TL;DR
- Efforts like Graphene OS face increasing pressure from apps that refuse to run on non-standard Android.
- The custom ROM project characterizes Google’s approach to device attestation as incomplete and flawed.
- Graphene OS is prepared to take legal action if Google won’t let it pass Play Integrity checks.
Even just being rooted on the stock Pixel rom is a fight. It’s a constant cat and mouse game to pass basic and device integrity, but as of recently a lot of us have been able to pass strong integrity as well which has been nice.
Even just being rooted on the stock Pixel rom is a fight.
That, I can see being more of an issue than an unmodified, trusted 3rd party OS. If I remember right, rooting makes the device fail Verified Boot:
It establishes a full chain of trust, starting from a hardware-protected root of trust to the bootloader, to the boot partition and other verified partitions including system, vendor, and optionally oem partitions.
https://source.android.com/docs/security/features/verifiedboot
Fair point. At least with stock rooted as I said there’s ways around it and I can pass all play integrity checks and such.
Considering the lawsuits, now seems like a good time.
The only reason I stopped using grapheneOS was because Google contactless payment didn’t work.
Loved everything else about graphene thoI’ve never used contactless on my phone, I already had a contactless debit card. Why are you, and others, using their phones to pay?
Lazy.
Just plain lazy.
I already have my phone in hand in shops - shopping lists, reminders or even plain taking my mind off the shelves so I won’t buy unnecessary shit. Then I get to checkout and…my phone is already in hand. Just boop it and done. No need to dig out wallet from pocket and then dig out card from wallet.
the app hides the real numbers for the credit card and gives the POS a mock id to make the purchase. it’s harder to clone. also you need to unlock the phone for it to work it’s an extra layer of protection
Pretty sure all contactless forms of payment work like that
Giving a mock card sounds useful. I’d looked into that for paying online but I couldn’t find an open source way to do it.
I find it super convenient.
Also, it doesn’t have a limit. Pretty sure I bought my last car with contactless on my phone, but that was years ago.Why carry a contact less card when you can pay with your phone? Have you given it a try? I find myself without a card in lots of situations. Paying by phone is incredibly convenient. Lot harder to lose than a card too.
A contactless card barely takes up any space. It’s not particularly easier to lose either. I’ve never lost my card; I just keep it in my wallet, in my pocket, just like my phone is in my pocket.
Easy with one card, but it’s a different story when you have multiple cards. Transit pass, loyalty cards from grocery stores for discounts, credit cards for cash back rewards.
You know what takes up less space? Software on the phone that I’m already carrying.
There have also been occasions where I forget my wallet but still have my phone to pay with.
I’d still carry my debit card if I used phone in case I lose either as I would have the other. I think I’d be more likely to notice my phone is missing but more likely to lose the phone in the first place.
I’ve never tried it in part because I don’t trust my phone with it’s proprietary software, and I suspect there may be no open source apps to pay with.
Yes, it has an upper limit though as I discovered after cycling to the garage to pick up my car with just my phone. Triple cycling joy that day 🙄
Yes this depends on the linked card, the software you are using and sometimes vendor limits. Many banks have a cardless withdrawal from atm option as a backup if there happens to be atm nearby. These can have pretty high limits. There are also card generating apps like cash app where you create a cc number on the fly. In a pinch most vendors can easily split the cost of something across different cards if one is maxing out.
I’ve never used a contactless debit card. I already had a chip and pin debit card. Why are you, and others, using your contactless card to pay?
My Chip+PIN card has an RFID chip. Standard in Germany. Why would I tell, much less trust, google with my banking. Why would I let them skim data and/or a percentage off the transaction. Why would I choose a system with spotty acceptance, whereas I can use my girocard everywhere. It also doubles as 2nd factor for online banking.
I didn’t choose, my bank gave me a contactless card when my last chip and pin card expired (the card still has chip and pin which I use when contactless fails).
There’s no need to carry your cards if you already have your phone.
Also, unlike your wallet, if you lose it you can track it.
Do you not carry cash? My cards go with my cash, which I would carry anyway even if I could pay by phone just in case I’m out and lose one.
No I don’t. It’s all contactless here.
I can create a virtual card before every trip, use it via my phone and then cancel it after the trip, never worrying if my card got skimmed anywhere for one.
when you pay using the virtual wallet it automatically makes a mock id to the POS … at least in my country it does
For some fucking reason there is zero option for this type of secure virtual card in my country. And I hate it. A friend got skimmed for over $1200 a couple months ago.
