
Posted by SoKamil 2 days ago

GrapheneOS and forensic extraction of data (2024) (discuss.grapheneos.org)
312 points | 195 comments | page 2
jcul 1 day ago|
As mentioned in the link, Graphene has a lot of additional security features. It can auto reboot after X hours without being unlocked. You can lock down the USB port to be charge only, or even completely disabled so that the only way to charge is with the device powered off.
Crontab 2 days ago||
I am probably the only one but the geek in me would love to see an article where digital forensics are used against the most common operating systems in their most secure configuration - just to see how they compare with one another.
jijijijij 2 days ago||
> most common operating systems in their most secure configuration

Air-gapped and turned off?

bflesch 2 days ago||
All is well
megaloblasto 2 days ago||
I've always found it strange that GrapheneOS only runs on Google hardware. Can anyone explain this choice?
sandreas 2 days ago||
AFAIK the Pixel devices are the only ones that reliably allow bootloader unlocking / re-locking, which is required to perform custom OS installs.

There are others, e.g. Motorola ones or Fairphone, that also allow this, but it's a good idea to focus on a specific set of devices keeping maintenance as low as possible and security focus as high as possible.

There are alternatives like /eOS/ or CalyxOS supporting more devices and I experienced exactly this "no longer supported" issue with my Xiaomi A2, which suddenly disappeared from the list of supported devices (see https://calyxos.org/news/2021/03/29/mi-a2-ten-firmware/).

strcat 23 hours ago||
Pixels are the most secure Android devices and the only ones meeting the hardware security requirements for GrapheneOS at this time. GrapheneOS is working with a major Android OEM towards their future devices meeting these requirements.

Neither /e/ nor CalyxOS is a hardened OS. They provide much weaker protection against these attacks than the stock Pixel OS or especially an iPhone. They're weakening privacy and security substantially including lagging many months and even years behind on standard security patches. CalyxOS has not shipped the June 2025-06-05 patch level or later. /e/ is regularly many months behind on OS and browser security patches along with very often being a year or more behind on kernel updates and firmware/driver updates.

See https://discuss.grapheneos.org/d/24134-devices-lacking-stand... with in-depth information about /e/ on Fairphone devices with links to multiple articles from third party security researchers covering it and other information.

Those non-Pixel devices do not provide a secure base either.

AlgebraFox 2 days ago|||
They've clearly explained here. I'm not sure how many people would keep asking the same question without even doing a simple web search.

https://grapheneos.org/faq#future-devices

tcfhgj 2 days ago|||
not sure if it is an explanation or a justification
raziel2p 2 days ago||
what's the difference?
megaloblasto 2 days ago|||
Someone clearly replied with the same link. I'm not sure how many people would keep replying the same thing without even doing a simple thread search.
garciansmith 2 days ago||
They posted within a minute of each other, so likely did not see the response and were typing theirs as the other got posted.
other8026 2 days ago|||
Pixels are the only devices that are out right now that meet the project's requirements. The project is in talks with a major OEM to have some of their devices meet GrapheneOS's requirements and have official support for GrapheneOS. Assuming all continues to go well, the project has said they expect those devices to be out in 1-2 years.
octo888 2 days ago|||
Curious if you've already read the comprehensive FAQ entry and are trying to imply something?
megaloblasto 2 days ago||
Kind of. I don't use GrapheneOS and I'd like to, but de-googling your phone by buying a Google phone seems a bit sketchy. I don't want to take away from a privacy focused project. I'm super thankful for this option and I can't stand Android or iPhone. But in the back of my mind I wonder if I'm being tricked.
SirHumphrey 2 days ago||
As for why Graphene uses Pixels - their FAQ does a good job explaining. As for why Google keeps the bootloader opened and maintains (until recently) good enough device-tree support - I would guess mostly historical reasons? Before becoming as mainstream as they are now, Nexus and Pixel phones used to be in part Android development devices and certain creature comforts stuck. This seems to be souring though, so some of the people there may be in talks with an OEM for a GrapheneOS-specific device[1].

