2025-03-19 22:17:33
Final on Nostr:

Companies in this line of business are highly secretive, and the number of victims of such attacks isn't fully known: it depends on the heuristics or TTPs the exploit relied on during the period before it was exposed, there can always be more victims, and no count can be called accurate. It is almost certain that malware of this kind exists for iOS and for stock Android distributions. How the exploit is delivered also varies and depends on the user using a particular service or app, WhatsApp being one example.

The majority of GrapheneOS features and exploit protections, such as hardened_malloc and MTE, are designed to protect the user against memory corruption vulnerabilities. Memory corruption makes up the majority of critical vulnerabilities exploited in the wild because of the capabilities that exploiting it can bring. There are also many features users can opt into.

For an exploit of this class to work on GrapheneOS, it would almost certainly have to be designed specifically for GrapheneOS. That is difficult to maintain because of regular updates and new features and enhancements in the OS, or even in the apps.

These details should tell you that if you consider these types of groups (sophisticated adversaries with unlimited physical access) to be part of your threat model, then you should:

- Use the most recent phone you possibly can.

- Upgrade to the newest phone generation as soon as possible after its release, if you are able to.

- Use the latest version of GrapheneOS ASAP. Do not delay.

- Use a strong, high-entropy passphrase so that brute-forcing the device credential is impossible if the secure element is ever exploited.

- Set the GrapheneOS auto-reboot timer accordingly, so that encrypted data goes back to being at rest when the phone reboots, which makes AFU (after first unlock) exploitation impossible. The lower the timer, the better.

- Enable the duress password. Set it to something that is easy to trigger but not easy to trigger by accident.

- Turn your phone off in a high-risk situation, and trigger the duress password when in a duress situation.

- Disable your radios when not using them (turn off Wi-Fi, use airplane mode, disable NFC, UWB, etc.) to reduce attack surface.

- Set an appropriate USB port control mode, or disable the USB port entirely, so that they can't connect a device to it.

- Use user profiles (application data and user files within a profile are stored encrypted with that profile's separate credentials).

- Enable upcoming GrapheneOS security features, like second-factor authentication for unlock, when they are released.

- Communicate only over secure messaging. Some apps, like Molly (a Signal fork), can encrypt the app's storage with a passphrase, which makes access to that app's data impossible even when the profile is compromised, provided the passphrase is strong enough.

- Become disassociated from data. Learn to keep files or other data only as long as they are necessary. If you will have no use for them for a long time, back them up elsewhere, encrypted. Delete anything you have no use for in the present. Your data is not your memories.

- Remember that you are only as secure as the people you trust. If they do not meet your safety or security requirements, don't enable them to do things that could cause trouble.
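The passphrase point above (brute force only becomes a realistic threat once the secure element's throttling is bypassed) can be made concrete with a small model. This is an added example, not code from the post or from GrapheneOS; the two guess rates and the credential candidates are assumed values chosen for illustration, and 7776 is the size of a standard diceware word list.

```python
import math

# Assumed guess rates (guesses per second), not figures from the post.
# With the secure element intact, failed unlock attempts are throttled by
# hardware; if the secure element is exploited, only the cost of the key
# derivation limits the attacker, so the credential's entropy is all that is left.
SECURE_ELEMENT_RATE = 1.0 / 30      # assumed: one attempt per 30 s under throttling
SE_BYPASSED_RATE = 1e6              # assumed: offline rate after a secure element compromise

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random credential made of `length`
    symbols drawn from an alphabet of `alphabet_size` (digits, words, ...)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet_size must be >= 2 and length >= 1")
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every credential of the given entropy at a fixed rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(alphabet_size: int, length: int) -> dict:
    """Exhaustive-search time for one credential shape under both threat models."""
    bits = entropy_bits(alphabet_size, length)
    return {
        "bits": bits,
        "years_with_secure_element": years_to_exhaust(bits, SECURE_ELEMENT_RATE),
        "years_if_se_bypassed": years_to_exhaust(bits, SE_BYPASSED_RATE),
    }


# Constructed candidates: (alphabet size, length).
CANDIDATES = {
    "6-digit PIN": (10, 6),
    "4 diceware words": (7776, 4),
    "8 diceware words": (7776, 8),
}

if __name__ == "__main__":
    for name, (n, k) in CANDIDATES.items():
        r = compare(n, k)
        print(f"{name:18s} {r['bits']:6.1f} bits  "
              f"SE intact: {r['years_with_secure_element']:.3g} y  "
              f"SE bypassed: {r['years_if_se_bypassed']:.3g} y")
```

A 6-digit PIN survives only because of the secure element's throttling; once that is gone, only a passphrase with roughly 100 bits or more keeps exhaustive search out of reach.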

Author Public Key
npub1hxx76n82ags8jrduk0p3gqrfyqyaxnrlnynu9p5rt2vmwjq6ts3q4sg75y