These two links lead me to agree with you, that I can have a great deal of confidence buying a refurbished Pixel, flashing it with GOS, and then verifying it to create trust in the hardware, firmware and OS:
For completeness, one could do a physical inspection, and if desired, actually open the device to look for evidence of having been previously opened. Could also compare the board to images on iFixit or elsewhere.
Anyone know how to tell easily if a Pixel device has been opened? I’ve opened three or so but don’t know how to easily/quickly tell if Pixels have been opened previously.
Does Android do Verified Execution? If not, per my understanding, Verified Boot on a device that’s been in adversarial hands aka “evil maids” (non-certified refurbishers, if your threat model allows for it) leaves it vulnerable.
Unsure since when DICE’s been supported on Pixels and if that matters when it comes to Evil Maid attacks (where adversaries have physical access to a device)?
This is exactly what I meant when I try and buy a “refurbished item” like something extremely intimate as a phone. The phone is probably the most intimate device people use. It’s just disgusting for me to think about another person’s bacteria etc. being on a phone.
The security risk is also there as well of course. I’d rather buy a low budget new product instead.
Again, I know people are struggling financially (I’m not so hot at the moment) so please don’t think I’m saying “Poor people suck Roarrrr!”.
It seems like the consensus is that buying a used device from like eBay or Swappa is probably safe as long as it works for most people.
What do you think about buying a device like this for the activist/protester threat model? Maybe they are not leading movements, but they may be local organizers or even just participants in local actions. How safe is buying a phone second hand for this group?
I just don’t think it’s worth the privacy/security risk just to save a few dollars. Again, I’m struggling myself but I just don’t think this is a good way to save money…
Why risk all of your security/privacy to save a few dollars???