- cross-posted to:
- android@lemdro.id
I am surprised that Google spends so much time tackling custom ROMs via it’s Play Integrity API. If only they paid that much attention to, say, curating the Play Store more, it would be much better for everyone.
I think the main reason third-party ROMs aren’t more popular is that Google and certain app developers fuck with people who use them. The article addresses the difficulties later on, but comes up short in my view on just how much of a hassle it is for someone who isn’t a tech enthusiast who wants, for example to keep an older phone up to date for security reasons.
I think the main motivation for Google is limiting user control over the experience. More user control leads to unprofitable behaviors like blocking ads and tracking, which is also the motivation for recent changes to the Chrome web browser that make content blocking extensions less effective. In all cases, companies that try to take away user control claim the motivation is security, usually for the benefit of the user.
Got so tired of google pay breaking on crdroid that I got a credit card just to use my watch instead.
Still rocking a op7 pro on android 14.
There should be some safety net bypass hacks for magisk
There are different types of workaround but every single one of them is playing the same cat and mouse game with Google. It works for a while, then it doesn’t, workaround is updated, it works, then it doesn’t, rinse and repeat.
I’m using a custom ROM but it’s so fucking tiring if I want to keep Google Wallet working. Fucking Google.
I just keep my credit card with me at all times. It doesn’t occupy much space, and google pay can go pound sand.
Custom ROM gang :)
I do that too, simply because I’m always carrying around my wallet anyway. But sometimes using my phone is handy (heh). It’s just that the constantly changing state of it working and not working makes it so that I can’t trust it to work, so I use it less.
I know the pain. Before I found a very obscure device fingerprint I could do a little spoofing with, I basically had to search the web like once a month for something that would let me bypass PIAPI again. It was exhausting.
Ironically enough soon after I found that obscure fingerprint I switched to paying with my credit card instead of my phone since my banking app couldn’t let me turn on contactless payments with my phone for whatever reason.
Not rooted, nor do I want to be.
Now I have an excuse to buy one of those gold plated credit cards!
“This is why I <lukewarm take> in <current year>”
Didn’t read the article, but I hate this style of headlines with a passion. Using custom ROMs isn’t even something controversial, yet they go out of their way to make it sound like they’re breaking some social taboo or something. Why not a simple and concise title like “Advantages of custom ROMs” or “Consider installing a custom ROM”. It sounds like a meme speech pattern straight out of 4chan, except they’re using it with zero self awareness or irony. How about an actual hot take: journos who write like this are pretentious pricks that deserve to get replaced by chatgpt.
You slammed his article with your reasoning.
Slammed/slams is my absolute least favorite headline trend of the past decade. So trash.
Randomgal BLASTS the article by pointing out that renzev SLAMMED it with reasoning
This is why I brush my teeth in 2024. This is why I still wear jeans in 2024.
So radical, man
This is why I still prefer public restroom glory holes in 2024.
for some reason rooting is a hot take.
A lot of people in the reddit rooting subreddits telling others not to root anymore.
The Play Integrity API is less about security and more about Google asserting their monopoly.
They do not want truly open source Android platforms to gain popularity, because there would be a high chance people would want ad blocking, which is a direct threat to their profit margins.
I hope EU takes regulative action to force Google to allow GrapheneOS, LineageOS etc. to be able to run the same apps without issues.
God I hope so.
Yep, totally
Magisk can bypass most of those issues. Might as well root if you’re using a custom rom.
Magisk is a godsend. I just wish you could add a password protection to the bootloader and the recovery rom (like the TWRP). That is the one downside to unlock your bootloader. And you can’t like unlock when you need and relock it because to unlock it erases everything. I know that is one more dark pattern from Google to make you keep your phone locked. If they cared about security they would enable a way to put a password to the bootloader
Some of us like to tinker. We really get satisfaction of having a weird niche filled and even if it comes at the cost of stability and other issues. Heck my Custom Roms used to be more up to date with security updates than phones that were older than one year.
I could use kernels that undervolts my processor to give me better battery life. It allowed features that even 5 years ago were on the custom ROM scene still very absent from modern phones.
