1) Google doesn't release devices without unlockable bootloaders. They have always been transparent in allowing people to unlock their Nexus and Pixels. Nexus was for developers, Pixels are geared towards the end user. Nothing changed with regards to the bootloaders.
2) Google uses Coreboot for their ChromeOS devices. Again, you couldn't get more open than that if you wanted to buy a Chromebook and install something else on it.
3) To this day, app sideloading on Android remains an option. They've even made it easier for third party app stores to automatically update apps with 12.
4) AOSP. Sure, it doesn't have all the bells and whistles as the latest and greatest packaged up skin and OS release, but all of the features that matter within Android, especially if you're going to de-Google yourself, are still there.
Any one of those points, but consider all four, and I have trouble understanding why people think REEEEEEEE Google.
So you can't play with one ball in the garden (SafetyNet), you've still got the rest of the toys. That's a compromise I'm willing to accept in order to be able to do what I want to and how I want to do it. (E.g., rooting or third-party ROMs.)
If you don't like what they do on their mobile OS, there's nothing that Google is doing to lock you into a Walled Garden to where the only option you have is to completely give up what you're used to...
...Unlike Apple. Not one iOS device has been granted an unlockable bootloader. Ever.
> Google doesn't release devices without unlockable bootloaders. They have always been transparent in allowing people to unlock their Nexus and Pixels.
True but misleading. If you unlock your bootloader, you can no longer use a lot of apps, including Snapchat, Netflix, Pokemon Go, Super Mario Run, Android Pay, and most banking apps. And before you say this isn't Google's fault, know that they provide the SafetyNet API, which has no legitimate, ethical use cases, and is what allows all of the aforementioned apps to detect whether the device has been modified, even if the owner doesn't want that.
This really depends on the apps. I have used over 10 banking apps on an Android phone with an unlocked bootloader without ever encountering any issues. On a device rooted using Magisk, the MagiskHide masking feature successfully bypasses the apps' root checks in my experience.
You're right that more advanced forms of hardware attestation would defeat the masking if Google eventually implements them.
I'm hoping that Microsoft's support for Android apps and integration with Amazon Appstore in Windows 11 will hedge against Google's SafetyNet enforcement by making an alternative Android ecosystem (with fewer Google dependencies) more viable. Apps that require SafetyNet would most likely not work on Windows 11.
Obviously anecdotal, but literally none of those examples I care to use on my phone anyway. Over time, my phone has just become a glorified camera with some messaging features.
I've used banking apps and Google pay on my rooted unlocked phone for several years now. True, I'm still on Android 9, so perhaps it will be worse when I upgrade.
Using Magisk and Magisk Hide.
Though oddly enough, none of my banking/credit card apps make an issue of being rooted, so they're not even in the Magisk Hide list.
That is likely to change in the near future. Hardware attestation of bootloader state is increasingly available. This is currently bypassed by pretending to be an older device that doesn't possess that capability. As long as device bootloaders continue to differentiate between stock and custom OS signing keys it won't be possible to bypass SafetyNet.
Yeah, it seems you are right. I haven't been actively tracking the custom ROM market, but it seems Google is trying really hard to achieve widespread hardware attestation. Or they could just be waiting until all the old devices are off the market, so all of the "Hardware attestation: Unsupported" response cases can be marked as UnlockedBootloader with great confidence.
SafetyNet also exists to prevent people from running Android apps on platforms other than Android. You can't use SafetyNet-enabled apps on Anbox, which is what SailfishOS uses as their Android compatibility layer, nor on emulators.
If you wanted to do a WSL but for Android, SafetyNet guarantees many apps won't work.
It also puts alternative Linux-based mobile operating systems, like SailfishOS or postmarketOS, at a disadvantage because they won't be able to run certain Android apps for no real technical reason other than the protection of Google's money firehose.
