This writer seems to think so.
http://www.theverge.com/2012/2/16/2801916/home-baked-roms-its-going-to-blow-up-sometime-soon
Actually he makes some valid points (and I use a Custom ROM myself).
Absolutely ZERO disrespect intended to the ROM developers here --- we should appreciate their very hard work and opening our devices up to so many other options and enhancing performance.
But after reading this article, what do people think about the safety of ROM flashing .... not in terms of bricking the device (we all know the risks), but in terms of:
A) Unintentionally opening the device up to exploits due to poor coding etc
B) A rogue developer intentionally exploiting to capture data for profit
Are you comfortable doing bank transactions on a rooted android device w/ custom ROM?
Interesting question
I have never even thought about what I do and don't do on my custom devices.
Forget the internet banking etc, there's also the entire gamit of email, social sites, work email etc etc
Just as well I trust you all!
This is definitely a concern......
Here in Korea though, the banking apps do not allow you to use them with a rooted device.....So each time, I have to unroot my device in order to do banking.
I do not know, however, if once I root again it would give the developer or hackers access to that data......
Something to think about as well though!
I realized: I never looked for an app that investigates security issues on a smart phone.
perhaps someone with knowledge in this field can give a few hints to usefull apps?
and yes, "I am with stupid too"
Motorola Defy+ with Quarx's CM9 nightlies and most of the time I still have no clue to what I am doing precisly.
But on the bright side: I do not use my phone for banking, there's nothing to "bank around"
Hmmm -- I had never considered that banks would block it -- have not tried yet. You make a good point about what remains on the device later -- at a minimum clearing browser history is a good idea -- but even that could be circumvented with a devious enough approach.
[email protected] said:
This is definitely a concern......
Here in Korea though, the banking apps do not allow you to use them with a rooted device.....So each time, I have to unroot my device in order to do banking.
I do not know, however, if once I root again it would give the developer or hackers access to that data......
Something to think about as well though!
Click to expand...
Click to collapse
I agree. From what I have seen most of the "advanced" posters here dismiss antivirus packages as a waste of time and money and they could well be right. Still I have not been able to find any real discussions on the risks the article I posted raised. It would be great if some of the more "expert" members here could offer their views.
I am loving my rooted G-Note with custom ROM ---- but I do not really have confidence in Android and its various hacks yet. Unfortunately the alternatives are rather poor.
gentle_giant said:
I realized: I never looked for an app that investigates security issues on a smart phone.
perhaps someone with knowledge in this field can give a few hints to usefull apps?
and yes, "I am with stupid too"
Motorola Defy+ with Quarx's CM9 nightlies and most of the time I still have no clue to what I am doing precisly.
But on the bright side: I do not use my phone for banking, there's nothing to "bank around"
Click to expand...
Click to collapse
I would say I agree and disagree with the article.
For me personally, when I decide to get all flash happy with my Android devices, I tend to not put any information regarding banking or credit cards. Logically, at least to me, the concerns sited in this article do occur to me. Then again, to be honest I do not put any of this information on my non jail broken company secured and encrypted I phone either. Call me paranoid.
Where I disagree with the article is in the insinuation that using a stock ROM with apps downloaded from let's say th he iTunes store is really much more secure. If a baked ROM can be pulling information behind your back, and somehow bypass security measures written into a banking app, why could not a fart app some momo downloads to be the life of the party do the same?
Flyer
I have been thinking about this ever since I've rooted my phone and flashed the first custom rom...
-and I still don't have a real answer.
Thats why I prefer stock ROM
finally its your (user) wish, weather to use custom rom or stock rom.
none of the developers are forcing to use their custom rom.
rom development is hobby,passion, and part-time for some of developers.
my few words.pls correct me if I'm wrong
Ever heard of pdroid? Droidwall?
reversegear said:
finally its your (user) wish, weather to use custom rom or stock rom.
none of the developers are forcing to use their custom rom.
rom development is hobby,passion, and part-time for some of developers.
my few words.pls correct me if I'm wrong
Click to expand...
Click to collapse
You are not wrong, but you are definitely off topic.
This is so one sided. You can say the same about any OpenSource program with small userbases. Take any little Linux Distri, any small OSS and you get to this problem quickly. Most of us can't review the source code properly so we have to rely on others. But at least you CAN rely on someone. You can't rely on anyone at closed source programs.
That's why you use Truecrypt for encrypting your hard drive and not Bitlocker, that's why you should use a Linux Distri and not Windows and that's why i use OpenSource ROMs and not the closed source StockRoms and even try to have as much OpenSource Apps on my Phone as possible.
Just my 2 cents.
He has the points and those are sorely his.
Calling other ROM flashers idiots is ridiculous and not very nice. In fact, based on what he typed, he seems to be an idiot himself.
Now to other Rom flashers, as long as then understand the risk of doing so, they entitle and fully responsible for their actions, no need to teach them.
Security issue? I drive a car to a bad area, get off, windows still lower, not even care to lock the car. That is my choice.
Now I'm going to the very nice, high educated area, I choose to lock the car, put the steering-wheel lock on. Again, it's my choice. Home wireless network, I choose to set the password or not, it's my decision. I understand the risk of not doing that. And if I choose not to do that, it doesn't make me an idiot.
Next, not all baked ROM are based on leaked official one. CyanogenMod team is well-known and they based on the Google source code, ASOP, not a leak one from vendors.
So, if ROM flashers realize what source they use, they're all set.
Writing a long article with just one-minded lopsided thinking like this is pretty lame.
an0nym0us_ said:
Ever heard of pdroid? Droidwall?
Click to expand...
Click to collapse
Pdroid: looks very promissing but you need to be a programmer and only for Gingerbread.
Droidwall: from what I understand from it it is a kind of fine-tuning of your data traffic. Pdroid goes much, much further and I would prefer it.
A real shame I'm not a developper/programmer and also very happy with my custom ICS ROM.....
On the bright side; I like tweaking but not social networking or any other more "dangerous stuff" Just like I'm used on my PC.
I've never bothered with a custom ROM, partly because I just realise that pretty much everything I could do with a custom ROM, I can do manually with a rooted phone. I don't like to install a package of software someone else thinks I should use, I prefer to pick and choose the stuff I want. Security concerns never really bothered me, I don't care too much about the security of my phone (I guess maybe some people would be annoyed at me if my contacts were stolen or something, but other than that there isn't really anything I care about on my phone). I never do online banking etc. on it, but that's just because that's something I do very rarely and only do when I'm at a computer anyway.
gentle_giant said:
Pdroid: looks very promissing but you need to be a programmer and only for Gingerbread.
Click to expand...
Click to collapse
You don't need to be a programmer. All you do is get your ROM zip, run the PDroid patcher on the ROM zip, it'll give you a patch zip, flash the patch zip in recovery, install PDroid from market. And I think there are unofficial ports to ICS possibly.