But the most important part for me was learning, discovering. If I tried a new ROM I would spend hours going through certain roms settings. If there is a glitch, learn how to diagnose and try to fix it, or learn to send a logcat to the developer.
It was like a fun hobby. I learned how to fix some of my old phones, like screen replacement, and learned how to cure uv reactive glue. So many other things and I was just a noob.
But it gave freedom. I understand iPhone and the other high brands are easy to use, have gimmicky features and all, but dammit I have freedom to have my weird niche phone, with multiple breaking features and I loved it because it just worked.
If Google truly did hold security as its main concern, it would have opened the Play Store, yet we know now they only wish to protect their monopoly.
This is what motivates me, too, though you go in more than I. I love having my degoogled pixel 2xl on Android 14 and running almost as snappy as my pixel 6.
I finally gave up on my moto x 2013 about 2 years ago, but I still have it. It’s like holding a river stone that perfectly fits my hand.
This is a very complex topic that is very hard to draw the line on.
As a technical person who follows hacking and security news i can understand google introduced the api and warnings, as phones are getting hacked and unlocked bootloader or root can be abused to keep your malware going, and has been abused in the past.
But as a user of fairphone/lineageOS, who tells google, apple, meta, … all of them to fuck off when i can, this scares me. The lockdown of devices can and is going too far. Hell, i even consider samsung’s android ui changes to be going too far, as it changes a shit ton of stuff and really is not a stock android experience. It locks users in their environment…
I find it funny that Google and some banks are so worried about security on Android that I have to have up to date system, app and can’t be custom ROM, can’t be rooted and whatnot. And then they’ll allow you to login to their bank from Internet Explorer on XP or some shit.
This. This, this, this, this!
My linux computers are rooted. I can get root any time i need it and nobody is refusing to offer their services on linux because it is vulnerable.
Nobody ever points out that when any app wants root, you get a dialog to ask if it can have it. If you don’t know why it’s asking, say no. It ain’t rocket science.
Now, if you are going through customs and you don’t want them to copy your phone and read all your personal documents, that is a different situation. Lock your bootloader unrooted and encrypted to the nines. Preferably use a phone with almost nothing on it.
> nobody is refusing to offer their services on linux because it is vulnerable
That’s not quite true, though in that case it’s about the service provider being unable to verify that the user isn’t running an operating system configured or modified to work against the interests of the service provider.
Written with a slightly more precise wording, they know Linux users have full control of their devices, so cannot keep them from using it in ways the company does not like. In this case, fine. Go away and take someone else’s money.
Stated from another angle, they won’t support it because they can’t hijack it for their own purposes.
Stock android experience is the exception, not the norm, sadly. Some manufacturers like Motorola or HMD have a light touch and close to stock but other ones don’t. The worst offenders are Chinese brands who twist it so much and without much benefit (at least Samsung’s ONE UI is customizable as heck, can’t say the same for Realme’s).
Can you cite examples of rooted smartphones leading to significant data breaches or financial losses? When the topic comes up, I always see hypotheticals, never examples of it actually happening.
It seems to me a good middle ground would be to make it reasonably easy (i.e. a magic button combination at boot followed by dire warnings and maybe manually typing in a couple dozen characters from a key signature) for users to add keys so that they can have a verified OS of their choice. Of course, there’s very little profit motive to do such a thing.
Pre-locked bootloader times I’ve had multiple android devices be passed to me that were malware infected that changed the rom in a way that even a factory reset would not remove the malware. Locked bootloaders made it so the rom needed to be signed and unaltered on boot, fixing this. Root access also means apps can use and access APIs in android that it normally can’t, changing settings and things inside android it shouldn’t. What do you think happens when malware comes in? :p
IMO, I agree with what you said. bootloaders should remain locked but you should be able to somehow, in the bootloader, be able to add the os’ signature/keys to the bootloader’s trusted stuff like how secure boot on a pc keeps os signing keys and verification stuff inside the tpm.
This way you can install lineage os for example, tell bootloader to trust it, and lock bootloader again so nothing can be changed anymore.
I wouldn’t take this from user input, as that is controllable by malware, but rather come from the OS itself. Maybe even during installation, idk
@DacoTaco @Zak@lemmy.world @kirk781 @android
Lemmy.world’s cloudflare doesn’t like the content of my reply, so posting from another account.
