Hacker News new | past | comments | ask | show | jobs | submit login

> f you install a custom ROM (e.g. LineageOS), you can make almost any phone reasonably secure

Do the official LineageOS releases have Verified Boot (allow you to lock the bootloader)? Everything I've tried uses userdebug keys, which is pretty bad security-wise, and requires an unlocked bootloader.

I ask because Verified Boot ensures the root of trust is there in the binaries. If they're wrong by one bit, the OS won't boot.

Realistically, even if your OS has additionally security features compared to AOSP, it'd still be like building a house out of obsidian, then putting a wooden barn door on it.




> Do the official LineageOS releases have Verified Boot (allow you to lock the bootloader)?

Possible in theory, but complicated:

https://source.android.com/security/verifiedboot/device-stat...

https://www.reddit.com/r/LineageOS/comments/i76xme/is_it_pos...

These attacks require physical access to the device, and a rather sophisticated adversary.

If the attacker has physical access to the device, they could plant a camera to get the passwords or use a $5 wrench, etc.

https://xkcd.com/538/

At that security level, you can't trust a single device, and you'll probably need to look at security solutions such as hardware security keys (Yubikeys), Shamir's Secret Sharing, plausibly deniable encryption, etc.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: