The days of custom Android ROMs are numbered, and Google is to blame
CalyxOS, a privacy-oriented Android fork, has announced a pause on updates. But given the challenges most custom ROMs face, will it return?
You're viewing a single thread.
Holy shit, the bootlicking and mental gymnastics in the article's comments:
Talking about rooting and custom ROMs is so frustrating because most of the replies are always like this.
"baCk iN mY dAy I UseD to RoOt mY gALaXy s2 bUt pHoNeS aRE sO GoOd tOdAy iTs pOinTlEsS nOw"
Motherfucker, we're starting to not even be able to have full access to our own filesystem and Android gets more restrictive each year for alleged security reasons and you want to tell me this shit is not necessary anymore???
Lemmy is potentially the first place where people actually fucking get it.
“baCk iN mY dAy I UseD to RoOt mY gALaXy s2 bUt pHoNeS aRE sO GoOd tOdAy iTs pOinTlEsS nOw”
Fucking lmao, I remember people saying that a decade ago when I had my Nexus 6P.
Just try asking about rooting in the GraoheneOS Discord, and you risk getting banned.
GrapheneOS has a ton of locked down stuff they don't want you to access. They make rooting extra hard, they don't support compiling the OS from source, there's still the TEE you can't access even with root, and the OS filesystem is readonly to inhibit customization.
GrapheneOS promotes "verified boot" that stops you from doing many important things.
Well yeah, because grapheneos is specifically made for security, not customiseability. Rooting your phone makes it a lot less secure, so it doesn't seem strange to me that grapheneos doesn't want you to.
Can you please explain how rooting adb only, not any apps, makes it less secure? Use concrete examples, not abstract.
USB attacks with things like Celebrite are within scope of GrapheneOS's security model.
An exploited app can do more on a system that has more capabilities, simple as that.
they don’t support compiling the OS from source
They literally have a whole instruction page for it on their official website: https://grapheneos.org/build
What they don't support is making modifications to GrapheneOS, compiling it, and then still calling it GrapheneOS. It's not. You changed it, so it's something else. It's your own fork of GrapheneOS, so you should name it accordingly.
there’s still the TEE you can’t access even with root
Uh that's by design? Do you even understand the purpose of a secure element and trusted execution environment, and how they work?
and the OS filesystem is readonly to inhibit customization
It's read-only for security reasons. This is the default AOSP behavior. iOS/iPadOS and macOS handle this very similarly. This is the industry standard for secure devices. If you want to make modifications, the code is open source, you can freely modify the OS, compile it, sign it with your own keys and use it with full verified boot enabled.
GrapheneOS promotes “verified boot” that stops you from doing many important things.
Verified boot is a built in feature of AOSP. https://source.android.com/docs/security/features/verifiedboot
They literally have a whole instruction page for it on their official website: https://grapheneos.org/build
I've asked, and they don't support you at all after you build it. You can't get updates or packages from GrapheneOS. Compare to Debian, Ubuntu, RHEL, etc., where you can compile your own newer package, install it, even replace core operating system components, and then seamlessly upgrade to the OS vendor's version when they catch up.
What they don’t support is making modifications to GrapheneOS, compiling it, and then still calling it GrapheneOS. It’s not. You changed it, so it’s something else. It’s your own fork of GrapheneOS, so you should name it accordingly.
Even if you don't modify it, they tell you not to call it GrapheneOS, and don't offer any way to install patches, besides building it again.
Uh that’s by design? Do you even understand the purpose of a secure element and trusted execution environment, and how they work?
Yes, I understand it. I've opposed TPM from the start, and this is just TPM for Android. I don't want a device that keeps secrets from me. I do want comprehensive backups, including all cryptographic keys. I should be able to access the TEE from my authenticated PC over SSH.
I'm fully aware that Widevine won't run on a device where the owner has control over the whole device.
The code is open source, you can freely modify the OS, compile it, sign it with your own keys...
I don't have the resources to do this (PC nor effort). They recommend 100GB+ storage and 32GB RAM for building it, and you seemingly can't do it incrementally, since you have to flash an entire operating system at a time. I want to modify one file, like the call recording xml file. (That file is from a previous operating system I had, but I can't provide an example of niche cases like that for GrapheneOS, because I only ever used GrapheneOS for a few days, so I don't know what kind of small modifications I would want to make.)
Compare to Debian, Ubuntu, RHEL, etc., where you can compile your own newer package, install it
None of these operating systems have Verified Boot. Desktop systems are inherently less secure than mobile devices.
even replace core operating system components
Don't you see the problem there?
and then seamlessly upgrade to the OS vendor’s version when they catch up.
