- cross-posted to:
- android@lemdro.id
- cross-posted to:
- android@lemdro.id
I am surprised that Google spends so much time tackling custom ROMs via it’s Play Integrity API. If only they paid that much attention to say, curating the Play Store more, it had be much better for everyone
You must log in or register to comment.
The Play Integrity API is less about security and more about Google asserting their monopoly.
They do not want truly open source Android platforms to gain popularity, because there would be a high chance people would want ad blocking, which is a direct threat to their profit margins.
I hope EU takes regulative action to force Google to allow GrapheneOS, LineageOS etc. to be able to run the same apps without issues.
extremely pedantic whining over the term “ROM”, but when has a custom android distribution ever dealt with “read-only memory”? is or was there some immutable component of Android that could be interpreted as read-only?
also I switched from iPhones to Google Pixels running GrapheneOS four years ago and I’ve never looked back, it’s really solid and gives me the amount of control I expect and demand over hardware I’ve purchased upfront. Pedantry aside, I strongly recommend GrapheneOS
Do you use it on a Pixel? Last I read, that’s the only officially supported phone. It feels ironic giving Google money for a phone so you can use deGoogle more.
Don’t get me wrong, I’m all for it, I just wish it supported more devices.
I do, yes. First on a Pixel 5 and then (and currently) on a Pixel 8 Pro.
The purely emotional icky feeling of giving Google money is far less important than the tangible security, privacy, and usability upsides of GrapheneOS on a supported device. But if that’s important to you, just buy a Pixel secondhand, Google gets no money from that.
I wish more devices were supported too, but my understanding is that only Google makes devices that are both secure and open enough.
Article in German, but the relevant points from the GrapheneOS lead are all in english: https://www.kuketz-blog.de/weshalb-grapheneos-aktuell-nur-google-pixel-geraete-unterstuetzt/
One point about Samsung:
Samsung takes security almost as seriously as Google, but they deliberately cripple their devices when you unlock them to install another OS and don’t allow an alternate OS to use important security features
Samsung takes security almost as seriously as Google, but they deliberately cripple their devices when you unlock them to install another OS and don’t allow an alternate OS to use important security features
What does the crippling and security features refer to?
Does anything related to money work on GOS? Bank apps, check deposits, credit card apps, nfc payments? Any other apps/features disabled by Google?
Seems like a huge sacrifice for perceived privacy improvement.
How is this significantly different from using vanilla Android without signing into any Google accounts?
Payments don’t work, because of the play integrity api. But the bank apps that I use do work, even though they didn’t in my previous phone that was running a custom ROM with magisk to hide the tampering. GrapheneOs supplies their signatures so that app developers can support it, but I imagine not all will.
For me it has been a great experience so far. Installation was easy and fast, the privacy settings are great and almost everything works for me just fine. I had a couple of issues that was able to fix by searching for it on their forums, which is quite active
Which payments don’t work?
Two credit union apps work fine, venmo and paypal work fine. YMMV with other financial institutions but it’s not been a problem for me so far.
To answer your last question, there’s way too many differences for a lemmy comment, so I suggest reading their features page for a broad overview: https://grapheneos.org/features
One feature that’s closest yo your question, though:
Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access.
I read it and I think I understand why people are using it, but just to clarify your Google play example: you still can’t use it without being signed into Google account, right? Is your concern what the app does while it’s not running? Because it feels like they’ll still collect the same amount of info once your sign in to install the apps.
Do you you try to use F-droid for most things?
It’s unfortunately really not that simple. But for a short answer, I use Aurora Store for anything I can’t get from F-Droid., and even tho I have the Google Play Store installed (as some apps require it for stuff like notifications or location) I’m not ever signed into it and I don’t use it to install or update apps
via its* Play Integrity API
If the day comes when LineageOS (with microG) becomes unusable for me, I will just switch to iPhone. I hate Apple, and I’ve been using custom ROMs since Cyanogen in 2010, but there’s no way I would raw-dog a Google device.
I would probably switch to Huawei os device. No Google by design.
In fact - I might in either case, there is just too much shitty things Google does to android.
