These two links lead me to agree with you, that I can have a great deal of confidence buying a refurbished Pixel, flashing it with GOS, and then verifying it to create trust in the hardware, firmware and OS:
For completeness, one could do a physical inspection, and if desired, actually open the device to look for evidence of having been previously opened. Could also compare the board to images on iFixit or elsewhere.
Anyone know how to tell easily if a Pixel device has been opened? I’ve opened three or so but don’t know how to easily/quickly tell if Pixels have been opened previously.
Does Android do Verified Execution? If not, per my understanding, Verified Boot on a device that’s been in adversarial hands aka “evil maids” (non-certified refurbishers, if your threat model allows for it) leaves it vulnerable.
Unsure since when DICE’s been supported on Pixels and if that matters when it comes to Evil Maid attacks (where adversaries have physical access to a device)?
This is exactly what I meant when I try and buy a “refurbished item” like something extremely intimate as a phone. The phone is probably the most intimate device people use. It’s just disgusting for me to think about another person’s bacteria etc being on a phone.
The security risk is also there as well of course. I’d rather buy a low budget new product instead.
Again, I know people are struggling financially(I’m not so hot at the moment) so please don’t think I’m saying “Poor people suck Roarrrr!”