Doesn't stop me from flashing custom ROMs.
Oh well...?
Sent from the future.
I though the article itself was a bit sensationalistic but at the same time I think changing the ROM in a system (not to mention giving root permissions to apps) is a lot more potentially intrusive than downloading apps from Itunes or Gplay.
Anyway I like my custom ROM setup but I sort of feel like I am whistling in the dark at times. I think a lot depends on how sophisticated we are as users.
Case in point:
When I flashed my ROM for the first time, I freaked out seeing a bunch of Chinese names every time I made a call to certain numbers. The good thing about XDA is if you search you can find anything about ROM issues and in this case I learned that this was due to the developer using the contacts part from the leaked Chinese ICS and it had something to do with a "Phone locator service" that could be disabled. Ok so I disable and go back to whistling in the dark --- but I have not been able to learn what the phone locator service is in the first place or WHY i had Chinese names showing in my calls.
As a relative Noob I can follow instructions from most of the generally well written instructions on XDA and not get into trouble --- but (rhetorically) do I really understand the background issues and risks with some of these things?
What is this phone locator service anyway? Why the Chinese Names and Locations in the call indicators?
mcord11758 said:
Where I disagree with the article is in the insinuation that using a stock ROM with apps downloaded from let's say th he iTunes store is really much more secure. If a baked ROM can be pulling information behind your back, and somehow bypass security measures written into a banking app, why could not a fart app some momo downloads to be the life of the party do the same?
Flyer
Click to expand...
Click to collapse
Well you are right that we are all responsible for our own choices. I just think it is better for all that people can make as informed as choices as possible. That is why discussions like these can be good (even if the article was inflammatory).
To extend your analogy, maybe you think it is your choice to leave your car unprotected. But maybe your insurance company will disagree and try to teach you better? Maybe the police inform you to secure your car because you make more work for them when your car is stolen?
So as a car driver it is your choice, but many might argue that the community of car drivers needs to be educated on the risks of their behavior so that they can make more informed decisions. Then you benefit and the community benefits (keep insurance rates down, free up police resources etc.)
I hope I made sense
votinh said:
Now to other Rom flashers, as long as then understand the risk of doing so, they entitle and fully responsible for their actions, no need to teach them.
Security issue? I drive a car to a bad area, get off, windows still lower, not even care to lock the car. That is my choice.
Click to expand...
Click to collapse
I'd rather take the risk and enjoy life than sit on the sidelines. Considering that all smartphones have vulnerabilities, stock or no, I'll take my chances. I also have a bit of faith left in humanity in general and more so some in communities like XDA and Rootz where the general idea is clearly that these are places for everyone to contribute to everyone else, not to come in and scam.
Let's be real: if someone comes through here and drops something that ends up defrauding other for every person involved in coding the malicious item there are ten more capable devs who will have the motivation to take them to task in most unpleasant ways. I, for one, would not put my butt on the line by choosing a dev forum to release or market my malware.
Related
I've been playing around with all the 6.5 ROMS available on this forum (plus have been lurking for a while so felt like doing some contribution could be appreciated ).
My company is very stringent about enforcing Exchange ActiveSync policies, especially PIN CODE, timeout to lock and remote wipe.
I noticed that on the 230XX series (I have tested up to 23053) posted here, there are two different behaviors, one serie works with my Exchange Active Sync, one does not.
Since the PIN request and lock timeout work fine with them, I have to assume the remote wipe feature has somehow be disabled by this ROM.
I have been able to identify that a ROM will give me this problem even without connecting with my Exchange Server.
in 100% of the case, if I try to import a root certificate on a "hacked" ROM, it will be installed without any warning, just a "Certificate successfully installed, press OK" dialog.
Now, on a ROM that is not "hacked", when you try to import a root certificate, you are warned that this may be an unsafe operation and have actually to confirm.
This is very concerning to me, because the warning being removed means that any bad guy can leverage these ROM to deploy a rogue root certificate to your device and your device can start trusting wrong sites.
I do not intend this to be an exhaustive list, but as of my testing only the following two ROMs work correctly:
- NATF
- RRE
All the others do not. The source of the non-working ones is either the same, or these people have purposedly altered the ROM to change the security settings. But the result is the same, security altered ROMS.
If anyone could confirm they are experiencing the same, I would not feel alone on the planet
UM
I'd just like to reiterate that this is a development community- most of the cooked ROMS you've tried are experimental works in progress. We tend to take our experimenting a bit far here- but as none of our 'products' are really production tested, it's fairly safe to say that all of them are just a bit unsafe.
A stock ROM has the benefit of being tested in a production environment- and while performance on these ROMs may not be optimal, they are composed of a set recipe of components established between the OEM and Microsoft.
Many of our ROMs are conglomerations of various different components- so it's not exactly safe to say that any of them can be held completely accountable for device security- there may be plenty of exploits present behind the scenes that never have been exposed or rectified.
We're small-scale individual developers. Most, if not all of us, do this for fun. Many of our packages deliberately alter the way in which devices handle certificates and signing- because it allows us to expand the boundaries we develop within.
If you're looking for guaranteed security, your best bet is to stick with a completely stock device. If you choose to use another ROM, any insecurity is not on the developer, but you.
Very well said! On top most, actually all of the 6.5 based ROMs have a microsoft beta as a base. Though it may be a save bet that the latest built # may be the closest to the final release at Oct. 9 it's a common practice to reduce/alter some "security" settings an policies for an "easier" way to success. None of these facts is to blame on any ROM chef or developer or however you want to name these creative heads here.
Their work is just incredible and I bet that ms or HTC would be proud to have such guys on board.
Note:
I bet that some individuals of both companies keep a close eye on what's going on here.
Guys,
Don't get me wrong, I know what I'm doing when installing a beta that has been leaked.
First, it's illegal, we are stealing non published source code, infringing intellectual property and probably making ourselves guilty of too many felony counts to be able to get out of jail without a long white beard.
But, joke aside, this was not the point of my post and I am sorry if I didn't explain myself clearly.
There are 23053 builds that work well are 23053 that do not, as was the case with any previous build number and, consistantly, I have had two out of the pack working exactly as expected from a security perspective, and all of the rest not working as expected.
So, since I do not believe MS is deliberately compiling one tree of the code with embedded security and another without, it means that someone in the middle is affecting it.
That was my point.
UM
Hummm...
Wrong approach fellow...
Wrong place, wrong time and wrong people.
Don't expect to be received with an open heart while commenting such things...
Imagine the following scenario:
A priest enters a strip bar and tells the owner of his concerns of moral ground, about the practices that take pace there... LOL
I may understand your point, definitely not your purpose.
If you are lucky enough not the get flamed, you will at least see some frown faces...
Leave it...
As someone suggested before, remember this is a development community...
If what you find doesn't suit your needs simply suggest changes or don't use it at all.