No doubt offering the user the opportunity to verify they’re running the OS they think they’re running is a Good Thing. I’m more skeptical of giving that ability to app developers, as Google has done.
> Root access also means apps can use and access APIs in android that it normally can’t
Yes. That’s what it’s for.
> changing settings and things inside android it shouldn’t.
Now there I disagree. AdAway *should* write that a bunch of advertising domains map to 127.0.0.1 in /etc/hosts. AccA *should* write settings that limit battery charge and extend battery service life to /sys/devices/platform/soc. Why should they? Because it’s my device and I want them to.
A more fine-grained mechanism for these system permissions would be very welcome of course. AccA should *not* write to /etc/hosts and does not need permission to do so in order to manage battery charge.
> bootloaders should remain locked but you should be able to somehow, in the bootloader, be able to add the os’ signature/keys to the bootloader’s trusted stuff like how secure boot on a pc keeps os signing keys and verification stuff inside the tpm.
This is pretty much how GrapheneOS recommends doing it, but only a few devices (mostly Pixels) allow unlocking, then relocking the bootloader. Keys can only be added while unlocked.
I’m still using LOS and still fight with google over Play integrity from time to time. there’s a fairly new patch that spoofs the fingerprint of the phone and fixes the issue entirely for me (play integrity fix by chiteroman) as long as it’s updated, my gPay still works. I prefer using custom OS because it’s much more customizable and has little to no bloatware. any unwanted apps can be removed. I can route my VPN to my WiFi hotspot, in order to get full speed tethering. (I’m a T-Mobile user and they throttle) I have a system-wide ad-blocker that uses the hosts file. I have the ability to allow root to only some apps, and deny it to others.
To me, it’s worth doing. I have no internet at my house, so I primarily use this to get online. The stock T-Mobile firmware is laggy and loaded up with their apps you can’t delete. You’ll get the “3g speeds” hotspot and their annoying branding on everything.
Going back to that would really suck!
This is offtopic, but fuck it, might as well.
Why do you use a digital wallet? For me, money is one of those things I literally can’t allow to fail; growing up poor means it’s still a touchy subject. A digital wallet adds extra risk of payment failure every time it is used.
So, what does a digital wallet add that makes it worth not just the effort of setting it up in a stock system, but also in a custom ROM where it is actively broken by the app developers as a form of “security”?
For reference, I still keep cash on my person in case my cards (or their machine) fails.
I know I posted this on your comment, but I would love to hear everyone’s answer to this.
i have yet to use one of these digital wallets but i would imagine a large part of it is “because everyone around me is doing it.” not necessarily herd mentality but the social shift of it making checkout processes faster so if you’re using cash or a card, you’re inconveniencing the people in line behind you (however rational that may be is another topic).
i live in a semi-rural area and have seen very few instances of someone paying with their phone. it’s so rare here, i’m not even sure how the process works. tap to pay with a card has only recently been more normalized here. however, when i travel for work to big cities, it seems like the only times cards are used is when there is a large group meal at a fancier restaurant.
i also carry a small amount of cash in case my card fails or a card machine is down but it’s very rare to see cash used here as well, except for personal payments. even then, third party pseudo-bank apps are consuming that process (cashapp, venmo, etc.).
i’m not trying to justify any of these payment processes or mark one as better than the others. it’s just an observation.
> you’re inconveniencing the people in line behind you
They’re inconveniencing me with their thoughtless jump into cashless society. Fuggem.
Isn’t what you’re describing herd mentality, putting the need of the group or other individuals above oneself - never mind if it’s consciously giving up on cash money in exchange for speed or not?
sure, i expected this reply. again, i don’t necessarily agree with the statement. herd mentality or not it’s merely what i’ve observed.
well, I totally could live without it. It’s just nice to have in case I don’t have my card/cash as a last resort kind of thing. all I do is add the magisk patch, and add shamiko, keep it somewhat updated, and it’ll work 99% of the time I use it. As for google, they probably do this to reduce liability on their end if something does happen. I haven’t heard of any issues from anyone so far.