Some of us like to tinker. We really get satisfaction of having a weird niche filled and even if it comes at the cost of stability and other issues. Heck my Custom Roms used to be more up to date with security updates than phones that were older than one year.
I could use kernels that undervolts my processor to give me better battery life. It allowed features that even 5 years ago were on the custom ROM scene still very absent from modern phones.
But the most important part for me was learning, discovering. If I tried a new ROM I would spend hours going through certain roms settings. If there is a glitch, learn how to diagnose and try to fix it, or learn to send a logcat to the developer.
It was like a fun hobby. I learned how to fix some of my old phones, like screen replacement, and learned how to cure uv reactive glue. So many other things and I was just a noob.
But it gave freedom. I understand iPhone and the other high brands are easy to use, have gimmicky features and all, but dammit I have freedom to have my weird niche phone, with multiple breaking features and I loved it because it just worked.
If Google truly did hold security as its main concern, it would have opened the play Store, yet we know now they only wish to protect their monopoly
I used custom roms for many years, but I now use my phone to pay almost everything, and I need my banking apps. magisk hide is unreliable do I won’t be rooting my phone again I think
I think people that take that approach to life are partly ruining it for us all. You’re selling your privacy for convinience and in the process legitimising the removal of (what I consider) more ethical and reasonable solutions.
Same. Those features are more important than anything I get by rooting.
Honestly I don’t even need root for anything. Adblock runs through a fake VPN app. My Pixel used to have a green screen tint, but Google fixed that at the OS level, so I don’t need to have an app for that any more.
This is a very complex topic that is very hard to draw the line on.
As a technical person who follows hacking and security news i can understand google introduced the api and warnings, as phones are getting hacked and unlocked bootloader or root can be abused to keep your malware going, and has been abused in the past.But as a user of fairphone/lineageOS, who tells google, apple, meta, … all of them to fuck off when i can, this scares me. The lockdown of devices can and is going too far. Hell, i even consider samsung’s android ui changes to be going too far, as it changes a shit ton of stuff and really is not a stock android experience. It locks users in their environment…
I find it funny that Google and some banks are so worried about security on Android that I have to have up to date system, app and can’t be custom ROM, can’t be rooted and whatnot. And then they’ll allow you to login to their bank from Internet Explorer on XP or some shit.
Can you cite examples of rooted smartphones leading to significant data breaches or financial losses? When the topic comes up, I always see hypotheticals, never examples of it actually happening.
It seems to me a good middle ground would be to make it reasonably easy (i.e. a magic button combination at boot followed by dire warnings and maybe manually typing in a couple dozen characters from a key signature) for users to add keys so that they can have a verified OS of their choice. Of course, there’s very little profit motive to do such a thing.
Stock android experience is the exception, not the norm, sadly. Some manufactures like Motorola or HMD have a light touch and close to stock but other ones don’t. The worst offenders are Chinese brands who twist it so much and without much benefit(Atleast, Samsung’s ONE UI is customizable as heck, can’t say the same for Realme’s).
I think the main reason third-party ROMs aren’t more popular is that Google and certain app developers fuck with people who use them. The article addresses the difficulties later on, but comes up short in my view on just how much of a hassle it is for someone who isn’t a tech enthusiast who wants, for example to keep an older phone up to date for security reasons.
I think the main motivation for Google is limiting user control over the experience. More user control leads to unprofitable behaviors like blocking ads and tracking, which is also the motivation for recent changes to the Chrome web browser that make content blocking extensions less effective. In all cases, companies that try to take away user control claim the motivation is security, usually for the benefit of the user.
Got so tired of google pay breaking on crdroid that I got a credit card just to use my watch instead.
Still rocking a op7 pro on android 14.
Now I have an excuse to buy one of those gold plated credit cards!
There should be some safety net bypass hacks for magisk
There are different types of workaround but every single one of them is playing same cat and mouse game with Google. It works for a while, then it doesn’t, workaround is updated, it works, then it doesn’t, rinse and repeat.
