A custom ROM allows you to extend the life of your Android phone, but does it come with risks in 2024 and why isn't it more popular?
I am surprised that Google spends so much time tackling custom ROMs via its Play Integrity API. If only they paid that much attention to, say, curating the Play Store more, it'd be much better for everyone.
I think the main reason third-party ROMs aren't more popular is that Google and certain app developers fuck with people who use them. The article addresses the difficulties later on, but comes up short in my view on just how much of a hassle it is for someone who isn't a tech enthusiast who wants, for example, to keep an older phone up to date for security reasons.
I think the main motivation for Google is limiting user control over the experience. More user control leads to unprofitable behaviors like blocking ads and tracking, which is also the motivation for recent changes to the Chrome web browser that make content blocking extensions less effective. In all cases, companies that try to take away user control claim the motivation is security, usually for the benefit of the user.
Didn't read the article, but I hate this style of headlines with a passion. Using custom ROMs isn't even something controversial, yet they go out of their way to make it sound like they're breaking some social taboo or something. Why not a simple and concise title like "Advantages of custom ROMs" or "Consider installing a custom ROM"? It sounds like a meme speech pattern straight out of 4chan, except they're using it with zero self-awareness or irony. How about an actual hot take: journos who write like this are pretentious pricks that deserve to get replaced by ChatGPT.
The Play Integrity API is less about security and more about Google asserting their monopoly.
They do not want truly open source Android platforms to gain popularity, because there would be a high chance people would want ad blocking, which is a direct threat to their profit margins.
I hope EU takes regulative action to force Google to allow GrapheneOS, LineageOS etc. to be able to run the same apps without issues.
Magisk is a godsend. I just wish you could add a password protection to the bootloader and the recovery ROM (like the TWRP). That is the one downside to unlocking your bootloader. And you can't like unlock when you need and relock it because to unlock it erases everything. I know that is one more dark pattern from Google to make you keep your phone locked. If they cared about security they would enable a way to put a password to the bootloader.
Some of us like to tinker. We really get satisfaction from having a weird niche filled, even if it comes at the cost of stability and other issues. Heck, my custom ROMs used to be more up to date with security updates than phones that were older than one year.
I could use kernels that undervolt my processor to give me better battery life. It allowed features that even 5 years ago were on the custom ROM scene still very absent from modern phones.
But the most important part for me was learning, discovering. If I tried a new ROM I would spend hours going through certain ROM settings. If there is a glitch, learn how to diagnose and try to fix it, or learn to send a logcat to the developer.
It was like a fun hobby. I learned how to fix some of my old phones, like screen replacement, and learned how to cure UV-reactive glue. So many other things and I was just a noob.
But it gave freedom. I understand iPhone and the other high brands are easy to use, have gimmicky features and all, but dammit I have freedom to have my weird niche phone, with multiple breaking features and I loved it because it just worked.
If Google truly did hold security as its main concern, it would have opened the Play Store, yet we know now they only wish to protect their monopoly.
This is what motivates me, too, though you go in more than I. I love having my degoogled Pixel 2 XL on Android 14 and running almost as snappy as my Pixel 6.
I finally gave up on my Moto X 2013 about 2 years ago, but I still have it. It's like holding a river stone that perfectly fits my hand.
This is a very complex topic that is very hard to draw the line on.
As a technical person who follows hacking and security news, I can understand why Google introduced the API and warnings, as phones are getting hacked and unlocked bootloader or root can be abused to keep your malware going, and has been abused in the past.
But as a user of Fairphone/LineageOS, who tells Google, Apple, Meta, ... all of them to fuck off when I can, this scares me. The lockdown of devices can and is going too far. Hell, I even consider Samsung's Android UI changes to be going too far, as it changes a shit ton of stuff and really is not a stock Android experience. It locks users in their environment.
I find it funny that Google and some banks are so worried about security on Android that I have to have up to date system, app and can't be custom ROM, can't be rooted and whatnot. And then they'll allow you to login to their bank from Internet Explorer on XP or some shit.