For me digital wallet is a bit more convenient than using my real wallet, but not essential. I have one credit card that I use all the time, but it seems my bank hasn’t bothered to make it work with NFC payments yet for some reason, but it works with Google Wallet so that’s nice.
I also always keep my wallet with credit cards and a little bit of cash as a backup. One time I was out at a bar and there was a power outage. They were still serving drinks, but instantly all transactions switched to cash only. I think it makes a lot of sense to have backup options.
The opposite can be good too – your phone as a backup just in case you forget your wallet.
It’s probably not entirely been worth the effort to stay up to date with changes whenever Google breaks things. At some point I may stop. I guess one immediate value has been that watching things unfold has hastened the souring of my view on Google. I am now frequently looking for ways to avoid their ecosystem, and avoid big companies / non open source in general. I’m far from ready to leave the ecosystem on every front. But at the very least, I would never recommend a Google product in my professional life at this point, at least not without careful planning of an exit strategy.
Last time I used one was because I forgot my physical wallet and needed to pay for something. I don’t want to tell Google about my shopping habits, but I like to have options in case of emergency.
I’m running LineageOS (with GMS), Magisk, and Play Integrity Fix.
I’m not dealing with all this tracking and surveillance bullshit on a regular basis. No digital wallets, no mobile payment. Cash as much as possible. Where I live most stores allow cash withdrawal, I’ll literally rather withdraw cash in one go and then pay with that cash at the same check out to sever the link between me and the purchase. I do keep a modest amount of cash at home.
I feel the way you do. I always keep some cash, don’t bother with those cash apps, and use a credit card with a good cash back plan. To me the cost of going digital in this area outweighs all benefits.
I used custom roms for many years, but I now use my phone to pay almost everything, and I need my banking apps. magisk hide is unreliable so I won’t be rooting my phone again I think
Same. Those features are more important than anything I get by rooting.
Honestly I don’t even need root for anything. Adblock runs through a fake VPN app. My Pixel used to have a green screen tint, but Google fixed that at the OS level, so I don’t need to have an app for that any more.
Those of us who actually use VPN don’t have that option since only one can be in use. Magisk + AdAway, for me.
Care to share the name of the spoofed app?
There’s also NetGuard and rethink that spoof VPN connections to filter traffic. I use the latter to block all outgoing apps except for the ones I allow.
https://f-droid.org/app/org.jak_linux.dns66
Looks like it hasn’t been updated in a while, but it still works.
Thanks!
I think people that take that approach to life are partly ruining it for us all. You’re selling your privacy for convenience and in the process legitimising the removal of (what I consider) more ethical and reasonable solutions.
No, phone payments can be much more private than a card payment.
Edit: who tf is downvoting this objectively true statement?
yes this, phone payments mask your card id in the POS. it’s way more secure
Perhaps, but I advocate against using both card and phone payment. Cash is the only truly private pay method, barring facial scanning cameras at the counter. Each to their own.
- If you’re happy, just continue and ignore this comment
- you can try kernel-based root apps such as apatch (my recommendation) or KernelSU
If the day comes when LineageOS (with microG) becomes unusable for me, I will just switch to iPhone. I hate Apple, and I’ve been using custom ROMs since Cyanogen in 2010, but there’s no way I would raw-dog a Google device.
Luckily there’s GrapheneOS for the Pixels. I’m thinking about buying a refurbished Pixel since my Poco X3 Pro with Lineage OS is having ghost touch issues. The only thing holding me back is less screen real estate.
I would probably switch to Huawei os device. No Google by design.
In fact - I might in either case, there is just too much shitty things Google does to android.
Enjoy the much safer Chinese military spyware.
I don’t think they do it actively. There’s just not a big enough issue for them in custom ROMs to even bother doing something about it.
Rather, they got other issues to tackle and custom ROMs are so off their radar, they get swept up simply because nobody cares (either way) to check.
Google doesn’t want distributions of open source Android without Google services to be a viable option for mainstream users because that would reduce their ability to extract profits from the Android ecosystem.
While the focus is surely more on OEMs than end users at this point, I’m sure Google wants to keep the difficulty level for end users high enough that it remains niche.
> I’m sure Google wants to keep the difficulty level for end users high enough that it remains niche.
