A few weeks ago, I posted a very unfortunate Google+ post of the creator of Focal and why it was removed from the CM codebase. It was a depressing story and it really started to make you wonder about where CM is going.
This time, after reading an extremely well-written article, I've come to a similarly depressing conclusion: Android by Google is slowly becoming as locked down as iOS, but not in the sense that you think; it's not about what apps let you do what, it's the developers.
We've finally arrived at a critical flaw with the way Android is developed and these days, I can no longer claim that Android (by Google) is "open" anymore.
Feel free to give this a read (Disclaimer: I am not affiliated with Ars Technica in any way).
http://arstechnica.com/gadgets/2013...ntrolling-open-source-by-any-means-necessary/
It's not just about Amazon's version of Android; CyanogenMod is for all intents and purposes a "fork" of Android. It is designed to work without Google Apps and as we all know, we flash those seperately. But that's the problem, the answer isn't just "Well, I'll just flash the Gapps and it will work like it should". What will happen if new Play Store apps start referring to features in the framework that don't exist in a form that we can flash? What if the license to flash the Gapps gets revoked?
How will CyanogenMod start adding features to apps that were originally AOSP but are now closed source? What will happen when the open source Messaging app is abandoned and turns into a Hangouts feature? How can CM stay on top of that?
It's not as simple as "take the source we currently have and work with it", because what will happen when Google adds a killer feature to an app that depends on some API that is no longer open source?
These are some rather frightening questions to deal with. I don't know where Android is going, but I'm certainly starting to wonder what's going to happen to it.
I'd appreciate any and all input on this.
Not very continuous, but here's my thoughts about the article:
The Gapps license is meant to lock the makers of Android phones into Google, so users get locked within Google and Google can gain revenue from the users. After going to that extent to make sure Google gets to keep the device's user, what's to gain if Google users of the device who flash CM to be locked out of the system instead of keeping them "trapped" with the Google ecosystem even with a non Google ROM? Doesn't make any sense does it?
I suppose we will still have to flash them like we flash the Play Store now. Unlike Amazon, CM (for now) actually still relies on Google and doesn't "divert" revenue to another company and therefore Google would be more than happy to let their apps be used. But if CM does start going the Amazon way, I believe Google may lock CM out.
Those APIs take time to develop, take the Maps API for example - you think they spent millions, if not billions mapping the entire world and even roaming every street just to make sure you can find your way around for free? They'll need to recoup their costs somehow.
While Android is open source and contributed by Google for free, don't forget Google is a company, not a charity. They have to make money or their shareholders won't be happy. Even if their shareholders are massive fans of open source they also have thousands of employees to pay, and all that costs money. And don't forget, when a company is providing free stuff for you to use, you are not their customer - you are their product. Android will change in ways that will keep Google profitable and keep competitiors unprofitable, while keeping the users as comfortable as possible so they will continue to be their product.
cccy said:
Not very continuous, but here's my thoughts about the article:
The Gapps license is meant to lock the makers of Android phones into Google, so users get locked within Google and Google can gain revenue from the users. After going to that extent to make sure Google gets to keep the device's user, what's to gain if Google users of the device who flash CM to be locked out of the system instead of keeping them "trapped" with the Google ecosystem even with a non Google ROM? Doesn't make any sense does it?
I suppose we will still have to flash them like we flash the Play Store now. Unlike Amazon, CM (for now) actually still relies on Google and doesn't "divert" revenue to another company and therefore Google would be more than happy to let their apps be used. But if CM does start going the Amazon way, I believe Google may lock CM out.
Those APIs take time to develop, take the Maps API for example - you think they spent millions, if not billions mapping the entire world and even roaming every street just to make sure you can find your way around for free? They'll need to recoup their costs somehow.
While Android is open source and contributed by Google for free, don't forget Google is a company, not a charity. They have to make money or their shareholders won't be happy. Even if their shareholders are massive fans of open source they also have thousands of employees to pay, and all that costs money. And don't forget, when a company is providing free stuff for you to use, you are not their customer - you are their product. Android will change in ways that will keep Google profitable and keep competitiors unprofitable, while keeping the users as comfortable as possible so they will continue to be their product.
Click to expand...
Click to collapse
First, I appreciate the input! I was looking forward to intelligent discussion and it's great that the first reply is just that.
I would like to clarify though; my concern is not so much about Google making money; they are a business and deserve to make money in whatever way they see fit. We have something they want (ad clicks and search history) and as long as they provide an experience worth using, I don't mind that transaction at all.
My worries start with what the custom development scene will look like one or two years from now if the base apps that make Android useful on its own (and by extension, useful to custom developers) have been molded into Google Play apps or frameworks or APIs.
In parallel, it's also starting to make sense why Cyanogen continues to put effort into alternate applications such as Apollo and Focal; they saw this coming way before we did.
LiquidSolstice said:
First, I appreciate the input! I was looking forward to intelligent discussion and it's great that the first reply is just that.
I would like to clarify though; my concern is not so much about Google making money; they are a business and deserve to make money in whatever way they see fit. We have something they want (ad clicks and search history) and as long as they provide an experience worth using, I don't mind that transaction at all.