I’m sure Google contactless payment works really well when the phone is dead. Or you drop your phone in a toilet or off a bridge. It’s far easier to loose a phone than a card in a wallet in your pocket. If you lose your phone, you also lose access to all your money.
I also carry a wallet? Cause, yknow, ID and stuff.
Phone is just way more convenient. Especially since I don’t have a limit on its contactless amount. Whereas with my card, I would have to chip&pin for anything over £40
Not a fan of google pay, but I gotta say, I lost way more wallets than phones in my life it’s about a 3 to 0 ratio (not counting purses I have lost before owning a phone.
You could use sandboxed google play on the main user or second user.
Still can’t use tap to pay
Do you pass play integrity?
Do you pass play integrity?
GrapheneOS, and other non-OEM OSes, do not. It’s kinda the whole point of the article/OP I linked.
Have you tried playintegrity fix?
Hell yes.
It’s fucking open source, this is no different from games with intrusive anti-cheat refusing to run on Linux, except it this case it’s not even a different OS.
It’s monopolistic and anti-user.
Ironically, if Graphene would succeed, it would lead to a system that’s every bit as locked down as a manufacturer’s Android. GrapheneOS would also not allow you to have root etc.
IMO Graphene wants a place at the big player table. They’re not in it for user freedoms.
A manufacturer’s Android can have special privileges for their own apps, and almost will certainly have special privileges for Google’s apps.
Graphene by default wouldn’t give special privileges to any app, so that’s at least a plus.
It’s true that it would be locked down, but you at least have a couple more controls over how locked down compared to a manufacturer’s OS.
Wow, I legit just ordered a used pixel yesterday to give graphene a try lol. Uncanny timing!
Anyhow, that’s great news! I can really see the EU sinking its teeth into this if nothing else.
Thankfully there are FOSS alternatives for apps like Authy. I recommend Aegis
For your banking app, you can use this list to check if it’s compatible: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/
Using the web app might also be an option.
Thanks for the tips, I’m a happy Aegis user already! Thankfully, my main bank explicitly doesn’t care about custom roms and I’m thinking I’ll just cut ties with the ones who do and let them know that was the reason at this point. Worst case scenario, I still have my locked down old phone.
I plan on doing the same thing, any tips on finding cheap recent-ish Pixels?
A brand new Murena Fairphone 4 (North America) is about $600 brand new, IIRC. I’ve been on one for the last 6 months and it’s excellent.
Stay away from both Fairphone and /e/OS/Murena. Fairphone fails hardware security in the most miserable way, and fundamentally breaks Android Verified Boot, while /e/OS is based on the highly insecure LineageOS, and it further rolls back security, while also repeatedly missing important security patches.
Also, 600 dollars is absolutely not cheap for a smartphone, and it’s especially not with it considering that both the hardware and software are highly insecure.
A Pixel can be purchased for much less, while being superior in every way.
Lineage OS is highly insecure ?
Yes, it is much worse than stock Android
https://madaidans-insecurities.github.io/android.html#lineageos
Thanks, I’ll check it out. I’ve installed lineage since it was Cyanogenmod on secondary devices for years. I dedicate them for audiobook playback and music playback. I’ll look in to it.
That kind of usage should be fine, it doesn’t really matter. Just wouldn’t use it for my primary mobile device.
I’m planning on flashing my One Plus 9 Pro with Murena’s ROM. I’m working on getting de-googlefied.
Perhaps consider DivestOS as well if it’s supported, seems to be a way tidier package when it comes to security and privacy.
Thanks for the recommendation!
I’m in an unsupported region so I’m afraid I can’t help much :(
In my case I just looked around a local eBay-like site and went with a reputable enough seller, fairly standard procedure there.
Where I am, Pixels are not sold officially either. I got a 7a for around $300. I picked a store with a physical office and made an order not through the site, but through said office. And at least could inspect the phone before buying.
Ah, that’s a nice way to go about it! I’d have loved to inspect mine beforehand as well but the only real way to grab one around here is importing yourself and paying 60%+ import fees on the damn thing or purchasing a preowned one. My living in a remote area also means there are none close by.
The Pixel 6a is really cheap on the used market, and it still gets updates for at least 3 years.
The 7a isn’t that expensive either. I recommend staying away from Fairphones, Murena or /e/OS as these are highly insecure, and the companies behind them have repeatedly proven that they don’t give even the slightest fuck about the security of their users. They don’t publish important Android security patches on time, and Fairphone even managed to fully break Android Verified Boot, by signing their ROM with the publicly available (!!!) AOSP test signing keys. It should have been impossible to pass verification, but the vendor conducting the verification seems to be just as incompetent.
