194 points sleirsgoevy | 11 comments
asimops ◴[] No.45776925[source]
While it is technically feasible, it is not a good idea to try and find a technical solution to a people/organisation problem.

Do not accept the premise of assholes.

I hope we can get the EU to fund a truly open Android Fork. Maybe under some organisation similar to NL Labs.

--- edit ---

Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.

replies(8): >>45777355 #>>45778228 #>>45778511 #>>45779765 #>>45779867 #>>45780458 #>>45780743 #>>45781937 #
1. singpolyma3 ◴[] No.45778228[source]
What's wrong with lineage?
replies(3): >>45778633 #>>45779667 #>>45781332 #
2. hilbert42 ◴[] No.45778633[source]
You have to get some of the big names to unlock the bootloader first. The trend towards locking it off permanently is alarming.

Edit: Google could ultimately use that as a lever in licensing deals with manufacturers. It'd marginalize everything.

3. IlikeKitties ◴[] No.45779667[source]
It's not a good, secure project by a long shot. There's a good comparison floating around:

https://images.squarespace-cdn.com/content/v1/60f1421e1afcf4...

replies(1): >>45779785 #
4. AnthonyMouse ◴[] No.45779785[source]
That looks like someone made a list of mostly features specific to GrapheneOS so they could make a chart where all of the other alternatives (including stock Android) are full of red boxes.

Several of those are the opposite of security features, like SafetyNet support, which might be a convenience in some cases but it mostly makes it so you can't upgrade certain parts of the system to newer versions even when the old versions have security vulnerabilities.

replies(2): >>45779891 #>>45782945 #
5. IlikeKitties ◴[] No.45779891{3}[source]
>That looks like someone made a list of mostly features specific to GrapheneOS so they could make a chart where all of the other alternatives (including stock Android) are full of red boxes.

No one else even bothered to make a list.

>Several of those are the opposite of security features, like SafetyNet support, which might be a convenience in some cases but it mostly makes it so you can't upgrade certain parts of the system to newer versions even when the old versions have security vulnerabilities.

Citation needed

replies(1): >>45780110 #
6. AnthonyMouse ◴[] No.45780110{4}[source]
> No one else even bothered to make a list.

That doesn't make the biased list good.

> Citation needed

Are you not aware of what SafetyNet is? It's the thing where Google certifies that the phone is running the software produced for it by the OEM. The problem, of course, being that the OEM stops issuing updates and then the certified version has known vulnerabilities. Which is a lot of the point of wanting to install a newer ROM on such a device, except that then it won't pass SafetyNet because you replaced the vulnerable but certified code with third party code that has the patch but not the certification.

7. numpad0 ◴[] No.45781332[source]
Active installs of LineageOS[1] as reported on the official tracker are 4.3m instances right now. An MAU of 5m is like, less than Bluesky, Switch 2 shipped so far, most F2P phone games you've heard of, etc. The leverage it has is that of a game.

1: https://stats.lineageos.org/

8. Itoldmyselfso ◴[] No.45782945{3}[source]
Or, far more plausibly, they added to the table features GrapheneOS has, but others don't.

Here's the up-to-date comparison: https://eylenburg.github.io/android_comparison.htm

As far as I know, there are no significant features other distros have that increase their privacy or security over what GOS has. I'm not entirely sure about the SafetyNet thing, but GOS is by far the most up-to-date to the AOSP out of these distros.

replies(1): >>45783867 #
9. AnthonyMouse ◴[] No.45783867{4}[source]
The point isn't that GrapheneOS is bad but rather that it doesn't imply there is anything wrong with LineageOS when it's still better than Android itself.

Moreover, some of the stuff with green boxes is still kind of a privacy fail. For example, with GNSS (i.e. GPS) your device calculates its location from the timing of radio broadcasts emitted by a network of satellites. It has extremely good privacy properties because your device is a passive radio receiver and neither the satellites nor anyone else know you're there when you use it. "Network-based location" can sometimes work when you're somewhere you can't hear the satellites, but now you have Google or someone else building a database of nearby wireless APs etc. in order to make it work, and in the process you're effectively uploading your location to them.

replies(1): >>45784557 #
10. Itoldmyselfso ◴[] No.45784557{5}[source]
GOS developers have said on multiple occasions that they think LineageOS is worse for security than the stock OS on multiple devices, as it doesn't keep up with current privacy/security patches or provide all of the standard protections. The comparison also does bring up these faults. See also https://www.kuketz-blog.de/lineageos-weder-sicher-noch-daten...
replies(1): >>45789120 #
11. AnthonyMouse ◴[] No.45789120{6}[source]
"Device does not force you to update" isn't a bug. The bug is "device forces you not to update" which is the thing you get with stock Android on the large majority of Android devices.

Their objections in general seem to be fairly pedantic, e.g. objecting to a connectivity check which could be improved in a theoretical sense but in practice that shouldn't be leaking anything you're not already giving up by having a phone which is turned on and connected to a cellular network.