If you concluded, after experimenting, that the only functional ROMs are NATF and RRE ones, allow me the following suggestion:
Choose between 3 options:
1. Use a stock ROM so you don't «steal» form anyone and don't risk having to spend 5 days in a row shaving...
2. Use a NATF ROM
3. Use an RRE ROM
I believe i made my point as gently as I could...
If i may have hurt some feelings, i am deeply sorry for that.
Cheers
Well, 2 points in answer to your post where you obviously did not read mine:
1) Did you miss the sentence that starts with "Joke aside" ??
2) Don't care of being flamed, I provided evidence to people that want to make up their miind, they don't need you to tell them what is safe or not for them
Bottom line is:
- if you do not want to have a phone crashing on you, use a stock ROM (that's actually a good joke... Stock ROMs do not crash less than their beta counterpart).
- if you do not want your passwords, contacts or personal data to end up into some hackers site, be careful about what ROM you install
wearing my flame proof vest.
UM
unlockMe said:
Well, 2 points in answer to your post where you obviously did not read mine:
1) Did you miss the sentence that starts with "Joke aside" ??
2) Don't care of being flamed, I provided evidence to people that want to make up their miind, they don't need you to tell them what is safe or not for them
Bottom line is:
- if you do not want to have a phone crashing on you, use a stock ROM (that's actually a good joke... Stock ROMs do not crash less than their beta counterpart).
- if you do not want your passwords, contacts or personal data to end up into some hackers site, be careful about what ROM you install
wearing my flame proof vest.
UM
Click to expand...
Click to collapse
Dear UM,
I had a good laugh reading your last sentence LOL
I believe that wither you misunderstood me either I was not clear...
1. I am not accusing you of anything.
2. I read you whole message (points 1 and 2 included... They were there, weren't they...?)
3. I am not trying to demote you of you purposes... I was only trying to pass a message but given the fact the message wasn't delivered, I will try to rephrase...:
You are expressing both facts and opinions.
That is, indeed, you right given the fact we are in an open community and we, still, are in a free world (so to speak...).
I do not endorse or condemn none of your previous statements.
Knowing this community for quite some time and specially knowing it's member, active ones, passive ones, contributing ones, parasite ones, etc... I just know for sure that your comment in which you address people in such manner will have one of two possible outcomes:
1. Total ignorance
2. Flaming
Now, after this, do whatever you like Don't get me wrong and sorry if I made myself misunderstood
Nuff said.
Cheers.
This thread is not development related, moved to the appropriate section
I was wondering if anyone knows a real answer for this. How easy would it be to cook in something that would send back your email login and password? Or other logins to stuff like banking sites. The people who make the roms seem to be hard working enthusiasts, but it still makes me nervous.
The reason I am asking this is because WM6.1 seems pretty buggy and slow and I was hoping that maybe updating to 6.5 would help, however Sprint is being super slow and vague (as usual) about if they will ever release an official rom.
And please no "then just don't use custom roms" replies. I am just hoping someone has some way to show that they are safe and then I will happily use it!
I was wondering the same thing. I don't use any cooked rom for anything banking related for this possible risk.
I know there are other threads that have the answer but can't find them maybe someone hid them?
Anyway what would the average chef gain, second of all how do you know a member of Opera or IE is not taking down your details or even Bill? "by that i mean there is more to worry about"
My point being chefs cook ROMs to give users better phones than stocks... Also the world of WM isn't laden with virus's/spyware so even doing so would be hard and no one would be bothered to spend there time considering how much time cooking consumes.
Just Hard-SPL your device and start flashing
I find cooked roms are the best! They are tweeked, customized, optimized, flexable, etc. Happy Flashing
Im still leary. Im going to wait until you all flash...then i will know its safe
If any chef here did anything as dumb as that, I guarantee you everyone would know in VERY short order what was done, and that chef would be hung up by his ankles and verbally flogged by everyone here.
Trust me, it's never happened here, and it's not GOING to happen; because we have a great community here with great chefs who do nothing but make life better for everyone else. Choose a ROM, flash it, and quit being so paranoid.
FloatingFatMan said:
If any chef here did anything as dumb as that, I guarantee you everyone would know in VERY short order what was done, and that chef would be hung up by his ankles and verbally flogged by everyone here.
Trust me, it's never happened here, and it's not GOING to happen; because we have a great community here with great chefs who do nothing but make life better for everyone else. Choose a ROM, flash it, and quit being so paranoid.
Click to expand...
Click to collapse
That is a very argumentative answer to a very simple and valid concern that allwires has regarding the security of using cooked rom's. Some people that use these rom's like to use their device's web capabilities for banking and for storing personal information and he brings up a very valid question regarding the safety of using these rom's for these purposes. Then you insult the poster by saying he or she is being paranoid when we all know that the capabilities for wrong doing via viruses and other malicious software are very valid concerns in this day and age. I would like to hear an intelligent and informative answer to this question since I'm sure as this sort of thing becomes more mainstream as it is bound through time to become there will be many more inquiries made as to the safety of their usage.
I'm with FloatingFatMan here, any cook daft enough to do such a thing to a ROM would very quickly be found by his peers, tried, convicted and summarily thrown to the lions.
For all that how do we know Messrs Gates, Jobs, well their minions anyway , and other sundry "professional" ROM cooks are not hiding sneaky payloads in?
deedee said:
I'm with FloatingFatMan here, any cook daft enough to do such a thing to a ROM would very quickly be found by his peers, tried, convicted and summarily thrown to the lions.
For all that how do we know Messrs Gates, Jobs, well their minions anyway , and other sundry "professional" ROM cooks are not hiding sneaky payloads in?
Click to expand...
Click to collapse
Well, but you see that is my point exactly. Whether it is the big guy or the small guy doing it history has shown that where there is a will there is a way, especially when there is a profit to be made. Its like when Norton got busted for spyware found in their AV software in the early 2000's, remember that? I just wonder if such an attempt will be made with this newly emerging technology that is similar to the PC of the late 90's and the early 2000's, vulnerable. No one is offering (at least no one that I'm aware of) AV or firewall software for these various mobile OS's and I think that it is only a matter of time before the bad guys find a way to take advantage of these opportunities the same way they did the PC. Al least over time there became ways to detect these types of illegal practices with firewall software and packet capture software that made the average user capable of some control over his or her personal data.
qqa92 said:
Well, but you see that is my point exactly. Whether it is the big guy or the small guy doing it history has shown that where there is a will there is a way, especially when there is a profit to be made. Its like when Norton got busted for spyware found in their AV software in the early 2000's, remember that? I just wonder if such an attempt will be made with this newly emerging technology that is similar to the PC of the late 90's and the early 2000's, vulnerable. No one is offering (at least no one that I'm aware of) AV or firewall software for these various mobile OS's and I think that it is only a matter of time before the bad guys find a way to take advantage of these opportunities the same way they did the PC. Al least over time there became ways to detect these types of illegal practices with firewall software and packet capture software that made the average user capable of some control over his or her personal data.