My worries start with what the custom development scene will look like one or two years from now if the base apps that make Android useful on its own (and by extension, useful to custom developers) have been molded into Google Play apps or frameworks or APIs.
In parallel, it's also starting to make sense why Cyanogen continues to put effort into alternate applications such as Apollo and Focal; they saw this coming way before we did.
Click to expand...
Click to collapse
I believe the custom development scene wouldn't get affected much. After all, remember the old XDA-Developers? Windows was all locked down, but the cooks still managed to make customized ROMs. What's more, Google wouldn't want to lose their "products" - Google wants us to continue to use their services so they can earn money, they wouldn't lock us out.
What competitors lack is the capability to access Google's services (Frameworks, APIs, etc) as Google has ways to block them (Which is why we had circumvents like device spoofing). If you had a device designed for Google's version of Android, I am sure Google would still enable access if you use a custom ROM. The point of locking those competitors out is to force them to embrace Google's version of Android and not use their own forks which would keep Google out of certain aspects of the user's phone, decreasing revenue. Therefore, if you could roll your own custom ROM, it makes sense for Google to continue supporting you so you still completely rely on them instead of "outsourcing" to other competitors.
CM puts effort into alternate applications because as you can see right now, CM's starting to roll their own commercial forked devices - what happens after that? If you have seen the ways of other commercial versions of Android (Amazon, China brands, etc), they start replacing certain revenue generating aspects of the phone to use their own service instead of Google's. Certainly not what Google wants.
In short, I would say, if you are a small custom ROM user, Google isn't going to come after you, they want you to use their services! But if you are a competing company, expect your devices to be locked out from Google in the hopes that they eventually force you to bow to them and convert all your users completely to Google's "products".
I know it sounds like a base question since we're talking about security but I wonder in what instances are security patches really helping.
For example, suppose I only use the device with my data plan and my wifi at home (no public networks). Also suppose that I don't download 3rd party apps except those created by established companies like Microsoft (SwiftKey or Outlook). And suppose I don't visit many websites on my device (and especially no pr0n). In this instance, are security patches really necessary? Unlike most people, I don't do everything on my phone (no browsing the net, banking). I only use it for navigation, WhatsApp, and for calls.
I'm asking this question because I'm thinking about getting an Android phone. I'm currently an iPhone user and I want to break out of the Apple ecosystem. The problem is that some companies like HTC and LG seem to be slow to provide security patches or simply ignore them. https://www.youtube.com/watch?v=eDxUjSfp17E&t=6m35s
I'm interested in buying the LG V35 but the internet is full of comments about LG's horrendous support. I am mainly interested in keeping my emails and personal information safe. The only thing I value in the iPhone is the long-term support Apple provides but I'm willing to switch to Android if this isn't a concern if I use my phone exactly as I described above.
Thanks
Mity85 said:
I know it sounds like a base question since we're talking about security but I wonder in what instances are security patches really helping.
...
I'm interested in buying the LG V35 but the internet is full of comments about LG's horrendous support. I am mainly interested in keeping my emails and personal information safe. The only thing I value in the iPhone is the long-term support Apple provides but I'm willing to switch to Android if this isn't a concern if I use my phone exactly as I described above.
Thanks
Click to expand...
Click to collapse
First of all, welcome to Android ?
To answer your questions, security patches are indeed necessary, because if one day you lose your phone, potential flaws that would be patched with security update would be grand opened to hacker that want your personal data (like photos, videos, emails, contacts,...).
Even though it's very rare, that's more secure to have an updated phone.
Now, if you want long term services (updates from Google with the latest features and security patches) you should definitely go for a Google Pixel. Plus those are powerful and have the best camera on the phone market right now (machine learning helps a lot).
If your price range is around 400 $, then go for the Pixel 3a, if you're around 800 $ then go for a Pixel 3.
If you can wait a bit, wait until the Pixel 4 release, I don't know if it'll be a good phone (probably) but what I know is the more recent your phone is, the longer it'll be updated.
But if you are below that, check out the Android One series, that's not Pixel devices, but they get as well the long term support.
Hope it helps
I'd like to expand on this question a bit.
I have a friend who is experiencing "severe security concerns" at the moment. I'm actually kind of worried about this particular friend. This friend seems to primarily have concerns over "being tracked", so I'm trying to find the best approach to at least putting these concerns in the proper frame so that knowledge and education of the device and what it does, and how to control it would be more attainable to said friend.
I know that the security updates are important, but how do you advise someone who isn't rich, and is looking for a new phone, but is willing to dabble with rooting, even to the extent of removing / not installing Gapps? This friend seems willing to learn, so I'd like to think that taking the big picture of "best security practices" into account is an option (ie. don't open suspicious email attachments, learn how to identify phishing scams, only install apps you trust, etc...).
In my experience, apart from kernel and driver level flaws that leave gaping wide-open back doors, security mostly comes down to "being wise with how the device is used". Is that a fair statement?
