But all the software is closed source, and there is little to no opportunity to verify all these security claims. You don't have the encryption keys, so effectively the data is not under your control.

If you want to see security done well (or at least better), see the GrapheneOS project.

GrapheneOS also doesn't give you the encryption keys. If you run the official version, there is no way for you to extract the data from your device at all beyond what app developers will let you access. This means that you do not own the data on your device. The backups are even less effective than Apple's, although they say they will work on it.

The developers also appear to believe that the apps have a right to inspect the trustworthiness of the user's device, by offering to support apps that would trust their keys [1], locking out users who maintain their freedom by building their own forks.

It's disheartening that a lot of security-minded people seem to be fixated on the "AOSP security model", without realizing or ignoring the fact that a lot of that security is aimed at protecting the apps from the users, not the other way around. App sandboxing is great, but I should still be able to see the app data, even if via an inconvenient method such as the adb shell.

1. https://grapheneos.org/articles/attestation-compatibility-gu...

For some reason they don't release userdebug versions, which was a dealbreaker for me (the device should be secure, but not against me).

But if you wish to build it from source, it could probably be a good option.

You can re-sign it using https://github.com/chenxiaolong/avbroot

I don't currently have any root on the phone, but I reserve the right to add it or run the userdebug build at a later date

We could use it to install magisk, but that wouldn't make the build a proper "userdebug" one.

I fully agree with your original comment - the AOSP security model is NOT a proper solution to the security problem, and I'd add to it that it was also designed to be anticompetitive - Google can do what third party apps can't.

Android architecture is tainted by Google's business model and it shouldn't be used as an example of a secure operating system.

> The developers also appear to believe that the apps have a right to inspect the trustworthiness of the user's device, by offering to support apps that would trust their keys [1], locking out users who maintain their freedom by building their own forks.

That is not a bad thing. The alternative is not having apps that do these checks available on the platform at all. It’s ridiculous that someone should expect that every fork of it should have that capability (because the average developer is not going to accept the keys of someone’s one off fork).

If there’s anyone to blame, it should be the app developers choosing to do that (benefits of attestation aside).

Attestation is also a security feature, which is one of the points of GOS. People are free to use any other distribution of Android if they take issue with it.

Obviously I could be wrong here, this is just the general sentiment that I get from reading GOS documentation and its developer’s comments.

> Attestation is also a security feature

I don't actually disagree with this. The auditor is a perfectly valid use of it. It's good to be able to verify cryptographically your device is running what it's supposed to.

The problem is when it transcends ownership boundaries and becomes a mechanism to exert control over things someone doesn't own, like your bank or government controlling your phone. It is one of the biggest threats to ownership worldwide.

Note also that getting "trusted" comes at the cost of other security features, such as spoofing your location securely to apps:

https://news.ycombinator.com/item?id=44685283

You were not going to be able to use those apps anyways, so what does it matter to you? I, and I suspect many, agree with the purpose of attestation. The problems around it are strictly around establishing good ways to teach apps who they should trust, not around attestation itself. By putting your head in the sand, you'll never improve the situation.

> teach apps who they should trust

Ah, the apps^Wgovernment (look at that page, most of it is government IDs) should be able to discriminate against me for daring to assert control over my own device. And GrapheneOS is saying:

Hey government! We pinky promise to oppress the user just the same, but even more securely and competently than Google/Samsung!

> what does it matter to you

It shows that the developers maybe don't fully have your best interests at heart?

The way I look at it is that there is certain software that other entities aren't willing to let you run without assurances that it won't be tampered with. You don't necessarily have a right to be able to use that software if you cannot provide it suitable accommodations. It's your choice whether or not you want to run it, anything else is simply entitlement. This may seem annoying if it's your bank, but ultimately it's their choice to make. The current approach makes certain things painful, like trying to customize your OS, but that's a problem worth solving rather than just ignoring. More software will start relying on this over time. At the end of the day trust is a hard problem to solve.

> It's your choice

Ah, classic false choice. Do you know it is illegal to do cash transactions over a certain amount in most Western countries now? In my mind, if I have a right to do something (buy a home), and there is only one approved way to do it, then I automatically have the right to use the approved way.

Similarly, having a government ID might technically be a choice now, but it won't be soon with all this age verification BS rolling out. So no, this is not entitlement. Your argument would work for anticheat in online games or DRM media, but not banks or government services.

I know this argument is used a lot, but it really doesn't make sense to me. A government is expected to give you reasonable accommodation, but it's not their duty to let you run their software via a means they don't trust. It's convenient to use their app, but again not required.

Having controls is part of participating in society. I don't believe you should be able to make large transactions in total anonymity either. It's robbing you of a freedom, but society has deemed it a worthwhile tradeoff for preventing crime via money laundering and whatnot.

Yes, how can we verify this? Who says three-letter agencies have no access?

We can't verify that the Pixel phones are safe. Nor can the GrapheneOS people, because they don't know everything that's running in the Google Tensor SoC, and they don't have the source code to the firmware running in the Samsung Exynos cellular modem.

Neither can we with Apple phones.

But we can go to great lengths in verifying GNU/Linux phones with available schematics.