Click to expand...
Click to collapse
Hey There,
Not wanting to be unkind but i think you are being very paranoid here and btw, you can indeed purchase AV software for mobile devices; youve only gotta google AV software for windows mobile to see that
The limited OS and how its written means the "baddies" would have nothing to gain/find it difficult to exploit so whats the point.
The only "virus" (and i use the term loosely) i ever came across actually asked you "do you want to install blah blah blah" to which the obvious answer was no.............oooo that was dangerous
To summerise, dont get your knickers in a twist about it and enjoy!
^^ And to add to Tim's comments. Just make sure you get your cooked ROM from an established chef if you're worried, and there won't be any problems.
Now, if the ROM was from someone with a tiny postcount and wasn't known, then you might have cause to think twice; but that's not going to happen here...
timmymarsh said:
Hey There,
Not wanting to be unkind but i think you are being very paranoid here and btw, you can indeed purchase AV software for mobile devices; youve only gotta google AV software for windows mobile to see that
The limited OS and how its written means the "baddies" would have nothing to gain/find it difficult to exploit so whats the point.
The only "virus" (and i use the term loosely) i ever came across actually asked you "do you want to install blah blah blah" to which the obvious answer was no.............oooo that was dangerous
To summerise, dont get your knickers in a twist about it and enjoy!
Click to expand...
Click to collapse
Well then why not let the cat out of the bag. I'm just in here to see if I can get a large portion of the members in here's knickers in a twist so that they will all go out and buy my mobile AV since mine is the biggest one out there currently. Lots of potential there, in terms of cha-ching you have to agree. LOL!
There's also the option of downloading a kitchen and cooking your own ROM ... this method permits you to look at each package in detail.
Cheers,
I once opened my yahoo on a cooked room, later on I was trying to log on on my laptop and password was rejected. I freaked out and kept trying, later that day I was able to log in after few hours for some unknown reason...
I stopped using my HTC fuze for emails since.
The myth that ALL cooked ROMs in here are completely clean sounds like an old familiar story of when the young man said to the girl "don't worry it will not hurt a bit" lol
I wish there was a tool that scans for such security gaps in a ROM
I'm not sure what your reasoningn was to stop using email on the phone because of a failure to login to yahoo from a laptop. Did you notice any malicious activity on your yahoo account? Have you since? Have you changed that password? Just seems strange.
As for the security of cooked ROMS, I've never used one but I have a new phone coming and I'm going to try one from a reputable party here. I'm not nervous about it and I use online banking all the time. Here is why I am not concerned:
1.) As several people pointed out already, your PC is more vulnerable just because of sheer numbers. WinMo has a small market share and cooked ROMs would represent an even smaller market share. Even then, there are many custom ROMs to choose from. Then if EVERY user of a specific tainted ROM used their online banking on their phones, there is still little they could actually do with that information. For example, chase uses text messaging which means yes, someone could get my balance and stuff, but I actually have to login to the site to authorize my phone rather than login through the phone. So the information itself may or may not be useful. At the end of the day, it just wouldn't make the chef much money since there would simply be too few potential victims.
2.) The liklihood is very high that the perp would be caught by their peers and exposed in order to 1 - protect their own integrity, and 2 - get bonus points for being the one who exposed the bad guy (or girl). When you add this level of risk to the low reward, it just doesn't make sense. High risk, lots of work, little reward.
3.) Then of course, if someone fraudulently accesses your account, you can usually get that money back.
So I'm perfectly comfortable froma security standpoint. It's the stability standpoint I'm a bit concerned about but that's why I'm waiting till I get my new phone to try one out so I can go back to my old phone if it all craps out.
RedScorpion78 said:
I once opened my yahoo on a cooked room, later on I was trying to log on on my laptop and password was rejected. I freaked out and kept trying, later that day I was able to log in after few hours for some unknown reason...
I stopped using my HTC fuze for emails since.
The myth that ALL cooked ROMs in here are completely clean sounds like an old familiar story of when the young man said to the girl "don't worry it will not hurt a bit" lol
I wish there was a tool that scans for such security gaps in a ROM
Click to expand...
Click to collapse
I was thinking the same thing and how much it would cost to have Lavasoft or AVG or Symantec evaluate ROMs as an impartial third party.
If anybody is thinking peer review would snuff out cheaters there are plenty cases where Ebay and Craigslist deals go bad and everybody is in on it - even (inadvertently) the local police authority that doesn't have the technical knowhow to deal with a cyber-based threat.
startluvova said:
I was thinking the same thing and how much it would cost to have Lavasoft or AVG or Symantec evaluate ROMs as an impartial third party.
If anybody is thinking peer review would snuff out cheaters there are plenty cases where Ebay and Craigslist deals go bad and everybody is in on it - even (inadvertently) the local police authority that doesn't have the technical knowhow to deal with a cyber-based threat.
Click to expand...
Click to collapse
Hey there,
Way to go to ressurect an old thread
Nothing has changed, i have never heard of seen of a custom rom that has a virus cooked in, or one that has been intentionally created to spy on the user.
That said, i guess you have to make your own decision after reading the comments from some experienced chefs/flashers here
CHeers.
I am concerned that Google has their tentacles all throughout the OS, and I want to take all measures to stop that. I particularly don't like their search query tracking (I use ixquick) and their nav app, as their privacy policies are atrocious.
Before someone accuses me of being a hacker or criminal, I am simply not willing to hand over my 220 year old Constitutional rights for a transient fear campaign manufactured by The Machine. And I do not want my information used for profit without permission. I used to be a cracker, and know what is possible. I'll not respond to those who call me 'paranoid'; they are oblivious.
Of course I'll not be using the apps of that-search-engine-everybody-uses. Removing them forthwith, in favor of whatever GPL open-source apps there are available for various functions. Using self-contained nav software like CoPilot or TomTom.
So, have any devs investigated whether Android phones home at any interval? Have measures been taken to privacy-enable the Android firmware?
I hear that HTC has some sort of 'phone home' function. How to neuter that?
What good is Wifi? Is it that you can use that when available, not using up 3G bytes? I am asking what use it is on a mobile in consideration of mobility and the security problems -- what uses can this be put to, and how to secure the phone?
Where is the best place to find open-source apps?
I'm curious about this as well, not so much from a privacy standpoint, but how the hell can I stop the mysterious data that is flowing out of my phone when everything like background syncing and all data connections are turned off.
http://source.android.com/
This is all you need - you could remove/modify anything you want, so... what's your problem? And actually Google apps aren't in the Android sources, so you won't have them after compiling. Yeah, two birds with one stone.
Also you could disable WiFi if you don't like it.