[1]: https://discuss.grapheneos.org/d/23886-partnership-between-g...

megaloblasto 2 days ago||
This is great info. Thanks.
keerthiko 2 days ago|||
most of the explanation from the horse's mouth will be found here:

https://grapheneos.org/faq#device-support

megaloblasto 2 days ago||
Thanks

> These devices meet the stringent privacy and security standards and have substantial upstream and downstream hardening specific to the devices

It still seems strange. A big part of GrapheneOS is to provide a safeguard from Google's data hoarding, yet it works primarily on Google phones.

rfoo 2 days ago|||
> It still seems strange. A big part of GrapheneOS is to provide a safeguard from Google's data hoarding, yet it works primarily on Google phones.

That's the most confusing part. IMO GrapheneOS is not mainly about "provide a safeguard from Google's data hoarding", instead this is more like a side quest.

GrapheneOS is about creating a mobile OS that is more secure against advanced threats [0] than anything else, including stock Pixel OS and iOS.

[0] Currently my rule of thumb is, anyone who can find and write exploits for new memory corruption bugs for the wanted attack surface, or who can buy such capability, qualifies as advanced threat. Hence Cellebrite qualifies as a borderline "advanced threat".

kelnos 2 days ago||||
That doesn't seem odd to me. Google's data hoarding is done in software, not hardware. Remove Google's add-on software and you have a more or less blank slate to work with. I don't see why we'd expect any different.
zahllos 2 days ago||
This is the answer. Google Play services and related privileged components are the non-open source blob hoarding data, along with whatever backend services you use from Google. These components are part of the stock Android image that comes on the device that's replaced entirely by GrapheneOS.

Naturally if you continue to use Google services then the data hoarding continues.

fdsfdsfdsaasd 2 days ago||||
Yes, a situation that Google is steadily fixing.
warkdarrior 2 days ago|||
Conspiracy theory time: GrapheneOS is a skunkworks project from Google, to sell more Pixel hardware.
subscribed 2 days ago||
Considering last years development and quite open Google hostility?

No.

GoS have provided a lot of patches upstream, some of which were even applied. Despite that they wouldn't get early access to A16 just because. Access EVERY vendor promising to preinstall privileged Google services has.

Allegedly Google security team was very happy about that idea, but got vetoed by management.

fsflover 2 days ago||
I agree with you, it's a dangerous and suspicious choice, https://news.ycombinator.com/item?id=45100831
octo888 2 days ago|||
I'm suspicious of your comment. You got beef or had a run in with the people who run the project...?
fsflover 2 days ago||
I don't have and never had any connection to GrapheneOS developers, positive or negative, online or offline, nor am I working for any of their competitors. I only have the philosophical disagreement with their decisions explained in my link above.
subscribed 2 days ago|||
Okay, I'll bite - what phone should GOS run on?

Remember the context is having a *secure* handset in hand.

matheusmoreira 2 days ago|||
He's not wrong from a computer freedom perspective. GrapheneOS is actively hostile to things like complete root access. It blows a hole in the security model. It's also very much enabled by the exact same sort of user hostile cryptography that corporations use to lock down their devices. Things like hardware attestation which protects apps from us. We can't easily do things like MITM an app to reverse engineer it.

I still think it's superior to any stock Android OS but the risks associated with giving up freedom for security must be considered. The ideal is to have security while simultaneously maintaining our power as the owners of the machine.

strcat 22 hours ago||
GrapheneOS only supports devices where users can have full control over the OS and replace it. Choosing to use GrapheneOS is fully optional and people who don't want a strong security model can use something else. Not clear how GrapheneOS in any way hurts people's freedom by giving them a highly private and secure OS option for devices which meet our requirements. We're working with an OEM towards more devices meeting our requirements which will support using other operating systems too. If you want another OS, you can use one. If you want to modify GrapheneOS in any way you want, that's fully supported. We provide easy to follow build instructions. You can make a userdebug build with ro.adb.secure=1 if you want root access at the cost of security.
fsflover 19 hours ago|||
> people who don't want a strong security model can use something else

You have a very special threat model, which you for some reason always call the best or the only one reasonable. In reality, depending on the user's threat model, your approach can fail miserably. For example, if my threat model includes that Google can utilize their control over the hardware to undermine my security, then your approach fails [0]. And this is a real-world example.