My Linux computers are rooted. I can get root any time I need it and nobody is refusing to offer their services on Linux because it is vulnerable.
Nobody ever points out that when any app wants root, you get a dialog to ask if it can have it. If you don't know why it's asking, say no. It ain't rocket science.
Now, if you are going through customs and you don't want them to copy your phone and read all your personal documents, that is a different situation. Lock your bootloader unrooted and encrypted to the nines. Preferably use a phone with almost nothing on it.
Stock Android experience is the exception, not the norm, sadly. Some manufacturers like Motorola or HMD have a light touch and close to stock but other ones don't. The worst offenders are Chinese brands who twist it so much and without much benefit (at least Samsung's One UI is customizable as heck, can't say the same for Realme's).
Can you cite examples of rooted smartphones leading to significant data breaches or financial losses? When the topic comes up, I always see hypotheticals, never examples of it actually happening.
It seems to me a good middle ground would be to make it reasonably easy (i.e. a magic button combination at boot followed by dire warnings and maybe manually typing in a couple dozen characters from a key signature) for users to add keys so that they can have a verified OS of their choice. Of course, there's very little profit motive to do such a thing.
Pre-locked bootloader times, I've had multiple Android devices be passed to me that were malware infected that changed the ROM in a way that even a factory reset would not remove the malware. Locked bootloaders made it so the ROM needed to be signed and unaltered on boot, fixing this. Root access also means apps can use and access APIs in Android that it normally can't, changing settings and things inside Android it shouldn't. What do you think happens when malware comes in? :p
IMO, I agree with what you said. Bootloaders should remain locked but you should be able to somehow, in the bootloader, be able to add the OS's signature/keys to the bootloader's trusted stuff like how secure boot on a PC keeps OS signing keys and verification stuff inside the TPM.
This way you can install LineageOS for example, tell bootloader to trust it, and lock bootloader again so nothing can be changed anymore.
I wouldn't take this from user input, as that is controllable by malware, but rather come from the OS itself. Maybe even during installation, idk.
I'm still using LOS and still fight with Google over Play Integrity from time to time. There's a fairly new patch that spoofs the fingerprint of the phone and fixes the issue entirely for me (Play Integrity Fix by chiteroman); as long as it's updated, my gPay still works. I prefer using custom OS because it's much more customizable and has little to no bloatware. Any unwanted apps can be removed. I can route my VPN to my WiFi hotspot, in order to get full speed tethering. (I'm a T-Mobile user and they throttle.) I have a system-wide ad-blocker that uses the hosts file. I have the ability to allow root to only some apps, and deny it to others.
To me, it's worth doing. I have no internet at my house, so I primarily use this to get online. The stock T-Mobile firmware is laggy and loaded up with their apps you can't delete. You'll get the "3G speeds" hotspot and their annoying branding on everything.
Why do you use a digital wallet? For me, money is one of those things I literally can't allow to fail; growing up poor means it's still a touchy subject. A digital wallet adds extra risk of payment failure every time it is used.
So, what does a digital wallet add that makes it worth not just the effort of setting it up in a stock system, but also in a custom ROM where it is actively broken by the app developers as a form of "security"?
For reference, I still keep cash on my person in case my cards (or their machine) fail.
I know I posted this on your comment, but I would love to hear everyone's answer to this.
i have yet to use one of these digital wallets but i would imagine a large part of it is "because everyone around me is doing it." not necessarily herd mentality but the social shift of it making checkout processes faster so if you're using cash or a card, you're inconveniencing the people in line behind you (however rational that may be is another topic).
i live in a semi-rural area and have seen very few instances of someone paying with their phone. it's so rare here, i'm not even sure how the process works. tap to pay with a card has only recently been more normalized here. however, when i travel for work to big cities, it seems like the only times cards are used is when there is a large group meal at a fancier restaurant.
i also carry a small amount of cash in case my card fails or a card machine is down but it's very rare to see cash used here as well, except for personal payments. even then, third party pseudo-bank apps are consuming that process (cashapp, venmo, etc.).
i'm not trying to justify any of these payment processes or mark one as better than the others. it's just an observation.