Tachikoma_kun said:
how the hell can I stop the mysterious data that is flowing out of my phone when everything like background syncing and all data connections are turned off.
Click to expand...
Click to collapse
Errr... what ROM and how many apps do you have installed? There is no "mysterious data" on clean system, but 25% of apps use data connection for various reasons.
I'm on the stock 2.1 ROM for the Samsung Galaxy S. I turn all the background syncing, email, and stuff like that off, and overnight it can use about 1MB of data.
I don't have any "free" apps running that might download new banners or anything like that.
The background syncing does not turn anything off as far as I know.
To my knowledge it allows 3rd party apps the ability to check if the user has flagged this, but they do not have to respect this flag.
Tachikoma_kun said:
I'm on the stock 2.1 ROM for the Samsung Galaxy S. I turn all the background syncing, email, and stuff like that off, and overnight it can use about 1MB of data.
I don't have any "free" apps running that might download new banners or anything like that.
Click to expand...
Click to collapse
Syncing is just... syncing. But there are many other things, that apps do. Spare Parts -> Battery history -> Network usage.
Brut.all said:
http://source.android.com/
This is all you need - you could remove/modify anything you want, so... what's your problem?
Click to expand...
Click to collapse
What's my problem, LOL? I am a 52yo real estate developer, not a coder. This is why I'm asking the question.
Quantumstate said:
What's my problem, LOL? I am a 52yo real estate developer, not a coder. This is why I'm asking the question.
Click to expand...
Click to collapse
i think he meant either put up or shut up, which is a pretty reasonable statement.
IMO it's anonymous user data.... let them build cybernet
otherwise say no to the T.O.S that is your constitutional right if you have "privacy" concerns
Brut.all said:
Syncing is just... syncing. But there are many other things, that apps do. Spare Parts -> Battery history -> Network usage.
Click to expand...
Click to collapse
Thanks, will give that a try.
themapleboy said:
i think he meant either put up or shut up, which is a pretty reasonable statement.
Click to expand...
Click to collapse
I meant we all have access to the sources, so we don't have to "investigate" what Android exactly does - we just know, that it doesn't do any "mysterious" things. There are many people working with these sources for many months, I doubt there are some undiscovered things.
Brut.all said:
I meant we all have access to the sources, so we don't have to "investigate" what Android exactly does - we just know, that it doesn't do any "mysterious" things. There are many people working with these sources for many months, I doubt there are some undiscovered things.
Click to expand...
Click to collapse
u know what they say about assuming...... it always makes you look like a jackass
Yeah, I mean we're not playing with iOS4 or anything.
In all seriousness, Android's been out for quite a while now and has been looked at by a LOT of people. Not saying that it's *impossible* but it's highly unlikely that anything nefarious is going on.
If you're still concerned, I suppose you could always opt not to install the Google Apps, but you'd be a bit limited, functionality-wise.
Sent from my Droid using XDA App
themapleboy said:
let them build cybernet
Click to expand...
Click to collapse
O' little do you know... many years ago I did work in Eastern Europe. You have no idea the paranoia a society can endure. For an idea, watch the old TV series Danger Man. Or the movie 1984.
If most young people share your view, it is a dark future. I'm glad I'll be dead.
herald83 said:
In all seriousness, Android's been out for quite a while now and has been looked at by a LOT of people. Not saying that it's *impossible* but it's highly unlikely that anything nefarious is going on.
Click to expand...
Click to collapse
Understand. I just can not believe though that Google is not harvesting some sort of information, as that's their business model. They never discard any info they receive, and you can build a shockingly accurate portrait of someone from their searches over time. Google's CEO recently said, "If You Have Something You Don't Want Anyone To Know, Maybe You Shouldn't Be Doing It", echoing the Bush Doctrine of a Police State.
Maybe Android is innocuous for now, and I'm sure it's been examined. But I'm wondering what the results were? Why are ppl seeing data outflows?
I smell a rat...
Quantumstate said:
...Before someone accuses me of being a hacker or criminal, I am simply not willing to hand over my 220 year old Constitutional rights for a transient fear campaign manufactured by The Machine. And I do not want my information used for profit without permission. I used to be a cracker, and know what is possible. I'll not respond to those who call me 'paranoid'; they are oblivious...
Click to expand...
Click to collapse
Quantumstate said:
What's my problem, LOL? I am a 52yo real estate developer, not a coder. This is why I'm asking the question.
Click to expand...
Click to collapse
A 52yo real estate developer, whose not a coder, but used to be a "cracker" and knows what is possible? Anyone else here think this doesn't make a bit of sense?
It's funny, but it sounds like someone is trying to stir up some FUD by making claims that Android is somehow doing an "All your data are belong to us...". I hope Apple aren't paying your cheques!
@perpetualmotionuk: Be advised that there is a difference between mathematics and decryption, and coding. Yes I can do some coding, but not at a level necessary to analyze and modify an operating system.
If Apple were paying my 'cheques', wouldn't I come in with some sort of proof that monitoring is taking place? Rather than asking what others have found?
Now, rather than trying to tear people down, why don't you use that considerable nose to investigate this yourself?
No one's seen anything about info leakage?
Quantumstate said:
Understand. I just can not believe though that Google is not harvesting some sort of information, as that's their business model. They never discard any info they receive, and you can build a shockingly accurate portrait of someone from their searches over time. Google's CEO recently said, "If You Have Something You Don't Want Anyone To Know, Maybe You Shouldn't Be Doing It", echoing the Bush Doctrine of a Police State.
Maybe Android is innocuous for now, and I'm sure it's been examined. But I'm wondering what the results were? Why are ppl seeing data outflows?
Click to expand...
Click to collapse
Most of that data is pulled from search history, I suspect. Which you can disable, if I recall. Don't have my phone on me at the moment to confirm.
I just did a very simple test on an emulator: after ~15 minutes of running system there was 0 (zero, null) of network packets. Now I want to do the same on a device with clean system, but I think results will be the same or similar (SDK system is just normal Android - very similar to these from devices).
I have a feeling that even if I will catch zero packets as well, you will be asking whether Google send something mysterious through... errr... bluetooth? Some hidden antenna?
If you're worried about Google tracking your info...root the phone and don't install the Google apps. What do ya know...problem solved.
If you're still worried that people are tracking what you are doing see steps below.
1) Flush phone or give to a homeless guy to throw them off.
2) Destroy Computers.
3) Liquidate everything you own.
4) Walk into the woods and live off the land.
5) Kill self shortly after because they already have a file on you.
You say you're a 52 year old real estate developer...guess what...they're already tracking you. You're already helping to build "cybernet" just by living and breathing.
And if you are really worried about your "220 year old Constitutional Rights" then go read the Patriot Act and discover that you don't have ****.
I'm normally not one to flame...but you are an absolute idiot.
I'm not an English person, excuse for the syntax/grammar/... mistakes I'd could make.
hedjemunkee said:
I'm normally not one to flame...but you are an absolute idiot.
