Remix.run Logo
palata 4 hours ago

Happy GrapheneOS user here as well, but...

I am having a hard time believing your first link, which says:

> In Anna’s case, stalkerware was disguised as a picture message, sent to her by the man she was dating (let’s call him David), just a few weeks after they met. She was then under constant surveillance for about two years

That sounds like an NSO-level attack, right? I doubt abusers routinely pull that out?!

I totally get the problem that "the abuser knows the iCloud password and can use the FindMyPhone feature to track the victim", or "the abuser convinced the victim to install an app that would track the victim without their consent". But I am genuinely wondering how much GrapheneOS protects against that.

grapheneos an hour ago | parent | next [-]

> That sounds like an NSO-level attack, right?

There are many tiers of far easier remote attacks far easier than exploiting an up-to-date iPhone through iMessage of WhatsApp. It doesn't mean that's what happened but it's often not something that's extremely difficult. Many people use phones with years of missing security patches. It's getting increasingly easy to exploit those in the age of LLMs.

Regardless, it sounds more like a social engineering attack tricking someone into installing an invasive app and granting invasive permissions to it.

> I doubt abusers routinely pull that out?!

They do regularly use social engineering to trick their partners into setting up stalkerware or permitting it to be installed. Getting a new phone and accounts is a very helpful for people who are victims of it. They've often given access to their accounts and devices without knowing how to fully get rid of it. Reclaiming the existing devices and accounts is far easier if they have a clean one to start from where they can get technical help. It doesn't specifically need to be a GrapheneOS device, but it's a good choice in general and doesn't require being technically savvy to use or even install it.

watwut 2 hours ago | parent | prev [-]

> That sounds like an NSO-level attack, right?

Not really, these are available to any script kiddy as long as unpatched phones and software exists. It takes some initial effort to find them out, but that is it.

And I remember similar attacks floating around few years ago even outside domestic violence situation.