Google Pixel with GrapheneOS: resistant to both BFU and AFU attacks on recent models (6a and newer). This is the strongest protection available on any Android device. It is worth noting that alternative Android distributions such as LineageOS or CalyxOS, while valuable for other reasons, do not meaningfully change the forensic unlocking picture from the stock or vendor ROM.

I opened a dialogue with the author of this article recently to add some further information that might be of interest, given the article's nature I thought I would share it here too. Some of my suggestions have already been put in place. I will likely go on to recommend adding more countermeasures not mentioned in this article, such as the use of user profiles/private spaces for separated user data encryption. This post provides an overview on how disk encryption works on Android, common attack vectors used by forensic tools to brute force or extract a device, their countermeasures against popular security features like automatic reboot in iOS and how you can protect yourself against such tools, including several mentions about #GrapheneOS. View quoted note →