I’m using a custom ROM but it’s so fucking tiring if I want to keep Google Wallet working. Fucking Google.
Not rooted, nor do I want to be.
I’m still using LOS and still fight with google over Play integrity from time to time. there’s a fairly new patch that spoofs the fingerprint of the phone and fixes the issue entirely for me (play integrity fix by chiteroman) as long as it’s updated, my gPay still works. I prefer using custom OS because it’s much more customizable and has little to no bloatware. any unwanted apps can be removed. I can route my VPN to my WiFi hotspot, in order to get full speed tethering. (I’m a T-Mobile user and they throttle) I have a system-wide ad-blocker that uses the hosts file. I have the ability to allow root to only some apps, and deny it to others.
To me, its worth doing. I have no internet at my house, so I primarily use this to get online. The stock T-Mobile firmware is laggy and loaded up with their apps you can’t delete. You’ll get the “3g speeds” hotspot and their annoying branding on everything.
Going back to that would really suck!
This is offtopic, but fuck it, might as well.
Why do you use a digital wallet? For me, money is one of those thing I literally can’t allow to fail; growing up poor means it’s still a touchy subject. A digital wallet adds extra risk of payment failure everytime it is used.
So, what does a digital wallet add that makes it worth not just the effort of setting it up in a stock system, but also in a custom ROM where it is actively broken by the app developers as a form of “security”?
For reference, I still keep cash on my person in case my cards (or their machine) fails.
I know I posted this on your comment, but I would love to hear everyone’s answer to this.
For me digital wallet is a bit more convenient than using my real wallet, but not essential. I have one credit card that I use all the time, but it seems my bank hasn’t bothered to make it work with NFC payments yet for some reason, but it works with Google Wallet so that’s nice.
I also always keep my wallet with credit cards and a little bit of cash as a backup. One time I was out at a bar and there was a power outage. They were still serving drinks, but instantly all transactions switched to cash only. I think it makes a lot of sense to have backup options.
The opposite can be good too – your phone as a backup just in case you forget your wallet.
It’s probably not entirely been worth the effort to stay up to date with changes whenever Google breaks things. At some point I may stop. I guess one immediate value has been that watching things unfold has hastened the souring of my view on Google. I am now frequently looking for ways to avoid their ecosystem, and avoid big companies / non open source in general. I’m far from ready to leave the ecosystem on every front. But at the very least, I would never recommend a Google product in my professional life at this point, at least not without careful planning of an exit strategy.
Last time I used one was because I forgot my physical wallet and needed to pay for something. I don’t want to tell Google about my shopping habits, but I like to have options in case of emergency.
I’m running LineageOS (with GMS), Magisk, and Play Integrity Fix.
I’m not dealing with all this tracking and surveillance bullshit on a regular basis. No digital wallets, no mobile payment. Cash as much as possible. Where I live most stores allow cash withdrawal, I’ll literally rather withdraw cash in one go and then pay with that cash at the same check out to server the link between the me and purchase. I do keep a modest amount of cash at home.
i have yet to use one of these digital wallets but i would imagine a large part of it is “because everyone around me is doing it.” not necessarily herd mentality but the social shift of it making checkout processes faster so if you’re using cash or a card, you’re inconveniencing the people in line behind you (however rational that may be is another topic).
i live in a semi-rural area and have seen very few instances of someone paying with their phone. it’s so rare here, i’m not even sure how the process works. tap to pay with a card has only recently been more normalized here. however, when i travel for work to big cities, it seems like the only times cards are used is when there is a large group meal at a fancier restaurant.
i also carry a small amount of cash in case my card fails or a card machine is down but it’s very rare to see cash used here as well, except for personal payments. even then, third party pseudo-bank apps are consuming that process (cashapp, venmo, etc.).
i’m not trying to justify any of these payment processes or mark one as better than the others. it’s just an observation.
you’re inconveniencing the people in line behind you
They’re inconveniencing me with their thoughtless jump into cashless society. Fuggem.