That's not true either. Swapping out random parts of the OS will certainly lead to breakage and dependency hell in your package manager (unless you just replace files without using the package manager, which might make all of this even worse).
and don’t offer any way to install patches, besides building it again
Normal Android behavior. This will be the case for ANY Android-based OS with Verified Boot enabled.
and this is just TPM for Android
This isn't comparable to TPM at all. TPM is a very insecure way of providing a hardware keystore. It can easily be bypassed. Here's a demonstration of that https://www.youtube.com/watch?v=wTl4vEednkQ
I’ve opposed TPM from the start
TPM in desktop machines neither really provides a benefit, nor does it inconvenience the user. I've also opposed to it from a security perspective, since it's misleading and makes users think that it's actually secure and comparable to proper secure elements (such as the Titan M2, Apple Secure Enclave Processor, or the Qualcom SPU), while it really isn't.
I don’t want a device that keeps secrets from me.
It's not keeping secrets from you, the secure keystore is keeping cryptographic secrets away from attackers. Only you can use the cryptographic secrets from the secure element, by combining them with your PIN/passphrase (in a key derivation function) to derive the keys used for full disk encryption. Without a secure element that safely guards these secrets and throttles unlock attempts, attackers like law enforcement agencies can easily brute force your 6 digit PIN and gain full access to your device, including all of your data. The iPhone 11 was the last iPhone generation without a proper secure element. A 6 digit passcode was also bypassed on the iPhone 11 Pro Max, just a few months after its release. https://appleinsider.com/articles/20/01/15/fbi-reportedly-accessed-locked-iphone-11-pro-max-with-graykey-third-party-tool
This hasn't been possible anymore since the iPhone 12, which was released with the Secure Enclave Processor. This is even confirmed by leaked internal documents from forensics companies, such as Cellebrite: https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation
Specifically, I recommend looking at this chart:
It clearly shows that data cannot be extracted from iPhones with secure elements, unless the device is in the AFU state, meaning that the encryption keys are kept in memory.
I do want comprehensive backups, including all cryptographic keys.
Having a secure element to isolate keys there doesn't make sense if you can just export them. The security of those keys cannot be guaranteed anymore, once they're outside of the secure hardware keystore. This is not unique to Android/mobile devices. Look at U2F hardware security tokens, such as the YubiKey or NitroKey. You can't export your keys there either, which is by design, and it's a good thing.
I’m fully aware that Widevine won’t run on a device where the owner has control over the whole device.
This has nothing to do with Widevine. The vast majority of Android devices currently on the market doesn't have a secure element. Widevine still works on these devices.
and you seemingly can’t do it incrementally
What do you mean? Generating an incremental update .zip package and flashing it over your stock GrapheneOS installation? No, that's certainly not gonna work, due to Verified Boot verifying that the signature of the update package matches the signature of the OS that's installed. This is a very important security feature, and prevents attackers (could just be cybercriminals, but that can also include law enforcement, intelligence agencies, etc.) from hacking into update servers and delivering mallicious updates to users. If I remember correctly, that's how EncroChat got bugged by the French police. They hacked into the update servers that were hosted by OVH, and then distributed mallicious update packages, gaining access to the devices of all EncroChat users.
since you have to flash an entire operating system at a time
That is correct. Changing the signing keys requires you to unlock the bootloader, wipe the Verified boot keys, and replace them with a new set of trusted custom (i.e. non-stock) keys. Otherwise someone could just flash a mallicious OS over your current OS, while retaining all of your data. They could then use it to extract your data.
Of course you can easily make changes and install new versions incrementally, once you have installed your custom OS and signing keys to the device. Also, none of this is some crazy GrapheneOS invention, it's the default Android Verified Boot behavior, which GrapheneOS builds upon.
Swapping out random parts of the OS will certainly lead to breakage and dependency hell in your package manager (unless you just replace files without using the package manager, which might make all of this even worse).
I've done it, and it works. I've built packages of libraries and binaries before, at higher version numbers than Debian had, and deployed them to multiple Debian sid systems. They worked. When Debian caught up, I seamlessly upgraded all 3 systems with no problems.
Even in the worst case scenario of dependency hell, you would be able to downgrade to the Debian supported version. But I never had to do anything like that.
I'm not going to respond to all the rest of your post, because I don't think it will help with anything. It seems that we have very different ideas about device ownership.
you would be able to downgrade to the Debian supported version
That's pretty specific to fixed release distros, and it's not gonna work on e.g. Arch Linux.
I’m not going to respond to all the rest of your post, because I don’t think it will help with anything. It seems that we have very different ideas about device ownership.
