main concern is indeed the potential for fingerprinting leading to linkability, non-repudiation and identifiability risks from Google. The likelihood and severity of this is doubtful, but I want to at least fully explore it and make sure there really are no ways around this.

          N1b For these people it's important to be aware of much more than their smartphone OS, but it's of course a good start.

          I fully agree. In the beginning I'm forced to focus on the essentials because my resources in both time and money are very limited, and meeting a very high-quality standard in one way or another consumes lots of both. However, I'll try to ensure organic growth is possible from there on, so I can slowly increase the scope while keeping all existing content up to date.

          And nice recommendation, I'll definitely include many links to relevant sources, and THO will surely come up regularly. Love his content!

          N1b These are all suggestions and probably nitpicks

          Don't worry about that! I believe anyone putting out advice on security and privacy in general, and especially advice targeted towards vulnerable groups like activists, has a responsibility to ensure it's of high quality. Now maybe I'm just an anon user posting in some forum, but once I do put out these guides, the personal safety of my potential readers will depend in part on me being correct and not misleading anyone, even accidentally. I do have my methods for this, but external critique or suggestions are invaluable and always appreciated, nitpicks included.

          Thank you a lot for your kind words. Hearing this occasionally really helps <3


          I really like your idea and your post is great.

          Personally I would use a separate Google Account per profile.

          But what about apps which aren't available on the Google Play Store, like

          • NewPipe (YouTube alternative - without login)
          • Squawker (Twitter Client - without login)
          • Stealth (Reddit Client - without login)
          • Xtra (Twitch Client - without login)

          I don't think there are any alternatives on the Play Store.

            LegroomPolicy

            If the user desires to install apps from sources besides the Play Store, it would probably be best to do so inside the owner profile. The apps should not be granted the network permission during install, and can then be disabled and installed into the user profiles they're going to be used in.

            Without going into detail, my opinion for which source should be used is Accrescent, otherwise Obtainium, otherwise F-Droid Basic. Aurora Store isn't reliable in my experience and doesn't provide a clear benefit over the Play Store in this setup. Obtainium should also only be used if updating the specific app works reliably, which might not always work with all sources.

            One addition: once you have created your Google account using a burner phone number, secure the account with TOTP (e.g. Aegis app) and then delete the phone number from the Google account. That way Google (hopefully) won't lock you out of your account if you don't have access to the phone number.

            Even if you have managed to create a Google account without a phone number, you should add TOTP security to the account, because apparently Google will otherwise sooner or later lock you out of your account until you provide them with any random but working phone number for "security" reasons (ridiculous, I know). Note: you can only add TOTP after you have either given Google a phone number or logged in to a Google account on an Android or iOS device. Logging in to the sandboxed Play Store with VPN/Orbot should be enough. But if you, for example, create a Google account without a phone number in a web browser (I managed to do this once by saying I'm creating a "work account"), then you cannot add TOTP until you give them your number.

            It's quite clear they don't want you to have an anonymous account, although some loopholes remain.