Click to expand...
Click to collapse
I don't understand WHY this person could be considered as "an absolute idiot" by ASKING if some 'data' are sent over the network through the phone.
Facebook, with it's ad system is sending information for each ad displayed (not alot, but still some !)....
ADS.GOOGLE do you have any idea about what's behind !?
I don't have the number (nobody have it) of webpages using it but it's huge. with this you can track navigation of people, establish profiles, link to a physical person. Without your consent.
I understand the concern of the "OP" here. I don't think the data sent are easy to "catch", or are systematically sent... maybe there is no, and you are paranoid. But it "COULD". So easily. I'm from the young tech generation.
And to quote
Quantumstate said:
If most young people share your view, it is a dark future. I'm glad I'll be dead.
Click to expand...
Click to collapse
People who don't ask themselve the question, or wich refuse to be open minded enough to consider the right to ask this question ... could be surprised very soon. I'm not directly affraid of "google". I'm affraid of those 'blind' people.
You'll be dead in less than 10years !? I hope we can share some of the darkness you're talking about. your parent's generation started it, you continued it.
Anyway, back to the topic.
Why in my pocess list i've : (app id number) com.ap.SnapPhoto:remote
even when I do not use the camera !?
...when I notice my battery is being used more than usual I check the process list and I find this...
What's this "remote" !?
Maybe "remote" refers to "another app wich launch this app"... ? Otherwise... wow.
I have seen some threads for kids apps. I am interested in finding/building a kids ROM.
My child has a prepaid SIM card and RAZR to be used for certain situations. I would want to be able to let my child carry the phone all the time but restrict what numbers could be called.
So my idea, which can't be an original one, is leverage Android power to install a rooted ROM but run in user mode when I give it to my child. User mode could restrict calling to the phone book only or restrict wi-fi/data access; basically anything that you wanted to restrict or remove. Maybe there could be a ROM builder.
I have many scenarios in mind but maybe they could all be solved by software apps instead of getting into a custom ROM? I'm tech savvy, but haven't ever done a ROM. If the answer is to develop a custom ROM, what device should I choose that would get the most community support? I figure it would be a low end phone, since the point is to make a children's rom.
May I ask how old is your child?
[Sig] dId you know? If you Insert a Coin on your Desire, then it levels up to HD, Z or S :[/Sig]
i was thinking of my son when you mentioned this, it is a great i dea, and i also thought if the original att kid's phone that was out a few years back. it was revamped and it sucked. but good luck on either building one or have some one make one ( put a bounty on it?)
Phones and ROMs
My child is 8 years old. I figure in a few years that it would be fine, but it seems like there would be more of a market for this.
I would put up a bounty for it but I'd prefer to make this a community effort too.
So I will change tack here and ask what the best ROM might be for me to start with and what phones might be recommended? I'm figuring that CM would be easiest to start with, generically?
Thoughts?
I think that is a very good idea.
A good part of that could be accoimplished with a kids theme on an existing ROM.
im sorry but the RAZR is a dumb-phone! it doesnt support 3rd party modding. im afraid you are mistaking the word 'ROM' and actually don't know what it means! You will have no luck finding such ROM for the RAZR... A bootloader of any sort does not exist!
You need a smartphone if you want such a job done, but it requires a investment into a smartphone which are generally more expensive and not intended for 'kids'
I understand...
@olyloh6696: Thanks for looking in on the thread!
You misunderstood what I was explaining. She _currently_ has a RAZR. I want to figure out what the best GSM _android_ phone would be to do the project I'm describing would be. I would of course have to get the new phone; I do understand that the RAZR does not support android (dumbphone).
Any thoughts on phone model or something out there like this already?
rykerwilliams said:
@olyloh6696: Thanks for looking in on the thread!
You misunderstood what I was explaining. She _currently_ has a RAZR. I want to figure out what the best GSM _android_ phone would be to do the project I'm describing would be. I would of course have to get the new phone; I do understand that the RAZR does not support android (dumbphone).
Any thoughts on phone model or something out there like this already?
Click to expand...
Click to collapse
hi
well i guess the best option for a relatively cheap phone (that has android) is the zte blade (in my sig) it is a british phone, but gsm, so i think it should work in the us. if you read reviews for it, it has specs of the desire, nexus one, etc in a cheap budget range. read some revies on it! it also cost £100. Not sure what your budget is though. before you set out to buy the phone, you may need to look up a rom that supports the requirements you want, or you could request one/build your own.
good luck
Unrelated, but the RAZR does support modding lol. Back in the day, pre-Android, I used to hack the hell out of my Razr. There's even a hidden feature called Club Lights that uses the phone's microphone to detect music and make the lights on the phone go with the beat. Youtube it.
That's a great idea... it would be great on a tablet too.
I'm always worried that my son is going to click around in the market and download tons of apps without know it.
Remove Dialer.app, replace with custom Dialer.app
Is the source for the Dialer.app known, i.e. part of the main trunk of the Android sources? I was just thinking that it might not be too hard to just modify that original source to limit it only to the "contacts" tab, that way you can only call the contacts tab.
Another feature I thought of is using some kind of Dynamic DNS client to be able to dial in to the phone.
I was thinking that there could be a "phone home" app that would call home and report the currently used minutes and GPS coordinates, or similar.
Just trying to get the features set worked out and find out if there is existing apps that do this stuff.
2018, quick google search for Kids Custom ROM.... dead thread no progress. There is definitely a market for this, since it's easy to shove a phone into an OtterBox like case and let them have at it with safe guards. My kid has had an Ipad since age 2 without issue. Now she asks for my phone on occasion (years later). It would be easier to just take a custom ROM shove it on a cheap device and give it to her.
Sure, I am a minority, definitely but I can't consider myself the only person who would want to do this.
This is what I'm looking for my child. I'm a software engeneer but I've never works on Android. I think it's not a great works for an Android developer.
I'll follow this post for news.
digging this one up again. anyway to take something like at Nexux 5x and put a totally stripped down version of android on it to achieve something like the lightphone?
nvrpunk said:
2018, quick google search for Kids Custom ROM.... dead thread no progress. There is definitely a market for this, since it's easy to shove a phone into an OtterBox like case and let them have at it with safe guards. My kid has had an Ipad since age 2 without issue. Now she asks for my phone on occasion (years later). It would be easier to just take a custom ROM shove it on a cheap device and give it to her.
Sure, I am a minority, definitely but I can't consider myself the only person who would want to do this.
Click to expand...
Click to collapse
Per capita, there are very few people that actually root or flash custom ROMs, the number of kids that could/would use such a ROM is even less than that, this means it is not worth a developers time and hard work to build a ROM for this purpose, especially considering the plethora of different devices out there in the world. There would not be enough kids using "this" or "that" device with "this" or "that" custom ROM. To be as convenient for kids as what you are asking about, there would have to be a "kids ROM" for a large number of devices. This is not a reasonable expectation by any standard.