Yes, security is a combination and balance of user knowledge & usage, oem hardware security, software security, country laws, etc.
Thanks @galaxys
Is there anything about rooting that makes a typical Android device less secure?
Or more to the point, does the ability to omit Gapps provide any natural security enhancement?
I'm asking from the point of view of a "moderately experienced" individual who knows how to spot suspicious attachments/files and phishing scams, and knows how to do some bare-minimum vetting of where apps are installed from. For the sake of argument, let's say this user has no Gapps, and gets their apps from FDroid or ApkPure, or ApkMirror.
The single most important, most debated subject of being online - privacy and security.
While security is undisputed, privacy aspect is.
So what exactly is the concern? As normal people in normal professions (which is easily more than 90% of the population), is there a need for worry?
For a long time since I started using smartphones, I had a natural inclination towards remaining anonymous and private online. I would always use incognito browsing for everything I do online, never create an account with a service as much as possible (e.g. I would watch YouTube videos without signing in), etc.
With time, I began realizing that I am actually missing out on so many interesting things that matter to me, and much of the content that would interest me would be made available to me without much effort using machine learning and artificial intelligence, an area where huge investments are being made.
So slowly I started accessing content and using services with my Google account. Over time, everything from Google feed to YouTube videos were showing me content that I am interested in, and sometimes they were so intelligent that I have been amazed with the whole technology that is at works. Surely, you cannot expect a doctor to give you the right prescription without giving him complete details about your problems. You can't talk privacy there. So unless the system learns what you like and what you don't, there is no way it will present stuff (including ads) that will be interesting to you.
With that said, why are are we overemphasizing this aspect of our lives? Is the privacy lobby inflating the privacy problem more than is necessary? Especially since much of what Google learns (according to them) about you is private, and only you can access/ control it, and also because the open-source alternatives are overrated. I say overrated because there are no audit reports (from trustworthy audit entities) available. Their codes may be available for audit, but is there a trustworthy source that is actually auditing them? Are the platforms where they are available being audited? So the issue of privacy and security applies to these platforms too, and more so because they aren't scrutinized as heavily as Google products and services.
As far as more personal info is concerned, like location, age, gender, searches I perform, accounts, mobile number, etc - Google already has all those because I provided them with much of that info when I created my account. Sure, one can always provide fake info for some of them. But if you use 'Find my Device', you are pretty much giving away your location to Google REAL-TIME. While this can potentially be misused, how else is Google supposed to help you if you were to lose your device? Mobile numbers and email addresses are necessarily required to be correct because they are needed when you are locked out of your account. They are the only means to get your account back.
While I am a strong proponent of privacy, I also feel that too much is made out about a lot of stuff that aren't really something to worry about. Those stuff are essential to get the service we expect in return, in other words, putting technology to use.
That said, it is still important not to give anyone a free hand over data, and there has to be several layers of checks and balances, and accountability for safeguarding and using them.
All that said, my current position is this. Make best use of the technology at hand, because if you don't provide the necessary inputs, there cannot be a proper output.
As with some things that we do online which we might want to keep completely private, use a non-google browser (like Firefox Focus or Duck Duck Go) in incognito mode with Duck Duck Go search engine.
For everything else, use GOOGLE (assuming there is accountability and severe penalties for violations).
Reserved for additional info.
@Ultramanoid
We may continue the discussion here.
I have a few specific questions for which I haven't found answers. May be you or others could answer them. I'll compile them and post these later.
Sridhar Ananthanarayanan said:
@Ultramanoid
We may continue the discussion here.
I have a few specific questions for which I haven't found answers. May be you or others could answer them. I'll compile them and post these later.
Click to expand...
Click to collapse
I have a hard time understanding how you can say you're a strong proponent of privacy, while at the same time justifying how you exchange yours for convenient services.
I can't justify that exchange, and yet use, work in, and develop in an IT field. No Google account here. So it'd be difficult to discuss the issue when our basic premises and understanding of the situation are completely opposed.
I want a good mail service, so I PAY for it, with MONEY, and I assure you it beats all the tech prowess and illusions of magic that GMail and its indecent, immoral, and insulting data mining and tracking provide. Same for everything else.
The aberration that is 'service' ( lower quality feature set, no support, security issues, client is the product ) for information, which, as mentioned in MiX's thread, also has the tremendously damaging side effect of reducing to zero the value of good honest developer work. 'Google gives it for free' -- No, it doesn't, and no, it's not free.
Edit : And by the way, giving your data away not only puts you at risk, it puts others at risk as well. Unacceptable.
Ultramanoid said:
I have a hard time understanding how you can say you're a strong proponent of privacy, while at the same time justifying how you exchange yours for convenient services.
I can't justify that exchange, and yet use, work in, and develop in an IT field. No Google account here. So it'd be difficult to discuss the issue when our basic premises and understanding of the situation are completely opposed.
I want a good mail service, so I PAY for it, with MONEY, and I assure you it beats all the tech prowess and illusions of magic that GMail and its indecent, immoral, and insulting data mining and tracking provide. Same for everything else.