Don't get me wrong, I still agree that your approach is very secure, it should exist, and you're doing an amazing job for the Community. Just that you shouldn't behave as if it's the only viable one.

[0] https://news.ycombinator.com/item?id=45208925

matheusmoreira 13 hours ago|||
> Not clear how GrapheneOS in any way hurts people's freedom

It's not GrapheneOS itself that's doing this. It's technology like hardware attestation. Stock Android is rapidly becoming just as bad as iOS in this regard.

Remote attestation is a technology that enables discrimination against us. By using it, corporations can tell we've "tampered with" our own phones by doing things such as installing GrapheneOS. That's simply not a power I want them to ever have. They should be none the wiser.

The problem is they will abuse that power to deny service to anyone who isn't using a phone owned by corporations. GrapheneOS itself will probably be among the casualties. Bank apps work on it for now but there's no guarantee at all that they'll keep working in the future. Banks can just flip a switch and the apps simply stop working. No valid attestation that a corporation such as Samsung owns your phone? No service. Discrimination.

For corporations, device security means their app is secure from us. They should never be safe from us. That is my ideological point. We should be able to do anything we want, and they should be able to do nothing we don't allow.

I understand that you're doing your best to use this cryptography to protect us. I really respect the work that's being put into GrapheneOS. In fact I'd be using it right now if I could get my hands on a Pixel.

I'm just saying this hardware attestation technology enables discrimination against us.

fsflover 2 days ago|||
The answer is in the above link.

> secure

Different threat models exist. For example: https://source.puri.sm/Librem5/community-wiki/-/wikis/Freque...

Also, what I predicted has just happened: https://news.ycombinator.com/item?id=45208925

t1234s 2 days ago||
I currently use LineageOS on my Pixel. Is it worth trying GrapheneOS?
pavon 2 days ago||
I love the sandboxed Play Services. It works better than microG, and is more secure/private than installing Play Services normally, which are your two options on LineageOS.

The main downside for me was the limited phone choice. I really liked being able to use a smaller Sony phone with LineageOS, but now that those aren't really available in the US, I had to move to a big phone anyway and Pixels aren't the worst option out there.

xvfLJfx9 2 days ago||
Yes. LineageOS is an insecure mess.
j4hdufd8 2 days ago||
It's widely supported
DaSHacka 2 days ago||
Both of these things can be true at the same time.
altonw 2 days ago||
[dead]
mrbluecoat 2 days ago||
TL;DR:

> Cellebrite admits they can not hack GrapheneOS if users had installed updates since late 2022.

nunobrito 2 days ago||
[flagged]
SigRed 2 days ago||
So you were called out over on Nostr by Final regarding the Tor app, which you mistakenly took to be integrated when they simply showed the app and it running on the OS, not IN it, and decided to come to HN for an anti-Graphene sympathetic ear?

The reply you were called out for, for other people's benefit: It's not bundled. It isn't going to be bundled. This is a post showing a work in progress beta app that most users have not seen before. This app is developed officially by Tor to hopefully replace Orbot, it is informational content.

"GrapheneOS has long been suspicious about the revenue values it receives." GrapheneOS Foundation is a registered Canadian non profit that declares its accounts and has filed accounts registered against them for this year and last year too. Nothing is suspicious.

From a forensic perspective? You don't provide ANY forensic basis or evidence for anything you claim.

You prefer Chinese devices? Suggesting people use something known to be objectively less secure on a technical level and known to be closely tied to the Chinese government/military and not legally able to refuse their requests is strange. Even if US gov is the only threat you consider, this makes little to no sense. Especially when it has been revealed that forensic analysis firms used by the US LE agencies have revealed that they see GrapheneOS Pixel devices to be the hardest if not impossible to extract especially in BFU state. There is a reason European LE agencies and their media have gone to extra lengths to smear users as criminals due to how stymied they are in extracting data. A job you want to make easier by making ludicrous hypersensationalised claims based solely in the realm of fantasy.

nunobrito 2 days ago||
Why would I ever trust a gov agency whose expertise is deceiving their opponents when they publicly announce/leak that a specific hardware is more secure than others for them to break? That is all the more reason to keep distance.