Add to that, the fact that rooting devices and flashing ROMs can quickly go bad if the user is not familiar with certain aspects of using a device that is rooted or flashed with a custom ROM, this makes for some rather difficult issues to solve due to user error, ignorance and inexperience of the user.
If you want a "safe" or "basic" ROM for a device, you'll have to learn how to build it yourself because I can promise you that no developer is willing to put that much time and effort into building ROMs that will only be used by a small number of users.
Sent from my LGL84VL using Tapatalk
I have been a fan of installing custom ROMs, root and other mods to my phones since I first owned an Android phone, which was a Sony Xpera Z3 Compact.
Back then I didn't care so much about security, because I was thinking 'What, are they gonna steal my Instagram account?'. But as I grew older the situation got more complex and now I feel the need to feel secure while using a ROM, which is almost never these days. So here are my reasons:
- Custom ROM developers have the exact same device as we do, so if they wanted to exploit it, they would exploit the hell out of it and get their hands on everything we have. (Looking at you, MIUI port)
- Some ROMs come with SELinux disabled which is a problem in itself, I believe.
- Even apps like Magisk, although they're open source (well, most of them) who knows what they're doing in the background.
- It is fairly easy to install a keylogger built into a custom ROM, how do we know that we are already not compromised a few times?
Am I being paranoid here? Or does everyone just want to install their flashy mods and get on with it, like I used to back in the day?
I would love to hear all of your opinions on this!
interesting thoughts and it's always good to be a little concerned about security and privacy!
for custom roms i think in general they tend to be more secure than most stock roms. especially when they have OFFICIAL status - you often get faster updates or updates at all if you have an older device.
unlike big company's, the developer of these roms do it for fun and in general don't have economical interest. so why would they want to steal data/insert backdoors or whatever? thats something company's and governments are interested in...
what i see is that these devs usually check exactly what's happening inside a ROM and a more likely to remove/block suspicious apps or whatever.
also custom ROMs are always open source, aren't they? so everyone can check what's happening... same like Magisk and stuff. everyone's gonna see it if you are trying to steal people's data or something.
i personally trust ROMs based on Lineage OS more than any other stock ROM because they're developed by normal people and not by greedy company's...
although im using MIUI right now because its comfortable but i don't really trust them chinese stuff in terms of data security
merlin.berlin said:
also custom ROMs are always open source, aren't they? so everyone can check what's happening... same like Magisk and stuff. everyone's gonna see it if you are trying to steal people's data or something.
Click to expand...
Click to collapse
First off, thanks for sharing your thought on this. Second, that's been a long time debate, whether open source software is really secure or not. Because although the source of the code is open for inspection, especially in small projects - like device specific projects, many of the security threats and bugs go unnoticed. Of course I trust Magisk, because it is open source AND many Android enthusiasts know about it to a level.
But when it comes to custom ROMs, if you actually check the forum, most of them aren't open source. Hell, we don't even know where they're coming from in some cases (MIUI, EvolutionX etc...). Well, I agree with the Official custom ROMs, because most of the time they're open sourced. But you need to be aware that especially the MIUI ports on this forum, are grabbed from Russian forums. So now (I'm not accusing anyone here), possibly the Russians (4pda), Chinese (Xiaomi) and feds (lol) can reach your data.
I share these concerns. I don't understand why xda doesn't have a policy of not allowing custom roms which don't display their origin/source. Miui mods, Gapps I never use. Bottom line is that with all data collection and spying going on through devices one can only protect her/himself based on personal knowledge and level of concern. And official vs. unofficial is a non issue.
Well, shortly - they aren't secure and you can trust them as much as you trust a person behind them, which you probably don't know well - means not much. And even if there is no bad will from trustworthy community member, you still have to trust that they weren't hacked and let's be honest - big companies are being hacked fairly regularly, let alone hobbyst xda developers. Considering the small user base of the roms, in 99% cases nobody would even realize any malicious stuff happening.
Definitely most stock roms are more secure than custom roms. BUT. Then comes privacy. On stock roms, google, and in most cases phone manufacturer harvest virtually all your data and everything you do, so the only plus here is that you may believe that it will never leak. For me it's not better at all.
At this moment probably the best you can get is a custom rom from trustworthy project with big userbase and many eyes watching - Official Lineage OS builds or one of the few serious privacy focused projects.
Hey,
as somebody who has published ROMs here I really wanted to share my thoughts on this.
First of all, you are right on having concerns about the security of custom ROMs.
There are essentially two types of security at stake here: One is the security of your device, if a third person gets physical control over it. Here, the case is quite clear: The moment you unlock the bootloader, an attacker with physical access to the device will be able to flash anything he wants and essentially circumvent any locking mechanism you have in place. Encryption would help, but implementing properly in a custom ROM and still keeping the functionalities users like about custom ROMs (e.g. easy switching between them, proper updates without the need for OTA) is quite difficult. In short, if you want to prevent anybody who might access your phone physically from gaining access to your data, keep stock ROM and boot loader locked.
The second type is data security and privacy, which was treated in OP. And OP was right, that there is a possibility of adding nearly anything to the code. I am speaking for myself right now, but I guarantee you, that I have never added anything to the ROM code (which for all AOSP ROMs needs to be public, any single line can be reviewed), device tree (public on github as well) or kernel (needs to be published as well). I know, it is my word to be taken here and there is nothing preventing e from lying (because I could add local changes to the code that are never made public). And there is a lot of faith involved, which is why I started building my own ROM. So if anybody feels uncomfortable with installing a ROM that potentially could contain malicious changes, it is better to stay on the stock ROM. On the other side though, the probability that devs like me, that do this essentially for fun and because they want more features and better experience than stock has to offer on their own phones, will invest the time to add a keylogger or other malware to than exploit maybe 10 or 12 people that will actually run the ROM, is quite low imho. Xiaomi, Huawei (or any other company) might be forced by some government to install backdoors or reveal userdata as well. It essentially boils down to trusting the open source community and a dev or trusting some corporation. I honestly do not have an easy answer to this and it probably differs for each person.
As why some ROMs (including my AOSiP 10) run with SELinux on permissive: SELinux enforcing is tricky. If the policy is written poorly, it will prevent your phone from booting or block essential features. And although I am quite android and linux savy and can write my own code, getting SELinux right is still a challenge. On Pie we had an experienced dev like Offain who essentially did it for most others as we used his trees, but for Ten we are still trying to get the devices working to their full extent on a never kernel version (4.9 instead of 3.18). SELinux has a lower priority for me, although I definitely want to make it enforcing as soon as possible.
