Since the phones took so long to clear customs, how do we know that there was no spyware installed on the phones while in Customs?
I would like advice on steps on how to restore iodéOS in a way that this is not a concern, perhaps with checksums?
Anyone mind helping Proton and me?
Honestly, if you’re that concerned, maybe you should just request a refund. You really sound overly paranoid.
Are you CIA? Or are you just retarded? Why do you think I bought this phone? Or maybe you… should request a refund, so somebody else that understands what this is all about can get your phone.
Geez, you try to give someone a solution, and they revert to name calling. LOL
The fact is @Proton (is that also where you store your secret email?), I gave you the only logical and practical solution to your question.
While you’re in forum timeout, in the corner, ask yourself three questions:
- Are you so important that the government would spend millions of $ to tamper with your phone? Somehow I think you are just as insignificant as the rest of us… or maybe a little bit more so.
- What benefit would the government really gain by spending millions of $ on a $300 Indie project of 4000 rando users? Maybe the BraX project IS the government, and they secretly set up the Indie to watch us 4000 insignificants.
- … this is the one I feel best fits your post… Are you truly concerned that the device may have been tampered with, or are you just seeking attention (social media addiction is a real thing)? If it’s the SOONER, then the only “Practical and Logical” solution to your concern is to return the device. The fact is that most of us out here understand that only an “intellectually-deficient” individual would have that concern, and then knowingly purchase the device, put it in their pocket, and carry it daily.
As to your response… YES. I have a BraX3, have had one for several months, and probably know a fair bit more about it, and its purpose and intent than you do. Maybe if you would read some of the other articles and posts, you will find enlightenment on the subject.
Have a great day, @Proton
Do you want to give me a technical solution to my question, or are you just babbling words, CIA? Because you are saying nothing and you keep posting.
Why not do a factory reset, would that not wipe any additional software from the phone? Then use the installed updater to update to current iodéOS, or are you thinking more of hardware being installed?
I am thinking that if modified software is injected, you can do as many factory resets as you want. Hopefully you remember that Mossad intercepted the pagers and also modified the hardware.
Restoring an OS to make sure you have an authentic version is paranoia? LOL. I have some free wifi you can use for convenience.
The fact of the matter is what you asked for is reasonable, it’s clear the people that have replied don’t have the answer. Just give it some time, you will be far from the only person that will want to do this common practice.
This is basically what he asked, but it’s not as simple as pressing a factory reset button.
Here are some technical reasons to trust the Brax3 is secure:
- the bootloader is locked, so an attempt to unlock it will trigger a factory reset. Unless the OEM keys have been compromised (very important secrets that if leaked could be disastrous for their business) this is very difficult to overcome.
- the kernel integrity is verified thanks to this private key: any attempt to change the kernel will result in a failure, as the bootloader is locked.
- system and vendor partitions cannot be changed in the recovery fastbootd mode unless the bootloader is unlocked (which would trigger a factory reset), and cannot be changed in spflash mode after a first OTA is performed without blocking everything. Indeed, system+system_ext+vendor+product partitions being dynamic partitions and the device being virtual a/b, these partitions are managed in a special way which requires writing some data to the metadata partition. As soon as a first OTA is performed, the virtual partitions are exchanged and managed in the virtual a/b way, which implies that writing the partitions with spflash creates a discrepancy with information in metadata, leading to a boot failure. So each update of your device to latest iodeOS will confirm that the bootloader is locked since the first install.
And there are more ways to check the system: the signature fingerprint can be extracted from the iodé app: it should be the iodé signature, proving that the system has not been tampered with. Indeed, the iodé app can only work if it is signed with the platform key, when the iodé signature and platform signature match.
More thoughts (pardon the length of this post, I am quite tired) on hardware and privacy:
Risk evaluation requires understanding that risk is always present, and can never be entirely removed. In this sense, there is no perfect device, one cannot hope for perfection. For example, a hardware-based attack is possible. Keep in mind, the resources needed for these kinds of attacks are enormous, and would need to be custom-crafted for each different Android device. Another reason to think that such exploits are unlikely is that it is not easy to make such backdoors work seamlessly bug-free or escape detection, and if discovered, will certainly be a stain on the manufacturer’s reputation.
It is much easier just to compromise the privacy of the entire society using factory installed Google and iOS spyware. As privacy is a team sport, even those of us deadset on privacy, security and anonymity will lose out unless we live in a cave, as our friends and loved ones’ devices will be keeping tabs on us and reporting much of our movements and communications back to Silicon Valley. And there are many other effective state-sponsored ways to undermine privacy. It is illegal to tamper with the IMEI of the device in most countries, and most countries’ ISPs are required to log and provide APIs to give police or intelligence agencies a view into every URL that you request on the network. That is why you should use a VPN.
The way out of this Orwellian future is for a larger portion of the population to start using technologies that respect their privacy and don’t come with spyware by default. When there is a critical mass of people refusing to buy spyware and bloatware laden devices, the oligopoly of manufacturers may be forced by the economics of the situation to release open source hardware. Linux just crossed the threshold into 5% of desktop users. Degoogled ROMs are way way behind, perhaps 2 million devices out of 3 billion (<0,01%)
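Added example, not part of the thread and not iodé's own tooling: the signature-fingerprint check described in the post above, done by comparing the signing certificate of the iodé app with that of a platform-signed APK and with a published reference. The sample `apksigner` output, the digests and `REFERENCE_FP` are constructed placeholders; treating `/system/framework/framework-res.apk` as the platform-signed reference follows the AOSP convention and is an assumption for this build.

```shell
#!/bin/sh
# Inputs are the text printed by `apksigner verify --print-certs <apk>` for
# (a) the iodé app APK and (b) framework-res.apk, both copied off the phone
# with `adb pull`. All values below are CONSTRUCTED samples, not real keys.
D1=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
D2=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
# Placeholder for the fingerprint published by iodé, obtained off-device.
REFERENCE_FP=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
IODE_APP_CERTS="Signer #1 certificate DN: CN=constructed-platform-key
Signer #1 certificate SHA-256 digest: $D1"
PLATFORM_CERTS="$IODE_APP_CERTS"
OTHER_CERTS="Signer #1 certificate DN: CN=constructed-other-key
Signer #1 certificate SHA-256 digest: $D2"

# Extract the first signer's SHA-256 certificate digest, lowercased.
cert_sha256() {
    printf '%s\n' "$1" |
        sed -n 's/^Signer #1 certificate SHA-256 digest: *\([0-9A-Fa-f]\{64\}\) *$/\1/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Normalise a published fingerprint (colons, spaces, upper case allowed).
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# check_signing APP_CERTS PLATFORM_CERTS REFERENCE_FP
# Prints a verdict; returns 0 only when app, platform and reference agree.
check_signing() {
    app=$(cert_sha256 "$1")
    plat=$(cert_sha256 "$2")
    ref=$(normalize_fp "$3")
    if [ -z "$app" ] || [ -z "$plat" ]; then
        echo "unparsed"; return 2
    fi
    if [ "$app" != "$plat" ]; then
        echo "app-not-platform-signed"; return 1
    fi
    if [ "$app" != "$ref" ]; then
        echo "unexpected-signer"; return 1
    fi
    echo "match"
}

check_signing "$IODE_APP_CERTS" "$PLATFORM_CERTS" "$REFERENCE_FP"
check_signing "$OTHER_CERTS" "$PLATFORM_CERTS" "$REFERENCE_FP" || :
```

The reference fingerprint has to come from a source other than the phone being checked; a value read back from the same device only shows that the device agrees with itself.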
Thank you for this info!
Thank you, brinerustle, for this detailed explanation and assessment!
So I guess we need to put our trust in the IODE OS team, and individual members of that team, not to install a back door for the US government like Telegram was requested to do.
Well, I hope that with time using the software and interacting with the community you would come to trust the iodé team, but the key to open source development is that it is in the open, just as Rob promotes around his idea behind the Brax3 being in a transparent case: you can see the innards to represent that there isn’t something hiding behind closed doors. The point is I hope you come to trust us, but you should not need to in order to ensure that no backdoors are hiding in secret.
Now, not everyone can read the code, and, in fact, mobile development has so many parts that it is not easy for many at all to do it. But it is open and you can see all the source here: os · GitLab As the foundation is LineageOS (also open), you can know that there is a large community way beyond my pay grade that are inspecting and stress testing the codebase for vulnerabilities and weaknesses. Yes bugs will exist, yes features you may assume are there may not be fully functional (yet), but yes it is all in the open and yes you can inspect it and even contribute to it.
Clarification: iodéOS on the Brax3 is built on top of LunarOS, not built on top of LineageOS as with other devices iodéOS supports. But the point remains, LunarOS is open source and can be inspected and contributed to.
Good response.
Rik, has iodé ever worked with a third party to conduct an audit?
I personally think that would be killer advertising, and I would personally donate for a one-off audit, or yearly.
@0x7 I would donate for that too.
Not that I know of. We are a small team with not enough hands and too many tasks on our plate. So we aren’t opposed to it, but people and time availability would make that hard. I am not sure if LineageOS (all devices except the Brax3) or LunarOS (for the Brax3) has gone through that process, but as iodéOS is pieces on top of that, these foundational components would be the place to start an audit I think.
Hey Rik, thanks again for the helpful info. Can I maybe get your attention to another post from a user