I feel like there isn’t much emphasis on physical security. Here are a couple of things I can think of:
Protection against phone snatching: if a phone is snatched while texting for example, all encryption and hardening of security features are rendered useless
Shoulder-surfing: buy a private screen protector, turn on PIN shuffle
Disable biometric unlock when going outside
Use dummy guest account to create deniability
What are your suggestions for enhancing physical security? Especially for phone snatching.
Use app PIN/biometric authentication to limit risk
In addition to disabling biometric, you can also enable auto reboot.
Also be aware of an upstream bug that occasionally causes the fingerprint sensor to appear even while it is disabled for screen unlock. It happens in secondary profiles only, not the main one. I’ve seen this pop up and so too have other users.
I’ll second “Private Lock” for phones. It’s an unobtrusive application, and can be configured to lock down the phone in case of a physical shock. I.e., with the phone in my pocket, it’s configured to unlock with the less secure fingerprint unlock. However, in case of a physical shock / struggle / dropping the phone, it reverts to the more secure PIN screen, like when the phone has just rebooted. It’s a great balance of usability and security. No need to have the phone auto reboot every few hours, as I’ve seen some discussions about here.
Your own threat model will determine how you implement it, but for me, I have it configured to run when my screensaver kicks in. Any USB devices inserted or removed when the screen is locked will result in the system flushing keys and shutting down in seconds.
You can add the script to rc.local to have it running constantly, but that’s a bit too aggressive for my needs. With Debian, I’m able to invoke it only when the screen is locked and that suits my threat model fine. You can whitelist certain devices and configure it to your needs, hopefully find the right balance for your own model.
Not sure if there’s a Windows equivalent, but I’m sure there must be something similar.
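As an added illustration of the USB dead-man switch described in the post above (the poster does not name their script, and this is not it), here is a minimal POSIX shell version of the idea: take a snapshot of the attached USB devices when the screen locks, poll sysfs, and run a shutdown action as soon as the set of devices changes. It assumes a Linux host with `/sys/bus/usb/devices`, and the `USB_GUARD_*` environment variable names, the `usb_guard` log tag and the sample vendor:product ids are my own constructed choices, not anything from the thread.

```shell
#!/bin/sh
# usb_guard.sh: hypothetical USB dead-man switch (added example).
# Started when the screen locks; any USB insert/remove while it is
# running triggers ACTION. Kill it on unlock to disarm.

POLL_INTERVAL="${USB_GUARD_INTERVAL:-0.5}"        # seconds between polls
WHITELIST="${USB_GUARD_WHITELIST:-}"              # space-separated vendor:product ids allowed to come and go
ACTION="${USB_GUARD_ACTION:-systemctl poweroff}"  # what to run on a change

# Print one "vendor:product" id per line for every attached USB device, sorted.
list_usb_ids() {
    for dev in /sys/bus/usb/devices/*; do
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        printf '%s:%s\n' "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")"
    done | sort
}

# Drop whitelisted ids (2nd arg, space-separated) from a newline-separated
# id list (1st arg) and print what remains.
filter_whitelist() {
    ids=$1
    allowed=$2
    printf '%s\n' "$ids" | while IFS= read -r id; do
        [ -z "$id" ] && continue
        keep=1
        for w in $allowed; do
            if [ "$id" = "$w" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then printf '%s\n' "$id"; fi
    done
    return 0
}

# True (exit 0) when the two id lists differ, false (exit 1) when identical.
devices_changed() {
    [ "$1" != "$2" ]
}

# Run the configured action. With USB_GUARD_DRY_RUN set, only report it.
trigger_action() {
    reason=$1
    logger -t usb_guard "USB change detected: $reason" 2>/dev/null || true
    if [ -n "${USB_GUARD_DRY_RUN:-}" ]; then
        printf 'DRY RUN: would execute: %s\n' "$ACTION"
        return 0
    fi
    $ACTION
}

main() {
    baseline=$(filter_whitelist "$(list_usb_ids)" "$WHITELIST")
    while :; do
        sleep "$POLL_INTERVAL"
        current=$(filter_whitelist "$(list_usb_ids)" "$WHITELIST")
        if devices_changed "$baseline" "$current"; then
            trigger_action "baseline=[$baseline] current=[$current]"
            return 0
        fi
    done
}

# Only arm the switch when explicitly asked, so the file can be sourced
# (for example to test the helpers) without shutting the machine down.
if [ "${USB_GUARD_RUN:-0}" = "1" ]; then
    main
fi
```

Run it as `USB_GUARD_RUN=1 USB_GUARD_DRY_RUN=1 sh usb_guard.sh` first and plug a device in or out to see what it would do; only drop the dry-run flag once the whitelist (for example a docked keyboard that is allowed to reconnect) is right. How you start it from your screen-lock event and stop it on unlock depends on your desktop; the point, as in the post above, is to arm it only while the screen is locked rather than from rc.local all the time. Whether the action also wipes disk-encryption keys before powering off is a choice to make in ACTION for your own threat model.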
It looks like Private Lock hasn’t been updated since 2019, most likely won’t be adding anything that’s not currently supported. Had someone test it and it doesn’t work properly on Android 13.
Fair enough, I’m just sharing my experience with Private Lock on Graphene OS and a Pixel 7, which works fine. I’m surprised it’s not been updated or forked, as it’s a very good concept and works well on GOS / Pixel 7 - although as you say, it’s currently not being updated and doesn’t work on Android 13 (and likely other OS / hardware combos).