A used Pixel with GrapheneOS is your best option, while still being affordable.
I would totally buy a Pixel too but apparently most Pixels here are black market and the IMEIs are banned so I don’t wanna risk getting one that can’t connect to cell networks
Oof that’s scary. Good thing I have a decent enough return window to at least make sure stuff like that isn’t the case, at least.
I’ve been using graphene for years at this point and it’s the best operating system I’ve ever had on a phone. Before this my favorite phone was a jail broken iPhone 5c. I even got a pixel tablet to take notes on for college recently and put graphene on it as well.
Only thing Google has right atm is leaving the bootloader on their phones unlockable.
Welcome! I’ve been on it for a month or so and I’m still so thrilled
Enjoy! For future reference I’d recommend just getting the latest Pixel as you’ll get the longest software support. E.g. a Pixel 8a is supported till May 2031, which is plenty of time to get a lot of usage out of your phone.
At the price of the Pixel 8a, I would suggest getting the Pixel 8 instead.
Personally I’m fine with 8as’ specs and don’t need any of the extra features of the Pixel 8 so I’d prefer to save the money and get an 8a. Plus 8as are supported for longer. Nothing wrong with getting an 8 instead if that’s what you want though
Right, I’d love to spring up for a 8th gen pixel but I live in an unsupported region and my currency is worth fuck all so I’ll have to make do with a secondhand 7 pro lol. Still fantastic longevity all things considered.
I’ll have to make do with a secondhand 7 pro
Ouch, that hits me right in the 7Pro feels lol. Make do, indeed, lolol.
Honestly, I don’t really need my phone for much so as long as the battery hasn’t degraded too much I’ll be more than happy!
I’m holding out for the 10. The 8 added mirrored display (so you can mirror your screen on a monitor… I’d rather this come with the Pixel Tablet 2 and the Pixel Tablet skipped it form some reason) and MTE, which GrapheneOS says is the most significant addition to security since they’ve started the OS. If those come with the 10, not to mention the 10 is supposed to have Google’s inhouse chip and not Samsung’s…yep, I’m upgrading.
Why does this call the problem by it’s name, monopoly.
Android is another area Google are abusing their monopoly. Sure the phone market is a duopoly, but that doesn’t help. Apple is even more locked down and user abusing.
Lots of app companies, like bank apps, think locking their apps to only work on official Android is best for security, but that compounds the monopoly. It’s also arguably less secure!
I don’t even understand. Am I getting this wrong?? Does the payment processing happen inside the banking app?! Because if so, that’s the bigger problem isn’t it? All the checks for correctness should happen on the servers that the banking app connects to, not the banking app itself. If that’s already the case, then what are they worried about? I’m probably missing something here, but honestly I just don’t understand why they would do that.
The app will almost certainly mostly be just wrapping a web interface. But this dedicated browser can provide the site with all the access of an app. The idea will be only this browser can be trusted to access this site and can check the run environment before connects. I’m they’d do the same on the desktop, if they thought it would be swallowed.
Here’s my take which i have not seen in this thread. When you buy your hardware it is yours you should be allowed to do with it as you please. If you want to wipe the device and install another ROM or os you should be able to. Much like the recent fight for “right to repair” not allowing you to do what you want with your property should not be allowed. As long as the manufacturer blocks your ability to do what you want with your hardware it isn’t really your hardware.
Unfortunately that line of thinking stops at the divide between hardware and software. You can legally make a phone manufacturer let you unlock a phone’s bootloader so you can install other software, and you can forbid them from denying hardware warranty because you installed other software. Both of which apply in the EU.
But you can’t make them have their software support or play nice with the other software that you install.
You also can’t force manufacturers to open up drivers if they’re under NDAs and proprietary licensing (which they often are, due to extensive cross licensing because everybody’s owning patents that can lead to everybody suing everybody if they were ever used).
This is why raspberry pi can’t use a single smartphone recycled screen despite having a DSI port and a billion oled touchscreens going to landfill.
Also, still is impossible to make Verizon unlock bootloaders
To combat this I think drivers, firmware, etc. should be acknowledged as being in the same category as spare parts, manuals, repair tools, etc. They are equally as vital to being able to repair your device, and therefore should be open sourced at the latest when a manufacturer pulls support. Of course I would prefer them to be open sourced immediately, but with how software IP works currently that seems like a pipe dream, especially for devices with very complex drivers, like GPU’s.