You don't have to respond to it, I'd be happy enough if you would just acknowledge it. I too like the fact that one can tinker with Linux systems. I've always told people who want to study OS architecture to daily drive either Linux or one of the BSDs. They're really fantastic operating systems for learning how computers and operating systems work. I too have built libraries and system utilities from scratch. I still wouldn't recommend it on production systems. I built Linux from Scratch many times, and I think it's pretty fun and informative (if you pay attention, instead of just copy-pasting the commands from the instructions).
Yet the fact remains that desktop operating systems are inherently less secure than mobile systems, which were designed with a strong focus on security from the ground up. SELinux is a pretty good example. How many desktop Linux distributions do you know, that deploy SELinux (or a comparable LSM) in enforcing mode, and with meaningful policies? Yeah, some of the mainstream distros, such as Ubuntu, Fedora and SUSE do it (sometimes with pretty weak policies), but looking at the vast majority of distros? I'd say almost none. Android on the other hand has used SELinux by default for a long time, with actual meaningful, secure policies. Btw if you're looking for a more secure Linux OS, check out secureblue. It's based on Fedora Atomic, and applies lots of hardening on top. Not affiliated or anything, I just think it's a nice and secure distro.
All in all, I think Production devices should be secure. You can always have a second device or that you can use to study the inner workings of an OS, or make changes to it (or in this case run GrapheneOS in the Android emulator).
GrapheneOS promotes "verified boot" that stops you from doing many important things.
What is your strongest example of an important thing that can't be done on GrapheneOS because of its boot/loader security?
Comprehensive backups, which can only be done after rooting. You can do this, but only after disabling verified boot.
In theory Seedvault covers this. In practice...well I dunno, ask me again when I get my next phone. I've not had the opportunity to properly test it.
Some apps resist being backed up. "android:allowBackup=false" was one way. Apparently that can be overridden, but there are other ways apps can resist backup that can't be overridden. It's not clear what those are, but some of my apps definitely aren't being backed up by Seedvault, even though they aren't using keystore.
The apps using keystore can only ever be backed up by installing a backdoor in the TEE.
I can understand them not wanting you to root since their focus is security above everything else, but that bit about not supporting compiling from source is a bit sketchy 🤨
Totally, since being able to compile from source is very much a security issue.
You can compile from source
They do provide instructions for compiling from source, they just don't support you at all afterwards. If you compile GrapheneOS and put it on your phone, they say "you are not running GrapheneOS" at that point. Unlike Debian or Ubuntu, where every package can be replaced by a hand-compiled version, and it's still Debian or Ubuntu.
I mean its kinda true. The biggest draw to custom roms back in the day was adding features that either weren't available at all or only on limited devices.
Even before google started locking shit down tight custom roms were dying because they had less and less to differentiate themselves from both each other and official android.
Now of course we've basically come full circle. We are losing wanted/needed features for "security" but shits so locked down custom roms can't provide us with those features. :(
Do you even z4root bro
No average person
I hate this line of reasoning in all facets of life. And it does seem to appear in all facets of life.
Nobody is average in every way. If we accept that it's okay for every goddam thing to suit only the "average", and to hell with everyone else, then nobody will happy in more than ~3-5 aspects of their life.
Yea. Why are there so many sizes of clothes anyway? The average person doesn't need pants with a 44 inch waist. And so many food options? The average person doesn't need anything more than nutrient rich gruel.
Dick longer than 5.5 inches? Snip snip!
I assume that, for humans, the average number of legs must be a number below two since most people I know of have two, while some have one or none and only very few have three or more.
I wonder how those 1.something-legged pants would look on all the people with different amounts of legs than that average number. Luckily, it seems it's currently more common for clothing designers to snap to the normal (as in common number) rather than design for the average number. I guess people with less than two, or with prosthetics, can use two-legged pants to some degree, but with more legs than average, it seems, you'll still be in trouble at the mall – unless there's a skilled tailor in there too!
It’s not simply the average person it’s most people that don’t need this. For most people a custom rom adds nothing, most people barely change their wallpaper.
Well then let's flip that right around then: if "most people" never do it, why the fuck should they spend the energy to ban it?
The difference between "average person" and "most people" is beside the point. It doesn't really matter if we're talking about 1 standard deviation from median or 3. Edge cases matter. Outliers matter. Choice matters. People matter.
We should start a co-op that buys advertising data on people that say stuff like this and then bombards them with spam that says "You have nothing to hide, [name]! You want everyone to know you love [advertising data entry tied to them]"
Maybe they like authority more than android over there
But I am a nerd, so why would I want crap like Android?
