Initially, it doesn't need to be better. It's difficult enough to produce a device meeting the same standards without severe privacy or security regressions. We're not interested in having our brand associated with a device that's marketed as private and secure but is worse off.
Conversation
The setup we want to have isn't far from what Google was doing with Nexus devices. GrapheneOS needs substantial input into the design and implementation of devices. They'll use our signing keys for boot chain, stock OS verified boot key, etc.
Pixels set the baseline standards.
1
2
32
Some additions to the secure element APIs would make sense and a 'Sensors Off' switch disabling all sensors usable for audio recording (microphones, cameras, gyroscopes, accelerometers, compass, barometer, etc.) for mitigating a compromised device would be a nice frill to add.
5
6
38
Replying to
individual switch-off for baseband, wifi/bt, gps, mic/sensors would be nice. Isolated and easily replaceable baseband as well (to update the imei). sign me up for something like that ...
1
2
2
Other sensors can be used for recording audio. The purpose for 'Sensors Off' would be preventing audio recording when the device has been compromised.
It's not clear what you would expect to get from those other switches and we won't do any security theatre. See the next tweet.
1
4
twitter.com/GrapheneOS/sta
Any added features need a meaningful threat model and implementation. A GPS kill switch doesn't come anywhere close to preventing location detection.
On most phones, detecting location is typically done with cellular and Wi-Fi first. GPS kicks in later.
Quote Tweet
Some additions to the secure element APIs would make sense and a 'Sensors Off' switch disabling all sensors usable for audio recording (microphones, cameras, gyroscopes, accelerometers, compass, barometer, etc.) for mitigating a compromised device would be a nice frill to add.
Show this thread
2
3
The GPS-off vs Wifi/Baseband off is that all three methods are different thread models. Wifi (and cell ID) are for evil apps, baseband is for evil network ops/ss7 etc. The main point with wifi/bb off is to be able to use GPS for navigation without broadcasting your whereabouts.
2
All of those can already be turned off already on the currently supported devices. The purpose of a kill switch is that it works after the device has been deeply compromised. Our features need a proper threat model and implementation. What you're saying just isn't how we roll.
2
Well, I was always telling you what kind of device I would buy (and a couple of others). Apart from that, the whole thing is called defense in depths: When the OS security has been penetrated, I STILL don't want to care if some privint dude can check my location history via SS7.
1
That's not defense in depth. It's called security theatre. Providing features that do not actually work and do not provide meaningful security semantics misleads users and can result in them making bad decisions based on the false sense of security being provided. Not what we do.
2
Our goal is not making the kind of device you want to buy.
GrapheneOS is the opposite of tacking on an assorted list of privacy/security frills without a proper threat model or implementation.
Our aim is making something genuinely good, not something people perceive as good.