Furthermore, if the manufacturer wants to pretend that they’re selling you a perpetual license to use the hardware or whatever legal bullshit they came up with on the back of a cocktail napkin between lines of coke then they can’t advertise using the words buy, own or anything similar without explicitly indicating in the largest font that you aren’t the owner of the product.
yeah. like my manufacturers’ 3-year-old, full-o-spyware ROM is more secure than latest lineage.
they just want control, not security.
I have been using stock for a while, but I remember using magisk root to hide root to the bank app and I never had an issue
i do that but sadly it aint working anymore. they implemented a new google sanctioned way of blocking it that hasnt been cracked yet.
Myself, I use my bank’s web portal via my mobile browser. Not as instant as an app, but it gets the job done.
Culprit is: I need the phones app as second factor to log in to the web interface.
I’d just leave for a different bank at that point, although I get that it’s not always practical.
Yep been seeing more of that. Will just refuse to use it on my phone.
It’s been clear for at least 10 years that apps are about data harvesting not making something more useful or easier to use or more universal than a mobile website.
AFAIK that’s the way it has to be done in the EU…
graphene sandboxes Google services so they don’t run as root on your device. I haven’t encountered an app I can’t get running on graphene yet and having Google play installed as non root is a far sight better than stock.
my biggest problem with lineage was compatibility with banking apps so I reluctantly switched but graphene is a solid choice in operating system for privacy and security.
does it hide root/custom roms?
if so im interested.
not really. after enabling oem unlocking in developer options you just boot it while holding one of the volume buttons and you’re able to unlock the bootloader.
root is not typically available and you don’t need it for most uses besides development, but even then, I would recommend not using a phone you daily for that.
sure, but unrooted custom roms also trip the protections.
root can sometimes be used to mask that.
you’re already over my head but you can talk to the devs. they have a matrix chat they link on their site
Graphene is great, but I’m currently on a Xiaomi phone so I can’t run most ROMs, I’ll likely run derpfest when I get the bootloader unlocked
that’s one I haven’t heard of. how is it functionally?
I haven’t tried it yet, but it seems to have a lot of pixel features ported, I realized crDroid supports my phone so I might try that
What’s changed to make banking apps more necessary?
you cant use banks without at least their 2fa app on your phone
Ohh wow that’s wild
Thanks for the answer
same bs with apps not running jidt because root or apps not being visible in playstore because of it. Netflix isn’t even showing up as existing in playstore just because i have root. it’s nuts. and there are tons of apps like this.
Netflix and their DRM is so extremely stupid it’s incomprehensible. It only hurts normal users while the rippers have no issues getting the content.
You can fix most apps with the Play Integrity Fix module and denylist. You might have to hide the magisk app too. It doesn’t get 100% of them though, I still can’t figure out how my bank app is catching it. Plus I’ve had RCS stop working with that setup, so I have to keep it disabled to avoid missing messages
The apple music app checks for a specific binary. Could be something like that.
Second phone just for these things wouldn’t work for what you need?
That’s not exactly a great solution. It works, but it’s a shitty workaround at best.
Not disagreeing I was genuinely asking.
For me it wouldnt be too inconvenient but I barely use banks so my perspective is atypical
Two phones no sweat and no use for banks… Can i get a sack? 🤣
Dont know what you mean sorry
I did pull $600 out my sock at the best buy to buy my pixel recently tho lol
I do basically that, but with aSamsung tablet, then my phone can be for phone things, calls, messages, emails. Then if I’m out and about and need to check my bank, mobile hotspot to my phone and go from there.
thats what i do atm, but its a shitty solution when i have a perfectly good phone.
the irony is, my second vanking phone is probably less secure, because its stuck in an ancient version of android.
the only reason I’ve wanted to be rooted in recent years is when I didn’t have hotspot on my plan and the most complete way around that was with root.
I think I would like a degoogled Lineage/Graphene OS though
Why is stuff like that included not included in every plan by default? As a European, I can’t even imagine paying extra for that. If I want to hotspot my data, my operator can kiss my ass and simply allow it, I’m paying for the data anyway.
for this case it was a plan that’s pretty discounted and also unlimited without hard throttle. they don’t want people using it on computers or game consoles probably
As Kevnyon@lemmy.world said: @NetworkOperator: Kiss my ass. I pay your for service. You wanna restrict me, I switch my damn plan. If I use it on my phone streaming 4K stuff from my home server or watch 1GB of data over hot spot on my phone is not their business.