Well, I totally could live without it. It's just nice to have in case I don't have my card/cash as a last resort kind of thing. All I do is add the Magisk patch, and add Shamiko, keep it somewhat updated, and it'll work 99% of the time I use it. As for Google, they probably do this to reduce liability on their end if something does happen. I haven't heard of any issues from anyone so far.
For me digital wallet is a bit more convenient than using my real wallet, but not essential. I have one credit card that I use all the time, but it seems my bank hasn't bothered to make it work with NFC payments yet for some reason, but it works with Google Wallet so that's nice.
I also always keep my wallet with credit cards and a little bit of cash as a backup. One time I was out at a bar and there was a power outage. They were still serving drinks, but instantly all transactions switched to cash only. I think it makes a lot of sense to have backup options.
The opposite can be good too -- your phone as a backup just in case you forget your wallet.
It's probably not entirely been worth the effort to stay up to date with changes whenever Google breaks things. At some point I may stop. I guess one immediate value has been that watching things unfold has hastened the souring of my view on Google. I am now frequently looking for ways to avoid their ecosystem, and avoid big companies / non open source in general. I'm far from ready to leave the ecosystem on every front. But at the very least, I would never recommend a Google product in my professional life at this point, at least not without careful planning of an exit strategy.
Last time I used one was because I forgot my physical wallet and needed to pay for something. I don't want to tell Google about my shopping habits, but I like to have options in case of emergency.
I'm running LineageOS (with GMS), Magisk, and Play Integrity Fix.
I'm not dealing with all this tracking and surveillance bullshit on a regular basis. No digital wallets, no mobile payment. Cash as much as possible. Where I live most stores allow cash withdrawal, I'll literally rather withdraw cash in one go and then pay with that cash at the same checkout to sever the link between me and the purchase. I do keep a modest amount of cash at home.
I feel the way you do. I always keep some cash, don't bother with those cash apps, and use a credit card with a good cash back plan. To me the cost of going digital in this area outweighs all benefits.
I used custom ROMs for many years, but I now use my phone to pay almost everything, and I need my banking apps. Magisk Hide is unreliable so I won't be rooting my phone again, I think.
Same. Those features are more important than anything I get by rooting.
Honestly I don't even need root for anything. Adblock runs through a fake VPN app. My Pixel used to have a green screen tint, but Google fixed that at the OS level, so I don't need to have an app for that any more.
I think people that take that approach to life are partly ruining it for us all. You're selling your privacy for convenience and in the process legitimising the removal of (what I consider) more ethical and reasonable solutions.
Google doesn't want distributions of open source Android without Google services to be a viable option for mainstream users because that would reduce their ability to extract profits from the Android ecosystem.
While the focus is surely more on OEMs than end users at this point, I'm sure Google wants to keep the difficulty level for end users high enough that it remains niche.
I’m sure Google wants to keep the difficulty level for end users high enough that it remains niche.
I really do not think they need to. We tech communities massively overestimate the desire and even contextual awareness (and desire to have such awareness) of regular users to engage with these topics.
Keep in mind that the vast majority of Firefox users - a browser inherently more used by tech-savvy people! - have 0 addons installed. And probably 0 desire to change this. Or to even waste thought seconds on considering whether to change it.
To users, smartphones are tools. Like hammers. If it stops being a useful hammer, do you take the head off and re-forge it? No, you buy a different hammer that does what you need it to do.
There will be a big enough issue if people start saying how they've got theirs with no issues. The primary motivation for people not bothering with Linux is because Windows "just works" and Linux presumably was work. If degoogling stopped being work, then more would do it.
Linux has become extreme easy mode as well as a polished non intrusive experience and people are really drawn by that!
If the day comes when LineageOS (with microG) becomes unusable for me, I will just switch to iPhone. I hate Apple, and I've been using custom ROMs since Cyanogen in 2010, but there's no way I would raw-dog a Google device.
Luckily there's GrapheneOS for the Pixels. I'm thinking about buying a refurbished Pixel since my Poco X3 Pro with Lineage OS is having ghost touch issues. The only thing holding me back is less screen real estate.