I really do not think they need to. We tech communities massively overestimate the desire and even contextual awareness (and desire to have such awareness) of regular users to engage with these topics.
Keep in mind that the vast majority of Firefox users - a browser inherently more used by tech-savvy people! - have 0 addons installed. And probably 0 desire to change this. Or to even waste thought seconds on considering whether to change it.
To users, smartphones are tools. Like hammers. If it stops being a useful hammer, do you take the head off and re-forge it? No, you buy a different hammer that does what you need it to do.
Hammers are cheap and don’t have my sissy pics in them while reporting to a company that spies on people.
Maybe, but the archetypal non-technical user, my mother, does want to run a third-party ROM. Her phone is out of its official support period, and she knows that security updates are important and would like a way to get them. Most people, at least in wealthy countries, do have a technical person in their lives they can ask things like that. She doesn’t want to buy a new phone because it would be too big and lack a headphone jack, a position I share.
I had to recommend against running what I run (LineageOS, Magisk, Play Integrity Fix). Without PIF, too many apps will refuse to run on LineageOS. She doesn’t need root for much else (maybe adblocking) and doesn’t have the knowledge to make good decisions about whether to grant root permissions to an app that asks (Magisk doesn’t have an allowlist-only mode, but it should). Finally, keeping root through an update is fussy. It’s not hard, but it’s an extra step that has to be done in the right order every week or two.
Unlike Firefox in 2024, a third-party Android build that’s easy enough to install and isn’t sabotaged by Safetynet would be something many non-technical users care about: an extended useful life for their devices.
There will be a big enough issue if people start saying how they’ve got theirs with no issues. The primary motivation for people not bothering with Linux is because Windows “just works” and Linux presumably was work. If degoogling stopped being work, then more would do it.
Linux has become extreme easy mode as well as a polished non intrusive experience and people are really drawn by that!
extremely pedantic whining over the term “ROM”, but when has a custom android distribution ever dealt with “read-only memory”? is or was there some immutable component of Android that could be interpreted as read-only?
also I switched from iPhones to Google Pixels running GrapheneOS four years ago and I’ve never looked back, it’s really solid and gives me the amount of control I expect and demand over hardware I’ve purchased upfront. Pedantry aside, I strongly recommend GrapheneOS
Do you use it on a Pixel? Last I read, that’s the only officially supported phone. It feels ironic giving Google money for a phone so you can use deGoogle more.
Don’t get me wrong, I’m all for it, I just wish it supported more devices.
I do, yes. First on a Pixel 5 and then (and currently) on a Pixel 8 Pro.
The purely emotional icky feeling of giving Google money is far less important than the tangible security, privacy, and usability upsides of GrapheneOS on a supported device. But if that’s important to you, just buy a Pixel secondhand, Google gets no money from that.
I wish more devices were supported too, but my understanding is that only Google makes devices that are both secure and open enough.
Article in German, but the relevant points from the GrapheneOS lead are all in english: https://www.kuketz-blog.de/weshalb-grapheneos-aktuell-nur-google-pixel-geraete-unterstuetzt/
One point about Samsung:
> Samsung takes security almost as seriously as Google, but they deliberately cripple their devices when you unlock them to install another OS and don’t allow an alternate OS to use important security features
I did not know most of that. Very informative, thanks!
> Samsung takes security almost as seriously as Google, but they deliberately cripple their devices when you unlock them to install another OS and don’t allow an alternate OS to use important security features
What does the crippling and security features refer to?
Seems like you can’t re-lock the bootloader after installing an alternative OS, for one
I know exactly as much as you do about it. Just quoting the lead dev.
It’s painful disabling knox so you can root or flash custom roms.
They’ve always been called ROMs, not sure why, but it’s been like that since the beginnings of Android
Does anything related to money work on GOS? Bank apps, check deposits, credit card apps, nfc payments? Any other apps/features disabled by Google?
Seems like a huge sacrifice for perceived privacy improvement.
How is this significantly different from using vanilla Android without signing into any Google accounts?
Payments don’t work, because of the play integrity api. But the bank apps that I use do work, even though they didn’t in my previous phone that was running a custom ROM with magisk to hide the tampering. GrapheneOs supplies their signatures so that app developers can support it, but I imagine not all will.
For me it has been a great experience so far. Installation was easy and fast, the privacy settings are great and almost everything works for me just fine. I had a couple of issues that I was able to fix by searching for it on their forums, which is quite active
Which payments don’t work?
Nfc payments. Google pay doesn’t work. I believe any other doesn’t work either but I’m not 100% sure. I never used them
Oh right, those. I honestly completely forgot that’s a thing. And is a fair point, even tho I just use physical cards I totally understand the convenience and security benefits of token based payment systems like that
I tried to use Graphene and bailed because none of my banking apps played nicely. Good luck if you try!
Two credit union apps work fine, venmo and paypal work fine. YMMV with other financial institutions but it’s not been a problem for me so far.
To answer your last question, there’s way too many differences for a lemmy comment, so I suggest reading their features page for a broad overview: https://grapheneos.org/features
One feature that’s closest to your question, though:
> Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access.
I read it and I think I understand why people are using it, but just to clarify your Google play example: you still can’t use it without being signed into Google account, right? Is your concern what the app does while it’s not running? Because it feels like they’ll still collect the same amount of info once you sign in to install the apps.
Do you try to use F-droid for most things?
It’s unfortunately really not that simple. But for a short answer, I use Aurora Store for anything I can’t get from F-Droid, and even tho I have the Google Play Store installed (as some apps require it for stuff like notifications or location) I’m not ever signed into it and I don’t use it to install or update apps
It’s firmware, hence why the word ROM stuck. Once you flash the firmware to specific partitions, after the boot you can no longer modify it, unless you have root too. Technically nothing is ROM, there is always a way :).
That makes sense, and immutable OSes seem like a great idea from a security standpoint
via its* Play Integrity API
Google just wants to copy the fruit store. They want total control and have seen how the fruit store does it. Competition is bad for business.
I moved to Android for the 1st time ever in 2020 from an iPhone 6s.
The device I decided to go with is a Poco F2 Pro which lost official support years ago, it has decent hardware and even the battery still holds up (with a good custom ROM, I still achieve 8 hrs of SOT).
It just took me about a year, or perhaps less to move to the custom ROM scene, and for me I can’t ever go back to stock Android ever, even when it is a big step regarding iOS features (except for LS customization) the amount of stuff you can do with rooted android device is no joke.
My only regret is that I was never in the prime days of rooting… At least Telegram communities are super active, not that it is better… But personally I prefer it to discord lol.
I was in the prime days of jailbreaking though, too bad that they seem to be doing worse nowadays.
Top 3 examples for the stuff you can do that’s so worthwhile?
With root?
- Having a superior backup and restore method, Swiftbackup rooted is way better than Google’s solution.
- Hassle free ad-less YouTube (and YT music) the root apps (Magisk or KSU) come with a way to auto update, so, from the user side I just hit update and I am good to go, no need to waste time patching the apks myself.
- I can replace the Google news from the side/left menu with whatever app I like, in my case, the Feeder app.
I can go on, but you just asked for 3.
I love those thank you!
I just disable Google app completely. Then Google news on the left just goes away
Fair, but I still want something on the left.
It’s true what you say, the golden days of rooting are over. I rooted my phone just so I could set a battery charge limit, but a recent update for the ROM I’m using (/e/ os) added that feature natively lol. Pretty much the only thing you can do nowadays with root is install tweaks that hide the fact that you have root from other apps lol.
> Pretty much the only thing you can do nowadays with root is install tweaks that hide the fact that you have root from other apps lol.
While it is true that you can install those modules to hide it, I wouldn’t say they are the only reason to stick rooting lol, a lot of apps work way better with root permissions, Battery Guru, FKM and AdAway are 3 good examples that I can think of right away.
I install custom ROMs on every device in my household. How concerned should I be? None of them are rooted. Would disabling Play Integrity via adb fix this?
If all apps that you want to use work, there’s no reason for you to be concerned.
I see. Personally I have no concerns since I don’t even use G-apps at all. However I don’t want anyone to come to me with a problem either, which currently none I believe.
The cat and mouse game is especially why I no longer root my phone. Ain’t nobody got time for dis.
I’m just gonna get a Huawei phone to punish Google for this