In less free countries the provider also provides the handset and locks it all down.
Wtf, plans locking down device features. That’s mindblowing.
We’ve started the process of talking to regulators and they’re interested.
Oh that’s great, they aren’t actually suing since that would be a pretty big money pit, they are going straight to regulators, something can happen.
FTC act is the most useful against this sort of behavior and only the FTC can file suit for that, not individual companies. I don’t think this could be filed as a violation of the Sherman act. See here for an overview: https://www.ftc.gov/advice-guidance/competition-guidance/guide-antitrust-laws/antitrust-laws
I wish you could slap a custom rom on whatever phone you want and it Just Works™ like you can slap linux on any PC, but instead we get apps that potentially don’t work, locked bootloaders, push notifications tied to Google Play Services, and whatever else. You can put Lineage on the EU version of my phone but not the US version because fuck you. I hate how corpo centric phones have become. Like Google shouldn’t be allowed to hijack my entire screen for an ad or an app update. The entire modern definition of “sideloading” is BS, apps have access by default to things that they really don’t need, and why do I need to use ADB to purge your pre-installed bloatware ffs
Not cool.
We can get same experience quite soon on laptops too when arm laptops&desktop will arrive toensd users.It gonna be lock down same as phones nowdays.
I do not like this prediction, because it seems like a plausible reality. Which would be awful.
risc-V laptops might compete with arm in a few years - maybe not for power users, but for most simpl use , or for those who will just ssh into real computer.
Yeah it would’ve been like that for pcs too if they weren’t around for quite longer.
ngl a unlocked bootloader would be a security nightmare but you can put any rom on any android 8+ device they are called gsi roms
How does one flash a ROM without unlocking the bootloader these days?
Shouldn’t that break Android Verified Boot?
A pure GSI image could use a Google key, I suppose, but others shouldn’t, right?
You have to unlock it fire and flash the gsi rom
ngl a unlocked bootloader would be a security nightmare
So, like a desktop or laptop? Sounds fine to me.
I’m not an expert, but I had an expert explain that an unlocked boot loader is only risky if you think someone nefarious is physically able to get their hand on your phone. Is that true?
Recently moved to graphene couldn’t be happier
I don’t care about these apps but it will only get worse over time if not addressed. I could see things as simple as Spotify, Netflix, etc. Refusing to run
I don’t use those services either but that’s not a future I want
I could see things as simple as…
Last I heard, the McDonalds’ app doesn’t work, of all things.
https://discuss.grapheneos.org/d/9123-the-mcdonalds-app-doesnt-work/
Wow, there you go then.
Literally 1984 (/s)
Can’t even order Donalds from your phone that you bought with your own money anymore 🫡
Neither does the BBC’s couch to 5k app, for who knows what reason.
I just want to buy a Linux laptop with VoLTE and be done with the product line “smart phone”. Unfortunately there is no such device (to my knowledge) and the only device that comes close is PinePhone Pro with docking station.
Agreed. I always loved the idea of the HTC Mini +.
Put the sim in your laptop, that’s the connectivity hub. The mini phone piggybacks the LTE connection so you don’t have to pull out your laptop for simple calls, texts, navigation or music actions.
You can put a SIM card in some older thinkpad laptops with that upgrade option. Some thinkpads have the slot for a SIM card but not the internal components to use it. So make sure to do some research if that sounds promising.
There are VOIP phone line services like JMP that give you a number and let you use your computer as a phone. I haven’t tried JMP but it always seemed cool and I respect that the developed software running JMP is open source.. The line cost 5$ a month.
Skype also has a similar phone line service. Its not open source like JMP and is part of Microsoft. Usually thats cause for concern for FOSS nuts, but in this context its not a bad thing in some ways. Skype is two decade old mature software with enough financial backing from big M to have real tech support and a dev team to patch bugs, in theory. So probably less headaches getting it running right which is important if you want to seriously treat as a phone line. I think Skype price depends on payment plan and where you live, so not sure on exact cost.
Neither is available in my region and Skype’s webpage does not mention making calls, only receiving them.
There are community made projects for the framework laptop that add LTE using an expansion card
Really the only thing holding me back from switching to GrapheneOS is that some of my apps fail CTS.
If a proper pathway is defined for custom ROMs I’d switch in a heartbeat.
Hoping this initiative leads to a reasonable outcome.
I’m running Graphene OS and its been solid. A few issues here and there with app compatibility but it is fantastic.