zlacker

[return to "Graphene OS: a security-enhanced Android build"]
1. throwa+Ou[view] [source] 2025-07-25 01:55:04
>>madars+(OP)
The main missing feature is password under duress that would open a different “user”. So even if you’re forced to give away your password they won’t get to the real account (some hidden profile or similar).

At least hidden profiles would be good enough for basic protection.

They have this which wipes your device, but you can get killed under duress. https://discuss.grapheneos.org/d/14722-using-duress-password...

◧◩
2. mbanan+Zv[view] [source] 2025-07-25 02:04:29
>>throwa+Ou
GrapheneOS community manager here. The problem with something like this is that it cannot be reasonably hidden when it would be exposed by someone using basic tools. Our Duress PIN/Password feature doesn't make any attempts to mask itself, precisely because we think doing that only gives people a false sense of security.

We think there's a good chance a motivated adversary is going to be familiar with GrapheneOS and its features, and the more mainstream it becomes, the more this can mean "your abusive significant other" rather than someone at the border.

The moment people know this feature exists, it can become dangerous even if you don't use it. You can be threatened to unlock, and even if you do, the adversary can choose to not believe you since they can think you're just hiding it. That puts you in a dangerous situation where they think you can provide something that's literally not there.

It's a very difficult problem to solve, and we don't think that proposal can solve it.

◧◩◪
3. YoumuC+lA[view] [source] 2025-07-25 02:36:39
>>mbanan+Zv
I hate to say this but I don't foresee Graphene being "mainstream". Most users will stick to the stock ROM. The most "mainstream" custom ROM Lineage is only installed on 0.04% of Android devices as of 2023 [1]. Even if Graphene appears in some mainstream news, I highly doubt any ordinary person can recognize it when they see one.

If the threat model is hiding from random people, I think a hidden profile works very well.

Now let's talk about motivated adversary as you put it. Hidden profile and wiping are not either-or, they can coexist. If one is really targeted by a motivated adversary, it should be apparent in most cases, and the targeted person can choose to enter the wiping PIN instead of the secondary profile PIN.

Now if one is targeted by a really motivated and threatening adversary, I don't think wiping PIN is any better than secondary profile PIN. The moment one chooses to wipe the phone, the adversary could be triggered by the action and harm the victim anyway.

[1] https://9to5google.com/2023/11/20/lineageos-number-of-device...

◧◩◪◨
4. bogwog+cX1[view] [source] 2025-07-25 15:24:52
>>YoumuC+lA
These are ridiculous scenarios to try and optimize for. A smartphone feature isn't going to save someone from an abusive spouse or a serial killer, and if it does, it'll be an exceptional situation.

There was a youtuber who got kidnapped in Haiti a while back, and his kidnappers demanded to search the photo gallery on his phone for something. So what he did was delete the pictures, but not empty the trash, hoping they wouldn't know about that feature. They didnt, and he got away with it. Did Apple envision a kidnapping scenario when they were designing that feature? Probably not. Is there a design lesson that can be taken from that situation? Also probably not, because it just as easily could have gone the other way.

[go to top]