Love to see the ongoing progress here, but I'm really starting to worry that the growth of attestation on Android will make using custom ROMs like LineageOS impossible in future.
Is there any way we can fight this? Feels like there must be some EU/US consumer rights or digital market legislation somewhere that could be used to more directly object to organizations like banks saying "your phone works just fine but we actively block you from using it" especially as mobile apps become more and more obligatory for banking. It's a huge problem just in e-waste of old devices that work fine but can't be used because of the lack of updates.
Just one legal case upholding this somewhere would put a huge red flag over it and significantly discourage the whole trend.
Yeah, running GrapheneOS, this has been a big headache for me. And it's incredibly stupid too.
The app won't work natively due to a lack of attestation, so I have to fire up the browser and use the service.... Exactly how is that more anti-abuse than just using an app without attestation? It's security theater and has no basis in reality.
GrapheneOS seems to be advocating for hardware attestation to solve this issue, taking advantage of its boot-loader re-locking capabilities, but it's being vehemently opposed by the Lineage OS community due to privacy concerns and because boot-loader re-locking is not an option in LOS.
[1] https://grapheneos.org/articles/attestation-compatibility-gu...
Can you scan a check from your web browser? Maybe I'm wrong, but probably not; frankly, it's a logistical miracle we can do this from our phones and the banks tolerate it, but I can see why they would still want to minimize all risk involved.
The second reason though I can think a bank would want attestation is as an anti-piracy measure. With a website, you have HTTPS verifying the identity of the domain. With an app, a pirated app or a 3rd party app from any source could hypothetically intercept user's banking information, their scanned checks, or even attempt to cash their scanned checks itself. It's not about making sure the device is secure, as it is killing attempts at 3rd party, modified, or malicious clients. The last thing I want, or the bank wants, is some grandmother downloading the "Wells Fargo Bank Plus with Giant Legible Accessible Text" app she saw in an ad as an APK, installing it, and being a victim of silent fraud for years.
The third reason a bank might want it, is also just simple stupid litigant America. If such a scheme similar to the above were to occur, the bank would likely be sued by victims arguing that the above circumstance was preventable. The victims would also be correct, it was preventable. The bank is then in the unenviable position of telling the jury that supporting the rights of 0.1% of phone modders was more important than victimized grandmothers.
Or, as a bank lawyer would say, just turn on attestation, it costs basically nothing, and then none of the above could happen. Better safe than sorry. After all, is the grandmother not also a customer, and preventing malicious clients in her best interest? Sure, some customers will be inconvenienced, but this is America, where anyone depositing more than $10K is subject to an interrogation.
> The last thing I want, or the bank wants, is some grandmother downloading the "Wells Fargo Bank Plus with Giant Legible Accessible Text" app she saw in an ad as an APK, installing it, and being a victim of silent fraud for years.
I don't think this happens nowadays. Android will either block by default or give you a million prompts and warnings before it allows you to install an apk from an unknown source. It's far, far easier to install it from google play. I don't think any grandmother would manage to accidentally ignore the first 3 pages of genuine links on google and then push the right buttons that enable sideloading.
A million prompts? It's exactly one prompt to permanently allow a source.
Why would someone pirate a free banking app that they get for free from their bank anyway?
> Can you scan a check from your web browser? Maybe I'm wrong, but probably not; frankly, it's a logistical miracle we can do this from our phones and the banks tolerate it, but I can see why they would still want to minimize all risk involved.
ATMs just scan the checks now too, so why have the middle man? Usually there are limits on customer scanned deposits though, in the range of $5,000-$25,000. I've never heard of a limit on ATM deposits, although I'm sure there is one; I have had atms in WA decline to process warrants from CA state (like a check, but sometimes California has to wait for next fiscal year to clear it).
> Can you scan a check from your web browser?
Yes
https://developer.mozilla.org/en-US/docs/Web/API/MediaDevice...
Just because the browser offers that api does not mean that a bank will use it
What is stopping LineageOS from supporting (or faking support for) attestation?
Mainly historical reasons:
Back in 2009 during the CyanogenMod days, Google issued a C&D to the developers to keep them from distributing Google Apps alongside the main ROM. IMO it was less about the app distribution and more to force CyanogenMod to come to the table and work with Google to develop ground rules on how 3rd party ROMs would interact with Google more broadly. CyanogenMod (now LineageOS) basically agreed not to step on Google's toes. At the time it was not to distribute Google's Apps inside of the ROM. Now it's to not bypass OS level protections like Play Integrity (formerly Safety Net).
Their stance now can be found here: https://lineageos.org/PlayIntegrity/ . Note the part that says:
> Any action taken to bypass Play Integrity risks a backlash against all custom OSes, and could cause Google to block them entirely from the Play Store.
So long as the main players follow this advice, Google tends to also ignore smaller players that _are_ working around this via Magisk or other means. It's also possible that this simply becomes non-viable after some time.
It's also worth noting, Google has ways to allow third parties to certify their devices on https://www.google.com/android/uncertified/ . This doesn't grant fully Safety Net, but it's definitely another way Google is working with custom ROMs to ensure you have access to the Play Store
This is an extreme oversimplification in an "Explain like I'm 5" style (terminology might also not be perfectly correct, it's more for illustration of the basic concepts):
Imagine, if inside your phone, there's your main processor named Bob. Bob runs all of your apps, Bob is occasionally stupid and gets hacked, but he means well.
Also inside your phone is another processor named Alice. Bob can't see her even if he can send messages to her, but Alice can see Bob through a one-way mirror. Alice is also located inside of a concrete steel bunker with no entry, no exit, and UV sterilization of all single-page letters coming in or out after examination by an officer. Alice has a special ID card given to her by Google, which was only given to her after Google was satisfied with the security of the bunker.
Google sends super high-secure work for Bob to do. Bob isn't the most trustworthy of fellows; so Google also sends a message asking Alice to report back on whether Bob is doing what he's supposed to. Alice sends her report back to Google with her signature on it. Google trusts that signature, because it previously inspected Alice and the security of her bunker, and knows that as long as Alice is safe and Bob can't harm her, Bob is doing the work intended.
Now, you might say, why not just make sure Bob is stronger? Well, Google tried that, but with people wanting to sideload apps, the needs of developers, security bugs, that's all extremely difficult. Having Alice do nothing but verify and sign in a super secure bunker while accepting various requests for oversight - that's easy, auditable, much easier to secure, and rarely needs change.
Where it gets even stronger is what I would call, for lack of a better word, "progressive lockdown." For example, when Bob is just starting up, Alice can check that he started up from an approved OS (Secure Boot). Once that's happened, the Secure OS might hand Alice a piece of code for the OS that is never allowed to change in the future while the device is booted (Secure Monitor / TEE). Alice doesn't have to run the code herself; just panic if that code ever changes. By doing so, the OS now has super-high-security functions for itself, that can always be changed out through any update, without Alice needing any updates, changes, or expanded attack surface herself. By that point, Alice can be OS-agnostic so it doesn't matter whether it's Bob or Kevin, and could even be a permanent hardware feature that never needs updates... oops, you've just invented TPM / Verified Boot / Titan M.
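The challenge and signed report from the Alice and Bob explanation above, as an added example that is not part of the original comment and not Android's actual attestation format. All type and function names are hypothetical, the OS images are constructed byte strings, and a single pre-enrolled ECDSA key stands in for a real device's certificate chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is the signed statement "Alice" (the isolated processor) returns.
type Report struct {
	Nonce    []byte   // verifier's challenge, echoed back to prove freshness
	Locked   bool     // bootloader state Alice observed at boot
	OSDigest [32]byte // SHA-256 measurement of the OS image "Bob" booted
	Sig      []byte   // ECDSA signature over the three fields above
}

// signedBytes hashes the fields in a fixed, hex-encoded layout (hypothetical format).
func signedBytes(r Report) []byte {
	msg := fmt.Sprintf("attest-demo-v1|%x|locked=%t|%x", r.Nonce, r.Locked, r.OSDigest)
	sum := sha256.Sum256([]byte(msg))
	return sum[:]
}

// SecureElement models Alice: the private key never leaves this type.
type SecureElement struct{ key *ecdsa.PrivateKey }

func NewSecureElement() (*SecureElement, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureElement{key: k}, nil
}
func (s *SecureElement) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Attest signs what Alice observed about Bob, bound to the verifier's challenge.
func (s *SecureElement) Attest(nonce []byte, locked bool, osImage []byte) (r Report, err error) {
	r = Report{Nonce: nonce, Locked: locked, OSDigest: sha256.Sum256(osImage)}
	r.Sig, err = ecdsa.SignASN1(rand.Reader, s.key, signedBytes(r))
	return r, err
}

var (
	ErrNonce = errors.New("unknown or replayed challenge")
	ErrSig   = errors.New("signature does not match report")
	ErrState = errors.New("bootloader is unlocked")
	ErrOS    = errors.New("OS image is not on the approved list")
)

// Verifier models the remote service that decides whether to trust Bob.
type Verifier struct {
	trusted  *ecdsa.PublicKey    // Alice's key, enrolled in advance
	approved [32]byte            // digest of the one OS image this policy accepts
	pending  map[string]struct{} // challenges issued and not yet consumed
}

func NewVerifier(pub *ecdsa.PublicKey, approvedOS []byte) *Verifier {
	return &Verifier{pub, sha256.Sum256(approvedOS), map[string]struct{}{}}
}

func (v *Verifier) Challenge() ([]byte, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	v.pending[string(n)] = struct{}{}
	return n, nil
}

// Verify checks freshness, then authenticity, then policy, in that order.
func (v *Verifier) Verify(r Report) error {
	if _, ok := v.pending[string(r.Nonce)]; !ok {
		return ErrNonce
	}
	delete(v.pending, string(r.Nonce)) // each challenge is single use
	if !ecdsa.VerifyASN1(v.trusted, signedBytes(r), r.Sig) {
		return ErrSig
	}
	if !r.Locked {
		return ErrState
	}
	if r.OSDigest != v.approved {
		return ErrOS
	}
	return nil
}

func main() {
	stock, custom := []byte("stock image"), []byte("custom ROM") // constructed samples
	alice, _ := NewSecureElement()
	v := NewVerifier(alice.Public(), stock)
	for _, locked := range []bool{true, false} {
		n, _ := v.Challenge()
		r, _ := alice.Attest(n, locked, custom)
		fmt.Printf("custom ROM, locked=%v -> %v\n", locked, v.Verify(r))
	}
}
```

A re-locked bootloader running a non-stock image produces a valid signature and is turned away only by the verifier's approved-image policy, which is a choice made on the service side rather than by the cryptography.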
If I weren’t so cynical, I’d expect the ongoing antitrust case to target this sort of stuff.
Just buy a separate low-cost device and use that only for your banking. It's a total non-issue, there are way more nefarious uses of SafetyNet/the attestation API's.
It's not just banking. Though that's clearly the most inconvenient, I've heard stories of this in all sorts of contexts, and Google actively push it for _all_ apps in the play console etc now. Carrying two devices just to use basic things will work, but god that sounds annoying.
I'm curious though, what are the more nefarious uses you're concerned about?
You'll have to change it often if you're worried about safety at all. Lineage has been keeping my phone alive for five years now, and although it only updates the upper layers and there are definitely unfixed vulns in the firmware, it's much better than if I'd used the stock OS that hasn't been updated since the beginning of 2020. Banks don't or won't understand this.
> Banks don't or won't understand this.
They are not interested in that. They want attestation because they can "outsource" the responsibility to Google.
> It's a total non-issue
Buying a separate device and carrying it all the time just for banking is a big ask for most people, even for geeks who hack their Android phones.
The problem is you need banking stuff on the go more and more. Here in Spain for example people often pay friends with a service called bizum that works through the bank's app.
It's definitely not a non issue for me.
> Android 15 introduced several complex changes under the hood...
> Android’s move to trunk-based development, and the subsequent growth in size of Android’s QPRs (Quarterly Platform Releases) have made our job magnitudes harder! As a byproduct we must rebase our entire code-base every 3 months.
> Sadly, Google also has a habit of introducing deprecations or outright removing code that older devices rely on with little advanced notice...
Google trying new tactics to move Android from open-source to "source available, lol"?
> Google trying new tactics to move Android from open-source to "source available, lol"?
It seems to be the opposite - more of AOSP internal development moving out into the open. QPR's are getting more frequent releases than the old AOSP code-drops.
(Tbh I do think that AOSP has always had way too much churn for a sensible system. A Linux phone should just work, and share as much of its codebase as possible with Linux systems running on other device classes; distributions like pmOS and Mobian - and quite possibly Debian Mobile in the future - are working towards this goal.)
Or maybe the Linux Desktop (used by a couple of people) should use more code from the android project (which is the biggest OS on the Earth)
The latter has sane sandboxing, proper IPC, an app lifecycle that makes sense for embedded devices (an app in the background should only ever take CPU time if it has an explicit service with permission for that) etc.
Plain old Linux has these features. For example:
> an app in the background should only ever take CPU time if it has an explicit service with permission for that
You can run your services in a cgroup and use "freeze" and "thaw" support for that purpose.
It doesn't have it, because this is like security. You either have it everywhere, or it doesn't matter.
Sure, the Linux kernel is very capable, but the "gnu" userspace doesn't make good use of its features. Android makes much better use and has a bunch of software that could be re-used on the former as well.
Is the reason GNU doesn't use these kernel features aggressively that they want to be portable? Or something else?
Freezing background apps just isn't needed all that much if you run a fully FLOSS system. It's much more of a concern for proprietary software where you don't have the source code available. There's a similar story for sandboxing actually, it's not a coincidence that it's been getting more popular as proprietary apps have been made widely available via Flathub and the like.
What, FLOSS systems run on unicorn blood or what?
There is a reason why Pinephone and similar run hot as hell for a couple of hours of uptime only. But Linux laptops also have a terrible track record here. It has nothing to do with privacy, it's purely there to properly save energy.
And come on, Linux Desktop has terrible security, just because no one targets the 3% marketshare doesn't mean that they are safe at all. Especially that security is independent of "proprietariness". You can have, say, an open source PDF reader with a vulnerability - you only need to open a malicious PDF file to have your system corrupted. Putting our heads into the sand is not a good idea.
You "can" in the sense that the kernel technically supports, but realistically, who does that for all programs they use?
Android userland is actually better designed in some ways
Android is not "a Linux phone", it just happens to use Linux kernel under the hood. What you're saying was always an explicit anti-goal.
This is gatekeeping. Linux is a kernel. You're talking about userspace which is not part of the Linux kernel project.
What gatekeeping? I'm talking about Android project goals. They never intended to provide any direct userspace access to the Linux kernel. The Linux kernel is supposed to be an implementation detail that can be replaced without breaking app compatibility.
That is more of a theory than reality. In practice you need to emulate the Linux kernel in order to run Android. Keep in mind that Android is more than just the apps you run.
Yes, I agree. But it is the stated goal.
It should be the opposite, I am a bit confused about LineageOS' statement here. The Quarterly releases represent solid milestones towards the final Android number milestone.
GrapheneOS claims that this made their rebasing much more efficient: instead of receiving a massive dump of all Android 15 at the end, developers receive incremental changes (the QPRs) to help them anticipate major changes in the code.
GrapheneOS only supports devices that are still supported by the OEM, and they generally seem to have very few modifications that touch on frequently-changed parts of AOSP. In short, they can be relatively certain that nothing will break when they rebase, Google does the work for them.
On the other hand, LineageOS runs a lot of devices at the very (lower) edge of compatibility, which means that (with Google pushing large changes quarterly instead of yearly) the build roster has to be reevaluated quarterly instead of yearly as well. This was not anticipated properly for the Android 14 (LineageOS 21) cycle, which resulted in 19 devices not being able to be built on a previously supported major version (and therefore dropping from the roster completely).
In addition, the components that have been causing rebase conflicts each year now have the opportunity to cause rebase conflicts multiple times a year.
Highly recommend the Samsung S5e Tablet with LineageOS. It’s an amazing tablet for comics and light reading. Hard to beat its high res AMOLED display, incredibly light weight, and decent enough specs (I haven’t personally seen slowdowns when using Lineage on a minimal install). Forgoing gapps gets you crazy standby time.
Couple things to note is it doesn’t have a headphone jack (it is legitimately that thin though) and you are required to use Windows to flash the device.
The S5e is super old and many devices are likely facing battery age issues.
I wish I had known this device was going to see long-term support like it received. I would have bought one at the time.
The only modern tablet officially supported is the Pixel Tablet (tangorpro). It's good enough but the screen quality isn't as nice as I would like. It should be supported for many years to come due to its SoC being common to the Pixel 6-9 phones.
I really want to move to an android tablet but love the writing on an ipad pro. Does a pixel tablet support writing/drawing with a pen and palm detection? And more importantly is there any good software support (e.g. apps like goodnotes) for that? A pixel tablet with graphene os overall sounds awesome.
tangorpro has GrapheneOS support which would likely be a better choice until security updates stop coming from Google (and GrapheneOS) 2028-06-01.
GrapheneOS installs easily via your desktop web browser with the Pixel device connected via USB.
+1 for GrapheneOS. I've dabbled in a lot of alternative roms over the years. There wasn't a single one that was as easy to install and use.
As slow as it is on paper (in practice it’s really not bad) and the batteries are indeed going, its AMOLED screen really takes the cake.
> required to use Windows
There’s an alternative flasher for Samsung’s bootloader that works on Linux/macOS: https://github.com/Benjamin-Dobell/Heimdall
It might not work with this particular tablet, though.
There also is an updated version with fixes that never got merged into upstream Heimdall: https://git.sr.ht/~grimler/Heimdall
Yeah, I never got Heimdall to work properly.
Still using a very old Tab S 10.5 from 2014 running a bit slow with LOS 21 - Android 14.
Started with Android 4 KitKat, stuck with Linux kernel 3.4 :)
5.4mm thickness, 3GB RAM (enough for 32-bit), 2TB SD card works, watching movies/shows with the AMOLED look as good as a recent OLED TV. Truly ahead of their time.
SDR content with mDNIe dynamic enabled comes surprisingly close to HDR content on an HDR display, colors can be a bit too saturated though.
After a decade, the battery lasts a week for daily hour e-book with black background. 3 hours of video playback. However, it restarts at 30% battery when running at full brightness with a white background. Disabling Wi-Fi significantly extends standby time compared to modern hardware.
Caveats: Slow web browsing and no H.265 hardware decoder. 1440p H.264 60Mbit is the max (Display is 1600p). Most content providers and streaming services are slowly moving away from AVC, so it's stuck at 720p H.265 on CPU.
Back in 2014, I couldn't have imagined using hardware that was over a decade old.
Oh I have the same one. I had no idea it was supported by LOS now. When I last looked it wasn't. Thanks, I'll have a look for it.
If only these Samsung Android tablets had a more reasonable screen aspect ratio..
Good to know, as I still use an S5e as my comic reader. It's not getting security updates anymore, but to be honest it's not like I'm running banking software on it, so I don't care as much about malware risks as, say, my phone. It's still plenty speedy on stock firmware.
What would be the attack vectors for malware on a tablet? I’m genuinely curious how crucial updates are for older devices.
For example, there could be a web-based attack that would target unpatched webviews. This could be a maliciously prepared webpage or image on the web, favicon etc, and this piece of data could be distributed by an ad network, for example. So, browsing the internet with an out of date browser or webview could pose this risk.
Another issue is escalation. Again, we are in a speculative realm, but if a device is affected like how I described it above, it could then be the foot in the door for other attacks, like scanning the local network, and finding other devices to target, some of which might be also out of date, or be more trusting to a local device, than to an internet device. Like a router, for example, or a NAS with a passwordless LAN file share activated.
Another usage of an exploited device is it joining into a botnet, that then is rented out for any purpose the buyer would want, distribution of files, acting as a proxy for others, participating in a DDOS attack.
Thing is, most of this is automated actually. The devices on the internet are constantly scanned by automated means for vulnerabilities.
Basically the same as a computer. If you avoid installing random untrusted apps, you are generally safe (i.e. don't install random no-name Candy Crush clones from the Play Store every week like some people in my family like to do).
Every once in a while there's a more serious vulnerability that can be exploited remotely like Stagefright, but those are fairly rare and if you're here, you will probably hear about them.
Anything internet facing has a ton. You're using it to browse a site that gets ads and you've got a vector -- wouldn't be the first time legitimate sites like NBC (nbc.com) served 3rd party ads with malicious iframes embedded in 'em.
Mom takes her out of date tablet to check the news and bam she's rooted.
Thank you for the tip ! Was looking for a portable device at home for random browsing, it will be a nice beginning of the year project ! Do you recommend installing v21 or a previous version on this device ?
I run a minimal install of 21 right now (no gapps) and it’s great. Even handles browsing fine with Brave (built in ad blocking).
Wow, these things are crazy cheap on eBay. Thanks for the tip.
I still buy devices based on the likelihood that they will be supported by LineageOS. Good to see them continuing along.
I find any time I've put lineage on a device, the support lifetime is lower than I expect.
In a perfect world, you would be able to bring your old device forward to multiple new major android releases beyond the support lifetime of the manufacturer, like you can with a Linux distro on a PC. But I guess android doesn't work that way, even with third parties willing to make new builds.
Often device drivers specific to the model of handset are only available as pre-compiled binary blobs, and will not run with any future kernel release without herculean effort to reverse engineer them and implement a shim. This effectively ties the hardware to a single kernel release.
The practice makes ewaste of otherwise perfectly usable devices, and should be illegal.
Any devices that fare better in this regard?
Not really, no. For manufacturers it is faster to just write the drivers once for their chip, and release them targeting to an exact Linux kernel version rather than actually writing good enough code that it goes through the LKML process and gets merged into mainline. It costs money to update the drivers later on and it especially costs money to mainline them later on.
Nobody's asking for mainline submissions though. Just publishing the drivers source code under a FLOSS licence when they stop supporting it would be enough to let the community take over the maintenance.
The kernel side of drivers is already published under a FLOSS license, it's just that the code quality is usually subpar and the important changes are crammed into a tarball together with (sometimes) millions of other lines of changed code.
The sources for the matching userspace binaries (which are usually the issue for Android version bumps) are usually under NDA by the component manufacturer and can not be released by the OEM independently.
Is the kernel driver code not available for the Community to take over the process of mainlining? If that gets done then surely the user-side code will work with all future kernels that contain the driver?
The user-side will work with all kernels that contain the matching driver, but the user-side will not necessarily work on future Android versions without modification.
Isn’t that significantly on the Linux kernel not having stable driver ABIs?
I don't see how any choice the Linux developers make forces phone manufacturers to do anything.
It's their choice to use Linux. They can abide by the license or not ship Linux.
Not to mention that there are many more or less stable APIs within the kernel (which even has versioned API support in places) such as Video4Linux which manufacturers seem dead set against using.
They do abide by the license, but it's also their choice whether to maintain cheap firmware for n years old devices, that they may not even have the license to distribute in source form.
Nonetheless, android mostly solved the issue of the kernel's lack of stable interface via their HAL.
They could also contribute to the Linux kernel like normal companies instead of shipping half broken binary blobs.
That's a really backwards way of thinking about software distribution. It's like Debian's idea that every piece of software in existence should be packaged for Debian (and Suse, Red Hat, Fedora, Ubuntu, etc.).
I don't package any of the software I write for Debian because I don't want to have to jump through their hoops. I don't blame device manufacturers for wanting to avoid jumping through Linux's hoops. Especially with having to deal with Linus.
Nobody likes Apple's app review process do they? I don't think device driver writers should have to go through that.
(I also wish they would open the code but not having a stable driver ABI clearly doesn't make that happen.)
I think a valid reason for not having a stable driver ABI is that it's a mountain of work and makes everything else more difficult. But I've never heard anyone give that as the reason.
There's a big difference between Apple's review process which I would qualify as unnecessary and unfair and Linux's review process which is necessary to produce high quality software.
But it's true that they could at least start by publishing the source code, even if they don't contribute directly.
As for the ABI, I also agree, this would just make the situation worse.
> Linux's review process which is necessary to produce high quality software.
Why? I don't see how that follows. It might be likely to produce better software simply by having experienced kernel devs review the code, but it's definitely not necessary.
Most of them buy parts from other companies, that often license the source only for inclusion.
This is a very myopic view of the industry.
I'm also saying the industry is broken, I'm well aware that the whole industry isn't really good enough on the software side.
I think the interfaces we are talking about are not part of upstream Linux. They will bolt on half baked stuff regardless of the interfaces Linux provides.
AFAIK the Android binary blobs are generally userspace, not kernel drivers.
Out of curiosity, what do you buy?
I had Xiaomi last and bought another one recently and they have made it pretty much impossible to unlock the bootloader.
Apparently limited number of unlocks at 12am Beijing time. I have tried a few times, read through all the complaints and the community forums, and Xiaomi can very kindly just fuck off.
It used to be really good value for money as the hardware is great. But without flashing it is terrible. Crypto spam ads in system apps and things like that. Am going to sell it again but part of me can't give it to anyone in good conscience.
Samsung has its own bootloader. Some people get it to work with AOSP/LineageOS, but it is an extra pain. So I avoid Samsung for LineageOS.
This is a list of supported devices
https://wiki.lineageos.org/devices/
I installed LineageOS on a Motorola Edge a bit back.
One problem is it takes a bit of time for a device to get officially supported by LineageOS. By the time it is, stores are often selling the next generation of devices.
That was not the case when I bought an Edge and put LineageOS on it in 2021.
> but it is an extra pain.
I've bricked several Samsung devices trying to flash Lineage on them. It is important to follow the Lineage installation instructions very closely.
It used to be dirt easy, I remember my s5 was just "fastboot oem unlock" and flash the new image...
Sure you'd lose knox, but nobody really uses it anyways... But from what lineage is saying, it seems Samsung made unlocking impossible on North American devices.
I'm not sure what the law side of things is like for this, because I recall it being mandated that phones could be sim unlocked after contracts expire... someone should try seeing if there is a legal requirement for unlocked bootloaders.
Edit: I wish apps would also stop whinging about unofficial OSes or devices being rooted... banking apps, mostly.
> someone should try seeing if there is a legal requirement for unlocked bootloaders.
The EU is only now applying usb chargers. They will be ironing appstores next. USA, maybe not with the next president.
> it seems Samsung made unlocking impossible on North American devices.
It is possible to unlock them. It just takes about 20 steps and multiple reboots.
My device is currently not supported, their FAQ about this is needlessly passive aggressive, though I can assume there's a reason.
I managed to unlock a xiaomi redmi note 9. The bootloader unlock tool only work on windows and on intel based computers (don't ask me why). I had to reinstall temporarily a windows on a computer to do that.
But this is really a brand to avoid at all cost anyway. Also these smartphones come super bloated out of the box with apps phoning home constantly, and are super unreliable. 2 members of my household owned one and on both of them the screen started not accepting touch input randomly. This was on 2 different models.
You get profiled when you sign up for unlocking a xiaomi.
In order to use the official windows-only tool: You make a xiaomi account, wait a month or more, then put an internet connected sim card that receives an sms verification and try to unlock, if it fails, you wait a day to try again.
You can unlock about 3 devices at most every 6 months with one account.
They found a balance that is easy enough for tech-savvy users, but not too easy for the general population. Helping someone with his phone is a chore if you aren't charging money for it.
Xda forums is much less interested in developing unlocking for xiaomis since there is this official method, and I can't blame them.
The "general population" is probably better off buying an unlocked device on the used market. Wipe it with a new LineageOS install and there should be no real concerns.
I buy used OnePlus phones off swappa and flash LineageOS with microG right off the bat. For a tablet I have a Google Pixel Tab, which has official LOS support. Very happy with both
I used to spend so much time flashing different ROMs, and even cooking a few modifications of my own. These days I find it much easier just to buy first-party devices like a Pixel and just move on with my day. They seem to have the least 'gotchas' in my experience. Stuff is unlocked, it gets updates, and doesn't have bloat/malware baked in.
Some would consider a Google device as malware out of the box. At least you know who is spying on you I guess.
Google is one of the lightest offenders in the ecosystem. Remember that any other Android device is going to have Google PLUS the manufacturer junkware. Pixels can also be de-rooted with custom firmware installed, and graphene is hella polished.
Given the fact that all phones have closed-source baseband firmware and are hooked up to vulnerable networks running ss7, they've got worse things to worry about if they're using a phone anyway.
It's not all or nothing. That's like saying you might as well smoke 20 cigarettes since you are already smoking 10.
VoLTE is a huge consideration for older devices, and it is best to avoid Samsung.
Pixels are the reference. Whatever you buy, verify VoLTE.
Very true, yes. 4G connectivity is the main reason for me to upgrade. My Poco F1 doesn't support the main 4G frequency used in Australia. So connection and bandwidth is pretty crappy since 3G got sunset.
Unfortunately the intersection of phones with headphone plug, SD card slot, decent RAM and hardware, not being huge, and supporting lineageos is pretty much nonexistent nowadays.
Oh interesting. I was planning to get a Xiaomi as my next phone; I recently heard that they limited the number of unlocks to one per person per year.
I got a OnePlus and a Pixel. Before that it was a ZTE, but they aren't unlock-friendly these days.
I'd say stay away from it! From what I understand it mostly depends on what OS is running on the phone.
Phones on their old Xiaomi OS can be unlocked reliably. You have to register an account, wait 30 days, and use the unlock app on a Windows computer. It's annoying but doable. But, the current Xiaomi HyperOS is where the insanity starts. It's pretty much impossible with arbitrary limits of global unlocks per day. The app constantly telling you to try again the next day and stupid stuff like that.
I've had that phone sitting in a drawer for a month or so now. It's just not worth it. And I'm not going to put anything personal on their shipped OS. When system apps come with popup ads to install dodgy crypto apps I'm not going to trust it.
> limited the number of unlocks to one per person per year
I’m wondering how exactly they are gonna enforce that.
you actually have to create a xiaomi account to be able to unlock a xiaomi phone with their crappy bootloader unlocking tool (only running on windows FWIW).
This is just a terrible experience, avoid this brand like the plague.
Yeah, I went through it once. You also have to wait for 30 days IIRC.
There are unofficial unlock tools on Linux / macOS, though: https://github.com/topminipie/awesome-xiaomi-bootloader-unlo...
The problem is, you can create as many Mi accounts as you want. They can make it slightly harder by verifying your phone number, but that’s also pretty easy to circumvent.
Thanks for the pointers, when I did it, all the linux tools I had found had been abandoned/were not working.
Don't sweat it. The link for the official tool in the official xiaomi site directs to an old version that didn't work for my old phone.
I found the latest version in xdaforums, and that worked, thankfully.
The whole xiaomi experience is very unpolished. The sites are a mess for this, the tool looks like a cooked homebrew, and their English doesn't look official.
Not TS, but I have similar thought to him. Just recently, I bought a used Samsung A52 4G phone, which is supported by LineageOS.
I am not a LineageOS user, but I own a 5 year old Xiaomi phone. The latest Android version for that phone from Xiaomi is stuck at Android 9. It now runs Android 13 on /e/OS, a fork of LineageOS, and I have a good experience with it.
The biggest problem with /e/OS is the launcher (Bliss).
The launcher does not seem to be able to do app shortcuts, particularly to make a shortcut to an incognito browser tab. Widgets are also confined to a separate page. [Please correct me if I'm wrong.] It's really trying to be an iPhone in some constraining ways (stressed by the Settings icon).
Lawnchair [1] is a pretty good alternative.
It needs to be in f-droid, or maybe on ffupdater.
It is on F-Droid IIRC.
Edit: just checked, it’s in the IzzyOnDroid repo: https://apt.izzysoft.de/fdroid/index/apk/app.lawnchair
I have recently bought a Pixel 8 and I really like it. GrapheneOS is a very smooth experience, my only gripe is that the banking apps don't work on it, so I reverted back to PixelOS for the time being.
But their sandboxed GApps service is truly how a mobile OS should work!
I have been running custom Android, mostly Cyanogen and Lineage, since the G1. I went G1 > Nexus 1 > Samsung S4 > S5 > OnePlus 5 > Pixel 8. I won't buy a phone if it's not community supported.
Can anyone recommend a supported phone that is small in size?
Have I ever got a bigger paycheck I'd donate to them without hesitation. It's because of them (and formerly Cyanogenmod) I got to have my Xperia Z1 for 7+ years, and now this Xperia 1ii for 4 years, each of them were/are doing great because of it.
Hope they keep going strong.
To quote from somewhere else:
Just to emphasize this for anyone else who is reading this: Please do not feel obligated to donate.
Yes, it is greatly appreciated, since it keeps the lights on a little while longer and allows us to provide builds and host continued development. However, we regard donations as having no strings attached, and the same applies for using the builds that we provide.
We will be fine, at the very least for a while. Please think of yourself first.
"Please think of yourself first." = \s ?
Anyway ... I'd totally encourage everybody to donate to opensource projects and/or its maintainers. Whatever the effect may be, but I think that's just simply appropriate.
Yes, donations are cool, without them there probably wouldn't be as many build servers (among other things).
However, if donating means that you have to consider your current paycheck size, then it might be more appropriate to put that idea on the back-burner for a while.
If you don't have to make that consideration and/or you feel strongly obligated to donate, then by all means, please do so.
tim, this is hackernews, everybody here makes six digits! jokes aside - when donating one should of course consider one's paycheck size. you don't have much, give a little; you have more, give a lot.
I'm still of the opinion that an Xperia Z1 Compact running LineageOS handily outcompetes any cycling computer that Garmin or Wahoo has shipped in the past 10 years.
Note that it can take several days or weeks for all the supported devices to get initial public builds made. You can track all the pending build jobs here: https://buildkite.com/lineageos/android/builds?branch=lineag...
thanks for that, i kept running in circles looking for a build of 22 wondering if i was doing something wrong
I did the same for 21. Now I know better.
Oneplus 7T build already up! And damn, it feels really snappy! There seems to be some good optimization on Android 15?
> SeedVault[1] and Etar have both been updated to their newest respective upstream version.
What do folks use for backups that's actually useful (full app data + secondary stuff like KeyStore entries) nowadays?
[1]: https://github.com/seedvault-app/seedvault/wiki/FAQ#why-do-s...
Swift Backups with root, and then Syncthing that directory of backups to a home server. When I switch devices I just sync that directory to a new phone, install Swift Backup and do a restore. It's the modern Titanium Backup.
This advice may have been exactly what I'm searching for, thank you kind stranger!
How's LineageOS with WhatsApp, Signal and random banking apps these days?
Or let me put it another way: anyone running LineageOS but struggled to run any essential apps? (I don't care about games or whatever, I mean the apps you need to get around in life).
Whatsapp and Signal are fine. Random banking apps suck because of their myopic and incompetent policies around custom OSes. Especially here in Germany where banks and even tech company management see internet as a magic, totally untrustworthy new curiosity. Combined with the overall extreme risk-averse society, basically none of the bank apps from big banks work with custom OSes. All require various levels of "hacking".
They use Google SafetyNet as a security guarantee and some outright ban access while letting you use a completely custom Linux PC. There are ways to hack those API calls with various system level interceptors like Magisk. I keep a custom made 2FA code generator from my bank as a backup though.
Anecdote: I develop an app for a bank at my job in Germany and I was forced to implement root detection because of some annoying pentest. Everyone agreed that it was just security theater + checkbox compliance but it "had to be done"...
I think detecting root and displaying a warning about risk is okay. N26 does it, so does Scalable Capital.
However Sparkassen, Deutsche Bank etc all refuse to work on Lineage OS at all *without any actual root solution installed*. I actually don't want any root access, I can use recovery mode and even write special permission XMLs if certain apps need it.
I just don't want bundled Google Dialer etc in stock ROMs that is feeding more data to Google about me and my loved ones. I keep my and my family's contacts in a private cloud solution. I don't use GMail for private e-mails. Nor Google Calendar. Removing these apps breaks stock ROMs due to special permission modifications Google did. Lineage OS is my escape but the stupid banks reliably choose stupidest security theater solutions that you were forced to implement.
Even the apps that work for online banking, you can't use them for digital payments anymore. The old integrations worked fine but with Google Wallet even GrapheneOS isn't good enough
Counterpoint: ING, Trade Republic and the Comdirect app all work with current lineageos, even with the phone rooted.
Amusingly, my health insurance app (Tk) does not.
Weirdly Commerzbank Banking App rejects logins approved by a rooted phone so I cannot login with my LOS phone. Comdirect is literally the same company but a purely online product. It is so stupid. I also use INGDirekt and it works.
In this comment I mentioned N26 and Scalable Capital also works with a custom ROM: https://news.ycombinator.com/item?id=42560775
The Wells Fargo app runs on Lineage. Google Pay does not work with it.
My original motivation for deploying this particular phone was for Cisco Duo, which also runs on it.
WhatsApp and Signal run perfectly fine (WhatsApp shows a little warning on first run, that it's an unsupported ROM, nothing else).
As for banking apps, it depends. Some work, some don't. One way to test it would be to use Waydroid emulator on Linux, which uses Lineage OS image.
Whatsapp works even if you choose not to install Google Services. You can download the apk directly from https://www.whatsapp.com/download.
Apps using Safetynet / Play Integrity are still broken and will stay broken since Lineage won't ever be allowed to pass these "security" tests
If you install Gapps, most banking apps work fine. Only Revolution refused to start on account of having an unlocked bootloader.
There might be a way via f-droid > shelter app and install these safetyNet apps in there.
they work fine if you don't root the install. if you do root, banking apps and Disney plus won't work, everything else is fine.
For some banking apps, you have to root the device on the contrary, to be able to install other apps that will make the banking app run on a custom ROM.
It's completely absurd, but it's how it works today.
yeah I just use the browser version instead.
I've honestly never run into any problems with apps not working in the last couple of years of using it.
I run LineageOS on an Xperia Z1 Compact that I use as a cycling computer and GrapheneOS as my daily driver. If any business excludes my phone, I exclude that business.
The only trouble I run into is when (pseudo-)public institutions such as airlines or municipal parking authorities arbitrarily require apps that only Apple or Google distribute through their DRM-infested frameworks.
Thanks for the link! LineageOS has kept my 7-ish year old Moto X4 working like a champ for most of the time I've had it! As long as it keeps working, I have no intention of getting another phone.
Nothing against LineageOS, I used it on a Nexus5 and I really liked it. But these days I just buy a Sony Xperia and compile AOSP for myself. https://developer.sony.com/open-source/aosp-on-xperia-open-d...
For a long time I was far too scared of being excluded from technological society to install this on my only phone, as much as I'd love to. It sickens me that banking apps, and others, depend on proprietary operating systems.
What I do instead is have a separate device that I customize to my liking with Lineage, then an iPhone that I keep normal; I have the phone that I actually like to use, then a "normie phone" that's identical to everyone else's so I don't get arbitrarily excluded from things.
I don't have an Android device but surely anything that excludes can just be accessed via web browser? I use my bank's mobile website in a mobile browser all the time.
Sadly for those living in EU many banks force you to validate online payments with a phone app only.
Having said that, most bank apps still work on custom android images. Mine works on grapheneOS.
Many times the web browser works, but there are some cases where it doesn't or is just a much worse experience. Or even some apple-specific stuff, like my mom enjoys calling me via facetime.
Having the second device just opens up more chances that you have something that works.
Yupyup I basically keep around an iPad mini for this purpose
Can I download Twelve from somewhere? I couldn't find it on F-Droid.
Prebuilts of various LineageOS apps are available here: https://www.sebaubuntu.dev/lineageapps.html
Cool
My old oneplus 5T battery has just failed and I have bought a second hand Motorola edge 20 pro, which is supported for lineage 22.
Installing lineage has not got harder.
Only three extra adb commands:
fastboot flash dtbo dtbo.img
fastboot flash vendor_boot vendor_boot.img
and to populate the A-B slots:
adb -d sideload copy-partitions-20220613-signed.zip
Installation has remained pretty much the same process for years since I first installed it on my old Samsung S4 and motorola G3 and more recently my old pixel 4A and pixel 6A.
Long live Lineage
I don't like the /e/OS launcher (Bliss) either.
Lawnchair is in Droid-ify - izzyondroid repo
Yay! Congrats on the release! Any chance I can put this on my new rpi5 or will that require some additional porting? Currently running 21 by konstakang. I've been trying to build a controller-driven media machine.
I bought a 1yo (new in box) OnePlus 11 5G last year and immediately installed LineageOS on it. Great, modern daily driver. My next phone, in many years, will also run LineageOS on day one.
any insider info on the current state of affairs? is los just barely making by or is there still some enthusiasm. used it for a few years on two oneplus devices and loved it. but - the usual shortcomings and issues requiring workarounds or other adaptions finally led me to the iphone ... i hate ios ... but they just work and especially when traveling i didn't feel like taking any risks with google api integrations for maps and messengers (also camera is just better).
also switched few weeks ago from Oneplus to se 2022. and currently testing custom roms as eos, calyx.. to find some good alternatives.
After another garbage update from Samsung I'm confident I should give it a go. I used it on a OP2 before and it was pretty good, but I'm curious how much it's matured in 3-4 years.
Can you get this to install on Fire tablets? They are getting cheaper and cheaper, but the utility value without a minimal stock environment is very less.
Unfortunately most of the older models do not have a way to root them (AFAICT, I've checked in on this occasionally for years). I have a 2017 fire that I was able to get lineage on, but unfortunately it was a mostly broken "test" device. Another 2017 is slightly different and I fried trying to short to ground during the rooting process. I also have 2 slightly newer models that have no root available at all, and are virtually unusable as the stock OS has become so slow (5+ second lag times per tap).
There are unofficial builds if you wanna give it a shot.