Google outright lets you unlock your bootloader on Pixels, and relock it with your custom keys, and even tells you how to do all that in the docs. You lose Play Integrity certification which is where things are getting a bit messy.
But for that you have to blame Amazon, Netflix, Hulu, Disney, a lot of banks, a lot of games for using what is basically DRM for apps. It’s the developers that want those features, so you can’t mod their APKs and take the ads out, make sure you download the official version from Google Play because dumb users getting scammed and all that stuff.
I run LineageOS on my phone, I’m not doing anything whatsoever to hide it, and pretty much everything works perfectly except Google Pay. Which I guess is fair game, I hate it but there’s a reasonable argument to be made there.
The rest is the same DRM woes I deal with on Linux, I value my rights and freedoms more than running an app.
Why did you choose Lineage over Graphene?
Because I have a OnePlus.
Gotcha. I thought I had read that you had a Pixel.
Which model - if you don’t mind my asking? I managed to get my old Samsung A21s working *almost* perfectly with LineageOS.
It’s a OnePlus 8T, but I think any OnePlus before, I think, the OnePlus 11 has excellent custom ROM support.
AFAIK I got lucky and the 8T is the last model from their “being nice to developers” era. OnePlus was born originally to be developer friendly, it was based on CyanogenMod out of the box, they even sent phones to developers.
Mine launched with OxygenOS 11, and then OOS12 was completely rebuilt on Oppo’s ColorOS and they threw everything out the window. Took them forever to drop sources, and it just went downhill from there.
Yeah. The idea was an older one for cheap. Anything really that will allow my banking app to work.
I just got lucky with the Samsung, the banking app works, but I didn’t check first.
It doesn’t solve SafetyNet/Play Integrity, at all. My bank is the kind that just warns you and then lets you in anyway. I just live without Google Pay, I just put the card in the phone case to the same effect. The point I was making there is that most apps don’t care, Google isn’t “pushing” it, but it is made available to developers, so really it’s the app developers’ choice to check or not.
Pixels are just less fiddling because flashing it is supported. It is not endorsed by Google, and you don’t pass Play Integrity at all, but it is supported and doesn’t void your warranty. They just allow you to install whatever you want on your hardware without a fuss, and get the full performance you’d expect and all, and even make use of the security chip. But, they only trust their code and their ROM for the purposes of Play Integrity, which is kinda fair game.
That’s why it is quite ironically the device of choice for GrapheneOS. It’s not a hack, it’s a fully supported use case even though you lose Play Integrity certification, so they can implement all the security features Google has access to. The TEE will happily sign a unique and verifiable integrity attestation… for GrapheneOS’s ROM signature. You can make an app that only works on genuine official GrapheneOS the same way other apps do with Play Integrity. You can have a custom ROM and properly enroll it in some enterprise MDM and all that stuff, and only allow your builds of that custom ROM to enroll. But, no Play Integrity because it’s not their official certified build.
It’s like PC, you can turn off secure boot, you can secure boot with your own OS keys and get all the security benefits. But Valorant will still refuse to let you play if you haven’t booted with secure boot into an official unmodified copy of Windows where they can ensure their kernel anti-cheat can trust the kernel about what drivers and processes are loaded. Microsoft isn’t forcing their OS on you, but the developers will only trust you if you do. You’re still perfectly free to put Linux on it, and it won’t affect you otherwise.
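The distinction drawn in the comment above, as an added example that is not part of the original thread: the same hardware-signed boot facts pass or fail depending on which signing key the relying party chooses to trust. The field names and state values follow the RootOfTrust structure of Android key attestation; both policies, the key digests and the sample devices are constructed, and the record is assumed to have already been extracted from a certificate chain validated up to the hardware attestation root.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum


class VerifiedBootState(IntEnum):
    # Values as defined for RootOfTrust in Android key attestation.
    VERIFIED = 0     # locked, OS verified with the OEM's key
    SELF_SIGNED = 1  # locked, OS verified with a user-installed key
    UNVERIFIED = 2   # bootloader unlocked
    FAILED = 3       # verification failed


@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes  # digest of the key that verified the OS image
    device_locked: bool
    verified_boot_state: VerifiedBootState


# Constructed placeholder, not a real ROM signing key fingerprint.
PINNED_ROM_KEY = hashlib.sha256(b"constructed-custom-rom-signing-key").digest()


def stock_only_policy(rot):
    """Hypothetical vendor-style policy: trust only OEM-signed builds."""
    return rot.device_locked and rot.verified_boot_state == VerifiedBootState.VERIFIED


def pinned_rom_policy(rot, pinned_key=PINNED_ROM_KEY):
    """Hypothetical app/MDM policy: trust one custom ROM's signing key."""
    return (
        rot.device_locked
        and rot.verified_boot_state == VerifiedBootState.SELF_SIGNED
        and hmac.compare_digest(rot.verified_boot_key, pinned_key)
    )


def evaluate(rot):
    return {"stock_only": stock_only_policy(rot), "pinned_rom": pinned_rom_policy(rot)}


# Constructed sample devices.
STOCK = RootOfTrust(hashlib.sha256(b"constructed-oem-key").digest(), True, VerifiedBootState.VERIFIED)
CUSTOM_RELOCKED = RootOfTrust(PINNED_ROM_KEY, True, VerifiedBootState.SELF_SIGNED)
OTHER_ROM = RootOfTrust(hashlib.sha256(b"constructed-other-key").digest(), True, VerifiedBootState.SELF_SIGNED)
UNLOCKED = RootOfTrust(b"\x00" * 32, False, VerifiedBootState.UNVERIFIED)
```

The relocked custom ROM fails the stock-only policy and passes the pinned one, while a different self-signed ROM and an unlocked device fail both.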
I might have to get one. My Samsung is still a bit slow - and old.
If you’re buying something to mod I’d recommend a Pixel, unless you’re getting an older OnePlus for cheap.
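> But for that you have to blame Amazon, Netflix, Hulu, Disney, a lot of banks, a lot of games for using what is basically DRM for apps.

I don’t think those entities had the leverage to force Google to add remote attestation to Android. SafetyNet didn’t show up until 2014 when Android was already established enough that not being on Android wasn’t a realistic option for any of them.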
Instead, I think it was mainly a move by Google to make it so any OEM shipping a fork of Android without Google’s blessing would have angry users because some of their apps wouldn’t run.
Google bought Widevine in 2010, so in my opinion they were already concerned about big corp’s interests above the users well before. I think SafetyNet is the natural evolution of that.
I think SafetyNet came with Google Pay for contactless payments, most likely at the request of the banks. They had to work with the banks for that, that’s when they got the leverage. If they didn’t they’d just go partner with Samsung instead, who already had Knox, and I did see Samsung Pay on my phone before Google Pay was available at all.
They also had to increasingly deal with shitty root detection libraries that were getting popular and excluding legitimate users because the latest Android changed things enough it looked modded to the apps. They probably saw it as a lesser evil to just take it in their hands.
You don’t need that much leverage to put enough pressure that there’s enough demands for a feature for the feature to get added. Android was dealing with a lot of fragmentation, piracy and quality problems already, Google needed people to see Android as not just the shitty budget option, they wanted to compete with the iPhone proper.
The enthusiast market only gets you so far. You need enthusiast buy-in at first, but then you have to pivot to end user “premium” experience, which is why brands like OnePlus eventually turn their back to the users that propped the company up. Regular users would rather pick the walled garden than the open world if it means their apps work better in the walled garden. The walled garden is a better experience for the average moron.
Google is concerned with its own interests and only behaves as if it’s concerned with anyone else’s when there’s a perceived benefit to Google.
There’s a chance the preferences of some app developers were a contributing factor for Google, but I’m convinced it was about reining in OEMs more than anything else. Your comment cites fragmentation, and there were things like Fire Phone from Amazon that didn’t ship with Google services. Fire Phone failed because it wasn’t good, but if Amazon had iterated on it or someone else had done a better job, it might have taken a big chunk out of Google’s Android profits.

> excluding legitimate users

I hate this framing.
I’m generally disappointed there wasn’t more outcry about Google creating a remote attestation scheme. Microsoft proposed one for PCs a decade earlier and the New York Times called it out as a corporate power grab. I’m not sure if there was a general shift in thinking, if people thought about phones differently from PCs, or if Google had enough of that “don’t be evil” glow people didn’t question it.