GrapheneOS and forensic extraction of data (2024)

Original Article ↗ Hacker News Discussion ↗

GrapheneOS vs Forensic Tools (Cellebrite, AFU/BFU)

  • Thread centers on leaked Cellebrite support matrices showing:
    • Stock Android and many vendors are widely extractable, especially in “After First Unlock” (AFU) state.
    • GrapheneOS is listed as unsupported if patched beyond late 2022; forensic vendors reportedly haven’t had working exploits since then.
  • GrapheneOS adds defenses vendors avoid for usability reasons: USB disabled or restricted in AFU, compile-time hardening, stricter rate‑limiting, and secure element use.
  • Some argue modern iOS and Pixels with GrapheneOS are both “state of the art” for at‑rest protection; Cellebrite’s position is only a point‑in‑time snapshot and doesn’t say anything about NSA/GRU‑level attackers.

Root Access, User Freedom, and Threat Models

  • Several want a “power user” GrapheneOS with root or easy adb root to:
    • Extract/modify app data, do full backups (Titanium‑style), or reverse‑engineer apps.
  • Others counter:
    • Persistent root blows a hole in GrapheneOS’s security model, massively increases the impact of any compromise, and would be a huge maintenance/safety burden.
    • You can build your own userdebug images if you accept lower security.
  • Debate touches on:
    • Phone vs desktop threat models (phone apps are more opaque, installed from app stores, with proprietary blobs and baseband stacks).
    • Hardware attestation enabling banks and others to discriminate against rooted/custom systems; tension between security and user sovereignty.

Why Only Pixel Devices?

  • Explained as a hardware‑security choice: Pixels currently provide:
    • Robust bootloader unlock/lock flows, secure elements, timely patches, and required hardware features.
  • Some find it philosophically uncomfortable to “de‑Google” using Google hardware or distrust vendor-controlled silicon; others accept this as a pragmatic trade-off.
  • Alternatives like LineageOS, /e/, and CalyxOS are called out as much less hardened and often far behind on security patches.

Government Power, Surveillance, and Politics

  • Long subthread debates “good vs bad government,” privacy vs security, and whether handing data to states is ever safe.
  • Examples of authoritarian phone searches, climate policy, global warming denial, taxation, and wealth inequality are used to argue both:
    • Governments inevitably abuse data and power.
    • Yet some governments are clearly worse, and collective problems (crime, climate) still require state capacity.

Practical Adoption & Usability

  • Comments from users or would‑be users:
    • Interest in cheap used Pixels as GrapheneOS “travel phones.”
    • Mixed reports on app compatibility: most banking apps can work, but some fail; NFC payments and some Google “always-on” features don’t.
    • Sandboxed Play Services seen as a major advantage over other ROMs.