The aberration that is 'service' ( lower quality feature set, no support, security issues, client is the product ) for information, which, as mentioned in MiX's thread, also has the tremendously damaging side effect of reducing to zero the value of good honest developer work. 'Google gives it for free' -- No, it doesn't, and no, it's not free.
Edit : And by the way, giving your data away not only puts you at risk, it puts others at risk as well. Unacceptable.
Click to expand...
Click to collapse
You spoke of making 'reasonable compromises' on the MiX thread.
I have only elaborated the same. How does it matter if Google learns what I like to search on the internet? I am willing to give them that information so that they can provide me with content I am interested in, so that my news feed is mostly content I like to read/ watch, and little garbage. In the process, if they are showing me ads relevant to me, what is wrong with it?
My view is based only on this premise that this is how my data is being used. I have never had a financial security issue (like money being stolen from my account) because of what Google learns about my internet activity.
Also, I am assuming that Google won't learn anything about the searches I may do in incognito mode. They are supposed to respect the privacy. I'm aware they have been sued for not adhering to it strictly.
So assuming that they stick with usage of data as per their declared privacy policies and in accordance with laws, what is the problem?
Sridhar Ananthanarayanan said:
You spoke of making 'reasonable compromises' on the MiX thread.
Click to expand...
Click to collapse
As to security. As long as you rely on someone else's software, some company's cables and infrastructure, there's no other way.
No reasonable compromise on privacy in the "service x information" business model. It needs to die.
Edit : Have a look at this; https://privacytools.io ( "Privacy? I don't have anything to hide." )
my view on this is:
i agree, you should protect privacy as much you're able to, but if you need some services and you need "to give up privacy" for acquiring that service you need, then for me it's legit.
i wouldnt go all crazy on privacy as many go (to completely ditch google, windows, and become open source - privacy - government consipiracy evangelist), but i wouldnt rely on them for my whole life.
yes, i use google calendar and notes and all my data is on google, and if google go down or misuse my data, maybe i will lose that data but still i can easily use on another platform one stop working or is not trustworthy (publicly misuses data)
i love to use custom ROMs not to ditch google or become privacy conscious (using f-droid and living under rock without google services) but to ditch stock ROM from manufacturer as i dont like any manufacturer stock ROM, i want just their hardware, and software i want to be my choise.
for normal people storing something on google, microsoft, apple is not at all bad idea, when you store not that important or sensitive data on google. but i would never upload any top secret, sensitive data on any those services, as they WILL allow governemnt to exctract data (like edward snowden said ), so anyone from governemnt can access it or even misuse it, but if you dont store top secret sensitive info on those services you are fine.
if you want to store top secret sensitive data you would make it and encrypt it and store local copies.
and for google search, same applies, you will be fine with normal use, use firefox and duckgo , and also ingonito dont respect any privacy, it just make to browser not to store history, everything else is visible to them, unless you use firefox and duckgo.
and also many say vpn secure you (ones you buy) , but i wouldnt trust not even them (even if you pay), if you want to have encrypted connection you better MAKE your own VPN server (you can buy remote linux server online and make it as VPN), carrier to whom you pay for server dont care what you store on server (because you pay for it) and if governement comes to there he wont be able to provide anything.
but still even with all said, i dont advocate on trusting government as they dont care about freedom or rights, they care just about power, so protect privacy as much you are able to, but dont go all crazy on it, because best way to be secure on internet is not to use it at all, as at the end of the day dont forget that all intel, arm, amd chips (hardware) are hackable and exploitable to survevilance if they want to
EDIT: and also always remmeber, if you are censored for your rights, you have full right to protect your right, but i didnt got censored for searching for something on google. maybe google censored it to control media, but everyone do it, even media is manipulating you with fake news.
like if i am in china and i cant open news that reveal china government because china censorshiped that source "for greated good", i would use linux, tor and vpn so i can bypass censorship to know what's right. as long you dont face censorship for your rights it still okay to use those services, but if someone censorship for your rights, then its time to act and stand up for yourself, and not accept anyone's "censorship for greater good".
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked magiks modules.
Ultramanoid said:
As to security. As long as you rely on someone else's software, some company's cables and infrastructure, there's no other way.
No reasonable compromise on privacy in the "service x information" business model. It needs to die.
Edit : Have a look at this; https://privacytools.io ( "Privacy? I don't have anything to hide." )
Click to expand...
Click to collapse
I think the moment you are online, you are presenting yourself to be tracked. No matter what tools you use to safeguard your privacy, a country's intelligence has an upper hand because they have the resources and much more advanced technology that is not commercially available.
They can also set up something like the link you shared as just another means to track you (by misleading you into believing that you are remaining private and anonymous).
I think one can truly stay private only by staying away from technology. Otherwise, you are just opening yourself up for tracking.
atttoush said:
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked magiks modules.
Click to expand...
