Will flashing LineageOS on a Xiaomi phone prevent it from collecting user data and possibly sharing it with the Chinese government?

Hi, I have decided to (more like been forced to, but anyway) upgrade to a smartphone, and there are very few options in my price range where I live. One of the phones I am considering buying is a Xiaomi phone, which is also supported by LineageOS. I know Xiaomi is notorious for collecting user data. Can flashing LineageOS and deGoogling it stop the phone from collecting my data and doing other shady stuff?

Thanks.

2 Likes

I don’t know the answer to that in particular, but many members of the community were discussing the possibility of a budget phone recommendation on Privacy Guides on another thread (see below). If they are available in your region, you might also look into getting a phone compatible with DivestOS (a Privacy Guides-recommended mobile operating system).

2 Likes

There is no way to tell, especially because the firmware within all phones is pretty much proprietary. We could only speculate.

I’ve read that you could do some packet analysis with Wireshark and maybe try to MITM yourself and see the actual contents. But some meaningful metadata could still be sent elsewhere after the packet arrives at its first destination: your ISP. Maybe they have Huawei/ZTE/etc. on the ISP side that could snitch on you; again, we can only speculate.

5 Likes

Sure, to some degree if you don’t mind the gapps :joy:

Nevertheless, if that’s your goal, DivestOS could be a better choice providing that your device is supported. You might want to see this Comparison of Android ROMs.

Also, you might want to consider the security risks of a phone with an unlocked bootloader, e.g. total data access if your phone gets stolen. You might be better off limiting Google connections on the stock ROM using a DNS resolver, or a firewall like NetGuard, rather than a custom ROM with an unlocked bootloader.

2 Likes

From experience, on Xiaomi’s stock ROM your smallest problem will be Google’s connections. There are an awful lot of connections made to Xiaomi servers; a few years ago they even uploaded recordings of your calls to their servers by default. I believe they now don’t do that, at least in certain markets.

3 Likes

Considering Lineage officially supports a lot of Xiaomi devices and Divest is a hardened fork of official Lineage, it shouldn’t be an issue.

Unless what you’re scared of is a backdoor in the firmware itself, I’d say yes (the accurate answer would be mostly, as Divest is even more so at the cost of potentially breaking some device-specific feature).

This is not an issue, as user data is encrypted.

1 Like

This goes far beyond just the encryption. Since an attacker can trivially flash partitions without risk of erasing user data (according to the DivestOS FAQ), I would assume that with the altered/compromised system, the encryption wouldn’t last long, e.g. brute-forcing the password, etc. All of that with a compromise that persists after reboot, which would not be the case with a locked bootloader.

The security issue with an unlocked bootloader is HUGE, which you can read about here:

Edit: I just found the source of the first link above, here: madaidans-insecurities. The source is not only talking about the security issue of the unlocked bootloader, but also rooting, custom ROMs, microG, firewalls, etc. It’s a good read overall about Android security.

3 Likes

If this is the case, I’m not opposed to recommending a custom ROM with an unlocked bootloader if no other better options are available. Obviously the security of the device is vastly diminished, but it would take effort, knowledge and a targeted attack to compromise it, and that’s not really something the average user should worry about.

The pros in privacy gains vs. the cons in security could probably be justified, mainly for older phones.

In case the device is still supported by the manufacturer, I’m wondering if a stock ROM with bloat disabled (and using privacy-respecting apps) could be an option as harm reduction.
It probably varies by manufacturer.

2 Likes

There’s a massive threat model difference between a phone that’s just stolen, and a phone that’s compromised and put back in. Brute forcing is a non-issue if you have a good password.

It stops evil-maid tampering. If the malware comes from userland you’re already fucked before it even accessed verified boot, as it is most likely the case that it has at the very least escaped the sandbox and tampered with userspace, and those don’t need persistence.

A single comment from an unknown user (it’s literally a burner account with only a single comment) without a source proves nothing.

Any confirmation on whether or not this is an actually good password, or a short pattern/PIN combination that’s trivial to bypass (for context, a 3x3 pattern grid has less than 400k permutations; even a 4-digit alphabet-only password has at least 10x more permutations)? And if it’s “Xiaomi phones running MIUI don’t do it in the standard Android manner” then it’s a Xiaomi ROM issue and shouldn’t affect Lineage, as Lineage is essentially AOSP + minor tweaks to make it usable.

3 Likes
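The post above compares the keyspace of a 3x3 pattern lock with that of short passwords. As an added example (not code from the thread or from any project named in it), the following enumerates valid Android unlock patterns using the grid rule that a stroke may only jump over an intermediate dot if that dot is already in the pattern, and sets the count beside the keyspace of simple PINs and passwords. The helper names (`count_patterns`, `keyspace`, `entropy_bits`) are this example’s own.

```python
import math
from itertools import product

# Dots are numbered 0..8 row-major on the 3x3 grid. SKIP[(a, b)] is the dot
# that lies on the straight line between a and b; Android only lets a stroke
# a -> b cross it if that middle dot has already been used in the pattern.
SKIP = {}
for a, b in product(range(9), repeat=2):
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    # a midpoint dot exists only when both row and column sums are even
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        SKIP[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2


def count_patterns(min_len=4, max_len=9):
    """Count valid patterns whose length is in [min_len, max_len].

    Android requires at least 4 dots and forbids reusing a dot; a direct
    line over an unused dot is not allowed (the stroke would stop there).
    """
    def dfs(node, used, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(9):
            if nxt in used:
                continue
            mid = SKIP.get((node, nxt))
            if mid is not None and mid not in used:
                continue  # would pass over an unused dot: illegal stroke
            used.add(nxt)
            total += dfs(nxt, used, length + 1)
            used.remove(nxt)
        return total

    return sum(dfs(start, {start}, 1) for start in range(9))


def keyspace(alphabet_size, length):
    """Number of distinct secrets of a fixed length over a given alphabet."""
    return alphabet_size ** length


def entropy_bits(space):
    """Equivalent bits of entropy for a uniformly chosen secret."""
    return math.log2(space)


if __name__ == "__main__":
    print("3x3 patterns (4-9 dots):", count_patterns())
    print("4-digit PIN:", keyspace(10, 4))
    print("4-char lowercase password:", keyspace(26, 4))
    print("4-char mixed-case password:", keyspace(52, 4))
```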

It would supposedly be an advantage, not an issue…

Encrypted data being able to be recovered without a password/backup/second key is without a doubt a disadvantage. There is no such thing as “a backdoor only the good guys can access”.

3 Likes

Indeed. I’m afraid you got it twisted… I was responding to the allegation that AOSP has an inherent encryption flaw by pointing out that Xiaomi seemingly handles it differently. If you have details as to how Xiaomi’s implementation differs, making it worse, please do share :wink:

Ah yeah, I seem to get it twisted (in my defense, it’s @archerallstars twisting it weirdly)

Sorry, I don’t know whether or not Xiaomi implements it differently. If you want an example of a manufacturer implementing it differently, just look at Samsung (fucked up camera implementation, fucked up bootloader implementation, fucked up encryption implementation, questionable partitioning choice, weird ass work profile implementation, honestly fuck Samsung in general).

2 Likes

Anyone could become a target at any time. But the possibility of that is still low, though.

The credibility of the user is not relevant here if you’re unable to prove that the info is wrong/incorrect. I didn’t see anyone who can prove that it’s not the case yet.

Nonetheless, if you want to prove otherwise, you would have to argue with Google’s engineers, not just a random person on the internet, about why they would erase the user’s data if the bootloader is unlocked. And that comes with a boot screen telling users on every boot not to put sensitive data in the phone. It’s as clear as daylight that your data is not safe anymore, regardless of the encryption in place.

It seems the Android security team has a different thought on the encryption security than you do. You might want to open an AOSP bug report that the unlocked bootloader’s warning boot screen is misleading, since the user’s data is perfectly safe with the encryption in place.

The only twist here is someone seems to make the security issue coming with an unlocked bootloader seem minor, while it’s in fact a major flaw. The ability to use a locked bootloader with custom ROMs has always been the selling point of Pixel devices. Is this not the case now? :sneezing_face:

It still falls on the user to give the burden of proof, else you’ll spend time fighting every unsourced claim from some random throwaway.

Sourcing some random unproven user nonsense, and then asking me to fight Google engineers to prove a claim that the user makes (way to shift the goalpost lmao).

It’s less safe against a specific type of attack; whether or not the attack is feasible in general is another story. 99.999999% of people won’t be fighting against evil maids. It’s just a thing that doesn’t happen unless you’re targeted. Google adding that warning is also a good way to cover their own ass (btw Google also said that MV3 & FLoC will improve privacy, should we also trust them on that?).

It is the case, but the one being questioned is whether or not a locked bootloader is an actual necessity (PG also recommends DivestOS, which seems to do fine with an unlocked bootloader).

1 Like

That random post happens to be in line with how Android security works, however. On the other hand, what you keep saying is contrary to that, so the burden of proof naturally lies on you.

Do you have any proof for your claim regarding the unlocked bootloader and the user’s data security?

There’s a twist here. On PG’s DivestOS recommendation page, it explicitly says that:

DivestOS is a soft-fork of LineageOS. DivestOS inherits many supported devices from LineageOS. It has signed builds, making it possible to have verified boot on some non-Pixel devices.

Also with the warning:

DivestOS firmware update status and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device’s compatibility. For other devices, DivestOS is a good alternative.

Not all of the supported devices have verified boot, and some perform it better than others.

It doesn’t seem to me that PG is OK with or recommends the user to use a phone/OS with an unlocked bootloader in any way.

There’s a massive difference between recommending verified boot because it’s more secure and your data being open to all. One is obvious while the other means a massive weakness in the modern encryption standard.

If modern Android cannot be encrypted without verified boot, then it’s a shitty encryption, and has no reason to exist over something like LUKS.

Just because verified boot is technically better doesn’t mean not having it is a dealbreaker.

If PG were 100% against unverified boot, we wouldn’t have this conversation in the first place. Tagging @jonah for input.

It is obvious that verified boot > unlocked bootloader, that’s not the question.
The problem here is finding a harm reduction alternative when verified boot is not available, like in the OP or other budget phones.
If the threat model is high you don’t even look beyond Pixels and GrapheneOS (if you can afford it), but again, there are different needs and hardware availability limitations.

We can’t ignore that chances are 90% of phones have bloated ROMs, or are older devices no longer supported, or both.
What’s the best way to regain some privacy?

I personally think that a custom ROM that doesn’t cripple the encryption of the device could be a good enough option for the average user if nothing superior is available.

I would rather debate whether it could be possible to use the stock ROM (leaving verified boot intact) and somewhat disable bloat / make use of the best settings / replace apps with privacy-respecting ones.
Would this be better than or on par with a custom ROM with an unlocked bootloader, or just for different use cases?

I’m not sure, because you’ll be missing a lot of the Android patches, but maybe if you’re not knowledgeable enough to flash a ROM that could be at least something, and having verified boot is a plus.

Hard to give a straight recommendation; it’s not a perfect world.

2 Likes

Lineage will fit those.

It’s far more limited than a proper custom ROM: apps will get re-enabled every few updates, you can’t replace Google services with microG, and you’ll also miss certain features like blocking an app from the network (yes, I know the Lineage implementation is somewhat flawed. But a flawed method that could technically be bypassed with a specific targeted method is still better than none at all).

Ironically, when talking about low-end phones, you’ll get more up-to-date patches with a custom ROM (even while the device is still supported). Official Lineage typically updates weekly, while my Samsung A11 hasn’t had any updates for 3 months already, and when it gets updates it’s sporadic; not exactly a well-supported device.

1 Like

I am afraid it’s the latter case, as the system explicitly tells you that without the bootloader locked/verified boot, your data is not safe to be kept in the phone regardless of the encryption status. Until it’s proven otherwise, this is my conclusion, which is also in line with the Android security team.

I am with the stock ROM with verified boot intact, as this prevents unauthorized access to the user’s data on the phone, regardless of the encryption implementation, i.e. a crippled/flawed encryption implementation would be covered by the fact that if the system is still intact, any tampering with the system would result in data loss, as it’s the fundamental design of Android security.

Moreover, with the stock Android 10+ ROM (yes, I know, with Google Play Services), the user is still receiving security updates, OS patches, etc. through Google Play system update, AKA Project Mainline, even when the device itself is EOL from its manufacturer.

But I can’t find any info regarding the EOL schedule of Google Play system update. I am not sure whether Android 10 is still getting updates through this channel, though.

And there’s also another caveat: some devices are not (fully) compatible with Google Play system update. For example, some Sony phones, see here, are currently stuck at May 2020 due to a boot loop issue. Samsung phones, even their recent models, are not receiving Google Play system update for some unknown cause, see here. I think only the devices in this category are worth the risk of using a custom ROM with an unlocked bootloader.

But then again, it’s not only about risking unauthorized total data and phone access. In an extreme scenario/being the target, if the device is confiscated, there’s a risk that forged evidence could’ve slipped through with all online data/sign-ins in the device intact (for further investigation). That would assume there’s no tampering with the device and could be used against the user in court. None of this would be an issue if the device had a locked bootloader, since any tampering would leave a trace, and all the user’s data would be erased.