The example of the kernel is a good point though why I think that custom ROMs can be more secure than stock if you are ready to trust the devs: Most of us use a newer, more up to date kernel than Xiaomi with upstreamed security patches, provide Android security patches earlier than Xiaomi and probably will continue to do so even when for Xiaomi the device will have reached EOL. At the moment, stock probably is the safest in terms of integrity, although it lacks features and is not quite up-to-date. But I have found on any device I owned, that keeping it somewhat up-to-date after official EOL through custom ROMs was a very important part of being able to use it longer than its intended life span.
Long story short: I guarantee you all that I am not interested in your private data and will not try to extort you or sell your credit card information or whatever... If there are bugs and vulnerabilities they are absolutely unintentional and I will try to fix them to my best knowledge if I am made aware of them. Anyway, please think critically and feel free to make the decision you feel best with.
opal06 said:
Hey,
as somebody who has published ROMs here I really wanted to share my thoughts on this.
First of all, you are right on having concerns about the security of custom ROMs.
There are essentially two types of security at stake here: One is the security of your device, if a third person gets physical control over it. Here, the case is quite clear: The moment you unlock the bootloader, an attacker with physical access to the device will be able to flash anything he wants and essentially circumvent any locking mechanism you have in place. Encryption would help, but implementing properly in a custom ROM and still keeping the functionalities users like about custom ROMs (e.g. easy switching between them, proper updates without the need for OTA) is quite difficult. In short, if you want to prevent anybody who might access your phone physically from gaining access to your data, keep stock ROM and boot loader locked.
The second type is data security and privacy, which was treated in OP. And OP was right, that there is a possibility of adding nearly anything to the code. I am speaking for myself right now, but I guarantee you, that I have never added anything to the ROM code (which for all AOSP ROMs needs to be public, any single line can be reviewed), device tree (public on github as well) or kernel (needs to be published as well). I know, it is my word to be taken here and there is nothing preventing e from lying (because I could add local changes to the code that are never made public). And there is a lot of faith involved, which is why I started building my own ROM. So if anybody feels uncomfortable with installing a ROM that potentially could contain malicious changes, it is better to stay on the stock ROM. On the other side though, the probability that devs like me, that do this essentially for fun and because they want more features and better experience than stock has to offer on their own phones, will invest the time to add a keylogger or other malware to than exploit maybe 10 or 12 people that will actually run the ROM, is quite low imho. Xiaomi, Huawei (or any other company) might be forced by some government to install backdoors or reveal userdata as well. It essentially boils down to trusting the open source community and a dev or trusting some corporation. I honestly do not have an easy answer to this and it probably differs for each person.
As why some ROMs (including my AOSiP 10) run with SELinux on permissive: SELinux enforcing is tricky. If the policy is written poorly, it will prevent your phone from booting or block essential features. And although I am quite android and linux savy and can write my own code, getting SELinux right is still a challenge. On Pie we had an experienced dev like Offain who essentially did it for most others as we used his trees, but for Ten we are still trying to get the devices working to their full extent on a never kernel version (4.9 instead of 3.18). SELinux has a lower priority for me, although I definitely want to make it enforcing as soon as possible.
The example of the kernel is a good point though why I think that custom ROMs can be more secure than stock if you are ready to trust the devs: Most of us use a newer, more up to date kernel than Xiaomi with upstreamed security patches, provide Android security patches earlier than Xiaomi and probably will continue to do so even when for Xiaomi the device will have reached EOL. At the moment, stock probably is the safest in terms of integrity, although it lacks features and is not quite up-to-date. But I have found on any device I owned, that keeping it somewhat up-to-date after official EOL through custom ROMs was a very important part of being able to use it longer than its intended life span.
Long story short: I guarantee you all that I am not interested in your private data and will not try to extort you or sell your credit card information or whatever... If there are bugs and vulnerabilities they are absolutely unintentional and I will try to fix them to my best knowledge if I am made aware of them. Anyway, please think critically and feel free to make the decision you feel best with.
Click to expand...
Click to collapse
exactly, we don't need your data, just why we would want it. additionally, as you said, all is open sources so OP can check all. everything was written here, perfect answer
opal06's post is right on the money as explanation to what security can mean for rom/device. No need to be defensive though, trust in developers is the only thing that keeps the custom roms community going and I've been using them since Gingerbread.
On the other hand, I must say, custom roms that come pre-loaded with all bells and whistles from Google diminish the trust factor.
celrau said:
On the other hand, I must say, custom roms that come pre-loaded with all bells and whistles from Google diminish the trust factor.
Click to expand...
Click to collapse
How come ? Could you explain that ?
marstonpear said:
How come ? Could you explain that ?
Click to expand...
Click to collapse
I guess what he means is that Google is notorious for grabbing any bit of data and having a custom ROM preloaded with Google stuff diminishes the need for installing it ib the first place, as it will have the same privacy concerns regarding Google as stock has. In general, Google's involvment into Android is a reason for concern to many, myself included. But there are very few ROMs that actually try to be privacy focused and get rid of Google entirely, although the situation can be improved by using MicroG services instead of GAPPS. They already work on many ROMs
opal06 said:
I guess what he means is that Google is notorious for grabbing any bit of data and having a custom ROM preloaded with Google stuff diminishes the need for installing it ib the first place, as it will have the same privacy concerns regarding Google as stock has. In general, Google's involvment into Android is a reason for concern to many, myself included. But there are very few ROMs that actually try to be privacy focused and get rid of Google entirely, although the situation can be improved by using MicroG services instead of GAPPS. They already work on many ROMs
Click to expand...
Click to collapse
I was half way through typing pretty much the same thing when I noticed your post, that's exactly what I meant. One more thing, some people really need Gapps (i.e. for some banking apps) but they should install them themselves as opposed to providing custom roms with Gapps preinstalled.
Thank you guys for sharing your thoughts on this! I believe all we can do is trust our devs with our info and devices and as a paranoid user, I believe I won't be able to do that, so I'll stick to stock ROMs for our device. But I also believe this has been very helpful for other users who want to try custom ROMs and if they're not as paranoid as I am, they can safely use the open-sourced/official ROMs in the forum. Cheers.
marstonpear said:
Thank you guys for sharing your thoughts on this! I believe all we can do is trust our devs with our info and devices and as a paranoid user, I believe I won't be able to do that, so I'll stick to stock ROMs for our device. But I also believe this has been very helpful for other users who want to try custom ROMs and if they're not as paranoid as I am, they can safely use the open-sourced/official ROMs in the forum. Cheers.
Click to expand...
Click to collapse
I wouldn't call it being paranoid, I think it's very sane.
I agree and have similar view on that, but please ask yourself a question - how much you trust Xiaomi and their security measures? Because in terms of privacy it's obvious that nothing worse than Xiaomi plus Google can happen to you. If you're really what you call "paranoid" you should rather get a device with official Lineage OS support that you would download directly from their servers or systems mentioned here: https://www.privacytools.io/operating-systems/#mobile_os
Thread closed at OP request