Click to collapse
nope, check here
XDAevDB Information
[ROM][UNOFFICIAL][10.0.0][raphael] LineageOS 17.1, ROM for the Redmi K20 Pro
Source Code: http://bigota.d.miui.com/V11.0.1.0....NGlobal_V11.0.1.0.QFKINXM_5e75bba584_10.0.zip
this is source code for ROM, they are always released somewhere, github, dont matter, but they are released, you just need to look it up
indestructible master said:
nope, check here
XDAevDB Information
[ROM][UNOFFICIAL][10.0.0][raphael] LineageOS 17.1, ROM for the Redmi K20 Pro
Source Code: http://bigota.d.miui.com/V11.0.1.0....NGlobal_V11.0.1.0.QFKINXM_5e75bba584_10.0.zip
this is source code for ROM, they are always released somewhere, github, dont matter, but they are released, you just need to look it up
Click to expand...
Click to collapse
This is not a source code ... Just because it says source code, it doesn't mean it's a source code. That's a zip file containing the OEM firmware from Xiaomi.
indestructible master said:
my view on this is:
i agree, you should protect privacy as much you're able to, but if you need some services and you need "to give up privacy" for acquiring that service you need, then for me it's legit.
i wouldnt go all crazy on privacy as many go (to completely ditch google, windows, and become open source - privacy - government consipiracy evangelist), but i wouldnt rely on them for my whole life.
yes, i use google calendar and notes and all my data is on google, and if google go down or misuse my data, maybe i will lose that data but still i can easily use on another platform one stop working or is not trustworthy (publicly misuses data)
i love to use custom ROMs not to ditch google or become privacy conscious (using f-droid and living under rock without google services) but to ditch stock ROM from manufacturer as i dont like any manufacturer stock ROM, i want just their hardware, and software i want to be my choise.
for normal people storing something on google, microsoft, apple is not at all bad idea, when you store not that important or sensitive data on google. but i would never upload any top secret, sensitive data on any those services, as they WILL allow governemnt to exctract data (like edward snowden said ), so anyone from governemnt can access it or even misuse it, but if you dont store top secret sensitive info on those services you are fine.
if you want to store top secret sensitive data you would make it and encrypt it and store local copies.
and for google search, same applies, you will be fine with normal use, use firefox and duckgo , and also ingonito dont respect any privacy, it just make to browser not to store history, everything else is visible to them, unless you use firefox and duckgo.
and also many say vpn secure you (ones you buy) , but i wouldnt trust not even them (even if you pay), if you want to have encrypted connection you better MAKE your own VPN server (you can buy remote linux server online and make it as VPN), carrier to whom you pay for server dont care what you store on server (because you pay for it) and if governement comes to there he wont be able to provide anything.
but still even with all said, i dont advocate on trusting government as they dont care about freedom or rights, they care just about power, so protect privacy as much you are able to, but dont go all crazy on it, because best way to be secure on internet is not to use it at all, as at the end of the day dont forget that all intel, arm, amd chips (hardware) are hackable and exploitable to survevilance if they want to
EDIT: and also always remmeber, if you are censored for your rights, you have full right to protect your right, but i didnt got censored for searching for something on google. maybe google censored it to control media, but everyone do it, even media is manipulating you with fake news.
like if i am in china and i cant open news that reveal china government because china censorshiped that source "for greated good", i would use linux, tor and vpn so i can bypass censorship to know what's right. as long you dont face censorship for your rights it still okay to use those services, but if someone censorship for your rights, then its time to act and stand up for yourself, and not accept anyone's "censorship for greater good".
Click to expand...
Click to collapse
As I said, we are overemphasizing on many of the things and linking them to privacy. Much of the seemingly private things have no bearing in real life, even when made public. Because, no matter where you are, you have to adhere to the local laws and your internet activity isn't important (unless one is into prohibited activities).
It is a very niche segment of people (like those working for intelligence, journalists, etc.) that must pay special attention. For most others, there isn't too much to worry about, as long as the companies providing services adhere to data regulations and act with responsibility.
atttoush said:
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked magiks modules.
Click to expand...
Click to collapse
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Sridhar Ananthanarayanan said:
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Click to expand...
Click to collapse
It's not the case with few established ROMs. Lineage OS comes to mind. As they encourage people to build ROMs from source. But device support is problematic. That's why I turn to custom ROMs. It's a great idea, but I thought XDA ROMs guaranteed security with the GPL and Open source philosophy. But it's being violated all over the place.
Sridhar Ananthanarayanan said:
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Click to expand...
Click to collapse
Which OEMs are these ? Please mention one and point to where and how their code can be reviewed. Almost none provide support for a device after 2 or 3 years. Almost none are scrutinized because their additions to Android are proprietary and closed source, they barely release kernel changes and those only because they are legally obliged, sometimes even after the device which uses that kernel is not even on sale anymore.
Partial exception for SONY, that provides repositories for AOSP support for many of their devices, and sometimes have released blobs ( not code ) for their drivers and cameras. This is the rare exception, not the rule.
Almost no OEMs provide timely security updates incorporating Google's monthly patches for critical vulnerabilities. Some pile them up in batches, leaving devices vulnerable for months and even years. Stagefright, bluetooth, Qualcomm ... They don't give a crap.
Get the facts straight.
