is my GOS compromised?

Rookie

Skyway i dont have any other GOS unf :(

Skyway

Rookie
https://attestation.app/tutorial#scheduled-remote-verification

Rookie

Skyway thank u, ill do it rn

yore

Rookie All you need is a second Android phone (doesn't have to be GrapheneOS) and a few QR codes will appear which you will scan from one phone to the other.

The first time you will see a yellow screen which shows the initial pairing. Doing the verification from then on will show a green screen if it is a good verification.

Note that this is best to do as soon as possible after install to ensure a good chain of trust. You should also know that the Auditor app is not foolproof. It is entirely possible that a profile is compromised due to a malicious app that did not cause any real tampering, causing Auditor to not detect the compromise. If this is the case, you can try to find the source of the compromise and remove it, or delete the profile if possible.

Skyway

yore yeah I forgot you can do it with any android .
Mine had always come back with a yellow screen , there was a thread about it awhile back

Rookie

Skyway

yore thank you, will try

Rookie

Skyway im already on atteststion website, what are recommended configurstions? verify interval, permitted delay until alerts

Skyway

I haven't set up remote , I'd say interval .

Rookie

Update: unf i dont have yet access to another device over android 10 untill 2morrow, but Remote Integrity Check with server was successful, it says passed, so whats next?

edit: should i be making factory reset of graphene? or reflashing OS?

spring-onion

If attestation passed the os itself is very likely fine. Most of the points you mentioned can have many, often harmless underlying causes, others are more alarming - your accounts' passwords being compromised in particular. Do you use a password manager? If not you are almost definitely recycling passwords that may have been exposed in past breaches, which is why your accounts are at risk now.

If you want that peace of mind a factory reset won't hurt, I don't know your setup so at the very least it gives you the opportunity to do some housekeeping.

Rookie

spring-onion well, i use KeepassDX, never same password, changing every now and then, but weirdest thing is i get password reset code but thing is i dont use my number as recovery or OTP on service i received password reset code from 😅😅 number is in account still but not as a recovery, only 2FA using one time codes, my choice is aegis

Skyway

Rookie that's a bit alarming...
Sounds like your phone was unlocked while password manager was also unlocked ?
There is a bug where if you don't deliberately lock your phone it won't auto lock sometimes.

Rookie

Skyway i dont think password manager is compromised, cuz if it is theres only workaround backup codes stored on it too, soooo nobody woudve missed

Rookie

phone is always locked, mostly if im away more than 30 min its on Lockdown mode with erased ram content (by restarting)
password manager is always locked with passphrase, even if phone is unlocked no way opening it without its key

[deleted]

id factory reset from recovery, and reinstall release to be sure.
Make sure you utilize multiple profiles to only have stuff installed where your data is that you trust completely. you can also lock your password manager, important photos and files on a profile you dont use very often, so it wont be unlockable even by bypassing the lockscreen, since the data wont be decrypted

[deleted]

also, the screen capture thing could have logged your password

Rookie

Guys a little update, Server side verifications are being successful, no issues detected so far, i also did a verification from another phone using auditor app, what should i be looking for specifically?
on pinned device it says "Pixel 7 Pro (unmodified official release) so thats it? im clear?

yore

Rookie From an OS perspective it looks good from the information you've given. My only real concern would be the login attempts but the phone itself is most likely OK.

If I were you, I would enable auto reboot and set it to 24 hours. This is good in case you lose your phone so that the adversary would not be able to get any real information. Also, rebooting every now and then is good since it takes advantage of verified boot as it will revert any malicious changes to the OS.