GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

[Feature request] increase stealth by deactivating profiless #3808

Closed Sturmkater closed 1 month ago

Sturmkater commented 1 month ago

I did set up my Pixel 8 with a dummy Owner profile and different case-specific other profiles. In the login screen there is the option to end the session, which I think is pretty neat. To increase stealth I would love the option to deactivate multiple users at the same time as ending the session. Deactivated user profiles won't be lost, but nothing indicates there are other profiles there. The option to activate multiple users could even be made to require the admin password.

That would be a nice security feature to implement. But in the meantime, does anybody know if deactivating multiple users could also be done with Tasker?

thestinger commented 1 month ago

Can you clarify what you mean? Do you only want to hide this on the lockscreen? Why?

thestinger commented 1 month ago

Hiding it within the Owner user is not possible and there's no choice but to close a request for that.

Sturmkater commented 1 month ago

Sure, I'd love to clarify. 1 If turned off here, the user profiles are not touched and persist until the next activation. 3 ...but here, the only place I know of to change user, it is no longer visible that other profiles exist, therefore limiting the suspicion that the current (Owner) profile is just a dummy. 2 ...reactivating it could require the admin password. If forced to enter one, you could still enter the duress password to wipe the entire device. If this approach does not have some holes, it would be way more convenient to quickly deactivate multiple users instead of wiping users which afterwards have to be set up again.

thestinger commented 1 month ago

It's trivial to confirm Owner is not the only user regardless of this menu. If the device is locked, why does it matter if they can see multiple user profiles are used?

keybreak commented 1 month ago

@thestinger Sorry to interject, but as far as I understand that's a pretty valid concern:

  1. Let's say you're stopped by cops in authoritarian country, while having some opposition materials or contacts on your device.

  2. You should want to be calm and open some dummy profile without leaving any visible trace of having more than one profile.

  3. If you fail to do so - they'll open such a device with your face and you'll go to jail for the contents of your device.

thestinger commented 1 month ago

You should want to be calm and open some dummy profile without leaving any visible trace of having more than one profile.

They can trivially tell that it's not the Owner profile. They will notice while following any standard data extraction procedure since developer options and ADB are missing. It's also trivial to detect the other profiles in numerous other ways. The feature request is not valid. This is not a valid approach to hiding data.

keybreak commented 1 month ago

I meant more like street cops' sweep checks, not a full-on Cellebrite type of situation. Well, valid or not... that's a big problem; hopefully some ideas will arise in the future. :+1:

Sturmkater commented 1 month ago

@thestinger No, it is the other way around: the dummy profile is the Owner profile and all others are turned off, so ADB and developer options will show up.

thestinger commented 1 month ago

@Sturmkater That allows trivially finding the other profiles.
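Added example, not code from the GrapheneOS project or from anyone in this thread: thestinger's point is that a dummy Owner profile with ADB enabled lets an examiner list every user on the device, including users whose session was ended. Android's package manager prints one `UserInfo{id:name:flags}` entry per user (with a trailing ` running` for active ones) in response to `adb shell pm list users`; Owner is always user id 0. The script below parses that output and flags any non-Owner user. The sample output is constructed to match the command's format; `fetch_live_output()` assumes `adb` is on PATH with an authorized device and is not exercised offline.

```python
"""
Added example (not from the GrapheneOS project or from anyone in this
thread).  Parse `adb shell pm list users` output and show that every user
profile is listed whether or not its session is currently running, so a
dummy Owner profile cannot conceal the existence of the others.
"""
import re
import subprocess

# Constructed sample in the `UserInfo{id:name:flags}[ running]` format that
# `pm list users` prints.  Only Owner is running; the other two users have
# had their sessions ended but are still present on the device.
SAMPLE_PM_LIST_USERS = (
    "Users:\n"
    "\tUserInfo{0:Owner:c13} running\n"
    "\tUserInfo{10:Work:1030}\n"
    "\tUserInfo{11:Travel:c10}\n"
)

USER_RE = re.compile(
    r"UserInfo\{(?P<id>\d+):(?P<name>[^:}]*):(?P<flags>[0-9a-fA-F]+)\}"
    r"(?P<running>\s+running)?"
)


def parse_users(text):
    """Return one dict per UserInfo entry: id, name, flags (int), running (bool)."""
    return [
        {
            "id": int(m.group("id")),
            "name": m.group("name"),
            "flags": int(m.group("flags"), 16),
            "running": m.group("running") is not None,
        }
        for m in USER_RE.finditer(text)
    ]


def secondary_users(users):
    """Every user other than Owner (id 0).  A stopped user still appears here,
    which is why ending a session does not hide that other profiles exist."""
    return [u for u in users if u["id"] != 0]


def fetch_live_output():
    """Run the real command through adb.  Assumes adb is on PATH and the
    device has authorized this host (assumption; not exercised offline)."""
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "users"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def report(text):
    """Summarize which users exist and whether any are non-Owner."""
    users = parse_users(text)
    others = secondary_users(users)
    lines = [f"{len(users)} user(s) listed"]
    for u in others:
        state = "running" if u["running"] else "stopped"
        lines.append(f"secondary user {u['id']} ({u['name']!r}) is {state}")
    if others:
        lines.append("Owner is not the only user; other profiles exist")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_PM_LIST_USERS with fetch_live_output() for a real device.
    print(report(SAMPLE_PM_LIST_USERS))
```

The check needs nothing beyond ADB access to the Owner profile, which the dummy-Owner setup leaves enabled; the stopped users show up without the ` running` suffix but are listed all the same.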

thestinger commented 1 month ago

@keybreak It's easy to notice the other profiles, and we can't assume cops are unaware of GrapheneOS or similar features used elsewhere. We don't want to add any privacy/security features which can be trivially bypassed. They can cause real harm to users who rely on them and then it's discovered they were lying. We don't want to be responsible for getting people harmed through privacy/security theatre.

keybreak commented 1 month ago

@thestinger I see your point, it's a valid perspective. And there's certainly no way to have a silver bullet in terms of some street cops might not be idiots.

However, I also believe that in some countries most people, given the choice, would gladly take the risk of hiding and playing dumb in such a situation rather than run or show them real data, because then you will have zero chance.

I'm using GrapheneOS? What is it, officer? Oh... I don't know anything about it, I just bought this used smartphone because I read online it has a great camera. Look at those nice pictures of a squirrel!

I believe having such an option of a stealth profile, assuming it would some day be technically possible, would in fact greatly benefit those who want to reduce harm, but it should be clearly stated that you as OS creators have no responsibility for how it is used, and people shouldn't blindly rely on the illusion of bulletproof solutions, or, as you've put it, "theatre" (I actually believe you already state this somewhere on the website, if I recall correctly).

thestinger commented 1 month ago

It would be possible to make data truly hidden but it comes at the huge cost of either reserving space for it with all new GrapheneOS installs or making it optional and then only people who opt-in to the option of using it have the space reserved. The issue with having a choice is only people who choose to have it will have the space reserved, and while they may not have configured it to actually have any hidden data it will be discoverable that they began the process of doing that by reserving the space for it. It can't be done at a user profile level but rather likely needs to involve a VM because there is metadata created in the Owner user and system wide which shows a secondary user exists and has stats on battery usage, etc. which is unrealistic to completely avoid.

thestinger commented 1 month ago

shouldn't blindly rely on illusion of bulletproof solutions

Anything we add needs to have a clear goal and accomplish that goal properly. We avoid adding features which do not work if an adversary knows about them, and GrapheneOS is increasingly widely known about. Cellebrite and other tools have official documentation on it as you can see from https://grapheneos.social/deck/@GrapheneOS/112826161282856025.

keybreak commented 1 month ago

Yes, I've read all your posts about Cellebrite... That's pretty scary and complex stuff, especially for the countries I was referring to, where law or rights are not a thing.

As far as I understand, currently the only thing you can do is refuse to unlock once the device is captured by those who wish to use Cellebrite on you... which means that refusal to unlock automatically puts you in danger. Therefore, overall, in terms of physical safety it's currently always a game of personal decision / chances :slightly_frowning_face:

Oh, unless you know for a fact beforehand that your adversary will use Cellebrite on you, and you are fast enough to use the duress password before they get their hands on it. I imagine there's usually not enough time to be fast enough, but it's always a great idea to have a duress password set up just in case.