Does it really not work though? While not the absolute best for security, the recommendation being considered here does increase privacy, considering how privacy-disrespecting stock ROMs are.
What actually important, critical, sensitive data do Samsung devices collect that can't be disabled, blocked, etc.?
Let's exclude Google Play Services data collection because for most people avoiding Google Play Services is unrealistic.
You're still fighting the system hoping that it doesn't turn itself back on every few updates (which it does).
What's next? You're gonna say that Windows is also good for privacy because technically you could disable the spying?
After you get a Samsung device, delete/disable everything that can be normally deleted/disabled without any ADB nonsense, opt out of everything you can, use DNS filtering on a device or even better on a router, etc.
What does Samsung collect after all of that? It has to be something that would make it worth sacrificing your security, device integrity and stability by flashing LineageOS.
Fighting the OS is using ADB to do all of that goofy stuff that doesn't work, breaks things or makes stuff come back after an update.
As I pointed out, Samsung can simply lock you out of your phone. Even if we were to grant that they don't access sensitive data, they may simply lock you out of it…
I assume you're not realizing that Pixel devices are not sold everywhere and importing one might cost you thousands of euros/dollars.
Leaving that aside, in many countries walking around with an expensive device you run the risk of getting mugged and possibly being stabbed in the process. Not fun… It's not at random that some tourists who have flagship phones get something cheaper that can blend in when they visit places like Brazil. This is to say that it's not just about being able to afford it. Sometimes you just need a cheaper device.
If you exclude Play Services, you are probably right. But if someone is really interested in improving their privacy, isn't running a phone without Play Services one of the best, easiest ways to do so? I'm not going to say anyone is right or wrong for making a choice on this, but for me getting away from Play Services is probably the most important thing when choosing my phone and OS.
Doesn't this come down to threat model to some extent? I agree that security and privacy correlate, but not perfectly, and particularly in a case like this where budget is a factor. Someone could legitimately prefer a de-Googled phone with worse security or a Googled phone with better security.
I do want security, but for me all the security in the world is useless if Play Services is constantly reporting on me.
I'm neither rich nor poor. If I really wanted to I could afford a Pixel and I live somewhere safe enough that getting mugged for it is probably not a big concern, though certainly possible. All the same, there is no way I am going to spend hundreds of dollars on a gadget which I could easily drop, lose or smash in a dozen different ways every day. My threat model is based on avoiding as much commercial and government mass surveillance as I can, not anyone targeting me specifically, and the price premium of the holy grail Pixel+Graphene is not worth it.
I am not at all concerned about evil maid attacks - I'm just not that interesting, nor is the data on my phone that sensitive. I would rather not share that data with anyone, but there is probably nothing on there which would ruin my life if someone got hold of it.
The idea that I might lose my phone and someone who finds it is able to see the contents is of more concern than an evil maid attack, but even if encryption doesn't protect me, I'd rather take that risk than accept Play Services day in, day out. For someone else, with more of their life or more critical data on their phone, it might be different, of course.
It would be great if someone knowledgeable could clarify whether or not encryption protects user data on an Android phone with an unlocked bootloader.
With non-stock ROMs you could get more years of support, right?
At the risk of derailing this thread, I do want to address this point by mentioning that there is a reason why the "Operating Systems" category on the Privacy Guides recommendations page is positioned lower than almost all of the other categories:
The reality is that the many layers of tools you use on top of your operating system have a much greater day-to-day impact on your privacy than your operating system itself does (e.g. generally, most people would be better off doing something like switching from Gmail to ProtonMail, rather than switching from LineageOS to DivestOS).
There is another comment by @jonah in a different thread that explains a little more about this reasoning if you're interested.
Well, not really. Custom ROMs can update and patch just the OS, but if the vendor stops supporting firmware and driver updates you're still left with a vulnerable device.
That's fair enough and I admit I accidentally exaggerated the benefits of getting rid of Play Services. If someone is still using Gmail or Facebook or whatever then that is definitely more of a concern in general than the presence of Play Services. That said, I still feel PS is so intrusive it is of special concern even if it is not one of the biggest wins possible.
I agree, and so I definitely think that it is preferable to have a stock ROM with a locked bootloader over a custom ROM with an unlocked bootloader.
locked bootloader with stock == tons of malware
smh
I have also often made this point in the past with respect to Desktop OSes and specifically choice between Linux distros where the differences wrt privacy are quite small.
But personally I feel that that logic applies more to desktop operating systems than it does to mobile, because (1) the #1 OS is made by a data harvesting company and heavily integrates Google services, and (2) mobile OSes have so much baked into them that often cannot be easily changed.
With that said, I'm referring mostly to the major corporate mobile OSes; the differences between custom ROMs with respect to privacy (not security) are probably less important than other factors.
I also want to add that to some degree there is a psychological aspect to this as well. Because your OS is so foundational and core to your digital presence, trusting your OS is in some respects similar to feeling safe in your own home, or trusting your significant other. I think people crave the "peace of mind" that comes from beginning with an OS they trust, or at least don't actively distrust, and for this reason it gets an outsized amount of attention and focus.
I would rather say "tons of bloatware", but I guess it depends on the manufacturer; probably Chinese brands are more sketchy than others.
In the end it's not easy to take sides here; there are good points for both.
I would just argue that mobile devices are more prone to being lost, seized or tampered with than PCs, and they probably carry even more personal information, so the security of the device is critical to me.
Let's find common ground; maybe we could find out how many phones support relocking the bootloader and start from there?
Aside from Pixels, the vast majority of devices that can relock cannot actually do it properly.
This!!! When this comes into consideration, I can't even imagine using a phone with an unlocked bootloader, no matter what ROM is in place. The risk far outweighs the gain.
I don't even use my laptop with Secure Boot disabled, even though I rarely use it outside my home (but this is out of the convenience of not having to remember my BIOS password, and I also dual boot Windows when needed).
But the fact still remains that the system shouldn't be compromised first; then we can talk about privacy issues. If the system is compromised, that compromise could even lead to total access to your data, including the data stored on the device, and somehow could even lead to access to a running system (the passwords stored in your web browser). That's a total disaster.
Back to the thread's topic: including Pixels, there are many devices that have the ability to re-lock the bootloader when using custom ROMs, around 50 devices with DivestOS. So…
Is there a $150 device that's still recent and available to buy new with a relockable bootloader when using a custom ROM (not necessarily a day 1 device due to the slow pace of aftermarket ROM development, but it shouldn't be EOL from the manufacturer)?
If there's none, should we advocate a $150 device/devices running on a stock ROM that:
- Have the best support from their manufacturer, i.e. provides the longest OS updates and security patches in a timely manner.
- Have the least spyware pre-installed.
- Are widely and globally available (the main issue with the Pixel devices).
- This item should be considered as a bonus: have a chance of becoming a relockable device (judging from past devices from its manufacturer, or the manufacturer's current trend/direction). This would prove the longevity of the device.
Thanks for these, they do look helpful, although I am no expert.
In the interests of finding common ground, I think it would be helpful if we could agree on the facts in this area - it then becomes possible to draw our own conclusions based on our own priorities.
Based on possibly incorrect or outdated information, my current understanding is that:
- If a phone has an unlocked bootloader, someone with physical access to the device can install modified firmware which (for example) steals the device encryption password the next time you enter it. This is the "evil maid" attack. This gives the attacker full access to the data stored on the device and is prevented by a locked bootloader.
- A phone with an unlocked bootloader may similarly be vulnerable to attackers exploiting other security issues remotely and then installing modified firmware. The remote attack may already give the attacker access to whatever they want anyway, in which case the bootloader state is probably irrelevant. But being able to install modified firmware may allow the attacker to escalate their access if the original vulnerability wasn't powerful enough.
- If an encrypted phone with a locked bootloader is lost or stolen, the finder/thief can probably reset the device, but this will wipe the encrypted data. If they want to get access to the encrypted data, they probably need relatively advanced techniques like desoldering the flash module and reading it in another device.
- If an encrypted phone with an unlocked bootloader is lost or stolen, the finder/thief can install firmware that will make it easier for them to get access to the encrypted data on the device, e.g. copy it to another machine over a network connection. (They can only perform the "evil maid" attack if they are willing and able to return the phone to the user and the user continues to trust it rather than wiping it.)
- If the phone is encrypted, once the attacker has got access to the encrypted data, they need to break the encryption. The data is encrypted with a strong (128-bit?) master key, and then that master key is encrypted using the user's PIN/password and stored on the device. This allows the user to change their PIN/password without needing to re-encrypt all the data on the device.
- If the bootloader is locked, it is harder (as noted above) to get access to the encrypted data. It may also be much harder to get access to the master key encrypted by the user's PIN/password in order to brute force the PIN/password.
- If the bootloader is unlocked, it may be possible to get access to the master key encrypted by the user's PIN/password. If the PIN/password is strong, this is not a problem, but if the PIN/password is (say) a 4 digit number, it can easily be brute-forced and the master key revealed.
It's quite likely I've got something wrong here - my intention is to make some concrete "allegations of fact" which people can correct as necessary, independent of their personal judgements of risk or threat models.
I'm assuming a locked bootloader is actually secure and doesn't have vulnerabilities like those mentioned on the DivestOS site for some devices. That's important for those devices, of course, but I think it's a bit orthogonal to the debate here.
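The key hierarchy the post above describes (data under a random master key, the master key wrapped under a PIN-derived key, so a PIN change only re-wraps) can be modelled in a few dozen lines; this is an added toy example, not code from the thread or from any Android implementation. It assumes PBKDF2 as the PIN stretcher, a one-time XOR mask plus HMAC as a stand-in for a real key-wrap such as AES-GCM, a SHA-256 counter-mode keystream as a stand-in for AES on the data, and a deliberately low iteration count so it runs quickly; the `offline_pin_search` function shows why a 4-digit PIN is only ten thousand trial unwraps once the wrapped blob can be read without any hardware rate-limit.

```python
# Added toy model of the PIN -> master key -> data hierarchy (not Android's real code).
import hashlib
import hmac
import secrets

KDF_ITERS = 1_000  # assumption: toy cost so the demo is fast; real devices stretch far harder


def derive_kek(pin: str, salt: bytes) -> bytes:
    """PIN -> 64 bytes: first 32 mask the master key, last 32 key the integrity tag."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERS, dklen=64)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_master_key(master: bytes, pin: str) -> dict:
    """Wrap a 32-byte master key under the PIN; a fresh salt makes the XOR mask one-time."""
    salt = secrets.token_bytes(16)
    kek = derive_kek(pin, salt)
    masked = xor(master, kek[:32])
    tag = hmac.new(kek[32:], salt + masked, "sha256").digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unwrap_master_key(blob: dict, pin: str):
    """Return the master key, or None when the PIN is wrong (integrity tag mismatch)."""
    kek = derive_kek(pin, blob["salt"])
    tag = hmac.new(kek[32:], blob["salt"] + blob["masked"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return xor(blob["masked"], kek[:32])


def encrypt_data(master: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter mode under the master key); same call decrypts."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(master + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return xor(data, stream)


def change_pin(blob: dict, old_pin: str, new_pin: str) -> dict:
    """Only the wrapped key changes; every ciphertext under the master key stays valid."""
    master = unwrap_master_key(blob, old_pin)
    if master is None:
        raise ValueError("wrong PIN")
    return wrap_master_key(master, new_pin)


def offline_pin_search(blob: dict, candidates):
    """Trial-unwrap each candidate PIN against an extracted blob; returns (pin, attempts)."""
    attempts = 0
    for pin in candidates:
        attempts += 1
        if unwrap_master_key(blob, pin) is not None:
            return pin, attempts
    return None, attempts
```

With the blob extractable, the search is bounded only by the KDF cost times the PIN space, which is why the defence on real devices is to mix a hardware-held secret into the derivation and rate-limit attempts rather than to rely on the PIN alone.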
From my (very limited) knowledge on the facts, I think you've seemed to sum it up pretty well, although I would also love to get the opinion of an expert in this area.
I was under the impression that for at least some phones (Pixel, iPhone, probably others) this is not the case. My recollection is hazy, but I believe that at least those brands, or maybe even most/all modern smartphones (wishful thinking?), are pretty resistant to brute force attacks.
I just tried to confirm this, but am struggling to find anything conclusive. Maybe someone with more knowledge of Android's security features could chime in. I have a feeling @SkewedZeppelin may have some useful input.
Thanks. This is definitely one of the bits I'm less clear on myself (hence my trying to hedge with "may") - I have vague impressions both ways, having seen mentions of "secure enclaves" and such hardware things, but it's unclear to me whether these features ever/sometimes/always work when the bootloader is unlocked.