Hardening modern iPhone against forensic tools

I basically meant, as long as there is a vulnerability that allows them to modify the file system, they can just change the MDM payloads to their desired choice, bypassing the protection. Apple has been releasing some good security patches but it’s still a cat and mouse game. Supervised device state is baked into the phone but MDM payloads are merely OS files. My best recommendation is to set up the killswitch that bypasses having to disable Find My iPhone.

I’ve been inactive for a minute but when I wrote that I definitely discovered something bad. Probably sensitive app data.

@ihateKYC Thank you for regularly providing this advice and information to the community. In your opinion, how close does all this get you to GrapheneOS level of security? I ask as I am debating what to do in replacing my iOS device, whether I should go and use GrapheneOS or harden a newer iPhone.

It doesn’t.

Yes.

1 Like

I prefer GrapheneOS because of the USB-C port protection feature, but I like iOS a bit more because I can factory reset it in less than 10 seconds in an emergency and not have to worry about any of the security settings failing me. I don’t have to sit in my room for months, feeling anxious and worried about whether an exploit has been found or not. If you are replacing an old device, the choice is yours, but it should at least be a newer Pixel with GrapheneOS or a recent iPhone.

1 Like

That’s all good information to know, thank you for your reply. I haven’t used Android in many years; is there no speedy and effective way to wipe the device like on iOS?

It depends. I have a 64 char password, so the iOS method is way faster. On Android, you could throw a widget on your home screen, I guess, or use some third-party app (not recommended).

1 Like

Make sure that all of your necessary apps can be run on GrapheneOS before buying a Pixel. Some apps (especially banking apps) don’t work on GrapheneOS. You can ask questions in their forum. You may also have problems with apps like WhatsApp.

Or you can buy both an iPhone and Pixel if you’re rich. :face_with_tongue:

1 Like

You can just configure the duress feature. Instant wipe and would be faster than failing an iOS passcode 3x.

GrapheneOS provides users with the ability to set a duress PIN/Password that will irreversibly wipe the device (along with any installed eSIMs) once entered anywhere where the device credentials are requested (on the lockscreen, along with any such prompt in the OS).

I wish :joy: I know of the Plexus app that Techlore has made (or is running) but have found it a bit limiting. Would you know of any other resources, other than GrapheneOS’s forums, that keep an up-to-date log of app compatibility? There is always the option, I suppose, of running them in a separate profile.

I completely forgot about this feature lol. But typing the letter A 3 times is way quicker. Plus you have to remember your duress password. You don’t type it often, so it may get forgotten about, especially in a high-stress moment.

Why not use the bank’s website instead?

Hardening a closed-source system means you have to trust that there is no code that is somehow adversarial that you don’t know about.

Once upon a time, some people said that governments could secretly read Gmail and Yahoo mails, and those people were all considered to be crazy conspiracy theorists.

There’s really no way to know what’s in the code in iOS and if there are “features” that you can’t even know about.

2 Likes

For some apps, there is a workaround, but as far as I know, profiles are not one of the tools.

For banking, you can consult this guide.

Because my banks will stop using SMS for OTP if you use their app. In that case, the code is just pushed directly to the app. Also, you can quickly open a virtual debit card anytime, even at midnight, and add it to Apple Pay so it works just like a physical debit card. Both increase your privacy and security.

2 Likes

That’s great. Thank you so much :blush::+1:

I have had a few phones seized and analyzed by an undisclosed advanced adversary, all at different times.

After the first phone was seized and returned to me, I found it weird that this adversary was not using Faraday bags, so I opened up the iOS Shortcuts application and searched for ‘airplane’ and nothing came up. Then I thought to search for ‘aeroplane’ and the holy grail appeared.

So I set up an iOS Shortcut to automatically disable airplane mode after a set time. I always had access to Control Center disabled on my iPhones, but not providing the PIN code to unlock a phone can get you into trouble, and I prefer to get my devices back as they are worth money.

Phone 1:

iPhone on latest software at time of seizure.

Provided PIN code to unlock. Placed into airplane mode. Not placed into a Faraday bag.

Received phone back with all settings reset, due to the fact it had been backed up previously.

Got it back and I disposed of it for security reasons.

Phone 2:

iPhone on latest software, provided PIN code to unlock, placed into airplane mode and not into a Faraday bag. A set time after it was placed into airplane mode, a Shortcuts automation turned airplane mode off.

Phone was transmitting/receiving data during the time it was seized and I did NOT alter the data in any way because I did not want to get into trouble. I have carrier logs showing the phone online.

I ended up getting this device back. The settings had not been reset, which I found odd.

Phone 3:

Same iPhone as phone 2, running latest software. Provided PIN code to unlock it. Phone was placed into airplane mode but not a Faraday bag. This time, I accidentally spilled some coffee on my computer while looking at it in the ‘Find My’ application and remote wiped it. I lost precious photos and data, so that’s really my loss.

Got phone back factory wiped and I think someone got into trouble LOL.

Disposed of it soon after for security reasons.

TL;DR: an iOS Shortcuts automation to disable airplane mode after a set time is my version of ‘hardening’ against iPhone forensic tools.

QFT. The blind faith people have in Apple is laughable.

2 Likes

I somehow doubt that an “advanced adversary” would be doing any of this. Especially if they have the pin.

1 Like

If your threat actor is modern forensic tools, you don’t have much choice to begin with. You either choose Pixels with GrapheneOS or iPhones depending on whether Pixels with GrapheneOS fits your needs. Or if you’re rich, just buy both like the OP.

If your threat model is having your phone confiscated and examined by police or whoever, then the best option is not having a phone at all or using a burner phone on which nothing is stored but Signal.

If your objective is privacy, then Apple is an absolutely terrible choice.

1 Like