I would probably switch to Huawei OS device. No Google by design.
In fact - I might in either case, there are just too many shitty things Google does to Android.
Extremely pedantic whining over the term "ROM", but when has a custom Android distribution ever dealt with "read-only memory"? Is or was there some immutable component of Android that could be interpreted as read-only?
Also I switched from iPhones to Google Pixels running GrapheneOS four years ago and I've never looked back, it's really solid and gives me the amount of control I expect and demand over hardware I've purchased upfront. Pedantry aside, I strongly recommend GrapheneOS.
Do you use it on a Pixel? Last I read, that's the only officially supported phone. It feels ironic giving Google money for a phone so you can use deGoogle more.
Don't get me wrong, I'm all for it, I just wish it supported more devices.
I do, yes. First on a Pixel 5 and then (and currently) on a Pixel 8 Pro.
The purely emotional icky feeling of giving Google money is far less important than the tangible security, privacy, and usability upsides of GrapheneOS on a supported device. But if that's important to you, just buy a Pixel secondhand, Google gets no money from that.
I wish more devices were supported too, but my understanding is that only Google makes devices that are both secure and open enough.
Payments don't work, because of the Play Integrity API. But the bank apps that I use do work, even though they didn't in my previous phone that was running a custom ROM with Magisk to hide the tampering. GrapheneOS supplies their signatures so that app developers can support it, but I imagine not all will.
For me it has been a great experience so far. Installation was easy and fast, the privacy settings are great and almost everything works for me just fine. I had a couple of issues that I was able to fix by searching for it on their forums, which is quite active.
Two credit union apps work fine, Venmo and PayPal work fine.
YMMV with other financial institutions but it's not been a problem for me so far.
To answer your last question, there's way too many differences for a Lemmy comment, so I suggest reading their features page for a broad overview: https://grapheneos.org/features
One feature that's closest to your question, though:
Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access.
It’s firmware, hence why the word ROM stuck. Once you flash the firmware to specific partitions, after the boot you can no longer modify it, unless you have root too. Technically nothing is ROM, there is always a way :).
I moved to Android for the 1st time ever in 2020 from an iPhone 6s.
The device I decided to go with is a Poco F2 Pro which lost official support years ago, it has decent hardware and even the battery still holds up (with a good custom ROM, I still achieve 8 hrs of SOT).
It just took me about a year, or perhaps less to move to the custom ROM scene, and for me I can't ever go back to stock Android ever, even when it is a big step regarding iOS features (except for LS customization) the amount of stuff you can do with rooted android device is no joke.
My only regret is that I was never in the prime days of rooting... At least Telegram communities are super active, not that it is better... But personally I prefer it to Discord lol.
I was in the prime days of jailbreaking though, too bad that they seem to be doing worse nowadays.
Having a superior backup and restore method, Swiftbackup rooted is way better than Google's solution.
Hassle-free ad-less YouTube (and YT Music): the root apps (Magisk or KSU) come with a way to auto update, so, from the user side I just hit update and I am good to go, no need to waste time patching the APKs myself.
I can replace the Google news from the side/left menu with whatever app I like, in my case, the Feeder app.
It's true what you say, the golden days of rooting are over. I rooted my phone just so I could set a battery charge limit, but a recent update for the ROM I'm using (/e/ os) added that feature natively lol. Pretty much the only thing you can do nowadays with root is install tweaks that hide the fact that you have root from other apps lol.
Pretty much the only thing you can do nowadays with root is install tweaks that hide the fact that you have root from other apps lol.
While it is true that you can install those modules to hide it, I wouldn't say they are the only reason to stick with rooting lol, a lot of apps work way better with root permissions, Battery Guru, FKM and AdAway are 3 good examples that I can think of right away.
I install custom ROMs on every device in my household. How concerned should I be? None of them are rooted. Would disabling Play Integrity via adb fix this?
I see. Personally I have no concerns since I don't even use G-apps at all. However I don't want anyone to come to me with a problem either, which currently none I believe.