WhoTheFuckisAlice two Passwords with each 128 characters

Obviously you can do whatever you'd like with your phone, but it's not really necessary considering the secure element forces delays between password guesses if being brute forced. I've read project members say that a 6 digit PIN is enough. The only reason you'd be using such a long password is if you don't trust the secure element.

WhoTheFuckisAlice This little bug that nobody can solve but god mother google herself, who doesn't think it's important to solve the problem

what little bug?

    other8026 Obviously you can do whatever you'd like with your phone, but it's not really necessary considering the secure element forces delays between password guesses if being brute forced. I've read project members say that a 6 digit PIN is enough. The only reason you'd be using such a long password is if you don't trust the secure element.

    This password is not the key for the encryption of the user data partition in every profile?
    Why do I still assign passwords when you can solve this so elegantly... every electronic device should have such a secure element. God bless your security management !

    other8026 what little bug?

    https://discuss.grapheneos.org/d/5731-bug-fingerprint-unlock-disabled-after-profile-change
    https://github.com/GrapheneOS/os-issue-tracker/issues/1611

      WhoTheFuckisAlice This password is not the key for the encryption of the user data partition in every profile?

      You'll want to read this section of the website about how all that works: https://grapheneos.org/faq#encryption. Here's a relevant quote:

      Sensitive data is stored in user profiles. User profiles each have their own unique, randomly generated disk encryption key and their own unique key encryption key is used to encrypt it.

      And another:

      Using a secondary profile for regular usage allows you to make use of the device without decrypting the data in your regular usage profile. It also allows putting it at rest without rebooting the device. Even if you use the same passphrase for multiple profiles, each of those profiles still ends up with a unique key encryption key and a compromise of the OS while one of them is active won't leak the passphrase. The advantage to using separate passphrases is in case an attacker records you entering it.

      https://discuss.grapheneos.org/d/5731-bug-fingerprint-unlock-disabled-after-profile-change
      https://github.com/GrapheneOS/os-issue-tracker/issues/1611

      I didn't realize that this was still a problem that people were experiencing. I used to have this issue from time to time, but not anymore. I can understand that this is very annoying, especially when using really long passwords.

        other8026 I didn't realize that this was still a problem that people were experiencing. I used to have this issue from time to time, but not anymore. I can understand that this is very annoying, especially when using really long passwords.

        And I am a new user since android 14 btw,
        I did only all updates from android 13 to 14 with stock OS and then install GrapheneOS manual way. Since I use a second profile i had this problem.

        8 days later

        Hanma1963

        FYI: the App "Digitales Amt" (ID-Austria) and "eAusweise" are working now with GrapheneOS :)
        After installing and fireing up the app for the first time, you get a warning, and it'll ask you if you know what you are doing, but other than this, it works like a charm

          DaRon
          Can you pls confirm, is this with or without Google Play Services installed?
          And if with, which permissions...
          thx

            d4f2
            Yes, installed...
            Google Services Framework: network and phone
            Google Play Services: network, phone and nearby devices
            Google Play store: network

            akc3n
            i am glad to help, but do you think it makes sense to add this report to the "banking apps compatibility list", although this is not a banking app at all?
            "Digitales Amt" is issued from the government, which can be used as second factor for logging in to certain government websites, or as second factor to "electronically sign" documents and similar services
            "eAusweise" on the other hand will enable Austrians to have their IDs (drivers licence, personal id, Health insurance) with them on the smartphone.

              DaRon

              My apologies, I may have misunderstood and should have looked more closely. I was under the assumption that it would be related to these similar government ID apps that can be used for banking related access:

              https://github.com/PrivSec-dev/banking-apps-compat-report/issues/173

              https://github.com/PrivSec-dev/banking-apps-compat-report/issues/310

              I'll take a closer look in the next following days.