Isn’t what you’re describing herd mentality, putting the need of the group or other individuals above one selfs - never mind if it’s consciously giving up on cash money in exchange for speed or not?
well, I totally could live without it. Its just nice to have in case I don’t have my card/cash as a last resort kind of thing. all I do is add the magisk patch, and add shamiko, keep it somewhat updated, and it’ll work 99% of the time I use it. As for google, they probably do this to reduce liability on their end if something does happen. I haven’t heard of any issues from anyone so far.
I don’t think they do it actively. There’s just not a big enough issue for them in custom ROMs to even bother doing something about it.
Rather, they got other issues to tackle and custom ROMs are so off their radar, they get swept up simply because nobody cares (either way) to check.
There will be a big enough issue if people start saying how they’ve got theirs with no issues. The primary motivation for people not bothering with Linux is because Windows “just works” and Linux presumably was work. If degoogling stopped being work, then more would do it.
Linux has become extreme easy mode as well as a polished non intrusive experience and people are really drawn by that!
Google doesn’t want distributions of open source Android without Google services to be a viable option for mainstream users because that would reduce their ability to extract profits from the Android ecosystem.
While the focus is surely more on OEMs than end users at this point, I’m sure Google wants to keep the difficulty level for end users high enough that it remains niche.
I’m sure Google wants to keep the difficulty level for end users high enough that it remains niche.
I really do not think they need to. We tech communities massively overestimate the desire and even contextual awareness (and desire to have such awareness) of regular users to engage with these topics.
Keep in mind that the vast majority of Firefox users - a browser inherently more used by tech-savvy people! - have 0 addons installed. And probably 0 desire to change this. Or to even waste thought seconds on considering whether to change it.
To users, smartphones are tools. Like hammers. If it stops being a useful hammer, do you take the head off and re-forge it? No, you buy a different hammer that does what you need it to do.
Maybe, but the archetypal non-technical user, my mother does want to run a third-party ROM. Her phone is out of its official support period, and she knows that security updates are important and would like a way to get them. Most people, at least in wealthy countries do have a technical person in their lives they can ask things like that. She doesn’t want to buy a new phone because it would be too big and lack a headphone jack, a position I share.
I had to recommend against running what I run (LineageOS, Magisk, Play Integrity Fix). Without PIF, too many apps will refuse to run on LineageOS. She doesn’t need root for much else (maybe adblocking) and doesn’t have the knowledge to make good decisions about whether to grant root permissions to an app that asks (Magisk doesn’t have an allowlist-only mode, but it should). Finally, keeping root through an update is fussy. It’s not hard, but it’s an extra step that has to be done in the right order every week or two.
Unlike Firefox in 2024, a third-party Android build that’s easy enough to install and isn’t sabotaged by Safetynet would something many non-technical users care about: an extended useful life for their devices.
Hammers are cheap and don’t have my sissy pics in them while reporting to a company that spies on people.
Google just wants to copy the fruit store. They want total control and have seen how the fruit store does it. Competition is bad for business.
I install custom ROMs on every device in my household. How concerned should I be? None of them are rooted. Would disabling Play Integrity via adb fix this?
If all apps that you want to use work, there’s no reason for you to be concerned.
I see. Personally I have no concerns since I don’t even use G-apps at all. However I don’t want anyone to come to me with a problem either, which currently none I believe.
The cat and mouse game is especially why I no longer root my phone. Ain’t nobody got time for dis.
I moved to Android for the 1st time ever in 2020 from an iPhone 6s.
The device I decided to go with is a Poco F2 Pro which lost official support years ago, it has decent hardware and even the battery still holds up (with a good custom ROM, I still achieve 8 hrs of SOT).
It just took me about a year, or perhaps less to move to the custom ROM scene, and for me I can’t ever go back to stock Android ever, even when it is a big step regarding iOS features (except for LS customization) the amount of stuff you can do with rooted android device is no joke.
My only regret is that I was never in the prime days of rooting… At least Telegram communities are super active, not that it is better… But personally I prefer it to discord lol.
I was in the prime days of jailbreaking though, too bad that they seem to be doing worse nowadays.
Top 3 examples for the stuff you can do that’s so worthwhile?
