Those Anøm phones didn't even pretend to be at all secure.
Pixel 3a with an Android 9 fork still on the March 2019 security patch. Shipped signed with the publicly available AOSP test keys used as a placeholder before signing actual releases. All of that visible in Settings app.
AOSP test keys have publicly available private keys. It's a placeholder used when building. It's for development use with signing as a separate, optional step.
Several tests fail if you have anything signed with them. Also shows "test-keys" in OS version shown by Settings app.
Those keys are literally just these:
android.googlesource.com/platform/build
Replacing these in the source tree is considered as using development keys and brands it as dev-keys.
Signing a release for real is a separate step done after building and brands it as release-keys which is hidden.
Military grade cryptography must require signing your releases with open source private keys. It's such a good idea that even the FBI is doing it.
Seriously though, the whole point of those keys is that they're a reproducible, known bad placeholder replaced with real signatures.
Someone helped us get information on it including screenshots. The data they provided was deleted to protect their identity so we won't be publishing the screenshots they provided.
It was to determine if they were forking GrapheneOS as some had claimed and they clearly were not.