For instance: The McDonald's app uses SafetyNet and won't run on an unlocked device.[1] Google doesn't place any restrictions on which types of apps can use SafetyNet. Banking apps tend to use it, but so do an increasing number of apps that clearly shouldn't need it.
(For the record, I don't think SafetyNet should exist at all, but if Google is pretending it's for the user's security and not just to allow developers to make it harder to reverse engineer their fast food apps, they should at least set some boundaries.)
It's frustrating that Google has fostered an ecosystem where not all "Android apps" work on vanilla Android.
I think a system to verify the integrity of the operating system and make the user aware of any changes is a Good Thing. Of course, the user should be in control of what signing keys are trusted and who else gets access to that information.
Instead, what Google has done is allowed app developers to check that the user isn't doing anything surprising - especially unprofitable things like blocking ads or spoofing tracking data. Since Google profits from ads and tracking, I must assume a significant part of their motivation is to make unprofitable behavior inconvenient enough most people won't do it.
"1) Google doesn't release devices without unlockable bootloaders. They have always been transparent in allowing people to unlock their Nexus and Pixels. Nexus was for developers, Pixels are geared towards the end user. Nothing changed with regards to the bootloaders."
This is not accurate. Pixels that come from Verizon have bootloaders that cannot be fully unlocked.
That's because Verizon doesn't want you using a discounted phone with another carrier. If they let you unlock your phone, you could flash a stock radio and ditch Verizon for Google Fi or AT&T. Different issue at play.
As long as you buy a Pixel directly from Google or one of a few authorized resellers, it is unlockable. (I recommend B&H, they help you legally evade the sales tax.) You can also use a Pixel you buy from Google with Verizon.
Not to nitpick here, but there is no way any device you buy from Verizon is discounted, regardless of what they advertise. Everyone pays _full_ price for any device they get on contract or payment plan.
Back when contract pricing was a more regular thing, I ended up doing the math on the plan rate after I requested for the device contract subsidy to be removed as I didn't want to upgrade the device. I had a Droid DNA at the time.
The monthly rate dropped by $25 just to keep the same device. (Never mind that I had to ASK for them to not continue to charge me the extra $25/mo after 2 years.)
$25 a month for 24 months is $600.
The device on contract was $199.
Full retail price if you didn't opt in for a 2 year contract when getting it? $699.
So I ended up paying an extra $100 for the device than if I had just bought it outright.
Even if the offerings/terms are different now... Verizon, regardless of how they market anything, absolutely makes you pay full price (and then some) for the device you get at 'discount.'
It's funny now that we're seeing people being able to BYOD to Verizon these days and AT&T is the one engaging in aggressive whitelisting.
Other carriers will provide a bootloader unlock code to you on request once the device is paid off. As far as I know, Verizon refuses to do so under any circumstances for any device.
I didn't check HN for a while so chances are no one will ever see this response. Nonetheless! I am well aware that bootloader and network locks are different things.
In many cases you have to get an authorization code from the carrier that sold the device in order to unlock the bootloader. That may or may not involve retrieving a code from your device, and it may or may not also involve interacting with the OEM. It depends on the details negotiated between the carrier and the OEM.
For example, T-Mobile sells devices that are both bootloader and network locked but (for some devices) provides a process to unlock both of those once certain criteria have been met (length of device ownership, account standing, etc). To be perfectly clear, for devices sold by T-Mobile they generally have to authorize you somehow before the OEM will send you a bootloader unlock code.
> Except, uh, GPS. Even for third party navigation apps.
AOSP does support GPS without needing any additional software, but does not have built-in support for Wi-Fi and cell tower triangulation. As you mentioned, UnifiedNlp (bundled with microG) optionally supports triangulation using a variety of location providers (including offline and online choices) for a faster location lock.
Agreed, it's shitty of Google to have moved so much functionality into its proprietary Play Services. Push Notifications API being in it bothers me even more. Unfortunately until Linux mobile operating systems catch up in functionality though I'm going to stick with GrapheneOS.