> Tor app which you mistakenly took to be integrated when they simply showed the app and it running on the OS

Putting the two things together and endorsing is the same as placing a knife and a tomato on the kitchen table and not expecting them to be used together.

That distro is willingly promoting that journalists and other critical crafts use a service directly created/maintained/funded by the same governments they are trying to hide from. There exists I2P which solves all those attack vectors without ambiguities, but for "reasons" it isn't adopted. Ah.. "licensing model" was the reason last time we talked.

> "GrapheneOS has long been suspicious about the revenue values it receives." GrapheneOS Foundation is a registered Canadian non profit that declares its accounts and has filed accounts registered against them for this year and last year too. Nothing is suspicious.

Is it public somewhere? If not: that is pretty suspicious for a non-profit. Because you endorse Tor (US intelligence-sponsored tool), you endorse Signal (US intelligence sponsored tool) so why don't you go public about where your money is coming from?

About Chinese devices let's be realistic: Google™ Pixel devices are also built in China by Foxconn. Reusing your argument: I'm choosing to be spied only by one side of the globe rather than both sides. Yes, my personal preference is to be spied by eastern powers rather than western ones when possible to choose between bad choices.

I'm not alone on this criticism about the hardware and you know it.

bri3d 2 days ago|||
This is a deeply horrible take.

“From a forensic perspective” if one uses a cheap Chinese phone, as you suggest, anyone with one of tens of forensic extraction tools (including the US government!) will immediately own your phone as soon as they plug into it (seriously, as a very public example MediaTek SOCs until very recently all have fatal flaws in the boot ROM).

If you use a Google phone, maybe a deeply embedded secret NSA implant will eventually activate late one night under the glow of your tinfoil hat, but by and large most people will not be able to extract all of your data in ten seconds by plugging into your phone.

nunobrito 2 days ago||
Your opinion comes as security expert working for a group whose hardware leaked the data for 400 000 people just a few months ago: https://www.techzine.eu/news/security/127456/volkswagen-data...

Maybe your cars could use that tinfoil hat and avoid leaking personal data.

Now on a serious note: there are better odds of staying hidden between the noise of thousand cheap Chinese manufacturers than willingly get yourself into the hardware of a very suspicious supplier.

You are correct that it is game over once there is physical access to your hardware, the thing we try to avoid here is guaranteed remote access from the comfort of some servers in Utah.

Retr0id 2 days ago|||
> Tor ... a known VPN

This is like freaking out about dihydrogen monoxide in the water supply.

nunobrito 2 days ago||
[dead]
Luker88 2 days ago|||
This is kinda paranoid speech. GrapheneOS and Tor remain two of the best projects out there for privacy. I'd love to hear of other open alternatives, if any.

..."I don't trust google hardware, but I trust hardware from a dictatorial controlling regime" also does not really help your argument, sorry.

Besides, they seem to be working with some OEM to get their own phone out.

I'd love to receive daily updates on this, but it's a new development, updates are scarce and these things take time.

I hope sometime they'll collaborate with Fairphone and others.

nunobrito 2 days ago||
Nice try. First you call names, then you complain about phones with dictatorial origins while both of them come from exactly the same origin, that point is moot.

Even worse security practice to use the software and hardware from exactly the same OEM in terms of security. There is a reason why open implementations are important on the cybersec field, precisely to avoid "trust" but move into the side of "verify" since they need to inter-operate.

Scrubbed4426 2 days ago|||
GrapheneOS does not have Tor "directly on the operating system". You are terribly misinformed about all of this it seems.
nunobrito 2 days ago||
Wrong: https://primal.net/e/nevent1qqsq9lsf88umpdunkdzpdthyffys275z...
9029 2 days ago||
Where does it say the app comes with Graphene???
nunobrito 2 days ago||
Those are semantics. When you put a knife next to a tomato on the kitchen table, it cannot be argued they are separated. Same thing for directly supporting and even recommending the Tor usage on the phone.

Let's please avoid semantic word games. Thank you.

q3k 2 days ago||
Speaking of social media FUD...
nithssh 2 days ago|
The post had some nice structural discussion about digital forensics