              Thank you

                DaRon
                Thx for the feedback!
                @akc3n
                +1 for adding to the list or maintaining a similar list, these eGoverment apps "identify yourself electrically", may well become sort of mandatory...

                  d4f2 @DaRon

                  Yes... on point with this:

                  EU-wide digital wallet: MEPs reach deal with Council

                  Parliament and Council negotiators reached a provisional agreement on Wednesday on the creation of a pan-European digital identity framework.

                  Key points:

                  • An EU wallet to authenticate and access public and private services, store, share and e-sign documents.
                  • A wallet to be used on a strictly voluntary basis.
                  • Privacy dashboard to give users full control over their data

                  Next Steps

                  The legislation will now have to be endorsed by both Parliament and Council before it becomes law. The Industry, Research and Energy Committee will hold a vote on the file on 28 November

                  Primary source

                  6 days later

                  Is there a list/resource where people contribute information about what apps seem to have issues? I see two banking apps listed off an earlier post in the PrivSec-dev github. I've got a Pixel 8 on the way and I wanted to start out with Graphene OS. I use apps that help me collaborate with others integrated with the Googleverse (Keep, Sheets), as well as home automation in connection with Google Wifi, and I am concerned what I'll be in for. I don't use Google Assistant from my phone, but I do set it up via the Home app for my.. home.

                  Maybe I'm overthinking this and the vast majority of things most users want to do will just work, meaning GOS doesn't need a big fancy database of app compatibility like Wine.

                  Thanks!

                    epistax Maybe I'm overthinking this and the vast majority of things most users want to do will just work

                    Sounds about right, I don't think you need to worry. You could search for the apps in question here on the forum and on matrix if you like, you may come across some reported experiences... or not, that could also indicate it just works.

                    12 days later

                    Android Sytem Intelligence and pixel launcher requires system level permission without which it does not work and it looks like GOS devs are reluctant to support that via GMSCompat which is sad.

                    Is this soley for banking apps or for apps in general complaining about the env? The Marriott app now complains about Magisk being detected and is solved by #3 above.

                    21 days later

                    Hanma1963

                    You can follow this guide (you'll need revanced manager), but on the newest version (3.0.3) they don't care anymore that your OS is modified.

                    Revanced Manager can also "fix" aome other apps.

                    akc3n 3.1 - Temporarily disable secure app spawning.

                    Setting ➔ Security ➔ Enable secure app spawning

                    3.2 - Restart device. Launch app to see if this GrapheneOS feature caused the compatibility issue. The app may be refusing to run if it detects a different spawning mechanism.

                    Significant security loss and directly affecting some privacy using Zygote
                    Disabling exec-based spawning reverts to using the traditional Zygote spawning model AOSP's app processes
                    Spawned as a clone of the Zygote
                    Each app process has the same random secrets for ASLR, SSP, memory tagging, pointer authentication, setjmp canaries, and heap randomization
                    Half of the userspace is made of app processes
                    Applies across all profiles
                    App in profile A and profile B have same random values, which they can see

                    3.3 - Revert to secure spawning by enabling it again and restart device.
                    See step 3.1 above.

                    I suspect I wouldn't be the first person to suggest this, and I also wouldn't be surprised if the devs have already rejected the idea, but does anyone know if there's any consideration of adding, in the future, Per-app Secure Spawning?

                    I imagine this would work by following the normal Secure Spawning process for most apps, but somehow caching whatever's the default (insecure) Zygote spawn process. Then if an app does misbehave, the user can disable Secure Spawning for that app only, in which case that app will use the cached insecure process. No idea if this would work in practice, but it would be a real nice compatibility feature. I currently have Secure Spawning disabled because a single app (that I can't live without) crashes when it's enabled. It's a waste, and a big security hole.

                    20 days later

                    2WsF I've been trying to reproduce this and so far am unable to in both owner and secondary profiles.

                    Do you use the default launcher? What is your OS version (Settings > About Phone > Build number)?

                    Is this consistently reproducible for you?