Lineage, in contrast, is developed in plain sight by hundreds of developers revising the code every single day, include Google's vulnerability patches religiously every month and have provided fixes time and again for things Google and OEMs don't bother to fix. They also support devices securely years after OEMs have completely abandoned them.
LineageOS
A free and open-source operating system for various devices, based on the Android mobile platform. This is a mirror of https://review.lineageos.org/ - LineageOS
github.com
Edit : Remember that this is a developers' forum, by developers for developers. Checking and editing code daily is what we do.
Edit 2 : Can't comment as to other 'custom ROMs', from which it may very well be better to stay away.
Ultramanoid said:
Which OEMs are these ? Please mention one and point to where and how their code can be reviewed. Almost none provide support for a device after 2 or 3 years. Almost none are scrutinized because their additions to Android are proprietary and closed source, they barely release kernel changes and those only because they are legally obliged, sometimes even after the device which uses that kernel is not even on sale anymore.
Partial exception for SONY, that provides repositories for AOSP support for many of their devices, and sometimes have released blobs ( not code ) for their drivers and cameras. This is the rare exception, not the rule.
Almost no OEMs provide timely security updates incorporating Google's monthly patches for critical vulnerabilities. Some pile them up in batches, leaving devices vulnerable for months and even years. Stagefright, bluetooth, Qualcomm ... They don't give a crap.
Get the facts straight.
Lineage, in contrast, is developed in plain sight by hundreds of developers revising the code every single day, include Google's vulnerability patches religiously every month and have provided fixes time and again for things Google and OEMs don't bother to fix. They also support devices securely years after OEMs have completely abandoned them.
LineageOS
A free and open-source operating system for various devices, based on the Android mobile platform. This is a mirror of https://review.lineageos.org/ - LineageOS
github.com
Edit : Remember that this is a developers' forum, by developers for developers. Checking and editing code daily is what we do.
Edit 2 : Can't comment as to other 'custom ROMs', from which it may very well be better to stay away.
Click to expand...
Click to collapse
I didn't say that OEMs make their source codes available. I said they are scrutinized. Scrutinized by security researchers around the world, who may or may not be funded by competition. There is lot of benefits by doing so because OEMs can use this as an opportunity to push sales of their own devices. Example is the clipboard scandal of OnePlus, as well as others.
Compare that to custom ROMs. There are so many custom ROMs available for popular devices. Official builds, unofficial builds, nightlies, etc. etc. The ROMs are available for free. Who cares to audit/ scrutinize these? No one cares because there is nothing to gain. This is also because a very minute % of Android users actually install custom ROMs. So no one cares.
Just like root, the need for custom ROMs is decreasing by the day. OEMs are now promising upto 3 years of Android upgrades and 4 years of security updates, atleast for their flagship devices. And now the Google-Qualcomm partnership that is making these upgrades easier and faster. Unlike in the past, OEMs are much faster in releasing security updates today.
Lineage official builds, in my experience, isn't feature rich like some other custom ROMs or unofficial forks of Lineage. People may opt for Lineage official builds primarily for two reasons:
1. Debloat their OEM software like those from Xiaomi, Huawei, even Samsung.
2. OEM has stopped providing official support (this is now changing because 3 to 4 years of official support is synonymous to life of the device because a large % of people usually buy a new device every 3 or 4 years).
Some of the developers of custom ROMs are arrogant arses. That's another reason to tell them to eff-off.
Sridhar Ananthanarayanan said:
I said they are scrutinized. Scrutinized by security researchers around the world, who may or may not be funded by competition.
OEMs are now promising upto 3 years of Android upgrades and 4 years of security updates, atleast for their flagship devices.
Click to expand...
Click to collapse
1. Which security experts ? We have some in XDA whose daily job is precisely that, have you spoken to them ? I don't know of a single audit of any OEM's version of Android. Please mention or link at least one if you think they exist.
2. Which OEMs ? I don't know of a single OEM providing support of any kind for any of their devices ( maybe OnePlus barely reaches 3 for some of theirs, again, a very rare exception ) beyond 3 years, much less 4.
Provide real data points or stop speculating on vague promises and supposed security experts somewhere. When I say LineageOS is available, you can see it is. You can also build SONY's AOSP from their code. ( Edit : https://developer.sony.com/develop/open-devices/ )
One thing is to express an opinion, another to give facts.
Ultramanoid said:
1. Which security experts ? We have some in XDA whose daily job is precisely that, have you spoken to them ? I don't know of a single audit of any OEM's version of Android. Please mention or link at least one if you think they exist.
2. Which OEMs ? I don't know of a single OEM providing support of any kind for any of their devices ( maybe OnePlus barely reaches 3 for some of theirs, again, a very rare exception ) beyond 3 years, much less 4.
Provide real data points or stop speculating on vague promises and supposed security experts somewhere. When I say LineageOS is available, you can see it is. You can also build SONY's AOSP from their code. ( Edit : https://developer.sony.com/develop/open-devices/ )
Click to expand...
