Most vendors (at some level) allow flashing custom distributions, as long as you didn't buy that device from a carrier: https://github.com/zenfyrdev/bootloader-unlock-wall-of-shame...

You will lose DRM-based apps (e.g. Netflix), Payment apps, and bank apps though.

This is the place where I think lawmakers need to be involved. Bearing in mind that laws aren't engineering specs, being able to pay for things and use a bank are about as close to fundamental rights as anything is for participants in society. If you have to buy a second device to use Netflix, so be it, but we need laws that guarantee people can make digital payments without Apple or Google's permission.

There are societies today (I live in one) where some businesses are starting to accept payment only through a banking or payment app, no cash, no card, nothing else. And these apps will only function in the very narrow circumstances of "I bought a device which runs software from one of two American tech monopolies and follow all their frequently changing rules for using various software that's unrelated to the payment I need to make." This limitation is mostly in place due to the banks believing it will make things more secure. Security is important, but not important enough that you get to start denying innocent people the ability to make payments or exile them from the banking system because they had some kind of dispute with Apple or Google. Governments need to step in with access mandates here, otherwise this problem WILL come to a jurisdiction near you sooner or later.

> Security is important

The argument that this is actually a security benefit is a farce. It doesn't do anything. If the device is compromised then it's going to capture your password and send it to the attacker without attempting any attestation. So the only time the attestation is attempted is when the device isn't compromised.

Yes, if it was a measure of device security they would revoke attestation of devices that are behind on security updates. But no, a 5 year old device that never got security updates is A-OK according to Google but a completely up to date custom ROM is not.

It's clearly not about real security. It is about control. You follow the rules and get Google's blessing or no SafetyNet for you. These rules include things like ensuring that the user can't access their own data without the controlling app's permission.

> Yes, if it was a measure of device security they would revoke attestation of devices that are behind on security updates.

The new attestation system Google introduced recently (which I think also more strongly forces hardware-based attestation for phones that support it and is therefore more difficult to bypass) actually does that – the very highest attestation level requires running a security update not older than one year if I remember correctly.

What remains to be seen is how much that'll get used in practice – users with rooted phones or custom ROMs are rare enough that a lot of vendors seemingly have no qualms excluding them, whereas users with outdated phones are probably a somewhat more sizeable number.

I think you are right that it is about control.

Let me offer another perspective. The OS vendor actually has significant control over your device. They could plant backdoors in different layers of the OS.

Therefore, in their defense, if the OS doesn't come from a trusted source (in the bank's or Google's point of view), your bank's credentials are essentially compromised.

You could argue that there are backdoors either way. They are just controlling which party gets to plant the backdoors, after all.

> Therefore, in their defense, if the OS doesn't come from a trusted source (in the bank's or Google's point of view), your bank's credentials are essentially compromised.

"Compromised" means that someone has them who will use them for unauthorized activity. When your device is infected with malware because it's running the same version of Android it came with that hasn't received a security update in several years, entering your credentials into that device will cause them to be compromised. When your device has a custom ROM that isn't sending your credentials to anyone it isn't supposed to, they are not compromised.

But the first device passes attestation and the second one doesn't. Moreover, that is the common case -- the version of Android that came with the device is likely to be older and have more vulnerabilities than a custom version installed later. Which means that passing attestation isn't just uncorrelated with uncompromised devices, it's actually anti-correlated with them. Requiring it is forcing users to keep and use the older OS with known vulnerabilities on that device.
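The two points made in this thread, that the highest Play Integrity level also depends on patch freshness and that a stock device with years-old patches can still pass the ordinary device check while a custom ROM cannot, are easiest to see from the relying party's side. The following is an added example, not code from any bank or from Google: it evaluates a decoded Play Integrity verdict (the `requestDetails`, `appIntegrity` and `deviceIntegrity.deviceRecognitionVerdict` fields are the API's real ones; the verdict payloads, the tier names and the step-up policy are constructed for illustration) and shows a policy that steps up authentication rather than locking users out.

```python
# Labels the Play Integrity API returns in deviceIntegrity.deviceRecognitionVerdict.
STRONG = "MEETS_STRONG_INTEGRITY"   # hardware-backed; per the comment above, also needs a recent patch
DEVICE = "MEETS_DEVICE_INTEGRITY"   # Google-certified build, locked bootloader; patch age not checked
BASIC = "MEETS_BASIC_INTEGRITY"     # weakest check

FRESHNESS_MS = 5 * 60 * 1000  # our own replay window (assumption); the API does not mandate one

def classify(verdict: dict, expected_package: str, expected_nonce: str, now_ms: int) -> str:
    """Map a decoded Play Integrity verdict to a tier: strong/device/basic/none/reject."""
    req = verdict.get("requestDetails", {})
    # Bind the verdict to our app and to the nonce our server issued, and require it to
    # be fresh; otherwise a verdict from another app or an old session could be replayed.
    if req.get("requestPackageName") != expected_package or req.get("nonce") != expected_nonce:
        return "reject"
    ts = int(req.get("timestampMillis", "0"))
    if ts > now_ms or now_ms - ts > FRESHNESS_MS:
        return "reject"
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    for label, tier in ((STRONG, "strong"), (DEVICE, "device"), (BASIC, "basic")):
        if label in labels:
            return tier
    return "none"  # custom ROM / unlocked bootloader: the list comes back empty

def login_policy(tier: str) -> str:
    """Relying-party policy (our own choice): step up instead of hard-blocking, so a
    custom-ROM device still has a path through an OTP channel or the web app."""
    return {
        "strong": "app-login",
        "device": "app-login+sms-otp",
        "basic": "sms-otp-only",
        "none": "web-banking-or-branch",
    }.get(tier, "deny")

def constructed_verdict(labels, nonce="n-1", ts=1_700_000_000_000, pkg="com.example.bank"):
    """Build a constructed (not real) decoded verdict for demonstration."""
    return {
        "requestDetails": {"requestPackageName": pkg, "nonce": nonce, "timestampMillis": str(ts)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
    }

if __name__ == "__main__":
    now = 1_700_000_000_000 + 1000
    # Stock device whose last patch is years old passes DEVICE but not STRONG;
    # an up-to-date custom ROM passes nothing at all.
    for name, v in (("old stock", constructed_verdict([DEVICE, BASIC])),
                    ("custom ROM", constructed_verdict([]))):
        tier = classify(v, "com.example.bank", "n-1", now)
        print(name, "->", tier, "->", login_policy(tier))
```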

> If you have to buy a second device to use Netflix, so be it, but we need laws that guarantee people can make digital payments without Apple or Google's permission.

The reality is, however, that if you look at active current projects, being able to use digital IDs to access fundamental freedoms like communication without child safety rails in Europe is going to require Apple or Google's permission, because politicians like it that way.

You can think things should happen in a way all you like, but they are not going to, because governments have vested interests in the opposite direction.

Secure boot and OEM bootloader unlock should be able to work with images so you can lock a phone after the upgrade again.

I managed to get a US refurbished Pixel 2 somehow with a fuse-locked bootloader here in Ireland. I bought it second hand but I've no idea how it got that way. But I'm stuck on the Pixel image and I wanted to use it for ROM testing etc.

You can relock the bootloader but it still fails the SafetyNet check since it's not running an "official" OS signed with the manufacturer's keys.

Yup, it will, but this is where some legislation might help to get certified 3rd party ROM images that will pass. It's a tricky topic though.

This is outside of my area of expertise. I know there are i.e. banking apps that will disable themselves if you're running some unofficial 3rd party Android derivative like LineageOS. Are you saying those apps would work again if you perform some kind of secure boot locking procedure?

It does vary. TWRP/Magisk can enable apps, but it's case by case.

Even phones from Motorola require you to literally ask permission to unlock your bootloader via a form on their website, which they then unlock remotely or you enter some generated code.

Other manufacturers do the same, where you have to wait a period of like 45 days before being able to unlock, and then have to ask permission on their website to unlock your bootloader.

And good luck unlocking anything over 5 years old because the updated website doesn't support what you've got. Been there, it sucks.

To be fair, for "anything over 5 years old" you can probably find a privilege escalation exploit.

Do tell me when you find one for unlocking the bootloader of an LG G6, been looking for one for a few years now :)

A 1st gen Verizon Moto X bootloader unlock would be nice as well.

The question is not "being able to", the question is "being able to with a reasonable effort".

Wandering the web to find an exploit is way beyond my spare time.

That might get you root but not a bootloader unlock.

Many of them are actually not bootloader locked.

IIUC the OG Verizon Pixel has an unlockable bootloader, but the operating system doesn't let you unlock it, meaning root access should allow unlocking the bootloader.

Some devices have a legitimately locked bootloader, which means you're SOL.

There are privilege escalation CVEs in bootloader code too. I remember unlocking some very early locked bootloaders this way in the early days of Android.

So much rarer now. It's getting more and more locked down unfortunately.

A lack of security vulnerabilities isn't really a matter of being "locked down" but rather "not broken".

IIUC that is because malicious actors were buying phones in bulk, flashing them with backdoored/malicious operating systems, then re-selling them to people.

Not in markets without significant Huawei and Xiaomi presence. Local banks (Czech Republic) are not using integrity APIs to keep being usable for most clients.

Most DRM / banking apps work fine for me through the browser and you can add them to your home screen. Android / Samsung Pay will stop working, but if you have a Garmin watch, you can still pay with that.

But this is changing. Already in multiple countries (and soon possibly EU wide) there will be only Play Integrity (strong verdicts) to enforce availability of many services (if not using iOS, which is the same locked-in syndrome).

Yes, some banks still allow classic clunky 2FA (SMS, card readers, sometimes SIM generators) but it'll all eventually go away in favor of a "locked and favored" OS unless legislation fights against it.

Only for now. Google did push the Web Environment Integrity API, which is basically "Play Integrity API for Chrome," that helps websites check if the OS, browser, or installed extensions are "safe".

Fortunately, they backed off and decided to abandon the proposal after massive backlash. But we don't know when we will see a 2.0 version of that.

That small little caveat already makes it a non-option.

Android and said manufacturers purposefully do everything in their power to make this as awful as possible.

For example, you can't relock the bootloader on any device except pixels. Why? No reason. Just fuck you, I guess.

That's a huge security hole that they're creating, intentionally.

What's going on is they are hoping that if you do use other software that you get malware or get scammed. They are literally, actually, undermining their own device's security just to send a message.

These people are psychotic.

Bank apps work fine (at least UK ones) on GrapheneOS installed via the Play Store.

I wouldn't want the bank to access my phone, so it doesn't matter that the app doesn't work, and in the weird case where you urgently need to transfer your money to scammers while not being at home, you can use the bank's web app.

There are at least a couple of banks or credit card companies in the UK now that only offer mobile apps, as well as those now using push MFA with their apps for every large purchase. Recently I needed to install an app from the UK government to prove my identity via camera to renew my driving license, and that doesn't work in GrapheneOS either. I can do it in person (for now) but there is an extra fee.

All the banks I use have a web app, although it can be somewhat limited, but I don't need any advanced functions anyway.

> as well as those now using push MFA with their apps for every large purchase.

Our banks use SMS OTP (not required for mobile app) for all operations - I assume otherwise the amount of fraud would be exorbitant.

> Recently I needed to install an app from the UK government to prove my identity via camera to renew my driving license, and that doesn't work in GrapheneOS either. I can do it in person (for now) but there is an extra fee.

Interesting that the government relies on a proprietary, foreign platform.

Banks are all moving to MFA through an app, which then needs Play Protect, which then maybe needs TWRP/Magisk.