Comment by wps

7 days ago

The main critique I’ve seen of the duress PIN is that it causes undue trouble. The obvious counterargument is that if you genuinely have the need for a duress PIN, it’s worth its weight in gold. If the severity of the charge or physical punishment (in countries without due process) would in any way be less by NOT having xyz data on your phone, then it’s helped. Say, the difference between 10 years for destruction of evidence and 80 years for espionage.

It also doesn’t have to be used against a government.

  • Even when used against a government, there are a lot of different gradations. E.g., my government is not very hostile, but people who get arrested at a demonstration might still want to erase their phone. There are some countries where someone is not required to give their PIN, but the police are allowed to investigate a phone if they can unlock it by other means (Cellebrite, face unlock, etc.).

    By the way, another way GrapheneOS protects against this is by allowing automatic reboot after a period without unlocking, which can be set to a very short period. This puts the phone in BFU (before first unlock), where fingerprint and face unlock do not work, and the phone is much harder to hack with tools like Cellebrite.

  • For sure, but these LARP situations are mostly based on defending against a highly motivated and powerful entity like the government.

    But in other situations, like against thievery, domestic abuse, or as a brute-force deterrent (i.e., setting a simple duress code that is likely to be triggered, say 1111), it has the potential to work well.

    Graphene brings out some of the best of Android. Profiles are first-class citizens, private spaces within the owner profile (I think all profiles can have them now?), and app pinning are great.