Click to collapse
Fact 1: OnePlus is collecting your private data without permission
Fact 2: Engineer Mode
Fact 3: Clipboard Scandal
Fact 4: Shot on OnePlus
Fact 5: MiUI stealthily sending user data back to China
Fact 6: Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
...
Thats just some of them. If you search, you will find more.
In most of these cases, it is some security researcher somewhere in the world who found a questionable activity that goes against acceptable privacy and security standards. In other cases, it was some random user who found a vulnerability or some unacceptable practice.
The point? Number of users of stock ROMs are way way higher than those that use custom ROMs, and as a result someone somewhere might find something either accidentally, or as part of security research work (paid by competition or otherwise).
OEMs will be careful when they make their ROMs. They are not only under scrutiny, but also need to ensure they stick with doing the right things because they have a business to run. The same isn't true for custom ROMs that some nobody will make and act like trash when questioned. Thats also because the product is free (or may not be depending on what is baked into the codes) and so the developer may think he isn't answerable.
Ultramanoid said:
One thing is to express an opinion, another to give facts.
Click to expand...
Click to collapse
Now you may point out the opinions. All the above are actually facts, that support my previous comment.
Sridhar Ananthanarayanan said:
Fact 1: OnePlus is collecting your private data without permission
Fact 2: Engineer Mode
Fact 3: Clipboard Scandal
Fact 4: Shot on OnePlus
Fact 5: MiUI stealthily sending user data back to China
Fact 6: Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
...
Thats just some of them. If you search, you will find more.
In most of these cases, it is some security researcher somewhere in the world who found a questionable activity that goes against acceptable privacy and security standards. In other cases, it was some random user who found a vulnerability or some unacceptable practice.
The point? Number of users of stock ROMs are way way higher than those that use custom ROMs, and as a result someone somewhere might find something either accidentally, or as part of security research work (paid by competition or otherwise).
OEMs will be careful when they make their ROMs. They are not only under scrutiny, but also need to ensure they stick with doing the right things because they have a business to run. The same isn't true for custom ROMs that some nobody will make and act like trash when questioned. Thats also because the product is free (or may not be depending on what is baked into the codes) and so the developer may think he isn't answerable.
Now you may point out the opinions. All the above are actually facts, that support my previous comment.
Click to expand...
Click to collapse
What all that proves is that OEMs are pure solid garbage, thank you for agreeing. Rest the case already. ^_^
Sorry to hear you still prefer to stand by out of date systems, unsecured protocols, and shady immoral companies. It is useless to discuss when you keep insisting on sustaining your biased opinion against hard evidence -- that YOU yourself provided.
Cheers !
Ultramanoid said:
What all that proves is that OEMs are pure solid garbage, thank you for agreeing. Rest the case already. ^_^
Sorry to hear you still prefer to stand by out of date systems, unsecured protocols, and shady immoral companies. It is useless to discuss when you keep insisting on sustaining your biased opinion against hard evidence -- that YOU yourself provided.
Cheers !
Click to expand...
Click to collapse
You are simply exaggerating it.
Like the saying goes, better to trust the known devil than the unknown angel.
Cheers!
This may be stupid, but I couldn't find any resources regarding this. We have custom recoveries for android devices but why isn't there custom bootloaders like there is for PCs ? Like in the PC space we have the likes of reFind and gnu grub.
Thanks
There are some instances of alternate bootloader projects. Just that they are not popular,
[Bootloader] LK for Xperia T
LK for Xperia T LT30p Only - Unlocked Bootloader Required WARNING 1: This modification makes changes to the devices partition table. I (lilstevie) am not responsible for any damage to your device or data loss that may occur. WARNING 2: ICS...
forum.xda-developers.com
EFIDroid
EFIDroid is a easy to use, powerful 2ndstage-bootloader based on EDKII(UEFI). It can be installed one-click with the EFIDroidManager app. You can add/remove/edit multiboot ROM's. There's no special support needed by ROM's or RecoveryTools(no...
forum.xda-developers.com
The developer of EFIdroid stopped developing in 2019.
efidroid on Android 9 and 10 devices ? · Issue #152 · efidroid/projectmanagement
Hi, I just want to know if efidroid supports devices with 6 GB RAM and 64/128 GB Storage devices running Android 9 and Android 10 ? thanks.
github.com
Not to mention you would need OEM's to cooperate....
Thanks @karandpr for that github comment a lot of info there. Thanks @galaxys too. So a quick summary would be that the reason is that for the bootloader to work smoothly there has to be support from the kernel too, which the OEMs should do and probably would not. But I didn't think about the support in the kernel was an issue. That does seem to be a lot of work and I see the reason now.
al_l_en said:
Thanks @karandpr for that github comment a lot of info there. Thanks @galaxys too. So a quick summary would be that the reason is that for the bootloader to work smoothly there has to be support from the kernel too, which the OEMs should do and probably would not. But I didn't think about the support in the kernel was an issue. That does seem to be a lot of work and I see the reason now.
Click to expand...
Click to collapse
I don't think Google intends to open up android anymore. They want restrictions like iOS but pretend to be open source for the "goodwill". What's the use of AOSP if you cant effectively install it on a device or your important apps don't work?
