Show HN: RattlesnakeOS – build and run your own privacy focused Android OS (github.com/dan-v)
37 points by danvittegleo on July 5, 2018 | 19 comments



This cross platform tool provisions all of the AWS infrastructure required to build your own personal privacy focused Android OS on a continuous basis with OTA updates. It currently supports Pixel phones (Pixel, Pixel XL, Pixel 2, Pixel 2XL). Highlights include:

* Verified boot (https://source.android.com/security/verifiedboot/) like stock Android (almost all ROMs disable this) and with your own signing keys

* Latest monthly security updates from Google

* OTA updates from S3

* No Google services

* Latest F-Droid as open source alternative to Google Play store

* Latest Chromium w/ adblocking and privacy patches


> * No Google services

Question about this - my BlackBerry Q10 had an Android VM on it but the limitation of "no Google services" meant that unless the app used none of those APIs it would not run. Surprisingly this was very limiting - have you had a similar experience?


That's a great question. I would say it is a bit limiting, and there are definitely some bumps in the road for the average user coming from stock Android. There are a lot of great open source applications in the F-Droid app store, but it definitely doesn't cover everything you'd expect from a stock phone these days. There is an app, Yalp Store (it downloads APKs directly from Google servers), that can be used to supplement this with normal Play Store apps. Many apps in the Play Store will rely on Google services though, so you will have a wide variety of results ranging from apps running just fine, crashing on boot, or not supporting push notifications. For me, not getting push notifications in Slack was an issue as it relies on Google Cloud Messaging (GCM). Luckily the encrypted chat messengers that I use, Signal/Telegram, have support for their own polling mechanism and don't rely on GCM. For Slack I ended up just writing a quick tool (https://github.com/dan-v/slack-to-telegram) to forward messages to Telegram so I get immediate alerts. But it's things like this that you will definitely run into when running without Google services.


Once you rip out any non-free CoS code, it would make sense to offer binaries to people, perhaps through donations or a small fee, if you need to cover hosting/cdn costs. While this is cool, it's still cumbersome and quite wasteful for everyone to reinvent the wheel.


Thanks for the response! Unfortunately, I'm personally not interested in distributing binaries of the OS for public consumption, as I think installing an OS from an unknown person on the internet is probably not the best approach for a privacy/security focused Android OS. I personally would prefer to do my own builds with my own keys so that I know what is running on my phone - hence why I created this tool. That said, it doesn't mean someone else can't spin up a public version of this setup using this tool.


> installing an OS from an unknown person on the internet

Eventually, what is needed is something like reproducible builds so that you can claim that this binary corresponds to this source tarball. I don't know where AOSP stands in that regard. The keys should be the only thing that users should ideally manage, i.e., you get the generic binary (that is known to correspond to source tarball), sign it with your keys, and flash it. Just throwing ideas. This may not be in the scope of your project.


I like this idea and could definitely get behind something like this. The signing process is done after builds complete, so it might be possible. Although on Pixel and Pixel XL it is likely not possible as the kernel must be built with the signing key to support the earlier version of Android Verified Boot (AVB 1.0).


If the underlying hardware of the phone is compromised, then it doesn't matter what you run on top of it.

I am not saying that you shouldn't try RattlesnakeOS, just that the people you would be installing it for still have access to everything on your phone.

If you value your privacy you would buy a simple dumb flip phone, solder out the microphones and cameras and use a wired headset. They can still get an approximate location of you through stingrays and such but it's better than nothing.


Agreed that if lower level hardware is compromised it doesn't matter what you run on top of it, and RattlesnakeOS doesn't protect from that other than keeping components up to date with latest security patches. I think if you are going to buy a dumb flip phone and solder out components for privacy, you are probably better off just not having a phone at all. This project is more about having a useful smartphone experience while still focusing on privacy and security.


Yeah but everyone needs to use a cellphone in this day and age so if you don't want to be tracked like a sheep then a dumb phone with the microphone and camera removed will do the trick. They (3-letter agencies) can only track you to an approximate location and probably are unable to run it in fake off mode if you want to turn it off.

It's actually pretty liberating to have a purpose driven cellphone to only communicate with.


It would be cool if you could get this stack going on a <$100 phone. There are some really cool products I could sell around that price point that I couldn't sell at anywhere near Pixel prices.

A company that did the heavy lifting for startups that want to reimagine the user facing side of (e.g. LineageOS compatible devices) would be an interesting proposition.


Any plans to add remote hardware attestation verification to the EC2 infrastructure?

https://github.com/AndroidHardeningArchive/Auditor/releases (though sadly Copperhead's fdroid repo is dead)


I haven't spent much time looking at this part of the project as my phone isn't supported but it does look really neat. On my next phone upgrade I will probably investigate.


This is fucking cool.

How difficult would it be to port this to another phone like the 1+n?


What would adding support for other phone models entail? Just adding drivers for their different parts?


Unfortunately there aren't very many phones that currently support verified boot (https://source.android.com/security/verifiedboot/), which would be a requirement to be supported by this project.


Please add Nexus 5x support like CopperheadOS had.


Nexus 5x is end of life unfortunately, which means it won't get security updates from Google and therefore isn't a great fit for this project.


What about Nokia 6.1? :D