I believe PinePhones are the ones that can have truly open-source compatible hardware. The specs are underwhelming but the community is really good.
You can get spares easily and the battery is removable.
Only thing is they are mostly out of stock.
karandpr said:
I don't think Google intends to open up android anymore. They want restrictions like iOS but pretend to be open source for the "goodwill". What's the use of AOSP if you cant effectively install it on a device or your important apps don't work?
I believe PinePhones are the ones that can have truly open-source compatible hardware. The specs are underwhelming but the community is really good.
You can get spares easily and the battery is removable.
Only thing is they are mostly out of stock.
Click to expand...
Click to collapse
Yeah those are great but the problem is that they are not usable for "normies" which will prevent mass adoption and hence cannot have a sustainable business model.
But I think google is not the only one to blame, like couldn't the OEMs actually provide bootloaders that can boot signed os images. Or is there any technical or security difficuties in doing that.
al_l_en said:
Yeah those are great but the problem is that they are not usable for "normies" which will prevent mass adoption and hence cannot have a sustainable business model.
But I think google is not the only one to blame, like couldn't the OEMs actually provide bootloaders that can boot signed os images. Or is there any technical or security difficuties in doing that.
Click to expand...
Click to collapse
Normies are afraid to change the default browser, so bootloader is really out of their leagues.
Phone tinkering is a hobby, not a necessity. Phone tinkering itself is not a sustainable model.
Google is to blame primarily. Because they have a stringent list of requirements for devices to pass CTS. You can read the bootloader requirement and judge yourself.
Android 11 Compatibility Definition | Android Open Source Project
source.android.com
Without passing CTS, devices cannot use Google apps, they cannot get push notifications and they cannot pass SafetyNet checks used by most banking apps.
At the end of the day do I want to spend 100s of hours to bring a feature to an android phone which will probably be used by 10 users and deprecated by the time I finish doing it?
or do I want to buy a phone which will allow me to tinker freely in a community and ecosystem which allows modification?
For our tinkering pleasures, Pinephone is the way to go for now. They have support from Manjaro, Debian and KDE. Which is a big thing IMO.
Or else there you can roll your thing in RaspberryPi?
While going through related details I found an article about google probably switching to hardware based safetynet checks which could be ending google play compatibility on custom roms.
It really seems like google is using security as an excuse to make sure that there are no competitors in their business space.
Maybe this is because I have been only doing web development and only started learning app dev, but the reasons google use for CTS like for enforcing DRM, is also handled on websites while allowing openness and being neutral (or maybe the web is not as secure as something like this, so forgive me if I am wrong). Android could really take pages off the web ecosystem for being a neutral platform.
I really appreciate the patience for hearing out and also the references(and the rabbit holes that it was followed by) really taught me a lot about general android architecture.
al_l_en said:
While going through related details I found an article about google probably switching to hardware based safetynet checks which could be ending google play compatibility on custom roms.
It really seems like google is using security as an excuse to make sure that there are no competitors in their business space.
Maybe this is because I have been only doing web development and only started learning app dev, but the reasons google use for CTS like for enforcing DRM, is also handled on websites while allowing openness and being neutral (or maybe the web is not as secure as something like this, so forgive me if I am wrong). Android could really take pages off the web ecosystem for being a neutral platform.
I really appreciate the patience for hearing out and also the references(and the rabbit holes that it was followed by) really taught me a lot about general android architecture.
Click to expand...
Click to collapse
Theoretically, Google can end GPlay compatibility on Custom ROMs anytime they wish. It's just that lot of App Developers don't use SafetyNet the way it is intended and Google doesn't roll out its strict check. They do it once in a while.
They don't have any competitors in their business space. It's a very well-thought monopoly.
CTS restricts Google Play API access to vendor operating systems. So vendors like Samsung, OnePlus and others have to play by their rules. IIRC, the cost of Play API is around 15$ per device but it is subsidized for large quantities.
End users don't really care about Play API. But App Developers do.
Without Play services, there is no easy way to integrate push notifications, ads, maps, analytics, metrics, and so on. Rolling your own thing will take years to develop and won't work as seamlessly as the play service counterparts.
I don't think Google will ever cede their monetary interests for open collaboration.
karandpr said:
I don't think Google will ever cede their monetary interests for open collaboration.
Click to expand...
Click to collapse
Yeah that's for sure. The only way this monopoly can break is when an opensource alternative to google play services and other apis exist and while doing that it must be compatible with the existing google apis. And that is probably not going to happen in a long time. Although microg does solve this to some extent, but still it is a second citizen.
Some of the functionality is already there, like most of the google apps like docs and drive could replaced by nextcloud and then maps could be replaced by osmand. If some company, preferably an OEM, comes and integrates all of these into a package maybe there's hope. I think /e/ os tries to do this to some extent.
You might find this resource useful. As they have gone over a comprehensive set of bootloader software and tried to outline their primary features in detail. Hopefully, you’ll be able to determine the best one for your use case. https://www.ubuntupit.com/best-linux-bootloader-for-home-and-embedded-systems/